Most anti-virus companies have a special signature scanner that scans your entire computer for viruses. This can be cumbersome and slow, and the more files you have the longer it takes, so I thought of a few cool ideas.
I. Execution Debugging
When reversing code, I came up with this idea. Most viruses I've seen/reversed have the same structures and calls. Most would xor the registers they're about to use to flush them out and make a specific call to a certain function, or move their file contents and bytes into memory. When an executable is bound, I noticed two kinds of binders are popular.
Ones like AIO files, where it extracts the original file and the virus into the /temp folder. The AIO then executes the original file, then the virus, then deletes the files from the /temp folder after execution. The user notices nothing...
Another type of binder was far more complex. It would add the virus mainly at the end of the file, or could sometimes inject the virus in the middle of the code, but it always had the virus in some sort of function with a call to that function.
Code:
Call 0040301F ;execution of original file
Call 00403022 ;execution of bound virus.
Most beginning crackers use NOP as their answer to most cracks and crackmes. NOP stands for No Operation. If a call such as JMP to an error message is made, the JMP is an unconditional jump, which is forced. You would replace it with NOP, which would force the continuation and execution of the code.
Code:
JMP SHORT 0040102F
...commands go here.
MessageBoxA, "Error" ;0040102F address <- Error
...commands go here.
MessageBoxA, "Success" ;where we want to be.
Code:
NOP
...commands here.
MessageBoxA, "Error" ;we avoid jumping here.
MessageBoxA, "Success" ;you end up here somehow.
If anti-virus software offered a "NOP malicious address" feature, you would still be able to use the infected executable and avoid execution of the bound/infected part.
Cons
Debugging a 100 MB or larger executable would take too long. Too much code would be flagged as virus functions, and thus be NOP'd over. Only works for certain binders and maybe advanced malware.
II. Byte By Byte Checking
I got this idea from a rootkit program I used in SuSE Linux...
The idea is to map out all executables on the hard drive; each directory would have a new text file listing all the executables in that directory. The executables are mapped into a text file where their byte counts are recorded.
Code:
Program.exe = 55kb
InfectedFile.exe = 1.2mb
Noninfectedfile.exe = 0kb
Code:
Program.exe = 1.2mb
Infectedfile.exe = 1.2mb
Noninfectedfile.exe = 1.2mb
The byte-by-byte checker would only need to map the hard drive once, because mapping the hard drive constantly would take forever.
Cons
Rootkits can modify their total byte count to stay the same, and so does advanced malware, but this would most likely affect the original executable that's infected, so the change would be forced to be slightly noticeable, though only obvious during full execution.
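The mapping and re-check from section II, as an added example that is not the post's own code: it records each executable's byte count as described, and also a SHA-256 digest so that the size-preserving modification the cons paragraph worries about is still caught. Which filename suffixes count as executables is an assumption, and the sample files and "infections" are constructed inside a temp directory.

```python
import hashlib
import os
import tempfile

EXEC_SUFFIXES = (".exe", ".dll", ".sys")  # assumption: what counts as an executable


def fingerprint(path):
    digest, size = hashlib.sha256(), 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            size += len(chunk)
            digest.update(chunk)
    return size, digest.hexdigest()  # (byte count, sha256 hex)


def build_baseline(root):
    """Map every executable under root: {relative path: (size, sha256)}."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EXEC_SUFFIXES):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def compare(baseline, root):
    """Re-scan root and report what differs from the stored map."""
    current = build_baseline(root)
    report = {"grown": [], "same_size_changed": [], "new": [], "missing": []}
    for rel, (size, digest) in current.items():
        if rel not in baseline:
            report["new"].append(rel)
        elif size != baseline[rel][0]:
            report["grown"].append((rel, baseline[rel][0], size))  # bound payload
        elif digest != baseline[rel][1]:
            report["same_size_changed"].append(rel)  # size kept, bytes patched
    report["missing"] = [rel for rel in baseline if rel not in current]
    return report


def demo():
    """Constructed sample: baseline three files, then simulate two infections."""
    root = tempfile.mkdtemp()
    for name, n in ("Program.exe", 100), ("InfectedFile.exe", 300), ("Noninfectedfile.exe", 50):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"MZ" + b"\x00" * n)
    baseline = build_baseline(root)
    with open(os.path.join(root, "Program.exe"), "ab") as f:
        f.write(b"#" * 70)  # appended payload: size grows 102 -> 172
    with open(os.path.join(root, "InfectedFile.exe"), "r+b") as f:
        f.seek(10); f.write(b"\xff")  # in-place patch: same size, different hash
    return compare(baseline, root)
```

Running demo() reports Program.exe as grown and InfectedFile.exe as changed at the same size, while Noninfectedfile.exe stays silent.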
III. Emulated Kernel
An operating system made virtual with all virtual functions... the future. ^^
All executables could be run under a special kernel-mode operation. Just like a sandbox, but it prevents any modification to system files. It would flag any operation trying to edit system files, set a breakpoint at that operation, and ask the user if it's okay, or just completely prevent it and stop execution. To modify system settings a user would have to modify them manually under a root account.
Cons
Would take forever to code such software, and the system would run twice as slow. And most programs that REQUIRE modification wouldn't execute properly.
IV. API Hooker
An API hooker that listens to all API functions. When an API that looks suspicious is executed, it is monitored and the user is asked if it's okay. Most viruses use the same API hook for keyloggers, so this would most likely prevent mainly keyloggers. Also, most skiddies make use of API functions for viruses to hide the system tray and open the CD-ROM; these APIs could be stopped and prevented by setting breakpoints at that point, allowing the user to determine if execution should continue.
Cons
Not all keyloggers and malware use API functions. In fact, advanced malware makes use of its own keylogging functions. I know some reverse engineers have managed to reverse a few APIs and make some assembly alternative code which is far more dangerous and stealthy than the APIs used by default.
V. End
In conclusion, viruses are just artificial intelligence. They're programs as well, but they artificially pertain their own mindset. So no matter how well an anti-virus software is constructed, there is always a new virus bypassing it and stealthier than the last virus shown on the AV's top infection list.
And remember kids, support the scene, don't destroy it.