How to make a 'heuristic' malware scanner in c++???

closed account (3hMz8vqX)
Hi all,
It has been so long since I visited the forum...
So here is my new question!!!
How to make a 'heuristic' malware scanner in c++???
Thank you everyone in advance!!!
Regards,
Aravind.
closed account (3hMz8vqX)
One day and no reply?
Please help, guys :)
just try your best!!!
closed account (13bSLyTq)
Hi,

You are asking too broad a question. I will try my best to answer it.

Heuristic development in an AV solution requires you to understand how malware behaves in general and the APIs it exploits in order to perform its malicious deeds. In short, heuristics in an AV solution are basically about building a picture of how the process works.

To follow on from this and provide more detail, check for common malware behaviour:

- Injection Activity
- Network Activity
- Registry Activity
- File Activity

Further tracking includes:
- MBR/VBR monitoring
- System Driver Installation

To expand on this even further: tracking these behaviours requires you to intercept the key APIs used by malware by placing hooks on common APIs.

I have included a few common APIs that malware uses, so hooking them would be ideal:

1. NtDuplicateObject
2. NtTerminateProcess
3. NtOpenProcess
4. NtMapViewOfSection
5. NtUnmapViewOfSection
6. NtOpenSection
7. NtAllocateVirtualMemory
8. NtWriteVirtualMemory
9. NtProtectVirtualMemory
10. NtCreateThread
11. NtCreateThreadEx (Vista+)
12. NtQueueApcThread
13. NtQueueApcThreadEx
14. NtOpenFile
15. NtDeleteFile
16. NtWriteFile
17. NtReadFile

In addition, Windows contains useful functions which can be called to build up/acquire vital pieces of information that help track malware on the system.

1. CmRegisterCallback (Receive notifications on virtually all registry events.)
2. PsSetCreateProcessNotifyRoutine (For new/terminating process notification)


To make this job easier and more effective, I advise you to place a hook on KiFastSystemCall (on x86 machines only).
As for x64 machines, you can either place a hook on X86SwitchTo64BitMode or, if you wish to hook even lower, hook Wow64SystemServicesEx (available in x86 processes only, but using x64 DLL loading); this would make it almost impossible to bypass.

Moreover, those functions have access to all NT system calls, so you can hook the entire userland by placing a hook on one function.

Lastly, I would recommend monitoring the MBR/VBR, because if malware subverts the MBR/VBR, everything is untrusted.

To hook KiFastSystemCall, visit my blog for the complete source code:

http://codeempire.blogspot.co.uk/2013/10/hooking-x86-system-call-stub.html

As for the other functions, I am going to be posting them soon.

GL
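As an added example (not code from the post above or from the linked blog): the heuristic layer that reply describes, written in C++ as a scorer over a stream of hooked system-call events. It walks a per-process trace and applies rules for the four behaviour classes listed (injection, file, registry, driver/MBR activity), including the classic remote-injection chain of NtOpenProcess, NtWriteVirtualMemory (or NtMapViewOfSection) and NtCreateThreadEx/NtQueueApcThread against a foreign process. The Windows hooks themselves are not included; the `Event` record, the constructed trace, the `RegistrySetValue` event name (standing in for what a CmRegisterCallback notification would carry), the point values and the threshold of 50 are all assumptions made for illustration.

```cpp
// heuristic_scorer.cpp -- added example, not the original post's code.
// Scores a process's hooked system-call trace against behavioural rules.
#include <cstdint>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// One observed call, as a user-mode or kernel hook would report it.
struct Event {
    uint32_t pid;         // process that issued the call
    std::string api;      // hooked routine, e.g. "NtWriteVirtualMemory"
    uint32_t target;      // process the call acts on; 0 if none
    std::string detail;   // path, registry key or protection flags; may be empty
};

struct Verdict {
    int score = 0;
    std::vector<std::string> reasons;
    bool malicious() const { return score >= 50; }  // assumed threshold
};

namespace {
// What the scored process has done to one foreign process so far.
struct TargetState { bool opened = false, wrote = false, ran = false, scored = false; };

bool contains(const std::string& s, const std::string& needle) {
    return s.find(needle) != std::string::npos;
}
}  // namespace

// Scores the events issued by `pid` in `trace` (other pids are ignored).
Verdict score_trace(uint32_t pid, const std::vector<Event>& trace) {
    Verdict v;
    std::map<uint32_t, TargetState> targets;
    auto hit = [&](int points, const std::string& why) {
        v.score += points;
        v.reasons.push_back(why);
    };
    for (const Event& e : trace) {
        if (e.pid != pid) continue;
        const bool foreign = e.target != 0 && e.target != pid;

        // Injection activity: open -> write/map -> run on a foreign process.
        if (foreign) {
            TargetState& t = targets[e.target];
            const std::string tgt = std::to_string(e.target);
            if (e.api == "NtOpenProcess") t.opened = true;
            else if (e.api == "NtWriteVirtualMemory" || e.api == "NtMapViewOfSection") t.wrote = true;
            else if (e.api == "NtCreateThread" || e.api == "NtCreateThreadEx" ||
                     e.api == "NtQueueApcThread" || e.api == "NtQueueApcThreadEx") t.ran = true;
            else if (e.api == "NtProtectVirtualMemory" && contains(e.detail, "EXECUTE"))
                hit(15, "made foreign memory executable in pid " + tgt);
            else if (e.api == "NtTerminateProcess")
                hit(10, "terminated foreign pid " + tgt);
            if (t.opened && t.wrote && t.ran && !t.scored) {  // chain completed once
                t.scored = true;
                hit(60, "remote code injection into pid " + tgt);
            }
        }
        // File activity: raw disk (MBR/VBR) writes and tampering with System32.
        if (e.api == "NtWriteFile") {
            if (contains(e.detail, "PhysicalDrive")) hit(50, "raw disk write to " + e.detail);
            else if (contains(e.detail, "\\System32\\")) hit(15, "wrote into System32: " + e.detail);
        }
        if (e.api == "NtDeleteFile" && contains(e.detail, "\\System32\\"))
            hit(15, "deleted from System32: " + e.detail);
        // Registry activity (event name assumed; a CmRegisterCallback notification would feed it).
        if (e.api == "RegistrySetValue" && contains(e.detail, "\\CurrentVersion\\Run"))
            hit(25, "run-key persistence: " + e.detail);
        // Driver installation.
        if (e.api == "NtLoadDriver") hit(30, "loaded kernel driver " + e.detail);
    }
    return v;
}

// Constructed sample trace: pid 1000 edits a document, pid 2000 injects into
// pid 4321 and adds a Run key. Not captured from a real system.
std::vector<Event> sample_trace() {
    return {
        {1000, "NtOpenFile",             0,    "C:\\Users\\a\\Documents\\notes.txt"},
        {1000, "NtReadFile",             0,    "C:\\Users\\a\\Documents\\notes.txt"},
        {2000, "NtOpenProcess",          4321, ""},
        {2000, "NtAllocateVirtualMemory",4321, "PAGE_READWRITE"},
        {1000, "NtWriteFile",            0,    "C:\\Users\\a\\Documents\\notes.txt"},
        {2000, "NtWriteVirtualMemory",   4321, ""},
        {2000, "NtProtectVirtualMemory", 4321, "PAGE_EXECUTE_READ"},
        {2000, "NtCreateThreadEx",       4321, ""},
        {2000, "RegistrySetValue",       0,    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"},
    };
}

int main() {
    for (uint32_t pid : {1000u, 2000u}) {
        Verdict v = score_trace(pid, sample_trace());
        std::cout << "pid " << pid << " score=" << v.score
                  << (v.malicious() ? " MALICIOUS" : " clean") << '\n';
        for (const auto& r : v.reasons) std::cout << "  - " << r << '\n';
    }
    return 0;
}
```

The chain rule fires once per target only when all three stages are seen, so a debugger that opens and writes a process without starting a thread in it scores nothing from that rule; the lighter per-call points (executable protection change, foreign termination) are what separate "suspicious" from "confirmed" in this layout, and the weights are the part you would tune against real traces.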