How does antivirus software disinfect malicious files???

closed account (3hMz8vqX)
Can you please give me links to huge articles on heuristic detection or a good explanation, please??? :)
@Aravind333 - It really looks like you're way out of your depth here. If you were good enough at programming for this stuff to matter to you in any way, you would not still be on this thread asking this question. In fact, this thread probably would have never started.

Sorry, but you are too far ahead of yourself.


OrionMaster was dead right with this.

Go and learn the appropriate parts of Windows API, write some code and understand. Write some heuristics, watch them in action. Then ask yourself this question again and you will perhaps be able to answer.
closed account (13bSLyTq)
This is a bit like a carpenter seeing his company make beautiful wooden houses, so the carpenter spends many holidays trying to master the skill of building beautiful houses. After a few months he comes back boasting about his skill to his co-workers, and then they all have to go to a house to fix something.

Then the co-workers say to the carpenter, "Show me your skill", and he complains: "I am not building a house, so I cannot show you my skill."

The moral of this story is that one must have the skill in the smaller topics to aim for the bigger topic.

This thread is a prime example of my saying in action. LOL
closed account (3hMz8vqX)
Can you tell me more on heuristics...?
This thread is getting long!:)
closed account (13bSLyTq)
Told you already:

Hi,

You are asking too broad of a question. I will try my best to answer your question.

Heuristic development in an AV solution requires you to understand how malware behaves in general and the APIs it exploits in order to perform its malicious deeds. In short, heuristics in an AV solution are basically about building a picture of how the process works.

To follow this and provide more detail, check for common Malware behaviour:

- Injection Activity
- Network Activity
- Registry Activity
- File Activity

Further tracking includes:
- MBR\VBR monitoring
- System Driver Installation

To expand on this even further: tracking these behaviours requires you to intercept the key APIs used by malware by placing hooks on the common APIs.

I have included a few common APIs that malware uses, so hooking them would be ideal:

1. NtDuplicateObject
2. NtTerminateProcess
3. NtOpenProcess
4. NtMapViewOfSection
5. NtUnmapViewOfSection
6. NtOpenSection
7. NtAllocateVirtualMemory
8. NtWriteVirtualMemory
9. NtProtectVirtualMemory
10. NtCreateThread
11. NtCreateThreadEx (Vista+)
12. NtQueueApcThread
13. NtQueueApcThreadEx
14. NtOpenFile
15. NtDeleteFile
16. NtWriteFile
17. NtReadFile

In addition, Windows contains useful functions which can be called to build or acquire vital pieces of information, which can help track malware on the system.

1. CmRegisterCallback (Receive notifications on virtually all registry events.)
2. PsSetCreateProcessNotifyRoutine (For new/terminating process notification)


To make this job easier and more effective, I advise you to place a hook on KiFastSystemCall (on x86 machines only).
As for x64 machines, you can either place a hook on X86SwitchTo64BitMode or, if you wish to hook even lower, hook Wow64SystemServicesEx (available in x86 processes only, but using x64 DLL loading); this would make it almost impossible to bypass.

Moreover, those functions have access to all NT system calls, therefore you can hook the entire userland by placing a hook on one function.

Lastly, I would recommend monitoring the MBR\VBR, since if malware subverts the MBR\VBR, everything is untrusted.

To hook KiFastSystemCall, visit my blog to get the complete source code:

http://codeempire.blogspot.co.uk/2013/10/hooking-x86-system-call-stub.html

As for the other functions, I am going to be posting them soon.

GL
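The post above describes heuristics as "building a picture of how the process works" from hooked NT calls. The following is an added example, not code from the thread or from the poster's blog: a toy behaviour scorer in C that consumes a trace of the kind a hook on NtOpenProcess, NtAllocateVirtualMemory, NtWriteVirtualMemory and NtCreateThreadEx/NtQueueApcThread would emit, and recognises the classic remote-injection chain (open a foreign process, allocate in it, write into it, start a thread in it) as a single pattern rather than as four unrelated calls. The Event record, the score weights and the two sample traces are all constructed assumptions for illustration; a real engine would fill the trace from its hooks and tune weights against real samples.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One record a system-call hook would emit (assumed layout, constructed here). */
typedef struct {
    int pid;            /* process that made the call */
    const char *api;    /* NT API name as seen by the hook */
    int target;         /* pid the operated-on handle refers to; 0 = none/self */
} Event;

/* Per-process "picture" of what has been observed so far. */
typedef struct {
    int pid;
    int opened_foreign;     /* NtOpenProcess on another process */
    int allocated_foreign;  /* NtAllocateVirtualMemory inside that process */
    int wrote_foreign;      /* NtWriteVirtualMemory into it */
    int score;
} ProcState;

#define MAX_PROCS 32
#define INJECTION_SCORE 100   /* full Open -> Alloc -> Write -> Thread chain */

/* Find or create the state entry for a pid. */
static ProcState *state_for(ProcState *tbl, int *n, int pid)
{
    for (int i = 0; i < *n; i++)
        if (tbl[i].pid == pid)
            return &tbl[i];
    if (*n >= MAX_PROCS)
        return NULL;
    ProcState *s = &tbl[(*n)++];
    memset(s, 0, sizeof *s);
    s->pid = pid;
    return s;
}

static int foreign(const Event *e) { return e->target != 0 && e->target != e->pid; }

/* Fold one hooked call into the caller's state. Each step of the injection
 * chain only scores if the previous step was already seen, so an isolated
 * NtWriteVirtualMemory (or a process writing to itself) contributes nothing. */
static void apply_event(ProcState *tbl, int *n, const Event *e)
{
    ProcState *s = state_for(tbl, n, e->pid);
    if (!s) return;
    if (!strcmp(e->api, "NtOpenProcess") && foreign(e)) {
        s->opened_foreign = 1; s->score += 10;
    } else if (!strcmp(e->api, "NtAllocateVirtualMemory") && foreign(e) && s->opened_foreign) {
        s->allocated_foreign = 1; s->score += 20;
    } else if (!strcmp(e->api, "NtWriteVirtualMemory") && foreign(e) && s->allocated_foreign) {
        s->wrote_foreign = 1; s->score += 30;
    } else if ((!strcmp(e->api, "NtCreateThreadEx") || !strcmp(e->api, "NtQueueApcThread"))
               && foreign(e) && s->wrote_foreign) {
        s->score += 40;   /* chain complete: remote code injection */
    } else if (!strcmp(e->api, "NtDeleteFile")) {
        s->score += 5;    /* cleanup/self-deletion: mildly suspicious on its own */
    }
}

/* Replay a trace and return the accumulated score for one pid. */
int score_trace(const Event *trace, size_t count, int pid)
{
    ProcState tbl[MAX_PROCS];
    int n = 0;
    for (size_t i = 0; i < count; i++)
        apply_event(tbl, &n, &trace[i]);
    ProcState *s = state_for(tbl, &n, pid);
    return s ? s->score : 0;
}

int is_injection(const Event *trace, size_t count, int pid)
{
    return score_trace(trace, count, pid) >= INJECTION_SCORE;
}

/* Constructed traces: pid 1000 injects into pid 2000; pid 3000 is a benign
 * editor that also happens to open a handle to another process. */
const Event injector_trace[] = {
    {1000, "NtOpenProcess",           2000},
    {1000, "NtAllocateVirtualMemory", 2000},
    {1000, "NtWriteVirtualMemory",    2000},
    {1000, "NtCreateThreadEx",        2000},
};
const size_t injector_trace_len = sizeof injector_trace / sizeof injector_trace[0];

const Event benign_trace[] = {
    {3000, "NtOpenFile",              0},
    {3000, "NtReadFile",              0},
    {3000, "NtAllocateVirtualMemory", 0},     /* own address space */
    {3000, "NtWriteFile",             0},
    {3000, "NtOpenProcess",           4000},  /* e.g. a task viewer querying */
};
const size_t benign_trace_len = sizeof benign_trace / sizeof benign_trace[0];

int main(void)
{
    printf("pid 1000 score %d injection=%d\n",
           score_trace(injector_trace, injector_trace_len, 1000),
           is_injection(injector_trace, injector_trace_len, 1000));
    printf("pid 3000 score %d injection=%d\n",
           score_trace(benign_trace, benign_trace_len, 3000),
           is_injection(benign_trace, benign_trace_len, 3000));
    return 0;
}
```

The point of the ordering checks is the difference between signature-style matching on single APIs and a heuristic: every call in the injector trace is also made by legitimate software, and only the sequence against a foreign process is what makes it suspicious. The same structure extends to the other behaviours listed in the post (file, registry, network, driver installation) by adding flags and weights per chain.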