helderc Posted January 26, 2015
Does anybody know how to reverse Kaspersky virus signatures? I have been looking for something like that in the leaked source code, but it's huge and I couldn't find anything. Comments are welcome!
simple Posted January 26, 2015 (edited)
If you're getting false positives, all they do is say "if this call comes after that call and is x bytes apart - flag"... there's no need to spend time reversing, etc. when all you do is change the code base a little.

edit - downloaded it and had a look, yes it's a big project but their coders write more comments than code. Run the command grep --include=\*.{c,h} -rnw '/directory/sources/' -e "DriverEntry" - this will show you the few drivers they use; from there you can see all the self-protections, what hashes, IOCTLs, how EXEs get blocked (filter driver), etc. There are also several .doc files showing what API calls trigger which detections, etc. What are you looking for exactly?
Edited January 27, 2015 by simple
helderc Posted February 2, 2015 (Author)
My intention is, in some way, to get the signatures and their respective virus names inside the def files and put them into ClamAV definitions. Doing that, ClamAV will identify as many viruses as KAV, and the virus names will be the same as well. I'm a malware collector, and the best tool to sort a collection, even to identify duplicates, is to scan the whole collection with a good AV. In the past we used to use KAV 4.5, but it is very old for the new technologies.
simple Posted February 7, 2015
Then do what I said to find the hashing code in the driver, then write a script to search for strings of the hashes' length. Like I told you, most AVs search for call sequences, not hash comparisons, as it's much faster. Just don't expect any of this to stop/identify malware.
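An added example (not code from anyone in this thread) of the ClamAV side of what helderc describes: hash-and-name records written out as ClamAV .hdb lines (MD5:FileSize:MalwareName), a scan of a collection against them, and duplicate detection by hash; the 32-hex-character token search follows simple's suggestion of looking for strings of the hash's length. The sample files, hashes and detection names below are constructed placeholders, not records from any vendor's database.

```python
import hashlib
import re

# Constructed stand-ins for files in a sample collection (content is arbitrary).
SAMPLES = {
    "one.bin": b"abc",
    "two.bin": b"hello",
    "three.bin": b"abc",   # byte-for-byte duplicate of one.bin
}

# Constructed (md5, size, name) records; the names are placeholders, not real
# detection names from any vendor's database.
RECORDS = [
    ("900150983cd24fb0d6963f7d28e17f72", 3, "Example.Test-A"),
    ("5d41402abc4b2a76b9719d911017c592", 5, "Example.Test-B"),
]

MD5_TOKEN = re.compile(r"\b[0-9a-fA-F]{32}\b")


def extract_md5_tokens(dump):
    """Pull every 32-hex-character token (MD5 length) out of a text dump."""
    return [t.lower() for t in MD5_TOKEN.findall(dump)]


def records_to_hdb(records):
    """Emit ClamAV .hdb lines in the form MD5:FileSize:MalwareName."""
    return ["%s:%d:%s" % (h.lower(), size, name) for h, size, name in records]


def parse_hdb(lines):
    """Index .hdb lines by (md5, size); ClamAV matches on both fields."""
    db = {}
    for line in lines:
        h, size, name = line.strip().split(":", 2)
        db[(h.lower(), int(size))] = name
    return db


def scan(samples, db):
    """Return {filename: detection name or None} for a collection."""
    return {fname: db.get((hashlib.md5(data).hexdigest(), len(data)))
            for fname, data in samples.items()}


def find_duplicates(samples):
    """Group filenames by MD5 and keep only groups with more than one file."""
    groups = {}
    for fname, data in samples.items():
        groups.setdefault(hashlib.md5(data).hexdigest(), []).append(fname)
    return {h: names for h, names in groups.items() if len(names) > 1}
```

Writing the lines from records_to_hdb to a file with an .hdb extension in ClamAV's database directory is enough for clamscan to load them, which is how the recovered names would end up as ClamAV's own.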
cLn Posted November 17, 2015 (edited)
Hello. First of all, I am new to the forum; besides, my English is very bad, I use Google Translator to communicate with you. Sorry to revive the issue, but I think it serves like this...
On http://z0mbie.daemonlab.org/, in the AV-related section, there are tools which can serve you for what you are looking for:
AVPX 3.30 .avc unpacker
AVP4 .SRU files (secret stuff)
UNP_VDB - based .vdb 1.02 unpacker
Even though old, they will serve to think about what you want, but I tried it once, was rolling with the result and left it be, as you know more and I served.
Cheers
Edited November 17, 2015 by cLn