Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Featured Replies

Posted

Does anybody know how to reverse Kaspersky virus signatures?

I have been looking for something like that in the leaked source code, but it's huge and I couldn't find anything.

Comments are welcome!

If you're getting false positives, all they do is say "if this call comes after that call and is x bytes apart - flag"... there's no need to spend time reversing, etc. when all u do is change the code base a little.

edit - downloaded it and had a look, yes it's a big project but their coders write more comments than code. Run the command grep --include=\*.{c,h} -rnw '/directory/sources/' -e "DriverEntry" - this will show u the few drivers they use; from there u can see all self protections, what hashes, ioctls, how exes get blocked (filter driver), etc. There are also several .doc files showing what API calls trigger which detections, etc. What r u looking for exactly?

Edited by simple

  • Author

My intention is, in some way, to get the signatures and their respective virus names inside the def files and put them in ClamAV definitions.

Doing that, ClamAV will identify as many viruses as KAV, and the virus names will be the same as well.

I'm a malware collector, and the best tool to sort a collection, even to identify duplicates, is to scan the whole collection with a good AV. In the past we used to use KAV 4.5, but it is very old for the new technologies.
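What the ClamAV side of that plan looks like in practice, as an added example (this is not the poster's code and nothing here comes from the leaked source): ClamAV's hash database (.hdb) format is one line per file, MD5:FileSize:MalwareName, which is the same thing sigtool --md5 prints for a file. The script below hashes a constructed in-memory "collection", reports byte-identical duplicates, emits .hdb lines using whatever detection names you have, and validates the lines before they are written. The sample bytes, file names and family labels are all constructed for the example.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample "collection": file name -> contents. These are invented byte
# strings for the example, not real malware samples.
SAMPLES = {
    "sample_a.bin": b"MZ\x90\x00" + b"A" * 60,
    "sample_a_copy.bin": b"MZ\x90\x00" + b"A" * 60,  # byte-identical duplicate of sample_a
    "sample_b.bin": b"MZ\x90\x00" + b"B" * 60,
    "sample_c.bin": b"MZ\x90\x00" + b"C" * 28,       # no label assigned below
}

# Hypothetical detection names the collector wants ClamAV to report (constructed).
LABELS = {
    "sample_a.bin": "Example.Family.A",
    "sample_b.bin": "Example.Family.B",
}

# ClamAV .hdb line: <MD5 hex>:<file size or *>:<name>. Names may not contain ':' or whitespace.
HDB_LINE = re.compile(r"^[0-9a-f]{32}:(\d+|\*):[^:\s]+$")


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def find_duplicates(samples: dict) -> dict:
    """Group byte-identical files by MD5. Returns {md5: [names]} only for groups with >1 member."""
    groups = defaultdict(list)
    for name, data in samples.items():
        groups[md5_hex(data)].append(name)
    return {h: sorted(names) for h, names in groups.items() if len(names) > 1}


def build_hdb(samples: dict, labels: dict) -> list:
    """Return ClamAV .hdb lines, one per unique MD5.

    The name is the first label found among the files sharing that hash; unlabeled
    hashes get a placeholder name so they are still detected and can be renamed later.
    """
    by_hash = defaultdict(list)
    for name in sorted(samples):
        by_hash[md5_hex(samples[name])].append(name)

    lines = []
    for h, names in sorted(by_hash.items()):
        size = len(samples[names[0]])
        label = next((labels[n] for n in names if n in labels), f"Unlabeled.MD5.{h[:8]}")
        if re.search(r"[:\s]", label):
            raise ValueError(f"invalid ClamAV signature name: {label!r}")
        line = f"{h}:{size}:{label}"
        if not HDB_LINE.match(line):
            raise ValueError(f"generated a malformed .hdb line: {line!r}")
        lines.append(line)
    return lines


def parse_hdb(lines) -> list:
    """Validate .hdb lines and parse them into (md5, size, name); size is None for '*'."""
    parsed = []
    for ln in lines:
        if not HDB_LINE.match(ln):
            raise ValueError(f"malformed .hdb line: {ln!r}")
        h, size, name = ln.split(":", 2)
        parsed.append((h, None if size == "*" else int(size), name))
    return parsed


if __name__ == "__main__":
    for h, names in find_duplicates(SAMPLES).items():
        print(f"duplicate {h}: {', '.join(names)}")
    for line in build_hdb(SAMPLES, LABELS):
        print(line)
```

Write the lines to a file ending in .hdb and point clamscan at it with -d to scan with it alongside or instead of the stock database. Keep in mind what a hash signature is: it matches only byte-identical files, so it is good for deduplicating and naming a collection but will not catch a repacked or modified variant.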

Then do what I said to find the hashing code in the driver, then write a script to search for strings of the hashes' length. Like I told u, most AVs search for call sequences, not hash comparisons, as it's much faster. Just don't expect any of this to stop/identify malware.

  • 9 months later...

Hello. First of all, I am new to the forum; besides, my English is very bad, I use Google Translator to communicate with you.

Sorry to revive the issue, but I think it serves like this... At http://z0mbie.daemonlab.org/ , in the AV section, there are tools which can serve you for what you are looking for:

AVPX 3.30 .avc unpacker
AVP4 .SRU files (secret stuff)
UNP_VDB - based .vdb 1.02 unpacker

Even if old, they will serve to think about what you want, but I tried it once, was rolling with the result and left it be, as you know more and I served.

Cheers

Edited by cLn
