Tuts 4 You

Reverse Kaspersky Virus Signatures


helderc


Does anybody know how to reverse Kaspersky virus signatures?




I have been looking for something like that in the leaked source code, but it's huge and I couldn't find anything.




Comments are welcome!



If you're getting false positives, all they do is say "if this call comes after that call and is x bytes apart - flag"... there's no need to spend time reversing, etc when all u do is change the code base a little.




edit - downloaded it and had a look, yes it's a big project but their coders write more comments than code. run command - grep --include=\*.{c,h} -rnw '/directory/sources/' -e "DriverEntry" - this will show u the few drivers they use, from there u can see all self protections, what hashes, ioctls, how exe get blocked (filter driver), etc. there's also several .doc files showing what api calls trigger which detections, etc. What r u looking for exactly?

Edited by simple

My intention is, in some way, to get the signatures and their respective virus names from inside the def files and put them in ClamAV definitions.


Doing that, ClamAV will identify as many viruses as KAV, and the virus names will be the same as well.




I'm a malware collector, and the best tool to sort a collection, or even to identify duplicates, is to scan the whole collection with a good AV. In the past we used to use KAV 4.5, but it is very old for the new technologies.


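The goal described above (hash-based signatures that also expose duplicates in a collection) maps directly onto ClamAV's own hash-signature format, where each `.hdb` line is `md5:filesize:name`. The following is an added example, not code from this thread or from ClamAV: it builds such lines from a set of samples, records duplicates by hash, and checks the result by parsing and matching the lines back. The sample bytes and names are constructed for the demonstration.

```python
import hashlib
from collections import defaultdict

def md5_hex(data: bytes) -> str:
    """Hex MD5 of a sample's bytes, the HashString field of a ClamAV .hdb line."""
    return hashlib.md5(data).hexdigest()

def build_hdb(samples):
    """samples: iterable of (malware_name, file_bytes).
    Returns (hdb_lines, duplicates): one 'md5:size:name' line per unique hash,
    plus a map from the first label seen to the labels of identical files."""
    first_seen = {}
    duplicates = defaultdict(list)
    lines = []
    for name, data in samples:
        digest = md5_hex(data)
        if digest in first_seen:           # same bytes already in the set
            duplicates[first_seen[digest]].append(name)
            continue
        first_seen[digest] = name
        lines.append(f"{digest}:{len(data)}:{name}")
    return lines, dict(duplicates)

def parse_hdb(lines):
    """Parse .hdb lines into {md5: (size_or_None, name)}.
    ClamAV allows '*' in the size field to match any file size."""
    sigs = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, size, name = line.split(":", 2)
        sigs[digest.lower()] = (None if size == "*" else int(size), name)
    return sigs

def match(sigs, data: bytes):
    """Return the signature name that matches the bytes, or None."""
    hit = sigs.get(md5_hex(data))
    if hit is None:
        return None
    size, name = hit
    return name if size is None or size == len(data) else None

# Constructed samples: two identical files under different labels, plus one more.
SAMPLES = [
    ("Constructed.Test.A", b"abc"),
    ("Constructed.Test.A.copy", b"abc"),
    ("Constructed.Test.B", b"x" * 10),
]

if __name__ == "__main__":
    hdb_lines, dups = build_hdb(SAMPLES)
    print("\n".join(hdb_lines))
    print("duplicates:", dups)
```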

Then do what I said to find the hashing code in the driver, then write a script to search for strings of the hashes' length. Like I told u, most AVs search for call sequences, not hash comparisons, as it's much faster. Just don't expect any of this to stop/identify malware.



  • 9 months later...

Hello. First of all, I am new to the forum; besides, my English is very bad, I use Google Translate to communicate with you. Sorry to revive the issue, but I think it serves like this... In http://z0mbie.daemonlab.org/, related to the AV section, there are tools which can serve you for what you are looking for:

AVPX 3.30 .avc unpacker
AVP4 .SRU files (secret stuff)
UNP_VDB - based .vdb 1.02 unpacker

Even old, they will serve to think what you want, but I tried it once, was rolling with the result and left it be, as you know more and I served. Cheers

Edited by cLn