Tuts 4 You
MacMike

Want to develop Antivirus

MacMike

Hello Everyone,

I am almost finished learning algorithms in the C programming language. My goal is to develop antivirus software.

My question is: where should I start?
I am looking for your valuable opinion.

Thanks 

Kurapica

Man, I love you, in a manly way of course !

What you mentioned that you have learned is not enough to do that, you need more

experience before jumping to a complicated project like an AV.

Edited by Kurapica (see edit history)
  • Like 1

atom0s

You have a long way to go before you will even come close to writing any type of anti-virus that has any real usage/purpose. Simple understandings of C are not going to get you that far. 

You need to have a very good understanding of a low-level language such as C and C++ in general and ASM. Along with that, you need to take the time to really learn the inner workings of Windows and the much lower level aspects of the OS. Your AV is going to need to do kernel level things (drivers), hooks, etc. if you expect to handle any type of real detections and protections today. With how low-level things have gotten with things like rootkits and other forms of virus/malware, doing things in user-mode is never going to be enough.

Based on your post, you are really far from any of this. Take the time to learn what you are doing otherwise you are going to produce garbage that no one will want to use.

  • Like 1

MacMike
2 hours ago, atom0s said:

You have a long way to go before you will even come close to writing any type of anti-virus that has any real usage/purpose. Simple understandings of C are not going to get you that far. 

You need to have a very good understanding of a low-level language such as C and C++ in general and ASM. Along with that, you need to take the time to really learn the inner workings of Windows and the much lower level aspects of the OS. Your AV is going to need to do kernel level things (drivers), hooks, etc. if you expect to handle any type of real detections and protections today. With how low-level things have gotten with things like rootkits and other forms of virus/malware, doing things in user-mode is never going to be enough.

Based on your post, you are really far from any of this. Take the time to learn what you are doing otherwise you are going to produce garbage that no one will want to use.

I think I must finish algorithms and data structures first and then learn the internals of Windows.

Edited by MacMike (see edit history)
  • Confused 1

evlncrn8

Did you read ANY of what atom0s or Kurapica said at all? Finishing your data structures and algorithms is POINTLESS, as it will most likely change once you learn more C/C++, ASM, drivers, and OS internals.

Also bear in mind that there are already very good antivirus products out there, so how on earth do you think you'll even be able to compete with those? Don't run before you can walk.

Edited by evlncrn8 (see edit history)

MacMike

What if I reverse engineer an existing antivirus and develop my own?
Thanks for your comment.

Edited by MacMike (see edit history)
  • Confused 1

Kurapica
11 hours ago, MacMike said:

What if I reverse engineer an existing antivirus and develop my own?
Thanks for your comment.

I think it's the best idea, you can later share your findings with the rest of the community, I'm sure we can learn from this.

  • Like 1

MacMike
26 minutes ago, Kurapica said:

I think it's the best idea, you can later share your findings with the rest of the community, I'm sure we can learn from this.

Sure, thanks. Meanwhile, if I need any help I will post here.
Thanks

Peter Ferrie

This is a worthy idea and should be encouraged.

To write a simple anti-virus program requires only some checksumming or pattern-matching.

You can checksum an entire file and compare the sum to a list of known bad sums, and report if you find a match.  However, this will detect only that single file and will miss all variants of it.

You can use pattern-matching to look for sequences of bytes in the file, and report if you find a match.  This will detect some variants of the file, if only other bytes are changed.

This will get you started.  As you add more sums and patterns, you'll see that the performance degrades quickly.  At that point, you might begin to research different ways to perform multiple pattern-matching simultaneously, instead of one-at-a-time.

Pattern-matching can be made faster if you parse the file format to locate specific areas of interest (like the entrypoint of the file, for example).

There are also checksumming algorithms that are faster but weaker - there can be many common files that have the same sum - or slower but stronger (fewer files found easily with the same sum).

  • Like 2
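An added example in C (not code from any post in this thread) of the two detection methods described above: a whole-file checksum compared against a list of known-bad sums, and a byte-pattern scan with wildcards, first one pattern at a time and then with a simple first-byte index so that many patterns are consulted only where they could match. The sample buffer, the patterns and the "known bad" sum are constructed for the demo; FNV-1a is used as the checksum, and the first-byte index stands in for a full multi-pattern algorithm such as Aho-Corasick.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Whole-file checksum (FNV-1a, 64-bit). Fast, but any changed byte gives a
   different sum, so a list of bad sums catches only the exact file. */
uint64_t checksum_fnv1a(const uint8_t *buf, size_t len) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= buf[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

int sum_is_known_bad(uint64_t sum, const uint64_t *bad, size_t nbad) {
    for (size_t i = 0; i < nbad; i++)
        if (bad[i] == sum) return 1;
    return 0;
}

/* Byte pattern with wildcards: mask[i] == 0 means "any byte" at position i. */
typedef struct {
    const char *name;
    const uint8_t *bytes;
    const uint8_t *mask;
    size_t len;
} pattern_t;

static int match_at(const uint8_t *buf, size_t len, size_t off, const pattern_t *p) {
    if (off + p->len > len) return 0;
    for (size_t i = 0; i < p->len; i++)
        if (p->mask[i] && buf[off + i] != p->bytes[i]) return 0;
    return 1;
}

/* One-at-a-time: every pattern is tried at every offset, so the cost grows
   with the number of patterns. This is the slowdown the post describes. */
int scan_naive(const uint8_t *buf, size_t len, const pattern_t *pats, size_t npat) {
    int hits = 0;
    for (size_t off = 0; off < len; off++)
        for (size_t k = 0; k < npat; k++)
            if (match_at(buf, len, off, &pats[k])) hits++;
    return hits;
}

/* Simultaneous: bucket patterns by their first byte so each offset consults only
   the patterns that can start there. Real scanners go further (Aho-Corasick);
   this keeps the idea visible. Every pattern must start with a fixed byte. */
#define MAX_PATTERNS 64
int scan_indexed(const uint8_t *buf, size_t len, const pattern_t *pats, size_t npat) {
    size_t head[256] = {0};          /* head[b]: 1-based index of first pattern starting with byte b */
    size_t next[MAX_PATTERNS] = {0}; /* next[k]: 1-based index of the next pattern in the same bucket */
    if (npat > MAX_PATTERNS) return -1;
    for (size_t k = 0; k < npat; k++) {
        if (!pats[k].mask[0]) return -1;       /* wildcard first byte cannot be indexed */
        next[k] = head[pats[k].bytes[0]];
        head[pats[k].bytes[0]] = k + 1;
    }
    int hits = 0;
    for (size_t off = 0; off < len; off++)
        for (size_t k = head[buf[off]]; k; k = next[k - 1])
            if (match_at(buf, len, off, &pats[k - 1])) hits++;
    return hits;
}

/* Constructed sample buffer and patterns for the demo; not taken from any real file. */
static const uint8_t sample[] = {
    0x55, 0x8B, 0xEC, 0x33, 0xC0, 0xE8, 0x10, 0x00, 0x00, 0x00,
    0x90, 0x90, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x20, 0xC3
};
static const uint8_t p1b[] = {0x55, 0x8B, 0xEC},                   p1m[] = {1, 1, 1};
static const uint8_t p2b[] = {0xE8, 0x00, 0x00, 0x00, 0x00, 0x90}, p2m[] = {1, 0, 0, 0, 0, 1};
static const pattern_t demo_pats[] = {
    {"push ebp; mov ebp,esp", p1b, p1m, sizeof p1b},   /* matches at offsets 0 and 12 */
    {"call rel32; nop",       p2b, p2m, sizeof p2b},   /* matches at offset 5 */
};

int demo_scan_naive(void)   { return scan_naive(sample, sizeof sample, demo_pats, 2); }
int demo_scan_indexed(void) { return scan_indexed(sample, sizeof sample, demo_pats, 2); }

/* The weakness of whole-file sums: a variant with one byte flipped is missed. */
int demo_checksum_misses_variant(void) {
    uint8_t variant[sizeof sample];
    for (size_t i = 0; i < sizeof sample; i++) variant[i] = sample[i];
    variant[sizeof sample - 1] ^= 0x01;
    uint64_t bad[1] = { checksum_fnv1a(sample, sizeof sample) };
    return sum_is_known_bad(checksum_fnv1a(sample, sizeof sample), bad, 1)
        && !sum_is_known_bad(checksum_fnv1a(variant, sizeof variant), bad, 1);
}

int main(void) {
    printf("naive=%d indexed=%d variant-missed=%d\n",
           demo_scan_naive(), demo_scan_indexed(), demo_checksum_misses_variant());
    return 0;
}
```

Both scans report the same three hits; the wildcard pattern still finds the call even though its relative offset differs from the pattern's placeholder bytes, which is the "some variants" case from the post, while the checksum list fails on a single flipped byte.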
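A second added example in C (again not from any post here) for the point about parsing the file format to locate areas of interest: a minimal PE parser that follows e_lfanew to the PE header, reads AddressOfEntryPoint from the optional header, maps that RVA through the section table to a file offset, and compares only the bytes found there. The PE image is constructed in memory by the code itself; the field offsets are the documented PE32/PE32+ layout, and every read is bounds-checked so a truncated file is rejected rather than read past its end.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Bounds-checked little-endian reads; offsets are 64-bit so additions cannot wrap. */
static int rd16(const uint8_t *b, size_t len, uint64_t off, uint32_t *out) {
    if (off + 2 > len) return 0;
    *out = (uint32_t)b[off] | ((uint32_t)b[off + 1] << 8);
    return 1;
}
static int rd32(const uint8_t *b, size_t len, uint64_t off, uint32_t *out) {
    if (off + 4 > len) return 0;
    *out = (uint32_t)b[off] | ((uint32_t)b[off + 1] << 8) |
           ((uint32_t)b[off + 2] << 16) | ((uint32_t)b[off + 3] << 24);
    return 1;
}

/* File offset of the entry point, or -1 if the image is not a well-formed PE
   or the entry RVA falls outside every section's raw data. */
long pe_entry_file_offset(const uint8_t *b, size_t len) {
    uint32_t lfanew, sig, nsec, optsize, magic, ep;
    if (len < 0x40 || b[0] != 'M' || b[1] != 'Z') return -1;
    if (!rd32(b, len, 0x3C, &lfanew)) return -1;                     /* e_lfanew */
    if (!rd32(b, len, lfanew, &sig) || sig != 0x00004550u) return -1; /* "PE\0\0" */
    uint64_t coff = (uint64_t)lfanew + 4;                             /* COFF file header */
    if (!rd16(b, len, coff + 2, &nsec) || !rd16(b, len, coff + 16, &optsize)) return -1;
    uint64_t opt = coff + 20;                                         /* optional header */
    if (!rd16(b, len, opt, &magic) || (magic != 0x10b && magic != 0x20b)) return -1;
    if (!rd32(b, len, opt + 16, &ep)) return -1;  /* AddressOfEntryPoint, same offset in PE32 and PE32+ */
    uint64_t sec = opt + optsize;                                     /* first section header */
    for (uint32_t i = 0; i < nsec; i++, sec += 40) {
        uint32_t va, rawsize, rawptr;
        if (!rd32(b, len, sec + 12, &va) || !rd32(b, len, sec + 16, &rawsize) ||
            !rd32(b, len, sec + 20, &rawptr)) return -1;
        if (ep >= va && ep - va < rawsize) {
            uint64_t off = (uint64_t)rawptr + (ep - va);
            return off < len ? (long)off : -1;
        }
    }
    return -1;
}

static void put16(uint8_t *b, size_t off, uint16_t v) { b[off] = (uint8_t)v; b[off + 1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *b, size_t off, uint32_t v) { put16(b, off, (uint16_t)v); put16(b, off + 2, (uint16_t)(v >> 16)); }

static const uint8_t prologue[] = {0x55, 0x8B, 0xEC};   /* push ebp; mov ebp,esp */

/* Constructed minimal PE32 image (not a real file): one .text section mapped at
   RVA 0x1000 from file offset 0x200, entry point at RVA 0x1010. */
size_t build_sample_pe(uint8_t *b, size_t cap) {
    if (cap < 0x400) return 0;
    memset(b, 0, 0x400);
    b[0] = 'M'; b[1] = 'Z';
    put32(b, 0x3C, 0x40);          /* e_lfanew */
    put32(b, 0x40, 0x00004550u);   /* "PE\0\0" */
    put16(b, 0x44, 0x14c);         /* Machine: i386 */
    put16(b, 0x46, 1);             /* NumberOfSections */
    put16(b, 0x54, 0xE0);          /* SizeOfOptionalHeader for PE32 */
    put16(b, 0x58, 0x10b);         /* Magic: PE32 */
    put32(b, 0x68, 0x1010);        /* AddressOfEntryPoint */
    size_t sec = 0x58 + 0xE0;      /* section table at 0x138 */
    memcpy(b + sec, ".text", 5);
    put32(b, sec + 8, 0x100);      /* VirtualSize */
    put32(b, sec + 12, 0x1000);    /* VirtualAddress */
    put32(b, sec + 16, 0x200);     /* SizeOfRawData */
    put32(b, sec + 20, 0x200);     /* PointerToRawData */
    memcpy(b + 0x210, prologue, sizeof prologue);   /* code at 0x200 + (0x1010 - 0x1000) */
    return 0x400;
}

long demo_entry_offset(void) {
    uint8_t img[0x400];
    size_t n = build_sample_pe(img, sizeof img);
    return pe_entry_file_offset(img, n);
}

/* Only the bytes at the entry point are compared, not the whole file. */
int demo_entry_has_prologue(void) {
    uint8_t img[0x400];
    size_t n = build_sample_pe(img, sizeof img);
    long off = pe_entry_file_offset(img, n);
    if (off < 0 || (size_t)off + sizeof prologue > n) return 0;
    return memcmp(img + off, prologue, sizeof prologue) == 0;
}

/* A file cut off before its section table must be rejected, not read past the end. */
long demo_truncated(void) {
    uint8_t img[0x400];
    build_sample_pe(img, sizeof img);
    return pe_entry_file_offset(img, 0x100);
}

int main(void) {
    printf("entry at file offset 0x%lx, prologue=%d, truncated=%ld\n",
           demo_entry_offset(), demo_entry_has_prologue(), demo_truncated());
    return 0;
}
```

The entry point resolves to file offset 0x210 and the prologue pattern is checked only there, which is what makes this cheaper than scanning the whole file. The truncated case returns -1 because the section-table read fails its bounds check.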

evlncrn8

@Peter Ferrie - are there any CUDA-based scanners? I was considering doing CUDA for pid; I got the loading-PE-into-memory bit done, but then I hit a little hurdle trying to do everything in asm, so delayed it for pid 7.

  • Like 1

DelphiMan

NOTHING IS IMPOSSIBLE, "BUT" YOU NEED A STRONG TEAM WITH HUGE EFFORT AND EXPERIENCE AND A LONG TIME TO SEE THE FIRST RESULTS.

Techlord
5 hours ago, Peter Ferrie said:

This is a worthy idea and should be encouraged.

To write a simple anti-virus program requires only some checksumming or pattern-matching.

You can checksum an entire file and compare the sum to a list of known bad sums, and report if you find a match.  However, this will detect only that single file and will miss all variants of it.

You can use pattern-matching to look for sequences of bytes in the file, and report if you find a match.  This will detect some variants of the file, if only other bytes are changed.

This will get you started.  As you add more sums and patterns, you'll see that the performance degrades quickly.  At that point, you might begin to research different ways to perform multiple pattern-matching simultaneously, instead of one-at-a-time.

Pattern-matching can be made faster if you parse the file format to locate specific areas of interest (like the entrypoint of the file, for example).

There are also checksumming algorithms that are faster but weaker - there can be many common files that have the same sum - or slower but stronger (fewer files found easily with the same sum).

These days, I would say that without proper heuristics checking in place, the AV would be of very limited use. While I agree that pattern matching is still used, it is far less useful than it was several years ago. We also need to implement solutions to bypass malware techniques that would try to shut down the AV processes, and a lot more.

I agree with the general ideas of the others in this thread that creating a new AV software is not something that a beginner should embark upon. If they are doing it for their own learning and understanding then it is fine but not as a commercial venture or to use it in production.

A much better first step would be to dissect existing AV software and see how they function.

Peter Ferrie
On 12/7/2018 at 11:52 AM, evlncrn8 said:

@Peter Ferrie - are there any CUDA-based scanners? I was considering doing CUDA for pid; I got the loading-PE-into-memory bit done, but then I hit a little hurdle trying to do everything in asm, so delayed it for pid 7.

There is a library from Intel for GPU-based string-scanning, but it's specific to Intel GPUs.

There are currently no general-purpose scanners on CUDA.  Yours could be first! 🙂

  • Like 1

Peter Ferrie
On 12/7/2018 at 4:31 PM, Techlord said:

These days, I would say that without proper heuristics checking in place, the AV would be of very limited use. While I agree that pattern matching is still used, it is far less useful than it was several years ago. We also need to implement solutions to bypass malware techniques that would try to shut down the AV processes, and a lot more.

I agree with the general ideas of the others in this thread that creating a new AV software is not something that a beginner should embark upon. If they are doing it for their own learning and understanding then it is fine but not as a commercial venture or to use it in production.

A much better first step would be to dissect existing AV software and see how they function.

A project for the sake of a project is worth writing, regardless of what exists now.  Imagine if Linus had been discouraged by someone because Unix existed already. 🙂

There are many features that modern AVs have, but these were added over time, and the same can be done for this project.  These features become goals, once the base is done.

To dissect existing AV software via anything other than observation of behaviour could prevent someone from inventing something new, because now the ideas are influenced by what was seen.

  • Like 1
