On Sun, 24 Oct 2010 01:11:20 +0200
Amr Thabet <amr.tha...@student.alx.edu.eg> wrote:

> I suggest to add an open source emulator to the application to make
> it run when the md5 scan failed to detect any virus .

Hi,

Thanks for the suggestion.
I think Pokas emulator (or another one) could be used in ClamAV in
the following ways, see the rest of this email for details:
 - "port" it to ClamAV bytecode, i.e. make it compilable by the "ClamAV
   bytecode compiler" (not a trivial task), see:
   http://git.clamav.net/gitweb?p=clamav-bytecode-compiler.git;a=blob_plain;f=docs/user/clambc-user.pdf;hb=HEAD
 - write an emulator that can be used to prototype new detections,
   which can later be implemented in bytecode without the help of the
   emulator
 - write a tool for sigmakers, to help them find malicious code
   sequences faster (or even automatically)
 - write a tool that uses both libclamav and your (or another)
   emulator: it would register itself with libclamav's callbacks, scan
   files, and on executables it would invoke the emulator from
   libclamav. It can then pass back a detection result to libclamav. I
   think this might be the quickest way to get started

There are many ways you can use an emulator in AV, and I think it is
important to choose one:
 - detect trash code
 - detect anti-emulator, VM detection code
 - unpack some simple packed malware
 - unpack both malware, and legit software
 - unpack/emulate enough to reach the actual malicious code (this can be
   quite hard)
 - prototyping new malware detection ideas, that can later be
   implemented directly in libclamav without the emulator, or in
   bytecode

Another decision that needs to be made is where the emulator is used:
 - is it an emulator run by the end-user?
 - is it an emulator run by malware analysts / sigmakers?
 - is it an emulator used by an automated signature creation process?

For ClamAV I think it'd make sense to focus on the prototyping part for
the emulator.

I was actually experimenting with an emulator for the first, 3rd and 6th case
(trash code, simple packed malware, and prototyping).
I used libemu for that purpose. Although it is meant to emulate only
win32 shellcode, it works surprisingly well on startup code of malware
(with some tweaks).
Sure it lacks a PE loader, and some other bits, but that is easy to
write. It worked well enough to unpack a rootkit, and record some API
calls. All that without needing a win32 installation.
I didn't publish the code though, since it is not finished yet, but if
someone considers it would be useful, I could probably do that.

Having said that, I don't mean to integrate that into libclamav anytime
soon, or in fact ever. This kind of emulator can be used to
build some tools for sigmakers, or maybe some automated analyzer in the
future. Not for the end-user.
It would take too much time to emulate each executable this way, not to
mention possible security issues.

However what an emulator would be really good for is quick prototyping
of new detection ideas: You have an idea how to detect malware, you
plug it into the emulator. You run it on malware samples, see how much
it detects. Then you run it on clean (and packed/copy protected)
software. If you see it detects too many, back to the drawing board for
you.

Once you have the algorithm prototyped with the emulator, and if it is
something quite simple, you may implement it using ClamAV's bytecode.
ClamAV has a disassembler, which can be accessed from the bytecode, so
you could write a simple emulator in bytecode, which then processes the
results using the algorithm you prototyped on the real emulator.
That might work. 
Actually I'm already working on one such prototype,
but got caught up in solving bugs for 0.96.4. Will post details about
it once I finish it.

On Sun, 24 Oct 2010 15:29:26 +0200
Amr Thabet <amr.tha...@student.alx.edu.eg> wrote:

> the only problem in Bochs and qemu is they are built for supporting
> full virtualization, so they emulate the hardware and the cpu and

Yes, and they are quite good at that.

> they don't support emulating the operating system

You don't necessarily need or want a full OS emulator in an AV, just
some basics.

> 
> so you need to emulate the operating system (Windows or Linux)
> 
> a good choice you have is Pandora's Bochs, but it's very slow and you
> couldn't use it in an antivirus because you can't run it inside an
> antivirus transparently

Is it available for download?

> 
> Ida-emu could be modified to support running inside an antivirus.
> it's a good choice as it's fast and supports Windows and Linux
> virtualization (emulating Linux and Windows)

That would require a license for IDA Pro, so I don't think it is an
option for ClamAV.

> 
> Pokas emulator is a good choice as it supports conditional breakpoints
> without decreasing the performance and supports many breakpoints. but
> it emulates only Windows

That would be enough. I don't see a point in emulating Linux.

> and a bit slower than ida-emu

I assume you could limit the amount of instructions you emulate,
depending on the purpose of the emulation.

Best regards,
--Edwin
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
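The prototype-then-evaluate loop Edwin describes (plug a detection idea into the emulator, run it over malware samples, then over clean and packed software, and go back to the drawing board if it flags too many) as an added example that is not part of this thread, of ClamAV or of libemu: a "trash code" heuristic scored against constructed instruction traces of the kind an emulator would log. The traces, the junk-ratio threshold and every function name here are assumptions made for the example.

```python
# Added example (not ClamAV/libemu code): prototype a trash-code detection
# idea and measure it against constructed emulator traces, malware vs clean.
def parse_trace(text):
    """Turn lines like 'mov eax,eax' into (mnemonic, operands) tuples."""
    trace = []
    for line in text.strip().splitlines():
        mnem, _, rest = line.strip().partition(" ")
        ops = tuple(o.strip() for o in rest.split(",")) if rest else ()
        trace.append((mnem, ops))
    return trace

# Constructed traces standing in for an emulator's log of a sample's startup
# code; none of these come from real samples.
MALWARE_TRACES = [parse_trace(t) for t in (
    "nop\nmov eax,eax\npush ebx\npop ebx\nxchg ecx,ecx\nadd edx,0\nmov eax,[esp+4]\ncall 0x401000",
    "nop\nnop\nor esi,0\nsub edi,0\npush eax\npop eax\njmp 0x402000",
)]
CLEAN_TRACES = [parse_trace(t) for t in (
    "push ebp\nmov ebp,esp\nsub esp,0x10\nmov eax,[ebp+8]\ncall 0x401050\nleave\nret",
    "pushad\nmov esi,0x402000\nlea edi,[esi-0x1000]\nnop\npush edi\nor ebp,-1\njmp 0x402010",
    "nop\nnop\nnop\npush ebp\nmov ebp,esp\nmov eax,[ebp+8]\nret",  # legit alignment padding
)]

def is_junk(mnem, ops):
    """Single instructions with no effect on register state."""
    if mnem == "nop" or (mnem in ("mov", "xchg") and len(ops) == 2 and ops[0] == ops[1]):
        return True
    return mnem in ("add", "sub", "or") and len(ops) == 2 and ops[1] == "0"

def junk_ratio(trace):
    """Fraction of instructions that are junk; a push X / pop X pair counts as two."""
    junk, i = 0, 0
    while i < len(trace):
        mnem, ops = trace[i]
        if is_junk(mnem, ops):
            junk += 1
        elif mnem == "push" and i + 1 < len(trace) and trace[i + 1] == ("pop", ops):
            junk += 2
            i += 1
        i += 1
    return junk / len(trace) if trace else 0.0

def detect(trace, threshold):
    # The detection idea under test: flag a sample whose junk ratio is too high.
    return junk_ratio(trace) >= threshold

def evaluate(threshold, malware=MALWARE_TRACES, clean=CLEAN_TRACES):
    """Run the idea on both corpora; many false positives means back to the drawing board."""
    detected = sum(detect(t, threshold) for t in malware)
    false_pos = sum(detect(t, threshold) for t in clean)
    return {"detected": detected, "false_positives": false_pos}
```

At a threshold of 0.4 the heuristic catches both constructed malware traces but also flags the clean prologue padded with three nops; raising it to 0.6 keeps the detections and drops the false positive, which is exactly the tuning step the loop above is for.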