Hello Mr. Edwin,

> - "port" it to ClamAV bytecode, i.e. make it compilable by the "ClamAV bytecode compiler" (not a trivial task), see: http://git.clamav.net/gitweb?p=clamav-bytecode-compiler.git;a=blob_plain;f=docs/user/clambc-user.pdf;hb=HEAD

Yeah, I see that it's not a trivial task, but at least it could be done.

> - write a tool for sigmakers, to help them find malicious code sequences faster (or even automatically)

I could help in supporting that. Also Pokas Dbg could help, see this link: https://sourceforge.net/projects/pokasdbg

> There are many ways you can use an emulator in AV, and I think it is important to choose one:
> - detect trash code

Not so good :)

> - detect anti-emulator, VM detection code

Need to make the emulator bypass these types of code.

> - unpack some simple packed malware

I wrote a detection code for win32.Virut.A with pokas emu, at examples\04 in x86emu-src.zip at https://sourceforge.net/projects/x86emu

> - unpack both malware, and legit software
> - unpack/emulate enough to reach the actual malicious code (this can be quite hard)

Yeah, it will take a long time (in some malware), but you don't need to find the entry point, so you will emulate until the Maximum Iterations is reached and then scan the memory with the sig.

> Another decision that needs to be made is where the emulator is used:
> - is it an emulator run by the end-user?

It's a small tool and could be run in any OS. It could run for Windows users easily, and also on Linux with just a copy of (kernel32.dll, user32.dll, ntdll.dll).

> - is it an emulator run by malware analysts / sigmakers?

It's not a stand-alone application, so it's not so flexible to be used by malware analysts / sigmakers, but Pokasdbg helps a lot on this point.

> - is it an emulator used by an automated signature creation process?

Surely (the benefit of this emulator is that it's a dll file (or .so) with many functions that let you control the whole application you emulate and the emulator behavior easily, and do many modifications in it).

I hope to see ClamAV get even better, and I hope you could support an emulator. I also hope you find Pokas Emulator helpful for that. If you decide to choose it, you will find me online with you for any questions.

Also, it has a good reference in x86emu-docs.zip at https://sourceforge.net/projects/x86emu/ and good examples, especially example 04, which has the detection and the disinfection of Virut.A. You could also find it at: http://www.woodmann.com/collaborative/knowledge/images/Bin_Virut.A_Malware_Analysis_Paper_2010-9-3_15.53_Virut.A.rar

I hope that helps. Waiting for your reply.

Thanks

_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net