On Fri, 29 Oct 2010 14:21:40 +0200 Amr Thabet <amr.tha...@student.alx.edu.eg> wrote:
> Hello Mr. Edwin,
>
> - "port" it to ClamAV bytecode, i.e. make it compilable by the "ClamAV
> bytecode compiler" see: (not a trivial task)
> http://git.clamav.net/gitweb?p=clamav-bytecode-compiler.git;a=blob_plain;f=docs/user/clambc-user.pdf;hb=HEAD
>
> Yeah I see that it's not a trivial task but at least it could be done
>
> - write a tool for sigmakers, to help them find malicious code
> sequences faster (or even automatically)
>
> I could help in supporting that also Pokas Dbg could help see this
> link: https://sourceforge.net/projects/pokasdbg

Will have a look this weekend.

> There are many ways you can use an emulator in AV, and I think it is
> important to choose one:
> - detect trash code
>
> not so good :)
>
> - detect anti-emulator, VM detection code
>
> Need to make the emulator bypass these types of code

Or we could just say it's malicious when we find these. Unless it leads to too many FPs.

> - unpack some simple packed malware
>
> I wrote detection code for win32.Virut.A with pokas emu at the
> examples\04 in x86emu-src.zip at
> https://sourceforge.net/projects/x86emu

Thanks, will test it.

> - unpack both malware, and legit software
> - unpack/emulate enough to reach the actual malicious code (this can
> be quite hard)
>
> yeah it will take a long time (in some malware) but you don't need to
> find the entry point so you will emulate until the Maximum Iterations
> is reached and then scan the memory with the sig

Right.

> Another decision that needs to be made is where the emulator is used:
> - is it an emulator run by the end-user?
>
> it's a small tool and could be run in any OS. It could be run by
> Windows users easily, and also Linux with just a copy of
> (kernel32.dll, user32.dll, ntdll.dll)

The real ones, or will wine's version do? Do you need the actual code in them, or just the export tables?

> - is it an emulator run by malware analysts / sigmakers?
>
> it's not a stand-alone application so it's not so flexible to be used
> with malware analysts / sigmakers but Pokasdbg helps a lot in this
> point
>
> - is it an emulator used by an automated signature creation process?
>
> surely (the benefit of this emulator is that it's a dll file (or .so)
> with many functions that let you control the whole application you
> emulate and the emulator behavior easily and do many modifications in
> it)
>
>
> I hope to see ClamAV get better and I hope you could support an
> emulator.

I think I'll write an app that uses libclamav, multiple emulators, and compares their execution. I think contrib/ would be a good place for such an app. Then I'll scan part of our zoo with it, and see how much it can emulate.

> I also hope you find Pokas Emulator helpful for that. If
> you decide to choose it you will find me online with you for any
> questions.

I don't know yet. Looks like I'm hitting some portability issues now:

- missing <cstdio> and <cstring> include (otherwise fails to build with gcc 4.4)

- dbg/dbg.cpp has x86 assembly code, so it won't work on x86-64:
  :71: Error: operand type mismatch for `push'
  Is there a way to disable that part of the code?

- with -m32 the first example works, but the 2nd example tries to execute some code in TestBP. What code is it trying to execute? It wouldn't be wise to execute the malware code on the real CPU ... that's the point of having an emulator in the first place

Program received signal SIGSEGV, Segmentation fault.
0x08078e98 in ?? ()
(gdb) bt
#0  0x08078e98 in ?? ()
#1  0xf7fedd39 in Debugger::TestBp (this=0x806b8c8, num=0, thread=..., ins=0x8078de8) at dbg/dbg.cpp:39
#2  0xf7fedda9 in Debugger::TestBp (this=0x806b8c8, thread=..., ins=0x8078de8) at dbg/dbg.cpp:48
#3  0xf7fe82f9 in Process::emulate (this=0x805fe68) at process.cpp:179
#4  0x08049239 in main (argc=1, argv=0xffffd354) at main.cpp:58

Is your code supposed to work on Linux, or would I be better off testing it on Windows first?

> also it has a good reference in x86emu-docs.zip in
> https://sourceforge.net/projects/x86emu/
>
> and good examples especially example 04 that has the detection and the
> disinfection of Virut.A
>
> also you could find it in:
> http://www.woodmann.com/collaborative/knowledge/images/Bin_Virut.A_Malware_Analysis_Paper_2010-9-3_15.53_Virut.A.rar

Will take a look.

Best regards,
--Edwin
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
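The thread's central idea, "emulate until the Maximum Iterations is reached and then scan the memory with the sig", is easy to see on a deliberately tiny machine. The following is an added example written for this page; it is not code from the thread, from Pokas Emu/x86emu, or from ClamAV. The instruction set, the XOR key, the offsets and the payload string are all constructed for the illustration and have nothing to do with x86 or with Virut.A. The point it shows is the one Amr and Edwin are discussing: a signature that does not exist in the file on disk appears in emulated memory once a decoder loop has run, so the iteration cap decides whether the scan sees the whole signature, part of it, or nothing. Because the toy interpreter never executes guest bytes on the real CPU and contains no inline assembly, it also builds the same way on x86-64 and with -m32, in contrast to the dbg/dbg.cpp problem reported above.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Constructed toy instruction set for this example (not x86, not Pokas Emu's format).
enum Op : uint8_t {
    OP_HALT   = 0x00,  // stop emulation
    OP_SETPTR = 0x01,  // SETPTR imm8 : ptr = imm
    OP_SETCNT = 0x02,  // SETCNT imm8 : cnt = imm
    OP_SETKEY = 0x03,  // SETKEY imm8 : key = imm
    OP_XORMEM = 0x04,  // XORMEM      : mem[ptr] ^= key
    OP_INCPTR = 0x05,  // INCPTR      : ptr++
    OP_DECJNZ = 0x06,  // DECJNZ imm8 : cnt--; if cnt != 0 then ip = imm
};

struct Machine {
    std::vector<uint8_t> mem;              // 256 bytes of guest memory
    size_t ip = 0;                         // instruction pointer
    uint8_t ptr = 0, cnt = 0, key = 0;     // toy registers
    bool halted = false;
    explicit Machine(const std::vector<uint8_t>& image) : mem(image) { mem.resize(256, 0); }
};

// Execute at most max_iterations instructions and return how many ran.
// Stops early on HALT or on an opcode the machine does not know; otherwise it
// simply runs out of budget, which is the "Maximum Iterations" cap of the thread.
size_t emulate(Machine& m, size_t max_iterations) {
    size_t n = 0;
    auto at = [&](size_t i) -> uint8_t& { return m.mem[i & 0xFF]; };  // wrap inside 256 bytes
    while (!m.halted && n < max_iterations) {
        switch (at(m.ip)) {
        case OP_SETPTR: m.ptr = at(m.ip + 1); m.ip += 2; break;
        case OP_SETCNT: m.cnt = at(m.ip + 1); m.ip += 2; break;
        case OP_SETKEY: m.key = at(m.ip + 1); m.ip += 2; break;
        case OP_XORMEM: at(m.ptr) ^= m.key; m.ip += 1; break;
        case OP_INCPTR: ++m.ptr; m.ip += 1; break;
        case OP_DECJNZ: --m.cnt; m.ip = (m.cnt != 0) ? at(m.ip + 1) : m.ip + 2; break;
        case OP_HALT:   m.halted = true; break;
        default:        m.halted = true; break;  // invalid opcode: give up, never run it natively
        }
        ++n;
    }
    return n;
}

// Constructed "packed" image: a decoder loop at offset 0 XORs a 16-byte payload
// stored at offset 0x20 with KEY. The payload is the benign string below, so the
// plaintext is absent from the image on disk and only appears after emulation.
const uint8_t KEY = 0x5A;
const uint8_t PAYLOAD_OFF = 0x20;
const char* const PAYLOAD = "EMU-TEST-PAYLOAD";

std::vector<uint8_t> build_image() {
    std::vector<uint8_t> img(256, 0);
    const size_t len = std::strlen(PAYLOAD);
    const uint8_t code[] = {
        OP_SETPTR, PAYLOAD_OFF,         // 0x00
        OP_SETCNT, (uint8_t)len,        // 0x02
        OP_SETKEY, KEY,                 // 0x04
        OP_XORMEM,                      // 0x06  <- loop body
        OP_INCPTR,                      // 0x07
        OP_DECJNZ, 0x06,                // 0x08  jump back while cnt != 0
        OP_HALT,                        // 0x0A
    };
    std::memcpy(img.data(), code, sizeof code);
    for (size_t i = 0; i < len; ++i) img[PAYLOAD_OFF + i] = (uint8_t)PAYLOAD[i] ^ KEY;
    return img;
}

// Plain byte-pattern scan over guest memory; returns the offset or -1 if absent.
long scan_memory(const Machine& m, const std::string& sig) {
    if (sig.empty() || sig.size() > m.mem.size()) return -1;
    for (size_t i = 0; i + sig.size() <= m.mem.size(); ++i)
        if (std::memcmp(&m.mem[i], sig.data(), sig.size()) == 0) return (long)i;
    return -1;
}

// Emulate a fresh image under the given cap, then scan: the workflow from the thread.
long emulate_and_scan(size_t max_iterations, const std::string& sig) {
    Machine m(build_image());
    emulate(m, max_iterations);
    return scan_memory(m, sig);
}

// Number of instructions the decoder needs before it halts (3 setup + 16*3 loop + HALT).
size_t instructions_until_halt() {
    Machine m(build_image());
    return emulate(m, 100000);
}

int main() {
    std::printf("on disk:            %ld\n", scan_memory(Machine(build_image()), "EMU-TEST-PAYLOAD"));
    std::printf("cap 27, partial:    %ld\n", emulate_and_scan(27, "EMU-TEST"));
    std::printf("cap 27, full sig:   %ld\n", emulate_and_scan(27, "EMU-TEST-PAYLOAD"));
    std::printf("cap 1000, full sig: %ld\n", emulate_and_scan(1000, "EMU-TEST-PAYLOAD"));
    std::printf("instructions:       %zu\n", instructions_until_halt());
    return 0;
}
```

With a budget of 27 instructions the loop has decoded only the first 8 bytes, so a short signature ("EMU-TEST") matches while the full one does not; with a generous budget the decoder halts after 52 instructions and the full signature is found at 0x20. That is exactly the trade-off behind "you don't need to find the entry point": the cap replaces entry-point analysis, and a cap that is too low silently turns a true positive into a miss, so the iteration budget is itself a detection parameter worth tuning per signature family.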