Author Topic: AV Emulation (Assembly)  (Read 5911 times)


May 24, 2008, 10:38:39 am

sowhat-x

...ever been wondering how AV products "emulate" an executable's instructions?
Kind of "funny" attitude actually...
While there are literally tons of sources and tutorials out there explaining how to write all different kinds of viruses/malware etc.,
still, in the year 2008, there is almost no public info out there regarding the basics of writing antiviral code...

The following articles are available only in Russian, meaning you'll have to make use of some online translation service.
Secondly, they're obviously meant for people that already have a pretty extensive knowledge of assembly...
i.e. this certainly doesn't include guys like me, he-he...  :)

http://users.northnet.ru/lonsdale/proj/2/index.html
http://users.northnet.ru/lonsdale/proj/3/index.html
http://users.northnet.ru/lonsdale/proj/files/xpl_010.zip

And also here as well...
http://www.wasm.ru/article.php?article=av_emul
http://www.wasm.ru/pub/6/files/av_emul.zip

May 24, 2008, 01:25:43 pm
Reply #1

bobby

The only active open-source project of this kind that I'm aware of is libemu:
http://libemu.mwcollect.org/

April 08, 2009, 05:19:19 pm
Reply #2

sowhat-x

Just stumbled upon a couple more articles that come with introductory antiviral / emulation code examples  :)
Russian language only again though - the site appears to have Kaspersky as its backend:
http://av-school.ru/article/a-45.html
http://av-school.ru/article/a-62.html

April 09, 2009, 06:40:58 am
Reply #3

Toaster

Quote
there is almost next to nothing public info out there

and it should stay so.

Peter Kleissner, Core developer in an AV  8)

April 09, 2009, 01:11:57 pm
Reply #4

sowhat-x

In my poor opinion, I consider the above code/documentation a pretty good starting point
for people to understand how stuff works... and it's less dangerous info as well,
at least when compared to open-source bootkits released to the wide public...  8)

Not everybody has the same ideas though about what kind of info/code should be released,
so luckily for all of us, quite a lot of stuff will never find its way out there...  :)


April 09, 2009, 09:21:52 pm
Reply #5

Toaster

Well yes, I distinguish between company interest and personal interest. I am doing a lot of stuff "off the road" just because of my personal interest.
I would never release any information of the company to the public; I respect and take care of intellectual property and rights.

But personally we are doing things for three reasons (as once nicely said by Vipin Kumar):
 - Name
 - Satisfaction
 - Money

I have no problem releasing a bootkit as long as I am a developer and not a Security Researcher. What I am making is software, neither good nor evil. Human knowledge belongs to the world, as I always claim it to do. Take the information, use it.

So distinguish between company secrets (how something is done internally), which could really do damage, and some coding off the road. We as AV don't want sensitive information to be dropped onto the internet (the wide public); this is also why you will never receive any response from AV if you are reporting something. Do not take such things personally, this is business. And this is also why AVs can't/won't give any support or response to things like this malware-domain-list. It's simply not our intention to do so.

just that to be said  8)

April 10, 2009, 01:39:48 am
Reply #6

sowhat-x

Quote
just that to be said  8)

/sowhat-x agrees 100% with this specific one statement... 'nuff said  ;)

April 10, 2009, 06:42:11 am
Reply #7

CM_MWR

Ya know something, I can't even find the right words to express what I wanted to say, but I can tell you this much: it's the old stale worn ideas displayed in this thread that have/will/are forever crippling the AV world. No matter how you slice it, one thing will forever stand true.

United MalwareGroups Stand

Divided AVs will fall

And that's the Bottom Line, 'cause Stone Cold says so!  :D


April 10, 2009, 07:13:33 am
Reply #8

SysAdMini

Quote
Do not take such things personal, this is business. And this is also why AVs can't/won't give any support or response to things like this malware-domain-list. It's simply not our intention to do so.


Huh, that's an arrogant statement and I think you are completely mistaken.  >:(
Ruining the bad guy's day