First we must understand how a simple AV works. Basically, AV software has the following components:
1. Scanner engine: the main component with which the AV recognizes a virus pattern. Engines can be grouped into static and dynamic. A static engine can be described as one that is specific to a particular pattern of a virus file; a checksum is one example of a static engine. A dynamic engine, in contrast, recognizes the 'common' behaviour of a virus; heuristics are one example.
2. Definition database: the reference set of virus file patterns. The static engine relies heavily on this component.
3. Decompression or unpacking engine, especially for checking compressed files (*.avi, *.zip, etc.) or the compression or packing of PE files with packers such as UPX, MEW, etc.
Not infrequently the check on a suspected virus file gives a false-positive or even a false-negative result (false-positive means a clean file is considered a threat by the AV, and false-negative means a file that is 100% a threat is considered clean). All of this can be caused by imperfections in the scanner engine itself. Example:
in the case of a string scanner engine (an engine that scans the text of a file for selected strings), when the rule '3 out of 5' is applied (if the AV finds 3 of the 5 strings in its list of malicious strings), the AV will flag the file as a positive threat, even though the file does nothing dangerous when run or executed. This kind of scanning error is commonly found for *.VBS, *.HTML, etc. files. The use of a checksum engine is very common in several local AV products. Checksums commonly used include CRC16, CRC32, MD5, etc., because they are easy to implement. This engine itself is not without weaknesses. A checksum works by processing a file byte by byte with a particular algorithm (depending on the type of checksum used) so as to produce a particular fingerprint of the file. Examples using the CRC32 and MD5 checksums:
* CalCrc = CRC32(file_name_and_path)
* CalMD5 = MD5(file_name_and_path)
Then the content of the string calCrc is 7AF9E376, while for MD5 it is 529CA8050A00180790CF88B63468826A. It should be known that if the virus has a routine that changes a particular byte of its body each time it runs, using a checksum engine will be less than optimal, because if even the first byte of the file changes, the checksum will also change.
Let us learn to make a simple AV. What is required:
1. Visual Basic 6.0 software
2. A little understanding of Visual Basic 6.0 programming
3. A sample clean file or virus (optional)
First #
Now we will learn to create a simple routine that will:
- Select the file to be checked
- Open the file in binary mode
- Process the byte-by-byte to generate checksum
Open your MS Visual Basic 6.0, then make a Form and a class module, and add a Textbox, a CommonDialog and a Command Button object to the Form. (The CommonDialog object can be added by selecting Project -> Components or Ctrl-T and choosing Microsoft Common Dialog Control 6.0.) Type the following code into the class module (we name the class module clsCrc):
START HERE ================= ====================
Option Explicit
Private crcTable(0 To 255) As Long 'CRC32 lookup table, filled once in Class_Initialize

Public Function CRC32(ByRef bArrayIn() As Byte, ByVal lLen As Long, Optional ByVal lcrc As Long = 0) As Long
'bArrayIn is the byte array read from the file, lLen is the index of the last byte (UBound of the array)
Dim lCurPos As Long 'current position while iterating the array bArrayIn
Dim lTemp As Long 'temporary variable for the running calculation
If lLen < 0 Then Exit Function 'exit the function if the array is empty (file size = 0)
lTemp = lcrc Xor &HFFFFFFFF
For lCurPos = 0 To lLen
'logical shift right by 8 bits (VB6 has no shift operator), then XOR with the table entry
lTemp = (((lTemp And &HFFFFFF00) \ &H100) And &HFFFFFF) Xor crcTable((lTemp And 255) Xor bArrayIn(lCurPos))
Next lCurPos
CRC32 = lTemp Xor &HFFFFFFFF
End Function

Private Sub BuildTable()
Dim i As Long, x As Long, crc As Long
Const Limit As Long = &HEDB88320 'reflected CRC32 polynomial
For i = 0 To 255
crc = i
For x = 0 To 7
If crc And 1 Then
crc = (((crc And &HFFFFFFFE) \ 2) And &H7FFFFFFF) Xor Limit 'logical shift right by 1, then XOR with the polynomial
Else
crc = ((crc And &HFFFFFFFE) \ 2) And &H7FFFFFFF 'logical shift right by 1
End If
Next x
crcTable(i) = crc
Next i
End Sub

Private Sub Class_Initialize()
BuildTable
End Sub
END HERE ================= ====================
Then type the following code into the Form's code window (the declarations at form level, then the Command1_Click event):
START HERE ================= ====================
Dim namaFileBuka As String, HasilCrc As String
Dim CCrc As New clsCrc 'make a new object of the class clsCrc
Dim calCrc As Long
Dim tmp() As Byte 'array for the file that is read

Private Sub Command1_Click()
CommonDialog1.CancelError = True 'raise an error when the user clicks Cancel on the CommonDialog
CommonDialog1.DialogTitle = "Read File" 'caption of the CommonDialog
On Error GoTo erorhandle 'jump to the error-handling label
CommonDialog1.ShowOpen
namaFileBuka = CommonDialog1.FileName
Open namaFileBuka For Binary Access Read As #1 'open the selected file in binary mode with read access
If LOF(1) = 0 Then Close #1: Exit Sub 'nothing to checksum in an empty file
ReDim tmp(LOF(1) - 1) As Byte 'resize the array to the file size (bug fixed)
Get #1, , tmp()
Close #1
calCrc = UBound(tmp) 'index of the last byte of the array
calCrc = CCrc.CRC32(tmp, calCrc) 'calculate the CRC
HasilCrc = Hex(calCrc) 'convert to hexadecimal format, because the CRC result is still a number
Text1.Text = HasilCrc 'show the result
Exit Sub
erorhandle:
If Err.Number <> 32755 Then MsgBox Err.Description 'error number 32755 is raised when the user clicks Cancel while selecting a file
End Sub
END HERE ================= ====================
Try running the program by pressing F5, then click Command1 to select and open a file. The program will then display the file's CRC32.
Second #
From the code above we can make a routine that checks a suspect file for a virus by comparing its CRC32 with our own CRC database. The algorithm is:
- Select the file to be checked
- Open the file in binary mode
- Process the byte-by-byte to generate checksum
- Open the database file
- Take the contents of the file line by line
- Identify Checksum calculation results with the checksum of the file
The format of the database file itself is ours to determine, for example:
- FluBurung.A = ABCDEFGH
- Diary.A = 12345678
where FluBurung.A is the name of the virus and ABCDEFGH is its CRC32. If we have a file in the format above, then we need to read the file sequentially line by line and separate the virus name from its CRC32. In this case, the separator character is '='.
Create one new module (leave it named Module1) and fill it with the code:
START HERE ================= ====================
Public namaVirus As String, CrcVirus As String 'global variables for the virus name and its CRC
Public pathEXE As String 'storage location of our AV's EXE file

Public Function cariDatabase(CRC As String, namaFileDB As String) As Boolean
Dim lineStr As String, tmp() As String 'placeholders for the file contents
Open namaFileDB For Input As #1 'open the file in input mode
Do While Not EOF(1) 'also safe for an empty database file
Line Input #1, lineStr
tmp = Split(lineStr, "=") 'split the line on the separator character '='
If UBound(tmp) >= 1 Then 'skip lines that do not contain the separator
namaVirus = Trim$(tmp(0)) 'put the name from the array into the variable namaVirus
CrcVirus = UCase$(Trim$(tmp(1))) 'put the CRC from the array into the variable CrcVirus (spaces around '=' removed)
If CrcVirus = UCase$(Trim$(CRC)) Then 'if the calculated CRC matches the database
cariDatabase = True 'return the value TRUE
Exit Do 'leave the loop
End If
End If
Loop
Close #1
End Function
END HERE ================= ====================
Then add one new object to the Form, i.e. Command Button 2, and type the following code into the Command2_Click event:
START HERE ================= ====================
Private Sub Command2_Click()
If Len(App.Path) <= 3 Then 'if our directory is the root directory (e.g. "C:\"), it already ends with a backslash
pathEXE = App.Path
Else
pathEXE = App.Path & "\"
End If
CommonDialog1.CancelError = True 'raise an error when the user clicks Cancel on the CommonDialog
CommonDialog1.DialogTitle = "Read File" 'caption of the CommonDialog
On Error GoTo erorhandle 'jump to the error-handling label
CommonDialog1.ShowOpen
namaFileBuka = CommonDialog1.FileName
Open namaFileBuka For Binary Access Read As #1 'open the selected file in binary mode with read access
If LOF(1) = 0 Then Close #1: Exit Sub 'nothing to checksum in an empty file
ReDim tmp(LOF(1) - 1) As Byte 'resize the array to the file size (bug fixed)
Get #1, , tmp()
Close #1
calCrc = UBound(tmp) 'index of the last byte of the array
calCrc = CCrc.CRC32(tmp, calCrc) 'calculate the CRC
HasilCrc = Hex(calCrc) 'convert to hexadecimal format, because the CRC result is still a number
If cariDatabase(HasilCrc, pathEXE & "DB.txt") Then 'if the function returns TRUE
MsgBox "Virus found: " & namaVirus 'show a message box
End If
Exit Sub
erorhandle:
If Err.Number <> 32755 Then MsgBox Err.Description 'error number 32755 is raised when the user clicks Cancel while selecting a file
End Sub
END HERE ================= ====================
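As an added example (not code from the original post), here is the same table-driven CRC32 as clsCrc and the same 'Name = CRC' database lookup as cariDatabase, written in Python so the checksum-signature scan, and the weakness noted in the first section (one changed byte and the signature no longer matches), can be tried offline. The sample file bytes and the signature database are constructed for the demo.

```python
# Added example mirroring the VB6 clsCrc / cariDatabase routines above.
# Database lines use the post's "VirusName = CRC32HEX" format with '=' as separator.
from typing import Dict, List, Optional


def build_table() -> List[int]:
    """Same table clsCrc.BuildTable builds: reflected polynomial 0xEDB88320."""
    table = []
    for i in range(256):
        crc = i
        for _ in range(8):
            crc = (crc >> 1) ^ 0xEDB88320 if crc & 1 else crc >> 1
        table.append(crc)
    return table


CRC_TABLE = build_table()


def crc32(data: bytes, crc: int = 0) -> int:
    """Byte-by-byte CRC32 as in clsCrc.CRC32: XOR with 0xFFFFFFFF before and after."""
    tmp = crc ^ 0xFFFFFFFF
    for b in data:
        tmp = (tmp >> 8) ^ CRC_TABLE[(tmp ^ b) & 0xFF]
    return tmp ^ 0xFFFFFFFF


def load_database(text: str) -> Dict[int, str]:
    """Parse 'VirusName = HEXCRC' lines into {crc_value: name}; malformed lines are skipped.
    The CRC is compared as an integer, so VB's unpadded Hex() output and zero-padded
    hex both match."""
    db: Dict[int, str] = {}
    for line in text.splitlines():
        name, sep, crc_hex = line.partition("=")
        if not sep or not crc_hex.strip():
            continue
        db[int(crc_hex.strip(), 16)] = name.strip()
    return db


def scan(data: bytes, db: Dict[int, str]) -> Optional[str]:
    """Return the matching signature name, or None (what cariDatabase's TRUE/FALSE means)."""
    return db.get(crc32(data))


# Constructed sample: a pretend infected file and a database that lists its CRC32.
SAMPLE = b"MZ\x90\x00constructed sample body for the demo"
DATABASE = "FluBurung.A = %08X\nDiary.A = 12345678\n" % crc32(SAMPLE)
```

Changing a single byte of SAMPLE before calling scan() makes the lookup fail, which is exactly why a checksum engine on its own is weak against a virus that modifies its own body.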
This simple AV can be extended with features such as a process scanner, registry access, real-time protection (RTP) and others. A process scanner is basically a technique of enumerating all processes running on the operating system, then looking up the location of each process's file and running the scan on it.