How do you write an antivirus for a virus in assembler?
Can you tell me how to write an antivirus for a virus?
Here is my virus:
; TASM/MASM syntax for a .COM program (the original mixed FASM's use16 with
; MASM-style proc/endp/end, which no single assembler accepts as written)
.model tiny
.code
org 100h
begin:
    jmp Init

; ---- resident part: replacement INT 21h handler ----
int_21_proc proc far
    cmp ah, 9h                          ; DOS "print string" request?
    jne Chain                           ; no: hand it straight to the original handler
    push ax
    push cx
    push dx
    push ds
    push cs
    pop ds                              ; DS = CS so our variables and string are addressable
    mov ah, 2ch                         ; DOS "get time": CH = hour, CL = minute
    pushf
    call dword ptr cs:[Init_211_proc]   ; call the saved original vector, not INT 21h (no re-entry into this hook)
    mov [Hour], ch
    mov [Min], cl
    mov ah, 9h
    mov dx, offset mes1                 ; print our own message first (original lacked the comma)
    pushf
    call dword ptr cs:[Init_211_proc]
    pop ds
    pop dx
    pop cx
    pop ax
Chain:
    jmp dword ptr cs:[Init_211_proc]    ; then let the original handler serve the caller's request
int_21_proc endp

mes1 db 'Hooked INT 21h$'               ; DOS strings are '$'-terminated
Hour db ?                               ; one byte each: dd was the wrong size for CH/CL
Min db ?
Init_211_proc dd ?                      ; saved original INT 21h vector; placed before Init so it stays resident

; ---- transient part: install the hook and stay resident ----
Init:
    mov ax, 3521h                       ; get INT 21h vector -> ES:BX
    int 21h
    mov word ptr Init_211_proc, bx
    mov word ptr Init_211_proc+2, es
    mov ax, 2521h                       ; set INT 21h vector = DS:DX
    mov dx, offset int_21_proc
    int 21h
    mov dx, offset Init                 ; everything below Init stays resident
    int 27h                             ; terminate and stay resident
end begin                               ; the entry label is begin, not start
For your problem, the book "Writing a Virus and an Antivirus" by P. L. Khizhnyak is 99.99999% suitable.
You study the EXE file format, use disassemblers to find which bytes of the compiled EXE make up the malicious code, and add that sequence to the antivirus database (it can simply be a binary file). The antivirus then checks the suspicious EXE the user specifies: it simply reads it and checks whether it contains those sequences, and if it does, it offers to delete the file.
The option with 0% false positives + false negatives is to include all of the compiled code in the antivirus database byte for byte, or, to save space, a hash sum of it. However, your antivirus will be "overtrained": any change to the code will result in a miss. You should understand how much generalization is needed and try to include in the signature (i.e. the part of the code covered by the hash sum) the part that is least likely to change when someone edits it. And that is where the most interesting part actually begins.
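The two signature styles the answers above describe (whole-file hash versus a byte sequence taken from the part least likely to change), as an added Python example that is not from the answers or the book. The sample bytes are constructed by hand to stand in for the compiled TSR from the question; they are not a real assembler build.

```python
import hashlib

# Constructed sample bytes standing in for the compiled TSR from the question
# (not output of a real assembler). The hook-install idiom
#   mov ax,3521h / int 21h / mov ax,2521h / int 21h  ->  B8 21 35 CD 21 B8 21 25 CD 21
# is the part least likely to change; the message text is the part most likely to.
HOOK_IDIOM = bytes.fromhex("B82135CD21B82125CD21")
TSR_TAIL = bytes.fromhex("BA0001CD27")                    # mov dx,0100h / int 27h
ORIGINAL = b"Hooked INT 21h$" + HOOK_IDIOM + TSR_TAIL
VARIANT = b"Hi there$" + HOOK_IDIOM + TSR_TAIL            # only the string was edited
BENIGN = b"Hello, world!$" + bytes.fromhex("B409CD21C3")  # mov ah,9 / int 21h / ret

def full_hash(code: bytes) -> str:
    """'Overtrained' signature: a hash of every byte. Any change at all is missed."""
    return hashlib.sha256(code).hexdigest()

def has_byte_signature(code: bytes, signature: bytes) -> bool:
    """Generalised signature: does the invariant byte sequence occur anywhere in code?"""
    return code.find(signature) != -1

# Signature "database": a name mapped to either a whole-file hash or a byte sequence.
# In the answer's scheme this would live in a plain binary file.
DATABASE = {
    "tsr-hook.exact": ("sha256", full_hash(ORIGINAL)),
    "tsr-hook.idiom": ("bytes", HOOK_IDIOM),
}

def scan(code: bytes, database: dict = DATABASE) -> list:
    """Return the names of every database entry that matches `code`."""
    hits = []
    for name, (kind, value) in database.items():
        if kind == "sha256" and full_hash(code) == value:
            hits.append(name)
        elif kind == "bytes" and has_byte_signature(code, value):
            hits.append(name)
    return hits

if __name__ == "__main__":
    # The edited variant defeats the exact hash but still trips the idiom signature;
    # the benign program, which also calls INT 21h, trips neither.
    for label, sample in (("original", ORIGINAL), ("edited", VARIANT), ("benign", BENIGN)):
        print(f"{label:8s}: {scan(sample) or 'clean'}")
```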