rcmaehl
Posted December 16, 2011 (edited)

Well, I'm making an Anti-Malware program. However, since I'm a smart computer user and also a primarily Linux user, I have no viruses that I can use for the program definitions, and it would take me a long while (can't find any good torrents at the moment, although I could just ask 4chan now that I think about it), so can you guys link me to some VirusTotal results of malware?

So far my Anti-Malware program detects the following:

For Linux: Forkbombs (in python, bash, sh), anything that contains 'rm -rf /' and variants, Everything from Windows

For Windows: autorun.inf (Risky), Forkbombs (in AutoIt, python, batch), anything with 'Format /x C:' and variants, Unprotected Administrator Accounts

If all else fails I'll just have the AV program go by a whitelist. Also, what's the best way to compare files? MD5/SHA1/SHA256/etc?

Now for the AutoIt related part: I have a script calling multiple child processes one after another and reading the Stdout of each child process, which allows me to bypass RunWait, with the child processes using an exit code instead of writing to Stdout, thus allowing multiple child processes at once. What's the best way (or a way) to make sure all the child processes terminated and launch another child process, so that the number of child processes is always the same (until I don't need it to be), while being able to determine if a child process did not write to Stdout for some reason (and relaunch the child process that didn't write to Stdout)?

Chart:

+Parent
    +Child One -> Stdout <- Parent Reads
    +Child Two -> Stdout <- Parent Reads
    +Child Three -> Stdout <- Parent Reads
    +Child Four -> Stdout <- Parent Reads
    +Child Five -> Stdout <- Parent Reads

EDIT: Removed a derp I had for a second about forgetting discussing malware was not allowed.

Edited December 16, 2011 by rcmaehl

My UDFs are generally for me. If they aren't updated for a while, it means I'm not using them myself. As soon as I start using them again, they'll get updated.
My Projects: WhyNotWin11, MSEdgeRedirect, Cisco Finesse, Github, IRC UDF, WindowEx UDF
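
One way to structure the child-process pool asked about above, as an added example that is not part of the thread or any poster's code. It assumes a hypothetical `worker.au3` that prints its result to Stdout; the job names, pool size and retry limit are constructed for illustration.

```autoit
#include <AutoItConstants.au3>

; Added example: worker.au3, the job list and both constants are hypothetical.
Global Const $POOL_SIZE = 5     ; children kept running at once (five in the chart)
Global Const $MAX_RETRIES = 2   ; relaunches allowed for a job that wrote nothing
Global $g_aJobs[8] = ["a.bin", "b.bin", "c.bin", "d.bin", "e.bin", "f.bin", "g.bin", "h.bin"]
Global $g_iNext = 0
Global $g_aSlot[$POOL_SIZE][4]  ; [n][0]=PID (0/empty = free), [1]=job, [2]=stdout so far, [3]=retries

Func _Launch($i, $sJob, $iRetries)
    Local $sCmd = '"' & @AutoItExe & '" /AutoIt3ExecuteScript worker.au3 "' & $sJob & '"'
    $g_aSlot[$i][0] = Run($sCmd, @ScriptDir, @SW_HIDE, $STDOUT_CHILD)
    If @error Then ConsoleWrite("Run failed for " & $sJob & @CRLF) ; PID is 0, slot stays free
    $g_aSlot[$i][1] = $sJob
    $g_aSlot[$i][2] = ""
    $g_aSlot[$i][3] = $iRetries
EndFunc

Func _Reap($i)
    ; Called once the child's Stdout pipe has reached EOF (the child has finished writing).
    Local $sOut = StringStripWS($g_aSlot[$i][2], 3)
    StdioClose($g_aSlot[$i][0])
    $g_aSlot[$i][0] = 0
    If $sOut = "" And $g_aSlot[$i][3] < $MAX_RETRIES Then
        _Launch($i, $g_aSlot[$i][1], $g_aSlot[$i][3] + 1) ; silent child: run the same job again
    ElseIf $sOut = "" Then
        ConsoleWrite("FAILED " & $g_aSlot[$i][1] & " (no output)" & @CRLF)
    Else
        ConsoleWrite($g_aSlot[$i][1] & " -> " & $sOut & @CRLF)
    EndIf
EndFunc

Local $iBusy
Do
    $iBusy = 0
    For $i = 0 To $POOL_SIZE - 1
        If $g_aSlot[$i][0] Then
            ; Non-blocking read: append what is available; @error is set at end of stream.
            $g_aSlot[$i][2] &= StdoutRead($g_aSlot[$i][0])
            If @error Then _Reap($i)
        EndIf
        ; Refill a free slot so the number of children stays constant while jobs remain.
        If Not $g_aSlot[$i][0] And $g_iNext < UBound($g_aJobs) Then
            _Launch($i, $g_aJobs[$g_iNext], 0)
            $g_iNext += 1
        EndIf
        If $g_aSlot[$i][0] Then $iBusy += 1
    Next
    Sleep(50)
Until $iBusy = 0
```

Because `StdoutRead` returns immediately, the parent never blocks on one child, and the retry counter keeps a worker that never writes anything from being relaunched indefinitely.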
Skitty
Posted December 17, 2011

> Well, I'm making an Anti-Malware program. However, since I'm a smart computer user and also a primarily Linux user, I have no viruses that I can use for the program definitions, and it would take me a long while (can't find any good torrents at the moment, although I could just ask 4chan now that I think about it), so can you guys link me to some VirusTotal results of malware?

I've tried the same. I made a post about how I can get some malware hashes etc., and one of the MVPs or mods pointed out an API VirusTotal has where you can submit a file and retrieve the results, but that's very limited and very time consuming. ClamAV is open source; the best you can do is find out how it detects malware and implement its shit in AutoIt. I haven't looked at it, so I'm not sure how or where it obtains definitions or if it even uses them, but if it does, maybe you can use them from AutoIt. At least that's the way I thought about it. But I abandoned the idea after a while.