IchBistTod

making anti-virus

16 posts in this topic

#1 ·  Posted (edited)

Okay well I want to make an anti-virus but I am stuck on two issues.

1) Monitoring what a process is doing (e.g. what file it is writing to and what it's writing to it; for cryptors that hide a file inside to bypass scan-time detection).

and

2) Pausing a process while I scan the exe it's using.

Any help greatly appreciated.

Edited by IchBistTod




**bump**



Answer for 2nd question: you can use NtSuspendProcess from ntdll.dll


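An added example of the NtSuspendProcess approach, not code from the thread: it freezes example.exe, hashes the image file behind the process while it is frozen, then either resumes it or kills it. The blocklist value, the `_ScanRunningExe` name and the use of SHA-1 are constructed for illustration.

```autoit
#include <Crypt.au3>

; Added example, not from the thread: suspend example.exe with NtSuspendProcess,
; hash the image file behind it, then resume it or terminate it.
Global Const $PROCESS_SUSPEND_RESUME = 0x0800
Global Const $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

; Constructed blocklist of SHA-1 hex digests; the value is a placeholder, not a real indicator
Global $g_aBlocklist[1] = ["PLACEHOLDER_SHA1_OF_KNOWN_BAD_FILE"]

Func _ScanRunningExe($sProcess)
    Local $iPid = ProcessExists($sProcess)
    If Not $iPid Then Return SetError(1, 0, "not running")

    ; Need suspend/resume rights plus limited query rights for the image path
    Local $aProc = DllCall("kernel32.dll", "handle", "OpenProcess", _
            "dword", BitOR($PROCESS_SUSPEND_RESUME, $PROCESS_QUERY_LIMITED_INFORMATION), _
            "bool", False, "dword", $iPid)
    If @error Or Not $aProc[0] Then Return SetError(2, 0, "OpenProcess failed")
    Local $hProc = $aProc[0]

    ; NtSuspendProcess is undocumented; an NTSTATUS of 0 means success
    Local $aRet = DllCall("ntdll.dll", "long", "NtSuspendProcess", "handle", $hProc)
    If @error Or $aRet[0] <> 0 Then
        DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hProc)
        Return SetError(3, 0, "NtSuspendProcess failed")
    EndIf

    ; Full path of the executable image; hash it while the process is frozen
    Local $aPath = DllCall("kernel32.dll", "bool", "QueryFullProcessImageNameW", _
            "handle", $hProc, "dword", 0, "wstr", "", "dword*", 4096)
    Local $sVerdict = "unknown"
    If Not @error And $aPath[0] Then
        $sVerdict = "clean"
        Local $sHash = Hex(_Crypt_HashFile($aPath[3], $CALG_SHA1))
        For $sBad In $g_aBlocklist
            If $sHash = $sBad Then $sVerdict = "infected" ; = compares case-insensitively
        Next
    EndIf
    If $sVerdict = "infected" Then
        ProcessClose($iPid) ; never resumed: killed while still suspended
    Else
        DllCall("ntdll.dll", "long", "NtResumeProcess", "handle", $hProc)
    EndIf
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hProc)
    Return $sVerdict
EndFunc

ConsoleWrite("example.exe: " & _ScanRunningExe("example.exe") & @CRLF)
```

OpenProcess only succeeds for processes your account has rights over, and anything the process did before the suspend has already happened, which is the limitation monoceres raises below.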

Sorry, I'm really not all that good with DllCalls.... Could you please give me the DLL call I would need to use, with example.exe as the process I am pausing?



No, I mean to stop the exe from executing while it's being scanned, so if it's a virus it can't cause damage during the scan, and it can be deleted before any damage is caused.



Let this one go. It's not possible to do anything useful in AutoIt when it comes to antivirus, since it requires a kernel driver to monitor the system in a reliable way.

The main rule is: if you don't know how to do it, then it's most likely that you can't do it.

If you're still interested in general process monitoring and such, then check out my API hooking script in my; it only works in the current process but should give some insight into the subject.



Let this one go. ...

Now if you could just convince LittleCoderNthai:

http://www.autoitscript.com/forum/index.php?app=core&module=search&do=user_posts&mid=50586

:-(



You seem to have been here a long time.

So I'm sorry that I must correct you. Anything is possible in AutoIt, even if it's via DLLs, COM objects, and inline ASM. AutoIt is a RAD (rapid application development) language.



#10 ·  Posted (edited)

You seem to have been here a long time.

So I'm sorry that I must correct you. Anything is possible in AutoIt, even if it's via DLLs, COM objects, and inline ASM. AutoIt is a RAD (rapid application development) language.

I'm not sure if you were talking to monoceres who is young and bright or me (old and dull). Yes, I've been using AutoIt longer than the forum join date would indicate... but that really does not matter. I only use AutoIt to do the things that I need it to do. It can do far more than I know how to make it do.

monoceres, on the other hand, has a pretty good understanding of AutoIt and programming in general... far better than I.

Maybe you and LittleCoderNthai should get together via PMs and work something up. I would not expect much help from those that think that AutoIt is the wrong tool for the job.

Edited by herewasplato


When it comes to memory reading, pointers, processes, etc... you should use C++ lol

You're not gonna make a DLL call in every line of your AutoIt script, are you?

What AutoIt lacks is pointers; if they implement them, you could do lots more things.


#12 ·  Posted (edited)

You seem to have been here a long time.

So I'm sorry that I must correct you. Anything is possible in AutoIt, even if it's via DLLs, COM objects, and inline ASM. AutoIt is a RAD (rapid application development) language.

Oh really? Write me a driver that operates in ring-0 and I stand corrected.

Trying to make an anti-virus in user mode is plain stupid and bound to fail.

Edit: Implementing the anti-virus part in a custom written dll does not count.

Edited by monoceres


It is possible to do the following:

Write a script that will scan your exe's, get their sizes or hashes, and write them encrypted to the end of each exe.

It is also possible to register an item in the context menu of exe's, to run one only when the file check is OK.

And more difficult is to do this:

- write a script that will pack an exe inside itself and also pack one encrypted copy of the exe; in this case the file can check itself and recover if it has been infected, and more...



Driver in pure AutoIt = fail.

AutoIt can take a relatively small set of functions from a DLL made in C or C++ and link them together, per se, and give them much more functionality. AutoIt can be used in conjunction with other programming languages to accomplish great things. Sorry if what I said was misunderstood. I was here looking for pre-created DLLs to save some work.



#15 ·  Posted (edited)

And from observation of LittleCoderNthai's posts, he seems to be about 12 or 13 (or from India, as people from India that I have talked to on the internet always seem about 12 or 13 even if they are in their 30s). He has no knowledge of AutoIt whatsoever, he lies so he seems smarter than he really is, and he asks questions for every step of the way, while I was asking for just two solutions, one of which I found, and should be able to use as soon as I figure out its DLL call.

And no, I'm not against Indians; I am sure other countries have a large group of people that sound 12-13 regardless of age as well, I however have not encountered them.

The last time I had a partner, he took the completely useless source code I gave him (I told him it was the project) and tried to blackmail me and sell it, without even knowing what it was...... This guy gives off that same kind of person vibe.

Edited by IchBistTod


#16 ·  Posted (edited)

In AutoIt, with the basic functions and Windows DLLs, it is possible to do all of the following:

1. Get a process's full path

2. Stop the process from executing

3. Scan the binary against a database, and hashes against a database

4. Create virus signatures and hashes and add them to a database

5. Kill infected processes and delete their EXE, and find/kill all of their child processes and delete their EXEs

6. Unhook handles on files

7. Create backups of the registry, and of all files on the hard drive, that can later be used to restore the system

8. More things that I don't feel like writing... but you get the hint.

Edit:

Oh, and by the way, I never said it was possible to make a driver in AutoIt; I said it was possible to make anything WITH THE USE OF DLL calls, COM objects and inline ASM.

Edited by IchBistTod
