making anti-virus

[IchBistTod]

Okay well I want to make an anti-virus but I am stuck on two issues.

1)monitoring what a process is doing(ex what file it is writing to and what its writing to it.(For cryptors that hide a file inside to bypass scan time detection)

and

2)pausing a process while I scan the exe its using.

any help greatly appriciated.

Edited July 12, 2009 by IchBistTod

[IchBistTod]

**bump**

[Andreik]

Answer for 2nd question: you can use NtSuspendProcess from ntdll.dll

[IchBistTod]

sorry im really not all that good with dllcalls.... could you please give me the dll call i would need to use with example.exe as the process i am pausing?

[DCCD]

2)pausing a process while I scan the exe its using.

did you mean decompress all "EXE" files?

[IchBistTod]

no, I mean to stop the exe from executing while its being scanned, so if its a virus it cant cause damage during the scan, and be deleted before any damage is cause.

[monoceres]

Let this one go. It's not possible to do anything useful in autoit when it comes to antivirus since it requires a kernel driver to monitor the system in a reliable way.

The main rule is, if you don't know how to do it, then it's most likely that you can't do it.

If you're still interested in general process monitoring and such then check out my api hooking script in my, it only works in current process but should give some insight in the subject.

[herewasplato]

Let this one go. ...

Now if you could just convince LittleCoderNthai:

http://www.autoitscript.com/forum/index.php?app=core&module=search&do=user_posts&mid=50586

:-(

[IchBistTod]

You seem to have been here a long time.

So im sorry that I mus correct you. Anything is possible in autoit, even if its via DLL's, COM Objects, and inline ASM. AutoIt is a RAD(Rapid application development) language.

[herewasplato]

You seem to have been here a long time.

So im sorry that I mus correct you. Anything is possible in autoit, even if its via DLL's, COM Objects, and inline ASM. AutoIt is a RAD(Rapid application development) language.

I'm not sure if you were talking to monoceres who is young and bright or me (old and dull). Yes, I've been using AutoIt longer than the forum join date would indicate... but that really does not matter. I only use AutoIt to do the things that I need it to do. It can do far more than I know how to make it do.

monoceres, on the other hand, has a pretty good understanding of AutoIt and programming in general... far better than I.

Maybe you and LittleCoderNthai should get together via PMs and work something up. I would not expect much help from those that think that AutoIt is the wrong tool for the job.

Edited July 14, 2009 by herewasplato

[trung0407]

When it comes with memory reading, pointers, processes, etc... you should use C++ lol

You're not gonna make a DLL call in every line of your Autoit script, are you?

What Autoit lacks is pointers, if they implement it, you could do lots of things more.

[monoceres]

You seem to have been here a long time.

So im sorry that I mus correct you. Anything is possible in autoit, even if its via DLL's, COM Objects, and inline ASM. AutoIt is a RAD(Rapid application development) language.

Oh really? Write me a driver that operates in ring-0 and I stand corrected.

Trying to make an anti-virus in user mode is plain stupid and bound to fail.

Edit: Implementing the anti-virus part in a custom written dll does not count.

Edited July 14, 2009 by monoceres

[GodlessSinner]

Possible to do the follow:

Write a script, that will scan your exe's, get sizes or heshes of them and write it encrypted to end of each exe.

Also may to do via register an item in context menu of exe's for run it only when file checking is ok.

And more difficult is to do this:

-write a script that will pack exe in itself and also pack one encrypted copy of exe, and in this case file can check itself and recover if it has been infected and more...

[IchBistTod]

driver in pure autoit = fail.

AutoIt can take a relativity small set of functions from a DLL made in C or C++ and link them together persay, and give them much more functionality. AutoIt can be used in conjunction with other programming languages to accomplish great things. Sorry if what i said was mis-understood. I was here looking for pre created DLLs to save some work.

[IchBistTod]

and from observation of LittleCoderNthai's posts, he seems to be about 12 or 13(or from India, as people from India that I have talked to on the internet always seem about 12 or 13 even if they are in their 30;s) He has no knowledge of autoit what-so-ever, he lies so he seems smarter than he really is, and he asks questions for every step of the way, while I was asking for just two solutions, one of witch I found, and should be able to use as soon as figure out its DLL call.

And no, I'm not against Indians, I am sure other countries have a large group of people that sound 12-13 regardless of age as well, I however have not encountered them.

The last time I had a partner, he took the completely useless source code I gave him(I told him it was the project) and tried to blackmail me and sell it, without even knowing what it was...... This guy gives off that same kinda person vibe.

Edited July 14, 2009 by IchBistTod

[IchBistTod]

In autoit, with the basic functions and windows DLL's it is possible to do all of the following

1.Get a process's full path

2.stop the process from executing

3.scan the binary against a database, and hash's against a database

4.create virus signatures and hashes and add them to a database

5.kill infected processes and delete their EXE and find/kill all of its child processes and delete their EXEs

6.unhook handles on files

7.create backups of the registry, and all files on the hard drive that can later be used to restore the system

8.More things, that I don't feel like writing...but you get the hint.

Edit:

Oh and by the way, I never said it was possible to make a Driver in autoit, I said it was possible to make anything WITH THE USE OF DLL Calls, COM Objects and Inline ASM

Edited July 14, 2009 by IchBistTod