11.13.2008

Making a Virus Deterrent (a simple AV)

Notes:
- The author is NOT responsible for any use or abuse of this article.
- This article is intended ONLY as learning material.
- Names, brands or logos are used only as EXAMPLE REFERENCES and do not imply promotion of the party concerned.
- The author apologizes if all or part of the contents of this article have already appeared in other similar articles.

Main #
Nowadays the presence of local virus makers (hereinafter abbreviated VM) has made life hard for computer users in this country. Imagine: of the many local viruses, not just one or two destroy data (particularly office files: Word, Excel, etc.). For anti-virus vendors (hereinafter abbreviated AV) this phenomenon is a business opportunity for their products: NORMAN, which now has the backing of a local virus consulting company (VAKSIN.COM), Symantec, McAfee, NOD32 and so forth. Offering the fastest AV definition updates, the most sensitive scanner engines, and so on, is their secret for luring virus victims into buying and using their AV software.

For the author this is rather burdensome, considering that updating the definition files or the AV engine has to go through an internet connection. What about those with no access at all? The consequence is that every new virus variant that appears turns the AV already installed into a 'toothless tiger' ('Tiger Ompong'). What if we make our own AV, with a definition database we can update ourselves and even exchange with friends? It is possible, provided you are willing to learn a few programming techniques. First we must understand how a simple AV works; basically AV software has these components:

1. Scanner engine, the main component of an AV, which identifies the pattern of a virus. Engines can be grouped into static and dynamic. Static, in this case, means recognizing a specific pattern of particular files belonging to a virus; a checksum is one example of a static engine. A dynamic engine recognizes the 'general' behaviour of a virus; heuristics are one example.

2. Definition database, the reference for virus pattern files. A static engine depends heavily on this component.

3. Decompression or unpacking engine, for special checks on compressed files (*.avi, *.zip, etc.) or compressed/packed PE files such as UPX, Mew, etc.

Not infrequently the results of checking suspect files yield false positives or even false negatives (a false positive means a clean file is considered a threat by the AV, and a false negative means a file that is 100% a threat is considered clean). All of this can be caused by the scanner engine itself. For example, in the case of a string scanner engine (a scanner engine that works by selecting text strings from a file), when the rule applied is 3 out of 5 (the AV finds 3 of the 5 malicious-string categories in its list), the AV will report the file as indicating a positive threat, even though the file causes no harmful effect when run or executed. This kind of scanning error is commonly found with *.vbs, *.html files, etc. A checksum engine is used in several local AV programs. Commonly used checksums include CRC16, CRC32, MD5, etc., because they are easy to implement. This engine is not without its own weakness: a checksum works by processing a file byte-by-byte with a particular algorithm (depending on the type of checksum used), producing a value specific to that file. Example use of the CRC32 and MD5 checksums:

* calCrc = CRC32(file_name_and_path)
* calMD5 = MD5(file_name_and_path)

The content of the string calCrc is then 7AF9E376, while the MD5 is 529CA8050A00180790CF88B63468826A. Note that if a virus implements a routine that changes certain bytes of its body every time it runs, a checksum engine will be less than optimal, because when even 1 byte of the file changes the checksum also changes.

Let us learn to make a simple AV. What is needed:

1. The Visual Basic 6.0 software

2. A little understanding of Visual Basic 6.0 programming
3. Sample virus files or clean files (optional)

First #
Now we will learn to create a simple routine to:
- Select a file to be checked
- Open the file in binary mode
- Process the checksum byte by byte

Open your MS Visual Basic 6.0, make a class module, and add a Form with a TextBox, a CommonDialog and a Command Button. (The CommonDialog object can be added by selecting Project -> Components, or Ctrl-T, and choosing Microsoft Common Dialog Control 6.0.) Type the following code in the class module (we give the class module the name clsCrc):

================= START HERE ====================

Private crcTable(0 To 255) As Long 'crc32 lookup table

Public Function CRC32(ByRef bArrayIn() As Byte, ByVal lLen As Long, Optional ByVal lcrc As Long = 0) As Long
    'bArrayIn is the byte array read from the file, lLen is the last index of that array (file size - 1)
    Dim lCurPos As Long 'current position for iterating over bArrayIn
    Dim lTemp As Long 'temporary variable for the calculation result

    If lLen < 0 Then Exit Function 'exit the function if the file size = 0 (empty array)
    lTemp = lcrc Xor &HFFFFFFFF

    For lCurPos = 0 To lLen
        'logical shift right by 8 bits (done with masking and integer division) and table lookup
        lTemp = (((lTemp And &HFFFFFF00) \ &H100) And &HFFFFFF) Xor crcTable((lTemp And 255) Xor bArrayIn(lCurPos))
    Next lCurPos

    CRC32 = lTemp Xor &HFFFFFFFF
End Function

Private Function BuildTable() As Boolean
    Dim i As Long, x As Long, CRC As Long

    Const Limit = &HEDB88320 'reflected CRC32 polynomial

    For i = 0 To 255
        CRC = i
        For x = 0 To 7
            If CRC And 1 Then
                CRC = (((CRC And &HFFFFFFFE) \ 2) And &H7FFFFFFF) Xor Limit
            Else
                CRC = ((CRC And &HFFFFFFFE) \ 2) And &H7FFFFFFF
            End If
        Next x
        crcTable(i) = CRC
    Next i
    BuildTable = True
End Function

Private Sub Class_Initialize()
    BuildTable 'the table is built once, when the object is created
End Sub

================= END HERE ====================

Then type the following code in the form (the declarations at the top, and the Command1_Click event):

================= START HERE ====================

Dim namaFileBuka As String, HasilCrc As String
Dim CCrc As New clsCrc 'create a new object of the class clsCrc
Dim calCrc As Long
Dim tmp() As Byte 'array holding the file that is read

Private Sub Command1_Click()

    CommonDialog1.CancelError = True 'raise an error when the user clicks Cancel in the CommonDialog
    CommonDialog1.DialogTitle = "Read File" 'CommonDialog caption

    On Error GoTo erorhandle 'error handler label

    CommonDialog1.ShowOpen
    namaFileBuka = CommonDialog1.FileName
    Open namaFileBuka For Binary Access Read As #1 'open the selected file in binary mode with read access
    ReDim tmp(LOF(1) - 1) As Byte 're-declare the array to the file size, bug fixed
    Get #1, , tmp()
    Close #1

    calCrc = UBound(tmp) 'last index of the array (file size - 1)
    calCrc = CCrc.CRC32(tmp, calCrc) 'calculate the CRC

    HasilCrc = Hex(calCrc) 'convert to hexadecimal format, because the result of the CRC class is still numeric
    Text1.Text = HasilCrc 'show the result
    Exit Sub

erorhandle:
    If Err.Number <> 32755 Then MsgBox Err.Description 'error number 32755 is raised when the user clicks Cancel while selecting a file
End Sub

================= END HERE ====================

Try running your program by pressing F5, then click Command1 and choose a file to open. The program will then display its CRC32.

Second #
With the code above we can make a routine that checks suspect files by comparing their CRC32 with our own CRC database. The algorithm is:
- Select a file to be checked
- Open the file in binary mode
- Process the checksum byte by byte
- Open the database file
- Take the contents of the file line by line
- Compare the calculated checksum with the checksum from the file

The database file format can be set freely, for instance:
- FluBurung.A = ABCDEFGH
- Diary.A = 12345678
Here FluBurung.A is the name of the virus and ABCDEFGH is its CRC32. If we have a file format like the above, then we need to read the file sequentially line by line, and separate the virus name from its CRC32. In this case the separator character is '='.
Create a new module (given the name Module1) and fill it with this code:

================= START HERE ====================

Public namaVirus As String, CrcVirus As String 'global variables for the virus name and its CRC
Public pathExe As String 'location of our AV's EXE file

Public Function cariDatabase(CRC As String, namaFileDB As String) As Boolean
    Dim lineStr As String, tmp() As String 'variables to hold the contents of the file

    Open namaFileDB For Input As #1 'open the database file in input mode
    Do While Not EOF(1)
        Line Input #1, lineStr
        tmp = Split(lineStr, "=") 'separate the line on the '=' separator character
        If UBound(tmp) >= 1 Then 'skip blank or malformed lines that have no '='
            namaVirus = Trim(tmp(0)) 'virus name from the array, spaces around '=' removed
            CrcVirus = Trim(tmp(1)) 'CRC from the array
            If CrcVirus = CRC Then 'the calculated CRC matches the database
                cariDatabase = True 'return value TRUE
                Exit Do 'exit the loop
            End If
        End If
    Loop
    Close #1
End Function

================= END HERE ====================

Then add one new item to the form, namely a second Command button (Command2), and type the following code into the Command2_Click event:

================= START HERE ====================
Private Sub Command2_Click()

    If Len(App.Path) <= 3 Then 'the directory is a root directory (e.g. C:\), which already ends with a backslash
        pathExe = App.Path
    Else
        pathExe = App.Path & "\"
    End If

    CommonDialog1.CancelError = True 'raise an error when the user clicks Cancel in the CommonDialog
    CommonDialog1.DialogTitle = "Read File" 'CommonDialog caption

    On Error GoTo erorhandle 'error handler label

    CommonDialog1.ShowOpen

    namaFileBuka = CommonDialog1.FileName
    Open namaFileBuka For Binary Access Read As #1 'open the selected file in binary mode with read access
    ReDim tmp(LOF(1) - 1) As Byte 're-declare the array to the file size, bug fixed
    Get #1, , tmp()
    Close #1

    calCrc = UBound(tmp) 'last index of the array (file size - 1)
    calCrc = CCrc.CRC32(tmp, calCrc) 'calculate the CRC

    HasilCrc = Hex(calCrc) 'convert to hexadecimal format, because the result of the CRC class is still numeric
    If cariDatabase(HasilCrc, pathExe & "DB.txt") Then 'the CRC was found in DB.txt next to the EXE
        MsgBox "Virus found: " & namaVirus 'show a message box
    End If
    Exit Sub

erorhandle:
    If Err.Number <> 32755 Then MsgBox Err.Description 'error number 32755 is raised when the user clicks Cancel while selecting a file
End Sub

================= END HERE ====================
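The whole Second-section procedure in one place, as an added example that is not part of the original post or the ProjekAV project. It is written in Python rather than VB6 so it can be run anywhere: it reproduces the table-driven CRC32 of clsCrc, parses the `Name = CRC` DB.txt format, and demonstrates the caveat from the checksum discussion, that a single changed byte defeats the signature. The sample bytes, the `Sample.A` entry and the function names are constructed for this example.

```python
import zlib
POLY = 0xEDB88320  # reflected CRC-32 polynomial, the 'Limit' constant in clsCrc

def build_table():
    # Same construction as clsCrc.BuildTable: 8 shift/xor rounds per entry
    table = []
    for i in range(256):
        crc = i
        for _ in range(8):
            crc = (crc >> 1) ^ POLY if crc & 1 else crc >> 1
        table.append(crc)
    return table

CRC_TABLE = build_table()

def crc32(data: bytes, crc: int = 0) -> int:
    # Same loop as clsCrc.CRC32: pre/post inversion, one table lookup per byte
    crc ^= 0xFFFFFFFF
    for b in data:
        crc = (crc >> 8) ^ CRC_TABLE[(crc ^ b) & 0xFF]
    return crc ^ 0xFFFFFFFF

def matches_zlib(data: bytes) -> bool:
    return crc32(data) == zlib.crc32(data)  # cross-check against the standard library

def parse_database(text: str) -> dict:
    # DB.txt lines look like 'FluBurung.A = ABCDEFGH'; whitespace around '=' is
    # trimmed and lines without '=' are skipped, so a blank line cannot crash a scan
    sigs = {}
    for line in text.splitlines():
        if "=" in line:
            name, _, value = line.partition("=")
            sigs[value.strip().upper()] = name.strip()
    return sigs

def scan(data: bytes, sigs: dict):
    # Virus name whose CRC32 matches, else None; CRC zero-padded to 8 hex digits
    return sigs.get("%08X" % crc32(data))

# Constructed sample 'virus body' (hypothetical bytes, not a real file) and a
# DB.txt built from it; 'Diary.A' is the placeholder entry from the post
SAMPLE = b"constructed sample virus body, not a real file"
DB_TEXT = "Sample.A = %08X\nDiary.A = 12345678\n" % crc32(SAMPLE)

def demo():
    # The exact copy is detected; flipping one bit of the last byte changes the
    # CRC32 so the signature misses, the weakness noted for self-modifying viruses
    sigs = parse_database(DB_TEXT)
    mutated = bytearray(SAMPLE)
    mutated[-1] ^= 0x01
    return scan(SAMPLE, sigs), scan(bytes(mutated), sigs)
```

`demo()` returns `('Sample.A', None)`: the same detection logic that finds the stored copy is blind to a one-byte variant, which is why a checksum-only engine needs a definition update for every variant.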

Features that can be added to the simple AV include a process scanner, registry access, real-time protection (RTP) and others. A process scanner is basically the technique of enumerating all processes running on the operating system, finding the location of their files and scanning them. The registry access feature allows us to edit the Windows registry directly when access to the registry (Regedit) is blocked by a virus. The RTP feature lets the AV run alongside Windows Explorer to scan the directory or file we are viewing or browsing. These three features will be discussed further in the next article.

Conclusion #
There is no need to buy expensive AV software to protect ourselves from the threat of computer viruses; we can make it ourselves with features that are no less good. Admittedly a home-made AV is imperfect, but at least it can help prevent the rampant computer virus infections. This simple AV software is equipped with a static scanner engine and a definition database. It is not out of the question that the AV software could be improved with more advanced scanner engines.

Closing #
This simple AV software is fully open source; you may develop it further as long as the original author's name is kept. The complete project listing can be downloaded from http://www.geocities.com/emomelodicfreak/ProjekAV.zip

Visit http://fikrul.co.cc/?p=35 if you want more information.
