My very own basic AV running off signature-based detection, heuristic and behavioural analysis, written in Python.
Eurofighter is my very own anti-virus software designed to run on the Windows operating system, featuring basic signature-based and heuristic detection methods. I originally decided to write this in C++ where I promptly realized that "This will take far too long and require a lot more effort for similar payout.". Yes, C++ is lovely but more the amount of extra libraries to link and alien syntax, Python is just more appealing and simple.
By no means is this project supposed to be a REAL anti-virus; it is a proof-of-concept to show my knowledge of
- How anti-virus detects and terminates malware.
- How to evade malware.
Yes, I do plan to discuss how to evade Eurofighter, though that shouldn't be hard. Even Defender has DefenderCheck to deal with among other tools xD
You can compile the Eurofighter executable for Linux/Windows using pyinstaller!
- Install
pyinstallerusingpipxwithpipx install pyinstaller. You can usepipbut I don't have a Python venv going so I resort topipx. - Clone this repo using
git clone https://github.com/nubbsterr/Eurofighter.git cdEurofighter/src to enter the source directory of Eurofighter.- Compile using
pyinstallerwith the command:pyinstaller --onefile --name Eurofighter eurofighter.py. A Linux or Windows executable will be generated depending on what system you are on (I legit have 0 care for MacOS).
Project status and agenda can be found below. Everything is a work-in-progress and the entire project is designed to be a proof-of-concept, not a real AV (for now, maybe.) If you have suggestions, or wish to contribute, please feel free to contact me on Discord @ nubbieeee or submit a PR!
- Quarantine sample; put it in some protected read only folder, or just delete the sample forcefully.
- Force delete the file using
DeleteFile(<filename.exe/dll>)in code or just callstd::system.
- Force delete the file using
- Will test with actual samples before doing this! See theZoo!
- Mock sandbox solution where we:
- Create but suspend the malware process
- Inject a DLL to log API calls made by the malware; logging is done into a .txt file in real-time
- logging will be done over a network share between the host and VM, read-only and mounted once process started.
- DLL will have checksum post analysis to check if anything was modified.
- Resume thread execution
- VM will be securely isolated to prevent malware doing VM escape or leaking onto host machine; needs research.
- Close the sample when needed:
- After elapsed time, x amount of threads/processes opened, # of incidents spotted thru bad behaviour, etc.
- WaitForSingleObject() is a good choice since in the case of the malware PROCESS (not THREAD) it will show that the process exited on its own!
- Return type of
WAIT_TIMEOUT= still running, terminate sample forcefully.WAIT_OBJECT_0= exited succesfully.WAIT_FAILED= function failed, terminate sample, then runGetLastErrorand output info to console! - Use
DWORDdata type to store return value!
- Return type of
- Cleanup when needed or when we note that the malware has stopped executing; whenever (Close handles will basically free system memory that is running your process. Terminate first, then CloseHandle)
- NOTE: We should run this all in a VM; take initial snapshot, run malware, rollback snapshot, repeat! VM is connected to NO networks.
- For scripting this from start to finish, the steps would be:
- Boot the VM and record a snapshot
- Copy malware sample to host
- Do the above steps for setting up the process and DLL injection
- Collect logs once malware is running and cleanup when appropriate
- Copy logs from VM to host
- Rollback VM then shutdown.
- NOTE! Use a read-only shared folder on the VM to store the log data so it is NOT tampered with; TBD since