Quick note: I have dropped this project because I was setting my goals too high for my knowledge of driver development and C#-C++ interoperability.
I'm not planning on continuing or remaking this project.
This post is different from the two before, since this is just a demo of an antivirus I'm coding.
It will be fairly simple but hella fun to make! In its current state, it only inspects the PE file's import table for suspicious functions (for instance: TerminateProcess, WriteProcessMemory, etc.).
I will account for dynamic imports later on. (hint: hook GetProcAddress)
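As an added illustration of what an import-table check like this looks like in code (this is example code written for this post, not the project's own C#/C++ implementation), the snippet below parses the import directory of a PE image with nothing but the standard library and flags imported function names that appear on a small watchlist. The watchlist and the sample PE are constructed here for the demo: build_sample_pe() fabricates a minimal PE32 image that contains only a valid import table, so the parser can be exercised offline without shipping a real binary.

```python
import struct

# Constructed watchlist for the demo, seeded with the post's examples.
SUSPICIOUS = {"TerminateProcess", "WriteProcessMemory", "VirtualAllocEx", "CreateRemoteThread"}


def rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table; reject RVAs outside any section."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    raise ValueError("RVA 0x%x not backed by any section" % rva)


def cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def list_imports(data):
    """Return [(dll, function), ...] from the PE import directory (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dd_off = opt + (112 if is64 else 96)      # start of the data directory array
    imp_rva, _imp_size = struct.unpack_from("<II", data, dd_off + 8)  # entry 1 = IMPORT
    sec_off = opt + opt_size
    sections = [struct.unpack_from("<III", data, sec_off + i * 40 + 12)  # VA, SizeOfRawData, PointerToRawData
                for i in range(nsec)]
    imports = []
    if imp_rva == 0:
        return imports
    desc = rva_to_offset(imp_rva, sections)
    step, fmt, ord_flag = (8, "<Q", 1 << 63) if is64 else (4, "<I", 1 << 31)
    while True:  # IMAGE_IMPORT_DESCRIPTOR array, terminated by an all-zero entry
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break
        dll = cstr(data, rva_to_offset(name_rva, sections))
        thunk = rva_to_offset(oft or ft, sections)  # prefer the INT; fall back to the IAT
        while True:
            entry = struct.unpack_from(fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ord_flag:
                imports.append((dll, "ordinal#%d" % (entry & 0xFFFF)))
            else:  # IMAGE_IMPORT_BY_NAME: 2-byte Hint, then the NUL-terminated name
                imports.append((dll, cstr(data, rva_to_offset(entry, sections) + 2)))
            thunk += step
        desc += 20
    return imports


def flag_suspicious(data, watchlist=SUSPICIOUS):
    return sorted({fn for _, fn in list_imports(data) if fn in watchlist})


def build_sample_pe(imports_by_dll):
    """Constructed minimal PE32 image with one .idata section; not loadable, just parseable."""
    sec_rva, sec_raw = 0x1000, 0x200
    ndll, nfunc = len(imports_by_dll), sum(len(f) for f in imports_by_dll.values())
    thunk_base = sec_rva + (ndll + 1) * 20
    name_base = thunk_base + (nfunc + ndll) * 4
    descs, thunks, names = bytearray(), bytearray(), bytearray()

    def add_name(raw):
        rva = name_base + len(names)
        names.extend(raw + b"\0")
        return rva

    for dll, funcs in imports_by_dll.items():
        oft = thunk_base + len(thunks)
        for fn in funcs:
            thunks.extend(struct.pack("<I", add_name(b"\0\0" + fn.encode())))  # Hint=0 + name
        thunks.extend(b"\0" * 4)
        descs.extend(struct.pack("<IIIII", oft, 0, 0, add_name(dll.encode()), oft))
    descs.extend(b"\0" * 20)
    body = bytes(descs + thunks + names)
    raw_size = -(-len(body) // 0x200) * 0x200
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<IHHIIIHH", 0x4550, 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 104, sec_rva, len(descs))  # data directory[1] = imports
    sec = struct.pack("<8sIIIIIIHHI", b".idata", len(body), sec_rva, raw_size, sec_raw, 0, 0, 0, 0, 0xC0000040)
    image = bytes(dos) + coff + bytes(opt) + sec
    return image + b"\0" * (sec_raw - len(image)) + body + b"\0" * (raw_size - len(body))


SAMPLE = build_sample_pe({
    "KERNEL32.dll": ["CreateFileA", "WriteProcessMemory", "TerminateProcess"],
    "USER32.dll": ["MessageBoxA"],
})

if __name__ == "__main__":
    print(flag_suspicious(SAMPLE))
```

Two caveats worth keeping in mind when using this as a detection signal: legitimate software (debuggers, installers, task managers) imports these same functions, so a hit is a hint and not a verdict, and anything resolved at runtime through LoadLibrary/GetProcAddress, or reached via its own hand-rolled export-table walk, never appears in the static import table at all, which is exactly the gap the dynamic-import work mentioned above is meant to close.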
Oh, and also: it already has the list of hashes implemented; I just need to use the MD5 hashing function :).
- FileSystem Minifilter
- Protection against dynamic imports