We all can understand that writing an Antivirus is hard.
I mean even I was going to attempt to do one and eventually stopped. (mainly because I was overwhelmed with ideas, and was going to be a pain to implement)
If you’re really serious about writing an Antivirus, I recommend that you take a look at this amazing article first: https://www.adlice.com/making-an-antivirus-engine-the-guidelines/
This post will NOT contain code, just some general theory around the topic.
Components
Before anything else, figure out which components your Antivirus will have, for instance:
- Will it have a Web module that injects a DLL into every browser to intercept websites and query VirusTotal?
- Perhaps it will also harden against binary exploitation, like Malwarebytes’ anti-exploit
- Or just a file scan module that computes file checksums and then queries a server that compares them against thousands of known virus hashes
- Will it have a Driver to protect the User-mode part of the Antivirus?
These are just a few ideas, but I highly recommend that you sketch a little structure of what you’re thinking of.
Antivirus Workflow/Which components interact with which
After nailing down all the components, from the kernel-land drivers to user-mode DLLs, the next step is figuring out how you’re going to piece them together.
For instance, if you write a Driver, you’ll (preferably) want a Service that acts as the bridge between the Driver and the rest of the Antivirus Engine.
If the GUI gets a scan request from the user, it should forward the file scan request to the Service, which then sends an IOCTL to the Driver.
Etc…
Heuristics
Antiviruses look promising; however, let’s face it: they’re not perfect.
Most of the ones on the market have a mechanism called Heuristics, that is, you choose certain metrics that you will use to decide whether a file is suspicious or not. (In later stages you may want to add criteria to identify the virus type.)
Example:
Say you have a Driver that scans an EXE before it launches; it would first read the file’s entropy to determine whether it is packed or not.
Then you may want to look at the IAT (Import Address Table) to determine if it shows signs of Process Hollowing (basically a program that starts a new process in order to run itself disguised inside it).
In this case, you could find that out by checking whether the PE imports WriteProcessMemory, VirtualAlloc(/Ex) and NtUnmapViewOfSection, since this will detect something like 90% of the public code about Process Hollowing.
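As an added illustration of the two heuristics just described (example code written for this page, not code from the post, which contains none): the entropy of each section flags packing, and the import list is checked for the WriteProcessMemory / VirtualAlloc(Ex) / NtUnmapViewOfSection trio. The section bytes and import lists below are constructed stand-ins, and the 7.0 bits-per-byte packing threshold is an assumption; in a real engine these inputs would come from a PE parser reading the section table and import directory.

```python
import math
import random
from collections import Counter

# Threshold and API sets are assumptions for this example, not values from the post.
PACKED_ENTROPY_THRESHOLD = 7.0  # bits per byte; compressed or encrypted data sits close to 8.0

# The post's IAT heuristic: write + allocate (VirtualAlloc or VirtualAllocEx) + unmap.
HOLLOWING_WRITE = "WriteProcessMemory"
HOLLOWING_ALLOC = {"VirtualAlloc", "VirtualAllocEx"}
HOLLOWING_UNMAP = "NtUnmapViewOfSection"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packed_sections(sections):
    """sections: list of (section_name, raw_bytes). Returns the names whose entropy suggests packing."""
    return [name for name, raw in sections if shannon_entropy(raw) > PACKED_ENTROPY_THRESHOLD]


def hollowing_imports(imports):
    """imports: iterable of imported function names as read from the PE import table.
    Returns the sorted hollowing-related names that are present."""
    names = set(imports)
    hits = {n for n in names if n in (HOLLOWING_WRITE, HOLLOWING_UNMAP) or n in HOLLOWING_ALLOC}
    return sorted(hits)


def hollowing_suspected(imports):
    """True only when all three steps of the post's pattern (write, allocate, unmap) are imported together."""
    names = set(imports)
    return HOLLOWING_WRITE in names and HOLLOWING_UNMAP in names and bool(names & HOLLOWING_ALLOC)


def assess(sections, imports):
    """Combine both heuristics into a verdict the scanning Service could act on."""
    packed = packed_sections(sections)
    hollow = hollowing_suspected(imports)
    return {
        "packed_sections": packed,
        "hollowing_apis": hollowing_imports(imports),
        "hollowing_suspected": hollow,
        # Packing alone is weak evidence (legitimate software is packed too); the IAT trio is the stronger signal.
        "suspicious": hollow or bool(packed),
    }


# Constructed sample inputs (not taken from real binaries): a low-entropy text-like section and a
# pseudo-random section standing in for a packed or encrypted one.
_rng = random.Random(2024)
SAMPLE_TEXT_SECTION = b"This program cannot be run in DOS mode.\r\n" * 100
SAMPLE_PACKED_SECTION = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_BENIGN_IMPORTS = ["CreateFileW", "ReadFile", "WriteFile", "MessageBoxW", "ExitProcess"]
SAMPLE_SUSPECT_IMPORTS = ["CreateProcessA", "VirtualAllocEx", "WriteProcessMemory",
                          "NtUnmapViewOfSection", "CloseHandle"]

if __name__ == "__main__":
    print(assess([(".text", SAMPLE_TEXT_SECTION), (".data", SAMPLE_PACKED_SECTION)], SAMPLE_SUSPECT_IMPORTS))
    print(assess([(".text", SAMPLE_TEXT_SECTION)], SAMPLE_BENIGN_IMPORTS))
```

Both checks are hints rather than verdicts: a high-entropy section also appears in legitimately compressed resources, and names that are not in the import table are invisible to the IAT check, which is why the post only claims coverage of most public samples rather than all of them.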
Ending
Now, are you still brave enough to code an Antivirus?