Malware Scanner project by darcjrt

Looks very promising :wink:

Only a small point: you're running an insecure version of java 1.6.07 next to jre6, probably a left-over install ;D

Can you also reverse that and make it a file integrity checker, so you can see what has changed on disk?

Thanks and thank you for noticing. I did not understand the last statement.

I’ve split the Test results and the scanner posts …

A file integrity scanner would be kind of the reverse of this malware scanner.

For file integrity scanning, you would “baseline” your system, save all hashes, and run a scanner every x amount of time to detect changes in files on your system, something like Tripwire etc. … but we're drifting !ot! here :wink:
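The baseline-and-verify approach described above, as an added example written for this thread in Python (it is not the NetMR tool or any code from the project). It hashes every regular file under a directory, stores the hashes as a JSON baseline, and on a later run reports which files were created, deleted or modified. The directory tree, file contents and file names in `demo()` are constructed for the illustration:

```python
"""
Baseline-and-verify file integrity checker (Tripwire-style), example code
added for this thread. Everything in demo() is a constructed sample tree.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of the whole file, read in chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (as a relative POSIX path) to its SHA-256."""
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):  # followlinks=False by default
        for name in filenames:
            full = Path(dirpath) / name
            # Skip symlinks so a planted link cannot make the scanner hash
            # (or report on) something outside the monitored tree.
            if full.is_symlink() or not full.is_file():
                continue
            result[full.relative_to(root).as_posix()] = hash_file(full)
    return result


def save_baseline(root: Path, baseline_file: Path) -> None:
    """Write the current snapshot as the trusted baseline."""
    baseline_file.write_text(json.dumps(snapshot(root), indent=2, sort_keys=True))


def verify(root: Path, baseline_file: Path) -> dict:
    """Compare the live tree against the saved baseline and return the drift."""
    old = json.loads(baseline_file.read_text())
    new = snapshot(root)
    return {
        "created": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> dict:
    """Build a constructed tree, baseline it, change it, and report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tree"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "app.exe").write_bytes(b"MZ original")   # constructed content
        (root / "config.ini").write_text("debug=0\n")
        baseline = Path(tmp) / "baseline.json"
        save_baseline(root, baseline)

        # Simulate what an installer or dropper might leave behind.
        (root / "bin" / "app.exe").write_bytes(b"MZ patched")    # modified
        (root / "config.ini").unlink()                             # deleted
        (root / "bin" / "helper.dll").write_bytes(b"new code")    # created
        return verify(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report is only as trustworthy as the baseline: take it on a system you believe clean, and keep the baseline file (or a signature over it) somewhere the monitored system cannot rewrite, otherwise anything that can change the files can change the baseline to match.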

hahaha nonsense. I just did not understand your question at first. That is a great idea. Let’s see what happens with this MR first.

How about this??
The first button scans the whole drive.
The second button verifies if a file was deleted or created. This can be helpful for analyzing droppers, installers, rogues, etc.

The app will create a log file of files deleted or created.

[attachment deleted by admin]

An installation monitor. I like that :slight_smile:

Can you create such a tool that watches what is installed, and when asked moves all the new files into 1 folder? This is really handy when talking about deleting rogues ;D

Xan

Yes my friend. That is exactly what it does. When it stops verifying changes, there is a button to browse for the report file and copy all the dropped files by the rogue into a folder.

Could you submit it to me over PM? 88)

Xan

There’s a lot of potential for this tool of yours, not only for rogue removal but also to clean up after untidy uninstallers. :-TU

Of course I will. PLS. As soon as you try it out, let me know any bug you might find. This tool was created in less than 15 mins. So it might be buggy. I already used it on Vista and XP and worked like a charm.
I’ll send you the link.

Can you guys send me Rogues? I want to really move forward with this app. I have setup a VM with multiple images to analyze rogues and create signatures.

PLS.

Maybe COMODO can integrate this tool to CIS…a rogue scanner. hehehe :stuck_out_tongue:

When adding stuff to its database, could you make a multi-selector? Adding 50.000 samples ain't fun otherwise …
Track disk changes is extremely slow…
When scanning with TDC I can only see Start; even when it's scanning, it doesn't change to Stop.
When trying to open the log file before the original scan is complete, I get this bug report:

Zie het einde van dit bericht voor meer informatie over het aanroepen van JIT-foutopsporing (Just In Time) in plaats van dit dialoogvenster.

************** Tekst van uitzondering **************
System.ArgumentException: Lege padnaam is niet geldig.
bij System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks, Int32 bufferSize)
bij System.IO.StreamReader..ctor(String path)
bij DiskChangesTrack.Form1.button1_Click(Object sender, EventArgs e)
bij System.Windows.Forms.Control.OnClick(EventArgs e)
bij System.Windows.Forms.Button.OnClick(EventArgs e)
bij System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
bij System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
bij System.Windows.Forms.Control.WndProc(Message& m)
bij System.Windows.Forms.ButtonBase.WndProc(Message& m)
bij System.Windows.Forms.Button.WndProc(Message& m)
bij System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
bij System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
bij System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

************** Geladen assembly’s **************
mscorlib
Assembly-versie: 2.0.0.0
Win32-versie: 2.0.50727.3074 (QFE.050727-3000)
CodeBase: file:///C:/Windows/Microsoft.NET/Framework/v2.0.50727/mscorlib.dll

DiskChangesTrack
Assembly-versie: 1.0.0.0
Win32-versie: 1.0.0.0
CodeBase: file:///C:/Program%20Files/NetMR%20beta/DiskChangesTrack.exe

System.Windows.Forms
Assembly-versie: 2.0.0.0
Win32-versie: 2.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Windows.Forms/2.0.0.0__b77a5c561934e089/System.Windows.Forms.dll

System
Assembly-versie: 2.0.0.0
Win32-versie: 2.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System/2.0.0.0__b77a5c561934e089/System.dll

System.Drawing
Assembly-versie: 2.0.0.0
Win32-versie: 2.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Drawing/2.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll

System.Data.SQLite
Assembly-versie: 1.0.60.0
Win32-versie: 1.0.60.0
CodeBase: file:///C:/Program%20Files/NetMR%20beta/System.Data.SQLite.DLL

System.Data
Assembly-versie: 2.0.0.0
Win32-versie: 2.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/Windows/assembly/GAC_32/System.Data/2.0.0.0__b77a5c561934e089/System.Data.dll

System.Transactions
Assembly-versie: 2.0.0.0
Win32-versie: 2.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/Windows/assembly/GAC_32/System.Transactions/2.0.0.0__b77a5c561934e089/System.Transactions.dll

System.Configuration
Assembly-versie: 2.0.0.0
Win32-versie: 2.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Configuration/2.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll

System.Xml
Assembly-versie: 2.0.0.0
Win32-versie: 2.0.50727.3074 (QFE.050727-3000)
CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Xml/2.0.0.0__b77a5c561934e089/System.Xml.dll

System.EnterpriseServices
Assembly-versie: 2.0.0.0
Win32-versie: 2.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/Windows/assembly/GAC_32/System.EnterpriseServices/2.0.0.0__b03f5f7f11d50a3a/System.EnterpriseServices.dll

mscorlib.resources
Assembly-versie: 2.0.0.0
Win32-versie: 2.0.50727.3074 (QFE.050727-3000)
CodeBase: file:///C:/Windows/Microsoft.NET/Framework/v2.0.50727/mscorlib.dll

System.Windows.Forms.resources
Assembly-versie: 2.0.0.0
Win32-versie: 2.0.50727.1434 (REDBITS.050727-1400)
CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Windows.Forms.resources/2.0.0.0_nl_b77a5c561934e089/System.Windows.Forms.resources.dll

************** JIT-foutopsporing **************
Als u JIT-foutopsporing wilt inschakelen, moet in het configuratiebestand voor deze
toepassing of computer (machine.config) de waarde
jitDebugging in het gedeelte system.windows.forms zijn ingesteld.
De toepassing moet ook zijn gecompileerd terwijl foutopsporing
was ingeschakeld.

Bijvoorbeeld:

Wanneer JIT-foutopsporing is ingeschakeld, worden onverwerkte uitzonderingen
naar het JIT-foutopsporingsprogramma gestuurd dat op de computer is geregistreerd
en worden niet door dit dialoogvenster verwerkt.


I’ll send you some (just a few, bad internet connection) over pm :wink:

Xan

How about this one?
Try this one. It's a disk watcher. Monitors the whole drive for file changes in real time!!!

Yes, I am bored!

[attachment deleted by admin]

Find the first bug: it says: I will monitor blablabla … and the time is YYYYMMDD 88)

Xan

It is not a bug :smiley:
I’m just displaying the format of the date and time to use for the file.
Anyway, here is a new version. This one creates 3 files: one for created files, another for deleted files, and the last for remaining files. It does some logic between created and deleted and reports back the files that were created but not deleted.

Enjoy!

[attachment deleted by admin]
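The created/deleted/remaining logic described in the post above, together with the earlier request to gather every new file into one folder, as an added Python example written for this thread (not the DiskChangesTrack tool's own code). The watcher log format it parses (`<event><TAB><path>`, one event per line, in the order seen) is an assumption, and the events and files in `demo()` are constructed. It replays the log in order rather than taking a plain set difference, so a file that was created, deleted and created again still counts as remaining, while a pre-existing file the installer deleted shows up only in the deleted list:

```python
"""
Reconcile a disk-watcher event log into created / deleted / remaining lists
and collect the remaining (dropped) files into one folder. Example code added
for this thread; the log format is assumed and all sample data is constructed.
"""
import shutil
import tempfile
from pathlib import Path


def reconcile(log_text: str) -> dict:
    """Replay events in order; a path is 'remaining' if its last event was 'created'."""
    created, deleted, alive = set(), set(), set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event, _, path = line.partition("\t")
        if event == "created":
            created.add(path)
            alive.add(path)
        elif event == "deleted":
            deleted.add(path)
            alive.discard(path)  # may be a pre-existing file: recorded as deleted only
        else:
            raise ValueError(f"unknown event in log: {event!r}")
    return {
        "created": sorted(created),
        "deleted": sorted(deleted),
        "remaining": sorted(alive),  # alive is always a subset of created
    }


def collect(remaining, dest: Path, root: Path) -> list:
    """Copy each remaining file under dest, keeping its path relative to root
    so two dropped files with the same name cannot overwrite each other."""
    copied = []
    for p in remaining:
        src = Path(p)
        if src.is_symlink() or not src.is_file():
            continue  # already gone, or not a regular file: nothing safe to copy
        target = dest / src.relative_to(root)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)  # copy, so the evidence on disk stays untouched
        copied.append(target.relative_to(dest).as_posix())
    return sorted(copied)


def demo() -> dict:
    """Constructed install session: temp file created then removed, a driver
    replaced in place (delete + create), a pre-existing DLL deleted, and one new exe."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "drive"
        for sub in ("temp", "app", "sys"):
            (root / sub).mkdir(parents=True)
        rogue = root / "app" / "rogue.exe"
        drv = root / "sys" / "drv.sys"
        tmpfile = root / "temp" / "setup.tmp"   # never present at the end
        old = root / "sys" / "old.dll"          # existed before; now deleted
        rogue.write_bytes(b"MZ constructed sample")
        drv.write_bytes(b"constructed driver v2")

        log = "\n".join([
            f"created\t{tmpfile}", f"created\t{rogue}", f"created\t{drv}",
            f"deleted\t{tmpfile}", f"deleted\t{old}", f"deleted\t{drv}",
            f"created\t{drv}",
        ])
        result = reconcile(log)
        collected = collect(result["remaining"], Path(tmp) / "collected", root)

        def rel(paths):
            return sorted(Path(p).relative_to(root).as_posix() for p in paths)

        return {
            "created": rel(result["created"]),
            "deleted": rel(result["deleted"]),
            "remaining": rel(result["remaining"]),
            "collected": collected,
        }


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

Copying rather than moving keeps the original on-disk evidence intact for a second look, and the relative-path layout under the collection folder records where each file was dropped.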

Interesting but this is completely useless as a check if you only check for the first 2KB.

I do have a formula to look for specific bytes at specific offsets. But it's still really lame. Besides, I'm looking all over the web and I can't find a good way of scanning a file. And the ones I found are from IBM and really complex, which I might consider later on, but I do have a lot of work right now.

If you guys know or have any idea, or a better idea, on how to scan a file and use signatures and create sigs efficiently, please let me know.
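A minimal byte-signature scanner of the "specific bytes at specific offsets" kind mentioned above, added here as a Python example written for this thread (not NetMR's engine). It supports both offset-anchored signatures and anywhere-in-file patterns, and its `limit` parameter reproduces the head-only check criticised earlier so the difference is visible: a pattern sitting past the first 2 KB is missed. The `Signature` class, the `SIGNATURES` list and the marker byte strings are all constructed for the illustration and match nothing real:

```python
"""
Offset-anchored and free-position byte-signature scanner, example code added
for this thread. The signatures and sample file are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes
    offset: Optional[int] = None  # None: the pattern may appear anywhere in the file


MARKER_A = b"EXAMPLE-MARKER-A"  # constructed, 16 bytes
MARKER_B = b"EXAMPLE-MARKER-B"  # constructed, 16 bytes

# Constructed test signatures (hypothetical names, not real detection names).
SIGNATURES = [
    Signature("Test.HeaderMarker", MARKER_A, offset=0x40),  # must sit exactly at 0x40
    Signature("Test.TrailingMarker", MARKER_B),             # anywhere in the file
]


def scan_bytes(data: bytes, sigs=SIGNATURES, limit: Optional[int] = None) -> list:
    """Return the names of all signatures that match data.

    limit, if given, restricts the scan to the first `limit` bytes, which is
    the head-only shortcut that lets anything placed further in slip through.
    """
    view = data if limit is None else data[:limit]
    hits = []
    for sig in sigs:
        if sig.offset is not None:
            if view[sig.offset:sig.offset + len(sig.pattern)] == sig.pattern:
                hits.append(sig.name)
        elif view.find(sig.pattern) != -1:
            hits.append(sig.name)
    return hits


def scan_file(path, sigs=SIGNATURES, limit: Optional[int] = None) -> list:
    """Scan a file on disk; reads the whole file so the result matches scan_bytes()."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), sigs, limit)


def build_sample(size: int = 4096, tail_offset: int = 3000) -> bytes:
    """Constructed file: MARKER_A at 0x40 and MARKER_B well past the first 2 KB."""
    buf = bytearray(size)
    buf[0x40:0x40 + len(MARKER_A)] = MARKER_A
    buf[tail_offset:tail_offset + len(MARKER_B)] = MARKER_B
    return bytes(buf)


def compare_scans() -> dict:
    """Full scan vs a 2 KB head-only scan of the same sample, plus a shifted copy."""
    sample = build_sample()
    return {
        "full": scan_bytes(sample),
        "head_2kb": scan_bytes(sample, limit=2048),
        # One byte of padding in front: the anchored marker is no longer at 0x40,
        # so only the free-position signature still fires.
        "shifted": scan_bytes(b"\x00" + sample),
    }


if __name__ == "__main__":
    for mode, hits in compare_scans().items():
        print(f"{mode:>9}: {hits}")
```

Two points the run makes clear: the offset-anchored signature is stricter (one byte of padding defeats it, which is exactly why real engines anchor to structure such as the entry point rather than to a raw file offset), and a head-only scan is blind to anything after its cut-off. Scanning tens of thousands of free-position patterns with a per-signature `find()` does not scale; production engines compile the pattern set into a multi-pattern matcher (Aho-Corasick style) so one pass over the file checks all of them.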

Ask Melih/egeman…but it’s probably a secret. :stuck_out_tongue:

And I’m just a beginner programmer…so don’t ask me. :stuck_out_tongue:

hahaha yes it is a secret.
That is the key to an AV, the combination of scanning methods and signature algorithm!!!

I’ll keep looking forward to the project. At least with what I have now, I’m not getting FPs. Already detects:

Adware.Amazon.Toolbar
FraudTool.AstrumAV
Rogue.AV09Installer
Rogue.AV2009
Riskware.eAntiSpy
FraudTool.ExterminateIT
Risktool.FunWebProducts
FraudTool.IEScan
FraudTool.MSAntispyware09
Rogue.PcPrivacyCleaner
Rogue.PCSafe.AdwareFilter
Rogue.PerfectDefender
Risktool.RegistryDr
Rogue.SaferScan
Rougue.SystemSecurity
Unclass.baddie
FraudTool.VirusDr
Fraud.VirusRemover2009
Fraud.WindowsAntivirus
FraudTool.ADSAdwareRemover
FraudTool.AdwareAgent
Rogue.FraudTool.Antivirus Plus

Now you need your own website and forum, and I can be your forum admin! ;D