My very own basic AV running off signature-based detection, heuristic and behavioural analysis, written in Python.
Eurofighter is my very own anti-virus software designed to run on Windows and Linux, featuring basic signature-based and heuristic detection methods. By no means is this project supposed to be a REAL anti-virus; it is a proof-of-concept to show my knowledge of
- How anti-virus detects and terminates malware.
- How to evade malware.
Yes, I do plan to discuss how to evade Eurofighter, though that shouldn't be hard. Even Defender has DefenderCheck to deal with among other tools xD
Eurofighter requires the `dotenv`, `pefile` and `requests` modules, which can all be installed through pip, pipx, or your own package manager if it ships such modules as packages. On Arch Linux, pip can be installed using yay with `yay python-pip`. Similarly, you can run `sudo pacman -S python-pip` or `sudo pacman -S python-pipx` to install either package. yay can also be used to install the modules themselves if you do not want to set up a Python virtual environment, by running `yay python-<module_name>`, e.g. `yay python-requests`.
You can compile Eurofighter into an executable for Linux/Windows using `pyinstaller`, if you hate calling `python3` a bunch:
- Install `pyinstaller` using `pipx` with `pipx install pyinstaller`. You can use `pip` but I don't have a Python venv going so I resort to `pipx`.
- Clone this repo using `git clone https://github.com/nubbsterr/Eurofighter.git`, then `cd Eurofighter/src` to enter the source directory of Eurofighter.
- Compile using `pyinstaller` with the command: `pyinstaller --onefile --name Eurofighter eurofighter.py`. A Linux or Windows executable will be generated depending on what system you are on (I legit have 0 care for MacOS).
Evasion can definitely be done by obfuscating the file contents. Strings and PE analysis will fail if they cannot find an exact match to the malicious function calls or DLLs, which are hard-coded. If the content is base64 encoded, the strings analysis may still pick it up, since it tries to decode any potential base64 string it finds.
You can definitely evade signature-based detection if the file does not exactly match any signature in the `signatures.txt` "database". Just change ANYTHING in the file and the hash changes.
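As an added example (not Eurofighter's own code), here is a miniature of the static pipeline described above: a hash lookup against a signature set, printable-string extraction with opportunistic base64 decoding, and a match of the result against a list of API names. The API list and the sample bytes are constructed assumptions; Eurofighter's actual hard-coded lists live in its source.

```python
import base64
import hashlib
import re

# Constructed list of API names a static scanner might flag (an assumption,
# not the list hard-coded in Eurofighter's source).
SUSPICIOUS_APIS = {b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread"}

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")            # runs of 4+ printable bytes
B64_LIKE = re.compile(rb"^[A-Za-z0-9+/]{16,}={0,2}$")  # plausible base64 token


def sha256_hex(data: bytes) -> str:
    """Whole-file hash used for the signature lookup."""
    return hashlib.sha256(data).hexdigest()


def extract_strings(data: bytes) -> list:
    """Equivalent of `strings`: printable runs of at least four bytes."""
    return PRINTABLE.findall(data)


def decode_b64_candidates(strings: list) -> list:
    """Decode any string that looks like base64; skip ones that do not decode."""
    decoded = []
    for s in strings:
        if B64_LIKE.match(s) and len(s) % 4 == 0:
            try:
                decoded.append(base64.b64decode(s, validate=True))
            except ValueError:  # binascii.Error subclasses ValueError
                pass
    return decoded


def scan(data: bytes, signatures: set) -> dict:
    """Signature check first, then string/base64 analysis for known API names."""
    digest = sha256_hex(data)
    if digest in signatures:
        return {"verdict": "malicious", "reason": "signature", "apis": [], "sha256": digest}
    strings = extract_strings(data)
    corpus = strings + decode_b64_candidates(strings)
    hits = sorted({api.decode() for blob in corpus for api in SUSPICIOUS_APIS if api in blob})
    verdict = "suspicious" if hits else "clean"
    return {"verdict": verdict, "reason": "strings" if hits else None, "apis": hits, "sha256": digest}


# Constructed samples: a benign blob, and one hiding API names behind base64.
SAMPLE_CLEAN = b"MZ\x90\x00Hello from a benign program\x00"
SAMPLE_B64 = b"MZ\x00" + base64.b64encode(b"VirtualAllocEx;CreateRemoteThread") + b"\x00"
```

Flipping a single byte of `SAMPLE_CLEAN` after its hash has been added to the signature set is enough to turn a "malicious" verdict back into "clean", which is exactly the weakness of exact-hash signatures noted above.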
Static analysis and quarantine are done! No plans to continue to dynamic analysis since VM management through the terminal will probably suck a bunch. As it stands, Eurofighter is decently complete and just needs some live testing.
- Mock sandbox solution where we:
  - Create but suspend the malware process
  - Inject a DLL to log API calls made by the malware; logging is done into a .txt file in real-time
    - Logging will be done over a network share between the host and VM, read-only and mounted once the process is started.
    - The DLL will have a checksum post-analysis to check if anything was modified.
  - Resume thread execution
  - Close the sample when needed:
    - After elapsed time, x amount of threads/processes opened, # of incidents spotted through bad behaviour, etc.
    - `WaitForSingleObject()` is a good choice since in the case of the malware PROCESS (not THREAD) it will show that the process exited on its own!
      - Return value of `WAIT_TIMEOUT` = still running, terminate sample forcefully. `WAIT_OBJECT_0` = exited successfully. `WAIT_FAILED` = function failed, terminate sample, then run `GetLastError` and output info to console!
      - Use the `DWORD` data type to store the return value!
  - Cleanup when needed or when we note that the malware has stopped executing; whenever (closing handles will basically free the system memory that is running your process. Terminate first, then `CloseHandle`)
- For scripting this from start to finish, the steps would be:
  - Boot the VM and record a snapshot
  - Copy malware sample to host
  - Do the above steps for setting up the process and DLL injection
  - Collect logs once malware is running and cleanup when appropriate
  - Copy logs from VM to host
  - Rollback VM then shutdown.