dmknght / rkcheck
A malware scanner with Yara and ClamAV binding
Procedure steps:
Here is the antivirus https://sourceforge.net/projects/xylent/
The ClamAV scan is slower than Yara when scanning ELF files. Also, Yara's modules are more effective than ClamAV at extracting metadata from PE and ELF files. Create a proper file / process scanner that gives Yara the higher scan priority and only falls back to the ClamAV engine afterwards.
Procedure steps:
```nim
# Outline (Nim pseudocode): accept a rule directory as well as a single rule file
if getFileInfo(yaradb).kind == pcDir:
  for kind, path in walkDir(yaradb):   # check each entry for yara rules
    discard                            # collect rule files here
  # combine all collected rules and load them in one compile step
```
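The rule-loading step above, written out in Python as an added example (this is not rkcheck's own code; the final compile assumes the yara-python package). Each rule file gets its own YARA namespace, so two files that both define `rule Hello` can still be loaded together; if the files were simply concatenated, or all compiled into one namespace, YARA would reject the duplicate identifier and the whole load would fail. The `duplicate_rule_names` check makes that collision visible before compiling.

```python
"""Added example (not rkcheck's code): walk a rule directory, map every rule
file to its own namespace and flag rule identifiers defined more than once.
yara-python is assumed only for the final compile."""
import os
import re

RULE_EXTS = (".yar", ".yara")
# Matches `rule NAME`, `private rule NAME`, `global private rule NAME`, ...
RULE_NAME_RE = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)", re.M)


def collect_rule_files(yaradb: str) -> dict:
    """Return {namespace: path} for a single rule file or for every rule file
    under a directory, in a stable (sorted) order. The namespace is the path
    relative to `yaradb` without its extension, so it is unique per file."""
    if os.path.isfile(yaradb):
        return {os.path.splitext(os.path.basename(yaradb))[0]: yaradb}
    found = {}
    for root, _dirs, files in os.walk(yaradb):
        for name in sorted(files):
            if name.lower().endswith(RULE_EXTS):
                path = os.path.join(root, name)
                rel = os.path.splitext(os.path.relpath(path, yaradb))[0]
                found[rel.replace(os.sep, "/")] = path
    return dict(sorted(found.items()))


def duplicate_rule_names(filepaths: dict) -> dict:
    """Rule identifiers defined in more than one file, as {name: [namespaces]}.
    Harmless with one namespace per file, fatal if the files are concatenated."""
    seen = {}
    for ns, path in filepaths.items():
        with open(path, encoding="utf-8", errors="replace") as f:
            for name in RULE_NAME_RE.findall(f.read()):
                seen.setdefault(name, []).append(ns)
    return {n: v for n, v in seen.items() if len(v) > 1}


def load_rules(yaradb: str):
    """Combine all rule files and compile them once (yara-python assumed;
    imported late so the walking and checking above run without it)."""
    import yara
    return yara.compile(filepaths=collect_rule_files(yaradb))
```

Usage: `rules = load_rules("/path/to/rules")` and then `rules.match(pid=...)` or `rules.match(filepath=...)` from yara-python; `duplicate_rule_names(collect_rule_files(root))` is worth logging at startup, because a colliding identifier is otherwise only reported as a compile error for the whole set.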
Example: rkscanmal --list-files /usr/lib/x86_64-linux-gnu/lib*.so
If no ClamAV signatures are loaded, libclamav refuses to process inner files.
[x] Scan memory chunk
[ ] Detection passed the test
Related to #4
ClamAV leaves a lot of tmp folders behind. Must find a way to clean them up.
Use Sigma rules to detect suspicious log entries on Linux systems.
The ClamAV cache calculates checksums and so on. It is better to disable it if the Clam engine is not used.
The current tool failed to detect some basic tests
Source code
```c
#include <stdio.h>

/* Minimal test target: the process only has to contain the string "HelloWorld".
   gets() blocks on stdin, which keeps the process alive so it can be scanned
   by PID; it is unsafe and is deliberately left as in the original test. */
int main() {
    char buf[64];
    printf("HelloWorld\n");
    gets(buf);
    return 0;
}
```
-> Compile and execute
Yara rule
```yara
private rule elf_magic {
    strings:
        // ELF magic, the remaining 12 bytes of e_ident, then the low byte of e_type (ET_NONE..ET_CORE)
        $magic = {7f 45 4c 46 [12] (00 | 01 | 02 | 03 | 04 )}
    condition:
        // the first match must sit at offset 0: the byte before it must not exist
        // (`defined` needs YARA 4.3 or newer)
        $magic and not defined uint8(@magic[1] - 1)
}
rule Hello {
    strings:
        $ = "HelloWorld"
    condition:
        elf_magic and any of them
}
```
ClamAV logical signature (Target:6 restricts it to files ClamAV types as ELF; the expression `0` requires subsignature 0, which is the hex encoding of "HelloWorld")
```
Hello;Target:6;0;48656c6c6f576f726c64
```
When scanning the running process (PID 3507070) with the original yara binary, the rule matches:
```
yara rule.yara 3507070
Hello 3507070
```
When trying the same with rkcheck, it failed to detect it with either Yara or ClamAV.
-> The memory scan must be rewritten to fix the scan process.
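To make the failing test reproducible without the two engines, here is an added example (not rkcheck's code) that models in plain Python what the YARA rule and the ClamAV signature above actually check, and then applies the same rule to a live process by reading `/proc/<pid>/maps` and `/proc/<pid>/mem` chunk by chunk. Two details matter for a memory scanner: the ELF header only counts when it is the first byte of a block with no scanned byte before it (that is what `not defined uint8(@magic[1] - 1)` encodes), and consecutive chunks must overlap by `len(needle) - 1` bytes or a string straddling a chunk boundary is silently missed. The process part is Linux-only and assumes the caller may read the target's memory (same user, or CAP_SYS_PTRACE).

```python
"""Added example (not rkcheck's code): pure-Python model of the page's YARA
rule and ClamAV logical signature, plus a /proc-based chunked memory scanner
that evaluates the same rule against a running process."""
import binascii
import os
import re

NEEDLE = b"HelloWorld"
# Same bytes the rule's `{7f 45 4c 46 [12] (00|01|02|03|04)}` matches: the ELF
# magic, the remaining 12 bytes of e_ident, then the low byte of e_type.
ELF_MAGIC_RE = re.compile(rb"\x7fELF.{12}[\x00-\x04]", re.DOTALL)


def elf_magic_rule(block: bytes, byte_before_defined: bool = False) -> bool:
    """`$magic and not defined uint8(@magic[1] - 1)`: the first magic match
    must be the first byte of the block and no scanned byte may precede it.
    For a file nothing precedes offset 0; for a memory block the byte before
    it is defined when the previous readable mapping ends exactly here."""
    m = ELF_MAGIC_RE.search(block)
    return m is not None and m.start() == 0 and not byte_before_defined


def hello_rule(blocks) -> bool:
    """rule Hello { elf_magic and any of them }, evaluated as YARA does for a
    process: across all blocks, not per block. `blocks` is a list of
    (data, byte_before_defined); a file is a one-element list."""
    return (any(elf_magic_rule(b, pre) for b, pre in blocks)
            and any(NEEDLE in b for b, _ in blocks))


def parse_logical_sig(line: str):
    """Parse `Name;Target:N;LogicalExpression;Subsig0[;Subsig1...]` (.ldb).
    Only plain hex subsignatures without wildcards are handled."""
    name, target, expr, *subsigs = line.strip().split(";")
    return name, int(target.split(":", 1)[1]), expr, [binascii.unhexlify(s) for s in subsigs]


def clamav_sig_matches(buf: bytes, sig: str) -> bool:
    """Target:6 limits the signature to files typed as ELF (magic at offset 0);
    expression `0` means 'subsignature 0 must match'. Nothing richer is modelled."""
    _, target, expr, subsigs = parse_logical_sig(sig)
    if target == 6 and not buf.startswith(b"\x7fELF"):
        return False
    return subsigs[int(expr)] in buf


def scan_process(pid: int, chunk_size: int = 1 << 20):
    """Read every readable mapping of `pid` in chunks; return (start addresses
    of mappings satisfying elf_magic, virtual addresses where NEEDLE occurs).
    Chunks overlap by len(NEEDLE) - 1 bytes so boundary-straddling hits survive."""
    elf_blocks, hits, prev_readable_end = [], [], None
    with open(f"/proc/{pid}/maps") as maps, open(f"/proc/{pid}/mem", "rb", 0) as mem:
        for line in maps:
            fields = line.split()
            start, end = (int(x, 16) for x in fields[0].split("-"))
            if "r" not in fields[1] or fields[-1] in ("[vvar]", "[vsyscall]"):
                continue  # not readable, or special regions that fail on read
            try:
                mem.seek(start)
            except (OverflowError, OSError):
                continue
            pos, tail = start, b""
            while pos < end:
                try:
                    data = mem.read(min(chunk_size, end - pos))
                except OSError:
                    break
                if not data:
                    break
                if pos == start and elf_magic_rule(data, prev_readable_end == start):
                    elf_blocks.append(start)
                window = tail + data
                hits.extend(pos - len(tail) + m.start()
                            for m in re.finditer(re.escape(NEEDLE), window))
                tail = data[-(len(NEEDLE) - 1):]
                pos += len(data)
            prev_readable_end = end
    return elf_blocks, hits


def hello_rule_process(pid: int) -> bool:
    """What `yara rule.yara <pid>` reporting `Hello <pid>` corresponds to."""
    elf_blocks, hits = scan_process(pid)
    return bool(elf_blocks) and bool(hits)


if __name__ == "__main__":
    # Scanning ourselves: the interpreter's first mapping starts with an ELF
    # header and NEEDLE lives on the heap, so the rule fires on this process.
    try:
        print("Hello", os.getpid(), hello_rule_process(os.getpid()))
    except OSError as e:
        print("memory scan unavailable:", e)
```

Run it as a script on Linux and it scans its own process; pass another PID to `hello_rule_process` to reproduce the page's test against the compiled HelloWorld binary while it is blocked in `gets()`.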
In the latest commits in dev, I tried improving scan performance by disabling certain modules. However, it caused ClamAV to not use the scan engine.