Emulation basics...

Inf0Byt3
PureBasic Fanatic
Posts: 2236
Joined: Fri Dec 09, 2005 12:15 pm
Location: Elbonia

Post by Inf0Byt3 »

I want to create a small emulator for PE executable files to implement dynamic heuristic scanning on PureAV and I need some ideas. How can I emulate an exe? I was thinking of transforming the code section into hex values or disassembling it and emulating the obtained instructions. Any better thoughts?
None are more hopelessly enslaved than those who falsely believe they are free. (Goethe)
Nik
Addict
Posts: 1017
Joined: Fri May 13, 2005 11:45 pm
Location: Germany

Post by Nik »

Well, no need to convert anything, I think. Then you can check against hex values though. It's difficult, I think, because you will need to simulate the processor and provide a link to the system...
Inf0Byt3
PureBasic Fanatic
Posts: 2236
Joined: Fri Dec 09, 2005 12:15 pm
Location: Elbonia

Post by Inf0Byt3 »

What about creating dangerous applications in C/PB, stripping the code part (not the headers) and then extracting rules from it?
None are more hopelessly enslaved than those who falsely believe they are free. (Goethe)
thefool
Always Here
Posts: 5875
Joined: Sat Aug 30, 2003 5:58 pm
Location: Denmark

Post by thefool »

Euh, I doubt this is the way to go. And you can't just create a dangerous app and strip the rules. There are COUNTLESS ways to do it!!!!

And you don't emulate the exes.

I just thought, perhaps you can find all the API commands it calls, and then have a point system or so. E.g. something which deletes and uses things to make itself self-modifiable and so on... But there is a risk that you can grab a totally "legal" exe.
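The "point system" over imported API names that thefool describes, sketched as an added example (not code from the thread or from PureAV); the API names, weights, combination bonuses and threshold are constructed for illustration, not a real ruleset, and the two import lists at the bottom are made up to show a benign installer staying under the threshold while an injector-like profile goes over it:

```python
# Added example: score an executable by the API names it imports.
# Weights, combos and threshold are constructed for illustration only.
from typing import Iterable, List, Tuple

# Single-API weights: each distinct API present adds its points once.
API_WEIGHTS = {
    "WriteProcessMemory": 3,
    "CreateRemoteThread": 3,
    "VirtualAllocEx": 2,
    "SetWindowsHookEx": 2,
    "URLDownloadToFile": 2,
    "WinExec": 1,
    "DeleteFile": 1,
    "RegSetValueEx": 1,
}

# Combinations that mean far more together than apart; a bonus is added once
# when the whole set is present. This is what keeps a plain installer (which
# may delete files and write registry keys) from tripping the threshold.
COMBO_BONUS = [
    ({"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}, 5),
    ({"URLDownloadToFile", "WinExec"}, 3),
]

THRESHOLD = 6  # flag at or above this; chosen so single benign hits stay below


def normalize(name: str) -> str:
    """Fold the ANSI/Unicode variants (CreateFileA / CreateFileW) onto one name."""
    if len(name) > 1 and name[-1] in "AW" and name[-2].islower():
        return name[:-1]
    return name


def score_imports(imports: Iterable[str]) -> Tuple[int, List[str]]:
    """Return (score, reasons) for the imported API names of one executable."""
    seen = {normalize(n) for n in imports}
    score, reasons = 0, []
    for api in sorted(seen):
        if api in API_WEIGHTS:
            score += API_WEIGHTS[api]
            reasons.append(f"+{API_WEIGHTS[api]} {api}")
    for combo, bonus in COMBO_BONUS:
        if combo <= seen:
            score += bonus
            reasons.append(f"+{bonus} combo {'+'.join(sorted(combo))}")
    return score, reasons


def is_suspicious(imports: Iterable[str]) -> bool:
    return score_imports(imports)[0] >= THRESHOLD


# Constructed import lists: a typical installer vs an injector-like profile.
INSTALLER = ["CreateFileW", "WriteFile", "RegSetValueExW", "DeleteFileW", "MessageBoxW"]
INJECTOR = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]
```

The reasons list is what you would surface to a user or log so a false hit can be explained and the weights re-tuned.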
Inf0Byt3
PureBasic Fanatic
Posts: 2236
Joined: Fri Dec 09, 2005 12:15 pm
Location: Elbonia

Post by Inf0Byt3 »

Thought about this version too, but as you said, there's a huge risk of having false positives. I will add this as a rule too, but with a smaller impact on detection statistics. I found some papers, and an emulator is too hard to build and slow for an AV. There is another method though, static heuristics, using a database with different code parts.
None are more hopelessly enslaved than those who falsely believe they are free. (Goethe)
josku_x
Addict
Posts: 997
Joined: Sat Sep 24, 2005 2:08 pm

Post by josku_x »

If it's for your AV, you might want to look at the memory for illegal instructions or so...
traumatic
PureBasic Expert
Posts: 1661
Joined: Sun Apr 27, 2003 4:41 pm
Location: Germany

Re: Emulation basics...

Post by traumatic »

PE?

...and I thought you left Windows for good...

Welcome back!
Good programmers don't comment their code. It was hard to write, should be hard to read.
Fred
Administrator
Posts: 18351
Joined: Fri May 17, 2002 4:39 pm
Location: France

Re: Emulation basics...

Post by Fred »

traumatic wrote: PE?

...and I thought you left Windows for good...

Welcome back!
:lol:
Inf0Byt3
PureBasic Fanatic
Posts: 2236
Joined: Fri Dec 09, 2005 12:15 pm
Location: Elbonia

Post by Inf0Byt3 »

Nonono, don't get me wrong! I am on Linux, I don't have Win installed... If I said I quit using it, believe me I'm not getting back to it :wink:. I want to do heuristics for PE because there are no viruses for ELF exes (in fact there are only 13 as I can remember). So I will continue developing it on Linux.
None are more hopelessly enslaved than those who falsely believe they are free. (Goethe)