

When roaming around the techies' forums, I often see some people (many of them not very experienced) asking "How do I make an antivirus?", sometimes with not very suitable languages (bat, PHP, …) and having a wrong idea of what an antivirus is and how it should be built. I've also seen many "antivirus softwares" made by kiddies: a very few still-at-school people and about 4 hours per day of coding over several weeks. I'm not saying kiddies are not skilled, but I am saying that building an antivirus engine needs either a lot of skilled people working full time plus a lot of time to release decent software, or a lot of money to pay them 🙂 (in case they are not volunteers). So, I'll cover here the guidelines for basic antivirus coding, for Windows and in C/C++. One can find here the pointers to design an antivirus engine, or simply learn how most of them are built. For a good protection, an antivirus must have at least one driver, to be able to run code in the kernel and, above all, have access to kernel APIs.

Starting with Vista, Microsoft understood that the antivirus industry needed keys to enter the kernel and activate filters in strategic places, such as the file system, the registry and the network. Don't be stunned if building an antivirus for pre-Vista systems is a real pain, because those systems were not designed for this. On pre-Vista systems, antivirus companies used rootkit-like features to guard the doors (even if it was not recommended at all by Microsoft) and be able to protect your system. They used what we call "hooks" (API detours for filtering purposes). On Vista+, Microsoft provided APIs to insert our low-level driver between userland calls and kernel APIs. That way, it's easy to register an antivirus product into the kernel. Moreover, that kind of registration-based system allows us to split system security into layers, where several products with different aims can cohabit. This was not the case with hooks, as the implementation was totally product dependent.

NOTE: I will not cover the workarounds with hooks for pre-Vista systems, because they are easy to find on the internet, and because it would need a whole chapter to explain how to hook, where to hook and so on… But you have to know it's the same idea as the kernel APIs, except that you have to implement yourself what Microsoft provides on Vista+ systems.

To learn about coding drivers, you can check these useful links:

To learn about hooks, you can check this basic example:

The first thing to protect the user from is the launching of malicious processes. The antivirus should register a PsSetCreateProcessNotifyRoutineEx callback.
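As an added example (not the article's own code), here is the skeleton of such a driver: the process-creation callback registered with PsSetCreateProcessNotifyRoutineEx, which denies a launch by setting CreationStatus. The decision itself lives in a plain C function (the hypothetical AvShouldBlockImage, matching the image file name against a constructed deny-list) so it can be tested outside the kernel; the part under _KERNEL_MODE needs the WDK, and the driver must be linked with /INTEGRITYCHECK for the registration to succeed.

```c
#include <stddef.h>
#include <wchar.h>

/* Constructed deny-list for the demo: image file names the callback refuses to
 * start. A real engine would ask its scanner here instead of a static table. */
static const wchar_t *const g_BlockedImages[] = {
    L"evil-sample.exe",       /* constructed name */
    L"malware-dropper.exe",   /* constructed name */
};

/* Case-insensitive compare of a counted name against a NUL-terminated one. */
static int ImageNameEquals(const wchar_t *a, size_t len, const wchar_t *b) {
    for (size_t i = 0; i < len; i++) {
        wchar_t ca = a[i], cb = b[i];
        if (ca >= L'A' && ca <= L'Z') ca += L'a' - L'A';
        if (cb >= L'A' && cb <= L'Z') cb += L'a' - L'A';
        if (cb == 0 || ca != cb) return 0;
    }
    return b[len] == 0;
}

/* Policy decision (hypothetical name): the path arrives as a counted, not NUL-terminated,
 * buffer like PS_CREATE_NOTIFY_INFO.ImageFileName; only its last component is compared. */
int AvShouldBlockImage(const wchar_t *path, size_t pathLen) {
    size_t start = pathLen;
    while (start > 0 && path[start - 1] != L'\\' && path[start - 1] != L'/') start--;
    for (size_t i = 0; i < sizeof g_BlockedImages / sizeof g_BlockedImages[0]; i++)
        if (ImageNameEquals(path + start, pathLen - start, g_BlockedImages[i])) return 1;
    return 0; /* 1 = deny the launch, 0 = let it run */
}

#ifdef _KERNEL_MODE /* WDK only: the callback and its (un)registration. */
#include <ntddk.h>
static void AvProcessNotify(PEPROCESS Process, HANDLE Pid, PPS_CREATE_NOTIFY_INFO Info) {
    UNREFERENCED_PARAMETER(Process); UNREFERENCED_PARAMETER(Pid);
    if (Info == NULL || Info->ImageFileName == NULL) return; /* process exit, or no image */
    if (AvShouldBlockImage(Info->ImageFileName->Buffer, Info->ImageFileName->Length / sizeof(WCHAR)))
        Info->CreationStatus = STATUS_ACCESS_DENIED; /* CreateProcess fails for the caller */
}
static void AvUnload(PDRIVER_OBJECT DriverObject) {
    UNREFERENCED_PARAMETER(DriverObject);
    PsSetCreateProcessNotifyRoutineEx(AvProcessNotify, TRUE); /* TRUE = remove the callback */
}
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) {
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = AvUnload;
    return PsSetCreateProcessNotifyRoutineEx(AvProcessNotify, FALSE); /* FALSE = register */
}
#endif
```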
