Windows PE file and Malware scanners.

A lot of malware these days is based on the Windows PE file format. You probably know it as the executable (.exe) file.


One of the questions I get repeatedly is: how can I be 100% sure an exe file is not malware?

The sad answer is that you cannot be 100% sure an exe file is not malicious (malware).

Why?

If it is a new type of malware, there is a chance that an antivirus will not recognize it as malware.

With that said, let's continue.

Disclaimer:

The information you see here is not aimed at making you an antivirus programmer, nor at creating an antivirus. The information is just the author's thoughts and is provided as is, without warranties.

Methods to scan a Windows PE file:

If you have a specific file and you want to check it for viruses, you can use the following methods:

  1. Use an online multi-antivirus scanner, like VirusTotal, to upload the file and see the results it gives you.
  2. Use an antivirus, which you should have installed on your PC.
  3. Use an anti-malware tool, which I also recommend you have installed on your PC.
  4. Make sure the real-time protection of the antivirus is on (when it is on, newly created files are automatically scanned for malware – before you access or open them).
  5. There are some tools you can download and run on the file without installation – a good one is avz4, a free antivirus.

Windows PE files programmatically (WinAPI):

If you want to look at a Windows PE file programmatically, you can use WinAPI functions to open the exe file.

Once the file is open, you can load it with the MapAndLoad function and receive information based on the PE structures.

You need to be familiar with the Windows Portable Executable (PE) file format.

In C++ you can look at the following:

Structures to start with:

  • IMAGE_DOS_HEADER
  • IMAGE_FILE_HEADER
  • IMAGE_OPTIONAL_HEADER
  • IMAGE_NT_HEADERS
  • IMAGE_SECTION_HEADER
  • LOADED_IMAGE

API Function to start with:

  • CreateFile(…)
  • CreateFileMapping(…)
  • MapViewOfFile(…)
  • MapAndLoad(…)

There is also the pefile module for Python that you can use to open exe files programmatically.

Malware scanner:

If you are thinking of creating an antivirus, please take a look at the following:

Be aware that developing a scanner is possible, but maintaining a database with a signature for each variant is not simple.

To know programmatically whether a file is a virus or not, you need a malware signature, and that is another very long topic: where to find one, and how to turn it into a signature – a good signature.

In general, there are several scanning methods:

  1. Signature – You have a list of signatures that you compare the exe file against. For example, you can use a hash algorithm (like MD5) and then compare the file's hash with the signature database (full-file MD5, per-section MD5 and so on) (the old way).
  2. Classification – Most malware contains common code; classification searches inside the file for a shared signature (like a list of hex bytes that a certain virus uses) and marks it as malware based on that. This is why there are so many variants of common viruses (they reuse the same code for downloading files from the web, the same code to exploit known vulnerabilities, and so on).
  3. Heuristic – Take a list of what is common among malware: the file is packed, contains API functions commonly used by malware, has functions at the same memory offset or address, is not an exe file but contains a PE section inside it, contains an Alternate Data Stream, and so on. You give a score to each of these, and if the score the file gets is higher than some threshold it can be flagged as malware. This needs tuning because of false positives.
  4. Behavior – Open and run the file in a restricted environment to check what it does, and flag it as malware if it does things that malware does.
  5. Artificial Intelligence (AI) or Machine Learning (ML) – There are machine learning algorithms in use for classifying malware (since there are lots of malware samples we can feed the algorithm, telling it whether each sample is malware or not; it can then scan a file to determine whether it is malware).
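The following is an added example, not code from the original article or from any antivirus product. It puts two parts of this post into working Python: a minimal parser for the structures listed in the WinAPI section above (IMAGE_DOS_HEADER, IMAGE_FILE_HEADER, the optional header Magic and IMAGE_SECTION_HEADER, read with the struct module in the same layout the Windows headers define), followed by the signature and heuristic scanning methods from the list just given. The signature step hashes the whole file and then each section with MD5, so a variant that changes only its .data section is still caught by the section hash; the heuristic step scores packed-looking entropy, writable-plus-executable sections and unusual section names. Everything it scans is constructed in memory: the three sample PE images, the signature database entry named Constructed.Test.A, the rule weights and the threshold of 4 are assumptions for the demonstration, not values from the article.

```python
"""Added example, not the page's or any vendor's code: a minimal parser for the PE structures
listed above (IMAGE_DOS_HEADER, IMAGE_FILE_HEADER, the optional header Magic, IMAGE_SECTION_HEADER)
plus two scanning methods from the list: signatures (full-file and per-section MD5) and a heuristic
score. Standard library only; the PE images it scans are constructed in memory, not read from disk."""
import hashlib
import math
import struct

IMAGE_DOS_SIGNATURE, IMAGE_NT_SIGNATURE = b"MZ", b"PE\0\0"
IMAGE_FILE_MACHINE_I386, IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x14C, 0x10B
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
DOS_HEADER_SIZE, FILE_HEADER_SIZE, SECTION_HEADER_SIZE, FILE_ALIGNMENT = 64, 20, 40, 0x200
USUAL_SECTION_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".rsrc", ".reloc", ".tls"}
HEURISTIC_THRESHOLD = 4  # assumed tuning value; raise it if legitimate packed programs trip it


def parse_pe(data):
    """Walk IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS -> IMAGE_SECTION_HEADER[] in a byte string."""
    if len(data) < DOS_HEADER_SIZE or data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # IMAGE_DOS_HEADER.e_lfanew
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4  # IMAGE_FILE_HEADER follows the 4-byte signature
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + FILE_HEADER_SIZE  # IMAGE_OPTIONAL_HEADER; only its Magic is read here
    magic = struct.unpack_from("<H", data, opt)[0]
    sections = []
    for i in range(nsec):  # the section table directly follows the optional header
        off = opt + opt_size + i * SECTION_HEADER_SIZE
        name, vsize, _, rsize, rptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "virtual_size": vsize,
                         "characteristics": flags, "data": data[rptr:rptr + rsize]})
    return {"machine": machine, "magic": magic, "characteristics": chars, "sections": sections}


def build_pe(sections):
    """Constructed sample input: a minimal 32-bit PE image, sections given as (name, bytes, flags)."""
    opt = struct.pack("<H", IMAGE_NT_OPTIONAL_HDR32_MAGIC).ljust(224, b"\0")  # sizeof(IMAGE_OPTIONAL_HEADER32)
    hdr_end = DOS_HEADER_SIZE + 4 + FILE_HEADER_SIZE + len(opt) + SECTION_HEADER_SIZE * len(sections)
    raw_ptr = first_raw = -(-hdr_end // FILE_ALIGNMENT) * FILE_ALIGNMENT  # round up to FileAlignment
    dos = IMAGE_DOS_SIGNATURE.ljust(0x3C, b"\0") + struct.pack("<I", DOS_HEADER_SIZE)
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(sections), 0, 0, 0, len(opt), 0x0102)
    headers, bodies, vaddr = b"", b"", 0x1000
    for name, data, flags in sections:
        rsize = -(-len(data) // FILE_ALIGNMENT) * FILE_ALIGNMENT
        headers += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), vaddr, rsize, raw_ptr, 0, 0, 0, 0, flags)
        bodies += data.ljust(rsize, b"\0")
        raw_ptr, vaddr = raw_ptr + rsize, vaddr + 0x1000
    return (dos + IMAGE_NT_SIGNATURE + file_hdr + opt + headers).ljust(first_raw, b"\0") + bodies


# Constructed samples: a "known" packed file, a variant differing only in .data, and a benign file.
KNOWN_PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))  # 1024 high-entropy bytes
RW, RX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE
SAMPLE_KNOWN = build_pe([("UPX0", KNOWN_PAYLOAD, RW | RX), (".data", b"config v1", RW)])
SAMPLE_VARIANT = build_pe([("UPX0", KNOWN_PAYLOAD, RW | RX), (".data", b"config v2", RW)])
SAMPLE_BENIGN = build_pe([(".text", b"\x90" * 200 + b"\xc3", RX), (".data", b"hello", RW)])
SIGNATURE_DB = {  # constructed: the full-file hash catches only the exact sample, the section hash its variants
    "file": {hashlib.md5(SAMPLE_KNOWN).hexdigest(): "Constructed.Test.A"},
    "section": {hashlib.md5(KNOWN_PAYLOAD).hexdigest(): "Constructed.Test.A"},
}
HEURISTIC_RULES = [  # (points, test on one parsed section, reason); weights are assumed
    (3, lambda s: entropy(s["data"]) > 7.0, "high entropy, probably packed"),
    (2, lambda s: s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE,
     "writable and executable"),
    (1, lambda s: s["name"] not in USUAL_SECTION_NAMES, "unusual section name"),
]


def entropy(buf):
    """Shannon entropy in bits per byte; values near 8.0 indicate compressed or encrypted data."""
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c) if buf else 0.0


def scan(data):
    """Signature lookup (full file, then per section) followed by heuristic scoring."""
    pe = parse_pe(data)
    result = {"signature": None, "match_type": None, "heuristic_score": 0, "reasons": []}
    file_hash = hashlib.md5(data).hexdigest()
    if file_hash in SIGNATURE_DB["file"]:
        result.update(signature=SIGNATURE_DB["file"][file_hash], match_type="file")
    else:
        for s in pe["sections"]:
            sig = SIGNATURE_DB["section"].get(hashlib.md5(s["data"]).hexdigest())
            if sig:
                result.update(signature=sig, match_type="section")
                break
    for s in pe["sections"]:
        for points, test, why in HEURISTIC_RULES:
            if test(s):
                result["heuristic_score"] += points
                result["reasons"].append(f'{s["name"]}: {why}')
    result["verdict"] = ("malware" if result["signature"] else
                         "suspicious" if result["heuristic_score"] >= HEURISTIC_THRESHOLD else "clean")
    return result


if __name__ == "__main__":
    for label, image in (("known", SAMPLE_KNOWN), ("variant", SAMPLE_VARIANT), ("benign", SAMPLE_BENIGN)):
        print(label, scan(image))
```

Running the file prints one result per sample: the known sample matches on its full-file hash, the variant matches only on the hash of its UPX0 section, and the benign file scores 0. The heuristic reports the score and the reasons rather than a bare verdict, which is what you need when tuning the threshold against false positives. A real scanner would read the whole optional header (entry point, data directories) and walk the import table for the API-based checks the list mentions.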

You can create a PE file parser, and you should if you want to learn how executable files work internally on Windows. Here we talk about scanning methods only. A malware scanner will need much more; here is a starting list of what you need.

What a full malware scanner needs – a starting list:

  • Malware signature database.
  • Database updater.
  • Scanner that can scan files, processes, services, registry keys, memory and other Windows objects.
  • Malware remover module that is able to delete the malware and everything it leaves behind.
  • Real-time protection that hooks some functions to catch newly created files.
  • Real-time web protector to verify that the sites you visit do not contain malicious code.
  • Driver to scan and guard at the low level of the system – the kernel.

As you can see, it is possible to create one, and if you ever wanted to, go and do it, even if it is just for practice and not as a real tool. You will learn a lot about the operating system and low-level APIs, and face some great programming challenges.

See you in another article, thanks for reading.
