PC: SVDL antivirus

The Step Virus Detect Language is a language for detecting viruses using the virus's own instructions.

Look at this (invented) example of a virus that checks whether it has already infected a file:

@@SearchForAlreadyInfected:
                    MOV  AX,[0102h]
                    MOV  BX,[0104h]
                    ADD  AX,BX
                    CMP  AX,'#$'
                    JE   @@FileAlreadyInfected
@@FileNotInfected:
The virus adds two memory locations and checks whether the sum equals the characters '#$'. The two memory locations hold the contents of the file at given positions, for example 02h and 04h, which the virus read at an earlier point.

So if I want to find that virus with a scanner, I must insert a pattern such as the opcodes of the previous instructions, or I can use this virus-based code:

@@SearchForVirusPippo:
                   MOV  AX,Buffer[02h]
                   MOV  BX,Buffer[04h]
                   ADD  AX,BX
                   CMP  AX,'#$'
                   JE   @@FileInfectedByVirusPippo
@@SearchForVirusPluto:
Where Buffer is a buffer that contains the initial portion of the file being tested.

An antivirus that uses this algorithmic, virus-based technique will have this structure:

  1. Open a file to test
  2. Read the significant portion of the file under test into a buffer (the portion must include the start and the end of the file)
  3. Enter a sequence of virus-based instructions like those in the previous examples
  4. If a virus is found, report it
  5. Else go to step 1 with another file
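As an added illustration (not code from the original page or from the author's SVDL), here is the five-step structure above in Python, with the Pippo check from the previous example mirrored over a buffer holding the head and tail of the file. The marker word value (MASM/TASM encode '#$' with '#' in the high byte), the buffer sizes and the sample files are assumptions of this example.

```python
import struct
from pathlib import Path

# Pippo (the page's invented virus) checks whether the 16-bit words at file
# offsets 02h and 04h add up to the word '#$'. Assumption: the assembler puts
# the first character in the high byte, so the immediate is 0x2324.
PIPPO_MARKER = int.from_bytes(b"#$", "big")

HEAD_LEN = 512   # assumed size of the file start kept in the buffer
TAIL_LEN = 512   # assumed size of the file end kept in the buffer


def word_at(buf, offset):
    """Little-endian 16-bit load, as MOV AX,Buffer[offset] does on x86."""
    return struct.unpack_from("<H", buf, offset)[0]


def check_pippo(buf):
    """Mirror of @@SearchForVirusPippo: (word[02h] + word[04h]) == '#$'.
    The & 0xFFFF reproduces the 16-bit wraparound of ADD AX,BX."""
    if len(buf) < 6:
        return False
    return (word_at(buf, 0x02) + word_at(buf, 0x04)) & 0xFFFF == PIPPO_MARKER


# Table of virus-based checks. Adding a virus means adding an entry here and
# recompiling, which is the drawback the page discusses.
CHECKS = {"Pippo": check_pippo}


def load_buffer(data):
    """Step 2: keep only the start and the end of the file."""
    if len(data) <= HEAD_LEN + TAIL_LEN:
        return data
    return data[:HEAD_LEN] + data[-TAIL_LEN:]


def scan(data):
    """Steps 3-4: run every virus-based check and name the viruses found."""
    buf = load_buffer(data)
    return [name for name, check in CHECKS.items() if check(buf)]


def scan_files(paths):
    """Steps 1 and 5: open each file in turn and scan it."""
    return {str(p): scan(Path(p).read_bytes()) for p in paths}


# Constructed sample headers (not real malware). In INFECTED the two words
# sum to 0x12325 - 1 = 0x2324 after 16-bit wraparound; CLEAN does not match.
INFECTED = b"MZ" + struct.pack("<HH", 0xFFFF, 0x2325) + b"\x00" * 1500
CLEAN = b"MZ" + struct.pack("<HH", 0x0010, 0x0020) + b"\x00" * 1500
```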
The first thing to say is that if a program "scanned" by this antivirus is reported as not infected, it is really not infected by the viruses the antivirus scans for; but if the file is reported as infected by virus XX, there is a possibility that the file is not actually infected (and so it will never be infected by that virus).
This possibility is very small if the virus uses a sophisticated detection technique, but may be higher if the virus uses a simple technique.

However, this kind of antivirus has one good point and one bad point: the good one is that it is very fast, because it uses machine language to find the virus, just like the virus does; the bad one is that if a new virus is added, the program must be recompiled. Well, we can think of other solutions, like dynamic calls to external procedures contained in a virus database (updated with new viruses), but this means that we must use more machine code (e.g. the MOV AX,Buffer[02h] may become more complicated because Buffer is now external to this procedure).
The other solution is mine: use a new low-level language and an interpreter to execute the bytecode generated by compiling the language.

PC - Tognon Stefano programs