Minifilter driver with sigma_function for malware behaviour similarities

Hi all. I wrote a minifilter driver. But now I have a problem. I was reading a nice article about malware analysis (Malware Behaviour Analysis), and there is an interesting function called the sigma function. This function looks for matching (and non-matching) code sequences in the malware's function calls. My problem is: where, in a minifilter, do I have to implement this function?
(And why did the WDK example scanner.c not use one of these tactics?)

None of the anti-virus engines that I know of scan a file in kernel mode.
They all have a user mode component (a service) that scans the file. This is
how the WDK Scanner sample also does it (well, except for the service part).

When you say "why did the WDK example scanner.c not use one of these tactics",
what exactly are you referring to? Scanning in kernel mode?

In general you want the amount of code running in the kernel to be as little
as possible. Also, from an anti-virus engine developer perspective you are
quite limited in what you can do in the kernel (can’t use almost any
existing user mode libraries or dlls, can’t use funky languages (.NET) and
so on). In my opinion writing a complete AV scanner engine (something
comparable with a real antivirus and not some one-off tool) that runs in the
kernel would be like writing some financial application in assembly
language.

Thanks,
Alex.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@yahoo.it
Sent: Thursday, August 18, 2011 1:49 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Minifilter driver with sigma_function for malware behaviour
similarities




First of all, thanks for your reply Alex. OK, I used the wrong words, sorry for that. I saw the user-mode part of the scanner, and I know that in AV software this part is quite essential.

Let me ask it in other words: what does the kernel part of this software (that is, the minifilter) need to do, if I'm going to use the sigma function in the user-mode part? Do I have to intercept function calls, maybe? How?

Thanks