Did you understand the replies you received? Analyzing arbitrary code for arbitrary malice is not NP-hard - that would be too easy - but provably undoable.
The product you cite is clearly using some heuristic to determine what might be malicious - which is not close to the same as what you are asking. The development of such heuristics is a topic 'beyond the scope of this course' if you know what I mean.
Sent from Surface Pro
From: xxxxx@hotmail.com
Sent: Sunday, October 12, 2014 8:14 PM
To: Windows System Software Devs Interest List
Hello,
What's the purpose of such systems? To find whether it's malware?
Writing a program to detect whether an arbitrary program contains malware is equivalent to solving the halting problem.
Not necessarily; it's commonly used for this purpose.
Guys, a system that does exactly what I mean is: http://www.joesecurity.org/
If you try the service, you'll note it shows the disassembly of each function executed; it also shows non-executed functions.
So I have been thinking for days how this system actually works, I even tried to hook at KTHREAD.TrapFrame… anyway, I don’t think it uses hooks.
So I cannot imagine how it works; I guess they implemented a very heavy emulator, similar to dirtbox… I don't know. What do you guys think?
I know it may be an advanced issue; well, I am pretty sure I am not a beginner, so please, I would like to know all your opinions. Thanks.
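The halting-problem point made in this thread (a total, always-correct malware detector cannot exist, while heuristics can still be right on ordinary samples) is shown concretely below with Fred Cohen's diagonalization argument. This is an added example, not code from the thread or from Joe Security; programs are modelled as Python callables, and "malicious" is modelled as calling a constructed marker `do_harm()`, so all names are made up for the demo.

```python
# Added example: toy Cohen-style diagonalization. Assume some deterministic,
# total detector(program) -> bool exists; build a program that asks the
# detector about itself and does the opposite. The detector is then wrong on
# that program, even though it may classify ordinary samples correctly.
# do_harm(), HARM_LOG and all detectors are constructed for this demo.

HARM_LOG = []

def do_harm():
    """Constructed stand-in for whatever behaviour a detector must flag."""
    HARM_LOG.append("harm")

def run(program):
    """Execute a toy program and report whether it really did harm."""
    HARM_LOG.clear()
    program()
    return bool(HARM_LOG)

def static_heuristic(program):
    """Heuristic detector: flag any code that references do_harm."""
    return "do_harm" in program.__code__.co_names

def always_benign(program):
    """Degenerate detector that never flags anything."""
    return False

def plain_bad():
    """Ordinary sample: harms unconditionally; the heuristic gets it right."""
    do_harm()

def make_contrarian(detector):
    """Program that asks the detector about itself and does the opposite.

    Verdict 'malicious' -> it stays benign; verdict 'benign' -> it does harm.
    A detector that executes the sample instead would recurse forever here,
    which is the halting-problem flavour of the same obstacle.
    """
    def contrarian():
        if not detector(contrarian):
            do_harm()
    return contrarian

def detector_refuted(detector):
    """True when the detector's verdict on its own contrarian is wrong."""
    p = make_contrarian(detector)
    return detector(p) != run(p)
```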
NTDEV is sponsored by OSR
Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev