NickyBlue
October 13th, 2012, 03:55
Hi Aimless,
Nice of you to provide such a descriptive response; at least it clears up the communication mix-up that was happening. You understand my point. I mean, I am not a native English speaker, so this is a bit tricky for me. I have to construct sentences in my mind before I say them. You understand what I am saying... It's a different thing in our native language. So forgive my literal errors. And about the word "recruitment"... you know, that's why I deleted it; later it started looking like that to me as well. First, let me tell you: I am not from some company, here to recruit somebody. Actually I just wanted to say the things I think would be necessary to build such a thing. But due to my English it is not as easy for me as for you to communicate effectively about that. Sometimes... you know...
And secondly, it's purely a hobby, or some kind of open-source project that I am thinking of, not commercial. I might not even be there after I complete my part, or because of some other unforeseen personal circumstances. And you are right about Symantec's and other antivirus products' inability to detect all, or the unknown, viruses. Only my experience is rather of the worst kind. To the extent that it really makes me wonder sometimes whether they are really doing any heuristics at all within their implementation, or whether it's all hype and no meat.
Let me tell you a real example from my own experience. I might not be formally computer-educated like some of you, but I have been using computers for the last 15 years or so. So I have seen and heard everything they talk about during all this time, but never found valid proof which supports their claims. My machine has always been just as vulnerable, or gotten just as easily infected, no matter what product I used. Wherever I go... I mean, there's a cyber cafe near my residence that is always equipped with an up-to-date online virus scanner. But whenever I go there, something is shipped back to my system through a USB stick. And to make things more horrible, what I found is that the things which were able to bypass their antivirus protection, or mine, were just crap. I mean simple infectors. I have those samples somewhere on my computer, not all of them but a few recent additions. My previous hard drive crashed hard. The latest one was some cheap shit W32.Sality, but that's understandable, it was some typical infector, if not that stealthy. But before that it was... what's its name, let me check... I have that thing here with me... yeah, Slug-in.A. That's one piece of primitive shit to remove. But to make things worse, I couldn't find a cure for it on the whole net at that time, or anywhere. Even the cure I downloaded from AVG or anyone else turned out not to work. So in the end I had to write my own little program to remove it from my system. And you can guess my problem: I am not even a programmer. Since all my things and installers are on my hard drive, they were already infected. I couldn't lose them. CDs/DVDs are not so reliable here. Overall, what I am saying is, if they have implemented something like what they say, how could such a primitive infector bypass them? Or am I supposed to think I am some sort of criminal in this world, so this whole world is conniving against me, and those state-of-the-art products are providing such privilege to worthless malicious code only on my system? Am I supposed to think that?
I think that's a very pathetic or funny concept in itself, to think along that line, whichever way you see it. Okay, tell me, you guys have been working professionally on these things, so you must have much wider experience than me. I mean, I just know the few which infiltrated or have been injected into my system by some mischievous people. But have you ever encountered... anybody of you... that some antivirus product has detected some new malware? Totally new, I mean? Except false alarms for various packers. I mean, I never had that experience, but rather the contrary.
And the thing is, most of you guys work in that field, so you must know the difficulty of that thing. If I have to check my system for such things, I am afraid to say that IDA Pro and whatever else... I don't want to say anything about that. I mean, it's really a mess working with them. Better that I reinstall Windows. It might not be a problem for you guys, you have been working with them since your college days and you are always into it because it's your profession, but for a person like me... WOW! I don't think so. I need something more effective and easier to handle. My problem is more severe: I really suspect (or rather, "suspect" is a foolish word now) that there are some folks, very well-reputed folks within my circle, who are intentionally and unnecessarily creating problems on my system. And such intentional infiltration by somebody who is not supposed to do it in the first place (use your goodness) is some sort of typical or metaphysical concept in itself to deal with, or in plain words a real, real nuisance. You said you should know how some malware can come into your machine. I'll tell you just a small part of it, and how much of a nuisance it can be to handle even that side of things with IDA Pro or your OllyDbg. Since nowadays the OS itself is bloated, and memory constraints are not there like in the old DOS days, if I had to write a virus I wouldn't be infecting at the entry point. Better to use the export/import table or the relocation table as a guide to get such pointers, or just decode the program to find a suitable point in between; moreover I could do it in a staggered way, spreading the whole virus body among various calls across the whole program. And if it were a 30 MB file (not so rare nowadays), it would take a hell of a lifetime of yours to statically analyze that file in any current tool available, be it IDA Pro or OllyDbg or whatever other disassembler or decompiler you have out there.
And if you go for runtime analysis, you open yourself up to a hell of a lot of new problems... what you guys call anti-debugging or VM-related issues, or whatever sensitivity/awareness thing. You are just hitting the black box, hoping that something might come to you by negligence or magic so you can trap it. The problem will be more severe if it's already installed in the system. You all have been doing all these things, so you know about the messiness or difficulty of the problem. I would rather kick the computer out of my life.
So what I want to say is that I have been in this shit for long, confronting lots of problems, troubleshooting my home system. And I have some inherent love for the computer or the processor. That's why I read the Intel manual out of curiosity. I mean, I am not a computer professional, why should I be interested in all that? But I do read them (SOME, some) like you read a novel. The computer is a sort of hobby for me, a liking, not my profession. So I thought: lots of folks are doing open source this and that, so let's start something, a hobby project, nothing serious. I have an idea of building a code analyzer, a sort of virtual machine, not in the line of Symantec please, but a real virtual-machine kind of logic which can analyze the whole executable in a logical way, like it is supposed to be executed within a real system. But we don't run the actual virus code; we calculate its results (instruction execution). We don't monitor things, we interpret things as if they were there.
Such as decryption/encryption or packer/unpacker: we create logic which interprets the thing like you do when you are watching it in a debugger. It doesn't run the routine under some VM. It must also have the ability to step the whole decryption or unpacking or packing. Not some black-box approach. If you use a black-box approach you are bound to fail occasionally. Yeah, sometimes... or we provide options to speed the thing up. Like the decryption routine there is. We first break it into individual loops. Then the analyzing code should be able to tell both its bounds, or detect if this loop is going to create a problem if run in single steps (I mean run). Like the anti-debugging tricks you encounter in your daily life. Not all anti-debugging tricks, because a lot of them cease to exist in this mode. But something like a loop overwriting itself in between its execution could create a problem. So your analyzer has to be that smart if it has to do it the fast way, otherwise go the more reliable, slower way. You guys are always facing those things, so I came here to collect the various kinds of problems that could be anticipated. That's why I started it as a question... I think I started too early.

But yes, we could be specific about those things, like unpacking or decryption. Or the decoder/encoder database... like usually you keep the instruction format to aid in disassembling the instruction. But to have a better analysis we must have a few more fields, i.e. an instruction template or simulation routines for some system instructions, an exception list and logic (it can be built directly from the Intel manual, actually, and lots of other things as well) etc., to simulate the real environment as far as possible. And a good structured analysis database to store intermediate results, and it should be designed such that we don't miss a single piece of information about its running condition. And I think it's achievable, from the extreme where you need a hell of a lot of hard drive space, to a comfortable level where you need just a few times the file size. Something like this... And you have to analyze things in a logical way. For example, you just can't start disassembling from the entry point. There are various entry points present within the header which can be executed first, like one of your TLS codes. You know all these things far better; that's where you would be helping me,

because you're already doing it, if manually. All I want to say is to decode in a logical way, like always push the next instruction onto a temp stack and follow the call. Hit the error condition, follow the processor logic. Exception handler, whatever... That way lots of problems can be handled automatically without much fuss. And the decoding will be very true. There are some finer aspects, but those you'll be patching or taking care of as they come. Simple!

I had some previous work which, unfortunately or whatever, I lost in my hard drive crash a few months ago. Actually it wasn't a runnable project, something of pseudocode style, or actually C code but lacking some outer constructs. Actually I had built all the necessary header files, data structures, and the processor database (almost completed that) but lost it. And moreover I have forgotten most of it now... smile... Actually it's a mode you are working in at that time; your mind thinks or breathes that frequency. But if you leave the computer for a few months or a year, then it takes time to recollect. So I am going to start it again, or have already started at a slow pace, so most probably I'll be getting up in a few... you know... Yeah, the first thing I am going to do is compile the instruction database, but since it takes undivided attention for a full one or two weeks (now probably two) to delve that deep into the Intel or AMD manual, especially for a guy like me, I am putting it off for some time. This time I am just recollecting, or building my mind again about the whole concept.
And again, since I lack some formal computer knowledge... like I reported in the 2nd post about header files. I wrote that because I am not comfortable with typical compiler directives, because I never used them; no need came up. And if I have to do it by myself I would really have to dig deep into their manuals, which is certainly not that easy a task for me... it will cost time. And with parsing headers I mean I am not just interested in equates here, that this = this... you know, I need, or I think, that whatever is there in the header files, including compiler pre-processor directives... I think our objective is to encode most of the logic into the database. I mean, it more or less looks like a compiler parser has parsed it into memory. But I think that kind of knowledge is needed to make the analytical engine more reliable and effective. I am not thinking about creating some decompiler or disassembler or debugger, or another virtual-machine software like your Symantec people talk about, but a simple code analyzer which can interpret or analyze the whole logic there is within the program. So the escaping concept is not valid in our context. But the fact is, if you have to create such a so-called simple analyzer, you'll have to include all of these tools' qualities in one place, plus some more. That's one of the difficult things about it. It's going to be some huge coding to cover all those aspects. Some very typical routines to be coded, but that's where the fun or challenge in it is. That's why I am trying it. That's the fun of having a hobby like this.
Last of all, it's just a hobby project. If it completes, good! It's going to help me! If not, then I am not putting in a voucher against anybody for my wasted time. So you see how I have been doing it: whenever I get time or the mood, I just think about it, open my Visual IDE, just put in some more code or pseudo-logic; otherwise I just forget about that thing. I mean, it's not my necessity, I am not going to start up something with that product. I am not going to set up some lab like some of you guys here. All I need such a thing for is my personal use sometimes. Actually, let me tell you, Mr. Aimless: I don't have that much of a macro or VB script problem, because basically I don't use Microsoft Word, Excel or anything. I use simple Uedit for my edits, or Acrobat, HTML. I mean these are the documents I usually use. The VB script thing is easily stoppable and recognizable. .Net: I don't have any such thing but Visual Studio itself. Other things I use are media players, some DAW, DJ software, I mean recreational software. So the basic problem is EXEs for me. Sorry to be so selfish. But you understand that. And why I said that is... I mean, can the basic logic be moved to... actually I know you are also right, they are different environments. But what I was talking about is that they are all programming languages. They have some basic control constructs. It's not about decoding instructions. It's about how to relate those instructions into a logic or entity. I can't find the exact word for it, but you get the idea.
Okay, let's complete it here... I mean... but let me ask you one simple question. We all talk about this polymorphism thing. I have seen them, from DIE-HARD 2 to One-Half... Dark Avenger... seen those codes. They have been on my system by the grace of the folks around me... haha. I mean, I never did a detailed study, just loaded them in a debugger or the Sourcer disassembler, famous at that time. And their decryption routines were so obvious once you fired them up in a debugger. They were all just garbage inserted everywhere within the code body to achieve polymorphism at that time. Which, if you think logically, if your analyzer had been built in a logical way, I mean a real virtual-machine kind of thing, the first time you encounter those faulty redundant opcodes you know there's something fishy about it. Compilers don't generate such redundant or unnecessary opcodes. The problem was that what you should have interpreted as instructions, you were interpreting like some string, even if a * pattern string. But my real question is: wouldn't it have been more appropriate to perfect our analyzer logic in the direction of detecting executable infection routines, rather than perfecting our other kinds of heuristic detection, whatever pattern or whatnot? Because if it's a file infector, less a trojan kind of thing, it has to have such an infection mechanism, which is its main inherent property rather than anything else. If you are checking whether it's a man or a woman, you have to be looking somewhere more appropriate, no? Second, why has there never been a mechanism built into the various virus monitoring programs from such reputed companies to inform the user if some executable is being appended to or modified? That won't create many false alarms in real-life systems, especially ones which aren't understandable. One knows when he's compiling or using such potential things, even if your monitor can't differentiate. Instead, complicated jargon, or the difficulty of detecting scan strings or heuristics, is propagated.
Why was a few-line solution in your monitoring programs sidelined in favor of a complex, un-understandable heuristic search thing to bog down the normal user's system? I mean, what's the logic in that kind of monitoring? Where you should be searching or reading or analyzing things (VM), you are talking about running the code, and where you are supposed to provide some simple hooks to trap such calls, you are searching for so-called millions of bogus strings. I mean, since you have been doing it that way in the VM, the problem which shouldn't be there becomes a major problem, and the same is the case here on this side of things. Had it been the other way around, 90% of the problems would simply cease to exist in the first place. I mean, this kind of thing seems illogical to me. There's a right way everything has to be done. For example: if you want to sneeze, what do you do? Bring your hand directly to your nose, right? You don't do it by going around the back of your head and grabbing it from a different direction, do you? Such a thing is bound to create problems, either for your nose or for your hand, isn't it? Either your nose is going to get twisted or your hand is going to get twisted, or possibly both of them will be. So what I'm saying is this kind of negligence has been going on since DOS days. We came all the way through Win 3.1 to Win 95/98 to XP, now Win 7. I don't know what the status of Win 7 is. I don't have that machine. I run Win XP SP3 on my home computer, which is a 2.8 GHz Intel machine. I mean, this kind of thing should have been implemented within the file system drivers of the OS itself, but they ignored it all the way, and our reputed antivirus companies as well never found it an attractive proposition. Instead they began talking about viruses in the millions, which were actually few at that time. Yeah, one more smart thing they do. Check any product: when they scan, they include the simple "txt" files or other invalid files in their scanned-object counter. Very good at that. That's one nice marketing strategy.
I mean, this is a hell of a way to take the literal meaning of "scan" too far, no?
Last of all, I am just asking you, or I asked you in the first place. It's not that I have some serious project, or that you should leave all your work to try to answer or discuss with me. It was more like, during your normal day-to-day work, if at any time you just drop one or two lines or some link telling me that this could be a problem, and how you would achieve that, I might try to explain from my side how I think that could be overcome. Just simple talking, nothing serious. And you always remind me of
disavower. I don't have any problem with him. I can understand his, what you call it... his, umm, way of saying things, style, no problem. But I sure find it offensive on the part of Mr. Woodman. I think you should take better care of things. You are the administrator here.
And if you are referring to the Hindi song lyric, it has nothing to do with anybody of you here. But I sure have to deal with lots of different worlds within the same world. You won't understand it, or if you do then you won't admit it, I know. So I don't think it's valid to discuss such things. But if you are dealing continuously with some kind of aspect, it is bound to affect your speech or behavior sometimes... locally, I mean. That's how we humans interpret things. We emulate the environment within ourselves. So for some time a local-coloring kind of thing remains. That's how you enjoy a movie, or understand what the man in front of you is trying to say. Nothing to be taken so seriously anyway.
Thank you.
Last-minute addition: Sorry, I forgot to cover one more point stated by Mr. Aimless in his post to me, about me heading the process. I never proposed that, or rather I never could, unless it's only me solely creating it in the first place. You understand the logic, Mr. Aimless? I know my limitations as a programmer. That's why I clearly stated many times that I am not formally computer-educated. I never did that much system debugging or exploration either, since it's not my profession and the tools available weren't to my liking. Had it been my profession, then even if I had to do it the machine-code way, in hex bytes, I would surely have done that. But since it's not, I didn't find it that much of an interesting thing.
All I said is that I can do the decoder/encoder part, plus the database, and some semantics specially hardwired to the decoder/encoder part. I can help prepare the base, like your IDA Pro has the IDA disassembler base. And a real good base, that much I can assure. But just that! That's why I said in the starting lines that I might not be here after completing my part, if it is given to me to perform. It's just a hobby that brought me here. I have some free time and an interest in such things. I know some basic Intel assembly, or C, C++ knowledge, not that complicated I mean. Simple fundamental knowledge, and I think that's enough for designing such logic. And if I get a problem I would be asking you to help me out, right? You can head it. You might be a permanent member here. So even if I am not here, the project would be run by you guys; it doesn't make any difference, right? Actually I myself am searching for a knowledgeable person to head it. I think that clarifies my position regarding that.
Note: Forgive me if there are still some errors left.
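The post above argues that an analyzer cannot simply start disassembling at the entry point because the PE header names other code the loader runs first (the TLS callbacks), and that a useful analyzer has to enumerate those before anything else. The following is an added example, written for this page and not code from NickyBlue's post or from any project discussed in the thread: it builds a small PE32 image in memory (a constructed sample with a made-up layout, not a real binary), then parses the headers the way a loader would to list the TLS callbacks ahead of AddressOfEntryPoint. Field offsets follow the published PE format; `build_sample_pe`, `parse_pe` and the hypothetical section layout are this example's own.

```python
# Added example (not from the forum post): enumerate the code the Windows
# loader runs *before* AddressOfEntryPoint by walking the PE TLS directory.
# The sample image is constructed in memory with a made-up layout and is
# only there to exercise the parser.
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9
MAX_TLS_CALLBACKS = 64  # guard against a malformed, unterminated callback array


def build_sample_pe():
    """Constructed PE32 image: one .text section, an entry point at RVA 0x1000,
    and a TLS directory whose callback array names two callbacks."""
    image_base = 0x400000
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                   # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                  # Magic = PE32
    struct.pack_into("<I", opt, 16, 0x1000)                # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)            # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)                # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                 # FileAlignment
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, 0x1100, 24)
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                      0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec).ljust(0x200, b"\0")

    body = bytearray(0x200)                                # raw data of .text
    body[0x000] = 0xC3                                     # entry point: ret
    body[0x040] = 0xC3                                     # TLS callback 1 (RVA 0x1040)
    body[0x060] = 0xC3                                     # TLS callback 2 (RVA 0x1060)
    # IMAGE_TLS_DIRECTORY32 at RVA 0x1100. AddressOfCallBacks is a VA, not an RVA.
    struct.pack_into("<IIIIII", body, 0x100,
                     image_base + 0x1180, image_base + 0x1184,  # raw data start/end
                     image_base + 0x1188,                       # AddressOfIndex
                     image_base + 0x1120,                       # AddressOfCallBacks
                     0, 0)                                      # SizeOfZeroFill, Characteristics
    # Zero-terminated callback array at RVA 0x1120.
    struct.pack_into("<III", body, 0x120, image_base + 0x1040, image_base + 0x1060, 0)
    return headers + bytes(body)


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for _name, va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def parse_pe(data):
    """Return the entry point RVA, the TLS callback RVAs, and the order in
    which the loader would run them (callbacks first, then the entry point)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    if magic == 0x10B:                                     # PE32
        image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
        ndirs = struct.unpack_from("<I", data, opt_off + 92)[0]
        dirs_off, ptr_fmt, cb_field = opt_off + 96, "<I", 12
    elif magic == 0x20B:                                   # PE32+ (64-bit fields)
        image_base = struct.unpack_from("<Q", data, opt_off + 24)[0]
        ndirs = struct.unpack_from("<I", data, opt_off + 108)[0]
        dirs_off, ptr_fmt, cb_field = opt_off + 112, "<Q", 24
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")

    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        sections.append((name.rstrip(b"\0"), va, vsize, raw_ptr, raw_size))

    callbacks = []
    if ndirs > IMAGE_DIRECTORY_ENTRY_TLS:
        tls_rva, _tls_size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_TLS)
        if tls_rva:
            cb_va = struct.unpack_from(ptr_fmt, data, rva_to_offset(sections, tls_rva) + cb_field)[0]
            if cb_va:
                off = rva_to_offset(sections, cb_va - image_base)
                for _ in range(MAX_TLS_CALLBACKS):         # walk until the terminating zero
                    va = struct.unpack_from(ptr_fmt, data, off)[0]
                    if va == 0:
                        break
                    callbacks.append(va - image_base)
                    off += struct.calcsize(ptr_fmt)
    return {"entry_point": entry_rva, "tls_callbacks": callbacks,
            "execution_order": callbacks + [entry_rva]}


if __name__ == "__main__":
    for rva in parse_pe(build_sample_pe())["execution_order"]:
        print(f"{rva:#x}")
```

For the constructed image this prints 0x1040 and 0x1060 before the entry point 0x1000. One caveat for anyone reusing the idea: the loader reads the callback array from the mapped image at runtime, so a packer whose first callback rewrites the array or unpacks further code will show more entry points at runtime than this static walk reports; the list is the starting set, not a complete one.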
