[Gllug] Memory scanning

[James Courtier-Dutton]

On 6 September 2010 08:02, Nix <nix at esperi.org.uk> wrote:
> On 5 Sep 2010, James Courtier-Dutton said:
>
>
>> This would catch root kits that use hooks to hide themselves.
>
> This isn't Windows. Have there actually been any rootkits that use PLT
> manipulation of running binaries to hide themselves? It seems like a
> fiercely complicated way to do things, given that in order to do this
> you already must have sufficient privileges to execute arbitrary
> nonprivileged code, and it would seem easier to try to spread to more
> machines than to hide yourself on this one.
> --

Thank good it is not windows. This would be even more difficult to do
on windows.
For quite a long time now, I have wanted to write a tool in Linux that
can scan a Windows NTFS partition.
It would scan every executable on the HD, but not scan it for viruses,
but instead scan if for if it is the original or not.
The trouble is, I have tried taking the windows install .iso image,
and say a entire SP1 download, and trying to determine what the
outcome of the two merged together is, but it seems incredibly hard to
do.
My plan was to download all patches and hotfixes from microsoft, and
then create SHA sums of the files from them, but I cannot find out how
to create entire files. I.e. File X + Patch Y = File Z. I cannot see
how to get to File Z with only having File X and Patch Y.
The only way I have seen so far is to run it all in a virtual machine
and apply patches and get the File Z that way. I gave up on that idea
as being too messy.
I think it would be a useful tool for windows users.
I.e.
User has a new unknown virus that anti virus software cannot see.
I mount their windows ntfs partition and run my scanner.
It then highlights all the files that did not come from Microsoft but
should have come form microsoft.
I have then identified the binary containing the virus and can then
replace it with a known good version.
This could provide for a method to clean Windows machines of viruses
without needing to re-install them.
I would also do SHA sums a large whitelist of Windows compatible
software that can be trusted. E.g. iTunes etc.
One could do the same with Word Macro viruses. Have a whitelist of
Macros that are know to be good, and quaranteen all other ones.

A least on Linux, the File Z is easy to find and one already has the
SHA sums in the distro manifests.
There are already tools in Linux that do this sha sum checking so no
need to create them.
If anyone can help me with the "File X + Patch Y = File Z" problem, I
could implement the same features for ntfs mounts as well.

I was wanting to implement this memory scan in Linux, because most
Linux viruses tend to just stay in memory because the infrecting files
is less common in Linux than in Windows.

Kind Regards

James
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug