[Gllug] Memory scanning

Richard Jones rich at annexia.org
Mon Sep 6 10:55:23 UTC 2010


On Mon, Sep 06, 2010 at 10:36:50AM +0100, James Courtier-Dutton wrote:
> For quite a long time now, I have wanted to write a tool in Linux that
> can scan a Windows NTFS partition.
> It would scan every executable on the HD, but not scan it for viruses,
> but instead scan it for whether it is the original or not.
> The trouble is, I have tried taking the windows install .iso image,
> and say an entire SP1 download, and trying to determine what the
> outcome of the two merged together is, but it seems incredibly hard to
> do.
[more wibbling deleted]

Been there, done that:

<quote from http://libguestfs.org/TODO.txt>
  Integration with host intrusion systems
  ---------------------------------------
  Perfect way to monitor VMs from outside the VM.  Look for file
  hashes, log events, login/logout etc.
</quote>

I looked at adding to AIDE.  It's a simple matter of programming to
make it work, more of a problem getting the invasive patches accepted
upstream.  We even have all the hooks needed to pull out checksums in
libguestfs itself.

The problem of getting the original hashes isn't really a problem at
all.  You just install all variations of Windows you can think of and
pull the hashes of those files from the pristine install images.  (For
Linux it's even easier: Red Hat *publishes* the pristine hashes of
known-good files).

BTW, I don't think this idea is viable commercially.  Intel have for
years been trying to virtualize Windows and insert virus scanning in a
"hypervisor layer" beneath it.  They have more money than Croesus and
they've poured pots of it into vPro, with no visible outcome so far.

Rich.

-- 
Richard Jones
Red Hat
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
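The approach Rich describes above (hash every executable on a mounted guest filesystem and compare against hashes taken from pristine install images, one per Windows variant) is easy to sketch. The following is an added example written for this archive page; it is not code from libguestfs, AIDE or anyone on the thread. It assumes the guest partition has already been mounted read-only on the host (with guestmount, ntfs-3g or similar), that ".exe", ".dll" and ".sys" are what "executable" means, and that paths are compared case-insensitively because NTFS is. The directory names and file contents are constructed for the demonstration. Merging manifests from several pristine installs is what sidesteps the "base plus SP1" problem in the original question: a file is known-good if its hash matches any pristine install, not just one.

```python
"""Integrity scan of a mounted guest filesystem against known-good hashes.

Added example for this thread; it is not code from libguestfs or AIDE.
Assumptions: the guest partition is already mounted read-only on the host
(e.g. with guestmount or ntfs-3g), only PE-style suffixes count as
"executables", and paths are compared case-insensitively because NTFS is.
All directory names and file contents below are constructed for the demo."""
import hashlib
import os
import tempfile
from pathlib import Path

EXEC_SUFFIXES = {".exe", ".dll", ".sys"}  # assumption: what to treat as executable


def sha256_file(path: Path) -> str:
    """Stream the file so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def iter_executables(root: Path):
    """Yield (normalised relative path, absolute path) for executables under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or p.suffix.lower() not in EXEC_SUFFIXES:
                continue
            yield p.relative_to(root).as_posix().lower(), p


def build_manifest(pristine_root: Path) -> dict[str, set[str]]:
    """Hash every executable in one pristine install tree."""
    return {rel: {sha256_file(p)} for rel, p in iter_executables(pristine_root)}


def merge_manifests(*manifests: dict[str, set[str]]) -> dict[str, set[str]]:
    """Union per-path hash sets, so base and SP1 builds of a file are both known-good."""
    merged: dict[str, set[str]] = {}
    for m in manifests:
        for rel, hashes in m.items():
            merged.setdefault(rel, set()).update(hashes)
    return merged


def scan(guest_root: Path, manifest: dict[str, set[str]]) -> dict[str, list[str]]:
    """Classify each executable in the guest tree as ok, modified, unknown or missing."""
    report: dict[str, list[str]] = {"ok": [], "modified": [], "unknown": [], "missing": []}
    seen = set()
    for rel, p in iter_executables(guest_root):
        seen.add(rel)
        known = manifest.get(rel)
        if known is None:
            report["unknown"].append(rel)       # path exists in no pristine install
        elif sha256_file(p) not in known:
            report["modified"].append(rel)      # path is known, contents are not
        else:
            report["ok"].append(rel)
    report["missing"] = list(set(manifest) - seen)  # in pristine installs, gone from guest
    return {k: sorted(v) for k, v in report.items()}


def _write(root: Path, rel: str, data: bytes) -> None:
    f = root / rel
    f.parent.mkdir(parents=True, exist_ok=True)
    f.write_bytes(data)


def demo() -> dict[str, list[str]]:
    """Constructed sample: pristine base and SP1 trees, and a guest that has the
    SP1 kernel (ok), a patched kernel32 (modified), a dropped-in binary
    (unknown) and a deleted driver (missing)."""
    with tempfile.TemporaryDirectory() as tmp:
        base, sp1, guest = (Path(tmp) / n for n in ("base", "sp1", "guest"))
        base_files = {
            "Windows/System32/kernel32.dll": b"MZ kernel32 base",
            "Windows/System32/ntoskrnl.exe": b"MZ ntoskrnl base",
            "Windows/System32/drivers/disk.sys": b"MZ disk.sys",
            "Windows/System32/license.txt": b"not an executable, ignored",
        }
        sp1_files = {**base_files, "Windows/System32/ntoskrnl.exe": b"MZ ntoskrnl sp1"}
        for rel, data in base_files.items():
            _write(base, rel, data)
        for rel, data in sp1_files.items():
            _write(sp1, rel, data)
            _write(guest, rel, data)            # guest starts as a clean SP1 install
        _write(guest, "Windows/System32/kernel32.dll", b"MZ kernel32 trojaned")
        _write(guest, "Windows/System32/svch0st.exe", b"MZ dropper")
        (guest / "Windows/System32/drivers/disk.sys").unlink()
        manifest = merge_manifests(build_manifest(base), build_manifest(sp1))
        return scan(guest, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

Two caveats a practitioner would add. A hash whitelist only says "this file is byte-identical to one in some pristine install"; it says nothing about an executable that is legitimately present but absent from every image you hashed (third-party software, hotfixes you did not install), which is why the "unknown" bucket needs human review rather than being treated as an alert. And because the scan runs against a mounted, offline filesystem, it sees what is on disk, not what was running; a rootkit that hides files from the live OS cannot hide them here, which is exactly the advantage Rich points to in scanning from outside the VM.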
