Detecting Viruses

How do you go about writing a virus scanner? Well, I guess there are two obvious ways: you could study existing computer viruses, or you could try to write some yourself. The outcome should be similar either way. You will understand how a virus operates, and with that knowledge you can detect and remove viruses. It sounds simple. But I bet it is involved.

Let's try to think about the second technique. How can we write a virus? Essentially we want to run our own malicious code. What better way to do that than to latch onto a trusted existing program that users already run? The key here is how to latch on. The program you want to act as your host is an executable. That means it has a section (usually called .text) which consists of the code it runs, and a header that tells the loader where in that code execution starts. We want that program to run our code too, ideally before its own, so that the user notices nothing.

Therefore we have two tasks to accomplish: put our code somewhere in the file, and make sure our code gets executed. How about we just tack our code on to the end of the file? There is an existing entry point for the original executable, recorded in its header. Let's just substitute the original entry point with the location of our rogue code, which is now at the end of the file. (If we remember the original entry point and jump back to it when our code is done, the host still works and nobody is the wiser.) Sure, that's a good plan. Now let's get back to our original objective. How can we produce a virus detector that can find instances where a legit program has been hijacked? Easy. Just check whether the entry point for the program points at the end of the file: outside every section, or inside the last one. If so, you are probably looking at an infected application. "Probably" is the operative word: this is a heuristic, and an unusual linker layout or a packed executable can trip it too.
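Here is the whole idea in working code, written for this post as an added example rather than taken from it. It uses the real ELF64 header and section-header layouts, but the "programs" are tiny binaries constructed in memory (no real executable is parsed or modified), there are no program headers, and the infector assumes file offset N is mapped at virtual address BASE + N, which is a simplification of how a real appender would extend the last loadable segment. `infect()` does what the paragraph describes: append the rogue code, save the old entry point in front of it, and patch `e_entry`; `classify()` is the scanner check: find the section the entry point falls in and flag it if it is outside every section or inside the last one.

```python
"""Appending infector and the matching entry-point heuristic, for ELF64.

Added example, not the post's own code. Binaries are constructed in memory;
the BASE + file_offset mapping is an assumption for the demo.
"""
import struct

ELF_HDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian
SHDR = struct.Struct("<IIQQQQIIQQ")            # Elf64_Shdr
BASE = 0x400000                                # assumed load address


def _cstr(blob, off):
    """NUL-terminated string from the section-name string table."""
    return blob[off:blob.index(b"\0", off)].decode()


def parse(blob):
    """Return (entry point, [sections]) from the ELF and section headers."""
    hdr = ELF_HDR.unpack_from(blob, 0)
    if hdr[0][:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    entry, shoff, shentsize, shnum, shstrndx = hdr[4], hdr[6], hdr[11], hdr[12], hdr[13]
    raw = [SHDR.unpack_from(blob, shoff + i * shentsize) for i in range(shnum)]
    strtab_off = raw[shstrndx][4]                # sh_offset of .shstrtab
    return entry, [{"name": _cstr(blob, strtab_off + sh[0]), "addr": sh[3],
                    "offset": sh[4], "size": sh[5]} for sh in raw]


def classify(blob):
    """The post's heuristic: where does the entry point land?"""
    entry, sections = parse(blob)
    mapped = [s for s in sections if s["addr"] and s["size"]]   # skip NULL/.shstrtab
    home = next((s for s in mapped if s["addr"] <= entry < s["addr"] + s["size"]), None)
    if home is None:
        return ("suspicious", "entry point outside every section")
    last = max(mapped, key=lambda s: s["offset"])               # last section in the file
    if home is last:
        return ("suspicious", "entry point in last section " + last["name"])
    return ("clean", home["name"])


def build_clean(code=b"\x48\x31\xc0\xc3", data=b"\x01\x02\x03\x04"):
    """Construct a minimal ELF64 with .text, .data and .shstrtab (constructed sample)."""
    names = b"\0.text\0.data\0.shstrtab\0"      # name offsets: 1, 7, 13
    text_off = ELF_HDR.size
    data_off = text_off + len(code)
    str_off = data_off + len(data)
    shoff = (str_off + len(names) + 7) & ~7      # section header table, 8-aligned
    body = bytearray(shoff)
    body[text_off:data_off] = code
    body[data_off:str_off] = data
    body[str_off:str_off + len(names)] = names
    shdrs = [
        SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0),                               # SHT_NULL
        SHDR.pack(1, 1, 6, BASE + text_off, text_off, len(code), 0, 0, 16, 0),  # .text, AX
        SHDR.pack(7, 1, 3, BASE + data_off, data_off, len(data), 0, 0, 8, 0),   # .data, WA
        SHDR.pack(13, 3, 0, 0, str_off, len(names), 0, 0, 1, 0),               # .shstrtab
    ]
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, v1
    body[:ELF_HDR.size] = ELF_HDR.pack(ident, 2, 0x3E, 1, BASE + text_off, 0, shoff, 0,
                                       ELF_HDR.size, 0, 0, SHDR.size, len(shdrs), 3)
    return bytes(body) + b"".join(shdrs)


def infect(blob, payload, extend_last_section=False):
    """Append the rogue code and point e_entry at it.

    The original entry point is saved just before the payload so a real virus
    could jump back to it. With extend_last_section the last mapped section's
    sh_size is grown to cover the payload, as some appenders do.
    """
    entry, sections = parse(blob)
    out = bytearray(blob)
    stub_off = len(out)
    out += struct.pack("<Q", entry) + payload
    struct.pack_into("<Q", out, 24, BASE + stub_off + 8)   # e_entry sits at offset 24
    if extend_last_section:
        shoff = ELF_HDR.unpack_from(blob, 0)[6]
        idx = max(range(len(sections)), key=lambda i: sections[i]["offset"]
                  if sections[i]["addr"] and sections[i]["size"] else -1)
        new_size = len(out) - sections[idx]["offset"]
        struct.pack_into("<Q", out, shoff + idx * SHDR.size + 32, new_size)  # sh_size
    return bytes(out)


if __name__ == "__main__":
    clean = build_clean()
    print(classify(clean))
    print(classify(infect(clean, b"\x90\x90\xc3")))
    print(classify(infect(clean, b"\x90\x90\xc3", extend_last_section=True)))
```

Both infection variants are caught by the same rule, which is the point of the post's heuristic: it keys on where control starts, not on what the rogue bytes look like. It also shows the limit of the rule: a binary whose last section legitimately holds the entry point (packed executables do exactly this) will be flagged as well.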

Of course all of this is very simple. Existing virus scanners probably do all this as part of their most basic detection techniques. However, we are on the right track. We could think up more complicated ways to achieve takeover of a program. And thinking of those methods, and the means to detect and remove them, is the very topic I am interested in. Perhaps I shall spend some time furthering this idea. Come with me as I venture into the world of computer viruses.