I'm planning to develop an anti-malware application with my friends.
We are malware analysis professionals. So we do know how to make those definitions.
But we do need some help in the coding part.
Actually, I have some doubts.
How can we compare the MD5 of a system file and the one in our definitions?
Our definitions contain the MD5s of malware.
What should be the algorithm used to compare MD5s?
In a normal comparison it will take a whole day just to compare these MD5s.
Then, how do we compress our definition files,
and then how do we use these compressed definitions in our application?
If any of you have experience in developing these kinds of applications, please help us.
Then when you need to check an MD5 using the indexing array, you are only comparing to a short list between two indexes.
Something along this line:
MD5's
003b78----
01ab43----
01be65----
025f8a----
etc...
You can then build 255 indexes (the first byte of the MD5), with the index pointing to the first item in the list with that byte.
Index
2
4
Now your comparative MD5 01ef34--- will search between the first and second index only (2 and 4), cutting your search to 1/256 of the time (less a little overhead).
Or if you have a bigger list you can use the first 2 bytes as the index, or even the first 4 bytes, cutting your search to 1/65535 or 1/4294967296 of the time respectively (less the indexing overhead).
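A sketch of the first-byte index described in the answer above, as an added example that is not part of the original thread. All function names and the sample digests are constructed for illustration; it goes slightly beyond the post by storing each digest as 16 raw bytes instead of 32 hex characters (halving the definition file) and by binary-searching inside the selected bucket.

```python
import hashlib

DIGEST_LEN = 16  # an MD5 digest is 16 raw bytes (32 hex characters)


def build_index(hex_digests):
    """Return (blob, offsets): sorted raw digests plus a first-byte bucket table."""
    digests = sorted({bytes.fromhex(h) for h in hex_digests})
    if any(len(d) != DIGEST_LEN for d in digests):
        raise ValueError("every definition must be a 32-character hex MD5")
    # offsets[b] = position of the first digest whose first byte is b.
    # 257 entries so offsets[b + 1] exists even for b == 0xff.
    offsets = [0] * 257
    for d in digests:
        offsets[d[0] + 1] += 1
    for b in range(256):
        offsets[b + 1] += offsets[b]
    return b"".join(digests), offsets


def is_known(blob, offsets, digest):
    """Binary-search only the bucket that shares the digest's first byte."""
    lo, hi = offsets[digest[0]], offsets[digest[0] + 1]
    while lo < hi:
        mid = (lo + hi) // 2
        entry = blob[mid * DIGEST_LEN:(mid + 1) * DIGEST_LEN]
        if entry == digest:
            return True
        if entry < digest:
            lo = mid + 1
        else:
            hi = mid
    return False


def md5_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files are never fully loaded into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.digest()


# Constructed sample definitions: MD5s of made-up byte strings, not real malware.
SAMPLE_DEFS = [hashlib.md5(b"constructed-sample-%d" % i).hexdigest() for i in range(1000)]
BLOB, OFFSETS = build_index(SAMPLE_DEFS)
```

To scan a file, call `is_known(BLOB, OFFSETS, md5_of_file(path))`; the blob and offset table can be written to disk as-is and loaded back without re-sorting.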