bypassing-av[PDF]

hack0_bin

Member
Joined: Oct 21, 2025

Untitled

Introduction
Anti-Virus manufacturers have evolved a lot during the last decade, starting with simple signature-based scanners and thereafter slowly implementing more and more advanced heuristics. Most of these are able to scan files stored on the hard disk, but also opcodes in memory.

Opcodes are, in short, assembly commands, which are the lowest level of instructions given to the CPU by any application running. A program is usually developed in a higher-level language such as C or C++, where opcodes are usually not directly involved. The compiler, on the other hand, translates the high-level code into these opcodes based on the architecture used and so forth.

When a traditional Anti-Virus application scans a file, it does so by reading the offsets and their assigned values, where the offset is a memory address and the value is an opcode which the scanner can read with a simple binary hex-viewer. Therefore, it is able to look for a signature.

If an application passes the file-scan check on the hard disk without any heuristic "sandboxes" applied, then the file is either safe to run or the Anti-Virus application just got bypassed!

This paper will show some of the methods and techniques one can use in order to do this

author.

Internot security team


Link:
 
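The signature-matching step the quoted introduction describes (walk a file offset by offset, compare the bytes found there against a known pattern) can be shown in a few lines. The scanner below is an added example written for this thread; it is not code from the post, from the paper it quotes, or from any Anti-Virus product. It also supports ClamAV/YARA-style `??` wildcards so that one signature can cover samples that differ only in a few variable bytes (for example the relative offset of a call), which is the simplest reason real signature engines do not rely on exact byte strings alone. Every signature and every sample buffer here is constructed for illustration and matches no real malware; the signature names are made up.

```python
"""Minimal byte-signature scanner (added example, not from the post or the paper).

Walks every offset of a byte buffer and reports where a known byte pattern
(a "signature") occurs. Signatures are written as hex text, with "??" marking a
wildcard byte that may take any value. All signatures and sample buffers below
are constructed for this demonstration and do not correspond to real malware.
"""
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    name: str
    # One entry per byte of the pattern: a concrete value, or None for "??".
    pattern: Tuple[Optional[int], ...]


def parse_hex_signature(name: str, text: str) -> Signature:
    """Parse 'E8 ?? ?? ?? ?? 5D C3' style hex text into a Signature."""
    pattern: List[Optional[int]] = []
    for tok in text.split():
        if tok == "??":
            pattern.append(None)
        elif len(tok) == 2:
            pattern.append(int(tok, 16))
        else:
            raise ValueError(f"bad token {tok!r} in signature {name}")
    # A leading wildcard would match at every offset; require a concrete first byte.
    if not pattern or pattern[0] is None:
        raise ValueError(f"signature {name} must start with a concrete byte")
    return Signature(name, tuple(pattern))


def _matches_at(data: bytes, offset: int, pattern: Tuple[Optional[int], ...]) -> bool:
    """True if the pattern (with wildcards) matches data starting at offset."""
    if offset + len(pattern) > len(data):
        return False
    return all(exp is None or data[offset + i] == exp for i, exp in enumerate(pattern))


def scan_bytes(data: bytes, signatures: List[Signature]) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every place a signature matches."""
    hits: List[Tuple[str, int]] = []
    for sig in signatures:
        first = bytes([sig.pattern[0]])          # concrete by construction
        start = data.find(first)                 # jump between candidate offsets
        while start != -1:
            if _matches_at(data, start, sig.pattern):
                hits.append((sig.name, start))
            start = data.find(first, start + 1)
    return hits


def scan_file(path: str, signatures: List[Signature]) -> List[Tuple[str, int]]:
    """Scan a file on disk, the way the quoted text describes a file-scan check."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), signatures)


# Constructed signatures (names are made up; byte values are ordinary x86 prologue
# and call/ret encodings chosen only because they are recognisable).
SIGNATURES = [
    parse_hex_signature("Demo.ExactStub", "55 8B EC 83 EC 10"),
    parse_hex_signature("Demo.CallRel32", "E8 ?? ?? ?? ?? 5D C3"),
]

# Constructed sample buffers.
SAMPLE_A = b"\x90" * 4 + bytes.fromhex("558BEC83EC10") + b"\x00" * 8   # exact pattern at offset 4
SAMPLE_B = b"\x00" * 3 + bytes.fromhex("E811223344" "5DC3") + b"\xcc" * 2  # call rel32 = 0x44332211
SAMPLE_C = b"\x00" * 3 + bytes.fromhex("E8AABBCCDD" "5DC3") + b"\xcc" * 2  # same shape, other rel32
SAMPLE_CLEAN = b"\x00" * 16                                              # nothing to find


def main() -> None:
    for label, buf in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C), ("clean", SAMPLE_CLEAN)):
        print(f"sample {label}: {scan_bytes(buf, SIGNATURES)}")
    # The same scan applied to a file on disk.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(SAMPLE_B)
        path = tmp.name
    print(f"file {path}: {scan_file(path, SIGNATURES)}")


if __name__ == "__main__":
    main()
```

Sample A is caught by the exact signature; samples B and C differ in the four bytes after `E8` yet both hit the wildcard signature at offset 3, while the clean buffer produces no hits. The `??` positions are what let one signature cover a family of otherwise distinct byte strings; without them every variant would need its own entry, which is the weakness the quoted introduction alludes to when it says a file that passes the on-disk signature check is "either safe to run or the Anti-Virus application just got bypassed".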
