diff --git a/docs/malware-scanner/README.md b/docs/malware-scanner/README.md index 99e84c3..6813eff 100644 --- a/docs/malware-scanner/README.md +++ b/docs/malware-scanner/README.md 
@@ -1 +1,55 @@ -## *Currently empty, check back later or contribute yourself* \ No newline at end of file +# Malware scanner and detector + +--- + +# Static analysis from up-to-date signature database +This should be used by modpack checkers/launchers, this should be fast, detect known threats, quickly filter malwares from huge directories (modpacks, whole disks) + +## Matching rules +Standard way for representing JVM malware signatures. +Rules should be similar to Yara rules (just for JVM application) This means +- [ ] Binary sequence matches (mostly for asset matching) +- [ ] Filtered Java ASM instruction sequences (for example only check for method invocations, but all of them) +Ability to match only in selected functions could be useful +- [ ] filename matches (with regex) +- [ ] function name/id matches +- [ ] Match conditions like "at least 10" or "$a or $b and $c" +- [ ] per-malware threat level and lookup ID. Lookup ID should direct users to a website dedicated to malware details and removal guide. +- [ ] per-rule match id allowing us to see exact matching details. + +### Online signature database +Matcher rules should be hosted online and fetched by the detector allowing users to have up-to-date scan result without updating the program itself. +Rules describe a model, it does not describe any executed logic. + +**Problems with downloading anything** +Executing/downloading from database is dangerous, see [Runtime Downloading](/docs/runtime-downloading/README.md). +Any downloaded *data* should be signed to prevent any misuse. + + +## Detection algorithm +Should be fast **and** reliable. Reference implementation should be in JVM language. 
+- [ ] fast matching, like [KMP](https://en.wikipedia.org/wiki/Knuth%E2%80%93Morris%E2%80%93Pratt_algorithm) O(m+n) +- [ ] obfuscation resilent: ignore class hashes when loading file, open any .class what may be executed +- [ ] low-footpring, threading for speed +- [ ] simple API usage with many helper functions +- [ ] API documentation + +## Interfaces +- [ ] standalone/CLI interface +- [ ] standalone/GUI interface + installer +- [ ] library interfaces/wrappers, use from launchers, third-party apps +- [ ] launch wrapper to allow being inserted before mod launchers, easy user-guide to set it up/maybe tools + +The reference algorithm should be reproducable from matching rules, allow open-source developers to re-write it in other programming languages. + +--- + +# Dynamic analysis \[TODO] +A slow but reliable detector looking for jar capabilities, potential malware sign +- detecting the capability to download stuff from the internet (potentially jars, but can be genuine) +- detecting the capability to manipulate zip/jar. +- detecting the capability to execute stuff (Runtime.exec()) +- simulate code-execution to detect certain behavioural patterns (patterns like executing certain commands) +- TODO + +It can be implemented using [SSVM](https://github.com/xxDark/SSVM)
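Review bot: the signing requirement in the "Online signature database" section ("Any downloaded *data* should be signed to prevent any misuse.") does not say how the verifying key reaches the scanner or how stale rule sets are handled, so as written a signed-but-old database would pass verification and silently lose detections; suggest stating that the public key is pinned in the build, that the signed manifest carries a monotonically increasing version or timestamp, and that the detector refuses to load a rule set older than the one it already has. Two smaller points in the same region: the match-condition example "$a or $b and $c" needs its operator precedence and grouping defined, since "or"/"and" bind differently in Yara-style grammars than a reader may assume; and the KMP reference under "Detection algorithm" describes a single-pattern matcher, whereas a signature database scans for many byte sequences at once, where a multi-pattern automaton such as Aho-Corasick is the usual O(n + m) choice, so the doc should name the multi-pattern variant or say that KMP is only illustrative. Spelling in the added lines: "resilent" -> "resilient", "low-footpring" -> "low-footprint", "reproducable" -> "reproducible".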