Malware scanner

docs/malware-scanner/README.md

@@ -1 +1,55 @@
-## *Currently empty, check back later or contribute yourself*
+# Malware scanner and detector
+
+---
+
+# Static analysis from up-to-date signature database
+This should be used by modpack checkers/launchers, this should be fast, detect known threats, quickly filter malwares from huge directories (modpacks, whole disks)
+
+## Matching rules
+Standard way for representing JVM malware signatures.  
+Rules should be similar to Yara rules (just for JVM application) This means
+- [ ] Binary sequence matches (mostly for asset matching)
+- [ ] Filtered Java ASM instruction sequences (for example only check for method invocations, but all of them)  
+Ability to match only in selected functions could be useful
+- [ ] filename matches (with regex)
+- [ ] function name/id matches  
+- [ ] Match conditions like "at least 10" or "$a or $b and $c"
+- [ ] per-malware threat level and lookup ID. Lookup ID should direct users to a website dedicated to malware details and removal guide.
+- [ ] per-rule match id allowing us to see exact matching details.
+
+### Online signature database
+Matcher rules should be hosted online and fetched by the detector allowing users to have up-to-date scan result without updating the program itself.  
+Rules describe a model, it does not describe any executed logic.  
+
+**Problems with downloading anything**
+Executing/downloading from database is dangerous, see [Runtime Downloading](/docs/runtime-downloading/README.md).  
+Any downloaded *data* should be signed to prevent any misuse.
+
+
+## Detection algorithm  
+Should be fast **and** reliable. Reference implementation should be in JVM language.
+- [ ] fast matching, like [KMP](https://en.wikipedia.org/wiki/Knuth%E2%80%93Morris%E2%80%93Pratt_algorithm) O(m+n)
+- [ ] obfuscation resilent: ignore class hashes when loading file, open any .class what may be executed  
+- [ ] low-footpring, threading for speed
+- [ ] simple API usage with many helper functions
+- [ ] API documentation
+
+## Interfaces
+- [ ] standalone/CLI interface
+- [ ] standalone/GUI interface + installer
+- [ ] library interfaces/wrappers, use from launchers, third-party apps
+- [ ] launch wrapper to allow being inserted before mod launchers, easy user-guide to set it up/maybe tools
+
+The reference algorithm should be reproducable from matching rules, allow open-source developers to re-write it in other programming languages.  
+
+---
+
+# Dynamic analysis \[TODO]
+A slow but reliable detector looking for jar capabilities, potential malware sign
+- detecting the capability to download stuff from the internet (potentially jars, but can be genuine)
+- detecting the capability to manipulate zip/jar.
+- detecting the capability to execute stuff (Runtime.exec())
+- simulate code-execution to detect certain behavioural patterns (patterns like executing certain commands)
+- TODO 
+
+It can be implemented using [SSVM](https://github.com/xxDark/SSVM)