Reference to Sir Sergey Alexandrovich Kryukov's answer refer here[^]

I came to know that there is no difference between a normal executable which installs and a portable executable. I have several doubts on it, and as per Sir Sergey Alexandrovich Kryukov's suggestion I posted this as a separate question.

Doubt 1:

If a portable executable can be copied in a USB/SD card then how to make a licence?
For example:
If my software needs to be purchased for a required period and a user buys it for a year, then, since my executable is portable, after buying my software a user could copy the portable executable and make it run on another computer. So how can I prevent this?

Doubt 2:
I am still learning Win32 but I have knowledge in console application.
How could I change the settings?
For example:
If my software does some disk cleaning and has several options like cleaning the recycle bin, temporary files, etc., and a user ticks the recycle bin, the cleaner will clean the recycle bin, and the user's option is usually saved, so every time on opening the executable it remembers the user's choice and does its work according to it. But a portable executable usually opens like a new program.

Doubt 3: [Update]

Here is a brief explanation of doubt 3.

I did want to create an antivirus.

A short explanation of What I have tried/learned/researched so far in my 5 months of programming experience:

1. C++ is the best language to create an antivirus because it is faster than any other languages but I see several open source projects programmed using Python so I started learning python.

2. There are two techniques for analyzing malware: static (analyzing by not opening an executable) and dynamic (opposite to static). [I am quite well aware of the two techniques]

3. For dynamic analysis I have downloaded various analyzer tools like PE studio, CFF Explorer, OllyDbg, etc. (IDA Pro is a very good tool but I have less money since I am a student of only 17 years)

4. Learned some basic functions of assembly like jumping, calling. I know advanced functions are required but I am learning assembly.

5. Bought a new laptop at a cheap rate (Intel processor, Windows), because I have no faith in virtual machines.

6. I have a good general knowledge in Cyber security, cryptography, etc.,

7. I have knowledge of how threats work.(will be explained in the second section).

8. Learned some concepts in English like proper capitalization, requesting, conversing to an experienced person which is highly useful for getting what I need for Google and also from others.[but this is not up-to the level]

You may ask why I have explained this to you. I explained this so that I will not get any answers like "You have not even done single research and came here to ask this question", to make some difference from a newbie programmer who asks "How to program an antivirus?", and to avoid (further) down-voting.

So here is my problem:

1. Browser hijackers are stable (that is, they will not change their position, i.e. they will be located in a single folder). So using the SHA-512 (MD-5 is enough) algorithm and comparing the hash values we could easily identify the browser hijackers.

2. The same principle would be applied for rogue security software.

Here is where I am stuck:

1. While a Trojan, keylogger gets its location changed. It may spread through infected USB/SD cards etc., so how do I enable real time monitoring for finding these threats? I know hash algorithms are useless here.

2. Could you please give me some links/keywords in C/C++ which are related to working on the internet? Since my English is poor I'll try to explain this:
C++ functions to access a webpage, download from a webpage (for updating), like this. Just keywords are enough.


Kindly help me with this. This is what I have learned in 5 months.

If I have missed anything kindly notify me.

My sincere thank you to all who have helped me.
Updated 7-Jan-16 6:02am
Comments
Sergey Alexandrovich Kryukov 6-Jan-16 9:53am    
1. License is totally unrelated to installation.
2. Persist in a file.
3. Explain monitoring in detail.
—SA
[no name] 6-Jan-16 10:37am    
Sir,
3. I see some software (e.g. antivirus/anti-malware) which runs on the PC all the time from opening to shutting down. When I accidentally extract a zip file which contains some malware, my antivirus pops up a message. How is it possible?
Sergey Alexandrovich Kryukov 6-Jan-16 10:44am    
I would need to know more detail.
—SA
[no name] 6-Jan-16 10:50am    
Sir, more detail about what? Could you please explain to me?
Thank you for your comments.
Sergey Alexandrovich Kryukov 6-Jan-16 11:57am    
It is you who wants to achieve something. Neither you nor I know what that unknown anti-virus does. And you did not even properly explain the symptom. Perhaps it's more important what you want to achieve.
—SA

1. Use Google to learn about licensing. Generally you need some way of verifying whether the user has paid for the product and how long they have been using it. This usually means the application needs to contact your server via the internet.

2. User options can be saved in the registry or application configuration files.

3. Don't understand.

Note: this forum is for Quick technical questions, please read Code Project Quick Answers FAQ[^]. If you wish to learn how Windows operating system and various other features work then please use Google for research, or get hold of books on the subjects.
Comments
[no name] 6-Jan-16 10:47am    
I am really sorry, Sir, for I have violated the first point in the rules for posting (Have you searched or Googled for a solution?) but I have no choice.

I have no right to ask you but I am asking you. Could you please give me some keywords (I am not even expecting links) to refer to for my concepts above? I could not find what I want with my English (still learning), so that I feel better that I am going on the right path.
Richard MacCutchan 6-Jan-16 12:41pm    
You have the keywords in your questions. I really do not understand what you are asking for.
[no name] 6-Jan-16 13:00pm    
Sir, I have tried to explain my question briefly; kindly verify my updated question. Thank you very much for your help.
Richard MacCutchan 6-Jan-16 13:11pm    
Seriously, with five months experience I do not think you have the experience to create an anti-virus program. There are many advanced concepts that you first need to understand. And, as I said before, you need to do your own research on these subjects, this forum is for Quick Technical Answers.
[no name] 6-Jan-16 13:13pm    
Sir, I have asked this in my question: "2. Could you please give me some links/keywords in C/C++ which are related to working on the internet? Since my English is poor I'll try to explain this:
C++ functions to access a webpage, download from a webpage (for updating), like this. Just keywords are enough."
Could you give me some? Thank you.
VISWESWARAN1998 asked:
"while a Trojan, keylogger gets its location changed. It may spread through infected USB/SD cards etc., so how do I enable real time monitoring for finding these threats? I know hash algorithms are useless here."
First of all, this monitoring cannot be called "real-time".

As far as I remember, you work on Windows (correct me if I'm mistaken here; but you had better tag your OS when you ask questions).

On Windows, you can use the file system notification mechanism. You can start here:
FindFirstChangeNotification function (Windows)[^].

But don't think it will give you an easy solution. The mechanism will be too heavy-weight, and I would not be sure it's reliable enough. A more advanced approach would be developed on the level of the file system driver. Roughly, it's explained in this CodeProject article: File System Filter Driver Tutorial[^].

In particular, please see the section "Register a notification for file system changes" of this article.
See also:
IoRegisterFsRegistrationChange routine (Windows Drivers)[^],
The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux ... - Michael Hale Ligh, Andrew Case, Jamie Levy, Aaron Walters - Google Books[^].

Are you sure you can handle all that? All those problems are quite difficult.

—SA
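What a handler has to do once a change notification fires, as an added Python example (not code from the answer above): FindFirstChangeNotification only signals that something under the watched directory changed, not which file, so the handler diffs directory snapshots and hashes only the new or modified files against a blocklist. The function names, the blocklist and the sample payload are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Constructed blocklist: SHA-256 of a harmless, constructed sample payload.
SAMPLE_BAD = b"constructed-sample-not-real-malware"
KNOWN_BAD = {hashlib.sha256(SAMPLE_BAD).hexdigest()}

def snapshot(root):
    """Map every regular file under root to (size, mtime_ns)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # file vanished between listing and stat
            state[path] = (st.st_size, st.st_mtime_ns)
    return state

def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_changes(root, old):
    """Rescan after a change signal; return (flagged paths, new snapshot)."""
    new = snapshot(root)
    flagged = []
    for path in sorted(p for p, meta in new.items() if old.get(p) != meta):
        try:
            if sha256_file(path) in KNOWN_BAD:
                flagged.append(path)
        except OSError:
            pass  # locked or deleted mid-scan; picked up on a later signal
    return flagged, new

def demo():
    with tempfile.TemporaryDirectory() as root:
        baseline = snapshot(root)
        os.makedirs(os.path.join(root, "sub"))
        samples = (("notes.txt", b"harmless"),
                   (os.path.join("sub", "renamed.bin"), SAMPLE_BAD))
        for rel, data in samples:
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        first, state = scan_changes(root, baseline)
        second, _ = scan_changes(root, state)  # nothing changed since
        return [os.path.relpath(p, root) for p in first], second
```

The second scan returns nothing because unchanged files are skipped without being rehashed, which keeps the work per notification proportional to what changed rather than to the size of the tree.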
Comments
Richard MacCutchan 7-Jan-16 11:14am    
So good you posted twice. :?
Sergey Alexandrovich Kryukov 7-Jan-16 12:52pm    
He-he... Posting problem again. Thank you very much, will remove the previous one.
—SA
Dave Kreskowiak 7-Jan-16 11:21am    
According to the OP, he's been writing code for all of 5 months. He has grand aspirations but nowhere near enough experience to write something like this.
Sergey Alexandrovich Kryukov 7-Jan-16 12:51pm    
Agree, hence my last paragraphs.
But experience can grow during the following months and years. :-)
—SA

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)