Malware Scanner Using Python

Overview

This project implements a simple malware scanner using Python, designed to identify potential malware by searching for specific byte signatures in executable files. The scanner also includes functionality to create a test malware executable for validation purposes.

High-Level Overview

1. Setup Environment: Prepare the Python environment by ensuring you have Python 3.x installed.
2. Implement Scanner: Write the core scanning functionality that checks executable files for known malware signatures.
3. Create Test Malware Sample: Develop a test executable that mimics malware behavior to validate the scanner’s effectiveness.
4. Testing: Execute the scanner against the test sample and verify that it detects the simulated malware.
5. Documentation: Provide detailed documentation on how to use the scanner and create test samples.

Features

• Scans directories for executable files.
• Detects predefined malware signatures.
• Generates a test executable that simulates malware behavior.

Getting Started

Prerequisites

• Python 3.x
• Basic knowledge of running Python scripts

Installation

1. Clone the repository:

   git clone https://github.com/yourusername/malware-scanner.git

2. Navigate to the project directory:

   cd malware-scanner

Code

Malware Scanner

Here’s the complete code for the malware scanner:

import os  # Imports the os module for interacting with the operating system.

# List of byte patterns representing malware signatures.
Malware_Signatures = [
    b'\x90\x90\x90\x90',  # NOP sled
    b'\xEB\xFE',          # Infinite loop
]

def scan_file_with_signatures(file_path):  # A function that scans a single file for known malware signatures.
    try:
        with open(file_path, 'rb') as f:  # Opens the specified file in binary mode.
            file_content = f.read()  # Reads the entire file into memory for analysis.
            for signature in Malware_Signatures:  # Iterates through the malware signatures to check for matches.
                if signature in file_content:  # Checks if any signature exists within the file content.
                    print(f"Malware signature found in {file_path}")  # Logs the detection.
                    return True  # Indicates potential malware.
    except Exception as e:  # Handles errors that may arise during file access.
        print(f"Error reading {file_path}: {e}")  # Prints an error message if file access fails.
    return False  # Returns False if no malware signatures are detected.

def scan_directory(directory):  # A function that scans all executable files in a specified directory.
    for root, _, files in os.walk(directory):  # Uses os.walk() to traverse the directory structure.
        for file in files:
            file_path = os.path.join(root, file)  # Constructs the full path for each file found.
            if file.endswith('.exe'):  # Filters to only process executable files.
                print(f"Scanning {file_path}...")  # Provides feedback on the current scanning progress.
                if scan_file_with_signatures(file_path):  # Calls the scanning function.
                    print(f"Potential malware detected in {file_path}")  # Logs any detections.

if __name__ == "__main__":  # Checks if the script is run as the main program.
    directory_to_scan = input("Enter the directory to scan for malware: ")  # Prompts user input for the directory.
    scan_directory(directory_to_scan)  # Initiates the scanning process based on user input.

Test Code for Malware Sample

The following code generates a test executable that simulates malware behavior:

import struct  # Imports the struct module for handling binary data formatting.

def create_sample(filename):  # Defines a function to create a test executable with a specified name.
    payload = b'\x90' * 100 + b'\xEB\xFE' + b'\x90' * 100  # Constructs a byte sequence mimicking malware behavior.
    with open(filename, 'wb') as f:  # Opens a new file in binary write mode.
        f.write(b'MZ')  # Writes the DOS header, marking the file as executable.
        f.write(struct.pack('<H', 0x00))  # Adds a placeholder for the DOS stub.
        f.write(b'\x00' * 58)  # Writes padding to ensure the PE header is correctly positioned.
        f.write(b'PE\x00\x00')  # Writes the PE header, indicating the start of the executable's main structure.
        f.write(struct.pack('<H', 0x014C))  # Specifies the architecture as x86.
        f.write(struct.pack('<H', 0x0002))  # Indicates that the executable contains two sections.
        f.write(struct.pack('<I', 0x00001000))  # Sets a timestamp for the file.
        f.write(struct.pack('<I', 0x00000000))  # Indicates no symbol table is present.
        f.write(struct.pack('<I', 0x00000000))  # Specifies that there are no symbols.
        f.write(struct.pack('<H', 0x00E0))  # Sets the size of the optional header.
        f.write(struct.pack('<H', 0x0200))  # Defines characteristics for the executable.
        f.write(b'.text')  # Names the section containing the executable code.
        f.write(struct.pack('<I', 0x00000000))  # Specifies the virtual size of the section.
        f.write(struct.pack('<I', 0x00001000))  # Sets the address where the section will be loaded in memory.
        f.write(struct.pack('<I', 0x00002000))  # Indicates the size of the raw data in the section.
        f.write(struct.pack('<I', 0x00000000))  # Specifies the offset to the raw data in the file.
        f.write(struct.pack('<I', 0x00000000))  # Indicates that there are no relocations.
        f.write(struct.pack('<I', 0x00000000))  # Specifies that there are no line numbers.
        f.write(struct.pack('<H', 0x0000))  # Indicates that no relocations exist.
        f.write(struct.pack('<H', 0x0000))  # Specifies that there are no line numbers.
        f.write(struct.pack('<I', 0x00000000))  # Defines characteristics for the section.
        f.write(payload)  # Writes the constructed payload to the executable.

if __name__ == "__main__":  # Runs the sample creation function when the script is executed.
    create_sample("malware_test_sample.exe")  # Generates the test executable.

Testing the Scanner

Step-by-Step Instructions

1. Run the Test Sample Creation:

   • Execute the test code to generate a sample malware executable:

   python malware_scanner.py

   • 

2. Locate the Executable:

   • After running the script, check the directory for malware_test_sample.exe.

   • 

3. Run the Malware Scanner:

   • Execute the scanner script and provide the directory where the test sample is located:

   python malware_scanner.py

   • Enter the directory path when prompted.

   • 

4. Review Results:

   • Check the console output to see if the scanner detected the test sample.

   • 

Conclusion

This malware scanner serves as a foundational tool for detecting known malware signatures in executable files. It provides a simple yet effective way to test malware detection methodologies, with the ability to create test samples for validation.

Feel free to expand upon this code by adding more signatures, improving error handling, or enhancing user interactions!

License

This project is licensed under the MIT License - see the LICENSE file for details.

---

Feel free to reach out if you have any questions!