Skip to content

Ross-Ward/Shield-Engine

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Shield

Shield Labs Logo

Shield Engine

Part of the Shield Labs ecosystem.

An open-source, high-performance malware detection engine built in Go. Designed for transparency, depth, and layered defense.


🛡️ Overview

Antivirus engines are often "black boxes" that quarantine files without explaining the why or how. Shield Engine is built in the open, allowing security researchers and developers to understand detection techniques ranging from simple signatures to advanced heuristics and entropy analysis.

Shield is designed for:

  • Internal Malware Detection: Scanning infrastructure for known threats.
  • Security Research: Analyzing techniques used by modern malware.
  • Layered Defense: Providing a transparent alternative to proprietary solutions.

🚀 Key Features

Engine Detection Technique Status
Hash-Based SHA-256, SHA-1, MD5 signatures ✅ Production
YARA Rules Advanced pattern matching (YARA-Lite) ✅ Production
PE Heuristics IAT analysis, section headers, static API checks ✅ Production
Entropy Detecting packed/encrypted malicious payloads ✅ Production
Fuzzy Hashing ssdeep/TLSH for detecting polymorphic variants ✅ Production
Evasion Lab Tools for testing engine bypass techniques 🔜 Planned

🏗️ Architecture

Shield utilizes a modular Detector Interface, allowing multiple engines to scan a file concurrently and return a combined risk assessment.

graph TD
    CLI[Shield CLI] --> Orchestrator[Scanner Orchestrator]
    Orchestrator --> Hash[Hash Engine]
    Orchestrator --> YARA[YARA Engine]
    Orchestrator --> PE[PE Heuristics]
    Orchestrator --> Entropy[Entropy Engine]
    Orchestrator --> Fuzzy[Fuzzy Engine]
    Hash --> DB[(Signatures DB)]
    YARA --> Rules[(YARA Rules)]
Loading

📂 Project Structure

Shield/
├── main.go              # CLI Entry Point & Orchestration
├── scanner/             # Core Detection Engines
│   ├── entropy.go       # Entropy & Packing Detection
│   ├── fuzzy.go         # Fuzzy Hashing (ssdeep/TLSH)
│   ├── pe.go            # PE Heuristics & IAT Analysis
│   ├── scanner.go       # Orchestration & Multi-thread Scanning
│   └── yara.go          # YARA-Lite Rule Integration
├── rules/               # YARA Rule Collections (Core, ESET, etc.)
├── signatures/          # Known-bad Hash Databases
├── go.mod               # Dependencies
└── README.md            # Documentation

🛠️ Getting Started

Prerequisites

  • Go 1.21+
  • libyara (Required for YARA scanning support)

Installation

git clone https://github.com/Ross-ward/Shield-Engine.git
cd Shield-Engine
go build -o Shield main.go

Usage

Scan a single file:

./Shield scan --file suspicious.exe

Scan a directory recursively:

./Shield scan --dir ./downloads

Add a new threat hash:

./Shield add-hash --hash <sha256> --name "Emotet Loader"

🔍 Detection Engines

1. Hash-Based Detection

The most fundamental method. Compares file hashes (SHA-256, SHA-1, MD5) against our signatures/signatures.txt database. While easily bypassed by changing a single byte, it remains the standard for identifying known samples.

2. YARA Rule Scanning

Shield integrates a recursive YARA rule loader. It scans files against thousands of community rules (Elastic, ESET, Florian Roth) to identify specific malware families and attack techniques.

3. Static PE Analysis

The PE engine parses the Windows executable structure to identify:

  • Suspicious Imports (IAT): Detecting calls to VirtualAlloc, WriteProcessMemory, etc.
  • Section Anomalies: Unusual section names or high-entropy code sections.

4. Entropy Analysis

Malware often uses packers (UPX, VMProtect) to hide its code. Shield calculates the Shannon Entropy of file sections; high entropy across large blocks often indicates encrypted or compressed malicious payloads.

5. Fuzzy Hashing

Polymorphic malware changes its hash but keeps its structure. Shield uses fuzzy hashing to detect "similarity" between files, catching variants that traditional hash checks miss.


⚠️ Disclaimer

Shield Engine is for educational and research purposes only. Do not use this tool on systems or files you do not own or have explicit permission to analyze. Handling malware should always be done in isolated, non-networked lab environments.


🤝 Contributing & Support

Shield Labs is an open project. We welcome contributions to the scanning engines, signature databases, and documentation.

  • GitHub: Shield Project
  • Organization: Part of the Shield Labs Security Hub.

© 2026 Shield Labs. Licensed under the MIT License.

About

Modular malware detection engine in Go - YARA rules, PE parsing, entropy analysis, ssdeep/TLSH fuzzy hashing

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors