Reading A File Signature

akkbkht

Hello Everyone.

I am making a tool in which I want a button to do the following job, e.g.:

A=(1,2,3) Signature Guide
B=(1,2,4) File Signature

In short, I am making an antivirus; everything is done except the "clean" button.

I want the clean button to do the following job:

Read the file (B) signature and compare it with the signature guide (A). If the file (B) signature is different from signature file (A), then repair the file, changing its signature to match what is present in the signature guide.

Any idea...?

lolafuertes

Please, post what you have coded so far here.

akkbkht

It's a total of 471 lines of code just on Form1.

However, I am pasting the code behind Delete and Delete All.

Delete

        Try
            ' Delete the selected file from disk, then drop it from the detections list
            Kill(ListBox2.SelectedItem.ToString())
            ListBox2.Items.Remove(ListBox2.SelectedItem)

            MsgBox("Threat Was Removed Successfully!", MsgBoxStyle.Information)
        Catch ex As Exception

        End Try

Delete All

        Timer2.Start()

and

Timer2

        Try
            If Not ListBox2.Items.Count = 0 Then
                ListBox2.SelectedIndex += 1
                ' Delete the file selected in ListBox2 (the detections list), not ListBox1
                Kill(ListBox2.SelectedItem.ToString())
                ListBox2.Items.Remove(ListBox2.SelectedItem)
            Else
                Timer1.Stop()
                Timer2.Stop()

                MsgBox("Threat Was Removed Successfully!", MsgBoxStyle.Information)

            End If
        Catch ex As Exception

        End Try

lolafuertes

Do you use binary readers to read the file and the guide signatures?
Are both always of the same length?
Do you have a CompareSignatures function to determine whether the guide signature is the file signature?
Do you have a ReplaceSignature function?
How do you remove from memory a file already loaded, in order to change its signature?

Just a comment on your delete all process. Let's do an example:
You have 3 items in the ListBox.
The first item is 0, the second is 1 and the third is 2.

You select the first item, 0, kill the file and remove the item from the ListBox.

Now you'll have 2 items, 0 and 1, then you select the next (+1) SelectedIndex. This will be 1, and you kill the file and remove it from the ListBox.

Now you'll have 1 item, 0, then you select the next (+1) SelectedIndex. This will be 2, probably throwing an exception.

I would suggest cycling the SelectedIndex from Items.Count-1 to 0 step -1 to avoid this error.

Hope this helps
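
The reverse-order loop suggested above, as an added example rather than code from the thread. DeleteAll is a name chosen here, the list of paths stands in for ListBox2.Items, and a file that cannot be deleted stays in the list and is reported instead of being counted as removed.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.IO

Module DeleteAllExample
    ' Deletes every path in items, walking from the last index down to 0 so that
    ' removing an entry never shifts the entries still to be visited.
    ' Returns the paths that could not be deleted; those stay in the list.
    Function DeleteAll(items As IList(Of String)) As List(Of String)
        Dim failed As New List(Of String)
        For i As Integer = items.Count - 1 To 0 Step -1
            Dim target As String = items(i)
            Try
                File.Delete(target)        ' no error if the file is already gone
                items.RemoveAt(i)
            Catch ex As Exception When TypeOf ex Is IOException OrElse
                                       TypeOf ex Is UnauthorizedAccessException
                failed.Add(target)         ' locked or protected: report it
            End Try
        Next
        Return failed
    End Function

    Sub Main()
        ' Constructed sample: three empty temp files stand in for detected files.
        Dim detected As New List(Of String)
        For n As Integer = 1 To 3
            detected.Add(Path.GetTempFileName())
        Next
        Dim failed As List(Of String) = DeleteAll(detected)
        Console.WriteLine("left in list: {0}, failed: {1}", detected.Count, failed.Count)
    End Sub
End Module
```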

akkbkht

Thanks for your reply.

Actually I am creating an antivirus using an MD5 hasher. Now it uses hashes (file signatures) and compares the hexadecimal signatures of the files scanned to the virus list. If these signatures are found to be the same, it means a virus exists; otherwise, no virus.

I am making a "Clean" button to repair the virus-affected file.
E.g.:
Original file A=(1,2,3)
Affected file A=(1,2,4)

Repair file A=(1,2,3) means to recover 4 to 3....

Now, this can only be done when I have both pieces of info: what the affected file's current hash code is and what its original hash code was. Then replace the current hash code with the original... Actually I am new to VB.NET, so I have too much trouble...

I am adding the code of Custom Scan, Delete, Delete All, Timer1 and Timer 2.

Custom Scan

Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        FolderBrowserDialog1.ShowDialog()
        ListBox1.Items.Clear()
        ListBox2.Items.Clear()
        TabControl1.SelectTab(1)

        'Enabling Buttons

        'Button8.Enabled = True
        'Button9.Enabled = True
        'Button10.Enabled = True


        Try
            For Each strDir As String In System.IO.Directory.GetDirectories(FolderBrowserDialog1.SelectedPath)

                For Each strFile As String In System.IO.Directory.GetFiles(strDir)

                    ListBox1.Items.Add(strFile)

                Next

            Next
        Catch ex As Exception
        End Try

        Timer1.Start()
    End Sub

Delete

Private Sub Button4_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button4.Click
        Try
            Kill(ListBox2.SelectedItem)
            ListBox2.Items.Remove(ListBox2.SelectedItem)



            MsgBox("Threat Was Removed Successfully!", MsgBoxStyle.Information)


        Catch ex As Exception

        End Try
    End Sub

delete All

Private Sub Button3_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button3.Click
        Timer2.Start()
    End Sub

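Timer 2

    Private Sub Timer2_Tick(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Timer2.Tick
        Try
            If Not ListBox2.Items.Count = 0 Then
                ListBox2.SelectedIndex += 1
                ' Delete the file selected in ListBox2 (the detections list), not ListBox1
                Kill(ListBox2.SelectedItem.ToString())
                ListBox2.Items.Remove(ListBox2.SelectedItem)
            Else
                Timer1.Stop()
                Timer2.Stop()

                MsgBox("Threat Was Removed Successfully!", MsgBoxStyle.Information)

            End If
        Catch ex As Exception

        End Try
    End Sub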

Timer 1

' Needs: Imports System.IO, System.Text, System.Security.Cryptography, Microsoft.VisualBasic.CompilerServices
Private Sub Timer1_Tick(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Timer1.Tick
        ProgressBar1.Maximum = ListBox1.Items.Count
        total.Text = Conversions.ToString(ListBox1.Items.Count)

        If Not ProgressBar1.Value = ProgressBar1.Maximum Then
            Try
                ' Move on to the next file in the scan list
                ListBox1.SelectedIndex = ListBox1.SelectedIndex + 1
                TextBox1.Text = ListBox1.SelectedItem.ToString
            Catch ex As Exception
            End Try

            Try
                Dim scanbox As New TextBox
                ' Load the list of known-bad MD5 hashes
                Dim read As String = My.Computer.FileSystem.ReadAllText("viruslist.txt")
                ProgressBar1.Increment(1)
                detected.Text = Conversions.ToString(ListBox2.Items.Count)
                files.Text = Conversions.ToString(ProgressBar1.Value)
                scanbox.Text = read.ToString
                Dim md5 As MD5CryptoServiceProvider = New MD5CryptoServiceProvider
                Dim hash As Byte()
                ' Open the file once and close it after hashing, so no handle is left open on it
                Using f As FileStream = New FileStream(ListBox1.SelectedItem.ToString, FileMode.Open, FileAccess.Read, FileShare.Read, 8192)
                    hash = md5.ComputeHash(f)
                End Using
                ' Hex-encode the digest in the same upper-case form used for the lookup
                Dim buff As StringBuilder = New StringBuilder
                For Each hashByte As Byte In hash
                    buff.Append(String.Format("{0:X2}", hashByte))
                Next

                If scanbox.Text.Contains(buff.ToString) Then
                    ListBox2.Items.Add(ListBox1.SelectedItem)
                End If
            Catch ex As Exception
            End Try
        Else
            Timer1.Stop()
            MsgBox("Finished Scanning Folder!")
            TabControl1.SelectTab(2)
            If ListBox1.Items.Count = 0 Then
                MsgBox("No Threats were detected, Scan Window will close!", MsgBoxStyle.Information)

            End If
        End If
    End Sub

Hope it will help you...

lolafuertes

The MD5 hash returns a 128-bit value (16 bytes in length, and 340282366920938463463374607431768211456 distinct results are possible).

But... more than one source for the hash can have the same hash value, and there is no way to know the source for that result.

To know more about the collision results in MD5, please visit the Wikipedia page.

IMO, you should research another approach to the 'repair' function.

Sorry.

akkbkht

Thanks.

You say that a file has more than 1 hash value; no problem, just type the syntax to get any previous hash value and then replace the current value with the acquired previous value, if possible, because I am just stuck here.
And one more thing:

I read that there are 3 ways to quarantine an affected file:
1. change the extension to none (filename.*)
2. change file name with ext to none (*.*)
3. change the file location.

I am able to move the file or change its extension, its name plus extension, or its location.

The question is:

How to recover the changed files to their original state or original location? Because, e.g., there are 10 files quarantined and these are from different locations... then how to recover them all at the same time?

Thanks.

lolafuertes

Sorry, I am saying that many files can have the same hash value.
Also I am saying that it is not possible to replace the hash value of a file with another.

As the hash value is the result of a calculation, you cannot replace the result of the calculation to 'clean' the original file.

As a simple example: if you have a hash value of 4, which is the result of adding all the original positive number values together, which one is the right original file structure?
Possible answers:
Original has a length of 1 with a value of 4. (this is easy)
Original has a length of 2 with the following possible pairs: 0 + 4 or 1 + 3 or 2 + 2 or 3 + 1 or 4 + 0
Original has a length of 3 values with: 0 + 0 + 4 or 0 + 1 + 3 or .... 4 + 0 + 0
...
Original has 2 Mbytes length: Fill in all the possible values here by yourself :( .

With the value of 4, and the examples here, if the result of the calculation is to be 3 instead of 4, which of the original file values is the right one to be modified? You can only apply the clean process (according to this algorithm) if the file is 1 byte in length.

As the MD5 hash calculation is really a lot more complex, there is no way to clean the original file by replacing the hash values. Sorry.

In order to clean your files, you'll need another approach.

Hope this helps to understand the problem.
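
The additive toy hash from the post above, carried through as an added example (not code from the thread; ToyHash and Preimages are names chosen here). It enumerates every byte sequence of a given length whose sum is 4, which is the set of candidate "originals" a repair routine would have to choose between when all it knows is the hash.

```vbnet
Imports System
Imports System.Collections.Generic

Module ChecksumPreimages
    ' Toy "hash" from the post: the sum of all byte values in the file.
    Function ToyHash(data As Byte()) As Integer
        Dim sum As Integer = 0
        For Each b As Byte In data
            sum += b
        Next
        Return sum
    End Function

    ' Every byte sequence of the given length whose ToyHash equals target.
    Function Preimages(length As Integer, target As Integer) As List(Of Byte())
        Dim found As New List(Of Byte())
        Dim current(length - 1) As Byte
        Search(current, 0, target, found)
        Return found
    End Function

    ' Depth-first fill of positions pos..end so the remaining sum reaches 0.
    Private Sub Search(current As Byte(), pos As Integer,
                       remaining As Integer, found As List(Of Byte()))
        If pos = current.Length Then
            If remaining = 0 Then found.Add(CType(current.Clone(), Byte()))
            Return
        End If
        For v As Integer = 0 To Math.Min(remaining, 255)
            current(pos) = CByte(v)
            Search(current, pos + 1, remaining - v, found)
        Next
    End Sub

    Sub Main()
        ' Same hash value, ever more files that produce it as the length grows.
        For length As Integer = 1 To 4
            Dim candidates As List(Of Byte()) = Preimages(length, 4)
            Console.WriteLine("length {0}: {1} files hash to 4, e.g. {2} (check: {3})",
                              length, candidates.Count,
                              BitConverter.ToString(candidates(0)),
                              ToyHash(candidates(0)))
        Next
    End Sub
End Module
```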

lolafuertes

Answering the question about the quarantined files, I would suggest the following:
Always copy the original file to the destination location, then delete the original file. Never move.
In order to recover the original file name, I would suggest that when copying the original to the destination folder, you change the name to a random Guid. Then create a file with the same random Guid + the extension log (or something you define), and write there the info about the original file. This way you will always have pairs of files, the original and the info.

Hope this helps.

akkbkht

OK.
For the clean purpose, does any other possible way exist?
I mean to say, do you have any idea what the other AVs do for the clean purpose, if they have a clean button which removes the viruses from a file and recovers the affected files to their original state...

And would you please demonstrate the quarantine method with an example, so that I am able to follow your approach.

Thanks.

lolafuertes

As far as I know, not all infections can be cleaned.
The mechanism other AVs use to recognize a file as being infected, and to be able to remove the infection, is out of my knowledge.

How to obtain a Guid?
Using System.Guid.NewGuid().ToString() you can obtain a value (like 9245fe4a-d402-451c-b9ed-9c1a04247482) that can be used as the file name.

Example:

' Random Guid used as the quarantined file name; the info file is the same name plus ".log"
Dim QuarantineeFileName As String = System.Guid.NewGuid().ToString()
Dim QuarantineeInfoFileName As String = QuarantineeFileName & ".log"
Dim QuarantineFolder As System.IO.DirectoryInfo = New System.IO.DirectoryInfo("C:\Quarantine")
If QuarantineFolder.Exists = False Then
   Try
      QuarantineFolder.Create()
   Catch ex As Exception
      MsgBox("Error creating the quarantine directory: " & ex.Message)
      '
      '   Maybe you want to wait for a Cancel or Retry
      '
   End Try
End If
Dim OriginalFile As System.IO.FileInfo = New System.IO.FileInfo(TextBox1.Text)
' Both destination files live inside the quarantine folder
Dim DestinationFile As System.IO.FileInfo = New System.IO.FileInfo(System.IO.Path.Combine(QuarantineFolder.FullName, QuarantineeFileName))
Dim DestinationInfoFile As System.IO.FileInfo = New System.IO.FileInfo(System.IO.Path.Combine(QuarantineFolder.FullName, QuarantineeInfoFileName))
'
'   Pick a new Guid in the unlikely case that either name is already taken
'
Do While DestinationFile.Exists Or DestinationInfoFile.Exists
   QuarantineeFileName = System.Guid.NewGuid().ToString()
   QuarantineeInfoFileName = QuarantineeFileName & ".log"
   DestinationFile = New System.IO.FileInfo(System.IO.Path.Combine(QuarantineFolder.FullName, QuarantineeFileName))
   DestinationInfoFile = New System.IO.FileInfo(System.IO.Path.Combine(QuarantineFolder.FullName, QuarantineeInfoFileName))
Loop
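
One way to carry the copy, Guid name and info-file procedure from the posts above through to restore and "restore all". This is an added example, not code from the thread; QuarantineFile, RestoreFile and RestoreAll are names chosen here, and the info file is assumed to hold only the original full path.

```vbnet
Imports System
Imports System.IO

Module QuarantineExample
    ' Assumption: the quarantine folder used in the post above.
    Const QuarantineDir As String = "C:\Quarantine"

    ' Copies the file into quarantine under a random Guid name, writes
    ' <Guid>.log holding the original full path, then deletes the original.
    ' Returns the Guid so the caller can list or restore the item later.
    Function QuarantineFile(originalPath As String) As String
        Directory.CreateDirectory(QuarantineDir)    ' no-op if it already exists
        Dim id As String = Guid.NewGuid().ToString()
        Dim stored As String = Path.Combine(QuarantineDir, id)
        File.Copy(originalPath, stored, False)      ' fail rather than overwrite
        File.WriteAllText(stored & ".log", Path.GetFullPath(originalPath))
        File.Delete(originalPath)                   ' only after copy and log succeeded
        Return id
    End Function

    ' Puts one quarantined file back where its .log says it came from.
    ' Guid.Parse rejects any id that is not a Guid, so it cannot name a path.
    Sub RestoreFile(id As String)
        Dim stored As String = Path.Combine(QuarantineDir, Guid.Parse(id).ToString())
        Dim originalPath As String = File.ReadAllText(stored & ".log")
        Directory.CreateDirectory(Path.GetDirectoryName(originalPath))
        File.Copy(stored, originalPath, False)      ' do not clobber a newer file
        File.Delete(stored)
        File.Delete(stored & ".log")
    End Sub

    ' "Restore all": every .log in the quarantine folder names one item.
    Function RestoreAll() As Integer
        Dim restored As Integer = 0
        For Each logPath As String In Directory.GetFiles(QuarantineDir, "*.log")
            RestoreFile(Path.GetFileNameWithoutExtension(logPath))
            restored += 1
        Next
        Return restored
    End Function

    Sub Main()
        ' Constructed sample: an empty temp file stands in for a detected file.
        Dim sample As String = Path.GetTempFileName()
        Dim id As String = QuarantineFile(sample)
        Console.WriteLine("quarantined as {0}, original exists: {1}", id, File.Exists(sample))
        Console.WriteLine("restored {0} item(s), original exists: {1}", RestoreAll(), File.Exists(sample))
    End Sub
End Module
```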

akkbkht

Hello
Bro, thanks a lot for helping me so much. I wasn't able to do the quarantine issue fully without your support. Now one more request: I have grabbed items from textbox2 to textbox3 through the quarantine button; then for deleting these files, I will use a timer3 (timer1 for scanning, timer2 for deleting the selected files, and timer3 for deleting the selected files from the quarantine tab), but what would be the mechanism for the restore and restore all buttons?
Please demonstrate with an example, according to the example of the quarantine you posted last.

Once again, thanks a lot dear....

akkbkht

And one more thing.

http://www.youtube.com/watch?v=1naoiDDWazk&feature=feedlik

Watch this link; you may get some assistance from this video.
This video is a response video to the "advance anti virus tutorial in vb.net" which I am using as a guide video for my project.

akkbkht

OK dear.

I have added the same code to my AV but it's giving me a problem: when I run my application, scan the drives, and then want to quarantine the affected files, it gives an unhandled exception error in quarantinee file.

Where do you think the problem arises?

lolafuertes

Which unhandled exception?
Did you verify that you have write permissions to the quarantine folder?

akkbkht

exception at
quarantinefile

is unhandled when the application is executed...
I will paste the full code in a few hours as I am not at home now.

akkbkht

Respected

The unhandled exception code is pasted below:

    Private Function QuarantineeFileName() As String
        Throw New NotImplementedException
    End Function

awais bukhari

I have the same question and problem as akkb is having :(

lolafuertes

    Private Function QuarantineeFileName() As String
        Throw New NotImplementedException
    End Function

You are just throwing an unhandled exception.

What is the QuarantineeFileName function expected to do?

akkbkht

I don't need to throw the unhandled exception; the application itself throws it. If I didn't do that, it gives me an error... :(
