I'm going to do my graduate dissertation this year. My title is to develop a forensic tool which is able to detect and analyse the file signature, then compare it with the extension. If the extension does not match the file signature, then there is a feature in the tool that would revert the wrong file extension to its original state. The problem is that there is little information to be found online that shows the code library or function that could enable me to program the above-mentioned feature. Could it be implemented in VB.NET or should I do it in C#? Is there any sample code that could perform the file signature comparison with the extension and also correct the file extension according to the signature in VB? Please help.

Could it be implemented on the vb.net or i should do it on C#?

Doesn't make any difference. Both will do the job.

and analyse the file signature

What do you mean by file signature? Something (a hash value) you've pre-calculated from the files in a file system and associated with the file's type? Or the "magic number" in an arbitrary file which identifies the file's type, for example "GIF87a" or "GIF89a" in GIF-format image files?

Or the "magic number" in an arbitrary file which identifies the file's type, for example "GIF87a" or "GIF89a" in GIF-format image files?
From what I have found online, this is the essential feature needed to develop the tool. For example, let's talk about a scenario: filea.doc was modified to filea.dll to hide some information; the tool would analyse that file and would correct filea.dll to filea.doc, since the file signature of filea.dll shows that it is filea.doc.

Anyway, is there any sample code that would do the comparison of file signature with file extension in VB.NET? I'm worried that I cannot complete the implementation part of this project since it needs some code library that I haven't dealt with.

The most important thing I would like to know is how to return the hex signature of a single file to the user interface if I program it with VB.NET. For example, to obtain information like the table in the list of file signatures: http://en.wikipedia.org/wiki/List_of_file_signatures

is there any sample code that would do the comparison of file signature with file extension in VB.NET

Yes. At least libraries to identify files, but since there are so many file formats, none of them can be perfect. I suggest choosing a subset of file formats and concentrate on recognizing them as well as possible.

I won't write the app for you, that's against DaniWeb's rules :) But I'll give you something to start with.

Here's how I would do it (this is pseudo code, not pure VB.NET):
- create a class for a signature

    class SignatureItem
        FileExtension As String[]
        Signature As Byte[]
        Offset As Integer

I declared file extension as an array since some "magic numbers" match with more than one file format. You could simplify your job and settle only for one file extension per signature.
- create a collection to hold SignatureItems and the recognition logic

    class Signatures
        _Collection As List<SignatureItem>

        Function GetSignatureFromFile(FileName As string) As SignatureItem
            ' Read file byte by byte and match with SignatureItems in the List<SignatureItem>
            ' Return SignatureItem if match, else return Nothing (no match)

        Function GetFileExtensionFromSignature(SigItem As SignatureItem) As String[]
            If SigItem IsNot Nothing Then
                Return SigItem.FileExtension
            Else
                Return Nothing
            End If

The user interface needs (at least) the following functions:
- Add/Modify/Delete signatures, OR import signature items from a plain text file
- Check a file's signature and extension; if they match then OK, else suggest extension(s) and rename the file if needed

And finally a few links:
- Wotsit.org is an old and extremely good source for file formats
- FILExt.com is more of a database of filetypes and applications that use those filetypes, currently with +50000 filetypes
- Online TrID File Identifier is a browser-based app which recognizes a file's format, and this is exactly what you're doing. The recognition functionality is based on a library (.NET version available) which you can download: TrIDNet. Just remember to read the license file carefully.

There may be other sites, libraries and solutions available so this is by no means an exclusive list of sources. Just something to get started with.

After you have more or less working VB.NET code, and you encounter a problem you can't solve by yourself, post it here and someone will help you with the coding itself.

HTH
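
An added example (not part of the original posts) of the SignatureItem design sketched above, written in VB.NET: it reads a file's leading bytes, matches them against a small constructed signature table, and reports the extensions the signature suggests when the current extension disagrees. The module name, SuggestExtensions and the four table entries are assumptions chosen for illustration.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.IO
Imports System.Linq

Public Class SignatureItem
    Public Property FileExtensions As String()
    Public Property Signature As Byte()
    Public Property Offset As Integer
End Class

Public Module SignatureChecker
    ' Small constructed table using the well-known magic numbers of these formats.
    Private ReadOnly Known As New List(Of SignatureItem) From {
        New SignatureItem With {.FileExtensions = {".gif"}, .Signature = {&H47, &H49, &H46, &H38}, .Offset = 0},
        New SignatureItem With {.FileExtensions = {".png"}, .Signature = {&H89, &H50, &H4E, &H47, &HD, &HA, &H1A, &HA}, .Offset = 0},
        New SignatureItem With {.FileExtensions = {".doc", ".xls", ".ppt"}, .Signature = {&HD0, &HCF, &H11, &HE0, &HA1, &HB1, &H1A, &HE1}, .Offset = 0},
        New SignatureItem With {.FileExtensions = {".exe", ".dll"}, .Signature = {&H4D, &H5A}, .Offset = 0}
    }

    ' Reads only as many bytes as the longest signature needs, then compares.
    Public Function GetSignatureFromFile(fileName As String) As SignatureItem
        Dim needed = Known.Max(Function(s) s.Offset + s.Signature.Length)
        Dim header(needed - 1) As Byte
        Dim bytesRead As Integer
        Using fs = File.OpenRead(fileName)
            bytesRead = fs.Read(header, 0, header.Length)
        End Using
        For Each item In Known
            If item.Offset + item.Signature.Length > bytesRead Then Continue For
            If header.Skip(item.Offset).Take(item.Signature.Length).SequenceEqual(item.Signature) Then Return item
        Next
        Return Nothing
    End Function

    ' Nothing = extension is consistent or the type is unknown; otherwise the candidates.
    Public Function SuggestExtensions(fileName As String) As String()
        Dim item = GetSignatureFromFile(fileName)
        If item Is Nothing Then Return Nothing
        Dim ext = Path.GetExtension(fileName).ToLowerInvariant()
        Return If(item.FileExtensions.Contains(ext), Nothing, item.FileExtensions)
    End Function

    Sub Main()
        ' Constructed sample: an OLE2 compound-file header saved under a .dll name.
        Dim sample = Path.Combine(Path.GetTempPath(), "filea.dll")
        File.WriteAllBytes(sample, New Byte() {&HD0, &HCF, &H11, &HE0, &HA1, &HB1, &H1A, &HE1, 0, 0})
        Dim suggestion = SuggestExtensions(sample)
        Console.WriteLine(If(suggestion Is Nothing, "Extension OK or type unknown", "Mismatch, signature suggests: " & String.Join(", ", suggestion)))
        File.Delete(sample)
    End Sub
End Module
```

Because the OLE2 header is shared by .doc, .xls and .ppt, the result is a list of candidates rather than a single extension, which is why the pseudo code above declares the extension as an array.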

Hi

I am also doing my bachelor's degree and I have selected an AVirus as my Final Year Project. I am stuck at the point where I want to clean the file.
I am creating my AV in VB.NET using md5hasher. I want to get the original hash code of the infected file and then replace the current hash code with the original code.
E.g.:

File's Original hash code is A=(1,2,3)
File's Hash code when affected is A=(1,2,4)

Now I have to replace this 4 with 3 to repair my file.

Is there any solution you have that I should use behind the "clean" button?

Thanks and Regards.

This is an old thread. You should have started a new thread instead!

I am stuck at the point where I want to clean the file.
I am creating my AV in VB.NET using md5hasher. I want to get the original hash code of the infected file and then replace the current hash code with the original code.

Hash functions are one-way functions and all you can do with them in AV is to tell whether the file has been changed or not. You can't re-build the original information from the hash value and the infected file. You have to restore the original file from somewhere and that's usually your backup system.
But you can prevent the execution of the file by quarantining the infected file or by deleting the file. That's how AVs work.

HTH

OK.

It means that my idea for the clean\repair button is totally wrong. Then tell me the mechanism behind the clean button. I mean, many AVs have a clean button; what do they do with an affected file to clean the virus from it?
Any idea?

Initially I was limited to a "Delete" button, but the scope of the application was increased by the faculty and they asked me to add a "Clean Virus" option.

So do you have any idea what mechanism the AV companies use to clean\repair the file?

Thanks.

what mechanism the AV companies use to clean\repair the file

Self-contained worms and similar malware can be deleted without any harm to the system. A virus attached to a critical system file can be cleaned only by replacing it with a clean version. A virus usually appends itself to the file and adds a hook (i.e. jump instruction) to a proper place in the original code. An AV company could use this information to re-patch the hook since they know its offset in the file, and also remove the extra stuff from the file's end since they know the original file length. But I'm not 100% sure if they do it in this way.

HTH

OK. If I add an SHA1 mechanism along with MD5, will I then be able to clean an infected file?
Because in a few places I have seen that some people used this technique to increase the security status and they also use a clean button. I think I'll get 2 benefits: a high volume of virus signatures and a solution for the clean button...

What's your advice?

If I add SHA1 mechanism with MD5 then will be able to clean an infected file?

Nope... MD5 and SHA1 will detect changes in a file since they are error detecting hash functions. What you need is an error correcting code.

I suggest reading Error detection and correction. You do have error detection (SHA1) so take a look at error correction part and follow the links in that section. Unfortunately .NET doesn't implement any error correcting code (maybe some parity bit which is pretty useless in AV).

My advice is to implement a reliable, fast virus detection system with an option to quarantine the infected file. However, if your target system is Windows 7, take a look at the sfc command (System File Checker). Open the command prompt (cmd) and type "sfc /?" (w/o parenthesis) to get more information. You might be able to use it in your AV. But that helps only with system files ;)

HTH

P.s. You may also consider using .NET's SHA256 for file integrity checking...
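
An added example (not from the original posts) of the detect-and-quarantine approach recommended above, using .NET's SHA256: a file is compared with a previously recorded baseline hash and moved to a quarantine folder when it differs. The function names, the ".quarantined" suffix and the demo paths are assumptions; the sample bytes are constructed to mirror the (1,2,3) versus (1,2,4) case from the question.

```vbnet
Imports System
Imports System.IO
Imports System.Security.Cryptography

Public Module IntegrityCheck
    ' Hex-encoded SHA-256 of the file's contents.
    Public Function Sha256Hex(fileName As String) As String
        Using sha = SHA256.Create(), fs = File.OpenRead(fileName)
            Return BitConverter.ToString(sha.ComputeHash(fs)).Replace("-", "")
        End Using
    End Function

    ' Returns True when the file still matches the baseline. Otherwise the file is
    ' moved into quarantineDir under a changed name and False is returned.
    ' The hash only detects the change; the original bytes must come from a backup.
    Public Function VerifyOrQuarantine(fileName As String, baselineHash As String, quarantineDir As String) As Boolean
        If String.Equals(Sha256Hex(fileName), baselineHash, StringComparison.OrdinalIgnoreCase) Then Return True
        Directory.CreateDirectory(quarantineDir)
        File.Move(fileName, Path.Combine(quarantineDir, Path.GetFileName(fileName) & ".quarantined"))
        Return False
    End Function

    Sub Main()
        ' Constructed sample: record a baseline, then change one byte of the file.
        Dim work = Path.Combine(Path.GetTempPath(), "integrity-demo")
        Dim quarantine = Path.Combine(work, "quarantine")
        Directory.CreateDirectory(work)
        Dim target = Path.Combine(work, "tool.bin")

        File.WriteAllBytes(target, New Byte() {1, 2, 3})
        Dim baseline = Sha256Hex(target)
        Console.WriteLine("Unchanged file passes: " & VerifyOrQuarantine(target, baseline, quarantine).ToString())

        File.WriteAllBytes(target, New Byte() {1, 2, 4})
        Console.WriteLine("Modified file passes: " & VerifyOrQuarantine(target, baseline, quarantine).ToString())
        Console.WriteLine("Still in place: " & File.Exists(target).ToString())

        Directory.Delete(work, True)
    End Sub
End Module
```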

ok.
I will try this. Do you have any idea how to read and copy the contents of a *.txt file and then paste to another *.txt file in vb.net...?

any idea?
