awesome_anti_virus_engine/readme.md

## Preface

**key08 Security** has surpassed **3,000 followers**, meaning that a significant portion of cybersecurity professionals in China are keeping an eye on it. So, it's time for a big project.

### Why This Project?
While working in the domestic cybersecurity field, I realized that **there is still a lot of untapped potential in the overall technical level**. Many people working in cybersecurity might also be interested in how **security software** on their computers actually works. Additionally, some might even dream of developing their **own antivirus software** or see it as their long-term goal.

So, I felt there was a need to systematically **document the working principles of an antivirus engine**. While working on this, I noticed that the **information available online is close to zero**. The few available sources only describe outdated technologies like **signature-based scanning and cloud antivirus from before 2006**. Antivirus software seems to be treated like a **black box**.

To **systematically educate**, rather than spread **misinformation or meme-based security practices** like some other public security accounts, I spent **two days** developing an antivirus engine that aligns with **modern security practices (as of 2025)**.

Now, I will explain **how it works, what its weaknesses are**, and at the end of the chapter, I will even **open-source the code**, which can be **compiled directly using Visual Studio**, making **learning more convenient**.

> ⚠️ **WARNING:** This code is provided **for learning purposes only**. The **datasets for machine learning, signature analysis, and dynamic behavior detection are extremely small**, so **detection effectiveness is very limited**.
> 
> **Do not use this code for your "bypass AV" tests** and then complain that it fails to detect certain samples. This is **not intended for antivirus evasion testing**.
> **If you want to improve it, study the issues yourself instead of copying and pasting the code and then asking why it doesn't work!**

---

## Classification of Antivirus Engines
Currently, all major security vendors promote their so-called **NGAV (Next-Gen Antivirus)**, but in reality, most detection engines fall into these four categories:

1. **Cloud-Based Detection**
   - This includes:
     - **Fuzzy hashing engines** (such as `ssdeep`, `simhash`, etc.), which are used to **compare the similarity of files** (some vendors call this **"virus DNA"**).
     - **Traditional hash-based engines**, which rely on **SHA1, SHA256**, etc.
     - **Various cloud-based sandbox, manual or automated analysis systems**.

2. **Signature-Based Detection**
3. **AI & Machine Learning-Based Detection**
4. **Heuristic-Based Sandbox Detection**

Cloud-based engines are **extremely complex** and are typically a **core capability of each security company**, so **we won't discuss their implementation here** (except for those who simply use **VirusTotal (VT) as their cloud engine**). 

That leaves **categories 2, 3, and 4**, which are typically combined in AV solutions.

Each has its own strengths and weaknesses:
- **Signature-Based Detection**: Does **not** have heuristic capabilities and **fully relies on manual rule creation**, but it is the **most effective**. Each security vendor's detection capabilities **heavily rely on their signature database**.
- **Heuristic-Based Sandbox Detection**: Has **weak detection capabilities**, is **easily bypassed**, and **lags behind evolving threats**. It also tends to generate **false positives**.
- **AI/Machine Learning-Based Detection**: Provides **high detection rates** but also produces **high false positive rates**, often **negatively impacting business operations** (e.g., compiling a simple **Hello World!** application in **Visual Studio** might trigger an alert). **Many AI-based engines are overly aggressive** and flag almost anything **without a digital signature**.

---

## What Are We Going to Build?
Today, we will create **a combined Machine Learning + Behavior-Based Sandbox Engine**.

We are **not** implementing a **signature-based engine** because that would be **too simple** (if you're interested in signature matching, check out **YARA**).

The overall engine structure is as follows:
![](https://key08.com/usr/uploads/2025/03/926716651.png)

We need to implement **two core modules**:
1. **Sandbox Behavior Analysis Module**
2. **Machine Learning-Based Detection Module**

We will **introduce each module step by step**.

---

## Sandbox Module
A **sandbox module** is typically used for **unpacking and behavior analysis**. Essentially, it is a **PE file emulator**.

In our system, we use **Unicorn Engine** to **simulate CPU execution**. **Unicorn Engine** is a **lightweight**, **cross-platform** CPU emulation framework that **supports multiple architectures**, including **MIPS, ARM, PowerPC, x86, and x64**. It is based on **QEMU** and was first introduced at **Black Hat 2015** by the **GrayShift security team**.

### Main Steps of the Sandbox:
1. **Initialize the Emulation Environment**
   - Relocate PE file sections
   - Setup stack memory
   - Initialize `Unicorn Engine` and allocate virtual memory
   - Map the PE file into the virtual environment
   - Load required DLLs into the virtual machine
   - Hook critical DLL functions to monitor behavior
   - Set up essential handles, stack, **PEB**, **TEB**, etc.
   - Store important PE metadata for unpacking

2. **Relocation Processing**
   - If a **PE header contains a relocation table**, Windows will relocate **resources and functions** before execution.

3. **Memory and Stack Allocation**
   - The **stack memory** must be fully emulated for the execution environment.

4. **Mapping PE Sections into Memory**
   - A **PE file's size on disk differs from its actual size when loaded in memory**.
   - We must **expand** it and **map each section accordingly**.

5. **Load Required DLLs**
   - **Parse the Import Table** and **map necessary DLLs** into our virtual machine.

6. **Intercept API Calls**
   - Hook **imported API functions**.

7. **Shellcode & Packed Malware Detection**
   - Monitor for **self-modifying code execution**, which indicates **packed malware**.

8. **Behavior-Based Detection**
   - Detect suspicious behavior, such as:
     - **Downloading executable files via `WinHttp`**
     - **Excessive `sleep` delays**
     - **Accessing sensitive directories**
     - **Direct access to `LDR` structures** (used to detect stealth malware)

### Sandbox Performance:
Here’s an example detection result:
![](https://key08.com/usr/uploads/2025/03/408250478.png)

---

## Machine Learning Module
The **machine learning module** is used to classify files based on extracted PE features.

### Feature Engineering:
We extract the following feature sets:
1. **PE Header Features** (Presence of Import Tables, TLS sections, relocations, etc.)
2. **Imported DLLs** (Checks for specific suspicious DLLs)
3. **File Entropy** (Measures randomness)
4. **Entry Point Byte Sequence** (Examines the first 64 bytes of code)
5. **Section Analysis** (Checks PE section sizes and entropy)
6. **Code-to-Data Ratio** (Compares code section size vs. total PE file size)

### Training Data:
We collected **1,000 benign samples** and **1,000 malicious samples**, saved their features into a **CSV file**, and used them for training.

![](https://key08.com/usr/uploads/2025/03/1410311475.png)

> ⚠️ **NOTE:** The dataset is **too small** for real-world performance. A proper dataset should have at least **100,000+ benign and 100,000+ malicious samples**.

### Model Training:
We use **XGBoost** for training and then export the trained model to **pure C++ code** using **m2cgen**.

![](https://key08.com/usr/uploads/2025/03/358391058.png)

---

## Conclusion
This is a **basic but modern antivirus engine** using **sandbox-based behavior analysis** and **machine learning-based detection**.

The **full source code** is available on **GitHub** (link below). 🚀

🔗 **GitHub Repository:** [INSERT LINK HERE]