Kevin Vance - I've been totally caught up in a new project (shock!) for windows…


Wednesday, June 7th, 2006, 12:03 pm
I've been totally caught up in a new project (shock!) for windows (whaaaaa?!) called Startalyzer. It does more than HijackThis and its ilk, but less than Spybot S&D and its. We only examine known startup/hijack points, scheduled jobs, etc. Everything we find is compared to a database of known Microsoft filenames, version numbers, product names, etc. and WHIRLPOOL hashes :D The idea being that there could also be databases of known legitimate software, drivers, and malware.

But we don't scan for malware specifically, and we don't automatically take any action. Just present file/version info, strings output, etc., and highlight known files. The user decides what to remove from startup, which Startalyzer should be able to do for any origin. So the "user" is not the end-user but a technician or high school student.

Yesterday, I got all the little pieces together for the first time: the origin wrangler, a few test origins, the file database, the PE parser, the classifier, and the GUI. Just from this test I can see I still have to do a bunch of little stupid things like follow LNK files and parse RUNDLL32 commandlines. And also extract both ASCII and unicode strings. Yikes.
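As an added example (not Startalyzer's code, which the post does not show), here is a small Python model of the pipeline described above: a list of startup origins, the file each one really launches (including the DLL behind a RUNDLL32 command line), a content hash, ASCII plus UTF-16LE string extraction, and a lookup in a sqlite table of known files. All sample bytes, paths and database rows are constructed for the example; hashlib's SHA-256 stands in for the WHIRLPOOL digests the post computes with mhash, because hashlib's whirlpool support depends on the OpenSSL build and the lookup logic does not care which digest is used.

```python
"""Added example, not Startalyzer's code: origins -> target file -> hash/strings
-> compare with a known-file database. Everything below is constructed."""
import hashlib
import ntpath
import re
import sqlite3


def extract_strings(data: bytes, min_len: int = 4):
    """Return (ascii_strings, unicode_strings). Windows binaries keep most
    user-visible text as UTF-16LE (each ASCII char followed by a NUL byte),
    which an ASCII-only strings pass silently misses."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    ascii_strings = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    unicode_strings = [m.group().decode("utf-16le") for m in utf16_re.finditer(data)]
    return ascii_strings, unicode_strings


def file_digest(data: bytes) -> str:
    """Content hash used as the primary key into the known-file table
    (SHA-256 here; the post uses WHIRLPOOL via mhash)."""
    return hashlib.sha256(data).hexdigest()


def command_target(cmdline: str) -> str:
    """The file an origin really launches: the first (possibly quoted) token,
    except for rundll32, where the DLL named before the comma is the real target."""
    cmdline = cmdline.strip()
    m = re.match(r'"([^"]+)"|(\S+)', cmdline)
    if not m:
        return ""
    first = m.group(1) or m.group(2)
    rest = cmdline[m.end():].strip()
    if ntpath.basename(first).lower() in ("rundll32.exe", "rundll32") and rest:
        dll = re.match(r'"([^"]+)"|([^,\s]+)', rest)
        return dll.group(1) or dll.group(2)
    return first


def build_known_db(entries):
    """In-memory sqlite table of (digest, filename, product, version, category)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE known_files (digest TEXT PRIMARY KEY, filename TEXT,"
                 " product TEXT, version TEXT, category TEXT)")
    conn.executemany("INSERT INTO known_files VALUES (?, ?, ?, ?, ?)", entries)
    return conn


def classify(conn, path: str, data: bytes) -> dict:
    """Three outcomes: hash known; filename known but hash not (a file wearing a
    legitimate name with different contents, the one to highlight); unknown."""
    digest = file_digest(data)
    ascii_strings, unicode_strings = extract_strings(data)
    row = conn.execute("SELECT product, version FROM known_files WHERE digest = ?",
                       (digest,)).fetchone()
    if row:
        verdict, product, version = "known", row[0], row[1]
    else:
        name = ntpath.basename(path).lower()
        row = conn.execute("SELECT product FROM known_files WHERE lower(filename) = ?",
                           (name,)).fetchone()
        verdict = "name-only" if row else "unknown"
        product, version = (row[0] if row else None), None
    return {"path": path, "digest": digest, "verdict": verdict, "product": product,
            "version": version, "strings": ascii_strings + unicode_strings}


def analyze(conn, origins, files) -> list:
    """Walk (origin, entry name, command line) triples and classify each target."""
    results = []
    for origin, entry, cmdline in origins:
        target = command_target(cmdline)
        data = files.get(target)
        if data is None:
            results.append({"origin": origin, "entry": entry, "path": target,
                            "verdict": "missing"})
            continue
        info = classify(conn, target, data)
        info.update({"origin": origin, "entry": entry})
        results.append(info)
    return results


# Constructed stand-ins for file contents; no real binaries are read.
GENUINE_NOTEPAD = (b"MZ\x90\x00" + "Notepad".encode("utf-16le") + b"\x00\x00"
                   + b"Microsoft Corporation" + b"\x00" * 8)
LOOKALIKE_NOTEPAD = (b"MZ\x90\x00" + b"not the real thing" + b"\x00\x00"
                     + "Notepad".encode("utf-16le"))
ODD_DLL = b"MZ\x90\x00UpdaterSvc\x00\x00" + "Check for updates".encode("utf-16le")

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ORIGINS = [  # constructed startup entries
    (RUN_KEY, "Notepad", r'"C:\Windows\system32\notepad.exe" /p'),
    (RUN_KEY, "NotepadClone", r"C:\Temp\notepad.exe"),
    ("Scheduled task", "UpdaterSvc",
     r'C:\Windows\system32\rundll32.exe "C:\Temp\updatersvc.dll",ServiceMain'),
]
SAMPLE_FILES = {  # what each constructed path "contains"
    r"C:\Windows\system32\notepad.exe": GENUINE_NOTEPAD,
    r"C:\Temp\notepad.exe": LOOKALIKE_NOTEPAD,
    r"C:\Temp\updatersvc.dll": ODD_DLL,
}
KNOWN_ENTRIES = [  # hypothetical known-file row; version is a placeholder
    (file_digest(GENUINE_NOTEPAD), "notepad.exe", "Microsoft Windows",
     "0.0.0.0-example", "microsoft"),
]

if __name__ == "__main__":
    for r in analyze(build_known_db(KNOWN_ENTRIES), SAMPLE_ORIGINS, SAMPLE_FILES):
        print(f"{r['verdict']:9} {r['entry']:13} {r['path']}")
```

Run it and the three constructed entries come out as `known`, `name-only` and `unknown`. The `name-only` row is the one a technician looks at first: the filename is in the database but the hash is not, which is exactly the distinction a hash-keyed database adds over a plain list of known filenames.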

Python, wxWindows, sqlite, and mhash. I'm not as impressed with wx as I was several years ago because I used a recent version of GTK+ a few months ago. GTK+, at least on python, is so much more powerful. Too bad the result looks totally out of place on windows.

P.S. Reward for getting to the end: small Kari Byron photoshoot on FHM.

Comments
From: mrlachatte
2006-06-09 12:12 am (UTC)
Sounds like good fun. How'd you get involved in it?
From: kvance
2006-06-09 02:43 am (UTC)
I fix a lot of people's computers, and the problem is almost always some kind of malware. As usual, the tools don't do what I want, but because it's windows there's basically no source code to hack.

The word "involved" makes it sound like there are other people working on this project. In the software reference frame, I almost always say "we." I've never really thought about it, but I guess I mean "the software, and I as its distant master."
From: kaddar
2006-06-09 04:52 pm (UTC)
Maybe you could make it hook into an online database that users contribute to, like some sort of per-filename forum thread. That'd make it useful to see other people's thoughts on what a file is. It wouldn't really help much vs randomly generated process names, unfortunately.