https://github.com/kareimgazer/malware-detector
A script to identify malicious programs based on their behaviour
- Host: GitHub
- URL: https://github.com/kareimgazer/malware-detector
- Owner: KareimGazer
- Created: 2022-02-07T11:59:19.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2022-02-09T16:42:54.000Z (over 3 years ago)
- Last Synced: 2025-02-03T12:43:05.270Z (8 months ago)
- Language: Python
- Size: 629 KB
- Stars: 2
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# malware-detector
A script to identify malicious programs based on their behaviour

## Abstract
Information security has become ubiquitous in this era. In this project we demonstrate a simple example of detecting malware based on its observed behaviour in memory.
## The Problem
We are required to identify and stop a process which allocates 200 MB on the heap for 10 seconds and then deallocates it for another 10 seconds.

## Solution
We observe the change in memory usage of each process in the system and identify the one that allocates 200 MB for 10 seconds and then deallocates it for another 10 seconds. We must take into account that another process can show the same behaviour by chance, so the test is repeated multiple times to make sure that the identified process is indeed the malicious one.

## Main Idea
The solution follows these steps:
- collect the system info in a CSV file
- clean the data and focus on the memory behaviour
- analyze the processes twice, 10 seconds apart, so that the specific behaviour can be noticed
- from the analysis we get a list of suspicious processes
- we repeat the analysis and take the intersection of the process lists
- we repeat that multiple times to make sure that our decision is correct and the list of processes did not happen by chance
- we stop those processes

## Getting started
To get started:
### Installation
The development environment is Ubuntu Linux and can be extended to other environments. The script is written in Python 3; to install it do the following:
- `sudo apt-get update`
- `sudo apt-get install -y python3-pip`
We use the libraries:
- os for executing system commands
- csv for reading and cleaning system data
- time for controlling the timing behaviour of the program
which are preinstalled with Python 3. We use the C programming language to build the malicious program, and we used gcc for compilation: `sudo apt-get install gcc`
### Usage
- download the files
- open a terminal
- compile memEat.c using this command: `gcc memEat.c -o memEat`
- run the program: `./memEat`
- now the program is running and occupying memory
- open another terminal and run `python3 manager.py`
- the manager will identify the process and notify you that it has been stopped
- return to the previous terminal to notice that the program stopped running

### Sample Output
1. Launching Memory Eater
2. Launching Manager to stop the process
3. The process is stopped after about 40 seconds
## The Nitty-Gritty Details
The program is divided into 3 functions and a driver code which uses them:
- **get_proc_mem**: returns a dictionary of all processes indexed by their process ID and containing the value of their memory usage
- **scan**: produces the previous dictionary twice, 10 seconds apart, and returns a list of suspicious processes
- **detect**: scans as many times as provided to the function (default is 2) and returns the malicious processes
- **The Driver Code**: uses detect to identify the malicious process and stop it using the `kill` system utility

## Folder Structure
Refer to the following table for information about important directories and files in this repository.
```
malware-detector
├── screenshots screenshots of running the program.
├── README.md main documentation.
├── manager.py used to identify and stop the program.
└── memEat.c sample malicious program.
```
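The get_proc_mem / scan / detect decomposition described under The Nitty-Gritty Details, as an added example that is not the repository's own manager.py: it reads VmRSS from /proc instead of parsing `ps` output into a CSV (an assumption), and the snapshots in CONSTRUCTED are made up here so the intersection logic can be run without waiting 10 seconds per scan.

```python
import os
from typing import Callable, Dict, List, Optional, Set

MB = 1024 * 1024
Snapshot = Dict[int, int]  # pid -> resident set size in bytes
Source = Callable[[], Snapshot]

def get_proc_mem() -> Snapshot:
    """Live Linux snapshot from /proc/<pid>/status (assumed; manager.py parses ps)."""
    mem: Snapshot = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/status") as fh:
                for line in fh:
                    if line.startswith("VmRSS:"):
                        mem[int(entry)] = int(line.split()[1]) * 1024  # kB -> bytes
                        break
        except OSError:  # process exited or is unreadable; skip it
            continue
    return mem

def scan(snapshot: Source, wait: Callable[[], None], threshold: int = 200 * MB) -> List[int]:
    """Two snapshots with a pause between; flag PIDs whose RSS moved >= threshold."""
    before = snapshot()
    wait()  # live use: wait=lambda: time.sleep(10)
    after = snapshot()
    return [pid for pid, rss in after.items()
            if pid in before and abs(rss - before[pid]) >= threshold]

def detect(snapshot: Source, wait: Callable[[], None], repeats: int = 2,
           threshold: int = 200 * MB) -> Set[int]:
    """Intersect flagged PIDs across repeated scans; a one-off jump drops out."""
    flagged: Optional[Set[int]] = None
    for _ in range(repeats):
        found = set(scan(snapshot, wait, threshold))
        flagged = found if flagged is None else flagged & found
    return flagged or set()

# Constructed snapshots standing in for four observations taken 10 s apart.
CONSTRUCTED: List[Snapshot] = [
    {1: 5 * MB, 1000: 100 * MB, 4242: 50 * MB},
    {1: 5 * MB, 1000: 300 * MB, 4242: 250 * MB},  # 1000 grows once; 4242 allocates
    {1: 5 * MB, 1000: 300 * MB, 4242: 50 * MB},   # 4242 frees again
    {1: 5 * MB, 1000: 305 * MB, 4242: 250 * MB},  # only 4242 allocates a second time
]

def run_constructed() -> Set[int]:
    it = iter(CONSTRUCTED)  # feed the constructed snapshots without sleeping
    return detect(lambda: next(it), lambda: None)
```

A single scan flags both the browser-like process 1000 and 4242; only 4242 survives the intersection of two scans, which is why the README repeats the analysis before killing anything.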