[Tool Request] - Qu1cksc0pe

Hello there! I built a tool named Qu1cksc0pe. This tool can statically analyze Windows, Linux and macOS binaries for suspicious activities and extracts lots of information from the target binary to show the user what that binary is capable of.

Features:

  • APK and document file analysis.
  • Malware detection.
  • Extract suspicious Windows APIs/functions from binary*
  • Entropy based obfuscation detection.
  • Packer type analysis.
  • Malware hash scanner.
  • URL, domain, IP address and email extraction.
  • Programming language detection (Also includes: Go, Nim, Zig)
    And so on…

Tool link: https://github.com/CYB3RMX/Qu1cksc0pe
License: Apache 2.0

Package:

For any questions: t.me/pr0me7heu5

1 Like
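The "entropy based obfuscation detection" feature in the list above is the kind of check that is easy to get wrong at the edges (empty input, short tail windows, all-identical bytes), so here is a small worked version of it. This is an added example, not code from Qu1cksc0pe or its author: it computes Shannon entropy per non-overlapping window of a byte string and flags windows above a threshold, which is the usual way a static analyzer spots packed or encrypted regions. The sample buffer, the 1024-byte window, the 7.0 threshold and the 50 % ratio are all constructed values for the demonstration.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0).

    Empty input is defined as 0.0 so callers never divide by zero.
    """
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def high_entropy_windows(data: bytes, window: int = 1024, threshold: float = 7.0):
    """Return (offset, entropy) for every non-overlapping window at or above
    the threshold. The last window may be shorter than `window`; it is scored
    on its own length. Packed or encrypted regions score close to 8.0, while
    plain machine code and ASCII strings sit well below 7.0."""
    hits = []
    for offset in range(0, len(data), window):
        e = shannon_entropy(data[offset:offset + window])
        if e >= threshold:
            hits.append((offset, round(e, 3)))
    return hits


def looks_packed(data: bytes, window: int = 1024,
                 threshold: float = 7.0, ratio: float = 0.5) -> bool:
    """Heuristic verdict: True when at least `ratio` of the windows are high
    entropy. A single high-entropy window (a resource, a certificate) is not
    enough on its own, which keeps the false-positive rate down."""
    total_windows = max(1, math.ceil(len(data) / window))
    return len(high_entropy_windows(data, window, threshold)) / total_windows >= ratio


# Constructed sample: 4 KiB of zero padding (a typical .bss-like region)
# followed by 4 KiB that cycles through all 256 byte values, standing in for
# a packed section with maximum entropy.
SAMPLE = bytes(4096) + bytes(range(256)) * 16

if __name__ == "__main__":
    for offset, e in high_entropy_windows(SAMPLE):
        print(f"offset 0x{offset:06x}: entropy {e:.3f}")
    print("packed?", looks_packed(SAMPLE))
```

Running it flags the four windows from offset 0x001000 onward at 8.000 and returns a "packed" verdict because half of the file is high entropy; the zero-padded half scores exactly 0. In practice you would run this per section (PE, ELF or Mach-O) rather than over the raw file, since a legitimately compressed resource section should not mark the whole binary as obfuscated.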

Hello. I’m reviewing your code and I really like the idea. The score-based scan using strings is good (maybe it scans for function and API names; maybe I’m misunderstanding). I have some ideas for your project:

  1. You should name your modules using snake_case. Python uses PEP 8, and it is easier to read (not necessary, just reader-friendly).
  2. Use file formats as modules instead of platforms. I mean, instead of linAnalysis for Linux, you can name it ELF for ELF executable files.
  3. In the hash section, you should try imphash as an import hash and support section hashing.
  4. Think about analyzing scripting languages.
  5. If you define the database as a Python module, you can use the trick of import <module> and then module.__path__[0] instead of a hardcoded $home folder.

I also suggest you join the detect-it-easy project at https://github.com/horsicq/DIE-engine. Some of the features are already in this project, and your other features like hash scan and score-based scan will be useful. You can also join the ClamAV Discord server and work with the dev team. They are very cool and friendly, and I’m sure score-based detection will be really cool.

For packaging it for Parrot OS, I’ll be honest, I don’t really want to add it for now. Please don’t get me wrong, I really love the features of the project, but:

  1. It is better for the project to have a setup.py, which makes it easier to package everything.
  2. As in point 5 above, it is easier to work with and maintain the database.
  3. As I suggested, Parrot now has detect-it-easy in the repository, so I prefer a framework that does things instead of multiple tools.

The Parrot team has an idea to create a single tool that can detect common malware on the system, replacing chkrootkit and rkhunter, which mostly check whether files exist instead of actually checking malware signatures, so I think we can work with each other in the future using your idea.

1 Like
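Point 3 of the review above (imphash plus section hashing) is worth spelling out, because the value of an import hash comes entirely from the normalization rules: two samples only collide when their import tables agree after lowercasing, extension stripping and ordering. The block below is an added example and not code from Qu1cksc0pe, from detect-it-easy or from the reviewer. It follows the common imphash definition as implemented in pefile (lowercase the DLL name, drop the extension only for .dll/.ocx/.sys, lowercase the function name, render ordinals as "ordNNN", join with "," and MD5 the result) but, as an assumption stated in the comments, omits the lookup table that maps well-known ordinals back to names; the import list and section bytes are constructed inputs, not taken from any real binary.

```python
import hashlib
from typing import Dict, Iterable, Tuple, Union

# One import-table entry: (module name, symbol). The symbol is a function
# name, or an int when the import is by ordinal.
ImportEntry = Tuple[str, Union[str, int]]


def _normalize_dll(dll: str) -> str:
    """Lowercase and strip the extension for the three module types the
    imphash definition treats specially, so "KERNEL32.DLL" -> "kernel32"."""
    name = dll.lower()
    base, dot, ext = name.rpartition(".")
    if dot and ext in ("dll", "ocx", "sys"):
        return base
    return name


def imphash_string(imports: Iterable[ImportEntry]) -> str:
    """The canonical text that gets hashed. Import order is preserved on
    purpose: reordering the import table changes the imphash."""
    parts = []
    for dll, symbol in imports:
        if isinstance(symbol, int):
            # Assumption for this example: every ordinal becomes "ordNNN".
            # pefile first resolves known ordinals (e.g. ws2_32, oleaut32)
            # to their names via a built-in table, which is omitted here.
            func = f"ord{symbol}"
        else:
            func = symbol.lower()
        parts.append(f"{_normalize_dll(dll)}.{func}")
    return ",".join(parts)


def imphash(imports: Iterable[ImportEntry]) -> str:
    """MD5 of the canonical import string; MD5 is the algorithm the imphash
    definition fixes, it is a matching key here, not a security hash."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def section_hashes(sections: Dict[str, bytes], algo: str = "sha256") -> Dict[str, str]:
    """Hash each section's raw bytes. Section hashes let you match a reused
    packer stub or payload across samples whose overall file hash differs."""
    return {name: hashlib.new(algo, raw).hexdigest() for name, raw in sections.items()}


# Constructed import table in the mixed casing one actually sees in the wild.
SAMPLE_IMPORTS: list = [
    ("KERNEL32.DLL", "GetProcAddress"),
    ("kernel32.dll", "LoadLibraryA"),
    ("WS2_32.dll", 23),          # imported by ordinal
]

# Constructed section contents, not from any real binary.
SAMPLE_SECTIONS = {".text": b"abc", ".rdata": b"abc", ".data": b"\x00" * 16}

if __name__ == "__main__":
    print("imphash string:", imphash_string(SAMPLE_IMPORTS))
    print("imphash:       ", imphash(SAMPLE_IMPORTS))
    for name, digest in section_hashes(SAMPLE_SECTIONS).items():
        print(f"{name:8} {digest}")
```

For the constructed table the canonical string is kernel32.getprocaddress,kernel32.loadlibrarya,ws2_32.ord23, and the same table with different casing or a different extension spelling hashes identically, which is exactly why imphash survives trivial rebuilds but not import-table reordering or obfuscation. In the section output, .text and .rdata share a digest because their bytes are identical; a hash scanner can use that to cluster samples that share a stub.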

We need an IPDS rather than another IDS… the guy’s idea is great, but it doesn’t (prevent) intrusion.
Correct me if I’m wrong, but Linux has very little in the (prevention) of intrusion. Suricata, Snort? Yes, there are a few more maybe, but they’re not live or real-time on the incident-reporting side, so again not effective at all… I myself am trying to launch a security business this year hopefully, and I want bells ringing if someone googles the business name lol… If I get port scanned, that person’s home address should pop up on my laptop, before an employee tells me they have detected a breach at the binary level and we’re fcked already; that guy would be fired instantly, by the way. If any more IDS, or what we really need, an IPDS, is built, it needs to be like what Jason A. Donenfeld did with WireGuard: less than 5 thousand lines of code compared to the 600 thousand in ovpn, but maybe document it a little better than Jason did lol… I think I may try to compile one by reverse-engineering and reducing a bunch of the crap that’s out there already… dmknight, your coding is more advanced than mine, but if you’re interested in a different concept on an IPDS, contact me.

1 Like

This is not an IDS. This is automated malware analysis based on static analysis.

Yep

I am interested in anything that can provide good protection. But for now it is too soon to talk about it.

1 Like

More about the IPS thing: the cost of developing a good engine is very high. The service must not reduce networking performance while it must block any threat in real time. It also needs a very effective rule parser for complex things like network scanners. It also means it needs many researchers to maintain the tool to fight against new threats.
Detection at the binary level, as you call it, doesn’t mean you are pwned. It can be the very first step on the victim’s machine in a different scenario. There are more things we can discuss about the activated protection method, as I like to call it, on the system, but I prefer to do that in another topic.

1 Like