Thursday, August 18, 2011

Anti-Virus Emulation Engine

Hi all, we have a new product for your attention. Anti-Virus Emulation Engine (AVE Engine) is a fast and small emulator of Win32 platform for anti-malware purposes.

The emulator takes a Win32 binary (EXE or DLL) at input and executes it in virtual Win32 user-mode environment. In particular it emulates a subset of API functions necessary for unpacking.

Three aspects were taken into account during development: simplicity, correctness and performance.

Architecture of the emulator is simple and transparent. The emulator has been written in pure C, codebase size is approximate 20000 LOC. The code is easily portable to different platforms. Currently emulator works on Windows x86 and Linux x86 platforms. We are planning to add more supported platforms (Windows x64, Linux x86-64, Mac OS X x86/x86-64).

The emulator correctly handles complex issues of Win32 emulation: exception handling, SEH emulation, support of undocumented platform's features. It is resistant to anti-debugging and anti-emulation techniques. Currently it supports unpacking of PE executables packed with UPX, ASPack, MEW, FSG, PECompact, NSPack, WinUpack packers. Private packers used by malwares are unpacked as well.

AVE Engine uses dynamic translation technique to accelerating the emulation. Speed of emulation is high due to aggressive optimization of translated code. Memory footprint is small (1...2 MB for typical executable with size about 200...300KB).

Interface of the engine is simple and flexible. It allows setting time limit of emulation and tuning event filters. Event handlers can read code and data from emulated memory for subsequent analysis.

Emulator can be used:
- In anti-virus scanners for unpacking and heuristic analyzing of executable files
- In malware classification systems for obtaining relevant information for classification

We offer AVE Engine to researchers and anti-virus developers on terms of commercial license. Two licensing options are available: binary and source license. If you are interested in details, feel free to contact us via sales at northsecuritylabs.com. The offer is limited due to specifics of the product. We will give preference to companies working in the field of information security.