HEX DEREF ANTI-MALWARE X FOR HOME USERS AND MALWARE ANALYSTS

A proactive anti-malware solution with memory forensics, which is specifically designed for malware analysts who performs manually dynamic analysis, comes with a kernel driver (written in C/C++) that protects the system in real time. The solution offers robust security while prioritizing user privacy. It's a great choice for home users who want effective protection without compromising their personal data.

The author has a simple but one could say, the most effective solution to the entire malware problem, including their worst versions, namely ransomwares, which prevents their operation at the kernel level before any damage can occur.

Real-time kernel-level features:

  • Identifies whether the PE file (EXE, DLL or a kernel driver) has a digital signature or not
  • Detects whether a newly launched process is digitally signed and, depending on the settings, prevents this process from starting if it is not
  • Block any process from loading a DLL without a digital signature
  • Zero day protection
  • BYOVD protection (detects/prevents administrator-to-kernel transition that is used in kernel mode malwares)

* * * The majority of malwares, if not all, are not digitally signed. An unsigned executable doesn't automatically mean malicious software. If we consider protecting a company's server from cyber threats, it is easier to prevent the execution of unsigned code at the kernel level with default settings. If a software is needed that uses a DLL (Dynamic Link Library) that is not digitally signed, it is manually analyzed and added to the allowed list. At this point, the risk of ransomware causing any damage has already been minimized. These few simple but crucial features significantly reduces manual work. Instead of dealing with thousands of suspicious events, there are only a few that need to be reviewed.

Most antivirus solutions lack integrity checks at the kernel level. Therefore this solution provides significantly better protection for home users than any traditional AV. This solution respects user privacy and does not track your browsing history, unlike almost all others.

After these measures, malware is forced to reveal itself , and the malware author must use a leaked code signing certificate. The attack surface has now significantly decreased. If an unsigned DLL is allowed to run as an administrator privileges, the damage has very likely already occurred and manual analysis is necessary in any case.

This solution employs a simple yet effective novel approach to a problem that is missing from almost all of the current competing solutions as of 06/2024.

  • Detects a previously unknown malware, and in a certain situations including those operating in the kernel memory
  • Self-integrity checks that detects if the malware attempted to disable the protection at the user or kernel level. Proactivity in this context means that the solution responds to this in real-time according to predefined measures
  • Secure IOCTL communication (The exploitation mentioned in the article is not possible with this protection)
  • Works alongside your other security software, such as Windows Defender or any other
  • It's easy to use, and with just one setting change, a home user becomes a malware analyst. Best of all, home users get better protection for their devices than what's even found in most enterprise EDR/XDR/EPP/NGAV solutions!

Depending on the settings, the solution either reduces the attack surface or completely prevents the operation of the malware in most situations. In practice, this solution forces the malware to become visible.

For instance, the solution is able to detect and block the operation of LockBit 3.0 ramsomware and all it's variants in real-time without the need to define a predefined pattern.

In other words the Keuda.fi case would have been detected and prevented with this protection in real time.

* * * The author will provide soon a video presentation with a real-life example where the operation of notorious ransomware is prevented in real time without the need to remediate anything.

If the running user-level process is protected even a little with the kernel's built-in features, then in practice before the malware can do anything, the user must run the malicious code with an administrator user rights. If the malware runs as the current user, it can only inject itself to a process with the same privilige.

The user interface (UI) has been coded with C# .NET 8.0 so that the project would be easier to customize and be more easily modifiable for the buyers of the source code.

Availability of the source code

Malware analysts are as good as the softwares they use. The source code is available for purchase as a software work non-exclusively without resale rights for internal use within a company.

For instance, if an educational institution wants to independently start developing a version that suits their purposes right away. As a result, the further development of the solution may no longer necessarily depend on the original developer.

The source code has many kernel-level anti-cheat features because they work pretty much the same way as an anti-malware solutions. Therefore, a product derived from the source code could, for example, be sold to foreign gaming companies who do not have proper kernel-level anti-cheat protection developed.

With this source code, you can almost immediately reach the same level as what the best competing products on the market offer if the user interface (UI) is not counted.

Despite all the efforts (as of 06/2024, 2.5+ years of constant development by the author), the solution is a work in progress (WiP).

Anti-ramsomware

A ransomware that uses a zero-day vulnerability begins ruthlessly encrypting files and destroying backups immediately, as happened in the case of Keuda. There is no other option but to stop the ransomware's operation in real-time, and a mere antivirus (AV) is no longer necessarily sufficient.

Proactivity means that the solution can automatically perform a predefined action, for example, take a physical memory dump and upload it to a remote server for further analysis.

ABOUT AUTHOR

I am self taught coder (a total of 14 years of coding experience as of 06/2024 in PHP/C#/C/C++). I am also a hobbyist windows internals researcher and reverse engineer. My motto is. If I need to get something done. I will just do it and I am usually very good at what I do.