views: 117 | answers: 3

Dear All,

I am working on a project that detects unknown viruses, so I am going to build my small emulator that emulates the assembly code of the executable, so I can detect whether it is a virus or not by emulating it on virtual registers and then observing what happens. So I need help in getting the code of every assembly instruction in C.

Your help is very much appreciated. Thank you & best regards, Abdelrahman

+1  A: 

If you want to create an x86 emulator, you can have a look at this complete opcodes listing: x86 Instruction Set Reference. But it doesn't seem to be a good way to detect viruses.

Fififox
+1  A: 

You're looking for Bochs, an LGPL'ed emulator of the x86 ISA and common hardware.

MSalters
+1  A: 

There is nothing in the register values that indicates maliciousness. You'd better give up on that. What most sandboxes trying to detect malicious behavior do is intercept the system/library calls.

A call to ftable+1 with context %eax=1 %ebx=4000 %ecx=3F could just as well mean "shoot nuclear missiles" as it could mean "print hello world". Now, if you put your own function between the system and the executable, you can know what is going on (identifying it as malicious isn't as easy as that).

That certainly needs no emulator, so you'd better reconsider, as writing an accurate emulator is very, very hard.

jbcreix
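To make the last answer's point concrete, here is an added example (not code from any of the answerers, and not from Bochs or any real sandbox): a toy "call table" monitor in C. The guest program can only reach host services by calling guest_call() with a table slot and a register-style context; the monitor records which slot was requested and with what arguments before forwarding the call, so a policy can be evaluated over that trace. The slot names (write, open, exec), the host stand-ins, the guest_regs layout and the sample guest are all constructed for this illustration. The same context from the answer, %eax=1 %ebx=4000 %ecx=3F, is deliberately sent to two different slots to show why the registers alone carry no verdict while the interposed layer knows exactly what was asked for.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the answers above: a toy call-table sandbox.
 * The guest reaches the host only through guest_call(), which records the
 * slot and arguments before forwarding, so the monitor sees the request
 * rather than bare register values. All names here are constructed. */

typedef long (*hostfn)(long a, long b, long c);

/* Harmless stand-ins for host services; they only return plausible values. */
static long host_write(long fd, long buf, long len) { (void)fd; (void)buf; return len; }
static long host_open(long path, long flags, long mode) { (void)path; (void)flags; (void)mode; return 3; }
static long host_exec(long path, long argv, long envp) { (void)path; (void)argv; (void)envp; return 0; }

enum { SLOT_WRITE = 0, SLOT_OPEN = 1, SLOT_EXEC = 2, SLOT_COUNT = 3 };

static const hostfn ftable[SLOT_COUNT] = { host_write, host_open, host_exec };
static const char *const slot_names[SLOT_COUNT] = { "write", "open", "exec" };

/* Register-style context handed over by the guest, like the answer's
 * "%eax=1 %ebx=4000 %ecx=3F". On its own it says nothing about intent. */
struct guest_regs { long eax, ebx, ecx; };

/* The monitor's call trace. */
#define MAX_TRACE 32
struct call_record { int slot; struct guest_regs regs; long ret; };
static struct call_record trace[MAX_TRACE];
static int trace_len;

void reset_trace(void) { trace_len = 0; }
int trace_count(void) { return trace_len; }

/* Interposed entry point: the only path from guest to host. */
long guest_call(int slot, struct guest_regs regs)
{
    if (slot < 0 || slot >= SLOT_COUNT)
        return -1;                         /* unknown slot: refuse, never index past the table */
    long ret = ftable[slot](regs.eax, regs.ebx, regs.ecx);
    if (trace_len < MAX_TRACE) {           /* record the request, not just the registers */
        trace[trace_len].slot = slot;
        trace[trace_len].regs = regs;
        trace[trace_len].ret  = ret;
        trace_len++;
    }
    return ret;
}

/* How many recorded calls went to the named host function. */
int count_calls(const char *name)
{
    int n = 0;
    for (int i = 0; i < trace_len; i++)
        if (strcmp(slot_names[trace[i].slot], name) == 0) n++;
    return n;
}

/* A deliberately trivial policy over the trace: did the guest request exec? */
int policy_saw_exec(void) { return count_calls("exec") > 0; }

/* Constructed sample guest: one register context, three different requests. */
int run_sample_guest(void)
{
    struct guest_regs ctx = { 1, 4000, 0x3F };
    reset_trace();
    guest_call(SLOT_WRITE, ctx);   /* "write 0x3F bytes from 4000 to fd 1" */
    guest_call(SLOT_EXEC, ctx);    /* same registers, a very different request */
    guest_call(SLOT_OPEN, ctx);
    return trace_count();
}

int main(void)
{
    run_sample_guest();
    for (int i = 0; i < trace_len; i++)
        printf("%-5s eax=%ld ebx=%ld ecx=%lx -> %ld\n", slot_names[trace[i].slot],
               trace[i].regs.eax, trace[i].regs.ebx, trace[i].regs.ecx, trace[i].ret);
    printf("policy: exec seen = %d\n", policy_saw_exec());
    return 0;
}
```

The design choice worth noticing is that the monitor sits at the table, not inside an instruction emulator: it never has to interpret opcodes, only to know which host service each slot maps to. A real sandbox replaces the three stand-ins with hooks on actual system or library calls and a far richer policy, but the shape is the same, and the out-of-range check on the slot is the kind of guard such a layer must never omit.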