Does anyone know how AntiViruses scan memory

Discussion in 'other anti-virus software' started by victor43, Dec 17, 2011.

Thread Status:
Not open for further replies.
  1. victor43

    victor43 Registered Member

    Joined:
    Nov 4, 2009
    Posts:
    32
    I was hoping there might be someone who is keen on this subject since I have no clue on how this is done. Well, this is based on the premise that almost all AV solutions will scan system memory when running some sort of scan. The question is then how is this done from a kernel mode driver? How do AVs access memory that does not belong to them? Can AVs scan and detect coding techniques such as DLL injection, API hooking and inline hooking?

    Please excuse if this is not the correct place for this topic...

    Best Regards

    Victor
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Since task managers can do that, why not AVs?
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    AVs can scan and detect "coding techniques" in that they can virtualize and view a program's behaviors. There's also file analysis where they scan the file and look at the code and try to see what it's doing.

    As for scanning in memory, it's data just like any other. It can be viewed and read by programs.
     
  4. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133
    I'd say your premise is wrong - IMHO the scanning is usually file based (i.e. even if it's a "memory scan", it's actually the scan of files that are currently loaded into memory).

    Anyway, to access other processes' memory - there's even Win32 API for that, you don't need a driver.
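
    Added example, not posted by anyone in this thread and not any vendor's code: the user-mode Win32 route i_g mentions, and the "memory is just data" point from Hungry Man's post, in Python 3 with ctypes. OpenProcess, VirtualQueryEx and ReadProcessMemory are the real kernel32 exports; the MEMORY_BASIC_INFORMATION layout is copied from winnt.h. The signature table is an assumption for illustration (the EICAR test string stands in for a real pattern), and the hook checks the original question asks about are not covered here. The Win32 calls only run on Windows; scan_region and is_scannable are plain Python and run anywhere.

```python
"""Walk another process's address space with Win32 and scan each readable
region for byte signatures (added example; see lead-in for assumptions)."""
import ctypes
import sys

# Constants copied from winnt.h / processthreadsapi.h.
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010
MEM_COMMIT = 0x1000
PAGE_NOACCESS = 0x01
PAGE_READWRITE = 0x04
PAGE_GUARD = 0x100

# The standard EICAR anti-virus test string, used here as a stand-in signature.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

_IS_64BIT = ctypes.sizeof(ctypes.c_void_p) == 8


class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    # Field order from winnt.h; PartitionId exists only in the 64-bit struct,
    # and the pointer-sized fields give the same padding the C compiler adds.
    _fields_ = (
        [("BaseAddress", ctypes.c_void_p),
         ("AllocationBase", ctypes.c_void_p),
         ("AllocationProtect", ctypes.c_uint32)]
        + ([("PartitionId", ctypes.c_uint16)] if _IS_64BIT else [])
        + [("RegionSize", ctypes.c_size_t),
           ("State", ctypes.c_uint32),
           ("Protect", ctypes.c_uint32),
           ("Type", ctypes.c_uint32)]
    )


def is_scannable(state, protect):
    """Only committed pages that can be read without faulting are worth reading:
    reserved/free regions have no backing, PAGE_NOACCESS cannot be read, and
    touching a PAGE_GUARD page would fire the target's guard-page exception."""
    return state == MEM_COMMIT and not (protect & (PAGE_GUARD | PAGE_NOACCESS))


def scan_region(data, base, signatures):
    """Return (name, absolute address) for every occurrence of each signature
    in one region's bytes, sorted by address.  Overlapping matches are all
    reported.  A pattern that straddles two adjacent regions is missed,
    because each region is scanned on its own (a real engine carries the tail
    of the previous region over to avoid that)."""
    hits = []
    for name, pattern in signatures.items():
        idx = data.find(pattern)
        while idx != -1:
            hits.append((name, base + idx))
            idx = data.find(pattern, idx + 1)
    return sorted(hits, key=lambda h: h[1])


def scan_process(pid, signatures):
    """Open the target with read rights, walk its regions with VirtualQueryEx
    and read each scannable one with ReadProcessMemory.  No driver involved;
    opening processes of other users needs SeDebugPrivilege (an elevated
    token), which is what an AV service runs with."""
    if sys.platform != "win32":
        raise RuntimeError("scan_process uses kernel32 and only runs on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                   ctypes.POINTER(MEMORY_BASIC_INFORMATION),
                                   ctypes.c_size_t]
    k32.ReadProcessMemory.restype = ctypes.c_int
    k32.ReadProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_void_p, ctypes.c_size_t,
                                      ctypes.POINTER(ctypes.c_size_t)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]

    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    hits = []
    try:
        mbi = MEMORY_BASIC_INFORMATION()
        addr = 0
        # VirtualQueryEx returns 0 once addr passes the end of user space.
        while k32.VirtualQueryEx(handle, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
            base = mbi.BaseAddress or 0          # c_void_p yields None for NULL
            if is_scannable(mbi.State, mbi.Protect):
                buf = ctypes.create_string_buffer(mbi.RegionSize)
                got = ctypes.c_size_t(0)
                # A partial read is still usable: scan only what was copied.
                if k32.ReadProcessMemory(handle, base, buf, mbi.RegionSize, ctypes.byref(got)):
                    hits.extend(scan_region(buf.raw[:got.value], base, signatures))
            addr = base + mbi.RegionSize
    finally:
        k32.CloseHandle(handle)
    return hits


if __name__ == "__main__":
    # Usage: python memscan.py <pid>   (Windows only, run elevated for foreign processes)
    for name, address in scan_process(int(sys.argv[1]), {"eicar": EICAR}):
        print(f"{name} at {address:#x}")
```

    The point the thread is circling: reading a foreign process is an ordinary user-mode API call, and whether the bytes in the buffer came from a mapped file or from injected code makes no difference to the scan loop. What a file-backed "memory scan" adds on top is mapping BaseAddress back to the module on disk, which is where the file-based scanning i_g describes takes over.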
     
  5. smage

    smage Registered Member

    Joined:
    Sep 13, 2008
    Posts:
    377
    Comodo AV can, since it has integrated BoClean (memory scanner) into it.
     