Want to develop a security software, how to do?


Today I would like to walk through the core technologies and core components that are essential for developing security software such as 360 and QQ computer housekeeper.


Anti-virus engine

The first essential is the anti-virus engine. This is the earliest core of security software; its job is to determine whether a file is malware.

The anti-virus engine mainly decides whether a target is malicious by static analysis of the file: it extracts the characteristics of the file and matches them against its own virus feature library.

The main technologies involved include file format recognition, packing and unpacking, encryption and decryption, disassembly of executable files, instruction-level feature matching, virtual execution, malware family (gang) attribution, machine learning, and so on.
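As an added illustration of the two-stage static pipeline just described (format recognition first, then matching against the feature library), here is a toy scanner in Python. It is example code written for this page, not code from 360, QQ computer housekeeper or any other product; the samples, family names and signatures are all constructed, and the wildcard-byte signature syntax is a simplified stand-in for what real engines use.

```python
"""Toy static-analysis engine: file-format recognition followed by matching
against a feature library (exact hashes plus wildcard byte signatures).
Constructed teaching example; not the code of any real product."""
import hashlib
import re
import struct
from dataclasses import dataclass


def identify_format(data: bytes) -> str:
    """Stage 1: recognise the container so later rules can be format-scoped."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
        return "mz-dos"
    if data[:4] == b"\x7fELF":
        return "elf"
    if data[:2] == b"#!":
        return "script"
    return "unknown"


@dataclass(frozen=True)
class Signature:
    name: str        # family label reported on a hit
    pattern: str     # space-separated hex bytes; "??" matches any one byte
    formats: tuple   # file formats this rule applies to

    def compiled(self):
        tokens = [b"." if t == "??" else re.escape(bytes([int(t, 16)]))
                  for t in self.pattern.split()]
        return re.compile(b"".join(tokens), re.DOTALL)


def make_pe(body: bytes) -> bytes:
    """Build a minimal MZ/PE-shaped blob: enough header for identify_format,
    not a loadable executable (constructed)."""
    return b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + body


# Constructed samples standing in for files on disk.
KNOWN_BAD = make_pe(b"\x55\x8b\xec" + b"DEMO-MAL-MARKER"
                    + b"\xe8\x10\x00\x00\x00\x5d\xc3")
VARIANT = KNOWN_BAD.replace(b"MARKER", b"MARKEX")   # one byte changed: new hash
CLEAN = make_pe(b"\x55\x8b\xec\x33\xc0\x5d\xc3")

FEATURE_LIBRARY = {
    # exact-match tier: cheap and precise, but defeated by any single-byte change
    "hashes": {hashlib.sha256(KNOWN_BAD).hexdigest(): "Demo.Dropper.A"},
    # pattern tier: survives small edits; must be specific to avoid false positives
    "signatures": [
        # string feature: the bytes of "DEMO-MAL", valid in any format
        Signature("Demo.Marker.B", "44 45 4D 4F 2D 4D 41 4C",
                  ("pe", "elf", "script", "unknown")),
        # instruction-level feature: call rel32 ; pop ebp ; ret, with the
        # displacement wildcarded so a relocated copy still matches
        Signature("Demo.Stub.C", "E8 ?? ?? ?? ?? 5D C3", ("pe",)),
    ],
}


def scan(data: bytes) -> dict:
    """Stage 2: hash lookup first, then format-scoped pattern signatures."""
    fmt = identify_format(data)
    digest = hashlib.sha256(data).hexdigest()
    matches = []
    family = FEATURE_LIBRARY["hashes"].get(digest)
    if family:
        matches.append(("hash", family))
    for sig in FEATURE_LIBRARY["signatures"]:
        if fmt in sig.formats and sig.compiled().search(data):
            matches.append(("signature", sig.name))
    return {"format": fmt, "sha256": digest, "matches": matches,
            "verdict": "malicious" if matches else "clean"}


if __name__ == "__main__":
    for label, blob in (("known", KNOWN_BAD), ("variant", VARIANT), ("clean", CLEAN)):
        result = scan(blob)
        print(label, result["format"], result["verdict"], result["matches"])
```

The variant sample shows why engines keep both tiers: a single changed byte defeats the hash lookup, while the wildcarded instruction pattern still identifies the family. The format check in front of the signatures is what keeps a PE-only opcode rule from firing on unrelated data.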


Hook driver

The main job of security software is to protect the computer from viruses, Trojans and other malicious software. Besides identifying known threats through static analysis, it must also hold the computer's line of defense so that malware cannot break through.

How to defend?

Security software needs to perceive everything that happens on the computer: the creation of every process and thread, the creation, reading and writing of every file, the establishment of every network connection, and even every system service call.


Security software does all this through hook technology.

It uses a kernel driver to hijack the key entry points from applications into the operating system kernel, so as to monitor the behavior of all processes.

Almost every security product has such a driver. It contains a hook framework that exposes a programming interface for other drivers to call, such as the well-known hookport.sys in 360.

Active defense driver

Having a hook framework driver alone is not enough; it must be paired with an active defense driver, which is responsible for carrying out the specific security defenses.


There is usually an active defense process at the application layer that receives control instructions from the security vendor's cloud server, which issues the latest defense rules and the latest feature library, such as which programs and operations to intercept.

After the active defense process pulls this information, it passes it to the active defense driver in kernel space, which carries out the corresponding interception.
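To make the cloud-to-driver rule flow concrete, here is an added example (not any vendor's code) of the decision logic the active defense component performs once rules have arrived: a constructed rule set in JSON of the kind a cloud service might push, a loader that only accepts a newer version than the one in force, and a first-match decision function applied to intercepted operations. The rule names, paths and the allow/block/ask action vocabulary are assumptions made for the demo; in a real product this decision runs inside the driver, and the rule channel must be authenticated before anything is loaded.

```python
"""Toy active-defense rule engine: rules of the form "which program may do
which operation on which target" arrive as JSON and are applied to intercepted
events. Constructed example; not the code of any real product."""
import fnmatch
import json

# Constructed rule set. Rules are evaluated in order, the first match decides,
# and the "default" applies when nothing matches. Paths are Windows-style.
CLOUD_RULES_JSON = r"""
{
  "version": 42,
  "default": "allow",
  "rules": [
    {"name": "trusted-updater", "process": "c:\\program files\\demo\\updater.exe",
     "operation": "*", "target": "*", "action": "allow"},
    {"name": "protect-drivers", "process": "*",
     "operation": ["file_write", "file_create"],
     "target": "c:\\windows\\system32\\drivers\\*", "action": "block"},
    {"name": "autorun-prompt", "process": "*", "operation": "reg_set",
     "target": "hklm\\software\\microsoft\\windows\\currentversion\\run\\*",
     "action": "ask"},
    {"name": "protect-self", "process": "*", "operation": "process_terminate",
     "target": "*\\demo_guard.exe", "action": "block"}
  ]
}
"""


class RuleEngine:
    def __init__(self):
        self.version = 0
        self.default = "allow"
        self.rules = []

    def load(self, rules_json: str) -> bool:
        """Install a rule set only if it is newer than the one in force
        (a stale or replayed set is ignored)."""
        doc = json.loads(rules_json)
        if doc["version"] <= self.version:
            return False
        self.version = doc["version"]
        self.default = doc["default"]
        self.rules = doc["rules"]
        return True

    @staticmethod
    def _match(pattern, value: str) -> bool:
        """Glob match; a rule field may be one pattern or a list of them."""
        patterns = pattern if isinstance(pattern, list) else [pattern]
        return any(fnmatch.fnmatchcase(value, p.lower()) for p in patterns)

    def decide(self, process: str, operation: str, target: str):
        """Return (action, rule_name) for one intercepted operation."""
        process, operation, target = (s.lower() for s in (process, operation, target))
        for rule in self.rules:
            if (self._match(rule["process"], process)
                    and self._match(rule["operation"], operation)
                    and self._match(rule["target"], target)):
                return rule["action"], rule["name"]
        return self.default, None


# Constructed events in the shape a hook/filter driver would report.
EVENTS = [
    ("C:\\Users\\Alice\\setup.exe", "file_write",
     "C:\\Windows\\System32\\drivers\\demo.sys"),
    ("C:\\Program Files\\Demo\\updater.exe", "file_write",
     "C:\\Windows\\System32\\drivers\\demo.sys"),
    ("C:\\Users\\Alice\\setup.exe", "reg_set",
     "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\demo"),
    ("C:\\Users\\Alice\\setup.exe", "process_terminate",
     "C:\\Program Files\\Demo\\demo_guard.exe"),
    ("C:\\Windows\\notepad.exe", "file_write", "C:\\Users\\Alice\\notes.txt"),
]


def run_demo():
    """Load the constructed rule set and decide every constructed event."""
    engine = RuleEngine()
    engine.load(CLOUD_RULES_JSON)
    return [engine.decide(*event) for event in EVENTS]


if __name__ == "__main__":
    for event, decision in zip(EVENTS, run_demo()):
        print(decision, event)
```

Rule order carries meaning here: the trusted updater is allowed to write under the drivers directory only because its allow rule precedes the generic block rule, and the same installer that is blocked from the drivers directory is merely prompted for when it adds an autorun entry. Case normalisation before matching matters on Windows, where paths are case-insensitive.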

File filter driver

Sometimes monitoring through the hook driver alone cannot solve the problem completely. Some low-level software bypasses the system API calls, so the hook driver cannot see it.

Therefore, security software is generally also equipped with a file filter driver, which implements lower-level file monitoring through the interfaces provided by the file system.

Minifilter and sfilter are the models commonly used for this kind of driver.

Network monitoring driver

Similar to the file filter driver, the network also needs a lower-layer driver: it monitors all network connections on the computer and, through the interfaces at the bottom of the operating system's network architecture, inspects every packet entering and leaving the machine, giving full visibility into network communication.

The technologies used in this kind of driver include TDI, NDIS, WFP, etc.

Sandbox driver

Besides guarding our computers, the other main job of security software is to analyze malicious programs.

The anti-virus engine mentioned above mainly performs static analysis. However, static analysis has its limits: in many cases a malicious program does not reveal itself until it runs. So dynamic analysis technology is indispensable.

Although network security technology has developed for many years, the main technology used in dynamic analysis is still "sandbox analysis".


So-called sandbox analysis means providing a simulated environment, throwing the target in, letting it run, and waiting until it shows its true colors; whether it is malicious can then be seen at a glance.

Therefore, many security products also provide a sandbox driver that uses kernel-level isolation to simulate a "safe" execution environment in which the target is run.
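The verdict step of sandbox analysis, as an added example rather than code from the original post: the sandbox runs the sample in its isolated environment and records what it did, and this scorer turns the recorded trace into a verdict. Behaviour names, weights, thresholds and the traces themselves are constructed for the demo (the IP is from the TEST-NET-3 documentation range); the code does not execute any sample and is not any vendor's logic.

```python
"""Toy verdict stage of sandbox analysis: the sandbox records the sample's
behaviour; this code scores the recorded trace. Constructed example with
made-up traces; nothing is executed here and this is not any vendor's code."""
from collections import Counter, defaultdict

# Weight per behaviour class (hypothetical values chosen for the demo).
WEIGHTS = {
    "read_document": 0,     # ordinary on its own
    "drop_executable": 3,   # wrote a new executable file
    "persist_autorun": 4,   # registered itself to start with the system
    "inject_remote": 5,     # wrote into another process's memory
    "network_connect": 1,   # a single outbound connection
    "delete_self": 3,       # removed its own file after running
}
CHAIN_BONUS = 3      # drop + persist together is the classic installer pattern
BEACON_BONUS = 3     # >= 3 connections to one endpoint at a steady interval
THRESHOLDS = (("malicious", 8), ("suspicious", 4))

# Constructed traces as (time_ms, behaviour, detail), one per sample run.
TRACE_DROPPER = [
    (10, "read_document", "C:\\Users\\Alice\\invoice.docx"),
    (120, "drop_executable", "C:\\Users\\Alice\\AppData\\Local\\Temp\\svc.exe"),
    (130, "persist_autorun", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"),
    (900, "network_connect", "203.0.113.7:443"),
    (1900, "network_connect", "203.0.113.7:443"),
    (2900, "network_connect", "203.0.113.7:443"),
    (3000, "delete_self", "C:\\Users\\Alice\\invoice.exe"),
]
TRACE_UPDATER = [
    (5, "read_document", "C:\\Program Files\\Demo\\version.txt"),
    (200, "network_connect", "update.example.net:443"),
    (800, "drop_executable", "C:\\Program Files\\Demo\\demo-1.1.exe"),
]
TRACE_EDITOR = [
    (5, "read_document", "C:\\Users\\Alice\\notes.txt"),
]


def beacon_endpoints(trace, max_jitter_ms=50):
    """Endpoints contacted at least three times at a near-constant interval,
    which separates beaconing from one-off connections."""
    times = defaultdict(list)
    for t, behaviour, detail in trace:
        if behaviour == "network_connect":
            times[detail].append(t)
    found = []
    for endpoint, ts in times.items():
        if len(ts) < 3:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if max(gaps) - min(gaps) <= max_jitter_ms:
            found.append(endpoint)
    return found


def score_trace(trace):
    """Return (verdict, score, reasons) for one recorded trace."""
    seen = Counter(behaviour for _, behaviour, _ in trace)
    reasons = [b for b in seen if WEIGHTS[b] > 0]
    score = sum(WEIGHTS[b] for b in seen)      # each behaviour class counted once
    if "drop_executable" in seen and "persist_autorun" in seen:
        score += CHAIN_BONUS
        reasons.append("drop+persist chain")
    for endpoint in beacon_endpoints(trace):
        score += BEACON_BONUS
        reasons.append(f"beacon to {endpoint}")
    verdict = "clean"
    for name, threshold in THRESHOLDS:
        if score >= threshold:
            verdict = name
            break
    return verdict, score, reasons


if __name__ == "__main__":
    for label, trace in (("dropper", TRACE_DROPPER), ("updater", TRACE_UPDATER),
                         ("editor", TRACE_EDITOR)):
        print(label, score_trace(trace))
```

The updater trace lands in the "suspicious" band on purpose: a legitimate installer also drops an executable and talks to the network, so a sandbox verdict based on behaviour alone produces a grey zone that the engine has to resolve with other evidence (signer, reputation, the static features from the anti-virus engine). Counting each behaviour class once and rewarding chains rather than raw event volume keeps a chatty but benign program from scoring as malware.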

Attack and defense driver

Security software is such a large target that it naturally attracts many attacks from malware. Beyond malware, some security products even attack each other in order to compete for users.

Therefore, security software must strengthen its own defense.

The active defense described above is the work of the regular army, and it includes the ability to protect the product itself. However, against an opponent who is also operating at kernel level, this alone has little effect.

Therefore, security software generally also has an attack-and-defense driver that fights opponents and protects itself through various means. A wide variety of techniques are used here.


To sum up, there are three main things to do in developing security software:


After reading this article, have you gained something from it? Writing is not easy; please share and forward it.