The Antivirus Hacker's Handbook by Joxean Koret and Elias Bachaalany is part book, part research report, detailing the authors' findings on how antivirus programs work, how they try to protect themselves, and how they can be attacked and exploited.
The book assumes that you have some basic knowledge of how compilers produce programs, what assembler looks like and how to map it back onto the statements in the code you write, and that you have access to IDA Pro free edition, Ghidra, Hopper or some other reverse engineering and analysis tool. We are then guided through the authors' journey of discovery, analyzing the cores and plugin systems of various antivirus products: how they work, how they detect viruses, how they update themselves, and how they try to protect themselves.
Antivirus systems are terribly large and attractive targets when trying to exploit individual machines or even fleets of machines: they try to scan and understand all kinds of file formats, they often run their analysis in privileged mode and with system protections turned off, and they are usually installed uniformly, as mandatory software, across large fleets of machines in corporate environments. These days they also increasingly have cloud components they upload data to, well suited to masking exfiltration traffic. For anyone trying to attack and subvert corporate targets, they are the ideal platform.
And the authors take us on that journey at a level of intricate detail, while always keeping the larger goal in sight. After reading this book one looks at corporate security software differently, questioning whether it actually makes things more secure.
“The Antivirus Hacker's Handbook”, Joxean Koret and Elias Bachaalany, EUR 32.06