Would it seem like a good idea to write a program that calculates an md5 or other hash algorithm of the core system files? I just happened to have a bad mishap and had to blow my HDD (not my important oneĀ ;)) but the one that my computer boots to. Do the size/contents of files (Windows) periodically change? If this seemed like a go, how would I be able to go about finding the files people like to inject code into? My ultimate goal is to write a program that compares hash values and see which files are corrupt.
Any help appreciated.
If you apply hotfixes or otherwise patch your operating system against security issues regularly, then yes, they change.
I figured as much. Does anyone really know how anit-virus programs really work? Are there preset names they are set to scan for?
As far as real-time scanning goes, the well-designed AV softwares out there (few and far between as far as the AV world goes, unfortunately) use something called a filesystem filter driver that sits in between programs and the underlying filesystem in kernel mode and allows the AV software to inspect all file-level I/O before it is allowed to happen (or return to a program).
Detection of viruses themselves is typically done by some sort of pattern matching based on file data - although this is a fairly large oversimplification.
The MD5 Idea might be a good one. Just prompt when it changes to ask if the change was expected or not. Then Update the hash of the file (and maybe make file backups in a compressed file?) if it's expected, and revert to the old version if it isn't. I think Windows XP does something similar to this already, though.