GooseBt: A programmable malware detection framework based on process, file, registry, and COM monitoring

As the networks is becoming faster and more convenient, computers is communicating with each other more and more frequent. However, security of computer communication is required to be concerned. Thus, this paper introduces a new programmable malware detection framework under Windows platform named GooseBt based on process, file, registry, and COM monitoring, which provides a new thought to perform malware detection. Usually, it is quite difficult to design with various kernel drivers on different platform versions, which are required to be developed before malware detection methods could be addressed. Moreover, most kinds of the existing anti-virus software are not programmable. In GooseBt framework, users can directly use easy codes to design their malware detection methods and make it run in Windows kernel mode. Static rules and dynamic rules are provided as interfaces based on message mapping. Moreover, third-party anti-virus manufacturers can directly call the API of the framework. The framework is proved to be effective and stable.