target PE sections
topix93


Joined: 15 Mar 2012
Posts: 0
I found this: https://www.clamav.net/doc/webinars/Webinar-Alain-2009-03-04.pdf
and my question is: how can I extract target PE sections?
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
You can use a debugger to see the sections in a PE file. I like FileAlyzer. It is free from Spybot Search & Destroy at https://www.safer-networking.org/en/filealyzer/ on the web. I like version 1.6.0.0, an older version. The code section is usually used for an MDB file hash, which you can get from the OpenSBI tab. You can use the Hexdump followed by List strings tab to see the file contents and grab the hexadecimal representation for a string for an NDB signature. See below:

filesize:filehash:Trojan.Whatever MDB sig for a file section

Trojan.Whatever:1:hexstring NDB sig for a string in the file

Regards,
topix93


Joined: 15 Mar 2012
Posts: 0
How do I know at which bytes the PE file sections begin?
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
You can get an MD5 hash for a section and use that as the signature. The code section is usually used for a section hash because it might be used again in other malware. Sometimes there is more than one code section, so you can get an MD5 hash for the entire file in that case--if you cannot figure out the right code section to use. The MD5 file hash will minimize false positives, but it will only detect that one malware. It is a safe and quick signature. Using the file or section size in the signature also will minimize false positives.

Regards,
topix93


Joined: 15 Mar 2012
Posts: 0
If I want to get the signature of the PE file, I must get the sections of the file. But to be able to extract them programmatically, I have to know the beginning of these sections ... how do I figure out where these sections begin?
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
FileAlyzer will let you see all the sections in a PE file, and you can view individual sections. You will be able to see where a section begins. I am sure that other debuggers and disassemblers like IDA Pro or OllyDbg will do the same. ClamAV has a built-in disassembler (or part of one), but it is only for internal scanning.

I do not know how you would find the beginning of a section within your program other than via calling a disassembler or via some disassembler functions.

Regards,
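The section offsets the two posts above are asking about do not need a debugger: they are written in the PE headers themselves. The following is an added example for this page, not code from the thread, from ClamAV or from ClamWin. It walks the DOS header, COFF header and section table to find where each section begins on disk, and then emits the signature lines the earlier reply sketched: an MDB line (section size, MD5 of the raw section bytes, name), the whole-file HDB fallback mentioned for binaries with several code sections, and an NDB line from a string's hex. It assumes the standard PE/COFF header layout and the documented ClamAV line formats `PESectionSize:PESectionHash:MalwareName`, `MD5:FileSize:MalwareName` and `MalwareName:TargetType:Offset:HexSignature` (target type 1 = PE, `*` = any offset). The sample PE is constructed inside the script and is not a real executable; `build_sample_pe`, `section_md5` and the other helper names are the example's own.

```python
import hashlib
import struct

DOS_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
FILE_ALIGN = 0x200                # typical FileAlignment; used only by the sample builder
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
COFF_FMT = "<HHIIIHH"             # IMAGE_FILE_HEADER, 20 bytes
SECT_FMT = "<8sIIIIIIHHI"         # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(blob):
    """Return the section table of a PE file as a list of dicts.

    DOS header (e_lfanew at 0x3C) -> 'PE\\0\\0' -> COFF header -> optional header
    (SizeOfOptionalHeader bytes) -> NumberOfSections 40-byte section headers.
    PointerToRawData is the file offset where a section's bytes begin.
    """
    if len(blob) < 0x40 or blob[:2] != DOS_MAGIC:
        raise ValueError("not a DOS/PE file (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != PE_MAGIC:
        raise ValueError("bad PE signature at e_lfanew")
    coff = e_lfanew + 4
    _machine, nsect, _ts, _psym, _nsym, opt_size, _flags = struct.unpack_from(COFF_FMT, blob, coff)
    table = coff + struct.calcsize(COFF_FMT) + opt_size
    sections = []
    for i in range(nsect):
        name, _vsize, _vaddr, raw_size, raw_ptr, _pr, _pl, _nr, _nl, flags = \
            struct.unpack_from(SECT_FMT, blob, table + 40 * i)
        # Clamp to the file so a truncated or hostile header cannot read past EOF.
        end = min(raw_ptr + raw_size, len(blob))
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "raw_offset": raw_ptr,
            "raw_size": raw_size,
            "characteristics": flags,
            "data": blob[raw_ptr:end],
        })
    return sections


def code_sections(sections):
    """Sections a section-hash signature would normally target (code / executable)."""
    want = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
    return [s for s in sections if s["characteristics"] & want]


def section_md5(section):
    return hashlib.md5(section["data"]).hexdigest()


def mdb_signature(section, malware_name):
    """.mdb line: PESectionSize:PESectionHash:MalwareName (hash over the raw section bytes)."""
    return f"{len(section['data'])}:{section_md5(section)}:{malware_name}"


def hdb_signature(blob, malware_name):
    """.hdb line: MD5:FileSize:MalwareName (whole-file fallback; matches one sample only)."""
    return f"{hashlib.md5(blob).hexdigest()}:{len(blob)}:{malware_name}"


def ndb_signature(malware_name, needle, target_type=1, offset="*"):
    """.ndb line: MalwareName:TargetType:Offset:HexSignature (1 = PE, * = any offset)."""
    return f"{malware_name}:{target_type}:{offset}:{needle.hex()}"


def build_sample_pe(sections):
    """Constructed test input: valid headers plus section bodies, not a runnable executable."""
    def align(n):
        return (n + FILE_ALIGN - 1) // FILE_ALIGN * FILE_ALIGN
    e_lfanew, opt_size = 0x80, 0xE0                 # 0xE0 = IMAGE_OPTIONAL_HEADER32 size
    hdr = bytearray(e_lfanew)
    hdr[:2] = DOS_MAGIC
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr += PE_MAGIC + struct.pack(COFF_FMT, 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    hdr += opt
    raw_ptr = align(len(hdr) + 40 * len(sections))  # first section starts after the aligned headers
    bodies, vaddr = bytearray(), 0x1000
    for name, data, flags in sections:
        raw_size = align(len(data))
        hdr += struct.pack(SECT_FMT, name, len(data), vaddr, raw_size, raw_ptr, 0, 0, 0, 0, flags)
        bodies += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += max(raw_size, 0x1000)
    return bytes(hdr).ljust(align(len(hdr)), b"\0") + bytes(bodies)


# Constructed sample (not a real binary): a small code section and a data section
# holding a registry path that would be a reasonable NDB string.
SAMPLE_TEXT = bytes.fromhex("558bec83ec10") + b"\x90" * 10 + b"\xc3"
SAMPLE_STRING = b"Software\\Microsoft\\Windows\\CurrentVersion\\Run"
SAMPLE_PE = build_sample_pe([
    (b".text", SAMPLE_TEXT, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE),
    (b".data", b"\0" * 16 + SAMPLE_STRING + b"\0", 0xC0000040),
])

if __name__ == "__main__":
    secs = parse_sections(SAMPLE_PE)
    for s in secs:
        print(f"{s['name']:8} begins at file offset 0x{s['raw_offset']:x}, {s['raw_size']} bytes on disk")
    for s in code_sections(secs):
        print(mdb_signature(s, "Trojan.Whatever"))
    print(hdb_signature(SAMPLE_PE, "Trojan.Whatever"))
    print(ndb_signature("Trojan.Whatever", SAMPLE_STRING))
```

Run it as a script to see the section offsets and the three signature lines; on a real sample, replace `SAMPLE_PE` with the bytes of the file and keep the clamp in `parse_sections`, since malware routinely ships headers whose `PointerToRawData` or `SizeOfRawData` point past the end of the file.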
topix93


Joined: 15 Mar 2012
Posts: 0
If I want, can I use the ClamWin antivirus classes to extract the signature files?
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I do not know what you mean by "using the ClamWin classes to extract the signature files."

ClamWin uses its code to scan files to look for the signatures in its signature database. You can use the ClamWin code in another application to scan, of course, but your application must be open source, like ClamWin.

Regards,
topix93


Joined: 15 Mar 2012
Posts: 0
Where can I find the code for extracting the signature?
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
It sounds like you are intending to build your own antivirus. I think you will need to examine the code yourself--which is beyond the support we can give here. The code ClamWin uses is merely ported over from ClamAV for Linux to a Windows version, which is not exactly the same.

Regards,
topix93


Joined: 15 Mar 2012
Posts: 0
Exactly, I'm trying to build an antivirus as a personal project. I didn't understand what your last sentence means.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I meant that the ClamWin code is primarily from the ClamAV project for Linux computers. ClamWin basically adds a Windows GUI to the ClamAV code so that it can be used on Windows computers, but there are some other small differences. The ClamWin port is available for download/examination at
https://www.clamwin.com/component/option,com_weblinks/catid,2/Itemid,80/ on the web.

Any use of open source software code (like ClamWin) in another application requires that you also make your application open source.

Regards,