A lightweight, command-line antivirus tool focused entirely on static analysis of Windows executables (PE files). This tool is designed for security researchers to quickly identify potentially malicious files, flag them based on entropy, and build a crowdsourced hash intelligence database.
✅ PE Header Parsing
Reads and analyzes the Portable Executable (PE) file structure using the Windows API.
✅ Entropy Calculation
Calculates Shannon entropy of the entire file to detect obfuscated or packed executables.
Higher entropy (typically > 7.2) may indicate packing or encryption.
✅ Malicious File Detection
Flags files with suspicious entropy for manual review. Files are not deleted automatically.
✅ User Approval System
After scanning:
- View flagged files
- Choose to approve (ignore future warnings) or deny (mark as malicious)
✅ External Hash Server Integration (Planned)
When a file is denied, its hash will be sent to an external server:
- For storage
- For future scanning comparisons
- To contribute to a shared intelligence database
✅ Scan Options (Planned)
- Scan a single file
- Recursively scan all `.exe`/`.dll` files in a directory
- You run the CLI tool on a file or folder.
- Each `.exe` or `.dll` file is:
  - Parsed for valid PE headers
  - Measured for entropy
  - Compared against thresholds for suspicious properties
- Suspicious files are added to a "review list".
- You are prompted to approve or deny each.
- Denied hashes are optionally sent to an external server, and denied files are optionally deleted.
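The pipeline above (valid-PE check, whole-file Shannon entropy against the 7.2 threshold from the feature list, review list, approve/deny) as an added Python example. This is not the project's C code: the header walk uses `struct` offsets from the PE/COFF layout instead of the Windows API the tool calls, the sample images are constructed in memory, and the hash-server upload is represented only by the set of denied hashes the review step returns. The function and field names are this example's own.

```python
import hashlib
import math
import random
import struct
from collections import Counter

ENTROPY_THRESHOLD = 7.2           # README threshold: whole-file entropy above this is reviewed
IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0"
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0xAA64: "ARM64"}


class PEError(ValueError):
    """Raised when the buffer is not a well-formed PE image."""


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def parse_pe_headers(data: bytes) -> dict:
    """DOS header -> NT signature -> COFF header -> optional-header magic -> section table.
    Every offset is bounds-checked before it is read; malformed headers must not crash a scanner."""
    if len(data) < 64 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise PEError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):
        raise PEError("e_lfanew points outside the file")
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise PEError("missing PE signature")
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if opt_size < 2 or opt_off + opt_size > len(data):
        raise PEError("bad SizeOfOptionalHeader")
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(struct.unpack_from("<H", data, opt_off)[0])
    if fmt is None:
        raise PEError("unknown optional header magic")
    sections = []
    for i in range(nsections):
        off = opt_off + opt_size + 40 * i
        if off + 40 > len(data):
            raise PEError("section table truncated")
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        if raw_ptr + raw_size > len(data):
            raise PEError(f"section {i} raw data lies outside the file")
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw_size, "raw_offset": raw_ptr})
    return {"format": fmt, "machine": MACHINE_NAMES.get(machine, hex(machine)),
            "characteristics": chars, "sections": sections}


def scan(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """One file through the pipeline: header validation, entropy, threshold. Nothing is deleted."""
    result = {"sha256": hashlib.sha256(data).hexdigest(), "valid_pe": False,
              "entropy": None, "suspicious": False, "error": None}
    try:
        result["headers"] = parse_pe_headers(data)
    except PEError as exc:
        result["error"] = str(exc)
        return result
    result["valid_pe"] = True
    result["entropy"] = round(shannon_entropy(data), 3)
    result["suspicious"] = result["entropy"] > threshold
    return result


def apply_decisions(results: list, decisions: dict) -> tuple:
    """Review step: decisions maps sha256 -> True (approve) / False (deny). Only flagged files are
    reviewed. Returns (approved, denied); the denied set is what the planned server would receive."""
    approved, denied = set(), set()
    for r in results:
        if r["suspicious"] and r["sha256"] in decisions:
            (approved if decisions[r["sha256"]] else denied).add(r["sha256"])
    return approved, denied


def build_sample_pe(sections: list) -> bytes:
    """Assemble a minimal PE32+ image from (name, content) pairs: constructed test data, not a
    real binary, with headers just complete enough for parse_pe_headers()."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: NT headers follow the DOS header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    table, raw, raw_base = bytearray(), bytearray(), 512
    for name, content in sections:
        raw_size = -(-len(content) // 512) * 512     # round up to 512-byte file alignment
        table += struct.pack("<8sIIII", name.ljust(8, b"\0"), len(content), 0,
                             raw_size, raw_base + len(raw)) + bytes(16)
        raw += content.ljust(raw_size, b"\0")
    return bytes((dos + b"PE\0\0" + coff + opt + table).ljust(raw_base, b"\0") + raw)


# Constructed inputs: a low-entropy "clean" image, a pseudo-random payload standing in for a packed
# image, and a buffer that starts with MZ but carries no PE signature.
_rng = random.Random(1234)
CLEAN_SAMPLE = build_sample_pe([(b".text", b"\x55\x48\x89\xe5\x90\xc3" * 300), (b".data", b"config=1\r\n" * 100)])
PACKED_SAMPLE = build_sample_pe([(b"UPX0", b""), (b"UPX1", bytes(_rng.getrandbits(8) for _ in range(64 * 1024)))])
NOT_PE = b"MZ" + bytes(62) + b"garbage"

if __name__ == "__main__":
    results = [scan(b) for b in (CLEAN_SAMPLE, PACKED_SAMPLE, NOT_PE)]
    for r in results:
        print(r["sha256"][:16], r["valid_pe"], r["entropy"], r["suspicious"], r["error"])
    print(apply_decisions(results, {results[1]["sha256"]: False}))   # simulated operator: deny packed
```

Two points worth keeping in mind when using this as a model. Whole-file entropy is a triage signal, not a verdict: legitimately compressed or encrypted resources (installers, embedded archives, signed updaters) cross 7.2 as readily as packers do, which is why the tool hands flagged files to a human rather than deleting them. And every header offset is checked against the buffer length before it is dereferenced, because a malformed `e_lfanew` or section table is a common way for a static scanner to crash on exactly the files it should be inspecting.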
Build on Windows with GCC (MinGW):

```sh
gcc -o av-cli.exe antivirus.c hashutil.c -ladvapi32
```