I want to code an AntiVirus for learning purposes. It will be signatures-based. I already wrote a scanner that loops through all system files and creats memory mapping for each file. What i am trying to do now, is to get a binary signature (in hex) from each malicious file (sample files) so i can compare it with the database i created.
What is the problem now?
I noticed that the commercial AntiViruses like Kaspersky for example, chooses a file signature from wherever location inside the binary file.
Now suppose that i detected a new malicious file and i chose the offset 0x8766 which has the value 0x4F as a signature for that malicious file.
now if i want to check a file which has a samll size where the offset 0x8766 does not exist in that small file .. this will be a problem?!
this is sample code represents the way i am going:

hFile = ::CreateFile(State.Path, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE,
                                 0, OPEN_EXISTING,FILE_FLAG_SEQUENTIAL_SCAN, 0);//open the file

if(hFile !=INVALID_HANDLE_VALUE){
hMap= ::CreateFileMapping(hFile, 0, PAGE_READONLY | SEC_COMMIT, 0, 0, 0);//create Mem mapping for the file in virtual memory
if( hMap!=NULL){
base = ::MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0);//load the mapped file into the RAM
//start to compare some bytes (values) from mspaint.exe file in Win7
if( *((BYTE *)base + 0x1C3DF0)== 0x05 )
i++; 
if( *((BYTE *)base + 0x25250C)== 0x21 )
i++;
if( *((BYTE *)base + 0x25272A)== 0x97 )
i++;

if(i==3){
// the file is malicious
}

Another question: Do i need to map the whole signatures database in the ram before i start comparing and how?
and what you suggest signature needs to contain? the file size …etc? any other suggestions