my exe a virus?

Started by xellos, November 01, 2010, 10:22:43 PM

xellos

My AVG virus scanner says that my exe is a virus. Why?

here's the code

.386
.model flat, stdcall
option casemap:none
;include's here.
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
;----------------------------------------------------------------------------
.data

.code
start:

invoke ExitProcess,0
end start

frktons

Quote from: xellos on November 01, 2010, 10:22:43 PM
My AVG virus scanner says that my exe is a virus. Why?

here's the code

.386
.model flat, stdcall
option casemap:none
;include's here.
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
;----------------------------------------------------------------------------
.data

.code
start:

invoke ExitProcess,0
end start


Change your AVG, which is stupid, for something smarter.  :bg

Frank
Mind is like a parachute. You know what to do in order to use it :-)

Vortex

Hi xellos,

You are receiving a false-positive alert. Probably your AV software does not correctly interpret the MS PE file format specification.

theunknownguy

Quote from: xellos on November 01, 2010, 10:22:43 PM
My AVG virus scanner says that my exe is a virus. Why?

here's the code

.386
.model flat, stdcall
option casemap:none
;include's here.
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
;----------------------------------------------------------------------------
.data

.code
start:

invoke ExitProcess,0
end start


A call to the API ExitProcess at the beginning of the code is interpreted by some AV heuristics as a virus technique: calling a hooked ExitProcess to redirect to the entry point of the virus and trick the heuristic scan into believing it is exiting the program. Nothing to be alarmed about; just add a few APIs before it.

Magnum

That may work, but I have to agree with the others.

Retarded AV program.

I'd like to know the name of it.

Have a great day,
                         Andy

hutch--

There is another factor with the crappy end of AV scanners: put a version control block in a resource section and add a manifest to the EXE file. This allows the crappy end of AV scanners to recognise that the application is not malicious code. Note though that the executable file will still be scanned, and if it has any recognisable malicious code it will still generate a problem.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

Magnum

I have the code for a version block.

I couldn't find an example of putting a manifest in the .exe.


hutch--

Andy,


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <description>Your Application</description>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity
        type="win32"
        name="Microsoft.Windows.Common-Controls"
        version="6.0.0.0"
        processorArchitecture="X86"
        publicKeyToken="6595b64144ccf1df"
        language="*"
      />
    </dependentAssembly>
  </dependency>
</assembly>


In your resource file, resource 1, type 24.


1 24 "yourfile.xml"    // ID 1 = CREATEPROCESS_MANIFEST_RESOURCE_ID, type 24 = RT_MANIFEST
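A complete resource script that carries both of hutch's suggestions (the embedded manifest and a version information block) in one place. This is an added example, not code from the original thread; it assumes the manifest XML from hutch's post is saved beside it as app.xml, and the file names (app.rc, app.exe) and the company/product strings are placeholders to be replaced with your own.

```rc
// app.rc - resource script for a small MASM32 executable (added example).
// Assumes the manifest XML above has been saved as app.xml in the same directory.

// Application manifest: resource ID 1 (CREATEPROCESS_MANIFEST_RESOURCE_ID),
// resource type 24 (RT_MANIFEST). The loader reads this when the process starts.
1 24 "app.xml"

// Version information block (resource type RT_VERSION, ID 1).
// This is what Explorer shows on the "Version" tab of the file's Properties.
1 VERSIONINFO
FILEVERSION     1,0,0,0
PRODUCTVERSION  1,0,0,0
FILEFLAGSMASK   0x3F
FILEFLAGS       0x0
FILEOS          0x40004         // VOS_NT_WINDOWS32
FILETYPE        0x1             // VFT_APP
FILESUBTYPE     0x0
BEGIN
  BLOCK "StringFileInfo"
  BEGIN
    BLOCK "040904B0"            // language 0x0409 (en-US), charset 0x04B0 (Unicode)
    BEGIN
      VALUE "CompanyName",      "Example Company\0"      // placeholder
      VALUE "FileDescription",  "Example application\0"  // placeholder
      VALUE "FileVersion",      "1.0.0.0\0"
      VALUE "InternalName",     "app\0"
      VALUE "LegalCopyright",   "Copyright (C) 2010 Example Company\0"
      VALUE "OriginalFilename", "app.exe\0"
      VALUE "ProductName",      "Example application\0"
      VALUE "ProductVersion",   "1.0.0.0\0"
    END
  END
  BLOCK "VarFileInfo"
  BEGIN
    // Must match the StringFileInfo block above: language 0x0409, charset 0x04B0.
    VALUE "Translation", 0x0409, 0x04B0
  END
END
```

Build it with the MASM32 tools from the same directory: `rc app.rc` produces app.res, `ml /c /coff app.asm` produces app.obj, and `link /SUBSYSTEM:WINDOWS app.obj app.res` embeds both resources in app.exe. Two quick checks afterwards: the Properties dialog of app.exe should show a Version tab with the strings above, and the program should start normally; a malformed embedded manifest makes CreateProcess fail with error 14001 (ERROR_SXS_CANT_GEN_ACTCTX, "the application configuration is incorrect"), which is the usual symptom of a typo in the XML. As hutch notes, none of this changes what a signature-based scan sees; it only removes the "anonymous tiny executable" traits that the weaker heuristics react to.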

Magnum


.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\comctl32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\comctl32.lib

.CODE

%Date       db " &@Date" ; Compile date, expanded from the @Date predefined symbol

start:

invoke InitCommonControls ; an ordinary API call (and a comctl32.dll import) before ExitProcess

invoke ExitProcess,0

end start


I got this in Ollydbg.
I am using XP Home Edition.

Is the last line expected?

C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDF000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr 0000051D ERROR_NO_IMPERSONATION_TOKEN

jj2007

Quote from: hutch-- on November 04, 2010, 02:39:00 AM...add a manifest to the EXE file. This allows the crappy end of AV scanners to recognise that the application is not malicious code.

Thank God the script kiddies have not yet learned that trick :8)

hutch--

Typical of Microsoft security theories, the script kiddies probably learnt it first and everyone else is stuck with its nuisance value.