My AVG virus scanner says that my exe is a virus. Why?
Here's the code:
.386
.model flat, stdcall
option casemap:none
;include's here.
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
;----------------------------------------------------------------------------
.data
.code
start:
invoke ExitProcess,0
end start
Quote from: xellos on November 01, 2010, 10:22:43 PM
Change your AVG, that is stupid, with something smarter. :bg
Frank
Hi xellos,
You are receiving a false-positive alert. Your AV software probably does not interpret the MS PE file format specification correctly.
Quote from: xellos on November 01, 2010, 10:22:43 PM
A call to the ExitProcess API at the beginning of the code is interpreted by some AV heuristics as a virus technique: calling a hooked ExitProcess to redirect to the entry point of the virus and trick the heuristic scan into believing it's exiting the program. Nothing to be alarmed about, just add a few APIs before it.
That may work, but I have to agree with the others.
Retarded AV program.
I'd like to know the name of it.
There is another factor with the crappy end of AV scanners: put a version control block in a resource section and add a manifest to the EXE file. This allows the crappy end of AV scanners to recognise that the application is not malicious code. Note though that the executable file will still be scanned and if it has any recognisable malicious code it will still generate a problem.
I have the code for a version block.
I couldn't find an example of putting a manifest in the .exe.
Andy,
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<description>Your Application</description>
<dependency>
<dependentAssembly>
<assemblyIdentity
type="win32"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
processorArchitecture="X86"
publicKeyToken="6595b64144ccf1df"
language="*"
/>
</dependentAssembly>
</dependency>
</assembly>
In your resource file, resource 1, type 24.
1 24 "yourfile.xml"
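; InitCommonControls lives in comctl32, so add these to the includes
include \masm32\include\comctl32.inc
includelib \masm32\lib\comctl32.lib
.CODE
%Date db " &@Date" ; Compile date
start:
invoke InitCommonControls
invoke ExitProcess,0
end start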
I got this in Ollydbg.
I am using XP Home Edition.
Is the last line expected?
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 1 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDF000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr 0000051D ERROR_NO_IMPERSONATION_TOKEN
Quote from: hutch-- on November 04, 2010, 02:39:00 AM
...add a manifest to the EXE file. This allows the crappy end of AV scanners to recognise that the application is not malicious code.
Thank God the script kiddies have not yet learned that trick :8)
Typical of Microsoft security theories, the script kiddies probably learnt it first and everyone else is stuck with its nuisance value.
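Added example, not part of any post in this thread: a Python check that a built EXE really contains the version block (resource type 16) and the manifest (resource type 24) discussed above, by reading the root of the PE resource directory. The function names and the `build_sample` image are constructed for illustration; as noted in the thread, a file with these resources is still scanned like any other.

```python
import struct

RT_VERSION, RT_MANIFEST = 16, 24   # Windows resource type IDs

def resource_type_ids(pe: bytes) -> set:
    """Numeric type IDs found in the root of a PE file's resource directory."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect, = struct.unpack_from("<H", pe, nt + 6)
    opt_size, = struct.unpack_from("<H", pe, nt + 20)
    opt = nt + 24                                         # optional header start
    magic, = struct.unpack_from("<H", pe, opt)
    ddir = opt + (96 if magic == 0x10B else 112)          # PE32 / PE32+
    count, = struct.unpack_from("<I", pe, ddir - 4)       # NumberOfRvaAndSizes
    rva, _size = struct.unpack_from("<II", pe, ddir + 2 * 8)  # entry 2 = resources
    if count < 3 or rva == 0:
        return set()                                      # no resource section
    for i in range(nsect):                                # RVA -> file offset
        vsize, va, rawsize, rawptr = struct.unpack_from(
            "<IIII", pe, opt + opt_size + 40 * i + 8)
        if va <= rva < va + max(vsize, rawsize):
            base = rawptr + rva - va
            break
    else:
        raise ValueError("resource directory is outside every section")
    named, ids = struct.unpack_from("<HH", pe, base + 12)
    first = base + 16 + 8 * named                         # ID entries follow named ones
    return {struct.unpack_from("<I", pe, first + 8 * i)[0] for i in range(ids)}

def missing_resources(pe: bytes) -> list:
    found = resource_type_ids(pe)
    wanted = (("version block", RT_VERSION), ("manifest", RT_MANIFEST))
    return [name for name, rt in wanted if rt not in found]

def build_sample(type_ids) -> bytes:
    """Constructed test input: PE32 headers plus a .rsrc root directory only."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 16, 0x1000, 0x200)  # resource dir RVA, size
    sect = struct.pack("<8sIIIIIIHHI", b".rsrc", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x40000040)
    root = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(type_ids))
    root += b"".join(struct.pack("<II", t, 0x80000000) for t in type_ids)
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + sect
    return hdr.ljust(0x200, b"\0") + root.ljust(0x200, b"\0")
```

On a real build, pass the file's bytes, e.g. `missing_resources(open("your.exe", "rb").read())`; an empty list means both resources are present.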