flat assembler
Message board for the users of flat assembler.

Index > Projects and Ideas > FASMLIB 0.8.0 - general purpose library

Goto page Previous  1, 2, 3  Next
Author
Thread Post new topic Reply to topic
Mac2004



Joined: 15 Dec 2003
Posts: 314
Mac2004 07 Jul 2012, 13:51
vid: Avast Antivirus reports that there's virus detected on your site.

regards,
Mac2004
Post 07 Jul 2012, 13:51
View user's profile Send private message Reply with quote
sleepsleep



Joined: 05 Oct 2006
Posts: 12737
Location: ˛                             ⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣Posts: 0010456
sleepsleep 21 Jul 2012, 18:22
hi vid,
thanks for the great library! am using it through dll

maybe could add a function for compare & replace?

eg,
to replace
C:\WINDOWS\SYSTEM32\KERNEL32.DLL

to
C:/WINDOWS/SYSTEM32/KERNEL32.DLL
Post 21 Jul 2012, 18:22
View user's profile Send private message Reply with quote
JohnFound



Joined: 16 Jun 2003
Posts: 3499
Location: Bulgaria
JohnFound 07 Oct 2012, 08:19
Hi, vid.
Recently I try to use FASMLIB's heap manager in FreshLib in order to serve the OSes where no heap management is provided by the system.

Anyway, I found several bugs that need to be fixed:

"heapmgr/alloc.asm"

1. mem.alloc pops esi and edi in wrong order, thus exchanging their values.

2. in case of error, mem.alloc does not pops register values at all. This particular mistake is common for several other procedures: mem.free, mem.realloc, mem.size.
I didn't checked whole library, but only the procedures I need.
Code:
.rnc:   clc
.r:     pop     esi edi edx ecx ebx
        ret
.rc:    stc
        ret
    



There is possibility of other bugs as well, because FreshLib tests does not work properly with FASMLIB heap manager, but it can be because of FreshLib bugs as well.
If I found something I will report it again.

Regards
Post 07 Oct 2012, 08:19
View user's profile Send private message Visit poster's website ICQ Number Reply with quote
logicx



Joined: 20 Oct 2012
Posts: 2
logicx 20 Oct 2012, 21:24
Mac2004 wrote:
vid: Avast Antivirus reports that there's virus detected on your site.

regards,
Mac2004

I'm seeing that too; the file is symbols.exe from examples.
Here is the virustotal report with a detection ratio of 23/43

https://www.virustotal.com/file/abb60294641513b3b7330e32fbb57db103fafc299574198a6a8fd03db2f4b28c/analysis/
Post 20 Oct 2012, 21:24
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20299
Location: In your JS exploiting you and your system
revolution 20 Oct 2012, 22:50
logicx wrote:
I'm seeing that too; the file is symbols.exe from examples.
Here is the virustotal report with a detection ratio of 23/43

https://www.virustotal.com/file/abb60294641513b3b7330e32fbb57db103fafc299574198a6a8fd03db2f4b28c/analysis/
That report is from over 1 year ago. Perhaps you should scan again to see the current report.
Post 20 Oct 2012, 22:50
View user's profile Send private message Visit poster's website Reply with quote
titeha



Joined: 04 Apr 2011
Posts: 1
Location: Russia
titeha 07 Aug 2013, 06:42
Hi, Vid!

Please look for this code (convert int32 to ascii) with using sse2 instruction:

Code:
IntToStr:
   push edi
   mov eax, [esp + 8]    ; value
   mov edi, [esp + 0ch]  ; buffer

   movq xmm0, [Divider]
   pxor xmm6, xmm6
   xor ecx, ecx

   ; check for sign
   cdq
   xor eax, edx
   sub eax, edx
   and edx, '-'
   setnz cl
   cvtsi2sd xmm1, eax
   mov [edi], edx
   add edi, ecx

   ; main loop
@@:mulsd xmm1, xmm0
   cvttsd2si ecx, xmm1
   pslldq xmm6, 1
   add eax, 30h
   lea edx, [ecx + ecx * 4]
   sub eax, edx
   sub eax, edx
   movd xmm2, eax
   xor eax, eax
   por xmm6, xmm2
   add eax, ecx
   jnz @b

   ; save result
   movdqu [edi], xmm6

   ; leave function
@@:pop edi
   ret 8

Divider dq 0.1
    


it fast function

sorry for my english
Post 07 Aug 2013, 06:42
View user's profile Send private message Reply with quote
spandexyfronts



Joined: 15 Sep 2013
Posts: 6
spandexyfronts 21 Sep 2013, 14:46
Windows defender is reporting the library contains a virus and won't allow the dowload, any suggestions?
Post 21 Sep 2013, 14:46
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20299
Location: In your JS exploiting you and your system
revolution 21 Sep 2013, 14:55
spandexyfronts wrote:
Windows defender is reporting the library contains a virus and won't allow the dowload, any suggestions?
Yes. Disable or uninstall Windows Defender.

But seriously, there is nothing that can be done from this end. Talk to the authors of Windows Defender if you want this false alert to go away.
Post 21 Sep 2013, 14:55
View user's profile Send private message Visit poster's website Reply with quote
Sasha



Joined: 17 Nov 2011
Posts: 93
Sasha 12 Oct 2013, 23:11
Post 12 Oct 2013, 23:11
View user's profile Send private message Reply with quote
JohnFound



Joined: 16 Jun 2003
Posts: 3499
Location: Bulgaria
JohnFound 13 Oct 2013, 06:04
Sasha wrote:
https://www.virustotal.com/en/file/542528531f124a4dfb1f1270d867ff1cf95053da86167ebeae6d477af3b252cd/analysis/
Why and what to do?


Read the VirusTotal FAQ:

Quote:
VirusTotal is detecting a legitimate software I have developed, please remove the detections

VirusTotal acts simply as an information aggregator, presenting antivirus results, file characterization tool outputs, URL scanning engine results, etc. VirusTotal is not responsible for false positives generated by any of the resources it uses, false positive issues should be addressed directly with the company or individual behind the product under consideration.

We can, however, help you in combatting false positives. VirusTotal has built an early warning system regarding false positives whereby developers can upload their software to a private store, such software gets scanned on a daily basis with the latest antivirus signatures. Whenever there is a change in the detections of any of your files, you are immediately notified in order to mitigate the false positive as soon as possible.

_________________
Tox ID: 48C0321ADDB2FE5F644BB5E3D58B0D58C35E5BCBC81D7CD333633FEDF1047914A534256478D9
Post 13 Oct 2013, 06:04
View user's profile Send private message Visit poster's website ICQ Number Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20299
Location: In your JS exploiting you and your system
revolution 13 Oct 2013, 06:44
Actually it is not VirusTotal's fault for the false detections. The ones to blame are the AV vendors. If there is a problem then talk to the AV vendor ... Or, my preferred option, delete any and all AV's and then use your own judgement about what is a virus and what is not.
Post 13 Oct 2013, 06:44
View user's profile Send private message Visit poster's website Reply with quote
Sasha



Joined: 17 Nov 2011
Posts: 93
Sasha 13 Oct 2013, 09:48
revolution wrote:
Actually it is not VirusTotal's fault for the false detections.

It's not a VirusTotal's fault, of course. It just helps me to check the program in 47 AV's at a time.
revolution wrote:
If there is a problem then talk to the AV vendor

To 30 AV vendors...
revolution wrote:
Or, my preferred option, delete any and all AV's and then use your own judgement about what is a virus and what is not.

I don't have an AV installed now. Once I had it, but I had to turn it of, when compiling. Interesting, while the .exe file was not detected as a virus, it was still alerted on compilation process itself.
And the main problem is that other users will think, that my program is a virus.
Post 13 Oct 2013, 09:48
View user's profile Send private message Reply with quote
HaHaAnonymous



Joined: 02 Dec 2012
Posts: 1178
Location: Unknown
HaHaAnonymous 13 Oct 2013, 15:41
[ Post removed by author. ]


Last edited by HaHaAnonymous on 28 Feb 2015, 19:44; edited 1 time in total
Post 13 Oct 2013, 15:41
View user's profile Send private message Reply with quote
Frank



Joined: 17 Jun 2003
Posts: 100
Frank 13 Oct 2013, 21:55
Sasha wrote:
revolution wrote:
If there is a problem then talk to the AV vendor

To 30 AV vendors...

Or hunt down vid (the author of the library), and convince him to remove all binaries from the ZIP file. That's a single point of contact for you => easier to do. It is also a future-proof solution: no precompiled binaries => no false positives any more.

Sasha wrote:
And the main problem is that other users will think, that my program is a virus.

That is the risk that you accept when working with non-mainstream tools (such as fasm). However: vid's binaries are from 2007, and fasm has changed a lot in the meantime. If you recompile vid's stuff with a modern fasm, do you then still get a massive number of false positives? If yes, then I guess Tomasz (the author of fasm) may be interested to learn about the fact.
Post 13 Oct 2013, 21:55
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20299
Location: In your JS exploiting you and your system
revolution 13 Oct 2013, 23:15
Frank wrote:
However: vid's binaries are from 2007, and fasm has changed a lot in the meantime. If you recompile vid's stuff with a modern fasm, do you then still get a massive number of false positives? If yes, then I guess Tomasz (the author of fasm) may be interested to learn about the fact.
The output from fasm won't change. fasm follows the SSSO principal: Same Source Same Output. It is not an HLL compiler, it won't change your code sequence or optimise out dead code or anything like that.
Post 13 Oct 2013, 23:15
View user's profile Send private message Visit poster's website Reply with quote
Frank



Joined: 17 Jun 2003
Posts: 100
Frank 13 Oct 2013, 23:23
@revolution: That is mostly correct, but not fully. Sasha wrote about an AV program on his computer: "Once I had it, but I had to turn it of, when compiling. Interesting, while the .exe file was not detected as a virus, it was still alerted on compilation process itself." I had a similar problem, circa 2-3 years ago, and a fasm upgrade solved it. The problem was not in my own code, but something in the PE part that fasm contributes to the executable.

EDIT: Yes, I know that the above sounds rather wishi-washi. I don't have the time to reconstruct the exact fasm versions that caused it. Anyway, it's an empirical question -- Sasha can simply recompile vid's source code, produce a new ZIP file, re-upload that to VirusTotal, and then compare the number of false positives.
Post 13 Oct 2013, 23:23
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20299
Location: In your JS exploiting you and your system
revolution 14 Oct 2013, 01:52
I tried to recompile the DLL file and do a binary compare but I can't figure out how to do it. Has vid posted instructions somewhere on how to make a new DLL? There is no file in the zip file that I could find that has 'format pe dll' so perhaps vid has some Secret Recipe©®™ to generate the DLL?
Post 14 Oct 2013, 01:52
View user's profile Send private message Visit poster's website Reply with quote
MazeGen



Joined: 06 Oct 2003
Posts: 977
Location: Czechoslovakia
MazeGen 15 Oct 2013, 07:39
Frank wrote:
Or hunt down vid (the author of the library), and convince him to remove all binaries from the ZIP file. That's a single point of contact for you => easier to do. It is also a future-proof solution: no precompiled binaries => no false positives any more.

That's exactly what I told him just few weeks ago but he's such a lazy lout! :P
Post 15 Oct 2013, 07:39
View user's profile Send private message Visit poster's website Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 15 Oct 2013, 13:20
Hello again!

So, I removed compiled examples from fasmlib-0.8.0.zip. Now it comes out clean on virustotal.com. Fortunately, none of library binaries was flagged as virus: https://www.virustotal.com/en/file/2162c95f8e4aedb9daf9666aac7658af79a666684a43ce4c4e8d883f61135958/analysis/1381842511/

I still do like the project as an idea, but I have different interests now and do not plan to spend time on it anymore. Whoever wishes to do whatever with the library is free and welcome to do so. I can give advice / explain things about its working as far as I remember, but I won't go hunt down bugs or anything.

Quote:
I tried to recompile the DLL file and do a binary compare but I can't figure out how to do it. Has vid posted instructions somewhere on how to make a new DLL? There is no file in the zip file that I could find that has 'format pe dll' so perhaps vid has some Secret Recipe©®™ to generate the DLL?

Because I was building library for number of compilers under two OSes, and with documentation generated from sources in various formats, I used a rather complicated build process. It was a big ugly batch file that used quite many 3rd party tools.

One of those tools is not preserved (AsmDoc, custom tool I wrote to parse documentation from comments in source file to DocBook format). So it won't be possible to replicate entire build process, particulary to generate up-to-date documentation from sources.

I also do have development version of unreleased fasmlib-0.9 laying around, if anyone wants it. It added tiny layer to access command line options and a text -> floating point conversion. I have sent it to few people who asked for it over the years.
Post 15 Oct 2013, 13:20
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20299
Location: In your JS exploiting you and your system
revolution 15 Oct 2013, 15:04
Hi vid. Thanks for the response. I am sure if you offer v0.9 people will ask for it, so perhaps you can simply post it here and satisfy all those that may wish to take advantage of it.
Post 15 Oct 2013, 15:04
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page Previous  1, 2, 3  Next

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.