flat assembler
Message board for the users of flat assembler.

Program gets flagged by anti-virus

Thaorius



Joined: 27 Jul 2006
Posts: 42
Hi, I developed a small downloader for my new software and it's getting detected by several AVs. I can't figure out why, or how to avoid it.

Code:
format PE GUI
entry start

include 'win32ax.inc'                           ; Win32 API

section '.code' code readable executable

  start:
        invoke  lstrcpy, name, name1            ; name <- 'index.html'
        invoke  lstrcpy, site, site1            ; site <- download URL
        call    get
        call    run
        invoke  ExitProcess, 0

  get:
        ; GetTempPath takes (nBufferLength, lpBuffer); the original passed
        ; the buffer address as the length, so the size is given explicitly here
        invoke  GetTempPath, 256, temp
        invoke  lstrcat, temp, name             ; temp <- '<temp dir>index.html'
        invoke  lstrcpy, name, temp             ; name <- full path of the target file
        invoke  URLDownloadToFile, NULL, site, name, NULL, NULL
        ret

  run:
        invoke  ShellExecute, 0, 0, name, 0, 0, SW_SHOW
        ret

section '.data' data readable writeable

        temp    rb 256
        name    rb 256
        site    rb 256

        site1   db 'http://www.thaorius.com/index.html',0
        name1   db 'index.html',0

section '.idata' import data readable writeable

        library kernel32, 'KERNEL32.DLL', \
                shell32,  'SHELL32.DLL', \
                urlmon,   'URLMON.DLL'

        ; Sleep, CreateProcess and GetCommandLine are imported but never called
        import  kernel32, \
                ExitProcess,    'ExitProcess', \
                Sleep,          'Sleep', \
                CreateProcess,  'CreateProcessA', \
                GetCommandLine, 'GetCommandLineA', \
                GetTempPath,    'GetTempPathA', \
                lstrcat,        'lstrcat', \
                lstrcpy,        'lstrcpy'

        import  shell32, \
                ShellExecute,   'ShellExecuteA'

        import  urlmon, \
                URLDownloadToFile, 'URLDownloadToFileA'


Any ideas on how to avoid it? Thanks
Post 23 Aug 2008, 23:01
asmhack



Joined: 01 Feb 2008
Posts: 431
Thaorius wrote:
Any ideas on how to avoid it? Thanks

yep, avoid your antivirus...
or don't use the URLDownloadToFile API
Post 23 Aug 2008, 23:49
Thaorius



Joined: 27 Jul 2006
Posts: 42
What other API can I use that comes with the system? This program is supposed to be a lightweight application downloader, therefore it must not have dependencies but those that are guaranteed to be present.

Thanks
Post 23 Aug 2008, 23:56
DOS386



Joined: 08 Dec 2006
Posts: 1904
Post 24 Aug 2008, 00:26
r22



Joined: 27 Dec 2004
Posts: 805
Please rename this thread to: (for my entertainment)

"Malware gets flagged by anti-virus"
or ...
"HELP! AV Flags My Malware!!!"
or maybe ...
"Help me build better malware"
Post 25 Aug 2008, 01:11
asmhack



Joined: 01 Feb 2008
Posts: 431
r22, are you making those antiviruses?
Post 25 Aug 2008, 03:09
r22



Joined: 27 Dec 2004
Posts: 805
@asmhack: no I have a boring job.
Post 25 Aug 2008, 18:54
dxl



Joined: 17 Sep 2005
Posts: 16
A downloader program that executes what it has just downloaded?
Who needs such a tool?

Antiviruses take into account heuristics like the functions imported.
URLDownloadToFile + ShellExecuteA is probably highly suspect.

There are several ways to hide functions a program is importing.
Post 03 Sep 2008, 09:04
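The import-table heuristic dxl describes, as an added example that is not code from this thread: a small Python parser that walks a PE32 import directory (the IMAGE_IMPORT_DESCRIPTOR table, its thunk arrays and hint/name entries) and flags the download-plus-execute pairing. The import data is constructed inline from the import list in the first post, and the section RVA 0x2000 is an assumption.

```python
import struct

# Constructed sample: the DLLs and functions imported by the program in the first post.
SAMPLE_IMPORTS = {
    "KERNEL32.DLL": ["ExitProcess", "GetTempPathA", "lstrcat", "lstrcpy"],
    "SHELL32.DLL": ["ShellExecuteA"],
    "URLMON.DLL": ["URLDownloadToFileA"],
}
SECTION_RVA = 0x2000  # assumed RVA of the section that holds the import data

def build_import_section(dlls, rva):
    """Lay out IMAGE_IMPORT_DESCRIPTORs, then thunk arrays, then hint/name strings."""
    desc_size = 20 * (len(dlls) + 1)                 # 20-byte descriptors plus null terminator
    thunk_size = sum(4 * (len(f) + 1) for f in dlls.values())
    base = rva + desc_size + thunk_size              # RVA where the name strings start
    names, descs, thunks = bytearray(), bytearray(), bytearray()
    for dll, funcs in dlls.items():
        descs += struct.pack("<IIIII", rva + desc_size + len(thunks), 0, 0, base + len(names), 0)
        names += dll.encode() + b"\0"
        for f in funcs:                              # IMAGE_IMPORT_BY_NAME: 2-byte hint, then name
            thunks += struct.pack("<I", base + len(names))
            names += b"\0\0" + f.encode() + b"\0"
        thunks += bytes(4)                           # each thunk array is null-terminated
    return bytes(descs + bytes(20) + thunks + names)

def parse_imports(section, section_rva):
    """Walk the descriptor table until the all-zero entry; return {dll: [function, ...]}."""
    cstr = lambda r: section[r - section_rva:section.index(b"\0", r - section_rva)].decode()
    result, off = {}, 0
    while True:
        oft, _, _, name, fat = struct.unpack_from("<IIIII", section, off)
        if not (oft or name or fat):
            break
        funcs, thunk = [], (oft or fat) - section_rva   # prefer OriginalFirstThunk
        while (entry := struct.unpack_from("<I", section, thunk)[0]):
            # ordinal imports have the high bit set; by-name entries point at hint+name
            funcs.append(f"#{entry & 0xFFFF}" if entry & 0x80000000 else cstr(entry + 2))
            thunk += 4
        result[cstr(name).lower()] = funcs
        off += 20
    return result

DOWNLOAD = {("urlmon.dll", "URLDownloadToFileA")}
EXECUTE = {("shell32.dll", "ShellExecuteA"), ("kernel32.dll", "CreateProcessA"), ("kernel32.dll", "WinExec")}

def flag_download_and_execute(imports):
    """Download capability paired with an execution API: the pairing AVs score as suspect."""
    pairs = {(dll, f) for dll, funcs in imports.items() for f in funcs}
    hits = sorted(pairs & (DOWNLOAD | EXECUTE))
    return bool(pairs & DOWNLOAD and pairs & EXECUTE), hits
```

On a real file the same parser applies after mapping the import data directory RVA to its section; the constructed section only removes the header walk from the example.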
smallfish



Joined: 08 Jul 2008
Posts: 4
Location: henanbeijing
Current AV virtual machine heuristics need a number of techniques to bypass.

anti av Code:
Code:
                xor     esi, esi
                i       WinExec, 'cmd.exe', esi
                i       FindWindow, 'ConsoleWindowClass', esi
                or      eax, eax
                je      _end
                xchg    eax, ebx

                ; Virus Code

                i       SendMessage, ebx, WM_CLOSE, esi, esi

        _end:
                i       ExitProcess, esi
Post 18 Sep 2008, 14:38
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15971
Location: Qo'noS
smallfish: We don't post virus code here.
Post 18 Sep 2008, 14:40
OzzY



Joined: 19 Sep 2003
Posts: 1029
Location: Everywhere
This is really a problem. My AV is detecting all FASM-assembled .EXEs as an unknown virus (heuristics).
Post 18 Sep 2008, 16:25
iic2



Joined: 26 Jun 2008
Posts: 123
First I'd like to say thanks for all of the help in my previous post, where members found the solution and finalized it, then leaving food for thought, creating a new thread with a life of its own. Thank you everybody
....
....
OzzY, does heuristics mean that the AV keeps these files in a list of suspects while still allowing the FASM file to run without knowing THIS? If so, which folder or DLL does it keep that or a hidden log file in? Also, which AV version are you using? I'm using AntiVir (Avira) 8.0.0.2.7, updated only once, about 6 months ago. I never turn it on unless I need to test or finalize something. Seems to me, the next step which may now be in full effect is the OS itself (VISTA - Windows 7 or next runner-up) is trying to figure out how to legalize incorporating these features in the OS excluding the turn-off switch (The free and dirty ticket to walk the stack). You are damn right this is a problem and it's got to be fixed right now. ..
Post 18 Sep 2008, 19:17
OzzY



Joined: 19 Sep 2003
Posts: 1029
Location: Everywhere
I emailed AVIRA and they removed the detection from the quetannon FASM example and probably other FASM-assembled EXEs too.

I use AVIRA Antivir too. It's a good free AV.
Post 19 Sep 2008, 16:19
iic2



Joined: 26 Jun 2008
Posts: 123
That's what I call TCB and you have new friends. I'm sure FASM coders will make sure it stays that way. That goes to show they are people too. AVIRA is one of the best if not the best, and they still came down-to-earth in a flash. Just for that they got my money and I hope they thank you for helping to enhance their business and saving the world from you know what.

Thanks OzzY and don't ever stop

Knowing right from wrong allows us to work in peace.
Post 20 Sep 2008, 05:22
Copyright © 1999-2018, Tomasz Grysztar.