flat assembler
Message board for the users of flat assembler.
Windows > Hello world FASM program detected as virus. Why?
andyz74 21 Jan 2008, 20:01
OzzY wrote:
Would anyone be interested in creating an AV program in FASM?

I'm on Linux myself, but my dad's computer is Windows and seems to be infected sometimes... What I thought of a few days ago is another way of "protection": if we assume that nearly all *.exe files don't have overlay code appended, but are just executable code and aren't altered by themselves... then wouldn't it be possible to write a simple program that a) makes a backup of an exe and b) appends some "check-file-integrity code" which raises an alarm if the file is altered? So, just like you can shrink an exe with "pklite abcde.exe", you could protect a file with "crc-check abcde.exe". I hope my desolate English could give you an idea of what I mean. What do the experts think about it? Obviously, this would only protect executable files, so that virii can't harm them. Trojans and worms are another problem, but (usually) don't fuck up your programs.
KingDemon 22 Jan 2008, 13:14
It's not the PE headers or the sections that are the problem. Some antivirus programs also check for older DOS viruses inside .EXE files. The Windows PE executable format uses a so-called stub DOS program which displays a message if the program is run in DOS, but the .EXE files created by FASM use a non-standard stub program, with most of the MZ (DOS executable header) fields overwritten to make the resulting EXEs smaller. I haven't run one in DOS yet, but I do know that it doesn't contain any kind of message (or code to display the message).
Also, another problem may be that you used a "ret" to exit the program, instead of calling ExitProcess...
_________________
Don't mind me! I'm just a crazy next-door neighbor.
LocoDelAssembly 22 Jan 2008, 14:05
Quote:
But in fact fasm installs a stub; check with a hex editor or load the exe with DEBUG to see the error message.
Code:
C:\DOCUME~1\Hernan\ESCRIT~1>debug test2.exe
-g
This program cannot be run in DOS mode.
El programa ha terminado de forma normal

And no, the "This program..." is not generated by DEBUG since I have a Spanish installation. Additionally you can check the sources:
Code:
make_stub:
	mov	[stub_file],edx
	or	edx,edx
	jnz	stub_from_file		; a stub file was given on the command line
	push	esi
	mov	edx,edi
	xor	eax,eax
	mov	ecx,20h
	rep	stos dword [edi]	; zero the 80h-byte MZ header
	mov	eax,40h+default_stub_end-default_stub
	mov	cx,100h+default_stub_end-default_stub
	mov	word [edx],'MZ'
	mov	word [edx+4],1
	mov	word [edx+2],ax
	mov	word [edx+8],4
	mov	word [edx+0Ah],10h
	mov	word [edx+0Ch],0FFFFh
	mov	word [edx+10h],cx
	mov	word [edx+3Ch],ax		; e_lfanew: PE header follows the stub
	mov	word [edx+18h],40h
	lea	edi,[edx+40h]
	mov	esi,default_stub
	mov	ecx,default_stub_end-default_stub
	rep	movs byte [edi],[esi]	; copy the 16-bit stub after the header
	pop	esi
	jmp	stub_ok
default_stub:
	use16
	push	cs
	pop	ds
	mov	dx,stub_message-default_stub
	mov	ah,9			; DOS: print '$'-terminated string
	int	21h
	mov	ax,4C01h		; DOS: exit with code 1
	int	21h
stub_message db 'This program cannot be run in DOS mode.',0Dh,0Ah,24h
	rq	1
default_stub_end:
	use32
OzzY 22 Jan 2008, 18:04
KingDemon wrote:
It's not the PE headers or the sections that are the problem. Some antivirus programs also check for older DOS viruses inside .EXE files. The Windows PE executable format uses a so-called stub DOS program which displays a message if the program is run in DOS, but the .EXE files created by FASM use a non-standard stub program, with most of the MZ (DOS executable header) fields overwritten to make the resulting EXEs smaller. I haven't run one in DOS yet, but I do know that it doesn't contain any kind of message (or code to display the message).

I think you are right. This one isn't detected anymore:
Code:
format PE GUI 4.0
include 'win32a.inc'
entry main

section '.text' code readable executable
main:
	invoke	MessageBox,0,msg,ttl,0
	invoke	ExitProcess,0

section '.data' data readable writeable
msg db 'hello world',0
ttl db 'simple program',0

section '.idata' import data readable
library user32,'user32.dll',\
	kernel32,'kernel32.dll'
import user32,MessageBox,'MessageBoxA'
import kernel32,ExitProcess,'ExitProcess'

But why would the ret be so harmful?
revolution 22 Jan 2008, 18:20
OzzY wrote:
But why would the ret be so harmful?
OzzY 23 Jan 2008, 16:06
Quote:
Dear Sir or Madam, Congratulations for AVIRA virus submission service!
KingDemon 31 Jan 2008, 07:42
Well, your program might not have been a virus, but there are others that use "ret" or "call" tricks a bit differently to get into the kernel. The kernel32 module is loaded automatically for each program at a specific address, even if no functions are used from it.
This way you could call kernel functions without actually adding them to your imports section, which is considered a threat by most antivirus software. Heuristic virus detectors scan for badly intended usage of system functions, for example calling the CreateFile function to open an .exe with write access. But if the system calls are hidden from the antivirus, it won't be able to find anything wrong with it, so they decided to solve the problem from the get-go.
_________________
Don't mind me! I'm just a crazy next-door neighbor.
daniel.lewis 01 Feb 2008, 05:31
To be honest, the only thing keeping me from writing a virus with perfect metamorphosis which installed a secure OS on infected PCs is that I would probably spend the rest of my short natural life in an American prison in Syria.
Pathogenic fundamentals clearly indicate that homogeneous populations are most vulnerable. Don't be mainstream, and you won't be targeted. Very few virii for Menuet. :p
_________________
dd 0x90909090 ; problem solved.
Raedwulf 02 Feb 2008, 08:19
No antivirus here.
vid 02 Feb 2008, 11:09
Another possibility could be that calling imports the FASM way is detected. E.g. when you call procs like this:
Code:
call dword [MessageBox]

and not
Code:
call MessageBox
...
MessageBox:
	jmp dword [__imp_MessageBox]

Can you try whether the second way is detected as a virus too?
TheRaven 24 Apr 2008, 05:14
OzzY wrote:
...I don't know what's worse, if it doesn't detect the virus or if it detects a program that's not a virus as a virus.

Quite a few A.V. utilities will miss viruses and allege that a non-viral application is a trojan... It is quite annoying and unavoidable with too many A.V. tools like McAfee and the like. What really grinds my gears is an A.V. suite that fubars itself to the point that it can't even be launched, but has system processes running in the background. On top of all of this you can neither uninstall, install over, or repair the install whatsoever. To make matters worse the inop firewall would screw with software installations, making some applications inop as well. System Mechanic Professional v.7 (so much for the professional aspect of it) had to be manually uninstalled from the system registry through regEdit. I loved that part!

Two A.V. systems to watch out for are:
1.) McAfee's Internet Security Suite
2.) System Mechanic Professional v.7
_________________
Nothing so sought and avoided more than the truth. I'm not insane, I know the voices in my head aren't real!
Alphonso 24 Apr 2008, 10:28
With Avira I get Trojan horse TR/Crypt.XPACK.Gen with just
Code:
format PE GUI 4.0
include 'win32a.inc'

section '.code' code readable executable
	invoke	ExitProcess,0

section '.data' code readable writeable
data import
	library kernel32,'KERNEL32.DLL'
	import kernel32,ExitProcess,'ExitProcess'
end data
revolution 24 Apr 2008, 10:38
I think it will be because you have a writeable code section. Try this:
Code:
section '.data' readable writeable
Alphonso 24 Apr 2008, 10:51
Oops, I should be more careful with the cut and paste. However the result is the same, using
Code:
section '.code' readable executable
...
section '.data' readable writeable
...
revolution 24 Apr 2008, 10:56
Curious, perhaps anything <2KB (or a similar figure) is automatically considered a problem? Try expanding to a larger size:
Code:
db 4096 dup ('x')
Alphonso 24 Apr 2008, 11:01
I did try padding out the code section earlier to make the executable the same size as with a data section; no difference. But here is something interesting: if I debug with Olly it tells me "Module has entry point outside the code (as specified in the PE header). Maybe this file is self-extracting or self-modifying..."
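The header properties this thread keeps returning to (the DOS stub message KingDemon and LocoDelAssembly argue about, Olly's "entry point outside the code" warning, and revolution's writable code section) can all be read straight from the PE headers. The inspector below is an added example, not code from the thread or from fasm itself; build_image is a hypothetical helper that constructs header-only bytes for testing and does not produce a loadable executable.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000   # section characteristic bits (PE/COFF spec)
IMAGE_SCN_MEM_WRITE = 0x80000000
DOS_STUB_MSG = b"This program cannot be run in DOS mode."

def parse_pe(image):
    """Return (e_lfanew, entry RVA, [(name, va, size, characteristics), ...])."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                             # 20-byte COFF file header
    nsec = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    entry = struct.unpack_from("<I", image, coff + 20 + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsec):                           # 40-byte section headers follow the optional header
        name, vsize, va, rawsize, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, coff + 20 + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, max(vsize, rawsize), chars))
    return e_lfanew, entry, sections

def inspect(image):
    """Evaluate the three header heuristics discussed in the thread."""
    e_lfanew, entry, sections = parse_pe(image)
    stub = image[0x40:e_lfanew]                     # DOS stub sits between MZ header and PE signature
    return {
        "dos_stub_message": DOS_STUB_MSG in stub,
        "entry_in_executable_section": any(
            va <= entry < va + size and bool(chars & IMAGE_SCN_MEM_EXECUTE)
            for _, va, size, chars in sections),
        "writable_executable": [n for n, _, _, c in sections
                                if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE],
    }

def build_image(entry, sections, stub=DOS_STUB_MSG):
    """Constructed header-only PE image for exercising inspect(); it is not loadable."""
    e_lfanew = (0x40 + len(stub) + 7) & ~7          # PE header starts 8-byte aligned after the stub
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    img = bytes(dos) + stub.ljust(e_lfanew - 0x40, b"\0")
    opt = struct.pack("<H", 0x10B) + bytes(14) + struct.pack("<I", entry) + bytes(76)  # PE32, 96 bytes
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102) + opt
    for name, va, size, chars in sections:
        img += struct.pack("<8sIIIIIIHHI", name.encode(), size, va, size, 0, 0, 0, 0, 0, chars)
    return img
```

Run inspect() over a real fasm output file (open it with mode "rb") to see which of the three flags it trips; the test images only exercise the parser.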
revolution 24 Apr 2008, 13:49
So insert
Code:
entry $
Alphonso 24 Apr 2008, 14:52
I did try earlier
Code:
format PE GUI 4.0
entry start
AlexP 25 Apr 2008, 12:56
Quote:
the only thing keeping me from writing a virus with perfect metamorphosis which installed a secure OS on infected PCs is that I would probably spend the rest of my short natural life in an American prison in Syria.
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.