flat assembler
Message board for the users of flat assembler.

Hello world FASM program detected as virus. Why?

OzzY | Joined: 19 Sep 2003 | Posts: 1029 | Location: Everywhere
vid wrote:
I guess it's a non-standard layout of PE sections... this really doesn't appear in any real file.


I guess not. Even this with standard sections is detected:
Code:
format PE GUI 4.0
include 'win32a.inc'
entry main
section '.text' code readable executable
main:
    invoke MessageBox,0,msg,ttl,0
    ret                         ; return from the entry point rather than calling ExitProcess

section '.data' data readable writeable
msg db 'hello world',0
ttl db 'simple program',0

section '.idata' import data readable
library user32,'user32.dll'
import user32,MessageBox,'MessageBoxA'


I guess they need to improve their engine.
Post 20 Jan 2008, 04:56
andyz74 | Joined: 26 Nov 2007 | Posts: 36 | Location: Germany
OzzY wrote:
Would anyone be interested in creating an AV program in FASM?
It would be simple, light-weight and fast.


I'm on Linux myself, but my dad's computer runs Windows and seems to get infected sometimes...
What I thought of a few days ago is another way of "protection": if we assume that nearly all *.exe files don't have overlay code appended, but are just executable code and aren't altered by themselves... then wouldn't it be possible to write a simple program that
a) makes a backup of an exe and
b) appends some "check file integrity" code which raises an alarm if the file is altered?

So, just like you can shrink an exe with "pklite abcde.exe", you could protect a file with "crc-check abcde.exe".

I hope my poor English gives you an idea of what I mean.
What do the experts think about it?

Obviously, this would only protect executable files, so that viruses can't harm them. Trojans and worms are another problem, but (usually) don't fuck up your programs.
Post 21 Jan 2008, 20:01
KingDemon | Joined: 16 Oct 2006 | Posts: 21 | Location: Somewhere in Romania
It's not the PE headers or the sections that are the problem. Some antivirus programs also check for older DOS viruses inside .EXE files. The Windows PE executable format uses a so-called stub DOS program which displays a message if the program is run in DOS, but the .EXE files created by FASM use a non-standard stub program, with most of the MZ (DOS executable header) fields overwritten to make the resulting EXEs smaller. I haven't run one in DOS yet, but I do know that it doesn't contain any kind of message (or code to display the message).

Also, another problem may be that you used a "ret" to exit the program, instead of calling ExitProcess....

_________________
Don't mind me! I'm just a crazy next-door neighbor.
Post 22 Jan 2008, 13:14
LocoDelAssembly | Joined: 06 May 2005 | Posts: 4633 | Location: Argentina
Quote:
I haven't run one in DOS yet, but I do know that it doesn't contain any kind of message (or code to display the message).


But in fact fasm installs a stub; check with a hex editor or load the exe with DEBUG to see the error message.

Code:
C:\DOCUME~1\Hernan\ESCRIT~1>debug test2.exe
-g
This program cannot be run in DOS mode.

El programa ha terminado de forma normal    [The program has terminated normally]

And no, the "This program..." is not generated by DEBUG since I have a Spanish installation.

Additionally you can check the sources:
Code:
make_stub:
        mov     [stub_file],edx
        or      edx,edx
        jnz     stub_from_file          ; a stub file was given, use that instead
        push    esi
        mov     edx,edi                 ; edx = start of the header being built
        xor     eax,eax
        mov     ecx,20h
        rep     stos dword [edi]        ; zero 20h dwords = 80h bytes: header + stub
        mov     eax,40h+default_stub_end-default_stub   ; total size of header + stub (80h)
        mov     cx,100h+default_stub_end-default_stub   ; initial SP, placed above the stub
        mov     word [edx],'MZ'
        mov     word [edx+4],1          ; e_cp: one 512-byte page
        mov     word [edx+2],ax         ; e_cblp: bytes used in the last page
        mov     word [edx+8],4          ; e_cparhdr: header is 4 paragraphs = 40h bytes
        mov     word [edx+0Ah],10h      ; e_minalloc
        mov     word [edx+0Ch],0FFFFh   ; e_maxalloc
        mov     word [edx+10h],cx       ; e_sp
        mov     word [edx+3Ch],ax       ; e_lfanew: PE header starts right after the stub
        mov     word [edx+18h],40h      ; e_lfarlc: (empty) relocation table at 40h
        lea     edi,[edx+40h]
        mov     esi,default_stub
        mov     ecx,default_stub_end-default_stub
        rep     movs byte [edi],[esi]   ; copy the 16-bit stub right after the header
        pop     esi
        jmp     stub_ok
      default_stub:
        use16
        push    cs
        pop     ds                      ; DS = CS, the message offset is relative to the stub
        mov     dx,stub_message-default_stub
        mov     ah,9                    ; DOS: print '$'-terminated string
        int     21h
        mov     ax,4C01h                ; DOS: terminate with exit code 1
        int     21h
      stub_message db 'This program cannot be run in DOS mode.',0Dh,0Ah,24h
        rq      1                       ; pad the stub to 40h bytes
      default_stub_end:
        use32
Post 22 Jan 2008, 14:05
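To make the header layout that make_stub writes concrete, here is an added Python example (not code from the thread or from fasm's sources) that rebuilds the 80h-byte MZ header plus stub byte for byte from the listing above, parses it back with the standard IMAGE_DOS_HEADER field names, and follows the stub's `mov dx` to the string DEBUG printed. The stub opcodes are hand-assembled from the use16 listing; the byte scan in stub_message is an assumption that the stub uses the `mov dx,imm16` form shown, not a general disassembler.

```python
import struct

# DOS stub hand-assembled from fasm's default_stub listing above (use16 code).
# Offsets are relative to the stub start: DOS loads it at CS:IP = 0 because e_cs and
# e_ip are left zero and e_cparhdr tells DOS to strip the 40h-byte header.
STUB_MESSAGE = b"This program cannot be run in DOS mode.\r\n$"
STUB_CODE = bytes([
    0x0E,                   # push cs
    0x1F,                   # pop ds
    0xBA, 0x0E, 0x00,       # mov dx, stub_message-default_stub (= 14)
    0xB4, 0x09,             # mov ah, 9      ; DOS: print '$'-terminated string
    0xCD, 0x21,             # int 21h
    0xB8, 0x01, 0x4C,       # mov ax, 4C01h  ; DOS: terminate, exit code 1
    0xCD, 0x21,             # int 21h
])
DEFAULT_STUB = STUB_CODE + STUB_MESSAGE + bytes(8)   # rq 1 = 8 zero bytes of padding
assert len(STUB_CODE) == 14 and len(DEFAULT_STUB) == 0x40

# IMAGE_DOS_HEADER fields (16-bit; e_lfanew is the one 32-bit field) read back by parse_mz.
MZ_FIELDS = (
    ("e_cblp", 0x02), ("e_cp", 0x04), ("e_crlc", 0x06), ("e_cparhdr", 0x08),
    ("e_minalloc", 0x0A), ("e_maxalloc", 0x0C), ("e_ss", 0x0E), ("e_sp", 0x10),
    ("e_csum", 0x12), ("e_ip", 0x14), ("e_cs", 0x16), ("e_lfarlc", 0x18),
)


def build_fasm_mz_header():
    """Reproduce make_stub: zero 80h bytes, set only the fields fasm sets, append the stub."""
    hdr = bytearray(0x40)
    size = 0x40 + len(DEFAULT_STUB)                       # eax in the listing: 80h
    hdr[0:2] = b"MZ"
    struct.pack_into("<H", hdr, 0x02, size)               # e_cblp: bytes used in the last page
    struct.pack_into("<H", hdr, 0x04, 1)                  # e_cp: one 512-byte page
    struct.pack_into("<H", hdr, 0x08, 4)                  # e_cparhdr: header = 4 paragraphs
    struct.pack_into("<H", hdr, 0x0A, 0x10)               # e_minalloc
    struct.pack_into("<H", hdr, 0x0C, 0xFFFF)             # e_maxalloc
    struct.pack_into("<H", hdr, 0x10, 0x100 + len(DEFAULT_STUB))  # e_sp: stack above the stub
    struct.pack_into("<H", hdr, 0x18, 0x40)               # e_lfarlc: empty relocation table
    struct.pack_into("<H", hdr, 0x3C, size)               # e_lfanew low word; high word stays 0
    return bytes(hdr) + DEFAULT_STUB


def parse_mz(data):
    """Read the IMAGE_DOS_HEADER fields; raise on anything that is not an MZ file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    fields = {name: struct.unpack_from("<H", data, off)[0] for name, off in MZ_FIELDS}
    fields["e_lfanew"] = struct.unpack_from("<I", data, 0x3C)[0]
    return fields


def dos_stub(data):
    """Bytes DOS would load: from the end of the header (e_cparhdr paragraphs) to the PE header."""
    f = parse_mz(data)
    start = f["e_cparhdr"] * 16
    if f["e_lfanew"] <= start:
        return b""                                        # no room for a stub at all
    return data[start:f["e_lfanew"]]


def stub_message(data):
    """Follow the first `mov dx, imm16` (BA xx xx) at or after e_ip to the '$'-terminated
    string it hands to DOS function 09h. A byte scan, not a disassembler: adequate for the
    simple stubs linkers emit; returns None when nothing plausible is found."""
    stub = dos_stub(data)
    ip = parse_mz(data)["e_ip"]
    for i in range(ip, len(stub) - 2):
        if stub[i] == 0xBA:
            off = struct.unpack_from("<H", stub, i + 1)[0]
            end = stub.find(b"$", off)
            if off >= len(stub) or end == -1:
                return None
            return stub[off:end].decode("ascii", "replace")
    return None


if __name__ == "__main__":
    image = build_fasm_mz_header()
    for name, value in parse_mz(image).items():
        print(f"{name:<10} {value:#06x}")
    print(repr(stub_message(image)))
```

Running it against a real fasm-produced .exe instead of the rebuilt header (`parse_mz(open(path, "rb").read())`) shows the same values, which is the quickest way to settle the "no stub" claim without DEBUG.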
OzzY | Joined: 19 Sep 2003 | Posts: 1029 | Location: Everywhere
KingDemon wrote:
It's not the PE headers or the sections that are the problem. Some antivirus programs also check for older DOS viruses inside .EXE files. The Windows PE executable format uses a so-called stub DOS program which displays a message if the program is run in DOS, but the .EXE files created by FASM use a non-standard stub program, with most of the MZ (DOS executable header) fields overwritten to make the resulting EXEs smaller. I haven't run one in DOS yet, but I do know that it doesn't contain any kind of message (or code to display the message).

Also, another problem may be that you used a "ret" to exit the program, instead of calling ExitProcess....


I think you are right. This one isn't detected anymore:
Code:
format PE GUI 4.0
include 'win32a.inc'
entry main
section '.text' code readable executable
main:
    invoke MessageBox,0,msg,ttl,0
    invoke ExitProcess,0        ; explicit process exit instead of ret

section '.data' data readable writeable
msg db 'hello world',0
ttl db 'simple program',0

section '.idata' import data readable
library user32,'user32.dll',\
        kernel32,'kernel32.dll'
import user32,MessageBox,'MessageBoxA'
import kernel32,ExitProcess,'ExitProcess'


But why would the ret be so harmful?
Post 22 Jan 2008, 18:04
revolution | Joined: 24 Aug 2004 | Posts: 17279 | Location: In your JS exploiting you and your system
OzzY wrote:
But why would the ret be so harmful?
I doubt it's the ret as such, but more the lack of ExitProcess that may be triggering the alarm. Many viruses seem to be bent on not exposing which APIs they are using, so perhaps the AV is also unhappy about the paucity of imported APIs.
Post 22 Jan 2008, 18:20
OzzY | Joined: 19 Sep 2003 | Posts: 1029 | Location: Everywhere
Quote:
Dear Sir or Madam,

Thank you for your email to Avira's virus lab.
Tracking number: INC00117077.

A listing of files alongside their results can be found below:

File ID   Filename   Size (Byte)   Result
3651385   test.exe   1.5 KB        FALSE POSITIVE

Please find a detailed report concerning each individual sample below:

Filename   Result
test.exe   FALSE POSITIVE

The file 'test.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection will be removed from our virus definition file (VDF) with one of the next updates.


Congratulations to the Avira virus submission service!
Post 23 Jan 2008, 16:06
KingDemon | Joined: 16 Oct 2006 | Posts: 21 | Location: Somewhere in Romania
Well, your program might not have been a virus, but there are others that use "ret" or "call" tricks a bit differently to get into the kernel. The kernel32 module is loaded automatically for each program at a specific address, even if no functions are used from it.
This way you could call kernel functions without actually adding them to your imports section, which is considered to be a threat by most antivirus software.
Heuristic virus detectors scan for ill-intended usage of system functions, for example calling the CreateFile function to open an .exe with write access.
But if the system calls are hidden from the antivirus, it won't be able to find anything wrong with it, so they decided to solve the problem from the get-go.

_________________
Don't mind me! I'm just a crazy next-door neighbor.
Post 31 Jan 2008, 07:42
daniel.lewis | Joined: 28 Jan 2008 | Posts: 92
To be honest, the only thing keeping me from writing a virus with perfect metamorphosis which installed a secure OS on infected PCs is that I would probably spend the rest of my short natural life in an American prison in Syria.

Pathogenic fundamentals clearly indicate that homogeneous populations are most vulnerable.

Don't be mainstream, and you won't be targeted. Very few viruses for Menuet.

_________________
dd 0x90909090 ; problem solved.
Post 01 Feb 2008, 05:31
Raedwulf | Joined: 13 Jul 2005 | Posts: 375 | Location: United Kingdom
No antivirus here.
Post 02 Feb 2008, 08:19
vid | Joined: 05 Sep 2003 | Posts: 7105 | Location: Slovakia
Another possibility could be that calling imports the FASM way is detected. E.g. when you call procs like this:
Code:
call dword [MessageBox]      ; indirect call straight through the import address table entry


and not
Code:
call MessageBox              ; near call to a local thunk...
...
MessageBox: jmp dword [__imp_MessageBox]   ; ...which jumps through the import address table entry


Can you try whether the second way is detected as a virus too?
Post 02 Feb 2008, 11:09
TheRaven | Joined: 22 Apr 2008 | Posts: 89 | Location: U.S.A.
OzzY wrote:
...I don't know what's worse, if it doesn't detect the virus or if it detects a program that's not a virus as a virus.


Quite a few A.V. utilities will miss viruses and flag a non-viral application as being a trojan...

It is quite annoying and unavoidable with too many A.V. tools like McAfee and the like.

What really grinds my gears is an A.V. suite that fubars itself to the point that it can't even be launched, but has system processes running in the background. On top of all of this you can neither uninstall, install over, nor repair the install whatsoever. To make matters worse the inoperative firewall would screw with software installations, making some applications inoperative as well.

System Mechanic Professional v.7, so much for the professional aspect of it, had to be manually uninstalled from the system registry through regedit. I loved that part!

Two A.V. systems to watch out for are:
1.) McAfee's Internet Security Suite
2.) System Mechanic Professional v.7

_________________
Nothing so sought and avoided more than the truth.
I'm not insane, I know the voices in my head aren't real!
Post 24 Apr 2008, 05:14
Alphonso | Joined: 16 Jan 2007 | Posts: 294
With Avira I get Trojan horse TR/Crypt.XPACK.Gen with just
Code:
format PE GUI 4.0
include 'win32a.inc'

section '.code' code readable executable

            invoke ExitProcess,0

section '.data' code readable writeable

data import

 library kernel32,'KERNEL32.DLL'

 import kernel32,ExitProcess,'ExitProcess'

end data
and no heuristics, but if I comment out the '.data' section it is OK. I just take the lazy way out and put my ASM folder in the 'exceptions' and worry about it if it causes false positives after the code is completed, which it hasn't so far.
Post 24 Apr 2008, 10:28
revolution | Joined: 24 Aug 2004 | Posts: 17279 | Location: In your JS exploiting you and your system
I think it will be because you have a writeable code section. Try this:
Code:
section '.data' readable writeable
Post 24 Apr 2008, 10:38
Alphonso | Joined: 16 Jan 2007 | Posts: 294
Oops, I should be more careful with the cut and paste. However the result is the same, using
Code:
section '.code' readable executable
...
section '.data' readable writeable
...
and even if I use section '.code' executable
Post 24 Apr 2008, 10:51
revolution | Joined: 24 Aug 2004 | Posts: 17279 | Location: In your JS exploiting you and your system
Curious, perhaps anything <2KB (or similar figure) is automatically considered a problem? Try expanding to a larger size
Code:
db 4096 dup ('x')
Post 24 Apr 2008, 10:56
Alphonso | Joined: 16 Jan 2007 | Posts: 294
I did try padding out the code section earlier to make the executable the same size as with a data section, no difference. But here is something interesting: if I debug with Olly it tells me "Module has entry point outside the code (as specified in the PE header). Maybe this file is self-extracting or self-modifying..."
Post 24 Apr 2008, 11:01
revolution | Joined: 24 Aug 2004 | Posts: 17279 | Location: In your JS exploiting you and your system
So insert
Code:
entry $
just before calling ExitProcess.
Post 24 Apr 2008, 13:49
Alphonso | Joined: 16 Jan 2007 | Posts: 294
I did try earlier
Code:
format PE GUI 4.0
entry start
with start being the beginning of code, I tried your suggestion of entry $ too, but no difference. What I found is the "PE optional header : base of code" is set to 0000h but address entry point set to 1000h, if I set base of code to 1000h (hex edit) both Olly and Avira seem happy.
Post 24 Apr 2008, 14:52
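A checker for the header properties this part of the thread lands on: a section that is both writable and executable (the first '.data' declared as code), an entry point outside the BaseOfCode/SizeOfCode range that OllyDbg's message refers to and that Alphonso's hex edit fixed, an entry point outside any executable section, and bytes appended after the last section, which is the overlay that andyz74's integrity-check idea earlier in the thread assumes is absent. This is an added Python example, not code from the thread or from fasm. The PE32 images it inspects are constructed inline by build_pe32 with placeholder section bytes and are not runnable programs; that Avira's and OllyDbg's actual checks match these is an assumption drawn from the posts above, not something verified against either tool.

```python
import hashlib
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FILE_ALIGN = 0x200
SECTION_HDR = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes


def build_pe32(sections, entry_rva, base_of_code, size_of_code, overlay=b""):
    """Constructed test input: minimal PE32 with an MZ header (no DOS stub), COFF and
    optional header, and one section header per (name, rva, characteristics, raw_bytes).
    A header skeleton for the checks below, not a loadable program."""
    mz = bytearray(0x40)
    mz[0:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, 0x40)                     # e_lfanew: PE header next
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    # Magic, linker version, SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData,
    # AddressOfEntryPoint, BaseOfCode, BaseOfData; then ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<HBBIIIIII", opt, 0, 0x10B, 1, 71, size_of_code, 0, 0,
                     entry_rva, base_of_code, 0)
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, FILE_ALIGN)
    table, raw, ptr = b"", b"", FILE_ALIGN
    for name, rva, chars, data in sections:
        size = -(-len(data) // FILE_ALIGN) * FILE_ALIGN         # round up to FileAlignment
        table += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"), len(data), rva,
                             size, ptr, 0, 0, 0, 0, chars)
        raw += data.ljust(size, b"\0")
        ptr += size
    headers = bytes(mz) + coff + bytes(opt) + table
    assert len(headers) <= FILE_ALIGN
    return headers.ljust(FILE_ALIGN, b"\0") + raw + overlay


def parse_pe32(data):
    """Pull out just what the checks need: entry RVA, BaseOfCode/SizeOfCode, section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (not PE32+) is handled here")
    size_of_code = struct.unpack_from("<I", data, opt + 4)[0]
    entry, base_of_code = struct.unpack_from("<II", data, opt + 16)
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, data, opt + opt_size + 40 * i)
        sections.append(dict(name=name.rstrip(b"\0").decode("ascii", "replace"), va=va,
                             vsize=vsize, raw_size=raw_size, raw_ptr=raw_ptr, chars=chars))
    return dict(entry=entry, base_of_code=base_of_code, size_of_code=size_of_code,
                sections=sections)


def heuristics(data):
    """Findings in the spirit of what the thread reports from Avira and OllyDbg."""
    pe = parse_pe32(data)
    found = []
    for s in pe["sections"]:
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            found.append(f"section {s['name']} is writable and executable")
    ep = pe["entry"]
    if not pe["base_of_code"] <= ep < pe["base_of_code"] + pe["size_of_code"]:
        found.append(f"entry point {ep:#x} outside BaseOfCode/SizeOfCode range")
    if not any(s["chars"] & IMAGE_SCN_MEM_EXECUTE
               and s["va"] <= ep < s["va"] + max(s["vsize"], s["raw_size"])
               for s in pe["sections"]):
        found.append(f"entry point {ep:#x} not inside any executable section")
    end = max((s["raw_ptr"] + s["raw_size"] for s in pe["sections"]), default=0)
    if len(data) > end:
        found.append(f"{len(data) - end} bytes of overlay appended after the last section")
    return found


def section_digests(data):
    """SHA-256 per section over the raw file bytes: the baseline a CRC-style integrity
    check would record, and what a later run compares against."""
    return {s["name"]: hashlib.sha256(data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]).hexdigest()
            for s in parse_pe32(data)["sections"]}


# Constructed samples; the section bytes are placeholders, not real code.
CODE_RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE
DATA_RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
LAYOUT = [(".code", 0x1000, CODE_RX, b"\x6a\x00\xff\x15\x00\x20\x40\x00"),
          (".data", 0x2000, DATA_RW, bytes(8))]
SUSPECT = build_pe32(LAYOUT, entry_rva=0x1000, base_of_code=0, size_of_code=0x200)  # as observed
CLEAN = build_pe32(LAYOUT, entry_rva=0x1000, base_of_code=0x1000, size_of_code=0x200)  # after hex edit
WX = build_pe32([(".code", 0x1000, CODE_RX | IMAGE_SCN_MEM_WRITE, bytes(8))],
                entry_rva=0x1000, base_of_code=0x1000, size_of_code=0x200)

if __name__ == "__main__":
    for label, image in (("suspect", SUSPECT), ("clean", CLEAN), ("w+x", WX),
                         ("overlay", CLEAN + b"appended junk")):
        print(label, heuristics(image) or "no findings")
```

Point it at a real file with `heuristics(open(path, "rb").read())`; section_digests is the part an "append a checker" tool would store once and recompute on every launch, which is why appended overlay data leaves the per-section digests unchanged and has to be caught by the overlay check instead.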
AlexP | Joined: 14 Nov 2007 | Posts: 561 | Location: Out the window. Yes, that one.
Quote:
the only thing keeping me from writing a virus with perfect metamorphosis which installed a secure OS on infected PCs; is that I would probably spend the rest of my short natural life in an American prison in Syria.
Last I checked, it's not illegal to code/spread the deadliest viruses on your computer, it's just illegal to 'distribute them', aka get them in the wild.
Post 25 Apr 2008, 12:56


Copyright © 1999-2020, Tomasz Grysztar.