flat assembler
Message board for the users of flat assembler.

PE formatter modification that removes fake virus detection

Alphonso
Here's a demo 'hello' which, when compiled by FASMW 1.67.27, creates 4 detections on www.VirusTotal.com
Code:
format PE GUI 4.0
include 'win32a.inc'

section '.text' code readable executable
  invoke  MessageBox,0,MBText,MBCapt,MB_OK
  invoke  ExitProcess,0

section '.data' data readable writeable
  MBCapt db 'False Detection Test',0
  MBText db 'Hello',0

section '.idata' import data readable writeable
  library kernel32,'KERNEL32.DLL',user32,'USER32.DLL'
  import kernel32,ExitProcess,'ExitProcess'
  import user32,MessageBox,'MessageBoxA'
and attached is the same program compiled by a slightly modified FASMW which gives no detections at all. The only difference between the two hello's is in the PE header; the program binary itself is exactly the same.

imho it should be the antivirus software that should be modified, not fasm.


Attachment: Hello.zip (466 Bytes) - Hello_OK.exe

Post 17 Aug 2008, 05:05
revolution
@Alphonso: Good job.

Now there is just the small matter remaining of telling everyone what changes are needed in the header ... care to do the honours?
Post 17 Aug 2008, 17:23
Alphonso
Well, I really don't think it's the right thing to do; all we are doing is changing the PE header data, and you're still going to get some false positives. It's the antivirus software that needs fixing.

You're more than welcome to the code, though it's a little unrefined and maybe even buggy. I kept it all in one place to minimise the impact to the source code.

Ver 1.67.27
1. Locate and open the 'FORMATS.INC' file in the source directory.
2. Find the label 'directory_ok:' as shown below.
Code:
        mov     [edx+ecx*8+4],eax       ; directory size
      directory_ok:
        inc     cl
        cmp     cl,10h
        jb      process_directories
        mov     ebx,[code_start]
        sub     ebx,[stub_size]
        mov     ecx,edi
        sub     ecx,ebx
        mov     ebp,ecx
        shr     ecx,1
        xor     eax,eax
        cdq
      calculate_checksum:
        mov     dx,[ebx]
After the third line down, 'jb process_directories', insert the following 'process_pe_extras:' code; you should then have the following.
Code:
      directory_ok:
        inc     cl
        cmp     cl,10h
        jb      process_directories
;insert here --->
process_pe_extras:

        mov     edx,[code_start]        ;edx -> "PE\0\0" signature
        mov     cx,[edx+6]              ;number of sections
        test    cx,cx
        jz      NoSections              ;Just in case!

        mov     word [edx+1ah],2        ;Linker major version   |These two just to keep
        mov     word [edx+40h],3        ;OS major version       |F-Secure quiet...

        xor     eax,eax                 ;Zero data in case of multiple passes
        mov     [edx+1ch],eax           ;Size of code
        mov     [edx+20h],eax           ;Size of IData
        mov     [edx+24h],eax           ;Size of UData
        mov     [edx+2ch],eax           ;Base of code
        test    [format_flags],8        ;check for 64bit
        jnz     NoBaseOfData            ;64bit header does not have a base of data
                                        ;uses 64 bit image base instead
        mov     [edx+30h],eax           ;Base of data
NoBaseOfData:
        movzx   ebx,word [edx+14h]      ;size of optional file header
        add     ebx,18h                 ;add size of file header -> first section header
MoreSections:
        mov     eax,[edx+ebx+24h]       ;Section Characteristics
        test    eax,20h                 ;IMAGE_SCN_CNT_CODE
        jnz     CodeSection
        test    eax,40h                 ;IMAGE_SCN_CNT_INITIALIZED_DATA
        jnz     InitDataSection
        test    eax,80h                 ;IMAGE_SCN_CNT_UNINITIALIZED_DATA
        jnz     UnInitDataSection
        jmp     NextSection             ;none of the three - nothing to count

UnInitDataSection:
        mov     eax,[edx+ebx+08h]       ;Virtual size (raw size is 0 for uninitialised data)
        add     [edx+24h],eax           ;add to size of uninitialised data
        jmp     NextSection

CodeSection:
        cmp     [edx+2ch],dword 0       ;Do we have base of code?
        jne     BaseOfCodeSet
        mov     eax,[edx+ebx+0ch]       ;RVA
        mov     [edx+2ch],eax
BaseOfCodeSet:
        mov     eax,[edx+ebx+10h]       ;Code size (size of raw data)
        add     [edx+1ch],eax           ;add to size of code
        jmp     NextSection

InitDataSection:
        cmp     [edx+30h],dword 0       ;Do we have base of data?
        jne     BaseOfDataSet
        mov     eax,[edx+ebx+0ch]       ;RVA
        mov     [edx+30h],eax
BaseOfDataSet:
        mov     eax,[edx+ebx+10h]       ;Data size (size of raw data)
        add     [edx+20h],eax           ;add to size of Initdata
        jmp     NextSection

NextSection:
        add     ebx,28h                 ;next section header (28h bytes each)
        dec     cx
        jnz     MoreSections
NoSections:
;end of insert--->
        mov     ebx,[code_start]
        sub     ebx,[stub_size]
        mov     ecx,edi
        sub     ecx,ebx
        mov     ebp,ecx
        shr     ecx,1
        xor     eax,eax
        cdq
      calculate_checksum:
Save and recompile FASM(D)(W).ASM. I only tried this with FASMW.ASM, but I guess the others should be OK.

All we have done here is add the following:
    Linker version to 2 - just to keep F-Secure happy
    OS major version to 3 - F-Secure again!
    Size of Code
    Size of initialized data
    Size of uninitialized data
    Base of code
    Base of data - unless 64bit PE

Well, I think that's all; remember this isn't a fix but is meant to show that some antivirus software seems to be using the PE header as part of a virus signature.


Attachment: FASMW.zip (60.7 KB) - A compiled FASMW.EXE using above code

Attachment: FORMATS.zip (14.19 KB) - For those that don't like to cut & paste

Post 17 Aug 2008, 18:42
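As an added illustration (not code from this thread or from fasm), here is a Python check that reads a PE image and recomputes the same fields the patch fills from the section table, so you can see whether a binary still carries the all-zero SizeOfCode/BaseOfCode header that the heuristics keyed on. The sample image it audits is constructed inline with the three sections of the 'hello' demo; `audit_pe` and `build_sample` are names chosen here.

```python
import struct

# Offsets from the "PE\0\0" signature (the patch's edx); PE32+ has no BaseOfData.
FIELDS = {"MajorLinkerVersion": (0x1A, "<B"), "SizeOfCode": (0x1C, "<I"),
          "SizeOfInitializedData": (0x20, "<I"), "SizeOfUninitializedData": (0x24, "<I"),
          "BaseOfCode": (0x2C, "<I"), "BaseOfData": (0x30, "<I"),
          "MajorOperatingSystemVersion": (0x40, "<H")}

def audit_pe(data):
    """Return (header, expected, mismatches): the fields the image carries versus the
    values recomputed from its section table the way the patch computes them."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    assert data[pe:pe + 4] == b"PE\0\0", "not a PE image"
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 0x14)[0]
    pe32plus = struct.unpack_from("<H", data, pe + 0x18)[0] == 0x20B
    header = {k: struct.unpack_from(f, data, pe + off)[0]
              for k, (off, f) in FIELDS.items() if not (pe32plus and k == "BaseOfData")}
    expected = {k: 0 for k in header if k.startswith(("SizeOf", "BaseOf"))}
    sect = pe + 0x18 + opt_size                                   # first section header
    for _ in range(nsect):
        vsize, rva, raw = struct.unpack_from("<III", data, sect + 0x08)
        chars = struct.unpack_from("<I", data, sect + 0x24)[0]
        if chars & 0x20:                                          # IMAGE_SCN_CNT_CODE
            expected["SizeOfCode"] += raw
            expected["BaseOfCode"] = expected["BaseOfCode"] or rva
        elif chars & 0x40:                                        # IMAGE_SCN_CNT_INITIALIZED_DATA
            expected["SizeOfInitializedData"] += raw
            if "BaseOfData" in expected:
                expected["BaseOfData"] = expected["BaseOfData"] or rva
        elif chars & 0x80:                                        # IMAGE_SCN_CNT_UNINITIALIZED_DATA
            expected["SizeOfUninitializedData"] += vsize        # raw size is 0 for bss
        sect += 0x28
    return header, expected, [k for k, v in expected.items() if header[k] != v]

def build_sample(fill_header):
    """Constructed PE32 header (no section bodies) with the 'hello' demo's three
    sections; fill_header=False leaves the fields at zero like unpatched fasm did."""
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    sections = [(b".text", 0x1000, 0x60000020), (b".data", 0x2000, 0xC0000040),
                (b".idata", 0x3000, 0xC0000040)]                 # (name, RVA, flags)
    filehdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0); struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    if fill_header:
        struct.pack_into("<BxIII", opt, 2, 2, 0x200, 0x400, 0)    # linker 2, code/init/uninit
        struct.pack_into("<III", opt, 0x10, 0x1000, 0x1000, 0x2000)  # entry, BaseOfCode, BaseOfData
        struct.pack_into("<H", opt, 0x28, 3)                      # OS major version 3
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, 0x200, rva, 0x200, 0, 0, 0, 0, 0, f)
                     for n, rva, f in sections)
    return bytes(dos) + b"PE\0\0" + filehdr + bytes(opt) + table
```

Run `audit_pe` over a real executable's bytes to get the list of header fields that disagree with the section table; an empty list means the image carries the same values the patched formatter would write.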
LocoDelAssembly
Thanks a lot, Alphonso, for taking the time to do this. I've moved this to Compiler Internals so Tomasz (and people that customize fasm) can see it easily.
Post 17 Aug 2008, 19:01
Tomasz Grysztar
I agree about the code and data values; I plan to have such a change (though a bit different in implementation) - however, why would I want to give up storing fasm's version in the PE header, just like I should be allowed to?
Post 18 Aug 2008, 06:51
Copyright © 1999-2020, Tomasz Grysztar.