flat assembler
Message board for the users of flat assembler.
Compiler Internals > PE formatter modification that removes fake virus detection
Alphonso 17 Aug 2008, 05:05
Here's a demo 'hello' which, when compiled by FASMW 1.67.27, creates 4 detections on www.VirusTotal.com

Code:
format PE GUI 4.0
include 'win32a.inc'

section '.text' code readable executable
        invoke MessageBox,0,MBText,MBCapt,MB_OK
        invoke ExitProcess,0

section '.data' data readable writeable
MBCapt db 'False Detection Test',0
MBText db 'Hello',0

section '.idata' import data readable writeable
        library kernel32,'KERNEL32.DLL',user32,'USER32.DLL'
        import kernel32,ExitProcess,'ExitProcess'
        import user32,MessageBox,'MessageBoxA'

imho it should be the antivirus software that should be modified, not fasm.
Alphonso 17 Aug 2008, 18:42
Well, I really don't think it's the right thing to do; all we are doing is changing the PE header data, you're still going to get some false positives. It's the antivirus software that needs fixing.
You're more than welcome to the code, though it's a little unrefined and maybe even buggy. I kept it all in one place to minimise the impact on the source code.

Ver 1.67.27
1. Locate and open the 'FORMATS.INC' file in the source directory.
2. Find the label 'directory_ok:' as shown below.

Code:
        mov [edx+ecx*8+4],eax           ; directory size
  directory_ok:
        inc cl
        cmp cl,10h
        jb process_directories
        mov ebx,[code_start]
        sub ebx,[stub_size]
        mov ecx,edi
        sub ecx,ebx
        mov ebp,ecx
        shr ecx,1
        xor eax,eax
        cdq
  calculate_checksum:
        mov dx,[ebx]

Code:
  directory_ok:
        inc cl
        cmp cl,10h
        jb process_directories
;insert here --->
  process_pe_extras:
        mov edx,[code_start]
        mov cx,[edx+6]                  ;number of sections
        test cx,cx
        jz NoSections                   ;Just in case!
        mov word [edx+1ah],2            ;Linker major version |These two just to keep
        mov word [edx+40h],3            ;OS major version     |F-Secure quiet...
        xor eax,eax                     ;Zero data in case of multiple passes
        mov [edx+1ch],eax               ;Size of code
        mov [edx+20h],eax               ;Size of IData
        mov [edx+24h],eax               ;Size of UData
        mov [edx+2ch],eax               ;Base of code
        test [format_flags],8           ;check for 64bit
        jnz NoBaseOfData                ;64bit header does not have a base of data,
                                        ;uses 64 bit image base instead
        mov [edx+30h],eax               ;Base of data
  NoBaseOfData:
        movzx ebx,word [edx+14h]        ;size of optional file header
        add ebx,18h                     ;add size of file header
  MoreSections:
        mov eax,[edx+ebx+24h]           ;Section Characteristics
        test eax,20h
        jnz CodeSection
        test eax,40h
        jnz InitDataSection
        test eax,80h
        jz NextSection                  ;neither code, data nor BSS: nothing to count
                                        ;(the posted jnz skipped the BSS sections instead)
  UnInitDataSection:
        mov eax,[edx+ebx+8]             ;Uninitialised data size = VirtualSize, since a
                                        ;BSS section has no raw data (posted code read +10h)
        add [edx+24h],eax               ;add to size of uninitialised data
        jmp NextSection
  CodeSection:
        cmp [edx+2ch],dword 0           ;Do we have base of code?
        jne BaseOfCodeSet
        mov eax,[edx+ebx+0ch]           ;RVA
        mov [edx+2ch],eax
  BaseOfCodeSet:
        mov eax,[edx+ebx+10h]           ;Code size
        add [edx+1ch],eax               ;add to size of code
        jmp NextSection
  InitDataSection:
        cmp [edx+30h],dword 0           ;Do we have base of data?
        jne BaseOfDataSet
        mov eax,[edx+ebx+0ch]           ;RVA
        mov [edx+30h],eax
  BaseOfDataSet:
        mov eax,[edx+ebx+10h]           ;Data size
        add [edx+20h],eax               ;add to size of InitData
        jmp NextSection
  NextSection:
        add ebx,28h
        dec cx
        jnz MoreSections
  NoSections:
;end of insert --->
        mov ebx,[code_start]
        sub ebx,[stub_size]
        mov ecx,edi
        sub ecx,ebx
        mov ebp,ecx
        shr ecx,1
        xor eax,eax
        cdq
  calculate_checksum:

All we have done here is added:
- OS major version to 3 - F-Secure again!
- Size of Code
- Size of initialized data
- Size of uninitialized data
- Base of code
- Base of data - unless 64bit PE
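As an added example (not code from fasm or from any post in this thread), here is the same bookkeeping the FORMATS.INC insert does, written in Python as a stand-alone tool that can audit or patch an already assembled PE32 or PE32+ file: it walks the section table the way the insert does, derives the five size/base fields, optionally sets the OS version the post changes, and then recomputes the PE CheckSum, which a post-assembly patch would otherwise leave stale because fasm fills that field in after these values are set. Header offsets follow the PE/COFF specification; the sample image and every function name are the example's own.

```python
"""Recompute PE size/base header fields from the section table and fix the
CheckSum.  Added example (not fasm's code or the thread's): a Python
post-processing/audit tool that mirrors the FORMATS.INC insert above.  Header
offsets follow the PE/COFF spec; the sample image below is constructed."""
import struct

CODE, IDATA, UDATA = 0x20, 0x40, 0x80          # IMAGE_SCN_CNT_* characteristics
PE32PLUS_MAGIC = 0x20B
# Offsets relative to "PE\0\0" (optional header at +0x18): the insert's numbers.
OFFSETS = {"SizeOfCode": 0x1C, "SizeOfInitializedData": 0x20,
           "SizeOfUninitializedData": 0x24, "BaseOfCode": 0x2C, "BaseOfData": 0x30}

def _pe_offset(data):
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if bytes(data[pe:pe + 4]) != b"PE\0\0":
        raise ValueError("not a PE image")
    return pe

def _is_plus(data, pe):
    return struct.unpack_from("<H", data, pe + 0x18)[0] == PE32PLUS_MAGIC

def compute_size_fields(data):
    """Walk the section table and return what the header fields should hold."""
    pe = _pe_offset(data)
    _, nsections, _, _, _, opt_size = struct.unpack_from("<HHIIIH", data, pe + 4)
    f = dict.fromkeys(OFFSETS, 0)
    for i in range(nsections):
        hdr = pe + 0x18 + opt_size + i * 0x28               # i-th section header
        vsize, rva, raw = struct.unpack_from("<III", data, hdr + 8)
        flags = struct.unpack_from("<I", data, hdr + 0x24)[0]
        if flags & CODE:                                    # code checked first, as in the post
            f["SizeOfCode"] += raw
            f["BaseOfCode"] = f["BaseOfCode"] or rva        # first code section's RVA
        elif flags & IDATA:
            f["SizeOfInitializedData"] += raw
            f["BaseOfData"] = f["BaseOfData"] or rva
        elif flags & UDATA:
            f["SizeOfUninitializedData"] += vsize           # BSS has no file bytes
    if _is_plus(data, pe):
        del f["BaseOfData"]                                 # PE32+ has no BaseOfData
    return f

def read_size_fields(data):
    """The values currently stored in the optional header."""
    pe = _pe_offset(data)
    skip = "BaseOfData" if _is_plus(data, pe) else None
    return {k: struct.unpack_from("<I", data, pe + off)[0]
            for k, off in OFFSETS.items() if k != skip}

def pe_checksum(data):
    """Standard PE CheckSum: one's-complement sum of 16-bit words (the CheckSum
    field itself skipped), folded to 16 bits, plus the file length."""
    pe = _pe_offset(data)
    skip = range(pe + 0x58, pe + 0x5C)                      # CheckSum at optional+0x40
    padded = bytes(data) + (b"\0" if len(data) % 2 else b"")
    total = 0
    for off in range(0, len(padded), 2):
        if off not in skip:
            total += struct.unpack_from("<H", padded, off)[0]
            total = (total & 0xFFFF) + (total >> 16)
    return total + len(data)

def fix_size_fields(data, os_version=None):
    """Copy with size/base fields rewritten and CheckSum recomputed.  os_version
    =(major, minor) mirrors the post's OS-version change; linker bytes stay."""
    buf = bytearray(data)
    pe = _pe_offset(buf)
    for name, value in compute_size_fields(buf).items():
        struct.pack_into("<I", buf, pe + OFFSETS[name], value)
    if os_version is not None:
        struct.pack_into("<HH", buf, pe + 0x40, *os_version)
    struct.pack_into("<I", buf, pe + 0x58, pe_checksum(buf))
    return bytes(buf)

def audit(data):
    """Which fields disagree with the section table, and is CheckSum right."""
    pe = _pe_offset(data)
    want, have = compute_size_fields(data), read_size_fields(data)
    return {"stale": sorted(k for k in want if want[k] != have[k]),
            "checksum_ok": struct.unpack_from("<I", data, pe + 0x58)[0] == pe_checksum(data),
            "os_version": struct.unpack_from("<HH", data, pe + 0x40),
            "linker_version": struct.unpack_from("<BB", data, pe + 0x1A)}

def build_sample_pe(plus=False):
    # Constructed minimal PE32/PE32+ with zeroed (stale) size fields; not fasm output.
    sections = [  # name, VirtualSize, RVA, SizeOfRawData, PointerToRawData, Characteristics
        (b".text", 0x40, 0x1000, 0x200, 0x200, 0x60000020),
        (b".data", 0x20, 0x2000, 0x200, 0x400, 0xC0000040),
        (b".bss", 0x1000, 0x3000, 0, 0, 0xC0000080)]
    magic, ptr = (PE32PLUS_MAGIC, "Q") if plus else (0x10B, "I")
    std = struct.pack("<HBB" + "I" * (5 if plus else 6), magic, 1, 0,   # linker 1.0
                      *([0, 0, 0, 0x1000, 0] + ([] if plus else [0])))  # sizes 0, entry 0x1000
    win = struct.pack("<" + ptr + "IIHHHHHHIIIIHH" + ptr * 4 + "II", 0x400000, 0x1000, 0x200,
                      1, 0, 0, 0, 4, 0, 0, 0x4000, 0x200, 0, 2, 0,      # OS 1.0, CheckSum 0, GUI
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt = std + win + b"\0" * 128                           # 16 empty data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if plus else 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, rva, raw, p, 0, 0, 0, 0, ch)
                     for n, vs, rva, raw, p, ch in sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    headers = (dos + b"PE\0\0" + coff + opt + table).ljust(0x200, b"\0")
    return headers + b"\xCC" * 0x200 + b"\xAA" * 0x200      # .text and .data raw bytes
```

Run `audit(open(path, 'rb').read())` on a fasm-built binary to see which of the five fields disagree with its section table before deciding whether to patch at all; `fix_size_fields` returns the corrected image. Two deliberate choices differ from the assembly insert: uninitialised data is sized from VirtualSize, since a BSS section has no raw bytes, and the linker version bytes are left untouched so fasm's own version stamp survives.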
LocoDelAssembly 17 Aug 2008, 19:01
Thanks a lot Alphonso for taking the time for doing this. I've moved this to Compiler Internals so Tomasz (and people that customize fasm) can see it easily.
Tomasz Grysztar 18 Aug 2008, 06:51
I agree about code and data values, I plan to have such a change (though a bit different in implementation) - however why would I want to give up storing fasm's version in PE header, just like I should be allowed to?
Copyright © 1999-2024, Tomasz Grysztar.