False Alarm

Started by hello, December 09, 2008, 03:19:51 PM


hello

Hello to everyone..
I am an amateur; a learner; one who has no grounding at all in programming or any kind of coding environment.
So, I request that I may be given a little leeway in the beginning.
The code below is borrowed from the GoAsm manual.
DATA SECTION
KEEP  DD 0                 ; receives the byte count written by WriteFile
;
CODE SECTION
START:
PUSH -11                   ; STD_OUTPUT_HANDLE
CALL GetStdHandle          ; EAX = handle to standard output
PUSH 0, ADDR KEEP          ; lpOverlapped = NULL, lpNumberOfBytesWritten = &KEEP
PUSH 9                     ; nNumberOfBytesToWrite
PUSH "GOOD LUCK "          ; lpBuffer (GoAsm pushes the address of the string literal)
PUSH EAX                   ; hFile
CALL WriteFile
;
XOR EAX, EAX               ; return 0 as the process exit code
RET
After assembling to get an .obj file, GoLink is used to make an executable. Yes... the exe is made all right; but the antivirus program blocks it. If I disable the AV, everything works out fine. I was informed by a prominent personality in the field that it is a false positive identification.
Is there any other way than what I was doing (turning off the AV) to get through this indispensable hindrance?
Regards....

jorgon

Hello Hello

Does the antivirus kick in if you use a different string (i.e. something other than "Good Luck")?

Author of the "Go" tools (GoAsm, GoLink, GoRC, GoBug)

Mark Jones

Jorgon, I believe this may be AV-specific. Hello, are you using Avira Antivirus or AVG? Anything I compiled with either MASM or GoASM is automatically flagged as a generic trojan by both of these products. There are numerous other threads about this here:

http://www.masm32.com/board/index.php?board=52.0

On a whim, I tried linking my .obj file with the newest version of Microsoft's LINK.EXE (version 8? 9? I forget) and this stopped the false reporting; however the executable was nearly twice as large.

However I am not sure this works in all cases, and this is really not the proper solution to the problem. (The problem is, these AV products are not following the Portable Executable (PE32) file format specification precisely.) It is amazing how much variance the industry takes on such a "format specification."
"To deny our impulses... foolish; to revel in them, chaos." MCJ 2003.08

hello

Jorgon..

I feel much honored to see your prompt reply.
Yes, the antivirus shows its value even for another string I had used earlier.
After drifting for a considerable time in the past, I finally landed at GoAsm. Many thanks for the wonderful documentation of GoAsm (I understood, to a level, what an assembler or a linker is after reading it).

Best wishes .....

hello

Mark Jones...

Yes, it is Avira Antivirus, as you presumed.
I need to learn assembly from the very beginning and I will surely be around for some time doing just that. I hope I will get a tolerant response to my elementary queries.

thank you


donkey

Hi hello,

Can't remember which AV software I had, but it would kick in if I called GetProcessHeap as the first call in the program. Try making a dummy API call first, like GetModuleHandle; it might help.
"Ahhh, what an awful dream. Ones and zeroes everywhere...[shudder] and I thought I saw a two." -- Bender
"It was just a dream, Bender. There's no such thing as two". -- Fry
-- Futurama

Donkey's Stable

jorgon

There's definitely a problem with Avira Antivirus.
It found several files on my machine to be infected which no other antivirus program has reported.  Some of these were made with GoAsm and GoLink, but also a large number were made with other assemblers and linkers.  Strangely it passed most of the files, and picked out only a few.  It was notable, however, that all the files were written in assembler.

An exe using the following code was reported ok:-

DATA
PLEASEPASSME DD 0          ; one data item so the exe has a data section
CODE
START:
XOR EAX,EAX                ; exit code 0
RET

However an exe using the following code was reported as containing a trojan called TR/Crypt.XPACK.Gen:-
DATA
PLEASEPASSME DD 0          ; one data item so the exe has a data section
CODE
START:
PUSH EAX,EAX,EAX,EAX       ; four dummy parameters (hWnd, lpText, lpCaption, uType)
CALL MessageBoxA           ; the only difference: one imported API call
XOR EAX,EAX                ; exit code 0
RET


I haven't yet found any reasoning behind which exes are reported and which are not, but I don't think that is really the correct approach. I'm going to take this up with Avira directly.

Vortex

Hi Jeremy,

Even an attempt to modify hello's code by adding simple C run-time startup code could not stop Avira from reporting a false positive. Linking the same GoAsm object module with Polink does not produce any false positive message.

[attachment deleted by admin]

Mark Jones

My (limited) experience with this points to a linking discrepancy. Perhaps somewhere these AVs have marked specific linking details as "trojan-like."

hello

donkey....

One thing I noticed here (from the content of your response) is that you guys consider me as if I were as qualified as the others in this forum. Far from it; I am at a stage where I don't even know how to begin assembly coding. The code I presented above is borrowed from the GoAsm manual. I want to make a start, but am still not sure how...

Anyway... thanks for your response.

Regards...

Vortex

The problem is how the AV software manufacturer interprets the internals of a PE as malware.

jorgon

I've been in touch with Avira, and they have said as follows:-
Quote:
    We will take out the pattern recognition in one of our next (engine) updates.
So let's wait and see what happens. I have Avira installed on my machine, but switched off, and I shall try it out in a few days' time.


rkhb

I've got it:

GoLink produces the value 60000020h as the characteristics of section '.idata' in the section table. This value is a bitmap of the section flags IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ and IMAGE_SCN_CNT_CODE. The section '.idata' has to be marked as executable because it holds the indirect jumps to external functions. Microsoft's Link generates this table in section '.text' and gives section '.rdata' (= '.idata') the characteristics value 40000040h (IMAGE_SCN_MEM_READ, IMAGE_SCN_CNT_INITIALIZED_DATA). Changing the GoLink value to the MS value stops Antivir from complaining. But then eventually DEP throws an exception (for Germany's citizenship test: please pronounce "Datenausführungsverhinderung"!).

HTH

Best regards,
ralph

jorgon

Hi ralph!

Sorry but I'm not sure that this is the answer.

I updated Avira Antivir (which I presume is the one you are talking about) and did a complete scan.  It passed many files which had the same idata attributes (60000020h) and rejected several files which did not.
I attach a file which it used to reject until I sent it to them, and now it passes as ok.  It has the same idata attributes (60000020h).

Even if you change small things, such as adding only one extra instruction, it seems to change the response from the Avira product. I suspect that it is sensitive in some way to a checksum or maybe to the time/date stamp (although I can't imagine why).

[attachment deleted by admin]

rkhb

Hi Jeremy!

It seems that they (Avira Antivir and McAfee-GW-Edition, according to www.virustotal.com) have built in a quick and dirty exception rule. They check the manufacturer label in the MS-DOS stub for the string "GoLink, GoAsm www.GoDevTool". Anything else produces "TR/Crypt.XPACK.Gen". For me, assembling with Nasm, this is not a very good solution because I get only "GoLink www.GoDevTool.com".

I forgot to mention that this effect does not appear when linking with the option /CONSOLE.

Best regards,
ralph
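Added example (not from the thread, and not code from the Go tools or any of the posters): a small Python PE header reader that checks the two things ralph points at in his posts, the Characteristics value of each section in the section table (60000020h on '.idata' versus Microsoft's 40000040h) and the text of the MS-DOS stub between the DOS header and the "PE\0\0" signature, plus the subsystem field, since the /CONSOLE observation turns on that. The flag constants and header offsets are the ones from the PE/COFF specification. The two input images are constructed in the script itself (headers only, not loadable programs): one laid out the way GoLink is described in the thread, with an executable '.idata' and "GoLink, GoAsm www.GoDevTool" in the stub, and one laid out the Microsoft way. The stub banner, timestamps and section addresses in those samples are made up for the demonstration.

```python
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

FLAG_NAMES = {
    IMAGE_SCN_CNT_CODE: "IMAGE_SCN_CNT_CODE",
    IMAGE_SCN_CNT_INITIALIZED_DATA: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    IMAGE_SCN_CNT_UNINITIALIZED_DATA: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    IMAGE_SCN_MEM_EXECUTE: "IMAGE_SCN_MEM_EXECUTE",
    IMAGE_SCN_MEM_READ: "IMAGE_SCN_MEM_READ",
    IMAGE_SCN_MEM_WRITE: "IMAGE_SCN_MEM_WRITE",
}
SUBSYSTEM_NAMES = {2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}


def decode_characteristics(value):
    """Name the known flag bits set in a section Characteristics field, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def parse_pe(data):
    """Read DOS header, DOS stub text, COFF header, subsystem and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # Everything between the 64-byte DOS header and the PE signature is the DOS stub;
    # this is where a linker's banner string lives alongside the stub code.
    dos_stub = data[0x40:e_lfanew]
    coff = e_lfanew + 4
    (machine, nsections, timestamp, _symptr, _nsyms,
     opt_size, _coff_chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # Subsystem is at offset 68 of the optional header in both PE32 and PE32+.
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    table = opt + opt_size                # section table follows the optional header
    sections = []
    for i in range(nsections):            # 40-byte IMAGE_SECTION_HEADER entries
        (name, _vsize, vaddr, _rawsize, _rawptr, _relocs, _lines, _nrel, _nlin,
         chars) = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr,
                         "characteristics": chars,
                         "flags": decode_characteristics(chars)})
    return {"machine": machine, "timestamp": timestamp,
            "subsystem": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
            "dos_stub_text": dos_stub.decode("ascii", "ignore").strip("\0 \r\n"),
            "sections": sections}


def executable_non_code_sections(pe):
    """Names of sections carrying IMAGE_SCN_MEM_EXECUTE other than the '.text' section."""
    return [s["name"] for s in pe["sections"]
            if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["name"] != ".text"]


def build_sample_pe(idata_characteristics, stub_text):
    """Constructed headers-only PE32 image (i386, two sections) used as parser input."""
    stub = stub_text.encode("ascii") + b"\0"
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40 + len(stub))       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<H", opt, 68, 2)                        # IMAGE_SUBSYSTEM_WINDOWS_GUI
    hdr = "<8sIIIIIIHHI"
    text = struct.pack(hdr, b".text", 0x100, 0x1000, 0x200, 0x400, 0, 0, 0, 0,
                       IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    idata = struct.pack(hdr, b".idata", 0x100, 0x2000, 0x200, 0x600, 0, 0, 0, 0,
                        idata_characteristics)
    return bytes(dos) + stub + b"PE\0\0" + coff + bytes(opt) + text + idata


def report(data):
    """Human-readable summary of the fields the thread is arguing about."""
    pe = parse_pe(data)
    lines = ["subsystem: %s" % pe["subsystem"], "dos stub: %r" % pe["dos_stub_text"]]
    for s in pe["sections"]:
        lines.append("%-8s %08Xh  %s" % (s["name"], s["characteristics"], ", ".join(s["flags"])))
    lines.append("executable non-code sections: %s"
                 % (", ".join(executable_non_code_sections(pe)) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    # The two layouts described in the thread, as constructed samples.
    print(report(build_sample_pe(0x60000020, "GoLink, GoAsm www.GoDevTool")))
    print()
    print(report(build_sample_pe(0x40000040, "This program cannot be run in DOS mode.")))
```

To run it against a real file, replace the constructed samples with `open(path, "rb").read()`. The point of `executable_non_code_sections` is the one ralph makes: an import section that must be executable because the thunks are jumped to directly is exactly the kind of layout a "packer" heuristic will trip over, and clearing the bit without moving the thunks trades the false positive for a DEP fault.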