Is this normal for an ASM programmer? Are all files detected as viruses?

Started by David, November 25, 2009, 09:42:17 PM

David

Hi, I made a chat client in MASM using sockets for my friend for 20 bucks, because MSN's filesize is too big for him. It uses WSAAsyncSockets.

Now the only problem is it is detected as a back-door for some reason, I guess it's because of those stupid "black hats" making trojans with WinSock.  It's a big deal for my friend, because he says nobody will use it.  So I either have to rewrite it in C++ or give him his money back.

Why is it being detected as a backdoor?  It just sends and receives messages and puts them in an edit box.  Will programming in ASM mean all of my programs will be detected as viruses? 




jj2007

AVG occasionally complains about my executables, but it's not a big deal. Your code is obviously more suspicious - a tiny app that sends and receives data over the net, olala! Any heuristic scanner must shout foul. Suggestion: PM the full code to an administrator. You might get some hints.

drizz

1) remove all instructions that c++ compiler would never produce (if you use them); like pushad/popad etc.
2) link statically with c++ runtime library (libc.lib, libcmt.lib whatever) and make WinMain your entrypoint (search forum for examples)

I think this will solve your problem

optional 3) put digital signature on your exe (but you have to add the issuer certificate to every machine)

The truth cannot be learned ... it can only be recognized.

hutch--

David,

Tell us a little bit more about your app and how it's written.

Also if you can identify the AV scanner that is trashing your app, let us know so it can go in the forum sh*t list so others know about the problem.

I have a few basic suggestions, put an XML manifest either in the resource section or as a separate file.


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <description>Your application name</description>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity
        type="win32"
        name="Microsoft.Windows.Common-Controls"
        version="6.0.0.0"
        processorArchitecture="X86"
        publicKeyToken="6595b64144ccf1df"
        language="*"
      />
    </dependentAssembly>
  </dependency>
</assembly>


Put a version info block in the resources.


// Needs the header that defines VS_VERSION_INFO, VOS__WINDOWS32 and VFT_APP
// (winver.h in the Windows SDK).
VS_VERSION_INFO VERSIONINFO
FILEVERSION 1, 0, 0, 0
PRODUCTVERSION 1, 0, 0, 0
FILEOS VOS__WINDOWS32
FILETYPE VFT_APP
BEGIN
  BLOCK "StringFileInfo"
  BEGIN
    BLOCK "040904B0"   // language 0x0409 (US English), code page 0x04B0 (Unicode)
    BEGIN
      VALUE "ApplicationType",  "Yourcode APP\000"
      VALUE "FileDescription",  "What your app is\000"
      VALUE "FileVersion",      "1.0"
      VALUE "LegalCopyright",   "Copyright \251 2008-2009 Yourname\000"
      VALUE "ProductName",      "App product name\000"
      VALUE "Licence",          "Licenced to your Customers Only\000"
    END
  END
  BLOCK "VarFileInfo"
  BEGIN
    VALUE "Translation", 0x409, 0x4B0   // must match the StringFileInfo block name
  END
END


Try using Pelle's linker instead of the old Microsoft one, I have seen that solve similar problems over time.

If you assume that the low end of AV scanning is written by imbeciles you would be right so if you must survive in that environment, do a few of the basic things that make it easy for idiots to get it right.

Let us know if you have any luck here.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php
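
An added example, not code from anyone in this thread: a small Python check that reports whether a built EXE actually carries the three things suggested in the replies above (a version info resource, a manifest resource, and a digital signature). It only tests for the presence of the certificate table, it does not validate the signature; `pe_metadata` and `sample_pe` are names made up for this example, and `sample_pe` builds a constructed header-only image for the demo.

```python
import struct

RT_VERSION, RT_MANIFEST = 16, 24  # resource type IDs (winuser.h)

def pe_metadata(data: bytes) -> dict:
    """Report whether a PE image has version info, a manifest, a certificate table."""
    pe = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else -1
    if pe < 0 or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    opt = pe + 24                                   # start of the optional header
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)    # PE32 / PE32+ data directories
    ndirs, = struct.unpack_from("<I", data, dirs - 4)
    def directory(i):                               # -> (address, size)
        return struct.unpack_from("<II", data, dirs + 8 * i) if i < ndirs else (0, 0)
    rsrc_rva, rsrc_size = directory(2)              # resource directory
    cert_size = directory(4)[1]                     # Authenticode certificate table
    types = set()
    for i in range(nsect if rsrc_size else 0):      # map the resource RVA to a file offset
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        if vaddr <= rsrc_rva < vaddr + max(vsize, rsize):
            root = rptr + rsrc_rva - vaddr
            named, ids = struct.unpack_from("<HH", data, root + 12)
            for j in range(named, named + ids):     # ID entries follow the named ones
                types.add(struct.unpack_from("<I", data, root + 16 + 8 * j)[0])
    return {"version_info": RT_VERSION in types, "manifest": RT_MANIFEST in types,
            "certificate_table": cert_size > 0}

def sample_pe(type_ids=()) -> bytes:
    """Constructed sample: minimal PE32 headers plus a .rsrc section (not runnable)."""
    rsrc = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(type_ids))
    rsrc += b"".join(struct.pack("<II", t, 0x80000000) for t in type_ids)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 92, 16)             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 2, 0x1000, len(rsrc))
    sect = b".rsrc\0\0\0" + struct.pack("<IIII", len(rsrc), 0x1000, len(rsrc), 64 + 24 + 224 + 40) + bytes(16)
    return dos + coff + bytes(opt) + sect + rsrc

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pe((RT_VERSION,))
    for name, present in pe_metadata(data).items():
        print(f"{name:18} {'present' if present else 'MISSING'}")
```

Run it with the path of the linked EXE as the only argument; without an argument it reports on the constructed sample.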