The MASM Forum Archive 2004 to 2012

hello.... to everyone..
iam an amateur; a learner ; one who totally has no setting to programming or any kind of coding environment at all.
So, i request that i may be given a little leeway in the beginning.
The code below is borrowed from GoAsm manual.
DATA SECTION
KEEP  DD 0             
;
CODE SECTION
START:
PUSH -11               
CALL GetStdHandle     
PUSH 0, ADDR KEEP       
PUSH 9
PUSH "GOOD LUCK "
PUSH EAX               
CALL WriteFile
;
XOR EAX, EAX             
RETAfter assembling to get an .obj file, GoLink is used to make an executable. Yes... exe is made alright; but antivirus program blocks it. if i disable the av, everything works out fine. i was informed by a prominent personality in the field that is it is a false positive identification.
Is there any other way than what i was doing (turn off av) to get through this indispensable hindrance?
Regards....

Hello Hello

Does the antivirus kick in if you use a different string (ie. something other than "Good Luck")?

Jorgon, I believe this may be AV-specific. Hello, are you using Avira Antivirus or AVG? Anything I compiled with either MASM or GoASM is automatically flagged as a generic trojan by both of these products. There are numerous other threads about this here:

http://www.masm32.com/board/index.php?board=52.0

On a whim, I tried linking my .obj file with the newest version of Microsoft's LINK.EXE (version 8? 9? I  forget) and this stopped the false reporting; however the executable was nearly twice as large.

However I am not sure this works in all cases, and this is really not the proper solution to the problem. (The problem is, these AV softwares are not following the Portable Executable (PE32) file format specification precisely.) It is amazing how much variance the industry takes on such a "format specification."

Jorgon..

i feel much honored to see your prompt reply.
Yes antivirus shows its value even for another string i had used earlier.
After drifting for a considerable time in the past, finally i landed up at GoAsm. Many thanks for the wonderful documentation of GoAsm (i understood to a level what an assembler or a linker is, after reading it).

Best wishes .....

Mark Jones...

Yes. it is Avira Antivirus  as you have  presumed.
i need to learn assembly from the very beginning and sure i will be around for some time doing just that . hope i would get tolerant response for my elementary queries .

thank you

Hi hello,

Can't remember which AV software I had but it would kick in if I called GetProcessHeap as the first call in the program. Try to make a dummy API call first like GetModuleHandle, might help.

There's definitely a problem with Avira Antivirus.
It found several files on my machine to be infected which no other antivirus program has reported.  Some of these were made with GoAsm and GoLink, but also a large number were made with other assemblers and linkers.  Strangely it passed most of the files, and picked out only a few.  It was notable, however, that all the files were written in assembler.

An exe using the following code was reported ok:-

DATA
PLEASEPASSME DD 0
CODE
START:
XOR EAX,EAX
RET
However an exe using the following code was reported as containing a trojan called TR/Crypt.XPACK.Gen:-
DATA
PLEASEPASSME DD 0
CODE
START:
PUSH EAX,EAX,EAX,EAX
CALL MessageBoxA
XOR EAX,EAX
RET

I havn't yet found any reasoning behind which exe's are reported and which are not, but I don't think that is really the correct approach.  I'm going to take this up with Avira directly.

Hi Jeremy,

Even an attempt to modify hello's code by adding a simple C run-time startup code could not stop Avira from reporting false positive. Linking the same GoAsm object module with Polink does not report any false positive message.

[attachment deleted by admin]

My (limited) experience with this, points to a linking discrepancy. Perhaps somewhere, these AV's have marked specific linking details as "trojan-like."

donkey....

One thing I noticed here (from the content in your response )is that you guys consider me as if iam as qualified as others are in this forum. Far from it , iam at a stage, where i don't even know how to begin assembly coding. The code I had presented above is borrowed from the GoAsm manual. i want to make a start, but still not sure how to...

Anyway... thanks for your response.

Regards...

The problem is how the AV software manufacturer interprets the internals of a PE as malware.

I've been in touch with Avira, and they have said as follows:-

QuoteWe will take out the pattern recognition in one of our next (engine-)updates.

So let's wait and see what happens.  I have Avira installed on my machine, but switched off, and I shall try it out in a few days time.

I've got it:

GoLink produces the Value 60000020h as characteristics for Section '.idata' in the section table. This value is a bitmap for the section flags IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SC_CNT_CODE. The Section '.idata' has to be marked as executable because it holds the indirect jumps to external functions. Microsoft's Link generates this table in the section '.text' and gives section '.rdata' (='.idata') the characteristics value 40000040h (IMAGE_SCN_MEM_READ, IMAGE_SCN_CNT_INITIALIZED_DATA). Changing the GoLink value into the MS value stops Antivir to complain. But then eventually the DEP throws  an exception (for Germany's citizenship test: please pronounce "Datenausführungsverhinderung"!).

HTH

viele grüße
ralph

Hi ralph!

Sorry but I'm not sure that this is the answer.

I updated Avira Antivir (which I presume is the one you are talking about) and did a complete scan.  It passed many files which had the same idata attributes (60000020h) and rejected several files which did not.
I attach a file which it used to reject until I sent it to them, and now it passes as ok.  It has the same idata attributes (60000020h).

Even if you change small things, such as adding only one extra line of instruction it seems to change the response from the Avira product.  I suspect that it is sensitive in some way to a checksum or maybe to the timedate stamp (although I can't imagine why).




[attachment deleted by admin]

Hi Jeremy!

It seems that they (Avira Antivir and McAfee-GW-Edition according to www.virustotal.com) has built in a quick and dirty exception rule. They check the manufacturer label in the msdos stub for the string "GoLink, GoAsm www.GoDevTool". Anything else produces "TR/Crypt.XPACK.Gen". For me assembling with Nasm this is not a very good solution because I get only "GoLink www.GoDevTool.com".

I forgot to mention that this effect does not appear by linking with the option /CONSOLE.

viele grüße
ralph

Really!

That is very nasty indeed.
Someone complained once about that string in the MSDOS stub, but you've found that it has another valuable use.

Does this mean that if someone did want to use GoAsm and GoLink to make a trojan it would not be picked up by the anti virus software?

And the next problem: Antivir doesn't allow me to link a console program against MSVCRT.DLL   :snooty:

But now I know the solution: So I don't want to miss GoLink I have to change to GoAsm :P

viele grüße
ralph

I really hope we don't get into the habit of "fixing" our code because
the programmers at Avira are being lazy. At least, that is how it appears
to me. They have some catch-all code in their av program that needs to
be removed. This should not become our problem. I suggest using a
different av program altogether.

Quote from: rkhb on April 06, 2009, 05:41:02 PM
And the next problem: Antivir doesn't allow me to link a console program against MSVCRT.DLL   :snooty:

But now I know the solution: So I don't want to miss GoLink I have to change to GoAsm :P

viele grüße
ralph

I am using Avira Personal Edition with the latest updates and I don't have any problem with linking this console application against msvcrt.dll :

; Demo built with GoAsm.Exe Version 0.56.5b and GoLink.Exe Version 0.26.9e

.data

msg     db 'hello world!',0
msg2    db 'THIS IS A MSVCRT DEMO.',0
format1 db '%s',13,10,'%s',0

.code

start:

    invoke  _strupr,ADDR msg
    add     esp,4
    invoke  _strlwr,ADDR msg2
    add     esp,4
    invoke  printf,ADDR format1,ADDR msg,ADDR msg2
    add     esp,3*4
    invoke  ExitProcess,0


Jotti (http://virusscan.jotti.org/) reports clean the final executable.

Could you attach your project here so we can test it?

[attachment deleted by admin]

Hi Vortex!

You misunderstood me. I assembled so far with Nasm and linked with GoLink. Linking without /CONSOLE causes a "TR/Crypt.XPACK.Gen" alarm. So I thought I could at least link with /CONSOLE. Far from it!

I attach a little program which shows dividing two integers without use of DIV:

1) GoAsm and GoLink, linked against MSVCRT.DLL,
2) GoAsm and GoLink, linked against CRTDLL.DLL.
3) Nasm and GoLink, linked against MSVCRT.DLL,
4) Nasm and GoLink, linked against CRTDLL.DLL,

I sent the four Executables to www.virustotal.com and got only an alarm for No. 3).

viele grüße
ralph

[attachment deleted by admin]

I agree with dedndave, it's the anti-virus software company's problem, not ours.

I have been running without an anti-virus program for a few months now and I haven't had any problems.  I'm coming to the conclusion that anti-virus software is just not necessary as long as you are careful.

Hi rkhb,

I understand the situation but you should be more specific in that posting. There was no any reference to a Nasm+Golink test.

rkhb,

Could you please test this version? It's reported clean by VirusTotal :

; Name:         test.asm
; Assemblieren: GoAsm.exe test.asm
; Linken:       a) GoLink.exe test.obj /console /entry _main test.exe kernel32.dll msvcrt.dll


.DATA
    Dividend: dd 3979415386
    Divisor:  dd 100000
    fmt:      db "%u div %u = %u",10,0
    Quotient dd ?

.CODE
_main:                                 ; ; EDI = EAX / EBX
        mov eax, [Dividend]
        mov ebx, [Divisor]
        xor edi, edi                   ; Quotient = 0 (Anfangswert)
        xor edx, edx                   ; Zahl (dl) = 0 (Anfangswert)
        mov cl, 32                     ; 32 Schleifendurchgänge: for (CL=32; CL>0; CL--)
    Schleife:
        shl eax, 1                     ; Bit 31 von EAX ...
        rcl edx, 1                     ;     ... nach Bit 1 von EDX
        cmp ebx, edx                   ;  Carry gesetzt, wenn EDX > Divisor (Fall Weiß)
        ja >Sprungmarke                ; Sprung, wenn Carry=0 und Zero=0 (Ergebnis nicht Null)
        sub edx, ebx                   ; Fall Weiß: EDX = EDX - EBX
        stc                            ; Carry setzen
    Sprungmarke:
        rcl edi, 1                     ; Carry (0 oder 1) an Quotienten kleben.
        sub cl, 1
        jnz Schleife
        mov [Quotient], edi

        PUSH [Quotient], [Divisor], [Dividend], ADDR fmt
        call printf ; msvcrt.dll
        add     esp,16                 ; cdecl

        xor eax, eax                   ; Exitcode=0
        invoke ExitProcess,eax


@Vortex

In Reply #14 of this thread I wrote "For me assembling with Nasm...". Why should I write in Reply #16 "...I have to change to GoAsm"?

I don't need to test your program, I'm sure you are right. In Reply #14 I assumed that Antivir and McAfee have a general exception for programs assembled with GoAsm. They check the string in the MSDOS stub generated by GoLink. I presume that <b>any</b> OBJ-file which is <b>not</b> generated by GoAsm would be linked by GoLink to an Executable which will cause Antivir and McAfee to complain.

@Greg

Who is "ours"? It's prior my problem because I can't publish a program which causes a Trojan horse alarm - whencesoever (this word really exists in my dictionary ::)). If people faced the choice to delete my program or the AV program - which choice will they make? But I can solve my problem: I change the assembler or I change the linker. My intention for my postings was to help and not to get help.

viele grüße
ralph