So, I assembled and linked the very first do nothing program in Iczelion's tutorial 2 and then ran the exe. AVG Free fired off on it and reported Trojan horse Back Door.Poison Ivy.N. Here is the whole program:
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
.data
.code
start:
invoke ExitProcess,0
end start
I scanned the \masm32 directory and got no hits with AVG. I also scanned every copy of kernel32.dll (4) and got no hits with AVG, so why am I getting a hit on the assembled exe? Needless to say, this doesn't give me a warm fuzzy.
If your system is not otherwise infected, I would say that you are getting a false positive.
In the tutorial, Iczelion says his file size of the exe is 1,536 bytes. My file size is 12,288 bytes. Quite a bit of difference there.
On my system the exe, built with the included batch file, is 2560 bytes. How did you build yours?
Builds directly from the masm32 editor at 2k.
Make sure your own system is not infected with a virus but it sounds like a false positive, something that the trashy end of AV scanners do regularly.
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
.data
.code
start:
invoke ExitProcess,0
end start
heh, I just built Hutch's code and AVG gave me the same trojan warning, and I damned well know that it ain't. Them's the breaks...
I built mine just as the tutorial stated.
ml /c /coff /Cp msgbox.asm
link /subsystem:windows /libpath:c:\masm32\lib msgbox.obj
I'm running xp home on this laptop.
I might add that I went on to the next listing and added the code to show the message box. After assembling and linking AVG did not fire on this version. The exe is 16 KB.
If your file size is well above the expected value, then it's not a false positive. Try to disassemble the exe...
Replacing "invoke ExitProcess,0" with "ret" (exe is 1024 bytes) passes AVG's test.
I think it has to do with the number of imports...there are quite a few posts here about false positives.
It is difficult to bloat an "invoke ExitProcess, 0" to the extra 10k that he produced. Disassemble the exe, and I am sure there will be nice surprises.
I found the problem with the file size. I was using link ver 6.00.8447. When I used link ver 5.12.8078 the file size came down to 2,560 bytes for the version that outputs a messagebox. I don't know why link ver 6.00.8447 increases the file size, but it does. I have VC++ 6 installed on this pc.
Still, a linker that produces 10k extra and a virus warning might have a little problem.
If you want to keep using the VC6 linker, set the file alignment to 512 bytes.
Quote from: hutch-- on April 05, 2008, 09:00:51 AM
If you want to keep using the VC6 linker, set the file alignment to 512 bytes.
Will that resolve the file size difference? I'm not sure how to set the alignment, but I think the directive is: .align page
Is that correct?
link /?
Quote from: hutch-- on April 05, 2008, 09:41:58 AM
link /?
That worked. File size 2,560 bytes. Thank you.
I suppose I can safely ignore the "Link: warning LNK4108: /Align specified without /driver or /vxd; image may not run" message.
You can safely ignore the warning if you don't intend to write a commercial app for future Windows versions. Although they'll probably never tighten the rules... /align:64 works perfectly on my XP box, with 768 bytes ;-)
Interestingly enough they learnt the lesson with the later linkers which will all do 512 byte alignment. It's part of the PE spec so it runs on all versions of 32 bit Windows.
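The file-size arithmetic behind this thread, as an added example that is not from the forum or from the MASM32 package: a Python script that synthesises a skeletal PE32 image with a chosen FileAlignment (constructed bytes, not real linker output) and a header-only parser that reports FileAlignment, section count and the file size the section table implies. With two sections, alignment 512 yields 1,536 bytes and 4,096 yields 12,288 bytes, the two sizes quoted earlier, so a size jump that the alignment fields fully account for is padding, not extra content; a suspect binary whose section table does not account for its size is the one worth disassembling.

```python
import struct
OPT_SIZE = 224  # length of a PE32 optional header

def build_minimal_pe(file_alignment, section_sizes):
    """Constructed sample: skeletal PE32 bytes (DOS header, PE signature, COFF
    and optional headers, section table, padded raw data). Not loadable; it
    only reproduces the linker's file-size arithmetic."""
    nsec = len(section_sizes)
    align = lambda n: -(-n // file_alignment) * file_alignment
    size_of_headers = align(0x40 + 4 + 20 + OPT_SIZE + 40 * nsec)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, OPT_SIZE, 0x102)
    opt = bytearray(OPT_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 32, 0x1000)                  # SectionAlignment
    struct.pack_into("<I", opt, 36, file_alignment)          # FileAlignment
    struct.pack_into("<I", opt, 60, size_of_headers)         # SizeOfHeaders
    table, raw, ptr = b"", b"", size_of_headers
    for i, size in enumerate(section_sizes):
        raw_size = align(size)                               # rounded up on disk
        table += struct.pack("<8sIIIIIIHHI", b".s%d" % i, size, 0x1000 * (i + 1),
                             raw_size, ptr, 0, 0, 0, 0, 0x60000020)
        raw += b"\xCC" * size + b"\0" * (raw_size - size)
        ptr += raw_size
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + table
    return hdr + b"\0" * (size_of_headers - len(hdr)) + raw

def pe_alignment_report(data):
    """Header-only parse: (FileAlignment, section count, file size implied by
    the section table). Raises on anything that is not a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images handled here")
    file_align = struct.unpack_from("<I", data, opt + 36)[0]
    end = struct.unpack_from("<I", data, opt + 60)[0]         # SizeOfHeaders
    table = opt + struct.unpack_from("<H", data, coff + 16)[0]
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)                   # padding counted
    return file_align, nsec, end

for fa in (512, 4096):  # two sections, e.g. .code and .idata
    print(fa, pe_alignment_report(build_minimal_pe(fa, [16, 32])))
```

Point `pe_alignment_report` at `open("file.exe", "rb").read()` to check a real build; a result whose implied size is well below the actual file length means bytes sit outside the section table.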
This is not part of the PE specs but still runs smoothly on XP... 704 bytes
.386
.model flat, stdcall
.nolist
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
.code
tx db "Wow", 0
msgtitle db "Align:4", 0
start:
invoke MessageBox, 0, addr tx, addr msgtitle, MB_OK
invoke ExitProcess,0
end start