Assembler, .exe file being deleted...apparently

Started by riversr54, March 16, 2023, 06:17:19 AM


riversr54

I teach an x86 Assembly Language class at a small college. Over the past few years I've occasionally had a problem with AV not allowing some Assembler program to run. In those cases I've been able to create an exclusion in the AV to solve the problem. This time...I can't seem to fix it. Here's the specifics:

Windows 10 Laptop
Visual Studio 2022
Windows Defender AV

Previous programs were running fine, up to a recent small project. Now nothing works, any attempt to run any assembler project fails, stating that it can't find the .exe file.
The program starts up, displays the command console window, then stops with the error.

I've added an exclusion for the project folder to Defender with no luck. Also tried to add an exclusion for the .exe file but Defender won't let me do that because the file doesn't exist. I'm assuming this is an AV problem because I don't know what else it might be. BTW...copy and past the same code to a different computer and it works perfectly.

I know this has been discussed before but I've tried all the suggestions with no luck. I would really appreciate any help/ideas/suggestions that anyone might have.

Frustrated Faculty



Vortex

Hi riversr54,

Could you post the source code and the executable?

hutch--

Hi riversr54,

It's a problem that is getting worse over time. I try for a UI app to have a manifest and version control block in the resource script, which used to work OK, but of late perfect, reliable executables built from your own source code on a perfectly clean machine are being flagged as infected or suspicious, and some claim that the infections on a Win32/64 exe are for an Apple or Android smartphone.

There are a few things you can do: ensure you get an instance handle, use at least a couple of KERNEL32 functions, and add a manifest and version control block. It helps some, but it is getting worse as AV vendors ramp up the false positives to try and look like they are hitting more things.

Have a look at this data for Win10 64 bit.

http://masm32.com/board/index.php?topic=10733.0

riversr54

Here's the code that we are using to test. Couldn't be much simpler. Copies one array to another.


.386
.model flat,stdcall
.stack 4096
ExitProcess PROTO, dwExitCode:DWORD

.data
    firstArray  BYTE 'a','b'
    secondArray BYTE ?                  ; only one byte is reserved here
    count       BYTE lengthof firstArray

.code
main PROC
    movzx   ecx, count                  ; ECX = number of bytes to copy
    mov     esi, 0                      ; ESI = index into both arrays
L1:
    mov     al, firstArray[esi]
    mov     secondArray[esi], al
    inc     esi
    loop    L1                          ; decrement ECX, repeat while ECX != 0

    INVOKE  ExitProcess, 0
main ENDP
END main


BugCatcher


Vortex

Hello,

This one should work :

.386
.model flat,stdcall

ExitProcess PROTO dwExitCode:DWORD

includelib  \masm32\lib\kernel32.lib

.data

    firstArray  BYTE 'a','b'
    count BYTE lengthof firstArray

.data?

    secondArray db 2 dup(?) ; Reserve two bytes
                            ; in the uninitialized
                            ; data section
.code

start:
       
    movzx   ecx,  count
    xor     esi,esi
L1:
    mov     al,firstArray[esi]
    mov     secondArray[esi],al
    inc     esi
    loop    L1

    invoke  ExitProcess,0

END start

riversr54

Maybe we've forgotten the original question...I don't need help with the code, it works just fine on other machines, but on this one student machine, it will not run because apparently the AV is deleting the .exe before it can actually run. The code is not the problem, it's the AV (at least that's what I think at this point)


C3

Do you build the project on the command line with the batch file or with the Visual Studio's Build Solution-menu?

InfiniteLoop

It sounds like a bad configuration. It's not building an executable but doing something else, such as creating object files, a listing, a .dll, etc.

Vortex

Hi riversr54,

OK, I will test your code on a Windows 10 system, but you need a little help with your code. Let's examine it under the debugger OllyDbg:

00401000 > $ 0FB60D 0320400>MOVZX ECX,BYTE PTR DS:[402003]
00401007   . BE 00000000    MOV ESI,0
0040100C   > 8A86 00204000  MOV AL,BYTE PTR DS:[ESI+402000]
00401012   . 8886 02204000  MOV BYTE PTR DS:[ESI+402002],AL
00401018   . 46             INC ESI
00401019   .^E2 F1          LOOPD SHORT CopyArra.0040100C
0040101B   . 6A 00          PUSH 0                                   ; /ExitCode = 0
0040101D   . E8 00000000    CALL <JMP.&kernel32.ExitProcess>         ; \ExitProcess
00401022   $-FF25 34204000  JMP DWORD PTR DS:[<&kernel32.ExitProcess>;  kernel32.ExitProcess


00402000  61 62 00 02 2C 20 00 00  ab., ..
00402008  00 00 00 00 00 00 00 00  ........


When [ESI+402002] points to 402003, the statement

MOV BYTE PTR DS:[ESI+402002],AL  or mov secondArray[esi],al

will overwrite the length of firstArray. This means that at the address 402003h, the byte value 02h will be replaced by 62h ("b"). This is not a serious mistake, but reserving enough space in your data section to avoid unnecessary overwrites (and potential buffer overruns) will improve your code.

HSE

It's the AV that erases the .exe.

Probably you have to exclude the folder.

First check that computer is not infected with a real virus  :biggrin:
Equations in Assembly: SmplMath
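The checks suggested in the posts above (is the AV deleting the .exe, add a folder exclusion, make sure the box is not actually infected), written out as a PowerShell script. This is an added example, not code from the thread or from the masm32 project; the project folder and executable name are placeholders (the debugger dump shows the module as "CopyArra", which OllyDbg truncates to 8 characters, so the real name is assumed here), and the Defender cmdlets and event IDs are the standard ones that ship with Windows 10. Run it from an elevated PowerShell on the student's machine.

```powershell
# Added example (not from the thread): confirm whether Microsoft Defender removed
# the build output, exclude the project folder, and verify the machine is clean.
# Assumptions: the project lives under $ProjectDir and links to Debug\$ExeName.

$ProjectDir = 'C:\Users\student\source\repos\CopyArray'   # assumption: adjust to the real path
$ExeName    = 'CopyArray.exe'                              # assumption: full name of "CopyArra" in the dump
$ExePath    = Join-Path $ProjectDir "Debug\$ExeName"

# 1. Did the build actually produce an .exe, or only .obj/.lst/.dll files?
#    (rules out the "wrong output type" explanation before blaming the AV)
Get-ChildItem -Path $ProjectDir -Recurse -Include *.exe, *.obj, *.dll, *.lst |
    Select-Object FullName, Length, LastWriteTime

# 2. Ask Defender what it detected under the project folder and what it did about it.
#    Resources is an array of strings such as "file:_C:\...\CopyArray.exe".
Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape($ProjectDir) } |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources

# Threat names for the IDs listed above
Get-MpThreat | Select-Object ThreatID, ThreatName, SeverityID

# The same information from the Defender operational log:
# event 1116 = malware detected, 1117 = action (quarantine/remove) taken
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1116, 1117
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Id, Message

# 3. Exclude the whole project folder (requires Administrator) and confirm it stuck.
#    Excluding the .exe by name fails while the file is already gone, so use the folder.
Add-MpPreference -ExclusionPath $ProjectDir
(Get-MpPreference).ExclusionPath

# 4. Before trusting an exclusion, make sure the machine itself is clean.
Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled, AntivirusSignatureLastUpdated
Start-MpScan -ScanType QuickScan

# 5. Rebuild in Visual Studio, then re-check. If the .exe survives, record its hash so a
#    later deletion can be matched against the detection list; if it is gone again,
#    submit the sample to Microsoft as a false positive.
if (Test-Path $ExePath) {
    Get-FileHash -Path $ExePath -Algorithm SHA256
} else {
    Write-Warning "$ExePath is missing: compare the detection list above and submit the sample at https://www.microsoft.com/en-us/wdsi/filesubmission"
}
```

The point of steps 1 and 2 is to get evidence rather than a guess: a 1117 event naming the project path proves the AV removed the file, while an output folder containing only .obj files means the linker never produced an .exe in the first place. Keep the folder exclusion as narrow as the project directory; excluding a whole drive, as one later post mentions, is workable only if you run a separate on-demand scanner over it.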

hutch--

The problem that riversr54 has referred to is a reasonably recent one, and it appears to coincide with Microsoft shedding thousands of employees and, in the AV field, starting to share viral signatures with the rest of the low end of AV scanners.

Now, differing from virus writers and AV companies (with suspicions that they are the same), the masm32 SDK and the developing masm64 project are created directly from source code on fully isolated development computers that have absolutely no signature lists, malicious code, trojan test pieces or other dangerous code on them.

Developed directly from source code using Microsoft binaries, assemblers, linkers and resource compilers, anyone using these tools, as long as their computer is totally virus and trojan free, is not producing dangerous code that needs to be deleted.

On my own computers, I have had to set exclusions on drives and recently, disable part of the default Microsoft AV scanner, simply to avoid false positives and silent deletions. If you do this, you will need to have a reliable "On Demand" AV scanner. My own choice is Kaspersky's KVRT.EXE.

hutch--

This is the normal response from Kaspersky KVRT.EXE every time I run it on the box where I build MASM32 and the 64 bit SDK.

Vortex

Hello,

I tested an improved version of the code on Windows 10 and had no problems with Windows Defender:

.386
.model flat,stdcall
option casemap:none

include     \masm32\include\windows.inc
include     \masm32\include\kernel32.inc
include     \masm32\include\user32.inc
include     \masm32\include\masm32.inc

includelib  \masm32\lib\kernel32.lib
includelib  \masm32\lib\user32.lib
includelib  \masm32\lib\masm32.lib

.data

    firstArray  BYTE 'a','b',0
    count BYTE lengthof firstArray

.data?

    secondArray db 3 dup(?) ; Reserve three bytes (two characters
                            ; plus the terminating zero) in the
                            ; uninitialized data section
.code

start:
       
    movzx   ecx,  count
    xor     esi,esi
L1:
    mov     al,firstArray[esi]
    mov     secondArray[esi],al
    inc     esi
    loop    L1

    invoke  StdOut,ADDR secondArray
    invoke  ExitProcess,0

END start

greenozon

@Hutch
Be careful, as Kaspersky is well-known Russian digital weaponry.
According to some rumours it has backdoors.