The MASM Forum

64 bit assembler => UASM Assembler Development => Topic started by: LiaoMi on August 27, 2017, 10:15:23 AM

Title: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: LiaoMi on August 27, 2017, 10:15:23 AM
Hello,

64 bit examples for the UASM from Chinese colleagues, it will be interesting to learn from these examples  :t Password - 1
https://www.file-upload.net/**********windows64-1.7z.html

Have a good weekend all!!!
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: habran on August 27, 2017, 01:26:05 PM
They are not examples, that is some suspicious exe and some suspicious installer ::)
I am not gonna install that and not gonna run that exe either :icon13:
I don't see any source examples there, maybe I should take off my shades 8)
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: jj2007 on August 27, 2017, 01:40:39 PM
They even have made an extra effort to hide the URL that you normally see in the lower left corner when you hover over the links!

LiaoMi, can you tell us more about this?

Habran, what does Jotti (https://virusscan.jotti.org/en-US/scan-file) say about the exe and the installer?
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: habran on August 27, 2017, 03:41:09 PM
I don't have Jotti, I use Malwarebytes. Did not react, however, I am not interested in games and installers and don't want to install some crap on my laptop.
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: aw27 on August 27, 2017, 04:23:26 PM
I ran it on a virtual machine I have for testing dubious software. It does not ask for a folder to install to, and I could not find anything installed or new in the Program Files folders, ProgramData, Windows and System32 folders, or Documents. It does not ask for a password either.
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: habran on August 27, 2017, 04:50:43 PM
Is there only exe or they provided some source?
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: aw27 on August 27, 2017, 05:26:54 PM
Quote from: habran on August 27, 2017, 04:50:43 PM
Is there only exe or they provided some source?
I did not find anything at all.  :shock:
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: habran on August 27, 2017, 06:30:10 PM
  :icon_eek: WTPH ::)

LiaoMi, are you pulling our legs? :dazzled:
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: LiaoMi on August 27, 2017, 06:45:44 PM
Hello people!

Sorry for the inconvenience! I use this file sharing service because one of the users from the forum also used it. I can download as usual; the appearance of ads and malicious files depends on the browser and IP address.

In the 7z archive there are source codes. I don't know where I can re-upload the archive so that it does not cause a new wave of installers for you?!

http://sendfile.su/1357767 (http://sendfile.su/1357767) On this file sharing service I don't get advertising and no file downloader. Here is an alternative link: https://mega.co.nz/#!I15wnLRD!AAAAAAAAAAAS85NJHNJVdQAAAAAAAAAAEvOTSRzSVXU (https://mega.co.nz/#!I15wnLRD!AAAAAAAAAAAS85NJHNJVdQAAAAAAAAAAEvOTSRzSVXU)

I use the Chrome browser with AdGuard, and I also have Malwarebytes. I'll erase the link above so that no one can pick up this spyware ... The link will stay in this message, but with a warning that it is infected:

https://www.file-upload.net/download-12679197/windows64-1.7z.html   :icon_exclaim: :icon_exclaim: :icon_exclaim: :icon_exclaim: :icon_exclaim: :icon_exclaim: infected
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: LiaoMi on August 27, 2017, 06:56:32 PM
Here is my download page for downloading from an infected service
(https://image.ibb.co/fe7gbk/Image_1.png)

Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: GoneFishing on August 27, 2017, 06:57:31 PM
I've downloaded and extracted the archive. Nothing suspicious so far ( didn't scan exe's though ).
Archive extracts everything to luoyunbin folder
The contents of the folder:
Quote
Appendix A  Chapter03  Chapter07  Chapter11  Chapter15  Readme.txt
Appendix B  Chapter04  Chapter08  Chapter12  Chapter16  Var.bat
Appendix C  Chapter05  Chapter09  Chapter13  Chapter17  读者调查表.doc
Chapter02   Chapter06  Chapter10  Chapter14  Chapter18  附录A-C.pdf
Where Appendix* and Chapter** are subfolders containing other subfolders with asm sources, makefiles, object files and exe's.
Looks like lots of work. The only (and HUGE!) disadvantage of the package is that all the docs and comments are written in Chinese. Translate it to English and re-upload it.

@jj &  @habran
The download page as shown by JJ has 3 download buttons. One (blue) is for downloading the archive and the other 2 are for something else :)


Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: habran on August 27, 2017, 07:48:26 PM
No success :(
Password required when you want to extract it ::)
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: GoneFishing on August 27, 2017, 07:54:30 PM
password : 1
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: aw27 on August 27, 2017, 07:54:44 PM
I will download directly from here:
https://github.com/zhaohengyi/Win_Asm_Program_Ver2
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: LiaoMi on August 27, 2017, 08:10:25 PM
Quote from: aw27 on August 27, 2017, 07:54:44 PM
I will download directly from here:
https://github.com/zhaohengyi/Win_Asm_Program_Ver2

This is an older version for the 32-bit system

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Build and link with nmake or with the following commands:
; ml /c /coff Main.asm
; rc Main.rc
; Link  /subsystem:windows Main.obj Main.res
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.386
.model flat, stdcall
option casemap :none


And this one, in the topic's archive, is for a 64-bit system and UASM:

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Build and link with nmake or with the following commands:
; uasm -c -win64 Main.asm
; rc Main.rc
; Link  /subsystem:windows Main.obj Main.res
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
option casemap:none
option win64:7


        .elseif eax == WM_HOOK
                mov     rax,wParam
                .if al == 0dh                   ; a bare CR is expanded to CR/LF
                        mov     eax,0a0dh
                .endif
                mov     @dwTemp,eax             ; @dwTemp now holds a zero-terminated string
                invoke  SendDlgItemMessage,hWnd,IDC_TEXT,EM_REPLACESEL,0,addr @dwTemp
        .else
                mov     rax,FALSE
                ret
        .endif
        mov     rax,TRUE
        ret

_ProcDlgMain endp
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: aw27 on August 27, 2017, 08:31:27 PM
Quote from: LiaoMi on August 27, 2017, 08:10:25 PM
This is an older version for the 32-bit system

Thank you, LiaoMi  :icon14:
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: habran on August 27, 2017, 08:46:48 PM
OK, I have succeeded to extract it :t
Thanks LiaoMi :biggrin:

It is nice to see that UASM is becoming INTERNATIONALLY preferred assembler ;)
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: avcaballero on August 27, 2017, 08:47:58 PM
What a mess. Why not make a simple 7zip or do it in several 7zip files? The 32-bit version seems to be good.

Finally I've got it from mega
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: Vortex on August 27, 2017, 09:30:45 PM
Hi caballero,

The nested, password-protected archives method is a nasty trick aimed to "escape" or "avoid" online scanners. I extracted the contents of the zip and 7z archive and created a new one without a password. Uploaded it to Jotti:

https://virusscan.jotti.org/en-US/filescanjob/sod5np9egx


PUA.Win.Packer.Upx-4
Win32/Kryptik.FD
Win64:Evo-gen
Trojan-Dropper.Win32.Small


Naturally, the original archive will look "safe" and "innocent" :

https://virusscan.jotti.org/en-US/filescanjob/sod5np9egx

In my opinion, members of the forum should not post links to such type of nested archives protected with passwords.
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: LiaoMi on August 27, 2017, 10:14:39 PM
Quote from: Vortex on August 27, 2017, 09:30:45 PM
Hi caballero,

The nested archives protected with password method is a nasty trick aimed to "escape" or "avoid" online scanners. Extracted the contents of the zip and 7z archive and created a new one without password. Uploaded it to Jotti :

https://virusscan.jotti.org/en-US/filescanjob/sod5np9egx


PUA.Win.Packer.Upx-4
Win32/Kryptik.FD
Win64:Evo-gen
Trojan-Dropper.Win32.Small


Naturally, the original archive will look "safe" and "innocent" :

https://virusscan.jotti.org/en-US/filescanjob/sod5np9egx

In my opinion, members of the forum should not post links to such type of nested archives protected with passwords.

Similar detections were in the examples of UASM; my antivirus (NOD or Symantec) does not allow downloading such archives, for example a file from the project "luoyunbin\Chapter13\HideProcess9x", which was not converted to x64 UASM. The rest of the examples can be useful; it is important that these examples were done by the Chinese for self-study in order to use UASM. In any case, I also would not like to see such archives.
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: jj2007 on August 27, 2017, 11:04:45 PM
Quote from: Vortex on August 27, 2017, 09:30:45 PM
PUA.Win.Packer.Upx-4
Win32/Kryptik.FD
Win64:Evo-gen
Trojan-Dropper.Win32.Small

The "packer" is probably a false positive, but the rest is not so harmless...
What is Win32/Kryptik.FD (http://remove-malware4you.com/post/Remove-Win32Kryptik.FD-How-to-Remove-Win32Kryptik.FD-From-PC_7_236156.html)
Trojan-Dropper.Win32.Small (https://threats.kaspersky.com/en/threat/Trojan-Dropper.Win32.Small/)

Many of us have experienced false positives. This is natural with non-mainstream code; the AVs are just too dumb to distinguish experimental assembler code from malware. But two of the above are definitely not harmless, and besides, honest programmers do not hide their stuff in nested password-protected archives uploaded to obscure sites 8)
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: Vortex on August 28, 2017, 03:12:53 AM
Quote: But two of the above are definitely not harmless, and besides, honest programmers do not hide their stuff in nested password-protected archives uploaded to obscure sites.

I agree with Jochen. It's important to provide simple archives containing clean material and not stuff like protected and nested archives.
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: Yuri on August 28, 2017, 06:06:43 PM
Quote from: jj2007 on August 27, 2017, 11:04:45 PM
honest programmers do not hide their stuff in nested password-protected archives uploaded to obscure sites 8)
Sometimes it's inevitable. See what is found in my DLL written in GoAsm: https://www.virustotal.com/en/file/d3dd443066c777964c6c001060a2bb7fb245817a41f1cea9f9e404b0db721a8a/analysis/1479014195/ (https://www.virustotal.com/en/file/d3dd443066c777964c6c001060a2bb7fb245817a41f1cea9f9e404b0db721a8a/analysis/1479014195/). Did I put all that in it? Of course not. The DLL is clean. However, some trojan makers have used it with their malicious scripts, and now it's also flagged as malware by a bunch of AVs. Due to that, my previous site was blocked by the hoster and I had to move to another and put the DLL in an archive protected with a password. What else could I do? Negotiate with 20+ AV companies?
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: hutch-- on August 29, 2017, 03:59:40 PM
Yuri,

Rename the DLL and post it elsewhere.
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: jj2007 on August 29, 2017, 05:58:44 PM
Quote from: Yuri on August 28, 2017, 06:06:43 PM
Sometimes it's inevitable ... What else could I do? Negotiate with 20+ AV companies?

Right, it is not that simple. If Jotti flags my installer as clean (https://virusscan.jotti.org/en-US/filescanjob/d3k4xnxe9i), it is sheer luck, as inside there are several routines that are a) unique (SSE2 code...) and b) could be used by anybody to produce malware, as you rightly state. What we are doing here is not mainstream, so we are subject to special attention. I must admit I don't have a simple solution for this problem. Attacking AV companies publicly for their dumb software damaging honest business might have some effect, but I'm not optimistic.
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: hutch-- on August 29, 2017, 08:28:07 PM
There are two things here, make sure the code is squeaky clean with no crap in it AND put a manifest and version control block in the files within the zip file. Apart from that, this is why there is an AV sh*t list in the forum, nothing like a bit of bad publicity to make them improve their performance.
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: Yuri on August 30, 2017, 12:08:13 AM
Quote from: hutch-- on August 29, 2017, 03:59:40 PM
Yuri,

Rename the DLL and post it elsewhere.

What for? In case you meant remove the link from this forum, I've done that.
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: hutch-- on August 30, 2017, 12:50:47 AM
No no, if the named file is blacklisted by AV companies, call it something else and post it somewhere else.
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: Vortex on August 30, 2017, 04:06:10 AM
Hi Yuri,

I have an old SFX archive example coded with GoAsm. The sample uses Jeremy Collake's JCALG1 compression library. Jotti and virustotal are reporting that the SFX archive is "infected". Of course, this is a false positive. I tried the technique of splitting the executable into multiple files. The idea is to present those file fragments to the AV engines as meaningless binary data files "missing" the important IMAGE_NT_HEADERS block and the text and data sections. Splitting the executable into three parts:

Part 1, 32 bytes, only the first half of IMAGE_DOS_HEADER
Part 2, 32 bytes, second half of IMAGE_DOS_HEADER
Part 3, the rest of the file

You can use a file splitter. I used dd adapted to Windows:

http://www.chrysocome.net/dd

Split.bat :

dd if=Sfxdemo.exe of=Sfxdemo.exe.01 bs=32 count=1

dd if=Sfxdemo.exe of=Sfxdemo.exe.02 bs=32 count=1 skip=1

dd if=Sfxdemo.exe of=Sfxdemo.exe.03 bs=32 skip=2


Result :

    Size File name

  24.064 Sfxdemo.exe
      32 Sfxdemo.exe.01
      32 Sfxdemo.exe.02
  24.000 Sfxdemo.exe.03


A simple batch file can be presented to the end user to combine the parts, with no need for external tools. Double clicking the batch file runs:

copy /b Sfxdemo.exe.01+Sfxdemo.exe.02+Sfxdemo.exe.03 Sfxdemo.exe

Analysis of Sfxdemo.exe :

https://virusscan.jotti.org/en-US/filescanjob/oh2870yoks

Analysis of the files Sfxdemo.exe.01, Sfxdemo.exe.02 and Sfxdemo.exe.03 :

https://virusscan.jotti.org/en-US/filescanjob/jz07f1ek2k,4peo8klxce,265bda0ds8

Analysis by virustotal :

Sfxdemo.exe.01 :

https://virustotal.com/#/file/9a25e59e4ddb7fede5ee68a2b728912a009c98c7f29b3d1e7745d4b3e8e6d0c3/detection

Sfxdemo.exe.02 :

https://virustotal.com/#/file/a2461009f610d333b185ea0e8d7836d26ca7333b0c0cd8609c4c24073e6dc091/detection

Sfxdemo.exe.03 :

https://virustotal.com/#/file/a5feb198bdd2c5d3177f8621ea5869ee9845991e13270490f19b8abde3fa63ce/detection

Sfxdemo.exe :

https://virustotal.com/#/file/e94fd2fa54056cd0f18fc51177ccfdf4ecc63a333ef6f78ae8e2fa71dfc73186/detection
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: Yuri on August 30, 2017, 10:59:25 AM
Thanks, Vortex, that's an interesting technique, I'll keep it in mind. However, it's also a trick and so it may seem as suspicious to a user as an archive with a password. In both cases everything depends on whether the user trusts you or not.
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: Yuri on August 30, 2017, 11:04:18 AM
Quote from: hutch-- on August 30, 2017, 12:50:47 AM
No no, if the named file is blacklisted by AV companies, call it something else and post it somewhere else.
No, renaming doesn't work. I've already tried it, as well as adding a manifest. Shuffling parts of the source code gets rid of some AVs but not all. Getting rid of all of them seems impossible. Baidu, for example, doesn't like my DllMain function if it's longer than a certain number of bytes. It doesn't matter what the function does. But I can't keep it that short because I need to do some initialization. If I try to move initialization to a separate function and call it from DllMain, that doesn't make Baidu happy.

Some time ago I was able to shake off a couple of AVs by simply moving the entry point of the DLL one byte forward. Have no idea why it worked.
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: LiaoMi on August 30, 2017, 06:03:58 PM
Quote from: Vortex on August 30, 2017, 04:06:10 AM
Hi Yuri,

I have an old SFX archive example coded with GoAsm. The sample uses Jeremy Collake's JCALG1 compression library. Jotti and virustotal are reporting that the SFX archive is "infected" Of course, this is a false-positive. I tried the technique splitting the executable into multiple files. The idea is to present those file fragments to the AV engines as meaningless binary data files "missing" the important block IMAGE_NT_HEADERS and the sections text and data. Splitting the executable into three parts :

Part 1,  32 bytes , only the first half of IMAGE_DOS_HEADER
Part 2,  32 bytes , second half of IMAGE_DOS_HEADER
Part 3,   the rest of the file

You can use a file splitter. I used dd adapted to Windows :

http://www.chrysocome.net/dd

Split.bat :

dd if=Sfxdemo.exe of=Sfxdemo.exe.01 bs=32 count=1

dd if=Sfxdemo.exe of=Sfxdemo.exe.02 bs=32 count=1 skip=1

dd if=Sfxdemo.exe of=Sfxdemo.exe.03 bs=32 skip=2


Result :

    Size File name

  24.064 Sfxdemo.exe
      32 Sfxdemo.exe.01
      32 Sfxdemo.exe.02
  24.000 Sfxdemo.exe.03


A simple batch file can be presented to the end user to combine the parts, no need of external tools. Double clicking the batch file :

copy /b Sfxdemo.exe.01+Sfxdemo.exe.02+Sfxdemo.exe.03 Sfxdemo.exe

Analysis of Sfxdemo.exe :

https://virusscan.jotti.org/en-US/filescanjob/oh2870yoks

Analysis of the files Sfxdemo.exe.01, Sfxdemo.exe.02 and Sfxdemo.exe.03 :

https://virusscan.jotti.org/en-US/filescanjob/jz07f1ek2k,4peo8klxce,265bda0ds8

Analysis by virustotal :

Sfxdemo.exe.01 :

https://virustotal.com/#/file/9a25e59e4ddb7fede5ee68a2b728912a009c98c7f29b3d1e7745d4b3e8e6d0c3/detection

Sfxdemo.exe.02 :

https://virustotal.com/#/file/a2461009f610d333b185ea0e8d7836d26ca7333b0c0cd8609c4c24073e6dc091/detection

Sfxdemo.exe.03 :

https://virustotal.com/#/file/a5feb198bdd2c5d3177f8621ea5869ee9845991e13270490f19b8abde3fa63ce/detection

Sfxdemo.exe :

https://virustotal.com/#/file/e94fd2fa54056cd0f18fc51177ccfdf4ecc63a333ef6f78ae8e2fa71dfc73186/detection

:biggrin:

This is also a malicious technique -

https://en.wikipedia.org/wiki/Dropper_(malware)

I think the best option is to check the content first, then delete the executable files, and leave only the sources.
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: Vortex on August 30, 2017, 06:18:46 PM
LiaoMi,

Where do you see something malicious in the splitting technique? FYI, the UNIX\Linux family is providing the cut\merge method since longtime. Departing from your point of view, self-extracting archives should be forbidden as they can transport malware. The problem is that AV companies are doing their best to discourage some developers.
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: jj2007 on August 30, 2017, 06:53:40 PM
There are quite a number of techniques we could apply to hide potentially dangerous routines from the AV brigade. But afaik, you can't download attachments if you are not logged in, so what is the problem? That archives are too big to be posted here? Sorry, but what's the point of assembler if you can't zip the content to 512kB or less?
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: Yuri on August 30, 2017, 08:45:03 PM
Yes, removing the header makes the DLL innocuous: https://www.virustotal.com/en/file/8f9d343b86df6bfb7ad241b2e1647fd7d4d4f8a8904320b03af2c23d97a4f226/analysis/1504089347/ (https://www.virustotal.com/en/file/8f9d343b86df6bfb7ad241b2e1647fd7d4d4f8a8904320b03af2c23d97a4f226/analysis/1504089347/).

What if it was real malware? Would they still detect it? :icon_rolleyes:
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: jj2007 on August 30, 2017, 09:01:35 PM
Quote from: Yuri on August 30, 2017, 08:45:03 PM
What if it was real malware? Would they still detect it? :icon_rolleyes:

Without indulging too much in details, you have to distinguish between "scanners" and "watchdogs":
- Scanners need to find signatures in all files. Try to imagine what "all files" means on your machine, and then imagine how efficient scanners can be...
- Watchdogs must shout foul if a process tries to do strange things. Since many processes access the internet etc., their efficiency depends on the user's running processes, firewall, services etc.
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: Vortex on August 30, 2017, 09:07:32 PM
Hi Yuri,

This should probably depend on the analysis techniques employed by the AV engine. Deep inspections can take more time and such AV engines would probably slow down computers. Encryption methods can make things even more difficult.  As you said, everything depends on whether the user trusts you or not.
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: jj2007 on August 30, 2017, 09:36:43 PM
In the end, the most important thing for malware is to get "a foot in the door", i.e. to get a small proggie running that afterwards can download whatever is necessary. Cheating scanners is easy, encrypting a file, for example, can be done in milliseconds.
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: hutch-- on August 31, 2017, 12:40:01 AM
Yuri,

Try another trick: different linkers sometimes place the PE header at different offsets from the MZ header. I don't know how you have produced the binary, but I know that most AV scanners have a good look at the MZ/PE header structure and if it deviates from their view of normal, they will flag it as infected or suspicious.
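A defender-side illustration of the two points raised in this thread, Vortex's three-part split of Sfxdemo.exe (32 + 32 + remainder bytes) and hutch's remark that scanners look at the MZ/PE header layout. This is an added example, not code from the forum, from GoAsm, dd or any AV product. It builds a synthetic MZ/PE-shaped blob (constructed data, not a real executable), shows that a 32-byte fragment or the header-less remainder presents no parsable PE header to a header-aware check, and that joining the fragments in order (what the copy /b batch file does) restores one. The "typical e_lfanew" range is this checker's own heuristic, an assumption standing in for whatever a given scanner treats as normal.

```python
import struct

DOS_HEADER_SIZE = 64        # sizeof(IMAGE_DOS_HEADER)
E_LFANEW_OFFSET = 0x3C      # offset of e_lfanew inside IMAGE_DOS_HEADER
PE_SIGNATURE = b"PE\x00\x00"
FILE_HEADER_SIZE = 20       # sizeof(IMAGE_FILE_HEADER)
# Assumed "normal" e_lfanew range for this checker; real scanners use their own notion.
TYPICAL_E_LFANEW = range(0x40, 0x400)


def build_sample_image(e_lfanew=0x80, total_size=0x200):
    """Build a synthetic MZ/PE-shaped blob (constructed test data, not a real executable)."""
    buf = bytearray(total_size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = PE_SIGNATURE
    # IMAGE_FILE_HEADER.Machine = 0x8664 (AMD64), NumberOfSections = 2
    struct.pack_into("<HH", buf, e_lfanew + 4, 0x8664, 2)
    return bytes(buf)


def inspect_pe_header(data):
    """Classify a blob the way a header-aware scanner would: fragment, PE, or odd-looking PE."""
    result = {"has_dos_header": False, "has_pe_header": False, "anomalies": []}
    if len(data) < DOS_HEADER_SIZE:
        result["anomalies"].append("shorter than IMAGE_DOS_HEADER (%d bytes)" % len(data))
        return result
    if data[:2] != b"MZ":
        result["anomalies"].append("no MZ magic")
        return result
    result["has_dos_header"] = True
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    result["e_lfanew"] = e_lfanew
    if e_lfanew + 4 + FILE_HEADER_SIZE > len(data):
        result["anomalies"].append("e_lfanew 0x%X points past end of data" % e_lfanew)
        return result
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        result["anomalies"].append("no PE signature at e_lfanew")
        return result
    result["has_pe_header"] = True
    if e_lfanew not in TYPICAL_E_LFANEW:
        result["anomalies"].append("unusual e_lfanew 0x%X" % e_lfanew)
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    result["machine"] = machine
    result["sections"] = nsections
    if nsections == 0 or nsections > 96:
        result["anomalies"].append("implausible section count %d" % nsections)
    return result


def split_fragments(data, sizes):
    """Cut data into fragments of the given sizes (like the dd calls); the last takes the rest."""
    parts, pos = [], 0
    for size in sizes:
        parts.append(data[pos:pos + size])
        pos += size
    parts.append(data[pos:])
    return parts


def reassembled_is_pe(fragments):
    """Defender check: do these fragments, joined in order (copy /b), form a PE image?"""
    return inspect_pe_header(b"".join(fragments))["has_pe_header"]


if __name__ == "__main__":
    image = build_sample_image()
    for i, part in enumerate(split_fragments(image, [32, 32]), 1):
        print("fragment %d (%d bytes):" % (i, len(part)), inspect_pe_header(part))
    print("joined:", reassembled_is_pe(split_fragments(image, [32, 32])))
    print("odd header:", inspect_pe_header(build_sample_image(e_lfanew=0x1000, total_size=0x1100)))
```

Run stand-alone it prints the per-fragment verdicts (none of the three pieces has a usable header), the verdict for the joined bytes (a PE again), and a flag for an image whose e_lfanew falls outside the assumed range, which is the kind of deviation hutch describes. A scanner that only hashes or signature-matches whole files sees three innocuous blobs; one that checks a staging directory by trying ordered concatenation, as reassembled_is_pe does, sees the executable.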
Title: Re: Win32ASM Programming 2nd Edition (From China) - ver UASM x64
Post by: Yuri on August 31, 2017, 02:51:47 AM
I used GoLink. But I don't think this is the problem. As far as I know, the DLL has been distributed together with malicious scripts, often in text form inside the script and then stored on disk as a binary file. This probably led some AVs to see it as malware. When it was just built it wasn't flagged as such.