I teach an x86 Assembly Language class at a small college. Over the past few years I've occasionally had a problem with AV not allowing some Assembler program to run. In those cases I've been able to create an exclusion in the AV to solve the problem. This time...I can't seem to fix it. Here are the specifics:
Windows 10 Laptop
Visual Studio 2022
Windows Defender AV
Previous programs were running fine, up to a recent small project. Now nothing works, any attempt to run any assembler project fails, stating that it can't find the .exe file.
The program starts up, displays the command console window, then stops with the error.
I've added an exclusion for the project folder to Defender with no luck. Also tried to add an exclusion for the .exe file but Defender won't let me do that because the file doesn't exist. I'm assuming this is an AV problem because I don't know what else it might be. BTW...copy and paste the same code to a different computer and it works perfectly.
I know this has been discussed before but I've tried all the suggestions with no luck. I would really appreciate any help/ideas/suggestions that anyone might have.
Frustrated Faculty
Hi riversr54,
Could you post the source code and the executable?
Hi riversr54,
It's a problem that is getting worse over time. I try for a UI app to have a manifest and version control block in the resource script which used to work OK but of late, perfect, reliable executables built from your own source code on a perfectly clean machine are being flagged as infected or suspicious and some claim that the infections on a win32/64 exe is for an Apple or Android smartphone.
There are a few things you can do, ensure you get an Instance handle, use at least a couple of KERNEL32 functions, a manifest and version control block and it helps some but it is getting worse as AV vendors ramp up the false positives to try and look like they are hitting more things.
Have a look at this data for Win10 64 bit.
http://masm32.com/board/index.php?topic=10733.0
Here's the code that we are using to test. Couldn't be much simpler. Copies one array to another.
.386
.model flat,stdcall
.stack 4096
ExitProcess PROTO, dwExitCode:DWORD
.data
firstArray BYTE 'a','b'
secondArray BYTE ?
count BYTE lengthof firstArray
.code
main PROC
movzx ecx, count
mov esi, 0
L1:
mov al, firstArray[esi]
mov secondArray[esi],al
inc esi
Loop L1
INVOKE ExitProcess,0
main ENDP
END main
forgot dec ecx
Hello,
This one should work :
.386
.model flat,stdcall
ExitProcess PROTO dwExitCode:DWORD
includelib \masm32\lib\kernel32.lib
.data
firstArray BYTE 'a','b'
count BYTE lengthof firstArray
.data?
secondArray db 2 dup(?) ; Reserve two bytes
; in the uninitialized
; data section
.code
start:
movzx ecx, count
xor esi,esi
L1:
mov al,firstArray[esi]
mov secondArray[esi],al
inc esi
loop L1
invoke ExitProcess,0
END start
Maybe we've forgotten the original question...I don't need help with the code, it works just fine on other machines, but on this one student machine, it will not run because apparently the AV is deleting the .exe before it can actually run. The code is not the problem, it's the AV (at least that's what I think at this point)
Do you build the project on the command line with the batch file or with the Visual Studio's Build Solution-menu?
It sounds like a bad configuration. It's not building an executable but doing something else such as creating object files or a listing or a .dll etc.
Hi riversr54,
OK, I will test your code on a Windows 10 system but you need a little help with your code. Let's examine it under the debugger Ollydbg :
00401000 > $ 0FB60D 0320400>MOVZX ECX,BYTE PTR DS:[402003]
00401007 . BE 00000000 MOV ESI,0
0040100C > 8A86 00204000 MOV AL,BYTE PTR DS:[ESI+402000]
00401012 . 8886 02204000 MOV BYTE PTR DS:[ESI+402002],AL
00401018 . 46 INC ESI
00401019 .^E2 F1 LOOPD SHORT CopyArra.0040100C
0040101B . 6A 00 PUSH 0 ; /ExitCode = 0
0040101D . E8 00000000 CALL <JMP.&kernel32.ExitProcess> ; \ExitProcess
00401022 $-FF25 34204000 JMP DWORD PTR DS:[<&kernel32.ExitProcess>; kernel32.ExitProcess
00402000 61 62 00 02 2C 20 00 00 ab., ..
00402008 00 00 00 00 00 00 00 00 ........
When [ESI+402002] points to 402003, the statement
MOV BYTE PTR DS:[ESI+402002],AL
or mov secondArray[esi],al
will overwrite the length of firstArray. This means that at the address 402003h, the byte value 02h will be replaced by 62h ("b"). This is not a serious mistake but reserving enough space in your data section to avoid unnecessary overwritings ( and potential buffer overruns ) will improve your code.
It's the AV that erases the .exe.
Probably you have to exclude the folder.
First check that the computer is not infected with a real virus :biggrin:
The problem that riversr54 has referred to is a reasonably recent one and it appears to coincide with Microsoft shedding thousands of employees and in the AV field, starting to share viral signatures with the rest of the low end of AV scanners.
Now differing from virus writers and AV companies (with suspicions that they are the same) the masm32 SDK and the developing masm64 project are created directly from source code on fully isolated development computers that have absolutely no signature lists, malicious code, trojan test pieces or other dangerous code on them.
Developed directly from source code using Microsoft binaries, assemblers, linkers and resource compilers, anyone using these tools, as long as their computer is totally virus and trojan free, are not producing dangerous code that needs to be deleted.
On my own computers, I have had to set exclusions on drives and recently, disable part of the default Microsoft AV scanner, simply to avoid false positives and silent deletions. If you do this, you will need to have a reliable "On Demand" AV scanner. My own choice is Kaspersky's KVRT.EXE.
This is the normal response from Kaspersky KVRT.EXE every time I run it on the box where I build MASM32 and the 64 bit SDK.
Hello,
I tested an improved version of the code on Windows 10 and had no problems with Windows Defender :
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\masm32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\masm32.lib
.data
firstArray BYTE 'a','b',0
count BYTE lengthof firstArray
.data?
secondArray db 3 dup(?) ; Reserve three bytes (two characters
; plus the terminating zero) in the
; uninitialized data section
.code
start:
movzx ecx, count
xor esi,esi
L1:
mov al,firstArray[esi]
mov secondArray[esi],al
inc esi
loop L1
invoke StdOut,ADDR secondArray
invoke ExitProcess,0
END start
@Hutch
be careful as kaspersky is a well known russian digital weaponry
according to some rumours it has backdoors..
:biggrin:
The only thing that it could learn from me is how to write assembler. I download it, run it then delete it.
It's easy to detect the network connections with an application like NirSoft's CurrPorts.
> It's easy to detect the network connections with an application like NirSoft's CurrPorts.
Another good one is the Microsoft Sysinternals Suite's TCPView. There are many useful pieces of software in that Suite, I also recommend Process Explorer.
:biggrin:
Microsoft Sysinternals is very useful software, comes at the right price and can do many useful things. Among many, the Process Explorer is a tool that I use on enough things to keep it directly on my desktop.
As far as software origins go, I use software from around the world, (none from Antarctica yet) and evaluate it by its performance, not a country's politics.
Quote from: greenozon on March 18, 2023, 06:39:16 PM
> @Hutch
> be careful as kaspersky is a well known russian digital weaponry
> according to some rumours it has backdoors..
Check here (https://cybernews.com/best-antivirus-software/kaspersky-antivirus-review/#:~:text=threats%20were%20found.-,Malware%20protection,result%20of%200%20false%20positives.) (found googling kaspersky backdoor):
> Kaspersky's malware scanner has been tested as recently as fall of 2022 by major testing labs. Such labs as AV-Comparatives and AV-Test showed that Kaspersky performed extremely well, capturing 100% of zero-day malware and 100% of widespread malware, with an excellent result of 0 false positives.
Further down, there's a text to make the NSA happy: "We don't recommend getting Kaspersky because of its ties to Russia's Federal Security Service (FSB)." :greensml:
Check also Kaspersky's blog (https://www.kaspersky.com/blog/frequently-alleged-nonsense/21013/). Of course, you cannot fully exclude the possibility that the Russians are spying on your machine. However, using logic, it would appear that Kaspersky would shoot themselves in the foot if, suddenly, the Internet was full of stories saying Kaspersky software intercepted your online banking password and transferred Millions to support Putin's war. Right?
> Founded in 2004, Kaspersky North America (https://usa.kaspersky.com/about/company) is a Massachusetts corporation and is a wholly-owned subsidiary of its holding company, Kaspersky's Limited, based in the United Kingdom.
> We are one of the world's largest privately owned cybersecurity companies. We operate in 200 countries and territories and have 35 offices in 31 countries. Over 4,000 highly-qualified specialists work for Kaspersky.
> We are a global company, with a global vision and a focus on international markets. Our global unaudited IFRS revenue for 2017 totaled USD 698 million.
> Our independence allows us to be more agile; to think differently and act faster. We are forever innovating, delivering protection that's effective, usable and accessible. We pride ourselves on developing world-leading security that keeps us – and every one of our 400 million users protected by our technologies, and 270,000 corporate clients – one step ahead of potential threats.
Of course, if Hutch finds out that Klaus Schwab owns Kaspersky shares, then... but I digress, sorry :badgrin:
:biggrin:
> Further down, there's a text to make the NSA happy: "We don't recommend getting Kaspersky because of its ties to Russia's Federal Security Service (FSB)."
Substitute "Russia" with the US, UK, Canada, Europe, China, Formosa and many others, they all hold true. All governments say nasty things about their political enemies.
PS : You have to be careful about Count Vlad, he was not only in the KGB but used to be a communist. :badgrin:
If the MOSSAD can hack my PC, they (and any other) will learn how to write assembler. :joking:
Ok, maybe the code is not perfect, but that is not the point. The point is that the exact same code runs perfectly on my computer but will not run (no .exe found) on the student computer. We've added the folder to the exclusion list and disabled Windows Defender (Virus and Threat Protection) but still have the same problem. I'm looking into the possibility that it is a Visual Studio configuration problem. That seems to be the only thing that makes any sense right now.
riversr54
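One way to settle the "AV deleting it" versus "build never produced it" question on the student machine is to ask Defender directly. This is an added diagnostic, not code from the thread; the project path and output file name are placeholders to adjust, and it is run from an elevated PowerShell prompt:

```powershell
# Added diagnostic (not from the thread): check whether Defender acted on the
# project's build output and whether the folder exclusion is really in place.
$Project = 'C:\Users\student\source\repos\CopyArray'   # placeholder: the student's project folder
$Exe     = Join-Path $Project 'Debug\CopyArray.exe'    # placeholder: the solution's output path

# 1. Does the linker output exist at all? If not, suspect the build configuration,
#    not the AV (an .exe that was never written cannot have been quarantined).
if (Test-Path $Exe) { "Build output present: $Exe" } else { "No build output at $Exe" }

# 2. Is the folder actually covered by an exclusion? Get-MpPreference lists them.
$pref     = Get-MpPreference
$excluded = $pref.ExclusionPath | Where-Object { $Project.StartsWith($_, 'OrdinalIgnoreCase') }
if ($excluded) { "Folder covered by exclusion: $excluded" } else { "Folder NOT covered by any exclusion" }

# 3. Defender's own detection history: any entry whose resources mention the project folder.
Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape($Project) } |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources |
    Format-List

# 4. Same question from the event log: 1116 = threat detected, 1117 = action taken.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1116, 1117 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($Project) } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

If steps 3 and 4 show nothing while the .exe is still missing, the AV is not the culprit and the Visual Studio output directory or build target is the next thing to check.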
These are a real pain to track down, the things I have had to do on my own computers to research the problem are on Win10 Pro so find out if it's an issue with Win10 Home. As usual, try out some other code samples to see if it happens on all small code or just that one.
Hi riversr54,
Kindly, could you post here your final executable?