Re: ANTIVIRUS' vs asm executables

Started by TouEnMasm, February 02, 2021, 07:22:24 PM


TouEnMasm

Quote
Something important to do is use a manifest AND a version control block. If the donkey end of AV scanners cannot find these they often flag a file as risky or infected.
This assertion needs tests. This one http://masm32.com/board/index.php?topic=9071.msg99618#msg99618 had no rc file (no manifest, no version control)
but isn't confused with a virus. Using the crt with its proper call seems very important.
Fa is a musical note to play with CL

hutch--

If it was that easy to do, the virus/trojan guys would do it.

TouEnMasm


Another statement which doesn't replace tests.
Fa is a musical note to play with CL

hutch--

If you want to make a pest of yourself, go to #twitter, keep it up here and you will be set free.

Rule 5 of the forum.
Quote
This forum will not allow argument or extended discussion on the suitability of answers as it is of no assistance to the person asking the question. This forum will not allow talking heads, script kiddies or any other form of influence peddling.

First and last warning.

TouEnMasm


I just find it useful to have some tests to solve the problem.
I have not seen a VC forum with numerous viruses at download (?..).
The pest is those continuous virus alerts.
Any other ideas than making tests to solve it?
Fa is a musical note to play with CL

hutch--

I don't know if you read English all that well but the point was that the "Campus" is not for debate or influence peddling, the last thing a new member needs is a confusing argument over answers. If you have a technical point that is useful, post it in the Workshop. I will enforce the Campus being for new members, not influence peddling.

As far as your include files, you have been provided with a sub forum of your own so you can post whatever technical data you want and I did suggest that the people who need your include files are the UASM guys where with 64 bit MASM you are wasting both your time and mine as 64 bit MASM does not use your format of include files.

One more thing, I am not a free kick simply because I run this forum. You have been a member here for a long time and I have no desire to kick you out but be warned that the endless antagonism will end up with that result. If you want that type of garbage, do it on #twitter, not here.

HSE

Hi Yves!

Quote from: TouEnMasm on February 03, 2021, 01:46:34 AM
I have not seen a VC forum with numerous viruses at download (?..).

AVs recognize little things, for example what is placed in unused bytes for alignment. VC has that very well defined. Nidud noted that, and AsmC copied it. Very smart!!

Also VC uses a couple of specific functions. If you are using your own, the AV gets suspicious.

Regards, HSE.
Equations in Assembly: SmplMath

jj2007

Quote from: hutch-- on February 02, 2021, 07:28:09 PM
If it was that easy to do, the virus/trojan guys would do it.

Exactly. If I was a virus writer, I would add a manifest AND a version control block, always :thumbsup:

TouEnMasm


Quote
AVs recognize little things, for example what is placed in unused bytes for alignment.
Useful information.
I will test this one.
Fa is a musical note to play with CL

jj2007

Quote from: HSE on February 03, 2021, 02:48:48 AM
AVs recognize little things, for example what is placed in unused bytes for alignment.

Interesting :cool:
include \masm32\include\masm32rt.inc
.code
start:
  nops 3
  align 16
  .Repeat
    inc ecx
  .Until !Zero?
  exit
end start


ML 6.14
90                nop
90                nop
90                nop
8DA424 00000000   lea esp, [esp]
8D9B 00000000     lea ebx, [ebx]

ML 6.15
8DA424 00000000   lea esp, [esp]
8D9B 00000000     lea ebx, [ebx]

ML 14.0
8DA424 00000000   lea esp, [esp]
8D9B 00000000     lea ebx, [ebx]

AsmC
8DA424 00000000   lea esp, [esp]
8D80 00000000     lea eax, [eax]

UAsm64
8DA424 00000000   lea esp, [esp]
8D80 00000000     lea eax, [eax]

align 8
ML 6.14
nop
add eax, 0 ; **** trashes flags ****
┌inc ecx
└jz short 00401008

ML 14.0
CPU Disasm
Address        Hex dump              Command                                 Comments
00401000        $ FF25 30204000     jmp near [<&kernel32.ExitProcess>]
00401006           CC                int3
00401007           CC                int3
00401008           CC                int3
00401009           CC                int3
0040100A           CC                int3
0040100B           CC                int3
0040100C           CC                int3
0040100D           CC                int3
0040100E           CC                int3
0040100F           CC                int3
<ModuleEntryPo ┌$  90                nop
00401011       │.  90                nop
00401012       │.  90                nop
00401013       │. EB 03             jmp short 00401018
00401015       │   CC                int3
00401016       │   CC                int3
00401017       │   CC                int3
00401018       │>  41                ┌inc ecx
00401019       │. 74 FD             └jz short 00401018
0040101B       │.  6A 00             push 0                                  ; ┌ExitCode = 0
0040101D       └.  E8 DEFFFFFF       call <jmp.&kernel32.ExitProcess>        ; └KERNEL32.ExitProcess

AsmC+UAsm64
90                nop
2E:8D4420 00      lea eax, cs:[eax]
41                ┌inc ecx
74 FD             └jz short 00401008


Later versions of MASM insert the jump table before the module entry point.
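The padding idioms listed above are exactly the kind of "little thing" an AV or analyst can use to tell which assembler produced a stretch of alignment bytes. The script below is an added example, not code from this thread or from any of the assemblers; the opcode patterns and the assembler sets come from jj2007's listings above, the 83 C0 00 encoding of "add eax, 0" is assumed (the listing shows only the mnemonic), and the function names are mine.

```python
from typing import List, Optional, Set, Tuple

# Padding idioms taken from the listings in this thread, longest first so a
# greedy decoder never splits a multi-byte lea into shorter matches.
# (encoding, mnemonic, assemblers on the page seen emitting it)
PAD_IDIOMS: List[Tuple[bytes, str, Set[str]]] = [
    (bytes.fromhex("8DA42400000000"), "lea esp,[esp]",    {"ML 6.14", "ML 6.15", "ML 14.0", "AsmC", "UAsm64"}),
    (bytes.fromhex("8D9B00000000"),   "lea ebx,[ebx]",    {"ML 6.14", "ML 6.15", "ML 14.0"}),
    (bytes.fromhex("8D8000000000"),   "lea eax,[eax]",    {"AsmC", "UAsm64"}),
    (bytes.fromhex("2E8D442000"),     "lea eax,cs:[eax]", {"AsmC", "UAsm64"}),
    (bytes.fromhex("83C000"),         "add eax,0",        {"ML 6.14"}),  # align 8; encoding assumed
    (bytes.fromhex("90"),             "nop",              {"ML 6.14", "ML 14.0", "AsmC", "UAsm64"}),
    (bytes.fromhex("CC"),             "int3",             {"ML 14.0"}),
]
# Only this idiom is a real instruction with a side effect (it writes EFLAGS).
FLAG_CLOBBERING = {"add eax,0"}

def decode_padding(buf: bytes) -> List[Tuple[int, str]]:
    """Greedy longest-match decode of a padding run into (offset, mnemonic).
    A byte matching no listed idiom is reported as 'db XX'."""
    out, i = [], 0
    while i < len(buf):
        for enc, mnem, _ in PAD_IDIOMS:
            if buf.startswith(enc, i):
                out.append((i, mnem))
                i += len(enc)
                break
        else:
            out.append((i, f"db {buf[i]:02X}"))
            i += 1
    return out

def candidate_assemblers(buf: bytes) -> Set[str]:
    """Assemblers from the listings consistent with every idiom in buf;
    an empty set means the padding matches none of the listed toolchains."""
    by_mnem = {mnem: who for _, mnem, who in PAD_IDIOMS}
    cands: Optional[Set[str]] = None
    for _, mnem in decode_padding(buf):
        who = by_mnem.get(mnem, set())
        cands = set(who) if cands is None else cands & who
    return cands or set()

def clobbers_flags(buf: bytes) -> bool:
    """True if the padding changes EFLAGS (the .Until !Zero? hazard shown above)."""
    return any(m in FLAG_CLOBBERING for _, m in decode_padding(buf))

# Constructed samples copied from the hex dumps in the thread.
ML614_ALIGN16 = bytes.fromhex("90 90 90 8D A4 24 00 00 00 00 8D 9B 00 00 00 00")
ASMC_ALIGN8   = bytes.fromhex("90 2E 8D 44 20 00")
ML614_ALIGN8  = bytes.fromhex("90 83 C0 00")
```

Running `candidate_assemblers` over the padding between functions of a binary gives a quick toolchain guess; `clobbers_flags` flags the ML 6.14 case where the padding is not inert.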

HSE

Hi JJ!

Quote from: HSE on February 03, 2021, 02:48:48 AM
VC have very well defined that.
Pay attention  :biggrin:   VC, not ML: it's the compiler that does that.

Quote from: HSE on February 03, 2021, 02:48:48 AM
Nidud noted that, and AsmC copied that. Very smart!!
You must ask Nidud how that is done, because I don't remember. Perhaps they are macros; for sure it is in the forum.
Equations in Assembly: SmplMath