Jump to content











Photo
- - - - -

Hiderun_x86.exe suddenly considered a virus?


  • Please log in to reply
4 replies to this topic

#1 Jackie78

Jackie78
  • Members
  • 4 posts
  •  
    Germany

Posted 05 October 2012 - 09:40 AM

Hi,

I wonder why some Antivirus programms suddenly start to recognize Projects\Tools\Common\c86\hiderun_x86.exe as a virus. For example:

https://www.virustot...c3958/analysis/

I guess this file is essential for WinPE, is there a documentation what it exactly does? And why do antivirus programs now detect this file as malware?

#2 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12707 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 05 October 2012 - 11:58 AM

Do not worry about "suddenly appearing virus worning on 'established' applications"

Because the virus creators daily have new ideas, the antivir programs have to check more and more (machine code) patterns.

And there it is rather possible that a certain pattern is contained in a "serious" application.

To your question: hiderun, as the name says, runs a program invisible for a user. When the program is run directly, the application GUI or a command window would pop up.

There are different hiderun's. I also wrote a x86 / x64 pair.

Here my simple source code:

// hiderunEx.cpp : Defines the entry point for the console application.

//

#pragma once

#include "targetver.h"

#include <stdio.h>

#include <tchar.h>

#include <windows.h>

#include <shellapi.h>



bool StartWait(TCHAR *exeFile, TCHAR *startParams, TCHAR *workDir, bool wait, bool show)

{

SHELLEXECUTEINFO SEInfo;

DWORD exitCode;

int infsize = sizeof(SHELLEXECUTEINFO);

memset(&SEInfo, 0, infsize);

SEInfo.cbSize = infsize;

SEInfo.fMask = SEE_MASK_NOCLOSEPROCESS;

SEInfo.lpFile = exeFile;

SEInfo.lpParameters = startParams;

SEInfo.lpDirectory = workDir;

if(show)

SEInfo.nShow = SW_SHOWNORMAL;

else

SEInfo.nShow = SW_HIDE;

if(ShellExecuteEx(&SEInfo))

{

if(wait)

	 do{

	 MsgWaitForMultipleObjects(1, &SEInfo.hProcess, FALSE, 10, QS_ALLINPUT);

	 GetExitCodeProcess(SEInfo.hProcess, &exitCode);

	 }while((exitCode == STILL_ACTIVE));

return TRUE;

}

else

return false;

}

#define PARMLEN 4096

int _tmain(DWORD argc, TCHAR *__argv[], TCHAR *__envp[])

{

bool wait = false;

bool show = false;

DWORD start = 1;

TCHAR *exe;

TCHAR *parms;

bool quote;

TCHAR buffer[128];

if (argc == 1)

return -1;

if (_tcsicmp(TEXT("/w"), __argv[start]) == 0)

{ start++;

wait = true;

}

if (_tcsicmp(TEXT("/s"), __argv[start]) == 0)

{ start++;

show = true;

wait = true;

}

parms = (TCHAR *) malloc (PARMLEN);

exe = __argv[start++];

parms[0] = 0;

for(;start < argc;start++)

{

TCHAR *tst = __argv[start];

quote = false;

TCHAR *st = &tst[0];

for (;;)

{ st = _tcsstr(st, TEXT("%"));

	 if (st == NULL) break;

	 _tcscpy(&buffer[0], st + 1);

	 TCHAR *en = _tcsstr(buffer + 1, TEXT("%"));

	 if (en != NULL)

	 {

	 *en = 0;

	 TCHAR *env = _tgetenv(buffer);

	 if (_tcsstr(env, TEXT("%")) != NULL)

	 {

		 quote = true;

		 break;

	 }

	 st = _tcsstr(st + 1, TEXT("%"));

	 }

	 st++;

}

quote = ((_tcsstr(tst, TEXT(" ")) != NULL) || quote);

if (quote)

_tcscat(&parms[0], TEXT("""));

_tcscat(&parms[0], tst);

if (quote)

_tcscat(&parms[0], TEXT("""));

_tcscat(&parms[0], TEXT(" "));

}

StartWait(exe, parms, NULL, wait, show);

free(parms);

return 0;

}


Peter
  • Nuno Brito likes this

#3 homes32

homes32

    Gold Member

  • .script developer
  • 1029 posts
  • Location:Minnesota
  •  
    United States

Posted 05 October 2012 - 04:21 PM

Hi,

I wonder why some Antivirus programms suddenly start to recognize ProjectsToolsCommonc86hiderun_x86.exe as a virus. For example:

https://www.virustot...c3958/analysis/

I guess this file is essential for WinPE, is there a documentation what it exactly does? And why do antivirus programs now detect this file as malware?


its a false positive.
hiderun does exactly want psc said above and the programs name implies. it hides annoying .cmd windows from popping up during the building process and the boot process in order to keep them from being closed by the user, possibly causing problems with building or booting of the PE.
the c++ source code for this particular version of hiderun is available for your inspection in the tools folder (ie C:winbuilderProjectsToolsWin7PESEsrc

regards,
Homes32

#4 sbaeder

sbaeder

    Gold Member

  • .script developer
  • 1338 posts
  • Location:usa - massachusettes
  •  
    United States

Posted 06 October 2012 - 04:49 PM

And to pile on here in addition to the very good comments above, the very fact that it is trying to "hide" a running process may be a cause for alarm, since that is what a "Virus" would attempt to do...So, that may be enough to flag it, and without some other "whitelist", report it as suspicious.

:cheers:
Scott

#5 homes32

homes32

    Gold Member

  • .script developer
  • 1029 posts
  • Location:Minnesota
  •  
    United States

Posted 07 October 2012 - 07:12 PM

And to pile on here in addition to the very good comments above, the very fact that it is trying to "hide" a running process may be a cause for alarm, since that is what a "Virus" would attempt to do...So, that may be enough to flag it, and without some other "whitelist", report it as suspicious.

:cheers:
Scott

well if we want to get technical its not really hiding the process, just toggling the window state from
SW_SHOWNORMAL to SW_HIDE
nothing unusual about that, but I script kiddies and other wannabes have [mis]used self contained programs like this in the past to hide their poorly written malicious programs from visibility.

thats why the source is included, so you can analyze it for yourself and see that we have nothing to hide :rofl2:
  • Nuno Brito likes this




1 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users


    Bing (1)