
Hiderun_x86.exe suddenly considered a virus?



#1 Jackie78

Jackie78
  • Members
  • 4 posts
  • Germany

Posted 05 October 2012 - 09:40 AM

Hi,

I wonder why some antivirus programs suddenly start to recognize Projects\Tools\Common\c86\hiderun_x86.exe as a virus. For example:

https://www.virustot...c3958/analysis/

I guess this file is essential for WinPE; is there documentation on what exactly it does? And why do antivirus programs now detect this file as malware?

#2 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12707 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  • European Union

Posted 05 October 2012 - 11:58 AM

Do not worry about "suddenly appearing virus warnings on 'established' applications".

Because the virus creators have new ideas daily, the antivirus programs have to check more and more (machine code) patterns.

And so it is rather possible that a certain pattern is contained in a "serious" application.

To your question: hiderun, as the name says, runs a program invisibly to the user. If the program were run directly, the application GUI or a command window would pop up.

There are different hideruns. I also wrote an x86 / x64 pair.

Here is my simple source code:

// hiderunEx.cpp : Defines the entry point for the console application.
//
#include "targetver.h"   // Visual Studio project header (sets _WIN32_WINNT); drop it when building standalone
#include <stdio.h>
#include <stdlib.h>      // malloc, free, _tgetenv
#include <string.h>      // memset
#include <tchar.h>
#include <windows.h>
#include <shellapi.h>

// Launch exeFile with startParams through ShellExecuteEx. 'show' selects SW_SHOWNORMAL or
// SW_HIDE for the new process's window; with 'wait' set, poll until the process has exited.
bool StartWait(TCHAR *exeFile, TCHAR *startParams, TCHAR *workDir, bool wait, bool show)
{
    SHELLEXECUTEINFO SEInfo;
    DWORD exitCode = STILL_ACTIVE;
    int infsize = sizeof(SHELLEXECUTEINFO);

    memset(&SEInfo, 0, infsize);
    SEInfo.cbSize = infsize;
    SEInfo.fMask = SEE_MASK_NOCLOSEPROCESS;   // keep hProcess open so we can wait on it
    SEInfo.lpFile = exeFile;
    SEInfo.lpParameters = startParams;
    SEInfo.lpDirectory = workDir;
    SEInfo.nShow = show ? SW_SHOWNORMAL : SW_HIDE;

    if (!ShellExecuteEx(&SEInfo))
        return false;

    if (wait && SEInfo.hProcess != NULL)
    {
        do {
            // Pump messages while waiting so our own message queue stays responsive.
            MsgWaitForMultipleObjects(1, &SEInfo.hProcess, FALSE, 10, QS_ALLINPUT);
            if (!GetExitCodeProcess(SEInfo.hProcess, &exitCode))
                break;
        } while (exitCode == STILL_ACTIVE);
    }
    if (SEInfo.hProcess != NULL)
        CloseHandle(SEInfo.hProcess);   // SEE_MASK_NOCLOSEPROCESS hands us a handle we must close
    return true;
}

#define PARMLEN 4096   // size of the parameter buffer, in TCHARs

// Usage: hiderunEx [/w] [/s] <exe> [args...]
//   /w  wait for the started program to finish
//   /s  show its window instead of hiding it (implies /w)
int _tmain(int argc, TCHAR *argv[], TCHAR *envp[])
{
    bool wait = false;
    bool show = false;
    int start = 1;
    TCHAR *exe;
    TCHAR *parms;
    bool quote;
    TCHAR buffer[128];

    if (argc == 1)
        return -1;

    if (start < argc && _tcsicmp(TEXT("/w"), argv[start]) == 0)
    {
        start++;
        wait = true;
    }
    if (start < argc && _tcsicmp(TEXT("/s"), argv[start]) == 0)
    {
        start++;
        show = true;
        wait = true;
    }
    if (start >= argc)   // no program name given
        return -1;

    parms = (TCHAR *) malloc(PARMLEN * sizeof(TCHAR));
    if (parms == NULL)
        return -1;
    exe = argv[start++];
    parms[0] = 0;

    // Rebuild the remaining arguments as one parameter string, quoting any argument that
    // contains a space or a %VAR% reference whose value itself contains '%'.
    for (; start < argc; start++)
    {
        TCHAR *tst = argv[start];
        quote = false;
        TCHAR *st = &tst[0];

        for (;;)
        {
            st = _tcsstr(st, TEXT("%"));
            if (st == NULL) break;
            // Copy the text after '%' into a bounded scratch buffer and look for the closing '%'.
            _tcsncpy(buffer, st + 1, 127);
            buffer[127] = 0;
            if (buffer[0] == 0) break;   // '%' was the last character of the argument
            TCHAR *en = _tcsstr(buffer + 1, TEXT("%"));
            if (en != NULL)
            {
                *en = 0;
                TCHAR *env = _tgetenv(buffer);
                if (env != NULL && _tcsstr(env, TEXT("%")) != NULL)
                {
                    quote = true;
                    break;
                }
                st = _tcsstr(st + 1, TEXT("%"));   // move on to the closing '%'
                if (st == NULL) break;
            }
            st++;
        }
        quote = ((_tcsstr(tst, TEXT(" ")) != NULL) || quote);

        // The argument, up to two quotes and the separating space must fit in parms.
        if (_tcslen(parms) + _tcslen(tst) + 3 >= PARMLEN)
        {
            free(parms);
            return -1;
        }
        if (quote)
            _tcscat(parms, TEXT("\""));
        _tcscat(parms, tst);
        if (quote)
            _tcscat(parms, TEXT("\""));
        _tcscat(parms, TEXT(" "));
    }

    bool ok = StartWait(exe, parms, NULL, wait, show);
    free(parms);
    return ok ? 0 : -1;
}


Peter

#3 homes32

homes32

    Gold Member

  • .script developer
  • 1035 posts
  • Location:Minnesota
  • United States

Posted 05 October 2012 - 04:21 PM

Hi,

I wonder why some antivirus programs suddenly start to recognize Projects\Tools\Common\c86\hiderun_x86.exe as a virus. For example:

https://www.virustot...c3958/analysis/

I guess this file is essential for WinPE; is there documentation on what exactly it does? And why do antivirus programs now detect this file as malware?


It's a false positive.
hiderun does exactly what psc said above and what the program's name implies: it hides annoying .cmd windows from popping up during the build process and the boot process, in order to keep them from being closed by the user, which could cause problems with building or booting the PE.
The C++ source code for this particular version of hiderun is available for your inspection in the tools folder (i.e. C:\winbuilder\Projects\Tools\Win7PESE\src).

regards,
Homes32

#4 sbaeder

sbaeder

    Gold Member

  • .script developer
  • 1338 posts
  • Location:usa - massachusettes
  • United States

Posted 06 October 2012 - 04:49 PM

And to pile on here in addition to the very good comments above, the very fact that it is trying to "hide" a running process may be a cause for alarm, since that is what a "Virus" would attempt to do...So, that may be enough to flag it, and without some other "whitelist", report it as suspicious.

:cheers:
Scott

#5 homes32

homes32

    Gold Member

  • .script developer
  • 1035 posts
  • Location:Minnesota
  • United States

Posted 07 October 2012 - 07:12 PM

And to pile on here in addition to the very good comments above, the very fact that it is trying to "hide" a running process may be a cause for alarm, since that is what a "Virus" would attempt to do...So, that may be enough to flag it, and without some other "whitelist", report it as suspicious.

:cheers:
Scott

Well, if we want to get technical, it's not really hiding the process, just toggling the window state from SW_SHOWNORMAL to SW_HIDE.
Nothing unusual about that, but script kiddies and other wannabes have [mis]used self-contained programs like this in the past to hide their poorly written malicious programs from visibility.

That's why the source is included, so you can analyze it for yourself and see that we have nothing to hide :rofl2:
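To make homes32's point concrete from the defender's side, here is an added PowerShell example (not from the thread and not part of WinBuilder): it starts a child with the same SW_HIDE window request hiderun passes to ShellExecuteEx, then shows that the process is still fully visible to ordinary process enumeration. The cmd.exe/timeout child is just a harmless long-running placeholder.

```powershell
# Added example: a hidden window is not a hidden process.
# Start a child with its window hidden (-WindowStyle Hidden maps to SW_HIDE, the same
# nShow value hiderun sets). cmd.exe running 'timeout' is only a placeholder child.
$child = Start-Process -FilePath 'cmd.exe' -ArgumentList '/c', 'timeout /t 20 /nobreak' `
                       -WindowStyle Hidden -PassThru
Start-Sleep -Seconds 1

# 1. The process is in the process list like any other; the only visible difference is
#    MainWindowHandle = 0, because there is no visible top-level window.
Get-Process -Id $child.Id | Select-Object ProcessName, Id, MainWindowHandle, StartTime

# 2. WMI still exposes the full command line and the parent PID. Process-creation
#    telemetry (e.g. Sysmon Event ID 1) records the same fields, regardless of SW_HIDE.
$wmi = Get-CimInstance Win32_Process -Filter "ProcessId = $($child.Id)"
$wmi | Select-Object Name, ProcessId, ParentProcessId, CommandLine

# 3. The parent/child relationship is intact: here the launcher is powershell.exe; with
#    hiderun it would be hiderun_x86.exe, which is exactly what a detection rule can key on.
$parent = Get-Process -Id $wmi.ParentProcessId
"$($parent.ProcessName) ($($parent.Id)) -> $($child.ProcessName) ($($child.Id))"

# Clean up the placeholder child.
Stop-Process -Id $child.Id -ErrorAction SilentlyContinue
```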



