Hiderun_x86.exe suddenly considered a virus?
#1
Posted 05 October 2012 - 09:40 AM
I wonder why some antivirus programs suddenly started to recognize Projects\Tools\Common\c86\hiderun_x86.exe as a virus. For example:
https://www.virustot...c3958/analysis/
I guess this file is essential for WinPE; is there documentation of what exactly it does? And why do antivirus programs now detect this file as malware?
#2
Posted 05 October 2012 - 11:58 AM
Because the virus creators have new ideas daily, the antivirus programs have to check more and more (machine code) patterns.
And so it is quite possible that a certain pattern is also contained in a "serious" application.
To your question: hiderun, as the name says, runs a program invisibly for the user. When the program is run directly, the application GUI or a command window would pop up.
There are different hideruns. I also wrote an x86 / x64 pair.
Here is my simple source code:
```cpp
// hiderunEx.cpp : Defines the entry point for the console application.
//
#pragma once
// #include "targetver.h"   // Visual Studio project header (SDK target version); not needed to build this file
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <tchar.h>
#include <windows.h>
#include <shellapi.h>

// Start exeFile with startParams via ShellExecuteEx. Optionally wait for it to exit,
// and optionally show its window (SW_SHOWNORMAL) instead of starting it hidden (SW_HIDE).
bool StartWait(TCHAR *exeFile, TCHAR *startParams, TCHAR *workDir, bool wait, bool show)
{
    SHELLEXECUTEINFO SEInfo;
    DWORD exitCode = 0;
    int infsize = sizeof(SHELLEXECUTEINFO);

    memset(&SEInfo, 0, infsize);
    SEInfo.cbSize = infsize;
    SEInfo.fMask = SEE_MASK_NOCLOSEPROCESS;   // keep hProcess so we can wait on it
    SEInfo.lpFile = exeFile;
    SEInfo.lpParameters = startParams;
    SEInfo.lpDirectory = workDir;
    if (show)
        SEInfo.nShow = SW_SHOWNORMAL;
    else
        SEInfo.nShow = SW_HIDE;               // the "hide": the child starts with a hidden window

    if (ShellExecuteEx(&SEInfo)) {
        if (wait) {
            // Poll until the child exits, still pumping messages while waiting.
            do {
                MsgWaitForMultipleObjects(1, &SEInfo.hProcess, FALSE, 10, QS_ALLINPUT);
                GetExitCodeProcess(SEInfo.hProcess, &exitCode);
            } while (exitCode == STILL_ACTIVE);
        }
        if (SEInfo.hProcess)
            CloseHandle(SEInfo.hProcess);     // don't leak the process handle
        return true;
    }
    return false;
}

#define PARMLEN 4096

int _tmain(int argc, TCHAR *argv[], TCHAR *envp[])
{
    bool wait = false;
    bool show = false;
    int start = 1;
    TCHAR *exe;
    TCHAR *parms;
    bool quote;
    TCHAR buffer[128];

    (void)envp;
    if (argc == 1)
        return -1;

    // Options: /w = wait for the child to exit, /s = show its window (implies /w).
    if (_tcsicmp(TEXT("/w"), argv[start]) == 0) {
        start++;
        wait = true;
    }
    if (start < argc && _tcsicmp(TEXT("/s"), argv[start]) == 0) {
        start++;
        show = true;
        wait = true;
    }
    if (start >= argc)
        return -1;                            // options but no program to run

    parms = (TCHAR *) malloc(PARMLEN * sizeof(TCHAR));
    exe = argv[start++];
    parms[0] = 0;

    // Re-join the remaining arguments into one parameter string, quoting any
    // argument that contains a space or whose %VAR% expansion itself contains a '%'.
    for (; start < argc; start++) {
        TCHAR *tst = argv[start];
        quote = false;
        TCHAR *st = &tst[0];
        for (;;) {
            st = _tcsstr(st, TEXT("%"));
            if (st == NULL)
                break;
            // copy the text after the '%' into buffer and look for the closing '%'
            _tcsncpy(buffer, st + 1, 127);
            buffer[127] = 0;
            TCHAR *en = buffer[0] ? _tcsstr(buffer + 1, TEXT("%")) : NULL;
            if (en != NULL) {
                *en = 0;
                TCHAR *env = _tgetenv(buffer);  // NULL when the variable is not set
                if (env != NULL && _tcsstr(env, TEXT("%")) != NULL) {
                    quote = true;
                    break;
                }
                st = _tcsstr(st + 1, TEXT("%")); // skip to the closing '%'
                if (st == NULL)
                    break;
            }
            st++;
        }
        quote = ((_tcsstr(tst, TEXT(" ")) != NULL) || quote);
        // stop rather than overflow the fixed-size parameter buffer
        if (_tcslen(parms) + _tcslen(tst) + 4 >= PARMLEN)
            break;
        if (quote)
            _tcscat(parms, TEXT("\""));
        _tcscat(parms, tst);
        if (quote)
            _tcscat(parms, TEXT("\""));
        _tcscat(parms, TEXT(" "));
    }
    StartWait(exe, parms, NULL, wait, show);
    free(parms);
    return 0;
}
```
Peter
- Brito likes this
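Peter's loop above wraps an argument in double quotes only when it contains a space, which is enough for ordinary paths but leaves an embedded quote or a trailing backslash unescaped, so the child's CRT can split the string differently from what the caller intended (relevant when a build script feeds hiderun values it did not author). The following is an added example, not Peter's code or the hiderun project's, that builds the lpParameters string using the escaping rules the Windows CRT argv parser and CommandLineToArgvW apply; `quoteArg`, `buildParameters` and `naiveQuoteArg` are hypothetical helper names chosen for this example, and it omits the %VAR% re-expansion check that hiderun also performs. It uses no Windows API, so it compiles anywhere.

```cpp
#include <string>
#include <vector>

// Quote a single argument so that the Windows CRT argv parser reconstructs it
// exactly. Hypothetical helper for this example, not part of hiderun.
//  - no quoting is needed when the argument has no whitespace or quotes;
//  - otherwise wrap it in double quotes, escape embedded quotes as \",
//    and double any run of backslashes that directly precedes a quote
//    (including the closing quote), because only those backslashes are
//    treated as escapes by the parser; other backslashes stay literal.
std::string quoteArg(const std::string &arg)
{
    if (!arg.empty() && arg.find_first_of(" \t\n\v\"") == std::string::npos)
        return arg;

    std::string out = "\"";
    for (std::string::const_iterator it = arg.begin();; ++it) {
        std::size_t backslashes = 0;
        while (it != arg.end() && *it == '\\') {
            ++it;
            ++backslashes;
        }
        if (it == arg.end()) {
            // trailing backslashes precede the closing quote: double them
            out.append(backslashes * 2, '\\');
            break;
        } else if (*it == '"') {
            // backslashes before an embedded quote are doubled, then the quote is escaped
            out.append(backslashes * 2 + 1, '\\');
            out.push_back('"');
        } else {
            // backslashes not followed by a quote are literal
            out.append(backslashes, '\\');
            out.push_back(*it);
        }
    }
    out.push_back('"');
    return out;
}

// Join the arguments into the single parameter string that is handed to
// ShellExecuteEx as lpParameters.
std::string buildParameters(const std::vector<std::string> &args)
{
    std::string params;
    for (std::size_t i = 0; i < args.size(); ++i) {
        if (i)
            params.push_back(' ');
        params += quoteArg(args[i]);
    }
    return params;
}

// For comparison: the rule hiderun's own loop applies (quote only when the
// argument contains a space). An embedded quote passes through unescaped.
std::string naiveQuoteArg(const std::string &arg)
{
    if (arg.find(' ') == std::string::npos)
        return arg;
    return "\"" + arg + "\"";
}

int main()
{
    // constructed sample argument list
    std::vector<std::string> args;
    args.push_back("/w");
    args.push_back("C:\\Program Files\\tool.exe");
    args.push_back("say \"hi\"");
    std::string line = buildParameters(args);
    return line.empty() ? 1 : 0;
}
```

With the sample list in `main`, `buildParameters` yields `/w "C:\Program Files\tool.exe" "say \"hi\""`, whereas `naiveQuoteArg("say \"hi\"")` yields `"say "hi""`, which the child's parser does not read back as the original value.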
#3
Posted 05 October 2012 - 04:21 PM
Hi,
I wonder why some antivirus programs suddenly started to recognize Projects\Tools\Common\c86\hiderun_x86.exe as a virus. For example:
https://www.virustot...c3958/analysis/
I guess this file is essential for WinPE; is there documentation of what exactly it does? And why do antivirus programs now detect this file as malware?
it's a false positive.
hiderun does exactly what psc said above and the program's name implies. It hides annoying .cmd windows from popping up during the building process and the boot process, in order to keep them from being closed by the user, possibly causing problems with building or booting of the PE.
the C++ source code for this particular version of hiderun is available for your inspection in the tools folder (i.e. C:\winbuilder\Projects\Tools\Win7PESE\src)
regards,
Homes32
#4
Posted 06 October 2012 - 04:49 PM
And to pile on here in addition to the very good comments above, the very fact that it is trying to "hide" a running process may be a cause for alarm, since that is what a "Virus" would attempt to do... So, that may be enough to flag it, and without some other "whitelist", report it as suspicious.
Scott
#5
Posted 07 October 2012 - 07:12 PM
well if we want to get technical it's not really hiding the process, just toggling the window state from SW_SHOWNORMAL to SW_HIDE
nothing unusual about that, but script kiddies and other wannabes have [mis]used self contained programs like this in the past to hide their poorly written malicious programs from visibility.
that's why the source is included, so you can analyze it for yourself and see that we have nothing to hide
- Brito likes this