
Virus Detection



Does anyone see anything in this script that would cause an anti-virus to detect it as a trojan?

#include <GUIConstants.au3>
#include <Array.au3>
#include <File.au3>

GUICreate("BackIt", 255, 110, 255, 255)
GUICtrlCreateLabel("Please select an task to perform.", 5, 5)
$buttonInstall = GUICtrlCreateButton("Start", 95, 75, 60)
$comboInstallType = GUICtrlCreateCombo("Backup", 93, 40, 65)
GUICtrlSetData($comboInstallType, "Recover")
GUISetState(@SW_SHOW)

While 1
    $msg = GUIGetMsg()
    Select
        Case $msg = $GUI_EVENT_CLOSE
            ExitLoop
        Case $msg = $buttonInstall
            If GUICtrlRead($comboInstallType) = "Backup" Then
                _BackupFiles()
            EndIf
            If GUICtrlRead($comboInstallType) = "Recover" Then
                _RecoverFiles()
            EndIf
            ExitLoop
    EndSelect
WEnd



Func _BackupFiles()
    $backupLoc = "F:\AISD Backup\"
    $recovery = InputBox("BackIt","Enter a location name here that you can remember for the recovery process. (Example: A102Adams, B204Johnson, TP2Greene, MainOfficeTeresa) The name that you choose will become a directory housing the backup files in F:\AISD Backup\.", "")
    _CopyWithProgress("C:\Documents and Settings\Alvin Staff\" , $backupLoc & $recovery)
    _CopyWithProgress("Q:\" , $backupLoc & $recovery & "\Local Documents Backup\")
    _CopyWithProgress("D:\" , $backupLoc & $recovery & "\Local Documents Backup\")

    ; Write the list of installed software straight into the backup directory.
    ; (The directory exists at this point because _CopyWithProgress created it above.)
    Dim $Software
    _ComputerGetSoftware($Software)
    If @error Then
        ; _ComputerGetSoftware sets @extended = 1 when the registry scan found nothing
        If @extended = 1 Then MsgBox(16, "BackIt", "Array contains no data.")
    Else
        ; Note the backslash: without it the file lands next to the backup directory
        ; as "<name>Software.txt" instead of inside it. Open once, in append mode.
        $file = FileOpen($backupLoc & $recovery & "\Software.txt", 1)
        ; Check if file opened for writing OK
        If $file = -1 Then
            MsgBox(0, "Error", "Unable to open file.")
            Exit
        EndIf
        For $i = 1 To $Software[0][0]
            FileWrite($file, "Program: " & $Software[$i][0] & "   Version: " & $Software[$i][1] & @CRLF & _
                "Program Creator: " & $Software[$i][2] & @CRLF & _
                "---------------------------------------------" & @CRLF & @CRLF)
        Next
        FileClose($file)
    EndIf

    MsgBox(4096, "BackIt", "Documents have been copied and are placed in " & $backupLoc & $recovery & ". " & "Remember the name : " & $recovery & " : for afterwards, you will need it to recover the files back to their original location.", 10)
EndFunc


Func _RecoverFiles()
    $recoverLoc = "F:\AISD Backup\"
    $backup = InputBox("BackIt","Please enter the name that you gave this computer when you ran the backup utility. (Example: A102Adams, B204Johnson, TP2Greene, MainOfficeTeresa) If you forgot, browse over to F:/AISD Backup/ to view the directory.", "")
    _CopyWithProgress($recoverLoc & $backup , "C:\Documents and Settings\Alvin Staff\");Recovers the root folder to documents
    _CopyWithProgress($recoverLoc & $backup & "\Local Documents Backup\" , "Q:\")   ;Recovers the Local Disk drive (If the Drive letter is Q)
    _CopyWithProgress($recoverLoc & $backup & "\Local Documents Backup\" , "D:\")   ;Recovers the Local Disk drive (If the Drive letter is D)
    _CopyWithProgress($recoverLoc & $backup & "\Software.txt", "C:\Documents and Settings\Alvin Staff\Desktop\");Copies the Software list onto the Desktop.
    MsgBox(4096, "BackIt", "All files have been recovered successfully! The software list will be on the desktop: See Software.txt!", 10)


EndFunc


Func _CopyWithProgress($SourcePath, $DestPath, $Replace=0)
    If Not FileExists($SourcePath) Then Return SetError(1, 0, -1)
    If Not StringInStr(FileGetAttrib($DestPath), "D") And Not DirCreate($DestPath) Then Return SetError(2, 0, "")
    ; Invalid $Replace must return here; the original set the error and carried on copying
    If $Replace <> 0 And $Replace <> 1 Then Return SetError(3, 0, "")
    
    Local $PathName = StringRegExpReplace($SourcePath, "^.*\\", "")
    Local $Progress=0, $Counter=0, $ReadySize, $MidlePath, $Ready, $TimeRemained
    Local $CurrentFilePath, $CurrentFileName, $CurrentFilePathName, $CurrentParentDirName
    
    ProgressOn("Backing up " & $SourcePath, "Copy: " & $PathName, "Getting dir structure" & @LF & "Please wait...")
    
    Local $TotalDirSize = DirGetSize($SourcePath)
    Local $FilesArr = _FileListToArrayEx($SourcePath)
    Local $FilesCount = 0, $ProgressStep = 0
    If IsArray($FilesArr) Then $FilesCount = UBound($FilesArr) - 1
    ; An empty tree would otherwise divide by zero
    If $FilesCount > 0 Then $ProgressStep = 100 / $FilesCount
    If IsArray($FilesArr) Then
        For $i = 1 To UBound($FilesArr)-1
            $CurrentFilePath = $FilesArr[$i]
            $CurrentFileName = StringRegExpReplace($CurrentFilePath, "^.*\\", "")
            $CurrentFilePathName = StringReplace($CurrentFilePath, $SourcePath & "\", "")
            
            $CurrentParentDirName = _GetParentDirName($CurrentFilePath)
            
            $Progress += $ProgressStep
            $Counter += 1
            
            $ReadySize = FileGetSize($CurrentFilePath)
            
            $MidlePath = _GetMidlePath($CurrentFilePath)
            $Ready = $Counter & "/" & $FilesCount
            $TimeRemained = _GetTimeRemained($TotalDirSize, $ReadySize, $FilesCount, $Counter)
            
            ; Show source and destination (the original printed the source parent dir twice)
            ProgressSet($Progress, 'Copy... from "' & $CurrentParentDirName & '" to "' & $DestPath & '"' & @LF & _
                $MidlePath & @LF & "Approximate time remaining: " & $TimeRemained, "Ready: " & $Ready)
            FileCopy($CurrentFilePath, $DestPath & "\" & $CurrentFilePathName, 8+$Replace)
        Next
    EndIf
    ProgressOff()
EndFunc

Func _FileListToArrayEx($sPath, $sMask='*')
    Local $i, $j, $blist, $rlist[1]=[0], $dlist = _DirListToArray($sPath)
    _ArrayAdd ($dlist, $sPath)
    For $i=1 To $dlist [0] +1
        $blist = _FileListToArray ($dlist [$i], $sMask, 1)
        If Not @error Then
            For $j=1 To $blist [0]
                _ArrayAdd ($rlist, $dlist[$i] & "\" & $blist [$j])
            Next
        EndIf
    Next
    $rlist [0] = UBound ($rlist) - 1
    Return $rlist
EndFunc

Func _DirListToArray($sPath)
    Local $rlist[2]=[1, $sPath], $blist, $alist=_FileListToArray ($sPath, '*', 2)
    If IsArray ($alist) Then
        For $i=1 To $alist [0]
            _ArrayAdd ($rlist, $sPath & "\" & $alist [$i])
            $blist = _DirListToArray ($sPath & "\" & $alist [$i])
            If $blist[0]>0 Then
                For $j=1 To $blist [0]
                    _ArrayAdd ($rlist, $blist [$j])
                Next
            EndIf
        Next
    EndIf
    $rlist[0] = UBound($rlist) - 1
    Return $rlist
EndFunc

Func _GetMidlePath($sPath)
    If StringLen($sPath) <= 50 Then Return $sPath
    Local $StartPath = StringLeft($sPath, 25)
    Local $EndPath = StringTrimLeft($sPath, StringInStr($sPath, "\", 0, -2)-1)
    Return $StartPath & "..." & $EndPath
EndFunc

Func _GetParentDirName($FullName)
    Local $LastSlashPos = StringInStr($FullName, "\", 0, -1)
    Local $SecondLastSlashPos = StringInStr($FullName, "\", 0, -2)
    Return StringMid($FullName, $SecondLastSlashPos+1, $LastSlashPos-$SecondLastSlashPos-1)
EndFunc

Func _GetTimeRemained($TotalSize, $CurrentSize, $FilesCount, $CurrentFilesCount)
    Local $NumLevl = 0.5
    
    If $TotalSize <= $CurrentSize Then Return _SecsToTime(0)
    
    Switch $FilesCount - $CurrentFilesCount
        Case 0 To 100
            $NumLevl = 0.1
        Case 100 To 1000
            $NumLevl = 0.5
        Case 1000 to 2000
            $NumLevl = 1
        Case Else
            $NumLevl = 2
    EndSwitch
    
    $Secs = ($TotalSize * $NumLevl) / (3600 * $CurrentFilesCount) - ($CurrentSize * $NumLevl) / (3600 * $CurrentFilesCount)
    Return _SecsToTime($Secs)
EndFunc

Func _SecsToTime($iTicks, $Delim=":")
    If Number($iTicks) >= 0 Then
        $iHours = Int($iTicks / 3600)
        $iTicks = Mod($iTicks, 3600)
        $iMins = Int($iTicks / 60)
        $iSecs = Round(Mod($iTicks, 60))
        If StringLen($iHours) = 1 Then $iHours = "0" & $iHours
        If StringLen($iMins) = 1 Then $iMins = "0" & $iMins
        If StringLen($iSecs) = 1 Then $iSecs = "0" & $iSecs
        Return $iHours & $Delim & $iMins & $Delim & $iSecs
    EndIf
    Return SetError(1, 0, 0)
EndFunc

Func _ComputerGetSoftware(ByRef $aSoftwareInfo)
    Local Const $UnInstKey  = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    Local $i = 1
    Dim $aSoftwareInfo[1][4]
    
    While 1
        $AppKey = RegEnumKey($UnInstKey, $i)
        If @error <> 0 Then ExitLoop
        ReDim $aSoftwareInfo[UBound($aSoftwareInfo) + 1][4]
        $aSoftwareInfo[$i][0]   = StringStripWS(StringReplace(RegRead($UnInstKey & "\" & $AppKey, "DisplayName"), " (remove only)", ""), 3)
        $aSoftwareInfo[$i][1]   = StringStripWS(RegRead($UnInstKey & "\" & $AppKey, "DisplayVersion"), 3)
        $aSoftwareInfo[$i][2]   = StringStripWS(RegRead($UnInstKey & "\" & $AppKey, "Publisher"), 3)
        $aSoftwareInfo[$i][3]   = StringStripWS(RegRead($UnInstKey & "\" & $AppKey, "UninstallString"), 3)
        $i += 1
    WEnd
    
    $aSoftwareInfo[0][0] = UBound($aSoftwareInfo, 1) - 1
    If $aSoftwareInfo[0][0] < 1 Then
        SetError(1, 1, 0)
    EndIf
EndFunc



> do not use UPX, it's the UPX that flags the AV

Yeah I saw that. Dang, that sucks. I'll just write a script that disables Vexira. :D Thanks guys. Sorry for wasting your time.


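Before rebuilding without UPX or sending the exe to a vendor (as suggested later in the thread), it helps to confirm the packer is actually present and to record the hashes a false-positive form asks for. This is an added example, not code from the thread: it reads the PE section table directly (no third-party module), and the sample "PE" it builds is a constructed header-only skeleton, not a real executable.

```python
import hashlib
import struct

def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image, or [] if it is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 24:
        return []
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size      # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]   # 40-byte entries, 8-byte name
        if len(raw) < 8:
            break
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def looks_upx_packed(data: bytes) -> bool:
    """Heuristic: UPX names its sections UPX0/UPX1 and leaves a 'UPX!' marker."""
    return any(n.startswith("UPX") for n in pe_section_names(data)) or b"UPX!" in data

def submission_report(data: bytes) -> dict:
    """What a vendor false-positive form typically asks for: hashes plus packer status."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sections": pe_section_names(data),
        "upx_packed": looks_upx_packed(data),
    }

def build_minimal_pe(section_names) -> bytes:
    """Constructed sample (not a real executable): only the headers the checker reads."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew points at offset 0x40
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + coff + table

if __name__ == "__main__":
    import sys
    # Pass a compiled .exe path to check a real file; otherwise use the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe([b".text", b"UPX0", b"UPX1"])
    print(submission_report(blob))
```

Run it against the compiled BackIt.exe built with and without the UPX option in the compiler to see the section names change; the hashes in the report are what the vendor needs to whitelist the exact build.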

Take it from someone who used to work for a School District: I'd suggest NOT disabling your antivirus just to run your script. Disabling UPX compression (if it solves your problem) is the easiest and safest bet to fix the issue, and doesn't leave a computer vulnerable during that time.


> Take it from someone who used to work for a School District: I'd suggest NOT disabling your antivirus just to run your script. Disabling UPX compression (if it solves your problem) is the easiest and safest bet to fix the issue, and doesn't leave a computer vulnerable during that time.

I wrote a script that backs up teacher software + documents to my networked drive so that I can re-image computers. This will save me time considering I have roughly 3000 computers to reimage and back up. I'll need to disable the virus protection while I run this script. It doesn't matter that the AV is disabled considering I am reimaging the computer.

Edited by Richardo



> I would also suggest writing to the antivirus vendor with your source code and compiled app so that, if interested, they might exclude your file signature...

It doesn't work that way.

Your script has (or should have) nothing to do with the compiled version being marked as some sort of malware, due to the specific way AutoIt scripts are compiled to executables. It only changes the hash and I don't believe they will treasure your hash value. I think that would just be much overkill for them, not to mention the possible damage that they could do to themselves that way.

But I could be wrong. Anyone tried that?

Btw, who would interpret your script for them? Jon? :D


eMyvnE


Just a few users nagging them about AutoIt is usually enough. Of course after a few months someone will fuck up once again and it's all over from the start :-D

I also code in asm and have seen the same shit, due to "unexpected" exe structure most probably.


Argumentum stated that using UPX sets some AV off, but I have also seen some AV programs (Avira, I think) flag compiled files as malware mentioning "AutoIT" in the malware/quarantine warning. I had assumed this was because the exes still had AutoIT-related info in the file Version information, but I could be wrong.

Liam


> You have a point, but most ppl don't want to distribute their script butt-naked like that! :-)

lol, yeah, I wouldn't for most things, but for IT-related projects a self-executing SFX seems like it would be acceptable.

I don't think that AV programs bother with resource version information... it seems too easy to manipulate, and when dealing with a broken-signature or no-signature situation, version info is pointless.


UPX usually doesn't hide anything, modern antiviruses employ emulator technology to trace through the unpacking and then "look at" the unpacked code. Especially for the most popular executable packer ever. (Too bad it's discontinued)

Edited by Inverted

BTW, ZoneAlarm's AntiVirus (which uses the Kaspersky AV engine) passed the file.

As Inverted said, most people don't wish to distribute the file uncompiled. If you have 3000+ users all you need is one of them to mess with the script before it is compiled to potentially cause real problems.

JohnMC, I agree that most AV wouldn't check resource info, but I wouldn't be surprised if some check it as an additional measure. I could be wrong though.

Liam


> It doesn't work that way.
>
> Your script has (or should have) nothing to do with the compiled version being marked as some sort of malware, due to the specific way AutoIt scripts are compiled to executables. It only changes the hash and I don't believe they will treasure your hash value. I think that would just be much overkill for them, not to mention the possible damage that they could do to themselves that way.
>
> But I could be wrong. Anyone tried that?
>
> Btw, who would interpret your script for them? Jon? :D

They can interpret it; it's similar to other languages on various points.

Compile it and send it to them with a copy of the source, and they can prevent that file from being detected as a virus, as 90% of virus programs check a form of hash (most use MD5); they can put your signature into their DB in the whitelist.


There are two chances: one, they might just do something to exclude the app in question (hash or whatever they do; of course this would be too heavy an overhead for them, as you mentioned). On the other hand, I have a feeling that if there are enough users who send their script to them, they might be ready to exclude the AutoIt engine from their signature (if that's what they have!) or the UPX packer (?), or they might even come up with a more detailed answer on why they have marked our app as malicious.

I am saying this because I have submitted files (not exactly au3, but various others) to a few AV vendors and they came up with an answer many a time (of course vendors like ClamAV don't respond to you personally when submitting samples, but I've had responses from a few other companies).

I just wanted to mention this because releasing the source code to the vendor (when we are OK with it, of course) MAY TURN OUT TO BE USEFUL; no harm trying it, isn't it? We don't exactly know how they are going to clear it or even if they are going to do it. But yet, there is every chance it might even have been a false positive, which they would be more than ready to get rid of...
