Oxygen Basic

Programming => Bugs & Feature Requests => Topic started by: Emil_halim on April 10, 2016, 11:14:56 AM

Title: Avira antiVirus
Post by: Emil_halim on April 10, 2016, 11:14:56 AM
Hi All,

my Avira anti virus detects two viruses in those files [ Oxide.exe , co2.exe ].

Does anyone have this problem?
Title: Re: Avira antiVirus
Post by: Peter on April 10, 2016, 01:38:35 PM
Quote
my Avira anti virus detects two virus in those files [ Oxide.exe ,  co2.exe ].

No, I never got a virus!
My virus scanner is self-made.  ;D
Title: Re: Avira antiVirus
Post by: Charles Pegge on April 10, 2016, 11:16:55 PM

Unfortunately, Avira persistently throws false positives.
Title: Re: Avira antiVirus
Post by: Arnold on April 11, 2016, 02:21:32 AM
I gave up Avira long ago because the scanner reported too many false positives. For my personal use the scanner of MS Essentials is sufficient.

Sending co2.exe and oxide.exe to www.virustotal.com will show 5 (false) positives of 56 results:
Oxide.exe: AegisLab, Avira, Ikarus, Qihoo-360, Rising
co2.exe: AegisLab, Avast, Avira, Ikarus, Rising

51 messages indicate that the files are ok. If some scanners like Kaspersky, McAfee, Microsoft or Symantec complained, I would have a real problem. Not because of Oxygen, but because of something else which went totally wrong with my system.
Title: Re: Avira antiVirus
Post by: Emil_halim on December 15, 2016, 08:06:24 AM
Hi charles,

Still, my Avast antivirus refuses to run co2.exe; it also removes it from my computer.

It only accepts gxo2, so can you help me?
Title: Re: Avira antiVirus
Post by: JRS on December 15, 2016, 11:58:46 AM
Avast anti-virus is the worst software you can use. You're better off with Microsoft's Essentials. (free)
Title: Re: Avira antiVirus
Post by: Mike Lobanovsky on December 15, 2016, 05:00:43 PM
Charles,

Low quality free anti-virus software like Avira and Avast and a lot of other "brand" names is unfortunately spread very widely among the inexperienced computer user base due to being bundled liberally with the installation packages of other, more useful general-purpose software.

A number of easily accessible "anti-malware" sites like VirusTotal.com and similar are also full of such low-quality AV specimens and offer the ill service of falsely flagging decent software as malware.

An extremely poor implementation of heuristics engines in such low quality AV software cannot tell well-behaved programs like OxygenBasic components from genuine malware other than by checking if OxygenBasic binaries meet certain criteria that MS Windows sets for modern executable files.

Thus, a legit Windows executable should have valid file time and checksum stamps and should carry an embedded icon and version info resources. It should also be supplied with either standalone or embedded manifest resource, preferably with multiple definitions of OSes the executable is supposed to be compatible with.

The Oxygen binaries have neither version info nor manifest resources, standalone or embedded. This is sufficient for the low quality Avira and Avast to falsely flag them as potential malware.

Perhaps you would find it not so burdensome to add both the version info and manifest resources to your compilations of O2 binaries for inclusion into the future regular distributions of OxygenBasic? It might also be reasonable to make the O2 compiler link at least minimal precompiled icon, version and manifest resources transparently into every user compiled executable written in O2.
Title: Re: Avira antiVirus
Post by: Charles Pegge on December 16, 2016, 01:54:19 AM
Hi Emil,

Avast, which I also use, has got more paranoid over time. I always work with the File Shield turned off.

The 'Ask' option does not allow execution.

I found the false-positive reporting option in the current update, so I hope co2 and other o2 executables will not be blocked in later updates.


Title: Re: Avira antiVirus
Post by: Arnold on December 16, 2016, 01:58:19 AM
If the measures which Mike suggested can help to get rid of these nasty messages this would be really brilliant.

I always wondered why using tcc results in warnings by these scanners whereas gcc will get no warnings.
Title: Re: Avira antiVirus
Post by: Charles Pegge on December 16, 2016, 02:15:16 AM

Hi Mike,

Yes, I will look into embedding these ornaments, but I doubt that icons and manifests are involved in malware detection, since the most insidious code will be well disguised inside a legit-looking piece of software.

Furthermore, the Anti-Virus attacks, when the newly compiled program is being stored to a PE file, prior to embedding of icons and other resources.
Title: Re: Avira antiVirus
Post by: Mike Lobanovsky on December 16, 2016, 02:17:25 AM
Roland,

Using windres.exe from the GCC distribution to precompile the icon, version info, and manifest resources into an .o file and then linking it with your TCC .o files effectively eliminates false alarms issued by low-end AV software.

Apparently GCC is also on the exclusion list of most AV software -- something that's a paid service that the volunteer TCC dev team cannot afford.

OTOH intelligent AV packages like Kaspersky, Ez Nod, Microsoft Essentials and a few others would not throw false alarms at either TCC or O2 executables; apparently their heuristics are strong enough to analyse the executables for their real, rather than face, value.
Title: Re: Avira antiVirus
Post by: Mike Lobanovsky on December 16, 2016, 02:59:17 AM
Hi Charles,

Thanks for your prompt response to my suggestion.

... the Anti-Virus attacks, when the newly compiled program is being stored to a PE file, prior to embedding of icons and other resources.

I am not talking about embedding the resources post-factum into the already compiled but still resourceless executable the way ResHacker does it. I'm talking about linking the precompiled resource object files at the stage when GAS (or GCC) back end links the O2 object files written in, and pre-translated by, FreeBASIC into assembly or C, respectively, into the resultant O2 binaries.

If the O2 compiler, in its turn, does not make use of intermediary object files when compiling user executables written in Oxygen, then it should have appropriate procedures hardcoded into it by hand to patch the executable header section table and other relevant header entries with the info about the precompiled .rsrc section you're adding to the executable manually while the executable's image is still in the compiler memory and before it is finally dumped to the disk.


[HINT] If you're uncertain about how to calculate correct, Windows-compliant CRC-32 for the in-memory image of an executable file that the MapFileAndCheckSumA() API is only able to calc for the on-disk file images, you may use the following C code making sure to omit from the calculation the four bytes of the executable's header where the resultant CRC-32 value proper is going to be written to (just reset them to zero for the calculation purposes). If you are going to use some language other than C to re-implement this code, also make sure to use C-compatible data types and follow the C rules of operator precedence to ensure compatible results:

Code: C
#include <stdint.h>

// uint32_t instead of unsigned long: the table construction below relies on
// 32-bit truncation after "<< 1", and unsigned long is 64 bits on LP64 systems.
uint32_t crc32_table[256]; // CRC-32 LUT

// Both helpers are defined below crc32(), so they must be declared first.
void init_crc32_table(void);
uint32_t reflect(uint32_t ref, char ch);

uint32_t crc32(char* data, int dataLen) {
  if (0 == crc32_table[1]) init_crc32_table(); // init LUT once only

  // Be sure to use unsigned variables,
  // because negative values introduce high bits
  // where zero bits are required.

  uint32_t ulCRC = 0xffffffff;
  unsigned char* buffer = (unsigned char*)data;

  // Perform the algorithm on each byte in the
  // data stream using the lookup table values.

  while (dataLen--)
    ulCRC = (ulCRC >> 8) ^ crc32_table[(ulCRC & 0xff) ^ *buffer++];

  return ulCRC ^ 0xffffffff;
}

// Call this function only once to initialize the CRC table.
void init_crc32_table(void) {
  // This is the official polynomial used by CRC-32
  // in PKZip, WinZip, Ethernet, and Win PE headers.

  uint32_t ulPolynomial = 0x04c11db7;

  register int i;
  for (i = 0; i <= 0xff; i++) {
    crc32_table[i] = reflect(i, 8) << 24;

    register int j;
    for (j = 0; j < 8; j++)
      crc32_table[i] =
        (crc32_table[i] << 1) ^ (crc32_table[i] & 0x80000000u ? ulPolynomial : 0);
    crc32_table[i] = reflect(crc32_table[i], 32);
  }
}

// Reflection is a requirement for the official CRC-32 standard.
// You can create CRCs without it, but they won't conform to the standard.
uint32_t reflect(uint32_t ref, char ch) {
  uint32_t value = 0;

  register int i;
  for (i = 1; i < (ch + 1); i++) {
    if (ref & 1)
      value |= 1u << (ch - i); // unsigned shift: 1 << 31 on a plain int is undefined
    ref >>= 1;
  }

  return value;
}
Title: Re: Avira antiVirus
Post by: Emil_halim on December 16, 2016, 03:44:06 AM

nice charles,

waiting for next release , hope it will be soon.
Title: Re: Avira antiVirus
Post by: jcfuller on December 16, 2016, 11:08:02 AM
Roland,

Using windres.exe from the GCC distribution to precompile the icon, version info, and manifest resources into an .o file and then linking it with your TCC .o files effectively eliminates false alarms issued by low-end AV software.

Apparently GCC is also on the exclusion list of most AV software -- something that's a paid service that the volunteer TCC dev team cannot afford.


Mike,
  What are the windres options for 64bit?

James
Title: Re: Avira antiVirus
Post by: Mike Lobanovsky on December 16, 2016, 01:54:40 PM
Hi James,

TCC cannot utilize either VC COFF-formatted .obj files or GCC .o files in either COFF or ELF format, but it can cope with windres.exe's COFF-formatted .o files that contain pure resources and nothing else but an #include "resource.h" directive at the most. If your input .RC file uses #defines instead of numeric literals as resource IDs, then the "resource.h" would contain a list of those #defines.

windres.exe uses the corresponding GCC it comes with to preprocess the .RC input file, so if the GCC switches are set for x64 compilation (I presume in your case they always are), then the windres.exe command line switches (assuming again all your files are in your current path and/or are accessible via environment variables) will be pretty simple:

windres -O coff -i inres.rc -o outres.o (avoid space delimited file paths using Linuxoid software!)

Once compiled, link the resultant resource object file outres.o with the other TCC source files of your current compilation, e.g.

tcc main.c outres.o -luser32 -o yourapp.exe (ditto!)

Please note that some x64 TDM-GCC builds of windres.exe fail to compile valid 32-bit resource object files even when GCC's own cross-compilation switches are set correctly. Prefer to use original x64 MinGW/GCC builds of windres.exe to cross compile 32-bit resources on 64-bit platforms, or use original 32-bit windres.exe for that purpose.

Note also that if you aren't using #defines in the source .RC file as your resource IDs at all but rather numeric literals only, then windres.exe can work independently of your GCC installation. That is, you can simply port (copy) it to a computer that doesn't have any other traces of GCC installation and use it to compile the resources as indicated above. In this case, a 64-bit windres.exe would yield 64-bit resource object files, and a 32-bit windres.exe, 32-bit resource object files, respectively.
Title: Re: Avira antiVirus
Post by: jcfuller on December 16, 2016, 02:53:07 PM
Mike,
  It's a negatory here.

It works fine with this added to the c file.
/* -------------------------------*/
/* Tiny C support for LinkRes2Exe */
/* -------------------------------*/
int dummy __attribute__ ((section(".rsrc")));
/* -------------------------------*/
and using gorc to compile the rc and Mike Hennings LinkRes2Exe to add the compiled res.

OS: Win10 64
------------------------------------------------------------------------------
SET RESTARGET=-O coff
windres -I. %RESTARGET% -i "%F%.rc" -o "%F%res.o"
'------------------------------------------------------------------------------
tcc version 0.9.26 (x86-64 Win64)
-> hellosdk.c
-> hellosdkres.o
hellosdkres.o:1: error: unrecognized file type
'------------------------------------------------------------------------------
gcc version:
gcc (x86_64-win32-sjlj-rev0, Built by MinGW-W64 project) 5.2.0

hellosdkres.rc

#define MANIFEST 24
#define IDR_XPMANIFEST1 1
#define IDR_VERSION1 1

IDR_XPMANIFEST1 MANIFEST "xpmanifest.xml"

IDR_VERSION1 VERSIONINFO
FILEVERSION 1,0,0,0
PRODUCTVERSION 1,0,0,0
FILEOS 0x00000004
FILETYPE 0x00000000
BEGIN
  BLOCK "StringFileInfo"
  BEGIN
    BLOCK "FFFF0000"
    BEGIN
      VALUE "FileVersion", "1.0.0.0\0"
      VALUE "ProductVersion", "1.0.0.0\0"
    END
  END
  BLOCK "VarFileInfo"
  BEGIN
    VALUE "Translation", 0xFFFF, 0x0000
  END
END


Manifest file


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity
   version="1.0.0.0"
   processorArchitecture="*"
   name="Company.Product.Name"
   type="win32"
/>
<description></description>
<dependency>
   <dependentAssembly>
      <assemblyIdentity
         type="win32"
         name="Microsoft.Windows.Common-Controls"
         version="6.0.0.0"
         processorArchitecture="*"
         publicKeyToken="6595b64144ccf1df"
         language="*"
      />
   </dependentAssembly>
</dependency>
</assembly>


James
Title: Re: Avira antiVirus
Post by: Mike Lobanovsky on December 16, 2016, 05:12:29 PM
James,

Try adding an explicit specification of COFF target platform to ensure windres.exe compiles a 64-bit object file, like this:

windres -I. %RESTARGET% -F pe-x86-64 -i "%F%.rc" -o "%F%res.o"

That's however a TDM-GCC spec and frankly, I've no idea whether it's gonna work with your vanilla MinGW installation. I'm not using 64 bits and/or Win 10 so often as to be 100% sure about anything there.

I would also suggest trying their W.I.P. TCC v0.9.27 from their git mob branch instead of the older v0.9.26 because:

1. It provides a civilized VS2015 solution instead of the medieval batch files; and

2. In the three years that have passed since v0.9.26, grishka could've fixed this issue if it's really a 64-bit TCC/COFF compatibility problem rather than 64-bit windres.exe/COFF glitch.

32-bit windres.exe has compiled Windows resources for my TCC v0.9.25 faultlessly for years.


P.S. BTW what is all that #define bloat for in hellosdkres.rc? Aren't a couple of 1's and a 24 simpler, faster and more elegant than all this preprocessor verbosity? This could've also spared you a couple milliseconds or more of your precious life each time you recompile the resources. :)

P.P.S. You could've used scripted ResHacker alone to the exact same effect instead of the three stages you're using now -- "Tiny C support ...", GoRC, and LinkRes2Exe, with an added bonus of having 100% correct checksum in the resultant PE header field that TCC omits unless its tccpe.c is fixed with a corresponding MapFileAndCheckSumA() call.
Title: Re: Avira antiVirus
Post by: jcfuller on December 17, 2016, 06:01:33 AM
Mike,
  Thanks for the effort and info.
I thought I would try it to see if it worked with 64bit and it did not.
I really have no interest to explore any further.

James
Title: Re: Avira antiVirus
Post by: Mike Lobanovsky on December 17, 2016, 04:17:31 PM
I really have no interest to explore any further.

Hmm James,


I must admit I'm not sure now what was really there behind your question but when I'm talking business, business is what I mean.

Below please find a zip with everything you'll ever need to use WINDRES.EXE for linking Windows resources with your 64-bit TCC executables: compilers, sample resources, BAT files, and stuff.


Regards,

Title: Re: Avira antiVirus
Post by: Charles Pegge on December 18, 2016, 01:22:25 AM

Thanks Mike,  for all your suggestions and crc code for PE files.
Title: Re: Avira antiVirus
Post by: jcfuller on December 18, 2016, 03:58:31 AM
Mike,
  First test using the NUWEN distro worked fine but your example comes in at 160k :)
Yes I know it's the icon!!
Can we get away with no icon or one much smaller and still get an A++ rating from VirusTotal scan?

When I said I had no interest, it was in building a 0.9.27 tcc 64bit version just to do a little testing.
The 9.26 I have was prebuilt.
Is there a prebuilt windows 64bit 0.9.27 for download or did you build it yourself?
 Thanks again,
James


Title: Re: Avira antiVirus
Post by: Mike Lobanovsky on December 18, 2016, 09:28:16 AM
Yes James,

The exe size is entirely the icon's contribution. It was the first free icon I came across when googling for "Hello" icons on the net. :)

You can use any Windows .ICO file in any size and/or resolution and/or composition. WINDRES.EXE will add an appropriate matching ICONGROUP resource automatically.

As for A++, in almost all cases a manifest and a version info will be sufficient. Yet the executables compiled with TCC bear their own distinct "signatures" that can help distinguish them from others, compiled with the more mature compilers like VC or GCC which are apparently on the AV permanent exclusion lists. (you can see that MinGW/TDM binaries themselves carry no Windows resources and nonetheless aren't provoking false AV alarms: low end AV software usually parasitizes on malware databases of other, more intelligent anti-viral packages)

Thus, every 32-bit executable compiled with TCC would bear, a few bytes away from its main entry point, a sequence of automatically generated empty NOP and LEA ESI, [ESI] instructions, apparently for code alignment purposes, which will be sufficient to unambiguously identify it as a TCC creation.

I used yesterday's most recent mob branch zip download (see tcc_git.png below) to rebuild this TCC from scratch in my VS2013. I also have VS2015 CE installed but my VS2013 is a licensed Ultimate so I prefer to use it whenever I can. You can use the VS2015 solution from the zip for that verbatim; the only alteration you need is to reset both projects' properties from the v140 to v120 toolset used in VS2013 (see solution_props.png below).

This solution however lacks a few things to compile a functional TCC package out-of-the-box (which is no surprise for a Linuxoid project, hehe):
Code: C
#define TCC_VERSION "0.9.27"
#define ssize_t unsigned long
Code:
@set target=-DTCC_TARGET_PE -DTCC_TARGET_X86_64
@set CC=gcc -m64 -Os -s -fno-strict-aliasing
@goto tools

:tools
%CC% %target% tools/tiny_impdef.c -o tiny_impdef.exe
%CC% %target% tools/tiny_libmaker.c -o tiny_libmaker.exe

:libtcc
if not exist libtcc mkdir libtcc
copy ..\libtcc.h libtcc\libtcc.h
%CC% %target% -shared -DLIBTCC_AS_DLL -DONE_SOURCE ../libtcc.c -o libtcc.dll -Wl,-out-implib,libtcc/libtcc.a
tiny_impdef libtcc.dll -o libtcc/libtcc.def

:copy_std_includes
copy ..\include\*.h include
copy ..\tcclib.h include
copy ..\tests\libtcc_test.c examples

:libtcc1.a
.\tcc %target% -c ../lib/libtcc1.c
.\tcc %target% -c lib/crt1.c
.\tcc %target% -c lib/wincrt1.c
.\tcc %target% -c lib/dllcrt1.c
.\tcc %target% -c lib/dllmain.c
.\tcc %target% -c lib/chkstk.S

:lib64
.\tcc %target% -c ../lib/alloca86_64.S
tiny_libmaker lib/libtcc1.a libtcc1.o alloca86_64.o crt1.o wincrt1.o dllcrt1.o dllmain.o chkstk.o

:the_end
del *.o

Copy my WINDRES.EXE I sent you (it's a TDM-GCC 5.1.0 tool) alongside tcc.exe/libtcc.dll (or add your own if it's equally functional) et voila! you now have a portable distro of latest TCC that can link Windows resources to the TCC-generated executables.

Have a Merry Christmas and a Happy Coding New Year!

Title: Re: Avira antiVirus
Post by: Charles Pegge on December 19, 2016, 10:11:21 AM
Hi Mike,

I've been scrutinising your crc code above, and comparing it with the standard crc-32 algorithm, there appears to be an error in the crc32_table function:

Code:
      unsigned long ulPolynomial = 0x04c11db7;
     
      register int i;
      for (i = 0; i <= 0xff; i++) {
        crc32_table[i] = reflect(i, 8) << 24;
     
        register int j;
        for (j = 0; j < 8; j++)
          crc32_table[i] =
            (crc32_table[i] << 1) ^ (crc32_table[i] & (1 << 31) ? ulPolynomial : 0);
        crc32_table[i] = reflect(crc32_table[i], 32);
      }
    }

The final reflect should be in the outer loop. Thus:

Code:
      unsigned long ulPolynomial = 0x04c11db7;
     
      register int i;
      for (i = 0; i <= 0xff; i++) {
        crc32_table[i] = reflect(i, 8) << 24;
     
        register int j;
        for (j = 0; j < 8; j++)
          crc32_table[i] =
            (crc32_table[i] << 1) ^ (crc32_table[i] & (1 << 31) ? ulPolynomial : 0);
        }
        crc32_table[i] = reflect(crc32_table[i], 32);
   }

Do you agree?
Title: Re: Avira antiVirus
Post by: Mike Lobanovsky on December 19, 2016, 05:20:56 PM
No Charles,

I can't agree with your placement of curly braces while your verbal interpretation seems correct.

My code simply uses the inner loop written in a one-liner notation; CRLFs do not break a C language code line. :)

Final reflection is applied to each successive ith element of the table as a post-bit shifting/xoring step after the inner loop has been run for this particular ith element. Please consider a more canonical notation below:

Code: C
........
      register int i;
      for (i = 0; i <= 0xff; i++) {
        crc32_table[i] = reflect(i, 8) << 24; // init ith element with a reflected value of i

        register int j;
        for (j = 0; j < 8; j++) {
          // bitshift it step-wise and xor it with the polynomial
          crc32_table[i] = (crc32_table[i] << 1) ^ (crc32_table[i] & (1 << 31) ? ulPolynomial : 0);
        }

        crc32_table[i] = reflect(crc32_table[i], 32); // reflect its final value again
      }
........

Multiple variations of this code with and without reflection found on the net would depend on the interpretation of this polynomial as a MSB/LSB value and would differ from one another in the order of operators used according to the rules of precedence in a particular language implementation. After all, it's only the resultant bit sequence that matters. And it will appear the same regardless of the language, if the initial assumption and corresponding choice of instruments are correct.

This code comes directly from FBSL v3.5 sources where it is used for the implementation of BASIC Checksum() routine and own zlib compatible ZIP compression/decompression Deflate()/Inflate() routines, and also for recomputing PE header checksums after the user script has been embedded in the FBSL executable stub. In other words, it's been field tested and proven functional over quite some time.
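The table construction discussed in the last few posts, as an added example that is not code from the thread or from FBSL: it builds the CRC-32 lookup table with the reflect-before-and-after arrangement described above, builds it again from the pre-reflected polynomial 0xEDB88320 with no reflection at all, checks that the two tables are identical, and checks the table-driven CRC against the standard check value 0xCBF43926 for "123456789". Function names are my own.

```c
/* Added example (not from the thread): two constructions of the CRC-32 table
 * and a check of the resulting table-driven CRC against a known value. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Bit-reverse the low `bits` bits of `v` (same idea as the thread's reflect()). */
static uint32_t reflect_bits(uint32_t v, int bits) {
    uint32_t r = 0;
    for (int i = 0; i < bits; i++) {
        if (v & 1u) r |= 1u << (bits - 1 - i);
        v >>= 1;
    }
    return r;
}

/* Method A: MSB-first polynomial 0x04C11DB7, reflect the index before the
 * eight shift/xor steps and reflect the result once after them, per entry. */
static void build_table_reflecting(uint32_t table[256]) {
    const uint32_t poly = 0x04C11DB7u;
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = reflect_bits(i, 8) << 24;
        for (int j = 0; j < 8; j++)
            c = (c << 1) ^ ((c & 0x80000000u) ? poly : 0);
        table[i] = reflect_bits(c, 32);   /* once, after the inner loop */
    }
}

/* Method B: the same table from the pre-reflected polynomial 0xEDB88320,
 * shifting right, with no reflect() calls at all. */
static void build_table_reflected_poly(uint32_t table[256]) {
    const uint32_t poly = 0xEDB88320u;
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int j = 0; j < 8; j++)
            c = (c & 1u) ? (c >> 1) ^ poly : (c >> 1);
        table[i] = c;
    }
}

/* Returns 1 if both constructions yield byte-identical tables, else 0. */
int tables_agree(void) {
    uint32_t a[256], b[256];
    build_table_reflecting(a);
    build_table_reflected_poly(b);
    return memcmp(a, b, sizeof a) == 0;
}

/* Table-driven CRC-32 (IEEE 802.3 / zlib): init 0xFFFFFFFF, final xor 0xFFFFFFFF. */
uint32_t crc32_of(const void *data, size_t len) {
    static uint32_t table[256];
    static int ready = 0;
    if (!ready) { build_table_reflecting(table); ready = 1; }
    const uint8_t *p = data;
    uint32_t crc = 0xFFFFFFFFu;
    while (len--)
        crc = (crc >> 8) ^ table[(crc ^ *p++) & 0xFFu];
    return crc ^ 0xFFFFFFFFu;
}

int main(void) {
    printf("tables agree: %s\n", tables_agree() ? "yes" : "no");
    printf("crc32(\"123456789\") = %08X\n", crc32_of("123456789", 9));
    return 0;
}
```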
Title: Re: Avira antiVirus
Post by: Charles Pegge on December 20, 2016, 01:31:26 AM
Thanks Mike,

My IQ diminishes in the afternoon! Is coffee a remedy?

Here is a more pedantic, though verified o2 version:

Code:
  int reflect(int r,n)
  {
  xor edx,edx
  mov cl,n
  .ri
   dec cl
   jl fwd ni
   mov eax,r
   and eax,1
   jz fwd nd
    mov eax,1
    shl eax,cl
    or edx,eax
   .nd
   shr r,1
   jmp ri
  .ni
  mov eax,edx
  return
  }

  'print hex ( reflect (0x2,32), 8)

  'http://wiki.osdev.org/CRC32
  'https://www.lammertbies.nl/comm/info/crc-calculation.html

  int t[0x100]
  void init_crc32_table(int*t)
  {
  int a,i,j
  % Polynomial = 0x04c11db7
  for i=0 to 255
    t=reflect(i,8)
    t=t<<24
    for j=0 to 7
      a=t and 0x80000000
      t=t<<1
      if a then t xor= Polynomial
    next
    t = reflect(t, 32)
    @t+=4
  next
  }

  init_crc32_table t

  'def v +", "+mid(hex(t[%1],8),-8)
  'print "crctable... " v 0 v 1 v 2 v 255

  int crc32(sys p,le)
  {
   byte b at p
   int v
   byte i
   int crc=0xffffffff
   while le
     le--
     i=crc xor b
     v=t[i]
     crc=(crc>>8) xor v
     @b++
   end while
   return not(crc)
  }

  'string s="A" 'crc32 should be: D3D99E8B
  'string s="a" 'crc32 should be: E8B7BE43
  string s="123456789" 'crc32 should be: CBF43926
  print hex crc32 strptr s, len s
Title: Re: Avira antiVirus
Post by: Mike Lobanovsky on December 20, 2016, 02:46:07 AM
Hi Charles,

Looks pretty neat and should be blazing fast once the table is initialized. :)
Title: Re: Avira antiVirus
Post by: Charles Pegge on December 22, 2016, 12:43:31 AM
Hi Mike,

crc32 looks a lot better in pure assembler. After all, the algorithm was originally designed for hard-wiring in silicon :)

For instance bit reflection reduces to iterations of:

shl edx,1 'shift left (msb shifted into carry flag)
rcr eax,1 'rotate thru carry right. Carry flag shifted into msb

Code:
  'CRC-32
  =======
  'http://wiki.osdev.org/CRC32
  'https://www.lammertbies.nl/comm/info/crc-calculation.html

  int crc32_table[0x100]
  '
  void init_crc32_table()
  {
  % Polynomial = 0x04c11db7
  addr esi,crc32_table
  xor edi,edi
  .ri
   cmp edi,255
   jg ni
   '
   'reflect8
   mov ecx,8
   xor eax,eax
   mov edx,edi
   .rf8
    shl dl,1
    rcr eax,1
    dec ecx
   jg rf8
   '
   mov ecx,8
   .rj
    dec ecx
    jl fwd nj
    shl eax,1
    jnc rj
    xor eax,Polynomial
   jmp rj
   .nj
   '
   'reflect32
   mov ecx,32
   mov edx,eax
   xor eax,eax
   '
   .rf32
    shl edx,1
    rcr eax,1
    dec ecx
   jg rf32
   '
   mov [esi],eax
   add esi,4
   inc edi
   jmp ri
   .ni
  }
  init_crc32_table

  int crc32(sys p,le)
  {
   mov ecx,le
   mov esi,p
   mov eax,0xffffffff
   addr edi,crc32_table
   .ri
    dec ecx
    jl fwd xi
    mov edx,eax
    xor dl,[esi]
    and edx,0xff
    shr eax,8
    xor eax,[edi+edx*4]
    inc esi
    jmp ri
   .xi
   not eax
   return
   '
  }

  'tests
  'string s="A" 'crc32 should be: D3D99E8B
  'string s="a" 'crc32 should be: E8B7BE43
  'string s="123456789" 'crc32 should be: CBF43926
  'print hex crc32 strptr s, len s
Title: Re: Avira antiVirus
Post by: Mike Lobanovsky on December 22, 2016, 01:02:42 PM
Cool! :)

GCC doesn't understand Intel asm, and it's a real PITA to write GCC's inline AT&T where there's no direct register notation but rather read/write "attributes" only (or are they called "properties"? ... too lazy to check; I'm currently under Win 10) that also have their own queer "syntax" into the bargain. Not worth the effort at all, though there were some pieces of code like DLL call/DynC/DynAsm interfaces where inline AT&T really proved to be approx. 50% faster than GCC's own va_calls, at least in GCC 4.3.3.
Title: Re: Avira antiVirus
Post by: Charles Pegge on December 23, 2016, 02:44:24 AM
There is an option for Intel notation, but you still have to interface your variables: %1 %2 %0 etc

gcc -masm=intel myprog.c

Code:
// gcc -masm=intel asmtest.c
//
// http://stackoverflow.com/questions/199966/how-do-you-use-gcc-to-generate-assembly-code-in-intel-syntax
// http://www.ibiblio.org/gferg/ldp/GCC-Inline-Assembly-HOWTO.html
// http://gcc.gnu.org/onlinedocs/gcc/Extended-Asm.html

#include <stdio.h>

int main(int argc, char *argv[])
{
  int a=0;
  int b=101;
  int c=102;
  // a=b+c
  asm
  (
    "mov eax, %1;"
    "add eax, %2;"
    "mov %0, eax;"
    : "=m" (a)          // output
    : "m" (b), "m" (c)  // operands "m" from memory : "r" load to register first
    : "eax"             // clobbered registers: eax is overwritten above, so the compiler must know
  );
  printf("a = %d\n", a);
  printf("b = %d\n", b);
  printf("c = %d\n", c);
  return 0;
}
Title: Re: Avira antiVirus
Post by: Mike Lobanovsky on December 23, 2016, 10:38:43 AM
Not in GCC 4.3.3, Charles. :)
Title: Re: Avira antiVirus
Post by: Arnold on January 27, 2017, 04:15:51 AM
Hi Charles,

since I must use a different AV scanner with my notebook I experience restless times sometimes. Of course I know that there must be at least a basic protection against malware but sometimes it is a little bit problematic, e.g. I read this blog and the responses:

http://blog.nirsoft.net/2009/05/17/antivirus-companies-cause-a-big-headache-to-small-developers/

As I wanted to learn a bit more about malware I found a link for some tools at:
https://blog.malwarebytes.com/threat-analysis/2014/05/five-pe-analysis-tools-worth-looking-at/

I used the freeware version of PEStudio - which is no virus scanner but looks for markers - for a quick start, because I wanted to know why gxo2.exe and oxygen.dll are not marked as infected but co2.exe and oxide.exe are flagged as malware by some AV scanners. I found that oxygen.dll and gxo2.exe contain some strings with gcc... which might be sufficient for these scanners.

I experimented a little bit and added version info and manifest to co2.exe and oxide.exe and I can confirm Mike's statement that this helps with some AV scanners (results got down from 9 to 4). Maybe using an icon group with 32*32/256 and 16*16/256 will help too.

As this did not work for Avira I reported the original files and it was confirmed that these results were false positives. Thus the original co2.exe/14.11.2016 and oxide.exe/15.11.2016 will be accepted by Avira, the executables created by the apps will not. Even worse: my co2.exe with version info and manifest is still marked as TR/Crypt.XPACK.Gen2 although it is the same compiled code. So Avira must use a different heuristic but I got no detailed information.
 
I looked for some information about TR/Crypt.XPACK.Gen2 and found this link:
https://home.mcafee.com/virusinfo/virusprofile.aspx?key=9217231

Virus characteristics show other names used:
McAfee Detection  RDN/Ransom!el
AVG (GriSoft)       Win32/DH{O1AWgQVU}
avira                   TR/Crypt.XPACK.Gen2
Kaspersky            HEUR:Trojan.Win32.Invader
Dr.Web                Trojan.Encoder.815
Microsoft              Ransom:Win32/Denisca.A
Symantec             Suspicious.MH690.A
Eset                     a variant of Win32/LockScreen.BHI
norman                Dogkild.E
vba32                  BScope.Trojan.Diple

It seems that you have to satisfy at least Avira, McAfee, Avast/Avg, Symantec to be on the safe side. Mike's other hints about checksums certainly can help further. Is there an instructive link anywhere about PE files?

Roland
Title: Re: Avira antiVirus
Post by: Mike Lobanovsky on January 27, 2017, 05:06:42 PM
You've done a great job, Roland, thanks a lot!

Judging by the time it took you to dig up all this info since your last post on the site, you now realise in full how laborious and complicated the task of fighting AV false positives is. And how in fact destructive all this AV business has become, both morally and materially, to the interests of law abiding indie developers in the recent 10 years or so.

I reckon a compiler development project should enroll at least one technician on a full-time basis to handle all the relevant bureaucracy. But this is something that a one person project like OxygenBasic simply cannot afford. The developer is meant to develop and not to waste his life fighting the spam and unfair competition on behalf of the numerous AV sharks all around that have turned their "free" scanners into a kind of ransomware that's much, much worse than the malware it is allegedly supposed to fight.
Title: Re: Avira antiVirus
Post by: JRS on January 27, 2017, 06:27:46 PM
I'm about to release a beta test of Script BASIC for Windows and not looking forward to the AV noise that might come of it. My hope being an interpreter the bastards will cut me some slack.
Title: Re: Avira antiVirus
Post by: Charles Pegge on January 28, 2017, 05:04:46 AM

Binaries created by GCC and VS are less prone to AntiVirus attack, which is why gxo2.exe and Oxygen.dll, using FreeBasic, which in turn, uses the GCC toolchain, are not attacked.

In my search for a new notebook, I came across a customer review, which described how installing AVG on his new PC (after removing McAfee) trashed the Windows OS, requiring a full re-installation - taking several hours to recover.


Title: Re: Avira antiVirus
Post by: Arnold on January 30, 2017, 04:42:50 AM
Hi Charles,

although I know that I cannot be of any help with this issue, I wanted at least to inform you about my observations (and my frustration).
As long as oxygen.dll, gxo2.exe, co2.exe and oxide.exe are accepted by the scanners I do not encounter problems with running the .o2bas files. So using oxygen.dll embedded in other languages like Thinbasic or Scriptbasic there should be no problem.

The trouble starts if I compile the files to an exe, with or without Rtl32.inc - Rtl64.inc seems to have less problems at the moment. So probably you have to find a solution for the runtime.

Checking some files with PeStudio and studying the information of Virustotal I found that some compiled files have a signature (e.g. Pelles C), some files compiled with freebasic contain strings gcc... and  Powerbasic files contain Powerbasic in the string section. I read about authentihash, imphash, TrID but in fact I do not know if anything could really help to improve the acceptance of the runtime library.

This is the third (Freeware version) of AV scanner which I installed on my old machine and I will keep it until it is broken or Vista is completely dead. But I feel like expressed in this blog:

http://robert.ocallahan.org/2017/01/disable-your-antivirus-software-except.html

Three weeks ago there was peace and harmony with my machine. Now I am surrounded by all kind of threats. Lots of apps experience an extreme vetting, green cards are not valid any more, general travel bans are in command. My apps end up in quarantine and ask: what have we done? Are we really the threat?

BTW: I tried to start the LV StatusBar.exe of Chris just some minutes ago - hush - it was shooed into inquisition. Now the app is blocked and I have to wait for permission to start the example. I know I can treat this differently, but I wanted to feel like thousands (millions?) of trusting users.

Roland
Title: Re: Avira antiVirus
Post by: chrisc on January 30, 2017, 03:38:43 PM
Hi Roland

I have attached a Virustotal antivirus scan of LV statusbar.exe showing there is NO virus except 2 false positives?
This is just an exe file from Powerbasic compiler?


Title: Re: Avira antiVirus
Post by: Arnold on January 31, 2017, 01:40:04 AM
Hi Chris,

there is nothing wrong with your files. I just wanted to show the behaviour of my AV scanner. Even Powerbasic files and Pelles C compiled files are scanned heavily by my scanner. But all (Free version) scanners do this. Sometimes more, sometimes less.
The difference with Oxygen compiled exe files is that these scanners block the files and report them as (possible) malware. I tested a little bit and reported some of the files and they are all (all) confirmed as false positives. But what does this help? The next time I compile the same file some minutes later again the trouble starts anew, only because of a different sha checksum. It is dreary.

Roland
Title: Re: Avira antiVirus
Post by: Charles Pegge on January 31, 2017, 04:15:13 AM
Our o2 DLLs do not seem to trigger any false positives, testing with VirusTotal.com. So I wonder whether this phenomenon can be utilised to find a solution.