Author Topic: Nehe tutorial in a dynamic dialog  (Read 7732 times)


Mike Lobanovsky

  • Guest
Re: Nehe tutorial in a dynamic dialog
« Reply #15 on: April 01, 2018, 02:47:26 PM »
Maybe we need someone other than Charles to take on the task?

Not until O2 is finalized as a compiler. Then first, the compiler binaries should be made PE loader and AV heuristics compatible (icons, version info, manifests, checksums and stuff) and thus stable and recognizable binary-wise by their signatures.

And then, the executables that the compiler binaries would generate should undergo the same procedure so as to make the signatures the compiler leaves in them stable and known to the AV software.

We must live through this never-ending stage of O2's WIP amorphousness, and see it come to an end before any serious work against false positives can be started. Otherwise we're going to simply waste our time and effort. Currently, O2 looks to the outside world as a polymorphic something that had better be avoided and quarantined just to be on the safe side.

JRS

  • Guest
Re: Nehe tutorial in a dynamic dialog
« Reply #16 on: April 01, 2018, 04:41:21 PM »
I hate anti-virus software that assumes something is a risk and deletes it without giving the user the ability to override the decision.

Aurel

  • Guest
Re: Nehe tutorial in a dynamic dialog
« Reply #17 on: April 01, 2018, 10:26:24 PM »
chrisc

If your McAfee detects something ... that means that your computer is
already infected by malware.
I use Stinger and it detects the trojan but cannot remove it.
So I used Kaspersky and cleaned the computer without problem.
Every exe in the oxygen folder was infected.

Arnold

  • Guest
Re: Nehe tutorial in a dynamic dialog
« Reply #18 on: April 02, 2018, 04:48:51 PM »
I downloaded the zip file of reply #7 and checked again with Virustotal. Then I did this also with my original files. As Virustotal also verifies some checksums I can be sure that the files are identical. This time the results are:

NeheTut08_64.exe: 0 / 66
NeheTut08_32.exe: 5 / 66 - Avira, Bkav, Cylance, Ikarus, Trendmicro-HouseCall
NeheTut08_exes.zip: 5 / 60 - Avira, Bkav, Cylance, Ikarus, Trendmicro-HouseCall

The number of vendors has changed a little bit and also the number of warnings, although I used the same files to examine. But this is no surprise as the vendors change their definition files daily. The results for 64-bit executables are better than for 32-bit exes. In the meantime I know that it makes no sense to get the executables whitelisted, because the next time I compile the same file anew I will get the same problem again.

Nevertheless, I would like to provide some code and working examples. Is there a place where I could do this without creating my own website?

I will delete the zip file of reply #7 in the next two days.

Roland
JRS

  • Guest
Re: Nehe tutorial in a dynamic dialog
« Reply #19 on: April 02, 2018, 05:34:53 PM »
You can upload the zips, but also include a message about what false positives may exist if you feel it's necessary. The members of the forum trust you.

I would like to agree on an online scanner's results and post a link to the results.

I'm taking Mike's advice and not worrying about false positives until proper signing is part of the compiling process.

If someone is worried about the precompiled example, let them compile it from source.
« Last Edit: April 02, 2018, 05:47:39 PM by John »

Mike Lobanovsky

  • Guest
Re: Nehe tutorial in a dynamic dialog
« Reply #20 on: April 02, 2018, 07:18:24 PM »
In the meantime, we could try and introduce the following convention to allow for executable files in our attachments on this site:
  • rename .exe, .dll, .chm, .cmd, .bat (did I miss any?) to .ex_, .dl_, .ch_, .cm_, .ba_ before adding them to an archive;
  • always put renamed executable files in an archive and never upload them directly;
  • use 7-zip rather than an ordinary zip compressor; it compresses up to 30% better and thus yields significantly smaller archives. Make sure to compress to .7z files rather than usual .zips which is also possible using this compressor.
Note that this measure may still require that the files in the archive be explicitly unblocked upon downloading from the net. Once downloaded and extracted from the archive, rename the files back to their original extensions following the convention as per Item 1 above.

NOTE: The LZMA compression/decompression algorithm (a.k.a. deflate/inflate) is in the Public Domain, which means unrestricted use for any purpose. LZMA is 7-zip's main algorithm to archive binary executable code. :)

Arnold

  • Guest
Re: Nehe tutorial in a dynamic dialog
« Reply #21 on: April 03, 2018, 01:06:21 AM »
Hi Mike,

I tried the procedure of renaming the files too, but these special AV scanners are clever enough to recognize the type of a file. But compressing the files to .7z is a good idea; it will reduce the size of the files still more.

The reason why I do not want to operate my own website are the regulations in my country for the legal notice. Although it would be only a private site, I could be required to make public my private address and telephone number to avoid litigation. And since I do not do anything commercial this is not worth the effort.

Roland

Mike Lobanovsky

  • Guest
Re: Nehe tutorial in a dynamic dialog
« Reply #22 on: April 03, 2018, 03:22:59 AM »
Ah yes!

"In the meantime" since I visited virustotal last (which was probably a year ago), Avira, Ikarus and TrendMicro-HouseCall have been "clever" enough to add .7z and linuxoid .X (a.k.a. LZMA) archive file formats to their engines (or they may as well use a common "malware signatures database", thus parasitizing on one another) to be able to inflate them and check the insides literally against possible PE file header content. ;)

Well, we could write our own custom compressor that would use neither 7-zip nor LZMA signatures ("fourcc" codes) directly yet remain as efficient at compressing its archived content. Then virustotal would have no hints left at their disposal to guess it's dealing with an archive rather than some meaningless binary stream. ;D

Should we, do you think? :)

jcfuller

  • Guest
Re: Nehe tutorial in a dynamic dialog
« Reply #23 on: April 03, 2018, 04:07:59 AM »
Mike,
  I've used this for years for my own internal work.
http://ibsensoftware.com/products_aPLib.html
James

Mike Lobanovsky

  • Guest
Re: Nehe tutorial in a dynamic dialog
« Reply #24 on: April 03, 2018, 06:12:33 AM »
James,

Thanks for pointing this one out; it's cool. :)

However, LZMA goes significantly deeper than pure LZ. So, if we're talking in terms of static archive compression rather than Windows PE executable packing and decompression on the fly (similar to UPX), and (de)compression speed and memory footprint aren't too much of a concern, then on the average, general-purpose LZMA/LZMA2 would probably be better suited for the task than anything else these days.

chrisc

  • Guest
Re: Nehe tutorial in a dynamic dialog
« Reply #25 on: April 03, 2018, 06:50:10 AM »
Hello all

I think we should include version info in any dll and exe that we produce; doing it this way will
at least inform AVs that the executables are not unknowns. AVs are always on the lookout for
unknown executables and then check their behavior against their benchmark of known malware
characteristics and signatures.

When I was using PB, my AV would sometimes quarantine those executables
without version info. But once I placed in the version info, the AV would stop capturing them.
So for O2, I will place the version info in most of the executables.

Something like this:

1 VERSIONINFO
FILEVERSION 1, 0, 0, 0
PRODUCTVERSION 1, 0, 0, 0
FILEOS 0x00000004     // WINDOWS32
FILETYPE 0x00000001   // APP
BEGIN
  BLOCK "StringFileInfo"
  BEGIN
    BLOCK "040904E4"
    BEGIN
      VALUE "CompanyName",      "Your company\0"
      VALUE "FileDescription",  "myApp\0"
      VALUE "FileVersion",      "1.0.0.0\0"
      VALUE "InternalName",     "myApp\0"
      VALUE "OriginalFilename", "myApp.exe\0"
      VALUE "LegalCopyright",   "Copyright(c) 2018 Your company\0"
      VALUE "ProductName",      "myApp\0"
      VALUE "ProductVersion",   "1.0.0.0\0"
    END
  END
  BLOCK "VarFileInfo"
  BEGIN
    VALUE "Translation", 0x409, 0x04E4
  END
END 

1 MANIFEST "win10theme.xml"

chrisc

  • Guest
Re: Nehe tutorial in a dynamic dialog
« Reply #26 on: April 03, 2018, 07:50:34 AM »
By the way, i found that my version info (in the above post) has a line

FILEOS 0x00000004     // WINDOWS32

As this pertains to 32-bit Windows, how do I change this to Windows 64?

can someone help me on this? Thanxx and appreciate your help

Arnold

  • Guest
Re: Nehe tutorial in a dynamic dialog
« Reply #27 on: April 03, 2018, 08:30:35 AM »
Hi Chris,

In my winver.h include file I found these definitions:

#define VOS_UNKNOWN  0x00000000
#define VOS_DOS  0x00010000
#define VOS_OS216  0x00020000
#define VOS_OS232  0x00030000
#define VOS_NT  0x00040000
#define VOS_WINCE  0x00050000L

#define VOS__BASE  0x00000000
#define VOS__WINDOWS16  0x00000001
#define VOS__PM16  0x00000002
#define VOS__PM32  0x00000003
#define VOS__WINDOWS32  0x00000004

#define VOS_DOS_WINDOWS16  0x00010001
#define VOS_DOS_WINDOWS32  0x00010004
#define VOS_OS216_PM16  0x00020002
#define VOS_OS232_PM32  0x00030003
#define VOS_NT_WINDOWS32  0x00040004

So I am not sure if there is a special value for win64. The value 0x04 should be sufficient. See also this VERSIONINFO resource example:

https://thronic.com/Notes/C/Win32-VERSIONINFO/

The values for VFT_ are defined as:

#define VFT_UNKNOWN  0
#define VFT_APP  1
#define VFT_DLL  2
#define VFT_DRV  3
#define VFT_FONT  4
#define VFT_VXD  5
#define VFT_STATIC_LIB  7

Roland
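To see what the FILEVERSION, FILEOS and FILETYPE lines of chrisc's resource script actually become inside the binary, here is an added example (not code from this thread or from O2) that packs and decodes the VS_FIXEDFILEINFO structure the resource compiler emits, using the VOS_/VFT_ constants Roland listed above. The "base|sub" naming of the decoded FILEOS value is my own convention, and the StringFileInfo block is not modelled.

```python
import struct

# VS_FIXEDFILEINFO is 13 little-endian DWORDs (52 bytes); the first is a fixed signature.
FIXEDFILEINFO = "<13I"
VS_FFI_SIGNATURE = 0xFEEF04BD

# Constants from the winver.h excerpt in the post above.
# dwFileOS is a composite: high word = host OS (VOS_*), low word = subsystem (VOS__*).
VOS_BASE = {0x00000000: "VOS_UNKNOWN", 0x00010000: "VOS_DOS", 0x00020000: "VOS_OS216",
            0x00030000: "VOS_OS232", 0x00040000: "VOS_NT", 0x00050000: "VOS_WINCE"}
VOS_SUB = {0x0: "VOS__BASE", 0x1: "VOS__WINDOWS16", 0x2: "VOS__PM16",
           0x3: "VOS__PM32", 0x4: "VOS__WINDOWS32"}
VFT = {0: "VFT_UNKNOWN", 1: "VFT_APP", 2: "VFT_DLL", 3: "VFT_DRV",
       4: "VFT_FONT", 5: "VFT_VXD", 7: "VFT_STATIC_LIB"}


def pack_version(text):
    """'1.0.0.0' -> (dwFileVersionMS, dwFileVersionLS): two 16-bit fields per DWORD."""
    a, b, c, d = (int(x) for x in text.split("."))
    return (a << 16) | b, (c << 16) | d


def unpack_version(ms, ls):
    return "%d.%d.%d.%d" % (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def build_fixedfileinfo(file_version, product_version, file_os, file_type):
    """Constructed sample record, as a resource compiler would store the .rc values."""
    fms, fls = pack_version(file_version)
    pms, pls = pack_version(product_version)
    return struct.pack(FIXEDFILEINFO, VS_FFI_SIGNATURE, 0x00010000, fms, fls, pms, pls,
                       0x3F, 0, file_os, file_type, 0, 0, 0)


def parse_fixedfileinfo(blob):
    """Decode the fixed part of a VERSIONINFO resource; rejects truncated or unsigned data."""
    if len(blob) < struct.calcsize(FIXEDFILEINFO):
        raise ValueError("truncated VS_FIXEDFILEINFO")
    f = struct.unpack(FIXEDFILEINFO, blob[:52])
    if f[0] != VS_FFI_SIGNATURE:
        raise ValueError("bad signature 0x%08X" % f[0])
    file_os = f[8]
    return {
        "FileVersion": unpack_version(f[2], f[3]),
        "ProductVersion": unpack_version(f[4], f[5]),
        "FileOS": VOS_BASE.get(file_os & 0xFFFF0000, "?") + "|" + VOS_SUB.get(file_os & 0xFFFF, "?"),
        "FileType": VFT.get(f[9], "VFT_UNKNOWN(%d)" % f[9]),
    }


if __name__ == "__main__":
    # The values from the .rc script above: FILEOS 0x4 is VOS__WINDOWS32 with no host-OS word set.
    print(parse_fixedfileinfo(build_fixedfileinfo("1.0.0.0", "1.0.0.0", 0x00000004, 1)))
```

Decoding 0x00000004 versus 0x00040004 (VOS_NT_WINDOWS32) shows why there is no separate 64-bit value: the field describes the target OS and subsystem, not the bitness of the image.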

chrisc

  • Guest
Re: Nehe tutorial in a dynamic dialog
« Reply #28 on: April 03, 2018, 10:11:11 AM »
Thanxx Roland

I think I'll keep the version info as it is since it doesn't have any bearing on the executables:
when included in the compile assembly for 64-bit, the executables are functioning in 64 bits
as reviewed by the Task Manager. So let's keep it as it is.

Arnold

  • Guest
Re: Nehe tutorial in a dynamic dialog
« Reply #29 on: April 18, 2018, 02:09:33 AM »
This is NeHe tutorial 10 using a dialog as the main window, a little bit modified. It can be run in JIT mode, or compiled to a 32-bit or 64-bit executable. F1 will open the Help Message. Some nice effects are possible.

Roland
« Last Edit: April 19, 2018, 08:07:37 AM by Arnold »