Infected compiler, or malfunction?
I've encountered something very strange, and things just don't add up. First of all, I posted this here because I'm not sure if this has anything to do with computer viruses at all. And if it does, could you please direct me to a place to find help?

So now:

I'm having some kind of weird problem here: both my anti-virus and Malwarebytes flag code* compiled with MASM and the MASM examples as a virus. I've googled and found that this problem has occurred before, so I didn't take this too seriously and at first thought that it was a false positive.

But I compiled the code you see at the bottom of this post to test some other things of mine out. I ran it through OllyDbg (meanwhile ignoring my Comodo anti-virus) and then I saw this:

00401000 >  -E9 FBEF6F71    JMP 71B00000  ; this is a weird jump I did not put there
00401005     90             NOP
00401006     8BC0           MOV EAX,EAX
00401008   . 8BD8           MOV EBX,EAX
0040100A   . 33D9           XOR EBX,ECX
0040100C   . 8BC3           MOV EAX,EBX
0040100E   . 03CB           ADD ECX,EBX
00401010   . 33C3           XOR EAX,EBX
00401012   . 2BC1           SUB EAX,ECX
00401014   . 8BCB           MOV ECX,EBX
00401016   . 33D9           XOR EBX,ECX

The code below couldn't possibly compile into that jump, so I was stepping into the code. A while later I saw that the strange code began enumerating through APIs in the ntdll.dll library. What's happening? If this is indeed a virus, where do I get help?

But I'm still not sure: both Comodo and Malwarebytes flag only the examples as viruses, but not the file (test.exe) itself.

Test code I was using to test...

*: include \masm32\include\masm32rt.inc

.data

.code

Start:

nop
nop
nop
nop
nop
nop

mov eax, eax
mov ebx, eax
xor ebx, ecx
mov eax, ebx
add ecx, ebx
xor eax, ebx
sub eax, ecx
mov ecx, ebx
xor ebx, ecx

invoke ExitProcess, 0h


end Start

Update:

The code isn't on disk, but in memory, so it's probably a library of some sort doing this:

Disassembly

00401000                    start:
00401000 90                     nop
00401001 90                     nop
00401002 90                     nop
00401003 90                     nop
00401004 90                     nop
00401005 90                     nop

And I've removed the invoke ExitProcess and it's still there.

Lu answered 9/1, 2011 at 19:22 Comment(0)

Regarding the unexplained jump, a quick search on Google led to this thread on masm32.com, which seems to provide interesting information, and most notably:

"COMODO" Internet Security is the culprit.
It is modifying executables on the fly to implement a unique partial "sandbox".

Crossman answered 9/1, 2011 at 19:37 Comment(1)
It does? Thank god! Man, I was so scared for a second :O I thought I was going to lose all my data (happened before...). *deinstalls Comodo* - Lu

The address 71B00000 is quite far away from your current code; check if it is in fact inside some other loaded module. It could even be a side-effect of using the invoke macro (or simply of using DLLs, since ExitProcess is imported from a DLL). Try what happens if you replace that with a simple endless loop, i.e. JMP . or some such. You will then have to kill your program manually, of course, but it will be an interesting data point. Also, examine your exe file on disk to see if it already has the JMP at the start or not.

Hagy answered 9/1, 2011 at 19:33 Comment(2)
Absolutely right that calling ExitProcess should be expected to start executing code in ntdll.dll. - Siegler
Will do, and post back in a minute, but meanwhile I've checked the other files in the directory (also OllyDbg) and I found that Olly had the same jump to that address, in the same place (address of entry point). I've then reloaded Olly in memory and the debugging Olly warned me that the code could be self-modifying. From what little I know of viruses this is pretty bad, isn't it? - Lu
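An added example, not code from the question or from any of the answers, that carries out the two checks Hagy suggests and decodes the jump shown in the question: it parses a PE file's headers to read the entry-point bytes as stored on disk, compares them with the bytes the debugger showed in memory, decodes the E9 rel32 target, and looks that target up in a module list. The PE image it builds, the module list and every address in it are constructed placeholders; only the instruction bytes are taken from the two listings in the question.

```python
import struct

# Added, constructed illustration; not the poster's test.exe and not any tool
# from the thread. Assumed layout: PE32, image base 0x400000, one .text section
# at RVA 0x1000 that holds the entry point.
IMAGE_BASE = 0x400000
TEXT_RVA = 0x1000
FILE_ALIGN = 0x200


def build_minimal_pe(entry_code: bytes) -> bytes:
    """Construct a minimal PE32 file whose entry point begins with entry_code."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: i386, one section, 224-byte optional header, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = struct.pack(
        "<HBB" + "I" * 9 + "H" * 6 + "IIII" + "HH" + "I" * 6,
        0x10B, 0, 0,                                # PE32 magic, linker version
        FILE_ALIGN, 0, 0, TEXT_RVA, TEXT_RVA, 0,    # code sizes, entry RVA, bases
        IMAGE_BASE, 0x1000, FILE_ALIGN,             # image base, alignments
        4, 0, 0, 0, 4, 0,                           # OS/image/subsystem versions
        0, 0x2000, FILE_ALIGN, 0,                   # win32 ver, image/headers size, checksum
        3, 0,                                       # console subsystem, DllCharacteristics
        0x100000, 0x1000, 0x100000, 0x1000, 0, 16,  # stack/heap, loader flags, dir count
    ) + b"\x00" * 128                               # 16 empty data directories
    section = struct.pack("<8sIIIIIIHHI", b".text", FILE_ALIGN, TEXT_RVA,
                          FILE_ALIGN, FILE_ALIGN, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\x00\x00" + coff + opt + section
    headers += b"\x00" * (FILE_ALIGN - len(headers))
    return headers + entry_code.ljust(FILE_ALIGN, b"\x00")


def entry_bytes_on_disk(pe: bytes, count: int):
    """Return (entry VA, first `count` bytes at the entry point as stored in the
    file). Handles PE32 and PE32+ optional headers."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    if magic == 0x10B:                                    # PE32
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:                                  # PE32+
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    for i in range(num_sections):                         # map RVA -> file offset
        _, vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, opt + opt_size + 40 * i)
        if va <= entry_rva < va + max(vsize, raw_size):
            off = raw_ptr + (entry_rva - va)
            return image_base + entry_rva, pe[off:off + count]
    raise ValueError("entry point RVA is not inside any section")


def jmp_rel32_target(code: bytes, va: int):
    """Decode an E9 rel32 near jump located at va; None if code is not one."""
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return (va + 5 + rel) & 0xFFFFFFFF
    return None


def compare_entry(pe: bytes, memory_bytes: bytes) -> dict:
    """Compare what the debugger shows at the entry point with the file on disk."""
    va, disk_bytes = entry_bytes_on_disk(pe, len(memory_bytes))
    return {
        "entry_va": va,
        "disk_matches_memory": disk_bytes == memory_bytes,
        "disk_jmp_target": jmp_rel32_target(disk_bytes, va),
        "memory_jmp_target": jmp_rel32_target(memory_bytes, va),
    }


def module_for_address(addr: int, modules):
    """Name of the loaded module whose range covers addr, or None if outside all."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None


# Constructed samples: MEMORY_ENTRY reproduces the bytes OllyDbg showed at
# 00401000 in the question; DISK_ENTRY is the same code with its six NOPs intact.
BODY = bytes.fromhex("8bc08bd833d98bc303cb33c32bc18bcb33d9")
DISK_ENTRY = b"\x90" * 6 + BODY
MEMORY_ENTRY = bytes.fromhex("e9fbef6f71") + b"\x90" + BODY
SAMPLE_PE = build_minimal_pe(DISK_ENTRY)
# Module list as a debugger would show it (placeholder bases and sizes).
SAMPLE_MODULES = [("test.exe", 0x400000, 0x3000), ("ntdll.dll", 0x7C900000, 0xB0000)]

if __name__ == "__main__":
    for key, value in compare_entry(SAMPLE_PE, MEMORY_ENTRY).items():
        print(key, f"{value:#x}" if type(value) is int else value)
    print("71B00000 lies in:", module_for_address(0x71B00000, SAMPLE_MODULES))
```

To apply this to a real binary, replace SAMPLE_PE with open(path, "rb").read() and MEMORY_ENTRY with the bytes the debugger shows at the entry point, and fill the module list from the debugger's module window. A disk/memory mismatch together with a jump target that no loaded module covers is the situation the thread describes, and it cannot distinguish an on-the-fly patch made by a sandboxing product from one made by malware; the module list, as Hagy says, is the deciding data point.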
