XenocodeRCE / neo-ConfuserEx

Updated ConfuserEX, an open-source, free obfuscator for .NET applications
http://yck1509.github.io/ConfuserEx/

virus signalled when using packer: compressor #61

Open janhec opened 4 years ago

janhec commented 4 years ago

A very basic attempt produced a serious virus error about password stealing. Windows Defender. See bottom of log, occurred through packer. The project is very simple (and not by any means an end product): without packer this does not happen. Makes me quite unhappy.

Threat detected: PWS:MSIL/CryptInjector!MTB Alert level: Severe Category: Password Stealer Details: This program is dangerous and captures user passwords.

```
[INFO] ConfuserEx v1.0.0-38-g7889971 Copyright (C) Ki 2014
[INFO] Running on Microsoft Windows NT 6.2.9200.0, .NET Framework v4.0.30319.42000, 64 bits
[DEBUG] Discovering plugins...
[INFO] Discovered 11 protections, 1 packers.
[DEBUG] Resolving component dependency...
[INFO] Loading input modules...
[INFO] Loading 'SST_Gis.exe'...
[INFO] Initializing...
[DEBUG] Building pipeline...
[DEBUG] Executing 'Type scanner' phase...
[INFO] Resolving dependencies...
[DEBUG] Checking Strong Name...
[DEBUG] Creating global .cctors...
[DEBUG] Watermarking...
[DEBUG] Executing 'Type scrambler' phase...
[DEBUG] 1] Import
[DEBUG] 0] Create
[DEBUG] 1] Create
[DEBUG] 2] Create
[DEBUG] 3] Create
[DEBUG] 4] Create
[DEBUG] 5] Create
[DEBUG] 6] Create
[DEBUG] 7] Create
[DEBUG] 8] Create
[DEBUG] 9] Create
[DEBUG] 10] Create
[DEBUG] 11] Create
[DEBUG] 12] Create
[DEBUG] 13] Create
[DEBUG] 14] Create
[DEBUG] 15] Create
[DEBUG] 16] Create
[DEBUG] 17] Create
[DEBUG] 18] Create
[DEBUG] 19] Create
[DEBUG] Executing 'Name analysis' phase...
[DEBUG] Building VTables & identifier list...
[DEBUG] Analyzing...
[DEBUG] WinForms found, enabling compatibility.
[INFO] Processing module 'SST_Gis.exe'...
[DEBUG] Executing 'Invalid metadata addition' phase...
[DEBUG] Executing 'Renaming' phase...
[DEBUG] Renaming...
[DEBUG] Executing 'Anti-debug injection' phase...
[DEBUG] Executing 'Anti-dump injection' phase...
[DEBUG] Executing 'Anti-ILDasm marking' phase...
[DEBUG] Executing 'Encoding reference proxies' phase...
[DEBUG] Executing 'Constant encryption helpers injection' phase...
[DEBUG] Executing 'Resource encryption helpers injection' phase...
[DEBUG] Executing 'Constants encoding' phase...
[DEBUG] Executing 'Anti-tamper helpers injection' phase...
[DEBUG] Executing 'Control flow mangling' phase...
[DEBUG] Executing 'Post-renaming' phase...
[DEBUG] Executing 'Anti-tamper metadata preparation' phase...
[DEBUG] Executing 'Packer info extraction' phase...
[INFO] Writing module 'koi'...
[INFO] Finalizing...
[INFO] Packing...
[DEBUG] Encrypting modules...
[INFO] Protecting packer stub...
[DEBUG] Discovering plugins...
[INFO] Discovered 12 protections, 1 packers.
[DEBUG] Resolving component dependency...
[INFO] Loading input modules...
[INFO] Loading 'SST_Gis.exe'...
[INFO] Initializing...
[DEBUG] Building pipeline...
[DEBUG] Executing 'Type scanner' phase...
[DEBUG] Executing 'Module injection' phase...
[INFO] Resolving dependencies...
[DEBUG] Checking Strong Name...
[DEBUG] Creating global .cctors...
[DEBUG] Watermarking...
[DEBUG] Executing 'Type scrambler' phase...
[DEBUG] 1] Import
[DEBUG] 0] Create
[DEBUG] 1] Create
[DEBUG] 2] Create
[DEBUG] 3] Create
[DEBUG] 4] Create
[DEBUG] 5] Create
[DEBUG] 6] Create
[DEBUG] 7] Create
[DEBUG] 8] Create
[DEBUG] 9] Create
[DEBUG] 10] Create
[DEBUG] 11] Create
[DEBUG] 12] Create
[DEBUG] 13] Create
[DEBUG] 14] Create
[DEBUG] 15] Create
[DEBUG] 16] Create
[DEBUG] 17] Create
[DEBUG] 18] Create
[DEBUG] 19] Create
[DEBUG] Executing 'Name analysis' phase...
[DEBUG] Building VTables & identifier list...
[DEBUG] Analyzing...
[INFO] Processing module 'SST_Gis.exe'...
[DEBUG] Executing 'Packer info encoding' phase...
[DEBUG] Executing 'Invalid metadata addition' phase...
[DEBUG] Executing 'Renaming' phase...
[DEBUG] Renaming...
[DEBUG] Executing 'Anti-debug injection' phase...
[DEBUG] Executing 'Anti-dump injection' phase...
[DEBUG] Executing 'Anti-ILDasm marking' phase...
[DEBUG] Executing 'Encoding reference proxies' phase...
[DEBUG] Executing 'Constant encryption helpers injection' phase...
[DEBUG] Executing 'Resource encryption helpers injection' phase...
[DEBUG] Executing 'Constants encoding' phase...
[DEBUG] Executing 'Anti-tamper helpers injection' phase...
[DEBUG] Executing 'Control flow mangling' phase...
[DEBUG] Executing 'Post-renaming' phase...
[DEBUG] Executing 'Anti-tamper metadata preparation' phase...
[DEBUG] Executing 'Packer info extraction' phase...
[INFO] Writing module 'SST_Gis.exe'...
[INFO] Finalizing...
[DEBUG] Saving to 'F:\TEMP\yqhrl5pa.suw\s0qfxbzj.lsy\SST_Gis.exe'...
[DEBUG] Executing 'Export symbol map' phase...
[INFO] Finish protecting packer stub.
[ERROR] An IO error occurred, check if all input/output locations are readable/writable.
Exception: System.IO.IOException: Operation did not complete successfully because the file contains a virus or potentially unwanted software.

   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.File.InternalReadAllBytes(String path, Boolean checkHost)
   at Confuser.Core.Packer.ProtectStub(ConfuserContext context, String fileName, Byte[] module, StrongNameKey snKey, Protection prot) in C:\projects\neo-confuserex\Confuser.Core\Packer.cs:line 86
   at Confuser.Protections.Compressor.Pack(ConfuserContext context, ProtectionParameters parameters) in C:\projects\neo-confuserex\Confuser.Protections\Compress\Compressor.cs:line 91
   at Confuser.Core.ConfuserEngine.Pack(ConfuserContext context) in C:\projects\neo-confuserex\Confuser.Core\ConfuserEngine.cs:line 427
   at Confuser.Core.ProtectionPipeline.ExecuteStage(PipelineStage stage, Action`1 func, Func`1 targets, ConfuserContext context) in C:\projects\neo-confuserex\Confuser.Core\ProtectionPipeline.cs:line 135
   at Confuser.Core.ConfuserEngine.RunPipeline(ProtectionPipeline pipeline, ConfuserContext context) in C:\projects\neo-confuserex\Confuser.Core\ConfuserEngine.cs:line 256
   at Confuser.Core.ConfuserEngine.RunInternal(ConfuserParameters parameters, CancellationToken token) in C:\projects\neo-confuserex\Confuser.Core\ConfuserEngine.cs:line 175
Failed at 20:55, 0:03 elapsed.
```
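Added example, not neo-ConfuserEx code: a read helper for the point where the trace above fails (`Packer.ProtectStub` reading the stub it just saved to the temp directory) that tells an on-access-scanner block apart from an ordinary I/O error, so the user gets an actionable message instead of the generic "check if all input/output locations are readable/writable". It assumes .NET Framework 4.5+ and C# 6 (public `Exception.HResult`, exception filters); the helper names are hypothetical, and the Win32 codes 225/226 are the documented ERROR_VIRUS_INFECTED / ERROR_VIRUS_DELETED values.

```csharp
using System;
using System.IO;

// Hypothetical helper, not part of the project.
static class StubReader
{
    // Win32 error codes the OS returns when the on-access scanner blocks a file,
    // as they appear in IOException.HResult (0x8007 | Win32 code):
    //   225 (0xE1) ERROR_VIRUS_INFECTED  "...file contains a virus or potentially unwanted software."
    //   226 (0xE2) ERROR_VIRUS_DELETED   the file was removed by the scanner.
    const int HrVirusInfected = unchecked((int)0x800700E1);
    const int HrVirusDeleted  = unchecked((int)0x800700E2);

    // Reads the freshly written stub and reports why a read failed.
    // Returns true on success; on failure 'diagnostic' explains the cause.
    public static bool TryReadStub(string path, out byte[] bytes, out string diagnostic)
    {
        bytes = null;
        diagnostic = null;
        try
        {
            bytes = File.ReadAllBytes(path);
            return true;
        }
        catch (IOException ex) when (ex.HResult == HrVirusInfected || ex.HResult == HrVirusDeleted)
        {
            // Not a disk/permission problem: the scanner judged the packed output malicious.
            diagnostic =
                "The endpoint scanner blocked '" + path + "' (HRESULT 0x" + ex.HResult.ToString("X8") + "). " +
                "Look up the detection name in the scanner's protection history; if it is a false positive, " +
                "submit the file at https://www.microsoft.com/en-us/wdsi/filesubmission and keep the " +
                "build directory excluded only after the sample has been reviewed.";
            return false;
        }
        catch (IOException ex)
        {
            // Genuine I/O failure (locked file, missing path, permissions).
            diagnostic = "I/O error reading '" + path + "': " + ex.Message;
            return false;
        }
    }

    static int Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: StubReader <path>"); return 2; }
        byte[] data; string why;
        if (StubReader.TryReadStub(args[0], out data, out why)) { Console.WriteLine(data.Length + " bytes read"); return 0; }
        Console.Error.WriteLine(why);
        return 1;
    }
}
```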

XenocodeRCE commented 4 years ago

This is a free and open source project, what are you unhappy with?

Everything is open-source and has been source-proofed against any malicious code.

I do not want to offer a solution to potentially protect malware for malware creators, so if you want to remove that false detection, you can send the file to their false detection submission (because they know such scenarios happen frequently, they made a free online platform for that):

https://www.microsoft.com/en-us/wdsi/filesubmission

AndresRohr commented 2 years ago

In Windows 10 Home I still get these warnings. Microsoft Defender is much too inaccurate. If it sees a confused exe it immediately thinks it's malicious. Maybe it's because it is not able to peek into these files, which is kind of the idea of this solution for protecting your hard work from being stolen. My obfuscated software is still regularly flagged. Submitted to Microsoft but nothing improved. 65 other antivirus products don't see a problem with it; two others are also reacting to the inability to peek into it. At least they say "Heuristic guess" and "It's packed", but that is also not really good info for users who are afraid.

AndresRohr commented 2 years ago

Seems there is only a problem with the files that are written temporarily into the %localtemp% directory. The final produced output doesn't get blocked by Microsoft Defender. So the solution is quite easy: not closing the temporary files. I have a working quick & dirty solution now that never closes a temp file but just puts the open handles in a Dictionary<pathName, stream>. If a processing step reopens the same file, I just give it the same handle and set the position to 0. On closing I just do a 'stream.Length = ...'. Sadly dnlib must also be patched with this mechanism, although only in one location, in 'ProtectStub()'. So the dictionary with the open file handles must be handed over to dnlib via Dependency Injection. As I said, quick & dirty. But it works, at least (:-).