charles2gan / GDA-android-reversing-Tool

The fastest and most powerful Android decompiler (a native tool that works without a Java VM) for APK, DEX, ODEX, OAT, JAR, AAR and CLASS files. It supports malicious behavior detection, privacy leak detection, vulnerability detection, path solving, packer identification, variable tracking, deobfuscation, Python and Java scripts, device memory extraction, data decryption and encryption, etc.
https://twitter.com/charles_gan1
Apache License 2.0

Windows Defender: virus detected!! #7

Closed xuxiaoyuspallow closed 4 years ago

xuxiaoyuspallow commented 5 years ago

Could you let me know which part of your software triggered the detection?

charles2gan commented 5 years ago

For dumping memory on an Android device, the binary releases an adb.exe file and the gdump file into %APPDATA%/GDA, and the binary is packed by Themida. These are the reasons it triggers the detection.

krviolent commented 5 years ago

While I was downloading the .zip archive, Windows Defender counted GDA3.65.zip as a virus and deleted it.

ryu-s-r commented 5 years ago

For your information, below is the scan result of GDA3.66: https://www.virustotal.com/gui/file/42f343bc07bbb522f9ae8f7e055366a00b7efbbdd751e41635e53d0555612b30/detection

julianxhokaxhiu commented 4 years ago

Although it looks clean here: https://www.virustotal.com/gui/url/05b55743d627f3754e9b7e4fc94a30d81ac743c5c8eb844d1fcb4a34bd52506a/detection

Windows Defender still complains about 3.70. Anything you can do to fix that?

blshkv commented 4 years ago

"Clean" does not mean uninfected. This software is NOT open source. One could think that there is indeed a virus/trojan built in intentionally and it got detected. The developers repackaged it so the latest version is not getting detected. This is all speculation, but I strongly advise not to use this software until the source code is available (and you compile it yourself).

charles2gan commented 4 years ago

> "Clean" does not mean uninfected. This software is NOT open source. One could think that there is indeed a virus/trojan built in intentionally and it got detected. The developers repackaged it so the latest version is not getting detected. This is all speculation, but I strongly advise not to use this software until the source code is available (and you compile it yourself).

I didn't deliberately do any work to bypass anti-virus software. Please don't speculate maliciously. When each new version is released, it isn't flagged, and then after a while it is. I use Themida to prevent decompilation, which leads to detection by some anti-virus software. I have my own full load of work, and I don't have much energy to do such work. Most anti-virus software will report a virus for any packed PE file. If my goal were to spread a virus, why would I spend a lot of time developing a decompiler and putting my name and contact information in GDA? Am I stupid? If it were commercialized, wouldn't that be more beneficial than spreading a virus? So, if you don't trust it, you can use it in a clean virtual machine. Thanks!

blshkv commented 4 years ago

Sorry, I didn't want to cause anger or blame anyone. The intention of my message was to encourage you to release an open-source version. I expected source code to be available for a project hosted on GitHub. I have had bad experiences with closed-source programs. They fail to run on various systems or die out after a while. Please consider ;-)

Peace!

Kungergely commented 4 years ago

I'm sorry, but your explanation really doesn't add up. Windows still keeps detecting even the latest version (3.72) as containing Win32/Occamy.C (and not in an unpacked program called adb.exe, but in the executable GDA3.72.exe itself!). And what's worse is that I found the following in my netstat output after I ran the program:

  TCP    192.168.1.49:62250     123.112.20.158:9090    CLOSE_WAIT
 [GDA3.72.exe]

Why does your program try to connect to an IP in Beijing, CN?
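A practitioner's check for the situation this thread describes (a downloaded executable that AV flags and that the author attributes to Themida packing): before running the file, parse its PE section table, measure per-section entropy, look for protector section names and writable-plus-executable sections, and record the SHA-256 for a VirusTotal lookup. This is an added example and is not code from GDA or its author; the packer section-name list is a heuristic assumed here, and the sample PE is constructed inline rather than taken from any GDA release.

```python
"""Pre-run triage of a Windows executable (added example, not GDA code).

Parses the PE section table with the standard library only, measures Shannon
entropy per section, flags known protector section names and RWX sections, and
reports the SHA-256 so the file can be looked up on VirusTotal. The sample PE
built at the bottom is constructed for this example; it is not a GDA build.
"""
import hashlib
import math
import random
import struct

# Section names commonly left behind by protectors/packers. Heuristic list
# assumed for this example: a match hints that an AV hit may be packer-related,
# a clean name proves nothing either way.
PACKER_SECTION_NAMES = {
    b".themida": "Themida",
    b".winlice": "WinLicense",
    b".vmp0": "VMProtect",
    b".vmp1": "VMProtect",
    b"UPX0": "UPX",
    b"UPX1": "UPX",
}

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # 40-byte IMAGE_SECTION_HEADER


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        (name, _vsize, _va, raw_size, raw_ptr, _reloc, _lines,
         _nreloc, _nlines, chars) = SECTION_HEADER.unpack_from(pe, table + i * 40)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "raw_name": name.rstrip(b"\0"),
            "size": len(raw),
            "entropy": shannon_entropy(raw),
            "rwx": bool(chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE),
        })
    return sections


def triage(pe: bytes, entropy_threshold: float = 7.0) -> dict:
    """Summarise packing indicators and the hash to look up on VirusTotal."""
    sections = parse_sections(pe)
    packers = sorted({PACKER_SECTION_NAMES[s["raw_name"]]
                      for s in sections if s["raw_name"] in PACKER_SECTION_NAMES})
    high_entropy = [s["name"] for s in sections
                    if s["size"] and s["entropy"] >= entropy_threshold]
    rwx = [s["name"] for s in sections if s["rwx"]]
    return {
        "sha256": hashlib.sha256(pe).hexdigest(),
        "sections": sections,
        "packers": packers,
        "high_entropy_sections": high_entropy,
        "rwx_sections": rwx,
        "likely_packed": bool(packers or high_entropy or rwx),
    }


def build_sample_pe(sections) -> bytes:
    """Minimal PE (DOS stub, COFF header, empty optional header, section table,
    raw data) that parse_sections() accepts; constructed for this example only."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(sections)
    headers, blobs, va = b"", b"", 0x1000
    for name, data, chars in sections:
        headers += SECTION_HEADER.pack(name.ljust(8, b"\0"), len(data), va, len(data),
                                       raw_ptr + len(blobs), 0, 0, 0, 0, chars)
        blobs += data
        va += 0x1000
    return dos + b"PE\0\0" + coff + headers + blobs


# Constructed sample: a low-entropy code section plus a high-entropy, RWX
# ".themida" section, the shape a protector-packed binary typically has.
_CODE = (b"\x55\x8b\xec\x83\xec\x10" * 700)[:4096]
_PACKED = random.Random(1234).randbytes(4096)
SAMPLE_PE = build_sample_pe([
    (b".text", _CODE, 0x60000020),       # CODE | EXECUTE | READ
    (b".themida", _PACKED, 0xE0000020),  # CODE | EXECUTE | READ | WRITE
])

if __name__ == "__main__":
    r = triage(SAMPLE_PE)
    print("sha256:", r["sha256"])
    for s in r["sections"]:
        print(f"{s['name']:<10} size={s['size']:>6} entropy={s['entropy']:.2f} rwx={s['rwx']}")
    print("packers:", r["packers"], "likely packed:", r["likely_packed"])
```

To use it on a real download, replace `SAMPLE_PE` with `open("GDA3.72.exe", "rb").read()` on a machine where the file is never executed. A packer hit explains a generic "packed PE" detection but does not clear the file: a protector section and a hash that VirusTotal has not seen are exactly the conditions under which you run the binary only inside a disposable VM with egress logged, which is also where the netstat observation in this thread would be reproduced and the destination address recorded.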