
PE setting off antivirus.

Open Piggo4676 opened this issue 2 years ago • 0 comments

I have created a PE exe using lief, but it sets off my antivirus. It is an identical executable to the one in the pefromscratch tutorial, except I added a "," and a "!" to the text "Hello world". When I remove those symbols, it doesn't flag it as a virus. Why? How could I fix this? I don't want to have to add anything to the Microsoft Defender allowed viruses section.

Here's the code:

from lief import PE, parse

def create_exe():
    # Strings placed in .data; the title is 16 bytes, so the message
    # lands at offset 0x10 inside the section.
    title   = "LIEF is awesome\0"
    message = "Hello World\0"

    data =  list(map(ord, title))
    data += list(map(ord, message))

    # x86 stub: MessageBoxA(NULL, message, title, MB_OK); ExitProcess(0).
    # Addresses assume image base 0x400000, .data at RVA 0x2000 and the
    # IAT slots that LIEF's import builder writes at 0x30xx.
    code = [
        0x6a, 0x00,                         # push 0x00 uType
        0x68, 0x00, 0x20, 0x40, 0x00,       # push VA(title)   -> 0x402000
        0x68, 0x10, 0x20, 0x40, 0x00,       # push VA(message) -> 0x402010
        0x6a, 0x00,                         # push 0 hWnd
        0xFF, 0x15, 0x54, 0x30, 0x40, 0x00, # call [0x403054] MessageBoxA
        0x6A, 0x00,                         # push 0 uExitCode
        0xFF, 0x15, 0x4C, 0x30, 0x40, 0x00  # call [0x40304C] ExitProcess
        ]

    binary = PE.Binary("myexe", PE.PE_TYPE.PE32)

    section_text                 = PE.Section(".text")
    section_text.content         = code
    section_text.virtual_address = 0x1000

    section_data                 = PE.Section(".data")
    section_data.content         = data
    section_data.virtual_address = 0x2000

    # add_section returns the section as stored in the binary.
    section_text = binary.add_section(section_text, PE.SECTION_TYPES.TEXT)
    section_data = binary.add_section(section_data, PE.SECTION_TYPES.DATA)

    binary.optional_header.addressof_entrypoint = section_text.virtual_address
    #binary.optional_header.subsystem = PE.SUBSYSTEM.WINDOWS_GUI

    # Imports; build_imports(True) below makes LIEF emit its own import
    # section holding the IAT that the call [..] instructions read.
    kernel32 = binary.add_library("kernel32.dll")
    kernel32.add_entry("ExitProcess")
    #kernel32.add_entry("WriteConsoleA")
    user32 = binary.add_library("user32.dll")
    user32.add_entry("MessageBoxA")

    builder = PE.Builder(binary)
    builder.build_imports(True)
    builder.build()
    builder.write("myexe.exe")

    # Re-parse the written file and print each import together with the
    # last two hex digits of LIEF's string form of it, to cross-check the
    # hard-coded IAT addresses in the code stub.
    unpacked = parse('myexe.exe')
    for func in unpacked.imported_functions:
        print(func)
        print(int(str(func).split(' - ')[1][-2:], 16))

create_exe()

Update: Changing ANY of the text in the .data section trips the antivirus. Further update: So I fixed the issue. It was due to a header that was being automatically added (not by me) that had the flags mem_execute and mem_write, which apparently many viruses use or something. I fixed it by going in afterwards and changing the flags after compilation. Why is this header being added without me explicitly saying it should be?

THIRD UPDATE: the header is only there when build imports is on.

Piggo4676 avatar Dec 30 '23 00:12 Piggo4676
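The updates above trace the detection to a section whose characteristics carry both IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE, a writable-and-executable (W+X) region that AV heuristics treat as suspicious because legitimate toolchains almost never emit one. The following is an added example, not code from the issue or from LIEF: it parses the PE section table with the standard library only, reports W+X sections, and shows the post-build fix the reporter describes (clearing the write bit on such sections). The sample image built by `build_sample_pe()` is constructed for the example; its three sections, the 224-byte zeroed optional header and the section flag values are assumptions, not what LIEF actually emits.

```python
import struct

# Section characteristic bits from the PE/COFF spec.
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")
CHARACTERISTICS_OFFSET = 36  # offset of Characteristics inside a header


def _section_table(pe):
    """Return (offset of first section header, number of sections)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    # Section headers follow the 4-byte signature, 20-byte COFF header
    # and the optional header.
    return e_lfanew + 24 + opt_size, nsections


def sections(pe):
    """Parse the section table into a list of dicts."""
    off, n = _section_table(pe)
    out = []
    for i in range(n):
        fields = SECTION_HEADER.unpack_from(pe, off + i * SECTION_HEADER.size)
        name, vsize, va, _rawsize, _rawptr, _r, _l, _nr, _nl, chars = fields
        out.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va,
            "vsize": vsize,
            "characteristics": chars,
        })
    return out


def wx_sections(pe):
    """Names of sections that are both writable and executable."""
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return [s["name"] for s in sections(pe) if s["characteristics"] & wx == wx]


def clear_write_on_wx(pe):
    """Return a copy of the image with MEM_WRITE cleared on W+X sections.

    This is the post-build fix described in the issue: the import section
    only needs to be readable (the loader handles IAT patching itself).
    """
    buf = bytearray(pe)
    off, n = _section_table(buf)
    for i in range(n):
        coff = off + i * SECTION_HEADER.size + CHARACTERISTICS_OFFSET
        chars = struct.unpack_from("<I", buf, coff)[0]
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            struct.pack_into("<I", buf, coff, chars & ~IMAGE_SCN_MEM_WRITE & 0xFFFFFFFF)
    return bytes(buf)


def build_sample_pe():
    """Constructed minimal PE32 headers with one deliberately W+X section."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x0102)
    opt = bytes(224)                                  # zeroed optional header (assumption)

    def header(name, va, chars):
        return SECTION_HEADER.pack(name.ljust(8, b"\0"), 0x1000, va, 0x200,
                                   0, 0, 0, 0, 0, chars)

    sects = (
        header(b".text", 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
        + header(b".data", 0x2000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
        # Import section with the flag combination the issue reports.
        + header(b".idata", 0x3000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
                 | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)
    )
    return bytes(dos) + b"PE\0\0" + coff + opt + sects


if __name__ == "__main__":
    sample = build_sample_pe()
    print("W+X sections before fix:", wx_sections(sample))
    print("W+X sections after fix: ", wx_sections(clear_write_on_wx(sample)))
```

Run the same `wx_sections()` check over the `myexe.exe` produced by the script in the issue (read the file as bytes) to see the section the reporter mentions; `clear_write_on_wx()` is the flag edit done on the raw bytes, and the equivalent with LIEF is to adjust `section.characteristics` on the parsed binary and write it back.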