
AV Detection

Open shadoxxhd opened this issue 5 years ago • 5 comments

The LaunchParadoxModManager.exe file is being detected by many different AV programs (https://www.virustotal.com/gui/file/f7f0e66c5e5dfef807892dcf30c41ab0bed8aaf0d4e1b5628954e2747cfc32aa/detection). The sample was taken from the latest release version (0.8.2).

Is this just a hyper-optimized way to start the java runtime, or could the launcher be compromised? If you didn't assembly-optimize this file, I'd guess the latter...

shadoxxhd avatar Jun 08 '20 19:06 shadoxxhd

In fact, the exe file is generated from a bat file (and executes another .bat): https://github.com/ThibautSF/ParadoxosModManagerRework/blob/master/Utils/launchers/LaunchParadoxosModManager.bat

The app used is in this directory. https://github.com/ThibautSF/ParadoxosModManagerRework/tree/master/Utils

The final .bat file executed is the following (in bin/ folder):

@echo off
rem %~dp0 is the drive and path of this .bat; the surrounding quotes are stripped again below
set DIR="%~dp0"
set JAVA_EXEC="%DIR:"=%\java"
rem run the module from the bundled runtime; %* forwards any arguments given to the .bat
%JAVA_EXEC% -Djavafx.userAgentStylesheetUrl="application.css" -p "%~dp0/../app" -m com.pmm.ParadoxosGameModManager/com.pmm.ParadoxosGameModManager.ModManager  %*
pause

ThibautSF avatar Jun 09 '20 10:06 ThibautSF

Strange ... the bat to exe program isn't recognized by any AV on virustotal, but the generated .exe is flagged by almost half of all AV engines...

When I build the .exe myself using your Slimm bat to exe (with "custom"), it is detected by 15 AVs instead of 30 like the official version - using the windowless express preset, it is detected by 16 AVs.

Using C to build a .exe that directly calls the bin/Launch....bat file, I get not a single AV detection, though my .exe file is almost 3 times as big as the result from the Slimm converter. https://pastebin.com/yXuU8qm8

To build:
gcc pmmlauncher.c -o pmmlauncher.exe -Os -Bdynamic (options might reduce file size a bit)
strip pmmlauncher.exe (reduces file size a lot)

shadoxxhd avatar Jun 10 '20 02:06 shadoxxhd

Ok so I made multiple compile tests:

  • On a Linux VM basic gcc -> no virus flag but can't launch on windows (seems logical): https://www.virustotal.com/gui/file/bfd4708a70f7c5a46ae1560ea80e450723f43ac57d2f902c3173d78143f46b49/detection
  • On windows with MinGW -> 6 virus flags, can be launched (but not silently): https://www.virustotal.com/gui/file/c6c2c6b5ba99b5c8045dd3a25b9af8eab002d4a536cf6f971f2a5326c3bc2667/detection
  • On a Linux VM (same as 1) with mingw64-x86_64-gcc -> 3 virus flags, 300 KB exe, can be launched too (but not silently): https://www.virustotal.com/gui/file/442e665923cdcf6c53977fa405d0fb71f3c2f137bbe9b926782c97f8e0f3672f/detection

ThibautSF avatar Jun 10 '20 11:06 ThibautSF

With the following code, the windows command prompt is launched but immediately minimised at least (also remove the "echo off" line since it doesn't seem to be useful).

#include <stdlib.h>

int main(void){
	/* open a new, minimised console for the .bat; "^&" passes a literal "&" through
	   the outer cmd so that "exit" closes the new console once the .bat returns */
	system("start /MIN bin\\LaunchParadoxosModManager.bat ^& exit");
	return 0;
}

EDIT: This should be a better exe, 6/3 virus flags is much better than 30 ^^

Note also that I'm working on using Jpackage from JDK14 in order to generate an image with executable (instead of batch files).

Visual of what I've managed to do for now: [image]

And the scan of the exe produced with JPackage: https://www.virustotal.com/gui/file/fc53cb17a9c894faeeb43cdc5124ffff9adca68a959f275dd3dacd6d94008b70/detection

ThibautSF avatar Jun 10 '20 12:06 ThibautSF
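An added example, not code from the thread or from the project: a launcher in the spirit of the C snippet above that resolves its own directory from argv[0], the way %~dp0 does in the .bat, so the batch file is found whatever the working directory is, and that quotes the path so a space in the install folder does not break it. The bin\ layout and the batch file name come from the thread; the pmmlauncher.exe name and everything else are assumed.

```c
/* Added example (not the project's code). Builds the same kind of
 * "start /MIN ... ^& exit" command as the posted launcher, but anchored
 * to the launcher's own directory instead of the current directory.
 * Assumption: the exe sits next to the bin\ folder, as in the release. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Batch file relative to the launcher, as named in the thread. */
#define LAUNCH_BAT "bin\\LaunchParadoxosModManager.bat"

/* Copy the directory part of argv0 (trailing separator included) into
 * dir. Accepts '\\' and '/' so it also works when started from a shell
 * that uses forward slashes. Returns the length, or -1 if it does not fit.
 * No separator at all means "current directory" and yields an empty dir. */
int launcher_dir(const char *argv0, char *dir, size_t n) {
    const char *bs = strrchr(argv0, '\\');
    const char *fs = strrchr(argv0, '/');
    const char *sep = bs;
    if (!sep || (fs && fs > sep)) sep = fs;
    size_t len = sep ? (size_t)(sep - argv0) + 1 : 0;
    if (len >= n) return -1;
    memcpy(dir, argv0, len);
    dir[len] = '\0';
    return (int)len;
}

/* Build the command line. start "" gives an empty window title so the
 * quoted path is not taken for one; /MIN minimises the new console;
 * "^& exit" is the closing idiom from the posted launcher. Returns 1 on
 * success, 0 if the path cannot be quoted safely or does not fit. */
int build_command(const char *argv0, char *out, size_t n) {
    char dir[1024];
    if (strchr(argv0, '"')) return 0;          /* a quote would break the quoting */
    if (launcher_dir(argv0, dir, sizeof dir) < 0) return 0;
    int w = snprintf(out, n, "start \"\" /MIN \"%s%s\" ^& exit", dir, LAUNCH_BAT);
    return w > 0 && (size_t)w < n;
}

int main(int argc, char **argv) {
    char cmd[2048];
    if (argc < 1 || !build_command(argv[0], cmd, sizeof cmd)) return 1;
    return system(cmd);   /* on Windows this goes through cmd.exe, like the original */
}
```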

Published Indev: https://github.com/ThibautSF/ParadoxosModManagerRework/releases/tag/indev

Patch+0.8.2patched: https://github.com/ThibautSF/ParadoxosModManagerRework/releases/tag/0.8.2-novirus

ThibautSF avatar Jun 10 '20 13:06 ThibautSF