
When using VxKex, I encountered a security software virus issue, and I tried to investigate what caused it

Open Ares17282 opened this issue 9 months ago • 2 comments

When I was downloading VxKex, the security software intercepted it, and I felt worried and confused, so I tried to investigate whether it was really a virus. My security software prompted me that this is a Trojan virus, so I downloaded the source code for KexSetup Release _1_1_2_1428.exe and VxKex_Source eCode_1_2_1428.7z. Then I tried to verify these two files using security software, and the security software detected that they were safe. Then I unzipped the source code, and at this point, the security software warned me because "Trojans usually modify these DLL files to launch themselves and invade your computer. If you did not make the modifications voluntarily, please stop them." The location pointed to is \VxKex_Source_Cde_1_2_1428 \ VxKex \ 02-Prebuild DLLs \ x64 \ ucrtbase.dll, which are usually located in two folders: x64 and x86. In fact, ucrtbase.dll is an important runtime library at the bottom of Windows, and any operation on it seems to be considered a serious risk by security software. The operating principle of VxKex seems to be to change the DLL file that the application originally pointed to the Win7 system to a DLL file that points to the VxKex compilation location, which may be the reason for the virus. Of course, I also conducted a brief study on the two versions of ucrtbase.dll in the source code. By comparing the file sizes, I believe that the version of ucrtbase.dll in the source code should be 1.0.19041.1. The above are my personal research results, but I still have concerns about its safety due to drug reporting. If possible, I hope someone can conduct research and verification on it together and tell me the results. Thank you very much.

Ares17282, Mar 07 '25 12:03

To be honest, when I first discovered VxKex, I was shocked that it could make applications designed for Win10/11 run on Win7 again, which was truly amazing. I really want to use it, but due to the historical background of this project and the chaotic community discussions, I'm not sure if it has a Trojan virus. I tried to compile the source code to address my concerns, but I am not familiar enough with C++. Please forgive me. Anyway, thank you very much to vxiidu and i486 for letting me see this project.

Ares17282, Mar 07 '25 12:03

"Trojans usually modify these DLL files to launch themselves and invade your computer. If you did not make the modifications voluntarily, please stop them"

In this case VxKex needs to redirect DLL calls that do not exist in Windows 7, hence why it detects it as a virus. I'm pretty sure it's a false positive because of that.

Windows 7 does not have certain API calls that Windows 10/11 programs use. If you try to run them, they give you a weird error you have never seen. What VxKex does is get those calls, redirect them to its DLLs and then return whatever the API call needed to return.

brunoman4006, Mar 09 '25 13:03

That ucrtbase.dll is an unmodified, stock UCRT DLL from Windows 10. It's a false positive.


Also read: https://github.com/i486/VxKex/issues/65

i486, May 31 '25 07:05
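One way to check the claim above that the bundled ucrtbase.dll is a stock Microsoft file, instead of comparing file sizes, is to inspect its Authenticode signature and compare its SHA-256 with a copy taken from a trusted Windows 10 installation. This is an added example, not code from the thread or from the VxKex project; the script name, parameter names and paths are placeholders, and it assumes PowerShell 4.0 or later (for `Get-FileHash`) and a reference copy of the same file version.

```powershell
# Verify-Dll.ps1 (hypothetical name) - added example, not part of VxKex.
# Usage: .\Verify-Dll.ps1 -Candidate <path to extracted ucrtbase.dll> [-Reference <trusted copy>]
param(
    [Parameter(Mandatory = $true)][string]$Candidate,  # DLL unpacked from the source archive
    [string]$Reference                                  # optional same-version copy from a trusted Windows 10 install
)

function Get-DllEvidence {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path        = $item.FullName
        Length      = $item.Length
        FileVersion = $item.VersionInfo.FileVersion
        SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SigStatus   = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

$c = Get-DllEvidence -Path $Candidate
$c | Format-List

# HashMismatch means the bytes no longer match what was signed.
# Other non-Valid states can also occur when the chain cannot be validated on
# this machine, so they are reported as warnings, not as verdicts.
if ($c.SigStatus -ne 'Valid') {
    Write-Warning "Signature status is $($c.SigStatus); do not rely on the signature alone."
} elseif ($c.Signer -notmatch 'O=Microsoft Corporation') {
    # Subject match is a heuristic on top of a chain that already validated.
    Write-Warning "Signature is valid but the signer is not Microsoft: $($c.Signer)"
} else {
    Write-Output "Signature valid, signer: $($c.Signer)"
}

if ($Reference) {
    $r = Get-DllEvidence -Path $Reference
    if ($c.SHA256 -eq $r.SHA256) {
        Write-Output "MATCH: candidate is byte-identical to the reference copy."
    } else {
        Write-Warning "MISMATCH: hashes differ (candidate $($c.FileVersion), reference $($r.FileVersion))."
    }
}
```

A hash mismatch against a reference of a different build is expected, so compare the reported FileVersion values before drawing a conclusion from it.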

Linked to:

  • https://github.com/i486/VxKex/issues/26
  • https://github.com/i486/VxKex/issues/41
  • https://github.com/i486/VxKex/issues/55
  • https://github.com/i486/VxKex/issues/65
  • https://github.com/i486/VxKex/issues/85
  • https://github.com/i486/VxKex/issues/107
  • https://github.com/i486/VxKex/issues/117
  • https://github.com/i486/VxKex/issues/166
  • https://github.com/i486/VxKex/issues/187
  • https://github.com/i486/VxKex/issues/191

Neustradamus, Aug 28 '25 19:08