Sign in to follow this  
Followers 0
DCCD

How can made safer application that is not detect by antivirus

8 posts in this topic

How can made safer application that is not detect by antivirus, This does not mean AutoIt Specifically, but all languages C++ VB ..etc.

[setWindowsHookEx] Function

i'd like to use this func It's probably a bad idea, but Does AV software detect this func as a threat?.

Any comments are welcome.

.

Share this post


Link to post
Share on other sites



Hi there im a bit lost at what you wanted but this might


Work smarter not harder.My First Posted Script: DataBase

Share this post


Link to post
Share on other sites

#4 ·  Posted (edited)

hmmmm.... lets put it this way

would i reply to your post if i didn't read it?

sorry if this isn't the one you need.... nvm my post :)

Edited by Ace08

Work smarter not harder.My First Posted Script: DataBase

Share this post


Link to post
Share on other sites

Hi!

Some antivirus will detect such behavior. But since alot of software do hook functions that way, it is largely allowed...

The big problem though with hooking this way is that in worst case you will be taking away your/someoneelses virus selfprotection.

That is one of the reasons we are often adviced not to run multiple similar protection systems, with the missguided idea that protection will double/trippel or quadrouple... :)

What specifically do you want to hook and what end are you trying to achieve?

There are many other ways to achieve any one goal.

/Manko


Yes i rush things! (I sorta do small bursts inbetween doing nothing.) Things I have rushed and reRushed:* ProDLLer - Process manager - Unload viri modules (dll) and moore...* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist. Moore to come... eventually...

Share this post


Link to post
Share on other sites

#6 ·  Posted (edited)

Hi!

Some antivirus will detect such behavior. But since alot of software do hook functions that way, it is largely allowed...

The big problem though with hooking this way is that in worst case you will be taking away your/someoneelses virus selfprotection.

That is one of the reasons we are often adviced not to run multiple similar protection systems, with the missguided idea that protection will double/trippel or quadrouple... :)

What specifically do you want to hook and what end are you trying to achieve?

There are many other ways to achieve any one goal.

/Manko

Oooops! Sorry! These are windows-messages-hooks... so long since i worked these things, so I confused things...

I REALLY don't think antivirus will be complaining much about these... Well, there's that infamous technique that injects a dll into most gui-apps... Might be stopped by some... Again, though... What do you wanna do? It can probably be done in many other ways...

Well... Sorry about the mixup...

Also, unlike the thing I was thinking of, this is safe to do.

/Manko

Edited by Manko

Yes i rush things! (I sorta do small bursts inbetween doing nothing.) Things I have rushed and reRushed:* ProDLLer - Process manager - Unload viri modules (dll) and moore...* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist. Moore to come... eventually...

Share this post


Link to post
Share on other sites

thank you for your reply, I ask this question because If you use the FileInstall function! A lot of antivirus software will detect this func as a warm.

It does not matter if "false positive", For me, if my best friend gave me a file and my antivirus detect it as a warm i'll ask myself "why my best friend gave me a virus", about me I know it's a false positive, but what about someone that don't know much about "false positive" he'll say IT'S A VIRUS. :)

that's why i'm here i need any information about "SetWindowsHookEx" func

NB:even i don't use UPX, that's all, Thanks Again.

.

Share this post


Link to post
Share on other sites

that's why i'm here i need any information about "SetWindowsHookEx" func

Depends if you do malicious-like stuff...

WH_KEYBOARD_LL might be stopped by some and flagged by some... (Spyware/keylogger)

...and if you push .dll into other apps, heuristics will get known bad .dlls...

I'm NO expert on what VIRUS-proggys do or dont do though...

(Am still qurious what you're trying to do...)

/Manko


Yes i rush things! (I sorta do small bursts inbetween doing nothing.) Things I have rushed and reRushed:* ProDLLer - Process manager - Unload viri modules (dll) and moore...* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist. Moore to come... eventually...

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0