Autoit used for Virus Entry

TouchOdeath

Ok... so one of my AutoIt scripts was accused of being an 'entry' point for the virus. I looked at my code, and it is an impossibility.

Here is what I am asking:

If you have this, for example, `Run("notepad.exe")`, I need to be able to look up the Run() function; basically I have to look at exactly 'how' AutoIt does what it does.

BrewManNH

The source code for the current version isn't available to the public. There are older versions of the source code for AutoIt available on the homepage, but nothing for the newest versions.


If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

hannes08

Hi TouchOdeath,

Did you read

Some virus scanners do a "False positive" with compiled AutoIT scripts. If it's critical, you might want to disable UPX compression on compilation.


Regards, Hannes

If you can't convince them, confuse them!

smartee

Run() works through a standard call to CreateProcess last I checked.

No need to point fingers at AutoIt, read the link Hannes123 posted to find out why your script may have been flagged.

Maybe it's something else your script does that is suspicious (like FileInstall-ing an infected file or injecting code into explorer or something). Care to spare us a look at it?

TouchOdeath

Thank you Hannes123, I have in fact read that thread. As far as my source code is concerned I can't post it :/. But I can post two things that could even POSSIBLY be in question.

1. My program writes to a log file that is linked to a SHARED FOLDER.

2. It executes a program using a shared path: `Run("\\Computer\C$\folder\program.exe")`

That is it as far as my code is concerned. But it would be great if I could look up exactly how things work, so I can say FOR SURE that AutoIt IS NOT the problem at hand.

BrewManNH

If AutoIt is being flagged by the AV software for any script you're running, then it's probably your AV software at fault. If your script is doing something that's flagging it, then it would be something YOUR code is doing, rather than something AutoIt is doing, that is causing it to be flagged.

TouchOdeath

It is the AV software's fault... Not AutoIt... But so I can prove to these people who are making the accusation about my script that it is not my code nor AutoIt: I know how my code works, I just don't know how the functions of AutoIt work. Functions like Run(), ProcessClose(), ProcessExists(), everything.

I am sure that it has absolutely nothing to do with AutoIt, or the code I have written. But I need to know exactly how it works so I can prove to the people accusing me that they are in fact in the wrong. Thanks for the help guys, I appreciate it!

kaotkbliss

I'm sure those basic functions haven't changed much between the last source release and now, so that should help give the understanding you are looking for.


010101000110100001101001011100110010000001101001011100110010000

001101101011110010010000001110011011010010110011100100001

My Android cat and mouse game
https://play.google.com/store/apps/details?id=com.KaosVisions.WhiskersNSqueek

We're gonna need another Timmy!

Bert

Simplest way to prove it is this:

Have the accuser download the full AutoIt suite from the AutoIt site.

Have them write a simple script that is just one line, like `MsgBox(0, "Test", "This is a test")`.

They compile it.

Have their PC scan the file. If I'm right, their AV software should flag it.

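A practical companion to the two points made in this thread: Hannes' note that the UPX compression applied at compile time is what many scanners trip on (the AutoIt3Wrapper directive `#AutoIt3Wrapper_UseUpx=n` at the top of a script turns it off), and Bert's suggestion to compile a one-line MsgBox script and scan it. Before handing such a binary to an AV vendor as a false-positive sample, it helps to verify whether it is actually UPX-packed. The script below is an added example written for this thread, not AutoIt's or the forum's code: it reads the PE section table of any Windows executable and reports whether the section names UPX leaves behind (`UPX0`, `UPX1`, ...) are present. The `build_fake_pe` helper only constructs a header-and-section-table stub for offline testing; it is not a runnable executable.

```python
"""Check a Windows executable's PE section table for UPX's section names.

Added example for the AutoIt false-positive discussion; not AutoIt code.
A compiled script whose table contains UPX0/UPX1 is still UPX-packed, so
a false-positive report to an AV vendor should say so (or the script should
be recompiled with #AutoIt3Wrapper_UseUpx=n and re-scanned).
"""
import struct
import sys
from typing import List


def section_names(data: bytes) -> List[str]:
    """Return the section names from a PE image, in table order.

    Offsets follow the PE/COFF layout: e_lfanew at 0x3C points at the
    "PE\\0\\0" signature, the 20-byte COFF header follows it, and the
    section table (40 bytes per entry, name first) follows the optional
    header. Raises ValueError for anything that is not an MZ/PE image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]   # COFF +2
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]      # COFF +16
    table = pe_off + 24 + opt_size
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40:table + i * 40 + 8]
        if len(raw) < 8:
            raise ValueError("section table truncated")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """True if any section name starts with 'UPX' (UPX's default naming)."""
    return any(name.startswith("UPX") for name in section_names(data))


def build_fake_pe(names: List[str]) -> bytes:
    """Constructed test fixture: MZ stub + PE signature + COFF header +
    section table with the given names. Not a loadable executable."""
    dos_header = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, len(names), 0, 0, 0, 0, 0x0102)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos_header + b"PE\0\0" + coff + table


def report(path: str) -> str:
    """Human-readable one-line verdict for a file on disk."""
    with open(path, "rb") as fh:
        data = fh.read()
    names = section_names(data)
    verdict = "UPX-packed" if any(n.startswith("UPX") for n in names) else "not UPX-packed"
    return f"{path}: {verdict} (sections: {', '.join(names)})"


if __name__ == "__main__":
    # Usage: python check_upx.py MyCompiledScript.exe
    for arg in sys.argv[1:]:
        print(report(arg))
```

Run it against the compiled MsgBox test binary from Bert's procedure once with the default compile settings and once with UPX disabled; the two verdicts, together with the scan results, are exactly the evidence an AV vendor's false-positive form asks for.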