Beware of Malware created with PB
From time to time, it is quite surprising to see people here who want to create malware with PB. Please open your eyes!
A much bigger damage can hardly be inflicted on PB
Re: Beware of Malware created with PB
I don't think that, because PB is compiled to native language, .....
interested in Cybersecurity..
Re: Beware of Malware created with PB
You think or you know?
Or you think you know?
Re: Beware of Malware created with PB
Now I'm sure, no.
PB translates code to asm code.
interested in Cybersecurity..
Re: Beware of Malware created with PB
Meaningless. Any tool/language can be used to code yet another cryptolocker, and the language has nothing to do with that.
The problem is rather with some stupid AV vendors putting language-specific signatures into their databases (instead of program-specific ones).
"W̷i̷s̷h̷i̷n̷g o̷n a s̷t̷a̷r"
Re: Beware of Malware created with PB
A good answer, Lunasole!
Of course it is possible and simple to code a lot of malware with PB.
- Kwai chang caine
- Always Here
- Posts: 5342
- Joined: Sun Nov 05, 2006 11:42 pm
- Location: Lyon - France
Re: Beware of Malware created with PB
It's unfortunately the bad side of PB's power: low level, small and portable (without dependencies).
It's not always good persons who need all these advantages in the same language...
The happiness is a road...
Not a destination
Re: Beware of Malware created with PB
Yep KCC,
so it's very important that we give these persons or late-puberty boys absolutely no support for coding here.........
- Kwai chang caine
- Always Here
- Posts: 5342
- Joined: Sun Nov 05, 2006 11:42 pm
- Location: Lyon - France
Re: Beware of Malware created with PB
Walbus wrote: late puberty
The happiness is a road...
Not a destination
Re: Beware of Malware created with PB
PB creates PE, ELF, and Mach-O binaries with no runtime requirements, and API support. Of course people use it for malware. People actually use .NET and Java more for userland binaries and then something low level for the driver rootkit.
Competent anti-virus researchers will extract unique stubs for their signatures.
The truth hurts.
Re: Beware of Malware created with PB
A few years ago, there was a thread about how to identify a PureBasic exe. Sadly, there is a lot of malware written in PureBasic. The anti-virus software checks if it's a PureBasic exe and flags it as potential malware. They don't even go deeper to see if it actually could do damage. They simply flag everything that is written with PureBasic. It sucks and hurts all of us. But there is not much you can do about it, except sending the exe to your anti-virus manufacturer and demanding a fix.
c ya,
nco2k
If OSVersion() = #PB_OS_Windows_ME : End : EndIf
Re: Beware of Malware created with PB
nco2k wrote: the anti virus software checks if it's a purebasic exe and flags it as potential malware
A lot of internal PureBasic code has "PB_" as a prefix, which I assume gets into the final exe, and could be the identifier that you speak of. Maybe if PureBasic could allow us to set a custom prefix string (such as "MyCompanyName_") then the exe wouldn't be recognized as a PureBasic app? Or maybe we can do it ourselves by modifying the assembly output before manually re-compiling it. Thoughts on whether that would work?
Re: Beware of Malware created with PB
Anti-virus engines never use PE headers or reloc data or symbol tables. They use the code section only. If a researcher gets an EXE or DLL made in PB, they look for a unique stub and put the bytes in their database. Nothing else.
If it has an advanced protector/obfuscation on it, they get the unique compression block or VM byte code stub and add that. Warez cracks and such get flagged because of reused patching code or behavioral analysis.
I have seen stubs from cracked VMProtect, Themida and PEProtect builds get entered before because they were used on malware. This was the case of poor quality researchers though, and the entries eventually got pulled.
The truth hurts.
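The point made by Lunasole (language-specific versus program-specific signatures) and by the post above (signatures are taken from the code section only) can be shown with a small toy scanner. This is an added example, not code from the thread or from any AV product: the samples, section layouts, the shared "runtime stub" and the "malicious stub" are all constructed byte strings, and the PureBasic runtime is only modelled, not parsed.

```python
"""
Toy signature scanner illustrating why a rule keyed on bytes shared by every
binary from one compiler produces false positives, while a rule keyed on a
stub unique to one malicious program does not.  All samples and patterns are
constructed for this example; nothing here is taken from real binaries.
"""
from dataclasses import dataclass

# Constructed "runtime prologue" that, in this model, every binary built with
# the same compiler contains.  A rule keyed on it hits every program from
# that compiler, benign or not.
RUNTIME_STUB = b"PB_Runtime_Init\x00\x55\x8b\xec"

# Constructed code that appears only in one (fictional) malicious sample.
MALICIOUS_STUB = b"\x33\xc0\x8a\x04\x0e\x34\x5a\x88\x04\x0f\x41\xe2\xf5"


@dataclass
class Sample:
    name: str
    sections: dict  # section name -> bytes (constructed, not a real PE)


@dataclass
class Signature:
    name: str
    pattern: bytes
    scope: str = "code"  # "code": scan .text only; "any": scan the whole image


def build_samples():
    """Three constructed binaries from the same compiler; only one is malicious."""
    return [
        Sample("hello.exe", {
            ".text": RUNTIME_STUB + b"\xe8\x10\x00\x00\x00\xc3",
            ".rdata": b"Hello\x00"}),
        Sample("invoice_tool.exe", {
            ".text": RUNTIME_STUB + b"\x6a\x00\xe8\x20\x00\x00\x00\xc3",
            ".rdata": b"Invoice\x00"}),
        Sample("locker_sample.exe", {
            ".text": RUNTIME_STUB + MALICIOUS_STUB + b"\xc3",
            ".rdata": b"Your files\x00"}),
    ]


def scan(sample, signatures):
    """Return the names of all signatures that match the sample."""
    hits = []
    for sig in signatures:
        if sig.scope == "code":
            haystack = sample.sections.get(".text", b"")
        else:
            haystack = b"".join(sample.sections.values())
        if sig.pattern in haystack:
            hits.append(sig.name)
    return hits


def evaluate(signatures, samples, malicious_names):
    """Return (true_positives, false_positives) as sorted lists of sample names."""
    tp, fp = [], []
    for s in samples:
        if scan(s, signatures):
            (tp if s.name in malicious_names else fp).append(s.name)
    return sorted(tp), sorted(fp)


if __name__ == "__main__":
    samples = build_samples()
    bad = {"locker_sample.exe"}
    language_rule = [Signature("compiler_runtime", RUNTIME_STUB)]
    program_rule = [Signature("locker_stub", MALICIOUS_STUB)]
    print("language-specific rule:", evaluate(language_rule, samples, bad))
    print("program-specific rule: ", evaluate(program_rule, samples, bad))
```

The language-specific rule "detects" the locker but also flags both benign programs, which is exactly the complaint in this thread; the program-specific rule flags only the locker. The `scope` field models the claim that the code section is what gets signatured: a pattern taken from `.rdata` is not found when scanning with `scope="code"`.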