Hmm, so I submitted this simple test exe to check the results:
Code:
a=1
First, VirusTotal said it has 5/66 malware results:
https://www.virustotal.com/#/file/a5e37 ... /detection
And here is what the malware analysis said:
https://www.hybrid-analysis.com/sample/ ... mentId=100
Malware analysis wrote:
Reads terminal service related keys (often RDP related)
Imports suspicious APIs
PE file contains unusual section name
Matched Compiler/Packer signature
PureBasic 4.x -> Neil Hodgson (who the hell is this?)
I did a scan of all files in my PureBasic folder for "Neil Hodgson" and there were 0 matches, so I have no idea where this is coming from.
Are the above issues something that Fred can fix? Encrypt them internally or something to avoid detection?
For example, why is an exe of "a=1" even reading this Registry key?
Malware analysis wrote:
Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED"
And this bit:
Malware analysis wrote:
PE file contains unusual section name
"a5e37dde2d2c96f8e842957d32479d5ea1cec7416a6196ec2c5f172986f4fb73.exe.bin" has a section named ".code"
Maybe Fred can give it a different name to ".code" if that's triggering alerts? And so on.
BTW, here's the assembly output of "a=1" for reference. Why is "OpenGLSubsystem" included? Isn't that for graphics?
Code:
;
; PureBasic 5.61 (Windows - x86) generated code
;
; (c) 2016 Fantaisie Software
;
; The header must remain intact for Re-Assembly
;
; :System
; kernel32.lib
; :Import
;
format MS COFF
;
;
extrn _ExitProcess@4
extrn _GetModuleHandleW@4
extrn _HeapCreate@12
extrn _HeapDestroy@4
extrn _memset
public _PB_Instance
public _PB_ExecutableType
public _PB_OpenGLSubsystem
public _PB_MemoryBase
public PB_Instance
public PB_MemoryBase
public _PB_EndFunctions
macro pb_public symbol
{
public _#symbol
public symbol
_#symbol:
symbol:
}
macro pb_align value { rb (value-1) - ($-_PB_DataSection + value-1) mod value }
macro pb_bssalign value { rb (value-1) - ($-_PB_BSSSection + value-1) mod value }
public PureBasicStart
;
section '.code' code readable executable align 4096
;
;
PureBasicStart:
;
; memset(I_BSSStart, 0, I_BSSEnd-I_BSSStart): zero the uninitialised data range
PUSH dword I_BSSEnd-I_BSSStart
PUSH dword 0
PUSH dword I_BSSStart
CALL _memset
ADD esp,12
; GetModuleHandleW(NULL): instance handle of the running exe
PUSH dword 0
CALL _GetModuleHandleW@4
MOV [_PB_Instance],eax
; HeapCreate(0, 4096, 0): private heap used by the PureBasic runtime
PUSH dword 0
PUSH dword 4096
PUSH dword 0
CALL _HeapCreate@12
MOV [PB_MemoryBase],eax
; a=1
MOV dword [v_a],1
;
_PB_EOP_NoValue:
PUSH dword 0                 ; exit code 0 for ExitProcess
_PB_EOP:
CALL _PB_EndFunctions        ; end-of-program hook (empty in this program)
PUSH dword [PB_MemoryBase]
CALL _HeapDestroy@4          ; release the runtime heap
CALL _ExitProcess@4          ; consumes the exit code pushed above
_PB_EndFunctions:
RET
;
;
section '.data' data readable writeable
;
_PB_DataSection:
_PB_OpenGLSubsystem: db 0
pb_public PB_DEBUGGER_LineNumber
dd -1
pb_public PB_DEBUGGER_IncludedFiles
dd 0
pb_public PB_DEBUGGER_FileName
db 0
pb_public PB_Compiler_Unicode
dd 1
pb_public PB_Compiler_Thread
dd 0
pb_public PB_Compiler_Purifier
dd 0
pb_public PB_Compiler_Debugger
dd 0
_PB_ExecutableType: dd 0
align 4
align 4
align 4
s_s:
dd 0
dd -1
align 4
;
section '.bss' readable writeable
_PB_BSSSection:
align 4
;
I_BSSStart:
_PB_MemoryBase:
PB_MemoryBase: rd 1
_PB_Instance:
PB_Instance: rd 1
;
align 4
PB_DataPointer rd 1
v_a rd 1
align 4
align 4
align 4
align 4
I_BSSEnd:
section '.data' data readable writeable
SYS_EndDataSection:
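The "PE file contains unusual section name" line is the one finding you can reproduce yourself from the file, so here is an added example (not code from the post or from PureBasic) that walks a PE's section table with nothing but the Python standard library and flags what a sandbox-style heuristic would call unusual: a name outside the set the common linkers emit, or a section that is both writable and executable. The allow-list of "normal" names is my own assumption; hybrid-analysis.com does not publish the list it checks against. The sample image is constructed inline to mirror the '.code' / '.data' / '.bss' layout in the listing above and is header-only, not loadable. Note that the listing itself contains no registry calls, so this check says nothing about where the TSUSERENABLED read comes from.

```python
"""Minimal PE section-table walker that flags 'unusual' section names.
Added example; standard library only."""
import struct

# Names commonly emitted by MSVC/MinGW/GCC toolchains.  This allow-list is an
# assumption made for the example; the sandbox's own list is not published.
COMMON_SECTION_NAMES = {
    ".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".rsrc",
    ".reloc", ".pdata", ".tls", ".CRT", ".xdata",
}

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(pe: bytes):
    """Return [(name, virtual_size, virtual_address, characteristics), ...]
    read from the COFF section table of a PE image held in memory."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = \
        struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER is 40 bytes: 8-byte name, six DWORDs,
        # two WORDs, then the Characteristics DWORD
        raw_name, vsize, vaddr, _rsize, _rptr, _rel, _ln, _nrel, _nln, chars = \
            struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, vsize, vaddr, chars))
    return sections


def unusual_sections(pe: bytes):
    """List (name, [reasons]) for sections a heuristic scanner would flag."""
    findings = []
    for name, _vs, _va, chars in parse_sections(pe):
        reasons = []
        if name not in COMMON_SECTION_NAMES:
            reasons.append("non-standard name")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            reasons.append("writable and executable")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample_pe(section_specs):
    """Construct a header-only PE32 image (for this example only, not
    loadable) whose section table holds the given (name, characteristics)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = b"\x0b\x01" + b"\0" * 94         # PE32 magic + zeroed optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0,
                       len(opt), 0x0102)  # i386, EXECUTABLE_IMAGE | 32BIT
    table = b""
    for i, (name, chars) in enumerate(section_specs):
        table += struct.pack("<8sIIIIIIHHI",
                             name.encode("ascii").ljust(8, b"\0"),
                             0x1000, 0x1000 * (i + 1),      # VirtualSize, VirtualAddress
                             0x200, 0x400 + 0x200 * i,      # SizeOfRawData, PointerToRawData
                             0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + coff + opt + table


# Constructed sample mirroring the layout in the PureBasic listing above.
SAMPLE_PE = build_sample_pe([
    (".code", 0x60000020),   # CNT_CODE | MEM_READ | MEM_EXECUTE  (the flagged name)
    (".data", 0xC0000040),   # CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE
    (".bss",  0xC0000080),   # CNT_UNINITIALIZED_DATA | MEM_READ | MEM_WRITE
])

if __name__ == "__main__":
    for name, vs, va, chars in parse_sections(SAMPLE_PE):
        print(f"{name:<8} vaddr=0x{va:08x} vsize=0x{vs:x} chars=0x{chars:08x}")
    for name, reasons in unusual_sections(SAMPLE_PE):
        print(f"flagged: {name}: {', '.join(reasons)}")
```

To run it against a real build, pass the file contents: `unusual_sections(open("test.exe", "rb").read())`. With the sample layout only '.code' is reported, and only for its name; if the same section were also marked writable it would pick up a second, more serious reason, which is the kind of property scanners weight far more heavily than a name.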