Beware of Malware created with PB
Posted: Sun Jul 23, 2017 10:14 am
by walbus
From time to time, it is quite surprising to see here people who want to create malware with PB. Please open your eyes!
Much bigger damage can hardly be inflicted on PB.
Re: Beware of Malware created with PB
Posted: Sun Jul 23, 2017 6:07 pm
by CELTIC88

I don't think that, because PB is compiled to a native language.
Re: Beware of Malware created with PB
Posted: Sun Jul 23, 2017 6:33 pm
by walbus
You think or you know?
Or you think you know?

Re: Beware of Malware created with PB
Posted: Sun Jul 23, 2017 6:37 pm
by CELTIC88
Now I'm sure: no.
PB translates code to asm code.

Re: Beware of Malware created with PB
Posted: Sun Jul 23, 2017 6:55 pm
by Lunasole
Meaningless. Any tool/language can be used to code yet another cryptolocker, and nothing can be done about that.
The problem is rather with some stupid AV vendors putting language-specific signatures into their databases (instead of program-specific ones).
Re: Beware of Malware created with PB
Posted: Sun Jul 23, 2017 7:06 pm
by walbus
A good answer, Lunasole!
Of course it is possible and simple to code a lot of malware with PB.
Re: Beware of Malware created with PB
Posted: Tue Jul 25, 2017 8:36 am
by Kwai chang caine
It's unfortunately the bad side of the power of PB: low level, small and portable (without dependencies).

It's not always good persons who need all these advantages in the same language...
Re: Beware of Malware created with PB
Posted: Tue Jul 25, 2017 3:07 pm
by walbus
Yep KCC,
so it's very important that we give these persons or late-puberty boys absolutely no support for coding here...
Re: Beware of Malware created with PB
Posted: Tue Jul 25, 2017 7:43 pm
by Kwai chang caine
Re: Beware of Malware created with PB
Posted: Wed Aug 02, 2017 8:26 pm
by tj1010
PB creates PE, ELF, and Mach-O binaries with no runtime requirements, and with API support. Of course people use it for malware. People actually use .NET and Java more for userland binaries and then something low level for the driver rootkit.
Competent anti-virus researchers will extract unique stubs for their signatures.
Re: Beware of Malware created with PB
Posted: Wed Aug 02, 2017 10:13 pm
by nco2k
A few years ago, there was a thread about how to identify a PureBasic exe. Sadly there is a lot of malware written in PureBasic. The anti-virus software checks if it's a PureBasic exe and flags it as potential malware. They don't even go deeper to see if it actually could do damage. They simply flag everything that is written with PureBasic. It sucks and hurts all of us. But there is not much you can do about it, except sending the exe to your anti-virus manufacturer and demanding a fix.
c ya,
nco2k
Re: Beware of Malware created with PB
Posted: Wed Aug 02, 2017 10:42 pm
by Dude
nco2k wrote: the anti-virus software checks if it's a PureBasic exe and flags it as potential malware
A lot of internal PureBasic code has "PB_" as a prefix, which I assume gets into the final exe, and could be the identifier that you speak of. Maybe if PureBasic could allow us to set a custom prefix string (such as "MyCompanyName_") then the exe wouldn't be recognized as a PureBasic app? Or maybe we can do it ourselves by modifying the assembly output before manually re-compiling it. Thoughts on whether that would work?
Re: Beware of Malware created with PB
Posted: Sun Aug 06, 2017 5:20 am
by tj1010
Anti-virus engines never use PE headers or reloc data or symbol tables. They use the code section only. If a researcher gets an EXE or DLL made in PB, they look for a unique stub and put the bytes in their database. Nothing else.
If it has an advanced protector/obfuscation on it, they get the unique compression block or VM bytecode stub and add that. Warez cracks and such get flagged because of reused patching code or behavioral analysis.
I have seen stubs from cracked VMProtect, Themida and PEProtect builds get entered before because they were used on malware. This was the case of poor-quality researchers though, and the entries eventually got pulled.