Back to home page

DOS ain't dead

Forum index page

Log in | Register

Back to the forum
Board view  Mix view

HX updated (DOSX)

posted by george_breese(R), 07.01.2013, 18:43

> > Well, here's a potential simple workaround: change "PE" text signature
> to
> > "PX". It's only one byte (offset 0x79 or 121). Then I get 0/42 results.
> I
> > can't test well on this silly laptop, but a quick test of 7ZA.EXE under
> > DOSBox ("7za t ccbi-2~1.7z") with slightly older HX (2009-11-16, 2.16
> ??)
> > shows that it still works fine even with "PX". (Can't imagine why it
> > wouldn't, but who knows, heh.) :yes:
>
> Ok, thanks for the hint! However, to encrypt the whole package is probably
> more fool-proved. It's not totally comfortable, but IMO DOS users should be
> used to - and enjoy - uncomfortable weather.

I believe that the virus-scanning software changes its scanning strategy when there is no valid PE header. While the removal of a PE header might be a working solution, it would impact the ability to find a real virus in DKRNL32.DLL in the future.

Here is a more subtle change that helps to reduce the false virus reports. I changed "KERNEL32.DLL" to "KERNEL32.dll" at offset 0x106D2 of the v216 version of DKRNL32.DLL. The results at virustotal.com dropped to 8/43. All of the generic errors disappeared, and only the Virumonde trojan reports remained.

I didn't test the resulting DLL yet. My time has been short lately. I have wanted to use HX to build the DOS-based diagnostics I use in my company's lab, but my apps need to survive a McAfee virus scan.

 

Complete thread:

Back to the forum
Board view  Mix view
15192 Postings in 1365 Threads, 250 registered users, 12 users online (0 registered, 12 guests)
DOS ain't dead | Admin contact
RSS Feed
powered by my little forum