Comments (2)
Thanks for the report and testcase! If I dump the engine output, I see it does recognize it as TrojanDownloader:Win32/Tugsp, but the Flags are not what I was expecting.
Normally, Scan->Flags & 0x08000022 is non-zero when it's got a Name, but this time it only sets 0x40050000. I don't know what that means, maybe it means "Potentially Unwanted Application"?
I can at least handle that case for now while I figure it out. I'll commit a temporary patch for that.
If you run into any others that don't look right, please let me know. I'll figure out all the flags eventually 😄
from loadlibrary.
Thanks for looking into this.
I have not tried your patch yet, I will test it out tonight.
Perhaps I can help but I am not a good reverse engineer.
Did you use gdb to get the engine output dump and scan flags? Could you give me more details on how you were able to get this?
Would it help if I gave you this type of output for a set of viruses (I can also provide the viruses):
Name: Worm:Win32/Vobfus.EK
ID: 2147656017
Severity: Severe
Category: Worm
Path: file:_C:\virus\VirusShare_00206\.VirusShare_f000bf4d50cdfe9a93f6f23098b159c0.r4aXzr
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
User: test1\test
Process Name: C:\cygwin64\bin\rsync.exe
Signature Version: AV: 1.239.1384.0, AS: 1.239.1384.0, NIS: 116.88.0.0
Engine Version: AM: 1.1.13601.0, NIS: 2.1.12706.0