forwarder
October 2nd, 2003, 15:27
Hi, I am implementing some sort of UPX-like executable packer, but I have some problems with it: sometimes the compressed executables are detected as unknown viruses by some well-known AVs (NOD32 and Norton, for example). I think it's my loader, which does not do things in the normal way. Any general suggestions on how I can avoid such false detection alarms? I noticed that changing a simple signature check from
if(e_magic == IMAGE_DOS_SIGNATURE)
if(Signature+1 == IMAGE_NT_SIGNATURE+1)
to
if(e_magic+1 == IMAGE_DOS_SIGNATURE+1)
if(Signature+1 == IMAGE_NT_SIGNATURE+1)
seems to help a little bit with NOD32 (not with Norton, though), but if I change my entry point from, e.g., VA 0x1000 to 0x1010, it does yell again.