autohotkey) Virus?

by 디케 posted Dec 31, 2011


Prev이전 문서

Next다음 문서


크게 작게 위로 아래로 댓글로 가기 인쇄

autohotkey) Virus?


   관련 게시물 :


   AUTOhotKEY 웹페이지 열지않고 소스 가져오기 또는 로그인 하기 

   AUTOhotKEY 오토핫키 콤보박스 제어하기

   AUTOhotKEY 웹페이지 감시결과에 따라 마이피플로 글 전송하기

   AUTOhotKEY 윈도우 ahk_id 추출하기

   Autohotkey 엑셀(Excel)에서 행값 증가시키기

   Autohotkey 30분마다 자동으로 디스크 정리하기



did you search the forums at all?

AutoIt3 has an option in the compression menu of its "Script to EXE Converter" app to disable UPX compression, which effectively avoids this situation albeit producing a larger executable file, but I see no such similar option in AutoHotkey's converter app.

Renaming UPX.EXE will disable compression. One may toggle between names like: 


IFExist, C:\Program Files\AutoHotkey\Compiler\UPX.EXE
   FileMove, C:\Program Files\AutoHotkey\Compiler\UPX.EXE, C:\Program Files\AutoHotkey\Compiler\UPX.XXX
IFExist, C:\Program Files\AutoHotkey\Compiler\UPX.XXX
   FileMove, C:\Program Files\AutoHotkey\Compiler\UPX.XXX, C:\Program Files\AutoHotkey\Compiler\UPX.EXE


January 3rd, 2011, 07:05 PM

You will see here some others with same issue. Compile hello world and get false positives.
I found using latest avast to cure one false positive with tag.exe which is said to be a threat because it modified other files. It is very powerful dos commandline mp3 tagger!

These things (AV detection) are tools, you need to understand how to use them.

First you start by scanning your system from a fresh install, you need a "known good" baseline.

Second you need to know what is "normal" for your usage on your computer. Obviously it goes without saying normal activity on your OS may be abnormal on mine.

Third you need to understand how these tools work. They are based on rules. If foo.exe can modify other files it might be a problem and an alert will be generated. It is then up to you to determine if this is a problem or not. If not it is a false positive. You need to understand that these tools will always err on the side of false positives as false negatives (missing an "infected" file) is by far more unacceptable then a false positive.

Last you need to understand that running these tools on linux is an exercise in false positives as there are no known active viruses for Linux (you system was patched long ago to the known viruses) and these tools can not protect you against zero day exploits.

Thus the tool is functioning normally and PEBKC in that you are not understanding the tool, it's use, and it's limits.

Use UPX to make Firefox load faster

All AutoHotkey (AHK) coders read: No more upx packing of compiled ahk utils;wap2

As of today, I am advocating that we no longer host any compiled ahk utilities that have been "packed" with upx, which is something that autohotkey does by default when it builds exes.

The process of packing the executable with UPX results in a smaller sized file, but causes a continuous an inevitable false virus malware alert sooner or later.

Any application packed with upx by ahk compilation is almost guaranteed to be marked as a virus sooner or later and is going to cause trouble for any site that hosts it, and any users who get scared by it.

The true fault of this lies with the antivirus programs, but until we can get them to stop their bullshit, this is the only thing we have control over.

SO: If you are an ahk coder, go to your autohotkey /Compiler folder and delete the upx.exe executable.  That will stop ahk from packing your executable with UPX, and should solve the problem.

Again i repeat -- if you use AHK, do not upload to this site any compiled ahk program that is packed with upx -- remove the upx.exe from your ahk and recompile please.
Hrm, is disabling UPX packing enough to not get AHK scripts flagged? I thought that every virus scanner today knows how to unpack UPX (and several other packers) and do the scanning on the unpacked executable.
if that's the case, then things are worse than i thought.
Even back in the pre-Win9x DOS days, ThunderByte AntiVirus (TBAV, which was the product back then) could decompress exepackers, and it even had a "virtualization" mode for unknown packers1 - afaik today's antivirus products, at least the better ones, have fast depackers for known exepackers and emulation for unknowns.

I assume the problem with all those false positives is static (or pattern-based) signatures that are simply too short... or heuristic engines that get confused for whatever fscktarded reason.

1: and there was at least one virus that figured out how to break out of the sandboxed mode, in effect causing a virus scan to infect your system :)
Stoic Joker:
Even tho I loved UPXs efficiency I quit using it years ago because of the tendency to FP on anything packed with it (Which is the root of why I hate heuristics). I just got tired of being cut off while trying to run a diagnostic on site because the client's AV ate my tool.

Is is "fair" (to UPX) to impose this limitation? No. But it does appear to be necessary. Even if it is only to eliminate it as the culprit...and/or expose a larger problem if it exists.


디컴파일러 하는방법이 잇을가요?


Autohotkey 를 컴파일 하면 자동으로 UPX 로 되버리는데


툴사용해서 언패킹 해봐도 안보이는거같더라구요..

autohotkey 사이트에 보시면 디컴파일러가 따로 있습니다.


컴파일시 암호를 걸거나 디컴파일 불가 옵션을 두었다면 디컴파일 되지 않습니다.