HX updated (DOSX)
> > Which ones in particular flag it?
>
> They didn't tell in this case. Just this info:
Not sure if this particular DKRNL32.DLL is the same as online, I haven't re-downloaded here locally. Anyways, a quick (re)scan (of the one I do have) via http://www.virustotal.com/ shows 18/43 false positives:
Antivirus             Result                         Update
--------------------------------------------------------------
Agnitum               Trojan.Monder!9aKet0RsdrA      20121121
DrWeb                 Trojan.Virtumod.9813           20121122
Fortinet              W32/Monder.DKMF!tr             20121122
Ikarus                Trojan.Win32.Monder            20121122
K7AntiVirus           Trojan                         20121121
Kaspersky             Trojan.Win32.Monder.dkmf       20121122
Kingsoft              Win32.Troj.Monder.(kcloud)     20121119
McAfee                Generic.dx!b2r4                20121122
McAfee-GW-Edition     Generic.dx!b2r4                20121122
Norman                W32/Suspicious_Gen2.FQPJV      20121121
nProtect              Trojan/W32.Monder.80896.DZ     20121121
Panda                 Trj/CI.A                       20121121
TheHacker             Trojan/Monder.dkmf             20121121
TrendMicro            TROJ_GEN.R42Z2JS               20121122
TrendMicro-HouseCall  TROJ_GEN.R42Z2JS               20121122
VBA32                 Trojan.Monder.dkmf             20121122
VIPRE                 Trojan.Win32.Generic!BT        20121122
ViRobot               Trojan.Win32.S.Monder.80896.B  20121122
>
> ... blah blah blah blah blah ...
>
rexx -e"do random(1,20) ; say 'Nein sprechen sie Deutsch!' ; end"
(Google Translate helps a little but not much.)
> But a month ago ( there was a "problem" with file ENUMMODE.EXE in
> HXRT216.zip ), they told me:
>
>
> ... blah blah blah blah blah ...
>
At least that part was fairly obvious. It does actually make sense to avoid false positives, esp. with the five most popular, but even better if it can be recompiled / reassembled without problematic bits (even if it's really their fault, not yours ... dumb $@%@%$Ss heuristics).
> So I guess they used exactly those scanners again.
>
> The "problem" in ENUMMODE.EXE was that the code and data section was
> "merged" in the link step ( to save 512 bytes space ). This is something
> you shouldn't do these days if your file is to be public, but back then in
> 2005 it was pretty innocent.
I can't imagine it being a big deal. They must be really dumb to just search for specific bytes only and blindly assume there is no clash in the (big, complex) real world.
> I guess I'm going to switch to a server in West Samoa.
Please don't. Or do, I have no idea if that would be better or not.
Anyways, a quick brute force attempt at isolating the problematic area was this: I copied a random kilobyte of code from further down in DKRNL32.DLL over the header. Granted, it's not valid code anymore, but it at least was an attempt to see if that was the problem area. I rescanned online via VirusTotal and now it passes with 0/42 (and not 0/43, heh, dunno why).
I don't know if that helps, but it's a small hint (maybe).
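
A build-side check for the code/data section merge mentioned in the quoted reply, as an added example that is not part of the original post and not HX's own code: it reads a PE file's section table and lists sections marked both executable and writable. It assumes a merged code+data section shows up with both flags set; the sample headers are constructed (headers only, not loadable files) and the function names are hypothetical.

```python
import struct

# Section flags from the PE/COFF specification.
CODE, DATA = 0x00000020, 0x00000040
EXEC, READ, WRITE = 0x20000000, 0x40000000, 0x80000000

def pe_sections(image: bytes):
    """Return [(name, characteristics)] from a PE image's section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the 4-byte signature: NumberOfSections at +2,
    # SizeOfOptionalHeader at +16; the section table starts after both headers.
    (count,) = struct.unpack_from("<H", image, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(count):
        off = table + 40 * i                      # each section header is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("latin-1")
        (flags,) = struct.unpack_from("<I", image, off + 36)
        sections.append((name, flags))
    return sections

def writable_code_sections(image: bytes):
    """Names of sections that are both executable and writable."""
    return [n for n, f in pe_sections(image) if f & EXEC and f & WRITE]

def make_headers(sections):
    """Constructed sample: DOS header, PE signature, COFF header, section table."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000 * (i + 1),
                    0x200, 0x200 * (i + 1), 0, 0, 0, 0, flags)
        for i, (name, flags) in enumerate(sections))
    return dos + b"PE\0\0" + coff + table

# Constructed inputs: one merged section versus separate .text and .data.
MERGED = make_headers([(b".text", CODE | DATA | EXEC | READ | WRITE)])
SPLIT = make_headers([(b".text", CODE | EXEC | READ), (b".data", DATA | READ | WRITE)])

if __name__ == "__main__":
    for label, img in (("merged", MERGED), ("split", SPLIT)):
        print(label, writable_code_sections(img))
```

Run against a release binary before publishing, a non-empty result points at the section layout to revisit in the link step.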