
Author Topic: PeExpLib2Inc1 import library functions to inc-file for poasm  (Read 9483 times)

Offline Vortex

Re: PeExpLib2Inc1 import library functions to inc-file for poasm
« Reply #15 on: December 07, 2013, 08:48:03 PM »
You can check VirusTotal's scan report. There isn't any heuristics problem as you mentioned.
Code it... That's all...

Offline jj2007

Re: PeExpLib2Inc1 import library functions to inc-file for poasm
« Reply #16 on: December 07, 2013, 09:00:13 PM »
Hi Jochen,

Converting the equates and structure definitions from the SDK C/C++ header files is a difficult task. As you mentioned, some manual tweaks are unavoidable. ...my converter assumes everything as DWORDs.

Thanks, Erol. I've studied some of the C header files in C:\Program Files\Microsoft SDKs\Windows\v7.0A\Include, and they look messy indeed, but for a seasoned C programmer it looks feasible (not for me, though).

As to DWORDs, I guess it would be feasible to load the System32 DLLs, get the address tables and the functions' start addresses, and then check for specific actions linked to arguments, such as fld [ebp+8] meaning "a REAL4 was passed".

Re Avast: I don't think Timo intended to mark your tool as a potential threat. False positives are a really nasty phenomenon, and it would be really great if one day an institution with a good standing and reputation would sue the AV companies for damaging smaller software companies. As it stands, the AVs get better ratings if they find more threats, but nobody downgrades their benchmarks for false positives. It's an unhealthy situation.
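
The idea in the reply above (treating `fld [ebp+8]` as evidence that a REAL4 was passed), sketched as an added example that is not code from the thread or from either tool. It assumes a standard EBP frame and a byte slice that ends at the function's stdcall `ret n`; the sample bytes and the name `AddMixed` are constructed, and a raw byte match can land inside another instruction, so the output is a hint to verify by hand.

```python
# Heuristic type recovery for stdcall arguments from x87 loads off EBP.
# This is a byte-pattern scan, not a disassembler (assumption: 32-bit code,
# standard "push ebp / mov ebp, esp" frame, [ebp+disp8] addressing).

# (opcode, ModRM) -> (MASM type, stack bytes); ModRM 45h = /0 with [ebp+disp8]
X87_LOADS = {
    (0xD9, 0x45): ("REAL4", 4),   # fld dword ptr [ebp+disp8]
    (0xDD, 0x45): ("REAL8", 8),   # fld qword ptr [ebp+disp8]
}

def stdcall_arg_bytes(code):
    """Return n from a trailing 'ret n' (C2 imm16), or None if absent."""
    if len(code) >= 3 and code[-3] == 0xC2:
        return int.from_bytes(code[-2:], "little")
    return None

def infer_prototype(code):
    """Return one MASM type per argument for a single function body."""
    hints = {}                                   # EBP offset -> (type, size)
    for i in range(len(code) - 2):
        hit = X87_LOADS.get((code[i], code[i + 1]))
        disp = code[i + 2]
        # [ebp+08h] and up are caller-pushed arguments, DWORD aligned
        if hit and 8 <= disp < 0x80 and disp % 4 == 0:
            hints[disp] = hit
    total = stdcall_arg_bytes(code)
    if total is None:                            # no 'ret n': use highest hint
        total = max((o - 8 + s for o, (_, s) in hints.items()), default=0)
    proto, off = [], 8
    while off < 8 + total:
        typ, size = hints.get(off, ("DWORD", 4)) # unknown slots stay DWORD
        proto.append(typ)
        off += size
    return proto

def proto_line(name, code):
    """Format the result as an inc-file PROTO line."""
    args = ",".join(":" + t for t in infer_prototype(code))
    return f"{name} PROTO {args}".rstrip()

# Constructed sample: push ebp / mov ebp,esp / fld dword ptr [ebp+8] /
# fld qword ptr [ebp+0Ch] / faddp / pop ebp / ret 0Ch
MIXED = bytes.fromhex("558BEC D94508 DD450C DEC1 5D C20C00")
# Constructed sample: mov eax,[ebp+8] / add eax,[ebp+0Ch] / ret 8
INTS = bytes.fromhex("558BEC 8B4508 03450C 5D C20800")

if __name__ == "__main__":
    print(proto_line("AddMixed", MIXED))
    print(proto_line("AddInts", INTS))
```

The `ret n` operand fixes the total argument size, so a REAL8 correctly consumes two DWORD slots instead of being reported as two separate arguments.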