WallWorm Pro and your anti-virus

Started by Orvid, February 11, 2015, 04:53:17 PM


Orvid

It has come to our attention that a number of Anti-Virus solutions out there are picking up WallWorm.Stubs.dll as malware. I wish to assure all users that this is a false-positive due to overly generic signatures. The stubs DLL is tiny, and is needed for one and exactly one function, as it has to get around the fact that you cannot create a pointer to a managed class in C#. I need to be able to create that pointer in order to work around a bug in the C# interface for 3ds Max that makes it impossible to get an IGameMesh. For this reason, I wrote a tiny stub function in MSIL (which is what C# compiles to) to do an upcast to an arbitrary class, and that is the function that is put in WallWorm.Stubs.dll.

We are currently contacting the affected AV companies, but this will take time.

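To help ease any other suspicions, I present to you the entire 80 lines of code that make up WallWorm.Stubs.dll. You can check it against the file you actually have by disassembling your copy of the DLL (for example with ildasm) and comparing the output with this listing: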


// External reference to the .NET Framework core library, version 4.0.0.0.
// The reference carries a public key token, so it names a strong-named assembly.
.assembly extern mscorlib
{
.publickeytoken = (B7 7A 5C 56 19 34 E0 89 )
// Hash of the referenced assembly as recorded when this reference was emitted.
// NOTE(review): treat it as build metadata; whether the runtime enforces it is not shown here.
.hash = (CD 95 65 AD 55 34 B6 AD 72 9D 3F BB 80 DA 0A 6C 49 E5 F2 5B)
.ver 4:0:0:0
}
// External reference to the 3ds Max managed API assembly, version 16.3.0.0.
// Unlike the mscorlib reference, no .publickeytoken is recorded, so this reference
// does not pin a strong-name identity for Autodesk.Max.
// NOTE(review): whichever Autodesk.Max.dll the host resolves is the one this code reflects over;
// presumably that is the copy shipped with 3ds Max - confirm the load path.
.assembly extern Autodesk.Max
{
// Hash of the referenced assembly as recorded when this reference was emitted.
.hash = (2F 54 6D B7 43 34 A0 B6 DB 14 BA 8D AD 40 23 DF 4C 11 B0 09)
.ver 16:3:0:0
}

// Manifest of the stub assembly itself: version, informational attributes and the
// declarative security request. No .publickey entry appears in this manifest.
.assembly WallWorm.Stubs
{
    .ver 1:0:5419:28332
    // 0x00008004 is the SHA-1 algorithm identifier, used for file hashes in the manifest.
    .hash algorithm 0x00008004
    // uint8(1) is the SecurityRuleSet value passed to the constructor (Level1 in the .NET Framework enum).
    .custom instance void [mscorlib]System.Security.SecurityRulesAttribute::.ctor(valuetype [mscorlib]System.Security.SecurityRuleSet) = { uint8(1) }
    // The remaining attributes are descriptive metadata: target framework, product/title/company strings,
    // CLS compliance, and ComVisible(false), which keeps the types hidden from COM.
    .custom instance void [mscorlib]System.Runtime.Versioning.TargetFrameworkAttribute::.ctor(string) = { string('.NETFramework,Version=v4.0') property string 'FrameworkDisplayName' = string('.NET Framework 4') }
    .custom instance void [mscorlib]System.Reflection.AssemblyProductAttribute::.ctor(string) = { string('WallWorm Stubs') }
    .custom instance void [mscorlib]System.CLSCompliantAttribute::.ctor(bool) = { bool(true) }
    .custom instance void [mscorlib]System.Runtime.InteropServices.ComVisibleAttribute::.ctor(bool) = { bool(false) }
    .custom instance void [mscorlib]System.Reflection.AssemblyTrademarkAttribute::.ctor(string) = { string('') }
    .custom instance void [mscorlib]System.Reflection.AssemblyCopyrightAttribute::.ctor(string) = { string('Copyright (c) WallWorm.com 2014') }
    .custom instance void [mscorlib]System.Reflection.AssemblyTitleAttribute::.ctor(string) = { string('WallWorm Stubs') }
    .custom instance void [mscorlib]System.Reflection.AssemblyCompanyAttribute::.ctor(string) = { string('WallWorm.com') }
    .custom instance void [mscorlib]System.Reflection.AssemblyConfigurationAttribute::.ctor(string) = { string('') }
    .custom instance void [mscorlib]System.Reflection.AssemblyDescriptionAttribute::.ctor(string) = { string('') }

// Declarative security request (reqmin = SecurityAction.RequestMinimum) for two SecurityPermission flags:
//   SkipVerification - permission to run IL that is not checked by the verifier
//   UnmanagedCode    - permission to call into unmanaged code
// NOTE(review): the one method in this listing only uses reflection and contains no direct
// unmanaged call, so these requests may be broader than the visible code needs - confirm whether
// they can be dropped (least privilege).
.permissionset reqmin = {
[mscorlib]System.Security.Permissions.SecurityPermissionAttribute = { property bool 'SkipVerification' = bool(true) },
[mscorlib]System.Security.Permissions.SecurityPermissionAttribute = { property bool 'UnmanagedCode' = bool(true) }
}
}

// 'abstract sealed' is how a C# static class is encoded: it cannot be instantiated or derived from.
.class public abstract sealed auto ansi beforefieldinit WallWorm.Stubs.Activator extends [mscorlib]System.Object
{
// T Upclass<T>(INativeObject val) where T : INativeObject
//
// Builds a new object of type T by reflection: it reads a property ("Handle", or "NativePointer"
// when "Handle" does not exist) from 'val', then invokes T's first public constructor with
// the arguments { that property value, false } and returns the result as T.
//
// NOTE(review): nothing here checks that the value read from 'val' really belongs to the kind of
// object T wraps. The caller has to guarantee that; a mismatched T would hand the wrapper a handle
// to an object of a different type.
.method public hidebysig static !!T  Upclass<([Autodesk.Max]Autodesk.Max.INativeObject) T>(class [Autodesk.Max]Autodesk.Max.INativeObject val) cil managed
{
// typeof(T).GetConstructors()[0] - GetConstructors() returns only public instance constructors.
// NOTE(review): element 0 is taken without checking that the array is non-empty or that the
// constructor has the expected two-parameter shape; the order of the returned array is not a
// documented guarantee.
ldtoken    !!T
call       class [mscorlib]System.Type [mscorlib]System.Type::GetTypeFromHandle(valuetype [mscorlib]System.RuntimeTypeHandle)
callvirt   instance class [mscorlib]System.Reflection.ConstructorInfo[] [mscorlib]System.Type::GetConstructors()
ldc.i4.0
ldelem.ref

// new object[2]; duplicated twice so one reference serves each of the two element stores
// and one remains as the argument to ConstructorInfo.Invoke.
ldc.i4.2
newarr     [mscorlib]System.Object
dup
dup

// args[0] = value of the handle property on 'val', looked up by name at run time.
ldc.i4.0
// Unfortunately, the API changed between 2014 and 2015 and we can't use this directly.
// First try typeof(INativeObject).GetProperty("Handle").
ldtoken [Autodesk.Max]Autodesk.Max.INativeObject
call class [mscorlib]System.Type [mscorlib]System.Type::GetTypeFromHandle(valuetype [mscorlib]System.RuntimeTypeHandle)
ldstr "Handle"
call instance class [mscorlib]System.Reflection.PropertyInfo [mscorlib]System.Type::GetProperty(string)
// Keep the PropertyInfo if it is non-null; otherwise discard the null and look up "NativePointer".
dup
brtrue.s Pre2015
pop
ldtoken [Autodesk.Max]Autodesk.Max.INativeObject
call class [mscorlib]System.Type [mscorlib]System.Type::GetTypeFromHandle(valuetype [mscorlib]System.RuntimeTypeHandle)
ldstr "NativePointer"
call instance class [mscorlib]System.Reflection.PropertyInfo [mscorlib]System.Type::GetProperty(string)
// Both paths join here with a PropertyInfo on the stack. The label name suggests "Handle" is the
// pre-2015 property name and "NativePointer" its replacement.
// NOTE(review): if neither property exists the PropertyInfo is null and the GetValue call
// below fails with a NullReferenceException; there is no explicit error path.
Pre2015:
// property.GetValue(val, null), stored into args[0].
ldarg.0
ldnull
callvirt instance object [mscorlib]System.Reflection.PropertyInfo::GetValue(object, object[])
stelem.ref

// args[1] = (object)false
// NOTE(review): the meaning of this flag depends on T's constructor, which is not shown -
// presumably an ownership/dispose flag; confirm against the Autodesk.Max wrapper types.
ldc.i4.1
ldc.i4.0
box        [mscorlib]System.Boolean
stelem.ref

// ctor.Invoke(args), then convert the returned object to T and return it.
call       instance object [mscorlib]System.Reflection.ConstructorInfo::Invoke(object[])
unbox.any  !!T
ret
}
}
