PNut/Spin2 Latest Version (v44 -Data Structures Added, New Methods for Memory Testing/Manipulation) - Page 23 — Parallax Forums

Comments

  • kg1kg1 Posts: 164
    edited 2020-07-30 04:01
    @Cluso99 I guess you used W10 Pro 1909 build 18363.959? This was a repeat of what you tried before?
    @cgracey @"Ken Gracey" Could Parallax carry out a new install of W10 Pro 2004 on a clean PC then update windows then run PNut_v34ua and "run anyway" to see what would happen?
  • In the case of my W8.1 Pro system, I was able to run PNut v34ua again, without any further warnings, but, as usual, I had to resort to un-quarantining it from W Defender's history.

    This only solves the first problem (being able to execute it and keep it intact on my system), but, IIRC, it'll last only until the next time W Defender's database is automatically updated, since, IIRC, it did happen before, with previous PNut versions.

    For now, I'll leave it as is, until any further "destructive" action is taken due to new Defender database update(s).

    I'm also refraining from permanently enabling it (completely excluding it from Defender's "RADAR") because, by doing so, I can, perhaps, expose my system to the "REAL" threats that were previously reported, just in case they find any way to infiltrate my system (sure, I know they could do it, by simply finding a way to "invade" the true PNut that resides on my drive, but this is unlikely, since I usually don't walk without watching my footsteps).

    The second action that can be taken, to avoid recurring detections being broadcast to the MS virus database, is to access Defender's Configuration Settings and disable the "Join Microsoft MAPS" setting.

    But, as always, there is a warning associated with the above actions, and it comes from common sense, not directly resulting from W Defender actions, but "inactions": by disabling MAPS's legitimate activity, one can, though innocently, contribute to the spread of any further malware that, perhaps, finds its way into the guts of one's W machine.

    So, there are always compromises and benefits; it is up to each one to stay informed, and judge the proper balance between convenience and eventual consequences.

    Henrique
  • dMajodMajo Posts: 855
    edited 2020-07-30 09:04
    kg1 wrote: »
    @dMajo
    triggers Windows Defender
    Please show us what you get e.g. blue dialog box? and what action you took.

    I just reported that both the versions still have a problem.
    I downloaded them with W7Pro-64bit (with all latest updates from WSUS) from another (remote) place and saved them on a Synology DS1819+. When I opened them locally (on W10Pro 2004) with 7z to extract PNut to the system drive (C:\uC\Parallax\Pnut\), Defender complained about a virus and not only removed the exe from C: (or better said, it prevented/blocked the copy operation) but also removed the zipped archive from the network share on the NAS.

    The issue has been solved as usual: I've made an exception to allow it and restored the files from the quarantine (hopefully @cgracey is not packaging viruses in PNut :smile: ).

    BTW: W7 is running the latest release of SEP (Symantec Endpoint Protection) and it does not complain about PNut.

  • cgraceycgracey Posts: 14,134
    Where can one get old versions of PNut?

    I'm using PNut on wine. But somewhere between versions 34k and 34u the font changed. It used to be Monospace. Now it's a variable width font, probably Sans. The big problem is that the cursor moves a fixed amount as if it were a fixed font. The cursor position can be quite far from where the new characters are actually inserted. So the editor is useless.

    Is it supposed to be the Propeller font now? It's not in the zip. But copying Parallax.ttf to .wine/drive_c/windows/Fonts doesn't fix it.

    Oh, no! I had changed the font to Consolas, but it looks like some systems don't have it. I will change back to Courier New. Meanwhile, I suppose you could download Consolas. It is a nice font.
  • cgraceycgracey Posts: 14,134
    I'm thinking maybe I could XOR my x86 Spin2 compiler code with some pattern, and then un-XOR it when the compiler is needed, which wouldn't happen by simulating the .exe launch. Do you guys think this would be sufficient to get the virus programs off our back? It would stop them from seeing the x86 code that triggers their alarm.
  • cgracey wrote: »
    I'm thinking maybe I could XOR my x86 Spin2 compiler code with some pattern, and then un-XOR it when the compiler is needed, which wouldn't happen by simulating the .exe launch. Do you guys think this would be sufficient to get the virus programs off our back? It would stop them from seeing the x86 code that triggers their alarm.

    If the virus detector notices that you're trying to hide some code, then it's *really* going to think there's a virus there :(. Plus, doesn't Windows make the executable code read-only at run time? It should.
  • cgracey wrote: »
    All my work feels like concept development more than final implementation. I can retarget any time. It's just easiest to keep working this way, for now.

    I know monitors and keyboards are cheap, but desk space is not. And field portability is important. I think we will always need tools that run on portable big-OS devices, because that is what people need the option of using.

    There are a few things we've talked about within Parallax, like how come there is no USB class for turning your laptop/PC/phone (USB host) into a terminal display with pointer and keyboard controls (for the USB device)? I mean, it could be sandboxed and made harmless to the host machine. It would be a nice, generic means of system interfacing, providing display, input, file storage, and internet access. I think the reason this does not exist is because it gets people around the big, branded OS monstrosities that the vendors don't want you bypassing. It cuts them out of the spyware opportunity. I guess the closest we can get, which is even superior in some ways, is a web-page serving system that gets to use your host machine as its display, keyboard, etc. We've been talking about that, too, but we need to learn how to approach that goal.

    The BeagleBone has a setup that's quite close to this. Its USB connection is a composite device with mass storage, virtual Ethernet adapter, and serial. One opens a browser and loads web pages that are served from the BeagleBone. It's Cloud9 IDE.

    The Othernet receiver uses OS.js which seems pretty nice. It doesn't seem intended for software development.

    The browser based approach may be superior. All the P2 or ESP32 needs to do is serve files. The browser does the heavy lifting in Javascript.


  • cgracey wrote: »
    Where can one get old versions of PNut?

    I'm using PNut on wine. But somewhere between versions 34k and 34u the font changed. It used to be Monospace. Now it's a variable width font, probably Sans. The big problem is that the cursor moves a fixed amount as if it were a fixed font. The cursor position can be quite far from where the new characters are actually inserted. So the editor is useless.

    Is it supposed to be the Propeller font now? It's not in the zip. But copying Parallax.ttf to .wine/drive_c/windows/Fonts doesn't fix it.

    Oh, no! I had changed the font to Consolas, but it looks like some systems don't have it. I will change back to Courier New. Meanwhile, I suppose you could download Consolas. It is a nice font.

    Installing the font fixes the problem. PNut seems to work perfectly on Wine. I don't think it's a problem to install a font as long as I know which one. Wine needs some serial port setup anyway.

    According to https://docs.microsoft.com/en-us/typography/font-list/consolas it is included since Vista.


    Thanks to @kg1 for supplying older versions. I determined that the font change happened at version 34t.
  • cgraceycgracey Posts: 14,134
    cgracey wrote: »
    Where can one get old versions of PNut?

    I'm using PNut on wine. But somewhere between versions 34k and 34u the font changed. It used to be Monospace. Now it's a variable width font, probably Sans. The big problem is that the cursor moves a fixed amount as if it were a fixed font. The cursor position can be quite far from where the new characters are actually inserted. So the editor is useless.

    Is it supposed to be the Propeller font now? It's not in the zip. But copying Parallax.ttf to .wine/drive_c/windows/Fonts doesn't fix it.

    Oh, no! I had changed the font to Consolas, but it looks like some systems don't have it. I will change back to Courier New. Meanwhile, I suppose you could download Consolas. It is a nice font.

    Installing the font fixes the problem. PNut seems to work perfectly on Wine. I don't think it's a problem to install a font as long as I know which one. Wine needs some serial port setup anyway.

    According to https://docs.microsoft.com/en-us/typography/font-list/consolas it is included since Vista.


    Thanks to @kg1 for supplying older versions. I determined that the font change happened at version 34t.

    I should query if Consolas is present and, if not, use Courier New.
  • cgraceycgracey Posts: 14,134
    ersmith wrote: »
    cgracey wrote: »
    I'm thinking maybe I could XOR my x86 Spin2 compiler code with some pattern, and then un-XOR it when the compiler is needed, which wouldn't happen by simulating the .exe launch. Do you guys think this would be sufficient to get the virus programs off our back? It would stop them from seeing the x86 code that triggers their alarm.

    If the virus detector notices that you're trying to hide some code, then it's *really* going to think there's a virus there :(. Plus, doesn't Windows make the executable code read-only at run time? It should.

    The virus detector wouldn't know, because the code wouldn't be changed until the compiler is invoked. Their limited simulations wouldn't reveal anything. What do you think?
  • cgraceycgracey Posts: 14,134
    edited 2020-07-30 19:47
    ...The browser based approach may be superior. All the P2 or ESP32 needs to do is serve files. The browser does the heavy lifting in Javascript.

    That is our long-term plan. And we get wireless for free.
  • cgraceycgracey Posts: 14,134
    edited 2020-07-30 20:14
    This seems to work in Delphi to select Courier New, in case Consolas is not installed:
      FontName := 'Consolas';
      if FontName <> 'Consolas' then FontName := 'Courier New';
    
  • cgracey wrote: »
    ersmith wrote: »
    cgracey wrote: »
    I'm thinking maybe I could XOR my x86 Spin2 compiler code with some pattern, and then un-XOR it when the compiler is needed, which wouldn't happen by simulating the .exe launch. Do you guys think this would be sufficient to get the virus programs off our back? It would stop them from seeing the x86 code that triggers their alarm.

    If the virus detector notices that you're trying to hide some code, then it's *really* going to think there's a virus there :(. Plus, doesn't Windows make the executable code read-only at run time? It should.

    The virus detector wouldn't know, because the code wouldn't be changed until the compiler is invoked. Their limited simulations wouldn't reveal anything. What do you think?

    I'm not wanting to have to shut off DEP too just to run your code. Neither would a school IT administrator find it amusing.
  • Chip,
    You can't modify code in executables anymore without causing lots of red flags everywhere (not just windows).
  • cgraceycgracey Posts: 14,134
    But, the virus program would not know if you modified part of your code only after the application was running and the user requested some operation, right? My worry is that the signature of our code is now triggering their filters.
  • As said above, it runs your program in a kinda sandbox and will notice if you're doing anything fishy
  • cgraceycgracey Posts: 14,134
    Wuerfel_21 wrote: »
    As said above, it runs your program in a kinda sandbox and will notice if you're doing anything fishy

    Yes, but are they running the program to the extent that the compiler would be invoked? I kind of doubt it. How would they know what command line to give or menu command to execute?
  • cgraceycgracey Posts: 14,134
    Wuerfel_21 wrote: »
    As said above, it runs your program in a kinda sandbox and will notice if you're doing anything fishy


    But how will it know to give an appropriate command line or menu command to invoke the compiler? I think it would just unpack and see that the program is in some idle state, or something.
  • I'm not entirely sure how it works, but it probably just tries each branch or something
  • They look for binary code signatures for what you are talking about doing. They had to get a lot more sophisticated because the virus coders did.

    You are better off using modern compiler tools and signing your executable. You aren't going to win the battle with the antivirus/malware packages.

    I have had few complaints with OpenSpin because it's built with recent Visual Studio and doesn't do anything funky.
  • cgraceycgracey Posts: 14,134
    edited 2020-07-31 09:33
    Roy Eltham wrote: »
    They look for binary code signatures for what you are talking about doing. They had to get a lot more sophisticated because the virus coders did.

    You are better off using modern compiler tools and signing your executable. You aren't going to win the battle with the antivirus/malware packages.

    I have had few complaints with OpenSpin because it's built with recent Visual Studio and doesn't do anything funky.

    My program doesn't do anything funky, either. It writes only to its own memory space, etc. I think our problem now is that the whole matter exploded because I used an .exe packer once, and now PNut.exe is a 'person of interest', right?
  • Eric's Flexgui also did something similar at one stage. I remember the flexgui exe getting 'removed' silently without explanation. Those issues stopped when he started signing flexgui. I think there was a fee of something like $75 to do that
  • cgraceycgracey Posts: 14,134
    Tubular wrote: »
    Eric's Flexgui also did something similar at one stage. I remember the flexgui exe getting 'removed' silently without explanation. Those issues stopped when he started signing flexgui. I think there was a fee of something like $75 to do that

    Was it a one-time $75 fee, or did he have to pay each time?
  • cgracey wrote: »
    Tubular wrote: »
    Eric's Flexgui also did something similar at one stage. I remember the flexgui exe getting 'removed' silently without explanation. Those issues stopped when he started signing flexgui. I think there was a fee of something like $75 to do that

    Was it a one-time $75 fee, or did he have to pay each time?

    I was using a packer of sorts (which packed the GUI data into a .zip file appended to the .exe). When I switched to signing I also had to stop doing that, because signing the executable interfered with the .zip file index. I'm not sure which had more impact on making the anti-virus happy, removing the packing or doing the signing; probably a bit of both.

    I bought an EV (extended verification) signing certificate which was on sale for about $100, which was valid for a year. I can sign as often as I like during that year. Unfortunately, the whole thing seems to be a bit of bait and switch; the certificate is up for renewal and it will cost around $700 (!) to renew it. I'm shopping around but EV certificates are expensive. I may have to drop down to a "regular" signing certificate, which the anti-viruses don't put as much trust in.
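    The packer problem Eric and Chip describe has a simple static side, shown here as an added illustration (this code is not from the thread, from PNut or from flexgui): scanners routinely flag PE sections whose bytes have near-random entropy, which is exactly what a compressed or encrypted payload appended to an .exe looks like, long before any emulation runs. The parser below walks the PE section table with only the standard library and reports high-entropy sections; build_pe() and sample_image() are constructed fixtures for demonstration, not real binaries.

```python
import math
import random
import struct
from typing import List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes) -> List[Tuple[str, bytes]]:
    """DOS header -> PE signature -> COFF header -> section table; returns
    (name, raw bytes) per section using only the stdlib."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # 20-byte COFF header
    n_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                          # first 40-byte section header
    sections = []
    for i in range(n_sections):
        hdr = table + 40 * i
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        sections.append((name, image[raw_ptr:raw_ptr + raw_size]))
    return sections


def packed_sections(image: bytes, threshold: float = 7.0) -> List[Tuple[str, float]]:
    """Sections that look compressed/encrypted: the cheap static heuristic a
    scanner applies before it bothers with sandboxing the executable."""
    flagged = []
    for name, data in pe_sections(image):
        h = shannon_entropy(data)
        if h >= threshold:
            flagged.append((name, round(h, 2)))
    return flagged


def build_pe(sections: List[Tuple[bytes, bytes]]) -> bytes:
    """Constructed fixture: a minimal PE with only the headers pe_sections()
    reads (no optional header; it is not loadable)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)     # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    headers, payload, ptr = b"", b"", 64 + 4 + 20 + 40 * len(sections)
    for name, data in sections:
        headers += struct.pack("<8sIIIIIIHHI", name, len(data), 0, len(data), ptr, 0, 0, 0, 0, 0)
        payload += data
        ptr += len(data)
    return dos + b"PE\0\0" + coff + headers + payload


def sample_image() -> bytes:
    """Two constructed sections: ordinary code-like bytes and a packed blob."""
    plain = bytes(range(64)) * 16                         # entropy exactly 6.0
    rng = random.Random(1234)                             # deterministic "packed" data
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    return build_pe([(b".text", plain), (b".packed", packed)])


if __name__ == "__main__":
    for name, data in pe_sections(sample_image()):
        print(f"{name:<8} {len(data):5d} bytes  entropy {shannon_entropy(data):.2f}")
    print("flagged:", packed_sections(sample_image()))
```

    Run against a real PNut.exe it would report the same kind of finding a scanner's static pass makes; an unpacked, signed build from a current toolchain is what removes the trigger.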
  • cgraceycgracey Posts: 14,134
    ersmith wrote: »
    cgracey wrote: »
    Tubular wrote: »
    Eric's Flexgui also did something similar at one stage. I remember the flexgui exe getting 'removed' silently without explanation. Those issues stopped when he started signing flexgui. I think there was a fee of something like $75 to do that

    Was it a one-time $75 fee, or did he have to pay each time?

    I was using a packer of sorts (which packed the GUI data into a .zip file appended to the .exe). When I switched to signing I also had to stop doing that, because signing the executable interfered with the .zip file index. I'm not sure which had more impact on making the anti-virus happy, removing the packing or doing the signing; probably a bit of both.

    I bought an EV (extended verification) signing certificate which was on sale for about $100, which was valid for a year. I can sign as often as I like during that year. Unfortunately, the whole thing seems to be a bit of bait and switch; the certificate is up for renewal and it will cost around $700 (!) to renew it. I'm shopping around but EV certificates are expensive. I may have to drop down to a "regular" signing certificate, which the anti-viruses don't put as much trust in.

    Thanks for explaining all that. That $700 is horrendous. What's to stop a virus writer from buying and using an EV certificate?
  • Wuerfel_21Wuerfel_21 Posts: 4,866
    edited 2020-07-31 14:17
    cgracey wrote: »

    Thanks for explaining all that. That $700 is horrendous. What's to stop a virus writer from buying and using an EV certificate?

    Because then they know that virus writer's name, address, etc and can come kick down their door
  • cgraceycgracey Posts: 14,134
    Wuerfel_21 wrote: »
    cgracey wrote: »

    Thanks for explaining all that. That $700 is horrendous. What's to stop a virus writer from buying and using an EV certificate?

    Because then they know that virus writer's name, address, etc and can come kick down their door

    I think they would go kick down the door of the guy that discovered the virus, instead.
  • cgracey wrote: »
    ersmith wrote: »
    cgracey wrote: »
    Tubular wrote: »
    Eric's Flexgui also did something similar at one stage. I remember the flexgui exe getting 'removed' silently without explanation. Those issues stopped when he started signing flexgui. I think there was a fee of something like $75 to do that

    Was it a one-time $75 fee, or did he have to pay each time?

    I was using a packer of sorts (which packed the GUI data into a .zip file appended to the .exe). When I switched to signing I also had to stop doing that, because signing the executable interfered with the .zip file index. I'm not sure which had more impact on making the anti-virus happy, removing the packing or doing the signing; probably a bit of both.

    I bought an EV (extended verification) signing certificate which was on sale for about $100, which was valid for a year. I can sign as often as I like during that year. Unfortunately, the whole thing seems to be a bit of bait and switch; the certificate is up for renewal and it will cost around $700 (!) to renew it. I'm shopping around but EV certificates are expensive. I may have to drop down to a "regular" signing certificate, which the anti-viruses don't put as much trust in.

    Thanks for explaining all that. That $700 is horrendous. What's to stop a virus writer from buying and using an EV certificate?

    I had to provide identification and real contact information to get the EV certificate, and they verified it (e.g. called and interviewed me on the phone number I gave, and shipped the certificate on a USB stick to the address I gave). If I signed malware with it everyone would know exactly where to find me. Anyway, "signing" a virus doesn't really work, because a virus has to embed itself into other code and then the hash of that code (and of the virus) would change.
  • cgraceycgracey Posts: 14,134
    ersmith wrote: »
    cgracey wrote: »
    ersmith wrote: »
    cgracey wrote: »
    Tubular wrote: »
    Eric's Flexgui also did something similar at one stage. I remember the flexgui exe getting 'removed' silently without explanation. Those issues stopped when he started signing flexgui. I think there was a fee of something like $75 to do that

    Was it a one-time $75 fee, or did he have to pay each time?

    I was using a packer of sorts (which packed the GUI data into a .zip file appended to the .exe). When I switched to signing I also had to stop doing that, because signing the executable interfered with the .zip file index. I'm not sure which had more impact on making the anti-virus happy, removing the packing or doing the signing; probably a bit of both.

    I bought an EV (extended verification) signing certificate which was on sale for about $100, which was valid for a year. I can sign as often as I like during that year. Unfortunately, the whole thing seems to be a bit of bait and switch; the certificate is up for renewal and it will cost around $700 (!) to renew it. I'm shopping around but EV certificates are expensive. I may have to drop down to a "regular" signing certificate, which the anti-viruses don't put as much trust in.

    Thanks for explaining all that. That $700 is horrendous. What's to stop a virus writer from buying and using an EV certificate?

    I had to provide identification and real contact information to get the EV certificate, and they verified it (e.g. called and interviewed me on the phone number I gave, and shipped the certificate on a USB stick to the address I gave). If I signed malware with it everyone would know exactly where to find me. Anyway, "signing" a virus doesn't really work, because a virus has to embed itself into other code and then the hash of that code (and of the virus) would change.

    I see. Well, that sounds like what we need to do. Thanks for explaining that.
  • Cluso99Cluso99 Posts: 18,069
    Wuerfel_21 wrote: »
    cgracey wrote: »

    Thanks for explaining all that. That $700 is horrendous. What's to stop a virus writer from buying and using an EV certificate?

    Because then they know that virus writer's name, address, etc and can come kick down their door
    cgracey wrote: »
    Wuerfel_21 wrote: »
    cgracey wrote: »

    Thanks for explaining all that. That $700 is horrendous. What's to stop a virus writer from buying and using an EV certificate?

    Because then they know that virus writer's name, address, etc and can come kick down their door

    I think they would go kick down the door of the guy that discovered the virus, instead.

    The authorities would probably only be interested if the virus affected some national security plant. Otherwise they likely wouldn't do a thing.