Thursday, January 1, 2015

About the recent claims of viruses in devcppPortable.exe

Recently, many reports have surfaced of antivirus programs flagging the file devcppPortable.exe as a virus, trojan or potentially unwanted program. I can assure you that the files you download from SourceForge do NOT contain any of that.

To back up that statement, let us look at the source code of devcppPortable.exe. It can be found in the Source\Tools\DevCppPortable folder of the source zip files provided here, or in the Git repo here.

Let's walk through the code step by step:
#include <windows.h>
#include <Shlwapi.h>
#include <string>
using std::wstring;
The included files are unchanged versions of the ones found in TDM-GCC 4.8.1.
int main() {
int ArgumentCount = 0;
wchar_t** ArgumentInput = CommandLineToArgvW(GetCommandLineW(),&ArgumentCount);
wstring ArgumentsToDev = L"-c .\\config ";
for(int i = 1;i < ArgumentCount;i++) {
  ArgumentsToDev += '\"';
  ArgumentsToDev += ArgumentInput[i];
  ArgumentsToDev += '\"';
  if(i != ArgumentCount - 1) {
    ArgumentsToDev += ' ';
  }
}
LocalFree(ArgumentInput);
Here, devcppPortable builds a string ArgumentsToDev consisting of the -c switch, which tells devcpp.exe to store its configuration files in the .\config folder rather than in the default location, followed by every argument that was passed to devcppPortable itself, each wrapped in double quotes. Think of files that are dragged onto devcppPortable.exe in Explorer, or Auto-Open bindings that point at devcppPortable. All it does is forward these arguments to devcpp.exe.
wchar_t CurrentDirectory[32768];
GetModuleFileNameW(NULL,CurrentDirectory,32768);
PathRemoveFileSpecW(CurrentDirectory);
Here, the directory containing devcppPortable.exe is stored in the array CurrentDirectory: GetModuleFileNameW returns the full path of the running executable and PathRemoveFileSpecW strips the file name from it.
int Result = (INT_PTR)ShellExecuteW(
  NULL, // no parent window
  L"open", // open the file
  L"devcpp.exe", // the file to open
  ArgumentsToDev.c_str(), // extra parameters to pass
  CurrentDirectory, // use the current directory
  SW_SHOWNORMAL // activate and display window
);
if(Result <= 32) {
  switch(Result) {
    case ERROR_FILE_NOT_FOUND: {
      MessageBoxW(NULL,L"devcpp.exe",L"File not found",MB_OK);
      break;
    }
    default: {
      MessageBoxW(NULL,L"An unspecified error has occured!",L"Error",MB_OK);
      break;
    }
  }
}
return 0;
Lastly, devcpp.exe is launched with the assembled arguments and with that directory as its working directory, using the perfectly ordinary ShellExecute function. If the launch fails (ShellExecute returns a value of 32 or less), a message box reports the error; either way the program then exits.
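To make the argument handling concrete, here is an added example; it is not code from the Dev-C++ project. It is a portable C++ re-implementation of the string-building loop walked through above, next to a quoting routine that applies the escaping rules CommandLineToArgvW uses when it splits a command line, and a small splitter that follows those same rules so the round trip can be checked on any platform without the Windows API. The function names build_arguments_as_launcher, quote_argument_windows, build_arguments_hardened, split_like_commandlinetoargvw and round_trips are my own, and the sample arguments are constructed. It also shows one robustness caveat that is visible in the original loop: an argument containing a double quote, or ending in a backslash, is wrapped in quotes without escaping, so devcpp.exe would receive it split differently. That is a quoting bug, not malicious behaviour.

```cpp
#include <iostream>
#include <string>
#include <vector>
using std::wstring;

// Mirrors the loop in devcppPortable.exe as walked through above: the -c switch,
// then every argument wrapped in double quotes, separated by spaces. No escaping.
wstring build_arguments_as_launcher(const std::vector<wstring>& args) {
    wstring out = L"-c .\\config ";
    for (size_t i = 0; i < args.size(); ++i) {
        out += L'"';
        out += args[i];
        out += L'"';
        if (i != args.size() - 1) out += L' ';
    }
    return out;
}

// Hypothetical hardened quoting (not project code). Rules CommandLineToArgvW
// applies: n backslashes before a quote become 2n+1 backslashes plus the quote,
// n trailing backslashes become 2n before the closing quote, others are literal.
wstring quote_argument_windows(const wstring& arg) {
    wstring out = L"\"";
    size_t backslashes = 0;
    for (wchar_t c : arg) {
        if (c == L'\\') { ++backslashes; continue; }
        if (c == L'"') out.append(backslashes * 2 + 1, L'\\');
        else           out.append(backslashes, L'\\');
        out += c;
        backslashes = 0;
    }
    out.append(backslashes * 2, L'\\');
    out += L'"';
    return out;
}

wstring build_arguments_hardened(const std::vector<wstring>& args) {
    wstring out = L"-c .\\config ";
    for (size_t i = 0; i < args.size(); ++i) {
        out += quote_argument_windows(args[i]);
        if (i != args.size() - 1) out += L' ';
    }
    return out;
}

// Simplified re-implementation of how CommandLineToArgvW splits a command line
// (whitespace separates, quotes group, backslash runs before a quote are halved).
std::vector<wstring> split_like_commandlinetoargvw(const wstring& line) {
    std::vector<wstring> args;
    wstring cur;
    bool in_quotes = false, have_arg = false;
    size_t i = 0;
    while (i < line.size()) {
        wchar_t c = line[i];
        if (c == L'\\') {
            size_t n = 0;
            while (i < line.size() && line[i] == L'\\') { ++n; ++i; }
            if (i < line.size() && line[i] == L'"') {
                cur.append(n / 2, L'\\');
                if (n % 2 == 1) { cur += L'"'; ++i; }  // escaped literal quote
                // even run: the quote is left for the next iteration to toggle
            } else {
                cur.append(n, L'\\');
            }
            have_arg = true;
            continue;
        }
        if (c == L'"') { in_quotes = !in_quotes; have_arg = true; ++i; continue; }
        if (!in_quotes && (c == L' ' || c == L'\t')) {
            if (have_arg) { args.push_back(cur); cur.clear(); have_arg = false; }
            ++i;
            continue;
        }
        cur += c;
        have_arg = true;
        ++i;
    }
    if (have_arg) args.push_back(cur);
    return args;
}

// True when the hardened command line splits back into exactly
// {"-c", ".\config", args...}, i.e. devcpp.exe would see the original arguments.
bool round_trips(const std::vector<wstring>& args) {
    std::vector<wstring> expected = {L"-c", L".\\config"};
    expected.insert(expected.end(), args.begin(), args.end());
    return split_like_commandlinetoargvw(build_arguments_hardened(args)) == expected;
}

int main() {
    // Constructed sample: a path with a space, an embedded quote, a trailing backslash.
    std::vector<wstring> sample = {L"C:\\Users\\me\\my file.cpp", L"say \"hi\"", L"trailing\\"};
    std::wcout << L"launcher : " << build_arguments_as_launcher(sample) << L"\n";
    std::wcout << L"hardened : " << build_arguments_hardened(sample) << L"\n";
    std::wcout << L"round trip ok: " << (round_trips(sample) ? L"yes" : L"no") << L"\n";
    return 0;
}
```

Running it shows that ordinary arguments (file paths, even ones with spaces) survive the launcher's naive quoting unchanged, which is all the forwarding described above needs; only arguments that themselves contain a quote or end in a backslash are mangled, and the escaped variant fixes that.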

In other words, this file is harmless. My educated guess as to why it is flagged as unwanted is that genuinely unwanted files (trojans in particular) exhibit the same behaviour: they act as thin hosts that launch other executables. Since devcppPortable behaves the same way, the scanner reasons "Hey, this program shows behaviour similar to the other million trojan files in our database. Let's tell the user it is one too, just to be sure".

What can you do as a user? Please report devcppPortable.exe as a false positive.

6 comments:

  1. This comment has been removed by a blog administrator.

  2. Probably some lazy Antivirus definition database that doesn't know how to classify the behaviour and so takes the safest option, it's dangerous. A lot of false positives start out this way.

  3. Would be nice if you could tag all release posts as "download" or something or a dedicated Download page for the latest (stable) version with a link to the SourceForge page for previous versions. Thanks.

  4. Yes, I really agree with you. How do we save our C++ data?

  5. Looks like you are out-of-touch with Sourceforge. This is not your fault. Sourceforge's new policy has been bundling malware automatically with *every* .exe hosted on its website. A recent case was with that of Filezilla. See:

    https://www.reddit.com/r/sysadmin/comments/1kxuul/beware_of_sourceforge_downloads_new_owner_is/

    http://www.ghacks.net/2013/07/17/sourceforges-new-installer-bundles-program-downloads-with-adware/
