A lot of my code has raised warnings in various anti-viral software.
No, not "malware", but various test pieces (manual importing,
tricks with SEH, import wrappers, exe compression, . . .)
And with good reason, as the code can be rather "suspicious" and
ought not be in normal programs :).

As for ordinals... be careful. The only benefit it has is that your
executables will be a tad smaller - and for me "a tad smaller" when
combined with "might break if a new version of the DLL is released"
isn't really worth the trouble :). It's not much faster to do ordinal
importing, and it doesn't add any 'security' to the program either.
Posted on 2002-06-30 09:37:38 by f0dder
ThoughtCriminal and bAZiK, what I have typed before in absolutely no way defies the rules of this message board.
Posted on 2002-06-30 12:12:50 by comrade
hrm he just means that he's written a program, any program, that AVP mistakenly identifies as a trojan due to the aforementioned reasons. That's what I make of it. Much fuss about nothing.
Posted on 2002-06-30 16:19:06 by Hiroshimator
The absence of an IAT may not force KAV/AVP to detect programs as malware. There's something wrong with the code (it may look like the startup code of some virus).

Most Win32 viruses use API scanning/searching algos for getting all the functions they need, while they do not import anything directly. As I checked, WinXP easily loads and executes programs that import nothing.
Posted on 2002-07-04 06:51:31 by IIS
check the attached sample... will probably work on 9x, XP, and
some other flavors of NT... but definitely not on my win2k. So,
don't try to avoid including an IAT, at least include kernel32!exitprocess.
Posted on 2002-07-04 07:38:24 by f0dder
always helps to actually attach the file ;)
Posted on 2002-07-04 07:40:08 by f0dder
I've checked this prog under W2kSp0.. It didn't launch at all, as you've said.. :(
Posted on 2002-07-07 05:12:53 by IIS

I've checked this prog under W2kSp0.. It didn't launch at all, as you've said.. :(


If the prog has no import table, the w2k loader will not run it.
So, at least one DLL/Proc should be imported.
Posted on 2002-07-07 09:08:27 by Four-F
Quoting myself:

Masquer, you're wrong. You can *not* totally remove the import table,
there's at least one (and probably more) Windows versions where the
PE loader will (silently) refuse to load your EXE if you don't import
from kernel32.

And yes, it's not just "any import", it's "end up importing from kernel32",
either directly (like importing Kernel32!ExitProcess), or indirectly
(importing a DLL that ends up importing kernel32). If you don't
believe me, make a dummy DLL and import from it - the app still won't launch.
Posted on 2002-07-07 09:14:43 by f0dder
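As an added illustration of the two points made in this thread (an EXE with no import directory, and one that imports nothing from kernel32 directly), not code from any poster: a small walker over a PE file's import directory, used the way a triage script would to flag IAT-less binaries, plus a constructed minimal PE32 builder (an assumption of this example; it emits parsable headers only, not a loadable program) to exercise it.

```python
import itertools, struct

def _rva_to_off(sections, rva):
    for va, vsize, raw, rawp in sections:              # map RVA -> file offset via section table
        if va <= rva < va + max(vsize, raw):
            return rva - va + rawp
    raise ValueError("RVA %#x outside every section" % rva)

def imported_dlls(data):
    """Lower-cased DLL names from a PE's import directory; [] when the image has no IAT."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                      # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt = struct.unpack_from("<H", data, pe + 6)[0], pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]                    # 0x10B = PE32, 0x20B = PE32+
    imp_rva, imp_size = struct.unpack_from("<II", data, opt + (104 if magic == 0x10B else 120))
    if imp_rva == 0 or imp_size == 0:                                 # data directory entry 1 unset
        return []
    tbl = opt + struct.unpack_from("<H", data, pe + 20)[0]            # SizeOfOptionalHeader
    sections = [(va, vs, raw, rawp) for vs, va, raw, rawp in          # fields at +8 of each 40-byte header
                (struct.unpack_from("<IIII", data, tbl + 40 * i + 8) for i in range(nsec))]
    names = []
    for off in itertools.count(_rva_to_off(sections, imp_rva), 20):   # 20-byte IMAGE_IMPORT_DESCRIPTORs
        name_rva = struct.unpack_from("<IIIII", data, off)[3]
        if name_rva == 0:                                             # all-zero descriptor ends the array
            return names
        noff = _rva_to_off(sections, name_rva)
        names.append(data[noff:data.index(b"\0", noff)].decode("ascii").lower())

def imports_kernel32(data):
    """True only for a *direct* kernel32 import; an indirect one (via another DLL) needs that DLL's imports."""
    return "kernel32.dll" in imported_dlls(data)

def build_pe(dlls):
    """Constructed sample: minimal PE32 (parsable, not loadable) with one section holding the imports."""
    sec_rva, sec_off, body, strings = 0x1000, 0x200, b"", b""
    cur = sec_rva + 20 * (len(dlls) + 1)               # name strings follow the descriptor array
    for d in dlls:
        body += struct.pack("<IIIII", 0, 0, 0, cur, 0) # only the Name RVA matters to the parser
        strings += d.encode() + b"\0"
        cur += len(d) + 1
    body += b"\0" * 20 + strings
    hdr = bytearray(sec_off)
    hdr[0:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                    # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x102)     # COFF header
    struct.pack_into("<H", hdr, 0x58, 0x10B)                                   # PE32 magic
    struct.pack_into("<II", hdr, 0x58 + 104, sec_rva if dlls else 0, len(body) if dlls else 0)
    struct.pack_into("<8sIIII", hdr, 0x138, b".idata", len(body), sec_rva, len(body), sec_off)
    return bytes(hdr) + body
```

Feed `imported_dlls` a real EXE read in binary mode to see its import list; an empty result is the "no IAT" case the thread discusses, and a list without kernel32.dll is the case where only the other DLLs' own imports decide whether the loader accepts it.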