
masm32/examples/exampl10/threads/multidl/multidl.exe is not a virus

This file came up in my antivirus scans because it downloads a few zip files in parallel from the masm32 website. You can see the threat report here.

But it's not a virus, it's an example! The files it downloads are (possibly helpful) tools for a Win32 assembly programmer. (The detection isn't baseless, though: a small console binary whose only job is to spawn threads and fetch zip files of executables from the web over plain HTTP looks, behaviourally, exactly like a downloader/dropper, which is what heuristic scanners key on. "Not a virus" here means the intent is benign, not that the download is authenticated or verified in any way.)

It even comes with the source code:


; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
include \masm32\include\masm32rt.inc
include \masm32\include\urlmon.inc
includelib \masm32\lib\urlmon.lib
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««

comment * -----------------------------------------------------
Build this template with
"CONSOLE ASSEMBLE AND LINK"
----------------------------------------------------- *

start_new_thread PROTO :DWORD, :DWORD ; (pthread = thread entry point, pstruct = ptr to a tblock) -> eax = ID of the new thread
new_thread PROTO :DWORD ; (pstruct = ptr to a tblock) worker started via CreateThread; copies its args out of the tblock, then downloads

; Argument block shared between main and the download threads. main keeps a
; single instance on its own stack (LOCAL tblk) and reuses it for every
; thread, so a worker must copy strn1/strn2 out before the caller overwrites
; them; "reserved" is the handshake that enforces this.
tblock STRUCT
strn1 db 260 dup (?) ; zero-terminated source URL (first string argument to URLDownloadToFile); 260 presumably = MAX_PATH
strn2 db 260 dup (?) ; zero-terminated destination file name, relative to the current directory
reserved dd ? ; this is used internally: set to 1 by start_new_thread before CreateThread, cleared to 0 by the worker once it has copied the strings
thcount dd ? ; thread counter: incremented by each worker on start and decremented on exit; main spins until it is 0 again
tblock ENDS

.code

start:

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««

call main ; run all five downloads and wait for the worker threads to finish
inkey ; masm32 macro: pause for a keypress so the console output stays visible
exit

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««

; -----------------------------------------------------------------------
; main: start five download threads, handing each its URL and target file
; name through the single stack-resident tblk block, then wait until all
; of them have finished before returning. tblk must outlive every worker
; because the workers keep writing tblk.thcount through the pointer they
; were given (see new_thread).
;
; SECURITY NOTE(review): the archives are fetched over plain http:// and
; nothing in this program checks a hash or signature of what was written
; to disk, so anyone on the network path can substitute the tools. This
; (parallel fetch of executables from the web) is also exactly the
; behaviour heuristic scanners flag. Fine for an example; do not copy the
; pattern into anything that then runs what it downloaded.
; -----------------------------------------------------------------------
main proc

LOCAL tblk:tblock

mov tblk.thcount, 0 ; set counter to zero.

; Each start_new_thread call blocks until the worker has copied strn1 and
; strn2 into its own buffers, so the block can be reused immediately after.
cst ADDR tblk.strn1, "http://www.masm32.com/website/files/nre.zip"
cst ADDR tblk.strn2, "nre.zip"
invoke start_new_thread,OFFSET new_thread, ADDR tblk

cst ADDR tblk.strn1, "http://www.masm32.com/website/files/owde.zip"
cst ADDR tblk.strn2, "owde.zip"
invoke start_new_thread,OFFSET new_thread, ADDR tblk

cst ADDR tblk.strn1, "http://www.masm32.com/website/files/pfe101i.zip"
cst ADDR tblk.strn2, "pfe101i.zip"
invoke start_new_thread,OFFSET new_thread, ADDR tblk

cst ADDR tblk.strn1, "http://www.masm32.com/website/files/random.zip"
cst ADDR tblk.strn2, "random.zip"
invoke start_new_thread,OFFSET new_thread, ADDR tblk

cst ADDR tblk.strn1, "http://www.masm32.com/website/files/td_win32asm_all.zip"
cst ADDR tblk.strn2, "td_win32asm_all.zip"
invoke start_new_thread,OFFSET new_thread, ADDR tblk

; ---------------------------------
; wait until all threads are closed
; ---------------------------------
; An aligned DWORD read is atomic on x86, so no lock is needed to poll.
; NOTE(review): as written, a worker increments thcount only AFTER it has
; cleared "reserved" (new_thread), so there is a small window in which
; this loop can observe 0 before the last worker has counted itself in;
; main would then return and free tblk while that worker still writes to
; it. Incrementing before the release in new_thread closes the window.
spinlock:
invoke SleepEx,1,0
cmp tblk.thcount, 0
jnz spinlock

ret

main endp

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««

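; -----------------------------------------------------------------------
; start_new_thread(pthread, pstruct) -> eax = thread ID, or 0 on failure
;
; Starts pthread with pstruct (ptr to tblock) as its argument and blocks
; until the new thread has cleared pstruct->reserved, i.e. until it has
; copied the strings out of the shared block so the caller may overwrite
; them.
;
; Fixes vs. the original:
;  - CreateThread can return NULL; the original then spun forever because
;    no thread would ever clear the flag. Failure now releases the flag
;    and returns 0 (a thread ID is never 0).
;  - The thread handle returned by CreateThread was never closed, leaking
;    one kernel object per download. Nothing here waits on the handle, so
;    it is closed immediately; this does not stop the thread.
;
; Preserves ESI (stdcall callee-saved); clobbers EAX, ECX, EDX, flags.
; -----------------------------------------------------------------------
start_new_thread proc pthread:DWORD, pstruct:DWORD

LOCAL tID :DWORD
LOCAL hThread :DWORD

push esi

; -----------------------------------------
; load the "reserved" flag address into ESI
; -----------------------------------------
mov eax, pstruct
lea esi, (tblock PTR [eax]).reserved

; --------------------------------------------------------
; set the "reserved" flag to 1 before the thread exists so
; the worker can never observe a stale 0
; --------------------------------------------------------
mov DWORD PTR [esi], 1

invoke CreateThread,0,0,pthread,pstruct,0,ADDR tID
mov hThread, eax

; ------------------------------------------------
; NULL handle = CreateThread failed; do not wait on
; a worker that will never run
; ------------------------------------------------
test eax, eax
jz failed

; ------------------------------------
; run a yielding loop until new thread
; sets "reserved" flag back to zero
; ------------------------------------
spinlock:
invoke SleepEx,1,0
cmp DWORD PTR [esi], 0
jne spinlock

invoke CloseHandle, hThread ; drop our reference; the worker keeps running

pop esi

mov eax, tID
ret

failed:
mov DWORD PTR [esi], 0 ; nobody will copy the arguments; unlock the block
pop esi
xor eax, eax ; 0 = failure
ret

start_new_thread endp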

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««

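; -----------------------------------------------------------------------
; new_thread(pstruct) -> eax = thread exit code (always 0)
;
; CreateThread entry point (stdcall, one DWORD argument = ptr to the
; shared tblock). Copies the URL and file name out of the block into
; local buffers, counts itself in thcount, releases the caller by clearing
; "reserved", then downloads the file and reports its size.
;
; Ordering matters: thcount is incremented BEFORE "reserved" is cleared,
; so by the time start_new_thread returns to main the counter already
; includes this thread. The original incremented after the release, so
; main's "wait until thcount == 0" loop could pass before the last worker
; had counted itself in, leaving that worker writing into main's already
; popped stack frame. Both counter updates carry LOCK because several
; workers modify the same DWORD concurrently.
;
; SECURITY NOTE(review): the fetch is plain http:// and nothing verifies
; what arrived (no hash, no signature); treat the written file as
; untrusted input.
;
; Preserves ESI/EDI (stdcall callee-saved).
; -----------------------------------------------------------------------
new_thread proc pstruct:DWORD

LOCAL pst1 :DWORD
LOCAL pst2 :DWORD
LOCAL flen :DWORD
LOCAL buffer1[260]:BYTE ; local copy of the URL (same size as tblock.strn1)
LOCAL buffer2[260]:BYTE ; local copy of the file name (same size as tblock.strn2)

mov pst1, ptr$(buffer1)
mov pst2, ptr$(buffer2)

push esi
push edi

; *****************************************************
; copy arguments passed in structure to local variables
; *****************************************************
mov edi, pstruct
lea esi, (tblock PTR [edi]).reserved

; ----------------------------------------------------------
; copy each string to a local buffer. cst presumably copies
; up to the zero terminator; the source fields are 260 bytes
; and main only stores short literals, so the 260-byte
; locals cannot overflow here.
; ----------------------------------------------------------
lea ecx, (tblock PTR [edi]).strn1
cst pst1, ecx
lea ecx, (tblock PTR [edi]).strn2
cst pst2, ecx

; ---------------------------------------------------
; count this thread in while the caller is still
; blocked on "reserved" (see header for the ordering)
; ---------------------------------------------------
lock add (tblock PTR [edi]).thcount, 1

; ---------------------------------
; reset the "reserved" flag back to
; zero to unlock calling thread
; ---------------------------------
mov DWORD PTR [esi], 0
; *****************************************************

; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
; perform normal thread operations once the arguments have been written.
; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

print "Downloading "
print pst2,13,10

fn URLDownloadToFile,0,pst1,pst2,0,0

; ------------------------------------------------------------
; URLDownloadToFile returns an HRESULT; FAILED(hr) is the sign
; bit. The original printed a size even when nothing was saved.
; ------------------------------------------------------------
test eax, eax
js dl_failed

invoke filesize,pst2
mov flen, eax

print pst2," Downloaded at "
print str$(flen)," bytes",13,10
jmp done

dl_failed:
print pst2," download failed",13,10

done:
lock sub (tblock PTR [edi]).thcount, 1 ; decrement thread counter on exit

pop edi
pop esi

xor eax, eax ; defined thread exit code (previously whatever print left in EAX)
ret

new_thread endp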

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««

end start


It downloads nre.zip, which contains nre.exe. What is it? The source doesn't say, nor is there a readme, which is annoying. Fortunately you can just go up a level on the masm32 website to see the files, and go up another level to see a useful page of stuff. And under the Selected Files link, we find the explanations.

NRE is "An ancient but still useful resource editor." It probably helps one edit the "resources" in a binary, which is useful if one doesn't have the source or doing it in the source is a pain/costly for some reason. Microsoft has their own for changing WinForm resources, specifically if you're trying to translate text to other languages.

OWDE is "A well written modern Dialog Editor from the team that develops the Open Watcom C++ compilers." I assume this serves the same purpose as NRE, but maybe less general? Or it's just an alternative.

PFE101i is "This is the final version of Alan Phillip's PFE project. A very large capacity high performance no frills programming editor with more options than you can learn in a lifetime." I doubt it's better than vim or emacs. You can find unfavorable reviews around the internet, it's old. (And "large capacity" is apparently 32 MB.)

Random is "A specialised random number sequence analyser that John Walker placed in the public domain. A very useful tool when designing and testing random number algorithms." In other words it measures the entropy (which is probably why it's called ent.c) of a sequence, which is useful. This is from 1998 though, there are probably better programs out there by now. (At least the zip contains everything, including the source! Might be interesting as study.)

TD_win32asm_all is " Archive of Test Department's classic low level MASM examples." It's a neat collection of assembly examples as stated. A random perusal turned up some interesting pieces of code, again possibly useful for study.

So this exe is not a virus. Take note assembly application developers, and obfuscate your downloading if you don't want to be flagged! (Only half joking: obfuscation is exactly what real droppers do and tends to make heuristic scanners more suspicious, not less. Signing the binary, fetching over HTTPS, publishing hashes of what you serve, and reporting the false positive to the AV vendor are the fixes that actually work.) Will this post get my blog flagged as dangerous? I hope not...


Posted on 2012-09-15 by Jach

Tags: assembly, programming

Permalink: https://www.thejach.com/view/id/266

Trackback URL: https://www.thejach.com/view/2012/9/masm32examplesexampl10threadsmultidlmultidlexe_is_not_a_virus
