Someone is adding code to my program. I feel insecure!

Zofz
Site Admin
Posts: 87
Joined: Wed Apr 20, 2022 10:13 pm
Location: Cologne, Germany

Post by Zofz »

I have detected this by chance, looking at the crash logs and having problems determining addresses inside library modules. So I have listed all modules ZofzPCB loads into its address space.

Surprise!
There are some extra modules!

Paths are pointing to the antivirus (see below). That is what I would call a virus - a program that is hooking itself to other programs. I can't believe it!

So I started to google my findings, and yes, they do it. Antivirus is a virus. It is manipulating my (and any other) program, slowing it down! Performing who knows what actions - could be sending some data over the internet or collecting user behavior.
That would not be my business, one can say, as the user has installed this software himself. But they do it as me, using my process ID! So how do I explain this to my users, especially if I don't know what exactly happens?

Here is someone collecting information about hooking, which I found on GitHub: https://github.com/ethereal-vx/Antivirus-Artifacts
Someone else is fighting back: https://breakdev.org/defeating-antiviru ... he-inside/

Check inside your own logs:
  1. Pop up the Windows "Run" dialog by pressing [Windows key] and R.
  2. Enter %APPDATA%/ZofzPCB/ZofzDebugLogFile.txt and press Return.
  3. A text editor should pop up, showing the ZofzPCB log.
  4. Search for a line of stars: ***********************
  5. That is the start of the program. You will see some basic information about the program version, CPU, etc. Below that, there will be a list of modules. In my case, lines 5 and 6 show the antivirus-hooked code.

0x00007FF7867A0000   0x00335000,    0x00007FF7867F7980   C:\Program Files\ZofzPCB\ZofzPCB\Gerber3D.exe
0x00007FFBF0910000   0x001F5000,    0x0000000000000000   C:\Windows\SYSTEM32\ntdll.dll
0x00007FFBEFF80000   0x000BD000,    0x00007FFBEFF970D0   C:\Windows\System32\KERNEL32.DLL
0x00007FFBEE020000   0x002CD000,    0x00007FFBEE030710   C:\Windows\System32\KERNELBASE.dll
0x00007FFBC61B0000   0x000C9000,    0x00007FFBC61BB780   C:\Program Files\Bitdefender\Bitdefender Security\bdhkm\dlls_265693076916666697\bdhkm64.dll
0x00007FFBC3A60000   0x00123000,    0x00007FFBC3A6DDB0   C:\Program Files\Bitdefender\Bitdefender Security\atcuf\dlls_265936398135507842\atcuf64.dll
0x00007FFBEF0A0000   0x001A0000,    0x00007FFBEF0B7F30   C:\Windows\System32\USER32.dll
0x00007FFBEE3C0000   0x00022000,    0x0000000000000000   C:\Windows\System32\win32u.dll
0x00007FFBEF320000   0x0002A000,    0x00007FFBEF3248D0   C:\Windows\System32\GDI32.dll
0x00007FFBEE5F0000   0x0010B000,    0x00007FFBEE61FE90   C:\Windows\System32\gdi32full.dll
0x00007FFBEE320000   0x0009D000,    0x00007FFBEE335390   C:\Windows\System32\msvcp_win.dll
0x00007FFBEE4F0000   0x00100000,    0x00007FFBEE506110   C:\Windows\System32\ucrtbase.dll
0x00007FFBEEDE0000   0x000AE000,    0x00007FFBEEDF56F0   C:\Windows\System32\ADVAPI32.dll
0x00007FFBF0790000   0x0009E000,    0x00007FFBF0797850   C:\Windows\System32\msvcrt.dll
0x00007FFBF0830000   0x0009C000,    0x00007FFBF084CE10   C:\Windows\System32\sechost.dll
0x00007FFBEE960000   0x00125000,    0x00007FFBEE9BF240   C:\Windows\System32\RPCRT4.dll
0x00007FFBF0040000   0x00744000,    0x00007FFBF0151350   C:\Windows\System32\SHELL32.dll
0x00007FFBEEEF0000   0x0012A000,    0x00007FFBEEF16360   C:\Windows\System32\ole32.dll
0x00007FFBEF840000   0x00354000,    0x00007FFBEF935240   C:\Windows\System32\combase.dll
0x00007FFBEEC20000   0x00055000,    0x00007FFBEEC2A7A0   C:\Windows\System32\SHLWAPI.dll
0x00007FFBE9B40000   0x00007000,    0x00007FFBE9B41170   C:\Windows\SYSTEM32\MSIMG32.dll
0x00007FFBD12F0000   0x004D6000,    0x00007FFBD13CC6A0   C:\Windows\SYSTEM32\WININET.dll

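To check a log like this systematically rather than by eye, here is an added example (my own code, not part of ZofzPCB or the original post) that parses the module-list layout shown above (base address, size, entry point, path) and flags every module loaded from neither the executable's own directory nor C:\Windows. The sample lines are a constructed subset of the listing above; treating C:\Windows as trusted is an assumption you can adjust.

```python
import re
from dataclasses import dataclass

# Constructed sample in the same layout as the ZofzDebugLogFile module list
# (subset of the listing in the post): base, size, entry point, path.
SAMPLE_LOG = """\
0x00007FF7867A0000   0x00335000,    0x00007FF7867F7980   C:\\Program Files\\ZofzPCB\\ZofzPCB\\Gerber3D.exe
0x00007FFBF0910000   0x001F5000,    0x0000000000000000   C:\\Windows\\SYSTEM32\\ntdll.dll
0x00007FFBEFF80000   0x000BD000,    0x00007FFBEFF970D0   C:\\Windows\\System32\\KERNEL32.DLL
0x00007FFBC61B0000   0x000C9000,    0x00007FFBC61BB780   C:\\Program Files\\Bitdefender\\Bitdefender Security\\bdhkm\\dlls_265693076916666697\\bdhkm64.dll
0x00007FFBC3A60000   0x00123000,    0x00007FFBC3A6DDB0   C:\\Program Files\\Bitdefender\\Bitdefender Security\\atcuf\\dlls_265936398135507842\\atcuf64.dll
0x00007FFBEF0A0000   0x001A0000,    0x00007FFBEF0B7F30   C:\\Windows\\System32\\USER32.dll
"""

# base   size,   entry   path  (hex fields, path may contain spaces)
LINE_RE = re.compile(
    r"^\s*(0x[0-9A-Fa-f]+)\s+(0x[0-9A-Fa-f]+),\s+(0x[0-9A-Fa-f]+)\s+(.+?)\s*$"
)


@dataclass
class Module:
    base: int
    size: int
    entry: int
    path: str


def parse_modules(text):
    """Parse every module line of the log; lines that do not match are skipped."""
    mods = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            mods.append(Module(int(m[1], 16), int(m[2], 16), int(m[3], 16), m[4]))
    return mods


def _norm(path):
    return path.replace("/", "\\").lower()


def unexpected_modules(mods, trusted_roots=("C:\\Windows\\",)):
    """The first module is the main executable. Anything loaded from neither its
    directory nor a trusted root (assumed: C:\\Windows) came from elsewhere, which
    is what an injected hook DLL looks like in this list."""
    if not mods:
        return []
    exe_dir = _norm(mods[0].path).rsplit("\\", 1)[0] + "\\"
    roots = [exe_dir] + [_norm(r) for r in trusted_roots]
    return [m for m in mods[1:] if not any(_norm(m.path).startswith(r) for r in roots)]


if __name__ == "__main__":
    for m in unexpected_modules(parse_modules(SAMPLE_LOG)):
        print(f"unexpected module at {m.base:#018x} ({m.size:#x} bytes): {m.path}")
```

Run on the full log file instead of the sample, the two Bitdefender entries are the only ones reported; a vendor-signed hook DLL and a malicious one look identical at this level, so the flagged paths are a starting point for checking signatures and vendor documentation, not a verdict.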