-
Jun 11th, 2021, 11:44 AM
#1
Thread Starter
Addicted Member
Bazaar behavior
I have several programs that after running, they open another piece of software, I decided to modify these programs to open a calculator program before performing its duties. The first one I modified worked as expected, the next one works fine when run from the IDE, but when compiled and I click on the .exe file, the .exe file is deleted! Just tried it with a third program and it did the same thing, works fine in IDE, deletes itself when run from the .exe file. The added code is in red.
Code:
Option Explicit
Private Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" _
(ByVal hWnd As Long, ByVal lpOperation As String, ByVal lpFile As String, _
ByVal lpParameters As String, ByVal lpDirectory As String, _
ByVal nShowCmd As Long) As Long
Private Const SW_SHOWMAXIMIZED = 3
Private Const SW_SHOWNORMAL = 1
.
.
.
sFileSpec = "C:\Program Files (x86)\J. A. Associates\RPN Engineering Calculator\rpn.exe"
R = True
GoSub DoIt
R = False
sFileSpec = "D:\Documents\DesignCAD\Drawings\Puzzles\star13puzzle.dcd"
.
.
.
DoIt:
rtn = ShellExecute(0, "Open", sFileSpec, vbNullString, vbNullString, SW_SHOWNORMAL)
If R = True Then Return
The only other thing that has changed is I added the "MouseWheel Fix", which was added before modifying the first program.
-
Jun 11th, 2021, 11:59 AM
#2
Re: Bazaar behavior
Sounds like AV is thinking your exe file is malicious for some reason and is deleting the exe file.
-
Jun 11th, 2021, 12:14 PM
#3
Thread Starter
Addicted Member
Re: Bazaar behavior
Not sure what AV is, why would the first one work, the added code is exactly the same.
-
Jun 11th, 2021, 12:24 PM
#4
Re: Bazaar behavior
AV = AntiVirus
It is possible that increasing the number of external processes spawned by your program moved it into a "potentially malicious" category.
Good luck.
-
Jun 11th, 2021, 12:42 PM
#5
Re: Bazaar behavior
That code looks very strange. Been probably 20 years or more since I saw anyone use a gosub in code. and in this case it is adding more code with no real value.
The code below would do the same thing without that ugly gosub and extra lines of code.
Code:
sFileSpec = "C:\Program Files (x86)\J. A. Associates\RPN Engineering Calculator\rpn.exe"
rtn = ShellExecute(0, "Open", sFileSpec, vbNullString, vbNullString, SW_SHOWNORMAL)
sFileSpec = "D:\Documents\DesignCAD\Drawings\Puzzles\star13puzzle.dcd"
rtn = ShellExecute(0, "Open", sFileSpec, vbNullString, vbNullString, SW_SHOWNORMAL)
Or better yet you could get rid of that filespec variable and just have the two shellexecute lines as that is all that is needed.
-
Jun 11th, 2021, 01:11 PM
#6
Thread Starter
Addicted Member
Re: Bazaar behavior
Originally Posted by OptionBase1
AV = AntiVirus
It is possible that increasing the number of external processes spawned by your program moved it into a "potentially malicious" category.
Good luck.
Thanks, that's it, Malwarebytes got it, the trial is over tomorrow so it can wait.
-
Jun 11th, 2021, 01:32 PM
#7
Re: Bazaar behavior
Originally Posted by Gymbo
Thanks, that's it, Malwarebytes got it, the trial is over tomorrow so it can wait.
Glad you tracked it down. I think with all of the recent high profile RansomWare attacks, anti-virus companies are updating their definitions/scanning to be super aggressive with trying to prevent such attacks, with the not-surprising outcome that false-positives will also increase, like in your case.
Good luck.
-
Jun 11th, 2021, 01:37 PM
#8
Thread Starter
Addicted Member
Re: Bazaar behavior
I agree, but it would be nice if they mentioned what they were doing instead of just deleting the file.
-
Jun 11th, 2021, 01:59 PM
#9
Re: Bazaar behavior
Bizarre being in a bazaar, but barely bizarre beyond a bazaar. Bizarre eh?
Does anyone want to buy this gourd? It's worth at least three shekels!
-
Jun 11th, 2021, 02:28 PM
#10
Re: Bazaar behavior
I was expecting Indiana Jones toppling over large baskets in search of a girl.
-
Jun 11th, 2021, 05:15 PM
#11
Sam I am (as well as Confused at times).
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
Click Here to Expand Forum to Full Width
|