Uhm, it seems I made a little mistake and I had to repair it.
The virus notifications of the last release were not due to the InjectACP method but to a variant called InjectACP2 that has more assembly code in it. The ironic thing is that the code was not only harmless but also completely disabled and impossible to reach, but evidently the AVs were sensing it.
So I uploaded a fix that has identical features but doesn't compile the suspicious code. It seems that my AV is treating it quite a bit more kindly; I hope that this could be enough to recover the situation.
Please, try the new DxWnd.exe in v2_05_83_fx1.rar: it shouldn't be much worse than any previous DxWnd release.
Unable to download through a web browser: using Edge 100.0.1185.39, the file refuses to download with a "virus detected" error. I am able to download it directly through PowerShell with Invoke-WebRequest, however, at least.
Last edit: Squid 2022-04-17
@gho
Well, it's better... a little bit. There are still 24 detections on VirusTotal, including Microsoft and Avast. The number decreased from 29 to 24 since the last scan, when I requested a rescan (of this version), so it is possible that some antiviruses have reconsidered this as a false alarm. However, I don't think this will be enough for dippy dipper...
I wonder what has still changed from the previous versions. Maybe moving them somewhere else will help.
This build has all the ACP stuff stripped. VirusTotal reports it as pretty good (only 3 reports, from non-sandboxed AVs). Since there are currently no situations where ACP is mandatory, I suppose I'll post an fx2 bundle.
I just wonder how come that, since ACP comes from the OTVDM64 project, that one doesn't get into the same sort of trouble.
Last edit: gho 2022-04-17
I did the user test myself: this v2.05.83.fx2 without ACP injection can be safely downloaded. When run, my Avast AV tells me it has some suspicions but, after a few seconds of analysis, it reports the file as good. It doesn't seem worse than all the other releases.
Don't confuse ntvdmx64 with Otvdm/winevdm; they are different projects. Otvdm is based on the wine codebase as far as I know, while ntvdmx64 is based on illegally leaked Microsoft WinNT source code.
I have never used ntvdmx64 so I can't tell for sure, but a couple of things that may reduce the amount of false positives are:
1. 64-bit programs are less likely to be flagged than 32-bit ones.
2. Newer versions of Visual Studio tend to produce executables with fewer false positives.
The sad thing is that neither of the options is viable; probably that would break compatibility with XP or might bring regression errors.
Malwarebytes now sees this as a threat without ACP. But 2.05.82 didn't have it. What changed here?
And I see the ACP injection is gone. That's sad; you probably could have released both: 2.05.83fx2.rar and 2.05.83fx2noacp.rar.
In case you see this, remember to remove the help.wip folder you kept by mistake in the build
Last edit: BEEN_Nath_58 2022-04-17
Update: Microsoft is probably trailing DxWnd, because it didn't detect it as a threat a few hours ago but it does now.
Last edit: BEEN_Nath_58 2022-04-17
@BEEN_Nath_58
This may not be the end of APC, @gho may try to load this injection from some external dll as he wrote.
The problem is that the whole .rar file gets deleted, either by the Edge browser upon download or, at the latest, when you try to extract it and MS Defender takes action. So I don't know if separating the APC logic into a dll file would make any difference to the end user unless it becomes a separate download.
But of course. It can be under the password inside the archive, just like winmm.rar.
Use would be at your own risk :-)
Well, there's still work to be removed from dxwnd.exe, because now the executable gets removed. After that, things are put under a password-protected dxwnd.dll.rar.
I wonder what's going on. After I posted the new build v2.05.83.fx2 I downloaded it myself (and I just repeated the operation right now) with Avast AV active, and nothing bad happened. I also asked Avast to scan the archive and the response was positive: no threats were found.
I wonder whether the previous DxWnd.exe triggered some AV memory of the previous threats and now the AV has become hyper-reactive about anything with the same name.
Also, the message on Been's computer, "Behavior:Win32/DefenseEvasion.A!", could be interpreted as the detection of a very malicious and sophisticated virus that, once detected, is able to modify itself and appear innocuous. Obviously the AV is not aware that the hidden thread was in reality deleted by my rebuild.
Anyway, I'll put the new build with ACP in external and encrypted dlls first on my to-do list.
Well, guess what: dxwnd.exe is two threats at once now. Now MS AV says it's Trojan:Win32/Tilevn.A and Trojan:Script/Wacatac.B!ml, plus the earlier Behavior:Win32/DefenseEvasion.A!
The most annoying part is when the AV decides to shut down DxWnd itself.
Last edit: BEEN_Nath_58 2022-04-17
My mistake again: I concentrated my efforts on the GUI, but I forgot that there was an (unused and unreferenced) ACP procedure in dxwnd.dll (to handle a possible future child process injection with ACP). Indeed, in fx2 DxWnd.exe was clean, but dxwnd.dll was not!
I uploaded a new file, v2_05_83_fx3.rar, now; this one comes out clean enough. I passed all the files to VirusScan: DxWnd.exe, dxwnd.dll and v2_05_83_fx3.rar.
@BEEN_Nath_58: And I also deleted the help.wip folder.
I confirm that v2_05_83_fx3_build.rar comes up as clean now.
Of course, because DxWnd is a very dangerous virus. It spreads like a plague all over the internet and forces users to play old obscure games into the night :-)
@BEEN_Nath_58
No. This would be inconvenient for users. I imagined another library, something like apc.dll (apc.rar).
Here is the prototype of dynamic linking of potentially malicious modules.
It works pretty much like the winmm proxy: the bundle includes an injectAPC.rar archive compressed with the password injectAPC, with injectAPC.dll inside.
In turn, DxWnd.exe will try to link the InjectAPC function dynamically and warn you if it can't find injectAPC.dll.
So, the usage is this:
- download and overwrite the v2.05.83.fx3 files
- use DxWnd as usual
- when you want to take some chances, disable the AV and extract injectAPC.rar in the local folder
- if the AV wakes up, it should delete the dll, but it is possible that it may also delete DxWnd.exe, so keep a backup just in case
Needless to say, I don't recommend all this because, at the moment, the traditional InjectDLL method is still the best one for early injection, so there's no real reason to use InjectAPC except for testing purposes.
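The runtime-optional module described in the post above, as an added example written here and not DxWnd's own code: the host binary tries to resolve the `InjectAPC` entry point from `injectAPC.dll` at run time, and if the library is absent (never extracted, or deleted by the AV) or lacks the export, it warns and keeps using a built-in InjectDLL path, so the program still starts. The entry-point signature `InjectAPC(pid, dll_path)`, the stand-in `inject_dll_builtin` body, the fallback-to-InjectDLL behaviour and the POSIX `dlopen` branch (so the sketch also builds on non-Windows hosts) are assumptions, not details taken from the project.

```c
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
typedef HMODULE mod_handle;
#define MOD_OPEN(p)    LoadLibraryA(p)
#define MOD_SYM(h, s)  ((void *)GetProcAddress((h), (s)))
#define MOD_CLOSE(h)   FreeLibrary(h)
#else
#include <dlfcn.h>
typedef void *mod_handle;
#define MOD_OPEN(p)    dlopen((p), RTLD_NOW)
#define MOD_SYM(h, s)  dlsym((h), (s))
#define MOD_CLOSE(h)   dlclose(h)
#endif

/* Assumed signature of the optional export in injectAPC.dll. */
typedef int (*inject_apc_fn)(unsigned long pid, const char *dll_path);

enum inject_method { INJ_NONE = 0, INJ_DLL = 1, INJ_APC = 2 };

struct injector {
    enum inject_method method;
    const char *name;          /* method name to show in the GUI / log */
    mod_handle module;         /* non-NULL only when INJ_APC was resolved */
    inject_apc_fn inject_apc;  /* resolved entry point, or NULL */
};

/* Stand-in for the built-in early-injection path (always available). */
static int inject_dll_builtin(unsigned long pid, const char *dll_path)
{
    (void)pid; (void)dll_path;
    return 0;  /* assumed success code */
}

/* Try the optional module first; fall back to the built-in method when the
 * library or its entry point cannot be resolved. Returns the chosen method. */
int select_injection_method(const char *module_path, struct injector *out)
{
    memset(out, 0, sizeof *out);
    out->method = INJ_DLL;
    out->name = "InjectDLL";

    mod_handle h = MOD_OPEN(module_path);
    if (!h) {
        fprintf(stderr, "warning: %s not found, using built-in InjectDLL\n", module_path);
        return out->method;
    }
    inject_apc_fn fn;
    *(void **)&fn = MOD_SYM(h, "InjectAPC");   /* POSIX-style data-to-function pointer copy */
    if (!fn) {
        fprintf(stderr, "warning: %s has no InjectAPC export, using built-in InjectDLL\n", module_path);
        MOD_CLOSE(h);
        return out->method;
    }
    out->method = INJ_APC;
    out->name = "InjectAPC";
    out->module = h;
    out->inject_apc = fn;
    return out->method;
}

/* Dispatch through whichever method was selected. */
int run_injection(const struct injector *inj, unsigned long pid, const char *dll_path)
{
    if (inj->method == INJ_APC && inj->inject_apc)
        return inj->inject_apc(pid, dll_path);
    return inject_dll_builtin(pid, dll_path);
}

void release_injector(struct injector *inj)
{
    if (inj->module)
        MOD_CLOSE(inj->module);
    inj->module = NULL;
    inj->inject_apc = NULL;
}

int main(void)
{
    struct injector inj;
    select_injection_method("injectAPC.dll", &inj);
    printf("using %s\n", inj.name);
    int rc = run_injection(&inj, 1234, "dxwnd.dll");
    release_injector(&inj);
    return rc;
}
```

The point of the split is that the only code an AV objects to lives in a file the user opts into; the host never references the symbol statically, so stripping or quarantining the dll changes which branch `select_injection_method` takes rather than breaking the load of DxWnd.exe itself.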
Super... but I can't unpack it. "The password you entered is incorrect." Is the password inside injectapc.txt definitely correct?
Last edit: huh 2022-04-19
Oh, noo! I did it again: it's "injectAPC", not "injectACP" !
I wrote this wrong in a million places (fixed) plus one.
As a funny story, I will tell you this:
moving the injectAPC stuff out of DxWnd reduced the AV detections (on VirusTotal) from a dozen to just 3. Encouraged by this success, I wondered if it was possible to improve and reduce that count even more. So I tentatively commented out all the Debugger injection to evaluate the improvement. When I sent the new stripped DxWnd.exe to VirusTotal, this time the counter was... 4!
:-)
I confirm that the password now works. I tried different combinations, but swapping letters didn't occur to me; you got me ;-)