ildasm / ilasm - Symantec false positive
Question
I am having a problem with disassembling and reassembling a .NET executable and it throwing a false positive after.
The error I get specifically is:
Heur.AdvML.B
As of now, I am no longer editing the asm prior to re-compiling it. I literally de-compile it and recompile it, run it and get the error. I am aware that I can attempt to reach out to my network admin to get a folder removed from the "watch" list, as well as attempt to contact Symantec.
What would be ideal, is if someone could help me identify why exactly this is occurring.
Things I have tried:
Strip all debugging references from the asm completely Set System.Diagnostics.DebuggableAttribute/DebuggingModes with 01 00 02 00 00 00 00, which should be release-optimized indicator de-compile and re-compile a known working exe without touching it
What is causing this false positive if the original exe is clean. Do I need to sign the exe ? Really confused any help would be appreciated.
1 answers
solution1
0 2018-10-25 19:20:06
I just had the same issue. When recompiling with ilasm.exe, you need to pass in the .res file that is generated by ildasm.exe during decompile. Just add the following parameter to your ilasm arguments:
/RESOURCE=file.res
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.