Thursday, January 1, 2015

About the recent claims of viruses in devcppPortable.exe

Recently, a lot of reports have surfaced of antivirus programs flagging the file devcppPortable.exe as a virus, trojan or unwanted program. I can assure you that the files you download from SourceForge do NOT contain anything of the sort.

To prove my statement, let us check the source code of devcppPortable.exe. It can be found in the Source\Tools\DevCppPortable folder in the source zip files provided here or in the Git repo here.

Let's walk through the code step by step:
#include <windows.h>
#include <Shlwapi.h>
#include <string>
using std::wstring;

The included headers are the unmodified ones shipped with TDM-GCC 4.8.1.

int main() {
  int ArgumentCount = 0;
  // Split this process's own command line into an argv-style array
  wchar_t** ArgumentInput = CommandLineToArgvW(GetCommandLineW(), &ArgumentCount);
  wstring ArgumentsToDev = L"-c .\\config ";
  for (int i = 1; i < ArgumentCount; i++) { // skip argv[0], our own path
    ArgumentsToDev += L'"';
    ArgumentsToDev += ArgumentInput[i];
    ArgumentsToDev += L'"';
    if (i != ArgumentCount - 1) {
      ArgumentsToDev += L' ';
    }
  }
  LocalFree(ArgumentInput); // CommandLineToArgvW allocates the array with LocalAlloc

Here, devcppPortable builds a string ArgumentsToDev consisting of the -c switch, which tells devcpp.exe to store its configuration files in the config subfolder instead of the default location, followed by every argument that was passed to devcppPortable itself, each wrapped in quotes. Think of files that are dragged onto devcppPortable.exe in Explorer, or Auto-Open bindings that point at devcppPortable. All it does is forward these arguments to devcpp.exe.

  wchar_t CurrentDirectory[32768];
  GetModuleFileNameW(NULL, CurrentDirectory, 32768); // full path of devcppPortable.exe
  PathRemoveFileSpecW(CurrentDirectory);            // strip the file name, keep the folder

Here, the full path of the running executable is retrieved and its file name stripped off, so that the array CurrentDirectory holds the folder devcppPortable.exe is located in.

  INT_PTR Result = (INT_PTR)ShellExecuteW(
    NULL,                   // no parent window
    L"open",                // open the file
    L"devcpp.exe",          // the file to open
    ArgumentsToDev.c_str(), // extra parameters to pass
    CurrentDirectory,       // use the current directory
    SW_SHOWNORMAL           // activate and display window
  );
  if (Result <= 32) { // ShellExecute signals failure with a value of 32 or less
    switch (Result) {
      case ERROR_FILE_NOT_FOUND: {
        MessageBoxW(NULL, L"devcpp.exe", L"File not found", MB_OK);
        break;
      }
      default: {
        MessageBoxW(NULL, L"An unspecified error has occurred!", L"Error", MB_OK);
        break;
      }
    }
  }
  return 0;
}

Lastly, devcpp.exe is launched with the assembled arguments, using the folder determined above as its working directory, via the perfectly ordinary ShellExecute function. If the launch fails (a return value of 32 or less), a message box reports the error.

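One detail worth noting about the argument loop above: it wraps each argument in plain quotes without escaping quotes or backslashes inside it, so a file name that contains a double quote or ends in a backslash would be split by devcpp.exe's own CommandLineToArgvW into different arguments than devcppPortable received. As an added example (not code from the Dev-C++ source), here is the same loop with the quoting rule that CommandLineToArgvW reverses, written as portable C++ so it compiles anywhere; QuoteArgument and BuildArgumentsToDev are names chosen for this example, and the sample arguments in main are constructed.

```cpp
#include <string>
#include <vector>
#include <iostream>
using std::wstring;

// Quote one argument so that CommandLineToArgvW in the child process recovers
// it verbatim. Backslashes are literal unless they precede a double quote, so
// a run of n backslashes before an embedded quote (or before the closing quote
// we add) must become 2n, and an embedded quote itself becomes \".
wstring QuoteArgument(const wstring& Argument) {
  wstring Quoted = L"\"";
  size_t Backslashes = 0;
  for (wchar_t c : Argument) {
    if (c == L'\\') {
      ++Backslashes; // defer: the meaning depends on what follows
    } else if (c == L'"') {
      Quoted.append(Backslashes * 2 + 1, L'\\'); // escape the run and the quote
      Quoted.push_back(L'"');
      Backslashes = 0;
    } else {
      Quoted.append(Backslashes, L'\\'); // ordinary backslashes stay as they are
      Quoted.push_back(c);
      Backslashes = 0;
    }
  }
  Quoted.append(Backslashes * 2, L'\\'); // a trailing run precedes our closing quote
  Quoted.push_back(L'"');
  return Quoted;
}

// Same shape as the loop in devcppPortable: the -c switch first, then every
// forwarded argument, quoted, separated by single spaces.
wstring BuildArgumentsToDev(const std::vector<wstring>& Arguments) {
  wstring ArgumentsToDev = L"-c .\\config ";
  for (size_t i = 0; i < Arguments.size(); ++i) {
    ArgumentsToDev += QuoteArgument(Arguments[i]);
    if (i != Arguments.size() - 1) ArgumentsToDev += L' ';
  }
  return ArgumentsToDev;
}

int main() {
  // Constructed sample: a path with spaces, a trailing backslash, an embedded quote.
  std::vector<wstring> Sample = { L"C:\\My Files\\main.cpp", L"dir\\", L"say \"hi\"" };
  std::wcout << BuildArgumentsToDev(Sample) << std::endl;
  return 0;
}
```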

In other words, this file is harmless. My educated guess as to why it gets flagged is that genuinely unwanted files (trojans in particular) exhibit the same behaviour: they too act as small hosts whose only job is to execute external code. Since devcppPortable behaves the same way, the scanner's heuristics conclude "Hey, this program shows behaviour similar to the other million trojan files in our database. Let's tell the user it is one too, just to be sure".

What can you do as a user? Please report devcppPortable.exe as a false positive.