PadNull.dll
#11
(11-25-2015, 12:18 AM)Nobbs66 Wrote: I'd say it's because of new malware. the last code change for padnull.dll was 3 months ago

Yeah that could be but I also still think it's related to the VS2015 thing. At the very least would change it because of which DLLs it's now linked against and the functions they export, no?
#12
I'd expect more than padnull to be affected then
#13
Yes, something has changed, old versions are 114,176 bytes while new ones are 118,272 bytes. The funny thing is that all PadNull.dll files have different check-sums, all of them, so either they are all a little different - even though they have the same exact size for older versions -, or my hasher is doing something funny.
#14
(11-25-2015, 12:25 AM)Nobbs66 Wrote: I'd expect more than padnull to be affected then

Not really. That's why I think it's a combination.

If it was a new malware only then it should match padnull.dll at least 3 months back to when it last changed, IDK if it goes that far back or not. Needs test.

Assuming there is a malware with signature 0xA3D950CB somewhere in it. I know signatures are more complex than that but for the sake of argument. Then you can assume padnull.dll used to not have that signature. After *something*, maybe the VS2015 maybe something else, 0xA3D950CB appears in padnull. Then it becomes flagged.

It's either one of those two, and either are readily tested.

(11-25-2015, 12:27 AM)K.F Wrote: Yes, something has changed, old versions are 114,176 bytes while new ones are 118,272 bytes. The funny thing is that all PadNull.dll files have different check-sums, all of them, so either they are all a little different - even though they have the same exact size for older versions -, or my hasher is doing something funny.

It has a version number built into it. I saw it in the source. That's likely affecting your checksum.

Code:
snprintf( libraryName, 255, "Padnull Driver %lld%s",SVN_REV, SVN_MODS ? "m" : "");

Those are constants which change with revision I think. I believe that line of code is what identifies the plugin in the plugin selector dialog.
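Added example, not part of the original thread or the PCSX2 source: the point in post #14, that an embedded revision string changes the checksum of builds that are otherwise identical and the same size, can be checked by diffing two files byte for byte and printing the text around each difference. The two "builds" below are constructed stand-ins with made-up revision numbers, and all function names are hypothetical.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def diff_regions(a: bytes, b: bytes, gap: int = 8):
    """Return (start, end) ranges where two equal-size files differ.
    Differences separated by at most `gap` identical bytes are merged."""
    if len(a) != len(b):
        raise ValueError("sizes differ; raw offsets are not comparable")
    regions = []
    for i, (x, y) in enumerate(zip(a, b)):
        if x == y:
            continue
        if regions and i - regions[-1][1] <= gap:
            regions[-1][1] = i + 1      # extend the current region
        else:
            regions.append([i, i + 1])  # start a new region
    return [tuple(r) for r in regions]

def context(data: bytes, start: int, end: int, pad: int = 16) -> str:
    """Printable view of the bytes around a differing region."""
    chunk = data[max(0, start - pad):end + pad]
    return "".join(chr(c) if 32 <= c < 127 else "." for c in chunk)

def fake_build(rev: int) -> bytes:
    """Constructed stand-in for a DLL: header, name string, identical 'code'."""
    name = b"Padnull Driver %d" % rev   # mimics the snprintf format on the page
    return b"MZ" + bytes(62) + name.ljust(32, b"\0") + bytes(range(64))

# Constructed sample input: same size, different (made-up) revision numbers.
OLD = fake_build(5001)
NEW = fake_build(5002)

def report(a: bytes, b: bytes):
    """List each differing region with the text found there in both files."""
    return [(s, e, context(a, s, e), context(b, s, e))
            for s, e in diff_regions(a, b)]

if __name__ == "__main__":
    print("old", sha256(OLD))
    print("new", sha256(NEW))
    for s, e, old_ctx, new_ctx in report(OLD, NEW):
        print(f"bytes {s:#x}-{e:#x}: {old_ctx!r} -> {new_ctx!r}")
```

If every differing region lands inside a version string or build timestamp, the hash mismatch says nothing about the code; differences elsewhere are the ones worth examining.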
#15
(11-25-2015, 12:18 AM)Nobbs66 Wrote: I'd say it's because of new malware. the last code change for padnull.dll was 3 months ago

Still doesn't make a whole lot of sense that 'older' padnulls aren't affected then.

Just did some more digging.


pcsx2-v1.3.1-1415-g9bb990e-windows-x86 (2015-11-08 21:40:08) -- Any version after this one gets padnull flagged by AV.
#16
(11-25-2015, 12:44 AM)Ryudo Wrote: pcsx2-v1.3.1-1415-g9bb990e-windows-x86 (2015-11-08 21:40:08) -- Any version after this one gets padnull flagged by AV.

Yup, 1416 is the first version built with vs2015. I'd ask turtleli about it since he's the one who handled the switch.
#17
So there we go. That's what I thought. Good job guys, reps.
#18
Chiming in, Kaspersky is flagging it also. But only on the newest build, several previous others are ok.

https://www.virustotal.com/en/file/0c002.../analysis/
#19
PadNull.dll is Safe ?
I deleted
#20
Is there any use for PadNull? Maybe we should just remove it. We also have no SPU2null plugin or?