deviated trainers marked as suspicious
I am posting this again, for some reason the thread i made got deleted ? removing the link to virustotal in case that was the problem
I am a game trainer maker at deviated and i have always wanted to bring this to your attention but i didn't know if you guys would care or not but now i am making this thread out of pure desperation.
My trainers are marked as trojan/suspicious by F-secure or "Gen:Trojan.Heur.LP.hv4@aukLcubi" to be precise. This virustotal result for example for my new trainer:
In case you don't know a game trainer is a basically a cheat that is made by third parties (other than game developers themselves) through memory modification. I guess this presents a suspicious signature because the trainer is modifying another program's memory (game's) to achieve its effects.
But it is really weird, i know what triggers F-secure to generate that false-positive and i can make it not complain anymore but it is at a huge cost to the functionality of my trainers and suffering the user-friendliness of my programs/trainers.
My trainer uses dll injection and when you activate a cheat, there is either a beep or a sound (depending on which one i use) played letting the user know that the cheat was activated successfully. There is also built-in hotkeys in the DLL used for activating the trainer. These two functions are what triggers the F-secure to think the trainer is bad, if i remove them BOTH then f-secure is totally okay, removing just one doesn't help. The hotkeys part is what most other antivirus also have a problem with (they think its a keylogger) but using them both somehow creates a weird signature for f-secure ?. These are the APIs
invoke PlaySound, offset off_snd, 0, SND_MEMORY OR SND_ASYNC
or if i am using the beep sound (in my old trainers)
xor eax, eax
mov al, byte ptr [CurrentHotkey]
As you can see removing those functions is a disadvantage to my users because they have no way to know if the cheat is activated and they can't even activate the trainer actually without the hotkeys. There is a workaround however, but it is just a huge inconvenience.
Sorry for the long post but i wanted to go in great details so you understood. I will gladly send you the source to both the DLL and trainer if that will help (in private please, my techniques are unique to our site only and not open-source) or any other information you need.
Please either let me know what i can do to make it f-secure friendly without losing the core-functionality of trainer or update f-secure to not falsely mark my trainer as bad and scare our users please.