deepwiki answer: why mouseMaster.exe is falsely flagged as a virus

The released exe of the mousemaster repository is being flagged as a trojan by Windows Security Center due to several legitimate but suspicious behaviors that match common malware patterns. Here are the main reasons:

Security Token Manipulation and Privilege Escalation

The application attempts to gain elevated UI access privileges by manipulating Windows security tokens, including duplicating the winlogon.exe process token and creating new processes with elevated privileges. [1]

The code also searches for and accesses the sensitive winlogon.exe system process to duplicate its security token. [2]

Low-Level Input Simulation and Hooking

The application uses extensive low-level Windows APIs to simulate mouse and keyboard input, which is behavior commonly associated with keyloggers and input injection malware. [3]

It also manipulates system mouse settings to disable enhanced pointer precision for predictable cursor movement. [4]

Executable Embedding Techniques

The build process embeds the VCRUNTIME140.dll directly into the executable using a tool called pefrmdllembed, which is a technique sometimes used by malware to hide dependencies and avoid detection. [5]

GraalVM Native Compilation

The application is compiled as a native Windows executable using GraalVM, which can produce binary structures that appear suspicious to antivirus heuristics. [6]

Extensive Windows API Usage

The application uses multiple sensitive Windows APIs through JNA, including User32, Kernel32, and Advapi32, for system-level operations that are commonly monitored by antivirus software. [7]

Notes

These behaviors are all legitimate and necessary for mousemaster's functionality as a keyboard-driven mouse control application. However, they collectively create a signature that closely resembles malware behavior patterns, leading to false positive detections by Windows Security Center and other antivirus solutions. The application requires administrator privileges and performs system-level operations to provide its core functionality of mouseless mouse manipulation, which unfortunately triggers security software heuristics designed to detect malicious programs with similar capabilities.
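A defender-side triage check, added here as an example that is not part of the DeepWiki answer or of the mousemaster project: it scans a binary's ASCII and UTF-16LE strings for the indicator families the answer lists (token duplication, winlogon.exe, input simulation, mouse-setting changes, an embedded VCRUNTIME140.dll, the User32/Kernel32/Advapi32 imports) so a maintainer can see which heuristic triggers their own build carries before filing a false-positive report. The specific Win32 API names are an assumption about how the described behaviour is implemented, and the sample bytes are constructed.

```python
import re
import sys

# Indicator groups mirroring the categories in the answer above. The Win32
# API names are an assumption about which calls implement the described
# behaviour; they are not taken from mousemaster's source.
INDICATORS = {
    "token manipulation / privilege escalation": [
        b"OpenProcessToken", b"DuplicateTokenEx", b"CreateProcessAsUser",
        b"CreateProcessWithToken", b"winlogon.exe",
    ],
    "low-level input simulation / hooking": [
        b"SendInput", b"SetWindowsHookEx", b"mouse_event", b"keybd_event",
    ],
    "mouse settings manipulation": [b"SystemParametersInfo"],
    "embedded runtime DLL": [b"VCRUNTIME140.dll"],
    "sensitive DLL imports": [b"ADVAPI32.dll", b"USER32.dll", b"KERNEL32.dll"],
}


def extract_strings(data, min_len=6):
    """Printable ASCII runs plus UTF-16LE runs, both returned as ASCII bytes."""
    ascii_runs = set(re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data))
    wide_runs = {m.group(0)[::2]  # drop the interleaved NUL bytes
                 for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)}
    return ascii_runs | wide_runs


def triage(data):
    """Map each indicator category to the indicators present in the binary
    (case-insensitive substring match, so SystemParametersInfoW counts)."""
    strings = extract_strings(data)
    report = {}
    for category, needles in INDICATORS.items():
        found = sorted({n.decode() for n in needles
                        for s in strings if n.lower() in s.lower()})
        if found:
            report[category] = found
    return report


# Constructed sample standing in for a few bytes of an import table and a
# wide-string literal; a real run reads the .exe given on the command line.
SAMPLE = (b"\x00" * 8
          + b"KERNEL32.dll\x00OpenProcessToken\x00DuplicateTokenEx\x00"
          + b"USER32.dll\x00SendInput\x00SystemParametersInfoW\x00"
          + "winlogon.exe".encode("utf-16-le") + b"\x00\x00"
          + b"VCRUNTIME140.dll\x00" + b"\xff" * 8)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for category, found in triage(data).items():
        print(f"{category}: {', '.join(found)}")
```

Run it as `python triage.py mousemaster.exe`; a hit in every category is expected for a legitimate build of this tool and is the combination the answer says trips the heuristics.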

posted @ 2025-05-24 21:48 by AI健康