The MASM Forum

General => The Laboratory => Topic started by: hutch-- on March 02, 2023, 01:56:09 PM

Title: AV false positive detection work around
Post by: hutch-- on March 02, 2023, 01:56:09 PM
Adding extra junk to work around false positives.

; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

    include \masm64\include64\masm64rt.inc

    .code

; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

entry_point proc

    LOCAL lError :QWORD
    LOCAL hInstance :QWORD
    LOCAL hMem  :QWORD
    LOCAL pbuf  :QWORD
    LOCAL buff[260]:BYTE

    mov pbuf, ptr$(buff)                                ; |
    mov hInstance, rvcall(GetModuleHandle,0)            ; |
    rcall GetModuleFileName,hInstance,pbuf,260          ; | USELESS JUNK TO AVOID FALSE POSITIVES
    invoke MessageBox,0,pbuf,"GetModuleFileName",MB_OK  ; |
    rcall GlobalAlloc,GMEM_FIXED,1024*1024              ; |
    mov hMem, rax                                       ; |

    invoke SendMessage,0,WM_COMMAND,50,0                ; missing window handle
    mrm lError, LastError$()                            ; get the error status
    invoke MessageBox,0,lError,"Forced Error",MB_OK     ; display the last error

    rcall GlobalFree,hMem                               ; | USELESS JUNK TO AVOID FALSE POSITIVES

    invoke ExitProcess,0

    ret

entry_point endp

; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

    end
Title: Re: AV false positive detection work around
Post by: Vortex on March 03, 2023, 05:19:15 AM
Hi Hutch,

Thanks, could you explain more about your method? What are the effects of those extra API calls to the AV engines?
Title: Re: AV false positive detection work around
Post by: hutch-- on March 03, 2023, 08:56:40 AM
Hi Erol,

It is as much trial and error as design, but the idea was to include some basic "kernel32" functions so that the crappy end of AV scanners had something they could recognise. I could get the test piece through Jotti with no problems, but VirusTotal spat on 3 of the unknown AV scanners, so I am getting around to the idea that nothing will defeat all of them.

A manifest and version control block used to help as well, but it defeats making small examples that are easy to understand.
Title: Re: AV false positive detection work around
Post by: daydreamer on March 03, 2023, 06:47:07 PM
Nice try :thumbsup:
Title: Re: AV false positive detection work around
Post by: hutch-- on March 03, 2023, 08:45:21 PM
These are the three that spit on this simple example.

CrowdStrike Falcon Win/malicious_confidence_70% (D)
SecureAge Malicious
Trapmine Suspicious.low.ml.score

Seems that AI AV scanners still live in false positives fantasy land.
Title: Re: AV false positive detection work around
Post by: hutch-- on March 03, 2023, 09:03:22 PM
Here is a modified test piece.

; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

    include \masm64\include64\masm64rt.inc

    crapin MACRO
      .data?
        hInstance dq ?
        hMem dq ?
        hLib dq ?
        pbuf dq ?
        buff dq 260 dup(?)
      .code

      mov pbuf, ptr$(buff)                                ; |
      mov hInstance, rvcall(GetModuleHandle,0)            ; |
      rcall GetModuleFileName,hInstance,pbuf,260          ; |
      rcall LoadLibrary,"kernel32.dll"                    ; |
      mov hLib, rax                                       ; | USELESS JUNK TO AVOID FALSE POSITIVES
      invoke MessageBox,0,pbuf,"GetModuleFileName",MB_OK  ; |
      rcall GlobalAlloc,GMEM_FIXED,1024*1024              ; |
      mov hMem, rax                                       ; |
    ENDM

    crapout MACRO
      rcall GlobalFree,hMem                               ; | USELESS JUNK TO AVOID FALSE POSITIVES
      rcall FreeLibrary,hLib
    ENDM

    .code

; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

entry_point proc

    crapin                                                  ; reduce AV false positives

  ; --------------------------------------------------------
  ; the test code
  ; --------------------------------------------------------

    rcall SendMessage,0,WM_COMMAND,50,0                     ; missing window handle
    rcall MessageBox,0,LastError$(),"Forced Error",MB_OK    ; display the last error

  ; --------------------------------------------------------

    crapout                                                 ; reduce AV false positives

    invoke ExitProcess,0

    ret

entry_point endp

; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

    end
Title: Re: AV false positive detection work around
Post by: Vortex on March 04, 2023, 05:03:57 AM
Hi Hutch,

Thanks for the info. Jotti must be the best online malware analyzer. VirusTotal is just a bad joke:

http://masm32.com/board/index.php?topic=9811.0

Building this code:

include     \masm32\include\masm32rt.inc

.code

start:

    ret

END start


Rising
Trojan.Generic@AI.96 (RDML:yRXTXVmgE0AT6fw1LknjfQ)

SecureAge
ERROR Unable To Scan (corrupt PE File).

Trapmine
Malicious.high.ml.score

VBA32
Trojan.Click


https://www.virustotal.com/gui/file/6ad4e1eb0153e8c138d9204ded45bdefd81dfc0ffa2bd815992dc6ddd87c0e7a?nocache=1
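Editor's note (added example, not code from hutch, Vortex or the MASM forum): the two posts above make the same point from opposite ends. Hutch's padding works by giving the binary an import table populated with ordinary kernel32/user32 entries and, when he used them, a version block and manifest in the resource section; Vortex's bare `ret` program has none of those and is flagged by four engines. Static features of that kind (file size, whether the import and resource data directories are populated, per-section entropy) are the ones heuristic and ML classifiers are generally documented to weigh, so it is worth reading them off a build before uploading it. The script below parses the PE32/PE32+ headers with the Python standard library and lists the features that a tiny test executable exposes. The `build_test_pe` function constructs a synthetic one-section PE32+ image for the self-test; when it sets the import or resource directory entry it uses placeholder RVAs that only make the directory table non-empty and do not point at real descriptors, and the inspector does not walk import descriptors or the resource tree. The thresholds in `red_flags` are my own assumptions, not published scanner logic.

```python
"""Report the static PE features heuristic/ML scanners commonly weigh: file size,
import and resource data directories, per-section entropy. Standard library only;
parses PE32 and PE32+ headers, does not walk import descriptors or resources."""
import math
import struct
import sys

DIR_IMPORT, DIR_RESOURCE = 1, 2        # data directory indices (PE/COFF spec)
OPT_HDR_FMT = "<HBB5IQ2I6HI2IIHH4Q2I"   # PE32+ optional header, fixed 112-byte part
SECTION_FMT = "<8sIIIIIIHHI"           # IMAGE_SECTION_HEADER, 40 bytes

FLAG_TEXT = {  # thresholds are this example's assumptions, not any vendor's rules
    "no-imports": "empty import directory: no API usage a scanner can recognise as ordinary",
    "no-resources": "empty resource directory: no version block or manifest",
    "tiny-file": "file smaller than 4 KiB",
    "high-entropy": "section above 7.0 bits/byte (looks packed or encrypted)",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_pe(image: bytes) -> dict:
    """Parse DOS, COFF, optional and section headers; return heuristic-relevant facts."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x20B:      # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        ndirs_off, dirs_off = opt + 108, opt + 112
    elif magic == 0x10B:    # PE32:  NumberOfRvaAndSizes at +92, directories at +96
        ndirs_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    ndirs = struct.unpack_from("<I", image, ndirs_off)[0]

    def directory(idx):     # (RVA, size) of a data directory, (0, 0) if absent
        if idx >= ndirs:
            return (0, 0)
        return struct.unpack_from("<II", image, dirs_off + 8 * idx)

    sections = []
    for i in range(nsections):
        name, _, va, rawsize, rawptr, *_ = struct.unpack_from(SECTION_FMT, image, opt + opt_size + 40 * i)
        raw = image[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va, "raw_size": rawsize,
                         "entropy": round(shannon_entropy(raw), 2)})
    return {"machine": machine,
            "subsystem": struct.unpack_from("<H", image, opt + 68)[0],  # same offset in PE32/PE32+
            "file_size": len(image),
            "import_directory": directory(DIR_IMPORT),
            "resource_directory": directory(DIR_RESOURCE),
            "sections": sections}


def red_flags(report: dict) -> list:
    """Codes (keys of FLAG_TEXT) for features that make a tiny test exe look suspicious."""
    flags = []
    if report["import_directory"] == (0, 0):
        flags.append("no-imports")
    if report["resource_directory"] == (0, 0):
        flags.append("no-resources")
    if report["file_size"] < 4096:
        flags.append("tiny-file")
    if any(s["entropy"] > 7.0 for s in report["sections"]):
        flags.append("high-entropy")
    return flags


def build_test_pe(import_dir: bool, resource_dir: bool) -> bytes:
    """Constructed PE32+ image for the self-test: one .text section holding a single RET.
    Import/resource entries, when requested, are placeholder RVAs, not real descriptors."""
    file_align, sect_align = 0x200, 0x1000
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)   # x64, 1 section, EXE
    opt = struct.pack(OPT_HDR_FMT, 0x20B, 14, 0, file_align, 0, 0, 0x1000, 0x1000,
                      0x140000000, sect_align, file_align, 6, 0, 0, 0, 6, 0,
                      0, 0x2000, 0x200, 0, 2, 0x8160,                   # GUI subsystem
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    if import_dir:
        dirs[DIR_IMPORT] = (0x1000, 0x28)
    if resource_dir:
        dirs[DIR_RESOURCE] = (0x1000, 0x10)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    section = struct.pack(SECTION_FMT, b".text", file_align, 0x1000, file_align, 0x200,
                          0, 0, 0, 0, 0x60000020)                     # CODE|EXECUTE|READ
    headers = dos + b"PE\0\0" + coff + opt + section
    headers += b"\0" * (0x200 - len(headers))
    return headers + b"\xC3" + b"\0" * (file_align - 1)                # ret, then padding


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            report = inspect_pe(f.read())
    else:
        report = inspect_pe(build_test_pe(import_dir=False, resource_dir=False))
    for key, value in report.items():
        print(f"{key}: {value}")
    for code in red_flags(report):
        print("FLAG", code, "-", FLAG_TEXT[code])
```

Run it with the path to the linked `.exe` as its only argument (`python pe_features.py test.exe`); with no argument it inspects the constructed `ret`-only image and reports the same three gaps Vortex's program has: no import directory, no resource directory, file under 4 KiB. The `crapin`/`crapout` padding in hutch's second listing addresses only the first of those; a version block and manifest fill the second, and nothing short of real content changes the third.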