Adding extra junk to work around false positives.
; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
include \masm64\include64\masm64rt.inc
.code
; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
entry_point proc
LOCAL lError :QWORD
LOCAL hInstance :QWORD
LOCAL hMem :QWORD
LOCAL pbuf :QWORD
LOCAL buff[260]:BYTE
mov pbuf, ptr$(buff) ; |
mov hInstance, rvcall(GetModuleHandle,0) ; |
rcall GetModuleFileName,hInstance,pbuf,260 ; | USELESS JUNK TO AVOID FALSE POSITIVES
invoke MessageBox,0,pbuf,"GetModuleFileName",MB_OK ; |
rcall GlobalAlloc,GMEM_FIXED,1024*1024 ; |
mov hMem, rax ; |
invoke SendMessage,0,WM_COMMAND,50,0 ; missing window handle
mrm lError, LastError$() ; get the error status
invoke MessageBox,0,lError,"Forced Error",MB_OK ; display the last error
rcall GlobalFree,hMem ; | USELESS JUNK TO AVOID FALSE POSITIVES
invoke ExitProcess,0
ret
entry_point endp
; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
end
Hi Hutch,
Thanks, could you explain more about your method? What are the effects of those extra API calls to the AV engines?
Hi Erol,
It is as much trial and error as design, but the idea was to include some basic "kernel32" functions so that the crappy end of AV scanners had something they could recognise. I could get the test piece through Jotti with no problems, but VirusTotal spat on 3 of the unknown AV scanners, so I am getting around to the idea that nothing will defeat all of them.
A manifest and version control block used to help as well but it defeats making small examples that are easy to understand.
Nice try :thumbsup:
These are the three that spit on this simple example.
CrowdStrike Falcon: Win/malicious_confidence_70% (D)
SecureAge: Malicious
Trapmine: Suspicious.low.ml.score
Seems that AI AV scanners still live in false positives fantasy land.
Here is a modified test piece.
; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
include \masm64\include64\masm64rt.inc
crapin MACRO
.data?
hInstance dq ?
hMem dq ?
hLib dq ?
pbuf dq ?
buff dq 260 dup(?)
.code
mov pbuf, ptr$(buff) ; |
mov hInstance, rvcall(GetModuleHandle,0) ; |
rcall GetModuleFileName,hInstance,pbuf,260 ; |
rcall LoadLibrary,"kernel32.dll" ; |
mov hLib, rax ; | USELESS JUNK TO AVOID FALSE POSITIVES
invoke MessageBox,0,pbuf,"GetModuleFileName",MB_OK ; |
rcall GlobalAlloc,GMEM_FIXED,1024*1024 ; |
mov hMem, rax ; |
ENDM
crapout MACRO
rcall GlobalFree,hMem ; | USELESS JUNK TO AVOID FALSE POSITIVES
rcall FreeLibrary,hLib
ENDM
.code
; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
entry_point proc
crapin ; reduce AV false positives
; --------------------------------------------------------
; the test code
; --------------------------------------------------------
rcall SendMessage,0,WM_COMMAND,50,0 ; missing window handle
rcall MessageBox,0,LastError$(),"Forced Error",MB_OK ; display the last error
; --------------------------------------------------------
crapout ; reduce AV false positives
invoke ExitProcess,0
ret
entry_point endp
; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
end
Hi Hutch,
Thanks for the info. Jotti must be the best online malware analyzer. VirusTotal is just a bad joke:
http://masm32.com/board/index.php?topic=9811.0
Building this code:
include \masm32\include\masm32rt.inc
.code
start:
ret
END start
Rising: Trojan.Generic@AI.96 (RDML:yRXTXVmgE0AT6fw1LknjfQ)
SecureAge: ERROR Unable To Scan (corrupt PE File).
Trapmine: Malicious.high.ml.score
VBA32: Trojan.Click
https://www.virustotal.com/gui/file/6ad4e1eb0153e8c138d9204ded45bdefd81dfc0ffa2bd815992dc6ddd87c0e7a?nocache=1
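The two points raised in this thread, that an image with nothing but "ret" in it gets flagged (or reported as a corrupt PE) and that giving the scanner some real kernel32 references to recognise changes the verdict only partially, both come down to header-level features that heuristic engines read before they look at any code. The following script is an added example, not code from this thread or from the masm32/masm64 packages: it builds two constructed PE32+ samples in memory (a bare "ret", and the same byte plus a genuine import table naming kernel32.dll!ExitProcess) and runs a small triage over their headers, listing the structural findings an analyst would cite when explaining why such a file scores as suspicious. All function names are hypothetical, and the thresholds are illustrative rather than any vendor's.

```python
"""PE header triage: the structural features that make a tiny executable look
suspicious to heuristic scanners (no imports, no resources, a few bytes of code).
Added example; constructs its own sample PE32+ images, hypothetical helper names."""
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_RESOURCE = 2
IMAGE_DIRECTORY_ENTRY_IAT = 12
IMAGE_SCN_MEM_EXECUTE = 0x20000000
FILE_ALIGN = 0x200
SECTION_RVA = 0x1000


def _align(n, a):
    return (n + a - 1) // a * a


def build_sample_pe64(code: bytes, with_imports: bool) -> bytes:
    """Constructed sample: a one-section PE32+ image around `code` (at most 16
    bytes). With with_imports=True the section also carries a real import table
    naming kernel32.dll!ExitProcess, the kind of reference a "junk" API call adds
    to an otherwise empty image."""
    assert len(code) <= 0x10
    sec = bytearray(code)
    dirs = [(0, 0)] * 16
    if with_imports:
        sec += b"\0" * (0x10 - len(sec))
        # IMAGE_IMPORT_DESCRIPTOR {OriginalFirstThunk, TimeDateStamp,
        # ForwarderChain, Name, FirstThunk} followed by an all-zero terminator
        sec += struct.pack("<IIIII", SECTION_RVA + 0x40, 0, 0,
                           SECTION_RVA + 0x70, SECTION_RVA + 0x50) + b"\0" * 20
        sec += b"\0" * (0x40 - len(sec))
        sec += struct.pack("<QQ", SECTION_RVA + 0x60, 0)   # import lookup table (+0x40)
        sec += struct.pack("<QQ", SECTION_RVA + 0x60, 0)   # import address table (+0x50)
        sec += struct.pack("<H", 0) + b"ExitProcess\0"     # hint/name entry (+0x60)
        sec += b"\0" * (0x70 - len(sec))
        sec += b"kernel32.dll\0"                           # DLL name (+0x70)
        dirs[IMAGE_DIRECTORY_ENTRY_IMPORT] = (SECTION_RVA + 0x10, 40)
        dirs[IMAGE_DIRECTORY_ENTRY_IAT] = (SECTION_RVA + 0x50, 16)
    raw_size = _align(len(sec), FILE_ALIGN)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0, raw_size, 0, 0, SECTION_RVA, SECTION_RVA,
                      0x140000000, 0x1000, FILE_ALIGN, 6, 0, 0, 0, 6, 0, 0,
                      SECTION_RVA + 0x1000, FILE_ALIGN, 0, 3, 0x8160,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(sec), SECTION_RVA, raw_size,
                       FILE_ALIGN, 0, 0, 0, 0, 0xE0000020)   # code|exec|read|write
    hdr = dos + coff + opt + sect
    return hdr + b"\0" * (FILE_ALIGN - len(hdr)) + bytes(sec) + b"\0" * (raw_size - len(sec))


def triage_pe(data: bytes) -> dict:
    """Read the header-level features a heuristic engine keys on and return the
    imported DLL names, the executable byte count and a list of findings."""
    if data[:2] != b"MZ":
        return {"dlls": [], "code_bytes": 0, "findings": ["not an MZ file"]}
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        return {"dlls": [], "code_bytes": 0, "findings": ["missing PE signature"]}
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    ndirs_off = opt + (108 if pe32plus else 92)      # NumberOfRvaAndSizes
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    dirs = [struct.unpack_from("<II", data, ndirs_off + 4 + 8 * i) for i in range(ndirs)]
    sections = [struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
                for i in range(nsect)]

    def rva_to_off(rva):
        for _, vsize, va, rsize, raw, *_ in sections:
            if va <= rva < va + max(vsize, rsize):
                return rva - va + raw
        raise ValueError("RVA %#x maps to no section" % rva)

    dlls = []
    if len(dirs) > IMAGE_DIRECTORY_ENTRY_IMPORT and dirs[IMAGE_DIRECTORY_ENTRY_IMPORT][0]:
        off = rva_to_off(dirs[IMAGE_DIRECTORY_ENTRY_IMPORT][0])
        while any(desc := struct.unpack_from("<IIIII", data, off)):   # until null descriptor
            name_off = rva_to_off(desc[3])
            dlls.append(data[name_off:data.index(b"\0", name_off)].decode("ascii"))
            off += 20
    code_bytes = sum(s[1] for s in sections if s[9] & IMAGE_SCN_MEM_EXECUTE)
    findings = []
    if not dlls:
        findings.append("no import table: nothing ties the image to the Win32 API")
    if len(dirs) <= IMAGE_DIRECTORY_ENTRY_RESOURCE or dirs[IMAGE_DIRECTORY_ENTRY_RESOURCE][1] == 0:
        findings.append("no resource directory: no version info or manifest")
    if code_bytes < 0x100:                            # illustrative threshold
        findings.append("only %d bytes of executable section data" % code_bytes)
    if nsect < 2:
        findings.append("single section (code, data and imports share one page)")
    return {"dlls": dlls, "code_bytes": code_bytes, "findings": findings}


if __name__ == "__main__":
    for label, image in (("ret only", build_sample_pe64(b"\xC3", False)),
                         ("ret + kernel32 import", build_sample_pe64(b"\xC3", True))):
        result = triage_pe(image)
        print(label, result["dlls"], result["findings"])
```

Run on the constructed samples, the bare image reports no imports, no resources, one byte of code and a single section, while the image with a kernel32 import loses only the first finding; the remaining three are exactly what a manifest, a version block and a normal amount of code would remove, which is why adding a couple of API calls on its own is not enough for every engine. To look at a real build, pass the file contents instead: `triage_pe(open("test.exe", "rb").read())`.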