Topic: AV false positive detection work around

hutch--

AV false positive detection work around
« on: March 02, 2023, 01:56:09 PM »
Adding extra junk to work around false positives.

; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

    include \masm64\include64\masm64rt.inc

    .code

; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

entry_point proc

    LOCAL lError :QWORD
    LOCAL hInstance :QWORD
    LOCAL hMem  :QWORD
    LOCAL pbuf  :QWORD
    LOCAL buff[260]:BYTE

    mov pbuf, ptr$(buff)                                ; |
    mov hInstance, rvcall(GetModuleHandle,0)            ; |
    rcall GetModuleFileName,hInstance,pbuf,260          ; | USELESS JUNK TO AVOID FALSE POSITIVES
    invoke MessageBox,0,pbuf,"GetModuleFileName",MB_OK  ; |
    rcall GlobalAlloc,GMEM_FIXED,1024*1024              ; |
    mov hMem, rax                                       ; |

    invoke SendMessage,0,WM_COMMAND,50,0                ; missing window handle
    mrm lError, LastError$()                            ; get the error status
    invoke MessageBox,0,lError,"Forced Error",MB_OK     ; display the last error

    rcall GlobalFree,hMem                               ; | USELESS JUNK TO AVOID FALSE POSITIVES

    invoke ExitProcess,0

    ret

entry_point endp

; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

    end
hutch at movsd dot com
http://www.masm32.com    :biggrin:  :skrewy:

Vortex

Re: AV false positive detection work around
« Reply #1 on: March 03, 2023, 05:19:15 AM »
Hi Hutch,

Thanks, could you explain more about your method? What are the effects of those extra API calls to the AV engines?

hutch--

Re: AV false positive detection work around
« Reply #2 on: March 03, 2023, 08:56:40 AM »
Hi Erol,

It is as much trial and error as design, but the idea was to include some basic "kernel32" functions so that the crappy end of AV scanners had something they could recognise. I could get the test piece through Jotti with no problems, but VirusTotal spat on 3 of the unknown AV scanners, so I am getting around to the idea that nothing will defeat all of them.

A manifest and version control block used to help as well but it defeats making small examples that are easy to understand.

daydreamer

Re: AV false positive detection work around
« Reply #3 on: March 03, 2023, 06:47:07 PM »
Nice try :thumbsup:
my non-asm creations
http://masm32.com/board/index.php?topic=6937.msg74303#msg74303
I am an Invoker
"An Invoker is a mage who specializes in the manipulation of raw and elemental energies."
Like SIMD coding

hutch--

Re: AV false positive detection work around
« Reply #4 on: March 03, 2023, 08:45:21 PM »
These are the three that spit on this simple example.

CrowdStrike Falcon Win/malicious_confidence_70% (D)
SecureAge Malicious
Trapmine Suspicious.low.ml.score

Seems that AI AV scanners still live in false positives fantasy land.

hutch--

Re: AV false positive detection work around
« Reply #5 on: March 03, 2023, 09:03:22 PM »
Here is a modified test piece.

; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

    include \masm64\include64\masm64rt.inc

    crapin MACRO
      .data?
        hInstance dq ?
        hMem dq ?
        hLib dq ?
        pbuf dq ?
        buff dq 260 dup(?)
      .code

      mov pbuf, ptr$(buff)                                ; |
      mov hInstance, rvcall(GetModuleHandle,0)            ; |
      rcall GetModuleFileName,hInstance,pbuf,260          ; |
      rcall LoadLibrary,"kernel32.dll"                    ; |
      mov hLib, rax                                       ; | USELESS JUNK TO AVOID FALSE POSITIVES
      invoke MessageBox,0,pbuf,"GetModuleFileName",MB_OK  ; |
      rcall GlobalAlloc,GMEM_FIXED,1024*1024              ; |
      mov hMem, rax                                       ; |
    ENDM

    crapout MACRO
      rcall GlobalFree,hMem                               ; | USELESS JUNK TO AVOID FALSE POSITIVES
      rcall FreeLibrary,hLib
    ENDM

    .code

; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

entry_point proc

    crapin                                                  ; reduce AV false positives

  ; --------------------------------------------------------
  ; the test code
  ; --------------------------------------------------------

    rcall SendMessage,0,WM_COMMAND,50,0                     ; missing window handle
    rcall MessageBox,0,LastError$(),"Forced Error",MB_OK    ; display the last error

  ; --------------------------------------------------------

    crapout                                                 ; reduce AV false positives

    invoke ExitProcess,0

    ret

entry_point endp

; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

    end

Vortex

Re: AV false positive detection work around
« Reply #6 on: March 04, 2023, 05:03:57 AM »
Hi Hutch,

Thanks for the info. Jotti must be the best online malware analyzer. VirusTotal is just a bad joke:

http://masm32.com/board/index.php?topic=9811.0

Building this code:

include     \masm32\include\masm32rt.inc

.code

start:

    ret

END start

Rising
Trojan.Generic@AI.96 (RDML:yRXTXVmgE0AT6fw1LknjfQ)

SecureAge
ERROR Unable To Scan (corrupt PE File).

Trapmine
Malicious.high.ml.score

VBA32
Trojan.Click

https://www.virustotal.com/gui/file/6ad4e1eb0153e8c138d9204ded45bdefd81dfc0ffa2bd815992dc6ddd87c0e7a?nocache=1