The MASM Forum

Microsoft 64 bit MASM => MASM64 SDK => Topic started by: hutch-- on January 07, 2023, 05:50:45 AM

Title: AV Comedy
Post by: hutch-- on January 07, 2023, 05:50:45 AM
I have just about worn out my welcome at "jotti" but fixed the first file flagged as malicious.

The latest version of "cpicker.exe" was flagged as having,

    BitDefender Antivirus Jan 6, 2023 Gen:Variant.Razy.683884
    MicroWorld eScan Jan 6, 2023 Gen:Variant.Razy.683884
    G DATA Jan 6, 2023 Gen:Variant.Razy.683884

The Mickey Mouse Club in action out of their common database.

Changed the icon to a 32 bit version and changed the order of the procedures in the source file and BINGO, no false positive.  :tongue:

Identical procedures in the source file, with the order of 2 procedures changed and a bigger icon, solved their crap scan, wotta buncha jurx !  :thdn:

The technology these clowns are using would have to be classed as suspect.
Title: Re: AV Comedy
Post by: hutch-- on January 07, 2023, 06:59:20 AM
This is the next piece of genius from the AV crapheaps.

Bye bye to -> F-Secure Anti-Virus Jan 6, 2023 Heuristic.HEUR/AGEN.1253024

; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

    include \masm64\include64\masm64rt.inc

    .code

; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

entry_point proc

    LOCAL hMem  :QWORD
    LOCAL lMem  :QWORD
    LOCAL pMem  :QWORD
    LOCAL aLen  :QWORD
    LOCAL wLen  :QWORD
    LOCAL hIcon :QWORD
    LOCAL hInstance :QWORD

    mov hInstance, rv(GetModuleHandle,0)        ; unneeded, added for crap AV scanners

    mov hMem, rvcall(load_file,"icon.ico")      ; load the file
    mov lMem, rcx                               ; get its length
    mov rax, lMem

    lea rax, [rax*4]                            ; mul length by 4
    mov aLen, rax

    mov pMem, alloc(aLen)                       ; allocate the output buffer
    mov wLen, rvcall(bin2hex,hMem,lMem,pMem)    ; convert the source to hex
    rcall save_file,"bin2hex.txt",pMem,wLen     ; write the file to disk

    mfree pMem                                  ; free the allocated memory
    mfree hMem                                  ; free the file memory

    exec "\masm64\teditor.exe bin2hex.txt"

    invoke ExitProcess,0

    ret

entry_point endp

; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

    end
Title: Re: AV Comedy
Post by: HSE on January 07, 2023, 07:25:16 AM
 :biggrin:

A little file size is what triggers alerts, then any suspicious byte sequence makes the binary flagged as malicious.

Some time ago somebody pasted a big useless object to the exe's end. I don't remember who, but they said that always worked.
Title: Re: AV Comedy
Post by: hutch-- on January 07, 2023, 09:51:12 AM
The next piece of genius comes from Avast. Anything that is not reported in their local database is flagged as "FileRepMalware", unrelated to the file's content.

I have been a bit spoilt by using the Kaspersky KVRT.EXE which is not part of the Mickey Mouse Club and is super reliable.
Title: Re: AV Comedy
Post by: avcaballero on January 07, 2023, 09:57:17 AM
> A little file size is what triggers alerts, then any suspicious byte sequence makes the binary flagged as malicious.

Yeah, I think so. Maybe the solution would be adding dozens of NOP operations   :bgrin:

When I code, I usually disable the AV for some time.
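An added example, not from this thread or from the masm64 SDK, showing the trick HSE describes (appending a big useless object to the end of the exe) and the intent behind avcaballero's NOP suggestion (making a tiny exe bigger so it stops tripping a size heuristic). The padding goes into the PE overlay, the bytes after the last section's raw data, which the Windows loader never maps, so headers and code stay byte-identical and the procedure order hutch-- found the scanners sensitive to is untouched. The script parses the PE header itself (no pefile dependency), measures the existing overlay, and refuses to pad a file that carries an Authenticode certificate table, since the appended bytes would no longer match the signed hash. The input it builds is a constructed minimal PE32+ stub, not cpicker.exe or the bin2hex program above; every function name here is my own.

```python
"""Measure and pad the overlay of a PE file (added example, not forum code)."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Authenticode certificate table
FILE_ALIGN = 0x200


def _align(n, a):
    return (n + a - 1) // a * a


def parse_pe(data):
    """Return section layout, the last file offset the headers account for,
    the overlay size beyond it, and whether a certificate table is present."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:          # PE32+ (x64)
        ndirs_off, dirs_off = opt + 108, opt + 112
    elif magic == 0x10B:        # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    cert_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _, cert_size = struct.unpack_from(
            "<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections, end = [], size_of_headers
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, va, vsize, rawptr, rawsize))
        end = max(end, rawptr + rawsize)      # end of mapped file data
    return {"machine": machine, "sections": sections, "image_end": end,
            "overlay_size": len(data) - end, "signed": cert_size != 0}


def pad_overlay(data, min_size, fill=b"\0"):
    """Append fill bytes after the last section until the file is at least
    min_size bytes. The loader ignores the overlay, so behaviour is unchanged;
    a signed file is refused because Authenticode hashes the trailing bytes."""
    info = parse_pe(data)
    if info["signed"]:
        raise ValueError("certificate table present; padding would break the signature")
    if len(data) >= min_size:
        return data
    padded = data + fill * (min_size - len(data))
    assert parse_pe(padded)["sections"] == info["sections"]   # headers untouched
    return padded


def build_minimal_pe64(code, cert_len=0):
    """Constructed test input: a one-section PE32+ stub (not real linker output).
    cert_len > 0 fakes a certificate table of zero bytes to exercise the refusal."""
    raw_size = _align(len(code), FILE_ALIGN)
    size_of_headers = FILE_ALIGN
    file_end = size_of_headers + raw_size
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<HBBIIIII", 0x20B, 14, 0, raw_size, 0, 0, 0x1000, 0x1000)
    opt += struct.pack("<QIIHHHHHHIIIIHHQQQQII",
                       0x140000000, 0x1000, FILE_ALIGN, 6, 0, 0, 0, 6, 0, 0,
                       0x2000, size_of_headers, 0, 3, 0x8160,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    if cert_len:
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (file_end, cert_len)  # file offset, not RVA
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, raw_size,
                       size_of_headers, 0, 0, 0, 0, 0x60000020)
    headers = dos + coff + opt + sect
    headers += b"\0" * (size_of_headers - len(headers))
    return headers + code + b"\0" * (raw_size - len(code)) + b"\0" * cert_len


if __name__ == "__main__":
    exe = build_minimal_pe64(b"\x48\x31\xc0\xc3")              # xor rax,rax ; ret
    print(len(exe), parse_pe(exe)["overlay_size"])
    print(len(pad_overlay(exe, 64 * 1024)), parse_pe(pad_overlay(exe, 64 * 1024))["overlay_size"])
```

Overlay padding only changes the file's size and hash, so it helps with the size heuristic HSE describes and nothing else: a reputation verdict like Avast's "FileRepMalware" is about how often the hash has been seen, and a signature such as the Gen:Variant.Razy hit is about byte patterns, which is why reordering two procedures changed the outcome. Those clear through a false-positive report to the vendor, prevalence over time, or a code-signing certificate, not through padding, and a padded file can never be re-signed in place, which is the reason the script refuses signed input.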