tests\assets\corkami-poc-dataset\PE\bin\no_dd64.exe flagged as Trojan:Win32/Wacatac.B!ml about pe-parse HOT 6 CLOSED

We directly submodule corkami/pocs for these tests, so no_dd64.exe in our test suite should be identical to the one in the parent repository: https://github.com/corkami/pocs/blob/master/PE/bin/no_dd64.exe

There's a very good chance this is a false positive, since Ange Albertini is a well-known reverse engineer and this PE dataset has been around for a long time. In any case, you should probably report it upstream to the Corkami org, since they might have a way to get it whitelisted.

from pe-parse.

Thanks. I am currently following up with the Microsoft Defender team to understand why it's getting flagged. This was more as an FYI on the off chance this was real.

from pe-parse.

Gotcha, thanks for the heads up! Yeah, as best I can tell, this is a false positive. Here's what Binary Ninja shows me for the one function in the PE:

That mostly looks like gibberish to me (it's popping into RBP instead of creating a stack frame?) and then calling whatever happens to be at that stack address, which is probably why it looks malicious.

Virustotal finds a bunch of mixed results: https://www.virustotal.com/gui/file/6a68f15b358267d78e6b2aed9e7e1ae2fc037a2c6635242a2afa9627ab2c02bd

from pe-parse.

Here's the assembly for it (it's hand coded, which explains the bizarre control flow): https://github.com/corkami/pocs/blob/master/PE/no_dd64.asm

So yeah, I think this is a false positive. It's just doing some nasty tricks to demonstrate that a PE doesn't need a data directory to load imports 🙂

from pe-parse.

Thanks, I appreciate your taking a look. My project, ebpf-for-windows, recently took a dependency on pe-parse and is getting flagged as containing malware, so this was just due diligence to make sure it's a false positive.

from pe-parse.

No problem! Thanks for the diligence.

from pe-parse.