Comments (6)
We directly submodule corkami/pocs for these tests, so no_dd64.exe in our test suite should be identical to the one in the parent repository: https://github.com/corkami/pocs/blob/master/PE/bin/no_dd64.exe
There's a very good chance this is a false positive, since Ange Albertini is a well-known reverse engineer and this PE dataset has been around for a long time. In any case, you should probably report it upstream to the Corkami org, since they might have a way to get it whitelisted.
Thanks. I am currently following up with the Microsoft Defender team to understand why it's getting flagged. This was more as an FYI on the off chance this was real.
Gotcha, thanks for the heads up! Yeah, as best I can tell, this is a false positive. Here's what Binary Ninja shows me for the one function in the PE:
That mostly looks like gibberish to me (it's popping into RBP instead of creating a stack frame?) and then calling whatever happens to be at that stack address, which is probably why it looks malicious.
Virustotal finds a bunch of mixed results: https://www.virustotal.com/gui/file/6a68f15b358267d78e6b2aed9e7e1ae2fc037a2c6635242a2afa9627ab2c02bd
Here's the assembly for it (it's hand coded, which explains the bizarre control flow): https://github.com/corkami/pocs/blob/master/PE/no_dd64.asm
So yeah, I think this is a false positive. It's just doing some nasty tricks to demonstrate that a PE doesn't need a data directory to load imports 🙂
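As an added illustration of the "no data directory" trick discussed in the comment above (example code written for this page, not code from pe-parse or corkami/pocs): a small Python script that reads the PE32+ optional header and reports whether the image declares any data directories at all, and whether the import directory entry is populated. The header bytes it inspects are constructed inline by `build_pe64_header` and are not the real no_dd64.exe; the field offsets come from the PE/COFF format (NumberOfRvaAndSizes at offset 108 of the 64-bit optional header, the directory array at offset 112). A PE that declares zero directories yet still runs imported code is exactly the kind of header/behaviour mismatch that makes heuristic scanners nervous, so reading these fields is a useful first triage step when a test binary gets flagged.

```python
import struct

# Constants from the PE/COFF format (well known, not page-specific).
IMAGE_DOS_SIGNATURE = 0x5A4D            # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550         # "PE\0\0"
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B   # PE32+
IMAGE_DIRECTORY_ENTRY_IMPORT = 1        # index of the import directory
OPT64_FIXED_SIZE = 112                  # bytes before the data directory array
OPT64_NUM_DIRS_OFFSET = 108             # NumberOfRvaAndSizes within the optional header
MAX_DIRECTORIES = 16                    # standard length of the directory array


def build_pe64_header(num_dirs, import_rva=0, import_size=0):
    """Construct a minimal PE32+ header with the given directory count.

    This is constructed sample data for the parser below; it has no
    sections or code and is not the real no_dd64.exe from corkami/pocs.
    """
    e_lfanew = 0x40
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE)
    dos += b"\x00" * (0x3C - len(dos))            # pad up to the e_lfanew field
    dos += struct.pack("<I", e_lfanew)
    size_of_opt = OPT64_FIXED_SIZE + 8 * num_dirs
    # Machine=x64, 1 section, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, size_of_opt, 0x0022)
    opt = struct.pack("<H", IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    opt += b"\x00" * (OPT64_NUM_DIRS_OFFSET - len(opt))   # remaining fixed fields left zero
    opt += struct.pack("<I", num_dirs)
    for i in range(num_dirs):
        if i == IMAGE_DIRECTORY_ENTRY_IMPORT:
            opt += struct.pack("<II", import_rva, import_size)
        else:
            opt += struct.pack("<II", 0, 0)
    return dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + coff + opt


def inspect_data_directories(data):
    """Parse the data directory array of a PE32+ image, trusting neither
    NumberOfRvaAndSizes nor SizeOfOptionalHeader blindly."""
    def u16(off):
        return struct.unpack_from("<H", data, off)[0]

    def u32(off):
        return struct.unpack_from("<I", data, off)[0]

    if len(data) < 0x40 or u16(0) != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a DOS/PE image")
    e_lfanew = u32(0x3C)
    if e_lfanew + 4 + 20 > len(data) or u32(e_lfanew) != IMAGE_NT_SIGNATURE:
        raise ValueError("PE signature missing or out of range")
    coff = e_lfanew + 4
    size_of_opt = u16(coff + 16)
    opt = coff + 20
    if opt + size_of_opt > len(data):
        raise ValueError("optional header runs past end of file")
    if size_of_opt < OPT64_FIXED_SIZE or u16(opt) != IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        raise ValueError("not a PE32+ optional header")
    declared = u32(opt + OPT64_NUM_DIRS_OFFSET)
    # Only read entries that fit inside SizeOfOptionalHeader and the standard array.
    readable = min(declared, (size_of_opt - OPT64_FIXED_SIZE) // 8, MAX_DIRECTORIES)
    dirs = [struct.unpack_from("<II", data, opt + OPT64_FIXED_SIZE + 8 * i)
            for i in range(readable)]
    has_import = (len(dirs) > IMAGE_DIRECTORY_ENTRY_IMPORT
                  and dirs[IMAGE_DIRECTORY_ENTRY_IMPORT] != (0, 0))
    return {
        "number_of_rva_and_sizes": declared,
        "directories": dirs,
        "has_import_directory": has_import,
    }


def triage_notes(data):
    """Observations a reviewer wants when a scanner flags a PE: does the
    header declare any directories, and does it declare an import table?"""
    info = inspect_data_directories(data)
    notes = []
    if info["number_of_rva_and_sizes"] == 0:
        notes.append("no data directories declared; any imports must be resolved by the code itself")
    elif not info["has_import_directory"]:
        notes.append("import directory entry is empty; no PE-level import table")
    if info["number_of_rva_and_sizes"] > MAX_DIRECTORIES:
        notes.append("NumberOfRvaAndSizes exceeds the standard 16-entry array; clamped when reading")
    return notes


if __name__ == "__main__":
    for label, image in (("no directories", build_pe64_header(0)),
                         ("normal", build_pe64_header(16, 0x3000, 0x28))):
        print(label, inspect_data_directories(image)["number_of_rva_and_sizes"], triage_notes(image))
```

The clamp in `inspect_data_directories` is the detail a parser such as pe-parse needs to get right on files like this: the loop must be bounded by the declared count, by what `SizeOfOptionalHeader` actually contains, and by the standard 16-entry array, or a crafted count turns a header walk into an out-of-bounds read.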
Thanks, I appreciate your taking a look. My project, ebpf-for-windows, recently took a dependency on pe-parse and is getting flagged as containing malware, so this was just due diligence to make sure it's a false positive.
No problem! Thanks for the diligence.