ledoge / dwm_lut

Apply 3D LUTs to the Windows desktop for system-wide color correction/calibration
GNU General Public License v3.0
289 stars 31 forks

Windows defender #11

Open alansleep opened 2 years ago

alansleep commented 2 years ago

Hello there, general ledoge, thanks again for your awesome work :) However, I can't use the 3.2 version: the antivirus deletes the .exe immediately with the message "Trojan:Win32/Wacatac.B!ml". I've used every single version and it's the only one that behaves like that, sadly.

ledoge commented 2 years ago

Yeah, no idea why it suddenly thinks that version is malicious when it didn't do that for older versions... I reported the false positive to Microsoft just now, maybe that'll do something?

activedecay commented 1 year ago

So, if I'm trying to duplicate what Windows Defender is doing, where do I find the trojan called "Trojan:Win32/Wacatac.B!ml"?

Is the trojan a dll? Is it a section of the code? Is it in the object files? Is it in a DLL? Is it in a dependency of the project downloaded from vcpkg? Are there tools I can use to inspect the output of the build (It's happening on the DwmLutGUI.exe)?

What is the source of the "false positive" claim made to Microsoft? What's going on with the trojan that exhibits the behavior that is triggering Windows Defender to quarantine the file?

activedecay commented 1 year ago

After uploading the generated executable to VirusTotal, this is the result from the behavior tab:

> Execution: The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.

| Tactic | Technique | Behavior |
| --- | --- | --- |
| Execution TA0002 | Native API T1106 | .NET source code references suspicious native API functions |
| Execution TA0002 | Command and Scripting Interpreter T1059 | accept command line arguments |
| Privilege Escalation TA0004 | Process Injection T1055 | .NET source code contains process injector |
| Privilege Escalation TA0004 | Process Injection T1055 | write process memory |
| Defense Evasion TA0005 | Process Injection T1055 | .NET source code contains process injector |
| Defense Evasion TA0005 | Virtualization/Sandbox Evasion T1497 | Checks if the current process is being debugged |
| Defense Evasion TA0005 | Disable or Modify Tools T1562.001 | Creates guard pages, often used to prevent reverse engineering and debugging |
| Defense Evasion TA0005 | Process Injection T1055 | write process memory |
| Discovery TA0007 | Process Discovery T1057 | Queries a list of all running processes |
| Discovery TA0007 | System Information Discovery T1082 | Queries the cryptographic machine GUID |
| Discovery TA0007 | System Information Discovery T1082 | Reads software policies |
| Discovery TA0007 | System Information Discovery T1082 | Queries the volume information (name, serial number etc) of a device |
| Discovery TA0007 | Virtualization/Sandbox Evasion T1497 | Checks if the current process is being debugged |
| Discovery TA0007 | Security Software Discovery T1518.001 | Checks if the current process is being debugged |
| Discovery TA0007 | Security Software Discovery T1518.001 | AV process strings found (often used to terminate AV products) |
| Discovery TA0007 | Process Discovery T1057 | find process by name |
| Discovery TA0007 | File and Directory Discovery T1083 | check if directory exists |
| Discovery TA0007 | File and Directory Discovery T1083 | check if file exists |

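A small triage script for a listing like the one above, added here as an editor's example (it is not code from the dwm_lut project or from anyone in this thread). It assumes the pasted format: an unindented `<Tactic name> TAnnnn` line, indented `<Technique name> Tnnnn[.nnn]` lines, and unindented free-text behavior lines that belong to the technique above them. The sample input is constructed to mirror the rows in the report, and the `LOW_SIGNAL` / `REVIEW_FIRST` sets are the editor's own reading-order assumptions, not VirusTotal's or Defender's severity ratings.

```python
"""Parse a VirusTotal-style MITRE ATT&CK behaviour listing and sort it for review.

Editor's added example, not dwm_lut project code. Assumed input format: an
unindented "<Tactic name> TAnnnn" line, indented "<Technique name> Tnnnn[.nnn]"
lines, and unindented behaviour lines that belong to the technique above them.
"""
import re
from collections import defaultdict

# Constructed sample in the assumed format. It deliberately repeats behaviours
# under more than one tactic, as the sandbox output does.
SAMPLE_REPORT = """\
Execution TA0002
    Native API T1106
.NET source code references suspicious native API functions
    Command and Scripting Interpreter T1059
accept command line arguments
Privilege Escalation TA0004
    Process Injection T1055
.NET source code contains process injector
write process memory
Defense Evasion TA0005
    Process Injection T1055
write process memory
    Virtualization/Sandbox Evasion T1497
Checks if the current process is being debugged
    Disable or Modify Tools T1562.001
Creates guard pages, often used to prevent reverse engineering and debugging
Discovery TA0007
    Process Discovery T1057
Queries a list of all running processes
    System Information Discovery T1082
Queries the cryptographic machine GUID
Reads software policies
    Virtualization/Sandbox Evasion T1497
Checks if the current process is being debugged
    Security Software Discovery T1518.001
AV process strings found (often used to terminate AV products)
    File and Directory Discovery T1083
check if directory exists
check if file exists
"""

# Tactic lines are unindented and end in TAnnnn; technique lines are indented
# and end in Tnnnn or Tnnnn.nnn. Anything else is a behaviour description.
TACTIC_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z /]*?)\s+(?P<id>TA\d{4})\s*$")
TECHNIQUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<id>T\d{4}(?:\.\d{3})?)\s*$")


def parse_report(text):
    """Return (tactic_id, technique_id, behaviour) triples in listing order."""
    tactic = technique = None
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if m := TACTIC_RE.match(line):
            tactic, technique = m.group("id"), None  # a new tactic group starts
            continue
        if m := TECHNIQUE_RE.match(line):
            technique = m.group("id")
            continue
        if tactic is None or technique is None:
            raise ValueError(f"behaviour line before any technique: {line!r}")
        hits.append((tactic, technique, line.strip()))
    return hits


def count_by_tactic(hits):
    """Raw row count per tactic; overstates, because rows repeat across tactics."""
    counts = defaultdict(int)
    for tactic, _, _ in hits:
        counts[tactic] += 1
    return dict(counts)


def distinct_behaviours(hits):
    """The behaviours actually observed, with cross-tactic repeats collapsed."""
    return sorted({behaviour for _, _, behaviour in hits})


# Editor's assumption: techniques that nearly every legitimate .NET desktop app
# trips (argument parsing, file checks, machine/volume identification, the
# runtime's own debugger check) carry little signal on their own ...
LOW_SIGNAL = {"T1059", "T1082", "T1083", "T1497"}
# ... while these are the ones to open the source for first.
REVIEW_FIRST = {"T1055", "T1518.001", "T1562.001"}


def triage(hits):
    """Bucket rows into a reading order; this is not a verdict on the binary."""
    buckets = {"review_first": [], "low_signal": [], "other": []}
    for _, technique, behaviour in hits:
        if technique in REVIEW_FIRST:
            buckets["review_first"].append((technique, behaviour))
        elif technique in LOW_SIGNAL:
            buckets["low_signal"].append((technique, behaviour))
        else:
            buckets["other"].append((technique, behaviour))
    return buckets


if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    print(f"{len(hits)} rows, {len(distinct_behaviours(hits))} distinct behaviours")
    print("rows per tactic:", count_by_tactic(hits))
    for bucket, rows in triage(hits).items():
        print(f"\n[{bucket}]")
        for technique, behaviour in rows:
            print(f"  {technique:<10} {behaviour}")
```

On the constructed sample the parser yields 14 rows but only 12 distinct behaviours, because "write process memory" and the debugger check are each listed under two tactics; counting rows per tactic therefore inflates the picture, which is why the script reports distinct behaviours separately. The `review_first` bucket collects the process-injection, guard-page and AV-process-string rows, which are the ones a reviewer would want to match against the actual source before deciding whether a detection is a false positive.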
activedecay commented 1 year ago

By inspection, the code seems OK. I'm just curious why some virus scans detect it as a trojan.

cheers! :)