Code golfing to trigger false positives?

qpok
Posts: 5
Joined: Sun Mar 14, 2010 12:51 pm

Code golfing to trigger false positives?

Post by qpok » Sat Aug 27, 2016 7:25 am

Hello,

Would it be possible to have a thread for code golfing to trigger the largest amount of FPs from AVs with the least amount of instructions possible?

TETYYSs
Posts: 98
Joined: Fri Jun 28, 2013 6:51 pm

Re: Code golfing to trigger false positives?

Post by TETYYSs » Sat Aug 27, 2016 9:22 am

browse some yara rules and throw a dozen of them to one binary

qpok
Posts: 5
Joined: Sun Mar 14, 2010 12:51 pm

Re: Code golfing to trigger false positives?

Post by qpok » Sat Aug 27, 2016 10:31 am

TETYYSs wrote: browse some yara rules and throw a dozen of them to one binary
Well, one could consider that cheating (just take EICAR and declare yourself the winner), but there's still the golfing aspect: have the least amount of instructions or smallest binary to trigger FP.
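The two replies above (collect strings from YARA rules, then make the file as small as possible) can be combined mechanically. The script below is an added example for this thread, not code from any poster: it parses a constructed set of YARA rules (the rule names and strings are hypothetical), pulls out every text and hex string, drops patterns already contained in longer ones, and greedily merges the rest on overlapping prefixes/suffixes into one blob, then checks that every rule's strings occur in it. The parser deliberately covers only plain text strings with a few escapes and hex strings without jumps or alternatives, and the checker only models conditions that require every string ("all of them" or `$a and $b`); rules that use `at 0`, `filesize`, counts or PE module checks are not satisfied by string stuffing alone, which is the first thing to verify before calling a blob a "winner".

```python
"""Build the smallest blob that satisfies a set of plain YARA string rules.

Added example for this thread, not any poster's code. SAMPLE_RULES is
constructed text with hypothetical rule names; only simple strings and
conditions that need every string are modelled.
"""
import re

SAMPLE_RULES = r'''
rule Hypothetical_PE_Stub
{
    strings:
        $mz   = { 4D 5A 90 00 }
        $msg  = "This program cannot be run in DOS mode"
    condition:
        all of them
}

rule Hypothetical_Dropper
{
    strings:
        $mz2  = { 4D 5A }
        $frag = "cannot be run"
        $api  = "VirtualAllocEx" ascii
        $url  = "http://example.invalid/update.php"
    condition:
        $mz2 and $frag and $api and $url
}
'''

# One rule per "rule NAME { ... }" with the closing brace on its own line
# (assumption of this parser; hex strings close inline so they do not collide).
RULE_RE = re.compile(r'rule\s+(\w+)[^{]*\{(.*?)\n\}', re.S)
TEXT_RE = re.compile(r'^\s*\$\w*\s*=\s*"((?:[^"\\]|\\.)*)"', re.M)
HEX_RE = re.compile(r'^\s*\$\w*\s*=\s*\{([^}]*)\}', re.M)

_ESCAPES = {"n": 10, "t": 9, "r": 13, '"': 34, "\\": 92}


def _unescape(text: str) -> bytes:
    """Decode the YARA text-string escapes \\n \\t \\r \\\" \\\\ and \\xNN."""
    out, i = bytearray(), 0
    while i < len(text):
        c = text[i]
        if c != "\\":
            out.append(ord(c))
            i += 1
            continue
        nxt = text[i + 1]
        if nxt == "x":
            out.append(int(text[i + 2:i + 4], 16))
            i += 4
        elif nxt in _ESCAPES:
            out.append(_ESCAPES[nxt])
            i += 2
        else:
            raise ValueError(f"unsupported escape \\{nxt}")
    return bytes(out)


def _parse_hex(body: str) -> bytes:
    """Decode a hex string; '??' becomes 0x00 (any byte satisfies a wildcard)."""
    if "[" in body or "(" in body:
        raise ValueError("jumps and alternatives are not supported")
    out = bytearray()
    for tok in body.split():
        if tok == "??":
            out.append(0)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            out.append(int(tok, 16))
        else:
            raise ValueError(f"unsupported hex token {tok!r}")
    return bytes(out)


def parse_rules(text: str) -> dict:
    """Map rule name -> list of byte patterns taken from its strings: section."""
    rules = {}
    for m in RULE_RE.finditer(text):
        name, body = m.group(1), m.group(2)
        if "strings:" not in body:
            continue
        section = body.split("strings:", 1)[1].split("condition:", 1)[0]
        pats = [_unescape(t) for t in TEXT_RE.findall(section)]
        pats += [_parse_hex(h) for h in HEX_RE.findall(section)]
        rules[name] = pats
    return rules


def _overlap(a: bytes, b: bytes) -> int:
    """Length of the longest suffix of a that is also a prefix of b."""
    for k in range(min(len(a), len(b)), 0, -1):
        if a.endswith(b[:k]):
            return k
    return 0


def golf(patterns) -> bytes:
    """Greedy shortest-common-superstring over the unique, non-contained patterns."""
    kept = []
    for p in sorted(set(patterns), key=lambda p: (-len(p), p)):
        if not any(p in q for q in kept):   # already covered by a longer pattern
            kept.append(p)
    while len(kept) > 1:
        best = (0, 0, 1)                    # (overlap, i, j); default = plain concat
        for i, a in enumerate(kept):
            for j, b in enumerate(kept):
                if i != j and _overlap(a, b) > best[0]:
                    best = (_overlap(a, b), i, j)
        k, i, j = best
        merged = kept[i] + kept[j][k:]
        kept = [p for n, p in enumerate(kept) if n not in (i, j)] + [merged]
    return kept[0] if kept else b""


def matches(blob: bytes, rules: dict) -> dict:
    """Naive 'all strings present' check per rule (no counts, offsets or filesize)."""
    return {name: all(p in blob for p in pats) for name, pats in rules.items()}


def build(text: str = SAMPLE_RULES):
    rules = parse_rules(text)
    blob = golf([p for pats in rules.values() for p in pats])
    return blob, rules


if __name__ == "__main__":
    blob, rules = build()
    total = sum(len(p) for pats in rules.values() for p in pats)
    print(f"{len(blob)} bytes cover {total} bytes of patterns: {matches(blob, rules)}")
```

Running the real rules through `yara` against the produced blob is the honest check; this script only tells you the strings are there, not that the condition holds.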

qpok
Posts: 5
Joined: Sun Mar 14, 2010 12:51 pm

Re: Code golfing to trigger false positives?

Post by qpok » Sun Aug 28, 2016 10:49 am

Well, I just briefly tried throwing in an inline NOP asm to a cpp console app, and it triggered 3 behavioural detections, https://virustotal.com/fi/file/6f244cf2 ... 472377017/. Given there are some UWP imports... I've never taken a look at the compiler machinery that makes the c(pp) / asm work. But if an inline asm block triggers a detection, then maybe I should.

```cpp
// MSVC-style inline assembly (32-bit builds only; x64 MSVC has no _asm).
// The block does nothing except emit a single NOP into main().
int main()
{
	_asm {
		nop
	}
	return 0;
}
```

geoffreyvdb
Posts: 16
Joined: Mon Feb 22, 2016 1:00 pm

Re: Code golfing to trigger false positives?

Post by geoffreyvdb » Mon Aug 29, 2016 9:18 am

drop the EICAR string in there :D
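For the "just use EICAR" route it is worth knowing what the EICAR definition actually requires, because an EICAR string buried inside a compiled binary is not the same thing as an EICAR test file. The added example below (mine, not any poster's code) builds and validates a test file per the published definition: the file starts with the 68-byte string, is at most 128 bytes long, and anything after the string is whitespace. Which bytes count as whitespace is my assumption (space, tab, CR, LF). The `classify` helper separates a real test file from a file that merely embeds the string, which the definition does not oblige a scanner to flag even though many do.

```python
"""EICAR test file per the published definition.

Added example for this thread, not any poster's code. The whitespace set
is an assumption of this example.
"""

# The 68-byte EICAR test string, as a raw bytes literal so the backslash survives.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Trailing bytes accepted after the string (assumption: these four).
WHITESPACE = b" \t\r\n"

# Hard upper bound on the file size from the definition.
MAX_LEN = 128


def is_eicar_test_file(data: bytes) -> bool:
    """True if data is a conforming test file: string first, <=128 bytes, rest whitespace."""
    if not data.startswith(EICAR) or len(data) > MAX_LEN:
        return False
    return all(b in WHITESPACE for b in data[len(EICAR):])


def make_eicar_file(padding: bytes = b"") -> bytes:
    """Return the string plus optional whitespace padding, refusing anything non-conforming."""
    data = EICAR + padding
    if not is_eicar_test_file(data):
        raise ValueError("padding must be whitespace only and total length <= 128")
    return data


def classify(data: bytes) -> str:
    """Distinguish a conforming test file from a file that only embeds the string."""
    if is_eicar_test_file(data):
        return "eicar-test-file"
    if EICAR in data:
        return "eicar-string-embedded"   # not required to be detected by the definition
    return "no-eicar"


if __name__ == "__main__":
    with open("eicar.com", "wb") as f:
        f.write(make_eicar_file(b"\r\n"))
    print(classify(b"MZ" + EICAR + b"\x00"))
```

So for the golfing question the floor is 68 bytes, and the file is a valid DOS .COM program in its own right; a C++ build with the string in `.rdata` is a different, larger artifact whose detection depends on each engine's signature, not on the definition.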
