On 18-Jan-18 4:37 AM, VanguardLH wrote:
woo wrote:

Paul wrote:

He also mentions why AVs were false triggering on his InSpectre.exe file
when users were downloading it. One of his on-off toggles involves a
registry change and AVs where triggering on it. So he encrypted the
registry key's name and data item value.

Interesting, I'm not sure how that would work as I'd have thought he'd
have to be calling RegOpenKeyExA and RegSetValueExA where obviously
these are procedures in an external masm library. Or I guess what I'm
saying is that I personally would have no clue how to insert an
encrypted key name in the actual asm code that followed.


Although his tool still writes
to the registry, the AVs stopped triggering on that behavior (they
didn't know what was the registry key's unencrypted name). He submitted
a test version in his private forum to have his subscribers check if the
AVs were still triggering on his .exe file. The download is dated today
but I don't know if it is his test release he gave to his subscribers
and fellow testers. Avast did not alert on the file's download or run.