Two days ago I noticed that a zip file named PPEE (puppy) had been submitted to VirusTotal and was identified as a Trojan variant by five AVs. The file name was in the form used by files downloaded from the woodmann.org tool library.
I guessed that my computer had probably been infected by a trojan before I compiled the code. So I installed Avira Free AV on a fresh system and compiled the code from scratch. But while building the project, Avira blocked the creation of PPEE.exe in release mode. I concluded that it was a false positive. After reviewing the code several times I found the line that caused those AVs to mark PPEE.exe as a trojan:
#pragma comment(linker, "/merge:.rdata=.text")
Yes, merging sections and silly AVs! Merging .rdata into .text leaves the binary with no separate read-only data section and a code section that also carries data, a layout that heuristic scanners associate with packed or obfuscated files. Such AVs can mislead people who trust them.
Obviously, to keep the binaries as small as possible, I packed them with UPX, which is very common among developers, but it seems some AVs have never heard of it! That's why TheHacker falsely marks PPEE.exe as Posible_Worm32.
In the end, I repackaged PPEE(puppy) 1.04.zip with a new build of PPEE.exe, which is now downloadable from mzrst.com. Feel free to use it and report bugs 😉
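To see what these heuristics actually key on, here is a small section-table scanner covering both the /merge case and the UPX case above. It is an added example, not PPEE's code: it parses the IMAGE_SECTION_HEADER table of a PE file and reports the traits a scanner would flag (a section that is both code and initialized data, a writable+executable section, an executable section with no file data, UPX section names, a .text with no .rdata beside it). The three sample images are constructed in memory from headers only; the merged layout assumes the linker gives the combined section the OR of both sections' characteristics, and the UPX layout follows the usual UPX0/UPX1/.rsrc arrangement.

```python
"""Flag the PE section-layout traits that AV heuristics react to.
Added example (not PPEE's code); the sample images below are constructed."""
import struct

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h)
CNT_CODE = 0x00000020
CNT_INITIALIZED_DATA = 0x00000040
CNT_UNINITIALIZED_DATA = 0x00000080
MEM_EXECUTE = 0x20000000
MEM_READ = 0x40000000
MEM_WRITE = 0x80000000

SECTION_HDR = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER
COFF_HDR = "<HHIIIHH"         # 20-byte IMAGE_FILE_HEADER


def parse_sections(image: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, image, e_lfanew + 4)
    off = e_lfanew + 4 + struct.calcsize(COFF_HDR) + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, _, rawsize, _, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, image, off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "rawsize": rawsize, "chars": chars})
    return sections


def section_findings(sections):
    """Return human-readable findings; an empty list means a conventional layout."""
    findings = []
    names = {s["name"] for s in sections}
    for s in sections:
        c = s["chars"]
        if c & MEM_EXECUTE and c & MEM_WRITE:
            findings.append(f"{s['name']}: writable and executable (self-modifying / unpacker)")
        if c & CNT_CODE and c & CNT_INITIALIZED_DATA:
            findings.append(f"{s['name']}: code and initialized data in one section (/merge)")
        if s["rawsize"] == 0 and s["vsize"] > 0 and c & MEM_EXECUTE:
            findings.append(f"{s['name']}: executable section with no file data (filled at runtime)")
        if s["name"].upper().startswith("UPX"):
            findings.append(f"{s['name']}: UPX section name")
    if ".text" in names and ".rdata" not in names:
        findings.append("no .rdata section alongside .text (read-only data merged elsewhere)")
    return findings


def scan(image: bytes):
    return section_findings(parse_sections(image))


def build_pe(sections):
    """Constructed minimal PE32: DOS stub, COFF/optional headers and section table only."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew: PE header follows the DOS header
    opt_size = 224                                     # size of a PE32 optional header
    coff = struct.pack(COFF_HDR, 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + bytes(opt_size - 2)  # PE32 magic, remaining fields zeroed
    table = b"".join(
        struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"), vsize, 0x1000 * (i + 1),
                    rawsize, 0x400, 0, 0, 0, 0, chars)
        for i, (name, vsize, rawsize, chars) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + opt + table


# Constructed sample layouts: (name, VirtualSize, SizeOfRawData, Characteristics)
NORMAL = build_pe([
    (".text", 0x3000, 0x3000, CNT_CODE | MEM_EXECUTE | MEM_READ),
    (".rdata", 0x1000, 0x1000, CNT_INITIALIZED_DATA | MEM_READ),
    (".data", 0x800, 0x200, CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE),
])
# Assumed result of /merge:.rdata=.text: one section carrying the OR of both flag sets
MERGED = build_pe([
    (".text", 0x4000, 0x4000, CNT_CODE | CNT_INITIALIZED_DATA | MEM_EXECUTE | MEM_READ),
    (".data", 0x800, 0x200, CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE),
])
# Usual UPX layout: empty UPX0 that is unpacked into at runtime, UPX1 holding stub and payload
UPX = build_pe([
    ("UPX0", 0x20000, 0, CNT_UNINITIALIZED_DATA | MEM_EXECUTE | MEM_READ | MEM_WRITE),
    ("UPX1", 0x8000, 0x7E00, CNT_INITIALIZED_DATA | MEM_EXECUTE | MEM_READ | MEM_WRITE),
    (".rsrc", 0x1000, 0x1000, CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE),
])

if __name__ == "__main__":
    for label, img in ("normal", NORMAL), ("merged", MERGED), ("upx", UPX):
        print(label, scan(img) or ["nothing unusual"])
```

Run it against a real file with `scan(open("PPEE.exe", "rb").read())`: the unmerged build reports nothing, the /merge build trips the "code and initialized data" and "no .rdata" checks, and a UPX-packed build trips the RWX and UPX-name checks. None of these traits is malicious by itself, which is exactly why treating them as a verdict produces false positives.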