OK, so the easiest way to make a trojan undetectable is by changing the entry point with OllyDbg or whatever... But how do I do it with source code? I am specifically talking about C++ source code. Here is the starting entry point code in C++ for some simple RAT:
CODE
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    ...
    return repeat;
}
setthesun
Feb 18 2005, 08:45 PM
CODE
#pragma comment(linker,"/ENTRY:startupfunction")
If you're using link.exe yourself, just pass "/ENTRY:startupfunction" as an argument. You can also set it in the VS project's linker settings.
extreme
Feb 20 2005, 05:32 AM
Can you explain it a bit more thoroughly? I am just a middle class C coder, and this is all new to me..
setthesun
Feb 20 2005, 07:44 AM
QUOTE(extreme @ Feb 20 2005, 05:32 AM)
Can you explain it a bit more thoroughly? I am just a middle class C coder, and this is all new to me..
Just add this code to the top of your main file.
CODE
#pragma comment(linker,"/ENTRY:startupfunction")
and then use
CODE
startupfunction()
as your entry point.
Killaloop
Feb 20 2005, 09:36 AM
Remember this is an entry point for a Win32 application, not for a console application.
KarachiKing555
Jun 2 2005, 09:35 AM
What can you do with a Delphi console app so that it won't get detected by AVs?
belgther
Jun 3 2005, 09:09 AM
Normally, when you write a program with a main() or WinMain() function, it doesn't start there immediately. The program processes lots of other code before entering the main function, so changing the main function doesn't do the trick.
belgther
Jul 6 2005, 09:45 AM
QUOTE(KarachiKing555 @ Jun 2 2005, 10:35 AM)
What can you do with a Delphi console app so that it won't get detected by AVs?
Anything you write is always undetectable at first. But to make it undetectable forever, use it for private purposes. Or make a program that changes its port and commands randomly.
strohunter
Jul 10 2005, 10:27 PM
QUOTE(KarachiKing555 @ Jun 2 2005, 09:35 AM)
What can you do with a Delphi console app so that it won't get detected by AVs?
This is just a name; only the compiler will see it. Changing it will not trick AVs.
strohunter
Jul 10 2005, 10:28 PM
QUOTE(belgther @ Jun 3 2005, 09:09 AM)
Normally, when you write a program with a main() or WinMain() function, it doesn't start there immediately. The program processes lots of other code before entering the main function, so changing the main function doesn't do the trick.
True, the real entry point is mainCRTStartup (or wmainCRTStartup if UNICODE is defined). This function prepares some things depending on whether you are writing a console app with main or a graphical app with WinMain (wmain or wWinMain if UNICODE is defined), then calls your entry procedure (w)main/WinMain and finally calls ExitProcess.
Like you, I would like to change the real entry point in order to write my own mainCRTStartup. I'll search a bit further, but I hope someone here will be able to spare me some googling ^^
Regards.
Bedosman
Jul 19 2005, 12:23 PM
Just one noob question. I know what the entry point is, but what is OllyDbg? A tool to change the entry point very easily?
Thanks for your answers.
A2_
Jul 19 2005, 04:17 PM
QUOTE(Bedosman @ Jul 19 2005, 07:23 AM)
Just one noob question. I know what the entry point is, but what is OllyDbg? A tool to change the entry point very easily?
You must change AddressOfEntryPoint in the PE header to the new address of your main/WinMain; use OllyDbg to find it.
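A defender-side check for the field A2_ names here (AddressOfEntryPoint), which is also the field the /ENTRY pragma from setthesun's post ends up steering. This is an added example, not code from the thread or from any tool mentioned in it: a small Python parser that walks the DOS header, PE signature, COFF and optional headers and the section table, reports which section the entry RVA lands in, and flags the header oddities an analyst routinely triages (entry outside every section, in a section not marked executable, in a writable-and-executable section, or in the last section). The images it inspects are header-only samples constructed inside the script; build_sample_pe, entry_point_info and the layout constants are names chosen for this example.

```python
import struct

# Section characteristic bits from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

# Constructed section layouts: (name, VirtualAddress, VirtualSize, Characteristics)
NORMAL_LAYOUT = [
    (".text", 0x1000, 0x800, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", 0x2000, 0x200, 0x40 | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]
# Same image with an extra trailing section that is both writable and executable
PACKED_LAYOUT = NORMAL_LAYOUT + [
    (".pack0", 0x3000, 0x400, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]


def build_sample_pe(entry_rva, sections):
    """Construct a minimal header-only PE32 image (a constructed sample, not a loadable binary)."""
    e_lfanew = 0x40
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew -> PE signature
    size_opt = 224                                        # standard PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<HBB", opt, 0, 0x10B, 14, 0)        # Magic = PE32, linker version
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x00400000)           # ImageBase
    table = b"".join(
        struct.pack(SECTION_FMT, name.encode("ascii"), vsize, va, vsize, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def entry_point_info(data):
    """Locate AddressOfEntryPoint and describe the section it falls in."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    # AddressOfEntryPoint is at offset 16 of the optional header for both PE32 and PE32+
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]

    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_FMT, data, opt + size_opt + i * 40)
        sections.append({
            "name": f[0].rstrip(b"\0").decode("ascii", "replace"),
            "va": f[2],
            "size": max(f[1], f[3]),                      # VirtualSize vs SizeOfRawData
            "chars": f[9],
        })

    info = {"entry_rva": entry_rva, "section": None, "findings": []}
    for idx, s in enumerate(sections):
        if s["va"] <= entry_rva < s["va"] + s["size"]:
            info["section"] = s["name"]
            executable = bool(s["chars"] & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE))
            writable = bool(s["chars"] & IMAGE_SCN_MEM_WRITE)
            if not executable:
                info["findings"].append("entry section is not marked executable")
            if writable and executable:
                info["findings"].append("entry section is writable and executable")
            if idx == len(sections) - 1 and len(sections) > 1:
                info["findings"].append("entry point lies in the last section")
            break
    else:
        info["findings"].append("entry point is outside every section")
    return info


if __name__ == "__main__":
    for label, rva, layout in [("normal", 0x1100, NORMAL_LAYOUT),
                               ("trailing w+x section", 0x3010, PACKED_LAYOUT),
                               ("entry in .data", 0x2040, NORMAL_LAYOUT),
                               ("entry outside sections", 0x9000, NORMAL_LAYOUT)]:
        print(label, entry_point_info(build_sample_pe(rva, layout)))
```

The parser reads only header fields, so it can be pointed at any on-disk PE with open(path, "rb").read(); the findings are triage signals rather than verdicts, since legitimate packers and custom linkers trip them too.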
tibbar
Jul 30 2005, 05:13 PM
This thread is pointless. Changing the entry point will not make a trojan undetected.
extreme
Jul 30 2005, 08:36 PM
Heh, when I started this topic, changing the entry point was all that was needed....
For now, I know only 2 things I can do: 1. encrypt the code section; 2. replace the OEP with the address of a JMP that goes back to the function at the OEP.
But that is still not enough for some AVs. Plus my 2nd trick is detected by BitDefender as ExplorerHijack!?