Mr_X
Oct 20 2003, 03:30 PM
I read an article about trojans and how to hide them. Anti-virus software detects a trojan with a pattern, but if we modify that pattern, the A-V doesn't detect it anymore. One method the author used is to add some NOPs (an assembly instruction that means No OPeration) to the executable every x bytes (that doesn't modify the way the backdoor/trojan works, but it becomes undetectable by A-V).
I programmed this. With this program you can add as many NOPs as you want every x bytes (those are the 2 parameters you can specify).
You can also run the program without parameters to get help.
neb
Oct 20 2003, 03:57 PM
OK great, I'll test it and if it works it's a BIT STRONG
xod
Oct 20 2003, 07:10 PM
Thanks, but it doesn't work for me.
My AV scanner now does not identify the trojan server as such, but it doesn't work anymore.
When I start the server, nothing happens; only a prompt with no content opens for 1 second.
Temptation
Oct 20 2003, 08:25 PM
Thanks, but it didn't work for me either ... :/
But nice try, please go on, this would be a nice tool ...
[EDIT]
I'm wondering if it is working anyway ...
If you change some bytes, the program should work :/
But then I'm asking myself how polymorphic virii are working ...
[/EDIT]
[EDIT]
Mhh, I couldn't sleep so I was thinking of your program ...
It adds a NOP every X byte(s) .. if you do that in the whole
program, it destroys the resources. (If you have a BMP or something,
it could get crashed.) So you have to filter the resources out of the binary.
I'm not sure if NAV or something like that will read the binary file,
sort out the NOPs (right, because they do nothing) and check the code ...
Win2k & XP are not passing the ASM code directly to the CPU, it filters it before
it makes its way ... maybe the AV is doing the same to lower the CPU usage.
Just a few thoughts on a sleepless night ....
[/EDIT]
archphase
Oct 21 2003, 05:42 AM
This could and might bypass heuristic scanners, but signature-based scanners, forget it.
erky
Oct 21 2003, 07:19 AM
Hm, do you consider and take care of all the jumps, branches and whatnot that could happen in the assembly flow? I think if you just expand the file it would mess the program up.
Also I'm wondering if AV can detect a program that's been "rearranged" at the assembly level, kinda hard but not impossible.
I heard some AV has artificial intelligence that adapts its way of scanning?
Mr_X
Oct 21 2003, 04:38 PM
I will answer all of your questions and give some explanation.
First, this program was intended for executable programs and not BMP and other files.
I tested it too after posting it and it doesn't work with a backdoor.
I thought about it and I think that's because the program takes values from inside itself.
About polymorphic virii, I don't know anything and this program was not intended for that.
You can find more information about it on Google. I found information about it in a magazine, "Hackerz voice",
but that's a French magazine.
What erky said is interesting. Here's a little example:
...
xxxx: JMP 1245    ; jump to address 1245
...
1245: MOV AX,5
      MUL BX
If we put a NOP at address 1245 that doesn't change anything, because NOP doesn't do any operation. It'll become:
...
xxxx: JMP 1245    ; jump to address 1245
...
1245: NOP
      MOV AX,5
      MUL BX
| QUOTE (erky @ Oct 21 2003, 07:19 AM) |
Also I'm wondering if AV can detect a program that's been "rearranged" at the assembly level, kinda hard but not impossible.
I heard some AV has artificial intelligence that adapts its way of scanning? |
=> I think a smart AV can detect a "rearranged" program. I heard about a very good (perhaps the best) AV, ViGuard, but I haven't tested it
(it is only available for purchase, there's no trial/shareware version).
Another good one is AVP (a Russian AV). It is available for download.
A last thing, excuse my English, some explanations can be hard to understand (sometimes it's hard for me to explain it in English).
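The jump problem erky raised and the JMP/NOP example above, worked through on real bytes. This is an added example, not Mr_X's tool or any code from the thread: the instruction stream is constructed by hand in 32-bit x86 encoding, and the "fixed" padder assumes the instruction boundaries are already known (a real tool would need a disassembler for that). It shows why inserting NOPs every x bytes breaks a short relative jump and splits a multi-byte instruction, and what padding on instruction boundaries with displacement fix-up has to do instead.

```python
# Added example, not the tool from the post. Shows on a hand-built x86 byte
# string why inserting NOPs "every x bytes" breaks control flow, and what a
# padder must do instead: work on instruction boundaries and re-encode
# relative jumps. Constructed sample, 32-bit Intel encoding.

NOP = 0x90

# Constructed instruction stream (one bytes object per instruction):
#   0: EB 02             jmp short +2   (skips the two INT3 bytes)
#   2: CC CC             int3 ; int3    (would trap if ever executed)
#   4: B8 05 00 00 00    mov eax, 5
#   9: F7 E3             mul ebx
SAMPLE_INSTRS = [b"\xEB\x02", b"\xCC\xCC", b"\xB8\x05\x00\x00\x00", b"\xF7\xE3"]
SAMPLE = b"".join(SAMPLE_INSTRS)


def insert_nops(code, every, count):
    """Naive padding as described in the thread: after every `every` bytes of
    the original, insert `count` NOPs, with no regard for what the bytes are."""
    out = bytearray()
    for i in range(0, len(code), every):
        out += code[i:i + every] + bytes([NOP]) * count
    return bytes(out)


def new_offset(old, every, count):
    """Where the byte at original offset `old` lands after insert_nops()."""
    return old + (old // every) * count


def short_jmp_target(code, at):
    """Offset a short JMP (EB rel8) located at `at` actually branches to."""
    assert code[at] == 0xEB
    rel = code[at + 1] - 256 if code[at + 1] >= 128 else code[at + 1]
    return at + 2 + rel


def pad_between_instructions(instrs, count):
    """Insert `count` NOPs after each instruction and patch every short JMP so
    it still reaches the same instruction. The instruction split is given by
    hand here; a real tool needs a disassembler to recover it, and would also
    have to fix rel32 branches, absolute addresses, relocations and the PE
    section/header sizes, none of which this toy handles."""
    old_starts, new_starts, old, new = [], [], 0, 0
    for ins in instrs:
        old_starts.append(old)
        new_starts.append(new)
        old += len(ins)
        new += len(ins) + count
    out = bytearray()
    for idx, ins in enumerate(instrs):
        ins = bytearray(ins)
        if ins[0] == 0xEB:  # short jmp: recompute the displacement
            old_target = old_starts[idx] + short_jmp_target(ins, 0)
            tgt = old_starts.index(old_target)  # ValueError if target is mid-instruction
            new_rel = new_starts[tgt] - (new_starts[idx] + 2)
            if not -128 <= new_rel <= 127:
                raise ValueError("displacement no longer fits rel8; needs E9 rel32")
            ins[1] = new_rel & 0xFF
        out += ins + bytes([NOP]) * count
    return bytes(out)


def demo():
    """Return (naive, fixed): the sample padded both ways."""
    naive = insert_nops(SAMPLE, every=3, count=1)
    fixed = pad_between_instructions(SAMPLE_INSTRS, count=1)
    return naive, fixed


if __name__ == "__main__":
    naive, fixed = demo()
    # naive: the jmp still encodes +2, but the byte at its new target (offset 4)
    # is INT3; `mov eax,5` moved to offset 5 and has a NOP spliced into its
    # immediate (05 90 00 00 -> 0x9005), leaving a stray 00 opcode that consumes
    # the bytes that used to be `mul ebx`.
    print(naive.hex(" "), "-> jmp lands on", hex(naive[short_jmp_target(naive, 0)]))
    print(fixed.hex(" "), "-> jmp lands on", hex(fixed[short_jmp_target(fixed, 0)]))
```

With every=3 and one NOP, the naive output is `EB 02 CC 90 CC B8 05 90 00 00 00 90 F7 E3 90`: the jump lands on an INT3 and the `mov` immediate is corrupted, which matches the "prompt opens for a second and dies" behaviour reported in the thread. The boundary-aware version yields `EB 04 90 CC CC 90 B8 05 00 00 00 90 F7 E3 90`, with the displacement rewritten to +4 so the jump still reaches the `mov`.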
JDog45
Oct 21 2003, 05:54 PM
| QUOTE (erky @ Oct 21 2003, 07:19 AM) |
Hm, do you consider and take care of all the jumps, branches and whatnot that could happen in the assembly flow? I think if you just expand the file it would mess the program up.
Also I'm wondering if AV can detect a program that's been "rearranged" at the assembly level, kinda hard but not impossible.
I heard some AV has artificial intelligence that adapts its way of scanning? |
I'm not an expert programmer by far, but I have some ASM knowledge. I would be concerned how all these NOPs would affect a jump/branch as well.
archphase
Oct 22 2003, 05:46 AM
Artificial Intelligence = heuristic scanner, knows virii behavior and from that can classify it.
You can litter an executable with NOP instructions and nothing will occur other than maybe knocking off heuristic scanners, as I said above; however I doubt that is a `real` sure way, because the heuristic scanner would disregard the NOPs as trickery.
An effective method for concealing or hiding is having something like this (win32):
PE Header
Stub
Body (encrypted).
Where the PE header is a normal PE header or packed with FSG or UPX, then the stub decrypts the main body of the virii code. Mosucks the trojan implements this for like a 60% difference, but you still have your stub, and to really get into that you have to go metamorphic, which I believe there's been like 1 engine or 2 of, but a bunch of papers on it.
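The header/stub/encrypted-body layout above, modelled as an added example (not code from this post or from any real crypter) to show what a byte-pattern scanner can still match. Everything in it is constructed: the "stub" is a fixed placeholder string rather than real decryptor code, the body is a made-up blob containing one "signature" substring, and the per-build key is derived with SHA-256 from a build id so that the body bytes differ between builds while the stub does not. It also shows the check archphase's "you still have your stub" implies: a scanner that follows the stub's layout and decrypts the body gets the original signature back.

```python
# Added example, not from the post or any real crypter. Models the layout
# archphase describes (PE header, constant stub, encrypted body) just well
# enough to show what a byte-pattern scanner can and cannot match.
# All byte strings are constructed placeholders.
import hashlib

HEADER = b"MZ..PE..(header placeholder)"
STUB = b"<stub: pushad; lodsb; xor al,key; stosb; loop>"   # identical in every build
BODY = b"<body> connect back; open shell; MOV AX,5; MUL BX </body>"
SIGNATURE = b"MOV AX,5; MUL BX"        # the pattern an AV would carry for the body
STUB_SIGNATURE = b"xor al,key; stosb"  # the pattern an AV would carry for the stub
KEY_LEN = 16


def xor_crypt(data, key):
    """Toy body cipher: repeating-key XOR (symmetric, so it also decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build(body, build_id):
    """Assemble header + stub + key + encrypted body. The key is derived from a
    build id so each build gets a different body; it is stored in the clear
    right after the stub, which is where the stub would read it from."""
    key = hashlib.sha256(b"key:" + build_id).digest()[:KEY_LEN]
    return HEADER + STUB + key + xor_crypt(body, key)


def scan(sample, patterns):
    """Signature scanner as the thread describes it: plain substring match.
    Returns the sorted names of the patterns that matched."""
    return sorted(name for name, pat in patterns.items() if pat in sample)


def unpack(sample):
    """What an emulating scanner effectively does: follow the stub's own
    layout to recover the key and decrypt the body, then scan that."""
    start = len(HEADER) + len(STUB)
    key = sample[start:start + KEY_LEN]
    return xor_crypt(sample[start + KEY_LEN:], key)


PATTERNS = {"body": SIGNATURE, "stub": STUB_SIGNATURE}


def demo():
    """Build the same body twice with different keys and scan both ways."""
    a = build(BODY, b"build-1")
    b = build(BODY, b"build-2")
    return {
        "plain": scan(BODY, PATTERNS),             # body signature matches
        "packed": scan(a, PATTERNS),               # only the stub signature matches
        "rebuilt_differs": a != b,                 # body bytes change with the key
        "stub_same_offset": a.index(STUB) == b.index(STUB),
        "after_unpack": scan(unpack(a), PATTERNS), # body signature is back
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The body signature disappears from the packed sample and every rebuild changes the body bytes, but the stub sits at the same offset with the same bytes in every build, so a signature on the stub still fires; and once the scanner decrypts the body the way the stub would, the original signature matches again. That is the gap between an encrypted body and the metamorphic stub the post says you need.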
TheDuck
Oct 22 2003, 07:54 AM
Thank you!!! Nice tool