Full Version: [tut] Modifying Hxdef Rootkit
30 days from 1st installation of trial i think!!
Well I can safely say my version is not time-bombing. I don't know if it's detected by KAV (I need to find someone with it) but I know it's not time-bombing right now. I'll let you know more once I get it scanned on a KAV machine.
Out of interest, open your server in a resource editor, and see if you can spot the time countdown... if it's the proper version it will be 69kb.
the time out version is 71kb.
first of all
THX 4 this very kewl info ;-) But with my luck it doesn't work... I used your instructions and successfully created the .exe file, where I've changed the variables... My Norton AV 2004 also said "Hack Defender Virus"...
thx
very useful tut
i'll have a go at this good work mate
Ment0r, you messed up somewhere. I think I forgot to say you need to change the name of the logfile... and the mailserver lines etc etc.
Tibbar, 69KB here =D And I'm using 7 Trial -> Enterprise patch. Still haven't gotten it done on KAV though. Need to find someone...
yup.. 69KB here too and using the same delphi "patch" as phaenton.. And mine doesn't get detected by KAV
Jipsu did you follow my guide or did you do something else?
ok this is interesting...
i tried two compile methods. 1) on legitimate Delphi 7 Enterprise, from install CD... result: KAV detects it. 2) on trial + crack... undetected by KAV. It seems that the cracked trial must leave some residual time code that doesn't run in the .exe, which hides it from KAV.
Just followed your guide
Ok good
@phaeton i changed the values successfully
but the exe got detected by NAV 2004
i don't dispute that the compiled file from the cracked Delphi 7 trial is undetected.
All I'm saying is if you recompile it on the legitimate Delphi 7, it is detected by KAV.
mentor, make sure you change all RK_ values also, and all other hxdef strings
didn't find any more RK_ variables, everything seems ok, don't know ^^
i'd reward someone who hexes my kit.
Why would you need to hex a kit? Mine is 100% undetectable and I just recompiled it.
mmm. i just add some bytes and pack it with UPX and also it isn't detected..
nice post dude ... I was looking for a tut on hxdef and you post it ^^
THX
This still workin'? Think I'm gonna give it a shot
Yessir Skeelow, still works
Hello, I would like to know how to hide a file from FTP, i.e., so that in the list (ex: /c:/winnt/system32/hxdef100.exe) one does not see it
really? u mean by kav? or what..
mchakal: can you be a bit more specific, sorry I couldn't understand what you said...
nice!
Great Tutorial
Thanks for sharing!
latest symantec update detects the modified version now
Good tut, but now the rootkit is detected by nav.
Interesting, I'll take a look @ it when I get a chance.
mine is still undetected by Norton, only detected by KAV
it's detecting the switch initializer.
change it.
there is another reference to hxdef there.... in .\Device\UDP\.\?.?\HxDef, also it could be detecting names of the fields in .ini, also switches could be detectable too
I made mine undetected by McAfee and NAV as of March 1st. There are a crapload of things you need to change. Also, it looks like any file packed with Morphine is now detected by McAfee as virii, whether it's virii or not :-( That really really sucks.
Do i only have to change the "-rk*" in these 2 lines or also in the other lines where "-rk*" is in? For example:
you need to change all the rk- instances (and hxdef too)
Yep, too true, McAfee deletes every Morphine-packed file, but I think they will remove this by the next update cause this is kinda stupid I would say. Also they added some Serv-U versions to their list. Keeps deleting half of my files from HDD but most of them are nothing (services.exe to show me the service list for example...). Lame ass AV ^^
http://yousmelllikeshit.com/files/hxdef-builder-3.rar
with this u can compile hxdef without Delphi, VC or the DDK..
I changed the driver source files and tried to build a new driver.sys with the DDK.
The DDK gives no errors and compiles. But there is no new driver in /objfre/386 !? Edit: Already fixed that prob. It was the jvc problem.
Should I also rename the new hxdef.exe?
If yes: Rename it with the same characters that replaced "hxdef" in source?
F:\hxdef-builder-3>comp\dcc32 -Udcus;units hxdef100.dpr
Borland Delphi Version 15.0 Copyright © 1983,2002 Borland Software Corporation
hxdef100.dpr(15) Fatal: File not found: 'USysUtils.dcu'
and there is no 'USysUtils.dcu' in the hxdef100.zip. Where to get 'USysUtils.dcu'? help plz.. //edit found it, this one with src.zip http/rootkit.host.sk/release/hxdef100.zip
axora, the name of the exe doesn't matter.
and that hxdef builder is hosted on my site
wow. much appreciation for this. Had been curious how to do so but didn't know where to start, thanks again. *goes off to fiddle*
thanks for the info, it's so easy to make an (anti-vir) trojan and rootkit with a little bit of modification, thanks
metrox
phaeton:
Thank you for this really good, easy and working tutorial. Finally I worked out some time to test this. Everything is working fine but rdrbs100.exe is detected by NAV 2004 Pro. Anyone got rdrbs100.exe undetected and could give little tips on what to modify? And should I also modify bdcli100 (backdoor client)? Because NAV detects it in the original pack.
Works fine now. Thanks for tut.
as of the 31 March McAfee Enterprise virus definitions: 4346, scan engine: 4.3.20, compiled hxd
are picking up all versions, hxd source code and driver. Can not seem to work out what they are picking up as yet. Anyone else found this? Think they have changed their checksum strings
When you view the sources of hxdef and change all references, it looks good, but check the hex of the compiled exe: still a reference to hxdef in one line
NAV is detecting the driver for some while now (edited with the method mentioned above). Any idea how to make it undetectable again?
I got no problem hiding the files from NAV (Enterprise Edition), but McAfee picks up the driver for some reason. I don't seem to get it..
anyone knows what McAfee looks for? changed a lot without luck