Full Version: Av Offsets?
DJVandal
Anybody have a set of A/V signatures they are willing to share? I am new to the trojan/virus bit of our business but have been reading up on both and have found it very interesting how changing a signature can be enough to fool A/V.

Also, I am looking for a site similar to the now defunct Trojan Forge.

Thanks to all for any insight you can provide.
easternerd
It wouldn't be right to post a place where you can get a virii signature, which is nothing but virii itself.
But instead you can maybe suggest a couple of virii you want to study, and if it's in my collection I shall send it to you.
herman2k
I use the tool AVdevil; with this you can find the offsets. This tool is from a German www.Ratboard.de coder, look there if you don't trust me.

I've tried it with Norton, Antivir and KAV and it works.

Here a small tutorial for KAV:

1. Turn off your KAV Monitor
2. Open AVdevil (if you have problems opening AVdevil, then you must exclude it first)
3. Select the path of your Trojan
4. Then a message comes; you must click OK
5. After that a new message comes; you must then turn on the AV monitor and then click OK
6. KAV opens some messages which you do not click away
7. At the end of the waiting you have the offsets
8. Then use a Hex Editor and bla bla bla
Daume
@herman2k

Hey, I tested your method with the AV Devil. When I run the prog just like you say, a folder "test" creates itself and contains 2 files, file0.tmp and file1.tmp.

What are those for? Shouldn't the AV Devil give you the AV offsets in the AV Devil program?

Appreciate your feedback.

[edit]

Never give up, right ^^ Well, the AV Devil gave me what I was looking for.

1.offset
Begin 1300D
End 1313E
End

That's the given result, now let's hex.

Cheers

[/edit]
saetji
Or you can try avpoffset by sennaspy, but I think AV DEVIL is better ;o
strasharo
Saetji, could you please upload avpoffset, because the homepage of sennaspy isn't accessible at the moment.

Thanks in advance!

Have a nice day.

//EDIT: Sorry, I found it at last: https://vx.helith.net/~sennaspy/

Btw, has anyone tried AV Devil with F-Prot? I can't get any results...
DJVandal
QUOTE (easternerd @ Sep 22 2004, 04:50 AM)
It wouldn't be right to post a place where you can get a virii signature, which is nothing but virii itself.
But instead you can maybe suggest a couple of virii you want to study, and if it's in my collection I shall send it to you.

@easternerd Well, I am not interested in any one particular virus or one group of viri, more in the methods that are used, as I have a very basic understanding of viri. But thank you very much for the offer of assistance; if it's OK I will add you to my ICQ.

@herman2k Thanks, I will experiment with your program.

@strasharo Thanks, I too had read about this program on this forum but was unable to locate it.
nEbur-k0rk
Hey... How do I hex the offsets? I'm really a noob, but I do know how to HEX. I have found the offsets on the Optix Pro server with McAfee, but when I find the offsets in the HEX editor, I don't know what to do with it...
RedShadow
Delete it: possibly change it to 00 00 00 00 00 or something, just a hint =)
nEbur-k0rk
QUOTE(RedShadow @ Oct 2 2004, 09:33 PM)
Delete it: possibly change it to 00 00 00 00 00 or something, just a hint =)

Hmm.. Will just say exactly what I did... I did that stuff with AV Devil, found out that the offsets were Begin - 43FFD and End - 441EE... Then I opened Hex Workshop and hexed the EXACT offset (I changed 00 to 01) and the same with the End offset... now the file is UNDETECTED..! But.... when I double click on the file with autoprotect on.. DOH.. It detects a heuristic virus called New Malware.b!!
FUUCK god damn..! I don't know what to do with this god damn thing.... I'M STUCK... Just if anyone could help me...! If you have experience with this homo-thingy, then please mister.. Can you contact me at kristofferwarming@hotmail.com (MSN or Email)..
Thanks for your kindness mister... edit: PS I LOVE GOVSEC FORUMS MAAN!
passtheblunt
QUOTE(nEbur-k0rk @ Oct 4 2004, 01:02 PM)
QUOTE(RedShadow @ Oct 2 2004, 09:33 PM)
Delete it: possibly change it to 00 00 00 00 00 or something, just a hint =)

Hmm.. Will just say exactly what I did... I did that stuff with AV Devil, found out that the offsets were Begin - 43FFD and End - 441EE... Then I opened Hex Workshop and hexed the EXACT offset (I changed 00 to 01) and the same with the End offset... now the file is UNDETECTED..! But.... when I double click on the file with autoprotect on.. DOH.. It detects a heuristic virus called New Malware.b!!
FUUCK god damn..! I don't know what to do with this god damn thing.... I'M STUCK... Just if anyone could help me...! If you have experience with this homo-thingy, then please mister.. Can you contact me at kristofferwarming@hotmail.com (MSN or Email)..
Thanks for your kindness mister... edit: PS I LOVE GOVSEC FORUMS MAAN!

Well, it sounds like you just turned it into another version of whatever it was. Just keep going through it until it's not detected anymore. But be careful not to corrupt the file.
netxman
herman2k.

What's wrong with what I did?

First I disable McAfee On-Access Scan and open AV Devil.

Then I open the file called server.exe of Beast 2.07.

The message comes; before clicking OK I found that the server.exe had disappeared.

So it's sure that it could not find the offset.


I don't know why, so I put notepad.exe in the test directory; after the same steps, the file disappeared too.


/edit: Why can I not post a second time?

I think I found the reason. I changed the original directory to the desktop, selected the server.exe of Beast 2.07, and this time it didn't disappear. But when I went to do the next step, AV Devil told me this file is already undetected. Really? I enabled McAfee and checked it... it told me that it is BackDoor-AMQ. (Crying..)
DJVandal
Sounds like the server melted into your system. I would try connecting to yourself with the client.
netxman
I'm sure I didn't run it. And there isn't any process for server.exe.

Don't joke with me, give some advice first.
Eyeless
lol, you shouldn't see server.exe in the process list. If you used "injection" you won't see anything if you didn't look for the name YOU specified.
netxman
QUOTE(Eyeless @ Oct 14 2004, 07:22 AM)
lol, you shouldn't see server.exe in the process list. If you used "injection" you won't see anything if you didn't look for the name YOU specified.

All is the default configuration, so no DLL injection.

I just want to know how to hex a server.exe anti KVs; anyone know?