Pseudonym
Just wondering what are all the ways to make a file undetected without the source?


Here are some

- Packing
- Binding
- Crypting
- Hex modifying
- Packing, then removing the packer's headers.
- Changing the entry point.
- Using something like code pervertor which can replace instructions
in the file with other instructions which will do the same thing.

Can anybody else think of any other methods?
belgther
i have an idea:
adding codes so that it kills AV or adds itself to the trusted list of the firewall software to bypass them
relax
QUOTE(belgther @ Jan 11 2005, 03:15 PM)
i have an idea:
adding codes so that it kills AV or adds itself to the trusted list of the firewall software to bypass them

not much use for virus scanners which actually scan files in a "live" state
belgther
QUOTE(relax @ Jan 11 2005, 05:45 PM)
QUOTE(belgther @ Jan 11 2005, 03:15 PM)
i have an idea:
adding codes so that it kills AV or adds itself to the trusted list of the firewall software to bypass them

not much use for virus scanners which actually scan files in a "live" state

ok then instead of being lazy, we can write our own virus/trojan so the AV doesn't detect it... i know, he means modifying an existing file, but this is such a lazy method...
Pseudonym
Well you want to add some code to the file that will kill the A/V right?

Okay, so we have our detected file, and we have our A/V killer code, we add it together. We send it to the computer but.... How are we going to open it? In order to kill the A/V you have to open the file, so that the A/V killer code is executed, but you cannot do that because it is attached to a file which is detected.

That method won't work, unless you sent an undetected A/V killer first, then executed that.

Also, as well as file packers, file protectors can make files undetected sometimes.


crafty
i have a 100% undetected Bifrost server

pm me if ur interested...

Antivirus Version Update Result
AntiVir 6.29.0.7 01.13.2005 -
AVG 718 01.12.2005 -
BitDefender 7.0 01.14.2005 -
ClamAV devel-20041205 01.13.2005 -
DrWeb 4.32b 01.13.2005 -
eTrust-Iris 7.1.194.0 01.14.2005 -
eTrust-Vet 11.7.0.0 01.14.2005 -
F-Prot 3.16a 01.12.2005 -
Kaspersky 4.0.2.24 01.14.2005 -
NOD32v2 1.970 01.13.2005 -
Norman 5.70.10 01.11.2005 -
Panda 8.02.00 01.13.2005 -
Sybari 7.5.1314 01.14.2005 -
Symantec 8.0 01.13.2005 -

checked with virustotal
crafty
packers/encryptors detected by DrWeb AntiVirus (the best av)

ASPACK
BITARTS
BJFNT
COM2EXE
COMPACK
CONVERT
CryptCOM
CryptEXE
DEFILER
DIET
DXPACK
ENCODED
SCRIPT
EXE32PACK
EXEPACK
EZIP
FSG
HDD
IMAGE
JDPACK
KRYPTON
LZEXE
MEW
MOLEBOX
MORPHINE
MSFT
OPTLINK
PCSHRINK
PEBUNDLE
PECOMPACT
PECRYPT
PEDIMINISHER
PELOCK
PEPACK
PESHIELD
PESPIN
PETITE
PEX
PGMPAK
PHANTASM
PKLITE
PROTECT
SHAOLIN
SPLASHER
TELOCK
TINYPROG
UCEXE
UPC
UPX
VECNAPACK
VGCRYPT
WWPACK
WWPACK32
WINEXE
WINKRIPT
YODA
CPAV
F-XLOCK
PGPROT
VACCINE

good luck people
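The posts above list packing, crypting and entry-point changes as the usual tricks, and crafty's list shows that an AV engine identifies many packers simply by name. From the defender's side those same traits are what a static triage pass looks for before any signature is consulted. The following is an added example, not code from the thread or from any product it names: a pure-Python check that parses the PE section table, flags known packer section names (a short list assumed for the demo), high-entropy sections, an executable section with no file-backed data, and an entry point that falls outside the first section. It runs over two PE images constructed inline, one with a plain .text/.data layout and one with a UPX-like layout.

```python
"""Static packing triage for a PE file: known packer section names, section
entropy and where the entry point lands. Added example, not code from the
thread; the minimal PE parser below reads only the fields it needs."""
import math
import random
import struct

# Section names that widely circulated packers leave behind. Short list
# assumed for the demo; real triage tools carry much longer tables.
PACKER_SECTION_NAMES = {
    b"UPX0", b"UPX1", b"UPX2",      # UPX
    b".aspack", b".adata",          # ASPack
    b".petite",                     # Petite
    b".nsp1", b".MPRESS1",          # NsPack, MPRESS
}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from a raw PE file image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    table = opt + size_opt
    sections = []
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, 2 pointers, 2 counts, Characteristics (40 bytes)
        (name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars) = struct.unpack_from(
            "<8sIIIIIIHHI", image, table + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0"), "va": va, "vsize": vsize,
                         "raw": raw, "entropy": shannon_entropy(raw),
                         "exec": bool(chars & IMAGE_SCN_MEM_EXECUTE),
                         "write": bool(chars & IMAGE_SCN_MEM_WRITE)})
    return entry_rva, sections


def triage(image: bytes) -> list:
    """Return human-readable packing indicators; an empty list means none fired."""
    entry_rva, sections = parse_sections(image)
    findings = []
    ep = next((s for s in sections
               if s["va"] <= entry_rva < s["va"] + max(s["vsize"], len(s["raw"]))), None)
    if ep is None:
        findings.append("entry point 0x%X lies outside every section" % entry_rva)
    else:
        if ep is not sections[0]:
            findings.append("entry point in %r rather than the first section" % ep["name"])
        if ep["exec"] and ep["write"]:
            findings.append("entry section %r is writable and executable" % ep["name"])
    for s in sections:
        if s["name"] in PACKER_SECTION_NAMES:
            findings.append("known packer section name %r" % s["name"])
        if s["entropy"] > HIGH_ENTROPY:
            findings.append("high entropy %.2f in %r" % (s["entropy"], s["name"]))
        if s["exec"] and not s["raw"] and s["vsize"] >= 0x1000:
            findings.append("executable section %r has no file data (unpack target?)" % s["name"])
    return findings


def build_sample_pe(packed: bool) -> bytes:
    """Constructed minimal PE32 image (DOS header, headers, two sections).
    packed=True mimics a UPX layout: empty UPX0 plus a random-looking UPX1
    that holds the entry point. packed=False is a plain .text/.data layout."""
    if packed:
        rng = random.Random(7)  # deterministic stand-in for compressed bytes
        body = bytes(rng.getrandbits(8) for _ in range(0x800))
        specs = [(b"UPX0", 0x10000, 0x1000, b"", 0xE0000080),
                 (b"UPX1", 0x1000, 0x11000, body, 0xE0000040)]
        entry_rva = 0x11000 + 0x100
    else:
        code = b"\x55\x8b\xec" + b"\x90" * 0x200 + b"\xc9\xc3"  # low-entropy stub
        specs = [(b".text", 0x1000, 0x1000, code, 0x60000020),
                 (b".data", 0x1000, 0x2000, b"hello world\0" * 16, 0xC0000040)]
        entry_rva = 0x1000 + 0x10
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                                # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    first_raw = (0x40 + 4 + 20 + 224 + 40 * len(specs) + 0x1FF) & ~0x1FF  # 0x200-aligned
    table, blobs = b"", b""
    for name, vsize, va, raw, chars in specs:
        ptr = first_raw + len(blobs) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(raw), ptr, 0, 0, 0, 0, chars)
        blobs += raw + b"\0" * (-len(raw) % 0x200)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + table
    return headers + b"\0" * (first_raw - len(headers)) + blobs


if __name__ == "__main__":
    for label, packed in (("clean layout", False), ("UPX-like layout", True)):
        print(label, "->", triage(build_sample_pe(packed)) or ["no indicators"])
```

Renaming the sections or stripping the packer's header, as the first post suggests, removes only the name match; the entropy and the entry-point location survive that, which is why triage tools weigh several weak indicators together rather than trusting any single one.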
droppunx
Make your own packer? I know the list so far has been quick script-kiddie ways of getting around AV, but as crafty noted most packers/encrypters these days are picked up by up-to-date good AV's.

In case someone's interested or looking for more info here is a tutorial on writing your own packer

Grtz,
droppunx
ScOOt3r
I often Hex Edit files myself, change header or just mix something up and 99.9% of the time it becomes undetectable by any AV.. just wanna let you guys know.


Thanks Drop that is a great tut.. hope some will learn something from it.
Gonna Bookmark that one!

ScOOt3r!
jead99
Agree that hex editing works in many cases but it would be nice to make your own packer like in the tut provided by droppunx.

Btw. thanks for the link, just what i've been looking for to get started on this project.
crafty
to make bifrost and any trojan undetected the simplest and easiest way is to find a win32 PE .exe file source code protection software, that's the best hint i can give you.

example: search google for "win32 source code protection", download

test your virus/trojan at www.virustotal.com

if you still need help msg me.

Eyeless
LOL I still don't know why people think it is script kiddish to not write their own software; if we take it to the extreme, using C++ or VB etc. is script kiddish: you would have to create your own scripting language not to use someone else's creation... I say find the fastest method using the assets available to you to get the result you want. It's only script kiddish if you are doing it without a purpose and have no idea why it works.
ninar12
here are some tools u can use

PE EXE modifier:
32lite 0.03a
AHTeam EP Protector v0.3 ASPack 2.12
ASPack 1.01b
ASPack 1.02b
ASPack 1.04b
ASPack 1.05b
ASPack 1.061b
ASPack 1.061b [DLL]
ASPack 1.07b
ASPack 1.07b [DLL]
ASPack 1.08
ASPack 1.081
ASPack 1.082
ASPack 1.083
ASPack 1.084
ASPack 2.000
ASPack 2.001
ASPack 2.100
ASPack 2.12
ASProtect 1.23 - 1.31 b0427
ASProtect 1.23 RC1
Adobe PhotoShop Plugin
Alloy 1.04.14.2000
AppLok 95 2.0
Armadillo 1.80 (console)
Armadillo 1.80 (gui)
Armadillo 1.80b3 (console)
Armadillo 1.80b3 (gui)
Armadillo 1.90b2 (console)
Armadillo 1.90b2 (gui)
Armadillo 1.90b3 (console)
Armadillo 1.90b3 (gui)
Armadillo 1.90b4 (console)
Armadillo 1.90b4 (gui)
Armadillo 1.91c (console)
Armadillo 1.91c (gui)
Armadillo 2.00 (console)
Armadillo 2.00 (gui)
Armadillo 2.00b1 (console)
Armadillo 2.00b1 (gui)
Armadillo 2.00b2/b3 (console)
Armadillo 2.00b2/b3 (gui)
Armadillo 2.01 (console)
Armadillo 2.01 (gui)
Armadillo 2.10 - 2.20 (console)
Armadillo 2.10 - 2.20 (gui)
Armadillo 2.50 (console)
Armadillo 2.50 (gui)
Armadillo 2.50b1a (gui)
Armadillo 2.50b3 (console)
Armadillo 2.50b3 (gui)
Armadillo 2.51 (DLL)
Armadillo 2.51 (console)
Armadillo 2.51 (gui)
Armadillo 2.52 (DLL)
Armadillo 2.52 (console)
Armadillo 2.52 (gui)
Armadillo 2.52b2 (console)
Armadillo 2.52b2 (gui)
Armadillo 3.40 (DEMO)
Armadillo 3.50a (DEMO)
Armadillo 3.50b1 (DEMO)
BJFNT 1.1
BJFNT 1.2
BJFNT 1.3
Borland C++ (1994)
Borland C++ (1995)
Borland C++ (1999) [DLL]
Borland C++ (1999) [EXE]
Borland Delphi 3 (1)
Borland Delphi 3 (2)
Borland Delphi 4
Cexe 1.0a/1.0b
CodeCrypt 0.14b
CodeCrypt 0.15b
CodeCrypt 0.163b
CodeCrypt 0.164b
CodeCrypt 0.16b - 0.161b
CodeSafe 2.0
CodeSafe 3.0
Crunch 2.0.0.2
CrypKey Instant Stealth 5.0.161
Digital Mars D 0.88
Ding Boys PE-lock 0.07
EXE Protector 1.37a
EXE Shield v0.5
EXE Stealth 2.73
ExeShield 2.7a
ExeShield 2.7b
FSG 1.0
FSG 1.1
FSG 1.2
FSG 1.3
FSG 1.31
FSG 1.33
Harlequin Dylan 1.2
JDPack 1.01
JDProtected 0.90b
Lcc-win 32 1.3
Microsoft CAB SFX
Mingw GCC
NFO 1.0
NeoLite 1.0 - 1.01
NeoLite 1.04
NeoLite 2.00
PCPEC [alpha]
PE password protector by SMT
PE-Crypt 1.0
PE-Crypt 1.01
PE-Crypt 1.02
PE-Prot 0.9
PEBundle 0.03
PEBundle 0.05
PEBundle 0.05wtd
PEBundle 0.06
PEBundle 0.12wtd
PEBundle 0.14wtd
PEBundle 0.15wtd
PEBundle 1.00b3 - 1.02
PEBundle 1.00b3wtd
PEBundle 1.02wtd
PECompact 0.92
PECompact 0.977
PECompact 0.978
PECompact 0.978.1
PECompact 0.978.4
PECompact 0.98
PECompact 0.99
PECompact 1.00
PECompact 1.10 b1
PECompact 1.10 b2
PECompact 1.10 b3
PECompact 1.10 b4
PECompact 1.10 b5
PECompact 1.10 b6
PECompact 1.10 b7
PECompact 1.10 b8
PECompact 1.20 - 1.20.1
PECompact 1.22
PECompact 1.23 b3 - 1.24.1
PECompact 1.24.2 - 1.24.3
PECompact 1.25
PECompact 1.26b1 - 1.26b2
PECompact 1.33
PECompact 1.34 - 1.40b1
PECompact 1.40 - 1.45
PECompact 1.40b2 - 1.40b4
PECompact 1.40b5 - 1.40b6
PECompact 1.46
PECompact 1.50
PECompact 1.55 - 1.56
PECompact 1.60 - 1.65
PECompact 1.66
PECompact 1.67
PECompact 1.68 - 1.84
PECompact 2.00b build 100
PECompact 2.02 - 2.07
PELOCknt 2.01
PELOCknt 2.02ß
PELOCknt 2.03
PELOCknt 2.04
PELock 1.06
PEShield 0.2b2
PESpin v0.3
PKLite32 1.1
PeX 0.99
Petite 1.2
Petite 1.3a
Petite 1.4
Petite 2.0
Petite 2.1
Petite 2.2 [PE DLL]
Petite 2.2 [PE EXE]
PowerBasic 7
Private EXE 2.0a
Private EXE 2.0a - 2.2
SPEC beta 3
SecuPack 1.5
Shrinker 3.2
Shrinker 3.4
Stone's PE Encrypter 1.0
Stone's PE Encrypter 1.13
Stone's PE Encrypter 2.0
Symantec Visual Cafe 3.0
UPX 0.50 - 0.51 [PE DLL]
UPX 0.50 - 0.51 [PE]
UPX 0.61 [PE DLL]
UPX 0.61 [PE]
UPX 0.62 [PE DLL]
UPX 0.62 [PE]
UPX 0.70 [PE DLL]
UPX 0.70 [PE]
UPX 0.71 - 0.72 [PE DLL]
UPX 0.71 - 0.72 [PE]
UPX 0.80 - 0.84 [PE DLL]
UPX 0.80 - 0.84 [PE]
UPX 0.81 - 0.84 [PE] (Delphi/C Builder)
UPX 0.89.6 - 0.94 [PE DLL]
UPX 0.89.6 - 1.02 / 1.05 - 1.24 [PE]
UPX 0.89.6 - 1.02 / 1.06 - 1.07 [PE] (Delphi/C Builder)
UPX 0.89.6 [PE DLL]
UPX 0.93 [PE] UnHack32 1.1
UPX 0.93 [PE] UnHack32 1.2
UPX 0.99 / 1.00 - 1.02 / 1.05 - 1.07 [PE DLL]
UPX 0.99.1 - 0.99.2 [PE DLL]
UPX 1.03 - 1.04 [PE DLL]
UPX 1.03 - 1.04 [PE]
UPX 1.03 - 1.04 [PE] (Delphi/C Builder)
UPX 1.05 - 1.07 [PE DLL]
UPX 1.05 - 1.24 [PE]
UPX 1.08 - 1.24 [PE DLL]
UPX$HiT 0.0.1
UPXShit 0.06 (snaker)
VGCrypt 0.75
Virtual Pascal 2.1
Visual C 2.0
Visual C++ 3.1
Visual C++ 4.2 (DLL)
Visual C++ 4.2 (EXE - 1)
Visual C++ 4.2 (EXE - 2)
Visual C++ 4.2 (EXE - 3)
Visual C++ 4.2 (EXE - 4)
Visual C++ 5.0
Visual C++ 5.0 (debug)
Visual C++ 5.0 (no debug)
Visual C++ 5.0 SP3
Visual C++ 5.0 SP3 (debug)
Visual C++ 6.0 (DLL) (nodebug) [1]
Visual C++ 6.0 (DLL) (nodebug) [2]
Visual C++ 6.0 (EXE) (nodebug)
Visual C++ 7.0 / .NET 2002
Visual C++ 7.1 / .NET 2003 (debug; -MDd)
Visual C++ 7.1 / .NET 2003 (nodebug)
Visual C++ 7.1 / .NET 2003 (nodebug; -MD)
Visual Protect 1.1
WATCOM C/C++ runtime system 1995
WWPack32 1.0
WWPack32 1.09
WWPack32 1.10 - 1.11
WWPack32 1.12 - 1.20
WinKript 1.00
WinZip SFX
Xtreme Protector 1.06
Xtreme Protector 1.07
frp 0.17
kkrunchy
tELock 0.41c
tELock 0.42
tELock 0.51
tELock 0.60
tELock 0.61
tELock 0.70
tELock 0.71
tELock 0.80
tELock 0.85
tELock 0.90
tELock 0.92a [PE DLL]
tELock 0.92a [PE EXE]
tELock 0.95 [PE DLL]
tELock 0.95 [PE EXE]
tELock 0.96 [PE DLL]
tELock 0.96 [PE EXE]
tELock 0.98 [PE DLL]
tELock 0.98 [PE EXE]
yoda's Crypter 1.0
yoda's Crypter 1.1
yoda's Crypter 1.2

DOS EXE modifier:
624 1.0
ABKprot 1.00
AEP 1.00
AVPack 1.2x [COM]
AVPack 1.2x [EXE]
AdFlt2
Ady's Glue 1.10
AinEXE 2.1
AinEXE 2.22
AinEXE 2.23
Aluwain 8.03
BINLock 1.0
BITLOK 3.1
Batch Compiler 1.0
Borland C++ (TR.EXE)
Borland C++ 3.0 or higher
Borland PE loader
C-Crypt 1.02
CC 2.61b
CC286x2 2.1
COM2TXT 1.00
COM2TXT 1.03 - 1.12
COM2TXT 1.20 - 1.41
COMCRYPT [by unknown]
COMPACK 4.5
COMPACK 5.1
COP 1.0
CRK Compiler 1.20
CRYPACK 3.0
CRYPTCOM 1.1
CRYPTCOM [by unknown]
CSV 0.1
CWC 3.01
Ciphator 4.6
Com Cryptor BTS 9.12
Com4Mail 1.0
ComLock 0.10
ComProt 1.0 beta
ComProtector 1.0
Compact 1.05
ComprEXE 1.0 [COM]
ComprEXE 1.0 [EXE]
Comt 0.10 (duckling)
Comt 0.10d (original)
Crackstop 1.03a
Cruncher 1.0
CryEXE 4.0
Crypt 1.20
Crypt 1.21
Crypt 1.7 [COM]
Crypt 1.7 [EXE]
Crypt.Trivial.173
CryptC [by unknown]
CryptEXE 1.0
Crypta II 2.0
Crypta II 3.0
CrypteXeC 0.9ß
CrypteXeC 1.01
DOS Extender by Doug Hoffmann 1994
DOS/4GW Extender by Tenberry Software
DOS32 3.3
DShield
Diet 1.00 [EXE]
Diet 1.10 - 1.20 [COM]
Diet 1.10a/1.20 [EXE]
Diet 1.43/1.44 [EXE]
Diet 1.44 - 1.45 [COM]
Diet 1.45f [EXE]
DoP's CryptExe 1.04
Docmaker 1.20
EEXE 1.12 - 1.13
ENcryptCOM 3.01
EPW 1.20 [COM]
EPW 1.20 [EXE]
EPW 1.30 [COM]
EPW 1.30 [EXE]
EXE Manager 3.0
EXE Manager 3.2
EXE2COM 2.00
EXEGuard 1.3
EXEHigh 1.01
EXELOCK 666 1.03
EXELOCK 666 1.04
EXELOCK 666 1.05
EXEPACK 3.69
EXEPACK 4.06
Elite 2.00
Encriptor 1.00ß
ExeCode 1.0
ExeCode 1.00 [COM]
ExeLock 1.00
F-Xlock 1.16
FFSE 0.4R
File Analyser 1.4 Encryptor
Gardian Angel 1.0
HackStop 0.98 [COM]
HackStop 0.98 [EXE]
HackStop 0.99 [COM]
HackStop 0.99 [EXE]
HackStop 1.00 [EXE]
HackStop 1.12 [EXE]
HackStop 1.13 [EXE]
HackStop 1.14a [EXE]
HackStop 1.15 - 1.17 [EXE]
HackStop 1.17ß [EXE]
HackStop 1.17ßs [EXE]
HackStop 1.18 [EXE]
HackStop 1.19 build 195/198 [EXE]
HackStop 1.19 build 197 [EXE]
HackStop 1.19 build 204 [EXE]
HackStop 1.19 build 217
HelpCOM 1.2
HelpEXE 1.2
Ice 1.00
Immun 1.2 [COM]
Immun 1.2 [EXE]
Immun 1.2 registered [COM]
Immun 1.2 registered [EXE]
JMCryptExe 0.7 (general)
JMCryptExe 0.7g
JMCryptExe 0.7i
JMCryptExe 0.7j
Jam 2.11 [COM]
Jam 2.11 [EXE]
Jam 2.21 [COM]
Jam 2.21 [EXE]
Khrome Crypt 0.3
LC 3.00 (1986)
LGLZ 1.03b - 1.04b
LZEXE 0.90
LZEXE 0.91 / 1.00
LZEXE 0.91ß
LamerStop 1.0ß
Loader for Dos Extender by Doug Hoffmann
LockProg 0.5a
LockTite+
MCLOCK 1.3
MINI [COM]
MINI [EXE]
MSCC 1.0bs
Mask 2.3
Mask 2.5
MegaLite 1.20
Mess 1.07 [COM]
Mess 1.07 [EXE]
Mess 1.14 [COM]
Mess 1.15 [COM]
Mess 1.17 [COM]
Microsoft C (1988/89)
Microsoft C++ (1990/92)
Microsoft C++ NE Loader
Microsoft QBasic
Mr.HDKiLLeR ProtectioN 1.0
N0Ps Shit Protector 0.002b
NT Shell 4.0
NetRun 3.10
NetSafe ZIP-Prot
Netsend 1.00
NoClip 4.1
OptLink Pass 1
OptLink Pass 2
PCC 1.2
PCrypt 3.50 [COM]
PGMPAK 0.13
PGMPAK 0.14
PGMPAK 0.15
PK Smart 1.0b
PKLite 1.00 - 1.05 [EXE]
PKLite 1.00 [COM]
PKLite 1.03 [COM]
PKLite 1.05 [COM]
PKLite 1.12 / 1.20 [COM]
PKLite 1.12 / 1.20 [EXE]
PKLite 1.13 [COM]
PKLite 1.14 [COM]
PKLite 1.14 [EXE]
PKLite 1.15 [COM]
PKLite 1.15 [EXE]
PKLite 1.50 - 2.01 [EXE]
PKLite 1.50 [COM]
PKLite 2.00ß [COM]
PKLite 2.00ß [EXE]
PKLite 2.01 [COM]
PKTiny 1.62
PMODE/W 1.20
PMODE/W 1.21
PMODE/W 1.33
Pack 1.0
PackWin 1.0à - 2.02
PassCOM 2.0 / PPC
PassEXE 2.0
Powerbasic 2.10
ProPack 2.08 -m1 [EXE]
ProPack 2.08 -m2 [EXE]
ProPack 2.14 -m1 [COM]
ProPack 2.14 -m1 [EXE]
ProPack 2.14 -m2 [COM]
ProPack 2.14 -m2 [EXE]
ProtEXE 2.11 [COM]
ProtEXE 2.11 [EXE]
ProtEXE 3.0
Protect! 3.0
Protect! 3.0/3.1 [COM]
Protect! 3.1 [EXE]
Protect! 4.0 [COM]
Protect! 4.0 [EXE]
Protect! 6.0
R-Crypt 0.91 - 0.93
RCC II/286 1.14 (hard)
RCC II/286 1.14 (mild)
RCC II/286 1.15 (hard)
RCC II/286 1.15 (mild)
RCC II/286 1.16 (hard)
RCC II/286 1.16 (mild)
RCC II/286 1.17 (hard)
RCC II/286 1.17 (mild)
RCC II/286 1.18 (hard)
RCC II/286 1.18 (mild)
REC.Small 1.01
REC.Small 1.02
REC.Small 1.02a
REC/Small 1.03
REC/Small 1.05
REC/Small 1.05b
REC/Small/AV 1.00
REC/Small/AV 1.05
REC/Small/AV 1.05b
RELOC 1.00
RERP 0.02
RJ Crush 1.10
RUE 1.32
Rec 0.14
Rec 0.27
Rec 0.28
Rec 0.32
Rec 0.33a
Rec 0.38
Rose Tiny 1.02
RoseTiny 0.95
SCRAMB 1.20
SCRAMBLE 0.2 beta3
SENs debug protection
Scram 0.7c1 - 0.8a1
Scrunch 1.02
Scrypt 1.2
Secure 2.1b
SelfEnc 1.0
Shadow 1.0 beta
Shield 1.70
Shrink 1.0
Shrink 2.0 (1)
Shrink 2.0 (2)
SnoopStop 1.15
Spirit 1.5
SuckStop 1.08
SuckStop 1.10
SuckStop 1.11
TPC's COM scrambler 1.00
TPack 0.5ß -m1
TPack 0.5ß -m2
Tiny Xor 0.1
Trap 1.13 [COM]
Trap 1.13 [EXE]
Trap 1.14
Trap 1.14a
Trap 1.15
Trap 1.16 - 1.17
Trap 1.16ß1
Trap 1.16ß2
Trap 1.18 [EXE]
Trap 1.19 [EXE]
Trap 1.20 [EXE]
Trap 1.21 [EXE]
Turbo Basic
Turbo C 1.0 (1987)
Turbo C 2.0 (1988) [COM]
Turbo C 2.0 (1988) [EXE]
Turbo C++ 3.0 [COM]
Turbo C++ 3.0 [EXE]
Turbo Pascal 3
Turbo Pascal 4 (1)
Turbo Pascal 4 (2)
Turbo Pascal 5
Turbo Pascal 6
Turbo Pascal 7
Turbo Pascal 7 (RTL by Norbert Juffa)
Turbo Prolog 1986
TurboChainer 1.03
UC 2 EXE 2.4
UComCry
UPX 0.20 [COM]
UPX 0.20 [EXE]
UPX 0.30 - 0.40 [COM]
UPX 0.30 [EXE]
UPX 0.40 - 0.51 [EXE]
UPX 0.51 - 0.72 [COM]
UPX 0.62 [EXE]
UPX 0.70 [EXE]
UPX 0.71 - 0.72 [EXE]
UPX 0.81 - 0.84 [EXE]
UPX 0.82 - 0.84 [COM]
UPX 0.90 - 1.03 [EXE]
UPX 0.92 - 1.03 [COM]
UPX 1.04 - 1.24 [COM]
UPX 1.04 - 1.24 [EXE]
USCC 1.3
Unknown virus 1
Unýpack 2.0
Username 3.00 [COM]
Username 3.00 [EXE]
V-Load 0.9b
V-Load 0.9b used in Kartz 0.3
VSS
Vaccine 1.03 - 1.10
Virus Self Destructor 2.00
WWPack
WWPack Mutator 1.1c
Watcom C (1994)
Watcom C (1995)
WordPerfect EXEPack
X3
XCOM 1.00
XPack 1.0j [EXE]
XPack 1.0m - 1.20 [EXE]
XPack 1.29 - 1.30 [COM]
XPack 1.29 - 1.30 [EXE]
XPack 1.31 - 1.66 [COM]
XPack 1.31 [EXE]
XPack 1.33 [EXE]
XPack 1.34 [EXE]
XPack 1.36 [EXE]
XPack 1.39 [EXE]
XPack 1.40 [EXE]
XPack 1.44 [EXE]
XPack 1.45 [EXE]
XPack 1.52 - 1.64 [EXE]
XPack 1.65b2 [EXE]
XPack 1.65b3/b4 [EXE]
XPack 1.66 [EXE]
XPack 1.67 [COM]
XPack 1.67 [EXE]
XcomOR 0.99a
XcomOR 0.99f/g
XcomOR 0.99h
XcomOR 0.99i
XoReR 1.0
XoReR 2.0
XoReR 2.1
XorCopy 1.0
Zortech C 2.00 (1)
Zortech C 2.00 (2)
aPack 0.58 - 0.74 (2) [EXE]
aPack 0.58 - 0.82 (1) [EXE]
aPack 0.58 [COM]
aPack 0.61 [COM]
aPack 0.66 [COM]
aPack 0.69 [COM]
aPack 0.71 - 0.74 [COM]
aPack 0.73 - 0.74 -m [EXE]
aPack 0.73 - 0.82 -d [EXE]
aPack 0.82 -d [EXE]
aPack 0.82 -m -p [COM]
aPack 0.82 [COM]
aPack 0.82 [EXE]
aPack 0.90 - 0.99 -d/-s -m [EXE]
aPack 0.90 - 0.99 -d/-s [EXE]
aPack 0.90 - 0.99 -m [EXE]
aPack 0.90 - 0.99 [EXE]
aPack 0.90 -m -p [COM]
aPack 0.90 -m -x [EXE]
aPack 0.90 [COM]
aPack 0.96
aPack 0.96 -i -m
aPack 0.96 -m
aPack 0.98 - 0.99 -t [EXE]
aPack 0.98 - 0.99 [COM]
aPack 0.98 -f -m [COM]
aPack 0.98 -i -m [COM]
aPack 0.98 -x
aPack 0.99 -f -m [COM]
aPack 0.99 -i -m [COM]
aPack 0.99 -m -x [EXE]
deeP-CRyPTeR 0.1b
fds-cp 0.4
iLUCRYPT 4.014 - 4.015
iLUCRYPT 4.019
jmt-cp 0.5a / fds-cp 0.4a
unknown by GyikSoft 1
unknown by GyikSoft 2
unknown by JVP
unknown by Mr. Wicked
unknown by RAO
unknown by Synopsis
unknown by Woody
B3T4
i could think of a few more though
Spiffypat
Wow, very nice list you got there. I think going in and hexing the detected part is pretty easy, It only takes me 4-5 min to do a server per AV, and works 95% of the time.
crafty
ive found PC Guard For Win32 or PC Guard for DOS, works the best...

beats all AV in one hit...
herman2k
QUOTE(Spiffypat @ Jan 18 2005, 01:54 AM)
Wow, very nice list you got there. I think going in and hexing the detected part is pretty easy, It only takes me 4-5 min to do a server per AV, and works 95% of the time.

I think u dont know what's really up
Your hexing method is not sure any more.
Maybe AVs like Norton

Some AVs (for example KAV) change the signature for famous RATs (Bifrost) after updates.

And why do some AVs change the signature? Because lots of people use the hex method (before avpoffset, ok, no longer working) and today offset finders like AVDevil.

And second, not all signatures can you easily change. I mean some signatures are hard in the code and when you change them... the file is then broken.

And your hex method does not work 95%!


btw: nice undetected thread from here

best regards

herman2k
Xion
QUOTE(crafty @ Jan 18 2005, 04:41 AM)
ive found PC Guard For Win32 or PC Guard for DOS, works the best...

beats all AV in one hit...

Do you have the serial for this soft ?

WARNED FOR THE LAST TIME ....read the rules account disabled for 10 days for serial request
lev
QUOTE(Pseudonym @ Jan 11 2005, 06:43 AM)
Just wondering what are all the ways to make a file undetected without the source?

Here are some

- Packing
- Binding
- Crypting
- Hex modifying
- Packing, then removing the packer's headers.
- Changing the entry point.
- Using something like code pervertor which can replace instructions
in the file with other instructions which will do the same thing.

Can anybody else think of any other methods?

Here's some good sites for this:

hxxp://www.exetools.com/
hxxp://protools.cjb.net/
hxxp://unpack.cjb.net/
hxxp://yodap.cjb.net/

Another way to get close to the same goal is to make the file difficult to delete
Jay
We will not tolerate your request for serials. Your posting ability has been disabled and I want to know why you broke GSO rules.

Just remember registration is closed so if you value your membership follow the rules.
matiano
1. For McAfee, changing the resource section is good.

2. For KAV, the NOP method with changing the entry point is good.

3. Rebasing the server file is another good method

4. For Norton, we don't need to speak about that

another good link

When somebody wants to know more about making undetected, i've a top-secret link about lots of undetected methods; they can write me a PM!... i'm free4chat

btw: does somebody know how i can make files undetected for Ewido Security Suite without a crypter?

Whoever can do this is one of the best!

best regards,

matiano
fulvioo
Top secret link?

Why do you say that? Share the knowledge you know... that's the purpose of forums, isn't it?


This is a nice tutorial made by IDESpinner

http://www.governmentsecurity.org/forum/in...ndpost&p=104148
matiano
The reason why i dont make the link public is because when the website master sees that i post the link here, maybe he won't make his secrets public any more!

His website is for the AV producers

AdmiralB
i find using a combination of packing and perhaps crypting or binding best to avoid detection
Progressor
QUOTE
2. For KAV, the NOP method with changing the entry point is good.


No, it doesn't work for KAV. You'd better add a section to the file or try opcode substitution.
Lie8
hmmm .... the pcguard method works .... but the server's size gets bigger .... not tested much but it skips well .... thnx for the info.
matiano
QUOTE(Progressor @ Jan 23 2005, 08:58 AM)
QUOTE
2. For KAV, the NOP method with changing the entry point is good.

No, it doesn't work for KAV. You'd better add a section to the file or try opcode substitution.

The NOP method does work with standard scan KAV!
Lie8
@matiano,

pmed u twice ... can u pls PM me the top secret link of urs or add me in MSN .... thnx in advance.
matiano
QUOTE(Lie8 @ Feb 9 2005, 05:34 PM)
@matiano,

pmed u twice ... can u pls PM me the top secret link of urs or add me in MSN .... thnx in advance.

sorry i dont trust u because u have only 2 postings
jase_uk
lol
I'm still working on making my file UD.

I have a program called stealth tools 2 but its not much help to be honest.

I might try and use some software protectors, but i mean if anyone has any good ideas then let us know.

I tried cutting up the server and scanning each little bit, but not a single bit of it came up as a virus, so i dunno what was going on there.

i mean if anyone knows anything about hex editing then let us know.
rageinc
Simply put, i have the best way to get around virus scanner detection. It is a program called ExeStealth. It is designed to protect your program against it being cracked, but it works great to change the way a .exe file looks. It also has a special option to make ur own key or something, i haven't used this option much. If u cant find it tell me and i'll post it on some server somewhere. Peace.
Lie8
QUOTE(matiano @ Feb 10 2005, 05:16 PM)
QUOTE(Lie8 @ Feb 9 2005, 05:34 PM)
@matiano,

pmed u twice ... can u pls PM me the top secret link of urs or add me in MSN .... thnx in advance.

sorry i dont trust u because u have only 2 postings

hmm .. bro PMed you .. pls reply this time

@rageinc,

from what ur telling i can understand it's something like PCGuard ... i already tried PC guard .... but can't get it working, it corrupts already packed servers .... i'll try this today ....
Lie8
@rageinc,

tried the exestealth 2.75a .... but didn't work .... maybe there are some special settings .. will u pls mention them?
archphase
http://metawire.org/~archphaz/pib.zip
crafty
PC Guard For Win32 Mini Tut - Makes Unpacked/Packed EXE Undetectable

Open PC Guard

Next To Application Signature click Browse

Select your .exe

Click GENERAL under the PROTECTION OPTIONS tab

UNCHECK Show Warning Messages
CHECK Enable anti-dumping protection
CHECK Virtual Machine Detection

Click CUSTOMIZATION

UNCHECK ALL TICKS

Under PROTECTION METHODS tab Click PLAIN

CLICK PROTECT

** DONE **

upload to virustotal.com to check if undetectable...
crafty
PC Guard is now detected by the following:
Antivirus Version Update Result
AntiVir 6.29.0.11 02.11.2005 no virus found
AVG 718 02.10.2005 no virus found
BitDefender 7.0 02.13.2005 no virus found
ClamAV devel-20050130 02.14.2005 Trojan.Downloader.Delf-49
DrWeb 4.32b 02.14.2005 Trojan.DownLoader.393
eTrust-Iris 7.1.194.0 02.13.2005 no virus found
eTrust-Vet 11.7.0.0 02.14.2005 no virus found
Fortinet 2.51 02.12.2005 no virus found
F-Prot 3.16a 02.10.2005 no virus found
Kaspersky 4.0.2.24 02.14.2005 no virus found
NOD32v2 1.998 02.12.2005 no virus found
Norman 5.70.10 02.11.2005 no virus found
Panda 8.02.00 02.13.2005 no virus found
Sybari 7.5.1314 02.13.2005 Downloader-PP
Symantec 8.0 02.13.2005 no virus found

Archphase's program (pib) is also detected as shown below

Antivirus Version Update Result
AntiVir 6.29.0.11 02.11.2005 no virus found
AVG 718 02.10.2005 no virus found
BitDefender 7.0 02.13.2005 BehavesLike:Trojan.Downloader
ClamAV devel-20050130 02.14.2005 no virus found
DrWeb 4.32b 02.14.2005 no virus found
eTrust-Iris 7.1.194.0 02.13.2005 no virus found
eTrust-Vet 11.7.0.0 02.14.2005 no virus found
Fortinet 2.51 02.12.2005 no virus found
F-Prot 3.16a 02.10.2005 could be infected with an unknown virus
Kaspersky 4.0.2.24 02.14.2005 no virus found
NOD32v2 1.998 02.12.2005 probably unknown CRYPT.WIN32 virus
Norman 5.70.10 02.11.2005 no virus found
Panda 8.02.00 02.13.2005 no virus found
Sybari 7.5.1314 02.13.2005 no virus found
Symantec 8.0 02.13.2005 no virus found

in conclusion i have not found a program which can make undetectable files as yet but will keep looking
Lie8
@crafty,

thnx for the tut .... but could u pls give some info for v4 .... v5 is still unregged and so it shows demo limitations while executed .... also, will it corrupt an already packed server?


@archphase,

can't connect to site .... but eager to test the app.


@rageinc,

waiting if u have any good suggestions in ur sleeves for Exestealth 2.75
crafty
ok it didn't take me long as i have found a new method to get past 99.9% of AV
only Sybari version 7.5.1314 can detect a virus/trojan/downloader

so yes it is still possible, just keep trying people.

any questions PM me

if you are working for or with any government or antipiracy or antivirus company DO NOT PM ME
Lie8
hmm ... any link for archphase's pib ? want to check it.

pcguard32 .... really bugs with the annoying demo message .... and still didn't manage to do da job with v4.06

looks like i'll have to go back to AV devil/hex edit again ... but so hard
archphase
http://www.censorednet.org/inc/downloads/%...ource%5Dpib.zip

censorednet goes down as well though, people are always playing packeting games,
Lie8
thnx arc .... i got it .... and matiano .... many many thnx
toe
i used the demo of pc guard 5 and it works fine mostly undetected. it works fine but u can only run it 20 times coz of the demo
yuck_fou
Any ideas where [Edited by GSecur: Do not even hint at warez request] Or does anybody know any other software that is as good as PC Guard?? I've tried a few but they seem to wreck the server.exe.
yuck_fou
QUOTE(yuck_fou @ Jun 21 2005, 03:50 PM)
Any ideas where [Edited by GSecur: Do not even hint at warez request] Or does anybody know any other software that is as good as PC Guard?? I've tried a few but they seem to wreck the server.exe.

Ha ha ha sorry Gsecur! I thought i'd test to see how well the moderators work here!

But on another note...I guess nobody really lets on about which software will really do the trick because if they did the AV spies would catch on *click*


Invision Power Board © 2001-2005 Invision Power Services, Inc.