Changing Entry Point
extreme
OK, so the easiest way to make a trojan undetectable is by changing the entry point with OllyDbg or whatever...
But how do I do it with source code??
I am specifically talking about C++ source code.
Here is the starting entry point code in C++ for some simple RAT:

#include <windows.h>

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    // ... body elided in the original post ...
    return repeat;  // `repeat` is the poster's own variable; it is not declared in the snippet shown
}
setthesun
CODE
#pragma comment(linker,"/ENTRY:startupfunction")

If you're using link.exe yourself, just use "/ENTRY:startupfunction" as an argument.
You can also set it from the VS project's linker settings.
extreme
Can you explain it a bit more thoroughly? I am just a middle-class C coder, and this is all new to me..
setthesun
QUOTE(extreme @ Feb 20 2005, 05:32 AM)
Can you explain it a bit more thoroughly? I am just a middle-class C coder, and this is all new to me..

Just add this code to the top of your main file:

CODE
#pragma comment(linker,"/ENTRY:startupfunction")

and then use

CODE
startupfunction()

as your entry point.
Killaloop
Remember this is an entry point for a Win32 application, not for a console application.
KarachiKing555
What can you do with a Delphi console app so that it won't get detected by AVs!!??
belgther
Normally, when you write a program with a main() or WinMain() function, it doesn't start there immediately. The program processes lots of other code before entering the main function, so changing the main function doesn't do the trick.
belgther
QUOTE(KarachiKing555 @ Jun 2 2005, 10:35 AM)
What can you do with a Delphi console app so that it won't get detected by AVs!!??

Anything you write is undetectable at first. But to keep it undetectable forever, use it for private purposes only, or make a program that changes its port and commands randomly.
strohunter
QUOTE(KarachiKing555 @ Jun 2 2005, 09:35 AM)
What can you do with a Delphi console app so that it won't get detected by AVs!!??

This is just a name; only the compiler will see it. Changing it will not trick AVs.
strohunter
QUOTE(belgther @ Jun 3 2005, 09:09 AM)
Normally, when you write a program with a main() or WinMain() function, it doesn't start there immediately. The program processes lots of other code before entering the main function, so changing the main function doesn't do the trick.

True, the real entry point is mainCRTStartup (or wmainCRTStartup if UNICODE is defined). This function prepares some things depending on whether you are writing a main console app or a WinMain graphical app (wmain or wWinMain if UNICODE is defined), then calls your entry procedure (w)main/WinMain and finally calls ExitProcess.

Like you, I would like to change the real entry point in order to write my own mainCRTStartup. I'll search a bit further, but I hope someone here will be able to spare me some googling ^^

Regards.
Bedosman
Just one noob question, but I know what the entry point is, but what is OllyDbg? A tool to change the entry point very easily?

Thx for your answers :)
A2_
QUOTE(Bedosman @ Jul 19 2005, 07:23 AM)
Just one noob question, but I know what the entry point is, but what is OllyDbg? A tool to change the entry point very easily?

Thx for your answers :)

http://www.google.com/search?q=ollydbg

and a slap on the wrist
tibbar
Changing the entry point will in no way help you beat AV... you need to do a lot more than that.
Forge
Check out the first item on the list...

http://forge.thec0re.net/sc/list.php?c=art
triossosolfuro
You must change AddressOfEntryPoint in the PE header to the new address of your main/WinMain; use OllyDbg to find it.
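A defender's view of the AddressOfEntryPoint field mentioned in the post above, as an added example that is not any poster's code: it parses the PE headers and section table with the standard library only, reports which section the entry point lands in, and flags the anomalies that an edited or packed entry point typically leaves behind (entry outside every section, inside a non-executable section, or outside the first section). The build_sample helper constructs header-only PE32 images for offline testing; the section names, RVAs and characteristics it takes are made-up test data.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def entry_point_report(data):
    """Return the entry RVA, the section holding it and whether that section is executable."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]        # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]   # SizeOfOptionalHeader
    opt_off = pe_off + 24
    if struct.unpack_from("<H", data, opt_off)[0] not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    ep_rva = struct.unpack_from("<I", data, opt_off + 16)[0]    # AddressOfEntryPoint (same offset in both)
    sec_off = opt_off + opt_size
    for i in range(nsec):
        name, vsize, va, rawsz, *_rest, chars = struct.unpack_from(SECTION_HDR, data, sec_off + 40 * i)
        # The loader maps at least max(VirtualSize, SizeOfRawData) bytes at VirtualAddress.
        if va <= ep_rva < va + max(vsize, rawsz):
            return {"entry_rva": ep_rva, "index": i, "section": name.rstrip(b"\0").decode("ascii", "replace"),
                    "executable": bool(chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))}
    return {"entry_rva": ep_rva, "index": None, "section": None, "executable": False}

def entry_point_findings(data):
    """Heuristic anomalies a patched, hijacked or packed entry point usually leaves behind."""
    r = entry_point_report(data)
    if r["section"] is None:
        return ["entry point 0x%x lies outside every section" % r["entry_rva"]]
    if not r["executable"]:
        return ["entry point 0x%x is in non-executable section %s" % (r["entry_rva"], r["section"])]
    if r["index"] != 0:
        return ["entry point 0x%x is in %s, not the first section" % (r["entry_rva"], r["section"])]
    return []

def build_sample(entry_rva, sections):
    """Construct a header-only PE32 image (constructed test data, no real code) for offline checks."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    table = b"".join(struct.pack(SECTION_HDR, n, 0x1000, va, 0x200, 0x400, 0, 0, 0, 0, ch)
                     for n, va, ch in sections)
    return dos + coff + opt + table
```

Run entry_point_findings over a real file's bytes; an empty list means the entry point sits in the first, executable section as a normal linker lays it out.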
tibbar
This thread is pointless. Changing the entry point will not make a trojan undetected.
extreme
Heh, when I started this topic, changing the entry point was everything that was needed....

For now, I know only 2 things I can do...
1. encrypt the code section
2. replace the OEP with the address of a JMP that goes back to the function at the OEP.

But that is still not enough for some AVs.. Plus my 2nd trick is detected by BitDefender as ExplorerHijack!??!
Invision Power Board © 2001-2005 Invision Power Services, Inc.