
Make your trojans undetected by hexing your malware!



carlo
12-22-2005, 11:37 AM
You must use Hex Workshop or some of this won't make sense!
This was written by eyeless and edited by carlo:
-------------------------------------------------------------------
1. Cut the code in half by selecting some code from the middle of the dump (i.e. cut at offset *6068) to the BOTTOM and right-click. Select "Fill" and fill the code with "00". Make sure to make note of where you cut it!!!! Now SAVE AS "TOPCODE.exe".

2. Next, open your original server and cut the code in half by selecting some code from the middle of the dump (i.e. cut at offset *6040, the next line above the offset you cut at in no. 1) to NEAR the top. I would give it 15-25 lines from the top. Right-click, select "Fill" and fill
the code with "00". Now SAVE AS "BOTTOMCODE.exe".

3. Now scan both EXEs you created (i.e. TOPCODE.exe & BOTTOMCODE.exe). At this point I know that I have isolated BOTH signatures, because BOTH halves are detected. If one isn't
detected, then both sigs are in the half that is detected. So we repeat the operation of
splitting the code into two executables using the half that is detected (you only want to
split the part that actually has code, not the part you filled!). So just repeat number 1!
With some files the number of signatures that the AV uses to detect it will vary. For the
most part there are 2 signatures for EACH AV that detects your malware; however, sometimes
there is only one and sometimes there are 3 (I have never seen more than 3). You will have to
use your brain to figure out how to find these signatures.

4. OK, now you have two detected halves! (hopefully) Now we must isolate the detected code. To
do this, I go down the code 10 lines at a time. Select 10 lines of code, then right-click
and select "Fill" again. Fill it with "00" and save the file.

5. So open "TOPCODE.exe" and, after those first 15 lines I told you NOT to "Fill", start
filling code 10 lines at a time. After every ten lines you fill, save the changes by
clicking File > Save As and save it as "editTOPCODE.exe".

6. Now scan the file with whatever AV you are trying to bypass. If the file is detected,
then the signature was NOT inside the 10 lines of code we "Filled". OK, now some of you are
saying, "but it isn't detected anymore!" Then make note of the offsets at the beginning and
at the end of the 10 lines of code that you last filled and jump down to 1A. If not, OPEN
"editTOPCODE.exe" and just keep filling 10 lines at a time till it isn't detected. Just
follow 5 using "editTOPCODE.exe".




User: "Wee hehe haha hoho hehe haha, thank you eyeless, I have found the 10 lines of code
that my AV detects!"
Eyeless: "OK, calm down, sonny... There is MORE!"
User: "MORE!"
Eyeless: "Untwist the panties, you're almost there!"


OK, enough senseless rambling, on to business!

1A. OK, you don't need "editTOPCODE.exe" anymore, so, to not complicate things, just delete
this file.

2A. OK, so you got the 10 lines of code! Your first half isn't detected; you've almost
isolated the AV signature. Now, what we do is open up "TOPCODE.exe".

3A. Now go to the offset that your 10 lines start at. Select the first 5 lines and again
"Fill" the code with "00", SAVE AS "AVTOPCODE.exe" and scan with your AV. Detected? Move
to 3B! Not detected by AV? Move to 3C!

3B. OK, the signature wasn't in the first five of the 10 lines.... But that's OK! Because it IS
in the last five! So now what you want to do is open up the file you saved, "AVTOPCODE.exe",
select the line after the first 5 you filled and fill this line. Now save. Detected? Then
continue to do this line by line for the rest of the ten lines; IT WILL BE ONE OF THEM!
Once not detected by AV, move to 3D, "The Grand Finale (is that how you spell it?)"! (Make
sure to make note of what offset the line is on!)




3C. OK, the AV sig WAS inside the first 5 lines, so open up your "TOPCODE.exe" and find the
offset where the 10 lines begin. Next, starting with the first line, fill it line by line.
Do this by selecting a line and right-clicking > Fill. After the first line is "Filled" you must
SAVE AS "AVTOPCODE.exe". Scan this file with your AV. Is it detected? Then this isn't the
line with the signature, so repeat on the next line and so on.... till it isn't detected, then
make note of what offset the line was on!!



The Grand Finale (is that how you spell it?)

OK, you're a soldier; you made it this far, which means you can make it the rest of the way. Cut off
that green toe and muck up, man!


1D. Open up "TOPCODE.exe" in your editor. Delete "AVTOPCODE.EXE"; it is not needed anymore!

2D. OK, YOU HAVE THE LINE THE CODE IS ON! You are very close to finding the signature.
Now you will notice that when you select ONE offset such as *6068 (you may have this offset
or not depending on how big your malware is) it highlights TWO numbers or letters in the HEX
view (the view of numbers and letters on the left). Go to the line you came up with from 3B or
3C, select ONE offset and "Fill" with "00". Now save as "UNDETECTTOP.exe" and scan it! Still
detected? Go to the next offset and "FILL", then save, etc... Do this until, when you scan it,
it isn't detected, then move to 3D. If you fill the whole line and it is still detected, you
(filtered) up. Start over.

3D. USER: "Holy shit, I deleted this one offset and now it isn't detected!"
OK, that last offset you deleted before it became undetected is the AV signature (or part of
it; this will be explained in "TROUBLESHOOTING"). So make note of this offset!

4D. OK, open up "TOPCODE.exe", find the offset and modify it! A good rule to follow
here is: if the offset was a "G", make it an "H" or a lowercase "g". Now scan with the AV. It isn't detected, is it?!?!? Hooray!



Finishing it up!

1E. OK, so repeat everything on the second half of the server. Remember "SECONDHALF.EXE" we made? I am not typing it all over again, modifying everything to "***SECONDHALF.EXE".




MAKE YOUR EXES BACK INTO ONE!

1F. Now, this is easy. Remember how I said to make note of where you split the file in 1.?
Now open "BOTTOMCODE.exe", select the code from the offset you originally split at and right-click > Copy.

2F. Now open "TOPCODE.exe", find where you split the code and select all the code you "filled". Now right-click on the code and select "Paste". Now click File > Save As and save it as UNDETECTED******.exe, making ****** the name of your malware!

3F. THAT'S ALL, FOLKS!




TROUBLESHOOTING!

OK, so you did it all right and now your malware doesn't work right. It won't open, does nothing, gives errors, etc... Here are some tips to try.

1. Try modifying the values directly to the side of the offset; sometimes a signature is 5 offsets long and modifying ANY of them will make it undetected. Modifying one of them might cause the server to crash, while modifying the one next to it may allow it to slip by the AV and still work perfectly.

2. Try modifying the value of the offset to something else in hex; there is 00 to FF, try all of them.

JotaC
11-11-2006, 06:52 PM
Sorry for bumping an old thread, here is my question:

Well, the antivirus detects this:

http://img486.imageshack.us/img486/4**7/istohe2.jpg

It detects the PE text or the 5045 string, which are the same thing...

Now I need to put there something that means the same thing so the keylogger works. I tried to put a lot of things there, but all of them make the program not work, so I need to put there something so the antivirus doesn't detect it and it continues working, but what?

Thanks all
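The split, fill-with-00 and rescan procedure from carlo's post, automated, as an added example; it is not code by eyeless, carlo or JotaC, and nothing in it touches a real scanner or a real binary. Hex Workshop and the AV are replaced by an in-memory byte buffer and a `detect(bytes) -> bool` callback; the buffer, the two planted patterns and both toy scanners are constructed here for the demonstration. It keeps the header bytes unfilled the way step 2 keeps the top 15-25 lines, finds each span that triggers the scanner on its own (so the "two or three signatures" case needs no guessing), handles a signature that the midpoint split cuts through (the case the post does not cover, where neither half is detected on its own), and reports when the only remaining hit is inside the protected header. That last case is what the question just above describes: the "PE" bytes (0x50 0x45) at e_lfanew are the PE signature every loadable Windows executable must carry, so there is nothing equivalent to substitute for them. Assumptions: filling bytes with 00 can only remove a hit, never create one (true for byte-pattern signatures, false for a detector that hashes the whole file), and a real scanner wrapped in `detect` gives a stable verdict on a half-zeroed copy of the file.

```python
"""Zero-fill bisection to locate the bytes a scanner keys on.

Added example, not code from the post or its authors.  The "file" is a
constructed byte buffer and the "AV" is a plain Python callback, both
built at the bottom; nothing here touches a real scanner or real binary.
"""
from typing import Callable, List, NamedTuple, Tuple

Detector = Callable[[bytes], bool]   # True when the scanner flags the blob


class Hit(NamedTuple):
    start: int                 # first offset the scanner needs (inclusive)
    end: int                   # one past the last offset it needs
    content: bytes             # those bytes, for inspection or patching
    in_protected_header: bool  # hit sits in the bytes we never fill


def _masked(data: bytearray, lo: int, hi: int, protect: int) -> bytes:
    """Copy of data with every byte outside [lo, hi) filled with 00, except
    the first `protect` bytes (the post keeps the top 15-25 lines, i.e. the
    file header, so the copy is still a parseable file)."""
    out = bytearray(len(data))
    out[:protect] = data[:protect]
    out[lo:hi] = data[lo:hi]
    return bytes(out)


def _isolate(data: bytearray, detect: Detector, lo: int, hi: int,
             protect: int) -> Tuple[int, int]:
    """Precondition: the blob is detected with only [lo, hi) left unfilled.
    Returns one minimal span that triggers the scanner by itself.
    Assumes filling bytes can only remove a hit, never create one."""

    def sufficient(a: int, b: int) -> bool:
        return detect(_masked(data, a, b, protect))

    while hi - lo > 1:
        mid = (lo + hi) // 2
        if sufficient(lo, mid):        # "TOPCODE" alone is still detected
            hi = mid
        elif sufficient(mid, hi):      # "BOTTOMCODE" alone is still detected
            lo = mid
        else:
            # Neither half fires on its own: the split cut through the
            # signature.  Trim the span from both ends by bisection instead.
            a, b = lo, mid             # sufficient(a, hi), not sufficient(b, hi)
            while b - a > 1:
                m = (a + b) // 2
                if sufficient(m, hi):
                    a = m
                else:
                    b = m
            c, d = mid, hi             # not sufficient(a, c), sufficient(a, d)
            while d - c > 1:
                m = (c + d) // 2
                if sufficient(a, m):
                    d = m
                else:
                    c = m
            return a, d
    return lo, hi


def find_signatures(data: bytes, detect: Detector, protect: int = 0x40) -> List[Hit]:
    """Every span that triggers `detect` on its own, in file order.
    Isolate one span, fill it with 00, rescan, repeat until the scanner is
    quiet.  If the scanner still fires with everything but the header
    filled, the hit is in the header itself and cannot be isolated further
    (the 'PE' bytes at e_lfanew are the usual example)."""
    work = bytearray(data)
    hits: List[Hit] = []
    while detect(bytes(work)):
        if detect(_masked(work, len(work), len(work), protect)):
            hits.append(Hit(0, protect, bytes(work[:protect]), True))
            break
        start, end = _isolate(work, detect, protect, len(work), protect)
        hits.append(Hit(start, end, bytes(work[start:end]), False))
        work[start:end] = bytes(end - start)   # fill it, then look for the next
    return hits


# --- constructed sample: a 4 KiB buffer with two planted patterns ---------
FILE_SIZE = 4096
HEADER_LEN = 0x40
SIG_A = b"EVIL_STRING_1"                 # made-up 13-byte pattern
SIG_B = b"\xde\xad\xbe\xef\xca\xfe"      # made-up 6-byte pattern
SIG_A_AT, SIG_B_AT = 700, 2045           # SIG_B straddles the midpoint 2048


def build_sample() -> bytes:
    buf = bytearray((i * 37 + 11) & 0xFF for i in range(FILE_SIZE))
    buf[:2] = b"MZ"                      # stand-in for the DOS/PE header
    buf[SIG_A_AT:SIG_A_AT + len(SIG_A)] = SIG_A
    buf[SIG_B_AT:SIG_B_AT + len(SIG_B)] = SIG_B
    return bytes(buf)


def pattern_scanner(blob: bytes) -> bool:
    """Toy AV: flags the blob if either planted pattern is present."""
    return SIG_A in blob or SIG_B in blob


def header_scanner(blob: bytes) -> bool:
    """Toy AV keyed only on header bytes, like the 'PE' case in the thread."""
    return blob[:2] == b"MZ"


SAMPLE = build_sample()

if __name__ == "__main__":
    for h in find_signatures(SAMPLE, pattern_scanner, HEADER_LEN):
        print(f"{h.start:#06x}-{h.end:#06x} header={h.in_protected_header} {h.content!r}")
```

Running the block prints the two planted spans, the second of which the post's half-split would have missed because neither half holds it whole. To drive a real scanner, `detect` would write the masked copy to disk and return whether the scanner flags it; every call is a full scan, so the cost is the roughly 2·log2(file size) scans per signature, which is the same count of save-and-rescan rounds the post walks through by hand. Which byte of a reported span can be changed without breaking the program is the separate question the post's troubleshooting section raises; the spans only say what the scanner looks at.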

Access__
03-07-2007, 09:58 PM
I'm so happy that I found this site... I'm friends with a lot of programmers and not many of them really know how to make a trojan undetected....

It seems like there is a lot of hex editing to do to make a trojan undetected. I wonder why no one has made a program to skim through and edit a trojan to make it undetected? Any easier ways to hex to make it undetected?

Anarchy2k3
01-19-2008, 02:56 AM
Hi,

If you need to quickly make files UD to all antivirus, sandboxes and virtual machines, look at this website:

http://exestub.awardspace.com/

Thank you,

Have a good day!

coz
01-19-2008, 10:06 AM
Sorry for bumping an old thread, here is my question:

Well, the antivirus detects this:

http://img486.imageshack.us/img486/4**7/istohe2.jpg

It detects the PE text or the 5045 string, which are the same thing...

Now I need to put there something that means the same thing so the keylogger works. I tried to put a lot of things there, but all of them make the program not work, so I need to put there something so the antivirus doesn't detect it and it continues working, but what?

Thanks all

LOL!!! This post is too good. A little old, but just too good.