View Full Version : HexEditTrojan
primzo_xxl
07-13-2006, 10:46 AM
hi!
I have a question about how to edit trojan offsets or whatever does it take to make trojan undeteced? :eek: I did the server, but unfortunally this is not logically to me, i mean any AntiVirus detect the trojan, becose it allready know the thread...:rolleyes: I heard that if u get the "packer" than the AV doesnt detect the trojan. How do u make undetectablle trojan?:)
thank you for your time.
Seee yaaa!
primzo_xxl
carlo
07-13-2006, 11:07 AM
You got * options:
Make your own in c++
Hex edit a trojan
create your own packer (hard)
Reply with your choice
carlo
primzo_xxl
07-13-2006, 11:27 AM
hi!
Witch is the simple one?:rolleyes: , i mean, I heard about the other languages.
I i decide to do my own packer, ok, how does it the whole procedure looks like?
Thanks for answers.
primzo_xxl
Ezekiel
07-13-2006, 11:34 AM
hi!
Witch is the simple one?:rolleyes: , i mean, I heard about the other languages.
I i decide to do my own packer, ok, how does it the whole procedure looks like?
Thanks for answers.
primzo_xxl
Unless you have a good knowledge of very complex c/c++, you will be wasting your time. It's not the same as writing a simple 'hello world' program in said languages, it involves a very high level of understanding in both the windows operating system (if you are using it for malware, I assume you're on windows) and general c++ code.
From what I can see, you do not possess even a basic knowledge of any relevant programming language, so come back to this task in *-2 years when you're ready. I would not be able to write such a program without doing extensive research and learning a lot more, like I said it's not for amateurs.
primzo_xxl
07-13-2006, 02:03 PM
Yea man, i am on windows OS. But look, if i am just a scriptkiddy. My other frend doesnt have any knowledge on other OS, and he isnt a programmer, but he can edit the trojans, but the problem is that :rolleyes: he is nonspeachless and he didnt tell me how to config the trojan..but whatever, is there anyway to hex edit trojan procedure?, logicaly is got to be dude?, if anyone have the basic knowledge about this .:rolleyes:
thanks
best regards
primzo_xxl:rolleyes:
primzo_xxl
07-15-2006, 12:26 PM
Hey Carlo!
for exp;, If i send u a trojan, witch is in every AV database, can u make it undetected by hexediting?..well if u can do that, why don't u tell me witch part of program to hexedit, offsets and stuff?
primzo_xxl:cool:
Ezekiel
07-15-2006, 03:07 PM
Hey Carlo!
for exp;, If i send u a trojan, witch is in every AV database, can u make it undetected by hexediting?..well if u can do that, why don't u tell me witch part of program to hexedit, offsets and stuff?
primzo_xxl:cool:
Jeez, there have been so many posts on this forum covering this subject, why don't you just learn yourself? A google search brings many relevant tutorials:
http://www.google.com/search?hl=en&q=hex+editing+tutorial&btnG=Google+Search&meta=
And, here is some threads I just found quickly:
http://www.governmentsecurity.org/archive/t**40*.html
http://www.datastronghold.com/archive/t***2*.html
And the tutorial by eyeless on hex editing:
You must use Hex workshop or some of this wont make sense!
*.Cut Code in half by selecting some code from the middle of the dump (ie. Cut at Offset: *6068) to the BOTTOM and right-click. Select "Fill" and fill code with "00" Make sure to make note of where you cut it!!!!Now SAVE AS "TOPCODE.exe"
2.Next, Open your original server and cut code in half by selecting some code from the middle of the dump (ie. Cut at Offset: *6040 next line above offset you cut at in no.*) to NEAR the top.. I would give it *5-25 lines from top and right-click. Select "Fill" and fill
code with "00". Now SAVE AS "BottomCODE.exe"
*.Now scan both EXE's you created (ie. TOPCODE.exe & BOTTOMCODE.exe) At this point I know that I have Isolated BOTH signatures, this is because BOTH halfs are detected.If one isnt
detected, then both sigs are in the half that is detected.Sooo we repeat the operation of
splitting the code into two executables using the half that is detected.(you only want to
split the part that actually has code, not the part you filled!)! Soo just repeat number *!
With some files there will vary the amount of signatures that AV uses to detect it. For the
most part there are 2 signatures for EACH AV that detects your malware, however sometimes
there is only one and sometime there are * (I have never seen more than *) you will have to
use your brain to figure out how to find these signatures.
4.OK, now you have two detected halfs! (hopefully) Now we must isolate the detected code. To
do this, I go down the code *0 lines at a time. Select *0 lines of code, then right-click
and select "Fill" again. Fill it with "00" and saveing the file.
5.So open "TOPCODE.exe" and after those first *5 lines I told you NOT to "Fill" start
filling code *0 lines at a time. After every ten lines you fill, save the changes by
clicking File>Save as and save it as "editTOPCODE.exe"
6. Now Scan the file with whatever AV you are trying to bypass. If the file is detected,
then the signature was NOT inside the *0 lines of code we "Filled". OK now some of you are
saying, but it isnt detected anymore!Then make note of the offsets that is at the beging and
at the end of the *0 lines of code that you last filled and Jump Down too *A. if not OPEN
"editTOPCODE.exe" and just keep filling *0 lines at a time till it isnt detected. Just
follow 5 using "editTOPCODE.exe"
User: "Wee hehe haha hoho hehe haha, thank you eyeless I have found the *0 lines of code
that my AV Detects!"
Eyeless: "OK, calm down sunny... There is MORE!"
User: "MORE!"
Eyeless: "Untwist the panties, You're almost there!"
OK, enuf senseless rambling, on to buisness!
*A OK, you dont need "editTOPCODE.exe" anymore, so we dont complicate things, just delete
this file.
2A. OK, so you got the *0 lines of code! Your first half isnt detected, you've almost
isolated the AV signature. Now, what we do is open up "TOPCODE.exe"
*A. Now go to the offset that your *0 lines starts at. Select the first 5 lines, and again
"Fill" the code with "00" and SAVE AS "AVTOPCODE.exe" and scan with youre AV. Detected? Move
to *B! Not detected by AV? Move to *C!
*B. OK, the signature wasnt in the first five of the *0 lines.... But thats ok! Cause it IS
in the last five! So now what you want to do is open up the file you saved "AVTOPCODE.exe"
select the line after the first 5 you filled and Fill this line. Now save, Detected? Move to
then continue to do this line by line for the rest of the ten lines; IT WILL BE ONE OF THEM!
Once not detected by AV, Move to *D "The Grand Finnaly (Is that how you spell it?)"! (Make
sure to make note of what offset the line is on!)
*C. OK, The AV sig WAS inside the first 5 lines, so open up your "TOPCODE.exe" and find the
offset where the *0 lines Begins.Next, Starting with the first line, fill it line by line.
Do this by slecting a line and righ-clicking>Fill. After the first line is "Filled" you must
SAVE AS "AVTOPCODE.exe". Scan this file with you're AV.. Is it detected, then this isnt the
line with the signature, so repeat on the next line and so on.... Till it isnt detectd, then
make note of what offet the line was on!!
The Grand Finnaly (Is that how you spell it?)
OK, Your a solider, you made it this far means you can make it the rest of the way.Cut off
that green toe, and muck up man!
*D.Open up "TOPCODE.exe" in your editor. Delete "AVTOPCODE.EXE" it is not needed anymore!
2D. OK, YOU HAVE THE LINE THE CODE IS ON! You are very close to finding the signature.
now you will notice that when you select ONE offset such as *6068 ( you may have this offset
or not depending on how bigyour malware is.) it highlights TWO numbers or letters in the HEX
view. (View of numbers and letters on the left).Go to the line your came up with from *B or
*C Select ONE offset and "Fill" with "00". Now save as "UNDETECTTOP.exe" Scan it! Still
detected? Go to the next offset and "FILL" then save etc... Do this in'till when you scan it
and it isnt detected then move to *D. If you fill the whole line and it is detected. You
(filtered) up. Start over.
*D. USER: "Wholly shit I deleted this one offset and now it isnt detected!"
OK That last offset you delted before it became undetectd is the AV signature (or part of
it, this will be explined in "TROUBLESHOTING") Sooo Make note of this Offset!
4D. OK open up the "TOPCODE.exe" and find the Offset! and modify it! A good rule to follow
here is, if the offset was a "G" make it a "H" or little "g". and now scan with AV. It isnt detected is it?!?!? Hoorrrra!
Finishing it up!
*E. OK so reapet everything on the second half of the server, remember "SECONDHALF.EXE" we made? I am not typing it over again modifying everything to "***SECONDHALF.EXE".
MAKE YOUR EXE'S BACK TO ONE!
*F. Now, this is easy, remember how I said make note of where you split the file in *.?
While open "BOTTOMCODE.exe" and select the code from the offset you originally split and right-click>copy.
2F. Now open "TOPCODE.exe" and find where you split the code and select all the code you "filled". Now right click on the code a select "Paste". Now click File>Save AS and save it as UNDETECTED******.exe making ***** the name of your malware!
*F. THATS ALL FOLKS!
TROUBLE SHOOTING!
OK, so you did it all right and now your malware doesnt work right. It wont open, does nothing, gives errors etc... Here are some tips to try.
* Try modifying the values directly to the side of the offset, some times a signature is 5 offsets long and modifying the ANY of them will make it undetected. Modifying one of them might cause the server to crash, while modifying the one next to it may allow it to slip by av and still work perfectly.
2 Try modifying the value of the offset to something else in hex, there is 00 to FF; try all f them!
Who loves ya babby!
OK I want you to tell me what you think, but if I get any emails,pms,*** messages etc. I will remove the post. If you cant follow this you are too stupid.
Edit: Enless of course its I wanna pay you to hex my malware!
primzo_xxl
07-15-2006, 04:11 PM
thanks man!i pissed u oFF!!:(
thanks for directions and links.:D
see yaaa
primzo_xxl:rolleyes:
Powered by vBulletin® Version 4.1.8 Copyright © 2024 vBulletin Solutions, Inc. All rights reserved.