Main:advertisement
Learn how to hide your trojans, backdoors, etc from anti virus.
Hiding backdoors and trojans from antivirus software
---------------------------------------------------------
This is a POC on how to evade detection from AV. In this article I will try to
guide you through the generic steps needed for this process, and show you by
example on a specific back door available. This is a POC and not applicable
to modern AV. However, the process for developing your own encoding/decoding
scheme, so that this will work, is entirely valid.
Programs used
http://www.white-scorpion.nl/programs/backdoor.zip -- basic back door
http://www.4shared.com/file/32660382/3562d77f/LordPE.html -- LordPE
http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm -- Hex Editor
http://www.ollydbg.de/ -- ollydbg
General Overview
----------------
We are going to start by increasing the file size of our backdoor giving us room
of our own to write code in. We will then hijack then entry point of the program,
redirect it to our own encoder. This encoder for the POC will XOR the file contents,
and then jump back to the original starting place. XOR is a reversible process, so
that when saved in this encoded state, the signatures will not match those in the
AV database. When ran however, the same XOR loop, will decode the program
while in memory where AV does not affect it.
Lets get started
----------------
Note: Your addresses might not match mine exactly, so look at the general
structure and you will be able to follow along.
Step - 1
--------
Open up backdoor.exe (located in the bin folder) in LordPE. LordPE is a
portable executable viewer and editor.
-Click on PE editor to open file
-Click sections in the new window
Here we see 3 sections .text .rdata and .data. For this example we will
select .data. Right click and select edit section header.
-Add 1000 hex bytes to the virtual size and the raw size.
VirtualSize = 00001B4A
RawSize = 00001200
-Click on the (...) next to the flags and set 'Executable as code'. This is where
we will build our encoder/decoder and thus need to have it executed.
-Edit the section header for .text as well to writable (also under
flags)
-Save and close LordPE
Step - 2
--------
If you tried to open your backdoor now you will notice an error indicating it is
not a valid Win32 Application. This is because our sizes do no balance. We
indicated there were an extra 1000 hex bytes, but have not actually added
anything to the program. So we will now pad our program.
-Open it up in XVI32 (or other hex editor of your choice)
-Scroll to the end of the file, and this is where we will add our 1000 hex bytes.
-Edit > insert (Select Hex String: 00 Insert <n> times - choose hexadecimal $1000)
This inserts our 1000 bytes needed to write our code in. Now save and close the
hex editor.
If you were to run the backdoor.exe now, you will notice it does work, but still
detected by the antivirus. We have not changed our code, or signature yet.
Step - 3
--------
Ollydbg: I am going to assume you have a basic understanding of what olly is
and how to use a few basic features.
--Preparing for our code injection--
Open the back door and first look at a few things.
-Address of the entry point
-Address of our 1000 hex bytes (you can select an address anywhere in this area)
Copy the first few lines of the backdoor.exe to clipboard, and keep available in
notepad for later reference.
Now scroll down to the padded 00 bytes and choose and address where we will inject
our encoder. For this example I am going to choose address 00401590.
--Altering the code--
First thing we will need to do now, is hijack the ModuleEntryPoint and redirect it to our
section.
JMP 00401590 #This will force the jump from module entry point to our code cave
select this line and save the file. Rightclick > copy to executable > selection. Then save file as
backdoor_v2.exe.
Note if you change the file name from the original like I did, go ahead and close the first and
open up the altered one.
You will now notice the first two lines of code have changed.
00401000 > $ E9 8B050000 JMP backdoor.00401590
00401005 . 68 34 31 40 00>ASCII "h41@",0
If you step 1 time in this program now you will notice you end on address, 00401590.
Now we can begin writing our XOR loop.
After this we need to put the code in that we overwrote at the beginning.
CALL 00401468
PUSH 00403134
Then we will jump to the address after the push command. At address 0040100A
JMP 0040100A
At this point we now have the XOR loop written, the following commands, and a return to
the beginning. However we are not quite done yet. Save your modifications, and set a break
point (f2) after the JLE SHORT command. Now run the program, and it will stop in at the break
point, and the program will now be encoded. Highlight the entire program and again save this file
(backdoor_v3.exe).
The program is now entire encoded except the first few lines, and our code cave. When this is
now ran, it will again, jump to our XOR loop, decode itself, and then proceed to function as it
was written.
This article was written by stdio in reference to a demo preformed by Mati Aharoni (Muts).
---------------------------------------------------------
This is a POC on how to evade detection from AV. In this article I will try to
guide you through the generic steps needed for this process, and show you by
example on a specific back door available. This is a POC and not applicable
to modern AV. However, the process for developing your own encoding/decoding
scheme, so that this will work, is entirely valid.
Programs used
http://www.white-scorpion.nl/programs/backdoor.zip -- basic back door
http://www.4shared.com/file/32660382/3562d77f/LordPE.html -- LordPE
http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm -- Hex Editor
http://www.ollydbg.de/ -- ollydbg
General Overview
----------------
We are going to start by increasing the file size of our backdoor giving us room
of our own to write code in. We will then hijack then entry point of the program,
redirect it to our own encoder. This encoder for the POC will XOR the file contents,
and then jump back to the original starting place. XOR is a reversible process, so
that when saved in this encoded state, the signatures will not match those in the
AV database. When ran however, the same XOR loop, will decode the program
while in memory where AV does not affect it.
Lets get started
----------------
Note: Your addresses might not match mine exactly, so look at the general
structure and you will be able to follow along.
Step - 1
--------
Open up backdoor.exe (located in the bin folder) in LordPE. LordPE is a
portable executable viewer and editor.
-Click on PE editor to open file
-Click sections in the new window
Here we see 3 sections .text .rdata and .data. For this example we will
select .data. Right click and select edit section header.
-Add 1000 hex bytes to the virtual size and the raw size.
VirtualSize = 00001B4A
RawSize = 00001200
-Click on the (...) next to the flags and set 'Executable as code'. This is where
we will build our encoder/decoder and thus need to have it executed.
-Edit the section header for .text as well to writable (also under
flags)
-Save and close LordPE
Step - 2
--------
If you tried to open your backdoor now you will notice an error indicating it is
not a valid Win32 Application. This is because our sizes do no balance. We
indicated there were an extra 1000 hex bytes, but have not actually added
anything to the program. So we will now pad our program.
-Open it up in XVI32 (or other hex editor of your choice)
-Scroll to the end of the file, and this is where we will add our 1000 hex bytes.
-Edit > insert (Select Hex String: 00 Insert <n> times - choose hexadecimal $1000)
This inserts our 1000 bytes needed to write our code in. Now save and close the
hex editor.
If you were to run the backdoor.exe now, you will notice it does work, but still
detected by the antivirus. We have not changed our code, or signature yet.
Step - 3
--------
Ollydbg: I am going to assume you have a basic understanding of what olly is
and how to use a few basic features.
--Preparing for our code injection--
Open the back door and first look at a few things.
-Address of the entry point
-Address of our 1000 hex bytes (you can select an address anywhere in this area)
Copy the first few lines of the backdoor.exe to clipboard, and keep available in
notepad for later reference.
Now scroll down to the padded 00 bytes and choose and address where we will inject
our encoder. For this example I am going to choose address 00401590.
--Altering the code--
First thing we will need to do now, is hijack the ModuleEntryPoint and redirect it to our
section.
JMP 00401590 #This will force the jump from module entry point to our code cave
select this line and save the file. Rightclick > copy to executable > selection. Then save file as
backdoor_v2.exe.
Note if you change the file name from the original like I did, go ahead and close the first and
open up the altered one.
You will now notice the first two lines of code have changed.
00401000 > $ E9 8B050000 JMP backdoor.00401590
00401005 . 68 34 31 40 00>ASCII "h41@",0
If you step 1 time in this program now you will notice you end on address, 00401590.
Now we can begin writing our XOR loop.
MOV EAX, 0040100A # Start of encoding address.
XOR BYTE PTR DS: [EAX], 5E # XOR the contents of EAX with the key 5E
INC EAX # Increase EAX
CMP EAX, 004014EB # Tests to see if we've reached the end of our enc
JLE SHORT 00401595 # If not, jump back to XOR command
After this we need to put the code in that we overwrote at the beginning.
CALL 00401468
PUSH 00403134
Then we will jump to the address after the push command. At address 0040100A
JMP 0040100A
At this point we now have the XOR loop written, the following commands, and a return to
the beginning. However we are not quite done yet. Save your modifications, and set a break
point (f2) after the JLE SHORT command. Now run the program, and it will stop in at the break
point, and the program will now be encoded. Highlight the entire program and again save this file
(backdoor_v3.exe).
The program is now entire encoded except the first few lines, and our code cave. When this is
now ran, it will again, jump to our XOR loop, decode itself, and then proceed to function as it
was written.
This article was written by stdio in reference to a demo preformed by Mati Aharoni (Muts).
Posted by 
