Follow us on Twitter!
Become the change you seek in the world. - Gandhi
Thursday, April 17, 2014
Navigation
Home
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
Learn
Communicate
Submit
Shop
Challenges
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Other
Members Online
Total Online: 14
Guests Online: 14
Members Online: 0

Registered Members: 82815
Newest Member: medjiking
Latest Articles

Evading Anti Virus Detection

Arrow Image Learn how to hide your trojans, backdoors, etc from anti virus.



Hiding backdoors and trojans from antivirus software
---------------------------------------------------------

This is a POC on how to evade detection from AV. In this article I will try to
guide you through the generic steps needed for this process, and show you by
example on a specific back door available. This is a POC and not applicable
to modern AV. However, the process for developing your own encoding/decoding
scheme, so that this will work, is entirely valid.

Programs used
http://www.white-. . .ckdoor.zip -- basic back door
http://www.4share. . .ordPE.html -- LordPE
http://www.chmaas. . ./xvi32.htm -- Hex Editor
http://www.ollydb. . . -- ollydbg

General Overview
----------------

We are going to start by increasing the file size of our backdoor giving us room
of our own to write code in. We will then hijack then entry point of the program,
redirect it to our own encoder. This encoder for the POC will XOR the file contents,
and then jump back to the original starting place. XOR is a reversible process, so
that when saved in this encoded state, the signatures will not match those in the
AV database. When ran however, the same XOR loop, will decode the program
while in memory where AV does not affect it.

Lets get started
----------------

Note: Your addresses might not match mine exactly, so look at the general
structure and you will be able to follow along.

Step - 1
--------

Open up backdoor.exe (located in the bin folder) in LordPE. LordPE is a
portable executable viewer and editor.

-Click on PE editor to open file
-Click sections in the new window
Here we see 3 sections .text .rdata and .data. For this example we will
select .data. Right click and select edit section header.
-Add 1000 hex bytes to the virtual size and the raw size.
VirtualSize = 00001B4A
RawSize = 00001200
-Click on the (...) next to the flags and set 'Executable as code'. This is where
we will build our encoder/decoder and thus need to have it executed.
-Edit the section header for .text as well to writable (also under
flags)
-Save and close LordPE

Step - 2
--------

If you tried to open your backdoor now you will notice an error indicating it is
not a valid Win32 Application. This is because our sizes do no balance. We
indicated there were an extra 1000 hex bytes, but have not actually added
anything to the program. So we will now pad our program.

-Open it up in XVI32 (or other hex editor of your choice)
-Scroll to the end of the file, and this is where we will add our 1000 hex bytes.
-Edit > insert (Select Hex String: 00 Insert <n> times - choose hexadecimal $1000)

This inserts our 1000 bytes needed to write our code in. Now save and close the
hex editor.

If you were to run the backdoor.exe now, you will notice it does work, but still
detected by the antivirus. We have not changed our code, or signature yet.

Step - 3
--------
Ollydbg: I am going to assume you have a basic understanding of what olly is
and how to use a few basic features.

--Preparing for our code injection--

Open the back door and first look at a few things.
-Address of the entry point
-Address of our 1000 hex bytes (you can select an address anywhere in this area)

Copy the first few lines of the backdoor.exe to clipboard, and keep available in
notepad for later reference.

Now scroll down to the padded 00 bytes and choose and address where we will inject
our encoder. For this example I am going to choose address 00401590.

--Altering the code--

First thing we will need to do now, is hijack the ModuleEntryPoint and redirect it to our
section.

JMP 00401590 #This will force the jump from module entry point to our code cave

select this line and save the file. Rightclick > copy to executable > selection. Then save file as
backdoor_v2.exe.

Note if you change the file name from the original like I did, go ahead and close the first and
open up the altered one.

You will now notice the first two lines of code have changed.


00401000 > $ E9 8B050000 JMP backdoor.00401590
00401005 . 68 34 31 40 00>ASCII "h41@",0

If you step 1 time in this program now you will notice you end on address, 00401590.
Now we can begin writing our XOR loop.

Code

MOV EAX, 0040100A                # Start of encoding address.
XOR BYTE PTR DS: [EAX], 5E    # XOR the contents of EAX with the key 5E
INC  EAX                               # Increase EAX
CMP EAX, 004014EB                # Tests to see if we've reached the end of our enc
JLE  SHORT 00401595              # If not, jump back to XOR command





After this we need to put the code in that we overwrote at the beginning.

CALL 00401468
PUSH 00403134

Then we will jump to the address after the push command. At address 0040100A

JMP 0040100A

At this point we now have the XOR loop written, the following commands, and a return to
the beginning. However we are not quite done yet. Save your modifications, and set a break
point (f2) after the JLE SHORT command. Now run the program, and it will stop in at the break
point, and the program will now be encoded. Highlight the entire program and again save this file
(backdoor_v3.exe).

The program is now entire encoded except the first few lines, and our code cave. When this is
now ran, it will again, jump to our XOR loop, decode itself, and then proceed to function as it
was written.

This article was written by stdio in reference to a demo preformed by Mati Aharoni (Muts).

Comments

Uber0non July 27 2008 - 10:58:10
Really interesting and very well written. I'm impressed B)
korgon August 19 2008 - 09:15:29
Nice job. I have read most of Mati's articles I have found, He has some interesting topics.
Zephyr_Pureon August 29 2008 - 05:17:11
It's very rare that I say this... but, that was a damn good article. Showed a great deal of technique and knowledge, while keeping it simple.
stdioon August 29 2008 - 18:54:11
Thanks for all the kind replies. However I did manage to stumble across a more detailed paper describing the same process written after mine. Here's the link if interested: http://www.milw0r. . .papers/217
sam207on October 17 2008 - 08:07:53
very nice one... Thanks a lot for this one..
hellboundhackersokon November 08 2008 - 21:28:57
The backdoor program makes McAfee SiteAdvisor turn red. nice job. ahahah
Post Comment

Sorry.

You must have completed the challenge Basic 1 and have 100 points or more, to be able to post.