Changing the Pe-File Entry-Point to avoid anti-virus detection
A little draft by Delikon / ich[at]delikon.de / www.delikon.de
8.3.2004
needed tools:
-a PE file editor, for example procdump32
-a debugger (I use OllyDbg here)
-a program which is detected by an AV. I use here a trojan called Optix Pro (www.evileyesoftware.com)
-pencil and paper ;)
First of all:
If you read something here which is incorrect, please feel free to write me a mail.
You will find this draft and the trojan with the new EP at
www.delikon.de/zips/EP-changing.zip
Now we start working:
A virus scanner cannot scan every file for every virus pattern in its database, so it
must find some characteristics to minimize the number of patterns it has to try.
So, in my opinion, the scanner uses the entry point of a file and the file size.
What will happen if we change the entry point?
1)
Let us have a look at the server of Optix Pro.
My virus scanner says after scanning it:
Now we start Optix in our debugger.
We see the entry point of the file is at 0x9A84C + base 0x00400000 = 0x0049A84C.
After this small code section there is a lot of space to put your own code.
Now we have to put some lines of code into this empty space, where we will later point
our new entry point.
But how should this code look?
The easiest way is to put a jump to 0x0049A84C there.
But this is too simple; every AV will notice this simple trick.
But what if we jump around in the code to get to the address we want?
Now let me explain this simple asm code.
Push ebp
Mov ebp,esp          //standard stack frame build
Sub esp,4            //make space for the push of 4 bytes
Push 0x0049A84C      //push the 4 bytes of the old entry point on the stack
Mov eax,0x11223344   //this is the address of a return instruction (I explain it later)
Jmp eax              //jump to this return instruction
The return instruction pops one address off the stack and jumps (returns) to this address.
Browse through the code for the address of such an instruction; I use the one at
0x0049A114.
Our asm code will now look like this:
Push ebp
Mov ebp,esp          //standard stack frame build
Sub esp,4            //make space for the push of 4 bytes
Push 0x0049A84C      //push the 4 bytes of the old entry point on the stack
Mov eax,0x0049A114   //this is the address of the return instruction found above
Jmp eax              //jump to this return instruction
This is the simplest way to jump back to the old EP.
You can also fill this code with some fake instructions, to avoid detection.
2) Now edit the exe file with OllyDbg like this:
go to a line with 0000
press “space” and type in the asm code
after you have typed in the whole asm code, save the changes with a right click.
after that a window will pop up; select “all modifications” there
then select this with a right click:
choose a file name and save it.
3)
Now we have to change the old entry point to point into your code.
Notice: your code was at 0x0049A8D0
Now start procdump32 and open your new file:
This is the old EP; now type in the new EP and save it.
Now check it with your antivirus scanner; for me it works well ;-)
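A check from the defender's side, added here and not part of the draft: the patch described above leaves the entry point pointing past the code section's VirtualSize into file padding, which a scanner or triage script can flag by parsing the PE headers. The section sizes and the `build_pe32` helper are constructed for the test; only the image base and the two entry-point addresses come from the draft.

```python
import struct
from collections import namedtuple
Section = namedtuple("Section", "name va vsize rawsize chars")

def parse_pe32(data):
    """Return (AddressOfEntryPoint, ImageBase, [Section]) from PE32 header bytes."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew: offset of "PE\0\0"
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, = struct.unpack_from("<H", data, pe + 6)          # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)     # SizeOfOptionalHeader
    opt = pe + 24                                           # optional header follows COFF header
    ep, = struct.unpack_from("<I", data, opt + 16)          # AddressOfEntryPoint (RVA)
    base, = struct.unpack_from("<I", data, opt + 28)        # ImageBase (PE32 layout)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + i * 40                       # 40-byte IMAGE_SECTION_HEADER
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize = struct.unpack_from("<III", data, off + 8)
        chars, = struct.unpack_from("<I", data, off + 36)
        sections.append(Section(name, va, vsize, rawsize, chars))
    return ep, base, sections

def entry_point_findings(data):
    """Locate the entry point and report the classic signs of EP tampering."""
    ep, _base, sections = parse_pe32(data)
    for s in sections:
        if s.va <= ep < s.va + max(s.vsize, s.rawsize):
            findings = []
            if not s.chars & 0x20000000:                    # IMAGE_SCN_MEM_EXECUTE
                findings.append("entry point in non-executable section")
            if ep >= s.va + s.vsize:                        # past the linked code, in file padding
                findings.append("entry point in section slack past VirtualSize")
            return s.name, findings
    return None, ["entry point outside every section"]

def build_pe32(entry_point, sections):
    # Constructed minimal PE32 header (headers only, no code) for exercising the checks.
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0); struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point); struct.pack_into("<I", opt, 28, 0x400000)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", s.name.encode().ljust(8, b"\0"), s.vsize,
                                s.va, s.rawsize, 0, 0, 0, 0, 0, s.chars) for s in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs

# Constructed layout modelled on the draft (section sizes are assumptions): base 0x400000,
# original EP 0x9A84C inside CODE, patched EP 0x9A8D0 in CODE's padding past VirtualSize.
CODE = Section("CODE", 0x1000, 0x99880, 0x99A00, 0x60000020)
DATA = Section("DATA", 0x9B000, 0x1000, 0x1000, 0xC0000040)
ORIGINAL = build_pe32(0x9A84C, [CODE, DATA])
PATCHED = build_pe32(0x9A8D0, [CODE, DATA])
```

Running `entry_point_findings` on a real file only needs the header bytes, so reading the first 4 KB of a sample is enough for this check.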