Topic: [Question] Assembly Ghostwriting - Problem

Exon
[Question] Assembly Ghostwriting - Problem
« on: April 20, 2012, 01:26:21 am »
OK, so here's my problem. I'm trying to make a RAT undetected by Avira with Assembly Ghostwriting using Hex Workshop; problem is, the virus signature that Avast detected seems to be the file padding(?).

-> The highlighted part is the virus signature detected (by heuristics) as Crypted (suspicious, not as a threat)!
-> Only the very last byte of the executable got detected as a Backdoor (by static binary analysis) (threat)!
         -> In this case that would be hex value 44 or the


Now this seems very strange to me, first because what has been detected seems to be the padding which, AFAIK, is empty code (or is it?), and secondly because only the very last byte got detected as a trojan.

I tried changing the padding (which I'm not even sure is a string or not) to lowercase to change the hex code and spoof the AV; didn't work. Also tried deleting all of the highlighted hex code and executing it, but it told me that it was an invalid Win32 executable.

Anybody got any ideas?

Thanks!

ca0s
Re: [Question] Assembly Ghostwriting - Problem
« Reply #1 on: April 20, 2012, 09:42:17 am »
It's been a while since the last time I saw someone trying to FUD something by randomly changing its content with a hex editor.
Open it with a debugger and try to see what is happening there. It may not be code, but some PE structures or even RAT internal data.
If it is code, just put a breakpoint there and let it run. If it is data, put a memory breakpoint and see what is reading from there and why.

Exon
Re: [Question] Assembly Ghostwriting - Problem
« Reply #2 on: April 21, 2012, 04:00:52 am »
I'm not randomly changing content. The executable was split with each file being 1 byte bigger than the last. All of them were scanned, showing me at which byte the AV starts detecting the signature. The highlighted part is the signature the AV is detecting with static binary analysis, and that's what I'm trying to change. Already got it to work though! :D

ca0s
Re: [Question] Assembly Ghostwriting - Problem
« Reply #3 on: April 21, 2012, 11:51:50 am »
And when you find which part of the executable is being detected, what do you put in its place, if I can know?

s3my0n
Re: [Question] Assembly Ghostwriting - Problem
« Reply #4 on: April 21, 2012, 09:45:49 pm »
Please tell us how you accomplished it :)

redblack
Re: [Question] Assembly Ghostwriting - Problem
« Reply #5 on: April 22, 2012, 07:55:06 am »
Pay attention to some APIs like GetSystemDirectory and URLDownloadToFile.
I'm also struggling with Avira's aggressive heuristics...

Exon
Re: [Question] Assembly Ghostwriting - Problem
« Reply #6 on: April 23, 2012, 03:29:03 pm »
That depends on what is being found. If it's a simple string, try re-writing it to lowercase:

e.g.:

Detected: DDOSYNFLOOD
Undetected: ddosynflood

Problem is, if the detected part is, for example, in the code section, changing the hex code will probably break your program.