Author Topic: [C] Simple Crypter + Stub  (Read 16476 times)


Offline B1N4RY2.0

  • /dev/null
  • *
  • Posts: 11
  • Cookies: -3
  • These are not the 1s and 0s you are looking for...
Re: [C] Simple Crypter + Stub
« Reply #15 on: August 06, 2015, 03:12:24 pm »
Ye, still shocked that some basic knowledge is all one needs to bypass them. I don't want to imagine what some of the more experienced people could achieve... this shit kicked my paranoia up to a whole new level >.<

That's the problem with signature-based scanning (simple file scanning, for example): all one needs to do is write their own code and payload, if that even (sometimes it's as simple as stripping all the comments out of the code). Heuristic scanning takes it a step further and looks for behaviour in a virtual machine (some decompile and examine the code), but it can't lock out all attempts to, say, hook your keyboard driver, as legitimate applications do this as well. Correct me if I'm wrong, but I believe I've explained it properly :)

The scary shit happens in Ring 0 ;)

Offline Deque

  • P.I.N.N.
  • Global Moderator
  • Overlord
  • *
  • Posts: 1203
  • Cookies: 518
  • Programmer, Malware Analyst
Re: [C] Simple Crypter + Stub
« Reply #16 on: August 08, 2015, 02:46:57 pm »
That's the problem with signature-based scanning (simple file scanning, for example): all one needs to do is write their own code and payload, if that even (sometimes it's as simple as stripping all the comments out of the code)

No one complains that a fork is not really good for eating soup.
Signatures are just one part of the arsenal and should be treated as that. They are not problematic, they are just not suitable for everything.

Heuristic scanning takes it a step further and looks for behavior in a virtual machine

Heuristics and the way you obtain information are completely separate. You may use behavioural information, but you may also use anything else, like the structure of the file, the code, etc. Heuristics just describes how you use the information (see also this article).
What you mean is emulation in a sandbox, which can be and often is combined with heuristics.

(some decompile and examine the code)

Decompilation is done for humans only, computers don't need it. It does not add any information for automatic code examination. So, no, I don't believe that.
« Last Edit: August 08, 2015, 02:47:37 pm by Deque »
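As an added illustration of the distinction Deque draws (this is example code written for this page, not code from the thread or from either poster), here is a toy Python scanner that keeps the three things separate: a signature method (an exact byte match), two information sources (static properties of the file's bytes, and an event list standing in for what a sandbox emulator would report), and a heuristic method that applies weighted rules to whichever information is available. The signature, the sample files and the trace events are all constructed for the example; the keyboard-hook rule is deliberately weighted low because, as the earlier post notes, legitimate software does that too.

```python
import math

# Hypothetical byte signature for the demo only; not a real AV signature
# and not taken from the thread.
SIGNATURES = {"demo.stub": b"STUB-MARKER-v1"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def signature_scan(data: bytes) -> list[str]:
    """Signature method: an exact byte-pattern match and nothing else."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def static_features(data: bytes) -> dict:
    """Information source 1: properties of the file's own bytes."""
    printable = sum(1 for b in data if 32 <= b < 127)
    return {
        "high_entropy": shannon_entropy(data) > 7.0,
        "mostly_printable": bool(data) and printable / len(data) > 0.9,
    }


def ordered_subsequence(trace: list[str], pattern: list[str]) -> bool:
    """True if every event in `pattern` appears in `trace`, in that order."""
    events = iter(trace)
    return all(any(ev == step for ev in events) for step in pattern)


def heuristic_score(static: dict, trace: list[str]) -> tuple[int, list[str]]:
    """Heuristic method: weighted rules applied to whatever information we have.
    `static` comes from the bytes, `trace` from (constructed) sandbox events;
    the rules do not care where the information came from."""
    score, reasons = 0, []
    if static["high_entropy"] and not static["mostly_printable"]:
        score += 2
        reasons.append("packed or encrypted body")
    if ordered_subsequence(trace, ["alloc_exec_memory", "write_memory", "jump_to_memory"]):
        score += 3
        reasons.append("writes to its own memory and then executes it")
    if "hook_keyboard" in trace:
        # Weak evidence on its own: legitimate software installs keyboard hooks too.
        score += 1
        reasons.append("keyboard hook (weak indicator)")
    return score, reasons


def scan(data: bytes, trace: list[str], threshold: int = 3) -> dict:
    """Combine both methods: a signature hit is conclusive, heuristics need a score."""
    hits = signature_scan(data)
    score, reasons = heuristic_score(static_features(data), trace)
    return {
        "signature_hits": hits,
        "heuristic_score": score,
        "reasons": reasons,
        "verdict": "malicious" if hits or score >= threshold else "clean",
    }


# Constructed sample inputs (not real files and not real sandbox output).
SAMPLE_SIGNED = b"MZ" + b"\x00" * 40 + b"STUB-MARKER-v1" + b"\x00" * 40
# Every byte value appears exactly 16 times: entropy 8.0, like an encrypted body.
SAMPLE_PACKED = bytes((i * 73 + (i >> 8) * 31) % 256 for i in range(4096))
SAMPLE_TEXT = b"Hello, this is a plain text configuration file.\n" * 20

TRACE_UNPACKER = ["open_file", "alloc_exec_memory", "write_memory", "jump_to_memory", "connect"]
TRACE_EDITOR = ["open_file", "hook_keyboard", "write_file"]
TRACE_NONE: list[str] = []

if __name__ == "__main__":
    for label, data, trace in [
        ("known stub", SAMPLE_SIGNED, TRACE_NONE),
        ("packed, static only", SAMPLE_PACKED, TRACE_NONE),
        ("packed + sandbox trace", SAMPLE_PACKED, TRACE_UNPACKER),
        ("text editor", SAMPLE_TEXT, TRACE_EDITOR),
    ]:
        print(f"{label:24s} -> {scan(data, trace)}")
```

Running it shows the split the post describes: the signed sample is caught by the signature alone, the packed sample scores only 2 from static information (below the threshold) but 5 once the trace from emulation is added, and the editor that hooks the keyboard stays clean because that single weak rule never reaches the threshold on its own.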

Offline TheWormKill

  • EZ's Scripting Whore
  • Global Moderator
  • Knight
  • *
  • Posts: 257
  • Cookies: 66
  • The Grim Reaper of Worms
Re: [C] Simple Crypter + Stub
« Reply #17 on: August 08, 2015, 03:20:30 pm »
Decompilation is done for humans only, computers don't need it. It does not add any information for automatic code examination. So, no, I don't believe that.
Well, at least some analysis techniques used for decompilation are useful in other contexts, too. For example, a call or control-flow graph might be more useful than raw assembly code. So maybe B1N4RY2.0 meant "obtaining more high-level and thus abstract information" when (s)he said "decompiling".

Anyway, your post was very concise and informative. +1
Stuff I did: How to think like a superuser, Iridium

He should make that "Haskell"
<m0rph-is-gay> fuck you thewormkill you python coding mother fucker

Offline B1N4RY2.0

  • /dev/null
  • *
  • Posts: 11
  • Cookies: -3
  • These are not the 1s and 0s you are looking for...
Re: [C] Simple Crypter + Stub
« Reply #18 on: August 09, 2015, 01:40:47 am »
No one complains that a fork is not really good for eating soup.
Signatures are just one part of the arsenal and should be treated as that. They are not problematic, they are just not suitable for everything.

Never said they in themselves are problematic, just that they can easily be bypassed, which is a problem specific to the task they perform. Nothing more :)

Heuristics and the way you obtain information are completely separate. You may use behavioural information, but you may also use anything else, like the structure of the file, the code, etc. Heuristics just describes how you use the information (see also this article).
What you mean is emulation in a sandbox, which can be and often is combined with heuristics.

I should have expanded upon this with a simple "etc." after behavioural scanning; I didn't mean to imply heuristics was interchangeable with it.

Decompilation is done for humans only, computers don't need it. It does not add any information for automatic code examination. So, no, I don't believe that.

As for this one, I was under the impression some try to decompile the code for further analysis, maybe not?

Offline Deque

  • P.I.N.N.
  • Global Moderator
  • Overlord
  • *
  • Posts: 1203
  • Cookies: 518
  • Programmer, Malware Analyst
Re: [C] Simple Crypter + Stub
« Reply #19 on: August 12, 2015, 07:50:26 am »
As for this one, I was under the impression some try to decompile the code for further analysis, maybe not?

Well, like I said: the code does not contain more information if you decompile it. It is just a better structure for a human to read. Malware analysts will of course decompile code, but I don't see any use for an antivirus product in doing that. It will unpack and analyse code, but the code does not need to be in that human-friendly form to do so.

Offline B1N4RY2.0

  • /dev/null
  • *
  • Posts: 11
  • Cookies: -3
  • These are not the 1s and 0s you are looking for...
Re: [C] Simple Crypter + Stub
« Reply #20 on: August 12, 2015, 02:31:30 pm »
Well, like I said: the code does not contain more information if you decompile it. It is just a better structure for a human to read. Malware analysts will of course decompile code, but I don't see any use for an antivirus product in doing that. It will unpack and analyse code, but the code does not need to be in that human-friendly form to do so.

Ah ya, gotcha. Never really thought about why it would decompile it (talking about the AV itself, not, like you said, for "human" readability). So I'm sure I either misread or mistook something I read lol :D