Evading Anti Virus Detection
Evading Anti Virus Detection
- Hiding backdoors and trojans from antivirus software
- General Overview
- Lets get started
- Step - 1
- Step - 2
- Step - 3
Hiding backdoors and trojans from antivirus software
This is a POC on how to evade detection from AV. In this article I will try to guide you through the generic steps needed for this process, and show you by example on a specific back door available. This is a POC and not applicable to modern AV. However, the process for developing your own encoding/decoding scheme, so that this will work, is entirely valid.
Programs used http://www.white-scorpion.nl/programs/backdoor.zip – basic back door http://www.4shared.com/file/32660382/3562d77f/LordPE.html – LordPE http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm – Hex Editor http://www.ollydbg.de/ – ollydbg
General Overview
We are going to start by increasing the file size of our backdoor giving us room of our own to write code in. We will then hijack then entry point of the program, redirect it to our own encoder. This encoder for the POC will XOR the file contents, and then jump back to the original starting place. XOR is a reversible process, so that when saved in this encoded state, the signatures will not match those in the AV database. When ran however, the same XOR loop, will decode the program while in memory where AV does not affect it.
Lets get started
Note: Your addresses might not match mine exactly, so look at the general structure and you will be able to follow along.
Step - 1
Open up backdoor.exe (located in the bin folder) in LordPE. LordPE is a portable executable viewer and editor.
-Click on PE editor to open file
-Click sections in the new window
Here we see 3 sections .text .rdata and .data. For this example we will
select .data. Right click and select edit section header.
-Add 1000 hex bytes to the virtual size and the raw size.
VirtualSize = 00001B4A
RawSize = 00001200
-Click on the (…) next to the flags and set 'Executable as code'. This is where
we will build our encoder/decoder and thus need to have it executed.
-Edit the section header for .text as well to writable (also under
flags)
-Save and close LordPE
Step - 2
If you tried to open your backdoor now you will notice an error indicating it is not a valid Win32 Application. This is because our sizes do no balance. We indicated there were an extra 1000 hex bytes, but have not actually added anything to the program. So we will now pad our program.
-Open it up in XVI32 (or other hex editor of your choice) -Scroll to the end of the file, and this is where we will add our 1000 hex bytes. -Edit > insert (Select Hex String: 00 Insert <n> times - choose hexadecimal $1000)
This inserts our 1000 bytes needed to write our code in. Now save and close the hex editor.
If you were to run the backdoor.exe now, you will notice it does work, but still detected by the antivirus. We have not changed our code, or signature yet.
Step - 3
Ollydbg: I am going to assume you have a basic understanding of what olly is and how to use a few basic features.
–Preparing for our code injection–
Open the back door and first look at a few things. -Address of the entry point -Address of our 1000 hex bytes (you can select an address anywhere in this area)
Copy the first few lines of the backdoor.exe to clipboard, and keep available in notepad for later reference.
Now scroll down to the padded 00 bytes and choose and address where we will inject our encoder. For this example I am going to choose address 00401590.
–Altering the code–
First thing we will need to do now, is hijack the ModuleEntryPoint and redirect it to our section.
JMP 00401590 #This will force the jump from module entry point to our code cave
select this line and save the file. Rightclick > copy to executable > selection. Then save file as backdoor_v2.exe.
Note if you change the file name from the original like I did, go ahead and close the first and open up the altered one.
You will now notice the first two lines of code have changed.
00401000 > $ E9 8B050000 JMP backdoor.00401590 00401005 . 68 34 31 40 00>ASCII "h41@",0
If you step 1 time in this program now you will notice you end on address, 00401590. Now we can begin writing our XOR loop.
MOV EAX, 0040100A # Start of encoding address.
XOR BYTE PTR DS: [EAX], 5E # XOR the contents of EAX with the key 5E
INC EAX # Increase EAX
CMP EAX, 004014EB # Tests to see if we've reached the end of our enc
JLE SHORT 00401595 # If not, jump back to XOR command
After this we need to put the code in that we overwrote at the beginning.
CALL 00401468 PUSH 00403134
Then we will jump to the address after the push command. At address 0040100A
JMP 0040100A
At this point we now have the XOR loop written, the following commands, and a return to the beginning. However we are not quite done yet. Save your modifications, and set a break point (f2) after the JLE SHORT command. Now run the program, and it will stop in at the break point, and the program will now be encoded. Highlight the entire program and again save this file (backdoor_v3.exe).
The program is now entire encoded except the first few lines, and our code cave. When this is now ran, it will again, jump to our XOR loop, decode itself, and then proceed to function as it was written.
This article was written by stdio in reference to a demo preformed by Mati Aharoni (Muts).
korg 16 years ago
Nice job. I have read most of Mati's articles I have found, He has some interesting topics.
ghost 16 years ago
It's very rare that I say this… but, that was a damn good article. Showed a great deal of technique and knowledge, while keeping it simple.
ghost 16 years ago
Thanks for all the kind replies. However I did manage to stumble across a more detailed paper describing the same process written after mine. Here's the link if interested: http://www.milw0rm.com/papers/217
hellboundhackersok 16 years ago
The backdoor program makes McAfee SiteAdvisor turn red. nice job. ahahah