Make File Undetectable
So, I wanted to backdoor one of my friends' PCs. Netcat is a great tool that helps in accomplishing the task.
But unfortunately, he has Malwarebytes installed on his PC. When I tried, smart Malwarebytes gave an alert saying "Hacking.Backdoor".
Then he smiled and said he keeps Malwarebytes updated to escape backdoor trojan attacks. And I was silent.
Now here is what I did...
I downloaded Malwarebytes, updated it, and scanned "nc.exe" with it. As expected, it gave the alert.
Now I opened "nc.exe" with a hex editor. But why?
Generally, antivirus and anti-malware products check files for known signatures and flag a file as a virus when one matches. Signatures are certain blocks of code, or may even be an exact copy of the virus code.
Now with that in mind, if I can somehow find the signature in "nc.exe" that Malwarebytes uses to flag it as a hacktool, my work is done.
So I opened it up. This won't apply to all antivirus products, but anyhow you get the general idea, because my target was to prove to him:
"If someone is THE CHOSEN ONE, he is not safe even with the latest updated antivirus."
In general, this is trial and error, which needs patience. You need to find the last offset from the hexdump and divide it by 2.
Logically thinking, you are splitting the code into two parts. Now that I have the hex value of the point that divides "nc.exe", I selected the whole part from the middle to the bottom, right-clicked and chose fill with 0, and saved it. It will ask to save a backup; CLICK ON YES.
Now scan nc.exe, and whoops, it's no longer a hacktool. But here is the problem: we now have only half of the code, which won't run. So now we know that the signature is somewhere between the mid-point hex value and the last offset.
Keep a note of the hex values that you are editing. Now delete "nc.exe"; in the same folder there will be a backup of the original named "nc.BAK". Rename it to nc.exe, and once again keep selecting blocks until you find the one that triggers the alert on an AV scan.
Once you get an alert, this means the last selection was the signature used by the virus scanner to detect it as a virus.
I usually go this way:
1. 1/2 >> replace the second half with 0's >> scan. If not detected, the signature is here and needs to be found; else the signature is in the first half.
2. 1/4 >> replace the fourth quarter with 0's >> scan. If not detected, it is here; else it is in the third quarter. And I keep going.
Notice that with this method, sometimes you will find that you have exhausted all the hex values, and the last hex value you replace with 0 makes it undetectable. This means a minor change in the file will make it undetectable, which is what happened in the case of Malwarebytes.
You should not change any value if you don't know what you are changing. Then we probably need to take the help of another tool, 'OllyDbg',
which I won't discuss in this post.
Anyway, most exe files have a useless line that has nothing to do with the virus or trojan code:
"!This program cannot be run in DOS mode"
I replaced the hex value of the 'H' with '00', saved it, and scanned it again, and voila, Malwarebytes says: No Malicious Software Found.
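The lesson for anyone writing detections is that a signature anchored in the DOS stub (or any other bytes that do not matter to the program) is brittle: one byte flipped to 0x00 and the match is gone. The script below is an added example, not code from the post; it builds a constructed toy PE image (the DOS header, stub text, "PE\0\0" signature, COFF header and one .text section, with no real code in it), parses the section table, and contrasts a stub-anchored byte pattern with a fingerprint over the section contents. The names brittle_match, robust_match, zero_stub_byte and the sample bytes are all invented for the example.

```python
import hashlib
import struct

STUB_TEXT = b"!This program cannot be run in DOS mode.\r\n$"


def build_sample_pe() -> bytes:
    """Constructed toy PE image for the demo: not a runnable program."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    pe_offset = 64 + len(STUB_TEXT)
    struct.pack_into("<I", dos_header, 0x3C, pe_offset)  # e_lfanew
    text_data = bytes(range(256)) * 2  # stand-in for the code section
    num_sections, size_of_optional = 1, 0  # no optional header in the toy
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0, size_of_optional, 0x0102)
    table_offset = pe_offset + 4 + 20 + size_of_optional
    raw_ptr = table_offset + 40 * num_sections
    # IMAGE_SECTION_HEADER for .text, pointing at the data appended below
    section_hdr = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", len(text_data), 0x1000,
                              len(text_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return bytes(dos_header) + STUB_TEXT + b"PE\0\0" + coff + section_hdr + text_data


def parse_sections(data: bytes) -> dict:
    """Return {section name: raw bytes} by walking the PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    num_sections = struct.unpack_from("<H", data, pe_offset + 6)[0]
    size_of_optional = struct.unpack_from("<H", data, pe_offset + 20)[0]
    table = pe_offset + 24 + size_of_optional
    sections = {}
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = data[raw_ptr:raw_ptr + raw_size]
    return sections


# Brittle detection: a byte pattern that begins inside the DOS stub text.
BRITTLE_PATTERN = b"This program cannot be run in DOS mode.\r\n$PE\0\0"


def brittle_match(data: bytes) -> bool:
    return BRITTLE_PATTERN in data


def section_fingerprints(data: bytes) -> dict:
    """SHA-256 of each section's raw bytes; the stub is not part of any section."""
    return {name: hashlib.sha256(body).hexdigest() for name, body in parse_sections(data).items()}


def robust_match(data: bytes, known_text_sha256: str) -> bool:
    """Detection keyed to the .text contents rather than to header filler."""
    return section_fingerprints(data).get(".text") == known_text_sha256


def zero_stub_byte(data: bytes) -> bytes:
    """The one-byte edit the post describes (it says 'H'; the 'h' of 'This' is used here)."""
    idx = data.index(STUB_TEXT) + STUB_TEXT.index(b"h")
    return data[:idx] + b"\x00" + data[idx + 1:]


if __name__ == "__main__":
    original = build_sample_pe()
    edited = zero_stub_byte(original)
    known = section_fingerprints(original)[".text"]
    print("brittle, original:", brittle_match(original))   # True
    print("brittle, edited:  ", brittle_match(edited))     # False
    print("robust,  original:", robust_match(original, known))  # True
    print("robust,  edited:  ", robust_match(edited, known))    # True
```

The section hash is deliberately the simplest robust alternative; a real engine would fingerprint code at a finer grain (imports, function bodies, behaviour) so that a single byte change anywhere in .text does not also break the match. The point the toy makes is only that the bytes a detection anchors on should be bytes the program actually needs.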
So this is how a virus can escape an antivirus and be made UD (undetectable).
And I successfully backdoored my friend's PC, leaving a doc there: "I was there in his PC".
Hope this was informative.
Comments:

It's 'OllyDbg' btw :)

Thanks Partha, I do sometimes make these kinds of typos.. Updated.. :)

How can one come to know which hex value has to be edited?
Is there any trick???
Please guide...
Thanks in advance :)

@Stifler, this post about hex editing is one part of reverse engineering.... If you are not familiar with cracking, this would be a little tough for you to understand. Anyhow, to answer your question, there is another tool, "OllyDbg", with which one can know which hex value is not in use and edit accordingly..