How to Make a Trojan,Keyloggers,Virus Undetectable by Antivirus Software-Hex Editing
I've been writing a lot about keylogging on this blog. Now as you know, most of the keyloggers are detected by anti-virus softwares, so what you really want is a FUD Keylogger (Fully Undetactable). That means no anti-virus software will alrert the victim saying its a virus. There are very few FUD Keyloggers on web and the most of the time you need to buy a keylogger that will be FUD for a long time. They normally cost about 3$-20$, depending on the functions of the Builder.
Since the FUD keyloggers cost money, i decided to show you how to make them undetectable for free, using hexediting method.
Here I will try to explain how to hexedit your favorite Trojan in order to make it undetected by certain anti-virus programs. I will try to put this as simple as possible so everyone understands it.
Content:
General info about hexediting
If you want to make your server undetectable, you need to know how AVs work and how they detect your files, right? There are a few ways that AVs use to detect your server heuristics, sandboxing, etc., and one of them is using so called "definition files" that carry information about strings inside your server. Well, that's the way we are going again in this tutorial because hexing is pretty much useless for other methods of detection. So when AVs scan your files it searches for specific stings on specific parts in your server, and if strings match with strings in the AV database, your file is detected.
Let as say that detected strings are "XX" so we need to change that string to something else (e.g. "XY","YY") that isn't in the AV definition database so the file can not be matched with any of the AV definitions and that way the file will be undetectable. There are going to be a few tagged strings in your server - not only one, depending on what trojan you are using and how popular is. Less popular trojans tend to have less tagged parts, and with that they are easier to make it undetectable.
First of all, hexing is not the best method for undetecting files because AVs can change old tagged parts, and once your AV is updated, new definition files are downloaded and your once undetected server might become detected again. Also not all AVs use the same tagged parts - this way you need to hex your server against more AVs to make it fully undetected. This can be annoying because you need to download wanted AVs then hex it your server, then download another etc., etc. Sometimes AVs tag critical parts of the server, and if that part is altered will corrupt the server. Also, heavily edited servers can become unstable, some functions might not work, or even you can corrupt your server and make it useless.
That's why you need to check your server if its still working after every single change you made while hexing it.
Now how to find detected strings in your server?
There are few ways you can do this: Manually cut your server in half adding parts to one half and scanning it until you find the detected string (which is slow and time consuming); use file splitters to split your server into bytes, and after that scan all split files and find out what byte is detected then alter it in original exe, or you can use an offset AV .
What tools you need to get started
Since the FUD keyloggers cost money, i decided to show you how to make them undetectable for free, using hexediting method.
Here I will try to explain how to hexedit your favorite Trojan in order to make it undetected by certain anti-virus programs. I will try to put this as simple as possible so everyone understands it.
Content:
- General info about hexediting .
- What tools you need to get started.
- How to hex.
General info about hexediting
If you want to make your server undetectable, you need to know how AVs work and how they detect your files, right? There are a few ways that AVs use to detect your server heuristics, sandboxing, etc., and one of them is using so called "definition files" that carry information about strings inside your server. Well, that's the way we are going again in this tutorial because hexing is pretty much useless for other methods of detection. So when AVs scan your files it searches for specific stings on specific parts in your server, and if strings match with strings in the AV database, your file is detected.
Let as say that detected strings are "XX" so we need to change that string to something else (e.g. "XY","YY") that isn't in the AV definition database so the file can not be matched with any of the AV definitions and that way the file will be undetectable. There are going to be a few tagged strings in your server - not only one, depending on what trojan you are using and how popular is. Less popular trojans tend to have less tagged parts, and with that they are easier to make it undetectable.
First of all, hexing is not the best method for undetecting files because AVs can change old tagged parts, and once your AV is updated, new definition files are downloaded and your once undetected server might become detected again. Also not all AVs use the same tagged parts - this way you need to hex your server against more AVs to make it fully undetected. This can be annoying because you need to download wanted AVs then hex it your server, then download another etc., etc. Sometimes AVs tag critical parts of the server, and if that part is altered will corrupt the server. Also, heavily edited servers can become unstable, some functions might not work, or even you can corrupt your server and make it useless.
That's why you need to check your server if its still working after every single change you made while hexing it.
Now how to find detected strings in your server?
There are few ways you can do this: Manually cut your server in half adding parts to one half and scanning it until you find the detected string (which is slow and time consuming); use file splitters to split your server into bytes, and after that scan all split files and find out what byte is detected then alter it in original exe, or you can use an offset AV .
What tools you need to get started
- Unpacked trojan/keylogger server. (That's your virus)
- Hex editor > Download
- Av devil > Download
- File Splitter > Download(Optional)
- AV-antivirus
How to hex
-Step 1.
Turn your AV real-time protection â***65533;***65533;OFFâ***65533;***65533; . Make your Trojan server and
make sure that is not packed.
Open AV Devil and select your server. After selecting, the server msg will pop up
click OK, and the next msg will popup asking you to turn your AV real-time
protection back â***65533;***65533;ONâ***65533;***65533;. After you do that just click "OK" and lets AV Devil
search for detected offsets.
During the search your AV will pop up a couple of times. Just click on "Skip" and let
AV Devil finish.
After its done you will see something like this:
As you can see this Trojan server has only two detected offsets.
That means that first detected offset begins at 53F7 and ends at 5476.
Also you can see where the second offset starts and ends. Thatâ***65533;***65533;s the part that the AV
is checking in this definition database. If the part in the server matches with part in
AV database your server is detected. You can hex beginning and ending offset or in
between.
Step 2.
Now when we have detected offsets, we open our server in Hex WorkShop. Type
"Ctrl+G" and this will come up:
Type the first offset in, select from â***65533;***65533;Beginning of File,â***65533;***65533; and make sure that you
selected "hex," because offsets in AV Devil are displayed in that manner. Unless you
save via AV Devil, then they are converted into a decimal. Click â***65533;***65533;Goâ***65533;***65533; and you will
be sent to that offset location. Now we need to change that â***65533;***65533;31â***65533;***65533; to something else, so
we will change it to â***65533;***65533;32â***65533;***65533;.
Select â***65533;***65533;31â***65533;***65533; right click to it and select fill.
You will see the window below. In â***65533;***65533;Fill with the following hex byteâ***65533;***65533; we are going to
fill in â***65533;***65533;32â***65533;***65533; and hit OK.
After clicking â***65533;***65533;OK,â***65533;***65533; the changed hex byte going to be shown in red.
[slika]http://img377.imageshack.us/img377/876/slika6gy9.jpg[/img]
__________________________________________________ __________________
Now repeat this for every offset that you found in AV Devil.
__________________________________________________ ___________________
Going to change it â***65533;***65533;FEâ***65533;***65533; to â***65533;***65533;EEâ***65533;***65533; and so on for all other detected offsets.
Once youâ***65533;***65533;ve completed editing all offsets, save your server and scan if itâ***65533;***65533;s UD, and
then youâ***65533;***65533;re done. If the AV still detecting it, repeat steps 1 and 2.
Hereâ***65533;***65533;s a little tip on how to change detected bytes: Try to make minor changes like
32 =>31, 22, 42, 33, 34, or FE =>EE ,FF etc., etc. Basically, one character up/down
for each - thatâ***65533;***65533;s the best way and will minimize chances to corrupt your server. If that
doesnâ***65533;***65533;t work for some reason, you can try and change it to something completely
different, but always check your server after editing bytes. That way you can see if the
server works or if itâ***65533;***65533;s corrupted (you can keep track of what change caused the
corruption and you can try and edit that byte with some other character).
Another thing in some Trojans servers is that AV Devil canâ***65533;***65533;t find the beginning of the
first offset and will mark it with â***65533;***65533;0.â***65533;***65533; Letâ***65533;***65533;s say youâ***65533;***65533;ve hexed all other found offsets
but your server is still detected. Split the file into half and run AV Devil on the first
half. That way you will be able to find the first offset that is missing and finish your
hexing. If some tagged part is a letter, e.g. â***65533;***65533;Yâ***65533;***65533; change it to â***65533;***65533;yâ***65533;***65533; or just PlAy wItH
ThE CaPs.
Ex:
So there you have it! Now you know how to hex your server and make it undetected
from wanted AVs.
Turn your AV real-time protection â***65533;***65533;OFFâ***65533;***65533; . Make your Trojan server and
make sure that is not packed.
Open AV Devil and select your server. After selecting, the server msg will pop up
click OK, and the next msg will popup asking you to turn your AV real-time
protection back â***65533;***65533;ONâ***65533;***65533;. After you do that just click "OK" and lets AV Devil
search for detected offsets.
During the search your AV will pop up a couple of times. Just click on "Skip" and let
AV Devil finish.
After its done you will see something like this:
As you can see this Trojan server has only two detected offsets.
That means that first detected offset begins at 53F7 and ends at 5476.
Also you can see where the second offset starts and ends. Thatâ***65533;***65533;s the part that the AV
is checking in this definition database. If the part in the server matches with part in
AV database your server is detected. You can hex beginning and ending offset or in
between.
Step 2.
Now when we have detected offsets, we open our server in Hex WorkShop. Type
"Ctrl+G" and this will come up:
Type the first offset in, select from â***65533;***65533;Beginning of File,â***65533;***65533; and make sure that you
selected "hex," because offsets in AV Devil are displayed in that manner. Unless you
save via AV Devil, then they are converted into a decimal. Click â***65533;***65533;Goâ***65533;***65533; and you will
be sent to that offset location. Now we need to change that â***65533;***65533;31â***65533;***65533; to something else, so
we will change it to â***65533;***65533;32â***65533;***65533;.
Select â***65533;***65533;31â***65533;***65533; right click to it and select fill.
You will see the window below. In â***65533;***65533;Fill with the following hex byteâ***65533;***65533; we are going to
fill in â***65533;***65533;32â***65533;***65533; and hit OK.
After clicking â***65533;***65533;OK,â***65533;***65533; the changed hex byte going to be shown in red.
[slika]http://img377.imageshack.us/img377/876/slika6gy9.jpg[/img]
__________________________________________________ __________________
Now repeat this for every offset that you found in AV Devil.
__________________________________________________ ___________________
Going to change it â***65533;***65533;FEâ***65533;***65533; to â***65533;***65533;EEâ***65533;***65533; and so on for all other detected offsets.
Once youâ***65533;***65533;ve completed editing all offsets, save your server and scan if itâ***65533;***65533;s UD, and
then youâ***65533;***65533;re done. If the AV still detecting it, repeat steps 1 and 2.
Hereâ***65533;***65533;s a little tip on how to change detected bytes: Try to make minor changes like
32 =>31, 22, 42, 33, 34, or FE =>EE ,FF etc., etc. Basically, one character up/down
for each - thatâ***65533;***65533;s the best way and will minimize chances to corrupt your server. If that
doesnâ***65533;***65533;t work for some reason, you can try and change it to something completely
different, but always check your server after editing bytes. That way you can see if the
server works or if itâ***65533;***65533;s corrupted (you can keep track of what change caused the
corruption and you can try and edit that byte with some other character).
Another thing in some Trojans servers is that AV Devil canâ***65533;***65533;t find the beginning of the
first offset and will mark it with â***65533;***65533;0.â***65533;***65533; Letâ***65533;***65533;s say youâ***65533;***65533;ve hexed all other found offsets
but your server is still detected. Split the file into half and run AV Devil on the first
half. That way you will be able to find the first offset that is missing and finish your
hexing. If some tagged part is a letter, e.g. â***65533;***65533;Yâ***65533;***65533; change it to â***65533;***65533;yâ***65533;***65533; or just PlAy wItH
ThE CaPs.
Ex:
So there you have it! Now you know how to hex your server and make it undetected
from wanted AVs.
No comments:
Post a Comment