Hello people. Since I had many people asking me how to hexedit, I decided to write
this little tutorial. I will try to explain how to hexedit your favourite Trojan in order to
make it undetected by certain antivirus programs. I will try to put this as simple as
possible so everyone understands it.
Content:
1. General info about hexediting .
2. What tools you need to get started.
3. How to hex.
-step 1
-step 2
__________________________________________________ ___________________
1. General info about hexediting?
If you want to make your server undetectable, you need to know how AVs work and
how they detect your files, right? There are a few ways that AVs use to detect your
server heuristics, sandboxing, etc., and one of them is using so called "definition files"
that carry information about strings inside your server. Well, that�s the way we�re
going again in this tutorial because hexing is pretty much useless for other methods of
detection. So when AVs scan your files it searches for specific stings on specific parts
in your server, and if strings match with strings in the AV database, your file is
detected.
Let�s say that detected strings are "XX" so we need to change that string to something
else (e.g. "XY","YY") that isn�t in the AV definition database so the file can�t be
matched with any of the AV definitions and that way the file will be undetectable.
There are going to be a few tagged strings in your server - not only one, depending on
what trojan you�re using and how popular is. Less popular trojans tend to have less
tagged parts, and with that they are easier to make it undetectable.
First of all, hexing is not the best method for undetecting files because AVs can
change old tagged parts, and once your AV is updated, new definition files are
downloaded and your once undetected server might become detected again. Also not
all AVs use the same tagged parts - this way you need to hex your server against more
AVs to make it fully undetected. This can be annoying because you need to download
wanted AVs then hex it your server, then download another etc., etc. Sometimes AVs
tag critical parts of the server, and if that part is altered will corrupt the server. Also,
heavily edited servers can become unstable, some functions might not work, or even
you can corrupt your server and make it useless.
That�s why you need to check your server if it�s still working after every single
change you made while hexing it.
Now how to find detected strings in your server?
There are few ways you can do this: Manually cut your server in half adding 00�s to
one half and scanning it until you find the detected string (which is slow and time
consuming); use file splitters like UKSplitter that are going to split your server into
bytes, and after that scan all split files and find out what byte is detected then alter it
in original exe, or you can use an offset finder like AV Devil.
2. What tools we need.
- Unpacked trojan server.
(your favorite trojan server)
- Hex editor.
(I will use Hex WorkShop, you can find it at http://www.hexworkshop.com/)
- Offset finder
(AVDevil, you can find it at www.trojanfrance.com)
3. How to hex:
-Step 1.
Turn your AV real-time protection �OFF� . Make your Trojan server and
make sure that is not packed.
Open AV Devil and select your server. After selecting, the server msg will pop up
click OK, and the next msg will popup asking you to turn your AV real-time
protection back �ON�. After you do that just click "OK" and lets AV Devil
search for detected offsets.
During the search your AV will pop up a couple of times. Just click on "Skip" and let
AV Devil finish.
After its done you will see something like this:
As you can see this Trojan server has only two detected offsets.
That means that first detected offset begins at 53F7 and ends at 5476.
Also you can see where the second offset starts and ends. That�s the part that the AV
is checking in this definition database. If the part in the server matches with part in
AV database your server is detected. You can hex beginning and ending offset or in
between.
Step 2.
Now when we have detected offsets, we open our server in Hex WorkShop. Type
"Ctrl+G" and this will come up:
Type the first offset in, select from �Beginning of File,� and make sure that you
selected "hex," because offsets in AV Devil are displayed in that manner. Unless you
save via AV Devil, then they are converted into a decimal. Click �Go� and you will
be sent to that offset location. Now we need to change that �31� to something else, so
we will change it to �32�.
Select �31� right click to it and select fill.
You will see the window below. In �Fill with the following hex byte� we are going to
fill in �32� and hit OK.
After clicking �OK,� the changed hex byte going to be shown in red.
[slika]http://img377.imageshack.us/img377/876/slika6gy9.jpg[/img]
__________________________________________________ __________________
Now repeat this for every offset that you found in AV Devil.
__________________________________________________ ___________________
Going to change it �FE� to �EE� and so on for all other detected offsets.
Once you�ve completed editing all offsets, save your server and scan if it�s UD, and
then you�re done. If the AV still detecting it, repeat steps 1 and 2.
Here�s a little tip on how to change detected bytes: Try to make minor changes like
32 =>31, 22, 42, 33, 34, or FE =>EE ,FF etc., etc. Basically, one character up/down
for each - that�s the best way and will minimize chances to corrupt your server. If that
doesn�t work for some reason, you can try and change it to something completely
different, but always check your server after editing bytes. That way you can see if the
server works or if it�s corrupted (you can keep track of what change caused the
corruption and you can try and edit that byte with some other character).
Another thing in some Trojans servers is that AV Devil can�t find the beginning of the
first offset and will mark it with �0.� Let�s say you�ve hexed all other found offsets
but your server is still detected. Split the file into half and run AV Devil on the first
half. That way you will be able to find the first offset that is missing and finish your
hexing. If some tagged part is a letter, e.g. �Y� change it to �y� or just PlAy wItH
ThE CaPs.
Ex:
So there you have it! Now you know how to hex your server and make it undetected
from wanted AVs.
(I TAKE NO CREDIT FOR THIS TUTORIAL JUST POSTING!)
