making the keylogger undectable again

skywing · Post by **skywing** » 25 Jan 2008, 17:31

so, i was able to get a keylogger undetectable by kaspersky and AVG (by chaging the keyloggers hex values) until somedays ago, now another string gets detected by AVG, but its a single value, C0, in the middle of mutiple 00, im a newbie so i dont know what to do now, any ideas? heres an image:

Post by **ayu** » 25 Jan 2008, 18:41

Well it's hard to say exactly what "method" AVG is using to detect the files, as in what parts of the files it is using as the signature for it.

You might want to try and "scramble" the file, or add bytes to it to try to make it undetectable again.

Either way, try experimenting with it, like remove that byte that you marked. make backups of the original and play around ^^ that's what i would have done at least.

skywing · Post by **skywing** » 25 Jan 2008, 19:26

when i first started chaging the hex values i only had in mind making it UD for kaspersky, after some weeks I made it undetactable for AVG for "scrambling" the string detected by kaspersky and the one by AVG, now, after some scans this happened, a new string is detected, the "C0", I'm trying to "scramble" but everytime I change "C0" from it place the keylogger no longer works = /

Post by **CommonStray** » 25 Jan 2008, 23:46

have you attempted not using hex and disassembling the keylogger, and perhaps running it in a debug mode so it steps through every line?

skywing · Post by **skywing** » 26 Jan 2008, 03:01

i dont know how to do that...

Post by **Gogeta70** » 26 Jan 2008, 04:25

Download a program called ollydbg and use google to find a tutorial for it.

skywing · Post by **skywing** » 26 Jan 2008, 04:45

i've been using W32dasm the thing is, the "C0" offset is less than 1000, and W32dasm only shows offsets starting at 1000