Hexing Malware

Lyecdevf
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
Location: In between life and death.

Post by Lyecdevf »

Credit goes to synsta

Goal: To learn how to hex edit "trojans" or anything else making them UD to AV programs.

Definitions:

UD: Undetected
AV: Anti-Virus
FW: FireWall

*Make sure the program which you are reading this in has WORD WRAP *ON*
*And the word *Click* in the tutorial is written that way so you can easily skim through the tutorial if you would like.
_________________________________

To begin, HexEditing is a difficult and partially effective method used to make "trojans" UD. In some cases this method will not work because the AV has tagged a vital part of the code. There are a few necessities you will need:

Hex Workshop or another hex program (Hex Workshop is used in this tutorial)

Download link: http://www.bpsoft.com/downloads/

Your server is needed (this is what you are hexing)

__________________________________

Ok, let's begin...

1) First open up "Hex Workshop" and *Click* File:Open: Find your server or whatever you are hexing and *Click* it and then *Click* open.

2) In your workfield all the hex values should pop up. Get familiar with the file; look at certain bytes, this will help you understand more.

3) Scroll down to about the middle and *Click* the first offset on the left side. Grab it and drag down; as you drag down do NOT let go or you will have to return and do it again. Keep holding it down until you're at the bottom of the file, offset 1.

4) With half the file highlighted, right *Click* and *Click* Fill. A new window should open; in the textbox, instead of 0 put 00. Then *Click* Ok.

5) What you have just done is cut the file in half. The 00 byte has no value at all; another commonly used byte in hexing is 90, the no-operation byte.

6) Ok, now you have half the file filled with 00's, right? Good... Point your arrow to the left hand corner. *Click* File: Save As. Save the file as 1.exe. Be sure to remember the offset you cut the file at.

7) Go to the directory you saved 1.exe in, right *Click* it and find a tab called Scan It For Viruses with your AV logo beside it. Once it's done scanning, if it is detected that means the detected string is not in the half which you filled with 00's.

_How an AV detects Malware_

An AV program is very powerful; it stops about 98% of common malware from infecting your PC. Our goal, like said earlier, is to be a part of that 2%. An AV, when it scans a file, looks for a string; it could be anywhere in the file. Most likely it is in the most vulnerable spot, so if you aren't careful you could corrupt your server. The detected string is a digital string that is in the database of the AV. Have you ever seen your AV connect to the internet and look for updates? This is your AV downloading new strings that it will later use to defend your computer against malware. That is how a common AV works!

Cool. Ok, let's move on once again. Right now you should have your original server, and the detected half of your server (1.exe). Now in Hex Workshop open up your original server. We are doing this because when the AV detected 1.exe it deleted all the bytes. So now find the offset in the middle which you started at, and pull it down or up again, but this time do not go all the way (cutting it in half). Bring it down or up about 5-10,000 offsets from the middle point. Fill the highlighted area with 00's. Then save the file as Scan.exe, and also save it as scanbackup.exe.

Footnote: The names are examples; you may name them whatever you like, just remember them. Also, I personally record all the offsets I stop and start at in Notepad.

9) Now in the directory you saved Scan.exe, right click it and scan it for viruses once more. If it is still detected then you have not found the offset yet.

How do you know when you find it?
You know that you have found the offset when your AV no longer detects the file. Be sure to remember that if your AV detects the file you scanned it will delete the whole file. This is why you should always keep a backup.

10) Ok, by now you should get the gist of how to find the detected string. Most AVs detect 2-3 strings, though sometimes it could be as little as 2 bytes or as large as 10 strings. Continue until you find the detected strings.....

11) Ahh yes, you have found them. Congratulations!!! Now you're not through quite yet, just a little more to go. You have located the detected strings; now you must edit them ever so slightly to make the file UD and the server still work. Change the numbers around using the fill option explained earlier to do this. If you do it just right and things aren't too different you will have successfully hex edited.
We will either find a way, or make one.
- Hannibal
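The post's "How an AV detects Malware" section describes the simplest form of detection: a scanner looks for fixed byte strings from a signature database anywhere in the file. The following is an added example (not code from the post or from any AV product) of what such a signature engine does, written from the detection side: it reports every signature occurrence with its offset and gives a verdict, with an optional hash-based check in front of the pattern search. The signatures, the sample "file" and the hashes are all constructed for the example; real engines layer heuristics, emulation and behavioural rules on top of this because a bare byte pattern is brittle.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """One entry of a toy signature database: a name and the byte string to look for."""
    name: str
    pattern: bytes


# Constructed toy signature database (these are NOT real AV signatures).
SIGNATURES = [
    Signature("Toy.Marker.A", b"TOYMARKER-A"),
    Signature("Toy.Marker.B", bytes.fromhex("deadbeefcafebabe")),
]

# Constructed sample "file": filler bytes with both markers embedded.
# Layout: 64 x 0x00, marker A (11 bytes), 32 x 0x90 (NOP), marker B, 16 x 0x00.
SAMPLE_FILE = (
    b"\x00" * 64
    + b"TOYMARKER-A"
    + b"\x90" * 32
    + bytes.fromhex("deadbeefcafebabe")
    + b"\x00" * 16
)

# Constructed benign file: a fake header followed by NOP padding, no markers.
CLEAN_FILE = b"MZ" + b"\x90" * 100


def scan_bytes(data: bytes, signatures=SIGNATURES) -> list[tuple[str, int]]:
    """Return (signature name, offset) for every occurrence of every signature in data."""
    hits: list[tuple[str, int]] = []
    for sig in signatures:
        start = 0
        while True:
            idx = data.find(sig.pattern, start)
            if idx == -1:
                break
            hits.append((sig.name, idx))
            start = idx + 1  # keep searching after this hit
    return sorted(hits, key=lambda hit: hit[1])


def sha256_hex(data: bytes) -> str:
    """Whole-file hash, the cheapest check a scanner can run before pattern matching."""
    return hashlib.sha256(data).hexdigest()


def verdict(data: bytes, signatures=SIGNATURES, known_bad_hashes=frozenset()) -> str:
    """Hash lookup first, then byte-pattern scan; 'clean' only if neither fires."""
    if sha256_hex(data) in known_bad_hashes:
        return "detected (hash)"
    if scan_bytes(data, signatures):
        return "detected (signature)"
    return "clean"


if __name__ == "__main__":
    for name, blob in (("SAMPLE_FILE", SAMPLE_FILE), ("CLEAN_FILE", CLEAN_FILE)):
        print(name, verdict(blob), scan_bytes(blob))
```

Running the block prints the verdict and the hit list for both constructed inputs; `scan_bytes` returns the offsets so an analyst can see exactly which region of the file triggered the match, which is the information a real engine uses when it quarantines or reports a sample.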

Panagiotis
forum buddy
Posts: 21
Joined: 26 Apr 2007, 16:00
Location: Cyprus

Post by Panagiotis »

What if when I cut it in half the part I cut was infected and the other half is infected too? I tried it with the SubSeven server but damn, this will take forever :S

Lyecdevf
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
Location: In between life and death.

Post by Lyecdevf »

I am not sure what you are talking about. Besides, use some other RAT than Sub7, as it is detected by most AVs.
We will either find a way, or make one.
- Hannibal
