Jump to content
Tuts 4 You

signatureZero

a_tek7

By a_tek7
in Programming and Coding

Recommended Posts

a_tek7

a_tek7

Posted
  • Author
Posted
I hope you do not mean that application used to hide malware from antivirus by finding the right offsets to manipulate? :X

yes i mean that but If it's against the rules of site No noooooooo, :laugh: and my new question:I saw a movie they hide a trojan but when they find the right offset ,make nop those offset with hexeditor .the problem is that how is it possible to make nop some parts of an exe file and still be a exe file that run correctly?

Link to comment
HVC

HVC

Posted
Posted (edited)

Having seen this video out of plain curiocity,

i think that this techique is all about determining a particular threat's AV signature via heuristics (nullify parts of the code in a planned matter, and watching the AV results, then narrowing up the boundaries till you get the exact location of the signature).

Once the location of the signature is determined, you can't just nop it, you must rewrite that part of the code in a way that will still remain functional, but will screw up AV detection (mess up the signature).

Having said that, it's a really really lame technique (or , more correctly, a technique for lamers). If you have mediocre skills, you can write your own pc pests (please don't) who dont have a known signature, not using anyone elses shiz. :dots:

Edited by HVC
Link to comment
metr0

metr0

Posted
Posted

Just had a nice answer in fast-reply but my sth disrupted my circuit... :/

Like HVC said, you cannot simply put some nop here and some nop there and still expect the file to run like it did before (except being detected by anti-virus engines). You will probably mess some code up, you'd have to analyse the offset such a program gives you.

It seems like signatureZero simply splits the malware into parts and copies them to disk - this is where an engine scans them on-the-fly -, first 100 bytes, then first 200 bytes, then... and increasing the offset. I don't think it's good to talk about such stuff on a reversing board without mentioning counter-measures. Anyway, good av heuristics will probably get the malware in the end if one simply relies on such lame blind overwriting stuff.

I was thinking about writing some essay about malware hiding techniques and what AVs could do against that, but seeing this thread I don't think it would be put to "good" use. :(

Link to comment
a_tek7

a_tek7

Posted
  • Author
Posted
I was thinking about writing some essay about malware hiding techniques and what AVs could do against that, but seeing this thread I don't think it would be put to "good" use. :(

Dear metr0

It was just a question and I think that here is a place for improving our knowledge and asking question from my lovely friends and I didnot mean for learning lame technique to annoy other people.I ask that just for knowledge and not for misusing.I wanted to know about its code and learning it

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Go to topic listing
×
×
  • Create New...