Teddy Rogers Posted April 20, 2010

I bet you have come across some software you've made which you didn't want the AV to pick up. This article explains how to import from DLLs without having to call GetProcAddress, and also how to encrypt your data section. Anti-viruses rely heavily on their heuristics if all other (signature) scans fail. The patterns they search for in your executable are the functions being imported and the order they are being called.

No imports!

Having no import table is relatively easy. There are however some functions I haven't imported dynamically, but which are very normal in any application (libc functions).

The steps you need to do are:

1. Get the kernel32 module base address. (kernel32.dll is always loaded when the process is started, and so is ntdll.dll)
2. Make your own GetProcAddress
3. Use it to find LoadLibrary's address, so that you can load other DLLs
4. Make the functions usable in a practical way, so that you don't have to make a prototype for each of the functions that you will load

http://www.x-n2o.com/clever-tricks-against-antiviruses/

Ted.
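The artefact this technique leaves behind is the thing a scanner can look for: a PE whose import directory is empty, or whose only imports are LoadLibrary/GetProcAddress. The scanner below is an added example for this thread (not code from the post or from the linked article; every function name in it is my own): it parses the PE headers, maps the import directory RVA through the section table, walks the descriptors and thunks (PE32 and PE32+), and returns a verdict. Because it has to run offline, it also builds its own minimal PE32 samples in `build_pe32`; those are constructed inputs, not real binaries.

```python
"""Added example: PE import-table scanner that flags the 'no imports' pattern (hypothetical helper names)."""
import struct

IMPORT_DIR_INDEX = 1  # IMAGE_DIRECTORY_ENTRY_IMPORT
# The imports that remain when everything else is resolved by hand.
LOADER_PRIMITIVES = {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"}


def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def _cstr(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii", "replace")


def _rva_to_off(rva, sections):
    # sections: list of (VirtualAddress, SizeOfRawData, PointerToRawData)
    for va, size, raw in sections:
        if va <= rva < va + size:
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def parse_imports(data):
    """Return {dll_name: [function or '#ordinal', ...]} for a PE32/PE32+ file image on disk."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    pe = _u32(data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec, opt_size = _u16(data, pe + 6), _u16(data, pe + 20)
    opt = pe + 24
    pe32plus = _u16(data, opt) == 0x20B
    dd = opt + (112 if pe32plus else 96)  # first data directory entry
    imp_rva = _u32(data, dd + 8 * IMPORT_DIR_INDEX)
    imports = {}
    if imp_rva == 0:
        return imports  # no import directory at all
    sec_base = opt + opt_size
    sections = [(_u32(data, o + 12), _u32(data, o + 16), _u32(data, o + 20))
                for o in range(sec_base, sec_base + 40 * nsec, 40)]
    thunk_size, ord_flag = (8, 1 << 63) if pe32plus else (4, 1 << 31)
    desc = _rva_to_off(imp_rva, sections)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, desc)
        if name_rva == 0:
            break  # all-zero descriptor terminates the table
        funcs, t = [], _rva_to_off(oft or ft, sections)
        while True:
            entry = struct.unpack_from("<Q" if pe32plus else "<I", data, t)[0]
            if entry == 0:
                break
            if entry & ord_flag:
                funcs.append(f"#{entry & 0xFFFF}")
            else:  # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the NUL-terminated name
                funcs.append(_cstr(data, _rva_to_off(entry, sections) + 2))
            t += thunk_size
        imports[_cstr(data, _rva_to_off(name_rva, sections)).lower()] = funcs
        desc += 20
    return imports


def classify(imports):
    """Heuristic verdict on the import table a hand-rolled resolver leaves behind."""
    names = {f for fs in imports.values() for f in fs}
    if not names:
        return "suspicious: no import table"
    if names <= LOADER_PRIMITIVES:
        return "suspicious: only dynamic-loading primitives imported"
    return "normal"


def build_pe32(dll_imports):
    """Constructed sample input: a minimal PE32 whose single section holds the import table."""
    SEC_VA, SEC_RAW = 0x1000, 0x200
    body = bytearray(20 * (len(dll_imports) + 1))  # descriptors plus terminator, filled below
    descs = []
    for dll, funcs in dll_imports.items():
        name_rva = SEC_VA + len(body)
        body += dll.encode() + b"\0"
        hint_rvas = []
        for f in funcs:
            body += b"\0" * (len(body) % 2)  # hint/name entries are WORD-aligned
            hint_rvas.append(SEC_VA + len(body))
            body += b"\0\0" + f.encode() + b"\0"
        body += b"\0" * (-len(body) % 4)
        thunk_rva = SEC_VA + len(body)
        body += b"".join(struct.pack("<I", r) for r in hint_rvas) + b"\0\0\0\0"
        descs.append((thunk_rva, name_rva, thunk_rva))
    for i, (oft, name_rva, ft) in enumerate(descs):
        struct.pack_into("<5I", body, 20 * i, oft, 0, 0, name_rva, ft)
    imp_rva, imp_size = (SEC_VA, 20 * len(descs) + 20) if descs else (0, 0)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, one section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMPORT_DIR_INDEX, imp_rva, imp_size)
    sec = struct.pack("<8sIIIIIIHHI", b".idata", len(body), SEC_VA, len(body),
                      SEC_RAW, 0, 0, 0, 0, 0x40000040)
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + sec
    return hdr + b"\0" * (SEC_RAW - len(hdr)) + bytes(body)


if __name__ == "__main__":
    for label, sample in [("normal", {"kernel32.dll": ["CreateFileW"], "user32.dll": ["MessageBoxA"]}),
                          ("minimal", {"kernel32.dll": ["LoadLibraryA", "GetProcAddress"]}),
                          ("none", {})]:
        print(label, "->", classify(parse_imports(build_pe32(sample))))
```

To scan a real file, pass `open(path, "rb").read()` to `parse_imports` and feed the result to `classify`. The verdicts are heuristics, not proof: packed or statically linked binaries can also show a near-empty import table, which is exactly why an engine combines this signal with others rather than acting on it alone.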
human Posted April 20, 2010 (edited)

Well, no import is old. Dunno if they are the same on XP, Vista and Win7, and again x86 vs x64. Another thing: on Vista and Win7 you can have shifting DLLs, so you need to handle exceptions when you scan memory. Such scans can give noticeable slowdowns. And finally, some AV today use their own ring0 drivers, so they control Windows and will always notice your work.

Edited April 20, 2010 by human
quosego Posted April 20, 2010 (edited)

Really, this is what Themida has been doing forever... It's cool, but Themida does it better.

Edited April 20, 2010 by quosego