Tuts 4 You

Clever tricks against antiviruses...

Teddy Rogers


I bet you have come across some software you've made which you didn't want the AV to pick up. This article explains how to import from DLLs without having to call GetProcAddress, and also how to encrypt your data section. Anti-viruses rely heavily on their heuristics if all other (signature) scans fail. The patterns they search for in your executable are the functions being imported and the order in which they are called.

No imports!

Having no import table is relatively easy. There are, however, some functions I haven't imported dynamically but which are very normal in any application (libc functions).

The steps you need to do are:

  • Get the kernel32 module base address. (kernel32.dll is always loaded when the process is started, and so is ntdll.dll)
  • Make your own GetProcAddress
  • Use it to find LoadLibrary’s address, so that you can load other DLLs
  • Make the functions usable in a practical way, so that you don’t have to make a prototype for each of the functions that you will load



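The four steps above, as an added example that is not part of Teddy Rogers' post or of the article it introduces. The first step (reading the module base out of the PEB loader list) only works on a live Windows process, so this code instead builds a constructed, minimal in-memory PE image with a made-up export set and shows steps two and three: a hand-rolled GetProcAddress that walks the export directory by name, by ordinal, or by a ROR-13 hash of the name (the hashing is an added technique common in shellcode loaders, not something the post describes), and that recognises forwarded exports such as kernel32's HeapAlloc, which really is forwarded to ntdll's RtlAllocateHeap. The export names and RVAs (0x1230 and so on) are assumptions for the demo; the header offsets are the real PE layout.

```python
import struct

IMAGE_DOS_SIGNATURE, IMAGE_NT_SIGNATURE = 0x5A4D, 0x00004550       # 'MZ', 'PE\0\0'
DATA_DIR_OFFSET = {0x10B: 96, 0x20B: 112}   # optional-header magic (PE32, PE32+) -> DataDirectory offset

def u16(buf, off): return struct.unpack_from("<H", buf, off)[0]
def u32(buf, off): return struct.unpack_from("<I", buf, off)[0]
def cstr(buf, rva): return buf[rva:buf.index(b"\0", rva)]

def ror13_hash(name):
    """32-bit ROR-13 hash of an export name, so the loader need not carry the string."""
    h = 0
    for c in name:
        h = ((((h >> 13) | (h << 19)) & 0xFFFFFFFF) + c) & 0xFFFFFFFF
    return h

def build_fake_module(exports, pe32plus=False):
    """Constructed in-memory image (not a real DLL): DOS/NT headers plus one export
    directory. A value is an export RVA, or a 'DLL.Name' string for a forwarded export.
    RVAs equal buffer offsets, which is how a mapped module looks to a resolver."""
    nt, exp = 0x40, 0x200
    magic = 0x20B if pe32plus else 0x10B
    dd = nt + 24 + DATA_DIR_OFFSET[magic]            # DataDirectory[0] = export table
    func_order = list(exports)                       # AddressOfFunctions: link order
    names = sorted(exports)                          # AddressOfNames: sorted by the linker
    n_funcs, n_names = len(func_order) + 1, len(names)    # +1 export that has no name
    funcs = exp + 40
    names_tbl = funcs + 4 * n_funcs
    ords = names_tbl + 4 * n_names
    cur = ords + 2 * n_names                         # string pool follows the tables
    img = bytearray(0x2000)
    struct.pack_into("<H", img, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", img, 0x3C, nt)                               # e_lfanew
    struct.pack_into("<I", img, nt, IMAGE_NT_SIGNATURE)
    struct.pack_into("<H", img, nt + 20, 240 if pe32plus else 224)      # SizeOfOptionalHeader
    struct.pack_into("<H", img, nt + 24, magic)
    struct.pack_into("<I", img, funcs + 4 * len(func_order), 0x1F00)    # the nameless export
    for i, n in enumerate(func_order):
        if isinstance(exports[n], str):              # forwarder: RVA points into this section
            struct.pack_into("<I", img, funcs + 4 * i, cur)
            img[cur:cur + len(exports[n])] = exports[n].encode()
            cur += len(exports[n]) + 1
        else:
            struct.pack_into("<I", img, funcs + 4 * i, exports[n])
    for i, n in enumerate(names):
        struct.pack_into("<I", img, names_tbl + 4 * i, cur)
        struct.pack_into("<H", img, ords + 2 * i, func_order.index(n))   # unbiased ordinal
        img[cur:cur + len(n)] = n.encode()
        cur += len(n) + 1
    # IMAGE_EXPORT_DIRECTORY: Characteristics, TimeDateStamp, Major, Minor, Name, Base,
    # NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    struct.pack_into("<IIHHIIIIIII", img, exp, 0, 0, 0, 0, 0, 1,
                     n_funcs, n_names, funcs, names_tbl, ords)
    struct.pack_into("<II", img, dd, exp, cur - exp)
    return bytes(img)

def export_directory(image):
    """MZ -> e_lfanew -> PE -> optional-header magic -> DataDirectory[0]. Checking the
    magic (PE32 vs PE32+) is what lets one resolver serve both x86 and x64 modules."""
    if u16(image, 0) != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ image")
    nt = u32(image, 0x3C)
    if u32(image, nt) != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature")
    dd_off = DATA_DIR_OFFSET.get(u16(image, nt + 24))
    if dd_off is None:
        raise ValueError("unknown optional header magic")
    rva, size = u32(image, nt + 24 + dd_off), u32(image, nt + 28 + dd_off)
    if rva == 0:
        raise ValueError("module exports nothing")
    return rva, size

def my_get_proc_address(image, wanted):
    """Hand-rolled GetProcAddress over a mapped image. `wanted` is a bytes name, a ROR-13
    hash (int >= 0x10000) or an ordinal (int < 0x10000, the real API's HIWORD rule).
    Returns the export RVA, the target string for a forwarded export, or None."""
    exp, size = export_directory(image)
    base, n_funcs, n_names = u32(image, exp + 16), u32(image, exp + 20), u32(image, exp + 24)
    funcs, names, ords = u32(image, exp + 28), u32(image, exp + 32), u32(image, exp + 36)
    index = None
    if isinstance(wanted, int) and wanted < 0x10000:
        index = wanted - base                        # ordinal import: no name-table walk
    else:
        for i in range(n_names):
            name = cstr(image, u32(image, names + 4 * i))
            if name == wanted or (isinstance(wanted, int) and ror13_hash(name) == wanted):
                index = u16(image, ords + 2 * i)     # name index -> function index
                break
    if index is None or not 0 <= index < n_funcs:
        return None
    rva = u32(image, funcs + 4 * index)
    if exp <= rva < exp + size:                      # RVA inside the export section: forwarder
        return cstr(image, rva).decode()
    return rva
```

Calling `my_get_proc_address(build_fake_module({"LoadLibraryA": 0x1230, "HeapAlloc": "NTDLL.RtlAllocateHeap"}), b"LoadLibraryA")` returns 0x1230, while asking for `b"HeapAlloc"` returns the forwarder string instead of an address. Against a real module the walk is identical, with three differences a loader has to handle: the image base comes from the PEB (PEB -> Ldr -> InMemoryOrderModuleList) and every RVA is added to it; a forwarded export means loading the named DLL and resolving again, which is exactly why the post wants LoadLibrary found first; and reading headers of a module that may have been unmapped or relocated is where the exception handling mentioned in the replies comes in.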

Well, no imports is old; dunno if they are the same on XP, Vista and Win7, and again x86 vs x64.

Another thing: on Vista and Win7 you can have shifting DLLs, so you need to handle exceptions when you scan memory.

Such scans can give noticeable slowdowns.

And finally, some AVs today use their own ring0 drivers, so they control Windows and will always notice your work.

Edited by human

Really, this is what Themida has been doing forever.

It's cool, but Themida does it better.

Edited by quosego
