Clever tricks against antiviruses...

[Teddy Rogers]

I bet you have come across some software you’ve made which you didn’t want the AV to pick up. This article explains how to import from DLLs without having to call GetProcAddress, and also how to encrypt your data section. Anti-viruses rely heavily on their heuristics, if all other (signature) scans fail. The patterns they search for in your executable, are the functions being imported, and the order they are being called.

No imports!

Having no import table is relatively easy. There are however some functions I haven’t imported dynamically, but which are very normal in any application (libc functions).

The steps you need to do are:

• Get the kernel32 module base address. (kernel32.dll is always loaded when the process is started, and so is ntdll.dll)
  
• Make your own GetProcAddress
  
• Use it to find LoadLibrary’s address, so that you can load other DLLs
  
• Make the functions usable in a practical way, so that you don’t have to make a prototype for each of the functions that you will load
  

/>http://www.x-n2o.com/clever-tricks-against-antiviruses/

Ted.

[human]

well no import is old, dunno if they are same on xp,vista and win7 and again x86 vs x64.

another thing on vista and win7 you can have shifting dlls. so you need to handle exceptions when you scan memory.

such scans can give noticeable slowdowns.

and finally, some av today use own ring0 drivers, so they control windows and will always notice your work.

Edited April 20, 2010 by human

[quosego]

Really this is what Themida has been doing for forever..

Is cool, but themida does it better.

Edited April 20, 2010 by quosego