Sunday, September 16, 2012

Hexing using Dsplit to Hide trojans from antivirus detection

Hello friends. In my previous article, I introduced you to the basics of Hexing to bypass antivirus detection. As a follow-up to that post, I am writing this article to show you how Hexing is actually done using Dsplit. Dsplit is a program used to locate a virus signature. Hexing is very important for us to evade antivirus detection. If you learn how to bypass antivirus by Hexing, you won't have to search for FUD keyloggers and trojans; you can hex the files to make them FUD yourself.

I will be using Dsplit as the virus signature detector and Ice Gold Freezer as the virus here. You can use any other file containing a virus that you want.

Download these two files over here:
1. Avira antivirus (because I've used it in this tutorial).
2. Ice Gold Freezer and the Dsplit.exe program (used for detecting the virus signature).

The downloaded file is zipped and password protected. Click here to get the password.

Hexing Ice Gold Freezer using Dsplit:

First of all, let me tell you that Ice Gold Freezer is detected as "SPR/Tool.Freezer.8" virus (actually malware, as Avira.com says) by the Avira antivirus which I use on my computer. So, I will be telling you how to bypass Avira detection for Ice Gold Freezer. So, let's start.

1. Download Avira antivirus, Dsplit and Ice Gold Freezer from the links provided above. Extract the Dsplit folder to the desktop.

3. Scan the Ice Gold Freezer.exe file you've downloaded with the antivirus. My Avira says it's "SPR/Tool.Freezer.8" malware. So, let's work on it.

4. Copy IceGoldFreezer.exe to the Dsplit folder.

5. Now, open Command Prompt (Start -> Run -> cmd -> OK). Change directory to the Dsplit folder. So, enter

cd "Replace with your path to Dsplit folder"

and hit Enter.


e.g.: Say I have saved Dsplit on the desktop and the path to the Dsplit folder is:
C:\Users\RAJ\Desktop\DSplit-0.2

In the above path, RAJ is my user account name. So, to change directory to the Dsplit folder, I will enter:
cd C:\Users\RAJ\Desktop\DSplit-0.2
in the command prompt so that the prompt moves into the Dsplit folder.

So, find out your path and enter it accordingly. You can refer to the first line in the command prompt image below for more information.

6. Now, type in this command:
dsplit.exe 0 max 1000 IceGoldFreezer.exe

and hit Enter.





What does this command mean? Simple. Dsplit is command line software and takes its arguments in this form:

dsplit.exe startbyte endbyte numberofbytesinbetween target

7. Now, Dsplit.exe will create around 234 files in the current directory. Scan all of these 234 files with Avira antivirus. Avira will detect all files from 8000.exe to 233472.exe as virus. So, there is something (the virus signature) in 8000.exe which is not present in 7000.exe. Thus, 7000.exe lacks the virus signature and hence is not detected by Avira, while 8000.exe has the virus signature.




Delete all files except 7000.exe, 8000.exe, Dsplit.exe and the original IceGoldFreezer.exe.

8. Move on to the command prompt and type this:
dsplit.exe 7000 8000 100 IceGoldFreezer.exe

and you'll get 10 files created in the current directory. Scan all 10 created files with Avira antivirus. Avira will detect all files except 7000.exe and 7100.exe as virus. So, again we can say that there is something (actually the virus signature) in 7200.exe which is not present in 7100.exe. Delete all files except 7100.exe, 7200.exe, Dsplit.exe and IceGoldFreezer.exe.

9. Now, type in the command prompt:
dsplit.exe 7100 7200 10 IceGoldFreezer.exe



and you'll get 10 new files created in the current directory. Scan all 10 files with Avira, and Avira will flag all files except 7100.exe as virus. So, 7110.exe contains the virus signature which 7100.exe doesn't have.

10. Now comes the last step. Type in the command prompt:
dsplit.exe 7100 7110 1 IceGoldFreezer.exe

Again scan all 10 files created with Avira antivirus, and Avira will detect 7108.exe, 7109.exe and 7110.exe as virus. So, 7108.exe contains the virus signature which 7107.exe lacks. Since these two files differ by just 1 byte, this 1 byte is actually the virus signature which is detected by Avira.

So, we have to change this one byte contained in 7108.exe to make it UD from Avira.

Finding the virus definition is important so that we can change the found virus definition and prevent the antivirus from detecting our virus. The section below shows how to change the byte at the virus offset to bypass antivirus detection and make our trojan undetectable by antiviruses.

Make Trojan undetectable:

To change the virus definition we need a hex editor. Hex Workshop is one of the best hex editors I have found.

1. Free download the Hex Editor to make the trojan undetectable.

2. The downloaded file is zipped and password protected. Click here to get the password.

3. Now, install the Hex Editor on your computer.

4. Right click on 7107.exe (obtained from Hexing Part II) and select 'Edit with Hex Workshop'.

5. You will see something like this:




6. Repeat this for 7108.exe.

7. Now, compare both files. You will see that at the end 7108.exe has a byte "00" which 7107.exe does not have. So, we conclude that this "00" is what the antivirus recognizes as the virus. Note its offset. Here, the offset is 0x00001BC3.




8. Now, open the original IceGoldFreezer.exe in Hex Workshop and move to offset 0x00001BC3. Simply select the byte in Hex Workshop corresponding to the virus signature found in Step 6 and hit the space bar.




9. Save the file as IceGoldFreezer.exe and run the antivirus scan again. Avira will not detect any virus. Also, run IceGoldFreezer.exe on the computer. It will run normally, which indicates that we have made it undetectable by Avira antivirus....cheers. We have a FUD freezer.

Update: Many readers had problems implementing this Hexing technique, and hence I have written an article to solve those queries. If you have any problem, refer to my article Hexing Queries Solved for more information.


Now, you can make any trojan undetectable by antivirus using this trojan undetection technique. If you have any problem while using this method to make a trojan undetectable by antiviruses, please mention it in the comments.

Enjoy Dsplit to make trojan FUD... 
Enjoy Hexing to make trojan undetectable from antiviruses... 


