Wednesday, April 21, 2010

PE code injection part 3

A very good post on http://www.x-n2o.com/clever-tricks-against-antiviruses/, clever tricks against antivirus. Inside the post there is a main topic, "No imports!". Even though it's not new concept it's very nice explained with code examples. The same is done from different commercial packers eg. Themida for a very long time now.

Tuesday, April 20, 2010

Windbg and malware

From the presentation of Mark Russinovich on malware cleaning, he pointed out a very nice way to clear possible kernel patches ( malware with rootkit behavior ) that are hijacking the system.

From the help file,

The !chkimg extension detects corruption in the images of executable files by comparing them to the copy on a symbol store or other file repository.

Using the command in the debugger with the following form we can observe the patches, or mismatched areas according to the symbols:
lkd> !chkimg -d nt
and clearing the patches from the system can be done easily with the following command:
lkd> !chkimg -f nt

More to come

Friday, April 16, 2010

PE code injection part 2

Looking for code injection and trying to add sections on PE, i found a very nice work done by KOrUPt ( http://korupt.co.uk/?cat=6 ) he has already implement a very nice injector that you can download with the source code at http://korupt.co.uk/KInfect2.rar the only piece missing is a custom stub. His improved version is the kcrypter2 available in forums.

Friday, April 9, 2010

PE code injection

Trying for awhile now to achieve 0 detection from antivirus engines, i believe the only solution is to move to manual encryption of the exe file or use a commercial cryptor. The problem with most packers/cryptors/protectors is that they are already considered as suspicious from the avs and many of them have requirements on the code.

Muts in 2008 made a nice presentation with the title Bypassing Anti-virus in Windows Vista, or "Piss on your AV" ( http://www.offensive-security.com/videos/shmoocon-presentation-2008-video/piss-on-your-av.html ). The presentation is nice, but not detailed. Some things are omitted,and other things not explained in details. Muts is using the last section of the PE header to add his stub, this is very convenient since the last section is the only one that can be easily extended without affecting other sections. But this is not the case always. Many times you cannot extend the last section and what you really need is to add a section or extend one section in the middle of the PE header. This will be in the next post, going for 0 detection.