Friday, April 9, 2010

PE code injection

Trying for awhile now to achieve 0 detection from antivirus engines, i believe the only solution is to move to manual encryption of the exe file or use a commercial cryptor. The problem with most packers/cryptors/protectors is that they are already considered as suspicious from the avs and many of them have requirements on the code.

Muts in 2008 made a nice presentation with the title Bypassing Anti-virus in Windows Vista, or "Piss on your AV" ( http://www.offensive-security.com/videos/shmoocon-presentation-2008-video/piss-on-your-av.html ). The presentation is nice, but not detailed. Some things are omitted,and other things not explained in details. Muts is using the last section of the PE header to add his stub, this is very convenient since the last section is the only one that can be easily extended without affecting other sections. But this is not the case always. Many times you cannot extend the last section and what you really need is to add a section or extend one section in the middle of the PE header. This will be in the next post, going for 0 detection.

No comments:

Post a Comment