Hex workshop

Hello friends. Some days back, I posted on Hexing to make files undetectable which is useful to
make trojan undetectable to antiviruses.
As you know, I am working a lot on Undetection Techniques these days and many of readers found it difficult to implement Hexing. So, I thought of answering to the queries by writing this article.

Hexing Queries Solved:

The most asked query was how to compare two files using Hex Workshop. So, I am demonstrating this in below article.

1. Download Hexing Files Package which I will be using in this article.

2. The downloaded file is zipped and password protected. Click here to get the password.

3. Consider files 7107.exe and 7108.exe in the package. Also, install Hex workshop by double clicking on "hw32v601.exe".

4. Open Hex Workshop. Now, Go to Tools ->Compare ->Compare Files to see:

5. Now, select the file 7107.exe in first option and 7108.exe in second one. Hit on OK. You will see hex values arranged in Green and Red color as shown below.

There are two categories:
Green: Matched values
Red : Unmatched / Deleted values.

So, here we want Deleted value which is shown in Red. Thus, we have obtained hex offset which contains virus signature which is 0x00001BC3 over here (red value).

Also, I was asked about what is Dos Prompt. So, here is clarification in below image:

Now, if you will click on "00" offset, you will find "."(full-stop) underlined in Dos Prompt. Similarly, if you click on "."(full-stop) present after "FreezerLive" in Dos Prompt, you will find "00" underlined.

Now, open IceGoldFreezer.exe and goto offset 0x00001BC3. So, to change virus signature, you have to change "." to space. So, click on "." present after "FreezerLive" in Dos Prompt and simply hit space bar and its hex value will be changed(its "20").

Save the file and scan this IceGoldFreezer.exe with Avira antivirus. You will have this Freezer undetectable to antivirus.

I hope many of you will be now having your queries solved after reading this article. If you still have queries and not addressed in this article, please mention it in comments.

Enjoy Hexing to make virus undetectable...

Antivirüs Bypass Part 3

I have previously mentioned how to find required virus definition in my article Hexing Part II. But, I just forgot to post further part of hexing. Lately.Now,I am writing next and final part of Hexing tutorial.

Finding virus definition is important so that we can change found virus definition and prevent antivirus from detecting our virus. The article below shows how to change virus offset to
bypass antivirus detection and make our trojan undetectable from antiviruses.

Make Trojan undetectable:

To change virus definition we need to have a hex editor. Hex Workshop is one of the best hex editors, I found.

1. Free Download Hex Editor to make trojan undetectable.

2. The downloaded file is zipped and password protected. Click here to get the password.

3. Now, install Hex Editor on your computer.

4. Right click on 7107.exe (obtained from Hexing Part II) and select 'Edit with Hex Workshop'.

5. You will see something like this:

                                               Click on image to see enlarged view

6. Repeat this for 7108.exe.

7. Now, compare both files. You will see at the end 7108.exe will have offset "00" and 7107.exe does not have. So, we conclude that "00" is recognized as virus by antivirus. Note that offset. Here, offset is 0x00001BC3.

                                                  Click on image to see enlarged view


8. Now, open original IceGoldFreezer.exe in Hex Workshop and move to offset 0x00001BC3. Simply select the Dos Prompt of Hex Workshop corresponding to virus signature found in Step 6. and hit on space bar.

                                                 Click on image to see enlarged view

9. Save the file as IceGoldFreezer.exe and again run antivirus scan. Avira will not detect any virus. Also, run, IceGoldFreezer.exe on computer. It will run normally to indicate that we have made it undetectable from Avira antivirus....cheers. We have FUD freezer.

Update: Many readers had problems implementing this Hexing technique and hence I have written an article to solve those queries. If you have any problem, refer my article Hexing Queries Solved for more information.


Now, you can
make any trojan undetectable from antivirus
using this trojan undetection technique. If you have any problem while using this method to make trojan undetectable from antiviruses, please mention it in comments.

Enjoy Hexing to make trojan undetectable from antiviruses...

Antivirus Bypass part 2

Hello friends. In my previous article, I introduced you to the basics of Hexing to bypass antivirus detection. As a reference to that post, I am writing this article to inform you about how Hexing is actually done using Dsplit. Dsplit is a software used to detect virus signature. Hexing is very much important for us to evade antivirus detection. If you will learn how to bypass antivirus by Hexing, you don't have to search for FUD keyloggers and trojans. You can hex files to make them FUD.

Downloads:

I will be using Dsplit as virus signature detector and Ice Gold Freezer as virus over here. You can use any other virus containing file you want.

Download these two files over here:
1. Avira antivirus (Because I've used it in tute).
2. Ice Gold Freezer and Dsplit.exe program (used for detecting virus signature).

The downloaded file is zipped and password protected. Click here to get the password.

Hexing Ice Gold Freezer using Dsplit:

First of all, let me tell you that Ice Gold Freezer is detected as "SPR/Tool.Freezer.8" virus (actually malware as Avira.com says) by my Avira antivirus which I use on my computer
. So, I will be telling you how to bypass Avira detection for Ice Gold Freezer. So, lets start.

1. Download Avira antivirus, Dsplit and Ice Gold Freezer from links provided above. Extract Dsplit folder to desktop.

3. Scan Ice Gold Freezer.exe file you've downloaded with antivirus. My Avira says its "SPR/Tool.Freezer.8" malware. So, lets work on it.

4. Copy IceGoldFreezer.exe to Dsplit folder.

5. Now, open Command Prompt (Start ->Run -> cmd ->OK). Change directory to Dsplit folder. So, enter

cd "Replace with your path to Dsplit folder"

and hit Enter.

eg: Say I have saved Dsplit on desktop and have path to Dsplit folder as:

C:\Users\RAJ\Desktop\DSplit-0.2

In above path, RAJ is my user account name. So, to change directory to Dsplit folder, I will enter:

cd C:\Users\RAJ\Desktop\DSplit-0.2

in command prompt so that control will be passed to Dsplit.

So, find out your path and enter it accordingly. You can refer first line in the command prompt image below for more information.

6. Now, type in this command:
dsplit.exe 0 max 1000 IceGoldFreezer.exe

and hit Enter.

                                                  Click on image to see enlarged view

What does this command means?? Simple. Dsplit is command line software and requires this command for its running. The meaning of command:

dsplit.exe startbyte endbyte numberofbytesinbetween target

7. Now, Dsplit.exe will create around 234 files in current directory. Now, scan all these 234 files created with Avira antivirus. Avira will detect all files from 8000.exe to 233472.exe as virus. So, there is something (virus signature) in 8000.exe which is not present in 7000.exe. Thus, 7000.exe lacks virus signature and hence not detected by Avira, while 8000.exe has virus signature.

                                              Click on image to see enlarged view


Delete all files except 7000.exe, 8000.exe, Dsplit.exe and original IceGoldFreezer.exe.

8. Move on to command prompt and type this:
dsplit.exe 7000 8000 100 IceGoldFreezer.exe

and you'll get 10 files created in current directory. Scan all these 10 created files with Avira antivirus. Avira will detect all files except 7000, 7100.exe as virus. So, again we can say that there is something (actually virus signature) in 7200.exe which is not present in 7100.exe. Delete all files except 7100, 7200, Dsplit.exe and IceGoldFreezer.exe.

9. Now, type in command prompt:
dsplit.exe 7100 7200 10 IceGoldFreezer.exe

                                                Click on image to see enlarged view


and you'll get 10 new files created in current directory. Scan all 10 files with avira and avira will give all files except 7100.exe as virus. So, 7110.exe contains virus signature which 7100.exe doesn't have.

10. Now, comes the last step. Type in command prompt:
dsplit.exe 7100 7110 1 IceGoldFreezer.exe

Again scan all 10 files created with avira antivirus and avira will detect 7108, 7109 and 7110.exe as virus. So, 7108.exe contains virus signature which 7107.exe lacks. Since, these two files are just 1 byte different, this different 1 byte is actually the virus signature which is detected by Avira.

So, we have to change this one byte contained in 7108.exe to make it UD from Avira. We can change this using a Hex editor which I will explain have explained in my next article Hexing Part III. If you have any problem in using Dsplit to detect virus signature, please mention it in comments section.

Antivirus Bypass

Things that are required for Hexing

• File Splitter
• Hex Editing Software
• Keylogger - Winspy / Sniperspy / Ardamax
• Antivirus

Now follow the following steps to make file undectable to antivirus,

First make server file (Keylog file) using keylogger after that place that server server in a folder. Here I have created folder "A" and put that server(My server name is test.exe) file in it.
Okay now once you have placed the server in the folder lets scan it.

Here my test.exe file is infected.

Now open The File Splitter to split the file.

In the file splitter, browse to the test.exe file which you want to split and choose Custom size option.
Now File Splitter tells me that this test.exe is exactly 53,495 bytes and I want to split it into 4 pieces. So I divide 53,495 by 4, now place the number you got after dividing it and place it in the splitter custom size box like I have at the bottom. Now click on Split.

Now you will get the splitted files in the same directory like I have below which is in Folder "A".

Now scan each of them to figure out which file is infected and after that we have to split that infected file again. Now once you have figured out that infected file, make a new folder in same folder. Here I got test.exe.3 file infected, so I'm gonna make a new folder with name "3" .

Now again split that infected file test.exe.3 file into 4 pieces and change the output folder to 3 like I have in the picture below.

Now you will get splitted files inside folder named "3".

Now scan all the files to figure out which file is infected and after that we have to split that infected file again.

Now once you have figured out that infected file, make a new folder in same folder. Here I got test.exe.3.3 file infected, so I'm gonna make a new folder with name "3" again in folder "3". Once you made new folder named "3", again open up file splitter and browse to the file that got detected, mine was test.exe.3.3 and select the output directory to the folder we just made which was the folder named "3" which is in the folder named "3".

Now open that new folder which is "3" and scan the all files. Now once you have figured out that infected file, make a new folder in same folder. Here I got test.exe.3.3.4 file infected, so I'm gonna make a new folder and name it "4".

Now in file splitter pick the file that got detected which was test.exe.3.3.4 for me and choose the new folder we made with named "4".

Now lets scan all the new files and see which got detected. Once we find that infected file, open that infected file with the HEX editor and see if its still to big to figure out what we need to change.

Ok so here it's test.3.3.4.1 that we need to edit, do open it with hex editor,

Now the virus signature is in here in hex editor and its not that much hard now to find it out. I finger it out by looking for something that stands out or guesssing. After that you have to do is change a letter from capital to a lower case. here in my example I changed the word D to a lower case from the word DLLHOOKSTRUCT.

Now save it and exit and scan it. It should be undectable.

Finally its FUD .. Now you need to do compile it and scan it one more time and run it to test.

How to Complile : Here i will show you one example and after that you can figure out the rest by your own.

Now you see the splitter icon inside your folder, here in my example it is create_test.exe.3.3, click on it and it will recompile the file, and create one more file. Here in my example it create file "test.exe.3.3.4"

Now copy that newly created file which is "test.exe.3.3.4" and go back one directory and past it then it will ask you to replace it click yes and keep doing this till you go back to first directory. And your done.
After that scan one more time to check whether its FUD or not.