Article author: icyfoxlovelace/ice Fox prodigal son[EST] Information source: evil octal
Note: this article was originally published in hackers Defense of
Network thief deserves is a professional-grade remote file access tool, its operation is simple, the function“designed and refined”, but as the author said,“all along, we are adhering to the free of spirit, as we provide a variety of software, but the only downside is now a lot of antivirus software on the network thieves were hunted, dubbed the virus's name!”and In that case, I also had to do-it-yourself well-fed, do afree to killversion of the network thief, but also free of the troublesome vegetable brother, small-time to me to do a personal version of the software., Oh^*^the [hopefully the author won't take offense to]
Cut the crap, from the author's home page http://www. greenstuffsoft. net download to the“network gods to steal the 5.8 version”, see“the Server. bud”(this is the service end, the author changed the extension only),find the modified date is 2 0 0 3 years 1 0 months to 3 November, it seems the authors believe that the service end has been relatively Mature, long time didn't update the service end of the program!!
Off the UPX shell
Use WinHex to open the“Server. bud”[personal habits, prefer to use WinHex to view it!], the Find the file offset 000003DBh at“1.08 UPX!” The words, the better the author didn't take immediately version“later 0C 0 9 0 2 0 9”4 bytes after the 2 to 4 bytes modified out, or, if you don't know which is the correct value shelling up also really a little trouble. First we put the block name of recovery, i.e., the file offset 000001F8h at the“text”to“UPX0”, the 00000220h at the“data”to“UPX1”, and then directly use the“UPX-d Server. bud”command shelling[novice use LoadPE modify block names to more easily point], and after shelling the file size is 56KB the.
Remove the check
Run the network gods to steal the client to use after shelling“Server. bud”generating a service end, run service end and preliminary test, weird? The program didn't display a run-time error, but in the Task Manager process list but no there is a new process, the system directory is also not seen to produce a new file, it seems that things did not imagine so simple, Lenovo to own just in the“Server. bud”the file was last seen more out of the 1 6 The Unknown role of the byte“19A4F940378B8F7EAA15D260BC2FE64B”, may be a file of checksum values(because if 1 6 bits of the MD5 value!), the It seems that the author probably in the service end of the program added a file check code, use Ollydbg to open the generated service after the end of the track after running the analysis in 00407828h found the following code[I more stupid, for MFC code to call don't understand, with a N long to find the~V~]: the
0 0 4 0 7 8 2 8 B9 1 0 0 0 0 0 0 0 MOV ECX, 1 0 ;1 6 bytes^*^ 0040782D 8D7424 5 8 LEA ESI, DWORD PTR SS:[ESP+5 8] 0 0 4 0 7 8 3 1 8D7D 3 8 LEA EDI, DWORD PTR SS:[EBP+3 8] 0 0 4 0 7 8 3 4 33C0 XOR EAX, EAX 0 0 4 0 7 8 3 6 F3:A6 REPE CMPS BYTE PTR ES:[EDI], BYTE PTR DS:[ESI] ;Byte-by-byte comparison 0 0 4 0 7 8 3 8 7 4 0 5 JE SHORT Fi thief. 0040783F ;Key to jump to the statement 1, Change here the code to jump to 00407847h at you can also reach storm broken effect 0040783A 1BC0 SBB EAX, EAX 0040783C 83D8 FF SBB EAX, -1 0040783F 85C0 TEST EAX, EAX 0 0 4 0 7 8 4 1 0F85 E4060000 JNZ network thief. 00407F2B ;key jump statement 2, nop off! 0 0 4 0 7 8 4 7 8B7424 3 8 MOV ESI, DWORD PTR SS:[ESP+3 8] .................. 00407ECD 6A 0 0 PUSH 0 ;FailIfExists = FALSE 00407ECF 5 0 PUSH EAX ;NewFileName 00407ED0 5 1 PUSH ECX ;ExistingFileName 00407ED1 FF15 74A04000 CALL DWORD PTR DS:[<&KERNEL32. CopyFileA>];CopyFileA 00407ED7 8D4C24 2C LEA ECX, DWORD PTR SS:[ESP+2C] 00407EDB E8 6C070000 CALL <JMP.& amp;MFC42.# 8 0 0> 00407EE0 8D4C24 3 0 LEA ECX, DWORD PTR SS:[ESP+3 0] 00407EE4 C68424 0 4 0 3 0 0 0 MOV BYTE PTR SS:[ESP+3 0 4], 6 00407EEC E8 5B070000 CALL <JMP.& amp;MFC42.# 8 0 0> 00407EF1 8B5424 1 8 MOV EDX, DWORD PTR SS:[ESP+1 8] 00407EF5 8B4424 3C MOV EAX, DWORD PTR SS:[ESP+3C] 00407EF9 6A 0 1 PUSH 1 ;IsShown = 1 00407EFB 5 2 PUSH EDX ;DefDir 00407EFC 6A 0 0 PUSH 0 ;Parameters = NULL 00407EFE 5 0 PUSH EAX ;FileName 00407EFF 6A 0 0 PUSH 0 ;Operation = NULL 00407F01 6A 0 0 PUSH 0 ;hWnd = NULL 00407F03 FF15 54A34000 CALL DWORD PTR DS:[<&SHELL32. ShellExecuteA>];ShellExecuteA 00407F09 8D4C24 3C LEA ECX, DWORD PTR SS:[ESP+3C] 00407F0D C68424 0 4 0 3 0 0 0 MOV BYTE PTR SS:[ESP+3 0 4], 5 00407F15 E8 3 2 0 7 0 0 0 0 CALL <JMP.& amp;MFC42.# 8 0 0> 00407F1A 8D4C24 4 4 LEA ECX, DWORD PTR SS:[ESP+4 4] 00407F1E C68424 0 4 0 3 0 0 0 MOV BYTE PTR SS:[ESP+3 0 4], 4 00407F26 E8 2 1 0 7 0 0 0 0 CALL <JMP.& amp;MFC42.# 8 0 0> ;If from 00407841h directly jump to this is no. Oh, firmly opposed to, Oh 00407F2B 8D8C24 8 8 0 0 0 0 0 LEA ECX, DWORD PTR SS:[ESP+8 8] 00407F32 C68424 0 4 0 3 0 0 0 MOV BYTE PTR SS:[ESP+3 0 4], 3 00407F3A E8 01E6FFFF CALL the network thief. 0 0 4 0 6 5 4 0
From the above code you can see if the 00407841h at the jump, then it will skip CopyFileA[file copy]and ShellExecuteA[run the program]the API call, the resulting services end does not copy itself to the system directory and run, I put the file offset 7841h at the code to nop out, i.e., put“0F 8 5 E4 0 6 0 0 0 0”to“9 0 9 0 9 0 9 0 9 0 9 0”to save after running a test success! It seems that a check, rejoice!
Later, I carefully analyzed what the disassembly code, The discovery service end file the last 1 6 bytes are the file's MD5 value with the“LA|}t~k”A simple encrypted value, you can use the IT services end to reverse to get the correct value, not the storm break are also available, as follows: First with the MD5 software to get to remove the last excess of 1 6 bytes after the“Server. bud”the MD5 value, and then the resulting MD5 value is added back to the“Server. bud”the end of the post, generating a service end, and then use Ollydbg to debug the service side, the next breakpoint in the 00407838h, after the interruption with WinHex open the memory RAM in the service end of the process, the memory offset 00852758h is that we need the encrypted md5 value, with this 1 6-bit md5 value replace“Server. bud”the last 1 of the 6 bytes you can generate the normal running of the service end, sorry a bit of a hassle, interested readers can write their own check value generator^^
Get feature code
Up to now somehow managed to complete the service side of the shell off., i.e., the service-end“Server. bud”after shelling, use WinHex to put“Server. bud”the file offset 7841h at“0F 8 5 E4 0 6 0 0 0 0”to“9 0 9 0 9 0 9 0 9 0 9 0”get the storm after the break of Can arbitrary modify the“Server. bud”the file backup, the next back feature code modification is to modify this file.
We start to get network God steal the service side of the pattern, first put a variety of antivirus software ready, and today I mainly prepared the following four types: rising antivirus 2 0 0 4 Edition, Duba 6, Jiang people KV2004, Symantec Norton 8. 1 Enterprise Edition, the antivirus full installed, of course, may be some software between each other prompted the conflict, but anyway just as a test and, right after installation can be normal use, the various antivirus software are turned off, or haven't modified it to be OVER La, and are set to check the file when a virus is found directly deleted, as the following feature code to get ready. [Prodigal naive to think: if each of the virus signature are the same as the multi-well Yeah, you hit my head??]
Because the antivirus in order to protect their own interests and prevent the feature code is other antivirus software false alarms, the feature code is encrypted to protect you direct access to their feature code library is difficult[Swiss Star can be in memory in the direct access feature code library], today I bring you a comparison of the lower ofFeature Code Access Method:“byte-by-byte substitution method search pattern”, that is, to obtain the feature Code of the Trojan server or virus[I do not recommend you to change the virus to play, care to be the police uncle caught]program from start to finish by one byte of the modified alternative to 00h or ffh(of course you use other value of the replaced row), each replacing one of the bytes saved to a file, replace the next byte when you remember to put the upper byte of the modified restore, after generating the file is saved as four parts, using each of the antivirus software to kill the poison, and finally in each of the left has not been deleted is to be modified the feature code, the remainder of the file is modified the bytes together, you get each virus against this Trojan or Virus the definition of the“feature code.”
Obtain the signature of the principle is such, I believe there are also a lot of people know this method, below I mainly say about this method of practice requires attention to place:
First point: substitute bytes from the code segment start replacement, and not from the beginning of the file to replace, because in General the file header does not appear in the feature code, and even if the feature code in the file header, also not as good as the snippet in the modifications to the simple; code segment start offset from the beginning of the file offset 3Ch－3Fh of the four bytes in the Get, such as shelling after the network gods to steal the service end of the 3Ch－3Fh value: 0 0 0 1 0 0 0 0, because when stored low byte first, high byte in the post, over: 0 0 0 0 1 0 0 0, i.e., the code segment in the file offset is 00001000h; and
Second point: it was reported that byte-by-byte replacement of the resulting file too much, take up too much space, and kill them slowly die, do so, if really in accordance with the principle to generate the file, the light of a size just 5 7,3 6 0-Byte network thief would need 5 7 3 6 0*5 7 3 6 0 i.e., about 3G of space, 5 7 3 6 0 a file, this also is merely a parts of it, like my hard drive is only 4G left and right of the space, is not going to die? In fact, we can completely work around it, using the segmentation method to gradually narrow the feature code range, that is the beginning of the first not to“byte-by-byte replacement”, but divided into several large sections to be replaced, for example, can to 1000h(4K)for the unit to be replaced, the per 1000h size of all the bytes are all changed to FFh to generate a file, for killing, and killing is left after the file let us know the feature code range, in order to 50h byte size of the unit on the characteristics of the code where the range of(4K size), be replaced and killing, the last of the 50h range of re-use byte-by-byte substitution to find the exact signature, so every time you only need a few M size of the space is sufficient, and the speed is very fast!
The third point: the feature code will usually be located in the program entry point“Program Entry Point”below a piece of code, such as the network gods to steal the service end after shelling the entry point for 00408A0Ah, located at file offset 8A0Ah;
Fourth point: hand to replace the will tired you to death, you can't learn from me this nuts? [I have used the whole day time using WinHex alternative to obtain the feature code] now! Write the software right, should not be too difficult! But you have to if you really want to learn from me and I really have nothing to say^*^
The revised service-end“Server. bud”using the above method of decomposition, and finally get the antivirus software for the network God steal feature code is defined as follows:
Rising antivirus 2 0 0 4 Edition This software I didn't find it on the network gods to steal the definition of the feature code, you use it to check the shelling after the services end, no reaction Oh, wouldn't they shelling it? Oh joke, probably because the network thieves of the service end of not too concealed, it was not extermination, if everyone is so okay, more 省劲.):
Duba 6 Feature code: 1, File offset 8A12h to 8A22h: 400068968B400064A10000000050648925 2, The file offset C1A0h to C1C2h: 20474F544F204552524F520D0A64656C204E6574686965665F5365727665722E626174 Neither[ GOTO ERROR del Nethief_Server. bat] Paragraph 2 of the feature code seems to not have the feature code, since the byte-by-byte replacement of the second segment will all be killed, but if the paragraph 2, all of the change out is not to kill, wondering in
The river people KV2004 The river people KV2004 feature of the code segment up to, also most, do believe it's a virus false alarm probability should be small points, the feature code range is as follows:
The file offset 1A39h to 1A78h, the 8A0Ah to 8A31h, the 8B32h to 8B33h, the 8B38h to 8B3Fh, the 8B41h to 8B43h, the 8BA2h to 8BB2h and 8BB7h
Symantec Norton 8. 1 Enterprise Edition The file offset C20Ch to C228h at 4B45524E454C3332000000004E6574686965665F536572766572202D20 namely: “KERNEL32 Nethief_Server - ”as the feature code, The only one feature code is not in the code segment, the test as if Norton's signature often is not in the code snippet Oh yeah, and often the letters!
Modify the characteristics of the code
Above busy for half a day, just for this point“to modify the feature code to evade antivirus”service, finally fast to see results! The rising of nothing to say, Norton's signature turned out to be not within the code segment of the letter, wanted to change the case of letters should not have an error bar, the file offset C20Ch to C211h“4B45524E454C”[KERNEL]with“6B65726E656C”[kernel]after running normal, and successfully escaped Norton; and compare Duba and river people KV2004 feature code, we found that 8A12h to 8A22h the signature of both coincide, it seems to modify this section of code at the same time escaped the two antivirus software, and its disassembled code as follows:
//**** Program Entry Point** :00408A0A 5 5 push ebp :00408A0B 8BEC mov ebp, esp :00408A0D 6AFF push FFFFFFFF :00408A0F 6848A64000 push 0040A648 :00408A14 68968B4000 push 00408B96 :00408A19 64A100000000 mov eax, dword ptr fs:[0 0 0 0 0 0 0 0] :00408A1F 5 0 push eax :00408A20 6 4 8 9 2 5 0 0 0 0 0 0 0 0 mov dword ptr fs:[0 0 0 0 0 0 0 0], esp :00408A27 83EC68 sub esp, 0 0 0 0 0 0 6 8 :00408A2A 5 3 push ebx
Analysis under the above code, you can find modifications :00408A14 68968B4000 push 00408B96 :00408A19 64A100000000 mov eax, dword ptr fs:[0 0 0 0 0 0 0 0] These two code sequence, will not affect the stack contents of the reading, and also change the feature code, i.e. instead of: :00408A14 64A100000000 mov eax, dword ptr fs:[0 0 0 0 0 0 0 0] :00408A1A 68968B4000 push 00408B96
Use WinHex to open the“Server. bud”, the file offset 8A14h to 8A1Eh at the“68968B400064A100000000”with“64A10000000068968B4000”after saving, generate a network God to steal the service end of the program, the test run is normal, four kinds of antivirus software are not of their correct Alarm! Network God steal feature code to modify the combat smooth finish!
Finally confessed about it, if you think shelling after the services end is too large, you can re-packers, of course, can not use UPX Oh, otherwise rising, boss is absolutely looking for your trouble, we suggest using aspack packers; in addition to that, modify the characteristics of the code, change the code order is a good choice.