Tuesday, May 27, 2008

Manual Patching of Malware Binaries

The basic idea behind malware patching is to make a malicious binary undetectable to anti-virus software. Remember that an antivirus signature is nothing but a specific value at a specific address.

Signature = Value x Address

So if we are able to change either the value or the address, or a combination of both, we would successfully bypass most anti-viruses (I am talking about regular AVs, not the ones with heuristic scanning capabilities). This technique has been around for quite some time now and can be divided into two methods:

A) Hex editing the malware binary (Alter the value)

Signature = Value x Address

This would involve opening the binary in a hex editor and then trying to find the signature. Assuming that the signature is present in the bottom half of the binary, we open the binary in a hex editor, scroll to the middle (note the address), then fill the remaining bytes with zeroes. Now save the binary as top.exe. Again open the original binary, fill the upper half with zeroes and save it as bottom.exe. Now scan both halves and you will have the anti-virus triggering on bottom.exe. Repeat the same procedure with bottom.exe until you are able to locate the signature. Alter the values that are triggering the AV and you have your binary undetected. Repeat the procedure for multiple AVs. You might have guessed that not only is the procedure time consuming, but there is a high probability that you will render your binary useless.

B) Manual patching of the malware binary (Alter the address)

First let us have a look at the basics of XOR

If A XOR B = C
Then C XOR B = A

Open the binary in Olly and you will find that it takes you straight to the entry point (EP). An entry point is the first instruction that the processor will execute once you run the binary. Now if there was some way for us to encrypt the binary contents so that they are undetectable to the AV and at the same time can be understood by the processor, we would achieve our goal. I assume you have a functional knowledge of Olly. This can be done as follows.

Assumptions
  • EP is at address 467EB6
  • The last instruction is at 567EB6


  • Copy the first few instructions after the EP to a notepad
  • Execute a jump to the Encryption routine
  • Note the EP address
  • Scroll to the bottom of the code until you find empty space for your code
  • Now put an encryption routine here

667EB6
  • MOV EAX, 467EB7 (i.e. we start encrypting from the address of EP + 1)
  • XOR BYTE PTR [EAX], 0B (XOR the contents of the address with the 'key' 0B)
  • INC EAX
  • CMP EAX, 567EB7 (end address)
  • JNZ 667EB6 (if the end has not been reached, jump back to the start)

Now run the executable and copy the changes to the executable. Now we have something like:

A (original malware in our case) XOR B (key '0B' in our case) = C (encrypted malware binary)

Now try scanning the file with the AV and you will find the file is no longer detected. When you run the file again, the encryption routine will run again:

C (encrypted malware binary) XOR B (key '0B' in our case) = A (original malware code)

This will be decrypted in memory and the malware will go unnoticed; some AVs will detect it in memory as well (remember, I am only talking about regular AVs). I will be doing a video tutorial on this soon.
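As an added example (not code from the post), the following Python shows the two properties of this scheme that a scanner or analyst relies on to see through it: the XOR involution means the same byte key that hides the code also recovers it, a single-byte key is recoverable from byte frequencies alone because code sections are full of 0x00 bytes, and the decryption loop listed above has a fixed opcode shape that can itself be signatured. The sample "code" bytes and the stub bytes are constructed for the demonstration; the function names are my own and the addresses and key are those used in the post.

```python
import re
import struct
from collections import Counter

# Key used in the post's walkthrough.
KEY = 0x0B


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR. Because (A ^ B) ^ B == A, the same call both
    'encrypts' and 'decrypts'; that is the whole basis of the technique."""
    return bytes(b ^ key for b in data)


# Constructed stand-in for a small x86 code region (not taken from any real
# binary). Real code sections contain many 0x00 bytes (immediates, padding),
# which is what makes a single-byte key trivial to recover.
SAMPLE_CODE = bytes.fromhex(
    "5589e583ec10c745fc00000000"  # push ebp; mov ebp,esp; sub esp,0x10; mov [ebp-4],0
    "8b45fc83c0018945fc"          # mov eax,[ebp-4]; add eax,1; mov [ebp-4],eax
    "817dfc1000000075ec"          # cmp dword [ebp-4],0x10; jnz back
    "c9c3" + "00" * 16            # leave; ret; zero padding
)


def recover_single_byte_key(encoded: bytes) -> int:
    """Frequency analysis: assume the most common plaintext byte is 0x00, so
    the most common ciphertext byte *is* the key. An engine can also simply
    try all 256 keys and re-scan the result."""
    most_common_byte, _ = Counter(encoded).most_common(1)[0]
    return most_common_byte ^ 0x00


# Opcode shape of the decryption loop listed in the post:
#   B8 imm32      mov eax, imm32             (start address)
#   80 30 ib      xor byte ptr [eax], imm8   (the key)
#   40            inc eax
#   3D imm32      cmp eax, imm32             (end address)
#   75 rel8       jnz rel8
STUB_PATTERN = re.compile(
    rb"\xB8(?P<start>.{4})\x80\x30(?P<key>.)\x40\x3D(?P<end>.{4})\x75.",
    re.DOTALL,
)


def find_decrypt_stub(blob: bytes):
    """Return (key, start_address, end_address) if the loop shape is found,
    else None. This is the kind of pattern a scanner flags instead of (or in
    addition to) the payload bytes the loop is hiding."""
    m = STUB_PATTERN.search(blob)
    if m is None:
        return None
    start = struct.unpack("<I", m.group("start"))[0]
    end = struct.unpack("<I", m.group("end"))[0]
    return m.group("key")[0], start, end


# Constructed stub encoding the post's addresses (467EB7 .. 567EB7, key 0B).
# The rel8 of -16 (0xF0) points back to the MOV, as in the post's listing.
CONSTRUCTED_STUB = (
    b"\xB8" + struct.pack("<I", 0x467EB7)
    + b"\x80\x30\x0B"
    + b"\x40"
    + b"\x3D" + struct.pack("<I", 0x567EB7)
    + b"\x75\xF0"
)


def demo():
    """Encode the sample region, then recover the key and locate the stub
    from the encoded bytes alone."""
    encoded = xor_bytes(SAMPLE_CODE, KEY)
    assert xor_bytes(encoded, KEY) == SAMPLE_CODE  # C XOR B = A
    recovered = recover_single_byte_key(encoded)
    stub = find_decrypt_stub(b"\x90" * 8 + CONSTRUCTED_STUB + encoded)
    return recovered, stub


if __name__ == "__main__":
    key, stub = demo()
    print(f"recovered key: {key:#04x}")
    print("stub found (key, start, end):", stub)
```

The frequency trick works on any region where one plaintext byte dominates, which is almost always the case for code and padding; a scanner does not need to know the key in advance. The stub regex is deliberately loose on the immediates, since the start and end addresses and the key vary per sample but the five-instruction shape does not.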