Tuesday, September 14, 2010

Modifying the signatures of a DLL-release backdoor: the Gray Pigeon (灰鸽子) example


Gray Pigeon (灰鸽子) is a very capable remote-control tool with many users, which is why it is a prime target for antivirus products. Newer Pigeon builds implement the main functionality in DLLs, which makes the program stealthier but also makes modifying its signatures harder. For a program whose features are all contained in a single EXE, such as older Pigeon versions and WinShell, only the EXE itself needs to be modified; for a version that drops DLL files at run time, the EXE file has its own signatures (usually in the code segment) and the DLLs contain a large number of signatures as well. The general procedure is therefore: export the DLL, modify the DLL, import the DLL back into the EXE, modify the EXE. Below, the unpacked Gray Pigeon server version 1.05 and Kaspersky's signatures serve as the example for walking through the modification process in detail.

Exporting the DLL files

Get the server file and, as usual, scan it first: Kaspersky alarms with Backdoor.Win32.Feutel.a. The server contains the DLLs to be exported below. The official Gray Pigeon tutorial uses ResHacker for this, but I prefer PE Explorer. Open the server file and click "Resource Viewer / Editor" on the toolbar; the resource tree is displayed, and RCData > MAINDLL is the file we need to export.

PE Explorer has automatically recognised the resource as a PE file. Right-click the MAINDLL icon and choose "Save resource as" to export the MAINDLL resource. What next, start modifying? Not yet: MAINDLL contains two more DLLs that need exporting. Open the newly exported resource and you can see two DLLs with very straightforward names, one called HOOK and one called GETKEY.

Export both DLLs and scan them with Kaspersky; the alarms are Backdoor.Win32.Feutel.a and Trojan-PSW.Win32.KeyLogger.c. The basic approach should now be clear: first modify the HOOK and GETKEY DLLs, then import them into MAINDLL, then modify the code in MAINDLL that contains signatures, then import the result into the original server EXE, and finally modify the signature code contained in the EXE file itself! There is no turning back now; let's take it step by step.
Modifying HOOK
This is the first time we modify a DLL, but a DLL file is no different in format from an ordinary EXE: it is a standard PE file, so if you have read the first two articles on using signature locators, operating on it should pose no problem. Our approach remains: manual positioning to determine the general range of the signature, then automatic positioning to determine its precise location.
Open CCL, set it to manual mode, generate 300 files, then open HOOK; do not select any section, replace across the entire file, and keep the other settings as before. After the prompt that all files have been generated, scan the target folder with Kaspersky and delete the files that alarm. The final results are as follows:
Location results
No.   Start offset  Size      End offset
0001  00000000      000002B8  000002B8
0002  000140D0      000002B8  00014388
0003  0001479C      0000015C  000148F8
Next, set CCL to automatic detection with a detection interval of 7 seconds, and add the data of ranges 0002 and 0003 to the column of ranges to be detected.

If you are observant you will notice that both ranges are actually offsets inside the CODE section, which illustrates that most signatures live in the code. OK, on to automatic detection; I will not describe the operation in detail, since the animations provided earlier in Hacker Defense (黑防) cover it. The final positioning results are as follows:

Location results
No.   Start offset  Size      End offset
0001  00014193      00000015  000141A8
0002  000141A9      0000002A  000141D3
0003  000141D5      0000002A  000141FF
0004  00014200      0000002A  0001422A
0005  0001422C      0000002A  00014256
0006  00014257      0000002A  00014281
0007  00014283      00000015  00014298
0008  0001479C      00000015  000147B1
Quite a lot: eight in total. Where should we change? My experience: modify code wherever possible and avoid modifying strings and data, because changing those requires changing every instruction that references them, and when their exact meaning is uncertain this easily introduces errors; it is not recommended.
Look at the first one. Disassemble HOOK with IDA and find file offset 00014193, which is memory offset 00414D93 (you can write a small tool for this: an offset converter that takes a file offset and computes the memory offset automatically). The code is as follows:
CODE: 00414D91 dd offset off_413FB0
CODE: 00414D95 dd 64616D0Bh, 65646F43h, 6B6F6F48h
CODE: 00414DA1 align 4
Obviously this is data; we do not even know its meaning, so there is no way to start modifying it. Look at the second one, whose code is as follows:
... ...
CODE: 00414DAD xor edx, edx
CODE: 00414DAF mov [ebp + var_18], edx
CODE: 00414DB2 mov [ebp + var_8], edx
CODE: 00414DB5 mov ebx, eax
CODE: 00414DB7 xor eax, eax
CODE: 00414DB9 push ebp
CODE: 00414DBA push offset loc_414F97
CODE: 00414DBF push dword ptr fs: [eax]
CODE: 00414DC2 mov fs: [eax], esp
CODE: 00414DC5 xor eax, eax
CODE: 00414DC7 push ebp
... ...
The second location consists entirely of assembly instructions, so we modify it. Which method? In the first two articles I introduced two techniques, "instruction sequence transformation" and "universal jump", and of course both can be used here; we again use instruction sequence transformation. Note the two instructions shown in bold in the original listing (xor eax, eax and push ebp at 00414DB7 and 00414DB9); we swap their order. I still prefer OllyDbg for modifying the file, because it allows instruction-level operations, but a hex editor also works.
Open HOOK with OllyDbg. OD prompts "this is a DLL, load it with Loaddll?"; click OK, then go to 003E4DA7. Here another question arises: we opened it in IDA at 00414DA7, so why has the location now become 003E4DA7? Because when a DLL is loaded, its load base address can vary. Here is how to determine the load base in OD: click the M button on the OD toolbar, which shows all memory modules of the current process.

Find the entry by the name of our loaded DLL. In the figure, 00400000 is already occupied by LOADDLL, so HOOK can only be loaded at 003D0000; accordingly, subtracting the difference (00400000 - 003D0000) from the IDA address gives the OllyDbg address.
Swap the order of the two bold instructions; modified, they read as follows:
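The article needs this conversion twice: from the file offset reported by the locator (00014193) to the address IDA shows (00414D93), and from that address to the one OllyDbg shows when it loads the DLL at 003D0000 instead of 00400000. This added example (not the author's tool, and not part of the original post) parses the PE section table to do both, as any analyst must when relating scanner or hex-editor offsets to a disassembly. The sample PE header is constructed inline with a single CODE section at VirtualAddress 0x1000 and raw offset 0x400, an assumption consistent with the article's numbers; the section size is also assumed.

```python
import struct

# Constructed sample: a minimal PE32 header with one Delphi-style CODE section
# (VirtualAddress 0x1000, PointerToRawData 0x400). Image base and raw size are assumptions.
def build_sample_pe(image_base=0x400000, sections=(("CODE", 0x1000, 0x400, 0x15000),)):
    """Return header bytes for a PE32 file; sections = (name, VirtualAddress,
    PointerToRawData, SizeOfRawData)."""
    e_lfanew, opt_size = 0x80, 0xE0
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x2102)
    opt = struct.pack("<H", 0x10B).ljust(28, b"\0") + struct.pack("<I", image_base)
    sect = b"".join(name.encode().ljust(8, b"\0")
                    + struct.pack("<IIII", raw_size, va, raw_size, raw_ptr) + b"\0" * 16
                    for name, va, raw_ptr, raw_size in sections)
    return dos + b"PE\0\0" + coff + opt.ljust(opt_size, b"\0") + sect

def parse_sections(pe):
    """Return (ImageBase, [(name, VirtualAddress, PointerToRawData, SizeOfRawData)])."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i        # 40-byte section headers follow the optional header
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        sections.append((name, va, raw_ptr, raw_size))
    return image_base, sections

def file_offset_to_va(pe, file_offset, load_base=None):
    """Map a raw file offset to a virtual address. load_base overrides ImageBase when
    the module was relocated (e.g. the DLL loaded at 003D0000 under OllyDbg)."""
    image_base, sections = parse_sections(pe)
    base = image_base if load_base is None else load_base
    for _name, va, raw_ptr, raw_size in sections:
        if raw_ptr <= file_offset < raw_ptr + raw_size:
            return base + va + (file_offset - raw_ptr)
    raise ValueError("offset 0x%X is not inside any section's raw data" % file_offset)

if __name__ == "__main__":
    pe = build_sample_pe()
    print("0x%08X" % file_offset_to_va(pe, 0x14193))            # 0x00414D93, as in IDA
    print("0x%08X" % file_offset_to_va(pe, 0x14193, 0x3D0000))  # 0x003E4D93, as in OllyDbg
```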
003E4DB7 55 push ebp
003E4DB8 33C0 xor eax, eax
Save the changes, then scan the modified HOOK file with Kaspersky: sure enough, HOOK is no longer detected. Amazing, isn't it? Just three bytes changed and it's done!
Modifying GETKEY
Next the second DLL; the process is the same as for HOOK, so I describe it only briefly. The manual positioning results are as follows (generating 300 files):
Location results
No.   Start offset  Size      End offset
0001  00000000      000002BC  000002BC
0002  000095B5      0000015E  00009713
0003  00009DE9      000000AF  00009E98
Then automatically locate within the two ranges at 95B5 and 9DE9; the final results are as follows:
Location results
No.   Start offset  Size      End offset
0001  00009621      00000015  00009636
0002  00009637      0000002A  00009661
0003  00009664      0000002A  0000968E
0004  0000968F      0000002A  000096B9
0005  000096BB      0000002A  000096E5
0006  000096E6      0000002A  00009710
0007  00009E40      0000002A  00009E6A
Seven in total, still quite a few. Same principle: modify assembly instructions and avoid strings and data. This time we are lucky; the first range, 0001, is assembly instructions:
003DA221. 68 34A63D00 push RC_Data_.003DA634; ASCII "<"
003DA226. 8D95 ECFEFFFF lea edx, dword ptr ss: [ebp-114]
003DA22C. 8B45 F8 mov eax, dword ptr ss: [ebp-8]
003DA22F. E8 68FEFFFF call RC_Data_.003DA09C
I believe modifying instructions no longer troubles you; swap the order of these three instructions:
003DA221 68 34A63D00 push RC_Data_.003DA634; ASCII "<"
003DA226 &
. . . . . . . . . . . . . . . . . . . . . . . . . . . .