Instead, try to store it as an appended data at the end of the PE section. I will just mention that when you try to store the crypted keylogger as a resource, most AVs will flag it. The second stage will be encrypted.īeating static analysis is easy so I won't go into that detail. The cryptor stub will be divided at least in 2 stages. This is how I beat almost all detections, it's a little bit complicated but it works almost always. Most packers claim FUD only on static analysis, and the malware ends up being detected with other methods. This is called behavior detection, detecting the keylogger based on behavior. Third, even if you beat the emulation stage and your keylogger runs, it can probably be stopped when it tries to register a keyboard hook by AVs. They will let your packer run for a while in an emulated environment and use signature detection once it has decrypted the keylogger. Second, your keylogger can still be detected because most AVs support emulation these days. But you should remember that, even though AVs won't be able to detect the keylogger using static signatures anymore, they *CAN* detect your cryptor's stub if they have signature for it. It doesn't make a difference if it's a super strong encryption or just a very simple xor. It's just a matter of encrypting the original executable using whatever kind of encryption you want. I've programmed many types of "crypters" and there are some obstacles you should know about.įor example, let's just say that your trying to pack some keylogger that's easily detected by AVs.įirst of all, just beating static analysis by AVs is easy. The AV will have real time protection and as soon as the malware gets dropped on the hard disk, it will get detected. Or one could just write the PE file to disk and let the Windows loader execute it, couldn't one? Out of interesnt I personally would love to go the "own loader" way, but I fear that there are too many pitfalls.Įdited by inzanez, 30 April 2015 - 02:19 PM. Or one could just write the PE file to disk and let the Windows loader execute it, couldn't one? Or maybe there are other ways to achieve it still? So.not a very 'clear' question, I just wanted to see what others have done, what 'Pro' and 'Cons' there are for the different methods available.before I begin. So.I've seen other methods mentioned here (like Windows style 'fork') for example. Most of my own software was loaded just fine, but when trying other things (like notepad, wordpad) I failed. But as I've already worked on a loader like that I realized that it's not that easy to achieve loading all the different executables there are. Now there's one point I'm not quite sure about though, and I know that there are many other threads about crypters/packers here, but to be honest it all just got more confusing.īefore reading anything here, I thought that the best method might be include a "more or less" complete PE-Loader in the stub that does the unpacking (so map the original image to memory, process iat, do relocation, etc.). I'm currently thinking about writing a simple PE packer, adding compression/encryption later on, if I want.
0 Comments
Leave a Reply. |