Before we can finish this course, we need to see how we can bypass some antivirus products by using some manual obfuscation techniques. What we are going to need is an already compiled version of our malware and a hex editor (I’ll be using wxHexEditor). In this lesson we will talk about two different techniques:
- The hex manipulation technique
- The comments technique
Hex manipulation techniques
For this technique we will need a hex editor (any one will do, as the procedure is the same regardless of the editor).
With our hex editor, we will open our malware “.exe” file. If you are using wxHexEditor too, a window like the following should open:
Every hex editor is usually split into two sections: the hex values and a string-like rendering of the loaded file. You can see the hex values on the left and the string values on the right.
As you can see, at the beginning of our program there’s a “This program cannot be run in DOS mode.” string. It is added to every Windows program, and that’s the first thing we are going to change. But first… What are we doing, and why?
Even a slight change to the source code can help us avoid the shasum checks of some antivirus vendors. Any change you make to your program, whether it is simply adding a new “else/if” statement, adding comments, or changing the binary value of the program as we will do soon, will help you bypass some antivirus products. For example, let’s suppose you followed every lesson until this point and made the exact same program as shown here; you compiled it, and therefore you, and every person who built a program from this same source code, will have an identical binary. But if you change a single byte, that program becomes different from yours and mine, so it probably won’t get caught by some antivirus products. Note that you can’t change every single byte inside the hex editor, because modifying bytes that shouldn’t be modified will break your program and make it unrunnable. So you can only change string values, such as “This program cannot be run in DOS mode”. To modify any value, click it and type the new value, which will overwrite the focused one. Keep in mind that if you are modifying this string, you can only do so up to the “e” (“DOS mode”).
Note: If you modified a byte that shouldn’t be modified, or simply want to undo something, you can press Ctrl+Z.
These are the strings I modified:
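The detection-side consequence of this kind of edit, as an added example that is not from the course or its code: a constructed, non-runnable PE-shaped byte string (an assumed minimal layout, not the course’s backdoor binary) is built twice with different DOS-stub text, and the whole-file SHA-256 differs while the per-section hashes are identical. That is why detection keyed on section or code hashes, or YARA rules matching code bytes, is not defeated by editing strings in the stub.

```python
import hashlib
import struct

DEFAULT_STUB = b"This program cannot be run in DOS mode."

def build_sample_pe(stub_msg: bytes = DEFAULT_STUB) -> bytes:
    """Constructed PE-shaped byte string (not a real compiled binary): DOS header
    and stub, PE signature, COFF header, zeroed PE32+ optional header, two
    section headers and their raw data. Only the stub message varies."""
    text = b"\x48\x31\xc0\xc3" * 16        # constructed stand-in for .text bytes
    rdata = b"sample string table\0" * 4   # constructed stand-in for .rdata bytes
    pe_off, opt_size, hdr_size = 0x80, 240, 40
    assert len(stub_msg) <= pe_off - 0x44, "stub message must fit before the PE header"
    raw_start = pe_off + 24 + opt_size + 2 * hdr_size
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)   # e_lfanew at 0x3C
    dos = (dos + stub_msg + b"\r\r\n$").ljust(pe_off, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, opt_size, 0x22)

    def sec(name, size, raw_ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, size, 0x1000, size, raw_ptr, 0, 0, 0, 0, flags)

    hdrs = sec(b".text", len(text), raw_start, 0x60000020)
    hdrs += sec(b".rdata", len(rdata), raw_start + len(text), 0x40000040)
    return dos + coff + b"\0" * opt_size + hdrs + text + rdata

def section_hashes(pe: bytes) -> dict:
    """Walk the COFF section table and SHA-256 each section's raw bytes."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    n_sections = struct.unpack_from("<H", pe, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]
    table = pe_off + 24 + opt_size
    hashes = {}
    for i in range(n_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        hashes[name.rstrip(b"\0").decode()] = hashlib.sha256(pe[raw_ptr:raw_ptr + raw_size]).hexdigest()
    return hashes

def compare_samples(a: bytes, b: bytes) -> dict:
    """Whole-file hash flips on any byte edit; per-section hashes survive an edit
    confined to the DOS stub, so rules keyed on the code bytes still match."""
    return {
        "file_hash_changed": hashlib.sha256(a).digest() != hashlib.sha256(b).digest(),
        "section_hashes_unchanged": section_hashes(a) == section_hashes(b),
    }

if __name__ == "__main__":
    print(compare_samples(build_sample_pe(), build_sample_pe(b"This program cannot be run in DOS m0de.")))
```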
The comments technique
Another way of bypassing antivirus is as easy as going to your Backdoor.c file and adding random comments anywhere. They don’t need to mean anything or contain any information; they simply need to modify the size (and therefore the shasum) of your malware. Once you have done that, simply compile your program again with all of those comments, and it could help you avoid some antivirus products. For example: