pe-union
Modify Stub / Private fud
Looking for tips on where to start making a private stub for FUD crypt.
I would probably start learning how to program
@RyanSpeciale I already assume that everyone who wants to modify another developer's project already knows how to program well enough.
@bl4cklabel88 You need a service such as AntiScan.me, where you can scan with multiple AV without sending your test files to the vendors. That way, you can trial and error until you figure out what causes and what evades detection.
Modifications are primarily relevant to the first stage. This code only checks for emulators and decrypts the second stage. This second stage contains particularly malicious code that performs all the RunPE / dropping and whatever. So, at scantime all this stuff is encrypted. The first stage, however, needs adjustments.
Some things that could be flagged:
- Structure, layout & executable format
- Maybe AV has found the decryption routine? -> Change it
- Lack of anything useful that the binary does - may seem malicious
- I've already found that removing some of the emulator detection routines evades some AV. This might be a good place to start.
Whatever pops into your mind, try it out and upload to AntiScan.me. It's a tedious task that requires a lot of patience, but you will eventually succeed as long as you don't publish your modifications.
@bytecode77 all his repos are forks, that's why I said that. I'm guessing it's a kid trying to write malware.
I appreciate your input. I've got a C# project I've been picking apart and customizing. I learn more effectively when I've got an actual project / goal. This is my first real attempt at tackling C.
-------- Original Message -------- On Jun 4, 2022, 7:35 AM, Martin Fischer wrote:
I was just messing around, I thought you were some kid just trying to throw some malware together. Glad to see that you are not.
I'm terrible at writing C
Closing due to inactivity