Making a hacker program undetectable: a method for locating its signature code


Author: tankaiha [NE365] [FCG] http://www.vxer.net/

Note: This article was written two months ago. In the two months since, I have gained some new experience, which I will introduce when I get the chance. I wrote two articles; the one in the magazine Hacker Defense (黑防, with video) is more complete, and the other one is given here. Since this is an introduction, the simplest examples were picked (the real situation may be more complex: most hacker tools have to be unpacked before they can be modified, some inserted backdoors need their DLL exported before it can be modified, and some have overlay data appended at the end of the file that must be handled). If there are bugs, please point them out.

I. Signature comparison is the most traditional, and still one of the most effective, methods that antivirus software uses to detect hacker tools and backdoors. The more famous a hacker tool is, the more closely the antivirus vendors chase it. Sometimes you have worked hard to break through the other side's firewall and want to deliver a backdoor you trust, only to have it shot down by the other side's antivirus. Packers of all kinds can reduce that possibility to some extent, but the automatic unpacking built into antivirus software is getting stronger and stronger, and packing by itself is no reliable protection for the file. So it is best to start from the program itself: find the signature and modify it, so that the file is not detected even without a packer. If you are still not at ease, add a packer on top for double insurance. Wouldn't that be cool!

II. Basic idea. To modify the signature you first have to find it. The article "Anti-Virus Software Cannail I - Network Intimate Specification Methods Active" introduced the principle of byte replacement, which can be summarized in one sentence: if the bytes of the signature in the file are replaced with filler data (such as 0), the antivirus no longer alarms, and that is how the position of the signature is determined. The method is simple and effective, but the workload is far too large to do by hand.
Inspired by that author, I wrote a small program, CCL, that automates the location of the signature.

III. Principle, parameter settings and precautions. The principle of CCL is to replace part of the bytes of the original file with 0, generate a new file, and then decide the result according to how the antivirus software treats the generated files. Before using CCL you should set the parameters, including the operating mode (automatic or manual) and the path where files are generated. In automatic mode one parameter is important: the number of seconds to wait after each file is generated. We must make sure the antivirus has time to scan the replaced file within those seconds and to delete it (if the signature is still contained in it), because CCL decides the next operation according to whether the file it just generated was deleted. If the interval is too short, the antivirus has no time to scan before CCL enters the next round; at best the judgement is wrong, at worst the system may crash! It is recommended to set a longer time at first, such as 7 to 10 seconds. It should also be clear that this detection does not work on packed files, because the bytes replaced in a packed file are not the real code of the original program but the compressed data. Enough talk, let's go into practice!

IV. Practice one: automatic location of WinShell's signature. The first target is WinShell. Scanning it, Kaspersky alarms and reports Backdoor.Win32.WinShell.50 [see Figure 1]. Let's use the automatic replacement function to locate the signature. First run CCL, set the mode to automatic, the wait time to 7 seconds, and the minimum positioning precision to 16 bytes. Then turn off the antivirus software's real-time monitoring (hereafter simply "monitoring") and open the file to be detected.
After the file has been read successfully, the PE section selection window pops up [see Figure 2], in which the user chooses which part of the file is to be replaced.

Double-click the .text section (the code section of the executable) and the user input area displays the corresponding data. Click "Add Segment" to add a range to be detected. You can also fill in the data directly in the user input area and then add it. Double-clicking an added segment deletes it. Which sections should we select? The easiest way is to select none; the program then detects the whole file by default. But sometimes the file is too large, or you can already tell that the signature lies in a certain section; to keep the replacement from taking too long, select a specific range. There is also an option called "fill with 0?". With it, the selected parts are zeroed in every generated file, in order to exclude in advance the interference of those parts. For example, a file contains signatures A and B. To locate A precisely, we can zero B in one of the ranges (pre-fill B with 0) and then locate specifically the part where A is. When fill-0 is useful is something everyone will work out in use. OK, back to WinShell: here we choose "no fill 0", which is the normal case. Click OK and the operation window pops up [see Figure 3]. It shows various information, including the file name, the generation path, the operating mode and the free hard disk space (in manual mode). At this point don't forget to turn monitoring back on, and it is best to set it to "delete automatically when a virus is found, no prompt". Then open "My Computer", enter the folder where the files are generated, and leave the "My Computer" window in the foreground. Why? Because some antivirus software only monitors in real time the files that appear in the foreground window, such as the Kaspersky on my machine.
Some antivirus software does not scan the generated files even when the "My Computer" window is in the foreground; then you can repeatedly right-click the file icon to "stimulate" the antivirus. A bit complicated? Back to CCL: confirm that the information shown in the window is correct, click GO, and automatic detection starts. You will now find two more files in the "My Computer" folder, named like out_XXXXXXXX_YYYYYYYY, where the 8 X's are the start offset of the range currently replaced with 0 and the 8 Y's are how many bytes were replaced. Within a few seconds one of the files is deleted by the antivirus. (As emphasized above, 7 seconds is the wait time you set, to ensure that the file containing the signature is deleted within those 7 seconds.) After 7 seconds another two files are generated; this is CCL's next round. So wait, and keep right-clicking the generated file icons (I don't know whether antivirus software other than Kaspersky needs such stimulation). After 2 minutes the result came out:

    ------------- Location results ------------
    No.   start offset  size      end offset
    0001  0000180C      00000014  00001820
    0002  00002130      00000050  00002180
    0003  000028                  00002838
    0004  000028D8      00000014  000028EC

This result says the signature may be in these four ranges. Is the location a success? Don't hurry, this is only half the job; next we modify the file and finally determine the position and type of the signature. Tip: not every result necessarily needs changing; if changing only one of them succeeds, that is best.

Pick the one with the smallest size to change first: the first item, 0x14 bytes starting at file offset 0x180C. Open WINSHELL.EXE in OllyDbg and go to 0x0040180C. The conversion between file offset and memory address is omitted here; if you don't know it, catch up on it later. The code is as follows:

    0040180E  83C0 C1          add eax, -3F
    00401811  83F8 39          cmp eax, 39
    00401814  0F87 5C010000    ja winshell.00401976
    0040181A  33C9             xor ecx, ecx
    0040181C  8A88 0C1A4000    mov cl, byte ptr ds:[eax+401A0C]
    00401822  FF248D E4194000  jmp dword ptr ds:[ecx*4+4019E4]

How do we change it? Here are two general methods. A signature cannot be determined by a single instruction, since the false-positive rate would be far too high, so it is usually a combination of several instructions, and all we need to do is break up that combination. The simplest way is to swap the order of two instructions, which we call instruction reordering; it is limited to two adjacent instructions that do not depend on each other. In many cases the execution order cannot be changed, as with the six instructions above, and then we use the second method, the universal jump: look for a gap in the file (because of alignment there are empty areas in a PE file that contain no code; why? Go and look that up first!), change the original instructions into a jump to that gap, fill the gap with the instructions we moved out, and jump back after they have executed. Scroll OllyDbg down and look: there is a gap at 0x00405D20 [see Figure 4]. The modification is as follows (don't forget to back up the original file first):

    0040180E  E9 0D450000      jmp winshell.00405D20
    00401813  90               nop
    00401814  0F87 5C010000    ja winshell.00401976

Why change both the ADD and the CMP? Because the JMP instruction takes 5 bytes while ADD and CMP are 3-byte instructions, so they can only be replaced together. We change 0x0040180E into JMP 00405D20 and turn the remaining byte into a NOP. (Without the NOP it still runs, but OllyDbg's disassembly shows garbage, and we pursue perfection.) The original ADD and CMP go into the gap, with another JMP at the end. The jump back can return to the NOP or go directly to the JA; here we jump back to the NOP:

    00405D20  83C0 C1          add eax, -3F
    00405D23  83F8 39          cmp eax, 39
    00405D26  E9 E8BAFFFF      jmp winshell.00401813

After modifying, save first: right-click in the OllyDbg window, choose "Copy to executable -> All modifications", and save the file as winshell.exe. Then select "Run" in the menu, return to 0040180E, and confirm that the modification just made has been saved.
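The two steps glossed over above, converting a file offset to a virtual address through the PE section table and decoding the E9 rel32 jumps, are worth doing in code so a patch like this can be checked rather than trusted. The following is an added example, not the article's code and not CCL: the section table is constructed so that file offset 0x180C maps to VA 0x0040180C as in the article (a real file's headers must be read from the PE itself), the image base 0x00400000 is assumed, and the instruction bytes are the ones in the OllyDbg listing. It also shows the footprint the universal jump leaves from a scanner's point of view: the jump target lands in section slack, past VirtualSize but inside the raw data.

```python
"""Verify a code-cave patch: offset->VA mapping, E9 rel32 decoding, slack check.

Added example; not the article's code and not CCL. SECTIONS is a CONSTRUCTED
section table chosen so that file offset 0x180C maps to VA 0x0040180C.
"""
from dataclasses import dataclass
import struct

IMAGE_BASE = 0x00400000  # assumed; the usual default for VC-built EXEs of that era


@dataclass
class Section:
    name: str
    virtual_address: int  # RVA at which the section is mapped
    virtual_size: int     # bytes the section actually uses in memory
    raw_pointer: int      # file offset of the section's raw data
    raw_size: int         # bytes present in the file (rounded up to FileAlignment)


# Constructed section table (an assumption, not taken from WinShell's headers).
SECTIONS = [
    Section(".text",  0x1000, 0x4D20, 0x1000, 0x5000),
    Section(".rdata", 0x6000, 0x0C00, 0x6000, 0x1000),
    Section(".data",  0x7000, 0x1800, 0x7000, 0x0400),
]


def offset_to_va(offset, sections=SECTIONS, image_base=IMAGE_BASE):
    """File offset -> VA: find the section whose raw data covers the offset."""
    for s in sections:
        if s.raw_pointer <= offset < s.raw_pointer + s.raw_size:
            return image_base + s.virtual_address + (offset - s.raw_pointer)
    raise ValueError(f"offset {offset:#x} is outside every section's raw data")


def va_to_offset(va, sections=SECTIONS, image_base=IMAGE_BASE):
    """VA -> file offset; memory beyond SizeOfRawData (bss-style) has no file bytes."""
    rva = va - image_base
    for s in sections:
        delta = rva - s.virtual_address
        if 0 <= delta < max(s.virtual_size, s.raw_size):
            if delta >= s.raw_size:
                raise ValueError(f"VA {va:#x} is not backed by file data")
            return s.raw_pointer + delta
    raise ValueError(f"VA {va:#x} is outside every section")


def decode_jmp_rel32(va, code):
    """Decode a near jump E9 <rel32> located at `va`.

    The displacement is signed little-endian and relative to the address of
    the *next* instruction, i.e. va + 5."""
    if len(code) < 5 or code[0] != 0xE9:
        raise ValueError("not an E9 rel32 jump")
    (rel,) = struct.unpack("<i", code[1:5])
    return (va + 5 + rel) & 0xFFFFFFFF


def in_section_slack(va, sections=SECTIONS, image_base=IMAGE_BASE):
    """True when `va` lies in alignment padding: past VirtualSize but still
    inside the section's raw data. A jump whose target lands there is exactly
    what the 'universal jump' leaves behind, and a scanner can flag it."""
    rva = va - image_base
    for s in sections:
        if s.virtual_address + s.virtual_size <= rva < s.virtual_address + s.raw_size:
            return True
    return False


# Instruction bytes copied from the OllyDbg listing above.
PATCHED_JMP = bytes.fromhex("E90D450000")  # at 0x0040180E: jmp 00405D20
RETURN_JMP = bytes.fromhex("E9E8BAFFFF")   # at 0x00405D26: jmp 00401813


def check_patch():
    """Reproduce the analyst's sanity checks on the patch; returns the findings."""
    cave = decode_jmp_rel32(0x0040180E, PATCHED_JMP)
    back = decode_jmp_rel32(0x00405D26, RETURN_JMP)
    return {
        "entry_va": offset_to_va(0x180C),                 # CCL's offset -> 0x0040180C
        "cave": cave,                                      # where the patched jmp goes
        "return": back,                                    # where the cave jumps back to
        "cave_in_slack": in_section_slack(cave),           # lands in alignment padding
        "return_is_nop": back == 0x0040180E + len(PATCHED_JMP),  # the 0x00401813 NOP
    }


if __name__ == "__main__":
    for key, value in check_patch().items():
        print(f"{key:15} {value:#x}" if type(value) is int else f"{key:15} {value}")
```

The slack check is the defender's half of the story: code that lives between a section's VirtualSize and the end of its raw data had no reason to be there when the compiler emitted the file, so a jump into that region is a cheap heuristic for a patched binary even when no byte signature matches.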

Close OllyDbg, find winshell.exe and scan it with the antivirus. Kaspersky can no longer recognize it! [See Figure 5] Job done. You may ask: does such a modification work against every antivirus? The answer is no. Each antivirus defines its signature differently; the only way is to test on each platform and make a targeted modification for each. The modification methods: instruction reordering (the simplest) and the universal jump. One more point: try to find the gap in the code section. Sometimes the gap in the code section is not big enough and you write the jumped-to code in another section; since those sections do not have the "executable" attribute by default, moving the code there will naturally cause an error. In that case use a PE editing tool to add the executable attribute to that section.

V. Practice two: manual plus automatic location of the signature. (Later I realised there is a small mistake here: I modified the server-side code, and the 黑社会 server runs on the victim's machine. It doesn't matter; it can be regarded as another type of signature.) WinShell is a VC-compiled file; for programs written in other languages, such as assembly or VB, is this location method effective? In principle, any program that is compiled into machine code can be located. VB is an interpreted language, its executable code is not simply machine code (assembly instructions), and I don't know how well CCL locates signatures in it. 黑社会 (Black Society) 2.0 is a universal management and attack suite written in VB; let's test signature location on it. Enough idle talk, straight to the subject. The 黑社会 executable is packed with ASPack, which AspackDie 1.41 unpacks automatically.
This time we change the approach from fully automatic to manual plus automatic, starting with manual replacement. Run CCL, set the mode to manual, output by a specified number of files, and set that number to 100. After setting the parameters, open the file to be checked and click "OK" directly in the PE section selection dialog, which means replacing the whole file. Turn off monitoring, click "Go" in the operation window, and 100 files are generated. (Friendly reminder: when generating a lot of files manually, monitoring must be turned off, otherwise the antivirus has to handle a hundred "poisonous" files at the same time and may crash!) Now scan the 100 files with the antivirus. After it has deleted every file that still contains the signature, only two files are left. Click the "Position" button in the toolbar and open the folder just generated; the location information is shown in the main window [see Figure 6]. Result 1 starts at offset 0000; on my machine it is not counted, because Kaspersky does not scan files without a PE header at all, and file 1 is exactly the one whose PE header was replaced, so it was not deleted. (Other antivirus software, such as Norton, is said to scan regardless of whether there is a PE header; analyse each case on its own.) So the initial conclusion is that the signature is in the range indicated by file 2: the 0x16E1 bytes from 0x2DC2 to 0x44A3. Reset the mode to automatic, read in the original file, enter the start position 2DC2 and the size 16E1 directly in the user input area, click Add Segment, and go to the operation window.

Turn monitoring on and click GO to start automatic detection; the procedure is the same as for WinShell. After some torture of the right mouse button, I finally got the result:

    ------------ Location results ------------
    No.   start offset  size      end offset
    0001  000031C6      00000016  000031DC
    0002  00003A16      0000002C  00003A42
    0003  00003A44      0000002C  00003A70
    0004  00003A71      0000002C  00003A9D
    0005  00003AA0      0000002C  00003ACC
    0006  00003ACD      0000002C  00003AF9

Wow, six places! Old rule: pick the soft persimmon first, so let's check the smallest, 0001. Open the original file in OllyDbg and go to 0x004031C6 to see what is there. What? These are not assembly instructions! Apart from zeros, a few meaningless bytes:

    004031D4  BA    DB BA
    004031D5  DA    DB DA
    004031D6  C9    DB C9
    004031D7  E7    DB E7
    004031D8  BB    DB BB
    004031D9  E1    DB E1
    004031DA  00    DB 00
    ...

If they are not instructions, could they be a string? Type "dd 004031D4" in the command line so that the data window shows 0x004031D4, then change the data window's display mode to "Text -> ASCII (32)", and "黑社会" appears in the lower-left window, three times [see Figure 7]. So "BA DA C9 E7 BB E1" is the (GBK) encoding of those three Chinese characters. Does the antivirus rely on the string "黑社会" in the file to identify 黑社会? To prove our idea, open the original file in the hex editor UltraEdit and search for the three characters "黑社会": 7 places are found. Simple: replace all 7 occurrences of "黑社会" with "白晶晶" [see Figure 8]. Save, then scan with the antivirus. Damn, it can't recognize it any more! So the signature of 黑社会 2.0 has been handled by us. It really took no effort at all; it turned out to use Chinese characters as the signature! Run the modified file: very good, the window title has changed from "黑社会" to "白晶晶", ha ha!
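The 黑社会 case is the textbook reason detection engineers avoid anchoring a signature on one cosmetic string. As an added example (not the article's code; the sample file is constructed, with the GBK bytes BA DA C9 E7 BB E1 from the article planted seven times in random data at 0x100-aligned offsets, which is an assumption about layout, not 黑社会's real structure), the block below applies the single-string signature to the original and the renamed copy, then applies a chunk-hash similarity measure of the kind used by similarity-hashing scanners, which still recognises the renamed file because the other 99% of its bytes did not change.

```python
"""Brittle string signature versus chunk-hash similarity.

Added example, not the article's code. build_sample() CONSTRUCTS a stand-in
for the 黑社会 executable: pseudo-random bytes with the GBK bytes of the name
planted seven times, mirroring the seven hits the article found in UltraEdit.
"""
import hashlib
import random

SIG = bytes.fromhex("BADAC9E7BBE1")      # GBK bytes of 黑社会, as shown in the article
REPLACEMENT = "白晶晶".encode("gbk")     # the article's replacement; same length, so no shift
assert len(REPLACEMENT) == len(SIG)


def build_sample(size=4096, copies=7, seed=7):
    """Constructed sample: deterministic pseudo-random bytes with SIG written
    at 0x100-aligned offsets (layout is an assumption, not 黑社会's)."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    for i in range(copies):
        off = 0x100 * (i + 1)
        buf[off:off + len(SIG)] = SIG
    return bytes(buf)


def rename_copies(data):
    """The edit the article made in UltraEdit: every 黑社会 becomes 白晶晶."""
    return data.replace(SIG, REPLACEMENT)


def string_signature(data):
    """The brittle rule: fire only if the literal name is present."""
    return SIG in data


def chunk_hashes(data, chunk=16):
    """Hash the file in fixed-size pieces; a local edit touches only its own piece."""
    return {hashlib.sha256(data[i:i + chunk]).digest()
            for i in range(0, len(data), chunk)}


def similarity(a, b, chunk=16):
    """Jaccard similarity of the two files' chunk-hash sets, in [0, 1]."""
    ha, hb = chunk_hashes(a, chunk), chunk_hashes(b, chunk)
    return len(ha & hb) / len(ha | hb)


def similarity_signature(data, reference, threshold=0.9):
    """The robust rule: fire if the file is mostly the known sample."""
    return similarity(data, reference) >= threshold


if __name__ == "__main__":
    original = build_sample()
    renamed = rename_copies(original)
    print("string rule, original:", string_signature(original))     # True
    print("string rule, renamed: ", string_signature(renamed))      # False
    print("similarity:           ", round(similarity(original, renamed), 4))
    print("similarity rule:      ", similarity_signature(renamed, original))
```

Fixed-size chunks are defeated by an insertion that shifts every later byte, which is why real tools derive chunk boundaries from the content itself; the point stands regardless: seven six-byte replacements leave 249 of 256 chunks untouched, and a rule that looks at the whole file rather than one string survives the rename.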
VI. Practice three: multiple signatures. In practice two there were several signatures, but modifying just one of them was enough; this does not necessarily apply to every program. In the author's experience, signatures can be primary and secondary. If the primary signature is modified, the file can escape detection; if only a secondary signature is modified, the file is still caught by the antivirus, only the version it identifies is different. So the focus of our modification should be the primary signature in the file.

VII. Summary. That's about it, let's sum up! When using CCL to locate signatures, manual replacement and automatic replacement should be used together; no single method does everything.

Please credit the original address when reposting: https://www.9cbs.com/read-66754.html
