Win32ASM Programming 2nd Edition (From China) - ver UASM x64

Started by LiaoMi, August 27, 2017, 10:15:23 AM


Yuri

Quote from: hutch-- on August 30, 2017, 12:50:47 AM
No no, if the named file is blacklisted by AV companies, call it something else and post it somewhere else.
No, renaming doesn't work. I've already tried it, as well as adding a manifest. Shuffling parts of the source code gets rid of some AVs but not all. Getting rid of all of them seems impossible. Baidu, for example, doesn't like my DllMain function if it's longer than a certain number of bytes. It doesn't matter what the function does. But I can't keep it that short because I need to do some initialization. If I try to move initialization to a separate function and call it from DllMain, that doesn't make Baidu happy.

Some time ago I was able to shake off a couple of AVs by simply moving the entry point of the DLL one byte forward. Have no idea why it worked.

LiaoMi

Quote from: Vortex on August 30, 2017, 04:06:10 AM
Hi Yuri,

I have an old SFX archive example coded with GoAsm. The sample uses Jeremy Collake's JCALG1 compression library. Jotti and virustotal are reporting that the SFX archive is "infected". Of course, this is a false positive. I tried the technique of splitting the executable into multiple files. The idea is to present those file fragments to the AV engines as meaningless binary data files "missing" the important block IMAGE_NT_HEADERS and the sections text and data. Splitting the executable into three parts:

Part 1: 32 bytes, only the first half of IMAGE_DOS_HEADER
Part 2: 32 bytes, second half of IMAGE_DOS_HEADER
Part 3: the rest of the file

You can use a file splitter. I used dd adapted to Windows:

http://www.chrysocome.net/dd

Split.bat:

dd if=Sfxdemo.exe of=Sfxdemo.exe.01 bs=32 count=1
dd if=Sfxdemo.exe of=Sfxdemo.exe.02 bs=32 count=1 skip=1
dd if=Sfxdemo.exe of=Sfxdemo.exe.03 bs=32 skip=2


Result:

    Size File name

  24.064 Sfxdemo.exe
      32 Sfxdemo.exe.01
      32 Sfxdemo.exe.02
  24.000 Sfxdemo.exe.03


A simple batch file can be presented to the end user to combine the parts, no need for external tools. Double-clicking the batch file:

copy /b Sfxdemo.exe.01+Sfxdemo.exe.02+Sfxdemo.exe.03 Sfxdemo.exe

Analysis of Sfxdemo.exe:

https://virusscan.jotti.org/en-US/filescanjob/oh2870yoks

Analysis of the files Sfxdemo.exe.01, Sfxdemo.exe.02 and Sfxdemo.exe.03:

https://virusscan.jotti.org/en-US/filescanjob/jz07f1ek2k,4peo8klxce,265bda0ds8

Analysis by virustotal:

Sfxdemo.exe.01 :

https://virustotal.com/#/file/9a25e59e4ddb7fede5ee68a2b728912a009c98c7f29b3d1e7745d4b3e8e6d0c3/detection

Sfxdemo.exe.02 :

https://virustotal.com/#/file/a2461009f610d333b185ea0e8d7836d26ca7333b0c0cd8609c4c24073e6dc091/detection

Sfxdemo.exe.03 :

https://virustotal.com/#/file/a5feb198bdd2c5d3177f8621ea5869ee9845991e13270490f19b8abde3fa63ce/detection

Sfxdemo.exe :

https://virustotal.com/#/file/e94fd2fa54056cd0f18fc51177ccfdf4ecc63a333ef6f78ae8e2fa71dfc73186/detection

:biggrin:

This is also a malicious technique -

https://en.wikipedia.org/wiki/Dropper_(malware)

I think the best option is to check the content first, then delete the executable files, and leave only the sources.
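The header check a scanner applies, run over the three dd fragments and then over their copy /b result, added here as a defender-side illustration of why the parts pass while the whole does not (this is not Vortex's code; the sample bytes are a constructed header stub standing in for Sfxdemo.exe, and the fragment heuristics are assumptions):

```python
import hashlib
import struct


def build_sample_image() -> bytes:
    """Constructed stand-in for Sfxdemo.exe: a 64-byte IMAGE_DOS_HEADER whose
    e_lfanew points at a PE signature followed by a zeroed IMAGE_FILE_HEADER.
    It is a header stub only, not a runnable binary."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"                       # e_magic
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: NT headers follow the DOS header
    return bytes(dos) + b"PE\0\0" + bytes(20)   # signature + empty IMAGE_FILE_HEADER


def split_like_dd(data: bytes, bs: int = 32) -> list:
    """Same cuts as Split.bat: count=1, then skip=1 count=1, then skip=2 to the end."""
    return [data[:bs], data[bs:2 * bs], data[2 * bs:]]


def looks_like_pe(data: bytes) -> bool:
    """The check a scanner performs before treating a file as an executable:
    MZ magic, a complete DOS header, and an in-bounds e_lfanew landing on 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def fragment_indicators(data: bytes) -> list:
    """Assumed heuristics for a piece of a split PE: a DOS header cut short, or a
    PE signature present in a file that has no MZ stub in front of it."""
    hits = []
    if data[:2] == b"MZ" and len(data) < 0x40:
        hits.append("truncated IMAGE_DOS_HEADER")
    if data[:2] != b"MZ" and b"PE\0\0" in data:
        hits.append("PE signature without DOS stub")
    return hits


def scan_then_reassemble(fragments: list) -> dict:
    """Scan each part on its own, then scan what copy /b would produce."""
    joined = b"".join(fragments)
    return {
        "parts_flagged_as_pe": [looks_like_pe(f) for f in fragments],
        "parts_indicators": [fragment_indicators(f) for f in fragments],
        "joined_is_pe": looks_like_pe(joined),
        "joined_sha256": hashlib.sha256(joined).hexdigest(),
    }
```

The middle fragment carries no indicator at all, which is the point a per-file scanner misses: only the concatenation can be judged.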

Vortex

LiaoMi,

Where do you see something malicious in the splitting technique? FYI, the UNIX/Linux family has been providing the cut/merge method for a long time. Departing from your point of view, self-extracting archives should be forbidden as they can transport malware. The problem is that AV companies are doing their best to discourage some developers.

jj2007

There are quite a number of techniques we could apply to hide potentially dangerous routines from the AV brigade. But afaik, you can't download attachments if you are not logged in, so what is the problem? That archives are too big to be posted here? Sorry, but what's the point of assembler if you can't zip the content to 512kB or less?

Yuri


jj2007

Quote from: Yuri on August 30, 2017, 08:45:03 PM
What if it was real malware? Would they still detect it? :icon_rolleyes:

Without indulging too much in details, you have to distinguish between "scanners" and "watchdogs":
- Scanners need to find signatures in all files. Try to imagine what "all files" means on your machine, and to imagine how efficient scanners can be...
- Watchdogs must shout foul if a process tries to do strange things. Since many processes access the internet etc., their efficiency depends on the user's running processes, firewall, services etc.

Vortex

Hi Yuri,

This should probably depend on the analysis techniques employed by the AV engine. Deep inspections can take more time and such AV engines would probably slow down computers. Encryption methods can make things even more difficult. As you said, everything depends on whether the user trusts you or not.

jj2007

In the end, the most important thing for malware is to get "a foot in the door", i.e. to get a small proggie running that afterwards can download whatever is necessary. Cheating scanners is easy, encrypting a file, for example, can be done in milliseconds.

hutch--

Yuri,

Try another trick: different linkers sometimes place the PE header at different offsets from the MZ header. I don't know how you have produced the binary, but I know that most AV scanners have a good look at the MZ/PE header structure, and if it deviates from their view of normal, they will flag it as infected or suspicious.

Yuri

I used GoLink. But I don't think this is the problem. As far as I know, the DLL has been distributed together with malicious scripts, often in text form inside the script and then stored on disk as a binary file. This probably led some AVs to see it as malware. When it was just built it wasn't flagged as such.