I gave it a try, too.
To me it looks like files smaller than 100KB in particular don't get
changed (no MD5 sum changes).
PEscrambler worked OK for e.g. netcat. Before scrambling, 23/40
caught it; after scrambling there were just 14/40 on VirusTotal.

I did some further research with PEscrambler and it does not work for
e.g. fgdump or pwdump. These tools don't work anymore afterwards.
I went the dsplit road on these two examples, but it didn't work out
either. Either the tools crash afterwards or my AV (AVG) still catches them.

Anyone else who did some research on this?

Nils


Adrian Crenshaw wrote:
> Thanks for posting PEScrambler
> <http://pauldotcom.com/PEScrambler_v0_1.zip> guys, I was one of the
> guys asking for it. I've locked the slides for my anti-forensics class
> this Saturday, but I'll try to remember to mention this tool. That
> said, I'm not sure it's working right. For example, as a test I do:
> PEScrambler.exe -i hfs.exe -o x.exe
>
> but checking the hashes of x and hfs, it seems x is just an exact
> copy. Any ideas?
>
> Thanks,
> Adrian
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com