I get most things through A/V the same way (be it nc or fgdump). I split the executable in half and scan each piece with the A/V. I discard the piece that passes and focus on the piece that gets flagged. I then split that piece in half and repeat the process. I do this multiple times until I'm left with a small amount of code responsible for triggering the A/V. I then use a hex editor on the original executable to make very small modifications to that specific block of code. Usually it only takes a few character changes for the A/V not to recognize it anymore. This, in combination with editing the PE (I second PE scrambler) rarely fails me.
On Wed, May 19, 2010 at 1:07 AM, Ali Alhebshi <[email protected]> wrote:
> Has anyone succeeded in getting fgdump past AV systems?
>
> On Mon, May 17, 2010 at 4:04 PM, bytes abit <[email protected]> wrote:
>>
>> Also, as a side note.. perhaps if you want to keep ncat on the system you
>> could use the "Copy CON" techniques discussed in PDC...
>> Can't remember the episode, think it was in the 160-170 range...
>>
>> On Mon, May 17, 2010 at 8:35 AM, Jim Halfpenny <[email protected]> wrote:
>>>
>>> Hi,
>>> Busybox provides netcat functionality plus lots more with a small
>>> footprint. I have not come across any AV software which detects
>>> busybox as a potentially unwanted program.
>>>
>>> Regards,
>>> Jim
>>>
>>> On 16 May 2010 17:49, Chris Teodorski <[email protected]> wrote:
>>> > Thanks to all for the great advice. I was using NetCat, because I'm
>>> > putting it on a Teensy++ and I'm very limited in space. The
>>> > executable needs to be super small...
>>> >
>>> > I followed the article here:
>>> > http://packetstormsecurity.nl/papers/virus/Taking_Back_Netcat.pdf
>>> >
>>> > It seems to have worked.
>>> >
>>> > Thanks to all for the help.
>>> >
>>> > On Sat, May 15, 2010 at 2:15 PM, Rob Fuller <[email protected]> wrote:
>>> >> Just curious, but why are you using Netcat?
>>> >>
>>> >> --
>>> >> Rob Fuller | Mubix
>>> >> Room362.com | Hak5.org | TheAcademyPro.com
>>> >> Ignore this:
>>> >> x5o...@ap[4\pzx54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
>>> >>
>>> >> On Sat, May 15, 2010 at 1:02 PM, Professor Thread
>>> >> <[email protected]> wrote:
>>> >>>
>>> >>> On 05/15/2010 03:08 PM, Chris Teodorski wrote:
>>> >>>
>>> >>> All,
>>> >>>
>>> >>> Does anyone know a good way to sneak netcat past modern AV?
>>> >>>
>>> >>> Chris
>>> >>>
>>> >>> Have you tried nmap's "ncat" version?
>
> --
> Ali Al-Hebshi
>
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
