Could you please elaborate a bit on this. What do you mean in detail? I used the "split and search for AV signature" method for nc.exe on Windows and it did work. But for other tools I didn't succeed yet.
Nicholas B. wrote:
> I have had issues using these methods with some programs that I've
> attempted to shield from AV. On occasion I've found that I've needed
> to extend .text section(s) inside of the binaries using lordpe for
> programs like gsecdump in order to get scramblers or encoders to work
> well.
>
> On Wed, May 19, 2010 at 9:20 AM, xgermx <[email protected]> wrote:
>
> I get most things through A/V the same way (be it nc or fgdump).
> I split the executable in half and scan each piece with the A/V. I
> discard the piece that passes and focus on the piece that gets
> flagged. I then split that piece in half and repeat the process. I do
> this multiple times until I'm left with a small amount of code
> responsible for triggering the A/V. I then use a hex editor on the
> original executable to make very small modifications to that specific
> block of code. Usually it only takes a few character changes for the
> A/V not to recognize it anymore. This, in combination with editing the
> PE (I second PE scrambler) rarely fails me.
>
> On Wed, May 19, 2010 at 1:07 AM, Ali Alhebshi <[email protected]> wrote:
>
> Has anyone succeeded in getting fgdump past AV systems?
>
> On Mon, May 17, 2010 at 4:04 PM, bytes abit <[email protected]> wrote:
> >>
> >> Also, as a side note.. perhaps if you want to keep ncat on the system you
> >> could use the "Copy CON" techniques discussed in PDC...
> >> Can't remember the episode, think it was in the 160-170 range...
> >>
> >> On Mon, May 17, 2010 at 8:35 AM, Jim Halfpenny <[email protected]>
> >> wrote:
> >>>
> >>> Hi,
> >>> Busybox provides netcat functionality plus lots more with a small
> >>> footprint. I have not come across any AV software which detects
> >>> busybox as a potentially unwanted program.
> >>>
> >>> Regards,
> >>> Jim
> >>>
> >>> On 16 May 2010 17:49, Chris Teodorski <[email protected]> wrote:
> >>> > Thanks to all for the great advice. I was using NetCat, because I'm
> >>> > putting it on a Teensy++ and I'm very limited in space. The
> >>> > executable needs to be super small...
> >>> >
> >>> > I followed the article here:
> >>> > http://packetstormsecurity.nl/papers/virus/Taking_Back_Netcat.pdf
> >>> >
> >>> > It seems to have worked.
> >>> >
> >>> > Thanks to all for the help.
> >>> >
> >>> > On Sat, May 15, 2010 at 2:15 PM, Rob Fuller <[email protected]> wrote:
> >>> >> Just curious, but why are you using Netcat?
> >>> >>
> >>> >> --
> >>> >> Rob Fuller | Mubix
> >>> >> Room362.com | Hak5.org | TheAcademyPro.com
> >>> >> Ignore this:
> >>> >> x5o...@ap[4\pzx54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
> >>> >>
> >>> >> On Sat, May 15, 2010 at 1:02 PM, Professor Thread
> >>> >> <[email protected]> wrote:
> >>> >>>
> >>> >>> On 05/15/2010 03:08 PM, Chris Teodorski wrote:
> >>> >>>
> >>> >>> All,
> >>> >>>
> >>> >>> Does anyone know a good way to sneak netcat past modern AV?
> >>> >>>
> >>> >>> Chris
> >>> >>>
> >>> >>> Have you tried nmap's "ncat" version?
> >>> >>>
> >>> >>> _______________________________________________
> >>> >>> Pauldotcom mailing list
> >>> >>> [email protected]
> >>> >>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> >>> >>> Main Web Site: http://pauldotcom.com
> >
> > --
> > Ali Al-Hebshi
