Monday, February 15, 2016

4n4lDetector v1.1

Fuck, what fucking weather out there! Now comes the awkward moment when everything comes back to haunt you. If you get into bed and wrap yourself up, you roast. If you poke a foot out past the end of the sheet, you run the risk of it freezing off. If you go out in long trousers, even your underpants fuse with your butt cheeks, and with the sweat your balls become public enemy number one. Because everything on you starts to sweat! And if instead you decide to put on shorts ... consider yourself fucked, because something bad is bound to happen to you, mark my words ... this is no way to live!

The truth is I don't feel like writing this post hahaha pffffffff ... I'd rather be lying in the sun on my terrace sucking on a Flash ice pop, but after such a hectic weekend my only alternatives were to post something or go on Putalocura, and I know what would happen there, but lately it hasn't been updated with good content, so ... I'm losing interest.

So I said to myself ... I'll give the lads, and especially the ladies, the new version of my software, 4n4lDetector. Jokes aside, I have put many hours into making it even more powerful than the previous version, and I'm not deceiving you if I say I'm very happy with the results this tool is giving me. Besides, I don't have to sell you anything, because with me everything is always free.

What new things does this version of 4n4lDetector bring?

If you recall my previous post, in which I developed a Crypter to make malware undetectable: it used a stub called enelpc.exe which, after being processed with 4n4lCrypter, produced the file Crypt.exe that finally carried the encrypted malware. Both of those executables end up being caught by the tool.


I have included Dropper detection routines, which work on Binder and Joiner applications and on stub-based Crypters.

Staying with Crypters, one of the publications on indetectables.net by the user MaggicianCOr was later modified by the author himself. I decided to download it and use it to examine the encrypted binary, which makes a good example for showing the other information 4n4lDetector gives you.

This new version studies the possible abundance of strange characters, usually generated randomly by malware to add polymorphism to the descriptions of the generated binary. The following image shows a polymorphism detection, followed by the amount of Dropper code, and the anomaly after the Entry Point: a JPO conditional jump, which betrays modification of an executable compiled in Visual Basic 6.


If you remember the post in which we encrypted malware by hand, rotation, addition, subtraction and XOR instructions were inserted after the Entry Point of the Poison Ivy Trojan. These also draw the attention of 4n4lDetector, which studies the first 25 bytes from the entry point of every application.
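As an added example (not 4n4lDetector's own code), the entry-point check described here and the JPO detection above can be approximated with a small opcode walker over the first 25 bytes after the Entry Point. It is a coarse byte-level heuristic rather than a disassembler, and the sample byte strings are constructed for illustration.

```python
# Coarse x86 opcode heuristic for the first 25 bytes after a PE Entry Point
# (added example, not 4n4lDetector's code): flags ROL/ROR/ADD/SUB/XOR and JPO.
WINDOW = 25  # bytes after the Entry Point that the post says are examined
ARITH = {**{op: "add" for op in range(0x00, 0x06)},   # r/m and acc/imm forms
         **{op: "sub" for op in range(0x28, 0x2E)},
         **{op: "xor" for op in range(0x30, 0x36)}}
SHIFT_GROUP = {0xC0, 0xC1, 0xD0, 0xD1, 0xD2, 0xD3}  # ModRM.reg 0=rol, 1=ror

def modrm_len(code, i):
    """Bytes taken by a ModRM operand (ModRM + optional SIB + displacement)."""
    if i >= len(code):
        return 1                                   # truncated window
    mod, rm = code[i] >> 6, code[i] & 7
    if mod == 3:
        return 1                                   # register-direct operand
    n = 2 if rm == 4 else 1                        # SIB byte present?
    if mod == 0 and (rm == 5 or (rm == 4 and i + 1 < len(code) and code[i + 1] & 7 == 5)):
        n += 4                                     # [disp32] or SIB with no base
    return n + (0, 1, 4)[mod]

def scan_entry_window(code):
    """Return (offset, mnemonic) hits in the EP window. Unrecognised opcodes
    advance one byte, so their operand bytes can still cause false positives."""
    hits, i, code = [], 0, code[:WINDOW]
    while i < len(code):
        op, n = code[i], 1
        if op in ARITH:
            n = 2 if op % 8 == 4 else 5 if op % 8 == 5 else 1 + modrm_len(code, i + 1)
            hits.append((i, ARITH[op]))
        elif op in SHIFT_GROUP and i + 1 < len(code):
            reg = (code[i + 1] >> 3) & 7
            n = 1 + modrm_len(code, i + 1) + (op in (0xC0, 0xC1))  # +imm8?
            if reg < 2:
                hits.append((i, "rol" if reg == 0 else "ror"))
        elif op == 0x7B:                           # jpo/jnp rel8
            hits.append((i, "jpo"))
            n = 2
        elif 0x88 <= op <= 0x8B:                   # mov r/m forms: skip operands
            n = 1 + modrm_len(code, i + 1)
        elif op in (0x68, 0xE8, 0xE9):             # push imm32 / call, jmp rel32
            n = 5
        i += n
    return hits

def triage(code):
    kinds = {m for _, m in scan_entry_window(code)}
    return {"crypt_arith": bool(kinds & {"add", "sub", "xor", "rol", "ror"}),
            "jpo_after_ep": "jpo" in kinds}

# Constructed samples: a hand-written decrypt loop, a VB6-style entry with a JPO patched in, a plain call/jmp entry.
STUB_LOOP = bytes.fromhex("8A06 34AA C0C803 2C10 8806 46 E2F2")
VB6_PATCHED = bytes.fromhex("6810204050 E8F0FFFFFF 7B05 9090")
CLEAN = bytes.fromhex("E8A0030000 E9C8FEFFFF")
```

Skipping the operands of the few instructions the walker does know (call, jmp, push, mov) matters: the zero bytes in a rel32 operand would otherwise read as ADD opcodes.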


Something that could not be missing from the execution module is the ability to load libraries. To that end, this new version adds a new executable of only 2.7 KB to study their memory dumps.


The algorithms responsible for finding executable names have also been improved, so this section now shows broader and better information.


A user asked me to keep a log of extractions, so I prepared a console function for the tool: if you pass it the name of the executable to be analyzed as a parameter, without quotes of any kind, it generates a TXT in the 4n4lDetector root directory named after the application in question.


Something I have never mentioned on the blog are the API Call By Name and API Call By Hash methods. These methods are used to invoke APIs without declaring them as such: a hash algorithm provides the name by which an API is referenced, or the functions are often called directly by loading the libraries with a LoadLibrary and copying the instructions into memory. Malware can use these techniques to hide from static analysis which features it actually uses, so it seemed a good idea to incorporate detection of these methods. The figure below shows a simple Downloader camouflaging the URLDownloadToFile API.


It's funny that I develop antivirus evasion methods and malware as a hobby, and at the same time fight them as a hobby, lol.

