November 27, 2012
10:25

How to make your Stubs-Virus FUD against anti-virus

So firstly, make sure you have installed the particular AV which you wish to FUD your exe against. For this I will be using Eset Nod32.
http://www.eset.com/download/home/

Here is what you will need:

You need Hex Workshop; I recommend this one here http://thepiratebay.se/torrent/4740213/H...6.0.1.4603
You need Exidous AV Signature Tool http://bayfiles.com/file/iFtP/ibCgVe/Exi...e_Tool.exe

Exidous AV Signature Tool scanned: https://www.virustotal.com/file/3c7797eb...328132169/

Now to start off we need our stub. I will be using this one on my desktop.

Now open Exidous AV Signature Tool and open your stub by clicking this button; locate your stub and select it.

Now select “Hybrid method” and leave everything else at the default settings.

Now select your output folder. I will just be creating a folder on my desktop and calling it “Offsets”.

Now click “Split!” and let it create the output bins in your output folder (“Offsets”).

Now just close the AV signature tool, go to your output folder (“Offsets”), hit Ctrl + A to select all the files, and choose “Scan with” your AV of choice (Eset Nod32 in my case).

So now you can see it scanned 213 items (bins), but it only detected 205 items. So here we scroll to the top and see where the detections start. In my case they start at “output3.bin”.

So now go to the output folder again and drag out your first detected item, “output3.bin” (this will change depending on your stub), and also drag out “output2.bin” (this will be the one just before the detections start).

Now open Hex Workshop and go to “Tools”, “Compare” and finally “Compare Files…”.

This dialog will open; now just select the directory of your two output bins. Once you have selected both of them, just click “OK”.

You will see both of the bins open up, and near the bottom right of Hex Workshop the part where the detection is will be highlighted in red. Click on that and it will take you to the part where the detection happens. Once there, write down the start and end offset numbers located on the left into Notepad. (You will have to hover over the numbers on the left to see the offset number.)

Now start filling 1 byte by 1 byte with c1. This means only fill one value at a time. Each time you fill 1 byte with a c1, save the “output3.bin” and scan it again with Eset Nod32.

Repeat these steps until the “output3.bin” is undetected, like so. You can see in my first attempt that filling 1 byte with a c1 failed and it is still detected, but in the second image I succeeded and it is now FUD against Eset Nod32!

Failed!

Succeeded!

Now open the stub in Hex Workshop.
Now press Ctrl + F to open the search dialog and click on the “Range” tab. Copy the start and end offset numbers from our Notepad and enter them in the search.

Click OK; it should show you the detected part from “output3.bin”.

Now fill the bytes you previously filled in the “output3.bin” with c1’s (fill the exact same bytes!).

All that’s left to do is compile the edited stub! So in Hex Workshop go to “File” and “Save As” the edited stub as an .exe (I save it as stub3.exe).