Source: Computer Knowledge Network
According to a recent survey report, anti-virus software from well-known brands catches only 20% of new computer viruses, while the miss rate is as high as 80%. What causes this situation? Are today's viruses too powerful, or are anti-virus products limited? Today we will work through an example to see what the "eyes" of anti-virus software actually are.
Hacker name: Yu Qian
Hacker expertise: creation of "kill-free" (anti-virus evading) programs
Tools used: MaskPE, Super flower Extender, Private exe Protector
Hacker confession: Because trojan software has a "black" feature, it is scanned and removed by anti-virus software soon after it is published. In order to avoid this situation, I began to study how to prevent hacking programs from being detected and make various anti-virus programs "blind" in front of them. How can we achieve a no-kill effect?
Current anti-virus software detects and removes a virus by matching its signature, a fixed byte pattern extracted from the virus. To keep trojan programs from being detected by anti-virus software, hackers modify or disguise the program in various ways; this is what "kill-free" (免杀, making a program undetectable) refers to.
Common kill-free methods today include packing (adding a shell), adding "flower instructions" (junk instructions inserted into the code), modifying signatures, changing the entry point, and encrypting the entry point. Because mainstream anti-virus software combines several signature techniques, a single method is rarely enough to evade detection; several methods have to be combined. The following walks through the process on an actual program.
1. Kill-free starts from inside the program
Prepare the hacker program that is to be made undetectable. First, encrypt the file by running the encryption program MaskPE. MaskPE is a tool that automatically modifies PE files: it scrambles the program's original code so that the resulting trojan or virus no longer matches existing signatures.
Click the "Load File" button to select the program to be processed, select any item in the "Select Information" list, and click the "Make File" button; in the pop-up window, save the encrypted file.
2. Confuse anti-virus software with flower instructions
Run the "super flower generator", a new program for adding flower instructions. First, drag the server program directly onto the program's main interface and release it. Then select a flower instruction from the "Flower instruction" drop-down list and click "add flower". A flower instruction is thereby inserted in front of the hacker program's code, and anti-virus software that extracts its signature from the file header is rendered powerless.
3. Packing to prevent anti-virus analysis
Next, pack the program to keep anti-virus software from comparing its code against signatures. Run the Private exe Protector packer and add the hacker program to be processed in the "application" list that appears. In the "Settings" option below, select "dynamic protection", then click "Start protection" in the toolbar to pack the file immediately.
4. Changing the entry point to defeat signature comparison
Finally, modify the entry point. The purpose is similar to packing: it prevents anti-virus software from locating the program's code through the entry point. Run the PE editing program PEditor, click "Browse" to select the hacker program, find the "entry point" field, add 1 to the original value, and click "Apply Changes" to confirm the setting.
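The defender's counterpart to the four steps above, as an added example that is not code from the original article or from any of the tools it names: a small PE triage script that flags the traces packing, in-place encryption, appended stubs and entry-point relocation leave behind in the header and section table. It uses only the Python standard library. The entropy threshold of 7.0 bits per byte is an assumed value to be tuned against a known-good corpus, and the two sample images at the bottom are constructed header fixtures built by a helper in the script, not real binaries.

```python
"""PE triage heuristics (added example; not from the original article).

Flags: entry point outside every section or in a non-executable section,
entry point in the last section (where an appended stub usually lives),
and executable sections whose bytes look compressed or encrypted.
"""
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
PACKED_ENTROPY = 7.0  # bits/byte; assumed threshold, tune against a known-good corpus


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: compiled code is typically 5-6.5, compressed/encrypted data above 7."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(pe: bytes):
    """Return (AddressOfEntryPoint, list of section dicts) for a PE32/PE32+ image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, fh)
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                   # IMAGE_SECTION_HEADER[i]
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "characteristics": chars,
                         "data": pe[rawptr:rawptr + rawsize]})
    return entry_rva, sections


def triage(pe: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    entry, sections = parse_pe(pe)
    findings = []
    ep_sec = next((s for s in sections
                   if s["va"] <= entry < s["va"] + max(s["vsize"], len(s["data"]))), None)
    if ep_sec is None:
        return [f"entry point 0x{entry:x} lies outside every section"]
    if not ep_sec["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point in non-executable section {ep_sec['name']!r}")
    if len(sections) > 1 and ep_sec is sections[-1]:
        findings.append(f"entry point in last section {ep_sec['name']!r} "
                        "(where an appended unpacking stub usually lives)")
    for s in sections:
        ent = shannon_entropy(s["data"])
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and ent > PACKED_ENTROPY:
            findings.append(f"executable section {s['name']!r} has entropy {ent:.2f}, "
                            "consistent with packed or encrypted code")
    return findings


def build_pe(sections, entry_rva: int) -> bytes:
    """Assemble a minimal PE32 header fixture (not a loadable program).

    sections: list of (name bytes, virtual address, raw bytes, characteristics).
    """
    opt_size = 0xE0
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (hdr_len + 511) // 512 * 512               # 512-byte file alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva) + b"\0" * (opt_size - 20)
    sec_hdrs, bodies, ptr = b"", b"", raw_ptr
    for name, va, data, chars in sections:
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va,
                                len(data), ptr, 0, 0, 0, 0, chars)
        bodies += data
        ptr += len(data)
    image = dos + b"PE\0\0" + file_hdr + opt + sec_hdrs
    return image + b"\0" * (raw_ptr - len(image)) + bodies


# Constructed fixtures. CODE_LIKE is a repetitive prologue/ret pattern standing in
# for ordinary compiled code; RANDOM_LIKE has every byte value equally often, which
# is how compressed or encrypted payloads look to an entropy scan (exactly 8 bits/byte).
CODE_LIKE = bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0xC3, 0x90] * 64)
RANDOM_LIKE = bytes(range(256)) * 2

CLEAN_PE = build_pe([(b".text", 0x1000, CODE_LIKE, 0x60000020),
                     (b".data", 0x2000, b"\0" * 512, 0xC0000040)], entry_rva=0x1000)
# Original code encrypted in place, a stub appended as the last section, and the
# entry point moved one byte past the stub's start (the "+1" trick described above).
PACKED_PE = build_pe([(b".text", 0x1000, RANDOM_LIKE, 0x60000020),
                      (b".stub", 0x2000, CODE_LIKE[:64], 0xE0000020)], entry_rva=0x2001)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_PE), ("packed", PACKED_PE)):
        print(label, triage(img) or "no findings")
```

Run as-is it reports no findings for the clean fixture and two for the packed one (entry point in the last section, and an executable section with entropy 8.00). None of these checks is a signature: they look at structure the evasion steps cannot easily hide, which is why sandboxes and endpoint agents combine them with the signature matching the article says can be bypassed.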
After a hacker program has gone through the evasion process, it must first be checked with several anti-virus products. Users who have no anti-virus software installed can instead submit it to a multi-engine sample scanning website.
If no anti-virus software detects it, the modified program must then be tested locally to confirm it still runs properly. Only after this series of tests can one say that the hacker program has been successfully made undetectable.