Simply modifying the Trojan's shell (packer) header fooled Kaspersky.

Source: Internet
Author: User

"Look, do you think I don't recognise you just because you put on a vest?" The line is a familiar one, and users now borrow it to describe anti-virus vendors' unpacking technology. That technology exists only because of the "packing" (shelling) technology used by virus writers.

As everyone knows, "packing" (adding a shell) means modifying the encoding of an executable or dynamic link library through a series of mathematical operations, either to reduce the file size or to encrypt the program code. When the file runs, the shell code executes first; it is responsible for restoring the user's original program in memory and then handing control back to the real program once unpacking is complete. All of this happens automatically, and the user never sees how the shell runs. In general, a packed program runs with the same result as the unpacked one.

Faced with virus writers packing their viruses, anti-virus vendors naturally adopted "unpacking" technology. The general unpacking process consists of identifying the packer, finding the OEP (the original entry point, which the shell hides to hinder cracking), dumping the unpacked image, and repairing it. Unpacking ability has now become an important measure of an anti-virus product's virus-removal capability.

A new round of the game between virus writers and anti-virus vendors is being played out between two symbiotic technologies: packing and unpacking.

Among the many anti-virus products, Kaspersky enjoys a good reputation among users, and many say that its virtual-machine unpacking technology is very strong. However, I made only a small adjustment to the usual "packing" step, and to my surprise merely modifying the shell header left "Uncle Kabbah" (Kaspersky) speechless.

I picked at random a foreign downloader, Deception 4.0 (DT), from the Internet. Kaspersky must detect it as it is, otherwise the test would be meaningless. Although only 9 values in the shell added to DT are modified, Kaspersky also reports no virus when other executable files are packed in the same way. The modified program must still run correctly, otherwise the modification is pointless. Let's begin. The following eight most common shells were prepared.

I. First test: NSPACK 3.6

Load the NSPACK-packed DT into OD (OllyDbg) and copy the first 10 lines, shown below (the blue bold area is the part to be modified, in the format shown):
004CF302 E8 00000000       call duplicate_(2).004CF307
004CF307 5D                pop ebp
004CF308 83C5 F9           sub ebp, 7
004CF30B 8D85 0CFFFFFF     lea eax, dword ptr ss:[ebp-F4]
004CF311 8338 01           cmp dword ptr ds:[eax], 1
004CF314 0F84 47020000     je duplicate_(2).004CF561
004CF31A C700 01000000     mov dword ptr ds:[eax], 1
004CF320 8BD5              mov edx, ebp
004CF322 2B95 A0FEFFFF     sub edx, dword ptr ss:[ebp-160]
004CF
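The first three lines of the stub (call to the next instruction, pop ebp, subtract 7) are the classic delta-offset idiom a shell uses to learn its own load address before it starts unpacking. The following scanner, an added example written for this page and not part of the original article, recognises that idiom in raw bytes and computes the address the stub derives; seeing it at a file's entry point is a simple, if weak, packer indicator a defender can use. The stub bytes are typed in from the listing above as a constructed sample.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed sample: opcode bytes of the first NSPACK stub lines quoted
# above, as they start at 004CF302 (typed in from the listing, not dumped).
NSPACK_STUB = bytes.fromhex(
    "E800000000"        # call $+5   (pushes 004CF307)
    "5D"                # pop ebp    (ebp = 004CF307)
    "83C5F9"            # add ebp,-7 (shown as "sub ebp, 7" in the listing)
    "8D850CFFFFFF"      # lea eax, [ebp-F4]
    "833801"            # cmp dword [eax], 1
    "0F8447020000"      # je ...
)
STUB_BASE = 0x004CF302

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

@dataclass
class DeltaStub:
    offset: int   # where the call sits inside the scanned buffer
    reg: str      # register that receives the runtime address
    value: int    # that register's value after the optional adjustment

def find_delta_stub(code: bytes, base: int) -> Optional[DeltaStub]:
    """Find 'call $+5 / pop reg [/ add|sub reg, imm8]' and resolve the address."""
    sig = b"\xE8\x00\x00\x00\x00"
    i = code.find(sig)
    while i != -1:
        j = i + len(sig)
        if j < len(code) and 0x58 <= code[j] <= 0x5F:     # pop r32
            reg_idx = code[j] - 0x58
            value = base + j            # return address the call pushed
            k = j + 1
            # optional 83 /0 (add) or 83 /5 (sub) with mod=11 on the same reg
            if k + 2 < len(code) and code[k] == 0x83:
                modrm = code[k + 1]
                mod, op, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
                if mod == 3 and rm == reg_idx and op in (0, 5):
                    imm = struct.unpack("<b", code[k + 2:k + 3])[0]
                    value = (value + imm if op == 0 else value - imm) & 0xFFFFFFFF
            return DeltaStub(i, REGS32[reg_idx], value)
        i = code.find(sig, i + 1)
    return None

def stub_at_entry(code: bytes, base: int) -> bool:
    """True when the bytes at an entry point begin with the delta-offset idiom."""
    s = find_delta_stub(code, base)
    return s is not None and s.offset == 0
```

For the sample the scanner reports ebp = 004CF300, which is why the later `lea eax, [ebp-F4]` and `[ebp-160]` references resolve to fixed offsets inside the shell regardless of where the image is loaded.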

