Editor's note: This feature gives a comprehensive overview of current Trojan attack and defence knowledge, so that when you are hit you know how to do more than format the disk and reinstall the system. By following the whole chain of "creation → disguise → planting → prevention", readers should come away with a more systematic understanding of Trojans.
Why "pack/unpack"? Attackers apply this technique extensively to disguise Trojan clients: the aim is to keep antivirus software from detecting them, to hinder debugging of the program, and to prevent others from statically analysing its algorithms.
Using PE-scan to unpack a Trojan
Trojan-research enthusiast CYTKK downloaded the latest reverse-connection (rebound-port) Trojan (referred to below as Trojan Z) from a well-known foreign hacker forum. Before he could try out its features, Norton AntiVirus caught it, which was very frustrating. CYTKK tried packing it with UPX (Ultimate Packer for eXecutables) to fool the antivirus, but UPX reported a failure: it had detected that the program's author had already compressed Trojan Z with UPX. So the first task was to remove this "rotten" shell that Norton already saw through.
CYTKK ran a program called PE-scan 3.31. Clicking "Open" and loading the Trojan Z client showed in the central display box that the shell type was UPX; clicking "Unpack" → "Start" and following the prompts for a save directory and file name completed the unpacking. This produced the original Trojan Z client program.
Expert tip: after several layered packers, the detection result is not necessarily accurate. In that case use the "Adv.scan" advanced scan, and PE-scan will analyse the likelihood that each of several packing tools was used.
Repacking to fool antivirus software
Next, CYTKK had to pack the original Trojan Z client successfully. From past experience, ASPack 1.12 was the sensible choice: it has a standard Windows interface and is simple and intuitive to operate. To preserve the program's integrity after packing, CYTKK gave up the highest compression setting, unchecked "Compress resources" under "Options" and selected "Keep extra data". The compression tab is intuitive, with two progress bars: the upper one shows compression progress and the lower one the compressed file size. As soon as compression finished, CYTKK clicked the "Test" button on the left to run the integrity test. The result did not disappoint: with ASPack's shell in place, the famous Norton antivirus turned a blind eye to the repacked Trojan Z.
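From the defender's side, the "shell type" PE-scan reads off above and the repacked binary Norton misses both leave traces in the PE section table: stock packers name their sections, and compressed code stays high-entropy whatever the section is called. The following check is an added example, not code from the article or from PE-scan or ASPack; the section names are the defaults of stock UPX and ASPack builds, the 7.0-bit cutoff is an assumed heuristic, and the sample image is constructed inside the code.

```python
import math
import struct
from collections import Counter

# Section names that stock UPX and ASPack builds leave behind. Names are trivial
# to rename, so the entropy of the section's raw bytes is the second signal.
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant or empty data, 8.0 for uniformly spread bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for every entry in the PE section table."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0] if image[:2] == b"MZ" else -1
    if e_lfanew < 0 or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    for i in range(nsec):
        name, raw_size, raw_ptr = struct.unpack_from("<8s8xII16x", image, table + 40 * i)  # Name, SizeOfRawData, PointerToRawData
        yield name.rstrip(b"\0"), image[raw_ptr:raw_ptr + raw_size]

def packer_indicators(image: bytes, entropy_threshold: float = 7.0):
    """Return [(section_name, entropy, reasons)] for sections that look packed."""
    findings = []
    for name, raw in pe_sections(image):
        ent = shannon_entropy(raw)
        reasons = []
        if name in PACKER_SECTION_NAMES:
            reasons.append("known packer section name")
        if len(raw) >= 256 and ent >= entropy_threshold:  # tiny sections are noisy
            reasons.append("high entropy")
        if reasons:
            findings.append((name.decode("ascii", "replace"), round(ent, 2), reasons))
    return findings

def build_sample_pe(sections):
    """Constructed test image only (no optional header, no code; it does not run)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at offset 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    headers, body, raw_base = b"", b"", 0x40 + len(coff) + 40 * len(sections)
    for i, (name, data) in enumerate(sections):
        headers += struct.pack("<8sIIII16x", name, len(data), 0x1000 * (i + 1), len(data), raw_base + len(body))
        body += data
    return dos + coff + headers + body
```

A section renamed away from the packer default is still reported when its bytes are near-uniform, which is the case a name-only check misses.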
The software used in this article is bundled for download at: Http://www.sixvee.com/520yy/tools/cytkk-1.rar