Why can't Trojan shells hide from memory? - Unknown author

Source: Internet
Author: User

Creation Time:
Article submitted: pczz
Author: Unknown
Source: Reprinted
Browsing times: 359

X: Why did my trojan get killed?
Heart: Did you pack it?
X: Of course ~ UPX v1.90, the newest packer
Heart: ..............
People often ask me this ~ why is it still detected after packing?
The point is that one kind of packing is not the same as another.
Let's start with the simplest case ~
You have surely heard of Rising's memory scanning ~ it seems to have appeared around 2003.
Before that, all virus detection was signature-based ~ the scanner looked for a specific byte sequence in the file, and adding a packer (a "shell") let you sidestep that check. Memory scanning, however, looks for the virus pattern in memory, after the program has unpacked itself.
So we need to talk about the kinds of packers and how they work ~
First, how packers are classified.
Packers can be divided into compression protection and encryption protection.
What are compression protection and encryption protection ~
1. Compression protection uses a particular compression algorithm (think WinZip) to compress and wrap the trojan; at run time it decompresses in memory, releases the program body and then runs it (all of this happens in memory :D). Because compression protection focuses on compression (reducing the program size), it offers little in the way of anti-decompilation or anti-debugging. Take UPX for example ~ it only compresses and has no anti-debugging or other protection at all. You can even find the OEP (the original program entry point) and unpack it, because the program is restored completely in memory; and that is exactly why anti-virus software can find the complete trojan body code in memory.
Common compression protection:
UPX
ASPack
Petite
Pecompact
PE-PACK
Wwpack32
Neolite
Shrinker
Pklite32
And so on (all of them have ready-made unpackers)
2. Encryption protection: this kind of software focuses on encryption and protection, so its anti-decompilation and anti-debugging features are thorough (some even lock the process in memory to keep other processes from injecting into it). We often hear crackers say that an ASProtect shell is hard to remove ~ why? Because of its anti-debugging, and because the encrypted code itself is almost entirely transformed (the program body is encrypted in segments and each segment is decrypted only when it is needed :D virus technology) ~ 29A has many articles about this on its homepage ~ have a look ~ but your English has to be up to it ~~ Okay, let's continue ~ An encryption-protection shell keeps tracking itself in memory and uses anti-debugging (SEH tricks and the like ~ I am only somewhat familiar with it, I have only tried some simple exception handling ~ hey hey ~). In short, it is hard to get at its own code (you can't tell even when it is in front of you ~ if you knew how it was encrypted you wouldn't be looking at it ~~ alas ~~ don't hit me) ~ So when the old hands talk about packing, they mean encryption shells ~ However, an encryption-protection shell usually does not compress very well ~ in fact, the packed file can even end up bigger than the unpacked one .......
Common encryption protection software:
ASProtect (strong!!!!!!!!! the most difficult shell to remove ~~ and it also uses compression technology)
tElock ~ (why? No need to say ~ hey hey)
Armadillo
SVK Protector
Xtreme-Protector
Obsidium
Pelock
Of course there are others I won't go into ~ more will be available soon
So much for the two kinds of shells and how encryption works ~ from now on use encryption software for packing ~ Of course, the authors of some well-known anti-virus software know about this too, so they have taken precautions ~ before scanning they check whether the file is packed ~ strip the shell, then scan again ~~ So what can you do about that ~~~~~ multiple packing ~ The idea: if it can strip one layer, we add two and see how it copes ~ add three layers or more ~ can it still strip them? (Generally anti-virus software only checks one layer of shell ~ otherwise scanning becomes too slow ~ hey ~~ think about it yourself ~) ~ I wrote a tutorial on multiple packing earlier; read on:
Multiple shells, original title: ---- Create your own shell!!!! (Beginner article ---- experts skip ahead ~~)
Here is my take: (this is what I used to protect my shareware)
(1) Add a second shell with ASPack
We all know it is hard to add a second packer on top of the first, but ASPack can do it
How to do it (using UPX as the example)
After packing with UPX, open ASPack version 2.12.
Select the -------- Options item to start configuring
Select "compress resources", "maximum compression" and "preserve extra data".
Then open the program you compressed with UPX. Does it compress? You can try other shells too.
(Not guaranteed to work in every case)
(2) Add multiple shells, but this time not with ASPack; it is too ..... widely used
Here we need two different packers and a piece of software called freeres, 0.94 being the highest version -- please register it ~~ support domestic software
It is hard work, you know ~~ sympathizing ~~~~~~~~~ Okay, let's get started.
Take a packed trojan and open freeres (registration recommended; the author has it hard ~ registration is only 15 yuan ~ really). Select your trojan, and freeres will ask whether the software is packed and whether its resources need to be analysed.
Click the "Function" menu at the top and choose "Release resources". If that option cannot be selected, choose "Create editable resources".
Click OK ~~~~~~ Now you can pack it with the second packer ~~
You can repeat the steps above to add a "third shell" ~~ but a file packed this way grows by more than 20 KB each time!
(Not a cure-all; not guaranteed to work in every case)
(3) Changing the shell
Actually it is very easy to strip the original shell and put on a different one. I prefer FSG, a shell that is just abnormal ~~~~~~
It can be applied not only to programs written in VC, VB, Delphi and so on, but also to programs written in ASM. I wrote a program of about 1 K in MASM,
and FSG turned it into 856 bytes, I nearly fainted ~~~~~~ and yes, its shell is hard to take off ~ the packed program has only two sections, with no names.
Oh no ~~~~~~~~~ abnormal ~~~~~~ There is a lot of good packing software abroad. If you can't find it, contact me ~~~
(4) Strip with guw32 and re-pack
Unpacking with guw32 is not clean ~~ that is both a disadvantage and an advantage ~~~~~~~~~~
guw32 is a generic unpacker for the shells on the market; it can take off 80% of them, even ones it has never seen before ~~~~
Use guw32 to remove the shell, then find an uncommon shell and add it ~~~ Don't report me to ug2002 ~~~~~~~~~~~~
(5) Processing with the upxpr technique, then packing
This method actually follows on from method (4) above. Sometimes guw32 can strip the shell, so we have to find a way to make its result clean, right! Not clean ~~~ never mind. First pack it with UPX.
Open it in a hex editor. I like Hex Workshop! Everyone else, use whatever you like
Haha ~~~ open the trojan and you will see the section names upx0, upx1 and the UPX! marker in the file header. That is how UPX unpackers recognise it, isn't it? I just change them to text, code, and haha. All right!
Now use guw32 to unpack it. Why not UPX's own unpacker?? Idiot ~ it can't take it off any more! We patched it! Okay, guw32 strips it. Now go ahead and pack it with a different packer! Haha ~~~~~~~~~~~
(6) Custom packing software, or writing your own shell
There was once a master called D. Boy. You may have heard of his "Shock Wave 0.2"; it is not a virus ~~~~~
It is a program that traces the entry point of packed software, that is, a program that tracks the software's OEP.
He is now working on the packing software "Phantom", which he wrote very well ~~~ admiring ~~~~~
His new version of "Phantom" is coming out. He also takes orders for custom shells ~ a bit expensive ~
Writing a shell yourself is also quite easy as long as you understand "streams" and "memory". I wrote a "shell" in Delphi, far too big !~ write a shell in Delphi ~~ haha, a joke ~ a 12 K shell, dizzy ~~ Oh, C then; my 15 K shell is too big as well ~~~~~~ MASM is best for writing shells. I am learning ASM ~~~~
(7) Anti-anti-virus ~~ Anti-virus software: we all know what ordinary packers are used for
The purpose of compression and encryption software is to reduce the program size and to stop crackers from tracing and disassembling it. The trojan shell-encryption technique, however, is about resisting anti-virus software, not crackers, so an ordinary shell is not up to the job. If you have the ability, we recommend writing it yourself; if not, borrow someone else's skills ~~ Here I recommend an anti-anti-virus tool that lets you customise which scanners it targets! Haha, some trojans already have this feature, but few trojans made in China do ~ the software is called Anti antivirus ~ it forms a layer of protective shell around the software you want to protect, with customisable scanner targets. You can tailor it yourself ~~ Haha
(8) More ~~~~~ If I say any more ~~~ some old hands will kill me ~~~~~~~ '
I have leaked their secrets! Haha ~~~~~~~~~~~~
Those with real skill, feel free to scribble over this ~~ I am still a newbie ~ please point out anything wrong ~
