Friday, 28 April 2017

Malware Analysis 1

Modifying malware to bypass AV

Here we perform a malware analysis and modify a PE section to bypass AV. As an example we use the very old malware nc.exe and look inside it. We open PEiD v0.95, one of the most popular executable analyzers; it identifies many packers and protectors well.




If we follow the .text section, which is the code section, we see only disassembled code.


This tool can detect whether the file was encrypted or not.



Using this tool we can also see the PE header.





Here we can see the memory buffer of our file.



After this investigation, and before any modification, we must make the PE header writable.
But first we check our file with an AV scanner.


Before changing the signature of our file, make it writable. We will use LordPE for this.



ASSEMBLY BASIC SYNTAX

An assembler program is divided into three sections:
data section - initialized data or constants
bss section - variable declarations
text section - stores the code

Other sections found in a PE file:
rdata section - const/read-only (and initialized) data
idata section - contains information about all DLL files required by the program
rsrc section - holds information about the icon that is shown when looking at the executable file in Explorer

Sections ".idata", ".rdata", ".rsrc", ... do not contain program data (although their names end with "data");
they contain metadata that is used by the operating system.

Summary of the common PE sections:
.text: code
.data: initialized data
.bss: uninitialized data
.rdata: const/read-only (and initialized) data
.edata: export descriptors
.idata: import descriptors





Identifying a Signature
Signature of the file – File magic number: bytes within a file used to identify the format of the file; generally a short sequence of bytes (most are 2-4 bytes long) placed at the beginning of the file.

The Portable Executable (PE) format is a file format for executables, object code, DLLs, FON Font files, and others used in 32-bit and 64-bit versions of Windows operating systems. The PE format is a data structure that encapsulates the information necessary for the Windows OS loader to manage the wrapped executable code. This includes dynamic library references for linking, API export and import tables, resource management data and thread-local storage (TLS) data.

How to find the PE headers? Notice a few text strings such as “This program cannot be run in DOS mode”, “.text”, “.data” and “.rdata”, followed by several hundred bytes of 0s. This is the PE header section of the program; the actual program instructions begin immediately after the section of 0s at offset 1000:
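The section list above and the MZ/PE signature walk just described can be checked with a small parser. The following is an added example, not code from the original post: it follows MZ, then e_lfanew, then the PE\0\0 signature, then the COFF header into the section table, decodes each section's characteristics (including the writable bit that a tool like LordPE toggles), and maps a raw file offset such as 1000 or 4547 to the section that contains it. The PE bytes it parses are a constructed, header-only sample with a layout that mimics the one discussed (code starting at file offset 0x1000); the function and field names are this example's own.

```python
import struct

# IMAGE_SCN_* section characteristic bits from the PE/COFF specification
SCN_FLAGS = {
    0x00000020: "CODE",
    0x00000040: "INITIALIZED_DATA",
    0x00000080: "UNINITIALIZED_DATA",
    0x20000000: "EXECUTE",
    0x40000000: "READ",
    0x80000000: "WRITE",
}


def decode_flags(characteristics):
    """Translate a Characteristics dword into the flag names set in it."""
    return [name for bit, name in sorted(SCN_FLAGS.items()) if characteristics & bit]


def parse_sections(data):
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table.
    Returns one dict per section; raises ValueError if the headers are malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ magic at offset 0")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40              # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("section table runs past end of file")
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]     # Characteristics
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rsize, "raw_offset": rptr,
            "flags": decode_flags(chars),
        })
    return sections


def section_for_offset(sections, file_offset):
    """Name of the section whose raw bytes cover a file offset, or None when the
    offset lies in the headers or in padding between sections."""
    for s in sections:
        if s["raw_offset"] <= file_offset < s["raw_offset"] + s["raw_size"]:
            return s["name"]
    return None


def writable_sections(sections):
    """Sections the loader will map writable (what LordPE changes when it makes a section writable)."""
    return [s["name"] for s in sections if "WRITE" in s["flags"]]


def _section_header(name, vaddr, rsize, rptr, chars):
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
    # NumberOfLinenumbers, Characteristics
    return struct.pack("<8sIIIIIIHHI", name, rsize, vaddr, rsize, rptr, 0, 0, 0, 0, chars)


def build_sample_pe():
    """Constructed sample (not a real binary): a header-only PE32 with three
    sections whose raw offsets mimic the layout discussed above."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew: PE header at 0x40
    opt = bytearray(224)                           # PE32 optional header, zeroed
    struct.pack_into("<H", opt, 0, 0x10B)          # optional-header magic: PE32
    # Machine=i386, 3 sections, no timestamp/symbols, optional header size, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, len(opt), 0x0102)
    table = (
        _section_header(b".text", 0x1000, 0x4000, 0x1000, 0x60000020)    # CODE|EXECUTE|READ
        + _section_header(b".rdata", 0x5000, 0x1000, 0x5000, 0x40000040)  # INITIALIZED_DATA|READ
        + _section_header(b".data", 0x6000, 0x1000, 0x6000, 0xC0000040)   # INITIALIZED_DATA|READ|WRITE
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    for s in secs:
        print(f"{s['name']:<8} raw 0x{s['raw_offset']:05X}+0x{s['raw_size']:05X}  {' '.join(s['flags'])}")
    print("offset 0x4547 lies in", section_for_offset(secs, 0x4547))
    print("writable:", writable_sections(secs))
```

Running it against a real file means replacing `build_sample_pe()` with the file's bytes; the `section_for_offset` lookup is what confirms that an offset range such as 1000 to 4547 falls inside .text rather than in the headers, and `writable_sections` shows whether the header edit made with LordPE actually took effect.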

We use Hex Workshop to see the signature.

Changing File Signatures
There are some easy ways of changing the signature of a program (packers, encryptors, etc.), but they may not always be viable options for those wishing to bypass antivirus applications. Additionally, it would be easy for antivirus companies to run a program such as nc.exe through a few popular packers/encryptors and add signatures for the resulting binaries to their virus databases as well. We will manually examine and edit nc.exe.

How to edit the signature of a file? First open up nc.exe in the hex editor. If you scroll to the bottom of the hex dump, you see the last byte is located at offset 8EAF. Divide 8EAF in half and you get 4547; open up a goto box (Ctrl+G) and go to offset 4547 from the beginning of the file:

Select everything from 4547 to the end of the file (8EAF), right click, select ‘Fill’, and fill the selected section with 0s.




Save your changes; when prompted to make a backup, say yes.

Then we get a new file, nc1.exe.
We can eliminate the PE header, as it would not be used as part of a virus signature. Thus, we know that the signature must be somewhere between offsets 1000 and 4547; this can be confirmed by zeroing (or filling with INT3) and running a virus scan on nc.exe again:

Use OllyDbg
The easiest way to identify where and how to change the program code is to open it up in a disassembler/debugger and analyze the resulting assembly code; for this we will use OllyDbg. Open up the original copy of nc.exe in Olly, and scroll up to the top of the code window.
Run with F9.
The entry point is at offset 00401160.

Here we can see the memory map too.

Now we can edit the assembly instruction.


INT3 is a software interrupt that is used by debuggers to pause program execution. Since nc.exe obviously doesn't pause indefinitely during execution, these bytes are just filler and can be modified without worrying about affecting the program execution flow. Additionally, they are within the signature code which we need to modify. If you are using Olly, select one of these INT3 instructions.



We try a binary manipulation, changing NOP to INT3. Then we save the file and get a new file. Most importantly, our new file does not lose any functionality. As a result, our modified malware can bypass the AV. As we see, we get a good result.
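The claim that the edited copy keeps its functionality rests on the edit touching only INT3/NOP filler between functions. The following added example (not code from the original post) is the check an analyst would run when comparing an original binary with a modified copy: it lists the byte ranges that differ and reports whether every changed byte was padding in both files, so that any touched instruction byte is flagged. The two "code" blobs are constructed inline (a few x86 opcodes plus INT3 alignment padding); the function names are this example's own.

```python
INT3 = 0xCC   # debugger breakpoint; linkers also use it to pad between functions
NOP = 0x90    # one-byte no-op, the other common filler byte

PADDING = (INT3, NOP)


def diff_ranges(original, modified):
    """Return half-open (start, end) byte ranges where the two buffers differ.
    A length mismatch is reported as one extra range from the shorter length onward."""
    ranges = []
    n = min(len(original), len(modified))
    i = 0
    while i < n:
        if original[i] == modified[i]:
            i += 1
            continue
        start = i
        while i < n and original[i] != modified[i]:
            i += 1
        ranges.append((start, i))
    if len(original) != len(modified):
        ranges.append((n, max(len(original), len(modified))))
    return ranges


def only_padding_changed(original, modified, padding=PADDING):
    """True when every differing byte is filler (INT3/NOP) in both copies,
    i.e. no instruction byte was altered and no bytes were added or removed."""
    if len(original) != len(modified):
        return False
    for start, end in diff_ranges(original, modified):
        for i in range(start, end):
            if original[i] not in padding or modified[i] not in padding:
                return False
    return True


# Constructed sample .text fragment: two tiny functions separated by INT3 padding
FUNC_A = bytes([0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3])  # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
PAD = bytes([INT3] * 9)                                      # alignment filler to a 16-byte boundary
FUNC_B = bytes([0x55, 0x8B, 0xEC, 0x5D, 0xC3])               # push ebp; mov ebp,esp; pop ebp; ret
ORIGINAL = FUNC_A + PAD + FUNC_B

# Edit that only touches filler: two INT3 bytes inside the padding become NOP
PADDED_EDIT = ORIGINAL[:9] + bytes([NOP, NOP]) + ORIGINAL[11:]

# Edit that touches an instruction: the xor opcode at offset 3 is overwritten
CODE_EDIT = ORIGINAL[:3] + bytes([NOP]) + ORIGINAL[4:]


def report(original, modified):
    """Human-readable summary of what changed between two copies."""
    ranges = diff_ranges(original, modified)
    verdict = "padding only" if only_padding_changed(original, modified) else "INSTRUCTION BYTES CHANGED"
    return f"{len(ranges)} changed range(s) {ranges}: {verdict}"


if __name__ == "__main__":
    print("filler edit :", report(ORIGINAL, PADDED_EDIT))
    print("code edit   :", report(ORIGINAL, CODE_EDIT))
```

On real files the two `bytes` objects come from reading the original and the edited binary; a result other than "padding only" means the edit reached into an instruction and the program's behaviour can no longer be assumed unchanged.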


