  1. #1
    Senior Member drizzle's Avatar
    Join Date
    Nov 2007
    Location
    Sacramento, CA
    Posts
    320

    "Undetecting" Already Compiled Executables?

    I've noticed a lot of people have UD copies of Bifrost.
    I was wondering, is it possible to UD an already compiled EXE, or
    do these people have the source and alter it in such a manner?

    I've used packers etc., but all they have done from my POV is tack on more AVs for the scan.

    Now, say you don't have the source but rather a commercial RAT. Perhaps it does not get picked up on the initial scan, but let's say the user has some of those AVs listed on virustotal.com... and at runtime it reads the process memory as the program is being "unpacked" or "decrypted" or whatever. Wouldn't these same files that are UD on the initial scan then be picked up by the AVs (if the user has them)?

    Did I confuse anyone, or just myself? :confused:

    I mean the infected code is crypted/packed into an exe which is now UD,
    so scans don't pick it up...
    But can AV pick it up at runtime (while the program opens and unfolds)?


    idk, any help appreciated. If you wanna email me some help on this subject I'd appreciate it. mac.drizzle@yahoo.com

    btw sorry for posting it in this forum, didn't know where else to put it. Should have a general questions forum. Any help appreciated. Thanks
    -alex

  2. #2
    Senior Member WEZ_2511's Avatar
    Join Date
    Aug 2005
    Posts
    1,459


    Hex editing maybe?

  3. #3
    Senior Member drizzle's Avatar
    Join Date
    Nov 2007
    Location
    Sacramento, CA
    Posts
    320
    Unless you know what you're hexing you're probably not gonna hit the infected code, and unless you know how to hex it you're probably gonna mess up the code... There's gotta be a legit way.

  4. #4
    Retired Admin KriPpLer's Avatar
    Join Date
    Apr 2006
    Location
    \xeb\x06\x90\x90
    Posts
    2,063
    Split the file into 1 byte files and scan them all. Sort the infected ones out and open those in your hex editor. Then bind them all back together. There's a few tutorials laying around the net if you look hard enough.

  5. #5
    Senior Member drizzle's Avatar
    Join Date
    Nov 2007
    Location
    Sacramento, CA
    Posts
    320
    This wouldn't compromise some of the infected file's coding?
    So you would have to be knowledgeable in ASM then, correct?
    To know where and what to change? I could see how this could work; sounds difficult though.

  6. #6
    Senior Member WEZ_2511's Avatar
    Join Date
    Aug 2005
    Posts
    1,459
    Quote Originally Posted by drizzle
    Unless you know what you're hexing you're probably not gonna hit the infected code, and unless you know how to hex it you're probably gonna mess up the code... There's gotta be a legit way.

    ROFL stop trying to pretend you know what you're talking about when you're talking bollox.


    Use a tool such as kims to scan the infected file.
    1. Split the file in two and scan both halves.
    2. Whatever half is detected, you split in two.
    3. Scan with kims / VirusTotal.
    4. Repeat the above two steps until you get a small enough file that is detected; this will be the detected string of antivirus company X.
    5. Change one byte in the string.
    6. Repackage the file (put the file back together with the modification).
    7. Run / VM to see if the file works.
    8. If corrupt, go back and change a different string.
    Sounds more difficult than it is once you get the hang of it. Read some hex tutorials by Ender / Warpboy etc.

    either do what kriPpler said or GTFO??

  7. #7
    Senior Member drizzle's Avatar
    Join Date
    Nov 2007
    Location
    Sacramento, CA
    Posts
    320
    Appreciate the help, but you seemed to say yourself what I was saying...

    You change important data and you're going to mess the program up. (duh)
    That would have been your last step you listed.

    To hex a program and not know what you are supposedly "hexing" is bollox.
    I've cracked programs before, so in order to do so you either need to be hexing strings or know what Intel opcodes you can replace your infected data with. (And for this, you DO need some knowledge in ASM, or a lot of spare time to go through and pick random codes to mess with.)

    What use is there in undetecting a program that is now corrupt?
    Again, thanks for the help.

  8. #8
    Senior Member Snma's Avatar
    Join Date
    Feb 2005
    Posts
    549
    Replace NOP codes or just change default values. You don't need to know opcodes in order to do this, just their initialized values... so, in other words, don't change the jmp's and njmp's (or whatever the x86 version of jumpto is). Rather, change the value next to it and see if that works. If it doesn't, then try something else. It's trial and error, unless you really want to learn how to do redirects of pointers using code caves.

  9. #9
    Member
    Join Date
    Aug 2007
    Posts
    72
    Or use some STRONG packer or protector.

  10. #10
    Senior Member drizzle's Avatar
    Join Date
    Nov 2007
    Location
    Sacramento, CA
    Posts
    320


    I talked to ksv from chasenet for about an hour about different things, but I brought this up to him.

    He pretty much concluded what I had to say, and what I was thinking.

    Hexing could work, but you would have to know what you're hexing without corrupting the program.

    Crypters/obfuscators might take off the initial scan, but would likely be picked up in the process memory if the person has an active AV that would pick it up by default.


    I think I've come to the conclusion that it's probably better to just make your own.

    Thanks everyone for the help.
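The question running through the whole thread, from post #1 to the conclusion in post #10, is whether a file that passes an on-disk scan is still visible once it unpacks itself in memory. The following toy, added here as an illustration and not code from the thread or from anyone in it, makes that concrete from the scanner's side: a constructed byte pattern with a wildcard (in the style of a hex signature), a constructed XOR "packer" standing in for a crypter, and the same scan run once over the packed bytes on disk and once over the unpacked image as it would sit in process memory. The payload, the signature and the key are all made up for the demo; nothing here is a real sample or a real AV rule.

```python
"""
Constructed demonstration: why a packer/crypter defeats a static byte-signature
scan of the file on disk but not a scan of the unpacked image in memory.

The "payload", the signature pattern and the XOR "packer" are stand-ins built
for this example only; none of them is real malware, a real AV signature or a
real crypter.
"""
import re

# Constructed stand-in for a program whose bytes contain a signatured pattern.
PAYLOAD = b"\x55\x8b\xec" + b"BIFROST-CONFIG-DEMO" + b"\x5d\xc3" + b"\x00" * 16

# Constructed signature written as hex bytes with '??' single-byte wildcards,
# the same idea as a YARA hex string. Spells "BIFROST?CONFIG".
SIGNATURE = "42 49 46 52 4f 53 54 ?? 43 4f 4e 46 49 47"

XOR_KEY = 0x5A  # constructed key for the toy packer


def compile_signature(sig: str) -> re.Pattern:
    """Turn a 'hex with ?? wildcards' signature into a bytes regex."""
    parts = []
    for tok in sig.split():
        if tok == "??":
            parts.append(b".")  # any single byte (DOTALL below covers newlines)
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(image: bytes, sig: str) -> list[int]:
    """Return every offset at which the signature matches inside the image."""
    pat = compile_signature(sig)
    return [m.start() for m in pat.finditer(image)]


def pack(data: bytes, key: int) -> bytes:
    """Toy 'crypter': XOR every byte with a one-byte key."""
    return bytes(b ^ key for b in data)


def unpack(data: bytes, key: int) -> bytes:
    """What the packed program's stub does in memory before the code runs."""
    return pack(data, key)  # XOR with the same key is its own inverse


def static_scan_result(packed: bytes) -> list[int]:
    """On-disk scan: the scanner only ever sees the encrypted bytes."""
    return scan(packed, SIGNATURE)


def runtime_scan_result(packed: bytes, key: int) -> list[int]:
    """Memory scan after the stub has unpacked the payload: plaintext is back."""
    in_memory = unpack(packed, key)
    return scan(in_memory, SIGNATURE)


if __name__ == "__main__":
    packed = pack(PAYLOAD, XOR_KEY)
    print("static (on-disk) hits  :", static_scan_result(packed))
    print("runtime (memory) hits  :", runtime_scan_result(packed, XOR_KEY))
```

The static scan returns no hits because every byte on disk has been transformed, while the runtime scan finds the pattern at offset 3 of the unpacked image, right where it sits in the original. This is the effect the thread is describing: a packer changes what the file looks like, not what the program has to become before it can execute, so a scanner that looks at memory after the unpack stub has run is looking at the same bytes a static scan of the unpacked original would see.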
