  #1 Senior Member (joined Apr 2005, 140 posts)

    How to make RATs undetected

    How to make RATs undetected ( if you have the source code )
    by KiD_ZasTRe


    Hey, it's my first tutorial... So if it sucks or anything like that, be a nice guy and don't bother me
    This tutorial has 3 parts: easy, intermediate and advanced. Easy is for everyone, intermediate is for the average coder and advanced is for freak-wannabes or worse...
    I don't really recommend the advanced tips to be used because if you are in the advanced level you don't have to compile a detected RAT, you can easily code your own... Or maybe you are as lazy as I am to code... LOL
    By the way, the easy and intermediate tips mainly help to stop the signature-based detection, while the advanced may help to prevent some heuristic scanners too...

    PS: Don't forget to back up your files because this can screw up your project real bad! And test if the compiled project is still detected after each step.


    PART 1 - EASY

    A. Scramble the procedures

    Play a lot. Exchange places of every procedure one by one. Turn your code upside down. If it works, good. If not, change the order again. In general this doesn't help very much to make the RAT undetected... yet.

    B. Change the strings and the procedure names

    Yeah, boring. But it's not a good idea if the RAT has the string 'You are connected to XYZ RAT! Welcome!', the AV companies just love that thing. Change it or remove it. Same with procedure names. Well, not exactly the same but whatever... It will help.

    C. Change the image base value

    What's that? Here goes an introduction: The $IMAGEBASE directive controls the default load address for an application or DLL. The use is {$IMAGEBASE number} and it must be placed in your project file ( .dpr ). The default number value is $00400000 and it can be almost any value from $00010000 to $7FFFFFFF. Why change it? Because changing this will change the entry point. What's the entry point? Google is our best friend, remember? And it changes some other things too, but all you have to know is: this will help, especially on a DLL.


    PART 2 - INTERMEDIATE

    Keep in mind that these operations can slow down your program. Maybe a lot, maybe just some ms...

    A. Change the IF...THEN...ELSE procedure order

    Whenever possible, just put the THEN procedure on the ELSE place, and vice versa. Don't forget to change the IF statement, so the procedure works correctly.

    B. Create dummy procedures

    Create procedures that do nothing, or just return one char of the entire string, or something useless like this:

    function DummyInteger(dummy: integer): integer;
    begin
    result := StrToInt(IntToStr(StrToInt(IntToStr(StrToInt(IntToStr(StrToInt(IntToStr(dummy))))))));
    end;

    The main goal is to generate useless code inside procedures. An important thing to remember is: call these procedures :p

    C. Insert NOPs

    What is a NOP? NOP stands for "No OPeration". It's just a byte in the code that does nothing but slows down your program and increases its size. In case you want to insert a NOP inside the DummyInteger procedure, do this:

    function DummyInteger(dummy: integer): integer;
    begin
    asm // here
    nop // is
    end; // our NOP
    result := StrToInt(IntToStr(StrToInt(IntToStr(StrToInt(IntToStr(StrToInt(IntToStr(dummy))))))));
    end;

    Is it hard to do this? No. So why is it in the intermediate section? Because you must use your brains to know where to insert it. Just do me a favor, don't insert NOPs inside a loop that catches the files inside folders...


    PART 3 - ADVANCED ( really advanced, I'm not gonna explain anything from this section )

    A. Using GetProcAddress to load DLL functions

    Almost all the heuristics scanners read the IAT to see what the program can do. So if we don't leave any traces there they can't catch us! Easy, right? Well, not really... There's an example of how to use GetProcAddress on my Tiny Delphi Protected Storage Unit, available for download on the main site. See the initialization section. You have to call all external functions that way...

    B. Using shitty ASM procedures

    I should warn you that this operation will slow down your application. Probably a lot... First of all, completely turn off the compiler optimizations. Why? Because you're gonna insert lots of useless ASM operations and you don't want any of the optimizations performed by the compiler. What operations should you insert? If you're reading this you should know, but Google helps us a lot! I'm not an ASM-guru but we all should know something in assembler, it's very useful. I'll give only one example:

    Instead of using the "clean" well-known GetWindowsDirectory function, you can use this:

    function GetWindowsDirectory: string;
    var
    path : array [0..MAX_PATH] of char;
    begin
    asm
    lea eax, path
    test eax, eax
    push eax
    xor eax, eax
    call GetWindowsDirectoryA
    end;
    result := string(path)+'\'
    end;

    This is not the easiest thing to understand, but be sure Delphi will NEVER compile anything like that. It works but it's ugly, slow and there are much better ways to do this... Believe me...
    In some cases, you could turn optimizations off in the EASY part, after changing the image base value... Without optimizations the compiler generates more code and it can differ significantly from the original ( almost no one disables the compiler optimization ), so weak AVs can be easily bypassed this way... Well, a beginner reading this section has to get some kind of reward



    That's it!
    I hope you all enjoyed reading this tutorial and I hope it helps...
    If anything is wrong here, well... I never said I knew anything about Delphi! LOL
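    Added example for the image base point in Part 1 C (this is not code from the original post). It reads ImageBase and the entry point out of a PE header, for PE32 and PE32+, and shows what {$IMAGEBASE} actually alters: the ImageBase field and the absolute entry-point address change, while the entry-point RVA stays the same. The sample header is constructed inline and is not a runnable program.

```python
import struct

# Offsets below follow the PE/COFF specification (IMAGE_NT_HEADERS layout).
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def build_min_pe32(image_base: int, entry_rva: int) -> bytes:
    """Constructed sample: a bare PE32 header (not a runnable program) with the
    two fields this example cares about filled in."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew: NT headers follow the DOS header
    # COFF header: i386, 0 sections, 96-byte optional header, EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)          # AddressOfEntryPoint is an RVA
    struct.pack_into("<I", opt, 28, image_base)         # ImageBase (what {$IMAGEBASE} sets)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def read_entry_point(pe: bytes) -> dict:
    """Return ImageBase, entry-point RVA and the absolute entry-point VA of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                             # skip signature and 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]  # PE32+: no BaseOfData, 8-byte ImageBase
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return {"image_base": image_base, "entry_rva": entry_rva, "entry_va": image_base + entry_rva}


if __name__ == "__main__":
    # Same code, linked at Delphi's default base and at a rebased address.
    for base in (0x00400000, 0x10000000):
        info = read_entry_point(build_min_pe32(base, 0x1000))
        print("ImageBase=0x%08x entry RVA=0x%x entry VA=0x%08x" % (base, info["entry_rva"], info["entry_va"]))
```

    Running read_entry_point over a real EXE or DLL (open it in binary mode and pass the bytes) gives the same three values; comparing ImageBase against the default $00400000 is a cheap triage check for rebased binaries.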

  #2 Ma[x]eD (Guest)
    Haven't read over all of it... but good job

  #3 Senior Member (joined Apr 2005, 140 posts)
    Thanks...

    More to come when I have some spare time!

  #4 warrior (Guest)
    Thx, very useful!!

  #5 mInDhAcKeR (Guest)
    It is really like hacking the minds of AV companies.
    Good work.

  #6 Che (Senior Member, joined Feb 2005, 497 posts)
    Nice tutorial.

  #7 firekiller (Guest)
    Can someone help me? I'm a real noob at this stuff... What do I do on easy? What do you mean by scramble?

  #8 firekiller (Guest)
    Because I can't open the project, something's not letting me, and I can't run the program, I'm not allowed or something... :S

  #9 ciccio (Senior Member, joined Jul 2005, 206 posts)

    Selima tutorials!

    Very good tutorials!!!!
    hxxp://undergroundkonnekt.free.fr/selima/

  #10 firekiller (Guest)
    lol that link doesn't work...
