Nmap Development mailing list archives

Re: Latest dist v5.2


From: Ron <ron () skullsecurity net>
Date: Wed, 27 Jan 2010 17:51:02 -0600


On Wed, 27 Jan 2010 23:12:12 +0000
Brandon Enright <bmenrigh () ucsd edu> wrote:
[...]
There are other well-known offsets in the MZ stub and PE header that AV
products will check against for XOR encoding too.

So, if we want to defeat dumb signatures and still obfuscate in a
simple, easy to decode way, I'd suggest we XOR by 4 bytes, say,
0xabcd1234, and prepend a null to the result.

So our file would be \x00<xor of the file>

This will defeat all generic, accidental signatures.  Of course, it
won't defeat deliberate targeting by AV companies.  If AV companies
take issue with our binary and write signatures for it, no amount of
obfuscation we try is going to work in the long run.  We can take the
issue up with them if it comes to that.

Brandon

Hey, sorry I missed this earlier. I only read part of the email (*facepalm*). 

I just experimented with replacing the first byte (the 'M') with something else, and that passed virustotal.com with 0 hits. Prepending a NULL byte to the .exe also works (as I'm sure you know, because somebody else already checked earlier today :) ).

Anybody want to make a call on which to use? Or both? Or should we go with the "include it separately" idea after all?

-- 
Ron Bowes
http://www.skullsecurity.org
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
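The thread's concern is that AV engines check well-known offsets of the MZ stub and PE header against XOR encoding, and that a prepended byte shifts every offset. The following detector is an added example (not code from the Nmap project or from either poster) showing how a scanner recovers a 4-byte repeating key from the known plaintext a PE always carries, and why trying a few small shifts is enough to see through the prepended NUL. The function names, the constructed sample header and the use of the thread's 0xabcd1234 as the key are all assumptions made here for the illustration.

```python
import struct
from typing import Optional, Tuple

KEY_LEN = 4  # the thread proposes a 4-byte repeating XOR key


def xor_bytes(data: bytes, key: bytes, start: int = 0) -> bytes:
    """XOR data with a repeating key as if data began at absolute offset
    `start`. The same call encodes and decodes."""
    return bytes(b ^ key[(start + i) % len(key)] for i, b in enumerate(data))


def find_xored_pe(blob: bytes, max_shift: int = 3) -> Optional[Tuple[int, bytes]]:
    """Detect a PE image hidden by a repeating 4-byte XOR key, allowing up to
    `max_shift` junk bytes (for example one prepended NUL) before the image.

    Known plaintext used, all part of the standard PE layout:
      * offset 1 is 'Z' (second byte of the 'MZ' magic)        -> key[1]
      * offset 0x3c holds e_lfanew, a little-endian DWORD whose two high
        bytes are zero for any real executable                 -> key[2], key[3]
      * 'PE\\0\\0' sits at e_lfanew                             -> verification
    key[0] is brute-forced over 256 values, so a deliberately replaced 'M'
    does not hide the file either. Returns (shift, key) for the first
    consistent interpretation, or None when nothing matches.
    """
    for shift in range(max_shift + 1):
        img = blob[shift:]
        if len(img) < 0x40:
            continue
        k1 = img[1] ^ ord("Z")
        k2 = img[0x3E]  # plaintext byte is 0x00, and 0x3e % 4 == 2
        k3 = img[0x3F]  # plaintext byte is 0x00, and 0x3f % 4 == 3
        for k0 in range(256):
            key = bytes([k0, k1, k2, k3])
            # 0x3c % 4 == 0, so the DWORD lines up with key[0..3]
            e_lfanew = struct.unpack("<I", xor_bytes(img[0x3C:0x40], key, 0x3C))[0]
            if e_lfanew < 0x40 or e_lfanew + 4 > len(img):
                continue  # cannot point at a PE signature inside this blob
            sig = xor_bytes(img[e_lfanew:e_lfanew + 4], key, e_lfanew)
            if sig == b"PE\x00\x00":
                return shift, key
    return None


def recover_pe(blob: bytes) -> Optional[bytes]:
    """Return the decoded PE image when find_xored_pe recognises the blob."""
    hit = find_xored_pe(blob)
    if hit is None:
        return None
    shift, key = hit
    return xor_bytes(blob[shift:], key)


def build_sample_pe() -> bytes:
    """Constructed stand-in for an .exe (not a real executable): a DOS header
    with e_lfanew = 0x80, the usual stub string, and a 'PE\\0\\0' signature.
    It carries just enough header structure for the detector to work on."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    stub = b"This program cannot be run in DOS mode.\r\n$"
    hdr[0x4E:0x4E + len(stub)] = stub
    hdr[0x80:0x84] = b"PE\x00\x00"
    return bytes(hdr)


if __name__ == "__main__":
    plain = build_sample_pe()
    key = bytes.fromhex("abcd1234")               # key value suggested in the thread
    obfuscated = b"\x00" + xor_bytes(plain, key)  # \x00<xor of the file>
    print("fixed-offset 'MZ' check:", obfuscated[:2] == b"MZ")
    print("key-recovery detector:  ", find_xored_pe(obfuscated))
    damaged = b"X" + plain[1:]                    # plaintext with the 'M' replaced
    print("replaced-magic variant: ", find_xored_pe(damaged))
```

The fixed-offset magic check fails on the prepended-NUL variant, while the key-recovery routine reports shift 1 and the exact key, and reports a zero key with shift 0 for the replaced-'M' variant. The takeaway for this thread is the one Brandon states: these tricks only defeat signatures that were never written with the encoding in mind.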