PaulDotCom mailing list archives

PEScrambler


From: nils at hemmann.de (Nils)
Date: Thu, 20 Aug 2009 16:18:09 +0200

I gave it a try, too.
To me it looks like files smaller than 100KB in particular don't get
changed (no MD5 sum changes).
PEScrambler worked OK for e.g. netcat. Before scrambling, 23/40
caught it; after scrambling there were just 14/40 on VirusTotal.

I did some further research with PEScrambler and it does not work for
e.g. fgdump or pwdump. These tools don't work anymore.
I went the dsplit road on these two examples but it didn't work out
either. Either the tools crash afterwards or my AV (AVG) still catches them.

Has anyone else done some research on this?

Nils


Adrian Crenshaw wrote:
Thanks for posting PEScrambler
<http://pauldotcom.com/PEScrambler_v0_1.zip>, guys; I was one of the
people asking for it. I've locked the slides for my anti-forensics class
this Saturday, but I'll try to remember to mention this tool. That
said, I'm not sure it's working right. For example, as a test I do:
PEScrambler.exe -i hfs.exe -o x.exe

but checking the hashes of x and hfs, it seems x is just an exact
copy. Any ideas?

Thanks,
Adrian
------------------------------------------------------------------------

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com