PaulDotCom mailing list archives

No subject


From: bogus () does not exist com ()
Date: Tue, 04 Aug 2009 23:25:38 -0000

I actually found the file a few weeks ago when the site came up again.
Played with it a bit with meterpreter and msfpayload. In some cases it did
work and in some it did not. I didn't try to play with files of different
sizes as is described above.

From what I understand, it disassembles the code and then reassembles it. In
the process it makes some changes. I wonder if the file is too small, it may
not be able to move stuff around.

While VirusTotal hits were fewer, it wasn't that great of a difference.

On Thu, Aug 20, 2009 at 9:18 AM, Nils <nils at hemmann.de> wrote:

I gave it a try, too.
To me it looks like especially files smaller than 100KB don't get
changed (no MD5 sum changes).
PEscrambler worked OK for e.g. netcat. Before scrambling, 23/40
caught it; after scrambling there were just 14/40 on VirusTotal.

I did some further research with PEscrambler and it does not work for
e.g. fgdump or pwdump: these tools don't work anymore.
I went the dsplit road on these two examples but it didn't work out
either. Either the tools crash afterwards or my AV (AVG) still catches
them.

Anyone else who did some research on this?

Nils


Adrian Crenshaw wrote:
Thanks for posting PEScrambler
<http://pauldotcom.com/PEScrambler_v0_1.zip> guys, I was one of the
guys asking for it. I've locked the slides for my anti-forensics class
this Saturday, but I'll try to remember to mention this tool. That
said, I'm not sure it's working right. For example, as a test I do:
PEScrambler.exe -i hfs.exe -o x.exe

but checking the hashes of x and hfs, it seems x is just an exact
copy. Any ideas?

Thanks,
Adrian

------------------------------------------------------------------------

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
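Adrian's "x is just an exact copy" and Nils' "no MD5 sum changes" observations come down to one check. The script below is an added example for this thread (it is not code from the posts or from PEScrambler): it compares an input and an output binary by hash and by PE section table, so an untouched file, a changed file with the same layout, and a file with relocated or added sections can be told apart. It uses only the standard library; the two sample images it builds are constructed skeletons, not real programs, and the 0x200 file alignment is an assumption.

```python
"""Check whether a PE "scrambler" really changed its output.

Added example for this thread; not part of PEScrambler or of the original
posts. Hashes both files and walks the PE section table so that "hash
unchanged" and "code moved around" can be told apart. The images built by
build_pe() are constructed skeletons, not real or loadable programs.
"""
import hashlib
import struct
import sys

FILE_ALIGN = 0x200            # assumed file alignment for the skeletons
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def _align(n):
    return (n + FILE_ALIGN - 1) // FILE_ALIGN * FILE_ALIGN


def parse_sections(data):
    """Return the section table as a list of dicts in file order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER after Machine: NumberOfSections ... SizeOfOptionalHeader
    n_sections, _ts, _symtab, _nsyms, opt_size = struct.unpack_from(
        "<HIIIH", data, e_lfanew + 6)
    off = e_lfanew + 24 + opt_size
    sections = []
    for _ in range(n_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            SECTION_HDR, data, off)[:5]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr,
                         "raw_size": raw_size, "raw_ptr": raw_ptr})
        off += 40
    return sections


def compare_pe(original, output):
    """Hash both images and list every section-level difference."""
    changes = []
    a = {s["name"]: s for s in parse_sections(original)}
    b = {s["name"]: s for s in parse_sections(output)}
    for name in sorted(a.keys() - b.keys()):
        changes.append(f"section {name} removed")
    for name in sorted(b.keys() - a.keys()):
        changes.append(f"section {name} added")
    for name in sorted(a.keys() & b.keys()):
        sa, sb = a[name], b[name]
        for field in ("vaddr", "vsize", "raw_size", "raw_ptr"):
            if sa[field] != sb[field]:
                changes.append(
                    f"section {name}: {field} {sa[field]:#x} -> {sb[field]:#x}")
        raw_a = original[sa["raw_ptr"]:sa["raw_ptr"] + sa["raw_size"]]
        raw_b = output[sb["raw_ptr"]:sb["raw_ptr"] + sb["raw_size"]]
        if raw_a != raw_b:
            changes.append(f"section {name}: raw bytes differ")
    return {
        "identical": original == output,
        "size": (len(original), len(output)),
        "md5": (hashlib.md5(original).hexdigest(), hashlib.md5(output).hexdigest()),
        "sha256": (hashlib.sha256(original).hexdigest(),
                   hashlib.sha256(output).hexdigest()),
        "section_changes": changes,
    }


def build_pe(sections):
    """Constructed PE skeleton: MZ stub, PE signature, file header with no
    optional header, then section table and section data. Enough for
    parse_sections(), not a runnable program."""
    e_lfanew = 0x40
    data_start = _align(e_lfanew + 24 + 40 * len(sections))
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms,
    # SizeOfOptionalHeader=0, Characteristics=EXECUTABLE|32BIT
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    body = bytearray()
    raw_ptr = data_start
    for name, vaddr, payload in sections:
        raw_size = _align(len(payload))
        hdr += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), len(payload), vaddr,
                           raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    return bytes(hdr.ljust(data_start, b"\0") + body)


if __name__ == "__main__":
    if len(sys.argv) == 3:   # real use: compare_pe.py input.exe output.exe
        with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
            report = compare_pe(f.read(), g.read())
    else:                    # demo on constructed skeletons
        before = build_pe([(b".text", 0x1000, b"\x55\x8b\xec" * 4)])
        after = build_pe([(b".text", 0x1000, b"\x90" * 12),
                          (b".scram", 0x2000, b"\xcc" * 8)])
        report = compare_pe(before, after)
    print("identical:", report["identical"], "size:", report["size"])
    print("md5:", *report["md5"])
    for change in report["section_changes"] or ["no section-level changes"]:
        print(" ", change)
```

Run it with the input and output file as arguments, or with no arguments for the demo on the constructed skeletons. The demo shows what an output that was actually rewritten looks like: a different hash, modified .text bytes and a new section. An output whose section table and raw section bytes match the input byte for byte, as in Adrian's hfs.exe test, was simply not touched.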

