PaulDotCom mailing list archives
hiding netcat
From: nberthaume at gmail.com (Nicholas B.)
Date: Wed, 19 May 2010 13:55:12 -0400
I have had issues using these methods with some programs that I've attempted to shield from AV. On occasion I've found that I've needed to extend .text section(s) inside of the binaries using LordPE for programs like gsecdump in order to get scramblers or encoders to work well.

On Wed, May 19, 2010 at 9:20 AM, xgermx <xgermx at gmail.com> wrote:

> I get most things through A/V the same way (be it nc or fgdump). I split the executable in half and scan each piece with the A/V. I discard the piece that passes and focus on the piece that gets flagged. I then split that piece in half and repeat the process. I do this multiple times until I'm left with a small amount of code responsible for triggering the A/V. I then use a hex editor on the original executable to make very small modifications to that specific block of code. Usually it only takes a few character changes for the A/V not to recognize it anymore. This, in combination with editing the PE (I second PE scrambler), rarely fails me.
>
> On Wed, May 19, 2010 at 1:07 AM, Ali Alhebshi <alialhebshi at gmail.com> wrote:
>
>> Has anyone succeeded in getting fgdump past AV systems?
>>
>> --
>> Ali Al-Hebshi
>>
>> On Mon, May 17, 2010 at 4:04 PM, bytes abit <bytesabit at gmail.com> wrote:
>>
>>> Also, as a side note.. perhaps if you want to keep ncat on the system you could use the "Copy CON" techniques discussed in PDC... Can't remember the episode, think it was in the 160-170 range...
>>>
>>> On Mon, May 17, 2010 at 8:35 AM, Jim Halfpenny <jim.halfpenny at gmail.com> wrote:
>>>
>>>> Hi,
>>>> Busybox provides netcat functionality plus lots more with a small footprint. I have not come across any AV software which detects busybox as a potentially unwanted program.
>>>> Regards,
>>>> Jim
>>>>
>>>> On 16 May 2010 17:49, Chris Teodorski <chris.teodorski at gmail.com> wrote:
>>>>
>>>>> Thanks to all for the great advice. I was using NetCat because I'm putting it on a Teensy++ and I'm very limited in space. The executable needs to be super small... I followed the article here: http://packetstormsecurity.nl/papers/virus/Taking_Back_Netcat.pdf It seems to have worked. Thanks to all for the help.
>>>>>
>>>>> On Sat, May 15, 2010 at 2:15 PM, Rob Fuller <jd.mubix at gmail.com> wrote:
>>>>>
>>>>>> Just curious, but why are you using Netcat?
>>>>>>
>>>>>> --
>>>>>> Rob Fuller | Mubix
>>>>>> Room362.com | Hak5.org | TheAcademyPro.com
>>>>>> Ignore this: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
>>>>>>
>>>>>> On Sat, May 15, 2010 at 1:02 PM, Professor Thread <professorthread at gmail.com> wrote:
>>>>>>
>>>>>>> On 05/15/2010 03:08 PM, Chris Teodorski wrote:
>>>>>>>
>>>>>>>> All,
>>>>>>>> Does anyone know a good way to sneak netcat past modern AV?
>>>>>>>> Chris
>>>>>>>
>>>>>>> Have you tried nmap's "ncat" version?

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com