Hi there, today we'll be evading antivirus by using a basic XOR stub.
First of all, select your favourite RAT or malware and make a copy of it, then scan the file with some AV and make sure that it gets detected as malware.
After selecting our favourite malware, we add some extra space (a code cave) inside it. We can use LordPE for this. Remember that the section our routine will encrypt must be writable at runtime (set the section flags while you are in LordPE), otherwise the XOR loop will fault on its first write.
The next step is to write the following piece of code (shown in the image below) into the extra space.
What does the code do? It moves the start address of the region to encrypt into a register (EAX), then XORs byte by byte from the address in EAX up to the end address, which is hardcoded in the CMP line. Once the loop finishes, the stub executes the original first instructions of the entry point (the ones our JMP overwrote), and then a second JMP returns to the next instruction after the patched entry point. Two checks on the range: it must start after our JMP, or the second run will never reach the stub, and it must stop before the stub itself, or the loop will scramble its own code.
How is encryption done? Using XOR with a random key. XOR is its own inverse: 0x1234 XOR 0xAF2 gives 0x18C6, and 0x18C6 XOR 0xAF2 gives back 0x1234. So the same routine with the same key both encrypts and decrypts.
The idea is quite simple: insert the encryption routine, set a breakpoint at its end, run the program once inside the debugger and dump the patched image back to disk. That dump is the encrypted program, ready to be used, because when it gets executed one more time the same routine decrypts the code in memory and the program runs perfectly.
So we run the encryption routine up to our breakpoint.
We overwrote the first instruction of the program's entry point with a JMP to our routine.
When the routine has executed, all the code now appears encrypted.
And if we run it one more time, the code is decrypted in memory.
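The procedure above, modelled in C as an added example (this is not the post's code, and the real stub is x86 assembly patched into the binary). The image is a constructed 64-byte buffer standing in for a code section, with assumed offsets: the entry point at 0, the LordPE slack space at 48, and a constructed key 0x5A. Only the E9 rel32 JMP encoding is taken literally; everything else is a stand-in for what the stub does to memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed image layout (assumed offsets, not a real PE):
 * [0, CAVE_OFF)          the original program, starting at the entry point
 * [CAVE_OFF, IMAGE_SIZE) the slack space added with LordPE, where the stub lives */
#define IMAGE_SIZE 64
#define ENTRY_OFF  0
#define CAVE_OFF   48
#define JMP_LEN    5      /* E9 rel32 */
#define XOR_KEY    0x5A   /* constructed key; the post picks a random one */

typedef struct {
    uint8_t saved_entry[JMP_LEN]; /* original bytes displaced by our JMP */
    size_t  xor_start, xor_end;   /* the hardcoded range of the XOR loop */
    uint8_t key;
} stub_t;

/* Fill the buffer with a recognisable byte pattern standing in for code. */
void make_image(uint8_t img[IMAGE_SIZE]) {
    for (size_t i = 0; i < IMAGE_SIZE; i++)
        img[i] = i < CAVE_OFF ? (uint8_t)(i * 37 + 11) : 0x00;
}

/* E9 rel32: target = at + 5 + rel32, so rel32 = target - (at + 5). */
int32_t jmp_rel32(size_t at, size_t target) {
    return (int32_t)((int64_t)target - (int64_t)(at + JMP_LEN));
}

void write_jmp(uint8_t *img, size_t at, size_t target) {
    uint32_t rel = (uint32_t)jmp_rel32(at, target);
    img[at] = 0xE9;
    for (int i = 0; i < 4; i++)             /* little-endian displacement */
        img[at + 1 + i] = (uint8_t)(rel >> (8 * i));
}

size_t jmp_target(const uint8_t *img, size_t at) {
    uint32_t rel = 0;
    for (int i = 0; i < 4; i++)
        rel |= (uint32_t)img[at + 1 + i] << (8 * i);
    return (size_t)((int64_t)at + JMP_LEN + (int32_t)rel);
}

/* The stub's loop: for (EAX = start; EAX != end; EAX++) XOR [EAX], key.
 * One routine serves both directions because (x ^ k) ^ k == x. */
void xor_range(uint8_t *img, size_t start, size_t end, uint8_t key) {
    for (size_t p = start; p != end; p++)
        img[p] ^= key;
}

/* Patch the entry point: save the displaced bytes, write a JMP to the cave. */
void install_stub(uint8_t *img, stub_t *stub) {
    memcpy(stub->saved_entry, img + ENTRY_OFF, JMP_LEN);
    write_jmp(img, ENTRY_OFF, CAVE_OFF);
    /* Start past the JMP, or run 2 never reaches the stub; stop before the
     * cave, or the loop scrambles its own instructions on run 1. */
    stub->xor_start = ENTRY_OFF + JMP_LEN;
    stub->xor_end   = CAVE_OFF;
    stub->key       = XOR_KEY;
}

/* One execution of the stub: XOR the range, run the displaced entry bytes
 * (handed back to the caller here), then JMP to entry + JMP_LEN. */
size_t run_stub(uint8_t *img, const stub_t *stub, uint8_t displaced[JMP_LEN]) {
    xor_range(img, stub->xor_start, stub->xor_end, stub->key);
    memcpy(displaced, stub->saved_entry, JMP_LEN);
    return ENTRY_OFF + JMP_LEN;
}

/* The whole procedure: returns 1 when run 1 (under the debugger) encrypts
 * and run 2 (the shipped binary) restores the original bytes with the
 * entry JMP still intact. */
int xor_stub_roundtrip(void) {
    uint8_t img[IMAGE_SIZE], ref[IMAGE_SIZE], displaced[JMP_LEN];
    stub_t stub;
    make_image(img);
    memcpy(ref, img, IMAGE_SIZE);
    install_stub(img, &stub);
    size_t len = stub.xor_end - stub.xor_start;

    run_stub(img, &stub, displaced);                     /* run 1: encrypt */
    int encrypted = memcmp(img + stub.xor_start, ref + stub.xor_start, len) != 0
                 && jmp_target(img, ENTRY_OFF) == CAVE_OFF;

    size_t resume = run_stub(img, &stub, displaced);     /* run 2: decrypt */
    int restored = memcmp(img + stub.xor_start, ref + stub.xor_start, len) == 0
                && memcmp(displaced, ref + ENTRY_OFF, JMP_LEN) == 0
                && resume == ENTRY_OFF + JMP_LEN
                && jmp_target(img, ENTRY_OFF) == CAVE_OFF;
    return encrypted && restored;
}

int main(void) {
    printf("xor stub round trip: %s\n", xor_stub_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

The two range checks in install_stub are the part worth carrying over to the real stub: if the XOR loop covers the entry JMP, the dumped binary starts with encrypted garbage instead of a jump to the cave, and if it runs into the cave, the loop rewrites the instructions it is about to execute.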
This is quite simple, but we can improve the technique by chaining multiple encryption stages. Keep in mind what it buys you: static signatures on the original bytes no longer match, but the stub itself is a recognisable pattern and the code is back in the clear in memory once it runs, so an emulating or memory-scanning engine can still catch it. P-)