Members Login
Username 
 
Password 
    Remember Me  
 

Topic: Making Your Trojan/rat Undetectable, Making Your Trojan/Rat Undetectable (THIS CAN GET U IN JAIL)

Page 1 of 1  sorted by
Wide (rest of width)
Narrow (200px)
Certified TECH GUY
Status: Offline
Posts: 820
Date:

Making Your Trojan/rat Undetectable, Making Your Trojan/Rat Undetectable (THIS CAN GET U IN JAIL)

Well i tryed to post this under Tutorials, Texts & eBooks but i guess i don't have permission lolz well if your a newbie and a beginner this might be good for u.... this really works and very easy to understand well for me it was... How to make rats undetected if you have the source code

this has 3 easy parrts intermediate and advanced. Easy is for everyone, intermediate is for the average coder and advanced is for freak-wannabes or worse...
I don't really recommend the advanced tips to be used because if you are in the advanced level you don't have to compile a detected RAT, you can easily code your own... Or maybe you are as lazy as i am to code... LOL
By the way, the easy and intermediate tips mainly help to stop the signature-based detection, while the advanced may help to prevent some heuristic scanners too...

PS: Don't forget to backup your files because this can screw up your project real bad! And test if the compiled project is still detected after each step.


PART 1 - EASY

A. Scramble the procedures

Play a lot. Exchange places of every procedure one by one. Turn your code upside down. If it works, good. If not, change the order again. In general this doesn't help very much to make the RAT undetected... yet.

B. Change the strings and the procedure names

Yeah, boring. But it's not a good idea if the RAT has the string 'You are connected to XYZ RAT! Welcome!', the AV companies just love that thing. Change it or remove it. Same with procedure names. Well, not exactly the same but whatever... It will help.

C. Change the image base value

What's that? Here goes an introduction: The $IMAGEBASE directive controls the default load address for an application or DLL. The use is {$IMAGEBASE number} and it must be placed on your project file ( .dpr ). The default number value is $00400000 and it can be almost any value from $00010000 to $7FFFFFFF. Why change it? Because changing this, it will change the entrypoint. What's entrypoint? Google is our best friend, remember? And it changes some other things too, but all you have to know is: this will help, specially on a DLL.


PART 2 - INTERMEDIATE

Keep in mind that these operations can slow down your program. Maybe a lot, maybe just some ms...

A. Change the IF...THEN...ELSE procedure order

Whenever possible, just put the THEN procedure on the ELSE place, and vice versa. Don't forget to change the IF statement, so the procedure works correctly.

B. Create dummy procedures

Create procedures that do nothing, or just return one char of the entire string, or something useless like this:

function DummyInteger(dummy: integer): integer;
begin
result := StrToInt(IntToStr(StrToInt(IntToStr(StrToInt(IntTo Str(StrToInt(IntToStr(dummy))))))));
end;

The main goal is to generate useless code inside procedures. An important thing to remember is: call these procedures

C. Insert NOPs

What is a NOP? NOP stands for "No OPeration". It's just a byte in the code that does nothing but slows down your program and increases its size. In case you want to insert a NOP inside the DummyInteger procedure, do this:

function DummyInteger(dummy: integer): integer;
begin
asm // here
nop // is
end; // our NOP
result := StrToInt(IntToStr(StrToInt(IntToStr(StrToInt(IntTo Str(StrToInt(IntToStr(dummy))))))));
end;

Is it hard do do this? No. So why is it in the intermediate section? Because you must use your brains to know where to insert it. Just do me a favor, don't insert NOPs inside a loop that catches the files inside folders...


PART 3 - ADVANCED ( really advanced, i'm not gonna explain anything from this section )

A. Using GetProcAddress to load DLL functions

Almost all the heuristics scanners read the IAT to see what the program can do. So if we don't leave any traces there they can't catch us! Easy, right? Well, not really... There's an example of how to use GetProcAddress on my Tiny Delphi Protected Storage Unit, available for download on the main site. See the initialization section. You have to call all external functions that way...

B. Using shitty ASM procedures

I should warn you that this operation will slow down your application. Probably a lot... First of all, completely turn off the compiler optimizations. Why? Because you're gonna insert lots of useless ASM operations and you don't want any of the optimizations performed by the compiler. What operations should you insert? If you're reading this you should know, but Google helps us a lot! I'm not an ASM-guru but we all should know something in assembler, it's very useful. I'll give only one example:

Instead of using the "clean" well-known GetWindowsDirectory function, you can use this:

function GetWindowsDirectory: string;
var
path : array [0..MAX_PATH] of char;
begin
asm
lea eax, path
test eax, eax
push eax
xor eax, eax
call GetWindowsDirectoryA
end;
result := string(path)+'\'
end;

This is not the easiest thing to understand, but be sure Delphi will NEVER compile anything like that. It works but it's ugly, slow and there are much better ways to do this... Believe me...
In some cases, you could turn optimizations off in the EASY part, after changing the image base value... Without optimizations the compiler generates more code and it can differ significantly from the original ( almost noone disables the compiler optimization ), so weak AV's can be easily bypassed this way... Well, a beginner reading this section has to get some kind of reward



That's it!
I hope you all enjoyed reading this tutorial and i hope it helps...
If anything is wrong here, well... I never said i knew anything about Delphi! LOL


THIS CAN GET U IN JAIL BE CAREFUL DOINT IT... TRY IT AT YOUR OWN RISK

__________________
........__o
....._ \<,_
....(_)/ (_)

MCITP: Server Administrator,
MCDST, MCTS ,
MCTIP(Vista), MCT, CWNA
RHCT, A+, Sec+, Net+

۞ Shampoo ۞
Status: Offline
Posts: 20869
Date:
definetly not doin this

__________________


species.com
mzchatstudy.com
Shampoo
23ti5ah.gif

<((\\=^=Rimz=^=//))>
Status: Offline
Posts: 5507
Date:
zeeen i see

__________________
Go farther Go further Go harder Is that not Why we came? and if not, Then why bother?
yeezy11111.jpg
THE GOLDEN CHILD
Status: Offline
Posts: 9486
Date:
hmm.gif

__________________

 

 

 

Page 1 of 1  sorted by
Quick Reply

Please log in to post quick replies.