Support Forums

Full Version: [Tutorial]Anti anti's!
Most people who analyze malware get confused when they get strange results. This is probably because the malware or the crypter has countermeasures against the software people use to analyze it, for example programs like OllyDbg, Sandboxie or PEiD. I just found an easy way to do something about these anti's. Enjoy!

First we need to download PEview from here:

Code:
http://www.multiupload.com/N7D4GM72DK
*Note: PEview is freeware, but I couldn't find the original site to download it from, so I uploaded it for you guys.

What PEview does is show you the PE structure. PE (Portable Executable) is the common file format for Windows executables. The PE file structure is built as in the picture below:

[Image: peheader2.jpg]

You do not need to know what everything is in detail, but if you are interested I advise you to take a look at this Wikipedia page:

Code:
http://en.wikipedia.org/wiki/Portable_Executable

The program is portable, which means it does not need to be installed. When we open the file named "PEview.exe" it immediately asks us which file we want to open. This is exactly the same as in many other programs, so I don't show a picture of this. As an example I take TEApplet. When we open the program we see this screen:

[Image: L8Ei7.png]

It may look confusing, but you do not need to understand everything. The left pane shows every part of the PE structure as in the first picture. We want to know where the PE structure ends, so in the left pane we click on the bottom-most entry, number 1 in the picture. It unfolds and we see more entries. Again we click on the bottom-most one, number 2 in the picture. Now a view opens with hex values and some strange text beside them. We want to know where the end of the PE is, so we find the last 'address'. In this case it is 000E4022, as shown in the picture at number 3. Note the number down somewhere or remember it.

Next we need a hex editor. There are many different hex editors. What a hex editor does is show you the raw bytes of a file. If you want to know more about hex editors, check this page:

Code:
http://en.wikipedia.org/wiki/Hex_editor
I recommend Hex Workshop, but feel free to use any hex editor you like. We are going to make changes to the file, so it is a good idea to make a copy of the file you are changing (in my case TEApplet), in case we corrupt it.
Open up the file in your hex editor. You now see data similar to what we saw in PEview. Remember the address? It was 000E4022. Scroll down to that address.

[Image: bmNx4.png]

As in the picture, you probably won't land on the exact value, but you need to judge whereabouts it is. You see there are a few lines filled with dots (.). What we are going to do is delete one '.'. How you do this differs between hex editors, so you'll have to find out how it works in yours. Now save the file. Don't forget the extension, for example .exe.

Now run the program to test if it still works. If it does, well done, the longest step is done! Wait, what did we just do? We modified the program by deleting a small part that the program did not strictly need. When we do this, the MD5 hash changes. Every file has an MD5 hash, a fingerprint that changes as soon as any byte of the file changes, so it identifies each version of a program. To read more about MD5, check this link:

Code:
http://en.wikipedia.org/wiki/MD5

We can check the MD5 by uploading the file to virustotal.com, if it isn't bigger than mb. The MD5 hash is shown at the bottom of the result, as in the picture:

[Image: VirusTotal-result.png]

We can also check it with a small program called "MD5 Checker 2". You can download the program here:

Code:
http://www.softpedia.com/get/System/File-Management/MD5-Checker.shtml

*NOTE: This program is freeware!

Now that we've changed the hash, the only thing left to do is change the name of the file. This is easily done by right-clicking the file and choosing "Change name". If you then run the file, it runs under the new name, so the malicious software can't recognize the tool by its name.

[Image: o36tv.png]

Now we have changed both the MD5 hash and the name of the file. I found this a very effective way to deal with anti's. Beware: malware becomes more complex every day, and new methods for better anti's are invented all the time. The method I just showed is therefore not always a guarantee that you've tricked all anti's.

Thanks for reading my tutorial. Please leave a reply!
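Added example in Python (not code from the original post, PEview or TEApplet): it reads the PE section table to compute the same 'last address' the tutorial finds in PEview, then changes the MD5 by appending one byte to the overlay past that point instead of deleting a byte inside the image, which is the step that can corrupt the tool. The small PE it builds is a constructed stand-in for TEApplet so the code runs offline.

```python
import hashlib
import struct
# Constructed example: the minimal PE built below stands in for TEApplet.

def last_section_end(data: bytes) -> int:
    """Offset just past the last section's raw data: the 'last address' seen
    in PEview. Bytes from here on are overlay, which the loader never maps."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4  # IMAGE_FILE_HEADER (20 bytes) follows "PE\0\0"
    num_sections = struct.unpack_from("<H", data, file_hdr + 2)[0]
    size_opt = struct.unpack_from("<H", data, file_hdr + 16)[0]
    sec_table = file_hdr + 20 + size_opt  # section headers, 40 bytes each
    end = 0
    for i in range(num_sections):
        # SizeOfRawData at +16, PointerToRawData at +20 of each header
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def append_overlay_byte(data: bytes, value: int = 0) -> bytes:
    """Change the hash by adding one overlay byte; the mapped image is untouched."""
    if len(data) < last_section_end(data):
        raise ValueError("file is shorter than its section table claims")
    return data + bytes([value])

def build_sample_pe() -> bytes:
    """Constructed stand-in for TEApplet: DOS header, PE32 headers, one section."""
    e_lfanew, size_opt, raw_ptr, raw_size = 0x40, 0xE0, 0x200, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x102)
    section = b".text\0\0\0" + struct.pack("<IIII", raw_size, 0x1000, raw_size, raw_ptr)
    section += b"\0" * 16  # relocation/line-number fields and Characteristics
    headers = dos + b"PE\0\0" + file_hdr + b"\0" * size_opt + section
    return headers + b"\0" * (raw_ptr - len(headers)) + b"\xCC" * raw_size

if __name__ == "__main__":
    original = build_sample_pe()
    patched = append_overlay_byte(original)
    print(f"last address: {last_section_end(original):08X}")
    print(md5_hex(original), "->", md5_hex(patched))
```

A check that keys on the process name, window title or loaded modules rather than on the file hash or file name is not affected by this, so a new hash and name only defeat the simplest anti's.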
Looks very useful. Thanks for sharing with us.
Ahahaha, you have proven yourself worthy, young high-quality member one. You are now granted a reputation to add to your first computation!

Great thread you've got there; I had no idea about a quarter of this stuff. Thanks for the share/contribution, we need more members like you on SF.
Nice tutorial! Very useful. I usually open them in a virtual machine if they don't run in Sandboxie. If they don't run in virtual machines either, it's clearly malware, since normal software doesn't have antis :P