1- Compile a blank project;
2- Add 1 or more sections with any appropriate tool (for example CFF explorer or PE ).

Result: Win32:VBMod [Trj] B (for the last few days).
Can somebody point me to an alternative to the AddSection module?


Option Explicit

Private Type IMAGE_DOS_HEADER
    ' Legacy MS-DOS ("MZ") header. AddSection reads it from the very start of
    ' the file and uses only e_magic and e_lfanew. The members add up to
    ' 64 bytes; order and types must stay as they are because the record is
    ' read with a single binary Get.
    e_magic                 As Integer   ' compared against &H5A4D ("MZ") by AddSection
    e_cblp                  As Integer
    e_cp                    As Integer
    e_crlc                  As Integer
    e_cparhdr               As Integer
    e_minalloc              As Integer
    e_maxalloc              As Integer
    e_ss                    As Integer
    e_sp                    As Integer
    e_csum                  As Integer
    e_ip                    As Integer
    e_cs                    As Integer
    e_lfarlc                As Integer
    e_onvo                  As Integer   ' called e_ovno (overlay number) in winnt.h
    e_res(0 To 3)           As Integer
    e_oemid                 As Integer
    e_oeminfo               As Integer
    e_res2(0 To 9)          As Integer
    e_lfanew                As Long      ' file offset of the "PE" signature / NT headers
End Type


Private Type IMAGE_FILE_HEADER
    ' COFF file header (20 bytes) that follows the 4-byte PE signature.
    Machine                 As Integer
    NumberOfSections        As Integer   ' incremented by AddSection; sizes the section table read
    TimeDataStamp           As Long      ' TimeDateStamp in winnt.h (name typo kept as-is)
    PointerToSymbolTable    As Long
    NumberOfSymbols         As Long
    SizeOfOptionalHeader    As Integer   ' used to locate the first section header
    characteristics         As Integer
End Type

Private Type IMAGE_DATA_DIRECTORY
  ' One data-directory slot of the optional header (8 bytes): where a table
  ' lives and how large it is.
  VirtualAddress As Long
  isize As Long   ' the Size member of the Windows structure, under a different name
End Type

Private Type IMAGE_OPTIONAL_HEADER32
    ' 32-bit (PE32) optional header: 96 bytes of fixed fields plus 16 data
    ' directories. The PE32+ (64-bit) layout differs and is not modelled here.
    ' Several member names are misspelled relative to winnt.h; they are left
    ' alone because only the byte layout matters for Get/Put.
    Magic                   As Integer
    MajorLinkerVersion      As Byte
    MinorLinkerVersion      As Byte
    SizeOfCode              As Long
    SizeOfInitalizedData    As Long      ' SizeOfInitializedData in winnt.h
    SizeOfUninitalizedData  As Long      ' SizeOfUninitializedData in winnt.h
    AddressOfEntryPoint     As Long
    BaseOfCode              As Long
    BaseOfData              As Long
    ImageBase               As Long
    SectionAlignment        As Long      ' granularity of section addresses in memory
    FileAlignment           As Long      ' granularity of section raw data in the file
    MajorOperatingSystemVer As Integer
    MinorOperatingSystemVer As Integer
    MajorImageVersion       As Integer
    MinorImageVersion       As Integer
    MajorSubsystemVersion   As Integer
    MinorSubsystemVersion   As Integer
    Reserved1               As Long      ' Win32VersionValue in winnt.h
    SizeOfImage             As Long      ' increased by AddSection
    SizeOfHeaders           As Long      ' AddSection checks the new header still fits below this
    CheckSum                As Long      ' not recomputed anywhere in this module
    SubSystem               As Integer
    DllCharacteristics      As Integer
    SizeOfStackReserve      As Long
    SizeOfStackCommit       As Long
    SizeOfHeapReserve       As Long
    SizeOfHeapCommit        As Long
    LoaerFlags              As Long      ' LoaderFlags in winnt.h
    NumberOfRvaAndSizes     As Long
    ' The array is 1-based here, so element n is directory index n - 1 in the
    ' PE specification.
    DataDirectory(1 To 16) As IMAGE_DATA_DIRECTORY
End Type

Private Type IMAGE_SECTION_HEADER
    ' One entry of the section table. AddSection advances through the table
    ' with Len() of this record, so its on-disk size is expected to be 40 bytes.
    Name As String * 8              ' fixed-length; VB pads a shorter value with spaces
    VirtualSize As Long             ' size of the section once loaded
    VirtualAddress As Long          ' RVA of the section once loaded
    SizeOfRawData As Long           ' bytes occupied in the file
    PointerToRawData As Long        ' file offset of those bytes
    PointerToRelocations As Long
    PointerToLinenumbers As Long
    NumberOfRelocations As Integer
    NumberOfLinenumbers As Integer
    characteristics As Long         ' section flags, stored as supplied by the caller
End Type


Private Type IMAGE_NT_HEADERS
    ' PE signature, COFF header and PE32 optional header, read and written as
    ' one record at file offset e_lfanew.
    Signature As Long                           ' compared against &H4550 ("PE" + two NULs)
    FileHeader As IMAGE_FILE_HEADER
    OptionalHeader As IMAGE_OPTIONAL_HEADER32   ' always the 32-bit layout
End Type

Private Function Align(ByVal dwValue As Long, ByVal dwAlign As Long) As Long
' Rounds dwValue up to the next multiple of dwAlign.
' A value that is already a multiple, or an alignment of 0, is returned unchanged.
' NOTE(review): the arithmetic is signed 32-bit; a large dwValue raises a VB
' overflow error instead of wrapping.
Dim lRemainder As Long

Align = dwValue
If dwAlign = 0 Then Exit Function

lRemainder = dwValue Mod dwAlign
If lRemainder <> 0 Then Align = (dwValue + dwAlign) - lRemainder
End Function

Private Function LastSectionRaw(Sections() As IMAGE_SECTION_HEADER) As Long
' Returns the highest file offset at which any section's raw data ends
' (PointerToRawData + SizeOfRawData), or 0 when no entry exceeds 0.
' NOTE(review): both fields come straight from the file and are added as signed
' Longs; malformed headers can make the sum overflow and raise a runtime error.
Dim idx As Integer
Dim lRawEnd As Long
Dim lHighest As Long

For idx = LBound(Sections) To UBound(Sections)
    With Sections(idx)
        lRawEnd = .SizeOfRawData + .PointerToRawData
    End With
    If lRawEnd > lHighest Then lHighest = lRawEnd
Next idx

LastSectionRaw = lHighest
End Function

Private Function LastSectionVirtual(Sections() As IMAGE_SECTION_HEADER) As Long
' Returns the highest RVA at which any section ends in memory
' (VirtualAddress + VirtualSize), or 0 when no entry exceeds 0.
' NOTE(review): both fields come straight from the file and are added as signed
' Longs; malformed headers can make the sum overflow and raise a runtime error.
Dim idx As Integer
Dim lVirtEnd As Long
Dim lHighest As Long

For idx = LBound(Sections) To UBound(Sections)
    With Sections(idx)
        lVirtEnd = .VirtualSize + .VirtualAddress
    End With
    If lVirtEnd > lHighest Then lHighest = lVirtEnd
Next idx

LastSectionVirtual = lHighest
End Function

Public Function AddSection(ByVal szFile As String, ByVal NewSectionName As String, ByVal NewSectionSize As Long, ByVal NewSectionCharacteristics As Long) As Boolean
' Appends one entry to the section table of the PE file szFile, editing the
' file in place, and extends the file so the new section's raw range exists.
'
' Parameters:
'   szFile                    - path of the file that is opened and rewritten.
'   NewSectionName            - name for the new section; cut to 8 characters.
'   NewSectionSize            - requested size; rounded up to FileAlignment for
'                               the raw size and to SectionAlignment for the
'                               virtual size.
'   NewSectionCharacteristics - stored unchanged in the new header.
' Returns True when the headers were rewritten; False when the MZ or PE
' signature is missing or the header area has no room for another entry.
'
' State of the file after a successful call: NumberOfSections is one higher,
' SizeOfImage is larger, data directory slot 12 (1-based) is zeroed, and
' CheckSum is left at its old value. The certificate table is never consulted,
' so a previously signed file should be expected to fail signature
' verification afterwards.
'
' NOTE(review): there is no On Error handler, so any runtime error below
' leaves file #1 open. OptionalHeader.Magic is not checked; the 32-bit record
' layout is applied to whatever file is given.
Dim hFile As Long, hMap As Long, lpMap As Long, X As Long   ' hFile, hMap and lpMap are never used
Dim i As Integer, k As Integer

Dim DOSHeader As IMAGE_DOS_HEADER
Dim NTHeader As IMAGE_NT_HEADERS
Dim SectionHeader() As IMAGE_SECTION_HEADER

'read headers
' NOTE(review): the file number is hard-coded to 1 rather than taken from
' FreeFile, so the call fails if #1 is already in use. Binary mode also
' creates szFile when it does not exist - confirm callers check first.
Open szFile For Binary As #1

Get #1, , DOSHeader
If DOSHeader.e_magic = &H5A4D Then
    ' Get/Put positions are 1-based, hence the "1 +" on every file offset.
    Get #1, 1 + DOSHeader.e_lfanew, NTHeader
    
    If NTHeader.Signature = &H4550 Then
    
        ' NumberOfSections is taken from the file without validation; a value
        ' of 0 gives an upper bound of -1 here and a runtime error.
        ReDim SectionHeader(0 To NTHeader.FileHeader.NumberOfSections - 1) As IMAGE_SECTION_HEADER
        
        ' k = index of the last existing section; k + 1 is the one being added.
        k = NTHeader.FileHeader.NumberOfSections - 1
        ' 24 = 4-byte signature + 20-byte file header; X becomes the file
        ' offset of the first section header.
        X = DOSHeader.e_lfanew + 24 + NTHeader.FileHeader.SizeOfOptionalHeader
        For i = LBound(SectionHeader) To UBound(SectionHeader)
            Get #1, 1 + X, SectionHeader(i)
            X = X + Len(SectionHeader(i))
        Next i
        ' X now points just past the last existing section header.
        
        ' Proceed only if one more header fits below SizeOfHeaders. This does
        ' not check whether those bytes are already occupied by other data.
        If NTHeader.OptionalHeader.SizeOfHeaders >= X + Len(SectionHeader(0)) Then
            NTHeader.FileHeader.NumberOfSections = NTHeader.FileHeader.NumberOfSections + 1
            ReDim Preserve SectionHeader(0 To NTHeader.FileHeader.NumberOfSections - 1) As IMAGE_SECTION_HEADER
            
            With SectionHeader(NTHeader.FileHeader.NumberOfSections - 1)
                If Len(NewSectionName) <= 8 Then
                    .Name = NewSectionName
                Else
                    .Name = Left$(NewSectionName, 8)
                End If
                
                .characteristics = NewSectionCharacteristics

                ' The new entry is still zero-filled while the two helpers
                ' scan the array, so it does not affect their results.
                .PointerToRawData = Align(LastSectionRaw(SectionHeader), NTHeader.OptionalHeader.FileAlignment)
                .SizeOfRawData = Align(NewSectionSize, NTHeader.OptionalHeader.FileAlignment)
                
                .VirtualAddress = Align(LastSectionVirtual(SectionHeader), NTHeader.OptionalHeader.SectionAlignment)
                .VirtualSize = Align(NewSectionSize, NTHeader.OptionalHeader.SectionAlignment)
            End With
            
            'write new section
            ' Slot 12 of the 1-based array is directory index 11 (bound import).
            ' Presumably cleared because that table often sits in the header
            ' slack the new section header overwrites - TODO confirm.
            NTHeader.OptionalHeader.DataDirectory(12).VirtualAddress = 0
            NTHeader.OptionalHeader.DataDirectory(12).isize = 0
            
            ' NOTE(review): adds the new virtual size to the old SizeOfImage
            ' instead of deriving it from the new section's end address; this
            ' assumes the old value ended exactly at the last section - confirm.
            NTHeader.OptionalHeader.SizeOfImage = NTHeader.OptionalHeader.SizeOfImage + SectionHeader(k + 1).VirtualSize
            
            Put #1, 1 + DOSHeader.e_lfanew, NTHeader
            Put #1, 1 + X, SectionHeader(k + 1)
            
            ' Writing one character at the section's last byte position grows
            ' the file to PointerToRawData + SizeOfRawData bytes. Bytes that
            ' already followed the last section fall inside the new raw range.
            Put #1, SectionHeader(k + 1).PointerToRawData + SectionHeader(k + 1).SizeOfRawData, Chr$(0)
            AddSection = True
        Else
            AddSection = False
        End If
    Else
        AddSection = False
    End If
Else
    AddSection = False
End If
Close #1

End Function

please DO NOT move to english section .
Thanks.
the problem now is not the code,
you must find how create a file (stub+other file) and not add a new section, Vbmod = visual basic file modified.


See you
que queres ??que te modfiquen tu RunPE,, como lo quieres FUD? ...a ver si se pasa Matatan
Salu.....
@ | | | L1v3H | | | y violgore

Gracias por responder muy apreciada.

RunPE es FUD. No hay problema, el trozo es FUD; si no uso la función de añadir sección, la detección nunca sucede.
El uso de addsection es lo que provoca la detección.

aquí:
[Enlace externo eliminado para invitados]
Vaya todo pinta que es por el addsection, yo tambien tengo el problema

Avast 100709-0 5.0 Win32:VBMod [Trj]
G-Data 21.486 2.0.7309.847 Win32:VBMod [Trj] B


si encuentras la solucion ahi te la encargo.
¿La solución? No existe solución; simplemente es un falso positivo por parte de Avast, que detecta un archivo con una sección añadida, la añadas como la añadas.

Salu2
Blog técnico dedicado a la seguridad informática y al estudio de nuevas vulnerabilidades.
Blog: http://www.seginformatica.net
Twitter: https://twitter.com/#!/p0is0nseginf
Esa firma que salta avast cuando añades seccion, te borra todas las offsets al hacer avfucker, pero cambiando la EP sale. (al menos a mi me ha salido mas que una vez.)
rudeboy1991 escribió:Esa firma que salta avast cuando añades seccion, te borra todas las offsets al hacer avfucker, pero cambiando la EP sale. (al menos a mi me ha salido mas que una vez.)
Estas en lo cierto. Logre sacarla y la seccion ahi sigue, solo que ya no sale la firma de xpack de avira, en fin, seguire ahora con esta de xpack, ya la habia sacado antes pero jum volvio.

saludos.
bueno si quite esa firma facil con el metodo de mover kernel32 en olly , pero cuando la quito me saltan otros 4 o 5 antivirus detectados
Imagen
asdfgh escribió:1- Compile a blank project;
2- Add 1 or more sections with any appropriate tool (for example CFF explorer or PE ).

Result: Win32:VBMod [Trj] B (for the last few days).
Can somebody point me to an alternative to the AddSection module?


Option Explicit

Private Type IMAGE_DOS_HEADER
    ' Legacy MS-DOS ("MZ") header. AddSection reads it from the very start of
    ' the file and uses only e_magic and e_lfanew. The members add up to
    ' 64 bytes; order and types must stay as they are because the record is
    ' read with a single binary Get.
    e_magic                 As Integer   ' compared against &H5A4D ("MZ") by AddSection
    e_cblp                  As Integer
    e_cp                    As Integer
    e_crlc                  As Integer
    e_cparhdr               As Integer
    e_minalloc              As Integer
    e_maxalloc              As Integer
    e_ss                    As Integer
    e_sp                    As Integer
    e_csum                  As Integer
    e_ip                    As Integer
    e_cs                    As Integer
    e_lfarlc                As Integer
    e_onvo                  As Integer   ' called e_ovno (overlay number) in winnt.h
    e_res(0 To 3)           As Integer
    e_oemid                 As Integer
    e_oeminfo               As Integer
    e_res2(0 To 9)          As Integer
    e_lfanew                As Long      ' file offset of the "PE" signature / NT headers
End Type


Private Type IMAGE_FILE_HEADER
    ' COFF file header (20 bytes) that follows the 4-byte PE signature.
    Machine                 As Integer
    NumberOfSections        As Integer   ' incremented by AddSection; sizes the section table read
    TimeDataStamp           As Long      ' TimeDateStamp in winnt.h (name typo kept as-is)
    PointerToSymbolTable    As Long
    NumberOfSymbols         As Long
    SizeOfOptionalHeader    As Integer   ' used to locate the first section header
    characteristics         As Integer
End Type

Private Type IMAGE_DATA_DIRECTORY
  ' One data-directory slot of the optional header (8 bytes): where a table
  ' lives and how large it is.
  VirtualAddress As Long
  isize As Long   ' the Size member of the Windows structure, under a different name
End Type

Private Type IMAGE_OPTIONAL_HEADER32
    ' 32-bit (PE32) optional header: 96 bytes of fixed fields plus 16 data
    ' directories. The PE32+ (64-bit) layout differs and is not modelled here.
    ' Several member names are misspelled relative to winnt.h; they are left
    ' alone because only the byte layout matters for Get/Put.
    Magic                   As Integer
    MajorLinkerVersion      As Byte
    MinorLinkerVersion      As Byte
    SizeOfCode              As Long
    SizeOfInitalizedData    As Long      ' SizeOfInitializedData in winnt.h
    SizeOfUninitalizedData  As Long      ' SizeOfUninitializedData in winnt.h
    AddressOfEntryPoint     As Long
    BaseOfCode              As Long
    BaseOfData              As Long
    ImageBase               As Long
    SectionAlignment        As Long      ' granularity of section addresses in memory
    FileAlignment           As Long      ' granularity of section raw data in the file
    MajorOperatingSystemVer As Integer
    MinorOperatingSystemVer As Integer
    MajorImageVersion       As Integer
    MinorImageVersion       As Integer
    MajorSubsystemVersion   As Integer
    MinorSubsystemVersion   As Integer
    Reserved1               As Long      ' Win32VersionValue in winnt.h
    SizeOfImage             As Long      ' increased by AddSection
    SizeOfHeaders           As Long      ' AddSection checks the new header still fits below this
    CheckSum                As Long      ' not recomputed anywhere in this module
    SubSystem               As Integer
    DllCharacteristics      As Integer
    SizeOfStackReserve      As Long
    SizeOfStackCommit       As Long
    SizeOfHeapReserve       As Long
    SizeOfHeapCommit        As Long
    LoaerFlags              As Long      ' LoaderFlags in winnt.h
    NumberOfRvaAndSizes     As Long
    ' The array is 1-based here, so element n is directory index n - 1 in the
    ' PE specification.
    DataDirectory(1 To 16) As IMAGE_DATA_DIRECTORY
End Type

Private Type IMAGE_SECTION_HEADER
    ' One entry of the section table. AddSection advances through the table
    ' with Len() of this record, so its on-disk size is expected to be 40 bytes.
    Name As String * 8              ' fixed-length; VB pads a shorter value with spaces
    VirtualSize As Long             ' size of the section once loaded
    VirtualAddress As Long          ' RVA of the section once loaded
    SizeOfRawData As Long           ' bytes occupied in the file
    PointerToRawData As Long        ' file offset of those bytes
    PointerToRelocations As Long
    PointerToLinenumbers As Long
    NumberOfRelocations As Integer
    NumberOfLinenumbers As Integer
    characteristics As Long         ' section flags, stored as supplied by the caller
End Type


Private Type IMAGE_NT_HEADERS
    ' PE signature, COFF header and PE32 optional header, read and written as
    ' one record at file offset e_lfanew.
    Signature As Long                           ' compared against &H4550 ("PE" + two NULs)
    FileHeader As IMAGE_FILE_HEADER
    OptionalHeader As IMAGE_OPTIONAL_HEADER32   ' always the 32-bit layout
End Type

Private Function Align(ByVal dwValue As Long, ByVal dwAlign As Long) As Long
' Rounds dwValue up to the next multiple of dwAlign.
' A value that is already a multiple, or an alignment of 0, is returned unchanged.
' NOTE(review): the arithmetic is signed 32-bit; a large dwValue raises a VB
' overflow error instead of wrapping.
Dim lRemainder As Long

Align = dwValue
If dwAlign = 0 Then Exit Function

lRemainder = dwValue Mod dwAlign
If lRemainder <> 0 Then Align = (dwValue + dwAlign) - lRemainder
End Function

Private Function LastSectionRaw(Sections() As IMAGE_SECTION_HEADER) As Long
' Returns the highest file offset at which any section's raw data ends
' (PointerToRawData + SizeOfRawData), or 0 when no entry exceeds 0.
' NOTE(review): both fields come straight from the file and are added as signed
' Longs; malformed headers can make the sum overflow and raise a runtime error.
Dim idx As Integer
Dim lRawEnd As Long
Dim lHighest As Long

For idx = LBound(Sections) To UBound(Sections)
    With Sections(idx)
        lRawEnd = .SizeOfRawData + .PointerToRawData
    End With
    If lRawEnd > lHighest Then lHighest = lRawEnd
Next idx

LastSectionRaw = lHighest
End Function

Private Function LastSectionVirtual(Sections() As IMAGE_SECTION_HEADER) As Long
' Returns the highest RVA at which any section ends in memory
' (VirtualAddress + VirtualSize), or 0 when no entry exceeds 0.
' NOTE(review): both fields come straight from the file and are added as signed
' Longs; malformed headers can make the sum overflow and raise a runtime error.
Dim idx As Integer
Dim lVirtEnd As Long
Dim lHighest As Long

For idx = LBound(Sections) To UBound(Sections)
    With Sections(idx)
        lVirtEnd = .VirtualSize + .VirtualAddress
    End With
    If lVirtEnd > lHighest Then lHighest = lVirtEnd
Next idx

LastSectionVirtual = lHighest
End Function

Public Function AddSection(ByVal szFile As String, ByVal NewSectionName As String, ByVal NewSectionSize As Long, ByVal NewSectionCharacteristics As Long) As Boolean
' Appends one entry to the section table of the PE file szFile, editing the
' file in place, and extends the file so the new section's raw range exists.
'
' Parameters:
'   szFile                    - path of the file that is opened and rewritten.
'   NewSectionName            - name for the new section; cut to 8 characters.
'   NewSectionSize            - requested size; rounded up to FileAlignment for
'                               the raw size and to SectionAlignment for the
'                               virtual size.
'   NewSectionCharacteristics - stored unchanged in the new header.
' Returns True when the headers were rewritten; False when the MZ or PE
' signature is missing or the header area has no room for another entry.
'
' State of the file after a successful call: NumberOfSections is one higher,
' SizeOfImage is larger, data directory slot 12 (1-based) is zeroed, and
' CheckSum is left at its old value. The certificate table is never consulted,
' so a previously signed file should be expected to fail signature
' verification afterwards.
'
' NOTE(review): there is no On Error handler, so any runtime error below
' leaves file #1 open. OptionalHeader.Magic is not checked; the 32-bit record
' layout is applied to whatever file is given.
Dim hFile As Long, hMap As Long, lpMap As Long, X As Long   ' hFile, hMap and lpMap are never used
Dim i As Integer, k As Integer

Dim DOSHeader As IMAGE_DOS_HEADER
Dim NTHeader As IMAGE_NT_HEADERS
Dim SectionHeader() As IMAGE_SECTION_HEADER

'read headers
' NOTE(review): the file number is hard-coded to 1 rather than taken from
' FreeFile, so the call fails if #1 is already in use. Binary mode also
' creates szFile when it does not exist - confirm callers check first.
Open szFile For Binary As #1

Get #1, , DOSHeader
If DOSHeader.e_magic = &H5A4D Then
    ' Get/Put positions are 1-based, hence the "1 +" on every file offset.
    Get #1, 1 + DOSHeader.e_lfanew, NTHeader
    
    If NTHeader.Signature = &H4550 Then
    
        ' NumberOfSections is taken from the file without validation; a value
        ' of 0 gives an upper bound of -1 here and a runtime error.
        ReDim SectionHeader(0 To NTHeader.FileHeader.NumberOfSections - 1) As IMAGE_SECTION_HEADER
        
        ' k = index of the last existing section; k + 1 is the one being added.
        k = NTHeader.FileHeader.NumberOfSections - 1
        ' 24 = 4-byte signature + 20-byte file header; X becomes the file
        ' offset of the first section header.
        X = DOSHeader.e_lfanew + 24 + NTHeader.FileHeader.SizeOfOptionalHeader
        For i = LBound(SectionHeader) To UBound(SectionHeader)
            Get #1, 1 + X, SectionHeader(i)
            X = X + Len(SectionHeader(i))
        Next i
        ' X now points just past the last existing section header.
        
        ' Proceed only if one more header fits below SizeOfHeaders. This does
        ' not check whether those bytes are already occupied by other data.
        If NTHeader.OptionalHeader.SizeOfHeaders >= X + Len(SectionHeader(0)) Then
            NTHeader.FileHeader.NumberOfSections = NTHeader.FileHeader.NumberOfSections + 1
            ReDim Preserve SectionHeader(0 To NTHeader.FileHeader.NumberOfSections - 1) As IMAGE_SECTION_HEADER
            
            With SectionHeader(NTHeader.FileHeader.NumberOfSections - 1)
                If Len(NewSectionName) <= 8 Then
                    .Name = NewSectionName
                Else
                    .Name = Left$(NewSectionName, 8)
                End If
                
                .characteristics = NewSectionCharacteristics

                ' The new entry is still zero-filled while the two helpers
                ' scan the array, so it does not affect their results.
                .PointerToRawData = Align(LastSectionRaw(SectionHeader), NTHeader.OptionalHeader.FileAlignment)
                .SizeOfRawData = Align(NewSectionSize, NTHeader.OptionalHeader.FileAlignment)
                
                .VirtualAddress = Align(LastSectionVirtual(SectionHeader), NTHeader.OptionalHeader.SectionAlignment)
                .VirtualSize = Align(NewSectionSize, NTHeader.OptionalHeader.SectionAlignment)
            End With
            
            'write new section
            ' Slot 12 of the 1-based array is directory index 11 (bound import).
            ' Presumably cleared because that table often sits in the header
            ' slack the new section header overwrites - TODO confirm.
            NTHeader.OptionalHeader.DataDirectory(12).VirtualAddress = 0
            NTHeader.OptionalHeader.DataDirectory(12).isize = 0
            
            ' NOTE(review): adds the new virtual size to the old SizeOfImage
            ' instead of deriving it from the new section's end address; this
            ' assumes the old value ended exactly at the last section - confirm.
            NTHeader.OptionalHeader.SizeOfImage = NTHeader.OptionalHeader.SizeOfImage + SectionHeader(k + 1).VirtualSize
            
            Put #1, 1 + DOSHeader.e_lfanew, NTHeader
            Put #1, 1 + X, SectionHeader(k + 1)
            
            ' Writing one character at the section's last byte position grows
            ' the file to PointerToRawData + SizeOfRawData bytes. Bytes that
            ' already followed the last section fall inside the new raw range.
            Put #1, SectionHeader(k + 1).PointerToRawData + SectionHeader(k + 1).SizeOfRawData, Chr$(0)
            AddSection = True
        Else
            AddSection = False
        End If
    Else
        AddSection = False
    End If
Else
    AddSection = False
End If
Close #1

End Function

please DO NOT move to english section .
Thanks.
Man you dont need change the module for add section

only use you brain a Little

saludos
@rudeboy1991
Changing EP add avira detection Xpaxk as said by Coupe.

I will try extending rsrc section.

Thanks.
asdfgh escribió:@rudeboy1991
Changing EP add avira detection Xpaxk as said by Coupe.

I will try extending rsrc section.

Thanks.
it depends on how you change the EP, there is more than one way to do it.
I always add a section then always change EP to take avast off, and still no avira^^

Like chinoloo said, you have to think a little.
@ Rudeboy1991 , Slek, tHe-cHiNoLoO-sNaKe

Thanks for your insights on the problem, I will try and modify the EP change module.
:D