Hello, this is a tutorial I wrote some weeks ago on Trojanforge; I got the idea to write it after seeing this:
And also because malware builders seem to be in fashion these days.
When malware writers give out only binaries and no builder, the only way to fuck them up is to codecave the binary to make it do what we want.
This has many advantages: you can remove bugs, add features... you are free.
To do this, you will need: OllyDbg, HexDecCharEditor v1.02 (or any other hex editor) and a minimum of intelligence.
For the coding part I've chosen 2 languages: Visual Basic 6, and Assembly with masm32 and WinASM as the IDE (two extremes, one high-level and one low-level language).
So let's start.
The first step is to locate the things you need to modify inside the malware (e.g. gate URLs, timers, encryption keys).
For the malware, due to ethical issues I will choose a simple unNagMe coded quickly in ASM.
That way you can try to modify things without the fear of being infected.
Run OllyDbg and load the executable to have a look and see what the code looks like.
Pretty simple, with a good zone of zero-filled bytes, and we can see the string references pointing to 0x403000 and 0x403023.
We need to find a zone with enough null bytes to insert our URL; the zero-filled place in the screenshot could work, but I've chosen to add my strings under the original ones.
This green area is usable; I used HexDecCharEditor to find it:
Now that we have found a place for our URL, we need to modify the executable to make it use our string.
Double click on the line and modify the code, then: Right Click > Copy to executable > All modifications.
A window appears: click 'Copy all', then another window appears; right click on it and click "Save file".
Everything is cool now.
We just need to code a program that will edit our binary at 0x403043.
For that I will modify some of my old VB6 and ASM code.
Please note that for Visual Basic I've used a CommonDialog, which means the program depends on one OCX: COMDLG32.
The code for both is a bit hardcoded and can be improved, but it works and it's enough for me.
Once the file is built, the hexed version is named "Malware.exe.ViR".
ASM Code, patch.asm:
Don't hesitate to show examples of your code if you are motivated.
No password on the archive because nothing is infected.
And if you want some fun: InjectMe #1, InjectMe #2
Other tutorials (in French, sorry):
Etude sur l'indétection du Server de Bifrost 1.2d auprés des Antivirus
ShmeitCorp Memento 6: StartClean Patcher
Package download: http://temari.fr/PackageHex.zip