
How to avoid AVS-detection @ packer


forwarder
October 2nd, 2003, 15:27
Hi, I am implementing some sort of UPX-like executable packer, but I've got some problems with it: sometimes the compressed executables are detected as unknown virii by some well-known AVs (NOD32 and Norton, for example). I think it's my loader which does not do things in their normal way. Any general suggestions on how I can avoid such false detection alarms? I noticed that changing a simple signature check from

if(e_magic == IMAGE_DOS_SIGNATURE)
if(Signature+1 == IMAGE_NT_SIGNATURE+1)

to

if(e_magic+1 == IMAGE_DOS_SIGNATURE+1)
if(Signature+1 == IMAGE_NT_SIGNATURE+1)

seems to help a little bit with NOD32 (not with Norton, though), but if I change my entry point from e.g. VA 0x1000 to 0x1010 it yells again.

dELTA
October 2nd, 2003, 20:52
I would just perform some more complex arithmetic operations on those numbers than +1, and it should most likely not be a problem anymore. They can't emulate code of higher complexity just to see if it does an EXE header signature check. Anyway, is it really on the normal heuristic setting of those AV programs (as opposed to the non-recommended highest setting) that this happens? Sounds quite strange.

forwarder
October 2nd, 2003, 21:37
I have had some success now.

In previous versions I compressed the sections and copied 5 bytes (the space necessary for a long jump) from the OEP's location into the loader. Then I wrote a long jump to the beginning of the loader, to avoid changing the EP entry in the PE header. After decompression there was just a jump back, and everything was fine except that some AVs seem to think it's a little too virii-like. Now I've changed my mind: the loader's address = EP in the PE header. No alerts so far.

BTW, thanks for replying. I thought I was alone.
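The two mechanisms discussed in this thread, the PE signature check with the comparison constants pushed through some arithmetic (first post, and dELTA's "more complex arithmetic" suggestion) and the old "copy 5 bytes from the OEP, write a long jump to the loader, jump back after decompression" scheme (third post), as an added example in C. This is not forwarder's packer code; it is written here to show the mechanics. It assumes a flat in-memory image where RVA equals buffer offset (a real packer maps RVAs through the section table), and the sample image, image base and RVAs are constructed for the example, not taken from any real binary.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Signature constants as defined in winnt.h */
#define IMAGE_DOS_SIGNATURE 0x5A4Du      /* "MZ" */
#define IMAGE_NT_SIGNATURE  0x00004550u  /* "PE\0\0" */
#define E_LFANEW_OFFSET     0x3Cu        /* offset of e_lfanew in IMAGE_DOS_HEADER */
#define JMP_REL32_LEN       5u           /* E9 + 32-bit displacement */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Compare a header field against its expected value with both sides run through
 * the same arithmetic, so the loader never does a plain "cmp field, 0x5A4D".
 * 'volatile' stops the compiler from folding the right-hand side back into the
 * bare literal. The constants 0x1F3A / 0x55AA are arbitrary (hypothetical). */
static int sig_matches(uint32_t field, uint32_t expected) {
    volatile uint32_t k = 0x1F3Au;
    uint32_t lhs = (field    * 3u + k) ^ 0x55AAu;
    uint32_t rhs = (expected * 3u + k) ^ 0x55AAu;
    return lhs == rhs;
}

/* 1 if buf starts with an MZ header whose e_lfanew points at "PE\0\0" inside buf. */
int pe_headers_present(const uint8_t *buf, size_t len) {
    if (len < E_LFANEW_OFFSET + 4) return 0;
    if (!sig_matches(rd16(buf), IMAGE_DOS_SIGNATURE)) return 0;
    uint32_t e_lfanew = rd32(buf + E_LFANEW_OFFSET);
    if (e_lfanew > len - 4) return 0;            /* bounds check before touching the NT header */
    return sig_matches(rd32(buf + e_lfanew), IMAGE_NT_SIGNATURE);
}

/* JMP rel32 displacement is relative to the end of the 5-byte instruction. */
int32_t jmp_rel32_disp(uint32_t from_va, uint32_t to_va) {
    return (int32_t)(to_va - (from_va + JMP_REL32_LEN));
}
void encode_jmp_rel32(uint8_t out[JMP_REL32_LEN], uint32_t from_va, uint32_t to_va) {
    out[0] = 0xE9;
    wr32(out + 1, (uint32_t)jmp_rel32_disp(from_va, to_va));
}
/* Inverse: the VA a JMP rel32 located at 'at_va' lands on (0 if not an E9). */
uint32_t decode_jmp_rel32(const uint8_t *p, uint32_t at_va) {
    if (p[0] != 0xE9) return 0;
    return at_va + JMP_REL32_LEN + rd32(p + 1);  /* unsigned wrap handles backward jumps */
}

/* The "old" scheme: save the 5 bytes at the OEP and overwrite them with a jump
 * to the loader, leaving AddressOfEntryPoint in the PE header untouched. */
int hook_oep(uint8_t *img, size_t len, uint32_t base, uint32_t oep_rva,
             uint32_t loader_rva, uint8_t saved[JMP_REL32_LEN]) {
    if (len < JMP_REL32_LEN || oep_rva > len - JMP_REL32_LEN || loader_rva >= len) return 0;
    memcpy(saved, img + oep_rva, JMP_REL32_LEN);
    encode_jmp_rel32(img + oep_rva, base + oep_rva, base + loader_rva);
    return 1;
}
/* What the loader does after decompression, before jumping back: restore the bytes. */
int unhook_oep(uint8_t *img, size_t len, uint32_t oep_rva, const uint8_t saved[JMP_REL32_LEN]) {
    if (len < JMP_REL32_LEN || oep_rva > len - JMP_REL32_LEN) return 0;
    memcpy(img + oep_rva, saved, JMP_REL32_LEN);
    return 1;
}

/* Constructed sample image (not a real binary): MZ header, PE signature at 0x80,
 * a few prologue bytes (push ebp; mov ebp,esp; sub esp,10h; push ebx) at the OEP. */
#define SAMPLE_LEN        0x3000
#define SAMPLE_BASE       0x00400000u
#define SAMPLE_OEP_RVA    0x1000u
#define SAMPLE_LOADER_RVA 0x2000u
static const uint8_t sample_prologue[] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53 };

void build_sample_image(uint8_t *img) {
    memset(img, 0, SAMPLE_LEN);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + E_LFANEW_OFFSET, 0x80);
    img[0x80] = 'P'; img[0x81] = 'E';           /* the two zero bytes are already there */
    memcpy(img + SAMPLE_OEP_RVA, sample_prologue, sizeof sample_prologue);
}

int main(void) {
    uint8_t img[SAMPLE_LEN], saved[JMP_REL32_LEN];
    build_sample_image(img);
    printf("PE headers present: %d\n", pe_headers_present(img, SAMPLE_LEN));
    hook_oep(img, SAMPLE_LEN, SAMPLE_BASE, SAMPLE_OEP_RVA, SAMPLE_LOADER_RVA, saved);
    printf("OEP now jumps to 0x%08X (disp 0x%X)\n",
           decode_jmp_rel32(img + SAMPLE_OEP_RVA, SAMPLE_BASE + SAMPLE_OEP_RVA),
           (unsigned)jmp_rel32_disp(SAMPLE_BASE + SAMPLE_OEP_RVA, SAMPLE_BASE + SAMPLE_LOADER_RVA));
    unhook_oep(img, SAMPLE_LEN, SAMPLE_OEP_RVA, saved);
    printf("restored: %d\n", memcmp(img + SAMPLE_OEP_RVA, sample_prologue, sizeof sample_prologue) == 0);
    return 0;
}
```

The displacement arithmetic is the part that usually goes wrong in hand-rolled loaders: the jump at the OEP lands on `base + loader_rva` only if the displacement is computed from the address just after the 5-byte instruction, and the jump back from the loader needs the same treatment with a negative displacement. The header check keeps the bounds check on `e_lfanew`; whatever arithmetic you wrap around the signature compare, a loader that reads past the end of the mapped header is a bug regardless of what the scanner thinks of it.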