I've been writing a lot about keylogging on this blog. Now as you know, most of the keyloggers are detected by anti-virus softwares, so what you really want is a FUD Keylogger (Fully Undetactable). That means no anti-virus software will alrert the victim saying its a virus. There are very few FUD Keyloggers on web and the most of the time you need to buy a keylogger that will be FUD for a long time. They normally cost about 3$-20$, depending on the functions of the Builder.
Since the FUD keyloggers cost money, i decided to show you how to make them undetectable for free, using hexediting method.
Here I will try to explain how to hexedit your favorite Trojan in order to make it undetected by certain anti-virus programs. I will try to put this as simple as possible so everyone understands it.
- General info about hexediting .
- What tools you need to get started.
- How to hex.
General info about hexediting
If you want to make your server undetectable, you need to know how AVs work and how they detect your files, right? There are a few ways that AVs use to detect your server heuristics, sandboxing, etc., and one of them is using so called "definition files" that carry information about strings inside your server. Well, that's the way we are going again in this tutorial because hexing is pretty much useless for other methods of detection. So when AVs scan your files it searches for specific stings on specific parts in your server, and if strings match with strings in the AV database, your file is detected.
Let as say that detected strings are "XX" so we need to change that string to something else (e.g. "XY","YY") that isn't in the AV definition database so the file can not be matched with any of the AV definitions and that way the file will be undetectable. There are going to be a few tagged strings in your server - not only one, depending on what trojan you are using and how popular is. Less popular trojans tend to have less tagged parts, and with that they are easier to make it undetectable.
First of all, hexing is not the best method for undetecting files because AVs can change old tagged parts, and once your AV is updated, new definition files are downloaded and your once undetected server might become detected again. Also not all AVs use the same tagged parts - this way you need to hex your server against more AVs to make it fully undetected. This can be annoying because you need to download wanted AVs then hex it your server, then download another etc., etc. Sometimes AVs tag critical parts of the server, and if that part is altered will corrupt the server. Also, heavily edited servers can become unstable, some functions might not work, or even you can corrupt your server and make it useless.
That's why you need to check your server if its still working after every single change you made while hexing it.
Now how to find detected strings in your server?
There are few ways you can do this: Manually cut your server in half adding parts to one half and scanning it until you find the detected string (which is slow and time consuming); use file splitters to split your server into bytes, and after that scan all split files and find out what byte is detected then alter it in original exe, or you can use an offset AV .
What tools you need to get started
- Unpacked trojan/keylogger server. (That's your virus)
- Hex editor > Download
- File Splitter > Download
How to hex
Now to make this more simple, and understandable i add a video tutorial on how to make virus undetectable by AV , Watch it.
Credits for this video go to Kostaz8
Do you have questions, comments, or suggestions? Feel free to post a comment!
Liked this post? Make a PayPal Donation to keep us strong.