PaulDotCom mailing list archives
PEScrambler
From: nils at hemmann.de (Nils)
Date: Thu, 20 Aug 2009 16:18:09 +0200
I gave it a try, too. To me it looks like especially files smaller than 100KB don't get changed (no MD5 sum changes). PEscrambler worked OK for e.g. netcat: before scrambling, 23/40 caught it; after scrambling there were just 14/40 on Virustotal.

I did some further research with PEscrambler and it does not work for e.g. fgdump or pwdump. These tools don't work anymore. I went the dsplit road on these two examples but it didn't work out either. Either the tools crash afterwards or my AV (AVG) still catches them.

Anyone else who did some research on this?

Nils

Adrian Crenshaw wrote:
> Thanks for posting PEScrambler <http://pauldotcom.com/PEScrambler_v0_1.zip> guys, I was one of the guys asking for it. I've locked the slides for my anti-forensics class this Saturday, but I'll try to remember to mention this tool.
>
> That said, I'm not sure it's working right. For example, as a test I do:
>
> PEScrambler.exe -i hfs.exe -o x.exe
>
> but checking the hashes of x and hfs, it seems x is just an exact copy. Any ideas?
>
> Thanks,
> Adrian
>
> ------------------------------------------------------------------------
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
Current thread:
- PEScrambler Adrian Crenshaw (Aug 19)
- PEScrambler Nils (Aug 20)
- PEScrambler Dimitrios Kapsalis (Aug 20)
- PEScrambler Nils (Aug 20)