{"id":1029,"date":"2015-01-30T00:51:09","date_gmt":"2015-01-30T00:51:09","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=1029"},"modified":"2015-01-30T02:34:42","modified_gmt":"2015-01-30T02:34:42","slug":"av-testing-tool","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2015\/01\/av-testing-tool\/","title":{"rendered":"Av testing tool"},"content":{"rendered":"<p>People often wonder &#8220;Joe, how the heck do you know if an AV is worth its weight in sand?&#8221; and to them I answer &#8220;I have to test it first&#8221;.<\/p>\n<p><a href=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/01\/morph1.png\"><img decoding=\"async\" loading=\"lazy\" src=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/01\/morph1-300x261.png\" alt=\"morph1\" width=\"300\" height=\"261\" class=\"alignnone size-medium wp-image-1030\" srcset=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/01\/morph1-300x261.png 300w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/01\/morph1.png 650w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>This is one of the tools I coded up. Presently I have to do AV evasions with a debugger, modifying the entry point and looking for a &#8216;code cave&#8217; to place the fine-tuned opcodes. It&#8217;s not exactly automated &#8211; YET. The other settings, though, work just fine. The concept is this &#8211; take a known sample, mess with it, then send it back to the AV to see if it&#8217;s found out. 
<\/p>\n<p>Since I had &#8220;morphing&#8221; on the mind, I chose the &#8220;Mighty Morphing Power Rangers&#8221; as a theme.<br \/>\n<iframe loading=\"lazy\" width=\"640\" height=\"360\" src=\"https:\/\/www.youtube.com\/embed\/q0YkXmebAGM?feature=player_detailpage\" frameborder=\"0\" allowfullscreen><\/iframe><\/p>\n<p>If you want to know more about modifying a PE file and its respective structure, then the source (made in C#) will help.<br \/>\nBecause I&#8217;m a nice guy, I&#8217;m going to share the exe as well as include the <a href=\"http:\/\/gironsec.com\/code\/Exe_Morphing_Util.7z\">source code<\/a>. Be on the lookout for v2 when I get around to adding AV evasion modifications statically rather than with source code or with a debugger. <\/p>\n<p>It comes with the packers listed (CLI versions) &#8211; mpress, UPX, xpack, cexe, and kkrunchy. <\/p>\n<p>Use responsibly and enjoy!<br \/>\n<a href=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/01\/1156532129904.gif\"><img decoding=\"async\" loading=\"lazy\" src=\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2015\/01\/1156532129904.gif\" alt=\"1156532129904\" width=\"387\" height=\"234\" class=\"alignnone size-full wp-image-1044\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>People often wonder &#8220;Joe, how the heck do you know if an AV is worth its weight in sand?&#8221; and to them I answer &#8220;I have to test it first&#8221;. This is one of the tools I coded up. 
Presently I have to do AV evasions with a debugger, modifying the entry point and looking [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4],"tags":[],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1029"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=1029"}],"version-history":[{"count":11,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1029\/revisions"}],"predecessor-version":[{"id":1038,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1029\/revisions\/1038"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=1029"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=1029"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=1029"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
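The "modify the entry point, find a code cave, drop opcodes in it" step that the post still does by hand in a debugger is the static PE edit that a morphing tool automates. The following is an added example written for this page in Python with only the standard library; it is not the Exe_Morphing_Util source (which is C#) and does not reproduce its logic. The function names (`parse_pe`, `find_code_caves`, `redirect_entry_point`, `build_sample_pe`) are this example's own, it handles PE32 only (no PE32+), and the image it operates on is a constructed minimal executable built inline, not a real sample. The stub it writes is just `jmp original_entry`, so the "morphed" file is behaviourally identical to the input, which is exactly what you want when the question is whether the AV's signature survives an entry-point relocation.

```python
import struct

# Section characteristic flags and PE32 optional-header offsets (PE32+ is not handled).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
OPT_MAGIC_PE32 = 0x10B
OPT_ENTRY_POINT = 16      # AddressOfEntryPoint within the optional header
SEC_VIRTUAL_SIZE = 8      # VirtualSize within a section header
SECTION_HEADER_SIZE = 40


def parse_pe(data):
    """Pull out the few header fields the patch needs (this example's own helper)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", data, file_hdr + 16)[0]
    opt_hdr = file_hdr + 20
    if struct.unpack_from("<H", data, opt_hdr)[0] != OPT_MAGIC_PE32:
        raise ValueError("only PE32 images are handled")
    entry = struct.unpack_from("<I", data, opt_hdr + OPT_ENTRY_POINT)[0]
    sections = []
    for i in range(num_sections):
        off = opt_hdr + opt_size + i * SECTION_HEADER_SIZE
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "header_offset": off, "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "characteristics": chars})
    return {"opt_hdr": opt_hdr, "entry_point": entry, "sections": sections}


def find_code_caves(data, pe, min_size=32):
    """Runs of at least min_size zero bytes inside executable sections, largest first."""
    caves = []
    for sec in pe["sections"]:
        if not sec["characteristics"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
            continue
        start, end, run = sec["raw_ptr"], sec["raw_ptr"] + sec["raw_size"], None
        for pos in range(start, end + 1):          # end+1 flushes a run touching the end
            zero = pos < end and data[pos] == 0
            if zero and run is None:
                run = pos
            elif not zero and run is not None:
                if pos - run >= min_size:
                    caves.append({"section": sec["name"], "file_offset": run, "size": pos - run,
                                  "rva": sec["virtual_address"] + run - sec["raw_ptr"]})
                run = None
    return sorted(caves, key=lambda c: c["size"], reverse=True)


def redirect_entry_point(data, pe, cave, prelude=b""):
    """Write prelude + `jmp original_entry` into the cave and make the cave the entry point.

    `prelude` is where a tester's own opcodes would go; it defaults to nothing, so the
    patched file behaves exactly like the original. Returns a new bytes object.
    """
    stub_len = len(prelude) + 5
    if stub_len > cave["size"]:
        raise ValueError("cave too small for stub")
    out = bytearray(data)
    jmp_rva = cave["rva"] + len(prelude)
    rel32 = pe["entry_point"] - (jmp_rva + 5)      # E9 rel32 is relative to the next instruction
    stub = prelude + b"\xE9" + struct.pack("<i", rel32)
    out[cave["file_offset"]:cave["file_offset"] + stub_len] = stub
    struct.pack_into("<I", out, pe["opt_hdr"] + OPT_ENTRY_POINT, cave["rva"])
    # Caves in the slack between VirtualSize and SizeOfRawData are the common case; grow
    # VirtualSize so the stub is unambiguously inside the section's mapped extent.
    sec = next(s for s in pe["sections"] if s["name"] == cave["section"])
    used = cave["rva"] - sec["virtual_address"] + stub_len
    if used > sec["virtual_size"]:
        struct.pack_into("<I", out, sec["header_offset"] + SEC_VIRTUAL_SIZE, used)
    return bytes(out)


def build_sample_pe():
    """Constructed minimal PE32 (not a real binary): 0x200 bytes of headers, one .text section."""
    code = b"\x55\x89\xE5\x31\xC0\x5D\xC3" + b"\xCC" * 0x29   # 0x30 bytes, no zero bytes
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, OPT_MAGIC_PE32)
    struct.pack_into("<I", opt, OPT_ENTRY_POINT, 0x1000)
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)   # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)              # SizeOfImage, SizeOfHeaders
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, 0x200, 0x200, 0, 0, 0, 0,
                      IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | 0x40000000)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                          # e_lfanew
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec).ljust(0x200, b"\0")
    return headers + code.ljust(0x200, b"\0")


if __name__ == "__main__":
    image = build_sample_pe()
    pe = parse_pe(image)
    caves = find_code_caves(image, pe)
    for c in caves:
        print(f"{c['section']}: {c['size']} bytes at file+0x{c['file_offset']:x} (RVA 0x{c['rva']:x})")
    patched = redirect_entry_point(image, pe, caves[0])
    print(f"entry point 0x{pe['entry_point']:x} -> 0x{parse_pe(patched)['entry_point']:x}")
```

Two things to keep in mind when pointing this at a real sample rather than the constructed one: rewriting the entry point invalidates any Authenticode signature and leaves the optional header's CheckSum stale (user-mode loaders ignore the checksum, but an AV heuristic may not), and an entry point that lands outside the first code section or in a writable section is itself a classic heuristic trigger, so a test that "passes" this way may be measuring a different detection than the one you set out to probe.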