This is the second part of the series of posts about Post Exploitation Backdooring. If you haven't read the previous post, I recommend you do so before reading this one. Again I want to thank OscarAkaElvis, who taught me these PE Backdooring techniques.
In the previous post we saw how to insert the code of a reverse shell into a program, creating a Trojan. However, in practice that technique is well known to antivirus engines, and it will not work.
First, because it is very rare for a legitimate program to have a JMP as its first instruction.
Second, because it is easy to check that the executable is larger than the original, since we had to add a code cave to hold the shell.
In this second post I'll explain how to avoid these two problems, making the trojan undetectable by almost any antivirus.
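The first of those two tells, a JMP at the entry point that lands in another section, is easy to check for from the defender's side. The following is an added example (not code from the original post or its author): a minimal PE section-table parser plus a check on the first instruction at AddressOfEntryPoint, with a constructed two-section sample PE (`build_sample_pe`, a hypothetical helper) so it runs offline.

```python
import struct

def _sections(data):
    """Parse the section table: (name, virtual_size, rva, raw_size, raw_ptr, flags)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    base = pe + 24 + opt_size                              # first section header
    for i in range(nsec):
        off = base + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, rva, raw_size, raw_ptr = struct.unpack_from("<4I", data, off + 8)
        yield name, vsize, rva, raw_size, raw_ptr, struct.unpack_from("<I", data, off + 36)[0]

def _section_for(data, rva):
    for sec in _sections(data):
        if sec[2] <= rva < sec[2] + max(sec[1], sec[3]):
            return sec
    return None

def analyse_entry(data):
    """Report whether the entry point begins with a JMP and whether it leaves its section."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]  # AddressOfEntryPoint
    sec = _section_for(data, entry)
    target = None
    if sec is not None:
        off = sec[4] + (entry - sec[2])      # file offset of the first instruction
        if data[off] == 0xE9:                # JMP rel32
            target = entry + 5 + struct.unpack_from("<i", data, off + 1)[0]
        elif data[off] == 0xEB:              # JMP rel8
            target = entry + 2 + struct.unpack_from("<b", data, off + 1)[0]
    tsec = _section_for(data, target) if target is not None else None
    return {"entry_rva": entry, "entry_section": sec[0] if sec else None,
            "first_is_jmp": target is not None, "jump_target_rva": target,
            "target_section": tsec[0] if tsec else None,
            "jumps_out_of_section": target is not None and (tsec is None or tsec[2] != sec[2])}

def build_sample_pe(entry_code):
    """Constructed 32-bit PE: .text at RVA 0x1000 (entry) and a .cave section at RVA 0x2000."""
    def hdr(name, rva, raw_ptr):  # flags: code | executable | readable
        return struct.pack("<8s4I", name, 0x200, rva, 0x200, raw_ptr) + b"\0" * 12 + struct.pack("<I", 0x60000020)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", 0x1000) + b"\0" * (0xE0 - 20)
    headers = dos + b"PE\0\0" + coff + opt + hdr(b".text", 0x1000, 0x200) + hdr(b".cave", 0x2000, 0x400)
    return headers.ljust(0x200, b"\0") + entry_code.ljust(0x200, b"\xCC") + b"\x90" * 0x200
```

For the sample, an entry of `E9 FB 0F 00 00` (JMP to RVA 0x2000) is flagged as a jump out of `.text` into `.cave`, while a normal prologue (`55 8B EC`) is not.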