Open Mecanik opened 1 year ago
JustasMasiulis
commented
1 year ago A random seed for the hash is already used. I can't really help much besides suggesting things like changing the hash algorithm or something like that. The code generated is rather small, so I'd assume it's more of a heuristic detection rather than the specific generated code.
Mecanik
commented
1 year ago A random seed for the hash is already used. I can't really help much besides suggesting things like changing the hash algorithm or something like that. The code generated is rather small, so I'd assume it's more of a heuristic detection rather than the specific generated code.
I see, can you provide a small example how to change the hash algorithm? Also, very curious... what do you mean by heuristics? As far as I know, these is compiled time code that does not load any libraries etc so... does not really apply?
JustasMasiulis
commented
1 year ago A random seed for the hash is already used. I can't really help much besides suggesting things like changing the hash algorithm or something like that. The code generated is rather small, so I'd assume it's more of a heuristic detection rather than the specific generated code.
I see, can you provide a small example how to change the hash algorithm?
Fork the project and replace the hashing function hash_single or it might be easier with other algos to replace hash functions that rely on this single character hashing thing.
Also, very curious... what do you mean by heuristics? As far as I know, these is compiled time code that does not load any libraries etc so... does not really apply?
Lack of imports and general runtime analysis performed in their sandboxes showing the fact that imports are being resolved manually. Also, AI garbage bunching similar (or literally lazy importer) code used in malware into the same boat.
CycloneRing
commented
9 months ago I'm using both lazy importer and xorstr for years and never had one AV detection, Are you sure you're code is not what actually detected? However if you really want to bypass that you can do two things
Hello,
I've mentioned this before and I am fully aware this is not the scope of the project, however I will ask the question again as I am sure many others face the same issue. It seems that quite a few AV vendors created patterns that detect both lazy_importer and xorstr somehow as "virus".
It really doesn't matter if your .exe is x86 or x64, console or UI, has version/checksum, etc; they will still detect it. Most detected files are .dll's unfortunately. It's a real bummer.
Is there / do you have some ideas on how could one improve on this? Perhaps give the user the option to set some sort of "seed" and created obfuscation based on that? So each build / project would have unique "patterns". Idk.
Many thanks