Network Security: Detailed info on Re: [Full-disclosure] Multiple Vendor Anti-Virus Software DetectionEvasi

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Bugtraq

[Top] [All Lists]

Re: [Full-disclosure] Multiple Vendor Anti-Virus Software DetectionEvasi

from [Eygene A. Ryabinkin] Network Security

[Permanent Link]

Subject:	Re: [Full-disclosure] Multiple Vendor Anti-Virus Software DetectionEvasion Vulnerability through forged magic byte
Date:	Thu, 27 Oct 2005 10:25:48 +0400

Especially in case of EXEs, AFAIK not all EXEs has the same 'MAGIC BYTE'
(MZ). MZ only appears in the first two bytes of Win32 executable files.


 Just for the curiosity: if you'll change "MZ" to "ZM" then the 16-bit
executables (MZ and NE executables) will still run and 32-bit (PE) executables
will execute their DOS stub part. It will be very interesting to check if
such files will be detected as executables at all in all mentioned antiviruses
and what sections PE files will be examined.

 The 'MZ' -> 'ZM' hack is the old feature of MS-DOS loader that still lives in
WinXP (at least, didn't tested others, but believe that they also carry that
feature). That's what is called 'interoperability between various versions' ;)
-- 
 rea
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
[Full-disclosure] Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte, Andrey Bayora RE: [Full-disclosure] Multiple Vendor Anti-Virus Software DetectionEvasion Vulnerability through forged magic byte, Debasis Mohanty RE: [Full-disclosure] Multiple Vendor Anti-Virus Software DetectionEvasion Vulnerability through forged magic byte, Debasis Mohanty Re: [Full-disclosure] Multiple Vendor Anti-Virus Software DetectionEvasion Vulnerability through forged magic byte, Eygene A. Ryabinkin <= Re: [Full-disclosure] Multiple Vendor Anti-Virus Software DetectionEvasion Vulnerability through forged magic byte, Andrey Bayora

Previous by Date:	Re: [Full-disclosure] SEC-Consult SA 20051025-0 :: Snoopy Remote Code Execution Vulnerability, Florian Weimer
Next by Date:	[Full-disclosure] Re: phpBB 2.0.17 (and other BB systems as well) Cookie disclosure exploit., Nicob
Previous by Thread:	RE: [Full-disclosure] Multiple Vendor Anti-Virus Software DetectionEvasion Vulnerability through forged magic byte, Debasis Mohanty
Next by Thread:	Re: [Full-disclosure] Multiple Vendor Anti-Virus Software DetectionEvasion Vulnerability through forged magic byte, Andrey Bayora
Indexes:	[Date] [Thread] [Top] [All Lists]