Most if not all anti virus application work based on file signatures on disk. They have a large database of specific byte patterns, and they look for one or more byte patterns within a file. Some of the more advanced anti virus applications have additional features such as heuristics detection – i.e. looking for suspicious markers in what the application actually does. We’re trying to target basic anti virus signature matching. Currently our ‘nc.exe’ binary is being detected as malicious by AVG, and we want to know which part exactly is triggering the alert.
The utility listed below will allow us to split our binary up into increasing sizes. Using the command:
# ./split.sh nc/nc.exe 100 Creating 593 files. ^C now if this is not what you want... Running... Done
We will create versions of nc.exe of increasing sizes. As we have specified ‘100’ bytes, nc.exe.0 will be 100 bytes in size, nc.exe.1 will be 200 bytes in size, all the way to the original size (59392) which will require 593 files to be created.
Once this is done, we can ship this directory over to our AV machine and run a scan. Everything from nc.exe.0 to nc.exe.162 is clean, whilst nc.exe.163 to nc.exe.593 is detected and quarantined. We now know that something in the last 100 bytes of nc.exe.163 is triggering the pattern match.
ls -al nc.exe.163 -rw-r--r-- 1 root root 16400 2013-04-18 16:50 nc.exe.163
nc.exe.163 is 16400 bytes in size, and therefore, something between 16300 and 16400 is the trigger. Now lets split that down further, this time specifying the offset of 16300 and increments of 10 bytes: