VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

EPO - entrypoint obscuring

Matrix Zine [2]
September 2000

[Back to index] [Comments]


EPO is next of many ways to fuck AVs (at least a litle). The point is, that the entrypoint in PE header will not be overwritten by jump to virus body. This jump must be set somewhere in the 'CODE' section, in the jam of instructions after entrypoint. Problem is, we cant write our jump anywhere we can, coz we could fit in the 'middle' of instruction. Well, the 'we could' expression is not good, better is 'we will probably allways' fit in some instruction. So, we have to find address which wont destroy instruction. There's several ways of EPO now. I'll describe some.

[Read the article]

By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka