https://github.com/davidtavarez/pinky
https://www.opensc.io/showthread.php?t=20902
http://deciphertech.sitey.me/rat-tools/
Nice advice:
PART 1 - EASY
A. Scramble the procedures
Play a lot. Exchange places of every procedure one by one. Turn your code upside down. If it works, good. If not, change the order again. In general this doesn't help very much to make the RAT undetected... yet.
B. Change the strings and the procedure names
Yeah, boring. But it's not a good idea if the RAT has the string 'You are connected to XYZ RAT! Welcome!', the AV companies just love that thing. Change it or remove it. Same with procedure names. Well, not exactly the same but whatever... It will help.
C. Change the image base value
What's that? Here goes an introduction: The $IMAGEBASE directive controls the default load address for an application or DLL. The use is {$IMAGEBASE number} and it must be placed on your project file ( .dpr ). The default number value is $00400000 and it can be almost any value from $00010000 to $7FFFFFFF. Why change it? Because changing this, it will change the entrypoint. What's entrypoint? Google is our best friend, remember? And it changes some other things too, but all you have to know is: this will help, specially on a DLL.
PART 2 - INTERMEDIATE
Keep in mind that these operations can slow down your program. Maybe a lot, maybe just some ms...
A. Change the IF...THEN...ELSE procedure order
Whenever possible, just put the THEN procedure on the ELSE place, and vice versa. Don't forget to change the IF statement, so the procedure works correctly.
B. Create dummy procedures
Create procedures that do nothing, or just return one char of the entire string, or something useless like this:
function DummyInteger(dummy: integer): integer;
begin
result := StrToInt(IntToStr(StrToInt(IntToStr(StrToInt(IntTo Str(StrToInt(IntToStr(dummy))))))));
end;
The main goal is to generate useless code inside procedures. An important thing to remember is: call these procedures
C. Insert NOPs
What is a NOP? NOP stands for "No OPeration". It's just a byte in the code that does nothing but slows down your program and increases its size. In case you want to insert a NOP inside the DummyInteger procedure, do this:
function DummyInteger(dummy: integer): integer;
begin
asm // here
nop // is
end; // our NOP
result := StrToInt(IntToStr(StrToInt(IntToStr(StrToInt(IntTo Str(StrToInt(IntToStr(dummy))))))));
end;
Is it hard do do this? No. So why is it in the intermediate section? Because you must use your brains to know where to insert it. Just do me a favor, don't insert NOPs inside a loop that catches the files inside folders...
PART 3 - ADVANCED ( really advanced, i'm not gonna explain anything from this section )
A. Using GetProcAddress to load DLL functions
Almost all the heuristics scanners read the IAT to see what the program can do. So if we don't leave any traces there they can't catch us! Easy, right? Well, not really... There's an example of how to use GetProcAddress on my Tiny Delphi Protected Storage Unit, available for download on the main site. See the initialization section. You have to call all external functions that way...
B. Using shitty ASM procedures
I should warn you that this operation will slow down your application. Probably a lot... First of all, completely turn off the compiler optimizations. Why? Because you're gonna insert lots of useless ASM operations and you don't want any of the optimizations performed by the compiler. What operations should you insert? If you're reading this you should know, but Google helps us a lot! I'm not an ASM-guru but we all should know something in assembler, it's very useful. I'll give only one example:
Instead of using the "clean" well-known GetWindowsDirectory function, you can use this:
function GetWindowsDirectory: string;
var
path : array [0..MAX_PATH] of char;
begin
asm
lea eax, path
test eax, eax
push eax
xor eax, eax
call GetWindowsDirectoryA
end;
result := string(path)+'\'
end;
This is not the easiest thing to understand, but be sure Delphi will NEVER compile anything like that. It works but it's ugly, slow and there are much better ways to do this... Believe me...
In some cases, you could turn optimizations off in the EASY part, after changing the image base value... Without optimizations the compiler generates more code and it can differ significantly from the original ( almost noone disables the compiler optimization ), so weak AV's can be easily bypassed this way... Well, a beginner reading this section has to get some kind of reward
