Hello TF,
I have time to kill, and after seeing this thread I got the idea to write this.
So here is a tutorial on "How to hex a malware and make a builder".
When malware writers give out only bins and no builder, the only way to fuck them up is to codecave the bin to make it do what we want.
Sometimes that can be complicated, like here.
But it has many advantages: you can remove bugs, add features... you are free.
To do this, you will need: OllyDbg, a hex editor and a minimum of intelligence.
For the coding part I've chosen 2 languages: Visual Basic 6, and Assembly with MASM32 and WinAsm as IDE (two extremes, one high-level and one low-level language).
So let's start.
The first step is to locate the things you need to modify inside the malware (e.g. gate URLs, timers, encryption keys).
For the malware, due to ethical issues I will use a simple unNagMe coded quickly in ASM, so you can try modifying things without fear of being infected.
This executable can be downloaded with both source codes in the attachment.
Run OllyDbg and load the executable to have a look at what the code looks like.
Pretty simple, with a good zone of zero-filled bytes, and we see the string references point to 0x403000 and 0x403023.
We need to find a zone with enough null bytes to insert our URL. The zero-filled place on the screenshot could work, but I've chosen to add my strings under the original ones.
This green area can be used; I've used HexDecCharEditor to find it:
Now that we have found a place for our URL, we need to modify the executable to make it point to our string.
(843, VA=0x403043)
Double-click the line and modify the code, then: Right click > Copy to executable > All modifications
A window appears: click 'Copy all', then another window appears; right-click on it and click "Save file".
Everything is cool now.
We just need to code a program that will edit our binary at 0x403043.
For that I will modify some of my old VB6 and ASM code.
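The two checks behind the steps above (turning the VA OllyDbg shows into the offset the hex editor needs, and confirming the chosen spot really is unused zero padding) as an added example, not code from the original post or its attachments. It parses the PE section table of a constructed sample image whose layout (two sections, strings at 0x403000 and 0x403023, then nulls) and string contents are made up here; an analyst comparing a modified sample with the original can use the same mapping to see exactly where a patched reference lands in the file.

```python
import struct
# Constructed sample: minimal PE32, .text at VA 0x401000, .data at VA 0x403000 with
# strings at 0x403000 and 0x403023 followed by zero padding (the tutorial's layout).
def build_sample() -> bytes:
    image_base, pe_off = 0x400000, 0x80
    hdr = bytearray(0x200)
    hdr[0:2], hdr[pe_off:pe_off + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, pe_off)  # e_lfanew
    # IMAGE_FILE_HEADER: i386, 2 sections, SizeOfOptionalHeader 0xE0
    struct.pack_into("<HHIIIHH", hdr, pe_off + 4, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    struct.pack_into("<H", hdr, pe_off + 24, 0x10B)  # PE32 magic
    struct.pack_into("<I", hdr, pe_off + 24 + 28, image_base)  # ImageBase
    for i, (name, va, raw) in enumerate([(b".text", 0x1000, 0x200), (b".data", 0x3000, 0x400)]):
        struct.pack_into("<8sIIIIIIHHI", hdr, pe_off + 24 + 0xE0 + 40 * i,
                         name, 0x200, va, 0x200, raw, 0, 0, 0, 0, 0)
    data = bytearray(0x200)
    s1, s2 = b"http://original.example/a.php\0", b"Mozilla/4.0 (compatible) agent\0"
    data[0:len(s1)], data[0x23:0x23 + len(s2)] = s1, s2
    return bytes(hdr) + bytes(0x200) + bytes(data)

def sections(pe: bytes):
    """Return (ImageBase, [(name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)])."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    nsec, opt_size = struct.unpack_from("<H", pe, pe_off + 6)[0], struct.unpack_from("<H", pe, pe_off + 20)[0]
    image_base = struct.unpack_from("<I", pe, pe_off + 24 + 28)[0]
    tbl = pe_off + 24 + opt_size
    rows = [struct.unpack_from("<8sIIII", pe, tbl + 40 * i) for i in range(nsec)]
    return image_base, [(n.rstrip(b"\0").decode(), va, vs, rp, rs) for n, vs, va, rs, rp in rows]

def va_to_file_offset(pe: bytes, va: int):
    """Map a debugger VA to (file offset, end of its section's raw data); None if not file-backed."""
    image_base, secs = sections(pe)
    rva = va - image_base
    for _, sva, vsize, rptr, rsize in secs:
        if sva <= rva < sva + max(vsize, rsize):
            return (rptr + rva - sva, rptr + rsize) if rva - sva < rsize else None
    return None

def null_cave_size(pe: bytes, va: int) -> int:
    """Consecutive zero bytes from VA to the end of the section's raw data: room that can hold a string."""
    loc = va_to_file_offset(pe, va)
    if loc is None:
        return 0
    off, end = loc
    n = 0
    while off + n < end and pe[off + n] == 0:
        n += 1
    return n

SAMPLE = build_sample()
```

With a real file, read it with `open(path, "rb").read()` in place of SAMPLE; the VA-to-offset mapping returns None for addresses that exist only in memory (uninitialised data beyond SizeOfRawData), which is a common reason an address from the debugger cannot be patched on disk.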
Basic interface:
Please note that for Visual Basic I've used a CommonDialog, which means the program depends on one OCX: COMDLG32.
The code for both is a bit hardcoded and could be improved, but it works and that's enough for me.
Once the file is built, the hexed version is named "Malware.exe.ViR".
The end.
Don't hesitate to show code examples if you are motivated.
No password on the archive because nothing is infected.
And if you want some fun: InjectMe #1, InjectMe #2.
Maybe you need a TrojanForge account to download.