What do anti-viruses look for in a file?
Here I will show you a very basic model of how a crypter works to bypass Antivirus software.
Exe files are simply sequences of instructions stored as bytes; in a hex editor each row of bytes is labelled by its offset, its position from the start of the file.
(This is a screenshot of Hex Workshop)
Antiviruses keep databases of byte sequences known to be associated with malicious files. They check your file against that database, and if a sequence matches, the file is marked as infected or malicious. This type of detection is called signature detection. Antiviruses also use behavior detection (also called heuristic detection), which is why we will execute the malicious code directly from memory.
What will the crypter do?
Your crypter is going to take the contents of an infected file, encrypt them (to bypass signature detection), and place the result at the bottom of a seemingly virus-free file called your “stub”.
Your stub file will then read the encrypted data back out of itself, decrypt it, and run it directly from memory (to bypass heuristic detection).
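To make the signature-versus-heuristics point concrete from the defender's side, here is an added example (not code from the page's author): a toy signature scanner that matches raw bytes, beside an overlay-entropy check of the kind scanners use to flag an encrypted blob appended to a stub. The signature, stub and payload bytes are constructed stand-ins, not real AV signatures or malware.

```python
import hashlib
import math

# Constructed stand-in for a known-bad byte pattern in a signature database
# (not a real AV signature; real ones are longer and more selective).
SIGNATURES = {"demo-sig": b"\xe8\x00\x00\x00\x00\x5b\x81\xeb\x05\x10\x40\x00"}

# Constructed stand-ins for a "stub" and for the file it would carry.
STUB = b"MZ" + b"\x00" * 62 + b"harmless stub code" * 4
PAYLOAD = b"This program cannot be run in DOS mode.\r\n" * 8 + SIGNATURES["demo-sig"]

def keystream(key: bytes, length: int) -> bytes:
    """Deterministic pseudo-random bytes derived from key (SHA-256 in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Stand-in for the crypter's encryption step: XOR with a keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def signature_scan(data: bytes) -> list[str]:
    """Static signature check: which known-bad patterns appear verbatim?"""
    return [name for name, pat in SIGNATURES.items() if pat in data]

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: low for text/code, close to 8 for encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))

def overlay_is_suspicious(data: bytes, stub_len: int, threshold: float = 6.5) -> bool:
    """Flag files whose appended overlay looks encrypted or compressed."""
    overlay = data[stub_len:]
    return len(overlay) >= 256 and shannon_entropy(overlay) > threshold

def demo() -> dict:
    plain = STUB + PAYLOAD
    crypted = STUB + xor_bytes(PAYLOAD, b"constructed-demo-key")
    return {
        "plain_sig_hits": signature_scan(plain),        # ["demo-sig"]
        "crypted_sig_hits": signature_scan(crypted),    # [] -> signature evaded
        "plain_flagged": overlay_is_suspicious(plain, len(STUB)),
        "crypted_flagged": overlay_is_suspicious(crypted, len(STUB)),  # True
    }
```

The signature match disappears after encryption, but the high-entropy overlay is exactly what the second check keys on, which is why a crypter alone is not enough and why the page turns to in-memory execution next.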
This may sound like a complicated and confusing process, but it isn’t. Here are some diagrams to show you: