How hackers Hex Edit to make Trojans & viruses Undetectable


You may not be familiar with what hex editing is, or with how hackers use it to hide Trojans and viruses. This post explains how they do it and how you can be fooled by it too, since it can fool your antivirus as well; from a security point of view, this is knowledge you should have.

What is Hex editing?

Hex editing can be used as a method to hide programs containing viruses and Trojans from a specific antivirus. If a Trojan is well known, every up-to-date definition set of every antivirus will contain a signature for it. In hex editing, the parts of the program's bytes that cause the detection are removed, or altered to other byte values that are not present in the antivirus definitions as viral code. Using this scheme, one can easily bypass the targeted antivirus.

How to remain safe?

Always keep your antivirus database updated, and scan any file you receive from outside. This helps ensure that a hex-edited file does not get past your antivirus.

How to do Hex Editing?

To find the particular bytes that the antivirus definition flags as viral code, hackers split the Trojan into many parts and scan them, separating out the parts that still raise a virus alert. Those parts are split again, and this is repeated until the exact part is found. They then need a hex editor to edit the specific bytes: e.g. if xx is present in the antivirus definition as viral code, they change it to xy so the antivirus does not detect it. After this, all the pieces are combined back into a single executable file. The tools they use:

  • An unpacked Trojan server (virus)
  • File splitter
  • Hex editor

A generic example of how it works:

Using the splitter, divide the infected program into small parts and scan every part. When a part is detected as a virus, split it again in a new folder, scan every part, and repeat until the hacker has the smallest part that still contains the piece of viral code the antivirus recognizes. They then edit that piece (or pieces) in the hex editor and change the value of the first line to 0, like this:


Then they re-scan that part. If the virus alert still appears, they do the same with the next line, save it, and scan again, hoping that the alert no longer occurs. They then rebuild the parts with the "File splitter builder exe" placed in every folder where they split a file, working back up: each set of parts is merged with the splitter's exe in the folder where that part was split. Finally they scan the rebuilt Trojan, and it is no longer detected.
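As an added, defender-side illustration (not code from the original post), the toy scanner below shows why the one-byte edit described above defeats an exact byte-string signature, and why detection rules instead combine several short indicators with a threshold; the sample file and the signature strings are constructed for the example.

```python
# Toy signature scanner: shows why one exact byte-string signature is brittle
# and why rules combine several independent indicators. All data is constructed.

# Constructed stand-in for a scanned file (not a real executable): a header,
# padding, and three strings a signature writer might key on.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"beacon_host=evil.example" + b"\x00" * 4
    + b"persist=autorun" + b"\x00" * 4
    + b"shell=cmd.exe /c " + b"\x00" * 8
)

# One long exact-match signature: a single edited byte defeats it.
EXACT_SIGNATURE = b"beacon_host=evil.example"

# Several short fragments with an "N of them" threshold, in the spirit of a
# YARA condition such as `2 of ($a, $b, $c)`.
FRAGMENTS = [b"beacon_host=", b"persist=autorun", b"shell=cmd.exe /c "]
THRESHOLD = 2

def exact_match(data: bytes, signature: bytes = EXACT_SIGNATURE) -> bool:
    """Classic exact-substring signature check."""
    return signature in data

def threshold_match(data: bytes, fragments=FRAGMENTS, threshold=THRESHOLD) -> bool:
    """Fire when at least `threshold` independent fragments are present."""
    return sum(1 for f in fragments if f in data) >= threshold

def hex_edit(data: bytes, offset: int, new_byte: int) -> bytes:
    """Simulate a hex editor changing the single byte at `offset`."""
    if not 0 <= offset < len(data) or not 0 <= new_byte <= 0xFF:
        raise ValueError("offset or byte value out of range")
    return data[:offset] + bytes([new_byte]) + data[offset + 1:]

def demo() -> dict:
    """Run both rules before and after a one-byte edit inside the long signature."""
    # Change the 'e' of "example" to 'E': enough to break the exact signature.
    offset = SAMPLE.index(EXACT_SIGNATURE) + len(b"beacon_host=evil.")
    edited = hex_edit(SAMPLE, offset, ord("E"))
    return {
        "exact_before": exact_match(SAMPLE),
        "threshold_before": threshold_match(SAMPLE),
        "exact_after": exact_match(edited),
        "threshold_after": threshold_match(edited),
    }

if __name__ == "__main__":
    for rule, fired in demo().items():
        print(f"{rule}: {fired}")
```

The exact signature stops firing after the edit while the threshold rule still fires, which is why real-world detection layers string rules with behavioural and heuristic checks rather than relying on one byte pattern.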

Note: Obviously this is a very basic example and not antivirus-specific, because a specific example could be exploited for wrong purposes. Hackers Thirst only wants to educate people for constructive purposes.