A very good article on this topic: http://schierlm.users.sourceforge.net/avevasion.html

Interesting read, thanks.  Once I have time this afternoon, to digest it, I'll have to compare it to some other stuff I've got.  I've done a lot of runtime encryption / decryption to bypass AV's and the like (using xor's and some other methods,) and I've been playing with R3l1k's method, from the SET stuff, on the secmaniac link, and have been having some fun, too.

Again, as I said in another thread, this morning, it's ncie to see different methods for accomplishing a task.  You can never be too reliant on any one, as each has both their own advantages and drawbacks.

As I'm not a heavy-duty programmer (I tend to analyze and fix code, more often than I have opportunity to write my own,) I play with encryption and such, when I have time.  Lately, the only stuff I've done was with R3l1k's stuff, as I mentioned, so I could compare it to what I've done, in the past...

Some places with info on encryption methods:

ELF
http://www.phrack.org/issues.html?issue=58&id=5#article

Polymorphic Encryption (xor again)
http://web17.webbpro.de/index.php?page=polymorphic-encryption-methods

I've done some things like putting the decryption key into dll's, and calling them from within the encrypted exe.  Another trick I've used, a little bit, is to combine methods / concepts (like xor and ELF) and use a decryption key, which I provide as a command-line variable at runtime, when, which combined with other key info within the code, allows for decryption.  I don't have a sample of any of my code handy (I'd have to dig through my VM's and toolboxes to find them, as lately, my focus was shifted onto some other things, outside of security, and I had to backburner a lot of my research and tool building / gathering,) but the concept really isn't that difficult, if you want to work on similar ideas, yourself.

If I can make some time to dig out my code snippets I've done, etc, I will.  In the meantime, perhaps sil or another has something handy?

You can also use the techniques used in this paper to encode your Metasploit payloads, if they're executables. (It is possible to encode them on the fly in a debugger as well, but that may require a bit more experience in case there is none.)

Link: Bypassing Anti-Virus Scanners

No problem, and thanks!  There isn't much going on at those forums currently, but there is a lot of nice content, which is why they're up (and may be forever), plus there is also a lot of visitors daily