tcp.direct
/
VXUG-Papers
mirror of https://github.com/vxunderground/VXUG-Papers.git
13
0
Fork 0
Code Issues Releases Wiki Activity

Add files via upload

This commit is contained in:
vxunderground 2020-10-11 00:35:02 -05:00 committed by GitHub
parent a447a29113
commit e16e932b83
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 112 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

112
The Fake Entry Point Trick.txt Normal file
View File

@ -0,0 +1,112 @@
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
; Fake EP trick
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
; The idea is simple: After loading our program, we change the loaded PE image entry point
; dynamically to another routine inside our code (In this example is a simple messagebox).
;
; So, when the reverse guy dumps it will get the changed EP and change the PE behaviour
; when the dumped file run. This is just an educational trick with PE headers for my
; students understand better the PE Format in a practical way on malware analysis classes.
;
; This trick defeats:
; - Process Dump v2.1 (https://github.com/glmcdona/Process-Dump)
; - OllyDumpEx
; - Every dumper that grabs info from loaded PE header
;
; We move the file location to defeat Scylla too.
;
; SWaNk 2020 - VX
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
format PE GUI 4.0
entry start
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
; includes
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
include '%fasm%\INCLUDE\win32a.inc'
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
section '.text' code readable writeable executable
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
; if the file was dumped from memory, with one tool that grab the loaded image,
; the EP will chage to this instruction
push 0
push szTitle
push szFuckOff
push 0
call [MessageBoxA]
push 0
call [ExitProcess]
start:
invoke GetModuleHandleA, 0 ;get imageBase
mov [mHandle], eax
mov ebx, eax ;save into ebx
add ebx, 0xa8 ;EP
invoke VirtualProtect, ebx, 4, PAGE_EXECUTE_READWRITE, Old
mov byte[ebx], 0x00 ;Change EP to our joke payload
invoke VirtualProtect, ebx, 4, PAGE_EXECUTE_READ, Old
;Now we rename the file so Scylla can't find it on disk (MoveFileA)
invoke GetModuleFileNameA,0,szfileName, 255 ; return length in eax
add eax, szfileName ; eax now is in the end of the PE filename
;Find for the first '\' from backwards to grab the filename
@@:
dec eax
cmp byte[eax],'\'
jne @B
inc eax ;skip slash
mov ebx, eax ;save to rename file back
invoke MoveFileA, eax, tmpName, NULL
;normal behaviour, just a messagebox, if the file is dumped here the trap is set
push 0
push szTitle
push szExample
push 0
call [MessageBoxA]
;rename to the original name
invoke MoveFileA, tmpName, ebx, NULL
push 0
call [ExitProcess]
error:
push 0
call [ExitProcess]
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
section '.data' data readable writeable
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
szExample db 'Original file',0
szFuckOff db 'Hands off asshole',0
szTitle db 'Fake EP trick',0
mHandle dd ?
szfileName rb 250
tmpName db "1.exe",0
Old dd ?
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
data import
library kernel,'KERNEL32.DLL',\
user32,'USER32.DLL'
import user32, MessageBoxA,'MessageBoxA'
import kernel, ExitProcess,'ExitProcess',\
GetModuleHandleA,'GetModuleHandleA',\
GetModuleFileNameA,'GetModuleFileNameA',\
MoveFileA,'MoveFileA',\
VirtualProtect,'VirtualProtect'
end data