113 lines
4.2 KiB
Plaintext
113 lines
4.2 KiB
Plaintext
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
; Fake EP trick
|
|
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
; The idea is simple: After loading our program, we change the loaded PE image entry point
|
|
; dynamically to another routine inside our code (In this example is a simple messagebox).
|
|
;
|
|
; So, when the reverse guy dumps it will get the changed EP and change the PE behaviour
|
|
; when the dumped file run. This is just an educational trick with PE headers for my
|
|
; students understand better the PE Format in a practical way on malware analysis classes.
|
|
;
|
|
; This trick defeats:
|
|
; - Process Dump v2.1 (https://github.com/glmcdona/Process-Dump)
|
|
; - OllyDumpEx
|
|
; - Every dumper that grabs info from loaded PE header
|
|
;
|
|
; We move the file location to defeat Scylla too.
|
|
;
|
|
; SWaNk 2020 - VX
|
|
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
|
|
format PE GUI 4.0
|
|
|
|
entry start
|
|
|
|
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
; includes
|
|
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
include '%fasm%\INCLUDE\win32a.inc'
|
|
|
|
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
section '.text' code readable writeable executable
|
|
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
; if the file was dumped from memory, with one tool that grab the loaded image,
|
|
; the EP will chage to this instruction
|
|
push 0
|
|
push szTitle
|
|
push szFuckOff
|
|
push 0
|
|
call [MessageBoxA]
|
|
|
|
push 0
|
|
call [ExitProcess]
|
|
|
|
start:
|
|
invoke GetModuleHandleA, 0 ;get imageBase
|
|
mov [mHandle], eax
|
|
|
|
mov ebx, eax ;save into ebx
|
|
add ebx, 0xa8 ;EP
|
|
|
|
invoke VirtualProtect, ebx, 4, PAGE_EXECUTE_READWRITE, Old
|
|
mov byte[ebx], 0x00 ;Change EP to our joke payload
|
|
invoke VirtualProtect, ebx, 4, PAGE_EXECUTE_READ, Old
|
|
|
|
;Now we rename the file so Scylla can't find it on disk (MoveFileA)
|
|
|
|
invoke GetModuleFileNameA,0,szfileName, 255 ; return length in eax
|
|
add eax, szfileName ; eax now is in the end of the PE filename
|
|
|
|
;Find for the first '\' from backwards to grab the filename
|
|
@@:
|
|
dec eax
|
|
cmp byte[eax],'\'
|
|
jne @B
|
|
inc eax ;skip slash
|
|
mov ebx, eax ;save to rename file back
|
|
|
|
invoke MoveFileA, eax, tmpName, NULL
|
|
|
|
;normal behaviour, just a messagebox, if the file is dumped here the trap is set
|
|
push 0
|
|
push szTitle
|
|
push szExample
|
|
push 0
|
|
call [MessageBoxA]
|
|
|
|
;rename to the original name
|
|
|
|
invoke MoveFileA, tmpName, ebx, NULL
|
|
|
|
push 0
|
|
call [ExitProcess]
|
|
|
|
error:
|
|
push 0
|
|
call [ExitProcess]
|
|
|
|
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
section '.data' data readable writeable
|
|
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
|
|
szExample db 'Original file',0
|
|
szFuckOff db 'Hands off asshole',0
|
|
szTitle db 'Fake EP trick',0
|
|
mHandle dd ?
|
|
szfileName rb 250
|
|
tmpName db "1.exe",0
|
|
Old dd ?
|
|
|
|
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
data import
|
|
library kernel,'KERNEL32.DLL',\
|
|
user32,'USER32.DLL'
|
|
|
|
import user32, MessageBoxA,'MessageBoxA'
|
|
import kernel, ExitProcess,'ExitProcess',\
|
|
GetModuleHandleA,'GetModuleHandleA',\
|
|
GetModuleFileNameA,'GetModuleFileNameA',\
|
|
MoveFileA,'MoveFileA',\
|
|
VirtualProtect,'VirtualProtect'
|
|
|
|
end data
|