- ;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- ; Fake EP trick
- ;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
; The idea is simple: after loading our program, we change the loaded PE image's entry point
; dynamically to another routine inside our code (in this example, a simple messagebox).
- ;
; So, when the reverse guy dumps it, the dump will carry the changed EP, and the PE's behaviour
; will change when the dumped file runs. This is just an educational trick with PE headers, so
; that my students understand the PE format better in a practical way in malware analysis classes.
- ;
- ; This trick defeats:
- ; - Process Dump v2.1 (https://github.com/glmcdona/Process-Dump)
- ; - OllyDumpEx
- ; - Every dumper that grabs info from loaded PE header
- ;
- ; We move the file location to defeat Scylla too.
- ;
- ; SWaNk 2020 - VX
- ;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
; Output: 32-bit PE, GUI subsystem, minimum OS version 4.0 (FASM syntax)
format PE GUI 4.0
; AddressOfEntryPoint in the file as built points at `start` (placed below the
; fake stub in .text); the header patch inside `start` is what later moves it.
entry start
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
; includes
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
; FASM Win32 macro set; expected to provide `invoke`, `library`/`import` and
; the constants used below (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_READ, NULL)
include '%fasm%\INCLUDE\win32a.inc'
- ;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
; Code section. It is flagged writeable as well as executable (W+X). The
; entry-point patch in `start` goes through VirtualProtect on the header page,
; not on this section, so the `writeable` flag does not appear to be needed
; for it — and a W+X code section is itself a common static red flag for
; scanners and analysts.
section '.text' code readable writeable executable
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
; Fake entry point ("joke payload").
; Nothing jumps here during a normal run (the real entry is `start`). It is
; reached only when the process has been dumped after `start` cleared the low
; byte of AddressOfEntryPoint: the dumped image then begins here instead of at
; `start`. That relies on this stub sitting exactly at the address obtained by
; zeroing the low byte of `start`'s RVA, i.e. on both lying inside the same
; 256-byte window — TODO confirm against the assembled section layout.
; If the file was dumped from memory by a tool that grabs the loaded image,
; the EP will change to this instruction.
        push    0                       ; uType = MB_OK
        push    szTitle                 ; lpCaption
        push    szFuckOff               ; lpText
        push    0                       ; hWnd = NULL
        call    [MessageBoxA]
        push    0                       ; uExitCode = 0
        call    [ExitProcess]
;-----------------------------------------------------------------------
; start — real entry point (see `entry start`).
; 1. Patches the in-memory PE header so that AddressOfEntryPoint points at
;    the fake stub above (only the low byte of the field is cleared).
; 2. Renames its own image file to tmpName while the message box is shown,
;    then renames it back.
; Registers: eax = scratch / API return value; ebx = header pointer, later
; the file-name pointer kept across calls (ebx is callee-saved under stdcall).
; Detection notes for analysts: a VirtualProtect to PAGE_EXECUTE_READWRITE on
; the module's own header page followed by a write to it, and a process
; renaming its own executable with MoveFileA, are both observable from API /
; ETW hooks at runtime regardless of what a later memory dump shows.
;-----------------------------------------------------------------------
start:
        invoke  GetModuleHandleA, 0     ; eax = image base of this module
        mov     [mHandle], eax          ; stored, but never read again in this listing
        mov     ebx, eax                ; ebx = image base
        ; Hard-coded header offset: assumes image base + 0xA8 is
        ; IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint for the header FASM emits
        ; here. It is not derived from the DOS header's e_lfanew field, so any
        ; change in header layout silently breaks the patch (or corrupts
        ; another field).
        add     ebx, 0xa8               ; ebx = &AddressOfEntryPoint (assumed)
        ; The return value is not checked; if the call fails, the write below
        ; faults. The `error` label at the end is never jumped to.
        invoke  VirtualProtect, ebx, 4, PAGE_EXECUTE_READWRITE, Old
        ; Only the low byte is zeroed: new EP = old EP with bits 0-7 cleared,
        ; i.e. the 256-byte-aligned address below `start`, which is where the
        ; fake stub must therefore be located.
        mov     byte[ebx], 0x00         ; Change EP to our joke payload
        invoke  VirtualProtect, ebx, 4, PAGE_EXECUTE_READ, Old
        ; Now we rename the file so Scylla can't find it on disk (MoveFileA).
        ; nSize = 255, so szfileName must hold at least 255 bytes — check its
        ; `rb` size in .data. A 0 return (failure) is not checked either; in
        ; that case the scan below starts at szfileName itself.
        invoke  GetModuleFileNameA,0,szfileName, 255 ; eax = length, excluding the NUL
        add     eax, szfileName         ; eax = one past the last path character
        ; Scan backwards for the last '\' to isolate the file-name component.
        ; There is no lower bound: if no '\' is found, the loop walks below
        ; szfileName through whatever precedes it in .data and beyond.
@@:
        dec     eax
        cmp     byte[eax],'\'
        jne     @B
        inc     eax                     ; skip the slash: eax = file name only
        mov     ebx, eax                ; keep it for the rename-back below
        ; Both names are bare file names, so the rename resolves against the
        ; current working directory, not necessarily the module's directory
        ; — presumably meant to be run from its own folder; confirm.
        invoke  MoveFileA, eax, tmpName, NULL
        ; Normal behaviour: just a message box. While it is open the file on
        ; disk is named tmpName; if the process is killed here, the rename
        ; back never runs and the file stays under that name.
        push    0
        push    szTitle
        push    szExample
        push    0
        call    [MessageBoxA]
        ; Rename back to the original name (ebx survived the calls above).
        invoke  MoveFileA, tmpName, ebx, NULL
        push    0
        call    [ExitProcess]
; Unreachable: nothing jumps here and ExitProcess does not return.
; Kept as in the original.
error:
        push    0
        call    [ExitProcess]
- ;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
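; Data: strings passed to MessageBoxA / MoveFileA, plus scratch storage.
section '.data' data readable writeable
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
szExample  db 'Original file',0         ; text shown on the normal path
szFuckOff  db 'Hands off asshole',0     ; text shown when started from a dump
szTitle    db 'Fake EP trick',0         ; caption for both message boxes
mHandle    dd ?                         ; image base from GetModuleHandleA (written only)
; Path buffer for GetModuleFileNameA. The call in `start` passes nSize = 255,
; so the buffer must hold at least 255 bytes; the original reserved only 250,
; which let a long path overflow by up to 5 bytes into tmpName.
szfileName rb 256
tmpName    db "1.exe",0                 ; temporary name the image file is renamed to
Old        dd ?                         ; lpflOldProtect out-parameter for VirtualProtect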
- ;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
; Import directory. All Win32 APIs are resolved through the normal import
; table, so the full API set (VirtualProtect, MoveFileA, GetModuleFileNameA)
; is visible to static analysis of the file regardless of the runtime trick.
data import
; DLLs referenced (a trailing `\` continues the statement on the next line)
library kernel,'KERNEL32.DLL',\
        user32,'USER32.DLL'
import user32, MessageBoxA,'MessageBoxA'
import kernel, ExitProcess,'ExitProcess',\
       GetModuleHandleA,'GetModuleHandleA',\
       GetModuleFileNameA,'GetModuleFileNameA',\
       MoveFileA,'MoveFileA',\
       VirtualProtect,'VirtualProtect'
end data