-
Notifications
You must be signed in to change notification settings - Fork 232
/
The Fake Entry Point Trick.txt
112 lines (90 loc) · 4.22 KB
/
The Fake Entry Point Trick.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
; Fake EP trick
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
; The idea is simple: After loading our program, we change the loaded PE image entry point
; dynamically to another routine inside our code (In this example is a simple messagebox).
;
; So, when the reverse guy dumps it will get the changed EP and change the PE behaviour
; when the dumped file run. This is just an educational trick with PE headers for my
; students understand better the PE Format in a practical way on malware analysis classes.
;
; This trick defeats:
; - Process Dump v2.1 (https://github.com/glmcdona/Process-Dump)
; - OllyDumpEx
; - Every dumper that grabs info from loaded PE header
;
; We move the file location to defeat Scylla too.
;
; SWaNk 2020 - VX
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
format PE GUI 4.0
entry start
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
; includes
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
include '%fasm%\INCLUDE\win32a.inc'
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
section '.text' code readable writeable executable
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
; if the file was dumped from memory, with one tool that grab the loaded image,
; the EP will chage to this instruction
push 0
push szTitle
push szFuckOff
push 0
call [MessageBoxA]
push 0
call [ExitProcess]
start:
invoke GetModuleHandleA, 0 ;get imageBase
mov [mHandle], eax
mov ebx, eax ;save into ebx
add ebx, 0xa8 ;EP
invoke VirtualProtect, ebx, 4, PAGE_EXECUTE_READWRITE, Old
mov byte[ebx], 0x00 ;Change EP to our joke payload
invoke VirtualProtect, ebx, 4, PAGE_EXECUTE_READ, Old
;Now we rename the file so Scylla can't find it on disk (MoveFileA)
invoke GetModuleFileNameA,0,szfileName, 255 ; return length in eax
add eax, szfileName ; eax now is in the end of the PE filename
;Find for the first '\' from backwards to grab the filename
@@:
dec eax
cmp byte[eax],'\'
jne @B
inc eax ;skip slash
mov ebx, eax ;save to rename file back
invoke MoveFileA, eax, tmpName, NULL
;normal behaviour, just a messagebox, if the file is dumped here the trap is set
push 0
push szTitle
push szExample
push 0
call [MessageBoxA]
;rename to the original name
invoke MoveFileA, tmpName, ebx, NULL
push 0
call [ExitProcess]
error:
push 0
call [ExitProcess]
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
section '.data' data readable writeable
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
szExample db 'Original file',0
szFuckOff db 'Hands off asshole',0
szTitle db 'Fake EP trick',0
mHandle dd ?
szfileName rb 250
tmpName db "1.exe",0
Old dd ?
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
data import
library kernel,'KERNEL32.DLL',\
user32,'USER32.DLL'
import user32, MessageBoxA,'MessageBoxA'
import kernel, ExitProcess,'ExitProcess',\
GetModuleHandleA,'GetModuleHandleA',\
GetModuleFileNameA,'GetModuleFileNameA',\
MoveFileA,'MoveFileA',\
VirtualProtect,'VirtualProtect'
end data