;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
; Fake EP trick
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
; The idea is simple: After loading our program, we change the loaded PE image entry point 
; dynamically to another routine inside our code (In this example is a simple messagebox).
;
; So, when the reverse guy dumps it will get the changed EP and change the PE behaviour 
; when the dumped file run. This is just an educational trick with PE headers for my 
; students understand better the PE Format in a practical way on malware analysis classes.
;
; This trick defeats: 
;       - Process Dump v2.1 (https://github.com/glmcdona/Process-Dump)
;       - OllyDumpEx
;       - Every dumper that grabs info from loaded PE header
; 
; We move the file location to defeat Scylla too.
;
; SWaNk 2020 - VX 
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

format PE GUI 4.0

entry start

;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
; includes
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
include '%fasm%\INCLUDE\win32a.inc'

;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
section '.text' code readable writeable executable
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
        ; if the file was dumped from memory, with one tool that grab the loaded image, 
        ; the EP will chage to this instruction
        push    0
        push    szTitle
        push    szFuckOff
        push    0
        call    [MessageBoxA]

        push    0
        call    [ExitProcess]

start:
        invoke GetModuleHandleA, 0                              ;get imageBase
        mov     [mHandle], eax
        
        mov     ebx, eax                                        ;save into ebx
        add     ebx, 0xa8                                       ;EP 

        invoke VirtualProtect, ebx, 4, PAGE_EXECUTE_READWRITE, Old
        mov     byte[ebx], 0x00                                 ;Change EP to our joke payload
        invoke VirtualProtect, ebx, 4, PAGE_EXECUTE_READ, Old

        ;Now we rename the file so Scylla can't find it on disk (MoveFileA)

        invoke GetModuleFileNameA,0,szfileName, 255             ; return length in eax
        add eax, szfileName                                     ; eax now is in the end of the PE filename

        ;Find for the first '\' from backwards to grab the filename
        @@:
        dec     eax
        cmp     byte[eax],'\'             
        jne     @B
        inc     eax                                             ;skip slash 
        mov     ebx, eax                                        ;save to rename file back

        invoke MoveFileA, eax, tmpName, NULL

        ;normal behaviour, just a messagebox, if the file is dumped here the trap is set
        push    0
        push    szTitle
        push    szExample
        push    0
        call    [MessageBoxA]

        ;rename to the original name

        invoke MoveFileA, tmpName, ebx, NULL

        push    0
        call    [ExitProcess]

error:
        push    0
        call    [ExitProcess]

;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
section '.data' data readable writeable
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

szExample       db      'Original file',0
szFuckOff       db      'Hands off asshole',0
szTitle         db      'Fake EP trick',0
mHandle         dd      ?
szfileName      rb      250
tmpName         db      "1.exe",0
Old             dd      ?

;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
data import
        library kernel,'KERNEL32.DLL',\
                user32,'USER32.DLL'

        import user32,  MessageBoxA,'MessageBoxA'
        import kernel,  ExitProcess,'ExitProcess',\
                        GetModuleHandleA,'GetModuleHandleA',\
                        GetModuleFileNameA,'GetModuleFileNameA',\
                        MoveFileA,'MoveFileA',\
                        VirtualProtect,'VirtualProtect'
 
end data
