From e16e932b839a7839958a499fbc07f25b1865dfe7 Mon Sep 17 00:00:00 2001
From: vxunderground <57078196+vxunderground@users.noreply.github.com>
Date: Sun, 11 Oct 2020 00:35:02 -0500
Subject: [PATCH] Add files via upload
---
 The Fake Entry Point Trick.txt | 112 +++++++++++++++++++++++++++++++++
 1 file changed, 112 insertions(+)
 create mode 100644 The Fake Entry Point Trick.txt
diff --git a/The Fake Entry Point Trick.txt b/The Fake Entry Point Trick.txt
new file mode 100644
index 0000000..f9fd1c5
--- /dev/null
+++ b/The Fake Entry Point Trick.txt
@@ -0,0 +1,112 @@
+;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+; Fake EP trick
+;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+; The idea is simple: After loading our program, we change the loaded PE image entry point
+; dynamically to another routine inside our code (In this example is a simple messagebox).
+;
+; So, when the reverse guy dumps it will get the changed EP and change the PE behaviour
+; when the dumped file run. This is just an educational trick with PE headers for my
+; students understand better the PE Format in a practical way on malware analysis classes.
+;
+; This trick defeats:
+; - Process Dump v2.1 (https://github.com/glmcdona/Process-Dump)
+; - OllyDumpEx
+; - Every dumper that grabs info from loaded PE header
+;
+; We move the file location to defeat Scylla too.
+;
+; SWaNk 2020 - VX
+;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+format PE GUI 4.0
+
+entry start
+
+;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+; includes
+;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+include '%fasm%\INCLUDE\win32a.inc'
+
+;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+section '.text' code readable writeable executable
+;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ ; if the file was dumped from memory, with one tool that grab the loaded image,
+ ; the EP will chage to this instruction
+ push 0
+ push szTitle
+ push szFuckOff
+ push 0
+ call [MessageBoxA]
+
+ push 0
+ call [ExitProcess]
+
+start:
+ invoke GetModuleHandleA, 0 ;get imageBase
+ mov [mHandle], eax
+
+ mov ebx, eax ;save into ebx
+ add ebx, 0xa8 ;EP
+
+ invoke VirtualProtect, ebx, 4, PAGE_EXECUTE_READWRITE, Old
+ mov byte[ebx], 0x00 ;Change EP to our joke payload
+ invoke VirtualProtect, ebx, 4, PAGE_EXECUTE_READ, Old
+
+ ;Now we rename the file so Scylla can't find it on disk (MoveFileA)
+
+ invoke GetModuleFileNameA,0,szfileName, 255 ; return length in eax
+ add eax, szfileName ; eax now is in the end of the PE filename
+
+ ;Find for the first '\' from backwards to grab the filename
+ @@:
+ dec eax
+ cmp byte[eax],'\'
+ jne @B
+ inc eax ;skip slash
+ mov ebx, eax ;save to rename file back
+
+ invoke MoveFileA, eax, tmpName, NULL
+
+ ;normal behaviour, just a messagebox, if the file is dumped here the trap is set
+ push 0
+ push szTitle
+ push szExample
+ push 0
+ call [MessageBoxA]
+
+ ;rename to the original name
+
+ invoke MoveFileA, tmpName, ebx, NULL
+
+ push 0
+ call [ExitProcess]
+
+error:
+ push 0
+ call [ExitProcess]
+
+;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+section '.data' data readable writeable
+;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+szExample db 'Original file',0
+szFuckOff db 'Hands off asshole',0
+szTitle db 'Fake EP trick',0
+mHandle dd ?
+szfileName rb 250
+tmpName db "1.exe",0
+Old dd ?
+
+;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+data import
+ library kernel,'KERNEL32.DLL',\
+ user32,'USER32.DLL'
+
+ import user32, MessageBoxA,'MessageBoxA'
+ import kernel, ExitProcess,'ExitProcess',\
+ GetModuleHandleA,'GetModuleHandleA',\
+ GetModuleFileNameA,'GetModuleFileNameA',\
+ MoveFileA,'MoveFileA',\
+ VirtualProtect,'VirtualProtect'
+
+end data
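Review bot: `invoke GetModuleFileNameA,0,szfileName, 255` passes a 255-byte size for a buffer declared as `szfileName rb 250`, so a module path of 250 or more characters is written past the buffer into the adjacent `tmpName`; declare the buffer and the size argument from one value, e.g. `szfileName rb 260` with `invoke GetModuleFileNameA, 0, szfileName, 260`. The return value of that call, and of the VirtualProtect and MoveFileA calls, is never tested even though an `error:` exit label exists and is otherwise unreferenced; on a zero return `add eax, szfileName` leaves eax at the buffer start and the `@@:` backward scan for `'\'` walks out of the buffer, so a `test eax, eax` / `jz error` after each call is needed. After the scan eax holds only the base name, so both MoveFileA calls are resolved against the process working directory rather than the executable's own directory, and if the process exits before the second MoveFileA the file stays renamed; passing the full `szfileName` path and a temporary name in the same directory would avoid that. `add ebx, 0xa8` appears to hard-code the AddressOfEntryPoint location for an e_lfanew of 0x80 and `mov byte[ebx], 0x00` rewrites only its low byte, which the comments should state as assumptions (DOS stub size, fake routine at the section start, `start` within the first 0x100 bytes of the section) since the header layout is the teaching point here. The `writeable` flag on `section '.text'` is unnecessary, as the only write is to the header page that the VirtualProtect call opens.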