;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
; Trick to fake the EP
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
; The idea is simple: after our program has been loaded, we change the entry point (EP)
; in the header of the dynamically loaded PE so that it points at another routine in our
; code (in this example, a simple pop-up message box).
;
; So when the reverser dumps the process, the dump carries the changed EP and the PE
; behaves differently when the dumped binary is executed. This is a purely educational
; trick with the PE headers so that my students get a better, hands-on understanding of
; the PE format in the malware analysis classes.
;
; This trick fools:
; - Process Dump v2.1 (https://github.com/glmcdona/Process-Dump)
; - OllyDumpEx
; - Any dumper that takes its information from the header of a PE loaded in memory
;
; We also move (rename) the file on disk to defeat Scylla.
;
; SWaNk 2020 - VX
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

format PE GUI 4.0
entry start

;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
; includes
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
include '%fasm%\INCLUDE\win32a.inc'

;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
section '.text' code readable writeable executable
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
; Decoy routine. It sits at the very start of .text (RVA 0x1000). If the file is dumped
; from memory with a tool that extracts loaded images, the dumped EP points here.
        push    0
        push    szTitle
        push    szFuckOff
        push    0
        call    [MessageBoxA]
        push    0
        call    [ExitProcess]

; Real entry point. With FASM's default encoding the seven instructions above take
; 0x1C bytes, so start is at RVA 0x101C: within the first 256 bytes of the section.
start:
        invoke  GetModuleHandleA, 0             ; get the image base
        mov     [mHandle], eax
        mov     ebx, eax                        ; save it in ebx
        ; AddressOfEntryPoint lives at e_lfanew + 0x28. FASM's default MZ stub puts the
        ; PE signature at 0x80, hence the hard-coded 0x80 + 0x28 = 0xA8. A PE built with
        ; another stub/linker would need e_lfanew read from offset 0x3C instead.
        add     ebx, 0xa8                       ; -> AddressOfEntryPoint
        invoke  VirtualProtect, ebx, 4, PAGE_EXECUTE_READWRITE, Old
        ; Zeroing the low byte turns 0x101C into 0x1000, the decoy routine. This only
        ; works because the decoy is at the section start and start is < 0x100 bytes in.
        mov     byte [ebx], 0x00                ; change the EP to the alternative payload
        invoke  VirtualProtect, ebx, 4, [Old], Old      ; restore the saved protection

        ; Now rename the file so Scylla cannot find it on disk (MoveFileA).
        ; GetModuleFileNameA(NULL, ...) returns the full path and its length in eax.
        invoke  GetModuleFileNameA, 0, szfileName, 260  ; buffer is MAX_PATH bytes
        add     eax, szfileName                 ; eax now points at the terminating NUL
        ; Walk backwards to the last '\' to isolate the file name
@@:
        dec     eax
        cmp     byte [eax], '\'
        jne     @B
        inc     eax                             ; skip the backslash
        mov     ebx, eax                        ; keep it to rename the file back later
        ; Caveat: MoveFileA takes only two arguments, and a bare file name is resolved
        ; relative to the current directory, so this relies on the process having been
        ; started from the directory the executable lives in.
        invoke  MoveFileA, eax, tmpName

        ; Normal behaviour, in this case a message box. If the process is dumped here,
        ; the trap is already armed.
        push    0
        push    szTitle
        push    szExample
        push    0
        call    [MessageBoxA]

        ; Rename the file back to its original name
        invoke  MoveFileA, tmpName, ebx
        push    0
        call    [ExitProcess]

; Unused in this build: nothing jumps here
error:
        push    0
        call    [ExitProcess]

;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
section '.data' data readable writeable
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
szExample   db 'Original file',0
szFuckOff   db 'Hands off, dumbass',0
szTitle     db 'Fake EP trick',0
mHandle     dd ?
szfileName  rb 260                              ; MAX_PATH, matches the size passed above
tmpName     db "1.exe",0
Old         dd ?

;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
data import
  library kernel,'KERNEL32.DLL',\
          user32,'USER32.DLL'

  import user32, MessageBoxA,'MessageBoxA'

  import kernel, ExitProcess,'ExitProcess',\
                 GetModuleHandleA,'GetModuleHandleA',\
                 GetModuleFileNameA,'GetModuleFileNameA',\
                 MoveFileA,'MoveFileA',\
                 VirtualProtect,'VirtualProtect'
end data
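The assembly above patches AddressOfEntryPoint at a hard-coded offset (ImageBase + 0xA8) and zeroes its low byte. The following Python helper is an added example, not part of SWaNk's source: it derives the same field offset from e_lfanew so it also holds for PEs whose MZ stub is not FASM's default, reproduces the low-byte patch, and implements the check an analyst wants when a dumped binary misbehaves, namely comparing AddressOfEntryPoint in the dumped header against the file on disk. The header bytes it works on are constructed inline (only the fields it reads are populated) and are not a real binary.

```python
"""Locate, patch and verify AddressOfEntryPoint in raw PE header bytes.

Added example (not from the original FASM source). Operates on a constructed
minimal header so it runs offline without a real executable.
"""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C
# Offset of OptionalHeader.AddressOfEntryPoint from the PE signature:
# 4 (Signature) + 20 (IMAGE_FILE_HEADER) + 16 (Magic .. SizeOfUninitializedData)
AOEP_OFFSET_FROM_PE = 0x28


def entry_point_offset(image: bytes) -> int:
    """Offset of AddressOfEntryPoint, found via e_lfanew instead of a constant.

    The FASM trick hard-codes 0xA8 because FASM's default stub places the PE
    signature at 0x80 (0x80 + 0x28). Reading e_lfanew gives the same answer for
    that layout and the right answer for any other stub.
    """
    if image[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, E_LFANEW_OFFSET)[0]
    if image[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    return e_lfanew + AOEP_OFFSET_FROM_PE


def read_entry_point(image: bytes) -> int:
    """Return the AddressOfEntryPoint RVA stored in the header."""
    return struct.unpack_from("<I", image, entry_point_offset(image))[0]


def fake_entry_point(image: bytes) -> bytes:
    """Reproduce the trick: zero the low byte of AddressOfEntryPoint.

    This redirects to the decoy only because the decoy sits at the start of
    .text and the real entry lies within the first 0x100 bytes of it
    (0x101C -> 0x1000); it is not a general "point anywhere" primitive.
    """
    off = entry_point_offset(image)
    patched = bytearray(image)
    patched[off] = 0x00
    return bytes(patched)


def entry_point_tampered(on_disk: bytes, in_memory: bytes) -> bool:
    """Analyst check: does the EP in a memory dump disagree with the file on disk?

    A dumper that trusts the in-memory header will write the patched value;
    comparing against the original file exposes the discrepancy.
    """
    return read_entry_point(on_disk) != read_entry_point(in_memory)


def build_minimal_header(e_lfanew: int = 0x80, entry_rva: int = 0x101C) -> bytes:
    """Constructed sample: MZ + e_lfanew + PE signature + fields up to AOEP.

    Defaults mirror the FASM build above (stub ends at 0x80, start at 0x101C).
    Everything this example does not read is left zeroed.
    """
    hdr = bytearray(e_lfanew + AOEP_OFFSET_FROM_PE + 4)
    hdr[0:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", hdr, E_LFANEW_OFFSET, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = IMAGE_NT_SIGNATURE
    struct.pack_into("<H", hdr, e_lfanew + 4, 0x014C)   # Machine = IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", hdr, e_lfanew + 24, 0x010B)  # Magic = PE32
    struct.pack_into("<I", hdr, e_lfanew + AOEP_OFFSET_FROM_PE, entry_rva)
    return bytes(hdr)


if __name__ == "__main__":
    disk = build_minimal_header()
    dump = fake_entry_point(disk)
    print(f"AOEP offset       : {entry_point_offset(disk):#x}")
    print(f"on-disk EP        : {read_entry_point(disk):#x}")
    print(f"dumped EP         : {read_entry_point(dump):#x}")
    print(f"tampered          : {entry_point_tampered(disk, dump)}")
```

Against a real target you would feed `entry_point_tampered` the first page of the process image (read with ReadProcessMemory) and the bytes of the file on disk; any mismatch in AddressOfEntryPoint is a strong hint that a dump should be fixed up with the on-disk value before analysis.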