Int 2Dh debugger detection and code obfuscation - ReWolf^HTB
;
; Date: 14.III.2007
;
;
; I. BACKGROUND
;
; Possibly new method of debugger detection, and nice way for code
; obfuscation.
;
;
; II. DESCRIPTION
;
; Int 2Dh is used by ntoskrnl.exe to play with DebugServices (ref1),
; but we can use it also in ring3 mode. If we try to use it in normal
; (not debugged) application, we will get exception. However if we will
; attach debugger, there will be no exception.
;
; push offset _seh ;\
; push fs:[0] ; > set SEH
; mov fs:[0], esp ;/
;
; int 2dh ; if debugger attached it will run normally,
; ; else we've got exception
; nop
; pop fs:[0] ;\ clear SEH
; add esp, 4 ;/
;
; ...
; debugger detected
; ...
;
; _seh:
; debugger not detected
;
; It can also crash SoftIce DbgMsg driver (ref2).
;
; Besides this, int 2Dh can also be used as code obfuscation method.
; With attached debugger, after executing int 2Dh, system skips one byte
; after int 2Dh:
;
; int 2dh
; nop ; never executed
; ...
;
; If we'll execute step into/step over on int 2Dh different debuggers
; will behave in different way:
;
; OllyDbg - run until next breakpoint (if we have any)
; Visual Studio - stop on instruction after nop in our example
; WinDbg - stop after int 2dh (always even if we 'Go')
;
; Only OllyDbg behaves correctly if we permit to run process without any
; breaks. We can create self debuggable application (as in attached
; example) that will take advantages of int 2Dh code obfuscation.
;
;
; III. Links
;
; 1. http://www.vsj.co.uk/articles/display.asp?id=265
; 2. http://www.piotrbania.com/all/adv/sice-adv.txt
;
;
; IV. Thanks
;
; omega red, Gynvael Coldwind, ved, Piotr Bania
;
;
; comments, suggestions, job opportunities: rewolf@poczta.onet.pl
; http://www.rewolf.prv.pl
;---------------------------------------------------------------------------
;
;change file extension to .asm and compile
;tested on: Win XP Pro sp2 (x86), Win 2k3 server (x64), Vista Ultimate (x64)
;
;---------------------------------------------------------------------------
.386
.model flat, stdcall
option casemap:none
;---------------------------------------------------------------------------
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32
includelib \masm32\lib\user32
;---------------------------------------------------------------------------
.data
procinfo PROCESS_INFORMATION <0>
startinfo STARTUPINFO <0>
debugEvt DEBUG_EVENT<0>
_str db 100 DUP (0)
_fmt db 'eax: %08X',0dh,0ah,'ebx: %08X',0dh,0ah,'ecx: %08X',0dh,0ah,
'edx: %08X',0
;---------------------------------------------------------------------------
;CLOAKxB -> cloaks x bytes instruction
CLOAK1B macro ;int.int
int 2dh
db 0cdh
endm
CLOAK2B macro ;int.ret
int 2dh
db 0c2h
endm
CLOAK3B macro ;int.enter
int 2dh
db 0c8h
endm
CLOAK4B macro ;int.call
int 2dh
db 0e8h
endm
;If you find some other 'cloaking' opcodes i.e. 5 or more bytes please send
;me e-mail ;-)
;---------------------------------------------------------------------------
;sample mov r32, val macro
MOV_REG macro reg1: REQ, val1:REQ, val2:REQ, val3:REQ, val4:REQ
int 2dh
int reg1 ;\
int val3 ; >mov eax, (val1)CD(val3)CD
int val1 ;/
int 2dh
;enter 78xxh, 90h ; mov al, val4
db 0c8h, reg1 - 8, val4, 90h
int 2dh
;enter 0xxc1h, 10h ; ror eax, 10h
db 0c8h, 0c1h, reg1 + 10h, 10h
int 2dh
;enter 34xxh, 90h ; mov al, val2
db 0c8h, reg1 - 8, val2, 90h
int 2dh
;enter 0xxc1h, 10h ; ror eax, 10h
db 0c8h, 0c1h, reg1 + 10h, 10h
endm
;---------------------------------------------------------------------------
MOV_EAX macro val1:REQ, val2:REQ, val3:REQ, val4:REQ
MOV_REG 0b8h, val1, val2, val3, val4
endm
MOV_EBX macro val1:REQ, val2:REQ, val3:REQ, val4:REQ
MOV_REG 0bbh, val1, val2, val3, val4
endm
MOV_ECX macro val1:REQ, val2:REQ, val3:REQ, val4:REQ
MOV_REG 0b9h, val1, val2, val3, val4
endm
MOV_EDX macro val1:REQ, val2:REQ, val3:REQ, val4:REQ
MOV_REG 0bah, val1, val2, val3, val4
endm
;---------------------------------------------------------------------------
.code
start:
assume fs:nothing
push offset _seh ;\
push fs:[0] ; > set SEH
mov fs:[0], esp ;/
int 2dh ; if debugger attached it will run normally,
; else we've got exception
nop
pop fs:[0] ;\ clear SEH
add esp, 4 ;/
;---------------------------------------------------------------------------
MOV_EAX 98h ,76h, 54h, 32h ; mov eax, 98765432h
MOV_EBX 12h, 34h, 56h, 78h ; mov ebx, 12345678h
MOV_ECX 0abh, 0cdh, 0efh, 0 ; mov ecx, 0abcdef00h
MOV_EDX 90h, 0efh, 0cdh, 0abh ; mov edx, 90efcdabh
;---------------------------------------------------------------------------
CLOAK1B
push edx
CLOAK1B
push ecx
CLOAK1B
push ebx
CLOAK1B
push eax
CLOAK4B
push offset _fmt
CLOAK4B
push offset _str
CLOAK4B
call wsprintf
CLOAK3B
add esp, 18h
CLOAK2B
push 0
CLOAK4B
push offset _str
CLOAK4B
push offset _str
CLOAK2B
push 0
CLOAK4B
call MessageBox
CLOAK2B
push 0
CLOAK2B
jmp _end2
;---------------------------------------------------------------------------
_seh:
; setting mini-debugger ;-)
push offset procinfo
push offset startinfo
push 0
push 0
push DEBUG_PROCESS
push 0
push 0
push 0
call GetCommandLine
push eax
push 0
call CreateProcess
_dbgloop:
push INFINITE
push offset debugEvt
call WaitForDebugEvent
cmp debugEvt.dwDebugEventCode, EXIT_PROCESS_DEBUG_EVENT
je _end
push DBG_CONTINUE
push debugEvt.dwThreadId
push debugEvt.dwProcessId
call ContinueDebugEvent
jmp _dbgloop
_end: push 0
_end2: call ExitProcess
end start
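As an added example (not part of ReWolf's file), the script below reconstructs the instruction stream that the int 2Dh trick really executes: since the kernel resumes one byte past `int 2dh` when a debugger is attached, a linear disassembler decodes the cloak byte as the start of a bogus instruction. The byte string is a constructed expansion of `MOV_EAX 98h,76h,54h,32h` followed by `CLOAK1B / push eax`, and the length decoder only knows the handful of opcodes the sample uses.

```python
# Added example (not from ReWolf's file): recover the instruction stream that
# the int 2Dh trick really executes. Under an attached debugger the kernel
# resumes one byte past `int 2dh` (CD 2D), so the byte after it is never run;
# a linear disassembler decodes it as the start of a bogus instruction instead.
from typing import List

# Lengths of the opcodes the sample uses (ModR/M-free forms only).
FIXED_LEN = {0x90: 1, 0x68: 5, 0x6A: 2, 0xE8: 5, 0xE9: 5, 0xEB: 2,  # nop/push/call/jmp
             0xC2: 3, 0xC8: 4, 0xCD: 2}                           # ret imm16/enter/int
FIXED_LEN.update({op: 1 for op in range(0x50, 0x58)})             # push r32
FIXED_LEN.update({op: 2 for op in range(0xB0, 0xB8)})             # mov r8, imm8
FIXED_LEN.update({op: 5 for op in range(0xB8, 0xC0)})             # mov r32, imm32

def insn_len(code: bytes, i: int) -> int:
    """Length of the instruction at code[i]; register-only ModR/M for 83/C1."""
    op = code[i]
    if op in FIXED_LEN:
        return FIXED_LEN[op]
    if op in (0x83, 0xC1) and code[i + 1] >> 6 == 3:   # add r32,imm8 ; ror r32,imm8
        return 3
    raise ValueError(f"unsupported opcode {op:#04x} at offset {i:#x}")

def decloak(code: bytes) -> List[bytes]:
    """Split code into the instructions executed with a debugger attached."""
    insns, i = [], 0
    while i < len(code):
        if code[i:i + 2] == b"\xcd\x2d":   # int 2dh + one cloak byte: both skipped
            i += 3
            continue
        n = insn_len(code, i)
        insns.append(code[i:i + n])
        i += n
    return insns

def emulate_eax(insns: List[bytes]) -> int:
    """Follow the MOV_REG macro's mov/ror sequence on eax to recover the constant."""
    eax = 0
    for ins in insns:
        if ins[0] == 0xB8:                          # mov eax, imm32
            eax = int.from_bytes(ins[1:5], "little")
        elif ins[0] == 0xB0:                        # mov al, imm8
            eax = (eax & 0xFFFFFF00) | ins[1]
        elif ins[:2] == b"\xc1\xc8":                # ror eax, imm8
            n = ins[2] % 32
            eax = ((eax >> n) | (eax << (32 - n))) & 0xFFFFFFFF
    return eax

# Constructed sample: MOV_EAX 98h,76h,54h,32h then CLOAK1B / push eax, written
# out as the macros in the file expand (assumed byte-for-byte).
SAMPLE = bytes.fromhex(
    "cd2d cdb8 cd54 cd98"      # int 2dh ; int 0b8h ; int 54h ; int 98h
    "cd2d c8b0 3290"           # int 2dh ; enter ... -> mov al, 32h ; nop
    "cd2d c8c1 c810"           # int 2dh ; enter ... -> ror eax, 10h
    "cd2d c8b0 7690"           # int 2dh ; enter ... -> mov al, 76h ; nop
    "cd2d c8c1 c810"           # int 2dh ; enter ... -> ror eax, 10h
    "cd2d cd50")               # CLOAK1B ; push eax

if __name__ == "__main__":
    for ins in decloak(SAMPLE):
        print(ins.hex(" "))
    print(f"eax = {emulate_eax(decloak(SAMPLE)):08X}")   # eax = 98765432
```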
Ugh..... I've been so busy lately, no time, the weather's been bad, my knee hurts.... and I've been drinking a lot too;;; so I haven't written anything^^;;; Here's one after a long while~~ haha
http://www.malware.lu/page/articles.html
A good site. I don't think I've ever seen a site that provides analysis information this well lol. This is what you call nice~~!!
Too lazy for screenshots, so skipping them~.....
Ah.... these days.... Python is the trend... and Delphi.... Delphi.... damn it, what garbage, argh!!!~_~ lol