DL&E + UAC Bypass + Self Modifying Code - FASM + C# | 2.00 KB

[Killpot]

Yo.

 

So I've been getting into assembly lately and decided I wanted to make something practical, so I made a simple Download & Execute in MASM32, then made a builder for it in C#.

In hindsight, I could've made the builder in MASM as well, but the builder was more of an afterthought once I decided I wanted to release it.

 

Ended up remaking the stub in FASM.

 

How the builder works:

1: Enter direct URL to file

2: URL is parsed and inserted into the assembly file

3: Assembly file is built into an executable ready to go

 

How the assembly file works:

.5: Decrypt emulation testing region

1: Use HeapAlloc to test if we're being emulated, and corrupt the stack frame to force a crash if we are

1.5: Decrypt real code

3: Load all the needed libs

4: Get the function addresses of all the functions - Using a different method now

5: Replace the regex key in HKEY_CLASSES_ROOT\\mscfile\\shell\\open\\command to our file path in temp

5: Create or use a key located at HKEY_CURRENT_USER\software\classes\mscfile\shell\open\command to our file path inside of temp

6: start eventvwr.exe, which automatically launches the path in registry as admin

7: Restore registry values so we don't leave a trail

 

That's about it, it's mostly FUD with only 2 4 (Seems this is getting around) 2 detections, one by Avaira(For not creating a window(SUBSYSTEM:WINDOWS)), and one by some random AV called twistor, and as far as I can tell it's only because I have a lot of strings, it shouldn't be very hard to bypass the two, and I don't want to completely spoon feed, so you'll have to figure that one out for yourself :^).

 

Not going to release source on this one, because the people that I feel deserve the source can simply reverse the app, there's no obfuscation so it should be a piece of cake for anyone competent. 

 

Before memory decryption(if you can even call it that, just simple xor):

 

Disassembler view:

 

Gif of OllyDbg while it's decrypting itself:

 

A small note that the file that is dropped onto the system needs to be the same platform as the computer, ex: 64 bit, 32 bit, AnyCPU doesn't seem to work.

Fixed. Seemed to be a byproduct of setting the registry key in HKEY_CLASSES_ROOT

 

When you run the builder, it will output the executable to the same directory the builder is in, and it will be called, "Assembly.exe", and also, the file is downloaded to the temp folder and named "NotSuspicious.exe"

 

Hidden Content
You'll be able to see the hidden content once you reply to this topic or upgrade your account.

Stub Scan

Builder Scan - Calls it AdWare kek

 

Yet another note, Adding version info and an Icon may also help with detections, I was too lazy to test.

 

Enjoy you filthy animals

Edited by Killpot, 23 October 2016 - 06:37 AM.

[nickeljohn65]

thanks for the update. i will love you if it works.

[Killpot]

Big update on how I resolve functions, I was just doing it statically with the offset to the function from the base address of the library, but in hindsight that was a stupid idea and will have tons of compatibility issues, I've now switched to a different method that should work fine on any windows system (That has access to LoadLibrary and GetProcAddress).

[fox3]

no need for builder if you just add string wich can be done easy by adding it in the asm file and using batch for the fasm cmd wich is simple

[riacom]

Thank you for the share! ^^

[emreesrefpasali]

test

[AdoceeCrypt]

Thanks for the tool mate.

[TriLogy]

Thanks for share

[pruned_51041567]

Thanks for share bro

[n0x90]

ty