DL&E + UAC Bypass + Self Modifying Code - FASM + C# | 2.00 KB



#1
Killpot (Member) | Rep: 2 | Likes: 27
Posts: 31 | Threads: 17 | Joined: Jan 22, 2016 | Credits: 0 | Four years registered
Yo.
 
So I've been getting into assembly lately and decided I wanted to make something practical, so I made a simple Download & Execute in MASM32, then made a builder for it in C#.
In hindsight, I could've made the builder in MASM as well, but the builder was more of an afterthought once I decided I wanted to release it.
 
Ended up remaking the stub in FASM.
 
How the builder works:
1: Enter direct URL to file
2: URL is parsed and inserted into the assembly file
3: Assembly file is built into an executable ready to go
 
How the assembly file works:
.5: Decrypt emulation testing region
1: Use HeapAlloc to test if we're being emulated, and corrupt the stack frame to force a crash if we are
1.5: Decrypt real code
3: Load all the needed libs
4: Get the function addresses of all the functions - Using a different method now
5: Replace the regex key in HKEY_CLASSES_ROOT\mscfile\shell\open\command to our file path in temp
5: Create or use a key located at HKEY_CURRENT_USER\software\classes\mscfile\shell\open\command to our file path inside of temp
6: start eventvwr.exe, which automatically launches the path in registry as admin
7: Restore registry values so we don't leave a trail
 
That's about it. It's mostly FUD with only 2 4 (seems this is getting around) 2 detections: one by Avaira (for not creating a window (SUBSYSTEM:WINDOWS)), and one by some random AV called twistor, and as far as I can tell it's only because I have a lot of strings. It shouldn't be very hard to bypass the two, and I don't want to completely spoon-feed, so you'll have to figure that one out for yourself :^).
 
Not going to release source on this one, because the people that I feel deserve the source can simply reverse the app, there's no obfuscation so it should be a piece of cake for anyone competent. 
 
Before memory decryption(if you can even call it that, just simple xor):
61c2a317be174b8bbc23c73c8b145640.png
 
Disassembler view:
c3a4bee7e512499f997dd4ed26a47641.png
 
Gif of OllyDbg while it's decrypting itself:
AqQW.gif
 
A small note that the file that is dropped onto the system needs to be the same platform as the computer, ex: 64 bit, 32 bit, AnyCPU doesn't seem to work.
Fixed. Seemed to be a byproduct of setting the registry key in HKEY_CLASSES_ROOT
 
When you run the builder, it will output the executable to the same directory the builder is in, and it will be called, "Assembly.exe", and also, the file is downloaded to the temp folder and named "NotSuspicious.exe"
 
Builder Scan - Calls it AdWare kek
 
Yet another note, Adding version info and an Icon may also help with detections, I was too lazy to test.
 
Enjoy you filthy animals

Edited by Killpot, 23 October 2016 - 06:37 AM.

  • 4
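A defender-side view of steps 5 to 7 above, as an added example that is not part of the thread or the tool: Python that scans constructed Sysmon-style event records (field names and sample values are assumed) for the chain of a write to the mscfile open command, eventvwr.exe starting shortly after, and the key being deleted again.

```python
import re
from collections import defaultdict

# Matches the hijacked handler in any hive: HKCR, HKCU\Software\Classes,
# or HKU\<sid>\Software\Classes as Sysmon reports it.
MSCFILE_CMD = re.compile(r"\\mscfile\\shell\\open\\command$", re.IGNORECASE)

# Constructed sample events, not real telemetry: (timestamp, sysmon_event_id, fields).
# Sysmon IDs: 1 = process create, 12 = registry key create/delete, 13 = value set.
SAMPLE_EVENTS = [
    (10, 13, {"user": "HOST\\alice", "type": "SetValue",
              "target": r"HKU\S-1-5-21-1\Software\Classes\mscfile\shell\open\command",
              "details": r"C:\Users\alice\AppData\Local\Temp\NotSuspicious.exe"}),
    (12, 1, {"user": "HOST\\alice", "image": r"C:\Windows\System32\eventvwr.exe",
             "parent": r"C:\Users\alice\AppData\Local\Temp\Assembly.exe"}),
    (13, 12, {"user": "HOST\\alice", "type": "DeleteKey",
              "target": r"HKU\S-1-5-21-1\Software\Classes\mscfile\shell\open\command"}),
    (50, 1, {"user": "HOST\\bob", "image": r"C:\Windows\System32\eventvwr.exe",
             "parent": r"C:\Windows\explorer.exe"}),  # benign: no prior mscfile write
]


def detect_mscfile_hijack(events, window=60):
    """Return one finding per user whose events show a write to the mscfile
    open command followed by eventvwr.exe starting within `window` seconds.
    A later deletion of the key is recorded as cleanup (the 'restore' step),
    so the finding survives even though the registry no longer shows it."""
    state = defaultdict(dict)  # per-user progress through the chain
    findings = []
    for ts, eid, f in sorted(events, key=lambda e: e[0]):
        s = state[f["user"]]
        if eid == 13 and MSCFILE_CMD.search(f["target"]):
            s["set_ts"], s["payload"] = ts, f["details"]
        elif eid == 1 and f["image"].lower().endswith("\\eventvwr.exe"):
            if "set_ts" in s and ts - s["set_ts"] <= window:
                s["finding"] = {"user": f["user"], "payload": s["payload"],
                                "launcher": f["parent"], "cleanup": False}
                findings.append(s["finding"])
        elif eid == 12 and f.get("type") == "DeleteKey" and MSCFILE_CMD.search(f["target"]):
            if "finding" in s:
                s["finding"]["cleanup"] = True
    return findings


if __name__ == "__main__":
    for hit in detect_mscfile_hijack(SAMPLE_EVENTS):
        print(hit)
```

The eventvwr.exe launch by itself is normal administrator activity; the value-set on the mscfile handler immediately before it is what separates the hijack from a user opening Event Viewer.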

#2
nickeljohn65 (Lurker) | Rep: 0 | Likes: 0
Posts: 8 | Threads: 0 | Joined: Oct 20, 2016 | Credits: 0 | Four years registered

Thanks for the update. I will love you if it works.


  • 0

#3
Killpot (Member) | Rep: 2 | Likes: 27
Posts: 31 | Threads: 17 | Joined: Jan 22, 2016 | Credits: 0 | Four years registered

Big update on how I resolve functions. I was just doing it statically with the offset to the function from the base address of the library, but in hindsight that was a stupid idea and will have tons of compatibility issues. I've now switched to a different method that should work fine on any Windows system (that has access to LoadLibrary and GetProcAddress).


  • 0

#4
fox3 (New Member) | Rep: 0 | Likes: 0
Posts: 22 | Threads: 0 | Joined: Jul 04, 2016 | Credits: 0 | Four years registered

No need for a builder if you just add the string, which can be done easily by adding it in the asm file and using batch for the fasm cmd, which is simple.


  • 0

#5
riacom (New Member) | Rep: 0 | Likes: 0
Posts: 21 | Threads: 0 | Joined: Nov 02, 2016 | Credits: 0 | Four years registered

Thank you for the share! ^^


  • 0

#6
emreesrefpasali (Member) | Rep: 0 | Likes: 0
Posts: 40 | Threads: 0 | Joined: Dec 27, 2016 | Credits: 0 | Three years registered

test


  • 0

#7
AdoceeCrypt (Working on a botnet) | Rep: 0 | Likes: 36
Posts: 608 | Threads: 17 | Joined: Feb 17, 2016 | Credits: 0 | Four years registered

Thanks for the tool mate.


  • 0

#8
TriLogy (Advanced Member) | Rep: 0 | Likes: 4
Posts: 85 | Threads: 0 | Joined: Sep 07, 2015 | Credits: 0 | Four years registered

Thanks for share :)


  • 1

#9
pruned_51041567 (Addicted) | Rep: 0 | Likes: 0
Posts: 244 | Threads: 1 | Joined: Oct 15, 2016 | Credits: 0 | Four years registered

Thanks for share bro :D


  • 0

#10
n0x90 (New Member) | Rep: 0 | Likes: 0
Posts: 17 | Threads: 0 | Joined: Feb 23, 2016 | Credits: 0 | Four years registered

ty

  • 0