DL&E + UAC Bypass + Self Modifying Code - FASM + C# | 2.00 KB



#1

Killpot
Yo.
 
So I've been getting into assembly lately and decided I wanted to make something practical, so I made a simple Download & Execute in MASM32, then made a builder for it in C#.
In hindsight, I could've made the builder in MASM as well, but the builder was more of an afterthought once I decided I wanted to release it.
 
Ended up remaking the stub in FASM.
 
How the builder works:
1: Enter direct URL to file
2: URL is parsed and inserted into the assembly file
3: Assembly file is built into an executable ready to go
 
How the assembly file works:
.5: Decrypt emulation testing region
1: Use HeapAlloc to test if we're being emulated, and corrupt the stack frame to force a crash if we are
1.5: Decrypt real code
3: Load all the needed libs
4: Get the function addresses of all the functions - Using a different method now
5: Replace the reg key in HKEY_CLASSES_ROOT\mscfile\shell\open\command to our file path in temp
5: Create or use a key located at HKEY_CURRENT_USER\software\classes\mscfile\shell\open\command to our file path inside of temp
6: start eventvwr.exe, which automatically launches the path in registry as admin
7: Restore registry values so we don't leave a trail
 
That's about it, it's mostly FUD with only 2 4 (Seems this is getting around) 2 detections, one by Avaira(For not creating a window(SUBSYSTEM:WINDOWS)), and one by some random AV called twistor, and as far as I can tell it's only because I have a lot of strings, it shouldn't be very hard to bypass the two, and I don't want to completely spoon feed, so you'll have to figure that one out for yourself :^).
 
Not going to release source on this one, because the people that I feel deserve the source can simply reverse the app, there's no obfuscation so it should be a piece of cake for anyone competent. 
 
Before memory decryption(if you can even call it that, just simple xor):
61c2a317be174b8bbc23c73c8b145640.png
 
Disassembler view:
c3a4bee7e512499f997dd4ed26a47641.png
 
Gif of OllyDbg while it's decrypting itself:
AqQW.gif
 
A small note that the file that is dropped onto the system needs to be the same platform as the computer, ex: 64 bit, 32 bit, AnyCPU doesn't seem to work.
Fixed. Seemed to be a byproduct of setting the registry key in HKEY_CLASSES_ROOT
 
When you run the builder, it will output the executable to the same directory the builder is in, and it will be called, "Assembly.exe", and also, the file is downloaded to the temp folder and named "NotSuspicious.exe"
 
Builder Scan - Calls it AdWare kek
 
Yet another note, Adding version info and an Icon may also help with detections, I was too lazy to test.
 
Enjoy you filthy animals

Edited by Killpot, 23 October 2016 - 06:37 AM.

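As an added, defender-side example (not code from the thread or its author), the PowerShell below audits the exact handler the post describes: a per-user mscfile\shell\open\command key under HKCU\Software\Classes, which overrides the machine-wide one when eventvwr.exe launches the mmc handler. The function name Test-MscfileHijack, the -Remediate switch and the "suspicious" heuristics (handler not launching mmc.exe, or pointing into Temp/AppData) are this example's own assumptions, not anything the post specifies.

```powershell
# Added defender-side check; not code from the thread or its author.
# A HKCU\Software\Classes\mscfile\shell\open\command key normally does not
# exist, and the machine-wide default under HKLM launches mmc.exe, so a
# present HKCU key, or any handler that does not run mmc.exe, is suspect.

function Test-MscfileHijack {
    [CmdletBinding()]
    param(
        # Opt-in: remove a flagged per-user override (assumed switch name).
        [switch]$Remediate
    )

    $targets = @(
        @{ Hive = 'HKCU'; Path = 'HKCU:\Software\Classes\mscfile\shell\open\command'; ExpectedToExist = $false },
        @{ Hive = 'HKLM'; Path = 'HKLM:\Software\Classes\mscfile\shell\open\command'; ExpectedToExist = $true }
    )

    foreach ($t in $targets) {
        $exists  = Test-Path -Path $t.Path
        $command = $null
        if ($exists) {
            # The handler command line is stored in the key's (default) value.
            $command = (Get-ItemProperty -Path $t.Path -ErrorAction SilentlyContinue).'(default)'
        }

        $reasons = @()
        if ($exists -and -not $t.ExpectedToExist) {
            $reasons += 'per-user override of the mscfile handler is present'
        }
        if ($command) {
            if ($command -notmatch '\\mmc\.exe') {
                $reasons += 'handler does not launch mmc.exe'
            }
            if ($command -match '\\(Temp|AppData)\\') {
                $reasons += 'handler points into a user-writable directory'
            }
        }

        [PSCustomObject]@{
            Hive       = $t.Hive
            Key        = $t.Path
            Exists     = $exists
            Command    = $command
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }

        # Only the per-user key is ever removed; the HKLM default stays untouched.
        if ($Remediate -and $exists -and -not $t.ExpectedToExist -and $reasons.Count -gt 0) {
            Remove-Item -Path 'HKCU:\Software\Classes\mscfile' -Recurse -Force
            Write-Warning "Removed per-user mscfile override at $($t.Path)"
        }
    }
}

Test-MscfileHijack | Format-Table -AutoSize
```

HKEY_CLASSES_ROOT is a merged view in which HKCU\Software\Classes takes precedence over HKLM\Software\Classes, which is why a key the current user can write without elevation changes what the auto-elevating eventvwr.exe ends up launching. For continuous monitoring rather than a point-in-time audit, the same two signals map onto Sysmon: Event ID 13 (registry value set) on a TargetObject ending in mscfile\shell\open\command, and Event ID 1 where the parent image is eventvwr.exe and the child is anything other than mmc.exe. Step 7 of the post (restoring the registry afterwards) is exactly why the event log, not the registry state, is the reliable place to look.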

#2

nickeljohn65

thanks for the update. i will love you if it works.


#3

Killpot

Big update on how I resolve functions, I was just doing it statically with the offset to the function from the base address of the library, but in hindsight that was a stupid idea and will have tons of compatibility issues, I've now switched to a different method that should work fine on any windows system (That has access to LoadLibrary and GetProcAddress).


#4

fox3

no need for builder if you just add string which can be done easy by adding it in the asm file and using batch for the fasm cmd which is simple


#5

riacom

Thank you for the share! ^^


#6

emreesrefpasali

test


#7

AdoceeCrypt

Thanks for the tool mate.


#8

TriLogy

Thanks for share :)


#9

pruned_51041567

Thanks for share bro :D


#10

n0x90

ty

 

