Edited by Killpot, 23 October 2016 - 06:37 AM.
DL&E + UAC Bypass + Self Modifying Code - FASM + C# | 2.00 KB
Started By Killpot, Oct 21 2016 07:38 PM
#1
Posted 21 October 2016 - 07:38 PM
Yo.
So I've been getting into assembly lately and decided I wanted to make something practical, so I made a simple Download & Execute in MASM32, then made a builder for it in C#.
In hindsight, I could've made the builder in MASM as well, but the builder was more of an afterthought once I decided I wanted to release it.
Ended up remaking the stub in FASM.
How the builder works:
1: Enter direct URL to file
2: URL is parsed and inserted into the assembly file
3: Assembly file is built into an executable ready to go
How the assembly file works:
0.5: Decrypt emulation testing region
1: Use HeapAlloc to test if we're being emulated, and corrupt the stack frame to force a crash if we are
1.5: Decrypt real code
3: Load all the needed libs
4: Get the function addresses of all the functions - Using a different method now
5: Replace the registry key in HKEY_CLASSES_ROOT\mscfile\shell\open\command with our file path in temp
5: Create or use a key located at HKEY_CURRENT_USER\software\classes\mscfile\shell\open\command to our file path inside of temp
6: Start eventvwr.exe, which automatically launches the path in registry as admin
7: Restore registry values so we don't leave a trail
A small note that the file that is dropped onto the system needs to be the same platform as the computer, ex: 64 bit, 32 bit; AnyCPU doesn't seem to work.
That's about it. It's mostly FUD with only 2 4 (Seems this is getting around) 2 detections, one by Avira (for not creating a window (SUBSYSTEM:WINDOWS)), and one by some random AV called twistor, and as far as I can tell it's only because I have a lot of strings. It shouldn't be very hard to bypass the two, and I don't want to completely spoon feed, so you'll have to figure that one out for yourself :^).
Not going to release source on this one, because the people that I feel deserve the source can simply reverse the app. There's no obfuscation, so it should be a piece of cake for anyone competent.
Before memory decryption (if you can even call it that, just simple xor): [image]
Disassembler view: [image]
Gif of OllyDbg while it's decrypting itself: [image]
Fixed. Seemed to be a byproduct of setting the registry key in HKEY_CLASSES_ROOT
When you run the builder, it will output the executable to the same directory the builder is in, and it will be called "Assembly.exe". Also, the file is downloaded to the temp folder and named "NotSuspicious.exe".
Builder Scan - Calls it AdWare kek [image]
Yet another note: adding version info and an icon may also help with detections; I was too lazy to test.
Enjoy you filthy animals
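A defender-side check for the eventvwr.exe / mscfile handler hijack the post describes, added here as an example; it is not part of the original post or the author's tool. It assumes Sysmon-style events (ID 13 registry SetValue, ID 12 key delete, ID 1 process create) already parsed into dicts, and the sample events below are constructed.

```python
import re
from datetime import datetime, timedelta

# HKCU\Software\Classes is logged by Sysmon as HKU\<SID>\Software\Classes.
# The mscfile handler key is what eventvwr.exe resolves when it opens its .msc.
MSCFILE_CMD = re.compile(
    r"^HKU\\[^\\]+\\Software\\Classes\\mscfile\\shell\\open\\command$", re.I)
WINDOW = timedelta(minutes=5)  # how soon after the write eventvwr.exe must start

# Constructed sample events (not real telemetry): the hijack write, the
# eventvwr.exe launch two seconds later, the cleanup deletion (step 7 in the
# post), and an unrelated eventvwr.exe launch from Explorer later on.
EVENTS = [
    {"time": "2016-10-21T19:38:00", "id": 13, "image": r"C:\Users\bob\Downloads\Assembly.exe",
     "key": r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\mscfile\shell\open\command",
     "value": r"C:\Users\bob\AppData\Local\Temp\NotSuspicious.exe"},
    {"time": "2016-10-21T19:38:02", "id": 1, "image": r"C:\Windows\System32\eventvwr.exe",
     "parent": r"C:\Users\bob\Downloads\Assembly.exe"},
    {"time": "2016-10-21T19:38:03", "id": 12, "image": r"C:\Users\bob\Downloads\Assembly.exe",
     "key": r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\mscfile\shell\open\command"},
    {"time": "2016-10-21T20:10:00", "id": 1, "image": r"C:\Windows\System32\eventvwr.exe",
     "parent": r"C:\Windows\explorer.exe"},
]


def find_mscfile_hijacks(events, window=WINDOW):
    """Flag every user-hive write to mscfile\\shell\\open\\command and record
    whether eventvwr.exe (the trigger) started within `window` afterwards."""
    ordered = sorted(events, key=lambda e: e["time"])
    hits = []
    for i, ev in enumerate(ordered):
        if ev["id"] != 13 or not MSCFILE_CMD.match(ev.get("key", "")):
            continue  # the write itself is suspicious even if nothing follows
        t0 = datetime.fromisoformat(ev["time"])
        followed = False
        for later in ordered[i + 1:]:
            if datetime.fromisoformat(later["time"]) - t0 > window:
                break
            if later["id"] == 1 and later["image"].lower().endswith(r"\eventvwr.exe"):
                followed = True
                break
        hits.append({"writer": ev["image"], "command": ev["value"],
                     "time": ev["time"], "eventvwr_followed": followed})
    return hits


if __name__ == "__main__":
    for hit in find_mscfile_hijacks(EVENTS):
        print("mscfile handler hijack:", hit)
```

The cleanup delete (ID 12) does not hide the earlier write, so the detection still fires after the attacker "restores" the key.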
#2
Posted 22 October 2016 - 12:06 PM
#3
Posted 23 October 2016 - 06:38 AM
Big update on how I resolve functions. I was just doing it statically with the offset to the function from the base address of the library, but in hindsight that was a stupid idea and will have tons of compatibility issues. I've now switched to a different method that should work fine on any Windows system (that has access to LoadLibrary and GetProcAddress).
#5
Posted 02 November 2016 - 11:55 AM