This is a proof of concept showing how a debugger can be confused by overwriting a RETN instruction with its own opcode (0xC3), which results in the debugger executing the code instead of trapping at the return address.
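; Overwrite RETN opcode
; Control Flow Obfuscation
; c0d3inj3cT
;
; Target : 32-bit Windows, MASM32 (masm32rt.inc).
; ABI    : Win32 API calls (invoke / call ecx) are stdcall, the callee pops
;          the arguments.  crt_* calls go to the C runtime and are cdecl,
;          so the caller must pop its own arguments (add esp, N).
; What the program does:
;   1. prints two banners,
;   2. resolves VirtualProtect from kernel32.dll at run time and makes the
;      region starting at nextaddr writable (PAGE_EXECUTE_READWRITE),
;   3. calls label1, which via label2 copies the single byte at label3
;      (the 0xC3 opcode of a RETN) over the RETN at label4, then returns,
;   4. prints 1 << 8 and exits.
;   Without a debugger step 3 rewrites 0xC3 with 0xC3, a no-op.  The
;   author's point is what a debugger observes when it has replaced the
;   byte at label3 with its own (see the comment at popad below).
; Detection notes: the observable artefacts are a call to VirtualProtect
;   on the process's own .code page, followed by a write into that page,
;   with VirtualProtect resolved through GetProcAddress instead of the
;   import table.
include \masm32\include\masm32rt.inc

PROTECT_SIZE    equ 0100h               ; bytes made writable, starting at nextaddr

.data
hMod            dd 0                    ; kernel32.dll module handle

.code
start:
    push    cfm$("RETN -- 0xc3 Overwrite\n")
    call    crt_printf
    add     esp, 4                      ; cdecl: pop the format-string argument
    push    cfm$("Make the code section writable\n")
    call    crt_printf
    add     esp, 4

    ; ebx = run-time address of nextaddr (call / pop idiom).  It is the base
    ; address handed to VirtualProtect so the region covers this code.
    call    nextaddr
nextaddr:
    pop     eax
    mov     ebx, eax

    ; esi = 4-byte heap buffer that receives the old protection value
    ; (lpflOldProtect).  It is never freed; ExitProcess reclaims it.
    push    4
    call    crt_malloc
    add     esp, 4                      ; cdecl
    mov     esi, eax

    ; Resolve VirtualProtect at run time rather than through the import table.
    invoke  LoadLibrary, chr$("kernel32.dll")
    mov     hMod, eax
    invoke  GetProcAddress, hMod, chr$("VirtualProtect")
    mov     ecx, eax
    test    ecx, ecx
    jz      fail                        ; NULL: lookup failed, nothing to call

    ; VirtualProtect(nextaddr, PROTECT_SIZE, PAGE_EXECUTE_READWRITE, &old)
    ; stdcall: push right-to-left, callee cleans the stack.
    push    esi
    push    PAGE_EXECUTE_READWRITE
    push    PROTECT_SIZE
    push    ebx
    call    ecx
    test    eax, eax
    jz      fail                        ; 0 = failure; the write into .code would fault

    pushad
    push    cfm$("Enter the proof of concept routine\n")
    call    crt_printf
    add     esp, 4                      ; restore esp to where pushad left it,
                                        ; otherwise popad restores shifted values
    call    label1
    popad                               ; Debugger will not trap here and instead execute the code

    mov     eax, 01h
    shl     eax, 08h                    ; eax = 1 << 8 = 0x100
    push    eax
    push    cfm$("2 ^ 8 is: %#0x\n")
    call    crt_printf
    add     esp, 8                      ; cdecl: two arguments
    invoke  ExitProcess, 0

fail:
    push    cfm$("VirtualProtect could not be resolved or failed\n")
    call    crt_printf
    add     esp, 4
    invoke  ExitProcess, 1

;---------------------------------------------------------------------------
; label1: entry of the PoC routine.  Calls label2; label2 returns to label3,
;         whose RETN returns to label1's caller.
; label2: eax = popped return address = run-time address of label3.
;         eax - offset label3 is the relocation delta (0 when the image is
;         loaded at its link-time base), so [eax+label3] and [eax+label4]
;         are the run-time addresses of the two RETN bytes.  One byte is
;         copied from label3 to label4 before label4 is executed.
; Clobbers: eax, ecx, esi, edi (the caller sits inside pushad/popad).
;---------------------------------------------------------------------------
label1:
    call    label2
label3:
    retn
label2:
    pop     eax
    sub     eax, offset label3
    lea     esi, dword ptr [eax+label3] ; src = the RETN byte at label3
    lea     edi, dword ptr [eax+label4] ; dst = the RETN byte at label4
    mov     ecx, 1
    rep movs byte ptr [edi], byte ptr [esi]
label4:
    retn
end start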