c0d3inj3cT
c0d3inj3cT
/ rop.c
Last active
December 24, 2015 06:59
This code can be used to extract opcodes corresponding to ROP gadgets in a shellcode. It detects whether the DWORD is a ROP gadget or a parameter to the ROP gadget. The new file created by this code can be loaded in IDA Pro to analyze the ROP shellcode.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <windows.h> | |
| #include <psapi.h> | |
| // Compile this code using: cl /TC rop.c /link psapi.lib | |
| int main(int argc, char **argv) | |
| { | |
| FILE *fp; | |
| FILE *rop; |
c0d3inj3cT
/ processinjector.c
Last active
December 28, 2015 13:49
This program can be used to test code injection in a remote process on Windows x86.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| This code can be used to test the code injection in a remote process | |
| The CPU usage will be at its peak after running this code | |
| as a result of injecting the bytes, 0xeb, 0xfe into the remote process | |
| If you get a high CPU usage for the remote process, you have successfully | |
| injected the code. You can also confirm it by attaching a debugger to the | |
| remote process and setting a breakpoint at the return address of VirtualAllocEx() | |
| c0d3inj3cT | |
| */ |
c0d3inj3cT
/ unpacker.asm
Created
November 20, 2013 05:51
I have written an example of decrypting the stage 1 of custom packer used in Win32/Injector. Its polymorphic engine makes use of a lot of junk instructions. However, the decryption routine is not complicated. I have extracted the encrypted code from stage 1 and written this program to decrypt it. It uses a 4 byte ADD key as the decryption key. I…
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ; decryption routine for Stage 1 of the custom packer used in Win32/Injector virus | |
| ; c0d3inj3cT | |
| include \masm32\include\masm32rt.inc | |
| .data | |
| Message db "decryption stage1 completed!",0 | |
| .code |
c0d3inj3cT
/ iat.c
Created
November 20, 2013 06:01
This code can be used for hooking the IAT. In this particular example, I overwrite the function pointer of Sleep() imported from Kernel32.dll in the IAT of the main executable image. Sleep function is called two times in the code, both before and after hooking the IAT to confirm that it was hooked successfully.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| This code will hook the IAT by overwriting the function pointer of Sleep() imported from Kernel32.dll | |
| It can be modified to hook any other function in the IAT | |
| */ | |
| #include <stdio.h> | |
| #include <windows.h> | |
| void spoofedfunction(DWORD); |
c0d3inj3cT
/ wmtimer.asm
Last active
October 18, 2017 05:29
This code demonstrates the method used by the virus family, Win32/Gepys to introduce delay in execution before invoking the malicious code.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ; Below are the first few lines of code of the Window Procedure: | |
| 00402680 55 PUSH EBP | |
| 00402681 8BEC MOV EBP,ESP | |
| 00402683 83E4 F8 AND ESP,FFFFFFF8 | |
| 00402686 83EC 4C SUB ESP,4C | |
| 00402689 A1 04A04000 MOV EAX,DWORD PTR DS:[40A004] | |
| 0040268E 33C4 XOR EAX,ESP | |
| 00402690 894424 48 MOV DWORD PTR SS:[ESP+48],EAX | |
| 00402694 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C] ; window message code |
c0d3inj3cT
/ hookdetect.c
Last active
January 2, 2022 04:20
This pintool was written to detect the API hooks by checking the calls to VirtualProtect() that mark the memory region of Win32 APIs as PAGE_EXECUTE_READWRITE. This method is often used in API hooking.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Pintool to detect API hooks in a process | |
| c0d3inj3cT | |
| */ | |
| #include <stdio.h> | |
| #include <iostream> | |
| #include "pin.H" | |
| int i=0; |
c0d3inj3cT
/ hookapi.asm
Last active
July 27, 2022 19:43
API hooking code in Assembly from Win32/Gepys
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ESI - Function Pointer | |
| EDI - Buffer | |
| 00C816F9 803E E9 CMP BYTE PTR DS:[ESI],0E9 ; check if the first instruction of API is a jump instruction | |
| 00C816FC 75 09 JNZ SHORT 00C81707 | |
| 00C816FE 8B46 01 MOV EAX,DWORD PTR DS:[ESI+1] | |
| 00C81701 8D4430 05 LEA EAX,DWORD PTR DS:[EAX+ESI+5] | |
| 00C81705 EB 12 JMP SHORT 00C81719 | |
| 00C81707 8D46 05 LEA EAX,DWORD PTR DS:[ESI+5] ; point eax to the 5th byte of the function | |
| 00C8170A A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; store 5 bytes from the function into the buffer |
c0d3inj3cT
/ vmware-detect.c
Created
December 11, 2013 05:08
This code will scan the process address space of csrss.exe for the string, "MS_VM_CERT". It is the OEM String of VMWare present in the SMBIOS structures.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Detect VMWare using OEM String in Memory | |
| Tested on Windows XP SP3/VMWare Workstation 7.1.0 | |
| c0d3inj3cT | |
| */ | |
| #include <windows.h> | |
| #include <stdio.h> | |
| #define MARKER "MS_VM_CERT" |
c0d3inj3cT
/ retn_overwrite.asm
Created
January 4, 2014 10:07
This is a proof of concept to show how the debugger can be confused by overwriting the RETN instruction with its own opcode (0xc3) which will result in the debugger executing the code instead of trapping into the return address.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ; Overwrite RETN opcode | |
| ; Control Flow Obfuscation | |
| ; c0d3inj3cT | |
| include \masm32\include\masm32rt.inc | |
| .data | |
| hMod dd 0 | |
| .code |
c0d3inj3cT
/ instrace.cpp
Last active
January 4, 2021 21:13
This pintool was written to identify interesting sequence of instructions which are often used by malwares to either obfuscate the control flow, to be position independent, to identify virtual machine, to perform anti debugging tricks, usage of encryption and decryption routines.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Instruction Tracer to identify | |
| interesting sequence of instructions | |
| in malwares. | |
| c0d3inj3cT | |
| */ | |
| #include <stdio.h> | |
| #include <iostream> |
OlderNewer