[ Vojislav Milunovic @ 11.02.2005. 01:08 ] @
Code:
.586
.model flat, stdcall
locals
jumps
null equ 0
MB_OK equ 0
; widen the NUL-terminated ANSI string at esi into UTF-16 at edi, NUL included
@ansi2unicode macro
xor eax, eax          ; ah stays 0, so every stosw stores 00xx
lodsb
stosw
test al, al
jnz $-5               ; back to lodsb (lodsb 1 + stosw 2 + test 2 = 5 bytes)
endm
; both lengths are in bytes: len excludes the terminating NUL, maxlen includes it
UNICODE_STRING STRUCT
len dw ?
maxlen dw ?
buff dd ?
UNICODE_STRING ENDS
ANSI_STRING STRUCT
len dw ?
maxlen dw ?
buff dd ?
ANSI_STRING ENDS
extrn ExitProcess:proc
extrn RtlInitUnicodeString:proc   ; these four come from ntdll
extrn RtlInitAnsiString:proc
extrn LdrLoadDll:proc
extrn LdrGetProcedureAddress:proc
.data
ansiDll db "user32.dll",0
unicodeDll db ($-ansiDll)*2 dup (0)   ; room for the UTF-16 copy, NUL included
hDll dd ?
ahUnicode UNICODE_STRING <>
ahAnsi ANSI_STRING <>
mBox db "MessageBoxA",0
pMessageBoxA dd ?
mText db "LdrLoadDll sucks big time",13, 10   ; CR LF
db "LdrGetProcedureAddress tooooooo",0
mTitle db "LdrLoadDll",0
.code
start:
mov esi, offset ansiDll
mov edi, offset unicodeDll
@ansi2unicode
call RtlInitUnicodeString, offset ahUnicode, offset unicodeDll   ; fills len/maxlen/buff
call LdrLoadDll, null, null, offset ahUnicode, offset hDll
call RtlInitAnsiString, offset ahAnsi, offset mBox
call LdrGetProcedureAddress, hDll, offset ahAnsi, null, offset pMessageBoxA
call pMessageBoxA, null, offset mText, offset mTitle, MB_OK   ; indirect call through the pointer
call ExitProcess, null
end start
And it took me 2 hours to figure out that these two APIs from ntdll don't want just "unicode" but want UNICODE_STRING and ANSI_STRING structures; oh god, god, if only I could strangle that Bill Gates, just gently squeeze my hands around his neck...
[ Vojislav Milunovic @ 11.02.2005. 01:37 ] @
Now a slightly nicer and more elegant solution; I've now seen what these RtlInitW/AString do and I'm giving much nicer code =))
Code:
.586
.model flat, stdcall
locals
jumps
null equ 0
MB_OK equ 0
@ansi2unicode macro      ; widen the ANSI string at esi to UTF-16 at edi, NUL included
xor eax, eax
lodsb
stosw
test al, al
jnz $-5
endm
; UNICODE_STRING and ANSI_STRING share this layout: len and maxlen are in bytes,
; len without the terminating NUL, maxlen with it
AU_STRING STRUCT
len dw ?
maxlen dw ?
buff dd ?
AU_STRING ENDS
extrn ExitProcess:proc
extrn LdrLoadDll:proc
extrn LdrGetProcedureAddress:proc
.data
ansiDll db "user32.dll",0
szlen equ $-ansiDll          ; 11: ten characters plus the NUL
unicodeDll db szlen*2 dup (0)
hDll dd ?
ahUnicode AU_STRING <>
ahAnsi AU_STRING <>
mBox db "MessageBoxA",0
szmbox equ $-mBox            ; 12: eleven characters plus the NUL
pMessageBoxA dd ?
mText db "LdrLoadDll sucks big time",13, 10   ; CR LF
db "LdrGetProcedureAddress tooooooo",0
mTitle db "LdrLoadDll",0
.code
start:
mov esi, offset ansiDll
mov edi, offset unicodeDll
@ansi2unicode
; what RtlInitUnicodeString would have filled in
mov ahUnicode.len, (szlen-1)*2
mov ahUnicode.maxlen, szlen*2
push offset unicodeDll
pop ahUnicode.buff
call LdrLoadDll, null, null, offset ahUnicode, offset hDll
; what RtlInitAnsiString would have filled in (the function name's length, not the DLL name's)
mov ahAnsi.len, szmbox-1
mov ahAnsi.maxlen, szmbox
push offset mBox
pop ahAnsi.buff
call LdrGetProcedureAddress, hDll, offset ahAnsi, null, offset pMessageBoxA
call pMessageBoxA, null, offset mText, offset mTitle, MB_OK
call ExitProcess, null
end start
[ Sundance @ 11.02.2005. 01:37 ] @
:)
Well, under NT "unicode" means a structure like UNICODE_STRING; the documentation tells you nicely what each API takes:
Code:
NTSYSAPI
NTSTATUS
NTAPI
LdrLoadDll(
IN PWCHAR PathToFile OPTIONAL,
IN ULONG Flags OPTIONAL,
IN PUNICODE_STRING ModuleFileName,
OUT PHANDLE ModuleHandle );
NTSYSAPI
NTSTATUS
NTAPI
LdrGetProcedureAddress(
IN HMODULE ModuleHandle,
IN PANSI_STRING FunctionName OPTIONAL,
IN WORD Ordinal OPTIONAL,
OUT PVOID *FunctionAddress );
I mean... you didn't do a disasm and then GUESS what each function takes, did you? :>
But this is still mercy from God. After 3 hours I've finally figured out Panda's heuristics: they detect those hardcoded addresses in that "universal" getK32 function of mine. Psmtr. I still have Symantec left, which detects via signature.
You can check the result directly. I change 5 instructions at a time, send it to virustotal and stare at the wall for 10 min :P
Cat and mouse game :>
[ Vojislav Milunovic @ 11.02.2005. 01:42 ] @
I know, brother, that's how it is, but I see UNICODE plainly and think "just unicode" =) And what on earth does it need this maxlen, len for =)
Set them to the same thing and it works fine =)
The way they complicate things, that deserves a slap =)
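The len/maxlen convention that the second code post and the reply above wrestle with, as an added example in portable C (not code from the thread): it hand-declares the same struct layout, reimplements the @ansi2unicode widening loop with a bounds check, and fills the strings the way RtlInitUnicodeString/RtlInitAnsiString do. The struct and function names are the example's own, and no Windows headers are needed, so it builds anywhere.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of the thread's UNICODE_STRING / ANSI_STRING (hand-declared, no Windows
   headers). Both lengths are in BYTES: Length excludes the NUL, MaximumLength includes it. */
typedef struct { uint16_t Length, MaximumLength; uint16_t *Buffer; } UNICODE_STRING;
typedef struct { uint16_t Length, MaximumLength; char     *Buffer; } ANSI_STRING;
static uint16_t wide_buf[64];   /* scratch output, like the thread's unicodeDll */

/* Same job as the thread's @ansi2unicode macro (xor eax,eax / lodsb / stosw loop): zero-extend
   each byte to one 16-bit unit, NUL included. Returns bytes written, or 0 if src does not fit. */
size_t ansi2unicode(const char *src, uint16_t *dst, size_t dst_units)
{
    size_t i = 0;
    do {
        if (i >= dst_units) return 0;
        dst[i] = (uint8_t)src[i];
    } while (src[i++] != '\0');
    return i * sizeof(uint16_t);
}

/* What RtlInitUnicodeString does for the caller: no copy, it points Buffer at the wide
   string and fills in both lengths (Length = bytes without the 2-byte NUL). */
UNICODE_STRING unicode_from_ansi(const char *ansi)
{
    UNICODE_STRING us = {0, 0, NULL};
    size_t bytes = ansi2unicode(ansi, wide_buf, sizeof wide_buf / sizeof wide_buf[0]);
    if (bytes == 0) return us;               /* too long: hand back an empty string */
    us.Length        = (uint16_t)(bytes - 2);
    us.MaximumLength = (uint16_t)bytes;
    us.Buffer        = wide_buf;
    return us;
}

/* What RtlInitAnsiString does: Length = strlen, MaximumLength = strlen + 1. */
ANSI_STRING ansi_string(const char *s)
{
    ANSI_STRING as = { (uint16_t)strlen(s), (uint16_t)(strlen(s) + 1), (char *)s };
    return as;
}
int main(void)
{
    UNICODE_STRING us = unicode_from_ansi("user32.dll");   /* constructed sample input */
    ANSI_STRING    as = ansi_string("MessageBoxA");
    printf("UNICODE_STRING Length=%hu MaximumLength=%hu\n", us.Length, us.MaximumLength);
    printf("ANSI_STRING    Length=%hu MaximumLength=%hu\n", as.Length, as.MaximumLength);
    return 0;
}
```

For "user32.dll" this gives Length 20 and MaximumLength 22, i.e. the values RtlInitUnicodeString produces, rather than the 22/22 the shortcut in the second post stores.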
[ weB_KiLeR @ 11.02.2005. 11:43 ] @
They botched it a bit, but it works ;)
[ Vojislav Milunovic @ 11.02.2005. 21:03 ] @
A bit? A bit more than a bit =)