Predict original entry point with ASLR (NT based OS)


Post by radiactivo on Mon Aug 01, 2016 8:46 pm

Hello,

Lately I've been improving my knowledge of PE files. I developed a simple virus (with and for academic purposes) that injects code into an executable file and self-replicates when the infected file is executed. The project started on Windows XP, and I went on through different versions up to Windows 10. It works perfectly. It replicates itself, and so do the children.

The problem comes when the infected file was compiled with the ASLR flag. The calculation of ImageBase + OriginalEntryPoint for reaching where the normal code should start does not work.

So here comes the question: can someone put me on the path (with papers, articles, whatever...) to implementing the solution? Because I guess that this issue has been solved by someone before.

Thanks in advance.


Re: Predict original entry point with ASLR (NT based OS)

Post by amstilllearning on Tue Aug 02, 2016 2:31 am

Hi,

AFAIK you should read about possible ASLR bypass methods.
(Sometimes not all libs are ASLR'ed.)

I know that this can help with exploit writing. I have never tried to use this technique for writing malware,
but maybe it will help you.

If you have any questions, PM me.


Re: Predict original entry point with ASLR (NT based OS)

Post by radiactivo on Tue Aug 02, 2016 3:11 pm

Hehe, really simple answer but effective :D
Just typing "aslr bypass" in Google was enough.
Thanks!


Re: Predict original entry point with ASLR (NT based OS)

Post by e3cb on Tue Aug 02, 2016 5:04 pm

If you want, shoot me a PM and we can chat about shellcoding in general <3
<3 FF E4 <3
Do you even asm bruh?


