Maldev for fun and stealth

 

Kylm ft MrNoodle

Summary

  • More depth in Win32Api
  • Avoid detection
  • Don't let people debug you
  • Analysis of a real "malware"

More depth in Win32Api

quésakpo

Syscalls / NtApi

Why it's not good opsec

Direct syscall

Catch Direct syscall

Indirect syscall

Avoid detection

VEH

VEH Syscall


/*
 * Vectored exception handler behind the "VEH syscall" slide.
 *
 * On EXCEPTION_ACCESS_VIOLATION it rewrites the faulting thread's context so
 * that execution resumes at g_syscall_addr (a global defined elsewhere, not
 * visible here) instead of re-executing the faulting instruction.  On
 * EXCEPTION_BREAKPOINT it resumes without touching the context.  Every other
 * exception is passed on to the next handler.
 *
 * Review notes, taken from the code rather than the slides:
 *  - The access-violation branch checks only the exception code, never the
 *    faulting address, so any access violation in the process - including
 *    a genuine bug - is silently redirected.
 *  - Registration of the handler (presumably AddVectoredExceptionHandler) is
 *    not shown; that registration and the access-violation / breakpoint
 *    traffic it relies on are what a defender can observe.
 */
LONG CALLBACK VectoredExceptionHandler(EXCEPTION_POINTERS* ExceptionInfo) {
	if (ExceptionInfo->ExceptionRecord->ExceptionCode == EXCEPTION_ACCESS_VIOLATION) {
		//	printf("Access violation detected! so i doo magic things \n");

		/* R10 takes the first-argument register RCX (the same shuffle an
		 * ntdll syscall stub performs) and RAX receives the faulting RIP.
		 * What the code at g_syscall_addr expects in RAX is not visible here. */
		ExceptionInfo->ContextRecord->R10 = ExceptionInfo->ContextRecord->Rcx;
		ExceptionInfo->ContextRecord->Rax = ExceptionInfo->ContextRecord->Rip;

		/* Must stay after the Rax assignment above, which reads the old Rip. */
		ExceptionInfo->ContextRecord->Rip = g_syscall_addr;

		return EXCEPTION_CONTINUE_EXECUTION;



	}
	if (ExceptionInfo->ExceptionRecord->ExceptionCode == EXCEPTION_BREAKPOINT) {
		/* Breakpoint exceptions are swallowed.  Rip is not adjusted, so whether
		 * execution resumes at or past the breakpoint depends entirely on the
		 * Rip value the context already carries - NOTE(review): confirm. */

		return EXCEPTION_CONTINUE_EXECUTION;
	}




	return EXCEPTION_CONTINUE_SEARCH;
}

CallStack spoofing

CallStack spoofing

Text

CallStack spoofing

/*
 * Entry point of the "CallStack spoofing" demo.  NtAllocateVirtualMemory is
 * not called from here; the call is made by WorkCallback (an assembly routine
 * defined elsewhere) running as a thread-pool work item, so the allocating
 * call originates on a pool worker thread.  main() then waits for the
 * allocation to appear, copies a string into it and prints it.
 *
 * NTALLOCATEVIRTUALMEMORY_ARGS, TPALLOCWORK, TPPOSTWORK, TPRELEASEWORK and
 * the okay() logger are declared elsewhere in the project.
 */
int main(void) {
    PVOID pAddress = NULL;                 /* written by the work item, read here */
    PTP_WORK WorkReturn = NULL;
    unsigned char ecole[] = "Hello 2600 from custom callstack";
    SIZE_T sEcole = 0x10000;               /* requested region size, 64 KiB */
    HANDLE hProcess = GetCurrentProcess(); /* pseudo-handle, i.e. (HANDLE)-1 */
    DWORD dwBytesWritten = 0;              /* unused: only the commented-out WriteProcessMemory refers to it */
    /* Argument block handed to WorkCallback.  The assembly reads it at fixed
     * offsets, so the struct's field order (declared elsewhere) and the order
     * of the assignments below must agree - cannot be confirmed from this file. */
    NTALLOCATEVIRTUALMEMORY_ARGS NtAllocateVirtualMemory_Struct = { 0 };
    NtAllocateVirtualMemory_Struct.pNtAllocateVirtualMemory = (ULONG_PTR)GetProcAddress(GetModuleHandleA("ntdll"), "NtAllocateVirtualMemory");
    NtAllocateVirtualMemory_Struct.hProcess = hProcess;
    NtAllocateVirtualMemory_Struct.BaseAddress = &pAddress;
    NtAllocateVirtualMemory_Struct.RegionSize = &sEcole;
    NtAllocateVirtualMemory_Struct.Protect = PAGE_READWRITE;

    /* Thread-pool primitives are resolved from ntdll by name at run time.
     * Queue the work item with the argument block as its context, then drop
     * this thread's reference to the work object. */
    FARPROC pTpAllocWork = GetProcAddress(GetModuleHandleA("ntdll"), "TpAllocWork");
    FARPROC pTpPostWork = GetProcAddress(GetModuleHandleA("ntdll"), "TpPostWork");
    FARPROC pTpReleaseWork = GetProcAddress(GetModuleHandleA("ntdll"), "TpReleaseWork");
    ((TPALLOCWORK)pTpAllocWork)(&WorkReturn, (PTP_WORK_CALLBACK)WorkCallback, &NtAllocateVirtualMemory_Struct, NULL);
    ((TPPOSTWORK)pTpPostWork)(WorkReturn);
    ((TPRELEASEWORK)pTpReleaseWork)(WorkReturn);
    /* Poll until the worker has stored the base address.  pAddress is a plain
     * automatic variable written from another thread, so in C11 terms this
     * loop is a data race (the compiler may hoist the load out of the loop).
     * Waiting on the process pseudo-handle never signals while the process
     * is running, so each iteration is effectively a 1 s sleep. */
    while (pAddress == NULL) {
        WaitForSingleObject((HANDLE)-1, 1000);
    }
    // WriteProcessMemory(hProcess, pAddress, &ecole, sEcole, &dwBytesWritten);
    okay("Base address -> 0x%p", pAddress);
    /* sizeof(ecole) includes the terminating NUL, so the copy is a complete C string. */
    RtlCopyMemory(pAddress, ecole, sizeof(ecole));
    okay("Content -> %s", pAddress);
    
    getchar(); /* keep the process alive for inspection */
    return 0;

}

CallStack spoofing

; WorkCallback - PTP_WORK_CALLBACK written in MASM for the "CallStack
; spoofing" demo.  Under the x64 calling convention the thread pool passes
; (Instance, Context, Work) in rcx/rdx/r8; rdx is the argument block built
; in main().  The routine spreads that block over the NtAllocateVirtualMemory
; argument registers and stack slots and tail-jumps to it, so the Nt call
; runs on the pool worker thread using this routine's frame as its own.
;
; Offsets assume the struct declares its members in the order main() assigns
; them (function pointer, hProcess, BaseAddress, RegionSize, Protect); that
; declaration is not visible here - confirm against the header.
.CODE 

    WorkCallback PROC
        mov rbx, rdx               ; rbx = argument block (Context)
        mov rax, [rbx]              ; +00h: address of NtAllocateVirtualMemory
        mov rcx, [rbx + 8h]       ; +08h: ProcessHandle   (arg 1)
        mov rdx, [rbx + 10h]      ; +10h: BaseAddress ptr (arg 2)
        xor r8, r8                 ; ZeroBits = 0          (arg 3)
        mov r9, [rbx + 18h]        ; +18h: RegionSize ptr  (arg 4)
        mov r10, [rbx + 20h]       ; +20h: Protect
        mov [rsp+30h], r10        ; arg 6 (Protect) -> sixth parameter slot of this frame
        mov r10, 3000h             ; MEM_COMMIT | MEM_RESERVE
        mov [rsp+28h], r10        ; arg 5 (AllocationType) -> fifth parameter slot
        jmp rax                   ; jmp, not call: the callee returns to the pool's return address
    WorkCallback ENDP

END

API Hashing

 

Rewrite winapi func

API Hashing

 

A cool windows "feature"

Module stomping

Module stomping

Module stomping

Module stomping

Don't let people debug you

Cool Opcodes

Flags

NtGlobalFlag

Hardware Breakpoint

Has my opcode changed?

Analysis of a real "malware"

Analysis of a real "malware"

Analysis of a real "malware"


By 0xkylm

