DL&E + UAC Bypass + Self Modifying Code - FASM + C# | 2.00 KB
DL&E + UAC Bypass + Self Modifying Code - FASM + C# | 2.00 KB #1
Yo.

So I've been getting into assembly lately and decided I wanted to make something practical, so I made a simple Download & Execute in MASM32, then made a builder for it in C#.
In hindsight, I could've made the builder in MASM as well, but the builder was more of an afterthought once I decided I wanted to release it.


Ended up remaking the stub in FASM.

How the builder works:
1: Enter direct URL to file
2: URL is parsed and inserted into the assembly file
3: Assembly file is built into an executable ready to go

How the assembly file works:
.5: Decrypt emulation testing region
1: Use HeapAlloc to test if we're being emulated, and corrupt the stack frame to force a crash if we are
1.5: Decrypt real code
3: Load all the needed libs
4: Get the function addresses of all the functions - Using a different method now
5: Replace the registry key in HKEY_CLASSES_ROOT\mscfile\shell\open\command with our file path in temp
5: Create or use a key located at HKEY_CURRENT_USER\software\classes\mscfile\shell\open\command pointing to our file path inside of temp
6: start eventvwr.exe, which automatically launches the path in registry as admin
7: Restore registry values so we don't leave a trail

That's about it. It's mostly FUD with only 2 4 (seems this is getting around) 2 detections: one by Avira (for not creating a window (SUBSYSTEM:WINDOWS)), and one by some random AV called Twistor, and as far as I can tell that's only because I have a lot of strings. It shouldn't be very hard to bypass the two, and I don't want to completely spoon feed, so you'll have to figure that one out for yourself :^).

Not going to release source on this one, because the people that I feel deserve the source can simply reverse the app; there's no obfuscation, so it should be a piece of cake for anyone competent.

Before memory decryption(if you can even call it that, just simple xor):
[Image: 61c2a317be174b8bbc23c73c8b145640.png]

Disassembler view:
[Image: c3a4bee7e512499f997dd4ed26a47641.png]

Gif of OllyDbg while it's decrypting itself:
[Image: AqQW.gif]

A small note that the file that is dropped onto the system needs to be the same platform as the computer, e.g. 64 bit or 32 bit; AnyCPU doesn't seem to work.
Fixed. Seemed to be a byproduct of setting the registry key in HKEY_CLASSES_ROOT.

When you run the builder, it will output the executable to the same directory the builder is in, and it will be called "Assembly.exe". Also, the file is downloaded to the temp folder and named "NotSuspicious.exe".

Download
Stub Scan
Builder Scan - Calls it AdWare kek

Yet another note: adding version info and an icon may also help with detections, I was too lazy to test.

Enjoy you filthy animals
(This post was last modified: 10-23-2016, 06:36 AM by Killpot.)


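The technique described in the post above (write the mscfile open command under HKCU, launch eventvwr.exe so it runs that path elevated, then restore the key) leaves a very short-lived but recognisable trace in endpoint telemetry. The following script is an added defender-side example, not code from the post or its author: it correlates a registry write to a path ending in `\Classes\mscfile\shell\open\command` with an `eventvwr.exe` process start on the same host, and notes whether the key was written again afterwards (the restore step). The pipe-delimited record format, the constructed sample lines (where HKCU appears as `HKU\<SID>`, as Sysmon logs it) and the 30-second correlation window are assumptions made for the example; the registry path and the one-second restore delay come from the thread.

```python
import re
from dataclasses import dataclass

# Tail of the registry key the post says the stub writes. HKCU writes show up in
# Sysmon-style telemetry as HKU\<SID>\Software\Classes\..., so only the tail is matched.
MSCFILE_COMMAND_RE = re.compile(r"\\classes\\mscfile\\shell\\open\\command$", re.IGNORECASE)

# Assumed correlation window. The post says the key is restored about one second
# after eventvwr.exe starts, so a much wider window still catches it comfortably.
CORRELATION_WINDOW_SECONDS = 30.0


@dataclass
class Event:
    ts: float        # seconds since epoch
    host: str
    kind: str        # "reg_set" (registry value written) or "proc_create"
    target: str      # registry path, or process image path
    details: str     # value written, or command line


@dataclass
class Alert:
    host: str
    reg_time: float
    proc_time: float
    command_value: str   # what the hijacked open verb pointed at
    restored: bool       # key written again after the launch (the clean-up step)


def parse_line(line: str) -> Event:
    """Parse one constructed record: ts|host|kind|target|details (details may contain '|')."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        raise ValueError(f"malformed record: {line!r}")
    ts, host, kind, target, details = parts
    return Event(float(ts), host, kind, target, details)


def correlate(events) -> list:
    """Return one Alert per (mscfile key write -> eventvwr.exe start) pair within the window."""
    alerts = []
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    for host, evs in by_host.items():
        writes = [e for e in evs if e.kind == "reg_set" and MSCFILE_COMMAND_RE.search(e.target)]
        launches = [e for e in evs if e.kind == "proc_create"
                    and e.target.lower().endswith("\\eventvwr.exe")]
        for i, w in enumerate(writes):
            for p in launches:
                if 0 <= p.ts - w.ts <= CORRELATION_WINDOW_SECONDS:
                    # Any later write to the same key after the launch is the restore step.
                    restored = any(later.ts > p.ts for later in writes[i + 1:])
                    alerts.append(Alert(host, w.ts, p.ts, w.details, restored))
                    break
    return alerts


def scan(log_text: str) -> list:
    """Parse a whole log blob and correlate it."""
    return correlate(parse_line(l) for l in log_text.strip().splitlines() if l.strip())


def local_hijack_value():
    """On Windows, return the HKCU mscfile open command if one exists, else None.
    Out of the box mscfile is only defined under HKLM\\Software\\Classes, so a per-user
    override is worth looking at. Returns None on non-Windows hosts."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                            r"Software\Classes\mscfile\shell\open\command") as key:
            return winreg.QueryValueEx(key, "")[0]
    except OSError:
        return None


# Constructed sample telemetry: WS01 shows the full write / launch / payload / restore
# sequence; WS02 is a benign Event Viewer launch; WS03 writes an unrelated file class.
SAMPLE_LOG = r"""
1477200000.0|WS01|reg_set|HKU\S-1-5-21-1111\Software\Classes\mscfile\shell\open\command|C:\Users\bob\AppData\Local\Temp\NotSuspicious.exe
1477200000.4|WS01|proc_create|C:\Windows\System32\eventvwr.exe|"C:\Windows\System32\eventvwr.exe"
1477200000.6|WS01|proc_create|C:\Users\bob\AppData\Local\Temp\NotSuspicious.exe|NotSuspicious.exe
1477200001.5|WS01|reg_set|HKU\S-1-5-21-1111\Software\Classes\mscfile\shell\open\command|(value deleted)
1477200100.0|WS02|proc_create|C:\Windows\System32\eventvwr.exe|eventvwr.exe
1477200200.0|WS03|reg_set|HKU\S-1-5-21-2222\Software\Classes\txtfile\shell\open\command|notepad.exe %1
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.host}: mscfile open verb set to {a.command_value!r} at {a.reg_time}, "
              f"eventvwr.exe started {a.proc_time - a.reg_time:.1f}s later, restored={a.restored}")
```

Because the key is restored within about a second, a point-in-time registry audit will almost always miss it; the durable signal is the registry-write event itself, which is why the correlation runs over logged events and only falls back to `local_hijack_value()` for a live check.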

RE: Silent Download & Execute + UAC Bypass - MASM32 + C# #2
I was planning to push some updates out for this but it's getting really late and I just hit a few more. I plan to have the stub decide between two links depending on OS architecture, and also to solve some issues with the registry key being reset too quickly after Event Viewer is launched.



RE: Silent Download & Execute + UAC Bypass - MASM32 + C# #3
Post updated. Fixed registry problems with not being able to modify the registry key without admin (was creating the key in the wrong subset), and fixed the need to decide between x86 and x64 at runtime. Also extended the time before it resets the registry key from 1/10th of a second to 1 second, in case it's a low spec PC or it takes time for the program to load. I may consider switching from URLDownloadToFileA to WinInet, as the former is slow, and you have more control with WinInet.
(This post was last modified: 10-08-2016, 08:33 PM by Killpot.)



RE: Silent Download & Execute + UAC Bypass - MASM32 + C# #4
Post updated. No longer any lib or inc dependencies, so there are no imports, which will make it harder to debug etc. Also removed automatic uploading because it's unreliable and inconsistent in the long run.



RE: DL&E + UAC Bypass + Self Modifying Code - FASM + C# | 2.00 KB #5
Big update! Now in FASM, alongside some new features :D



RE: DL&E + UAC Bypass + Self Modifying Code - FASM + C# | 2.00 KB #6
I may need to bookmark this for future reference.


RE: DL&E + UAC Bypass + Self Modifying Code - FASM + C# | 2.00 KB #7
Big update on how I resolve functions. I was just doing it statically with the offset to the function from the base address of the library, but in hindsight that was a stupid idea and will have tons of compatibility issues. I've now switched to a different method that should work fine on any Windows system (that has access to LoadLibrary and GetProcAddress).



RE: DL&E + UAC Bypass + Self Modifying Code - FASM + C# | 2.00 KB #8
Looks neat, but I got an error:

https://postimg.org/image/65i0asfr7/


RE: DL&E + UAC Bypass + Self Modifying Code - FASM + C# | 2.00 KB #9
(10-23-2016, 02:18 PM)swatterhat Wrote: Looks neat, but I got an error:

https://postimg.org/image/65i0asfr7/

Your download link is broken. Go into the temp folder, open NotSuspicious, and see what it downloaded; maybe it's an error page or something. If you open it with a text editor and it's HTML, there's your answer.



RE: DL&E + UAC Bypass + Self Modifying Code - FASM + C# | 2.00 KB #10
(10-23-2016, 06:46 PM)Killpot Wrote:
(10-23-2016, 02:18 PM)swatterhat Wrote: Looks neat, but I got an error:

https://postimg.org/image/65i0asfr7/

Your download link is broken. Go into the temp folder, open NotSuspicious, and see what it downloaded; maybe it's an error page or something. If you open it with a text editor and it's HTML, there's your answer.

Got the same error. What service do you recommend for uploading the files to?
I love you, léon

