ProcDump PE Header Corruption |
Dumping |
ap0x |
AntiProcDump.zip |
March 11 2006 |
.386
.model flat, stdcall
option casemap :none ; case sensitive
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
.data
; Receives the previous page protection from VirtualProtect (lpflOldProtect).
; The initial value is never read by this program; it is simply overwritten
; by the call in the code below.
OLDProtect dd 02040001h
.code
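start:
; MASM32 antiProcDump example
; coded by ap0x
; Reversing Labs: http://ap0x.headcoders.net
; This example takes advantage of ProcDump making full image dump
; including the header. So this example will erase sections from PEHeader.
; To do this we must first make PEHeader writable by using VirtualProtect
; after which we access the header and place 0x00 in PEHeader.
;
; Changes versus the original listing:
;  - image base comes from GetModuleHandle(NULL) instead of the hard-coded
;    linker default 00400000h, so a relocated module is still patched;
;  - the VirtualProtect return value is checked: on failure the header is
;    still read-only and the stores below would raise an access violation;
;  - the section table address is computed from SizeOfOptionalHeader
;    instead of assuming the standard 0E0h-byte PE32 optional header;
;  - NumberOfSections == 0 no longer wraps the counter into a ~4G-iteration
;    loop that walks off the end of the page.
;
; Register roles (32-bit stdcall; EBX/ESI/EDI survive the API calls):
;   ESI = image base of this executable
;   EDI = address of the PE signature, later of FILE_HEADER.NumberOfSections
;   EBX = section-table entries still to clear
;   ECX = byte pointer into the section table
;   EDX = bytes left in the current 28h-byte section entry
;
; Assumption kept from the original: the section table lies in the first
; page (1000h bytes) of the image, which holds for the default MASM32 link
; layout but is not verified here.
    PUSH    0
    CALL    GetModuleHandle
    MOV     ESI,EAX                   ; ESI = image base
; Make the header page writable: VirtualProtect(base, 1000h, PAGE_EXECUTE_READWRITE, &OLDProtect)
    PUSH    offset OLDProtect
    PUSH    40h                       ; PAGE_EXECUTE_READWRITE
    PUSH    00001000h                 ; one page: DOS header + PE header + section table
    PUSH    ESI
    CALL    VirtualProtect
    TEST    EAX,EAX
    JZ      @exit                     ; protection change failed: do not touch the header
; EDI = base + e_lfanew  (e_lfanew is the DWORD at DOS header offset 3Ch)
    MOV     EDI,DWORD PTR [ESI+3Ch]
    ADD     EDI,ESI
; ECX = start of section table
;     = &OPTIONAL_HEADER (e_lfanew + 18h) + FILE_HEADER.SizeOfOptionalHeader (e_lfanew + 14h)
; For a standard PE32 (SizeOfOptionalHeader = 0E0h) this is e_lfanew + 0F8h,
; the same offset the original reached via 6 + 0F2h.
    MOVZX   ECX,WORD PTR [EDI+14h]
    LEA     ECX,[EDI+ECX+18h]
; EDI = &FILE_HEADER.NumberOfSections (e_lfanew + 6); EBX = its value
    ADD     EDI,6
    MOVZX   EBX,WORD PTR [EDI]
    TEST    EBX,EBX
    JZ      @clear_count              ; nothing to wipe, just zero the count
@clear_section:
    MOV     EDX,28h                   ; sizeof(IMAGE_SECTION_HEADER)
@clear_section_s:
    MOV     BYTE PTR [ECX],0h
    INC     ECX
    DEC     EDX
    JNE     @clear_section_s
    DEC     EBX
    JNE     @clear_section
@clear_count:
; NumberOfSections := 0 so the dumped header describes no sections at all
    MOV     WORD PTR [EDI],0
@exit:
    PUSH    0
    CALL    ExitProcess
end start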