Flag: Tornado! Hurricane!

OpenRCE Anti Reverse Engineering Technique >> ProcDump PE Header Corruption

Technique Name Category Analysis By Download Added On Last Updated
ProcDump PE Header Corruption Dumping ap0x AntiProcDump.zip March 11 2006
Description:
    .386
      .model flat, stdcall
      option casemap :none   ; case sensitive

      include \masm32\include\windows.inc
      include \masm32\include\user32.inc
      include \masm32\include\kernel32.inc

      includelib \masm32\lib\user32.lib
      includelib \masm32\lib\kernel32.lib

    .data
OLDProtect dd 02040001h
    .code

start:

; MASM32 antiProcDump example
; coded by ap0x
; Reversing Labs: http://ap0x.headcoders.net

; This example takes advantage of ProcDump making full image dump
; including the header. So this example will erase sections from PEHeader.
; To do this we must first make PEHeader writable by using VirtualProtect
; after which we access the header and place 0x00 in PEHeader.

PUSH offset OLDProtect
PUSH 40h
PUSH 00001000h
PUSH 00400000h
CALL VirtualProtect

; Read elfanew from PEHeader
MOV EBX,0040003Ch
MOV ECX,DWORD PTR[EBX]
ADD ECX,00400006h

XOR EBX,EBX  
; BX is SectionNumber
MOV BX,WORD PTR[ECX]
PUSH ECX
; ECX is a pointer to PESections table
ADD ECX,0F2h

@clear_section:
; One section table item size
MOV EDX,28h
@clear_section_s:
; Clear byte
MOV BYTE PTR[ECX],0h
INC ECX
DEC EDX
JNE @clear_section_s
; Erase all sections
DEC EBX
JNE @clear_section
; Clear SectonNumber from PEHeader
POP ECX
MOV WORD PTR[ECX],BX

PUSH 0
CALL ExitProcess

end start

There are 31,320 total registered users.


Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
hi!
Jul/01
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06


Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n


Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

oleavr
Aug/27
CryptoShark: code tracer ba...

oleavr
Jun/25
Build a debugger in 5 minutes

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit