Home > Cloud Computing > Cloud Security

Execyptor shelling script

Source: Internet
Author: User
Tags ibase
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

Just for test ~

/*
Script written by okdodo 2007/03
Tested for execryptor v2.24/v2.25

Ollyice: Ignore all tions (add 0 EEDFADE, C0000005, C000001E)
HideOD: Check HideNtDebugBit and ZwQueryInformationProcess (method2)

Test Environment: Ollyice 1.1 + HideOD
ODBGScript 1.51 under WINXP
Thanks:
Kanxue-author of HideOD
Hnhuqiong-author of ODbgScript 1.51
*/

Data:
Var hInstance
Var codeseg
Var vmseg
Var ep
Var oep
Var esptmp
Var _ esp
Var iat_start
Var iat_end
Var iat_cur
Var addr
Var c_gpa
Var ibase
Var iend
Var temp
Var tmp
Var SBM
Var TOA
Var mbase
Var msize

Code:
Bphwcall
Gpa "SetBkMode", "GDI32.dll"
Mov SBM, $ RESULT
REV SBM
Mov SBM, $ RESULT
Itoa SBM
Gpa "TextOutA", "GDI32.dll"
Mov TOA, $ RESULT
REV TOA
Mov TOA, $ RESULT
Itoa TOA

Gpa "VirtualFree", "kernel32.dll"
Bphws $ RESULT, "x"
Run
Bphwc $ RESULT
Rtu
Gmi eip, MODULEBASE
Mov hInstance, $ RESULT
Mov temp, $ RESULT
Add temp, 3c
Mov temp, [temp]
Add temp, hInstance
Add temp, 28
Mov temp, [temp]
Add temp, hInstance
Mov ep, temp

Bc ep

Gmemi eip, MEMORYBASE
Mov codeseg, $ RESULT

Find $ RESULT, # 2ECC9D #
Mov [$ RESULT], #2ECC90 #

Gpa "EnumWindows", "user32.dll"
Mov [$ RESULT], #8BC09C85C09D0578563412C20800 #

Gpa "CreateThread", "kernel32.dll"
Find $ RESULT, # FF7518 #
Mov [$ RESULT], #6A0490 #

Gpa "ZwCreateThread", "ntdll. dll"
Bp $ RESULT

Loop1:
Esto
Cmp eip, $ RESULT
Jne loop1
Bc $ RESULT
Bp ep

Bpep:
Run
Cmp eip, ep
Je loop2
Jmp bpep

Loop2:
Bc ep
Mov esptmp, esp
Sub esptmp, 4

Mov temp, codeseg
Sub temp, 1
Gmemi temp, MEMORYBASE
Mov vmseg, $ RESULT
Gmemi temp, MEMORYSIZE
Bprm vmseg, $ RESULT

Loop3:
Esto
Mov tmp, eip
Mov tmp, [tmp]
Cmp tmp, 992C008A
Jne loop5
Mov oep, eax
Sti
Bprm oep, 1

Loop4:
Esto
Cmp eip, oep
Jne loop4
Jmp iat

Loop5:
Cmp esp, esptmp
Jne loop3

Iat:
Bpmc
Mov oep, eip
Cmt eip, "OEP? "
Gmi eip, MODULEBASE
Mov ibase, $ RESULT
Mov temp, ibase
Add temp, 3C
Mov temp, [temp]
Add temp, ibase
Add temp, 50
Mov iend, [temp]
Add iend, ibase

Mov count, 0
Mov iatbase, 0
Mov mbase, codeseg

Hwloop:
Sub mbase, 1
Cmp mbase and ibase
Jb regnext
Gmemi mbase, MEMORYBASE
Mov mbase, $ RESULT
Gmemi msize, MEMORYSIZE
Mov msize, $ RESULT
Mov temp, mbase

Cmp iatbase, 0
Jne vmsegloop
Eval # {SBM }#
Find temp, $ RESULT, msize
Cmp 0, $ RESULT
Je findTextOutA
Gmemi $ RESULT, MEMORYBASE
Mov iatbase, $ RESULT
Jmp vmsegloop

FindTextOutA:
Cmp iatbase, 0
Jne vmsegloop
Eval # {TOA }#
Find temp, $ RESULT, msize
Cmp 0, $ RESULT
Je vmsegloop
Gmemi $ RESULT, MEMORYBASE
Mov iatbase, $ RESULT

Vmsegloop:
Find temp, # 0355FC03C28B000345FC #
Mov tmp, $ RESULT
Cmp tmp, 0
Je regged
Add tmp, 0A
Bphws tmp, "x"
Mov temp, tmp
Mov c_gpa, tmp
Inc count
Jmp vmsegloop

Regged:
Cmp count, 0
Jne hwloop

Regnext:
Mov mbase, codeseg
 
Hwloop1:
Sub mbase, 1
Cmp mbase and ibase
Jb @ iatinit
Gmemi mbase, MEMORYBASE
Mov mbase, $ RESULT
Mov temp, mbase

Cmp iatbase, 0
Jne vmsegloop1
Eval # {SBM }#
Find temp, $ RESULT, msize
Cmp 0, $ RESULT
Je findTextOutA1
Gmemi $ RESULT, MEMORYBASE
Mov iatbase, $ RESULT
Jmp vmsegloop1

FindTextOutA1:
Cmp iatbase, 0
Jne vmsegloop1
Eval # {TOA }#
Find temp, $ RESULT, msize
Cmp 0, $ RESULT
Je vmsegloop1
Gmemi $ RESULT, MEMORYBASE
Mov iatbase, $ RESULT

Vmsegloop1:
Find temp, #0345FC8945F48B45F4 #
Mov tmp, $ RESULT
Cmp tmp, 0
Je hwloop1
Add tmp, 3
Bphws tmp, "x"
Mov temp, tmp
Mov c_gpa, tmp
Inc count
Jmp vmsegloop1

@ Iatinit:
Cmp iatbase, 0
Je @ error
Cmp count, 0
Je @ error
Gmemi iatbase, MEMORYSIZE
Mov iat_end, $ RESULT
Add iat_end, iatbase
Sub iat_end, 4
Mov _ esp, esp

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
cache script encrypt script end script parse script pause script pear script script 0
Related Article
Cloud security to achieve effective prevention of the future ...
Focus on three major cloud security areas, you know?
Using redis to write webshell

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More