Import table hiding

Hide all import table functions:
generic for EXE and DLL ---------- Bing Lang


The aim is to keep the procedure as simple and foolproof as possible and the code generic; it borrows a few techniques common in viruses. Thanks to xfish and xfish's excellent [AntiVirus topics] series, which is worth reading!!!

The idea: the import table stays in the file, but the data directory no longer points at it, so the Windows loader ignores it and import viewers show an empty import table. A small piece of code inserted at the entry point then locates kernel32.dll, finds GetProcAddress and LoadLibraryA by hand, walks the original import descriptors at their known RVA, and fills in the IAT itself before jumping to the original entry point.


Follow these steps:

1: Open the file in LordPE, click "Directories", and note the RVA of the import table (IMAGE_DIRECTORY_ENTRY_IMPORT).
2: Load the program in OllyDbg (OD), assemble the code below into an unused stretch of a code section, and fill in the import table RVA you noted (the marked MOV EAX) and the original entry point (the marked final JMP).
3: Point the entry point at the start of this code (strictly speaking optional, but the code must run before the program calls any imported function; the run-once flag at the top of it also copes with the repeated DllMain calls a DLL receives).
4: Set the import table RVA (and size) in the data directory to 0 so the loader skips import resolution, and mark the section that holds the import table and its IAT as writable (IMAGE_SCN_MEM_WRITE), because the code below writes the resolved addresses into the IAT itself.

Two things to check before applying this: the code reads the name RVAs from the FirstThunk (IAT) array, so the file must not have bound imports, whose IAT already contains addresses instead of name RVAs; and because the descriptors and name strings remain in the file, this only defeats tools that trust the data directory, not an analyst who searches the image for "kernel32.dll".
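Steps 1 and 4 done with a script instead of LordPE, as an added Python example that is not part of the original article: it reads the import table RVA from the data directory, walks the import descriptors and the FirstThunk array exactly the way the run-time code below does (Name at +0xC, FirstThunk at +0x10, descriptors 0x14 bytes apart, 0x80000000 marking an import by ordinal), then zeroes the Import and IAT directory entries and sets IMAGE_SCN_MEM_WRITE on every section that holds an IAT. The PE it operates on is a constructed minimal PE32 built in `build_sample_pe()`, not a real program; the function and offset names are the usual PE names, nothing else is assumed.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_IAT = 12
IMAGE_ORDINAL_FLAG32 = 0x80000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def build_sample_pe():
    """Constructed minimal PE32 (not a real program): one section, .idata, at
    RVA 0x1000 / file offset 0x200, importing from kernel32.dll one function
    by name and one by ordinal."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                          # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, 1 section, SizeOfOptionalHeader = 0xE0, EXE
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = 0x58                                                       # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", img, opt, 0x10B)
    struct.pack_into("<I", img, opt + 0x5C, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 0x60 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, 0x1000, 0x28)
    struct.pack_into("<II", img, opt + 0x60 + 8 * IMAGE_DIRECTORY_ENTRY_IAT, 0x1060, 0x0C)
    sec = opt + 0xE0                                                 # first IMAGE_SECTION_HEADER
    img[sec:sec + 8] = b".idata\0\0"
    struct.pack_into("<IIII", img, sec + 8, 0x200, 0x1000, 0x200, 0x200)  # VirtualSize, VA, raw size, raw ptr
    struct.pack_into("<I", img, sec + 36, 0x40000040)                # INITIALIZED_DATA | MEM_READ
    # IMAGE_IMPORT_DESCRIPTOR (OriginalFirstThunk, stamp, chain, Name, FirstThunk), null terminator follows
    struct.pack_into("<IIIII", img, 0x200, 0x1040, 0, 0, 0x1080, 0x1060)
    thunks = struct.pack("<III", 0x1090, IMAGE_ORDINAL_FLAG32 | 16, 0)
    img[0x240:0x24C] = thunks                                        # OriginalFirstThunk array
    img[0x260:0x26C] = thunks                                        # FirstThunk array (the IAT)
    img[0x280:0x28D] = b"kernel32.dll\0"
    img[0x290:0x2A1] = b"\0\0GetProcAddress\0"                       # IMAGE_IMPORT_BY_NAME: hint + name
    return bytes(img)


def pe_layout(img):
    """Return (optional header offset, [(header offset, VA, size, raw offset)])."""
    nt = struct.unpack_from("<I", img, 0x3C)[0]
    if img[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", img, nt + 6)[0]
    optsize = struct.unpack_from("<H", img, nt + 20)[0]
    opt = nt + 24
    secs = []
    for i in range(nsec):
        hdr = opt + optsize + 40 * i
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", img, hdr + 8)
        secs.append((hdr, va, max(vsize, rawsize), raw))
    return opt, secs


def rva_to_off(secs, rva):
    for _, va, size, raw in secs:
        if va <= rva < va + size:
            return raw + (rva - va)
    raise ValueError("RVA %#x is outside every section" % rva)


def cstr(img, off):
    return img[off:img.index(b"\0", off)].decode("ascii")


def directory_entry(img, index):
    opt, _ = pe_layout(img)
    return struct.unpack_from("<II", img, opt + 0x60 + 8 * index)


def section_flags(img):
    _, secs = pe_layout(img)
    return [struct.unpack_from("<I", img, hdr + 36)[0] for hdr, _, _, _ in secs]


def walk_imports(img):
    """Step 1 plus what the stub does at run time, done on the file.
    Returns (import table RVA, [(dll name, IAT RVA, [names or ordinals])])."""
    _, secs = pe_layout(img)
    imp_rva = directory_entry(img, IMAGE_DIRECTORY_ENTRY_IMPORT)[0]
    dlls, desc = [], rva_to_off(secs, imp_rva)
    while True:
        _, _, _, name_rva, first_thunk = struct.unpack_from("<IIIII", img, desc)
        if name_rva == 0:                       # the stub stops on a descriptor whose Name is 0
            break
        funcs, thunk = [], rva_to_off(secs, first_thunk)
        while True:
            entry = struct.unpack_from("<I", img, thunk)[0]
            if entry == 0:
                break
            if entry & IMAGE_ORDINAL_FLAG32:
                funcs.append(entry & 0xFFFF)    # import by ordinal (the stub does SUB EAX, 80000000)
            else:
                funcs.append(cstr(img, rva_to_off(secs, entry) + 2))   # skip the 2-byte hint
            thunk += 4
        dlls.append((cstr(img, rva_to_off(secs, name_rva)), first_thunk, funcs))
        desc += 0x14                            # sizeof(IMAGE_IMPORT_DESCRIPTOR)
    return imp_rva, dlls


def hide_imports(img):
    """Step 4: zero the Import and IAT directory entries and make every section
    that contains an IAT writable. Returns (RVA to hard-code into the stub, patched image)."""
    img = bytearray(img)
    imp_rva, dlls = walk_imports(img)
    opt, secs = pe_layout(img)
    for entry in (IMAGE_DIRECTORY_ENTRY_IMPORT, IMAGE_DIRECTORY_ENTRY_IAT):
        struct.pack_into("<II", img, opt + 0x60 + 8 * entry, 0, 0)
    for hdr, va, size, _ in secs:
        if any(va <= iat < va + size for _, iat, _ in dlls):
            flags = struct.unpack_from("<I", img, hdr + 36)[0]
            struct.pack_into("<I", img, hdr + 36, flags | IMAGE_SCN_MEM_WRITE)
    return imp_rva, bytes(img)


if __name__ == "__main__":
    rva, dlls = walk_imports(build_sample_pe())
    print("import table RVA %#x -> %r" % (rva, dlls))
    print("section flags after hiding: %r" % [hex(f) for f in section_flags(hide_imports(build_sample_pe())[1])])
```

The IAT directory entry is zeroed here as well as the import entry; the article only mentions the import entry, but a loader that skips import processing has no use for the IAT entry either, and leaving it set only helps an import viewer find the table again. Keep the RVA that `hide_imports` returns: it is the value that goes into the MOV EAX in the run-time code.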



The complete code is as follows (OllyDbg listing; the text after ';' explains each step):

10074280  E8 01000000     CALL 10074286                      ; pushes the address of the flag byte at 10074285
10074285  00              DB 00                              ; run-once flag: 0 = imports not yet resolved
10074286  58              POP EAX
10074287  8038 00         CMP BYTE PTR DS:[EAX], 0
1007428A  0F85 F5000000   JNZ 10074385                       ; already done (e.g. a second DllMain call): go to OEP
10074290  FE00            INC BYTE PTR DS:[EAX]              ; set the flag
10074292  64:A1 30000000  MOV EAX, DWORD PTR FS:[30]         ; PEB
10074298  8B40 0C         MOV EAX, DWORD PTR DS:[EAX+C]      ; PEB->Ldr
1007429B  8B40 1C         MOV EAX, DWORD PTR DS:[EAX+1C]     ; Ldr->InInitializationOrderModuleList.Flink (ntdll)
1007429E  8B00            MOV EAX, DWORD PTR DS:[EAX]        ; next entry (kernel32 on the Windows this was written for; see the note below)
100742A0  8B40 08         MOV EAX, DWORD PTR DS:[EAX+8]      ; ->DllBase
100742A3  8BD8            MOV EBX, EAX                       ; EBX = kernel32 base
100742A5  E8 0F000000     CALL 100742B9                      ; pushes the address of the string below, calls the export lookup
100742AA  47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00   DB "GetProcAddress",0   ; OllyDbg shows these bytes as junk instructions
100742B9  59              POP ECX                            ; ECX = "GetProcAddress"
100742BA  60              PUSHAD                             ; the saved EAX/ECX/EDX slots are reused as outputs below
100742BB  89C3            MOV EBX, EAX                       ; EBX = module base
100742BD  89CF            MOV EDI, ECX
100742BF  30C0            XOR AL, AL
100742C1  AE              SCAS BYTE PTR ES:[EDI]             ; find the terminating NUL
100742C2  75 FD           JNZ SHORT 100742C1
100742C4  4F              DEC EDI
100742C5  29CF            SUB EDI, ECX                       ; EDI = strlen(name), NUL not counted
100742C7  87F9            XCHG ECX, EDI                      ; ECX = length, EDI = name
100742C9  8B43 3C         MOV EAX, DWORD PTR DS:[EBX+3C]     ; e_lfanew
100742CC  8B7403 78       MOV ESI, DWORD PTR DS:[EBX+EAX+78] ; export directory RVA (data directory 0)
100742D0  8D741E 18       LEA ESI, DWORD PTR DS:[ESI+EBX+18] ; &NumberOfNames
100742D4  AD              LODS DWORD PTR DS:[ESI]
100742D5  92              XCHG EAX, EDX                      ; EDX = NumberOfNames
100742D6  AD              LODS DWORD PTR DS:[ESI]
100742D7  50              PUSH EAX                           ; [ESP] = AddressOfFunctions RVA
100742D8  AD              LODS DWORD PTR DS:[ESI]
100742D9  95              XCHG EAX, EBP                      ; EBP = AddressOfNames RVA
100742DA  AD              LODS DWORD PTR DS:[ESI]
100742DB  95              XCHG EAX, EBP                      ; EBP = AddressOfNameOrdinals RVA, EAX = AddressOfNames RVA
100742DC  01D8            ADD EAX, EBX                       ; EAX = AddressOfNames VA
100742DE  897C24 18       MOV DWORD PTR SS:[ESP+18], EDI     ; stash the name pointer (saved-EDX slot)
100742E2  894C24 14       MOV DWORD PTR SS:[ESP+14], ECX     ; stash the length (saved-EBX slot)
100742E6  4A              DEC EDX                            ; walk the name table from the last entry down; index 0 is never tested
100742E7  74 27           JE SHORT 10074310                  ; not found
100742E9  8B3490          MOV ESI, DWORD PTR DS:[EAX+EDX*4]
100742EC  01DE            ADD ESI, EBX                       ; ESI = export name string
100742EE  F3:A6           REPE CMPS BYTE PTR ES:[EDI], BYTE PTR DS:[ESI]   ; compares only strlen bytes, i.e. a prefix match
100742F0  74 0A           JE SHORT 100742FC
100742F2  8B7C24 18       MOV EDI, DWORD PTR SS:[ESP+18]     ; restore the name pointer
100742F6  8B4C24 14       MOV ECX, DWORD PTR SS:[ESP+14]     ; restore the length
100742FA  EB EA           JMP SHORT 100742E6
100742FC  D1E2            SHL EDX, 1                         ; name index * 2
100742FE  01D5            ADD EBP, EDX
10074300  0FB7441D 00     MOVZX EAX, WORD PTR SS:[EBP+EBX]   ; ordinal from AddressOfNameOrdinals
10074305  C1E0 02         SHL EAX, 2
10074308  030424          ADD EAX, DWORD PTR SS:[ESP]        ; + AddressOfFunctions RVA
1007430B  8B0403          MOV EAX, DWORD PTR DS:[EBX+EAX]    ; function RVA
1007430E  01D8            ADD EAX, EBX                       ; function VA
10074310  59              POP ECX                            ; discard the AddressOfFunctions RVA
10074311  894424 1C       MOV DWORD PTR SS:[ESP+1C], EAX     ; saved-EAX slot = GetProcAddress
10074315  895C24 18       MOV DWORD PTR SS:[ESP+18], EBX     ; saved-ECX slot = kernel32 base
10074319  E8 12000000     CALL 10074330                      ; pushes the address of the string below
1007431E  00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00   DB 0,0,0,0,"LoadLibraryA",0,0
10074330  59              POP ECX
10074331  83C1 04         ADD ECX, 4                         ; skip the four padding bytes
10074334  51              PUSH ECX                           ; "LoadLibraryA"
10074335  53              PUSH EBX                           ; kernel32 base
10074336  FFD0            CALL EAX                           ; GetProcAddress(kernel32, "LoadLibraryA")
10074338  894424 14       MOV DWORD PTR SS:[ESP+14], EAX     ; saved-EDX slot = LoadLibraryA
1007433C  E8 00000000     CALL 10074341
10074341  5D              POP EBP                            ; EBP = current EIP
10074342  81E5 0000FFFF   AND EBP, FFFF0000                  ; round down to 64K
10074348  33C0            XOR EAX, EAX
1007434A  EB 06           JMP SHORT 10074352
1007434C  81ED 00100000   SUB EBP, 1000                      ; step back one page at a time
10074352  66:8B45 00      MOV AX, WORD PTR SS:[EBP]
10074356  66:3D 4D5A      CMP AX, 5A4D                       ; "MZ"?
1007435A  90              NOP
1007435B  75 EF           JNZ SHORT 1007434C
1007435D  8B45 3C         MOV EAX, DWORD PTR SS:[EBP+3C]
10074360  8B0428          MOV EAX, DWORD PTR DS:[EAX+EBP]
10074363  3D 50450000     CMP EAX, 4550                      ; "PE\0\0"? if so EBP = our own image base
10074368  75 E2           JNZ SHORT 1007434C
1007436A  B8 48611100     MOV EAX, 116148                    ; <-- enter the import table RVA shown by LordPE
1007436F  36:8D1C28       LEA EBX, DWORD PTR SS:[EAX+EBP]    ; first IMAGE_IMPORT_DESCRIPTOR
10074373  8B43 0C         MOV EAX, DWORD PTR DS:[EBX+C]      ; ->Name RVA
10074376  85C0            TEST EAX, EAX
10074378  74 0A           JE SHORT 10074384                  ; null descriptor = end of the table
1007437A  E8 0D000000     CALL 1007438C                      ; resolve this DLL's imports
1007437F  83C3 14         ADD EBX, 14                        ; sizeof(IMAGE_IMPORT_DESCRIPTOR)
10074382  EB EF           JMP SHORT 10074373
10074384  61              POPAD                              ; EAX/ECX/EDX come back as GetProcAddress/kernel32/LoadLibraryA
10074385  E9 828FF9FF     JMP 1000D30C                       ; <-- after filling the import table, jump to the original entry point
1007438A  90              NOP
1007438B  90              NOP
1007438C  53              PUSH EBX
1007438D  8D1428          LEA EDX, DWORD PTR DS:[EAX+EBP]    ; DLL name
10074390  52              PUSH EDX
10074391  FF5424 20       CALL DWORD PTR SS:[ESP+20]         ; LoadLibraryA(name), read from the saved-EDX slot
10074395  8BD0            MOV EDX, EAX                       ; EDX = module handle
10074397  8B5B 10         MOV EBX, DWORD PTR DS:[EBX+10]     ; ->FirstThunk RVA
1007439A  8D1C2B          LEA EBX, DWORD PTR DS:[EBX+EBP]    ; first IAT entry
1007439D  8B03            MOV EAX, DWORD PTR DS:[EBX]
1007439F  85C0            TEST EAX, EAX
100743A1  74 23           JE SHORT 100743C6                  ; end of the thunk array
100743A3  3D 00000080     CMP EAX, 80000000
100743A8  72 07           JB SHORT 100743B1
100743AA  2D 00000080     SUB EAX, 80000000                  ; import by ordinal
100743AF  EB 06           JMP SHORT 100743B7
100743B1  8D0428          LEA EAX, DWORD PTR DS:[EAX+EBP]    ; IMAGE_IMPORT_BY_NAME
100743B4  83C0 02         ADD EAX, 2                         ; skip the hint, point at the name
100743B7  52              PUSH EDX                           ; keep the module handle across the call
100743B8  50              PUSH EAX
100743B9  52              PUSH EDX
100743BA  FF5424 30       CALL DWORD PTR SS:[ESP+30]         ; GetProcAddress(hmod, name or ordinal), read from the saved-EAX slot
100743BE  8903            MOV DWORD PTR DS:[EBX], EAX        ; write the address into the IAT
100743C0  83C3 04         ADD EBX, 4
100743C3  5A              POP EDX
100743C4  EB D7           JMP SHORT 1007439D
100743C6  5B              POP EBX
100743C7  C3              RETN

Two limits to check before relying on this code on anything newer than the Windows it was written for. The kernel32 lookup takes the second entry of InInitializationOrderModuleList, which is kernel32.dll on Windows XP but KernelBase.dll on Windows 7 and later; walk the list and compare BaseDllName instead. The export-name search compares only strlen bytes and stops before index 0, so it is a prefix match that never examines the first name; later kernel32 builds export GetProcAddressForCaller, which sorts after GetProcAddress and is therefore found first by a search that walks downward. The code is also 32-bit only: FS:[30] and the structure offsets used here do not apply to native x64 processes.

The same code as raw bytes (328 bytes, 16 per line). The import table RVA is the four bytes at offset 0xEB (48 61 11 00) and the displacement of the final JMP is the four bytes at offset 0x106 (82 8F F9 FF); both must be changed for the target file:
E8 01 00 00 00 00 58 80 38 00 0F 85 F5 00 00 00
FE 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 00
8B 40 08 8B D8 E8 0F 00 00 00 47 65 74 50 72 6F
63 41 64 64 72 65 73 73 00 59 60 89 C3 89 CF 30
C0 AE 75 FD 4F 29 CF 87 F9 8B 43 3C 8B 74 03 78
8D 74 1E 18 AD 92 AD 50 AD 95 AD 95 01 D8 89 7C
24 18 89 4C 24 14 4A 74 27 8B 34 90 01 DE F3 A6
74 0A 8B 7C 24 18 8B 4C 24 14 EB EA D1 E2 01 D5
0F B7 44 1D 00 C1 E0 02 03 04 24 8B 04 03 01 D8
59 89 44 24 1C 89 5C 24 18 E8 12 00 00 00 00 00
00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00
59 83 C1 04 51 53 FF D0 89 44 24 14 E8 00 00 00
00 5D 81 E5 00 00 FF FF 33 C0 EB 06 81 ED 00 10
00 00 66 8B 45 00 66 3D 4D 5A 90 75 EF 8B 45 3C
8B 04 28 3D 50 45 00 00 75 E2 B8 48 61 11 00 36
8D 1C 28 8B 43 0C 85 C0 74 0A E8 0D 00 00 00 83
C3 14 EB EF 61 E9 82 8F F9 FF 90 90 53 8D 14 28
52 FF 54 24 20 8B D0 8B 5B 10 8D 1C 2B 8B 03 85
C0 74 23 3D 00 00 00 80 72 07 2D 00 00 00 80 EB
06 8D 04 28 83 C0 02 52 50 52 FF 54 24 30 89 03
83 C3 04 5A EB D7 5B C3
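The export-table walk from the listing (e_lfanew, data directory 0 at NT header +0x78, then NumberOfNames, AddressOfFunctions, AddressOfNames and AddressOfNameOrdinals starting at export directory +0x18), rewritten as an added Python example that is not part of the original article. `find_export_as_stub` reproduces the listing's search loop exactly, including its DEC EDX / JE bounds and the strlen-only REPE CMPSB comparison; `find_export` is the corrected version. The module it runs against is a constructed in-memory image built in `build_sample_module()`, with made-up function RVAs and an export name set chosen to trigger both weaknesses of the listing's loop; it is not a real kernel32.

```python
import struct


def build_sample_module():
    """Constructed image (not a real DLL): MZ/PE headers and an
    IMAGE_EXPORT_DIRECTORY at RVA 0x100 with four sorted names whose
    ordinal table does not simply mirror the name index."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<II", img, 0x40 + 0x78, 0x100, 0x100)  # export directory RVA / size
    names = [b"AddAtomA", b"GetProcAddress", b"GetProcAddressForCaller", b"LoadLibraryA"]
    ordinals = [0, 2, 1, 3]                   # AddressOfNameOrdinals: name index -> function index
    funcs = [0x1100, 0x1200, 0x1300, 0x1400]  # AddressOfFunctions: made-up code RVAs
    struct.pack_into("<II", img, 0x100 + 0x14, len(funcs), len(names))  # NumberOfFunctions, NumberOfNames
    struct.pack_into("<III", img, 0x100 + 0x1C, 0x140, 0x160, 0x180)    # RVAs of the three tables
    pos = 0x1A0
    for i, (rva, name) in enumerate(zip(funcs, names)):
        struct.pack_into("<I", img, 0x140 + 4 * i, rva)
        struct.pack_into("<I", img, 0x160 + 4 * i, pos)
        struct.pack_into("<H", img, 0x180 + 2 * i, ordinals[i])
        img[pos:pos + len(name) + 1] = name + b"\0"
        pos += len(name) + 1
    return bytes(img)


def export_tables(img):
    """The same reads the listing does: e_lfanew, data directory 0 at NT+0x78,
    then the four dwords starting at export directory +0x18."""
    nt = struct.unpack_from("<I", img, 0x3C)[0]
    exp = struct.unpack_from("<I", img, nt + 0x78)[0]
    return struct.unpack_from("<IIII", img, exp + 0x18)   # NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals


def function_rva(img, tables, name_index):
    """name index -> 16-bit ordinal -> AddressOfFunctions[ordinal]."""
    _, funcs, _, ords = tables
    ordinal = struct.unpack_from("<H", img, ords + 2 * name_index)[0]
    return struct.unpack_from("<I", img, funcs + 4 * ordinal)[0]


def find_export_as_stub(img, wanted):
    """Mirror of the listing: DEC EDX / JE walks indices NumberOfNames-1 down
    to 1 (never 0), and REPE CMPSB with ECX = strlen(wanted) compares only
    that many bytes, so any longer export name starting with `wanted` matches."""
    tables = export_tables(img)
    nnames, _, names, _ = tables
    for i in range(nnames - 1, 0, -1):
        name_rva = struct.unpack_from("<I", img, names + 4 * i)[0]
        if img[name_rva:name_rva + len(wanted)] == wanted:
            return function_rva(img, tables, i)
    return None


def find_export(img, wanted):
    """Corrected lookup: every index, exact match up to the terminating NUL."""
    tables = export_tables(img)
    nnames, _, names, _ = tables
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", img, names + 4 * i)[0]
        if img[name_rva:img.index(b"\0", name_rva)] == wanted:
            return function_rva(img, tables, i)
    return None


if __name__ == "__main__":
    m = build_sample_module()
    for name in (b"GetProcAddress", b"AddAtomA", b"LoadLibraryA"):
        print(name.decode(), "stub-style:", find_export_as_stub(m, name), "exact:", find_export(m, name))
```

In the listing the cheapest fix for the prefix match is to drop the DEC EDI at 100742C4 so that ECX counts the terminating NUL and REPE CMPSB compares it too; the index-0 gap needs the loop to test before decrementing, which changes more bytes. Neither matters for GetProcAddress on the kernel32 builds that have no GetProcAddressForCaller export.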
