c0d3inj3cT
c0d3inj3cT
/ iat.c
Created
November 20, 2013 06:01
This code can be used for hooking the IAT. In this particular example, I overwrite the function pointer of Sleep() imported from Kernel32.dll in the IAT of the main executable image. Sleep function is called two times in the code, both before and after hooking the IAT to confirm that it was hooked successfully.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| This code will hook the IAT by overwriting the function pointer of Sleep() imported from Kernel32.dll | |
| It can be modified to hook any other function in the IAT | |
| */ | |
| #include <stdio.h> | |
| #include <windows.h> | |
| void spoofedfunction(DWORD); |
c0d3inj3cT
/ unpacker.asm
Created
November 20, 2013 05:51
I have written an example of decrypting the stage 1 of custom packer used in Win32/Injector. Its polymorphic engine makes use of a lot of junk instructions. However, the decryption routine is not complicated. I have extracted the encrypted code from stage 1 and written this program to decrypt it. It uses a 4 byte ADD key as the decryption key. I…
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ; decryption routine for Stage 1 of the custom packer used in Win32/Injector virus | |
| ; c0d3inj3cT | |
| include \masm32\include\masm32rt.inc | |
| .data | |
| Message db "decryption stage1 completed!",0 | |
| .code |
c0d3inj3cT
/ processinjector.c
Last active
December 28, 2015 13:49
This program can be used to test code injection in a remote process on Windows x86.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| This code can be used to test the code injection in a remote process | |
| The CPU usage will be at its peak after running this code | |
| as a result of injecting the bytes, 0xeb, 0xfe into the remote process | |
| If you get a high CPU usage for the remote process, you have successfully | |
| injected the code. You can also confirm it by attaching a debugger to the | |
| remote process and setting a breakpoint at the return address of VirtualAllocEx() | |
| c0d3inj3cT | |
| */ |
c0d3inj3cT
/ rop.c
Last active
December 24, 2015 06:59
This code can be used to extract opcodes corresponding to ROP gadgets in a shellcode. It detects whether the DWORD is a ROP gadget or a parameter to the ROP gadget. The new file created by this code can be loaded in IDA Pro to analyze the ROP shellcode.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <windows.h> | |
| #include <psapi.h> | |
| // Compile this code using: cl /TC rop.c /link psapi.lib | |
| int main(int argc, char **argv) | |
| { | |
| FILE *fp; | |
| FILE *rop; |
NewerOlder