Execute any bytecode (ML64.exe)

Started by davef, November 10, 2018, 09:53:59 PM

davef

Hello,
I want to share my ML64.exe assembler code snippet for executing bytecode.
The bytes (opcodes) are defined in a byte array.

1. Load bytes (opcodes) to payload variable
2. Make memory page executable (VirtualProtect)
3. Load the beginning of bytecode to RAX
4. Call RAX
5. Show MessageBox

;(c) 2018 Dawid_vx7 - http://vx7.pl/
;Assembler MASM64 (ML64.EXE)
extrn ExitProcess : proc
extrn VirtualProtect : proc
extrn MessageBoxA : proc

.const
PAGE_EXECUTE_READWRITE equ 040h     ; winnt.h protection value: read + write + execute

.data
szText db "Done.", 0
dwLen dd 0                          ; byte length of the payload, filled in at run time
dwOldProtect dd 0                   ; previous protection, written back by VirtualProtect
payload db 090h, 090h, 090h, 0C3h   ; NOP NOP NOP RET - the bytecode, stored in the writable .data section

.code

Main proc

mov dwLen, sizeof payload           ; 1. size of the byte array (4 bytes here)

; 2. VirtualProtect(payload, dwLen, PAGE_EXECUTE_READWRITE, &dwOldProtect)
; The protection changes for every page overlapping the range, so the whole
; 4 KiB .data page that holds payload becomes writable and executable.
; The return value in rax is not checked here.
sub rsp, 28h                        ; 32-byte shadow space + 8 to keep rsp 16-byte aligned
lea r9, dwOldProtect
mov r8, PAGE_EXECUTE_READWRITE
mov edx, dwLen
lea rcx, payload
call VirtualProtect
add rsp, 28h

; 3. + 4. jump into the now-executable bytes; the payload's RET brings control back here
lea rax, payload
call rax

; 5. MessageBoxA(NULL, szText, szText, MB_OK)
sub rsp, 28h
xor r9, r9                          ; uType = MB_OK (0)
lea r8, szText                      ; caption
lea rdx, szText                     ; text
xor rcx, rcx                        ; hWnd = NULL
call MessageBoxA
add rsp, 28h

; ExitProcess(0) - never returns
sub rsp, 28h                        ; shadow space + alignment, as for the other calls
xor rcx, rcx
call ExitProcess
Main endp

end
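
The VirtualProtect call above leaves the page holding payload both writable and executable, which is the trace this technique leaves in a process. As an added example from the defender's side (not part of davef's post), the following Python script enumerates the current process's committed regions with kernel32.VirtualQuery and reports those with a write+execute protection; it assumes 64-bit Windows for the MEMORY_BASIC_INFORMATION layout, while the protection-decoding helpers are plain Python and run anywhere.

```python
# Added example (not part of the forum post): report writable+executable
# regions in the current process. Classification helpers are pure Python;
# find_wx_regions() needs 64-bit Windows (kernel32.VirtualQuery, 64-bit
# MEMORY_BASIC_INFORMATION layout).
import ctypes
import sys

# winnt.h page-protection classes (low byte); 0x100/0x200/0x400 are the
# PAGE_GUARD / PAGE_NOCACHE / PAGE_WRITECOMBINE modifier bits.
PAGE_READWRITE, PAGE_WRITECOPY = 0x04, 0x08
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80  # 0x40 is what the snippet requests
MEM_COMMIT = 0x1000
WRITABLE = {PAGE_READWRITE, PAGE_WRITECOPY, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}

def base_protect(protect):
    """Strip the modifier bits so only the access class remains."""
    return protect & 0xFF

def is_writable_executable(protect):
    """True for the W+X combinations that code written at run time needs."""
    p = base_protect(protect)
    return p in WRITABLE and p in EXECUTABLE

class MEMORY_BASIC_INFORMATION(ctypes.Structure):  # 64-bit layout (has PartitionId)
    _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                ("AllocationProtect", ctypes.c_uint32), ("PartitionId", ctypes.c_uint16),
                ("RegionSize", ctypes.c_size_t), ("State", ctypes.c_uint32),
                ("Protect", ctypes.c_uint32), ("Type", ctypes.c_uint32)]

def find_wx_regions():
    """Walk the user address space; return (base, size, protect) of committed W+X regions."""
    if sys.platform != "win32" or ctypes.sizeof(ctypes.c_void_p) != 8:
        raise OSError("needs 64-bit Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.VirtualQuery.argtypes = [ctypes.c_void_p, ctypes.POINTER(MEMORY_BASIC_INFORMATION), ctypes.c_size_t]
    k32.VirtualQuery.restype = ctypes.c_size_t
    mbi, addr, hits = MEMORY_BASIC_INFORMATION(), 0, []
    while k32.VirtualQuery(addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):  # 0 = past user space
        if mbi.State == MEM_COMMIT and is_writable_executable(mbi.Protect):
            hits.append((mbi.BaseAddress or 0, mbi.RegionSize, mbi.Protect))
        addr = (mbi.BaseAddress or 0) + mbi.RegionSize
    return hits

if __name__ == "__main__":
    for base, size, prot in find_wx_regions():
        print(f"W+X region at {base:#x}, size {size:#x}, protect {prot:#x}")
```

Run inside a process after a VirtualProtect call like the one above and the page containing payload shows up with protect 0x40.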

jj2007


davef

Quote from: jj2007 on November 11, 2018, 12:58:00 AM
Payload?  8)
I think that this application can be used to test shellcode.
You have shellcode as byte array and this application will execute it.

I haven't written about shellcode, because I don't know how these things are treated on this forum.

Vortex

Quote from: davef on November 11, 2018, 03:50:56 AM
I haven't written about shellcode, because I don't know how these things are treated on this forum.

Hi davef,

Shellcode is prohibited in this forum.

jj2007

You have an interesting site there, Dawid  :P

Quote: Malicious software: Command & Control
Posted July 23, 2018 07:50 by Dawid_vx7

1. Command & Control - general information
Malicious Command and Control software (abbreviated to C&C) is used to issue orders to infected devices. The easiest way is to create a C&C communication server from which the machines taken over by the attacker take the commands to be performed, e.g. a distributed denial of service attack (so-called Distributed Denial of Service) or other malicious actions.

However, a single, standalone server causes centralization, and if it is "taken", the attacker may lose access to the entire network of zombie computers (botnet) he created.

2. C&C communication channels
In order to hinder the detection and deactivation of networks of infected computers, black hat hackers are coming up with newer ways of communication and remote control.

The following are some of the ways C&C programs communicate:

- Server with static IP - communication can take place via TCP, IRC (Internet Relay Chat), FTP (File Transfer Protocol) or HTTP (even using SSL/TLS encryption). The server can be maintained on so-called Bulletproof Hosting, which can severely block the C&C server.
- Dynamic DNS (Dynamic Domain Name System) - in the case of a "photo" of the server, it is possible to run another one under a different IP address but the same host (domain). Malicious software that has the server address saved as a domain can easily connect to the new server and retrieve commands from it.
- P2P (peer-to-peer) connections - the malicious program installed on infected computers acts like a P2P client. This causes the dispersal and decentralization of control over the network of zombie machines.
- Internet portals - remote control of infected computers is done by placing commands, for example, in social networks or other global services. A pretty clever solution. A post or comment on the website may contain a hidden command that downloads and executes a malicious application.
- and others... - commands for the botnet can also be hidden, for example, in pictures, etc.
Placing commands for a botnet, for example on a social network portal, gives the attacker extra time if detected. He can then, for example, change the URL address used for remote command issuing to another one.

3. Termination
The article presents the ways botnet authors work, for information purposes.

davef

Quote from: jj2007 on November 11, 2018, 04:15:00 AM
You have an interesting site there, Dawid  :P

I am also surprised what people can do for SEO and better indexing of their website by search engines :icon_mrgreen:
(I know it's low quality, short, bad, article for SEO)

I read terms now, so I can't link to this (my) website, I have removed links from profile and signature.
I will try to stay here without hacking/VX content.