Thread: Part one of an ASM ghostwriting PoC script

  1. #1
    ShadowMaster (Senior Member)

    Part one of an ASM ghostwriting PoC script

    This is now on github https://github.com/Shadow-Master/

    I'd like to start off by apologizing in advance. This is posted in the experts section for a reason. This is not a script for people who want to zOMG hax0R things. This is for people who appreciate hacking.
    While reading blog posts about AV bypass, one method described was ASM ghostwriting. I thought it was a really cool method, and wanted to look beyond static string replacement in the ASM code. So I came up with several ideas.

    The first part of my script (this part) is a parser. It will read in an ASM.s file, and output the stack and reg values acc. to its parser. Please read the readme for a more full explanation.

    The second two parts will be added to the main part, hopefully, and will be ASM generators/obfuscators and a static string replacement method.

    Again, I apologize for sounding like a jerk, but since this is made for people who write shellcode, and not just disassemble a metasploit payload, it *ONLY* reads in files of *VALID* ASM code. Please see the readme for what is considered valid.

    I am posting it here half-done for several reasons:
    1) Find any bugs.
    2) Comment about the script, and functionality you want added.
    3) Stoke people's interest, so I can gauge how much work I should be putting into it.
    4) Get people on the team to help me
    The help necessary is to come up with an engine of some sort to generate ASM code based on a saved framestate. Again, see the readme...

    I've included the script, the readme, and some test shellcode files. One will obviously fail.
    Last edited by ShadowMaster; 08-15-2012 at 03:46 PM.
    World Domination is such an ugly phrase. I prefer the term World Optimization.

  2. #2
    savioboyz (Senior Member)

    Re: Part one of an ASM ghostwriting PoC script

    Good stuff, dude. Well done.
    Saviour Emmauel Ekiko

  3. #3
    ShadowMaster (Senior Member)

    Re: Part one of an ASM ghostwriting PoC script

    Thanks, I've only been writing shellcode for about five months. Let me know what you think about it, and what I should add. I appreciate any input.

  4. #4
    Good friend of the forums

    Re: Part one of an ASM ghostwriting PoC script

    Thanks. For the jumps, you could make people enter jz 0x40 in the ASM code rather than jz label.

  5. #5
    ShadowMaster (Senior Member)

    Re: Part one of an ASM ghostwriting PoC script

    Thanks for the input, that's a cool idea. I was thinking something like this: as opposed to having to know all the byte lengths of the assembled instructions, I would implement two different arrays or hash tables.
    Since all ASM code is funneled to parsecmd to be processed, if I read the file into a hash table or array, then jump on a cmd to a specific element inside that table (meaning, just pass the cmd that comes after the label to the sub), it can be done. It would take some working out, but I feel that that is the right path.


    Edit:
    Meaning something like this:
    1) Add a new flag to the script called $currentline
    2) Read in the ASM file of valid lines only (including labels) to an array called @LINES
    3) Create a hash table named #POINTERS (or something) with the same number of elements as the @LINES array, and whenever a label is read in, the key name is LABEL; otherwise the key name is line(currline)
    3a) the values of each line would be incremented by one
    4) Instead of the current loop to read in cmds, switch it to a do loop, and send @LINES($currentline) to parsecmd.
    5) If a jmp is hit with a matching flag, then set $currentline to be #POINTERS({LABEL})'s value. The do loop would automatically be updated, and the code would continue as normal.

    Tell me what you think about this...


    Thanks for the input, and let me know what you think of the rest of the script.
    Last edited by ShadowMaster; 08-11-2012 at 09:37 PM.

  6. #6
    Good friend of the forums

    Re: Part one of an ASM ghostwriting PoC script

    It's a good base. I was thinking: you're keeping track of the registers, so you could have a brute force part that takes from one line forward ten, say (auto or manual), and get it to generate different combinations to make the value the same.
    1) Get current line
    2) Save regs to temp
    3) Process lines
    4) Get current line
    5) Save regs to temp1
    6) Loop
    7) Bruteforce and/or/xor/not/shr/ror
    8) Compare to saved regs temp/temp1
    9) Break
    Maybe a database of micro functions, connect/sendmessage etc., and one instruction like connect(123), with 123 the rand function to the bruteforce. Sorry, more ideas than help.
    Last edited by compaq; 08-12-2012 at 03:43 AM.

  7. #7
    ShadowMaster (Senior Member)

    Re: Part one of an ASM ghostwriting PoC script

    These all sound like good ideas, and any idea is appreciated. But I'm not sure what you mean with this? Is this for the ASM generator? For the parser? For the line-by-line substitution? I'm interested in understanding; please explain more in depth.

  8. #8
    Good friend of the forums

    Re: Part one of an ASM ghostwriting PoC script

    The line by line substitution: say you have xor eax, eax; push eax; push eax; inc eax; push eax; connect. The brute force part will work out that it needs two pushes of 0x00 and one of 0x01, and will create a combination that will make the same thing, like add 0x80..80, add 80..80, push eax
    Code:
    #include <stdio.h>
    #define SLOTS 3                  /* number of instructions in the brute-forced window */
    #define OPS   3                  /* 0 = xor eax,val   1 = and eax,val   2 = push eax */

    int main(void) {
        int array[SLOTS] = {0}, i, done = 0;
        unsigned int val = 0x55;
        unsigned int tempeax = 0x00, tempstack = 0x02;   /* regs/stack saved after the original lines */
        while (!done) {
            unsigned int eax = 0x55, pushes = 0;         /* regs/stack saved before the original lines */
            for (i = 0; i < SLOTS; i++) {
                if (array[i] == 0x00) eax = eax ^ val;
                if (array[i] == 0x01) eax = eax & val;
                if (array[i] == 0x02) pushes++;          /* push eax: sub esp, 0x04 ; mov [esp], eax */
            }
            if (eax == tempeax && pushes == tempstack)
                printf("combination success: %d %d %d\n", array[0], array[1], array[2]);
            /* odometer-style increment: carry into the next slot when one wraps */
            for (i = 0; i < SLOTS; i++) {
                if (++array[i] < OPS) break;
                array[i] = 0;
                if (i == SLOTS - 1) done = 1;
            }
        }
        return 0;
    }
    Last edited by compaq; 08-12-2012 at 06:30 PM.

  9. #9
    ShadowMaster (Senior Member)

    Re: Part one of an ASM ghostwriting PoC script

    Interesting. My thoughts were something along those lines for the ASM generating engine. For the line-by-line, I was thinking something like this:
    Every time the code found a register-clearing XOR, it would replace it with something equivalent in result but not in action.
    Meaning:
    XOR EAX, EAX would be changed into something like this:

    PUSH BYTE 0x55
    POP EAX
    NOP
    PUSH EBX
    NOP
    NOP
    INC EBX
    MOV BYTE BH, 0xF5
    MOV EBX, EAX
    SUB EAX, EBX
    POP EBX

    These would all be community created modules that would do the exact same thing as the line replaced, only with multiple lines, and *ONLY* affect the registers that are affected in the lines. All other registers would remain the same.
    Also the stack would remain the same.

    I'm working on implementing JMP's and CALL's, CMP's and TEST's, but since I have no definitive list of which instructions set which flags when, and which JMP's and CALL's unset which flags when, it is slow going for now... Any help in that area is appreciated as well.

  10. #10
    Good friend of the forums

    Re: Part one of an ASM ghostwriting PoC script

    jmp and calls shouldn't set any eflags; jz/jnz, test and cmp set the zero flag; jge/jae/jle/jl/jg set the overflow and carry flags. You can use popf and pushf with and/or &0x40 (zero flag, I think, etc.)
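As an added example (not code from the thread or from ShadowMaster's script), a small Python frame-state tracker that implements the two-pass @LINES / #POINTERS label table and current-line loop from post #5, tracks registers, the stack and the zero flag so that jz/jnz work, and then checks post #9's XOR replacement for equivalence. It assumes Intel syntax, one instruction per line, labels written as name:, a handful of instructions, and ZF as the only modelled flag; the 8-bit names al/ah/bl/bh are supported only as destinations.

```python
MASK = 0xFFFFFFFF
BYTE_REGS = {"al": ("eax", 0), "ah": ("eax", 8), "bl": ("ebx", 0), "bh": ("ebx", 8)}
def load(src):
    lines, labels = [], {}          # the @LINES array and #POINTERS table from post #5
    for raw in src.splitlines():
        line = raw.split(";")[0].strip().lower()
        if line.endswith(":"):
            labels[line[:-1]] = len(lines)   # label -> index of the next instruction
        elif line:
            lines.append(line)
    return lines, labels

def run(src, regs=None, stack=None, limit=10000):
    """Step a current-line index through the program; return (regs, stack, ZF)."""
    lines, labels = load(src)
    regs = {"eax": 0, "ebx": 0, **(regs or {})}
    stack, zf, cur = list(stack or []), False, 0
    def get(op):                    # operand -> value; size words like 'byte' are dropped
        op = op.split()[-1]
        return regs[op] if op in regs else int(op, 0) & MASK
    def put(op, v):                 # write a 32-bit register or (destination only) an 8-bit half
        op = op.split()[-1]
        if op in BYTE_REGS:
            r, s = BYTE_REGS[op]
            regs[r] = (regs[r] & ~(0xFF << s) & MASK) | ((v & 0xFF) << s)
        else:
            regs[op] = v & MASK
    while cur < len(lines) and limit > 0:
        limit -= 1                  # guard against runaway loops in the input
        op, _, rest = lines[cur].partition(" ")
        a = [x.strip() for x in rest.split(",")]
        cur += 1
        if op == "push": stack.append(get(a[0]))
        elif op == "pop": put(a[0], stack.pop())
        elif op == "mov": put(a[0], get(a[1]))
        elif op in ("inc", "sub", "xor", "cmp", "test"):          # ALU ops set ZF
            x, y = get(a[0]), (get(a[1]) if len(a) > 1 else 1)
            r = {"inc": x + y, "sub": x - y, "cmp": x - y, "xor": x ^ y, "test": x & y}[op] & MASK
            zf = r == 0
            if op not in ("cmp", "test"): put(a[0], r)            # cmp/test only set flags
        elif op == "jmp" or (op == "jz" and zf) or (op == "jnz" and not zf):
            cur = labels[a[0]]                                    # jumps read ZF, never set it
        elif op not in ("nop", "jz", "jnz"):
            raise ValueError("unsupported instruction: " + lines[cur - 1])
    return regs, stack, zf

def same_effect(original, replacement, regs, stack):  # identical regs, stack and ZF?
    return run(original, regs, stack) == run(replacement, regs, stack)
# Post #9's proposed replacement for XOR EAX, EAX, constructed here as the sample input
GHOST = ("push byte 0x55\npop eax\nnop\npush ebx\nnop\nnop\ninc ebx\n"
         "mov byte bh, 0xf5\nmov ebx, eax\nsub eax, ebx\npop ebx")
```

On x86, cmp/test/sub/xor/inc write ZF and the conditional jumps only read it, which is what the jmp/jz/jnz branch models; dropping the final pop ebx from the replacement makes same_effect report a mismatch on EBX and the stack.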
