Virtual file system design

I'm starting a protection / packer / binder project, like a project.

The goal is when you have a complete application catalog with

  • /Images/
  • /music/
  • base *.ini files
  • DLLs
  • EXEs

you just run packer.exe and all these files are packed, encrypted and saved in the resulting exe.

The resulting exe creates a transparent virtual file system that falls back to the "real" one if the file is not found.

I already can handle (not very accurately) loading a DLL from memory, etc., but I have a problem with hmm hooks.

As a proof of concept I'm attaching a debugger (written in C++) to target.exe.

It looks a bit like this:

    ======= Started [target.exe] =======
    > Placing breakpoint on EP : 0x401130
    Process started
    Loaded module : [target.exe]
    Loaded module : [ntdll.dll]
    Loaded module : [kernel32.dll]
    [...]
    Break point at [0x401130]
    > Restored EP byte.
    Loaded module : [bass.dll]
    Break point at [0x760fcc4e]
    Found set bp : kernel32!CreateFileW
    [!] CreateFileW Callback Function :
     FileName : C:\Users\user\Desktop\cppve\loader\bin\Debug\target.exe
     Access : 0x80000000
     Return Addr: 0x741b91e6
    > Re-setting bp at [0x760fcc4e]
    Break point at [0x760fcc4e]
    Found set bp : kernel32!CreateFileW
    [!] CreateFileW Callback Function :
     FileName : .\beyond_v.mod
     Access : 0x80000000
     Return Addr: 0x760fcfa0

I handle breakpoints in the debugger for things like CreateFileW, ReadFile etc. I'm having problems with goal setting with useful data.

Should I create a fake descriptor and then catch it and process it? Or are there too many things that can go very wrong with this approach?

Here is an example callback function for CreateFileW:

    void callback_createfilew(CONTEXT* ct){
        //stub
        cout<<"[!] CreateFileW Callback Function :"<<endl;
        // stdcall frame at the breakpoint: [Esp] = return address, [Esp+4...] = arguments
        void* returnaddr=MemReadDwordPtr(hProcess,(void*)ct->Esp);
        string fn=MemReadCString(hProcess,MemReadDwordPtr(hProcess,(void*)(ct->Esp+4)),true);
        void* access=MemReadDwordPtr(hProcess,(void*)(ct->Esp+8));
        void* sharemode=MemReadDwordPtr(hProcess,(void*)(ct->Esp+12));
        // Esp+16 is lpSecurityAttributes, not needed here
        void* dwCreationDisposition=MemReadDwordPtr(hProcess,(void*)(ct->Esp+20));
        void* dwFlagsAndAttributes=MemReadDwordPtr(hProcess,(void*)(ct->Esp+24));
        cout<<" FileName : "<<fn<<endl;
        cout<<" Access : "<<(void*)access<<endl;
        cout<<" Return Addr: "<<(void*)returnaddr<<endl;
        if(fn.compare(".\\beyond_v.mod")==0){
            // this is wrong, we need to call it from the target process...
            HANDLE ret=CreateFileA(".\\_beyond_v.mod",(DWORD)access,(DWORD)sharemode,NULL,(DWORD)dwCreationDisposition,(DWORD)dwFlagsAndAttributes,NULL);
            // skip the real CreateFileW: pop return address + 7 stdcall args (4 + 0x1C = 0x20)
            ct->Esp+=0x20;
            ct->Eax=(DWORD)ret;
            ct->Eip=(DWORD)returnaddr;
        }
    }

Should I make a codec in this process and click shellcodes [Edit: sorry, I use many of these words to describe different things, but I think you will understand what I mean :)] to execute my fake code?

Or maybe introduce a DLL that will handle int3s and transfer control to it through exception handlers configured by the loader? However, this may seem complicated... what a DLL should be in a virtual file system! Therefore, I will have to manually download it before starting any other initialization.

I would like to completely drop the debugger in the final version. It will only cause problems and seriously constitute the defensive part of the project.

1 answer

If you want your "packer" to work transparently in precompiled binaries and want everything inside the resulting single binary, the packer needs to add the binding code to the binary, possibly make it run as the first, and only then transfer control to the source entry point of the binary file. This is not very trivial, although certainly feasible.

But you have one more problem. This interception code will contain a decryption code and, probably, a key, and also all this can be broken by a good programmer using a debugger and some other tools.

As for the fake descriptors, I would see if it is possible to open the file several times and get different descriptors. If so, just open any existing file for reading in shared mode, remember the handle and use it for the file in memory. Need another handle? Open the file again to receive it. This ensures no collisions with other real handles.
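As an added example (not code from the question or the answer), here is a portable C++ sketch of the loader-side bookkeeping that the answer's "placeholder handle" idea implies: packed files live in memory, every open of a packed name is given a distinct handle that is guaranteed not to collide with the target's real handles, each handle keeps its own read cursor, and an unknown name or foreign handle is reported as "not ours" so the hook can let the real CreateFileW/ReadFile proceed. The `VfsHandle` type, the `VirtualFs` class and its method names are assumptions for this example; the handle allocator is a stand-in that hands out values from a reserved range, whereas in the answer's scheme it would return the HANDLE from re-opening an always-present file in shared mode.

```cpp
// Added example: in-memory virtual file system with placeholder handles.
// Not part of the original post; names and the handle type are assumptions.
#include <cctype>
#include <cstdint>
#include <cstring>
#include <map>
#include <string>
#include <vector>

using VfsHandle = std::uintptr_t;   // stands in for a Win32 HANDLE (assumption)

class VirtualFs {
public:
    // reserve_real: returns a genuine, unused OS handle. In the answer's scheme this
    // re-opens an existing file in shared mode, so the placeholder can never collide
    // with a handle the target process obtains on its own later.
    explicit VirtualFs(VfsHandle (*reserve_real)()) : reserve_real_(reserve_real) {}

    // Register one file unpacked/decrypted from the resource blob.
    void add(const std::string& name, const std::vector<std::uint8_t>& bytes) {
        files_[normalize(name)] = bytes;
    }

    // Emulates CreateFileW for packed names: true + placeholder handle if the name is
    // packed; false means "not ours", i.e. the hook should run the real API instead.
    bool open(const std::string& name, VfsHandle* out) {
        auto it = files_.find(normalize(name));
        if (it == files_.end()) return false;
        VfsHandle h = reserve_real_();
        cursors_[h] = Cursor{&it->second, 0};
        *out = h;
        return true;
    }

    bool is_virtual(VfsHandle h) const { return cursors_.count(h) != 0; }

    // Emulates ReadFile: copies up to len bytes from the per-handle cursor and
    // advances it. Returns bytes read (0 at EOF) or -1 if the handle is not ours.
    long read(VfsHandle h, void* buf, std::size_t len) {
        auto it = cursors_.find(h);
        if (it == cursors_.end()) return -1;
        Cursor& c = it->second;
        std::size_t avail = c.data->size() - c.pos;
        std::size_t n = len < avail ? len : avail;
        std::memcpy(buf, c.data->data() + c.pos, n);
        c.pos += n;
        return static_cast<long>(n);
    }

    // Emulates CloseHandle for placeholders; false if the handle was not ours.
    bool close(VfsHandle h) { return cursors_.erase(h) != 0; }

private:
    struct Cursor { const std::vector<std::uint8_t>* data; std::size_t pos; };
    // ".\x", "./x", "X" all refer to the same packed file (Windows names are
    // case-insensitive); real code would also canonicalize absolute paths.
    static std::string normalize(std::string s) {
        if (s.rfind(".\\", 0) == 0 || s.rfind("./", 0) == 0) s.erase(0, 2);
        for (char& ch : s) {
            if (ch == '\\') ch = '/';
            ch = static_cast<char>(std::tolower(static_cast<unsigned char>(ch)));
        }
        return s;
    }
    VfsHandle (*reserve_real_)();
    std::map<std::string, std::vector<std::uint8_t>> files_;
    std::map<VfsHandle, Cursor> cursors_;
};

// Stand-in for "open an existing file again in shared mode" (constructed for this
// example): hands out distinct values from a reserved range. A real loader would
// return the HANDLE of a second CreateFileW on some file that always exists.
static VfsHandle fake_reserve_real() {
    static VfsHandle next = 0x1000;
    next += 4;
    return next;
}

// Walk-through: one packed file (constructed content), opened twice with independent
// cursors, plus the fall-through cases. Returns 0 on success, else the failed step.
int demo() {
    VirtualFs vfs(fake_reserve_real);
    vfs.add(".\\beyond_v.mod", {'M', 'O', 'D', '1', '2', '3'});
    VfsHandle a, b, missing;
    if (!vfs.open(".\\beyond_v.mod", &a)) return 1;
    if (!vfs.open("BEYOND_V.MOD", &b)) return 2;          // same file, new handle
    if (a == b) return 3;
    if (vfs.open(".\\other.ini", &missing)) return 4;     // not packed -> real API
    char buf[4] = {0};
    if (vfs.read(a, buf, 3) != 3 || std::memcmp(buf, "MOD", 3) != 0) return 5;
    if (vfs.read(a, buf, 4) != 3 || std::memcmp(buf, "123", 3) != 0) return 6;
    if (vfs.read(a, buf, 4) != 0) return 7;               // EOF on handle a
    if (vfs.read(b, buf, 2) != 2 || std::memcmp(buf, "MO", 2) != 0) return 8; // b untouched
    if (vfs.read(0x42, buf, 1) != -1) return 9;           // foreign handle -> real ReadFile
    if (!vfs.close(a) || vfs.close(a)) return 10;         // second close is a no-op
    return 0;
}
```

The two places where the hook decides "ours or not" are `open()` returning false and `read()` returning -1; everything else the loader leaves to the real API, which is what makes the file system transparent. The per-handle cursor matters because the target may open the same packed file twice and interleave reads, as the two handles in `demo()` do.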


Source: https://habr.com/ru/post/1402946/


All Articles