Update re102_section4.3.md

This commit is contained in:
SECURED.ORG
2017-08-10 22:55:27 -07:00
committed by GitHub
parent 3e05e4b836
commit 937a9d7e19

@@ -25,10 +25,10 @@ Keep in mind that you dont need to do this step, but converting it to an exe
There are many tools and scripts available that help you convert shellcode into an exe like [shellcode2exe.py](https://github.com/securedorg/shellcode_tools/blob/master/shellcode2exe.py). However I have found that Hexacon provided a nice easy [tutorial for converting shellcode into an executable](http://www.hexacorn.com/blog/2015/12/10/converting-shellcode-to-portable-executable-32-and-64-bit/). This section will be using this YASM and GoLink to create the executable while using CFF explorer to edit the binary header.
1. Download Yasm
[http://www.tortall.net/projects/yasm/releases/yasm-1.3.0-win32.exe](http://www.tortall.net/projects/yasm/releases/yasm-1.3.0-win32.exe)
[yasm-1.3.0-win32.exe](http://www.tortall.net/projects/yasm/releases/yasm-1.3.0-win32.exe)
2. Extract **yasm-1.3.0-win32.exe** and rename it to **yasm.exe**
3. Download GoLink linker
[http://www.godevtool.com/Golink.zip](http://www.godevtool.com/Golink.zip)
[Golink.zip](http://www.godevtool.com/Golink.zip)
4. Extract golink.exe
5. Create a **decrypted_shellcode.asm** file with the following instructions
```
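Review bot: the site credited in the second sentence of this hunk is misnamed; the link points to hexacorn.com, so "Hexacon" should read "Hexacorn". Two smaller wording points in the same hunk: the context line "you dont need to do this step" is missing its apostrophe ("you don't need"), and "This section will be using this YASM and GoLink" reads better as "This section will use YASM and GoLink". The download steps now carry both a bare-URL line and a named-link line for yasm-1.3.0-win32.exe and for Golink.zip; only one form of each should survive in the final text, and the rendered view makes it hard to tell which side is being kept, so it is worth confirming the merged file shows a single link per tool.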
@@ -45,7 +45,7 @@ yasm.exe -f win32 -o decrypted_shellcode.obj decrypted_shellcode.asm
```
golink /ni /entry Start decrypted_shellcode.obj
```
8. Open shellcode.exe with CFF explorer and open the NT Headers->Optional Headers->AddressOfEntryPoint. Add the current value to 0x4B27 which was the offset of where the malware was going to return to in function `sub_45B794`. AddressOfEntryPoint should be `000052B7`. This will ensure that IDA knows where to start the disassembly.
8. Open shellcode.exe with CFF explorer and open the **NT Headers->Optional Headers->AddressOfEntryPoint**. Add the current value to 0x4B27 which was the offset of where the malware was going to return to in function `sub_45B794`. AddressOfEntryPoint should be `000052B7`. This will ensure that IDA knows where to start the disassembly.
Finally, open the decrypted_shellcode.exe into IDA for Section 5.
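Review bot: the file name in step 8 is inconsistent with the rest of the procedure. Both versions of the step say "Open shellcode.exe with CFF explorer", yet the assembler and linker commands operate on decrypted_shellcode.asm and decrypted_shellcode.obj, and the closing sentence tells the reader to load decrypted_shellcode.exe into IDA; the step should name the same file, e.g. "Open decrypted_shellcode.exe with CFF Explorer". The arithmetic instruction also reads backwards: "Add the current value to 0x4B27" is clearer as "Add 0x4B27 to the current AddressOfEntryPoint value". Note that the stated result 000052B7 only follows if the linker-produced entry point is 0x790 (0x52B7 - 0x4B27), so the text should say that the reader's starting value may differ and that the offset, not the final number, is what matters. Finally, the two consecutive lines both numbered "8." look like the old and new wording of one step; confirm that only the bolded version remains after merge.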