Malware

Check if running inside a VM

// VM check via the VMware "backdoor" I/O port: the result starts true and is
// cleared only if the port read raises an exception. 'VMXh' (the magic value)
// and 'VX' (the port) are well-known constants and a common static signature
// when triaging a sample.
bool res = true;

__try {
        __asm           {
                push   edx
                push   ecx
                push   ebx
                mov    eax, 'VMXh' // magic value the hypervisor expects in EAX
                mov    ebx, 0      // any value but not the MAGIC VALUE
                mov    ecx, 10     // get VMWare version
                mov    edx, 'VX'   // port number
                in     eax, dx     // read port
                // on return EAX returns the VERSION
                cmp    ebx, 'VMXh' // is it a reply from VMWare? (hypervisor writes the magic back into EBX)
                setz[res]       // set return value: res = (EBX == 'VMXh')
                pop    ebx
                pop    ecx
                pop    edx
        }
}       __except (EXCEPTION_EXECUTE_HANDLER) {
          // Reached when the IN instruction faults; a user-mode IN normally
          // raises a privileged-instruction exception on bare metal, so this
          // path is the expected outcome outside VMware.
          res = false;
          }

if (res) printf("In a VM !!!");

Hiding from the import table

#include <stdio.h>

// Variadic function-pointer type used in main() to call printf indirectly
// (first argument is the format string, as with printf).
typedef void (*type_print) (char *c, ...);

/*
 * Demonstrates calling printf through a pointer computed from scanf's
 * address instead of through printf's own import entry. As written this is
 * the calibration build: the printf() call below still references printf
 * directly and prints the measured scanf-printf distance, which is then
 * hard-coded as `delta` (94272).
 *
 * NOTE(review): the hard-coded delta is only valid for the exact C runtime
 * build it was measured against; with any other CRT build monprint is likely
 * to point into unrelated code. Subtracting two unrelated function pointers
 * (and passing function pointers to %p) is also not defined by the C
 * standard, so the printed value is toolchain specific.
 *
 * Analyst note: the intended effect is a binary whose import table lists
 * scanf but not printf, with the real call target resolved only at run time.
 */
int main(int argc, char *argv[]){

        type_print monprint;

        // evaluate delta between scanf and printf 
        printf("%p, %p, %li" ,scanf,printf, (scanf - printf) );
//      long int delta=scanf - printf;
        long int delta=94272;   /* measured once with the line above, then frozen */
        monprint = (type_print) ((char *) scanf -delta) ;   /* scanf's address minus delta == printf's address (for that CRT build) */
        monprint("Hello world\n");
        return 0;
}

Position independent

Use only stack variables to write position-independent code in C/C++, so we can't write:

char *v=new char[100];      // heap allocation: the buffer lives outside the stack frame
char *str="I'm a string";   // points at a string literal with static storage in the binary's data section
                            // (also ill-formed in C++11 and later: a literal is const char[])

because the array would be allocated on the heap, and the string literal would live in the binary's data section rather than on the stack.

Instead use:

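// Intended as a local (automatic) array: initialised element by element so the
// bytes are written into the stack frame at runtime instead of referencing a
// literal in the binary's data section. The two spaces must be ' ' -- an empty
// character literal '' is not valid C/C++ -- and the declaration needs a ';'.
char str[] = {'I', '\'', 'm', ' ', 'a', ' ', 's', 't', 'r', 'i', 'n', 'g', '\0'};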

Disable SAFESEH

Project Properties | Configuration Properties | Linker | Advanced | Image has Safe Exception Handling

rdtsc

rdtsc - part 1


// Timing check, part 1: snapshot the 64-bit time-stamp counter. rdtsc leaves
// the low 32 bits in EAX and the high 32 bits in EDX; both halves are saved so
// part 2 can compute the elapsed count.
int loValue;
int hiValue;

__asm{		
	rdtsc               // EDX:EAX = current time-stamp counter
	mov loValue, EAX    // save low dword
	mov hiValue, EDX    // save high dword
}

rdtsc - part 2


// Timing check, part 2: re-read the counter and subtract the values saved in
// part 1. If the elapsed count is 2^32 or more, or at least 20000000 cycles,
// execution falls into exit_, which rewrites `seed`; otherwise it jumps to
// continue_. A paired rdtsc with a threshold compare like this is a classic
// timing check (presumably aimed at single-stepping, which inflates the gap).
// NOTE(review): `seed` is not declared on this page; assumed to be an integer
// variable in scope like loValue/hiValue.
__asm{
	rdtsc                // EDX:EAX = current time-stamp counter
	sub EAX,loValue      // 64-bit subtract of the saved value: sub low dword ...
	sbb EDX,hiValue      // ... then subtract high dword with borrow
	cmp EDX,0
	jnz exit_				// JNZ - jump if ZF = 0, i.e. high dword of the delta is non-zero
	cmp EAX,20000000     // decimal in MASM syntax: 20 million cycles
	jb continue_				// JB - jump if CF = 1, i.e. low dword is below the threshold
exit_:
	// Slow path: mix a constant into seed; how seed is used afterwards is not
	// visible here.
	mov eax,seed
	add eax,3
	rol eax,5		
	mov seed,eax

continue_:
}

Detection of debugger or decompiler

// Anti-analysis polling loop: every second, enumerate running processes and
// exit the application if any process name contains one of the listed tool
// names (compared case-insensitively via ToUpper()).
// NOTE(review): as written this does not compile -- `for (;;;)` has an extra
// semicolon, the outer loop over processes needs `foreach`, the `if` on the
// Contains() call is missing a closing parenthesis, and the API is
// `Process.GetProcesses()` (C# is case-sensitive). Code kept as-is.
// Analyst note: the check keys only on the process name, and the literal tool
// names are easy static signatures when triaging a sample.
for (;;;)
{
	// Rebuilt on every iteration although the list never changes.
	string[] array= new string[]
	{
		"IDA",
		"Hopper",
		"Squalr"
	};

	Process[] processes =Process.getProcesses();
	for (Process process in processes)
	{
		String text=process.ProcessName.ToString().ToUpper();
		foreach(string debugStr in array)
		{
			if (text.Contains(debugStr.ToUpper())
			{
				Application.Exit();   // terminate rather than keep running under analysis
			}
		}
	}
	Thread.Sleep(1000);   // poll once per second
}

IDA Script to dump memory

// Memory dump script 
// Edit the start_address / end_address
// Run it from IDA: File -> Script File (SHIFT F2)
 
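// Entry point: writes every byte of the database range
// [start_address, end_address) to fname, one byte at a time, then reports
// what was written in the Output window.
static main()
{
    auto ea;
    auto fname         = "dump_mem.bin";
    auto start_address = 0x400000;
    auto end_address   = 0x40b200;

    // IDC fopen() returns 0 when the file cannot be created; stop here rather
    // than calling fputc()/fclose() on an invalid handle.
    auto file = fopen(fname, "wb");
    if (file == 0)
    {
        Message("[-] Could not open %s for writing\n", fname);
        return;
    }

    // Byte() is the pre-IDA-7 name of get_wide_byte(): it reads the byte at ea
    // from the database, not from a live process. Addresses that are not
    // loaded in the database are not an error -- IDA returns 0xFF for them.
    for (ea = start_address; ea < end_address; ea++)
        fputc(Byte(ea), file);
    fclose(file);

    Message("[!] Saved as: %s\n", fname);
    Message("[*] From: 0x%x\n", start_address);
    Message("[*] End: 0x%x\n", end_address);
}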