Anti-Dump: Header Erase
; FASM (flat assembler) source, Intel syntax, 32-bit Windows (Win32 stdcall API).
format PE GUI                           ; 32-bit PE image, GUI subsystem (no console window)
entry start                             ; AddressOfEntryPoint = start (defined below)
include 'win32a.inc'                    ; FASM Win32 ANSI include: supplies the library/import macros used in .idata
section '.text' code readable executable
;-----------------------------------------------------------------------
; start — process entry point
; Purpose: anti-dump demonstration. After the image is loaded, make the
;          first page of the mapped executable writable and zero it, so
;          the in-memory copy no longer carries its DOS/PE header; then
;          show a message box and exit.
; Regs:    eax = API return values; later al = 0 (fill byte for stosb)
;          edi = image base (HMODULE) = destination for rep stosb
;          ecx = byte count for rep stosb
; Stack:   every callee is stdcall (pops its own arguments); args are
;          pushed right-to-left.
; Exit:    never returns; terminates via ExitProcess(0).
; Defender note: a running process whose image-base page lacks the
;          MZ/PE signatures while the on-disk file has them is a
;          recognizable anti-dump indicator; the .idata/.text/.data
;          sections are left untouched by this routine.
;-----------------------------------------------------------------------
start:
        ; get handle to calling process
        ; GetModuleHandleA(NULL) -> eax = HMODULE of this executable,
        ; which on Win32 is the address the image is mapped at.
        push    0
        call    [GetModuleHandleA]
        ; make page writeable
        ; VirtualProtect(lpAddress = eax, dwSize = 1, PAGE_READWRITE, lpflOldProtect = esp)
        ; NOTE(review): lpflOldProtect is the current stack top, i.e. the
        ; slot that at process entry holds the return address back into
        ; the loader. Clobbering it is harmless here only because this
        ; routine never returns (ExitProcess below); a dedicated stack
        ; local would express the intent more safely.
        push    esp                     ; old protect
        push    4                       ; option PAGE_READWRITE
        push    1                       ; size (rounded up to the page containing the address)
        push    eax                     ; address of starting page
        mov     edi, eax                ; save handle in edi (becomes stosb destination)
        call    [VirtualProtect]
        ; NOTE(review): the BOOL result in eax is not checked; if the
        ; protection change failed, the rep stosb below faults on a
        ; read-only page.
        ; erase header
        xor     ecx, ecx
        mov     ch, 0x10                ; set counter to 0x1000 (partial-register write; mov ecx, 0x1000 is the direct form)
        xor     eax, eax                ; fill with 0 bytes (al = 0 is what stosb stores)
        rep     stosb                   ; will erase 0x1000 bytes (one page: DOS header, PE header, section table)
        ; starting at edi = handle
        ; relies on DF being clear, which the Win32 ABI guarantees on entry
        ; show our message
        ; MessageBoxA(hWnd = NULL, lpText = _message, lpCaption = _caption, uType = MB_OK)
        ; _caption/_message are absolute addresses; the fixups section at
        ; the end of the file provides relocations for them.
        push    0                       ; type MB_OK
        push    _caption                ; dialog title
        push    _message                ; message
        push    0                       ; no owner window
        call    [MessageBoxA]
        ; ExitProcess(0) — does not return
        push    0                       ; success
        call    [ExitProcess]
section '.data' data readable writeable
; NUL-terminated ANSI strings handed to MessageBoxA (title and body)
_caption db 'Win32 assembly program',0
_message db 'Header is erased, now try dumping',0
section '.idata' import data readable writeable
; Import directory. The IAT slots that the indirect calls in .text
; dereference ([GetModuleHandleA], [VirtualProtect], [MessageBoxA],
; [ExitProcess]) live in this section, not in the header page, so the
; calls still resolve after the first page has been zeroed.
library kernel,'KERNEL32.DLL',\
        user,'USER32.DLL'
import kernel,\
       GetModuleHandleA, 'GetModuleHandleA',\
       ExitProcess,'ExitProcess',\
       VirtualProtect,'VirtualProtect'
import user,\
       MessageBoxA, 'MessageBoxA'
; Base relocations for the absolute addresses pushed in .text (_caption,
; _message), so the loader can fix them up if the image is mapped at a
; base other than the one it was assembled for.
section '.reloc' fixups data readable discardable