3 replies to this topic

[EpicOut]

Hey, i share my downloader, i make it for fun and instructive purpose;

my downlader just use UrlDownloadToFile and CreateProcess, all dynamcally for bypass some avs. I could have use the PEB to perfom a better downloader but im lazy :].

Please Login or Register to see this Hidden Content

[iCode]

Nice contribute. Just so you know this isn't dynamic since the API addresses are still hard-coded.

[EpicOut]

They are not hard-coded, and this is dynamic because the functions used are not reported in the IAT, unless GetProc & LoadLibrary, but i could have use PEB to hide them.

Hard-coded suppose the addresses are already known (not in this case), and in other words it's impossible to known in advance the addresses, (ASLR) every reboot the DLL/EXECUTABLE change their execution addresses.

[iCode]

EpicOut, on 25 Oct 2013 - 8:09 PM, said:

They are not hard-coded, and this is dynamic because the functions used are not reported in the IAT, unless GetProc & LoadLibrary, but i could have use PEB to hide them.

Hard-coded suppose the addresses are already known (not in this case), and in other words it's impossible to known in advance the addresses, (ASLR) every reboot the DLL/EXECUTABLE change their execution addresses.

 

I meant for if you were to turn this into a shellcode, the addresses for GetProcAddresses and LoadLibraryA would be static. Sorry I completely forgot to finish my comment before I posted it Since you are creating an executable and not just a binary, you can use Invoke instead of directly calling them from Kernel32.