We discussed the cryptor in the previous post. For the loader part, we are going to document some careful design choices that are used to evade security products.
Encrypt partial data at the beginning of the buffer.
The cryptor procedure decrypts a buffer that contains API names, payloads, and the loader.

Later, the loader decrypts the first few bytes to restore the correct API name, which is then used by the loader itself.

My guess is that some security products scan newly allocated memory to match heuristic patterns. By encrypting the first few bytes, it creates confusion.
Also, the following script is available for decrypting the payload:
Carefully setting the payload’s metadata in LDR_MODULE and PEB.
The sample doesn’t inject into another process; instead, it runs the payload in its own process.
It writes new values for the entry point, DLL base, and size of image into LDR_MODULE.

It also corrects the image base in the PEB.

My guess is that this makes the process look normal in order to evade scanning by security products.
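A detection-side check for the LDR_MODULE and PEB rewriting described above, as an added example that is not part of the original post or the sample's code. It assumes a forensic snapshot (the hypothetical `snap` dictionary) holding the PEB image base, the main module's LDR_MODULE fields and the memory region type at DllBase, assumes the payload sits in privately allocated memory, and compares the snapshot with the executable's on-disk PE header. All sample values are constructed.

```python
import struct

MEM_IMAGE, MEM_PRIVATE = 0x1000000, 0x20000   # Windows memory region types

def pe_header_fields(data: bytes):
    """Return (AddressOfEntryPoint, SizeOfImage) from an on-disk PE header."""
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                        # skip signature + COFF header
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    (size_of_image,) = struct.unpack_from("<I", data, opt + 56)
    return entry_rva, size_of_image

def check_main_module(snap: dict, disk_image: bytes):
    """Compare the main module's loader metadata with disk and region facts."""
    entry_rva, size_of_image = pe_header_fields(disk_image)
    ldr = snap["ldr"]
    findings = []
    if snap["peb_image_base"] != ldr["dll_base"]:
        findings.append("PEB image base differs from LDR DllBase")
    if ldr["size_of_image"] != size_of_image:
        findings.append("LDR SizeOfImage differs from on-disk header")
    if ldr["entry_point"] - ldr["dll_base"] != entry_rva:
        findings.append("LDR EntryPoint RVA differs from on-disk header")
    if snap["region_type_at_base"] != MEM_IMAGE:
        findings.append("DllBase is not backed by a mapped image")
    return findings

def build_pe_header(entry_rva, size_of_image):
    """Constructed minimal PE32+ header for the demo (not a loadable file)."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)    # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x98, 0x20B)   # optional header magic (PE32+)
    struct.pack_into("<I", buf, 0x98 + 16, entry_rva)
    struct.pack_into("<I", buf, 0x98 + 56, size_of_image)
    return bytes(buf)

# Constructed snapshots: an untouched process and one with rewritten metadata.
DISK = build_pe_header(0x1400, 0x9000)
CLEAN = {"peb_image_base": 0x7FF600000000, "region_type_at_base": MEM_IMAGE,
         "ldr": {"dll_base": 0x7FF600000000, "entry_point": 0x7FF600001400, "size_of_image": 0x9000}}
PATCHED = {"peb_image_base": 0x1F0000, "region_type_at_base": MEM_PRIVATE,
           "ldr": {"dll_base": 0x1F0000, "entry_point": 0x1F2A10, "size_of_image": 0x31000}}

if __name__ == "__main__":
    print(check_main_module(CLEAN, DISK), check_main_module(PATCHED, DISK))
```

In the patched snapshot the PEB and LDR_MODULE agree with each other, so only the comparisons against the on-disk header and the region type produce findings.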