This project borrows code from the following:
- https://hero.handmade.network/forums/code-discussion/t/94-guide_-_how_to_avoid_c_c++_runtime_on_windows
- https://github.com/LloydLabs/Windows-API-Hashing
- Empty Import Table
- Empty Debug Directory
- No Rich Header
- Write String Decryptor
- Write API Hashing Algorithm
- Prove they work
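The three PE characteristics listed above (empty import table, empty debug directory, no Rich header) can be verified directly from the headers without any third-party library. The following Python is an added example, not code from the workshop repository: it parses the DOS header, the COFF/optional header and the data directories, and scans the DOS stub region for a `Rich` marker. The `build_min_pe` helper constructs a minimal, non-runnable PE32 header purely so the check can be exercised offline; on a real sample you would pass the bytes of `stealer.exe` instead.

```python
import struct
import sys

# Data directory indices from the PE specification
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_DEBUG = 6


def build_min_pe(import_size=0, debug_size=0, rich=False):
    """Constructed sample: a minimal PE32 header (DOS header, stub, COFF, optional header).

    It is not a loadable executable; it only exists so check_pe() can be tested offline.
    """
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte IMAGE_DOS_HEADER
    struct.pack_into("<I", dos, 0x3C, e_lfanew)       # e_lfanew -> PE signature offset
    stub = bytearray(e_lfanew - 0x40)                 # DOS stub / Rich header region
    if rich:
        # A real Rich header is XOR-encoded "DanS" records terminated by "Rich" + key;
        # the plaintext "Rich" marker is what a quick triage check looks for.
        stub[0:4] = b"DanS"
        stub[0x20:0x24] = b"Rich"
        stub[0x24:0x28] = b"\x11\x22\x33\x44"
    # Signature, Machine (i386), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<IHHIIIHH", 0x00004550, 0x014C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                              # PE32 optional header incl. 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)             # Magic = PE32
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT,
                     0x2000 if import_size else 0, import_size)
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG,
                     0x3000 if debug_size else 0, debug_size)
    return bytes(dos + stub + coff + opt)


def check_pe(data):
    """Return which of the three anti-analysis characteristics the PE image has."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    size_of_optional = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24                           # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:                                # PE32
        num_off, dd_off = opt_off + 92, opt_off + 96
    elif magic == 0x20B:                              # PE32+
        num_off, dd_off = opt_off + 108, opt_off + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#06x}")
    num_dirs = struct.unpack_from("<I", data, num_off)[0]

    def directory(index):
        # Bounds-check against both NumberOfRvaAndSizes and SizeOfOptionalHeader,
        # since malformed samples lie about one or the other.
        entry = dd_off + 8 * index
        if index >= num_dirs or entry + 8 > opt_off + size_of_optional:
            return 0, 0
        return struct.unpack_from("<II", data, entry)

    imp_rva, imp_size = directory(IMAGE_DIRECTORY_ENTRY_IMPORT)
    dbg_rva, dbg_size = directory(IMAGE_DIRECTORY_ENTRY_DEBUG)
    return {
        "empty_import_table": imp_rva == 0 and imp_size == 0,
        "empty_debug_directory": dbg_rva == 0 and dbg_size == 0,
        # The Rich header, when present, lives between the DOS header and e_lfanew
        "no_rich_header": b"Rich" not in data[0x40:e_lfanew],
    }


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_min_pe()
    for name, value in check_pe(data).items():
        print(f"{name}: {value}")
```

An empty import table is the visible consequence of the API-hashing approach: nothing is imported at load time, so every Windows API the sample uses must be located at runtime, which is why the workshop has you recover the hashing algorithm.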
String Decryption: https://www.youtube.com/watch?v=DxRJKKPmIxQ
```bash
sudo apt install git-lfs
git clone https://github.com/c3rb3ru5d3d53c/reworkshop.git
cd reworkshop/
```
1. Download `solutions/samples.zip`
2. Copy `samples.zip` to your VM (with internet)
3. In your Windows and Remnux VMs, extract `samples.zip` (password is `infected`)
4. Open `stealer.exe` with x64dbg (32-bit)
5. In the Remnux VM, create a new Ghidra project and import `stealer.exe`
6. In the Remnux VM with Ghidra, import the `.h` files from the `include/` directory
7. Write a string decryptor in Python
8. Write the API hashing algorithm in Python

NOTE: Steps 7 and 8 can be done in either order.
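For step 8, the hashing routine itself has to be recovered from the disassembly of `stealer.exe`; the page does not state which algorithm the sample uses. As an added example (not the workshop's solution), the Python below implements the general workflow with ROR13 as an assumed, well-known hash: compute the hash over every export name of a DLL, build a reverse lookup table, and resolve the constants found in the binary back to API names. The `KERNEL32_EXPORTS` list is a constructed subset; on a real sample you would replace `ror13_hash` with the algorithm lifted from Ghidra and feed in the full export list of each DLL the sample walks.

```python
# Assumed hash: ROR13 over the ASCII function name (the classic Metasploit variant).
# Replace ror13_hash() with the algorithm recovered from stealer.exe in Ghidra.

def ror32(value, count):
    """Rotate a 32-bit value right by count bits."""
    value &= 0xFFFFFFFF
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror13_hash(name):
    """ROR13 hash: for each byte, rotate the accumulator right by 13 then add the byte."""
    h = 0
    for c in name.encode("ascii"):
        h = (ror32(h, 13) + c) & 0xFFFFFFFF
    return h


def build_hash_table(export_names, hash_fn=ror13_hash):
    """Map hash -> export name, failing loudly on collisions (two names, one hash)."""
    table = {}
    for name in export_names:
        h = hash_fn(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]} and {name} -> {h:#010x}")
        table[h] = name
    return table


def resolve(hash_value, table):
    """Return the API name for a hash constant pulled from the binary, or None."""
    return table.get(hash_value & 0xFFFFFFFF)


# Constructed subset of kernel32.dll export names for the offline demo.
KERNEL32_EXPORTS = [
    "LoadLibraryA",
    "GetProcAddress",
    "VirtualAlloc",
    "VirtualProtect",
    "CreateFileA",
    "WriteFile",
    "ExitProcess",
]


def resolve_all(hash_values, export_names=KERNEL32_EXPORTS, hash_fn=ror13_hash):
    """Resolve a list of hash constants (as found in the sample) to names in one pass."""
    table = build_hash_table(export_names, hash_fn)
    return {h: resolve(h, table) for h in hash_values}


if __name__ == "__main__":
    # Simulate constants an analyst copied out of the disassembly
    found = [ror13_hash("LoadLibraryA"), ror13_hash("VirtualAlloc"), 0xDEADBEEF]
    for h, name in resolve_all(found).items():
        print(f"{h:#010x} -> {name}")
```

Two practical points: hash the name exactly as the sample does (some variants hash the uppercased DLL name as UTF-16 first, or include the terminating NUL), since any deviation yields no matches; and verify the reimplementation against one constant you can confirm in x64dbg by breaking on the resolver and watching which export it returns.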