Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/JLospinoso/gargoyle

A memory scanning evasion technique
https://github.com/JLospinoso/gargoyle

assembly memory-analysis pic rop-gadgets security x86

Last synced: about 1 month ago
JSON representation

A memory scanning evasion technique

Host: GitHub
URL: https://github.com/JLospinoso/gargoyle
Owner: JLospinoso
License: agpl-3.0
Created: 2017-03-04T02:16:52.000Z (over 7 years ago)
Default Branch: master
Last Pushed: 2017-05-24T00:23:54.000Z (over 7 years ago)
Last Synced: 2024-04-12T19:38:57.113Z (5 months ago)
Topics: assembly, memory-analysis, pic, rop-gadgets, security, x86
Language: C++
Homepage: https://jlospinoso.github.io/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html
Size: 979 KB
Stars: 803
Watchers: 28
Forks: 112
Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

awesome-hacking-lists - JLospinoso/gargoyle - A memory scanning evasion technique (C++)

README

![gargoyle title](https://github.com/JLospinoso/gargoyle/raw/master/title.png)

![gargoyle infographic](https://github.com/JLospinoso/gargoyle/raw/master/infographic.png)

# Building gargoyle

*gargoyle* is only implemented for 32-bit Windows (64-bit Windows on Windows is fine). You must have the following installed:

* [Visual Studio](https://www.visualstudio.com/downloads/): 2017 Community is tested, but it may work for other versions.
* [Netwide Assembler](http://www.nasm.us/pub/nasm/releasebuilds/?C=M;O=D) v2.12.02 x64 is tested, but it may work for other versions. Make sure `nasm.exe` is on your path.

Clone *gargoyle*:

```sh
git clone https://github.com/JLospinoso/gargoyle.git
```

Open `Gargoyle.sln`, build, and run. There is some harness code in `main.cpp` that configures the following three components:

* *gargoyle* stack trampoline, stack, and configuration (read/write memory on the heap)
* *gargoyle* position independent code (PIC) that receives the ROP gadget/stack trampoline and runs arbitrary code
* A ROP gadget. If you have `mshtml.dll`, *gargoyle* will load it into memory and use it. If it is not available, you will have to tell *gargoyle* to allocate its own (3-byte) ROP gadget on the heap:

```cpp
// main.cpp
auto use_mshtml{ true };
auto gadget_memory = get_gadget(use_mshtml, gadget_pic_path);
```

Every 15 seconds, gargoyle will pop up a message box. When you click ok, gargoyle sets up the tail calls to mark itself non-executable and to wait for the timer. For fun, use [Sysinternals's excellent VMMap tool](https://technet.microsoft.com/en-us/sysinternals/vmmap.aspx) to examine when *gargoyle*'s PIC is executable. If a message box is active, *gargoyle* will be executable. If it is not, *gargoyle* should not be executable. The PIC's address is printed to `stdout` just before the harness calls into the PIC.

# More information
See the blog post [available at lospi.net](https://jlospinoso.github.io/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html) for more information.

Also feel free to hop on gitter: [![Join the chat at https://gitter.im/grgyl/Lobby](https://badges.gitter.im/grgyl/Lobby.svg)](https://gitter.im/grgyl/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)