Commit 04f967a

Update image uris
1 parent 976a833 commit 04f967a

1 file changed

Lines changed: 2 additions & 2 deletions

Readme.md

@@ -14,7 +14,7 @@ FormCrypt is a tool for encrypting strings in your C code. The string will be hi
1414
### Technical Info
1515
FormBook used encrypted buffers known as 'enc_bufs' to hide its strings. These buffers attempted to masquerade as functions by pre-pending a function prologue at the beginning of the buffer. When this data is viewed in a disassembler, a function prologue will appear. At first glance, it will appear to be a function. If looked at closer, the 'function' can quickly turn to garble.
1616

17-
![FormBook Function Prolog](/images/formbook_fake_function_prologue.png)
17+
![FormBook Function Prolog](https://github.com/wizardy0ga/FormCrypt/blob/master/images/formbook_fake_function_prologue.png)
1818
###### Image sourced from Arbor Networks
1919

2020
Further reading about FormBook can be found in this [stormshield](https://www.stormshield.com/news/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/) article or in this article from [arbor networks](https://www.netscout.com/blog/asert/formidable-formbook-form-grabber).
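Review bot: the new link on the `formbook_fake_function_prologue.png` line points at a `github.com/.../blob/master/...` URL, which serves GitHub's HTML file view rather than the image bytes, so the image may not render when this Readme is displayed anywhere other than GitHub's own renderer. Consider appending `?raw=true` to the URL or linking to the raw file instead. Hard-coding the owner and repository name also means forks and mirrors of this Readme will load the image from the upstream repository rather than from their own copy.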
@@ -44,7 +44,7 @@ This is the **NEW_BUFFER** macro. When called, the macro will inject the functio
4444
In the examples below, the string **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run** has been hidden in an encrypted buffer generated with the FormCrypt utility.
4545
4646
###### x64 Encrypted Buffer Disassembly
47-
![x64 Demo Buffer](/images/x64_buffer_disasm.png)
47+
![x64 Demo Buffer](https://github.com/wizardy0ga/FormCrypt/blob/master/images/x64_buffer_disasm.png)
4848
4949
###### x64 Encrypted Buffer Memory Dump
5050
![x64 Buffer Dump (Encrypted)](/images/x64_buffer_encrypted_dump.png)
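Review bot: the context line `![x64 Buffer Dump (Encrypted)](/images/x64_buffer_encrypted_dump.png)` directly below the changed x64 disassembly link still uses the root-relative `/images/...` path that this commit replaces for the other two images, so if that form was the reason for the change, this image is left in the old state. It should be updated in the same commit so the Readme uses one form throughout. The new URL on the `x64_buffer_disasm.png` line is also tied to the `master` branch name, so it will follow later changes to the image and break if the branch is renamed; a path relative to the Readme avoids both.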
