Limitations:
- does not support DLLs or .NET executables
- does not support multi-encryption (crypting a file that is already crypted)
- does not compress the executable (no size reduction)
How does Escargot work?
1. open the file
2. verify that it is a 32-bit PE, that it is not a DLL, and that it is not already crypted with Escargot
3. collect addresses in the headers (MZ header, PE header and PE section table)
4. collect other data from the headers (number of sections, section alignment, file alignment, Image Base, Entry Point, RVA of the Import Table)
5. collect data from the first section (offset, RVA, size, virtual size)
6. modify the existing sections in the section table (names, characteristics)
7. add a new section if there is sufficient space
8. modify the headers (SizeOfCode, BaseOfCode, SizeOfHeaders, AddressOfEntryPoint)
9. modify the directories (RVA/size of the new IT/IAT, RVA/size of the Load Configuration Directory, and set the Bound Import Directory to zero)
10. put the loader in memory
11. adjust the loader's values (EntryPoint)
12. crypt the image
13. close the file
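As an added illustration (not Escargot's own code), the following Python inspector reads the header fields that steps 2-5 and 8-9 work with and reports whether the entry point has been redirected out of the original code section, which is the trace an appended loader section leaves behind. The field names, the `build_sample_pe` helper and its headers-only constructed image are assumptions of this example, not part of the tool.

```python
import struct

PE32_MAGIC, IMAGE_FILE_DLL, DIR_IMPORT, DIR_LOADCFG, DIR_BOUND, DIR_CLR = 0x10B, 0x2000, 1, 10, 11, 14

def inspect_pe(data):
    """Read the header fields named in steps 2-5 and 8-9 and flag what an appended loader leaves behind."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew: offset of the PE header
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)   # COFF header
    opt = pe + 24                                                  # optional header follows the COFF header
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("not a 32-bit (PE32) image")
    size_of_code, _, _, entry, base_of_code, _, image_base, sect_align, file_align = \
        struct.unpack_from("<9I", data, opt + 4)
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    directory = lambda i: struct.unpack_from("<II", data, opt + 96 + 8 * i)   # (RVA, size) of a data directory
    sections = []
    for i in range(nsec):                                          # section table follows the optional header
        off = opt + opt_size + 40 * i
        name, vsize, rva, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"), "rva": rva, "vsize": vsize,
                         "rawsize": rawsize, "rawptr": rawptr, "flags": struct.unpack_from("<I", data, off + 36)[0]})
    def owner(rva):                                                # name of the section containing an RVA
        return next((s["name"] for s in sections if s["rva"] <= rva < s["rva"] + max(s["vsize"], s["rawsize"])), None)
    return {"is_dll": bool(chars & IMAGE_FILE_DLL), "is_dotnet": directory(DIR_CLR) != (0, 0),
            "image_base": image_base, "sect_align": sect_align, "file_align": file_align,
            "size_of_code": size_of_code, "base_of_code": base_of_code, "size_of_headers": size_of_headers,
            "entry_point": entry, "entry_section": owner(entry), "code_section": owner(base_of_code),
            "import_dir": directory(DIR_IMPORT), "loadcfg_dir": directory(DIR_LOADCFG),
            "bound_import_dir": directory(DIR_BOUND), "sections": sections,
            # entry point redirected into a section other than the original code section: the loader stub
            "entry_outside_code": owner(entry) != owner(base_of_code)}

def build_sample_pe(entry, sections, chars=0x0102):
    """Constructed, headers-only PE32 image to exercise inspect_pe; not a runnable binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, chars)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    # SizeOfCode, init/uninit data, AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase, alignments
    struct.pack_into("<9I", opt, 4, 0x1000, 0, 0, entry, sections[0][1], 0, 0x400000, 0x1000, 0x200)
    struct.pack_into("<I", opt, 60, 0x200)                         # SizeOfHeaders
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, rva, rs, rp, 0, 0, 0, 0, fl)
                     for n, rva, vs, rs, rp, fl in sections)       # (name, RVA, VirtualSize, raw size, raw ptr, flags)
    return (dos + coff + bytes(opt) + table).ljust(0x200, b"\0")
```

Run `inspect_pe(open(path, "rb").read())` on a real file; `entry_outside_code` is a heuristic only, since legitimate linkers can also place the entry point outside the first code section.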
Loader:
1. install a SEH
2. simple anti-debug check (IsDebuggerPresent); if a debugger is detected, DESTROY THE FILE
3. decrypt the image
4. load the original IT and then destroy it
5. remove the SEH