OpenRCE

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Created: Friday, June 29 2007 09:43.02 CDT

Modified: Friday, June 29 2007 09:46.41 CDT

Printer Friendly ...

How to launch an executable...

Author: dennis

# Views: 12145

...without creating it on disk. Ever wondered how to do that?
So did I. So I've taken apart an interesting executable crypter that
I found the other day. Not one of those crypters adding code/sections
to an existing PE file but one of those crypters that embed the "target"
executable as a resource into its loader code.

The technique is simple, yet interesting (for _various_ purposes).

1. launch a copy of the loader process in suspended mode.
2. get the context structure of the copy of the loader process.
3. retrieve the imagebase of the process by parsing its PEB structure (ebx at process start!).
4. free all the data belonging to the process by calling ZwUnmapViewOfSection and passing it the imagebase.
5. get the SizeOfImage value of the embedded executable from its PE header.
6. allocate a new block of memory starting at the imagebase with the size of the SizeOfImage value.
7. copy all the headers (pe header, section header etc.) to the allocated block of memory.
8. copy each section of the embedded executable to the allocated block of memory, setting their memory protection according to their section characteristics.
9. the imagebase in the PEB of the process has to patched to equal the address of the allocated block of memory
10. set eax of the process to point to the entrypoint of the process
11. resume the process, if all went well.

For a better understanding, have a look at the disassembly.

Blog Comments

halsten	Posted: Friday, June 29 2007 09:51.40 CDT
Thanks for sharing the information.

jms	Posted: Friday, June 29 2007 11:38.33 CDT
Righteous, this looks interesting.

RolfRolles	Posted: Friday, June 29 2007 20:01.22 CDT
Thanks Dennis, solid information.

Piotr

Posted: Saturday, June 30 2007 01:41.44 CDT

Hey,

My memory may be wrong, but i guess i saw similiar thing in one of the FI challenge crackmes, few years ago, in that case they were messing in similiar way with svchost.exe if i remember correctly :)

cheers!

4F 6E 20 6B 6F 6C 6D 65-6E 6C 61 69 73 69 61 20 "On kolmenlaisia "
69 68 6D 69 73 69 E4 2C-20 6E 69 69 74 E4 20 6A "ihmisi�, niit� j"
6F 74 6B 61 20 6F 76 61-74 20 6D 61 74 65 6D 61 "otka ovat matema"
61 74 74 69 73 65 73 74-69 20 6C 61 68 6A 61 6B "attisesti lahjak"
6B 61 69 74 61 20 6A 61-20 6E 69 69 74 E4 2C 20 "kaita ja niit�, "
6A 6F 74 6B 61 20 65 69-76 E4 74 20 6F 6C 65 2E "jotka eiv�t ole."

skape	Posted: Saturday, June 30 2007 01:55.18 CDT
We integrated support for this type of process execution in Metasploit's Meterpreter at one point. It works in pretty much the exact same manner as what you described :) If anyone is curious to see an implementation, take a peek here: http://www.metasploit.com/dev/trac/browser/framework3/trunk/external/source/meterpreter/source/extensions/stdapi/server/sys/process/in-mem-exe.c

frankboldewin	Posted: Saturday, June 30 2007 05:21.43 CDT
thanx for sharing this information dennis. the rustock.b rootkit i've analyzed did something similar after its last stage of decryption.

dennis

Posted: Saturday, June 30 2007 05:33.32 CDT

It's actually good to know this technique is being used here and there already. What I have seen so far were programs launching legitimate windows processes (suspended), then simply overwriting its process space and setting the eip using SetThreadContext(). I pretty much liked the technique used here as it seems to do its work in a pretty clean and straight forward way (altho relying on undocumented structures).

Veritas	Posted: Saturday, June 30 2007 10:24.28 CDT
This technique is old, but nevertheless quite effective against many AVs. See this PoC from 2004: http://www.security.org.sg/code/loadexe.html

mugg	Posted: Sunday, July 1 2007 01:44.20 CDT
Sneaky. What is at sub_401EF8 in the first function listed in the disas? Everything in the deadlisting is around 402xxx.

dennis Posted: Sunday, July 1 2007 04:41.28 CDT



sub_401EF8  proc near   ; CODE XREF: launch_image_in_memory+18p

                        ; launch_image_in_memory+20p ...

    test	eax, eax

    jz	short locret_401F05



    mov	edx, [eax-8]

    inc	edx

    jle	short locret_401F05



    inc	dword ptr [eax-8]





locret_401F05:          ; CODE XREF: sub_401EF8+2j

                        ; sub_401EF8+8j

    retn



sub_401EF8	endp

In case you want to have a look at the crypter, google for
"fearz crypter" (I was having a look at fearz crypter 1.0 beta 1).

There are 31,314 total registered users.

Recently Created Topics
[help] Unpacking VMP...	Mar/12
Reverse Engineering ...	Jul/06
hi!	Jul/01
let 'IDAPython' impo...	Sep/24
set 'IDAPython' as t...	Sep/24
GuessType return une...	Sep/20
About retrieving the...	Sep/07
How to find specific...	Aug/15
How to get data depe...	Jul/07
Identify RVA data in...	May/06

Recent Forum Posts
Finding the procedur...	rolEYder
Question about debbu...	rolEYder
Identify RVA data in...	sohlow
let 'IDAPython' impo...	sohlow
How to find specific...	hackgreti
Problem with ollydbg	sh3dow
How can I write olly...	sh3dow
New LoadMAP plugin v...	mefisto...
Intel pin in loaded ...	djnemo
OOP_RE tool available?	Bl4ckm4n

Recent Blog Entries
	halsten	Mar/14
Breaking IonCUBE VM
	oleavr	Oct/24
Anatomy of a code tracer
	hasherezade	Sep/24
IAT Patcher - new tool for ...
	oleavr	Aug/27
CryptoShark: code tracer ba...
	oleavr	Jun/25
Build a debugger in 5 minutes
More ...

Recent Blog Comments
	nieo on:	Mar/22
IAT Patcher - new tool for ...
	djnemo on:	Nov/17
Kernel debugger vs user mod...
	acel on:	Nov/14
Kernel debugger vs user mod...
	pedram on:	Dec/21
frida.github.io: scriptable...
	capadleman on:	Jun/19
Using NtCreateThreadEx for ...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit