

Created: Friday, June 29 2007 09:43.02 CDT Modified: Friday, June 29 2007 09:46.41 CDT
How to launch an executable...
Author: dennis

...without creating it on disk. Ever wondered how to do that?
So did I. So I've taken apart an interesting executable crypter that
I found the other day. Not one of those crypters adding code/sections
to an existing PE file but one of those crypters that embed the "target"
executable as a resource into its loader code.

The technique is simple, yet interesting (for _various_ purposes).

1. Launch a copy of the loader process in suspended mode.
2. Get the context structure of the suspended copy of the loader process.
3. Retrieve the imagebase of the process by parsing its PEB structure (ebx points to the PEB at process start!).
4. Free all the data belonging to the process by calling ZwUnmapViewOfSection and passing it the imagebase.
5. Get the SizeOfImage value of the embedded executable from its PE header.
6. Allocate a new block of memory starting at the imagebase with the size of the SizeOfImage value.
7. Copy all the headers (PE header, section headers etc.) to the allocated block of memory.
8. Copy each section of the embedded executable to the allocated block of memory, setting its memory protection according to its section characteristics.
9. Patch the imagebase in the PEB of the process to equal the address of the allocated block of memory.
10. Set eax of the process to point to the entrypoint of the embedded executable.
11. Resume the process, if all went well.

For a better understanding, have a look at the disassembly.
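The headers the loader copies in steps 5 to 8 are also what an incident responder compares to spot a process that was hollowed this way. The following Python is an added example, not code from this post or from the crypter it takes apart: it parses the PE headers found at the PEB imagebase, compares them to the executable on disk, and flags the region type, since a region freed with ZwUnmapViewOfSection and re-allocated shows up as MEM_PRIVATE rather than MEM_IMAGE. build_pe, LEGIT and HOLLOWED are constructed sample inputs; a live check would feed it the results of VirtualQueryEx and ReadProcessMemory instead.

```python
import struct
# MEMORY_BASIC_INFORMATION.Type values from the Windows SDK
MEM_IMAGE = 0x1000000
MEM_PRIVATE = 0x20000

def parse_pe(buf):
    """Return (SizeOfImage, AddressOfEntryPoint, [(name, VirtualAddress, Characteristics)])
    from a PE32/PE32+ header blob, whether read from disk or out of a live process."""
    if buf[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections, _, _, _, size_opt = struct.unpack_from("<HIIIH", buf, e_lfanew + 6)
    opt = e_lfanew + 24                              # optional header follows the 20-byte file header
    entry, size_of_image = struct.unpack_from("<I36xI", buf, opt + 16)
    sections = []
    for i in range(num_sections):                    # 40-byte IMAGE_SECTION_HEADER entries
        name, _, va, *_, chars = struct.unpack_from("<8sIIIIIIHHI", buf, opt + size_opt + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, chars))
    return size_of_image, entry, sections

def hollowing_indicators(region_type, disk_headers, memory_headers):
    """Signals that the image at the PEB ImageBase is not the executable the process was started from.
    region_type is the Type of the region at ImageBase (VirtualQueryEx); the header blobs are read
    from the file on disk and from the process (ReadProcessMemory) respectively."""
    findings = []
    if region_type != MEM_IMAGE:                     # unmap + VirtualAllocEx leaves MEM_PRIVATE, not MEM_IMAGE
        findings.append("imagebase region is not a MEM_IMAGE section mapping")
    d_size, d_entry, d_secs = parse_pe(disk_headers)
    m_size, m_entry, m_secs = parse_pe(memory_headers)
    if d_size != m_size:
        findings.append(f"SizeOfImage differs: disk {d_size:#x} vs memory {m_size:#x}")
    if d_entry != m_entry:
        findings.append(f"AddressOfEntryPoint differs: disk {d_entry:#x} vs memory {m_entry:#x}")
    if d_secs != m_secs:
        findings.append("section table differs")
    return findings

def build_pe(entry, size_of_image, sections):
    """Constructed minimal PE32 header blob used as sample input (hypothetical, not a real binary)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    file_hdr = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H14xI36xI", 0x10B, entry, size_of_image).ljust(224, b"\0")   # PE32 magic
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), 0, va, 0, 0, 0, 0, 0, 0, c) for n, va, c in sections)
    return dos + file_hdr + opt + secs

# Constructed sample: what the loader was started from on disk vs. what sits at the imagebase afterwards
LEGIT = build_pe(0x1000, 0x6000, [(".text", 0x1000, 0x60000020), (".data", 0x3000, 0xC0000040)])
HOLLOWED = build_pe(0x2340, 0xA000, [(".text", 0x1000, 0xE0000020), (".rsrc", 0x8000, 0x40000040)])
```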


Blog Comments
halsten Posted: Friday, June 29 2007 09:51.40 CDT
Thanks for sharing the information.

jms Posted: Friday, June 29 2007 11:38.33 CDT
Righteous, this looks interesting.

RolfRolles Posted: Friday, June 29 2007 20:01.22 CDT
Thanks Dennis, solid information.

Piotr Posted: Saturday, June 30 2007 01:41.44 CDT
Hey,

My memory may be wrong, but I guess I saw a similar thing in one of the FI challenge crackmes, a few years ago; in that case they were messing in a similar way with svchost.exe if I remember correctly :)

cheers!

4F 6E 20 6B 6F 6C 6D 65-6E 6C 61 69 73 69 61 20 "On kolmenlaisia "
69 68 6D 69 73 69 E4 2C-20 6E 69 69 74 E4 20 6A "ihmisiä, niitä j"
6F 74 6B 61 20 6F 76 61-74 20 6D 61 74 65 6D 61 "otka ovat matema"
61 74 74 69 73 65 73 74-69 20 6C 61 68 6A 61 6B "attisesti lahjak"
6B 61 69 74 61 20 6A 61-20 6E 69 69 74 E4 2C 20 "kaita ja niitä, "
6A 6F 74 6B 61 20 65 69-76 E4 74 20 6F 6C 65 2E "jotka eivät ole."

skape Posted: Saturday, June 30 2007 01:55.18 CDT
We integrated support for this type of process execution in Metasploit's Meterpreter at one point.  It works in pretty much the exact same manner as what you described :)

If anyone is curious to see an implementation, take a peek here:

http://www.metasploit.com/dev/trac/browser/framework3/trunk/external/source/meterpreter/source/extensions/stdapi/server/sys/process/in-mem-exe.c

frankboldewin Posted: Saturday, June 30 2007 05:21.43 CDT
thanx for sharing this information dennis.

the rustock.b rootkit I've analyzed did something similar after its last stage of decryption.

dennis Posted: Saturday, June 30 2007 05:33.32 CDT
It's actually good to know this technique is being used here and there already. What I have seen so far were programs launching legitimate Windows processes (suspended), then simply overwriting their process space and setting eip using SetThreadContext(). I pretty much liked the technique used here as it seems to do its work in a pretty clean and straightforward way (although relying on undocumented structures).

Veritas Posted: Saturday, June 30 2007 10:24.28 CDT
This technique is old, but nevertheless quite effective against many AVs.

See this PoC from 2004:
http://www.security.org.sg/code/loadexe.html

mugg Posted: Sunday, July 1 2007 01:44.20 CDT
Sneaky.

What is at sub_401EF8 in the first function listed in the disas? Everything in the deadlisting is around 402xxx.

dennis Posted: Sunday, July 1 2007 04:41.28 CDT

sub_401EF8  proc near   ; CODE XREF: launch_image_in_memory+18p
                        ; launch_image_in_memory+20p ...
    test eax, eax
    jz short locret_401F05

    mov edx, [eax-8]
    inc edx
    jle short locret_401F05

    inc dword ptr [eax-8]


locret_401F05:          ; CODE XREF: sub_401EF8+2j
                        ; sub_401EF8+8j
    retn

sub_401EF8 endp


In case you want to have a look at the crypter, google for
"fearz crypter" (I was having a look at fearz crypter 1.0 beta 1).


