Flag: Tornado!
Hurricane!
|
|
Topic created on: January 31, 2013 05:21 CST by legola  .
Hi guys, i hava a problem. I'm analyzing a malware who goes to exploits office vulnerabilities to exec a backdoor on target. The payload is embedded in document as xored hex encoded ascii string. I have retrevied key for dexor this xored hex ascii and i can successfully view the magic "MZ" of original trojan payload as ascii string (i can save also in pure hex). The problem is that the structure i retrievied is not recognized as a valid PE format. Someone can give me an hand ? Is there some tool to generate a valid PE / exe from pure HEX or from the ascii? Where am i in wrong ? Thanks
I'd use other a HexEditor or NASM.
010 Editor is really good for this kind of stuff.
If you drop the hex data you've got I would like to help you
|
|
codeinject, if you give me a contact, a will send you hex data.
|
Hi. It's possibile now to download hex data here:
http://www.4shared.com/rar/7axoz3_e/output.html (psw: infected)
If you ll translate to ASCII text, you will see a simil PE structure but it's not recognized as valid. Thannks for help.
|
|
Someone who will help? Anyone else? is important to me. are three days that shake my head :(
|
Hi guys, if you have problems with the link above you can download hex data from here if you want:
http://www.2shared.com/complete/zbyVWXUB/output.html (pwd: infected)
Thanks for helps.
|
Hi legola, in attach a valide pe file extracted.
ompldr.org/vaGIwNA
as usual passwd: infected
|
> legola: codeinject, if you give me a contact, a will send you hex data.
Next time, check my profile it contains my email addr.
|
your hex dump is a valid PE exe after filename ...
PE signature found
File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
14C machine (x86)
5 number of sections
509B8C9A time date stamp Thu Nov 08 11:42:34 2012
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
10E characteristics
Executable
Line numbers stripped
Symbols stripped
32 bit word machine
OPTIONAL HEADER VALUES
10B magic # (PE32)
5.12 linker version
19E00 size of code
68A00 size of initialized data
0 size of uninitialized data
118A4 entry point (004118A4)
1000 base of code
1B000 base of data
400000 image base (00400000 to 00484FFF)
1000 section alignment
200 file alignment
4.00 operating system version
0.00 image version
4.00 subsystem version
0 Win32 version
85000 size of image
400 size of headers
0 checksum
2 subsystem (Windows GUI)
0 DLL characteristics
100000 size of stack reserve
1000 size of stack commit
100000 size of heap reserve
1000 size of heap commit
0 loader flags
10 number of directories
0 [ 0] RVA [size] of Export Directory
1A60C [ 3C] RVA [size] of Import Directory
0 [ 0] RVA [size] of Resource Directory
0 [ 0] RVA [size] of Exception Directory
0 [ 0] RVA [size] of Certificates Directory
20000 [ 3460] RVA [size] of Base Relocation Directory
0 [ 0] RVA [size] of Debug Directory
0 [ 0] RVA [size] of Architecture Directory
0 [ 0] RVA [size] of Global Pointer Directory
0 [ 0] RVA [size] of Thread Storage Directory
0 [ 0] RVA [size] of Load Configuration Directory
0 [ 0] RVA [size] of Bound Import Directory
1000 [ 120] RVA [size] of Import Address Table Directory
0 [ 0] RVA [size] of Delay Import Directory
0 [ 0] RVA [size] of COM Descriptor Directory
0 [ 0] RVA [size] of Reserved Directory
SECTION HEADER #1
.text name
19C78 virtual size
1000 virtual address (00401000 to 0041AC77)
19E00 size of raw data
400 file pointer to raw data (00000400 to 0001A1FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
C0000020 flags
Code
Read Write
SECTION HEADER #2
.data name
3AA8 virtual size
1B000 virtual address (0041B000 to 0041EAA7)
2000 size of raw data
1A200 file pointer to raw data (0001A200 to 0001C1FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
C0000040 flags
Initialized Data
Read Write
SECTION HEADER #3
.sxdata name
A4 virtual size
1F000 virtual address (0041F000 to 0041F0A3)
200 size of raw data
1C200 file pointer to raw data (0001C200 to 0001C3FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
C0000240 flags
Initialized Data
Info
Read Write
SECTION HEADER #4
.reloc name
3B6E virtual size
20000 virtual address (00420000 to 00423B6D)
3C00 size of raw data
1C400 file pointer to raw data (0001C400 to 0001FFFF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
42000040 flags
Initialized Data
Discardable
Read Only
SECTION HEADER #5
.idata name
61000 virtual size
24000 virtual address (00424000 to 00484FFF)
60600 size of raw data
20000 file pointer to raw data (00020000 to 000805FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
40000040 flags
Initialized Data
Read Only
Summary
4000 .data
61000 .idata
4000 .reloc
1000 .sxdata
1A000 .text
|
|
Hi guys, there is something that i can't understand.What was the process that you performed to retrieve the executable? From hex, i tried to retrieve a valid PE (converting in ASCII) but software like CFF (and others) fail to recognize a valid PE. Why ? What process have you adopted ?
|
> legola: Hi guys, there is something that i can\'t understand.What was the process that you performed to retrieve the executable? From hex, i tried to retrieve a valid PE (converting in ASCII) but software like CFF (and others) fail to recognize a valid PE. Why ? What process have you adopted ?
i've used python binascii and http://hooked-on-mnemonics.blogspot.it/2013/01/pe-carvpy.html
|
Hi gN3mes1s, have you used binascii and pe-carv starting form my hex data ? If i understand...
Hex -> ASCII -> PE-CARV - EXE
Correct ?
|
|
Nothing to do. This file to me seems cursed. gN3mes1s I tried to save the file in ascii and use pe-carv.py but does not work (can not save the exe...it say nothing. On others bin it works). At this point, you may offer two lines of python code that you used to generate the file to submit to pe-carv.py ? thank you very much
|
that output.txt is a valid pe file it just has its filename msmx21.exe prepended to it
00401000 >6D 73 6D 78 32 31 2E 65 78 65 00 4D 5A 90 00 03 msmx21.exe.MZ�.�
00401010 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 ...�...��..�....
00401020 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............
00401030 00
delete the name append a marker to the end and copypaste it as binary into a dummy debugggee that is big enouggh to hold the bytes inside ollydbg
select the bytes from start to marker and right click backup save data to file
you got your exe
to make a big dummy exe
.386
.model flat, stdcall
option casemap:none
.code
start:
db 1100800 dup (0)
end start
use masm to compile and link it load the dummy.exe in ollydbg
copy output1.txt
paste as binary at 401000
select the bytes till marker
right click backup save data to file
|
> legola: Nothing to do. This file to me seems cursed. gN3mes1s I tried to save the file in ascii and use pe-carv.py but does not work (can not save the exe...it say nothing. On others bin it works). At this point, you may offer two lines of python code that you used to generate the file to submit to pe-carv.py ? thank you very much
Sure, here is it:
python2 shell; outputhex is your hexed stream, outputascii.txt as result
>>> import binascii
>>> f=open("outputhex", "r+")
>>> hx=f.read()
>>> ascii=binascii.a2b_hex(hx)
>>> outascii=open("outputascii.txt","r+")
>>> outascii.write(ascii)
and now in your terminal:
$ python2 pecarve.py outputascii.txt
* exe found at offset 0xb
$ ls -la 1.exe
-rw-r--r-- 1 nemesis users 525824 2 feb 09.13 1.exe
$ file 1.exe
1.exe: PE32 executable (GUI) Intel 80386, for MS Windows
PS: It seems you've dropped a file from redoctober campaign ;)
|
|
Hi gN3mes1s, i'm using pe-carve.py under Windows. It run without errors, but fails to retrieve a valid exe (it give me nothing, only a file named "pefile.pyc"). I used also your istruction. Nothing to do. I'm not understand very well operations the actions suggested in the post above by 'anonymouse'. Is there another way or somebody can explain me better please ?
|
ok, just delete the namefile in your outputascii.txt,as anonymouse said (that output.txt is a valid pe file it just has its filename msmx21.exe prepended to it
00401000 >6D 73 6D 78 32 31 2E 65 78 65 00 4D 5A 90 00 03 msmx21.exe.MZ�.�) and save file.
|
i dont know what you cant understand in my post
it is simple create a dummy exe load it in ollydbg
copypaste the output.txt as binary and save it :(
there are probably n number of ways to do it heck you could have coded an asciitohex in an hour including debugging it for errors
take this compile
put the output.txt in the same folder as the compiled exe and run you should get an output.exe all automatic
#include <stdio.h>
#include <Windows.h>
int main(void)
{
FILE * fp = NULL;
FILE * fpout = NULL;
errno_t err = NULL;
ULONG filesize = NULL;
char * Buff = NULL;
char * temp = NULL;
long e = NULL;
char hex[8] = {'0','x',0,0,0,0,0,0};
int exenamelen = 2*sizeof("msmx21.exe");
if (( err = fopen_s(&fp,"output.txt" , "rb")) != 0)
{
printf("cannot open file\n");
exit (FALSE);
}
printf("opened output.txt convert to output.exe\n");
fseek(fp,0,SEEK_END);
filesize = ftell(fp);
if (( Buff = (char *)malloc(filesize) ) == 0)
{
printf("cannot allocate memory\n");
fclose(fp);
exit(FALSE);
}
temp = Buff; // save it for later
memset(Buff,0,filesize);
fseek(fp,exenamelen,SEEK_SET); // skip the exe name 22 bytes
for (ULONG i= 0; i<(filesize-exenamelen);i++) // convert rest of file
{
hex[2] = fgetc(fp); // most significant byte
hex[3] = fgetc(fp); // least significant byte
e = strtol(hex,NULL,16); //take a pair of bytes
sprintf_s(Buff,2,"%c",e); // convert and save
Buff++;
}
fopen_s(&fpout,"output.exe","wb");
fwrite(temp,1,((filesize-exenamelen)/2),fpout); // the saved address of the
fclose(fpout);
fclose(fp);
free(temp); // buffer used as we have manipulated the buffer
printf("Success converted output.txt to output.exe\n");
return 0;
}
|
haahah poor anonymouse, nice work :D
anyway another method is:
>dd bs=11 skip=1 if=outputascii.txt of=trimmed.exe
dozen of method to trim the first 11 bytes
|
> gN3mes1s:
> >dd bs=11 skip=1 if=outputascii.txt of=trimmed.exe
that wont work dd will take 11 as 11 decimal which would be wrong you would need 22 and dd will still make the output as ascii not hex you need to take a pair and put it as single character
you may need awk strtonum something like that
|
yes like i posted dd wont do it
but sed and awk will
:\>type convert.bat
asciitohex
sed s/......................// output.txt | sed s/../"& "/g | gawk -v BINMODE=2
"{for(i=1;i<=NF;i++) printf \"%%c\", strtonum(\"0x\"$i)}" > output1.exe
fc output.exe output1.exe
:\>convert.bat
:\>asciitohex
opened output.txt for converting to output.exe
Success converted output.txt to output.exe
:\>sed s/......................// output.txt | sed s/../"& "/g | gawk -v BIN
MODE=2 "{for(i=1;i<=NF;i++) printf \"%c\", strtonum(\"0x\"$i)}" 1>output1.exe
:\>fc output.exe output1.exe
Comparing files output.exe and OUTPUT1.EXE
FC: no differences encountered
:\>
the first sed deltes 22 bytes from beginning of output.txt
the second sed splits the stream after every two bytes and inserts a space in between
so 4D5A will become 4D 5A and so on
so that we can use gawk on each record
and gawk takes each pair of bytes and converts it into a single charecter ie 4D 5A will become MZ
we need gawk and its BINMODE switch plain awk will make all 0A in 0d0a ie \LF to \CR\LF
done fc encountes no difference :)
|
|
Sorry guy. Finally done. Sorry but often a lose myself in a glass of water. I'm just at the beginning of rem, this may happen i think :( sorry again for disturb.
|
Note: Registration is required to post to the forums.
|
|
|
|
There are 31,313 total registered users.
|
|
![[+] expand](/imagery/files/soysauce_blueprint.gif){kind=link}