OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

Brainstorms - General: Merging Binary Code

Topic created on: March 7, 2007 16:50 CST by dotVoid.

I stumbled upon a problem and I would like to know your opinions. I have a closed-source executable and a binary file that contains code (no header etc.). I want to merge the code in the binary file and the executable, so the next time you run the executable, you'll run the binary code first and then continue to the original code.

I'm familiar with the old/common ways to "inject" code, but I need a clean method that won't look suspicious to anti-viruses.

My current solution is to do split-merge, but that's way too hard to accomplish.

EDIT: Recompiling and other nasty patching is not what I'm looking for.

fileoffset, March 7, 2007 17:39.29 CST
How long is the binary code? If it's short you could search for a data-cave inside the exe and patch your code in there. Then it's just a matter of modifying the EP in the PE header to point to the start of your code (and providing a jump back to the original EP at the end of your code).

If you can't find any data-caves large enough, one solution (if the code isn't too large) is to piggy-back your code through a series of smaller data-caves. I've used this before and it works well, simply by using the alignment bytes between functions...

This has the advantage of not modifying the original file-size.

MohammadHosein, March 7, 2007 18:36.20 CST
When the target is closed-source and you don't want to inject anything, the only solution is a patch. I would simply write a "Loader" for this matter, to arrange and fit the address space of the binary and place the evil code wherever it could/should be, but you should take care of this piece of code of yours for JMPs/CALLs etc., if there are any.

dotVoid, March 8, 2007 01:44.32 CST
The additional code is about 10KB. If I use the data-caves solution, I'm not sure I'll be able to place my code inside the host executable.

Did anyone try the split-merge method that was described in BlackHat 06?

By the way, MohammadHosein, the code isn't evil :)

anonymouse, March 8, 2007 11:19.43 CST
If you are talking about a PE file, and if the file was compiled normally (file align = 0x200 and section align = 0x1000), and if the author didn't fill it to the brim,

you can create lots and lots of caves by just dumping the process memory as an executable.

For example, if you use OllyDump on a simple MessageBox exe that's originally 2.5 KB, you can get a 16 KB executable that runs equally well and in addition get 13.5 KB of caves that you can use to your heart's content (if you have code that should be executable, put it in a read-only section and at runtime valloc, vprotect, read it and jump there).

You can check the last post in this thread:
http://www.woodmann.com/forum/showthread.php?t=7711&page=2&highlight=ollydump

Orr, March 12, 2007 02:49.00 CDT
What is the split-merge method?

dotVoid, March 12, 2007 13:41.35 CDT
Orr,

The best way to understand the split-merge method is to read William Kimball's presentation about LEVI, a code-integrated vulnerability auditing tool - BlackHat 06. I don't have the direct link.

fileoffset, March 12, 2007 18:28.01 CDT
Have you thought about putting your code into a .dll?

Then you can just do a LoadLibrary in a data cave...

Orr, March 13, 2007 01:41.07 CDT
dotVoid, and how is it different from Mistfall?

EDIT: Try using REVERT4 or any later version by z0mbie.

nezumi, March 23, 2007 07:19.43 CDT
Well, the best, most reliable and simplest way is to use a DLL, as you were told: convert your 10 KB of code into a DLL, add this DLL to the import table, and place the actual code in DllMain/DLL_PROCESS_ATTACH. The system loads the DLL and executes DllMain _before_ the OEP gets control. Anti-viruses will not mind. Even if the closed-source file is packed and has only a few items in the import table, it is always possible to add a new one, but! Keep in mind that protectors can check the integrity of the exe, so before passing control from the DLL to the OEP you _must_ restore the import table.
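A defender-side check for the tricks fileoffset and anonymouse describe above (entry point redirected into cave padding, and a process dump written back to disk with inflated sections), added here as an example and not code from the thread. It parses a PE header with nothing but `struct` and flags an entry point that lands in a section's on-disk padding past VirtualSize or in a non-executable section, plus a file whose raw section sizes are all rounded to SectionAlignment rather than FileAlignment; the images it checks are constructed headers, not real binaries, and the findings are heuristics, not proof of tampering.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
SEC_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def parse_pe(data):
    """Minimal PE header parser: entry-point RVA, alignments and section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                    # optional header follows the 20-byte file header
    ep = struct.unpack_from("<I", data, opt + 16)[0]       # AddressOfEntryPoint
    sect_align, file_align = struct.unpack_from("<II", data, opt + 32)
    secs = []
    for i in range(nsec):
        n, vs, va, rs, *_, ch = struct.unpack_from(SEC_FMT, data, opt + opt_size + 40 * i)
        secs.append(dict(name=n.rstrip(b"\0").decode(), vsize=vs, vaddr=va, rawsize=rs, chars=ch))
    return ep, sect_align, file_align, secs

def check_entry_point(data):
    """Heuristic findings for the entry-point and layout tricks discussed in the thread."""
    ep, sect_align, file_align, secs = parse_pe(data)
    home = next((s for s in secs if s["vaddr"] <= ep < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    if home is None:
        return ["entry point 0x%x lies outside every section" % ep]
    findings = []
    if not home["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry point in non-executable section %s" % home["name"])
    if ep >= home["vaddr"] + home["vsize"]:                # past VirtualSize: on-disk padding used as a cave
        findings.append("entry point in %s padding past VirtualSize (cave)" % home["name"])
    if sect_align > file_align and all(s["rawsize"] % sect_align == 0 for s in secs):
        findings.append("raw sizes aligned to SectionAlignment: layout consistent with a process dump")
    return findings

def build_pe(entry_rva, sections, file_align=0x200, sect_align=0x1000):
    """Constructed PE32 header (headers only, no code) so the checks run offline."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBB" + "I" * 9, 0x10B, 0, 0, 0, 0, 0, entry_rva, 0x1000, 0x2000, 0x400000, sect_align, file_align)
    opt += b"\0" * (224 - len(opt))
    tbl = b"".join(struct.pack(SEC_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, ch) for n, vs, va, rs, rp, ch in sections)
    return dos + b"PE\0\0" + file_hdr + opt + tbl

# Constructed layouts: .text has VirtualSize 0x650 but 0x800 bytes on disk (0x1B0 bytes of padding);
# DUMPED mimics a memory dump written back with every raw size rounded to SectionAlignment.
TEXT = (b".text", 0x650, 0x1000, 0x800, 0x400, 0x60000020)
RDATA = (b".rdata", 0x300, 0x2000, 0x400, 0xC00, 0x40000040)
DUMPED = [(b".text", 0x650, 0x1000, 0x1000, 0x1000, 0x60000020), (b".rdata", 0x300, 0x2000, 0x1000, 0x2000, 0x40000040)]
```

`check_entry_point(build_pe(0x1700, [TEXT, RDATA]))` reports the cave finding because 0x1700 sits in the 0x1650..0x1800 padding of .text; a clean entry point such as 0x1100 returns an empty list.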
