

Topic created on: March 15, 2007 07:40 CDT by stam321.
For example, an API call that looks like:
insert_instruction(long ea, char *instruction);
ea - where to add the instruction;
instruction - a string like "mov eax, ebx"
Any simple way to do something similar is also good.
Thx,
Stam
Firstly, no.
Secondly, that is a very non-trivial task :P
|
I know it's not trivial.
But I hoped :).
|
You may have some limited success if you try to insert it in functions that are bounded by alignment bytes that can be overwritten. The procedure would then be create a gap for the new instruction by shifting bytes. For the most part this should work as long as any relative jumps get fixed to account for the inserted instruction.
In any case, the most you might be able to get is one or two instructions in HLL compiled code with mixed success.
-nevar
|
An insertion of an instruction causes shifting all following instructions.
Then, all addresses referring to the following instructions should be recalculated.
If debugging information like pdb file exists, it may be possible. For example MS Vulcan binary rewriter does it though the tool is not available outside MS.
|
4514N does so (without a pdb or any other additional sh*t). This process is called integrating, and yes, it is not easy :)
All the references, jump/call locations need to be updated, or extended if we speak about short and long jumps. Then the whole PE structure needs to be correctly changed, bla bla...
In case u have missed the integrating video file:
http://piotrbania.com/all/4514N/demo.swf
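Added example, not code from this thread, from 4514N or from Vulcan: a toy Python rewriter that carries out the two fixups nevar and piotr describe when an instruction is inserted into a block. Later instructions shift, every relative branch that crosses the insertion point is recomputed, and a short jump whose displacement no longer fits in rel8 is widened to the long form (EB to E9, 7x to 0F 8x), which shifts everything again until the layout settles. The opcode subset, the `decode`/`insert`/`layout`/`rewrite` names and the constructed SMALL and BIG sample blocks are my own assumptions. Because branch targets are resolved to instruction indices first, a branch that lands in the middle of a decoded instruction is rejected instead of silently producing corrupt code.

```python
# Added example (not from the OpenRCE thread, 4514N or Vulcan): instruction insertion
# with relative-branch fixup on a tiny x86-32 opcode subset. A real tool needs a full
# disassembler and must also repair absolute references, tables and PE metadata.
from dataclasses import dataclass, replace
from typing import Optional

@dataclass
class Insn:
    raw: bytes                      # opcode bytes, without the branch displacement
    kind: str                       # "plain", "jmp8", "jcc8", "jmp32" or "jcc32"
    target: Optional[int] = None    # index of the target Insn (branches only)
    offset: int = 0                 # byte offset assigned by layout()

BRANCH_SIZE = {"jmp8": 2, "jcc8": 2, "jmp32": 5, "jcc32": 6}

def size(ins: Insn) -> int:
    return len(ins.raw) if ins.kind == "plain" else BRANCH_SIZE[ins.kind]

def _rel(code: bytes, pos: int, width: int) -> int:
    return int.from_bytes(code[pos:pos + width], "little", signed=True)

def decode(code: bytes) -> list:
    """Decode a block; branch targets become instruction indices so they survive shifting.
    A branch into the middle of an instruction is rejected: that is the case where a
    wrong disassembly would make blind byte shifting corrupt the code."""
    insns, index_at, pending, i = [], {}, [], 0
    while i < len(code):
        b, index_at[i] = code[i], len(insns)
        if b == 0xEB:                                        # JMP rel8
            pending.append((len(insns), i + 2 + _rel(code, i + 1, 1)))
            insns.append(Insn(bytes([b]), "jmp8")); i += 2
        elif 0x70 <= b <= 0x7F:                              # Jcc rel8
            pending.append((len(insns), i + 2 + _rel(code, i + 1, 1)))
            insns.append(Insn(bytes([b]), "jcc8")); i += 2
        elif b == 0xE9:                                      # JMP rel32
            pending.append((len(insns), i + 5 + _rel(code, i + 1, 4)))
            insns.append(Insn(bytes([b]), "jmp32")); i += 5
        elif b == 0x0F and 0x80 <= code[i + 1] <= 0x8F:      # Jcc rel32
            pending.append((len(insns), i + 6 + _rel(code, i + 2, 4)))
            insns.append(Insn(code[i:i + 2], "jcc32")); i += 6
        elif b == 0x89 and code[i + 1] >> 6 == 3:            # MOV r32, r32 (register form only)
            insns.append(Insn(code[i:i + 2], "plain")); i += 2
        elif b == 0x90 or 0x40 <= b <= 0x5F or b == 0xC3:    # NOP, INC/DEC, PUSH/POP, RET
            insns.append(Insn(bytes([b]), "plain")); i += 1
        else:
            raise ValueError(f"unsupported opcode {b:#04x} at offset {i}")
    index_at[len(code)] = len(insns)                         # allow a branch to the block end
    for src, tgt in pending:
        if tgt not in index_at:
            raise ValueError(f"branch at insn {src} lands mid-instruction (offset {tgt})")
        insns[src].target = index_at[tgt]
    return insns

def insert(insns: list, at: int, new_raw: bytes) -> list:
    """Return a new list with a plain instruction placed before insns[at]. Branches that
    targeted `at` now land on the inserted instruction (a check inserted at a block head
    runs on every entry); targets beyond it shift by one index."""
    out = ([replace(ins) for ins in insns[:at]] + [Insn(new_raw, "plain")]
           + [replace(ins) for ins in insns[at:]])
    for ins in out:
        if ins.target is not None and ins.target > at:
            ins.target += 1
    return out

def layout(insns: list) -> bytes:
    """Assign offsets, widen short branches whose displacement no longer fits rel8, and
    encode. Widening changes sizes, so repeat until no branch changes form."""
    while True:
        off = 0
        for ins in insns:
            ins.offset, off = off, off + size(ins)
        end = off
        def target_off(ins):
            return insns[ins.target].offset if ins.target < len(insns) else end
        changed = False
        for ins in insns:
            if ins.kind in ("jmp8", "jcc8") and not -128 <= target_off(ins) - (ins.offset + 2) <= 127:
                if ins.kind == "jmp8":
                    ins.kind, ins.raw = "jmp32", bytes([0xE9])               # EB rel8 -> E9 rel32
                else:
                    ins.kind, ins.raw = "jcc32", bytes([0x0F, ins.raw[0] + 0x10])  # 7x -> 0F 8x
                changed = True
        if not changed:
            break
    out = bytearray()
    for ins in insns:
        out += ins.raw
        if ins.kind != "plain":
            width = 1 if size(ins) == 2 else 4
            out += (target_off(ins) - (ins.offset + size(ins))).to_bytes(width, "little", signed=True)
    return bytes(out)

def rewrite(code: bytes, at: int, new_raw: bytes) -> bytes:
    return layout(insert(decode(code), at, new_raw))

# Constructed sample blocks (not from the thread):
#   push eax ; mov ebx, edx ; inc ecx ; jg -6 (back to push) ; jmp +1 ; nop ; ret
SMALL = bytes([0x50, 0x89, 0xD3, 0x41, 0x7F, 0xFA, 0xEB, 0x01, 0x90, 0xC3])
# Same shape with 124 NOPs before the jg, so its rel8 displacement sits at the -127 limit.
BIG = bytes([0x50]) + b"\x90" * 124 + bytes([0x7F, 0x81, 0xEB, 0x01, 0x90, 0xC3])

if __name__ == "__main__":
    print(rewrite(SMALL, 3, bytes([0x41])).hex(" "))      # jg displacement FA becomes F9
    print(rewrite(BIG, 1, bytes([0x89, 0xD3])).hex(" "))  # jg widened to 0F 8F rel32
```

Inserting a second `inc ecx` into SMALL only changes the backward `jg` displacement; inserting two bytes into BIG pushes that displacement to -129, so the branch is rewritten as `0F 8F` with a 32-bit displacement and every instruction after it moves again. Decoding the rewritten block and laying it out a second time reproduces the same bytes, which is the consistency check a rewriter should run before writing anything back.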
|
I agree with piotr on some points.
I've also tried injecting redundant instructions for obfuscation. In small examples like calculator or notepad, code injection was successful like 4514N.
But code injection is unsafe when disassembly is incorrect or some part of address identification is incorrect or missing.
I mentioned pdb file because pdb file assures us correct code injection. And in MS case, IDAPro gets symbol information from MS symbol server. :)
|
Of course man, but I have also tried larger stuff like Windows network drivers etc. etc. 4514N can be used together with IDA disassembly, and if you know what you are doing everything will work correctly :)
|
When will you release 4514N? It seems great!
Can you release what you got already?
Even the assembler code alone will be great :)
thx,
stam
|
> stam321: When will you release 4514N? It seems great!
> Can you release what you got already?
> Even the assembler code alone will be great :)
>
> thx,
> stam
The answer for your question has already been posted :)
Look last 3 posts here: http://www.openrce.org/blog/view/664/Boring._Boring.
cheers
|
> stam321: For example, an API call that looks like:
>
> insert_instruction(long ea, char *instruction);
> ea - where to add the instruction;
> instruction - a string like "mov eax, ebx"
>
> Any simple way to do something similar is also good.
>
> Thx,
> Stam
Well, if there is an empty block in the code (with 0's or nop's), it's easy to do.
Let's say the code is
push eax
*** you want to insert an instruction here, eg. inc ecx
mov ebx, edx
....
So you need to replace mov ebx, edx and the following instructions with jmp empty_block. Also add nop's if the jmp overwrites part of some instruction.
But before you do that, put your instruction in the empty block, then copy mov ebx, edx there, plus a few instructions...
in the end it will look like
push eax
jmp empty_block
tmp:...
empty_block:
inc ecx
mov ebx, edx
....
jmp tmp
hope this helps, and sorry for the thread necromancy ^^
|