How to launch an executable...
Dennis Elser (dennis) <dennisbacktracede> Friday, June 29 2007 09:43.02 CDT


...without creating it on disk. Ever wondered how to do that?
So did I. So I've taken apart an interesting executable crypter that
I found the other day. Not one of those crypters that add code/sections
to an existing PE file, but one that embeds the "target" executable as a
resource in its loader and maps it by hand.

The technique is simple, yet interesting (for _various_ purposes).

1. launch a copy of the loader process (i.e. itself) in suspended mode (CREATE_SUSPENDED).
2. get the thread context of the suspended copy's main thread (GetThreadContext).
3. retrieve the imagebase of the process by reading its PEB structure (ebx at process start points to the PEB; ImageBaseAddress is the field at offset 8).
4. unmap the original image from the process by calling ZwUnmapViewOfSection and passing it that imagebase.
5. read the SizeOfImage value from the optional header of the embedded executable's PE header.
6. allocate a new block of memory in the process, starting at the imagebase, of SizeOfImage bytes.
7. copy all the headers (DOS header, PE header, section headers etc.) to the allocated block of memory.
8. copy each section of the embedded executable to the allocated block at its virtual address, setting the memory protection of each section according to its section characteristics.
9. patch the ImageBaseAddress in the PEB of the process so it equals the address of the allocated block of memory.
10. set eax in the saved context to the entrypoint of the embedded executable (imagebase plus AddressOfEntryPoint) and write the context back with SetThreadContext; at process start, eax holds the address the initial thread will jump to.
11. resume the process, if all went well.

Step 6 only works if the block can actually be allocated at the imagebase the embedded executable was linked for; a loader that ends up at a different address would have to apply the base relocations as well.

For a better understanding, have a look at the disassembly.
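Steps 5 to 8 are the part of the loader that needs a PE parser, and it is also where a careless loader over-reads the embedded file. The block below is an added example, not code from the post or from the crypter: it performs that file-to-image mapping in portable C against a constructed minimal PE32 so it runs anywhere. A local buffer stands in for the VirtualAllocEx/WriteProcessMemory block in the target process, and the protection each section would get from VirtualProtectEx is only recorded; the header offsets and the IMAGE_SCN_*/PAGE_* values are the ones from the PE specification and the Windows SDK. The function names (pe_map, protect_from_characteristics, build_sample_pe) and the sample image are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IMAGE_SCN_MEM_EXECUTE 0x20000000u
#define IMAGE_SCN_MEM_READ    0x40000000u
#define IMAGE_SCN_MEM_WRITE   0x80000000u
#define PAGE_NOACCESS 0x01u
#define PAGE_READONLY 0x02u
#define PAGE_READWRITE 0x04u
#define PAGE_EXECUTE 0x10u
#define PAGE_EXECUTE_READ 0x20u
#define PAGE_EXECUTE_READWRITE 0x40u

typedef struct { uint32_t rva, vsize, raw_off, raw_size, characteristics, protect; } pe_section;
typedef struct {
    uint8_t *image;   /* SizeOfImage bytes laid out as in memory; stands in for the VirtualAllocEx block */
    uint32_t image_base, size_of_image, size_of_headers, entry_rva, nsections;
    pe_section sec[16];
} pe_image;

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Step 8: page protection for a section, derived from its characteristics. */
uint32_t protect_from_characteristics(uint32_t c)
{
    int x = !!(c & IMAGE_SCN_MEM_EXECUTE), r = !!(c & IMAGE_SCN_MEM_READ), w = !!(c & IMAGE_SCN_MEM_WRITE);
    if (x) return w ? PAGE_EXECUTE_READWRITE : (r ? PAGE_EXECUTE_READ : PAGE_EXECUTE);
    return w ? PAGE_READWRITE : (r ? PAGE_READONLY : PAGE_NOACCESS);
}

/* Steps 5-8: parse a raw PE32 file into its in-memory layout. 0 on success, -1 if malformed/truncated. */
int pe_map(const uint8_t *file, size_t len, pe_image *out)
{
    memset(out, 0, sizeof *out);
    if (len < 0x40 || rd16(file) != 0x5A4D) return -1;                     /* "MZ" */
    uint32_t nt = rd32(file + 0x3C);                                       /* e_lfanew */
    if (nt > len || len - nt < 24 + 96) return -1;                         /* room for PE32 headers */
    if (rd32(file + nt) != 0x4550 || rd16(file + nt + 24) != 0x10B) return -1; /* "PE\0\0", PE32 magic */
    out->nsections       = rd16(file + nt + 6);
    uint32_t opt_size    = rd16(file + nt + 20);
    out->entry_rva       = rd32(file + nt + 40);   /* AddressOfEntryPoint (step 10 needs it) */
    out->image_base      = rd32(file + nt + 52);   /* ImageBase (step 6 allocates here) */
    out->size_of_image   = rd32(file + nt + 80);   /* SizeOfImage (step 5) */
    out->size_of_headers = rd32(file + nt + 84);   /* SizeOfHeaders (step 7 copies this much) */
    uint32_t sh = nt + 24 + opt_size;                                      /* first section header */
    if (out->nsections > 16 || out->size_of_image == 0 || out->size_of_headers > len ||
        out->size_of_headers > out->size_of_image || sh > len || (len - sh) / 40 < out->nsections) return -1;
    if (!(out->image = calloc(out->size_of_image, 1))) return -1;
    memcpy(out->image, file, out->size_of_headers);                        /* step 7 */
    for (uint32_t i = 0; i < out->nsections; i++) {                        /* step 8 */
        const uint8_t *h = file + sh + i * 40;
        pe_section *s = &out->sec[i];
        s->vsize = rd32(h + 8); s->rva = rd32(h + 12); s->raw_size = rd32(h + 16); s->raw_off = rd32(h + 20);
        s->characteristics = rd32(h + 36); s->protect = protect_from_characteristics(s->characteristics);
        /* source range in the file and destination range in the image must both fit: no over-read */
        if (s->raw_off > len || s->raw_size > len - s->raw_off ||
            s->rva > out->size_of_image || s->raw_size > out->size_of_image - s->rva) {
            free(out->image); out->image = NULL; return -1;
        }
        memcpy(out->image + s->rva, file + s->raw_off, s->raw_size);
    }
    return 0;
}

/* Constructed sample input, not a real program: 0x600-byte PE32, .text + .data, 0x200/0x1000 alignment. */
size_t build_sample_pe(uint8_t *buf, size_t cap)
{
    const uint32_t nt = 0x80, opt = nt + 24, sh = opt + 224;
    if (cap < 0x600) return 0;
    memset(buf, 0, 0x600);
    buf[0] = 'M'; buf[1] = 'Z'; wr32(buf + 0x3C, nt); memcpy(buf + nt, "PE\0\0", 4);
    wr16(buf + nt + 4, 0x14C); wr16(buf + nt + 6, 2); wr16(buf + nt + 20, 224); /* i386, 2 sections, PE32 opt hdr */
    wr16(buf + opt, 0x10B);         wr32(buf + opt + 16, 0x1000); /* PE32 magic, AddressOfEntryPoint */
    wr32(buf + opt + 28, 0x400000); wr32(buf + opt + 32, 0x1000); /* ImageBase, SectionAlignment */
    wr32(buf + opt + 36, 0x200);    wr32(buf + opt + 56, 0x3000); /* FileAlignment, SizeOfImage */
    wr32(buf + opt + 60, 0x200);                                  /* SizeOfHeaders */
    /* .text: rva 0x1000, 0x200 raw bytes at file offset 0x200, CODE|EXECUTE|READ */
    memcpy(buf + sh, ".text", 5); wr32(buf + sh + 8, 0x10); wr32(buf + sh + 12, 0x1000);
    wr32(buf + sh + 16, 0x200); wr32(buf + sh + 20, 0x200); wr32(buf + sh + 36, 0x60000020);
    /* .data: rva 0x2000, 0x200 raw bytes at file offset 0x400, INITIALIZED_DATA|READ|WRITE */
    memcpy(buf + sh + 40, ".data", 5); wr32(buf + sh + 48, 0x10); wr32(buf + sh + 52, 0x2000);
    wr32(buf + sh + 56, 0x200); wr32(buf + sh + 60, 0x400); wr32(buf + sh + 76, 0xC0000040);
    memcpy(buf + 0x200, "\xB8\x01\x00\x00\x00\xC3", 6);           /* mov eax,1 ; ret */
    memcpy(buf + 0x400, "hello", 6);
    return 0x600;
}

int main(void)
{
    uint8_t f[0x600]; pe_image img;
    if (pe_map(f, build_sample_pe(f, sizeof f), &img) != 0) return 1;
    printf("ImageBase %#x SizeOfImage %#x entry RVA %#x .text protect %#x\n", (unsigned)img.image_base,
           (unsigned)img.size_of_image, (unsigned)img.entry_rva, (unsigned)img.sec[0].protect);
    free(img.image); return 0;
}
```

On Windows the same pe_map output is what gets written into the suspended process: `image` goes to the block allocated at `image_base`, each `sec[i].protect` is applied to its range, and `image_base + entry_rva` is the value that ends up in eax. Feeding the sample truncated to 0x300 bytes makes pe_map return -1 instead of reading past the end, which is the check a loader taking its payload from a resource section should have.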

Comments
halsten Posted: Friday, June 29 2007 09:51.40 CDT
Thanks for sharing the information.

jms Posted: Friday, June 29 2007 11:38.33 CDT
Righteous, this looks interesting.

RolfRolles Posted: Friday, June 29 2007 20:01.22 CDT
Thanks Dennis, solid information.

Piotr Posted: Saturday, June 30 2007 01:41.44 CDT
Hey,

My memory may be wrong, but i guess i saw similiar thing in one of the FI challenge crackmes, few years ago, in that case they were messing in similiar way with svchost.exe if i remember correctly :)

cheers!

4F 6E 20 6B 6F 6C 6D 65-6E 6C 61 69 73 69 61 20 "On kolmenlaisia "
69 68 6D 69 73 69 E4 2C-20 6E 69 69 74 E4 20 6A "ihmisiä, niitä j"
6F 74 6B 61 20 6F 76 61-74 20 6D 61 74 65 6D 61 "otka ovat matema"
61 74 74 69 73 65 73 74-69 20 6C 61 68 6A 61 6B "attisesti lahjak"
6B 61 69 74 61 20 6A 61-20 6E 69 69 74 E4 2C 20 "kaita ja niitä, "
6A 6F 74 6B 61 20 65 69-76 E4 74 20 6F 6C 65 2E "jotka eivät ole."
(Finnish: "There are three kinds of people: those who are mathematically gifted and those who are not.")

skape Posted: Saturday, June 30 2007 01:55.18 CDT
We integrated support for this type of process execution in Metasploit's Meterpreter at one point.  It works in pretty much the exact same manner as what you described :)

If anyone is curious to see an implementation, take a peek here:

http://www.metasploit.com/dev/trac/browser/framework3/trunk/external/source/meterpreter/source/extensions/stdapi/server/sys/process/in-mem-exe.c

frankboldewin Posted: Saturday, June 30 2007 05:21.43 CDT
thanx for sharing this information dennis.

the rustock.b rootkit i've analyzed did something similar after its last stage of decryption.

dennis Posted: Saturday, June 30 2007 05:33.32 CDT
It's actually good to know this technique is being used here and there already. What I have seen so far were programs launching legitimate windows processes (suspended), then simply overwriting its process space and setting the eip using SetThreadContext(). I pretty much liked the technique used here as it seems to do its work in a pretty clean and straight forward way (although relying on undocumented structures).

Veritas Posted: Saturday, June 30 2007 10:24.28 CDT
This technique is old, but nevertheless quite effective against many AVs.

See this PoC from 2004:
http://www.security.org.sg/code/loadexe.html

mugg Posted: Sunday, July 1 2007 01:44.20 CDT
Sneaky.

What is at sub_401EF8 in the first function listed in the disas? Everything in the deadlisting is around 402xxx.

dennis Posted: Sunday, July 1 2007 04:41.28 CDT

sub_401EF8  proc near   ; CODE XREF: launch_image_in_memory+18p
                        ; launch_image_in_memory+20p ...
    test eax, eax       ; eax = pointer to a data block; nothing to do for NULL
    jz short locret_401F05

    mov edx, [eax-8]    ; reference count kept 8 bytes in front of the block
    inc edx
    jle short locret_401F05 ; count+1 <= 0, i.e. count was -1 or less: not refcounted, leave it alone

    inc dword ptr [eax-8]   ; otherwise bump the reference count


locret_401F05:          ; CODE XREF: sub_401EF8+2j
                        ; sub_401EF8+8j
    retn

sub_401EF8 endp


In case you want to have a look at the crypter, google for
"fearz crypter" (I was having a look at fearz crypter 1.0 beta 1).