How to use codecaves to inject backdoor code into PE files

2025-02-23 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

How to use code caves to insert backdoor code into PE files is something many inexperienced people do not know how to do. This article therefore walks through the problem and its solution; I hope it helps you work through it.

This article introduces the use of code caves to place backdoor code into PE files. There are good tools that automate this, for example BackdoorFactory and Shellter, which do the same thing and can even bypass the static analysis of several antivirus products.

Start

Let's understand some terms:

PE files: The Portable Executable (PE) format is the file format for executables, object code and DLLs on 32-bit and 64-bit versions of the Windows operating system.

Code cave:

According to Wikipedia:

"A code cave is a series of empty bytes in a process's memory. The code cave inside a process's memory is often a reference to a section of the code's script functions that have the capacity for the injection of custom instructions. For example, if a script's memory allows 5 bytes and only 3 bytes are used, the remaining 2 bytes can be used to add external code to the script."

Shellcode:

According to Wikipedia:

"Shellcode is a small piece of code used as the payload. It is called 'shellcode' because it typically starts a command shell from which the attacker can control the compromised machine, so any piece of code that performs a similar task can be called shellcode."

Let's get started. You can download the Putty version I used here. I'll use Immunity Debugger for debugging; you can use any other debugger, such as OllyDbg.

First, we need to find a usable code cave and then insert the malicious code. You can either add a new section or modify an existing section to use as the code cave. I use the cave-miner script to locate unused bytes. You can see that the cave starts at 00445CD5; I will inject my shellcode from 00445CD6.

Next, I hijack the program's entry point and redirect execution to our shellcode. Before that, we must use LordPE or any other PE header editor to make the .data section executable. When that is done, we copy the first few instructions at the entry point and save them in Notepad, then insert a JMP 00445CD6 as the first instruction, which redirects execution to the newly found code cave. After replacing the entry-point instructions with the JMP, we need to record which instructions were overwritten, because they have to be restored later.

Now, let's look at the instructions we place in the cave:

1. PUSHAD
2. PUSHFD
3. Shellcode
4. Stack alignment
5. POPFD
6. POPAD
7. Restore the overwritten instructions
8. JMP back to the next original instruction (the one following the overwritten ones)

Executing PUSHAD is equivalent to writing:

PUSH EAX
PUSH ECX
PUSH EDX
PUSH EBX
PUSH ESP
PUSH EBP
PUSH ESI
PUSH EDI

POPAD pops the values off the stack in reverse order, restoring all register values. PUSHAD and POPAD therefore save and restore the general-purpose registers without a separate PUSH and POP for each register. Similarly, PUSHFD and POPFD save and restore the EFLAGS register.

After the PUSHFD instruction, I generate a reverse TCP shellcode with msfvenom in hexadecimal and binary format and place it in the code cave. Note the value of ESP before and after the shellcode executes to identify the difference and align the stack. Before shellcode execution and after shellcode execution, the difference is 0018FF68 - 0018FD6C; now align the stack by adding this value to ESP.

After restoring the overwritten instructions, save the modified executable and listen for the reverse connection with netcat. Once I start putty, it hangs unless I close the reverse connection. This is a problem caused by a call to WaitForSingleObject in the msfvenom shellcode.

Here's a good article on how to solve this problem, https://simonuvarov.com/msfvenom-reverse-tcp-waitforsingleobject/.

The msfvenom shellcode passes INFINITE as the dwMilliseconds parameter. The WaitForSingleObject problem is fixed by changing the dwMilliseconds value from -1 to 0 (I do this by replacing the dec esi instruction with a NOP). Finally, apply the fix, save the executable file, and you're done!
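As an added, defender-side example that is not part of the original article: the Python below inspects a PE's headers for the two traces the procedure above leaves behind, a writable section that has also been made executable and a long run of null bytes (a cave) inside an executable section. The PE image it analyzes is constructed inline for the demonstration; the header offsets and section flags are the ones from the PE specification, and no real binary or shellcode is involved.

```python
import re
import struct

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000

def parse_sections(data):
    """Return (AddressOfEntryPoint, section list) from a PE32/PE32+ image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0] if len(data) > 0x40 else 0   # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)      # COFF header fields
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]           # same offset in PE32+
    sections = []
    for i in range(nsec):
        off = pe + 24 + opt_size + 40 * i                             # IMAGE_SECTION_HEADER
        name, vsize, va, rawsize, rawptr, chars = struct.unpack_from("<8sIIII12xI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw": data[rawptr:rawptr + rawsize], "chars": chars})
    return entry, sections

def analyze_pe(data, min_cave=64):
    """Entry section, writable+executable sections, and null runs (caves) in executable ones."""
    entry, sections = parse_sections(data)
    report = {"entry_section": None, "wx_sections": [], "caves": []}
    cave = re.compile(rb"\x00{%d,}" % min_cave)
    for s in sections:
        if s["va"] <= entry < s["va"] + max(s["vsize"], len(s["raw"])):
            report["entry_section"] = s["name"]
        if not s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            continue                                   # only executable sections can host a cave
        if s["chars"] & IMAGE_SCN_MEM_WRITE:
            report["wx_sections"].append(s["name"])    # the ".data made executable" trace
        for m in cave.finditer(s["raw"]):              # (section, RVA of cave, length in bytes)
            report["caves"].append((s["name"], s["va"] + m.start(), m.end() - m.start()))
    return report

def build_image(data_chars):
    """Constructed two-section PE32 image for the demo (not a real binary); data_chars sets .data flags."""
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)            # e_lfanew
    struct.pack_into("<HH", hdr, 0x44, 0x14C, 2)       # Machine i386, NumberOfSections 2
    struct.pack_into("<H", hdr, 0x54, 224)             # SizeOfOptionalHeader
    struct.pack_into("<H", hdr, 0x58, 0x10B)           # PE32 magic
    struct.pack_into("<I", hdr, 0x68, 0x1000)          # AddressOfEntryPoint inside .text
    sec = "<8sIIIIIIHHI"                               # whole 40-byte IMAGE_SECTION_HEADER
    struct.pack_into(sec, hdr, 0x138, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    struct.pack_into(sec, hdr, 0x160, b".data", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, data_chars)
    return bytes(hdr) + b"\x90" * 0x200 + b"\x01\x02\x03\x04" + b"\x00" * 0x1FC
```

Running analyze_pe on build_image(0xC0000040) (a read/write .data) reports nothing, while build_image(0xE0000040) (the same image with .data additionally marked executable) reports .data as W+X and its 508-byte null run as a cave; on a real file, read it with open(path, "rb").read() and treat either finding as a reason to look closer.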

POC

Finally

Once putty.exe is opened, it spawns a reverse shell. Happy Hacking :)

After reading the above, have you learned how to use code caves to inject backdoor code into PE files? If you want to learn more, you are welcome to follow the industry information channel. Thank you for reading!
