Tuts 4 You

Corkami PE Corpus...


Teddy Rogers


Posted (edited)

Corkami PE Corpus

A set of handmade files showing the various possibilities of the Portable Executable format, under Windows XP and 7. All these files are clean and working. However, they are hand-made and push the PE file format to its limits, so they might be detected as malicious or as corrupted files. Check bin\test*.txt for the descriptions of each binary.

http://www.youtube.com/watch?v=MJvsshovITE

Download Link:

http://code.google.com/p/corkami/wiki/PE

Ted.

CPC-20111014.zip

Edited by Teddy Rogers
Updated link...
Posted (edited)

Anyone look at this yet? It doesn't look like it will run on my system (win7 x64) which they said it would but it errors every time. The file looks pretty messed up. I can't imagine it would run with some of those header values. I know most are ignored but the ones that are not look horrible. Could anyone get it to run?

*edit - This is looking much cooler already. The author was extremely creative. It doesn't run still but in the debugger (even though it doesn't completely load) it is amazing how it loads and how the author has commented on each trick he has provided in the code itself to show up in Olly as strings. Very creative. I have yet to look at the source. The file has no section headers! No EP which isn't unheard of but cool to see. There seems to be no file/section alignments. It is just one file (no sections, alignments). I will be checking this out for a little.

Edited by cozofdeath
Posted

Yes, we spent a lot of time talking about the tricks that are possible.

I've documented most of them over the years, but I never shared any examples, so Ange was left to work it out for himself (which he did, and amazingly well).

Some of the files aren't supported by x64 because of size checks that were introduced there.

Posted (edited)

Just to let you know that I updated the page again, with:

* a permanent link to the latest build http://xchg.info/corkami/latest/pe.rar

* flash slideshows with more explanations

* data PEs, exe2pe, Win32VersionValue, etc...

*edit*

if you have troubles understanding the video, I did English subtitles, with extra comments, that you can view directly at http://www.universalsubtitles.org/en/videos/MCGL8ABJUdv7/info/-days:%20Ange%20Albertini:%20Such%20a%20weird%20processor%20-%20messing%20with%20x86%20opcodes

Edited by Ange
Posted (edited)

very nice

maybe you can link to Daniel Pistelli's Rich documentation:
http://www.ntcore.com/files/richsign.htm

CheckSum

simple algorithm

  • required for drivers only

afaik, it's required for all PE files running with system privileges, so e.g. a dll that is injected into winlogon.exe at startup, will have to have this signature, too.

you don't happen to possess this algorithm?

DllCharacteristics

  • not necessary
    • dll.dll is a working DLL with this value set to 0

on my xpsp3 system this flag is required. If it is not set, LoadLibrary() fails.

Edited by deepzero
Posted

you don't happen to possess this algorithm?

http://doxygen.reactos.org/d2/d40/imagehlp_2modify_8c_source.html

on my xpsp3 system this flag is required. If it is not set, LoadLibrary() fails.

That specific DLL (dll.dll from corkami) has DLLCharacteristics==0 and it loads on both XP and Win7.
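The CheckSum algorithm asked about above is the one imagehlp's CheckSumMappedFile implements (the ReactOS source linked in the reply is one public implementation). The following Python is an added example written for this thread, not code from Corkami, ReactOS or any poster: it folds the file as little-endian 16-bit words with end-around carry, treats the four bytes of OptionalHeader.CheckSum as zero, adds the file length, and can compute, write and verify the field. The minimal PE32 image it builds (no sections, like the Corkami files discussed here) is constructed for the demonstration and has a hand-verified checksum of 0xA54E.

```python
"""Compute and verify the PE OptionalHeader.CheckSum field.

Added example for the Tuts 4 You thread; reproduces the imagehlp
CheckSumMappedFile algorithm from its public description.
"""
import struct

OPT_HDR_CHECKSUM_OFFSET = 0x40  # CheckSum sits at +0x40 in both PE32 and PE32+


def fold16_sum(data: bytes, skip_offset=None) -> int:
    """Sum little-endian 16-bit words with end-around carry folding.

    If skip_offset is given (must be even), the 4-byte DWORD starting
    there is treated as zero. An odd trailing byte is zero-padded.
    """
    if skip_offset is not None and skip_offset % 2:
        raise ValueError("unaligned CheckSum field not handled by this example")
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for off in range(0, len(data), 2):
        if skip_offset is not None and skip_offset <= off < skip_offset + 4:
            continue
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)  # fold the carry back in
    total = (total & 0xFFFF) + (total >> 16)      # the last add may carry too
    return total & 0xFFFF


def pe_checksum_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum, after checking MZ and PE magic."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # PE signature (4) + COFF file header (20) + offset inside optional header
    return e_lfanew + 4 + 20 + OPT_HDR_CHECKSUM_OFFSET


def compute_pe_checksum(data: bytes) -> int:
    """Word-fold the image with the CheckSum field zeroed, then add the length."""
    return (fold16_sum(data, skip_offset=pe_checksum_offset(data)) + len(data)) & 0xFFFFFFFF


def read_pe_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, pe_checksum_offset(data))[0]


def set_pe_checksum(data: bytes) -> bytes:
    """Return a copy of the image with a freshly computed CheckSum written in."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, pe_checksum_offset(data), compute_pe_checksum(data))
    return bytes(buf)


def verify_pe_checksum(data: bytes) -> str:
    """Return 'missing' (field is 0), 'ok' (matches) or 'mismatch'."""
    stored = read_pe_checksum(data)
    if stored == 0:
        return "missing"
    return "ok" if stored == compute_pe_checksum(data) else "mismatch"


def build_minimal_pe32(trailer: bytes = b"") -> bytes:
    """Constructed sample: DOS header, PE signature, COFF header, empty PE32
    optional header, zero sections. Not a real Corkami file."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    # Machine=i386, 0 sections, no timestamp/symbols, SizeOfOptionalHeader=0xE0,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + trailer


if __name__ == "__main__":
    image = build_minimal_pe32()
    print("computed: 0x%08X" % compute_pe_checksum(image))   # 0x0000A54E
    fixed = set_pe_checksum(image)
    print("stored after set:", verify_pe_checksum(fixed))    # ok
```

Because the CheckSum DWORD is skipped while summing, computing the value is the same operation whether the field currently holds 0, a stale value or the correct one; that is also why the kernel can validate drivers by recomputing it. A stored value of 0 is "not set" rather than a mismatch, which is what the corpus's "required for drivers only" note refers to.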

Posted

(you can contact me directly if you prefer)

* I updated the page yesterday, including Daniel's link, however it was really easy to find and widespread.

* PE checksum is trivial and fully documented (PEFile, etc...)
