Teddy Rogers, posted October 16, 2011 (edited)

Corkami PE Corpus

A set of handmade files showing the various possibilities of the Portable Executable format, under Windows XP and 7. All these files are clean and working. However, they are hand-made and push the PE file format to its limits, so they might be detected as malicious or as corrupted files. Check bin\test*.txt for the descriptions of each binary.

Video: http://www.youtube.com/watch?v=MJvsshovITE

Download link: http://code.google.com/p/corkami/wiki/PE

Attachment: Ted.CPC-20111014.zip

Edited April 2, 2012 by Teddy Rogers: Updated link...
cozofdeath, posted December 2, 2011 (edited)

Anyone look at this yet? It doesn't look like it will run on my system (Win7 x64), which they said it would, but it errors every time. The file looks pretty messed up. I can't imagine it would run with some of those header values. I know most are ignored, but the ones that are not look horrible. Could anyone get it to run?

*edit* This is looking much cooler already. The author was extremely creative. It still doesn't run, but in the debugger (even though it doesn't completely load) it is amazing how it loads and how the author has commented on each trick he has provided in the code itself, to show up in Olly as strings. Very creative. I have yet to look at the source. The file has no section headers! No EP, which isn't unheard of but cool to see. There seem to be no file/section alignments. It is just one file (no sections, no alignments). I will be checking this out for a little

Edited December 2, 2011 by cozofdeath
Peter Ferrie, posted December 2, 2011

Yes, we spent a lot of time talking about the tricks that are possible. I've documented most of them over the years, but I never shared any examples, so Ange was left to work it out for himself (which he did, and amazingly well). Some of the files aren't supported by x64 because of size checks that were introduced there.
NikolayD, posted January 7, 2012

PE page updated: bit.ly/xKcLiS

multi-subsystem PE, relocated imagebase, MIPS relocations, virtual entrypoint

Attachment: CPC-20120107.rar
Ange, posted April 2, 2012 (edited)

Just to let you know that I updated the page again, with:

* a permanent link to the latest build: http://xchg.info/corkami/latest/pe.rar
* flash slideshows with more explanations
* data PEs, exe2pe, Win32VersionValue, etc...

*edit* If you have trouble understanding the video, I did English subtitles, with extra comments, that you can view directly at http://www.universalsubtitles.org/en/videos/MCGL8ABJUdv7/info/-days:%20Ange%20Albertini:%20Such%20a%20weird%20processor%20-%20messing%20with%20x86%20opcodes

Edited April 4, 2012 by Ange
deepzero, posted April 2, 2012 (edited)

Very nice. Maybe you can link to Daniel Pistelli's Rich documentation: http://www.ntcore.com/files/richsign.htm

> CheckSum: simple algorithm, required for drivers only

AFAIK it's required for all PE files running with system privileges, so e.g. a DLL that is injected into winlogon.exe at startup will have to have this signature, too. You don't happen to possess this algorithm?

> DllCharacteristics: not necessary. dll.dll is a working DLL with this value set to 0

On my XP SP3 system this flag is required. If it is not set, LoadLibrary() fails.

Edited April 2, 2012 by deepzero
kao, posted April 2, 2012

> You don't happen to possess this algorithm?

http://doxygen.reactos.org/d2/d40/imagehlp_2modify_8c_source.html

> On my XP SP3 system this flag is required. If it is not set, LoadLibrary() fails.

That specific DLL (dll.dll from corkami) has DllCharacteristics == 0 and it loads on both XP and Win7.
Ange, posted April 4, 2012

(You can contact me directly if you prefer.)

* I updated the page yesterday, including Daniel's link; however, it was really easy to find and widespread.
* PE checksum is trivial and fully documented (PEFile, etc...)

> Very nice. Maybe you can link to Daniel Pistelli's Rich documentation: http://www.ntcore.com/files/richsign.htm
>
> AFAIK it's required for all PE files running with system privileges, so e.g. a DLL that is injected into winlogon.exe at startup will have to have this signature, too. You don't happen to possess this algorithm?
>
> On my XP SP3 system this flag is required. If it is not set, LoadLibrary() fails.
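The PE CheckSum algorithm that deepzero asked about, and that kao's ReactOS link (imagehlp/modify.c, CheckSumMappedFile) and Ange's reference to PEFile both describe, is short enough to write down in full. The following is an added example in Python; it is neither corkami's code nor the ReactOS or pefile implementation, and the sample PE image it builds is a constructed, minimal PE32 header (no sections, no code) used only so the functions have something to run on. The algorithm: sum the file as little-endian 16-bit words with end-around carry, treating the 4-byte CheckSum field as zero, fold to 16 bits, then add the file length. The field offset is e_lfanew + 4 (PE signature) + 20 (IMAGE_FILE_HEADER) + 0x40, which is the same for PE32 and PE32+.

```python
"""Compute, set and verify IMAGE_OPTIONAL_HEADER.CheckSum (added example, not project code)."""
import struct


def checksum_field_offset(data: bytes) -> int:
    """File offset of the CheckSum field; 0x40 into the optional header for PE32 and PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20 + 0x40


def pe_checksum(data: bytes) -> int:
    """16-bit end-around-carry sum of the file, CheckSum field zeroed, plus file length."""
    buf = bytearray(data)
    off = checksum_field_offset(buf)
    buf[off:off + 4] = b"\0\0\0\0"   # zero words add nothing, so this equals skipping the field
    if len(buf) % 2:
        buf.append(0)                # odd length: last byte is the low byte of a zero-padded word
    total = 0
    for (word,) in struct.iter_unpack("<H", buf):
        total += word
        total = (total & 0xFFFF) + (total >> 16)   # fold the carry back in
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def set_checksum(data: bytes) -> bytes:
    """Return a copy of the image with the CheckSum field filled in."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(buf), pe_checksum(buf))
    return bytes(buf)


def verify_checksum(data: bytes) -> bool:
    """True only if a non-zero stored value matches the recomputed one (0 means 'not set')."""
    stored = stored_checksum(data)
    return stored != 0 and stored == pe_checksum(data)


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 header (DOS header, PE signature, file header, optional header).

    It is only an input for the functions above; it carries no sections or code.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 224, 0x0102)  # i386, no sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x010B)                   # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x00400000)              # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)                  # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                   # FileAlignment
    struct.pack_into("<H", opt, 48, 4)                       # MajorSubsystemVersion
    struct.pack_into("<I", opt, 56, 0x2000)                  # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)                   # SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                       # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    image = build_sample_pe()
    print("computed:", hex(pe_checksum(image)))              # 0xe9a4 for this sample
    signed = set_checksum(image)
    print("verifies after set:", verify_checksum(signed))
    tampered = bytearray(signed)
    tampered[-1] ^= 0xFF
    print("verifies after tampering:", verify_checksum(bytes(tampered)))
```

Two properties worth noticing when reading it against the thread: because the CheckSum field itself is excluded from the sum, writing the computed value back does not change it (so set_checksum is idempotent), and a stored value of 0 is the "never computed" state that most non-driver executables ship with, which is why a checker should treat 0 as "absent" rather than "mismatch".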