0ne Posted December 24, 2015
I want to write a simple packer, but before I start writing, I was planning the design of the packer. The design is as in the following picture: http://imgur.com/qsKI7ty
Step one, encrypt the code segment and data segment. Step two, add a new segment, which will be the stub. Step three, change the OEP to the stub EP.
The first step and third step are easy, but the second step is not simple. The stub contains function calls (e.g. VirtualProtect).
1) From what I understood, every external function should be in the IAT. Do I have to add the function to the IAT? Is there any other method to call an external function without getting into trouble? I saw several articles on this subject, but there are no examples of how to resolve imports.
2) And what about ASLR?
Can you give me tips for writing a packer? Thank you!
Apuromafo Posted December 25, 2015
Google and YouTube today have lots of info:
http://www.stonedcoder.org/~kd/lib/61-267-1-PB.pdf
http://stackoverflow.com/questions/16580345/executable-packer-decompression-decryption-stub
0xNOP Posted December 25, 2015 (edited)
Quote: 15 hours ago, 0ne said: I want to write a simple packer, but before I start writing, I was planning the design of the packer. The design is as in the following picture: http://imgur.com/qsKI7ty Step one, encrypt the code segment and data segment. Step two, add a new segment, which will be the stub. Step three, change the OEP to the stub EP. The first step and third step are easy, but the second step is not simple. The stub contains function calls (e.g. VirtualProtect). 1) From what I understood, every external function should be in the IAT. Do I have to add the function to the IAT? Is there any other method to call an external function without getting into trouble? I saw several articles on this subject, but there are no examples of how to resolve imports. 2) And what about ASLR? Can you give me tips for writing a packer? Thank you!
I will give you two other things...
Understand the PE32 file structure from inside out, from top to bottom: http://www.pelib.com/resources/kath.txt (if the above is too much TL;DR and you wanna cut the baloney, Ctrl+F -> "Predefined Sections", done.)
The best PE library to make what you want: http://www.pelib.com/index.php
The rest is just reading tutorials and getting your work done really nicely. Hope this helps! And if you make it, share it with us!
Edited December 25, 2015 by 0xNOP
kao Posted December 25, 2015
In addition to the links already provided, here's the first part of a good tutorial: http://coder.pub/2014/08/pe-file-packer-step-by-step-1/
And you can also search this forum for @mudlord's posts - he was making his own packer too and ran into some problems occasionally.
mudlord Posted December 27, 2015 (edited)
In fact kao, my packer is pretty much complete on the 32-bit side, just some bugs left and overlay support. Full DLL and TLS callback support is in it. The 64-bit port however will be a nice challenge, since there are some x64-specific things like the exception directory.
I recommend kao's link; the PE library there is excellent and will help you build up your IAT, though it is possible to build your IAT from scratch. When doing that, you need to build up your thunk list. How I do it is by getting a single import for each DLL the application/DLL imports and then allocating the space needed for the thunks, and then I save a pointer to where the original location of the imports is in the EXE/DLL. Then, at depack time, I go to those original imports and resolve them. I also build up a list of internal functions which are used, which are limited to kernel32.dll calls.
ASLR is when an EXE is loaded at a different location than usual. To handle that on the depacking side, I resolve all addresses by an offset which is handled by an added relocation. I then shift the needed addresses by the offset. Simple really.
Quote: Is there any other method to call an external function without getting into trouble?
GetProcAddress/encrypted string. You could get a ptr doing that and do what you want. My stub is almost entirely written in C using function pointers for all API calls though, which use IAT entries for internal API usage.
To do a complete packer though you've got a long road; there are also relocations to take care of, TLS callbacks, TLS index variables, TLS directories, proper resource handling, exports in some cases, ASLR, DEP, etc.
Edited December 27, 2015 by mudlord
0ne Posted December 28, 2015 (Author)
Quote: On 25.12.2015 at 3:32 AM, Apuromafo said: Google and YouTube today have lots of info: http://www.stonedcoder.org/~kd/lib/61-267-1-PB.pdf http://stackoverflow.com/questions/16580345/executable-packer-decompression-decryption-stub
Thanks for the links first, they look interesting!
Quote: On 25.12.2015 at 9:40 AM, 0xNOP said: I will give you two other things... Understand the PE32 file structure from inside out, from top to bottom: http://www.pelib.com/resources/kath.txt (if the above is too much TL;DR and you wanna cut the baloney, Ctrl+F -> "Predefined Sections", done.) The best PE library to make what you want: http://www.pelib.com/index.php The rest is just reading tutorials and getting your work done really nicely. Hope this helps! And if you make it, share it with us!
I learned the PE format from various sources; I have knowledge of this subject. And because I learned it, I decided to program a project that involves this subject. Thank you :)
Quote: On 25.12.2015 at 2:09 PM, kao said: In addition to the links already provided, here's the first part of a good tutorial: http://coder.pub/2014/08/pe-file-packer-step-by-step-1/ And you can also search this forum for @mudlord's posts - he was making his own packer too and ran into some problems occasionally.
Thank you
Quote: 22 hours ago, mudlord said: In fact kao, my packer is pretty much complete on the 32-bit side, just some bugs left and overlay support. Full DLL and TLS callback support is in it. The 64-bit port however will be a nice challenge, since there are some x64-specific things like the exception directory. I recommend kao's link; the PE library there is excellent and will help you build up your IAT, though it is possible to build your IAT from scratch. When doing that, you need to build up your thunk list. How I do it is by getting a single import for each DLL the application/DLL imports and then allocating the space needed for the thunks, and then I save a pointer to where the original location of the imports is in the EXE/DLL. Then, at depack time, I go to those original imports and resolve them. I also build up a list of internal functions which are used, which are limited to kernel32.dll calls. ASLR is when an EXE is loaded at a different location than usual. To handle that on the depacking side, I resolve all addresses by an offset which is handled by an added relocation. I then shift the needed addresses by the offset. Simple really. GetProcAddress/encrypted string. You could get a ptr doing that and do what you want. My stub is almost entirely written in C using function pointers for all API calls though, which use IAT entries for internal API usage. To do a complete packer though you've got a long road; there are also relocations to take care of, TLS callbacks, TLS index variables, TLS directories, proper resource handling, exports in some cases, ASLR, DEP, etc.
Thank you very much!
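The design discussed in this thread (encrypt .text/.data, append a stub section, point the EP at it) leaves traces an analyst can look for in the headers. This is an added example, not code from any poster: a minimal PE section parser that flags high-entropy sections and an entry point sitting in an appended last section. The sample image, the 7.0 bits/byte threshold and the section layout are constructed assumptions for the demo, not a real binary.

```python
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:  # bits per byte: encrypted/compressed data sits near 8.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_sections(pe: bytes):  # -> (AddressOfEntryPoint, [(name, va, vsize, raw_off, raw_size)])
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H", pe, e_lfanew + 6)[0], struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                        # optional header follows the 20-byte COFF header
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    sections = []
    for i in range(nsec):                      # 40-byte IMAGE_SECTION_HEADER entries follow the optional header
        off = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_off = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace"), va, vsize, raw_off, raw_size))
    return entry_rva, sections

def packer_indicators(pe: bytes) -> list:
    """Flag what the thread's design leaves behind: encrypted sections and an EP moved into an added last section."""
    entry_rva, sections = parse_sections(pe)
    findings = []
    for idx, (name, va, vsize, raw_off, raw_size) in enumerate(sections):
        ent = shannon_entropy(pe[raw_off:raw_off + raw_size])
        if ent > 7.0:
            findings.append(f"{name}: entropy {ent:.2f}, likely encrypted/compressed")
        if va <= entry_rva < va + max(vsize, raw_size) and idx == len(sections) - 1 and idx > 0:
            findings.append(f"{name}: entry point 0x{entry_rva:x} lies in the last section (stub-style EP)")
    return findings

def build_sample_pe(entry_rva: int, sections: list) -> bytes:
    """Constructed test image, not a loadable binary: minimal PE32 headers followed by raw section bytes."""
    raw_off = 0x40 + 4 + 20 + 224 + 40 * len(sections)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)  # i386, SizeOfOptionalHeader 224
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva) + b"\0" * 204  # magic, EP
    hdrs, body = b"", b""
    for name, va, data in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), raw_off, 0, 0, 0, 0, 0x60000020)
        body, raw_off = body + data, raw_off + len(data)
    return dos + b"PE\0\0" + coff + opt + hdrs + body

# Constructed sample: plain code, a uniformly distributed stand-in for an encrypted section, and a stub holding the EP.
SAMPLE = build_sample_pe(0x3000, [(b".text", 0x1000, b"\x55\x8b\xec" * 300), (b".data", 0x2000, bytes(range(256)) * 4),
                                  (b".stub", 0x3000, b"\x90" * 64 + b"\xc3")])
print(packer_indicators(SAMPLE))
```

Run against a real file by replacing SAMPLE with the file's bytes; on a normal compiler-built EXE the entry point falls in .text and no section reaches the entropy threshold.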