{"id":10770,"date":"2021-03-24T14:58:09","date_gmt":"2021-03-24T14:58:09","guid":{"rendered":"http:\/\/www.max-sperling.bplaced.net\/?p=10770"},"modified":"2024-02-16T10:16:23","modified_gmt":"2024-02-16T10:16:23","slug":"static-code-injection-pe","status":"publish","type":"post","link":"http:\/\/www.max-sperling.bplaced.net\/?p=10770","title":{"rendered":"Static code injection (PE)"},"content":{"rendered":"<p><strong>In general<\/strong><\/p>\n<ol>\n<li>Use either available space in an existing section or add a new one.<\/li>\n<li>Add your code either directly or load a DLL that contains your code.<\/li>\n<\/ol>\n<hr>\n<p><strong>By example<\/strong><\/p>\n<pre>\r\n$ .\\crackme.exe\r\nCan you add another output?\r\n<\/pre>\n<ol>\n<li>Let&#8217;s add a new PE section (with CFF Explorer)\n<ol>\n<li>Open the PE file<\/li>\n<li>Click on &#8216;Section Header&#8217; -> Right click -> Click on &#8216;Add Section (Empty Space)&#8217; -> Enter size -> Click on &#8216;OK&#8217;<\/li>\n<li>Double click on the &#8216;Name&#8217; cell of the new row (section) to enter a name<\/li>\n<li>Click on the new row (section) -> Right click -> Click on &#8216;Change Section Flags&#8217; -> Enable: is executable\/readable\/writeable, contains code\/un-\/initialized data<\/li>\n<li>Save (overwrite) the PE file<\/li>\n<\/ol>\n<p>Hint: If the section isn&#8217;t empty (like in my case), use a hex editor to zero it out (&#8230;0x00&#8230;).\n<\/li>\n<li>Let&#8217;s detour the code (with Cutter\/Radare2)\n<ol>\n<li>\nOur new section starts at 0x00412000. So let&#8217;s add a new string there.<\/p>\n<pre class=\"brush: plain; gutter: false; title: ; notranslate\" title=\"\">\r\n           | 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F |\r\n           |-------------------------------------------------------------------------------------------------|\r\n0x00412000 | 59 65 73 20 49 20 63 61 6e 2c 20 63 61 75 73 65 20 49 27 6d 20 61 20 70 72 6f 2e 00 00 00 00 00 | Yes I can, cause I&#039;m a pro.\\x00\\x00\\x00\\x00\\x00\r\n0x00412020 | 00 00 00 ...\r\n<\/pre>\n<\/li>\n<li>\nLet&#8217;s modify the main function to jump to the code placed right after the new string.<\/p>\n<pre class=\"brush: plain; gutter: false; title: ; notranslate\" title=\"\">\r\n36: int main (int argc, char **argv, char **envp);\r\n0x00401550      push    rbp\r\n0x00401551      mov     rbp, rsp\r\n0x00401554      sub     rsp, 0x20\r\n0x00401558      call    __main     ; sym.__main\r\n0x0040155d      lea     rcx, str.Can_you_add_another_output ; section..rdata\r\n                                   ; 0x404000 ; const char *s\r\n0x00401564      call    puts       ; sym.puts ; int puts(const char *s)\r\n0x00401569      mov     eax, 0\r\n0x0040156e      add     rsp, 0x20\r\n0x00401572      pop     rbp\r\n0x00401573      ret\r\n<\/pre>\n<p>Replace &#8216;mov eax, 0&#8217; with &#8216;jmp 0x41201d&#8217;. Both instructions occupy the same number of bytes (5), so we don&#8217;t have to add &#8216;nop&#8217; instructions.\n<\/li>\n<li>\nLet&#8217;s print out the new string, execute the replaced instruction and jump back.<\/p>\n<pre class=\"brush: plain; gutter: false; title: ; notranslate\" title=\"\">\r\n0x0041201d      lea rcx, 0x412000\r\n0x00412024      call puts          ; sym.puts ; int puts(const char *s)\r\n0x00412029      mov eax, 0\r\n0x0041202e      jmp 0x40156e       ; sym.main+0x1e\r\n<\/pre>\n<\/li>\n<\/ol>\n<pre>\r\n$ .\\crackme.exe\r\nCan you add another output?\r\nYes I can, cause I'm a pro.\r\n<\/pre>\n<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>In general Use either available space in an existing section or add a new one. Add your code either directly<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false},"categories":[39],"tags":[],"_links":{"self":[{"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/posts\/10770"}],"collection":[{"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=10770"}],"version-history":[{"count":1,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/posts\/10770\/revisions"}],"predecessor-version":[{"id":16712,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/posts\/10770\/revisions\/16712"}],"wp:attachment":[{"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=10770"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=10770"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=10770"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}