
REVERSE ENGINEERING

answer is: with Python of course. Indeed miasm is shipped with disassembling/assembling capabilities that we'll use. Sadly there is no way of doing this with pefile, so if you really don't want to use miasm you'll have to consider using a different standalone program (such as fasm) or another Python module with assembling capabilities (such as MOSDEF). Let's get the binary blob corresponding to this ASM text: Listing 11.

With those few lines of Python we have the binary code corresponding to the ASM deciphering stub we wrote earlier. A quick check lets us know that this binary will fit without any problem within the trash-padded space we spotted earlier.

    >>> len(deciphering_stub)
    25

We now only have to add this small piece of binary code at the end of the .text section and modify the PE file header to enlarge the size of this section that has to be mapped in memory. Using pefile:

    >>> pe.set_bytes_at_rva(tsection.VirtualAddress + tsection.Misc_VirtualSize, stub)
    >>> tsection.Misc_VirtualSize += len(stub)

Now that everything's ready we still have to change the AddressOfEntryPoint in order to start the program with our decoding stub, update some checksums stored in the headers, and save the resulting PE file on disk (we use only pefile for this step because some kind of bug currently seems to corrupt the PE files written by miasm, although this may be corrected by the time the article is published): Listing 12.

Testing and conclusion

Using those few lines of code we packed some usual Windows binaries, confirmed that they still worked exactly the way they are supposed to, and compared their MD5 signatures: Table 1.

Table 1. Checking if the files have been packed

    Executable    Original MD5                        Packed MD5
    Calc.Exe      5911f4ae105c7469636f7adcea35349f    5f8a5cc3e415ae17dc3f3295138172fb
    Notepad.exe   2dcc5c800f51d487178814ca9eada181    571299065675826205d78b56d2dd2adf
    Winmine.exe   ea682c022f7204cc8e8c9ef5dce29356    efa6921d3f123c62735d850b3e087cfd

The signatures are definitely different, which proves that the files are different. Using this packer we may be able to bypass a couple of AVs if we pack our pentest tools! In order to estimate our chances of bypassing AV we measured the amount of the file that was changed: Table 2.

Table 2. Efficiency measurement of our tiny packer

    Executable    Percent modified
    Calc.Exe      4.7%
    Winmine.exe   6.3%
    Notepad.exe   1.1%

These percentages are quite low and you may feel like ciphering more sections would be a good idea. After all there is no reason to cipher only the .data section; you could cipher almost every section this way and reach percentages around 90%... but there is a trap. Indeed, when Windows loads a PE file it does some magic BEFORE jumping to the AddressOfEntryPoint. This magic includes things such as loading some DLLs the program needs to run, and the glitch is that the list of DLLs can be stored in any section. If you cipher this list Windows will fail to understand it and will refuse to launch your program (i.e. your packed version will not work). There are a couple of traps like this, and if you want to improve your packer you'll especially have to worry about the IAT (the Import Address Table, i.e. the list of DLLs needed) and the .rsrc section (the section that holds resources, such as the program's icon). Once you've managed to spot the parts of the program you don't want to encipher (such as the IAT) you can modify the packer so that it can cipher sections holding such sensitive data while leaving that data itself in the clear (this is left as an exercise to the reader). And if this is not sufficient for you, it may be possible to find really nice ways of finally modifying those parts without ciphering.
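As an added example (not code from the article, and not part of miasm or pefile), here is a dependency-free Python check covering both points made above: where the entry point now sits relative to its section, which is the trace a stub appended at the tail of .text leaves and a cheap indicator when triaging a suspect binary, and which sections host the loader-consumed structures (import directory, IAT, resource directory) that must be left in the clear. It parses PE32 headers with struct only, so it runs without pefile; the PE blob it analyses is constructed inline from hypothetical values (section sizes, RVAs, a 25-byte stub) and contains no real program code.

```python
import struct
from dataclasses import dataclass

# Data-directory indices (PE spec order) that the Windows loader consumes
# before the entry point runs: ciphering any of these breaks the program.
LOADER_DIRECTORIES = {1: "IMPORT", 2: "RESOURCE", 12: "IAT"}


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int

    def contains_rva(self, rva):
        # The mapped extent is the larger of the two sizes; alignment padding is ignored here.
        end = self.virtual_address + max(self.virtual_size, self.raw_size)
        return self.virtual_address <= rva < end


def parse_pe(data):
    """Return (AddressOfEntryPoint, {dir_index: (rva, size)}, [Section]) from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, num_sections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 optional headers are handled in this example")
    entry = struct.unpack_from("<I", data, opt + 16)[0]       # AddressOfEntryPoint
    num_dirs = struct.unpack_from("<I", data, opt + 92)[0]    # NumberOfRvaAndSizes
    dirs = {}
    for i in range(num_dirs):
        rva, size = struct.unpack_from("<II", data, opt + 96 + 8 * i)
        if rva:
            dirs[i] = (rva, size)
    sections = []
    table = opt + size_opt                                    # section table follows the optional header
    for i in range(num_sections):
        hdr = data[table + 40 * i:table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize = struct.unpack_from("<III", hdr, 8)
        sections.append(Section(name, vaddr, vsize, rsize))
    return entry, dirs, sections


def loader_sensitive_sections(dirs, sections):
    """Map section name -> loader-consumed directories it hosts (the parts to leave in the clear)."""
    hosts = {}
    for idx, (rva, _size) in sorted(dirs.items()):
        if idx in LOADER_DIRECTORIES:
            for s in sections:
                if s.contains_rva(rva):
                    hosts.setdefault(s.name, []).append(LOADER_DIRECTORIES[idx])
    return hosts


def entry_point_indicators(entry, sections):
    """Locate the entry point; a stub appended at the tail of .text shows as a small bytes_to_section_end."""
    for s in sections:
        if s.contains_rva(entry):
            return {"section": s.name,
                    "offset_in_section": entry - s.virtual_address,
                    "bytes_to_section_end": s.virtual_address + s.virtual_size - entry}
    return {"section": None, "offset_in_section": None, "bytes_to_section_end": None}


def build_sample_pe(entry_rva, text_vsize, data_dirs):
    """Constructed PE32 header blob (hypothetical values, no real code): .text, .data, .rsrc."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew -> 0x40
    secs = [(b".text", 0x1000, text_vsize, 0x600),
            (b".data", 0x2000, 0x300, 0x400),
            (b".rsrc", 0x3000, 0x200, 0x200)]
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 0, 0, 0x600, 0x600, 0, entry_rva, 0x1000, 0x2000, 0x400000,
                      0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x4000, 0x400, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dd = b"".join(struct.pack("<II", *data_dirs.get(i, (0, 0))) for i in range(16))
    table, raw_ptr = b"", 0x400
    for name, vaddr, vsize, rsize in secs:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += rsize
    return dos + b"PE\0\0" + coff + opt + dd + table


# Constructed directories: import list and IAT live in .data, resources in .rsrc.
SAMPLE_DIRS = {1: (0x2100, 0x50), 2: (0x3000, 0x200), 12: (0x2040, 0x40)}
# Before packing: entry at the start of .text. After: a 25-byte stub appended at the old end of .text.
ORIGINAL = build_sample_pe(0x1000, 0x519, SAMPLE_DIRS)
PACKED = build_sample_pe(0x1000 + 0x519, 0x519 + 25, SAMPLE_DIRS)

if __name__ == "__main__":
    for label, blob in (("original", ORIGINAL), ("packed", PACKED)):
        entry, dirs, sections = parse_pe(blob)
        print(label, entry_point_indicators(entry, sections))
        print(label, "leave in the clear:", loader_sensitive_sections(dirs, sections))
```

On the constructed sample the original image reports its entry point at offset 0 of .text, while the packed one reports it 0x519 bytes in with only 25 bytes left before the section's end, exactly the footprint of the appended stub; for both images the directory map says .data hosts IMPORT and IAT and .rsrc hosts RESOURCE, which is the list of regions any ciphering pass has to skip. Real binaries also carry relocations, TLS callbacks and a load configuration directory, which extend the same map.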

As an example, the IAT contains, for every DLL-imported function needed by the program, the offset of the starting point of the function in the DLL binary. The trick is that if this offset happens to be wrong Windows will gracefully search the whole DLL for the right offset and the program will still work! So a nice and quick way of modifying the IAT is to fill every offset with random values.

As far as I've gone (~200 lines of Python) I usually modify around 80% of my PE files, which is sufficient to have gsecdump/cachedump/NameYourFavoritePentestToolHere bypass around 60% of AVs! If you still want to do better you may consider ciphering the whole file, dynamically deciphering it in RAM, and emulating everything that Windows does when launching a real PE from disk, but that's a lot more work!

ALAIN SCHNEIDER

Alain has been a professional pentester for years but has also published a few papers. Those papers focused both on basic tricks and on-the-edge techniques. His favourite subjects are password cracking and cryptography.

03/2011
