Penetration Testing mailing list archives
Re: Loading EXE files directly from memory?
From: "Esteban Lucena" <esteban.lucena () gmail com>
Date: Tue, 5 Dec 2006 15:24:49 -0300
mmm let me think about it first. You must decide in which OS the program you write will live. Second, you must consider the different executable file formats, ELF (Linux) or PE (Win), etc. Anyway, maybe it's not necessary to put the entire executable file in an array; you can put only the code that you need, and that is useful. Don't forget that the PE or the ELF headers have a lot of information and sections...

The steps:

1- put the asm code in an array, the opcodes (like shellcode)
2- modify the execution flow of the program to the array
3- return to the program

or with some crypto (previously, encrypt the code array in another place):

1- put the encrypted asm code in an array (in the source)
2- decrypt the array
3- execute the code
4- return to the program

or with some crypto and, for example, a webserver:

1- get the array with encrypted code from some server on the internet
2- decrypt the array
3- execute the code that is in the array
4- return to the program

Note: you can modify the execution flow of the program to the array by modifying the return address that is in the stack. I've made some code to do that in a friendly manner, but on the internet there is a lot of material. Anyway, if you need help, I could paste my code here.

I hope you can see this is a rich area... with a little effort you can make polymorphic code and stuff.

Advantages: if the array code is encrypted, on a remote server, it is difficult, maybe impossible, to analyze the program without access to the server; this gives you an advantage over the reverse engineers.

- If you analyze, disassembling the code with IDA (http://www.datarescue.com), obviously you will see a different code, a short one, and non-representative static code. You can also debug step by step until you arrive at your array code. In that case, you can make the analysis harder by filling the array with non-action opcodes, so the analysis will be a tedious thing... but never impossible.

Anything, write me.