EXE injection plus

For those interested in metasploit (or whatever) payload injection into EXE files, the metasploit patch (now posted at http://www.metasploit.com/redmine/projects/framework/repository/revisions/8896) is based on one case, albeit the one most likely to work, of my original program written in C against the Win32 API.

This original program can also embed the payload in the unused space at the end of a code section if it fits, which it tries first. This can infect even weird or UPX'd EXEs, as some installers are, without unpacking them first, and it is a less suspicious modification of the executable, so it is more likely to bypass AVs. It can also take advantage of an already-present import for CreateThread, which is smaller and less suspicious, and it writes the correct checksum to the file (also less suspicious). However, the payload is not copied to an RWX page first, so no self-modifying encoders are allowed. This was done to make it more likely to fit into the unused space, which usually only gives us 200-500 bytes.
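As an added defender-side example that is not part of the original post or its tool: the bytes between a code section's VirtualSize and its file-aligned SizeOfRawData are normally zero padding, so a scan for non-zero bytes in that slack is a cheap check for the kind of in-place embedding described above. The minimal PE image and the `planted` parameter below are constructed purely to exercise the scanner.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def scan_code_slack(pe: bytes):
    """Return (name, slack length, non-zero bytes in slack) for each executable
    section. The raw section size is rounded up to FileAlignment, so bytes past
    VirtualSize should be zero; non-zero bytes there are a lead worth comparing
    against a known-good copy (some toolchains do use other pad bytes)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # COFF file header follows the signature
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size             # section table follows the optional header
    findings = []
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        if not chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
            continue
        slack = pe[rawptr + vsize:rawptr + rawsize]   # empty when vsize >= rawsize
        findings.append((name, len(slack), sum(1 for b in slack if b)))
    return findings


def build_sample(planted: bytes = b"") -> bytes:
    """Constructed PE32 image (not a runnable program): one .text section with
    300 bytes of NOPs padded to a 512-byte raw size; `planted` overwrites the
    start of that padding to model the embedding described in the post."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = b"\0" * 224                                          # contents irrelevant here
    sect = b".text\0\0\0" + struct.pack("<IIII", 300, 0x1000, 512, 512)
    sect += struct.pack("<IIHHI", 0, 0, 0, 0, 0x60000020)      # CODE | EXECUTE | READ
    headers = dos + coff + opt + sect
    headers += b"\0" * (512 - len(headers))
    slack = (planted + b"\0" * 212)[:212]
    return headers + b"\x90" * 300 + slack


if __name__ == "__main__":
    print(scan_code_slack(build_sample()))
    print(scan_code_slack(build_sample(b"\xcc" * 16)))
```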

Download the source or the compiled binary.

A word of warning on usability: since this is a proof of concept, I just hardcoded it to look for raw shellcode in the file "payload.raw" and to infect the executable "input.exe", saving its output in "output.exe". Feel free to modify that to make it more friendly.
