flat assembler
Message board for the users of flat assembler.

Index > Windows > Adding code to section

Goto page 1, 2  Next
Author
Thread Post new topic Reply to topic
AssemblerX86



Joined: 05 Sep 2015
Posts: 14
AssemblerX86 14 Sep 2015, 13:39
.removed.


Last edited by AssemblerX86 on 24 Sep 2015, 13:41; edited 1 time in total
Post 14 Sep 2015, 13:39
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20363
Location: In your JS exploiting you and your system
revolution 14 Sep 2015, 13:49
In the general case it won't work for a number of reasons.

For starters: Jumps and calls are relative so you would need to adjust anything that jumps or calls backwards or forwards over the inserted bytes. Relocations (if included) would be applied incorrectly to the wrong places.

For trivial code in certain specific scenarios it might work fine, but unlikely.
Post 14 Sep 2015, 13:49
View user's profile Send private message Visit poster's website Reply with quote
AssemblerX86



Joined: 05 Sep 2015
Posts: 14
AssemblerX86 14 Sep 2015, 17:39
revolution wrote:
In the general case it won't work for a number of reasons.

For starters: Jumps and calls are relative so you would need to adjust anything that jumps or calls backwards or forwards over the inserted bytes. Relocations (if included) would be applied incorrectly to the wrong places.

For trivial code in certain specific scenarios it might work fine, but unlikely.


So the only way to inject new code (Into a PE without DLLs) is to put it in a code cave?
Post 14 Sep 2015, 17:39
View user's profile Send private message Reply with quote
l_inc



Joined: 23 Oct 2009
Posts: 881
l_inc 14 Sep 2015, 23:57
AssemblerX86
As I already explained here you can relatively safely shift sections, if the executable has relocations. Otherwise you can add a section at the end, provided the executable does not have an overlay.
Quote:
I can't add the instructions to a code-cave since the hack wont work this way.

Why not?

P.S. Please, don't quote my whole post.

_________________
Faith is a superposition of knowledge and fallacy
Post 14 Sep 2015, 23:57
View user's profile Send private message Reply with quote
AssemblerX86



Joined: 05 Sep 2015
Posts: 14
AssemblerX86 15 Sep 2015, 16:23
l_inc wrote:
AssemblerX86
As I already explained here you can relatively safely shift sections, if the executable has relocations. Otherwise you can add a section at the end, provided the executable does not have an overlay.


I have tried creating a new section and adding a JMP (0xE9) in .text to jump to the first byte of the new section, the PE crashes when I execute it.

Can you give me the data in PE header I need to change so I can go over them? Also, no need to add 0x66 if I am jumping to a faraway address? I mean I need the address to be 4-byte long.
Post 15 Sep 2015, 16:23
View user's profile Send private message Reply with quote
l_inc



Joined: 23 Oct 2009
Posts: 881
l_inc 15 Sep 2015, 18:19
AssemblerX86
Quote:
The PE crashes when I execute it

As I already told you, you did something wrong. My telepathy skills aren't good enough to guess without seeing the modified executable.
Quote:
Can you give me the data in PE header I need to change so I can go over them?

I enumerated the fields here. There's no need to fix more in general.
Quote:
Also, no need to add 0x66 if I am jumping to a faraway address?

As I already told you, $66 will crash the program, because it limits the destination address to 2 bytes. If you still put it, it's the reason for the program to crash.

_________________
Faith is a superposition of knowledge and fallacy
Post 15 Sep 2015, 18:19
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20363
Location: In your JS exploiting you and your system
revolution 15 Sep 2015, 23:36
You might want to alter the entry point.

Change the entry point to the beginning of your runtime patching code, and copy the previous entry point into your code to run the original startup code.
Post 15 Sep 2015, 23:36
View user's profile Send private message Visit poster's website Reply with quote
AssemblerX86



Joined: 05 Sep 2015
Posts: 14
AssemblerX86 16 Sep 2015, 15:55
revolution wrote:
You might want to alter the entry point.

Change the entry point to the beginning of your runtime patching code, and copy the previous entry point into your code to run the original startup code.


What startup code? You mean the 0xE9? If I leave the entry point unchanged how would it matter if the address of .text is not changed? I just put the first 5 bytes of .text to the 0xE9 instruction followed by the address of the new section which has the code .text had, is that right?
Post 16 Sep 2015, 15:55
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20363
Location: In your JS exploiting you and your system
revolution 17 Sep 2015, 01:41
The fist 5 bytes of the .text section might not be the entry point.
Post 17 Sep 2015, 01:41
View user's profile Send private message Visit poster's website Reply with quote
ACP



Joined: 23 Sep 2006
Posts: 204
ACP 17 Sep 2015, 07:15
AssemblerX86, did you read this quite old article? https://msdn.microsoft.com/en-us/library/ms809762.aspx It explains a lot about basic PE structure and functionality. That would be a good starting point together with PE+ file format; the document is available for download from MSDN site.
Post 17 Sep 2015, 07:15
View user's profile Send private message Reply with quote
AssemblerX86



Joined: 05 Sep 2015
Posts: 14
AssemblerX86 17 Sep 2015, 15:42
revolution wrote:
The fist 5 bytes of the .text section might not be the entry point.


Ohhh, OK now I get it, so the entry point is where I should add the code for JMP since its going to be executed there. And I get the entry point from the PE header. Will try that.

ACP wrote:
AssemblerX86, did you read this quite old article? https://msdn.microsoft.com/en-us/library/ms809762.aspx It explains a lot about basic PE structure and functionality. That would be a good starting point together with PE+ file format; the document is available for download from MSDN site.


I didn't read this article but I have read and learned a lot about PE files from different resources, I also have a reference for each data in the header. Thanks anyways Smile
Post 17 Sep 2015, 15:42
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20363
Location: In your JS exploiting you and your system
revolution 17 Sep 2015, 15:55
AssemblerX86 wrote:
Ohhh, OK now I get it, so the entry point is where I should add the code for JMP since its going to be executed there. And I get the entry point from the PE header. Will try that.
I think you should change the entry point, not the code at the entry point. The code there could be anything, you can't simply assume it will be what you expect.
Post 17 Sep 2015, 15:55
View user's profile Send private message Visit poster's website Reply with quote
AssemblerX86



Joined: 05 Sep 2015
Posts: 14
AssemblerX86 17 Sep 2015, 17:24
revolution wrote:
I think you should change the entry point, not the code at the entry point. The code there could be anything, you can't simply assume it will be what you expect.


Lets say I put the 0xE9 instruction in the PE entry point, how should I calculate the address to jump to? And should I jump to the entry point of the new section so it can be executable or the beginning of it?

Currently I am doing:
0xE9 <((Entrypoint - .text virtual address) + .newsection virtual address) - (EntryPoint + 5)>

I know mathematically EntryPoint will become 0, but that's just for explanation.
Post 17 Sep 2015, 17:24
View user's profile Send private message Reply with quote
l_inc



Joined: 23 Oct 2009
Posts: 881
l_inc 17 Sep 2015, 17:31
revolution
Quote:
The code there could be anything, you can't simply assume it will be what you expect.

It's not that much of a problem to copy the overwritten executable code back in memory and pass control to it. In some cases this makes sense, cause some antiviral software might have a critical look at images with an entry point pointing to the last section, which is additionally a second executable section.

_________________
Faith is a superposition of knowledge and fallacy
Post 17 Sep 2015, 17:31
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20363
Location: In your JS exploiting you and your system
revolution 18 Sep 2015, 00:46
l_inc wrote:
It's not that much of a problem to copy the overwritten executable code back in memory and pass control to it. In some cases this makes sense, cause some antiviral software might have a critical look at images with an entry point pointing to the last section, which is additionally a second executable section.
AVs also frown upon writing to an executable section.
Post 18 Sep 2015, 00:46
View user's profile Send private message Visit poster's website Reply with quote
AssemblerX86



Joined: 05 Sep 2015
Posts: 14
AssemblerX86 18 Sep 2015, 13:59
Guys I have done it and the code seems correct (Tried disassembling the code and seeing where JMP leads).

The problem is that, when I try a debugger, it says that it can't reach that address since its not loaded (radare2 JMPs to 0x00000000).
Post 18 Sep 2015, 13:59
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20363
Location: In your JS exploiting you and your system
revolution 18 Sep 2015, 14:02
Show your code. We don't know what you did.
Post 18 Sep 2015, 14:02
View user's profile Send private message Visit poster's website Reply with quote
AssemblerX86



Joined: 05 Sep 2015
Posts: 14
AssemblerX86 18 Sep 2015, 14:32
revolution wrote:
Show your code. We don't know what you did.


Nevermind. How can I convert a virtual address in a section to be an equivalent address in another section? If I get this right I guess everything should work.

Currently I am doing:

(address - .text virtual address) + newsection virtual address

Is that right?
Post 18 Sep 2015, 14:32
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20363
Location: In your JS exploiting you and your system
revolution 18 Sep 2015, 15:00
JMP is relative so the absolute address is not needed.

Something like: (target RVA - source RVA)
Post 18 Sep 2015, 15:00
View user's profile Send private message Visit poster's website Reply with quote
l_inc



Joined: 23 Oct 2009
Posts: 881
l_inc 18 Sep 2015, 15:31
revolution
Quote:
AVs also frown upon writing to an executable section.

Writing to an executable section is too common (in particular among packers) to be suspicious about it. Besides detecting this requires code emulation. While detecting an entry point in the last section is a simple static analysis check.

_________________
Faith is a superposition of knowledge and fallacy
Post 18 Sep 2015, 15:31
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page 1, 2  Next

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.