Back-dooring PE Files on Windows by Blackhat Pakistan 2023
Today we will learn about Back-dooring PE Files on Windows
Introduction to Back-dooring PE Files on Windows:
Portable Executable (PE) files are very commonly used today. Many people download these files from the internet or get them from friends and run them on their systems without realizing the dangers of running these kinds of files. It is very easy to add malicious code to these files and have it run on the victim’s computer without the victim’s knowledge.
Also Read:UEFI Boot vs. the MBR/VBR Boot Process-byBlackhat Pakistan 2023
Objective:
In this article, we would look at how to backdoor a Windows executable. We will use the popular putty executable and backdoor it with a reverse shell.
The goal is to ensure that the modified putty executable returns the reverse shell back to the attacker’s machine while continuing to function normally without any issues. We would not use any automated tools to backdoor this Putty executable. However, we will do it manually to understand how this whole process works.
Limitations:
In order to follow the steps in this article, it is important to have a basic understanding of the symbolic instruction language and a general understanding of the Debugger (in this case we will be using Immunity) and its usage.
Analysis:
1) We put our malicious reverse shellcode into the Putty executable. First, we need to add the malicious code to the putty executable. This code can be placed directly into the executable (provided there is enough space) using the debugger otherwise; we can use the PE Editor (like Lord PE) to add a new section to the putty executable that can be used to put our shellcode into the binary. I’ll use PE Editor to add a new section to the executable
2) We open the putty executable in Lord PE and add a new section header to it.
After adding a new section header, we select the New Section header (NewSec) and press the edit section header option. At this point we add 1000 bytes to the virtual size and the raw size of the executable. We’ll also click on the flags options and make sure this newly added section is labeled “Executable as Code”. We will save the changes made in the executable putty file.
2) Now if we try to launch the executable, we will get an error telling us that this executable is not a valid binary file.
Right, because we added a new section to the binary and left it empty. So now we’ll use a hex-editor to add another 1000 bytes to the binary. We open the executable file in a hex editor (like XVI32) and put a hex string of 1000 x90 instructions at the end of the file.
We save the file and verify that the putty executable is now working properly.
3) Now that we have added more space for our code. Time to add our malicious reverse shellcode to this space. Before we do this, we need to hijack the program entry point and then redirect the execution of the putty executable to the newly added space that contains the shellcode, and after the shellcode is executed, we redirect the flow back to the normal execution of the Program command.
The diagram below will give a clear picture of what we intend to do:
4) So let us start by hijacking the entry point of the program. At this point, we will load the putty executable in the immunity debugger and make a note of the entry points of the program.
The putty executable entry point instructions are:-
004550F0 > $6A 60 PUSH 60
004550F2. 68 08814700 Putty PUSH.00478108
004550F7. E8 08210000 CALL putty.00457204
004550FC. BF 94000000 MOV EDI,94
- 8BC7 MOV EAX,EDI
We hijack the entry point by overwriting the third instruction with a redirect to our malicious code.
5) Next, we need to find the address of our newly added section (which will contain the malicious code) in the putty executable.
To do this, simply click on the “M” tab at the top of the immunity debugger. This will open the program’s memory map where the name and address of the newly added section can be displayed.
In my case, the newly added section starts at this address: 00485BB0
6) Now we proceed to hijack the entry point of the program by overwriting the third instruction with JMP instructions to the address of the newly added section. (ie 00485BB0). We will refer to this newly added section as Code-Cave (as it will contain our malicious code)
After having made the changes, we will select the changes we have made and do a right click and select the option to Copy to Executable. Then save this file and rename it as Putty01.exe
To ensure that the “-1” argument is not passed, I had to simply convert the instructions “DEC ESI” & “INC ESI” to “NOP” and then select all the changes made and copy them to executables. Then save the file and rename it as Putty04.exe
Conclusion:
We can see that back-dooring PE Executable on Windows is not a very challenging task. Hence, it is highly advisable to avoid running executable from unknown sources without properly verifying what it is doing.
