Sunday, March 3, 2013

Backdooring PE Files - Part 1

Sometimes during an engagement, whether it be a social engineering gig or network penetration test, you may find that you need to create a backdoored EXE and then trick a user into running it. There are several ways to achieve this.  And this series of posts, is aimed at discussing a few of them.

This topic has of course been covered several times on the interwebs. However, I am currently preparing for  the Offsec OSCE challenge and thought what better way to solidify a concept than to share it with others.

In this two part series I will go over:
  1. Setting up the executable for code injection
  2. Code Injection and execution
The easiest method is to probably use the msfpayload option in the Metasploit framework. The process is quite simple. You start by first downloading the executable you wish to manipulate. And then pass it as a parameter to msfpayload.

The command is as shown in the diagram below:

When the user tries to execute this file our shellcode is triggered and its game over. However, you will note that in this scenario the "backdoored" executable file did not launch the application. Now this might raise a red flag for the keen user. And he may suspect that something fishy is going on.

So how how can we prevent this behaviour? That's easy. Well we could use the -k(run it in another thread) option with msfencode and be done. There are also a number of other publicly available tools or we could simply do it ourselves. By now you must have guessed that we will be choosing the latter option. Why? Because that's what we do :)  

Before we go any further take some time to configure your environment with the following tools:

I am also using BackTrack 5 R3 and WIN XP SP3.

The approach we will take is simple:
  1. Hijack code execution
  2. Redirect execution to our shellcode
  3. Execute shellcode
  4. Return to normal execution
That's it. So let's get started. 

First off, we need to modify the executable and add enough space for the shellcode we are going to inject. To do this, open the the executable using LordPE. Click the sections button and you should see something similiar to:

From this you can see the current structure of our PE file. As a side note for more information on the structure of PE files you can check here. We are going to add a new section and later use this to house our shellcode. We do this by right clicking on one of the current sections and choosing add section header. The new header is called .NewSec. We want to add at least 1000 bytes as this should be enough space for our shellcode. Right click on .NewSec and select edit section header. In the Edit SectionHeader window change the VirtualSize and RawSize to 1000 as shown:

It is important to note that our newly added section needs to be writeable. Click on Flags and ensure that the writeable option is checked. See below:

 At this point we have:
  1. Added a new section called .NewSec
  2. Allocated 1000 bytes
  3. Marked section as writeable
We are almost done. Save your changes. If you try to run the executable again you should receive an error similiar to :

It would appear as if we have borked our executable file. As it stands now, the file expects to have 1000 bytes at the end of it. Let's fix this error. Open the file using XVI32 and navigate all the way to the end.

Go to Edit -> Insert String and insert a 1000 bytes as shown:

Save your changes and close the application. If you try to execute the file again it should function as normal. At this stage our modified executable is ready for our backdoor.

That's all for now. In part 2, we will add our shellcode and achieve total pwnage.