Reverse Engineering an Antivirus-Evading Backdoor (a sequel to "Reverse Engineering a Concealed Backdoor")


Author: invincible and most lonely [-273 ℃ @ EST]
Source: Evil Octal (EST) China

I previously published an article, "Reverse Engineering a Concealed Backdoor", on X, describing how to embed backdoor code in an executable file. That method, however, can be detected by antivirus software, so this time we will create a backdoor that evades antivirus.

First, let's look at what we need:

OllyDbg 1.10b (Chinese version) - the main reversing tool
UltraEdit - the classic hex editor
PEditor v1.7 - PE file editing tool
dcmd - a simple backdoor listening on port 81; Rising antivirus detects and removes it

I. Principles

The method is actually quite similar to the one used in the previous article to create a concealed backdoor: first, find some "empty" space in the executable file and place our encryption/decryption code there; then replace the instruction at the entry point with a JMP that transfers execution to the code we added. That code encrypts or decrypts the backdoor's own code and, once it has run, jumps back to the first unmodified instruction after the entry point, as shown in Figure 1:

For details, refer to "Reverse Engineering a Concealed Backdoor".

II. Practice

Having briefly covered the principles, and since, as the saying goes, skill without practice is empty, let's get to work. First, open our backdoor program dcmd in OllyDbg (Figure 2).

First, back up a small piece of the code at the entry point, just in case (Figure 3).

Next, we need to check whether the code section is writable. How do we test that? Drag the OllyDbg scroll bar down and find the place shown in Figure 4 (the "dead space" mentioned in the previous article).

At address 004011f0, press the Space key to open the Assemble window and enter the following instruction:
mov dword ptr ds:[4011f0], 90909090
When this instruction runs, it writes four 0x90 bytes to address 004011f0. If the write succeeds, the section is writable; otherwise it is not. What to do if it is not writable? We will come back to that later. OK, right-click the instruction we entered and choose "New origin here" (Figure 5).

Press F7 to single-step this instruction. The result is shown in Figure 6.

It is writable, so we can continue. Next we determine the part of the code to encrypt. Return to the program entry point. Since the instruction at the entry will be replaced with a jump, the encrypted/decrypted region has to start after it: find 0040101f $ 55 push ebp and start encryption there. Then determine the end of the region by reading the code down to its end (Figure 7).

The following line appears:
Structure 'IMAGE_IMPORT_DESCRIPTOR'
This structure is the IAT (Import Address Table), the import table of the PE file format. Our encryption/decryption must not cover the IAT (readers can consult PE format references for details), so we choose 004010fe as the end of the region. We have now determined what needs to be encrypted/decrypted. Next we need to settle on the encryption algorithm. Here we use XOR, a very simple algorithm, because it has the following convenient property:

xor source, key = dest
xor dest, key = source

That is, XORing source with the key twice gives back source. With the algorithm decided, let's write the encryption/decryption routine at 004011f0 in the OllyDbg window, as follows:

004011f0  B8 1F104000   mov eax, 0040101f         ; start address of the encrypted/decrypted region
004011f5  8030 0F       xor byte ptr ds:[eax], 0f ; XOR with the key 0f (the reader may choose any key)
004011f8  40            inc eax                   ; advance to the next byte
004011f9  3D FE104000   cmp eax, 004010fe         ; reached the end address of the region?
004011fe  7E F5         jle short 004011f5        ; if not, loop

The routine is that simple; it looks very easy... but we are not done yet. Back in OllyDbg, press the Space key at the program's entry address to assemble, and enter: jmp 004011f0 (Figure 8).

Now compare against the code we backed up earlier to see which instructions were overwritten.

Only the instruction sub esp, 190 was overwritten, so we append that instruction at the end of our encryption/decryption code, followed by a jump back to the address after the entry instruction. The complete code is shown in Figure 10.

Now let's save. Right-click any code line and choose Copy to executable > All modifications. The result is shown in Figure 11.

An error! It means the file is not large enough to hold our modified code, so we have to enlarge the file by hand. Close OllyDbg and open the file in UltraEdit. Right-click and choose Hex Insert/Delete; the dialog shown in Figure 12 appears.

Enter 256 in the number-of-bytes box, click OK, then save and exit. Now open the file in PEditor and click the Sections button. The section table window that pops up contains a single section, .h4x. Right-click this section and choose Edit Section (Figure 14).

In the dialog that appears, change Raw Size in the New Values column to 2e4 (that is, add 0x100, the hexadecimal equivalent of the 256 bytes we inserted, to the original raw size) (Figure 15). Click Apply Changes and exit.

We have now increased the program's length by 256 bytes. Next, repeat the earlier steps to modify the file. After the modifications, try the dump again; this time there is no error. OK! In the last step we need to encrypt the code and then dump the file to an executable, so that the next time it runs it decrypts itself back to the original code and executes normally. To do this, in OllyDbg find the first instruction of the code we added, set a new origin there, and then set a breakpoint on the sub esp, 190 instruction.

Then click OllyDbg's Run button; Figure 17 shows the state after the run completes.

See that? All of the code we covered has been XORed. OK! Right-click any line, choose Copy to executable and save the file. Next, scan the original dcmd.exe and the modified dcmd.exe with Rising; the result is shown in Figure 18.

Haha, did it evade the antivirus? Run the modified dcmd.exe to see whether it still works (Figure 19).

That completes the whole process. Readers should now be able to create their own antivirus-evading backdoors. What if the code section is not writable? Here are two methods for reference:

1. Use the VirtualProtect API. With this method, call VirtualProtect before the encryption/decryption code runs to change the memory protection so the section becomes writable; the rest is the same as described above. For the exact usage of this function refer to MSDN; it is very simple, so I won't say more about it.

2. Use a PE editing tool. This example is a little different and again uses PEditor; let me briefly describe it using the modified dcmd.exe. Open PEditor, then open our modified dcmd.exe, click the Sections button to open the Section Table dialog, right-click the section you want to modify, select Edit Section to bring up a new dialog, and click the "Char. Wizard" button to open the Characteristics dialog (Figure 20).

See the attributes in the red box? "Writable" indicates whether the section can be written, and here it is already set. What if we clear it? Try it: uncheck "Writable", click "Take it", choose "Apply Changes", exit PEditor, and run the program (Figure 21).

Ah, a write-protection error is thrown. Now readers can see what needs to be modified, right?
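Added example (not from the article): a Python triage script a defender can run over a PE header to surface the two traces this kind of modification leaves in the section table, namely a code section that is flagged writable as well as executable, and a SizeOfRawData that is no longer a multiple of FileAlignment after being hand-set to a value like 2e4. The PE header bytes and the .text/.h4x section values are constructed inline; header offsets follow the PE/COFF specification.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def section_findings(image: bytes) -> list:
    """Parse a PE32 header and return human-readable findings (empty list = nothing odd)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4                                        # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20                                            # IMAGE_OPTIONAL_HEADER32
    file_align = struct.unpack_from("<I", image, opt + 36)[0]  # FileAlignment
    findings = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i                          # IMAGE_SECTION_HEADER
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        rawsize = struct.unpack_from("<I", image, hdr + 16)[0]
        chars = struct.unpack_from("<I", image, hdr + 36)[0]
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{name}: section is writable and executable")
        if file_align and rawsize % file_align:
            findings.append(f"{name}: SizeOfRawData {rawsize:#x} not aligned to {file_align:#x}")
    return findings

def build_image(sections, entry, file_align=0x200) -> bytes:
    """Constructed minimal PE32 header: DOS header, signature, COFF + optional header, section table."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, entry)                     # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 36, file_align)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, 0, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

# Constructed samples: an untouched code section, and one edited the way the article describes
# (section made writable, raw size hand-set to 0x2e4 with a 0x200 file alignment).
CLEAN = build_image([(b".text", 0x1000, 0x1000, 0x200, 0x60000020)], entry=0x101F)
SUSPECT = build_image([(b".h4x", 0x1000, 0x1000, 0x2E4, 0xE0000020)], entry=0x101F)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, section_findings(img) or ["no findings"])
```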

III. Conclusion

Time to say goodbye again. The green mountains do not change and the clear waters keep flowing; we will meet again! Everyone is welcome to join us!
