The Portable Executable Format
Defcamp 0x7DB
- Ionut “Nytro” Popescu
- The Portable Executable Format
http://www.rstcenter.com/forum/
The Portable Executable Format
[Slides 3 to 14: image-only slides, no text transcribed]
DLL Injection
- Registry
- SetWindowsHookEx
- CreateRemoteThread
Registry
SetWindowsHookEx

```c
HHOOK SetWindowsHookEx(int idHook, HOOKPROC lpfn, HINSTANCE hMod, DWORD dwThreadId);
```

- WH_CALLWNDPROC: Installs a hook procedure that monitors messages before the system sends them to the destination window procedure. For more information, see the CallWndProc hook procedure.
- WH_CBT: Installs a hook procedure that receives notifications useful to a computer-based training (CBT) application. For more information, see the CBTProc hook procedure.
- WH_KEYBOARD: Installs a hook procedure that monitors keystroke messages. For more information, see the KeyboardProc hook procedure.
CreateRemoteThread
```c
HANDLE WINAPI CreateRemoteThread(
    __in  HANDLE                 hProcess,
    __in  LPSECURITY_ATTRIBUTES  lpThreadAttributes,
    __in  SIZE_T                 dwStackSize,
    __in  LPTHREAD_START_ROUTINE lpStartAddress,
    __in  LPVOID                 lpParameter,
    __in  DWORD                  dwCreationFlags,
    __out LPDWORD                lpThreadId
);
```
API Hooking
- Proxy DLL
- SSDT (System Service Dispatch Table)
- Inline Hooking
- IAT Patching
API example
Load PE File

```vb
' Validate the DOS and NT headers of the image held in abExeFile()
CopyMemory idh, abExeFile(0), Len(idh)
If idh.e_magic <> IMAGE_DOS_SIGNATURE Then
    MsgBox "MZ signature not found!", vbCritical, "File load error"
    Exit Sub
End If
CopyMemory inh, abExeFile(idh.e_lfanew), Len(inh)
If inh.Signature <> IMAGE_NT_SIGNATURE Then
    MsgBox "PE signature not found!", vbCritical, "File load error"
    Exit Sub
End If

' Start the host process suspended; EBX of its initial thread points at the PEB,
' and PEB+8 holds ImageBaseAddress
si.cb = Len(si)
If CreateProcess(vbNullString, fisier, 0, 0, False, CREATE_SUSPENDED, 0, 0, si, pi) = 0 Then Exit Sub
context.ContextFlags = CONTEXT86_INTEGER
If GetThreadContext(pi.hThread, context) = 0 Then GoTo ClearProcess
Call ReadProcessMemory(pi.hProcess, ByVal context.Ebx + 8, addr, 4, 0)
If addr = 0 Then GoTo ClearProcess
' Unmap the original image and allocate room for the new one at its preferred ImageBase
If ZwUnmapViewOfSection(pi.hProcess, addr) Then GoTo ClearProcess
ImageBase = VirtualAllocEx(pi.hProcess, ByVal inh.OptionalHeader.ImageBase, inh.OptionalHeader.SizeOfImage, MEM_RESERVE Or MEM_COMMIT, PAGE_READWRITE)
If ImageBase = 0 Then GoTo ClearProcess

' Copy the headers, then each section to ImageBase + VirtualAddress with the
' page protection derived from its Characteristics
Call WriteProcessMemory(pi.hProcess, ByVal ImageBase, abExeFile(0), inh.OptionalHeader.SizeOfHeaders, ret)
lOffset = idh.e_lfanew + Len(inh)
For i = 0 To inh.FileHeader.NumberOfSections - 1
    CopyMemory ish, abExeFile(lOffset + i * Len(ish)), Len(ish)
    Call WriteProcessMemory(pi.hProcess, ByVal ImageBase + ish.VirtualAddress, abExeFile(ish.PointerToRawData), ish.SizeOfRawData, ret)
    Call VirtualProtectEx(pi.hProcess, ByVal ImageBase + ish.VirtualAddress, ish.VirtualSize, Protect(ish.Characteristics), addr)
Next i

' Update PEB.ImageBaseAddress, set EAX to the new entry point and resume the thread
Call WriteProcessMemory(pi.hProcess, ByVal context.Ebx + 8, ImageBase, 4, ret)
context.Eax = ImageBase + inh.OptionalHeader.AddressOfEntryPoint
Call SetThreadContext(pi.hThread, context)
Call ResumeThread(pi.hThread)
Exit Sub
' The ClearProcess cleanup label and the Protect() helper are not shown on this slide
```
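As an added example (not from the slides), a Python parser for the headers the slide code reads: it checks the MZ and PE signatures, pulls the OptionalHeader fields and section table, maps section Characteristics to a PAGE_* protection (the job of the slide's Protect() helper), and adds the bounds checks the VB loop omits, so a truncated or malformed image is rejected before any section is copied. Constant values follow winnt.h; the sample image is constructed inline and is not a real binary.

```python
import struct

IMAGE_DOS_SIGNATURE, IMAGE_NT_SIGNATURE = 0x5A4D, 0x00004550       # "MZ", "PE\0\0"
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE = 0x01, 0x02, 0x04  # values as in winnt.h
PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x10, 0x20, 0x40
SECTION_HDR = "<8sIIIIIIHHI"                                      # IMAGE_SECTION_HEADER, 40 bytes

def protect(characteristics):
    """Map a section's IMAGE_SCN_MEM_* bits to the PAGE_* value VirtualProtectEx expects."""
    x, r, w = (characteristics & f for f in (IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE))
    if x:
        return PAGE_EXECUTE_READWRITE if w else PAGE_EXECUTE_READ if r else PAGE_EXECUTE
    return PAGE_READWRITE if w else PAGE_READONLY if r else PAGE_NOACCESS

def parse_pe(data):
    """Parse DOS/NT headers and section table of a PE32 file; raises ValueError on any malformed field."""
    if len(data) < 64 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("MZ signature not found")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("PE signature not found")
    nsec, _, _, _, opt_size = struct.unpack_from("<HIIIH", data, e_lfanew + 6)  # NumberOfSections, SizeOfOptionalHeader
    opt = e_lfanew + 24                                            # IMAGE_OPTIONAL_HEADER32 starts here
    if opt + opt_size > len(data) or opt_size < 64 or struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry, base, size_img, size_hdr = [struct.unpack_from("<I", data, opt + o)[0] for o in (16, 28, 56, 60)]
    sections, pos = [], opt + opt_size
    for _ in range(nsec):
        if pos + 40 > len(data):
            raise ValueError("section table truncated")
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(SECTION_HDR, data, pos)
        if rptr + rsize > len(data) or va + max(vsize, rsize) > size_img:  # the slide's loop never checks this
            raise ValueError("section %r does not fit in the file or the image" % name)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_ptr": rptr, "raw_size": rsize, "protect": protect(chars)})
        pos += 40
    return {"entry_point": entry, "image_base": base, "size_of_image": size_img,
            "size_of_headers": size_hdr, "sections": sections}

def build_sample_pe():
    """Constructed minimal PE32 image with one .text section of 0xC3 (ret) bytes; not a real binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)               # IMAGE_DOS_HEADER, e_lfanew = 64
    opt = bytearray(struct.pack("<H", 0x10B)).ljust(224, b"\0")    # IMAGE_OPTIONAL_HEADER32, Magic = PE32
    for off, val in ((16, 0x1000), (28, 0x400000), (56, 0x2000), (60, 0x200)):
        struct.pack_into("<I", opt, off, val)                      # EntryPoint, ImageBase, SizeOfImage, SizeOfHeaders
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)  # i386, one section
    text = struct.pack(SECTION_HDR, b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0,
                       0x20 | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)      # CNT_CODE | X | R
    return (dos + b"PE\0\0" + file_hdr + bytes(opt) + text).ljust(0x200, b"\0") + b"\xC3" * 0x200
```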