This post will be short and comes quite late. I would like to introduce you to my latest creation: PympMyBinary (GitHub URL). PympMyBinary is a binary infector whose purpose is to inject shellcode into legitimate binaries. The binary's entrypoint is overwritten so that the shellcode executes first; execution is then handed back to the legitimate code. Xzibit be like:
So far, the infector works with x86/x64 PE files for Windows, and my roadmap is to add ELF and .NET binaries. If you are familiar with the PE format, you know that injecting anything into a compiled binary is far from trivial. Lots of adjustments must be made (e.g. raw/virtual sizes, RVAs, section alignment) in order to avoid crashes. There are multiple ways to skin a cat, but for binaries the same recipe won't work for everything. As such, I have implemented multiple infection techniques:
- Injection at virtual section slack: assuming a shellcode of size x, the last x bytes of the virtual space of the section containing the entrypoint are overwritten with the shellcode. This mode may overwrite legitimate code from the application, so a warning is provided.
- Entrypoint section append: the shellcode is appended at the end of the entrypoint section. If the virtual size of the entrypoint section plus the shellcode crosses the RVA of the following section, the tampering fails. Messing with section RVAs is unwise since the application's code relies on relative addresses.
- New section: a minimal section containing the shellcode is created. If the new section header, together with the rest of the headers, crosses the RVA of the first section, the tampering fails. Messing with section RVAs is unwise since the application's code relies on relative addresses.
Another way to infect would be using TLS (Thread Local Storage), but this feature is not yet implemented. I have tested my application with software such as Mozilla Firefox, Google Chrome, Skype, Immunity Debugger, Wireshark, etc., and managed to get at least one of the methods to work on all of them. Bear in mind that for applications like Skype, where packing is used, you must unpack the application first: PympMyBinary does not account for packing.
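As the defender's counterpart to the three modes above, here is an added example (not part of PympMyBinary or this post) that parses PE section headers and flags the entrypoint anomalies those modes leave behind: an entrypoint in a trailing new section, one pointing past the section's file-backed bytes, or one in a writable section. The PE image it inspects is constructed in memory from headers only; `build_pe` and the section names are my own test scaffolding.

```python
import struct

IMAGE_SCN_MEM_WRITE = 0x80000000  # section Characteristics bit from the PE spec
# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, 12 skipped bytes, Characteristics
SECTION_HDR = "<8sIIII12xI"

def build_pe(entry_rva, sections):
    """Constructed, header-only PE32 image for testing (no real code; not a runnable program)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt = bytearray(224)                                  # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    hdrs = b"".join(struct.pack(SECTION_HDR, n, vs, va, rs, 0x400, ch)
                    for n, va, vs, rs, ch in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs

def parse_sections(data):
    """Return (entry_rva, [(name, va, vsize, raw_size, characteristics), ...]) from PE bytes."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        name, vs, va, rs, _ptr, ch = struct.unpack_from(SECTION_HDR, data, opt + opt_size + i * 40)
        sections.append((name.rstrip(b"\0").decode("latin-1"), va, vs, rs, ch))
    return entry_rva, sections

def entrypoint_findings(data):
    """Triage heuristics for the entrypoint hijack left by the injection modes above."""
    entry_rva, sections = parse_sections(data)
    hits = [i for i, s in enumerate(sections) if s[1] <= entry_rva < s[1] + max(s[2], s[3])]
    if not hits:
        return ["entrypoint outside every section"]
    name, va, _vsize, raw, chars = sections[hits[0]]
    findings = []
    if len(sections) > 1 and hits[0] == len(sections) - 1:  # new/appended section mode
        findings.append(f"entrypoint in last section {name!r}")
    if entry_rva - va >= raw:                              # points past file-backed bytes
        findings.append(f"entrypoint past file-backed data of {name!r}")
    if chars & IMAGE_SCN_MEM_WRITE:                        # code sections are normally read-only
        findings.append(f"entrypoint section {name!r} is writable")
    return findings
```

Packed executables such as the Skype build mentioned above trip the same checks, so treat hits as triage signals to confirm in a debugger, not as verdicts.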
PympMyBinary can be used for Red Team purposes (e.g. tricking a user into executing a seemingly legitimate binary). For applications that use software like NSIS to create Windows installers, you need to pass a flag to disable integrity verification. This should not represent an issue if an attacker leverages a well-crafted email and a PowerShell script to download and launch the malware. You can also inject shellcode that launches the binary again with the flag I referred to. Please don't use this to infect your parents' computer with a legitimate Skype. That is lame and you should be ashamed of even considering it.
Stay safe 😉