Developing PE file packer step-by-step. Step 3. Unpacking

Previous step is here.

Let’s continue! It’s time to write an unpacker, and that is what we are going to do in this step. We will not process the import table for now, because we have other things to do in this lesson.

Let’s begin with the following. To operate, the unpacker definitely needs two WinAPI functions: LoadLibraryA and GetProcAddress. In my old packer (which I wrote some time ago) I developed the unpacker stub in MASM32 without creating an import table at all. I looked for these function addresses in the kernel, which is rather complicated and hardcore; besides that, it may cause serious antivirus suspicions. This time, let’s create an import table and let the loader tell us these function addresses. Of course, an import table consisting of only these two functions is as suspicious as their total absence, but nothing prevents us from adding more random imports from different .dll files in the future. Where will the loader store these two function addresses? It’s time to expand our packed_file_info structure!

Continue reading “Developing PE file packer step-by-step. Step 3. Unpacking”

Developing PE file packer step-by-step. Step 2. Packing

Previous step is here.

Straight off I want to say that as I write this series of articles I fix some things and update my PE library (note that this step applies to the 0.1.x versions, too).

And we continue to develop our own packer. At this step it is time to turn directly to packing the PE file. I shared a simple packer a long time ago, which was ineffective for two reasons: firstly, it used standard Windows functions for data compression and decompression, which are rather slow and have a low compression ratio; secondly, all PE file sections were packed individually, which is not optimal. This time I will do it differently. We are going to read the data of all sections at once, assemble it into one block and pack that. So the resulting file will have only one section (actually two, I will explain this later), into which we can place all the resources, the packer code and the helper tables. This gives some benefits: we don’t need to waste space on file alignment, and besides, the LZO algorithm is much more effective than RtlCompressBuffer in all respects.

Continue reading “Developing PE file packer step-by-step. Step 2. Packing”

Developing PE file packer step-by-step. Step 1

Since I completed the development of my portable executable C++ library, it would be totally wrong not to use it in a more or less serious project. Thus I am going to develop a packer with step-by-step explanations of what I am doing, and the C++ library will make our life easier. So, where do we start the development? Maybe with choosing a free, simple compression algorithm. After a short search I found one: LZO. It supports lots of compression modes, and LZO1Z999 has the best compression ratio of all of them. Of course, it is not like ZIP, but its performance is close: a 550 Kb file was compressed to 174 Kb with zip at the maximum compression level, while LZO compressed the same file to 185 Kb. However, LZO has a much faster unpacker. It is also base-independent, which means it can be placed at any virtual address and will work without any address corrections. This algorithm will suit us.

Continue reading “Developing PE file packer step-by-step. Step 1”

Scripts for task automation in Windows. Cool WSH features

WSH

Probably many people know that Windows 98 and later include the Windows Script Host (WSH) by default, which allows running VBScript and JScript code, but few have used it even once. In this article I am going to show you useful WSH snippets and script examples and convince you that this feature is really worthwhile. I will also tell you about some very useful and cool WSH features which are almost unknown, and about which it is therefore not easy to find information on the Internet.

Continue reading “Scripts for task automation in Windows. Cool WSH features”

PHP script deobfuscation for dummies

Uninitiated people often ask questions like “How do I decode an obfuscated PHP script?”, “Is PHP script obfuscation safe enough?” and even “Would you help me deobfuscate it, please?”. The main purpose of this article is to show that in 90% of cases obfuscators provide absolutely no protection (they can only protect from people who have encountered a programming language for the first time in their lives). Such obfuscation can be removed in 10 to 20 minutes, and as a result you get the PHP script in its original form. The remaining 10% of cases show slightly stronger protection, which can nevertheless be removed in similar ways. If you wish to learn how to remove obfuscation from scripts on your own, then this article is what you need!

Continue reading “PHP script deobfuscation for dummies”

Exe2Pdf

Earlier this year several people found a “vulnerability” in the PDF format which allows arbitrary code execution when a file is opened. Two variants of the vulnerability were published: one using JavaScript and one without it.
After a quick study of the format and the specifics of this problem, a program for injecting executables into PDF files was developed. Of course, a warning is shown when the PDF file is opened; however, it is possible to display arbitrary text in the warning window (this applies to Acrobat Reader 9.*).

Program features:
[+] Custom warning text
[+] Custom temporary vbs name (used for exe file creation)
[+] Custom temporary exe name
[+] Exe deletion after specified delay

The program interface is extremely simple and looks like this:

Download: Exe2Pdf (password: coder.pub)

PHP Obfuscator by dx

Here is a nice PHP-code obfuscator.

It can:
[+] obfuscate variable names
[+] obfuscate function names
[+] encode static strings
[+] obfuscate built-in PHP function names
[+] obfuscate integers
[+] compress the script
[+] archive the script
[+] add some junk comments
[+++] and do lots of other interesting things

The obfuscator does not support eval() and $$var_name constructs.

Screenshot:

Download

SSH Tool

This is a simple SSH brute-force script; it can also be used for batch command execution on multiple computers.
Basically, the script loops through the list of IPs specified in iplist.txt, then tries to log in with every combination of credentials (from users.txt and passw.txt). If authentication succeeds, the script executes the shell command specified in the $cmd variable, grabs the output and stores it in the res.txt file.

Also, the Net::SSH::Perl module must be installed. If you have trouble installing this module, try installing one of the following modules first:
Math::BigInt::GMP
Math::BigInt::Pari
Math::BigInt::BitVector

Script: download.

Site File Checker

Here is a script that lets you check the integrity of your site’s files.

The Site File Checker script will help you make sure that none of the files on your site have been changed without your notice, and that they do not contain any virus, exploit or backdoor inserts. The script computes checksums of all of your files located in the script’s root directory and in nested directories. It also saves the last-modification timestamps of the files.

When checking, the script shows directory changes (new and deleted directories) and file changes (deleted, created and modified files).

It is recommended to remove the script from your server each time after you create the checksums, so that an attacker cannot tamper with it.

Before the first use, open the script in Notepad and edit your administrator login and password.

The script can be downloaded here.
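As an added illustration of the technique the Site File Checker post describes (baseline checksums plus modification timestamps, then a report of new, deleted and modified directories and files), here is a small Python integrity checker. It is example code written for this page, not the Site File Checker script itself; the function names (scan_tree, compare, demo), the SHA-256 choice, the JSON baseline format and the sample site tree it builds in a temporary directory are all constructed assumptions. It also flags files whose content changed while the timestamp did not, since an attacker can restore a timestamp after editing a file, which is why the digest, not the mtime, decides whether a file is modified.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root) -> dict:
    """Snapshot every directory and file below root (relative POSIX paths)."""
    root = Path(root)
    snapshot = {"dirs": [], "files": {}}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        filenames.sort()
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        if rel_dir != ".":
            snapshot["dirs"].append(rel_dir)
        for name in filenames:
            p = Path(dirpath) / name
            snapshot["files"][p.relative_to(root).as_posix()] = {
                "sha256": sha256_of(p),
                "mtime": p.stat().st_mtime_ns,
            }
    return snapshot


def save_baseline(snapshot: dict, path) -> None:
    # In real use keep this file off the web server (see the post's advice).
    Path(path).write_text(json.dumps(snapshot, indent=1, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots. The digest decides whether a file changed; the
    timestamp is only a hint, because it can be restored after editing."""
    old_dirs, new_dirs = set(baseline["dirs"]), set(current["dirs"])
    old, new = baseline["files"], current["files"]
    modified, timestomped = [], []
    for rel in old.keys() & new.keys():
        if old[rel]["sha256"] != new[rel]["sha256"]:
            modified.append(rel)
            if old[rel]["mtime"] == new[rel]["mtime"]:
                timestomped.append(rel)  # content changed, mtime did not
    return {
        "new_dirs": sorted(new_dirs - old_dirs),
        "deleted_dirs": sorted(old_dirs - new_dirs),
        "new_files": sorted(new.keys() - old.keys()),
        "deleted_files": sorted(old.keys() - new.keys()),
        "modified_files": sorted(modified),
        "modified_with_unchanged_mtime": sorted(timestomped),
    }


def demo() -> dict:
    """Build a constructed sample site, take a baseline, alter it, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "site"
        baseline_path = Path(tmp) / "baseline.json"  # outside the scanned tree
        (root / "inc").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'home'; ?>")
        (root / "about.php").write_text("<?php echo 'about'; ?>")
        (root / "inc" / "config.php").write_text("<?php $debug = false; ?>")
        save_baseline(scan_tree(root), baseline_path)
        baseline = load_baseline(baseline_path)

        # Constructed changes: one edit with the timestamp restored afterwards,
        # one ordinary edit, one dropped file in a new directory, one removal.
        index = root / "index.php"
        index.write_text("<?php echo 'changed'; ?>")
        t = baseline["files"]["index.php"]["mtime"]
        os.utime(index, ns=(t, t))
        about = root / "about.php"
        about.write_text("<?php echo 'about v2'; ?>")
        t2 = baseline["files"]["about.php"]["mtime"] + 10**9
        os.utime(about, ns=(t2, t2))
        (root / "uploads").mkdir()
        (root / "uploads" / "dropped.php").write_text("<?php ?>")
        (root / "inc" / "config.php").unlink()
        (root / "inc").rmdir()

        return compare(baseline, scan_tree(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The report lists directory and file changes separately, as the post describes, and adds a "modified_with_unchanged_mtime" list for the case where only the digest reveals the edit; in practice the baseline JSON should be stored somewhere the web server cannot write to.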