Network Security Pen-Test

Re: Loading EXE files directly from memory?

Subject: Re: Loading EXE files directly from memory?
Date: Tue, 5 Dec 2006 15:24:49 -0300
mmm let me think about it

first, you must decide in which OS the program you write will live..
second, you must consider the different executable file formats, ELF
(linux) or PE (win), etc. anyway, maybe it's not necessary to put the
entire executable file in an array, you can put only the code that you
need, and that is useful. don't forget that the PE or the ELF
headers have a lot of information and sections...
the steps:
1- put the asm code in an array, the opcodes (like shellcode)
2- modify the execution flow of the program to the array.
3- return to the program

or with some crypto
(previously, encrypt the code-array, in another place)

1- put the encrypted asm code in an array (in the source)
2- decrypt the array
3- execute the code
4- return to program

or with some crypto and for example a webserver

1- get the array with encrypted code from some server on the internet
2- decrypt the array
3- execute the code that is in the array
4- return to program

note: you can modify the execution flow of the program to the array by
modifying the return address that is in the stack, I've made some code
to do that in a friendly manner, but on the internet there is a lot of
material. anyway, if you need help, I could paste my code here.
I hope you can see this is a rich area.. with a little effort you can
make polymorphic code and stuff.

Advantages: if the array code is encrypted, on a remote server, it is
difficult, maybe impossible, to analyze the program without access to
the server; this gives you an advantage over the reverse engineers.
-If you analyze, disassembling the code with IDA (
http://www.datarescue.com), obviously, you will see a different code, a
short one, and non-representative static code. you can also debug step
by step until you arrive at your array-code. in that case, you can
make the analysis harder by filling the array with non-action opcodes,
so the analysis will be a tedious thing.. but never impossible.

If you need anything, write me.
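As an added defensive example, not code from the original post or its author: the message argues that an encrypted code array, embedded in the binary or fetched from a server, leaves a disassembler with little static code to look at; the flip side is that ciphertext is statistically conspicuous. The Python script below scans a byte blob in fixed windows for Shannon entropy and reports contiguous high-entropy ranges, which is how analysts and scanners triage binaries for packed or encrypted payloads. The window size, the threshold and the seeded sample data are constructed assumptions.

```python
import math
import random
import sys

WINDOW = 1024    # bytes per window (assumed default; tune to the binary)
THRESHOLD = 7.0  # bits/byte; ordinary x86 code lands near 6, ciphertext near 8

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def high_entropy_regions(blob: bytes, window=WINDOW, threshold=THRESHOLD):
    """Merged (start, end) offsets of consecutive windows at/above threshold.
    A tail shorter than half a window is skipped: too few bytes to judge."""
    regions, start, end = [], None, 0
    for off in range(0, len(blob), window):
        chunk = blob[off:off + window]
        if len(chunk) < window // 2:
            break
        if shannon_entropy(chunk) >= threshold:
            if start is None:
                start = off
            end = off + len(chunk)
        elif start is not None:
            regions.append((start, end))
            start = None
    if start is not None:
        regions.append((start, end))
    return regions

# Constructed sample, not a real binary: 2 KiB of repetitive code-like bytes,
# 4 KiB of seeded pseudo-random bytes standing in for an encrypted code array,
# then 2 KiB of ASCII text.  Only the middle block should be flagged.
_rng = random.Random(2006)
SAMPLE = ((b"\x55\x89\xe5\x83\xec\x10\x31\xc0\xc9\xc3" * 205)[:2048]
          + bytes(_rng.getrandbits(8) for _ in range(4096))
          + (b"plain list-archive text with low entropy. " * 50)[:2048])

if __name__ == "__main__":
    # Scan a file given on the command line, or the built-in sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for s, e in high_entropy_regions(data):
        print(f"high-entropy region 0x{s:x}-0x{e:x} ({e - s} bytes)")
```

Flagged ranges are a triage hint, not proof: compressed resources and embedded images also score high, so the next step is to look at what references the range and whether code runs from it.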
