Undetectable backdooring PE file

Edited  04-Sep-2022 03:06:34

Methods used:

- Adding a new section header to add shellcode

- User-interaction-based shellcode trigger + code caves.

- Dual code caves with a custom encoder + triggering the shellcode upon user interaction.

Criteria for PE file selection for implanting backdoor

Unless you are forced to use a specific binary for backdooring, keep the following points in mind. They are not mandatory, but they are preferred because they help reduce the AV detection rate and make the end product more practical.

- The executable should be small (< 10 MB). A smaller file is easier to transfer to the victim during a penetration testing engagement: you could email it in a ZIP archive or use other social engineering techniques. It is also more convenient to debug in case of issues.

- Backdoor a well-known product, for example uTorrent, network utilities like PuTTY, Sysinternals tools, WinRAR, 7-Zip, etc. Using a known PE file is not required, but an AV is more likely to flag a backdoored unknown PE than a backdoored known one, and the victim is more inclined to execute a known program.

- PE files that are not protected by security features such as ASLR or DEP. Backdooring protected files is more complicated and makes no difference in the end product compared to normal PE files.

- It is preferable to use native C/C++ binaries.

- It is preferable to pick a PE file whose legitimate functionality includes communicating over the network. This fools some antivirus products upon execution, when the backdoor shellcode makes a reverse connection to our box: some of them will not flag it and will consider it part of the program's functionality. Network monitoring solutions and people are also more likely to treat the malicious communication as legitimate.

The program we will be backdooring is the 7-Zip file archiver (GUI version). First, let's check whether the file has ASLR enabled.
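The ASLR/DEP check above can be done directly from the PE headers. As an added, defender-oriented example (not code from the original post), the following Python parses the Optional Header's `DllCharacteristics` with `struct` alone (no `pefile` dependency), reports whether `DYNAMIC_BASE` (ASLR), `NX_COMPAT` (DEP) and `HIGH_ENTROPY_VA` are set, and lists sections marked both writable and executable, which is a useful audit signal for a binary with an appended section; `build_sample_pe` is an assumed helper that constructs a minimal header purely for testing.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flags from the PE/COFF Optional Header
DYNAMIC_BASE = 0x0040      # image is ASLR-compatible
NX_COMPAT = 0x0100         # image is DEP-compatible
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR
MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000   # IMAGE_SCN_* section flags

def audit_pe(data: bytes) -> dict:
    """Parse PE headers and report mitigation flags plus RWX sections."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20
    n_sections, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    opt_off = pe_off + 24
    magic, = struct.unpack_from("<H", data, opt_off)
    # DllCharacteristics is at +70 for both PE32 (0x10b) and PE32+ (0x20b)
    dll_chars, = struct.unpack_from("<H", data, opt_off + 70)
    sections = []
    sec_off = opt_off + opt_size
    for i in range(n_sections):                                # 40-byte headers
        hdr = data[sec_off + 40 * i: sec_off + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        chars, = struct.unpack_from("<I", hdr, 36)
        sections.append((name, chars))
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "sections": [n for n, _ in sections],
        "rwx_sections": [n for n, c in sections
                         if c & MEM_WRITE and c & MEM_EXECUTE],
    }

def build_sample_pe(dll_chars: int, sections) -> bytes:
    """Constructed minimal PE32 header (not a runnable program) for testing."""
    opt_size = 224                                  # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)           # Magic: PE32
    struct.pack_into("<H", opt, 70, dll_chars)
    secs = b"".join(n.ljust(8, b"\0") + bytes(28) + struct.pack("<I", c)
                    for n, c in sections)
    return b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt) + secs
```

On a real file, `audit_pe(open("app.exe", "rb").read())` gives the same dictionary; a missing `aslr`/`dep` flag or a non-empty `rwx_sections` list is what a reviewer should look at first.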
