Undetectable backdooring PE file
Methods used:
- Adding a new section header to add shellcode
- User-interaction-based shellcode trigger + code caves
- Dual code caves with a custom encoder + triggering the shellcode upon user interaction
Criteria for selecting a PE file for implanting a backdoor
Unless you are forced to use a specific binary for backdooring, keep the following points in mind. They are not mandatory, but they are preferred because they help reduce the AV detection rate and make the end product more feasible.
- The executable should be small (< 10 MB). A smaller file is easier to transfer to the victim during a penetration testing engagement; you could email it in a ZIP or use other social engineering techniques. It is also more convenient to debug in case of issues.
- Backdoor a well-known product, for example uTorrent, network utilities like PuTTY, Sysinternals tools, WinRAR, 7-Zip, etc. Using a known PE file is not required, but AV is more likely to flag an unknown backdoored PE than a known one, and the victim is more inclined to execute a known program.
- Prefer PE files that are not protected by security features such as ASLR or DEP. Protected files are more complicated to backdoor, and the protection makes no difference in the end product compared to normal PE files.
- It is preferable to use native C/C++ binaries.
- It is preferable to use a PE file that has legitimate network-communication functionality. This fools some antiviruses on execution when the backdoor shellcode makes a reverse connection to our desired box: some will not flag it and will treat it as the program's own functionality. Network monitoring solutions and people are also more likely to consider the malicious communication legitimate.
The program we will be backdooring is the 7-Zip file archiver (GUI version). First, let's check whether the file has ASLR enabled.
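As an added triage-side check (example code written for this page, not from the original post or the 7-Zip project), the parser below reads the PE optional header's DllCharacteristics to report whether ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT) are set, and walks the section table to flag any section that is both writable and executable, which is how an appended shellcode section commonly stands out. The two PE images it inspects are constructed inside the block, so it runs offline; point `parse_pe` at real file bytes to check a binary such as the 7-Zip GUI.

```python
import struct
DYNAMIC_BASE = 0x0040   # DllCharacteristics: image opts into ASLR
NX_COMPAT = 0x0100      # DllCharacteristics: image opts into DEP
SCN_EXECUTE = 0x20000000  # section Characteristics: executable
SCN_WRITE = 0x80000000    # section Characteristics: writable

def parse_pe(data):
    """Read mitigation flags and section headers from raw PE bytes."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]      # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0] # COFF SizeOfOptionalHeader
    opt = pe_off + 24                                         # optional header start
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]    # same offset in PE32 and PE32+
    sections = []
    for i in range(nsec):
        off = opt + opt_size + i * 40                         # 40-byte section headers
        name = struct.unpack_from("<8s", data, off)[0].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name, "exec": bool(chars & SCN_EXECUTE),
                         "write": bool(chars & SCN_WRITE)})
    return {"aslr": bool(dllchars & DYNAMIC_BASE), "dep": bool(dllchars & NX_COMPAT), "sections": sections}

def assess(data):
    """Return the findings a triage analyst would want to see for this image."""
    info = parse_pe(data)
    findings = []
    if not info["aslr"]:
        findings.append("no ASLR (DYNAMIC_BASE unset)")
    if not info["dep"]:
        findings.append("no DEP (NX_COMPAT unset)")
    for s in info["sections"]:
        if s["exec"] and s["write"]:
            findings.append("section %s is writable and executable" % s["name"])
    return findings

def build_sample(dllchars, sections):
    """Constructed minimal PE32 header image (test data only, not a real program)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<H", opt, 70, dllchars)
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, c)
                    for n, c in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + secs
# Constructed samples: a hardened build, and one with mitigations off plus an added RWX section.
HARDENED = build_sample(DYNAMIC_BASE | NX_COMPAT, [(b".text", 0x60000020)])
SUSPECT = build_sample(0, [(b".text", 0x60000020), (b".inj", 0xE0000020)])
```

`assess(HARDENED)` returns no findings, while `assess(SUSPECT)` reports the missing ASLR and DEP flags and the writable-and-executable `.inj` section.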