PE Structure
Make the smallest executable
Recently I faced a problem in my devs. I needed an executable that does nothing, but the smallest possible (to include it in a shellcode).
Here's the C++ code:
#include <windows.h>

// Entry point that does nothing and returns immediately
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    return 0;
}
Nothing complicated.
I followed this tutorial to reduce the size of the PE: http://thelegendofrandom.com/blog/archives/2231
It led to a tiny PE (1 KB), but still not small enough for me.
Then I followed this tutorial: http://win32assembly.programminghorizon.com/pe-tut1.html
and used this reference poster: http://www.openrce.org/reference_library/files/reference/PE%20Format.pdf
Updated here: http://blog.dkbza.org/2012/08/pe-file-format-graphs.html
I removed lots of null bytes and adjusted the header fields so that both the file size and the section offsets stayed consistent. To finish, I loaded the PE into OllyDbg and corrected the entry point (which no longer pointed at the right location after the trimming).
My PE is now 500 bytes and fully functional.
Here's a schematic of the final PE structure. It helps to understand how a PE is laid out.
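As an added example (not the post's own code or binary, nor from the linked tutorials), here is a small Python walker over the same headers the schematic shows (DOS header, PE signature, COFF header, optional header, section table), with the checks a triage script would run on a hand-trimmed PE: a SizeOfOptionalHeader shorter than a full PE32 optional header, an entry point that lands outside every section (the defect the OllyDbg step above fixes), and section raw data running past the end of the file. The sample PE bytes are constructed inline; field offsets follow the PE specification.

```python
import struct

PE32_OPT_HDR_SIZE = 0xE0  # size of a full PE32 optional header

def build_minimal_pe(entry_rva=0x1000, opt_hdr_size=PE32_OPT_HDR_SIZE):
    """Constructed sample (not the post's binary): MZ header, PE signature, COFF
    header, PE32 optional header and one .text section holding XOR EAX,EAX ; RET."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_hdr_size, 0x0102)
    opt = bytearray(opt_hdr_size)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                   # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)   # ImageBase, SectionAlignment, FileAlignment
    sec = struct.pack("<8sIIIIIIHHI", b".text", 3, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + sec
    code = b"\x31\xc0\xc3"                                       # xor eax,eax ; ret
    return hdr.ljust(0x200, b"\0") + code.ljust(0x200, b"\0")

def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsec):            # section headers follow the optional header, 40 bytes each
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rawptr, rawsize))
    return {"machine": machine, "magic": magic, "opt_size": opt_size,
            "entry": entry, "sections": sections, "file_size": len(data)}

def check_pe(info):
    """Consistency checks a triage script would run on a hand-trimmed PE."""
    findings = []
    if info["magic"] == 0x10B and info["opt_size"] < PE32_OPT_HDR_SIZE:
        findings.append("SizeOfOptionalHeader smaller than a full PE32 optional header")
    if not any(va <= info["entry"] < va + max(vsize, rawsize)
               for _, va, vsize, _, rawsize in info["sections"]):
        findings.append("AddressOfEntryPoint falls outside every section")
    for name, _, _, rawptr, rawsize in info["sections"]:
        if rawptr + rawsize > info["file_size"]:
            findings.append(f"section {name} raw data runs past end of file")
    return findings
```

Run `check_pe(parse_pe(open(path, "rb").read()))` on a trimmed binary to see which header fields the trimming broke.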
REFERENCES
http://win32assembly.programminghorizon.com/pe-tut1.html
http://thelegendofrandom.com/blog/archives/2231
http://www.openrce.org/reference_library/files/reference/PE%20Format.pdf
http://blog.dkbza.org/2012/08/pe-file-format-graphs.html
Did you submit the file to VT for a try?
http://siri-urz.blogspot.nl/2010/03/antivirus-and-fp.html
hi S!ri!
Clean (1/42)! https://www.virustotal.com/file/7861be9df2ce869c5d4701a05766c4faf05239459619019b1b58766872d6e47a/analysis/
What makes your file suspicious is ExitProcess, which can be used in shellcode to kill a process after injection. Here there is only a XOR EAX,EAX and a RET.
FYI, the OpenRCE PDF got updated since @ http://blog.dkbza.org/2012/08/pe-file-format-graphs.html
You can still go smaller...
http://www.phreedom.org/research/tinype/
This doesn't work anymore since Windows Vista; extra padding is required.
Yeah, I was aware of this.
But I didn't want to play with ASM :)
VS to dig as deep as possible, then some cleanup by hand (and with WinHex and LordPE).
What is not working anymore since Vista?
Mine or with tinyPE? (Didn't try yet on Vista+)
Sotirov's tinyPE (92 bytes) wouldn't work after XP; it would require some padding, otherwise the truncated OptionalHeader would fail to be parsed and loading would fail.