Site Officiel


Thursday, 29 November 2012

[Analysis] PE Structure - Make the smallest executable

Blog post has moved here: http://www.adlice.com/pe-smallest-executable/
Sorry for the inconvenience.

7 comments:

  1. Did you submit the file to VT for a try?
    http://siri-urz.blogspot.nl/2010/03/antivirus-and-fp.html

  2. hi S!ri!
    Clean (1/42)! https://www.virustotal.com/file/7861be9df2ce869c5d4701a05766c4faf05239459619019b1b58766872d6e47a/analysis/

    What makes your file suspicious is ExitProcess, which can be used in shellcode to kill a process with injection. Here there is only a XOR EAX,EAX and RET.

  3. FYI, the OpenRCE PDF got updated since @ http://blog.dkbza.org/2012/08/pe-file-format-graphs.html

  4. You can still go smaller..

    http://www.phreedom.org/research/tinype/

    Replies
    1. this doesn't work anymore since Windows Vista. extra padding is required.

    2. Yeah I was aware of this.
      But I didn't want to play with ASM :)
      VS to dig as deep as possible, then some cleanup by hand (and with WinHex and LordPE)

      What is not working anymore since Vista?
      Mine or with tinyPE? (Didn't try yet on Vista+)

    3. sotirov's tinyPE (92 bytes) wouldn't work after XP, it would require some padding, otherwise the truncated OptionalHeader would fail to be parsed, failing loading.

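The last reply above says a truncated OptionalHeader is what makes the 92-byte TinyPE fail to load on Vista and later. Below is an added triage check, not code from the post or from TinyPE, that walks the DOS and NT headers of a PE file and flags an optional header whose declared size is below the standard PE32/PE32+ size or runs past end of file; the `make_sample` helper builds constructed header skeletons (not real executables) so the check runs offline.

```python
import struct

# Standard optional header sizes for PE32 (0x10B) and PE32+ (0x20B)
STANDARD_OPT_SIZE = {0x10B: 0xE0, 0x20B: 0xF0}
FILE_HEADER_FMT = "<HHIIIHH"  # IMAGE_FILE_HEADER, 20 bytes


def check_optional_header(data: bytes) -> dict:
    """Locate the NT headers and report whether the optional header is truncated.

    Flags the file when the Magic is unknown, when SizeOfOptionalHeader is below
    the standard size for that Magic, or when the declared optional header
    extends past the end of the file (the TinyPE situation)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing or outside the file")
    (_machine, _nsections, _ts, _symtab, _nsyms,
     size_opt, _chars) = struct.unpack_from(FILE_HEADER_FMT, data, e_lfanew + 4)
    opt_start = e_lfanew + 24
    present = max(0, min(size_opt, len(data) - opt_start))  # bytes actually on disk
    magic = struct.unpack_from("<H", data, opt_start)[0] if present >= 2 else 0
    standard = STANDARD_OPT_SIZE.get(magic)
    suspect = (standard is None or size_opt < standard
               or opt_start + size_opt > len(data))
    return {
        "e_lfanew": e_lfanew,
        "magic": magic,
        "size_of_optional_header": size_opt,
        "optional_header_bytes_in_file": present,
        "truncated_or_invalid": suspect,
    }


def make_sample(opt_bytes_present: int, size_opt_field: int = 0xE0) -> bytes:
    """Constructed PE32 header skeleton (not a real executable): DOS header with
    e_lfanew=0x40, PE signature, file header, then a PE32 optional header cut
    down to `opt_bytes_present` bytes."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x14C, 1, 0, 0, 0, size_opt_field, 0x102)
    opt = (struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2))[:opt_bytes_present]
    return dos + b"PE\0\0" + file_hdr + opt


if __name__ == "__main__":
    for name, blob in (("full", make_sample(0xE0)), ("cut", make_sample(40))):
        print(name, check_optional_header(blob))
```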