Backdooring PE


Trojans: what are they?

A trojan is an ordinary-looking program that mimics a legitimate one while running malware behind the scenes.

The goal is to convince the victim that the program they ran is legitimate and safe to keep using.

Use case

You have access to a file server used by a company.

You can backdoor one of their legitimate programs to turn it into a trojan and make it execute your malware.

If you target an executable that needs high privileges, such as PsExec, you can use it for privilege escalation and lateral movement.

How to backdoor PE files

  1. Code cave: spare space in a PE file, such as a part of the text segment that is not occupied by data. The downside is the limited space available to inject your malware (a few hundred bytes).

  2. New section: the most powerful method, because it gives you the freedom to create a section of any size you need. The downside is that you have to mark the section as executable, which an EDR can easily spot.

  3. Extending a section: you pick a section and increase its size to host your code. It can be done with the text section, but it takes more effort.

These methods can be combined: you find a small code cave in the text section and load your shellcode into it. The shellcode then loads additional code from another section or from resources. That section does not need to be marked executable, which limits detection.
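The three methods above each leave a trace in the PE headers or in the section bytes: a new section has to be executable (and often writable), the entry point or a patched jump ends up pointing outside the original code section, and a filled code cave shows up as non-padding bytes in the tail slack of .text that a linker would have left as zeros. The following script is an added example (not part of the original page) of a self-contained header-level check for those traces; it uses only the standard library and builds two constructed PE32 images in memory, one clean and one tampered with, so it runs offline. The section-name allowlist `EXPECTED_CODE_NAMES` and the "tail slack is zeros or INT3" assumption are heuristics, not rules; packers and unusual toolchains will trigger them too.

```python
"""Heuristic header checks for the three PE-tampering patterns discussed above:
a filled code cave, an added executable section and a redirected entry point."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
EXPECTED_CODE_NAMES = {".text", "CODE"}  # assumption: names a normal linker gives the code section
PAD_BYTES = {0x00, 0xCC}                  # assumption: linker tail padding is zeros or INT3


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a raw PE image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # same offset for PE32 and PE32+
    sections = []
    for i in range(nsections):
        (name, vsize, va, rawsize, rawptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize,
                         "va": va, "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return entry, sections


def section_for_rva(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def analyze(data):
    """Return a list of (check_id, message); an empty list means nothing was flagged."""
    entry, sections = parse_pe(data)
    findings = []
    home = section_for_rva(sections, entry)
    if home is None:
        findings.append(("entry-outside-sections", f"entry point 0x{entry:x} maps to no section"))
    elif home["name"] not in EXPECTED_CODE_NAMES:
        findings.append(("entry-outside-text", f"entry point 0x{entry:x} is in {home['name']}"))
    for s in sections:
        executable = bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE)
        if executable and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(("wx-section", f"{s['name']} is writable and executable"))
        if executable and s["name"] not in EXPECTED_CODE_NAMES:
            findings.append(("exec-nonstandard", f"executable section with unusual name {s['name']}"))
        if executable and s["rawsize"] > s["vsize"]:
            # Bytes between VirtualSize and SizeOfRawData are file-alignment slack: the code cave.
            slack = data[s["rawptr"] + s["vsize"]: s["rawptr"] + s["rawsize"]]
            filled = sum(1 for b in slack if b not in PAD_BYTES)
            if filled:
                findings.append(("filled-cave",
                                 f"{filled} non-padding bytes in the {len(slack)}-byte tail of {s['name']}"))
    return findings


def build_pe(sections, entry_rva, file_align=0x200):
    """Assemble a minimal PE32 image as a constructed test fixture (not a runnable binary).
    sections: list of (name, virtual_address, virtual_size, raw_bytes, characteristics)."""
    headers = 0x40 + 4 + 20 + 224 + 40 * len(sections)
    headers = -(-headers // file_align) * file_align          # round up to file alignment
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, file_align)  # ImageBase, SectionAlign, FileAlign
    table, body, rawptr = bytearray(), bytearray(), headers
    for name, va, vsize, raw, chars in sections:
        raw = raw + bytes(-len(raw) % file_align)             # zero slack up to the alignment
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, len(raw), rawptr, 0, 0, 0, 0, chars)
        body += raw
        rawptr += len(raw)
    head = dos + b"PE\0\0" + coff + opt + table
    return bytes(head + bytes(headers - len(head)) + body)


CODE = b"\x55\x8b\xec" + b"\x90" * 0xFD  # constructed 0x100-byte stand-in for real code
TEXT_CHARS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA_CHARS = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

CLEAN_PE = build_pe([(".text", 0x1000, len(CODE), CODE, TEXT_CHARS),
                     (".data", 0x2000, 0x40, b"\x01" * 0x40, DATA_CHARS)], entry_rva=0x1000)

# Same image after tampering: 64 constructed non-padding bytes (filler, not shellcode) in the
# .text tail slack, plus a new writable+executable section that now holds the entry point.
TAMPERED_PE = build_pe([(".text", 0x1000, len(CODE), CODE + b"\xAA" * 0x40, TEXT_CHARS),
                        (".data", 0x2000, 0x40, b"\x01" * 0x40, DATA_CHARS),
                        (".newsec", 0x3000, 0x100, b"\xAA" * 0x100, TEXT_CHARS | IMAGE_SCN_MEM_WRITE)],
                       entry_rva=0x3000)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("tampered", TAMPERED_PE)):
        print(label, analyze(image) or "no findings")
```

On a real file, `analyze(open(path, "rb").read())` gives the same list; the entry-point check only catches a redirected entry point, not a jump patched into the middle of a function, which needs disassembly of the code section rather than header inspection.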

Hands on

Find the code cave

You can use a decompiler or a debugger to find free space in the .text section.

Usually, there is free space at the end of the program:

[Figure: Code cave]

Jump on your code cave

The program must be patched to jump to the code cave. Locate the address of the code cave and replace one instruction with:

jmp ${codeCaveAddress}

Do not forget to save the instructions you overwrite so you can restore them at the end of your shellcode.

To avoid disrupting the program, the shellcode must return to the original address, or the program will crash.

Save the program state

The shellcode will change the program state (registers, stack, etc.), so the state must be saved before executing it.

The first shellcode instructions must be:

  • pushad : push all registers on the stack
  • pushfd : push all flags on the stack

Paste the shellcode

The shellcode can then be written into the code cave.

Restore the machine state

At the end of the shellcode, the stack, registers and flags must be restored:

  • popfd : restore the flags from the stack
  • popad : restore the registers from the stack

Then you need to restore the instructions that were replaced by the original jump.

Finally, jump just after the initial jump.
