
Problem rebuilding a PE using CFF Explorer


Ignatius
November 14th, 2011, 07:34
Hi everyone

I did some C++ and assembly coding ages ago when I was at College but have dealt with IT administration subsequently (mainly Windows systems). My interest in coding and the internal workings of .exe and .dll files has been resurrected recently.

I saw a workshop at Brucon 2011 when shellcode (as a .bin file) was added in a new section header in calc.exe to enforce DEP permanently and the technique works perfectly using Lord PE. However, I'd like to reproduce the technique using CFF Explorer but, when I rebuild the PE, the amended calc.exe doesn't open. I know that the shellcode works. I've changed the entry point to the start of the newly added section (0x0001F000) but, whatever I do to rebuild the file, it fails. Can anyone give me any clues? I'm using 32-bit XP Pro, SP3. I've looked around NTCore's site but there aren't any explicit instructions about rebuilding a PE using CFF Explorer. Here's what I do:

1. Open calc.exe in CFF Explorer > Section Headers [x] > Right click in the section header area > Add Section (File Data), then navigate to the shellcode .bin file.

2. Give the newly added section a name (.mine).

3. The Virtual Address column of the newly added Section is 0001F000.

4. Optional Header > change the value of AddressOfEntryPoint from 00012475 to 0001F000 (it changes the content of the cell in the "meaning" column to .mine).

5. Return to Section Headers > Right click > Rebuild Image Size then > Rebuild PE Header.

6. File > Save > then overwrite the original file.

7. Close CFF Explorer.

When I execute the modified calc.exe, it hangs and returns an error message:

"This application has failed to start because dll.dll was not found. Re-installing the application may fix this problem"

or it might just not open calc.exe.

As I said, the shellcode works flawlessly when I use Lord PE so I guess it's something to do with how I'm rebuilding the PE using CFF Explorer. Can anyone give me any tips?

Thanks for your time (and patience!).

Kayaker
November 14th, 2011, 22:06
Hi

I checked it out and had the same problem initially. Solved it by selecting 'Bind Import Table' option in CFF Explorer.

Alternatively, you can zero out the Bound Import Directory RVA and Bound Import Directory Size under Data Directories (don't select the right click Remove Data Directory option, just change the two values to 0).

Comparing the CFF vs LordPE rebuilds I noticed that's exactly what LordPE does by default (Bound Imports were zeroed), and that's what led me to trying the 'Bind Import Table' option in CFF.

Interesting shellcode workshop, thanks for bringing it up.

Kayaker

Ignatius
November 16th, 2011, 05:51
Thank you Kayaker for taking the time to respond.

I've tried to reproduce the steps that you took, but the rebuilt executable still crashes on my system.

I looked carefully at the rebuilt executable from LordPE and saw that the characteristics of the added section were E00000E0 whilst the characteristics of the newly added section in the CFF-rebuilt executable were C0000000. This section was only readable and writable so I modified the flags and made it executable also (the characteristics changed to E0000000). I rebuilt the executable and everything worked as planned. When I examined it using Process Explorer (from Sysinternals), DEP was enforced.

I'm not sure why the process that you described didn't work for me.

jagger
April 28th, 2013, 15:08
Having a similar issue with LordPE/CFF Explorer & calc.exe.

I'm using LordPE/CFF Explorer to add a section, setting the virtual & raw size to 4096. I then use a hex editor to insert 4096 bytes to the end of the executable. If I use this process on a non-Windows app, e.g. WinRAR.exe, it works fine. I can run the modified executable normally.

However, this same process does not work on a Windows exe, e.g. calc.exe. Is the process different somehow for Windows applications?
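The three findings in this thread (Kayaker: zero the Bound Import directory after the section table grows; Ignatius: the added section must carry IMAGE_SCN_MEM_EXECUTE, CFF's default C0000000 is read/write only; jagger: the section header's raw size must actually be backed by bytes in the file) are exactly the header fix-ups an "Add Section" tool has to perform. The script below is an added example written for this thread; it is not code from CFF Explorer, LordPE or any poster. It uses only the standard `struct` module, handles PE32 (32-bit) images only, assumes there is slack in the header area for one more 40-byte section header (it does not grow SizeOfHeaders), and appends the payload at the end of the file. `make_min_pe()` builds a constructed one-section toy image as sample input; it is not calc.exe. `diagnose()` reports the inconsistencies that correspond to the failures described in the posts.

```python
"""Append a section to a PE32 image, point AddressOfEntryPoint at it, and check the result."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = 0xE0000060            # CNT_CODE | CNT_INITIALIZED_DATA | EXECUTE | READ | WRITE
BOUND_IMPORT_INDEX = 11     # IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def _align(v, a):
    return (v + a - 1) // a * a


def _layout(data):
    """Return (optional header offset, section table offset, section count) of a PE32."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    return opt, opt + opt_size, nsec


def _sections(data):
    opt, table, nsec = _layout(data)
    return [struct.unpack_from(SECTION_HDR, data, table + i * 40) for i in range(nsec)]


def sections(data):
    """(name, VirtualAddress, Characteristics) of every section."""
    return [(s[0].rstrip(b"\0").decode(), s[2], s[9]) for s in _sections(data)]


def entry_point(data):
    return struct.unpack_from("<I", data, _layout(data)[0] + 16)[0]


def add_section(data, name, payload, characteristics=RWX, set_entry=True, zero_bound_imports=True):
    """Append `payload` as a new section (what 'Add Section' does) and fix up the headers."""
    data = bytearray(data)
    opt, table, nsec = _layout(data)
    sec_align, file_align = struct.unpack_from("<II", data, opt + 32)
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    new_hdr = table + nsec * 40
    if new_hdr + 40 > size_of_headers:
        raise ValueError("no slack for another section header (header expansion not handled)")
    last = struct.unpack_from(SECTION_HDR, data, new_hdr - 40)
    va = _align(last[2] + max(last[1], last[3]), sec_align)   # next free RVA after the last section
    raw_ptr = _align(len(data), file_align)                     # append at end of file
    raw_size = _align(len(payload), file_align)
    data += b"\0" * (raw_ptr - len(data)) + payload + b"\0" * (raw_size - len(payload))
    struct.pack_into(SECTION_HDR, data, new_hdr, name[:8].ljust(8, b"\0"),
                     len(payload), va, raw_size, raw_ptr, 0, 0, 0, 0, characteristics)
    struct.pack_into("<H", data, opt - 18, nsec + 1)            # FileHeader.NumberOfSections
    struct.pack_into("<I", data, opt + 56, _align(va + len(payload), sec_align))  # SizeOfImage
    if set_entry:
        struct.pack_into("<I", data, opt + 16, va)              # AddressOfEntryPoint -> new section
    if zero_bound_imports:
        # Bound-import descriptors commonly live in the header slack right after the section
        # table, where the new header was just written; zeroing the directory makes the loader
        # resolve imports normally instead of reading clobbered descriptors.
        struct.pack_into("<II", data, opt + 96 + BOUND_IMPORT_INDEX * 8, 0, 0)
    return bytes(data)


def diagnose(data):
    """List header inconsistencies that make a rebuilt PE32 fail to start."""
    problems = []
    opt, table, nsec = _layout(data)
    secs = _sections(data)
    entry = entry_point(data)
    sec_align = struct.unpack_from("<I", data, opt + 32)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    owner = [s for s in secs if s[2] <= entry < s[2] + max(s[1], s[3])]
    if not owner:
        problems.append("entry point 0x%X lies outside every section" % entry)
    elif not owner[0][9] & IMAGE_SCN_MEM_EXECUTE:
        problems.append("entry section %s is not executable (characteristics 0x%08X)"
                        % (owner[0][0].rstrip(b"\0").decode(), owner[0][9]))
    for s in secs:                                              # header claims bytes the file lacks
        if s[4] + s[3] > len(data):
            problems.append("raw data of %s extends past end of file" % s[0].rstrip(b"\0").decode())
    end = max(_align(s[2] + max(s[1], s[3]), sec_align) for s in secs)
    if size_of_image < end:
        problems.append("SizeOfImage 0x%X is below the last section end 0x%X" % (size_of_image, end))
    bi_rva, bi_size = struct.unpack_from("<II", data, opt + 96 + BOUND_IMPORT_INDEX * 8)
    if bi_size and bi_rva < table + nsec * 40:
        problems.append("Bound Import directory at RVA 0x%X overlaps the section table; zero it" % bi_rva)
    return problems


def make_min_pe():
    """Constructed one-section PE32 used as sample input here (a toy image, not calc.exe)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                              # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, PE32
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                            # AddressOfEntryPoint -> .text
    struct.pack_into("<I", opt, 28, 0x400000)                          # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                    # Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)                    # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + BOUND_IMPORT_INDEX * 8, 0x160, 16)  # bound imports after table
    text = struct.pack(SECTION_HDR, b".text", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + text
    return hdr + b"\0" * (0x200 - len(hdr)) + b"\xC3" * 0x10 + b"\0" * 0x1F0
```

Run `diagnose()` against a file that CFF Explorer refuses to start and it names the cause: with CFF's default characteristics (C0000000) the entry section is reported as not executable, with the Bound Import directory left pointing at the overwritten slack it is reported as overlapping the section table, and a header whose raw size was bumped to 4096 without appending the bytes is reported as extending past end of file. To patch a real 32-bit executable, read it into `add_section()` with the shellcode .bin as `payload` and write the returned bytes to a new file; leave the original in place until the copy starts.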