Ignatius
November 14th, 2011, 07:34
Hi everyone
I did some C++ and assembly coding ages ago when I was at College but have dealt with IT administration subsequently (mainly Windows systems). My interest in coding and the internal workings of .exe and .dll files has been resurrected recently.
I saw a workshop at Brucon 2011 when shellcode (as a .bin file) was added in a new section header in calc.exe to enforce DEP permanently and the technique works perfectly using Lord PE. However, I'd like to reproduce the technique using CFF Explorer but, when I rebuild the PE, the amended calc.exe doesn't open. I know that the shellcode works. I've changed the entry point to the start of the newly added section (0x0001F000) but, whatever I do to rebuild the file, it fails. Can anyone give me any clues? I'm using 32-bit XP Pro, SP3. I've looked around NTCore's site but there aren't any explicit instructions about rebuilding a PE using CFF Explorer. Here's what I do:
1. Open calc.exe in CFF Explorer > Section Headers [x] > Right click in the section header area > Add Section (File Data), then navigate to the shellcode .bin file.
2. Give the newly added section a name (.mine).
3. The Virtual Address column of the newly added Section is 0001F000.
4. Optional Header > change the value of AddressOfEntryPoint from 00012475 to 0001F000 (it changes the content of the cell in the "meaning" column to .mine).
5. Return to Section Headers > Right click > Rebuild Image Size then > Rebuild PE Header.
6. File > Save > then overwrite the original file.
7. Close CFF Explorer.
When I execute the modified calc.exe, it hangs and returns an error message:
"This application has failed to start because dll.dll was not found. Re-installing the application may fix this problem"
or it might just not open calc.exe.
As I said, the shellcode works flawlessly when I use Lord PE so I guess it's something to do with how I'm rebuilding the PE using CFF Explorer. Can anyone give me any tips?
Thanks for your time (and patience!).