Hi,
Lookin for a tool.
Does anyone know of at tool that can preform code insertion in a section and that does not overwrite bytes but shifts them. Thats a pretty nifty task, I know: it has to prform disassembly and adjust offsets in all relevant instructions, cals, jms etc.
I really need this. Tried Snippet Creator, its not what i am looking for.
Greets

I doubt there's a tool that can do this for anything other than the simplest cases. A single jmp eax would screw the entire thing. Is there a reason you can't steal a few bytes somewhere for a jmp to code you inserted elsewhere?

What do you think about inserting your new code in a "cave" at the end of the section, where normally you find all full of zeroes, because of the file alignment, and call to that code redirecting from the main code?

It seems to be less dramatical for the original code...

Anyway I am doing call and jump re-addressing in a rebuilder, because of the resizing of sections, included import address table, and it is running OK, but this issue needs much care not to get the code fooling.

Cheers

Nacho_dj

Sorry for the quote: You are asking for the Holly grail of code injection.
The only one with a hope of working:

You need the source code, all the Modules, Then recompile the executable.

The way X86 works, in which all addresses are relative, and all the object oriented based runtime address resolution, indirect adressing of code flow, as well as data, does not tolerate byte insertion in almost any case.

You would destroy a magic quantum superposition state!

Diablo binary rewriter

(Unix-only)

This is the standard method of inserting extra code into a PE, and it works quite well and is simple to implement. That's why noone has tried to make a code inserter to your description.

maybe that tool could be done.. like this: make it read where you want to overwrite or modify your bytes, the tool most be able to read the replace bytes where you will insert your call ... from there make it call other empty space.. rewrite the original bytes you replaced before.. now write your owns bytes/code .. make it C3 .. the tool should be able to calculate the offsets to make good calls from xxxx place to xxx place (where you'll insert your code) also could pe possible to insert new section instead of using empty space.. also should be able to nop ... when neccesary.. just ideas.. can't code this myself ... but got many ideas

something like this you're looking for??

My Regards

That is exactly what "Snippet Creator" does...
The only other program I have seen do this is "Memory Hacking Software" by L. Spiro.
http://memoryhacking.com/
The only problem with "Memory Hacking Software" is that the interface really sucks.

Thanks for your help so far, lads! But the purpose of the tool would NOT be to insert extra functionality of any kind but just to create post-compilation variants of the same program with totally different offsets and relative mappings. Well, I guess I'll have to shift to pre-compilation variants and use inline assembler in some high level language for that. Or do you guys have any other ideas to mess up offsets and relative references?
Greets again,
K.

PS:I'll check out how Diablo binary rewriter does its thing. Maybe Memoryhacking?

Hi,

Are you looking for ways of producing SMC, or something even beyond that?

For example?
How to write spaghetti code
http://www.woodmann.com/forum/showthread.php?t=7319

Kayaker

keeth, what will you be using this tool for?

If you have access to your source code, you can generally unset a few compiler and linker flags (in particular, size optimisation) and simply copy-paste the order of your functions around (and their declarations) in the source. I'm not sure about VS.NET (and I don't know which IDE you're using) but I know you can completely reorder your code, on the function level, in this manner using VC++ 4. I don't see why this would have changed.

Failing this, you may have some success writing a simple tool to work a similar idea on the intermediate asm file produced by your compiler. This method can also be automated, say if you wanted to produce many different builds.

Regards
Admiral

I'll echo disavowed's question. I can think of one reason you'd want to do this...

It converts the binary into a representation where addresses are turned into labels. Then it can reassemble a new binary easily despite code insertions and deletions.

That means that it would be limited to programs using only static functions...
No virtual functions function pointers (Vtables) ECT.

That is quite a limitation considering most software I see written today is written using OOP Delphi, MFC, most C++.......

These can also be turned into labels, but yes, dynamically computed addresses and addresses that look like data are a problem. The new binary will blow up.

Hmm, just happened over this interesting post, somewhat related.

Code Perversion
http://tibbar.blog.co.uk/2006/02/16/code_perversion~568650

An unfinished experiment in creating modified code instructions which are equivalent in function. This is an expansion on Zombie's code pervertor but instead of creating equivalent instructions of equal size in bytes the idea is to create instruction sets of differing sizes, i.e.

mov EAX, 5;
equivalent to:
push 5; pop EAX;

The steps:

1) disassemble each instruction in a section of code;
2) select a random equivalent operation;
3) calculate extra space required to fit new equivalent operations and insert space in code;
4) assemble the equivalent operations.
5) scan entire code section looking for jmp's, jcc's, call's and adjusting the address they reference to allow for the extra space inserted in step 3.

Thoughts?..

Kayaker

This makes it tough...
Unfortunately he doesn't offer any code or binaries...

The offsets of every function, function pointer, class, call, jmp, ECT, below each insertion point must be adjusted, also the values of any vtable, and some other structures that hold offset data (Jump tables ECT) The analysis engine to do this properly would be a lot of work. An IDA plugin may be the easiest route.

This is what polymorphic viruses do. I sure hope that keeth isn't working on writing malware

I'm sure the author meant "permutation"... since "pervert" came to mind when I read that title

Almost all polymorphic permuters that I've seen don't attempt to use different-length instructions, they will just change the registers around due to the orthogonal nature of the i386+ instruction set. E.g.
Becomes

Fine, call it metamorphic then if that makes you happier. Either way, I hope we're not helping keeth write a virus.

Indeed. This technique in a self-modifying executable would cause many problems for AV / antimalware signatures. Comprehensively changing the bytecode of an exe without changing its function doesn't have that many uses outside of bypassing security mechanisms that are in our best interests not to bypass.

Hopefully the original poster will explain why he wants to do this...

Even if he wants to write a virus, modern AVs use emulation (i.e. heuristics) in addition to signatures, so with just a polymorphic encrypter he isn't going to write a truly undetected virus.

Many packers use polymorphic code too... Xprotector/Themida being one example I can think of. Quote from its description:

Hey guys, sorry. I made you wait for such a long time.
I can assure you i wasn't looking for any means of devising a virus or other malware. I need this for my thesis (that's why it took so long, too busy) ; as a means of software protection. It won't prevent an individual cracker from cracking the app (so don't worry), but the variance should prevent offset patches from being applicable, right?

Any comments might be interesting, maybe the jury will have the same remarks

I found a solution that will do but it requires that i have the sourcecode of the proggy i'm trying to protect.

Greets and thanks again to y'all
Keeth

Lo,

i actually coding such a tool for another purpose.
It's called Z3NJECT at v0.1.1.3854.

I do this for defeating Themida inside it's own process which looks much more promising than fucking with the decreasing ring0 stuff in it.
I did not finished it yet but i hope i will so this summer.

It will be public availible then.
The injection feature of the Z3NJECT wont be specialized to any protection so you can use it for your own purposes.

Checkout the project homepage in another weeks, and keep your eyes open

Cheers,

OHPen