Code insertion tool
keeth
April 6th, 2006, 03:35
Hi,
Looking for a tool.
Does anyone know of a tool that can perform code insertion in a section and that does not overwrite bytes but shifts them? That's a pretty nifty task, I know: it has to perform disassembly and adjust offsets in all relevant instructions, calls, jmps etc.
I really need this. Tried Snippet Creator, it's not what I am looking for.
Greets
Silver
April 6th, 2006, 05:03
I doubt there's a tool that can do this for anything other than the simplest cases. A single jmp eax would screw the entire thing. Is there a reason you can't steal a few bytes somewhere for a jmp to code you inserted elsewhere?
Nacho_dj
April 6th, 2006, 10:06
What do you think about inserting your new code in a "cave" at the end of the section, where normally you find it all full of zeroes because of the file alignment, and calling that code by redirecting from the main code?
It seems to be less dramatic for the original code...
Anyway, I am doing call and jump re-addressing in a rebuilder, because of the resizing of sections, including the import address table, and it is running OK, but this issue needs much care not to get the code fooled.
Cheers
Nacho_dj
naides
April 6th, 2006, 10:49
Quote:
[Originally Posted by keeth]Hi,
Looking for a tool.
Does anyone know of a tool that can perform code insertion in a section and that does not overwrite bytes but shifts them? That's a pretty nifty task, I know: it has to perform disassembly and adjust offsets in all relevant instructions, calls, jmps etc.
Sorry for the quote: you are asking for the Holy Grail of code injection.
The only one with a hope of working:
You need the source code and all the modules, then recompile the executable.
The way x86 works, in which all addresses are relative, and all the object-oriented runtime address resolution and indirect addressing of code flow, as well as data, does not tolerate byte insertion in almost any case.
You would destroy a magic quantum superposition state!
Extremist
April 6th, 2006, 18:36
Diablo binary rewriter
(Unix-only)
LLXX
April 6th, 2006, 20:26
Quote:
[Originally Posted by Nacho_dj]What do you think about inserting your new code in a "cave" at the end of the section, where normally you find it all full of zeroes because of the file alignment, and calling that code by redirecting from the main code?
This is the standard method of inserting extra code into a PE, and it works quite well and is simple to implement. That's why no one has tried to make a code inserter to your description.
cRk
April 7th, 2006, 11:28
Maybe that tool could be done, like this: make it read where you want to overwrite or modify your bytes; the tool must be able to read the replaced bytes where you will insert your call... from there make it call other empty space, rewrite the original bytes you replaced before, now write your own bytes/code, make it C3... The tool should be able to calculate the offsets to make good calls from xxxx place to xxx place (where you'll insert your code). It could also be possible to insert a new section instead of using empty space, and it should also be able to nop when necessary... just ideas, can't code this myself, but got many ideas.
Something like this you're looking for??
My Regards
goggles99
April 7th, 2006, 12:55
Quote:
[Originally Posted by cRk]Maybe that tool could be done, like this: make it read where you want to overwrite or modify your bytes; the tool must be able to read the replaced bytes where you will insert your call... from there make it call other empty space, rewrite the original bytes you replaced before, now write your own bytes/code, make it C3... The tool should be able to calculate the offsets to make good calls from xxxx place to xxx place (where you'll insert your code). It could also be possible to insert a new section instead of using empty space, and it should also be able to nop when necessary... just ideas, can't code this myself, but got many ideas.
Something like this you're looking for??
My Regards
That is exactly what "Snippet Creator" does...
The only other program I have seen do this is "Memory Hacking Software" by L. Spiro.
http://memoryhacking.com/
The only problem with "Memory Hacking Software" is that the interface really sucks.
keeth
April 8th, 2006, 17:54
Thanks for your help so far, lads! But the purpose of the tool would NOT be to insert extra functionality of any kind but just to create post-compilation variants of the same program with totally different offsets and relative mappings.

Well, I guess I'll have to shift to pre-compilation variants and use inline assembler in some high level language for that. Or do you guys have any other ideas to mess up offsets and relative references?
Greets again,
K.
PS: I'll check out how Diablo binary rewriter does its thing. Maybe Memoryhacking?
Kayaker
April 8th, 2006, 18:51
Hi,
Are you looking for ways of producing SMC, or something even beyond that?
For example?
How to write spaghetti code
http://www.woodmann.com/forum/showthread.php?t=7319
Kayaker
disavowed
April 9th, 2006, 00:46
keeth, what will you be using this tool for?
Admiral
April 9th, 2006, 06:13
If you have access to your source code, you can generally unset a few compiler and linker flags (in particular, size optimisation) and simply copy-paste the order of your functions around (and their declarations) in the source. I'm not sure about VS.NET (and I don't know which IDE you're using) but I know you can completely reorder your code, on the function level, in this manner using VC++ 4. I don't see why this would have changed.
Failing this, you may have some success writing a simple tool to work a similar idea on the intermediate asm file produced by your compiler. This method can also be automated, say if you wanted to produce many different builds.
Regards
Admiral
Silver
April 9th, 2006, 06:34
I'll echo disavowed's question. I can think of one reason you'd want to do this...
Extremist
April 9th, 2006, 19:45
Quote:
[Originally Posted by keeth]
PS: I'll check out how Diablo binary rewriter does its thing. Maybe Memoryhacking?
It converts the binary into a representation where addresses are turned into labels. Then it can reassemble a new binary easily despite code insertions and deletions.
goggles99
April 9th, 2006, 23:41
That means that it would be limited to programs using only static functions...
No virtual functions, function pointers (vtables), etc.
That is quite a limitation considering most software I see written today is written using OOP: Delphi, MFC, most C++...

Extremist
April 10th, 2006, 12:38
These can also be turned into labels, but yes, dynamically computed addresses and addresses that look like data are a problem. The new binary will blow up.
Kayaker
April 10th, 2006, 16:36
Hmm, just happened over this interesting post, somewhat related.
Code Perversion
http://tibbar.blog.co.uk/2006/02/16/code_perversion~568650
An unfinished experiment in creating modified code instructions which are equivalent in function. This is an expansion on Zombie's code pervertor but instead of creating equivalent instructions of equal size in bytes the idea is to create instruction sets of differing sizes, i.e.
mov EAX, 5;
equivalent to:
push 5; pop EAX;
The steps:
1) disassemble each instruction in a section of code;
2) select a random equivalent operation;
3) calculate extra space required to fit new equivalent operations and insert space in code;
4) assemble the equivalent operations.
5) scan entire code section looking for jmp's, jcc's, call's and adjusting the address they reference to allow for the extra space inserted in step 3.
Thoughts?..
Kayaker
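Step 5 of the list above, together with the limits Silver and Extremist point out (a `jmp eax` has no fixable target, and a rel8 branch may stop reaching once bytes are inserted), as an added example that is not code from the thread or from the Code Perversion post: a constructed 32-bit x86 byte string has its 5-byte `mov eax, 5` swapped for the 3-byte `push 5 ; pop eax` and every relative branch re-encoded. The names decode, rewrite, rewrite_error, SAMPLE and MUTATED are chosen here, and the decoder only knows the handful of opcodes the sample uses.

```python
# Added example (not from the thread): step 5 above, on constructed 32-bit x86 bytes.
# Non-branch opcodes this demo knows (nop, ret, push imm8, pop r32, mov r32,imm32) -> length
PLAIN_LEN = {0x90: 1, 0xC3: 1, 0x6A: 2, **{o: 1 for o in range(0x58, 0x60)}, **{o: 5 for o in range(0xB8, 0xC0)}}
def decode(code, off):
    """Return (length, kind, disp_size); kind is 'rel', 'ind' (indirect) or 'plain'."""
    op, nxt = code[off], code[off + 1] if off + 1 < len(code) else 0
    if op == 0xEB or 0x70 <= op <= 0x7F:                  # jmp rel8 / jcc rel8
        return 2, "rel", 1
    if op in (0xE8, 0xE9):                                # call rel32 / jmp rel32
        return 5, "rel", 4
    if op == 0xFF and (0xD0 <= nxt <= 0xD7 or 0xE0 <= nxt <= 0xE7):
        return 2, "ind", 0                                # call/jmp reg: target is a runtime value
    if op in PLAIN_LEN:
        return PLAIN_LEN[op], "plain", 0
    raise ValueError(f"unsupported opcode {op:#04x} at {off:#x}")

def rewrite(code, at, old_len, payload):
    """Replace the old_len-byte instruction at `at` with payload, re-encoding every relative branch."""
    delta = len(payload) - old_len
    new = bytearray(code[:at] + payload + code[at + old_len:])
    moved = lambda p: p + delta if p >= at + old_len else p   # new offset of an old offset p
    off = 0
    while off < len(code):
        if off == at:                                     # skip the instruction being replaced
            off += old_len
            continue
        ln, kind, dsz = decode(code, off)
        if kind == "ind":
            raise ValueError(f"indirect branch at {off:#x}: target cannot be recomputed")
        if kind == "rel":
            disp = int.from_bytes(code[off + ln - dsz:off + ln], "little", signed=True)
            target = off + ln + disp
            if at < target < at + old_len:
                raise ValueError(f"branch at {off:#x} lands inside the replaced instruction")
            new_end = moved(off) + ln
            new_disp = moved(target) - new_end
            if dsz == 1 and not -128 <= new_disp <= 127:  # rel8 can no longer reach its target
                raise ValueError(f"rel8 branch at {off:#x} must be widened to rel32")
            new[new_end - dsz:new_end] = new_disp.to_bytes(dsz, "little", signed=True)
        off += ln
    return bytes(new)

def rewrite_error(code, at, old_len, payload):
    """Reason the rewrite is unsafe (str), or None if it succeeds."""
    try:
        rewrite(code, at, old_len, payload)
    except ValueError as e:
        return str(e)
SAMPLE = bytes.fromhex("B805000000" "7402" "EBF7" "E800000000" "C3")  # constructed: mov eax,5 ; je +2 ; jmp 0 ; call +0 ; ret
MUTATED = rewrite(SAMPLE, 0, 5, bytes.fromhex("6A0558"))            # mov eax,5 -> push 5 ; pop eax
```

Widening a rel8 to rel32 is left as an error on purpose: it changes the instruction's own length, which shifts everything after it again and restarts the fix-up, which is why the whole-section pass is much harder than a single insertion.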
goggles99
April 10th, 2006, 17:45
Quote:
3) calculate extra space required to fit new equivalent operations and insert space in code;
This makes it tough...
Unfortunately he doesn't offer any code or binaries...
The offsets of every function, function pointer, class, call, jmp, etc. below each insertion point must be adjusted, also the values of any vtable and some other structures that hold offset data (jump tables etc.). The analysis engine to do this properly would be a lot of work. An IDA plugin may be the easiest route.

disavowed
April 10th, 2006, 23:47
Quote:
[Originally Posted by Kayaker]mov EAX, 5;
equivalent to:
push 5; pop EAX;
This is what polymorphic viruses do. I sure hope that keeth isn't working on writing malware

LLXX
April 11th, 2006, 02:43
Quote:
[Originally Posted by Kayaker]Hmm, just happened over this interesting post, somewhat related.
Code Perversion
http://tibbar.blog.co.uk/2006/02/16/code_perversion~568650
An unfinished experiment in creating modified code instructions which are equivalent in function. This is an expansion on Zombie's code pervertor but instead of creating equivalent instructions of equal size in bytes the idea is to create instruction sets of differing sizes, i.e.
mov EAX, 5;
equivalent to:
push 5; pop EAX;
The steps:
1) disassemble each instruction in a section of code;
2) select a random equivalent operation;
3) calculate extra space required to fit new equivalent operations and insert space in code;
4) assemble the equivalent operations.
5) scan entire code section looking for jmp's, jcc's, call's and adjusting the address they reference to allow for the extra space inserted in step 3.
Thoughts?..
Kayaker
I'm sure the author meant "permutation"... since "pervert" came to mind when I read that title
Almost all polymorphic permuters that I've seen don't attempt to use different-length instructions, they will just change the registers around due to the orthogonal nature of the i386+ instruction set. E.g.
Code:
mov ecx, eax
xor edx, [ebx]
inc ebx
and eax, edx
Becomes
Code:
mov edx, ebx
xor ecx, [eax]
inc eax
and ebx, ecx
disavowed
April 11th, 2006, 11:12
Fine, call it metamorphic then if that makes you happier. Either way, I hope we're not helping keeth write a virus.
Silver
April 12th, 2006, 06:46
Indeed. This technique in a self-modifying executable would cause many problems for AV / antimalware signatures. Comprehensively changing the bytecode of an exe without changing its function doesn't have that many uses outside of bypassing security mechanisms that are in our best interests not to bypass.
Hopefully the original poster will explain why he wants to do this...
LLXX
April 13th, 2006, 00:18
Even if he wants to write a virus, modern AVs use emulation (i.e. heuristics) in addition to signatures, so with just a polymorphic encrypter he isn't going to write a truly undetected virus.
Many packers use polymorphic code too... Xprotector/Themida being one example I can think of. Quote from its description:
Quote:
The Mutator Engine mutates the real instructions that belong to the protected program, so not only the garbage code is different in each protected program but also the real instructions.
keeth
May 7th, 2006, 07:18
Hey guys, sorry I made you wait for such a long time.
I can assure you I wasn't looking for any means of devising a virus or other malware. I need this for my thesis (that's why it took so long, too busy), as a means of software protection. It won't prevent an individual cracker from cracking the app (so don't worry), but the variance should prevent offset patches from being applicable, right?
Any comments might be interesting, maybe the jury will have the same remarks.
I found a solution that will do, but it requires that I have the source code of the proggy I'm trying to protect.
Greets and thanks again to y'all

Keeth
OHPen
May 8th, 2006, 06:39
Lo,
I'm actually coding such a tool for another purpose.
It's called Z3NJECT, at v0.1.1.3854.
I do this for defeating Themida inside its own process, which looks much more promising than fucking with the decreasing ring0 stuff in it.
I have not finished it yet but I hope I will this summer.
It will be publicly available then.
The injection feature of Z3NJECT won't be specialized to any protection, so you can use it for your own purposes.
Check out the project homepage in another few weeks, and keep your eyes open.
Cheers,
OHPen