Single cave

The remaining 2096 filled of 0 bytes are called Code cave .

Once you have mastered the concept of caves tails, and because these are generated, go to see how to inject shellcode inside of the same, illustrating the technique. To enumerate caves code in PE, we can use tools such as

Cminer

(Github.com/EgeBalci/Cminer). We can run them manually using the API Windows documented on MSDN (or the format that interests us with relative documentation), but not to extend further (would require a separate document) We will use tool create a for this purpose, come Cminer e Backdoor-Factory (github.com/secretsquirrel/the-backdoor-factory).

The injection into one 'cave' of code can only be applied in the case we could find a section with enough bytes of caves queues, such as to insert ourselves the complete shellcode, and return at normal running.

Therefore, in the case it had any shellcode written individually (or found in the network) n Therefore, in the case it had any shellcode written individually (or found in the network) n

Therefore, in the case it had any shellcode written individually (or found in the network) n byte, we should make sure of a queue quarries that can integrally contain (in case Conversely, one can resort to the use of multiple caves , treated later). But before moving on to practice, we illustrate graphically Conversely, one can resort to the use of multiple caves , treated later). But before moving on to practice, we illustrate graphically Conversely, one can resort to the use of multiple caves , treated later). But before moving on to practice, we illustrate graphically Conversely, one can resort to the use of multiple caves , treated later). But before moving on to practice, we illustrate graphically Conversely, one can resort to the use of multiple caves , treated later). But before moving on to practice, we illustrate graphically

what we're going to apply, with

explanation:

The arrows show jumps

Section one we can identify as the section . text already seen previously. In Section one we can identify as the section . text already seen previously. In Section one we can identify as the section . text already seen previously. In

Section one we can identify as the section . text already seen previously. In position 2 (2 square, the red rectangle) we have the first instruction in the program, which It will be aggregated at the end of the shellcode, before the jump to the second original instruction.

AddressOfEntryPoint ( present in the header of PE and other executable formats) indicates the address of

AddressOfEntryPoint ( present in the header of PE and other executable formats) indicates the address of 'Entry' of the program, which is nothing but the first instruction to be executed. In the case of 'normal' program, our education would

have been in position 2

(Square 2), but since we have to run our shellcode, the first will be a jmp (Square 2), but since we have to run our shellcode, the first will be a jmp

(Square 2), but since we have to run our shellcode, the first will be a jmp the address of the first instruction of the shellcode.

Thus, once injected shellcode in a code quarries and changed the first instruction at a jump on the shellcode, we will find at the end of this aggregate the first original instruction, and a jump to the second.

In this manner, the shellcode is executed when the program starts without affecting anything for its operation.

Summarizing what was said in two brief points:

1) In a code quarries is injected shellcode with at the end of the first original instruction;

2) The shellcode is executed, but at the end of this there must be a jmp 2) The shellcode is executed, but at the end of this there must be a jmp

2) The shellcode is executed, but at the end of this there must be a jmp

<IndirizzoSecondaIstruzioneOriginale> to resume normal execution flow.

The advantage of this technique is that the header of the executable remain unchanged from the original, as well as the size.

To automate can be used, as shown below, backdoor-factory .

The parameters used:

● f specifies the file to be used; f specifies the file to be used; f specifies the file to be used;

● shell specifies the type of shellcode to use. We can use one part of theshell specifies the type of shellcode to use. We can use one part of the tool ( -- shell show to see the available payload). Or manually import one

tool ( -- shell show to see the available payload). Or manually import one tool ( -- shell show to see the available payload). Or manually import one

tool ( -- shell show to see the available payload). Or manually import one using the parameter (BOO);

using the parameter (BOO);

● H e P respectively specify the IP address and the port for the reverse shell; H e P respectively specify the IP address and the port for the reverse shell; H e P respectively specify the IP address and the port for the reverse shell; H e P respectively specify the IP address and the port for the reverse shell; H e P respectively specify the IP address and the port for the reverse shell; H e P respectively specify the IP address and the port for the reverse shell; H e P respectively specify the IP address and the port for the reverse shell;

● w He adds privileges RWX to the sections where the shellcode is injected, in a mannerw He adds privileges RWX to the sections where the shellcode is injected, in a mannerw He adds privileges RWX to the sections where the shellcode is injected, in a manner that can be executed without problems;

● FROM resets the signature of the header of the PE program. Useful for bypass controlFROM resets the signature of the header of the PE program. Useful for bypass controlFROM resets the signature of the header of the PE program. Useful for bypass control firma in Windows.

There will then be prompted interactively cavities that we are interested in, in this case we will choose the 1:

As a result, the two md5 file original and amended, will be different:

In document Fully Undetectable Malware (Page 66-69)