Reverse engineering

Injecting spyware in an EXE (code injection)

Implanting malicious code in the form of spyware to an existing running process is one of the more sophisticated tasks. Before the advent of disassembler or patching tools, the malevolent code is usually invoked from the hard-core programming code, which is a very exhaustive process in itself, because we had gone through with programming code written especially in C or VC++. This paper demonstrates exclusively the invoking of a covert code along with the foremost executable by using OllyDbg and IDA Pro disassemblers. Such covert malicious code is triggered without the having the assent of the user; more precisely, the moment when the specific methods are executed from the leading EXE, the spyware becomes automatically activated surreptitiously.

[download]

Essential

The subsequent operation requires an exhaustive understanding of Hexadecimal Code and Assembly Programming. This operation lists the following tools of the trade as:

• The Victim Binary
• Spyware Executable
• OllyDbg
• IDA Pro Interactive Dissembler

The target binary (victim)

We shall deploy the spyware in a simple Game Registration executable to showcase the code injections mechanism. The Game Registration typically requires serial keys to validate the authentic copy of this product and register or enable the full version as shown below.

Figure 1.1: Target GUI

This EXE is chosen to be a victim infected with a covert spyware. It doesn't matter what is the actual name and serial keys of that program. We are in fact not provided with such sensitive information. The key matter of interest for the reverse engineer is the subsequent Error box which typically appears when a serial key is not validated.

Figure 1.2: Error Message in Target

This Error message box would become the entry point of the malicious covert code. The moment when the user is confronted with the aforesaid Error message box, the spyware becomes executed. That is what we are trying to achieve in this paper.

Spyware code

The following spyware program typically shows the machine name and IP address of the computer where it runs and sends back such critical information to the hacker server. We don't need to go into details of the spyware code. It could be any EXE program which injects into a binary. After compiling that code, it will look like as the following figure. It is showing a fake value of the computer name and IP address because crucial values are not disclosed due to a security point view.

Figure 1.3: The Spyware GUI

Victim binary analysis

One question might bother you: why do we need IDA Pro, while we can perform code injection using OllyDbg itself? IDA Pro assists you to identify the entry point instruction code of the jump statement from where the message box assembly instruction starts to execute. As we have described earlier, the prime matter of interest is to get the details about the message box activation code. Here, we can easily identify the first message box occurrence after the 0040115E offset. Well, this code manipulates a couple of other message boxes indeed. But we have to recognize the very first message box.

Figure 1.4: Message Box invoking instruction in Target

So, we will search at 0040115E offset in the OllyDbg to find the message box assembly code in order to modify it to suit our need. We can duly confirm the message box occurrence by placing a breakpoint at 0040115E in IDA Pro and start debugging. If we entered a short name, then the graph view of the assembly code clearly indicates the execution flow toward the message box code as follows:

Figure 1.5: Target Execution Flow

Spyware injection

Now, it's show time. Open the victim.exe binary in the OllyDbg to inject the spyware code. Here, the $ sign at offset 004015ED indicates the entry point of the executable as follows:

Figure 1.6: Target Entry Point in OllyDbg

Every executable has some empty space referred to as Code Caves where we can place or inject any external binary code. So, if you scroll down a little bit, you will easily identify the blank area named as DB 00 or NOP in the assembly code.

Figure 1.7: Empty Regions (Code caves) in Target

As from the aforesaid figure 1.7, the DB 00 instruction starts from the 00405188 offset. So, we shall place our external spyware code in these code caves. Select a couple code caves instructions and right click, choose Binary and then edit as follows:

Figure 1.8: Binary Editing in Target

NOTE: place both victim.exe and spyware.exe into single directory folder

Now, label the spyware program executable as spyware.exe in the ASCII box, as we have selected code caves from 0040518A, which means start editing from this instruction. Its corresponding hex code is automatically generated and placed at the 0040518A offset.

Figure 1.9: Placing Spyware Name in Target

NOTE: Assembly is strict Case-Sensitive language. So be cautious while entering the names in ASCII box.

After pressing the OK button in figure 1.9, some raw uncomprehend-able code is generated at offset 0040518A in the RED COLOR as follows:

Figure 1.10: Injected Spyware code in Target

Don't worry, just analyze the code by pressing CTRL+ A now, and this time, we get the original entered code which virtually shows the spyware victim.exe name as follows:

Figure 1.11: Analysis in Target

Now, we have to write the spyware offset address value into memory. However, move forward just one step and at offset 00405195, press space bar button. Here, we found assemble code box. Just enter PUSH 1 here and click on the Assemble button.

Figure 1.12: Injecting PUSH instruction Target

Again come to the 00405197 offset and press the space bar; here enter the PUSH 40518A code which pushes the spyware EXE instruction into memory.

Figure 1.13: Injecting Spyware name in PUSH

Here, notice that we are giving the reference of spyware.exe located at offset 0040518A to 00405198 as follows:

Figure 1.14: Giving Spyware name in PUSH

Our spyware program is having an *.exe format. So we have to instruct the Assembly code by calling the CALL WinExec instruction: we are injecting an external executable which has of course .exe extension.

Figure 1.15: Calling Exe in Assembly Language

After finishing with arbitrary code injection related to spyware, the modified assembly looks like the following:

Figure 1.16: Injected Assembly Code

Now we have to connect that new injected code with a message box occurrence instruction, otherwise it won't be executed. As referenced in figure 1.4, press CTRL +G and enter the 0040115E offset.

Figure 1.17: Jump to 0040115E via Expression

This action directly lets us reach the entry point of the first message box as follows. Here, we have to perform some significant modifications.

Figure 1.18: Message Box code entry point

Now, select the 0040115E offset and press space bar, then copy the JNB 00401189 instruction into the clipboard as follows:

Figure 1.19: Copy the code

Thereafter, come back to inject code by pressing the "-"(minus) button, there select offset 004051A1 to assemble new code and press the space button and paste the JNB 00401189 instruction. We shall discuss shortly what we are doing.

Figure 1.20: Paste instruction

Ok, now copy the offset address 00405196 in the clipboard from the First PUSH 1 in the new injected code.

Figure 1.21: Copy offsets

Again go to offset 0040115E where the message box code is located, select the instruction set at 0040115E, and press the space bar. Finally, replace the existing code with new. Assemble the JNB 00405196 instruction here.

Figure 1.22: Assemble instruction

So, what are we actually doing here? First we are giving the reference of the PUSH 1 instruction offset (00405196) to the jump instruction located at offset 0040115E. Secondly, pasting the JNB 00401189 instruction to the 004051A1 offset as follows:

Figure 1.23: Graph diagram of offsets jumping

Basically, the aforesaid figure indicates that after entering the user name and serial key in the victim.exe, first the error message box would display and then our spyware program would activate.

We have finished with the code injections tactics. Now make changes permanent and write the modified bytes into memory by right clicking on the ASM code and select the Copy to Executable option, where we choose All Modifications as follows:

Figure 1.24: Saving changes

Now, select the Copy all option in the forthcoming dialog box, which produces a separate dialog box as follows, where the final assemble code collectively resides.

Figure 1.25: New Assemble code

Finally, close the dialog box in figure 1.25. The moment you close the dialog box, the Save as dialog box appears and it asks to get new name to the patched EXE file. We shall provide victim_Patched.exe as follows:

Figure 1.26: Save As binary

Now, run the victim_Patched.exe and enter any fake values as a user name and serial key. It is obvious that such entered credentials are invalidated and an Error message would display.

Figure 1.27: Testing

The moment the Error message appears about invalid credentials and we move forward by clicking the OK button, the spyware program is automatically activated and shows the machine name and IP address on which it is running and later sends this information back to a remote server.

Figure 1.28: Spyware program

Final note

This article presents a step by step tutorial of injecting a malicious spyware program into any executable by using IDA Pro and OllyDbg. The IDA Pro was basically employed in order to identify the entry point message box occurrence and OllyDbg implanted the existing EXE. Basically, this tutorial demonstrates how to place an EXE into another EXE. The idea behind code injection is to identify the occurrence of an entry point which is referred to as a triggering point to an injected EXE, and later modify the JUMP statements in order to divert the execution toward the injected code.