Many in-memory payloads and implants use the tried and true technique
pioneered by Stephen Fewer for "reflectively" loading a PE file into memory.
This technique is fantastic and allows tools to take a blob in memory and load
it as if it were a PE file existing on disk.
What will be outlined in this talk is a technique to reverse this process and go
from having an image loaded in memory to having a PE blob in memory suitable for
writing to disk. This creates an exact byte-for-byte copy of an image suitable
for being loaded back into memory (either reflectively or through the Windows
system loader) and repeating the process.
This could be used, for example, to have a payload which is running in memory
copy itself out and write itself to an arbitrary location for persistence
without having to download a fresh copy from the network or keep an original in
memory.
The talk will focus on the technical challenges that were present while
developing the technique, and describe the differences between a PE file as it
exists on disk and as it is loaded in memory. Proof of concept code for the
x86 and x86-64 architectures will be released and demonstrated.
Spencer McIntyre works for SecureState consulting doing R&D. He is an avid open source contributor and Python enthusiast.
Copyright 2020, IronGeek