Backdooring PE (Portable Executable) files is a technique often used by attackers to gain unauthorized access to a system. In this context, a "backdoor" refers to a method of bypassing normal authentication or encryption in a computer system, a product, or an embedded device (often for remote control or to extract information). In the context of PE files, this usually involves modifying a legitimate file in such a way that it executes malicious code, typically without affecting the file's normal operation.
Here are some techniques that attackers might use to backdoor PE files:
- Code Cave Injection: A "code cave" is a region of a PE file that is not used by its normal operations, such as a run of null bytes or alignment padding between the end of a section's real contents and its file-aligned size. An attacker can place their malicious code into this unused space and then modify the file's execution flow to jump to their code and back again. This method is often used because it does not increase the size of the PE file, which can help evade detection.
- Section Injection: This involves adding a new section to the PE file to hold the malicious code. This method is simpler than code cave injection, but it increases the size of the PE file and requires more modifications to the PE header (section count, image size, section table), which could attract attention.
- Import Table/Appending Code: The Import Table of a PE file lists the external functions that the file uses. By adding entries to the Import Table, an attacker can cause their malicious code to be executed when one of these functions is called. Alternatively, an attacker could append their malicious code to the end of an existing function.
- Export Table: If the PE file is a DLL that exports functions for other programs to use, an attacker could modify these functions to include malicious code.
- TLS (Thread Local Storage) callbacks: TLS callbacks are functions that the Windows loader executes automatically when the process starts and whenever a thread is created or exits in the context of the process. An attacker can add a TLS callback that points to their malicious code, causing it to be executed before the program's entry point is reached.
- Resource Modification: The Resources section (.rsrc) of a PE file can be used to store additional data or code. By placing their malicious code in this section and modifying the execution flow, an attacker can execute their code.
- API hooking: This technique involves modifying the PE file so that the addresses used for API calls (for example, the Import Address Table entries) point to malicious code instead of the intended functions.