Anti-Resource Editing

Apr 3rd, 2013
http://waleedassar.blogspot.com
http://www.twitter.com/waleedassar

----------------------------Anti-Resource Editing--------------------------
We can exploit bugs in the editors themselves to prevent tampering with our resources.
The interesting part here is that most resource editors have no idea how to parse non-typical (not even very non-typical) PE files. For example, some editors assume the resource section name must always be ".rsrc". Examples:

1) Resource Hacker

1a) Inserting a special resource to cause Resource Hacker to go into an infinite loop.
Demo: http://code.google.com/p/ollytlscatch/downloads/detail?name=antiResHacker.exe

1b) Inserting a special RT_STRING resource to cause Resource Hacker to crash.
Info: http://waleedassar.blogspot.com/2012/05/resource-hacker-heap-overflow.html

1c) It assumes the size of the "IMAGE_OPTIONAL_HEADER" structure is always SizeOf(IMAGE_OPTIONAL_HEADER), 0xE0 in hex, while it can be greater. Setting the size to a greater value causes Resource Hacker to discard the whole PE file.
Demo: http://code.google.com/p/ollytlscatch/downloads/detail?name=0x15DDs.exe

2) Restorator

2a) Same as 1c.
2b) Uses the "NumberOfRvaAndSizes" field, which can easily be forged to 0xFFFFFFFF. This causes Restorator to discard the whole PE file.
Demo: http://code.google.com/p/ollytlscatch/downloads/detail?name=0xFFFFFFFF.exe

2c) Assumes the resource section name must be ".rsrc". Change it to anything else and Restorator discards the whole PE.
Demo: http://code.google.com/p/ollytlscatch/downloads/detail?name=no.rsrc.exe

2d) Any resource section whose "Characteristics" field has IMAGE_SCN_CNT_UNINITIALIZED_DATA set among its other characteristics will be discarded by Restorator.
Demo: http://code.google.com/p/ollytlscatch/downloads/detail?name=UnIniSec.exe
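Added example, not part of the paste and not the author's code: a Python locator for the resource directory that handles each of the header quirks listed in 1c/2a, 2b, 2c and 2d the way a tolerant parser should (SizeOfOptionalHeader read from the file header, NumberOfRvaAndSizes clamped to 16 instead of trusted as an array length, section chosen by RVA range rather than by name, Characteristics recorded but not used as a rejection criterion), next to the naive lookup these editors effectively perform. The function names `locate_resource_directory`, `naive_locate` and `build_sample_pe` are my own; the PE image is constructed in memory with all four quirks set and is not a loadable program.

```python
import struct

IMAGE_DIRECTORY_ENTRY_RESOURCE = 2
IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_READ = 0x40000000


def locate_resource_directory(data):
    """Find the resource directory without the shortcuts the paste describes.

    Returns a dict with file offset, size, owning section name and its
    Characteristics, or None if the image carries no resource directory.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, file_hdr + 2)[0]
    # 1c/2a: take SizeOfOptionalHeader from the file header; never assume 0xE0.
    size_of_opt = struct.unpack_from("<H", data, file_hdr + 16)[0]
    opt = file_hdr + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32
        count_off, dir_off = opt + 92, opt + 96
    elif magic == 0x20B:      # PE32+
        count_off, dir_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    # 2b: NumberOfRvaAndSizes is untrusted input; clamp it rather than
    # treating a forged 0xFFFFFFFF as the length of the directory array.
    num_dirs = min(struct.unpack_from("<I", data, count_off)[0],
                   IMAGE_NUMBEROF_DIRECTORY_ENTRIES)
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_RESOURCE:
        return None
    res_rva, res_size = struct.unpack_from(
        "<II", data, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_RESOURCE)
    if res_rva == 0:
        return None
    # The section table starts right after the optional header, whatever its size.
    sections = opt + size_of_opt
    for i in range(num_sections):
        hdr = sections + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        characteristics = struct.unpack_from("<I", data, hdr + 36)[0]
        # 2c/2d: select by RVA range only; the name and the Characteristics
        # bits are reported back but are never grounds for rejecting the file.
        if va <= res_rva < va + max(vsize, raw_size):
            if res_rva - va >= raw_size:
                return None   # directory points into bss, nothing on disk
            return {"file_offset": raw_ptr + (res_rva - va), "size": res_size,
                    "section": name, "characteristics": characteristics}
    return None


def naive_locate(data):
    """The shortcut the editors above take: fixed 0xE0 header size and ".rsrc" name."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    sections = e_lfanew + 24 + 0xE0          # wrong whenever SizeOfOptionalHeader != 0xE0
    for i in range(num_sections):
        hdr = sections + 40 * i
        if data[hdr:hdr + 8].rstrip(b"\0") == b".rsrc":
            return struct.unpack_from("<I", data, hdr + 20)[0]
    return None


def build_sample_pe():
    """Constructed PE32 image (hypothetical, not runnable) with all four quirks set."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    opt_size = 0xF0                                              # 1c/2a: larger than 0xE0
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 92, 0xFFFFFFFF)                  # 2b: forged NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_RESOURCE, 0x1000, 0x40)
    # 2c: section is called ".data"; 2d: UNINITIALIZED_DATA bit set among the others.
    chars = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_READ
    sect = struct.pack("<8sIIIIIIHHI", b".data", 0x40, 0x1000, 0x200, 0x200, 0, 0, 0, 0, chars)
    headers = (dos + b"PE\0\0" + file_hdr + opt + sect).ljust(0x200, b"\0")
    resource = b"RSRCDATA".ljust(0x200, b"\0")                  # constructed payload bytes
    return bytes(headers + resource)


if __name__ == "__main__":
    image = build_sample_pe()
    print("tolerant parser:", locate_resource_directory(image))
    print("naive lookup:   ", naive_locate(image))
```

On the constructed image the tolerant parser reports the directory at file offset 0x200 inside ".data", while `naive_locate` returns None, which is the "discard the whole PE" behaviour the paste attributes to the editors. The same structure-driven walk (e_lfanew, then SizeOfOptionalHeader, then the directory entry, then an RVA-to-section lookup) is what a scanner or unpacker should use when it must not be thrown off by these header tricks.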