waliedassar

Anti-Resource Editing

Apr 3rd, 2013
http://waleedassar.blogspot.com
http://www.twitter.com/waleedassar

----------------------------Anti-Resource Editing--------------------------

We can exploit bugs in the editors themselves to prevent tampering with our resources.
The interesting part here is that most resource editors have no idea how to parse non-typical (and not even very non-typical) PE files. For example, some editors assume the resource section name must always be ".rsrc". Examples:

1) Resource Hacker

1a) Inserting a special resource causes Resource Hacker to go into an infinite loop.
Demo: http://code.google.com/p/ollytlscatch/downloads/detail?name=antiResHacker.exe

1b) Inserting a special RT_STRING resource causes Resource Hacker to crash.
Info: http://waleedassar.blogspot.com/2012/05/resource-hacker-heap-overflow.html

1c) It assumes the size of the "IMAGE_OPTIONAL_HEADER" structure is always SizeOf(IMAGE_OPTIONAL_HEADER), 0xE0 in hex, while it can actually be greater. Setting the size to a greater value causes Resource Hacker to discard the whole PE file.
Demo: http://code.google.com/p/ollytlscatch/downloads/detail?name=0x15DDs.exe

2) Restorator

2a) Same as 1c.
2b) Uses the "NumberOfRvaAndSizes" field, which can easily be forged to 0xFFFFFFFF. This causes Restorator to discard the whole PE file.
Demo: http://code.google.com/p/ollytlscatch/downloads/detail?name=0xFFFFFFFF.exe

2c) Assumes the resource section name must be ".rsrc". Change it to anything else and Restorator discards the whole PE.
Demo: http://code.google.com/p/ollytlscatch/downloads/detail?name=no.rsrc.exe

2d) Any resource section with the "Characteristics" field set to IMAGE_SCN_CNT_UNINITIALIZED_DATA (among other characteristics) will be discarded by Restorator.
Demo: http://code.google.com/p/ollytlscatch/downloads/detail?name=UnIniSec.exe
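A resource locator that does not share the assumptions in 1c, 2b, 2c and 2d above, as an added example (not code from the original paste): it walks to the section table via SizeOfOptionalHeader instead of a fixed 0xE0, caps NumberOfRvaAndSizes at the 16 directory entries the loader consults, and finds the owning section by address range rather than by the name ".rsrc", reporting its Characteristics so an uninitialized-data flag is visible but not fatal. The `build_pe` helper and its field values are constructed here for the demo; it emits a header-only PE32 image, not a loadable program.

```python
import struct

IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
NUMBER_OF_DIRECTORY_ENTRIES = 16  # the loader never consults more than 16 data directories

def locate_resource_dir(data):
    """Return (rva, size, section name, section characteristics) of the resource
    directory, or None. No '.rsrc' name check, no fixed optional-header size,
    and a forged NumberOfRvaAndSizes is clamped instead of trusted."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, fh + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, fh + 16)[0]
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    nrva_off = 0x5C if magic == 0x10B else 0x6C         # PE32 vs PE32+ layout
    nrva = min(struct.unpack_from("<I", data, opt + nrva_off)[0], NUMBER_OF_DIRECTORY_ENTRIES)
    if nrva <= 2:                                       # no resource directory entry at all
        return None
    res_rva, res_size = struct.unpack_from("<II", data, opt + nrva_off + 4 + 2 * 8)
    sec_table = opt + size_of_opt                       # honour the header's own size, not 0xE0
    for i in range(num_sections):
        name, vsize, va, rawsize, *_, chars = struct.unpack_from("<8sIIIIIIHHI", data, sec_table + 40 * i)
        if va <= res_rva < va + max(vsize, rawsize):    # pick the section by address range
            return res_rva, res_size, name.rstrip(b"\0").decode("ascii"), chars
    return None

def build_pe(sec_name=b".rsrc", size_of_opt=0xE0, nrva=16, chars=0x40000040):
    """Constructed header-only PE32 image for testing (one section at RVA 0x2000)."""
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    file_hdr = struct.pack("<IHHIIIHH", 0x00004550, 0x14C, 1, 0, 0, 0, size_of_opt, 0x102)
    opt = bytearray(size_of_opt)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 0x5C, nrva)             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 0x60 + 2 * 8, 0x2000, 0x100)  # resource data directory entry
    sec = struct.pack("<8sIIIIIIHHI", sec_name, 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, chars)
    return bytes(dos) + file_hdr + bytes(opt) + sec

if __name__ == "__main__":
    for kw in ({}, {"sec_name": b".data0"}, {"size_of_opt": 0x15D},
               {"nrva": 0xFFFFFFFF}, {"chars": 0x40000040 | IMAGE_SCN_CNT_UNINITIALIZED_DATA}):
        print(kw, locate_resource_dir(build_pe(**kw)))
```

Each of the four variants in the `__main__` loop mirrors one of the demo files above, and all of them resolve to the same resource directory.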