Tiny PE - The Frenzy Ends!
Tuesday 17th October, 2006 09:44 Comments: 2
I know you lot think I'm a geek, but sometimes I come across people that are far worse than me, like these guys that are trying to make a very small executable that will download and execute a file (notepad.exe in this case). For some reason I also found it quite cool and interesting. Here's a snippet of the conversation that they had:
Arkon: The problem with that URLDownloadToFileA is that it creates another thread,
Arkon: and that thread never terminates for some unknown reason to me.
Arkon: So I HAD to call ExitProcess and finish it, otherwise my process will hang.
Arkon: But now what I'm going to do is raising a silent exception
Matthew: Just blow away the SEH chain and trigger an INT3.
Arkon: It will eliminate the string "ExitProcess" and the GetProcAddress code for it as well.
Matthew:
MOV FS:[0], 0xFFFFFFFF
INT3
Matthew: BAM! Instant process death...
Arkon: This is too long.
Matthew:
PUSH 0
POP FS:[0]
Arkon: Nah
Matthew: XOR ESP, ESP might also do the trick
Arkon: LOL!!!
Matthew:
XOR ESP, ESP
PUSH EAX
Arkon:
XCHG EAX, ESP
PUSH 0
Arkon: Wait I'm stupid, push 0 is 2 bytes long.
Arkon:
XCHG EAX, ESP
PUSH EAX
Arkon: 2 bytes ExitProcess OMFG
Matthew: You're a maniac
The file size is a mere 384 bytes, with 99% of all the spare room in the file used. You can see it here: http://ragestorm.net/tiny/tiny2.exe
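The downloader in the conversation above leans on URLDownloadToFileA, GetProcAddress and ExitProcess and fits in 384 bytes; from the defender's side the interesting question is what such a file looks like to a PE parser. The Python script below is an added example, not code from this page or from ragestorm.net: it parses the DOS, COFF and optional headers, walks the import table (falling back to a 1:1 RVA-to-file-offset mapping when the file has no sections, as tiny PEs often do), and raises a few triage flags. The 1024-byte threshold, the WATCHED_IMPORTS list and the constructed sample image (laid out for the parser, not built to be loaded by Windows) are my assumptions.

```python
"""Triage heuristics for tiny PE files (added example; thresholds and sample image are assumptions)."""
import struct

TINY_THRESHOLD = 1024                  # heuristic size cut-off in bytes (assumption)
# APIs the conversation names as what a tiny downloader needs (watch list is an assumption)
WATCHED_IMPORTS = {"URLDownloadToFileA", "GetProcAddress", "ExitProcess"}


def _cstr(data, off):
    """Read a NUL-terminated ASCII string at file offset `off`."""
    end = data.find(b"\0", off)
    return data[off:end if end >= 0 else len(data)].decode("ascii", "replace")


def parse_pe(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers and walk the import table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                     # PE32
        dirs, tsize, ord_flag = opt + 96, 4, 1 << 31
    elif magic == 0x20B:                                   # PE32+
        dirs, tsize, ord_flag = opt + 112, 8, 1 << 63
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]    # NumberOfRvaAndSizes
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
                for i in range(nsec)]

    def rva_to_off(rva):
        for _name, vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        return rva   # no covering section: assume headers are mapped 1:1 (typical of tiny PEs)

    imports = []
    imp_rva = struct.unpack_from("<I", data, dirs + 8)[0] if ndirs > 1 else 0
    desc = rva_to_off(imp_rva) if imp_rva else len(data)
    while desc + 20 <= len(data):                          # IMAGE_IMPORT_DESCRIPTOR walk
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if not (oft or name_rva or ft):
            break                                          # all-zero terminator
        dll = _cstr(data, rva_to_off(name_rva))
        thunk = rva_to_off(oft or ft)
        while thunk + tsize <= len(data):
            val = struct.unpack_from("<I" if tsize == 4 else "<Q", data, thunk)[0]
            if val == 0:
                break
            sym = ("#%d" % (val & 0xFFFF)) if val & ord_flag else _cstr(data, rva_to_off(val) + 2)
            imports.append((dll, sym))
            thunk += tsize
        desc += 20
    return {"size": len(data), "e_lfanew": pe, "sections": nsec,
            "import_rva": imp_rva, "imports": imports}


def triage(data: bytes) -> list:
    """Return the heuristic flags raised for one file."""
    info = parse_pe(data)
    flags = []
    if info["size"] < TINY_THRESHOLD:
        flags.append("tiny:%d bytes" % info["size"])
    if info["e_lfanew"] < 0x40:
        flags.append("pe_header_overlaps_dos_header")        # headers folded into each other
    if info["sections"] == 0:
        flags.append("no_sections")
    if not info["import_rva"]:
        flags.append("no_import_table")                      # imports resolved at run time instead
    for dll, sym in info["imports"]:
        if sym in WATCHED_IMPORTS:
            flags.append("watched_import:%s!%s" % (dll, sym))
    return flags


def build_sample_pe() -> bytes:
    """Constructed PE32 image for the parser: zero sections, import table placed so RVA == file offset.
    It exists only to exercise parse_pe(); it is not a loadable executable."""
    img = bytearray(0x40)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                                     # e_lfanew
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x102)  # COFF header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                       # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                                         # NumberOfRvaAndSizes
    hdr_len = len(img) + len(opt)
    tail = bytearray()

    def place(blob):          # append after the 60-byte descriptor table, 4-byte aligned
        off = hdr_len + 60 + len(tail)
        tail.extend(blob + b"\0" * (-len(blob) % 4))
        return off

    urlmon, k32 = place(b"urlmon.dll\0"), place(b"kernel32.dll\0")
    dl_name, gpa_name = place(b"\0\0URLDownloadToFileA\0"), place(b"\0\0GetProcAddress\0")
    urlmon_thunks = place(struct.pack("<II", dl_name, 0))
    k32_thunks = place(struct.pack("<II", gpa_name, 0))
    descs = struct.pack("<IIIII", urlmon_thunks, 0, 0, urlmon, urlmon_thunks)
    descs += struct.pack("<IIIII", k32_thunks, 0, 0, k32, k32_thunks) + bytes(20)
    struct.pack_into("<II", opt, 96 + 8, hdr_len, len(descs))                   # import directory
    return bytes(img + opt + descs + tail)


if __name__ == "__main__":
    for flag in triage(build_sample_pe()):
        print(flag)
```

Run against the constructed image it reports `tiny:460 bytes`, `no_sections` and a `watched_import` flag for each of the two APIs. A sample whose API names are obfuscated and resolved at run time would show nothing in the import table, which is exactly why the size, section and `no_import_table` flags carry weight on their own rather than only the import names.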
Yamahito - Tuesday 17th October, 2006 10:05
What for?
What for what? :S
I don't think they really said exactly why ("It all began a few days ago, a few friends challenged me to write a smaller PE executable than theirs"). I presume it's a proof of concept to show just how small trojans can be that will download and execute further programs ("It might sound fairly easy at first, but it's not, and there is merely one simple goal: Grab a file from the Internet and execute it."), and with all the strings obfuscated and very little code, it'd be difficult to accurately block with anti-virus signatures.