PE32+ executable : .text segment encryption

Reverse Engineering Asked by AcCoder on July 9, 2021

I am working on PE segment encryption (in C++). I completed the PE32 .text segment encryption. I added a stub segment to the PE that will decrypt the .text segment at runtime. I used inline assembly in the stub function. But I can't implement the same method in a PE32+ executable (64-bit exe) as it won't support inline assembly. I am able to add the stub and encrypt the text segment.

The issue is with the decryption logic in the stub.

I tried adding separate .asm files but failed as I am new to assembly language.
Is it possible to do without assembly language? Please help me with any good documentation or samples on PE32+ segment encryption.

2 Answers

If you're going to use assembly stubs, you can just patch them directly into the binary. You don't really need to use C++ to do that for you.
To do that for both 32- and 64-bit, you can use CreateFile, CreateFileMapping, and MapViewOfFile. This will allow you to dump the .text section, basically all sections, of the PE and you can do whatever you want to it. Then you can add a function to decrypt it or whatever and/or write a stub to do the decrypting portion of it in a space big enough to fit that stub, or just add another section to the PE.

Answered by Jon on July 9, 2021

You don't need assembly language to add a decoder stub for the .text section. You can just write the code in C/C++, compile it as a position-independent executable and extract the only .text section it'll have. After that you can just use a normal PE editor (CFF Explorer is pretty robust) to manually add the .stub section and paste in the content of the .text section extracted from your position-independent compiled code. If you don't want to go to the trouble of creating position-independent code, you can just use position-independent shellcode available on GitHub.

Answered by rustam Shirinov on July 9, 2021
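Both answers describe the same construction: the original .text section is replaced by ciphertext, an extra section (".stub" in the second answer) holds the decryptor, and the entry point is moved into it. Whatever the stub is written in, that layout leaves static marks in the PE headers that a defender can check without running the file: the entry point RVA falls outside .text, the section that gets decrypted in place must be writable as well as executable, and a code section full of ciphertext has byte entropy far above that of compiled x86-64 code. The following triage script is an added example, not code from the question or either answer, and it is in Python rather than the asker's C++ because that is what a practitioner would use for static PE triage. It parses the COFF and optional headers and the section table by hand (offsets from the PE/COFF specification), builds two constructed in-memory PE32+ images (a clean one and a packed one with a .stub section; neither is a runnable program) and reports the three indicators. The 7.0 entropy threshold and the section name ".stub" are assumptions; a packer that keeps .text read-only and calls VirtualProtect at runtime would not trip the RWX check, so treat the findings as signals to combine, not as proof.

```python
import math
import random
import struct
from collections import Counter
from typing import List

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0); compiled code is usually well below 7."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes):
    """Return (optional-header magic, entry point RVA, section list) from a raw PE image."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]             # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, pe + 6)[0]  # COFF NumberOfSections
    size_opt = struct.unpack_from("<H", image, pe + 20)[0]     # COFF SizeOfOptionalHeader
    magic = struct.unpack_from("<H", image, pe + 24)[0]        # 0x10B = PE32, 0x20B = PE32+
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", image, pe + 24 + 16)[0]  # AddressOfEntryPoint
    table = pe + 24 + size_opt                                 # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                                   # IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, off + 8)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        sections.append({"name": name, "va": va, "vsize": vsize, "chars": chars,
                         "raw": image[raw_ptr:raw_ptr + raw_size]})
    return magic, entry_rva, sections


def triage(image: bytes, entropy_threshold: float = 7.0) -> List[str]:
    """Static indicators of an in-place decrypted code section; returns human-readable findings."""
    _, entry_rva, sections = parse_sections(image)
    findings = []
    holder = next((s for s in sections
                   if s["va"] <= entry_rva < s["va"] + max(s["vsize"], len(s["raw"]))), None)
    if holder is None:
        findings.append("entry point 0x%x lies outside every section" % entry_rva)
    elif holder["name"] != ".text":
        findings.append("entry point 0x%x is in section %s, not .text (possible unpacking stub)"
                        % (entry_rva, holder["name"]))
    for s in sections:
        is_code = s["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
        if is_code and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append("section %s is executable and writable (self-modifying code pattern)" % s["name"])
        if is_code:
            ent = shannon_entropy(s["raw"])
            if ent > entropy_threshold:
                findings.append("code section %s has entropy %.2f (> %.1f); likely encrypted or compressed"
                                % (s["name"], ent, entropy_threshold))
    return findings


def build_sample_pe(packed: bool) -> bytes:
    """Constructed minimal PE32+ image for testing the checks above (headers only; it does not run)."""
    TEXT_VA, STUB_VA, TEXT_RAW, STUB_RAW, RAW_SIZE = 0x1000, 0x2000, 0x400, 0x800, 0x400
    plain_code = bytes(range(0, 256, 8)) * (RAW_SIZE // 32)   # 32 distinct byte values: entropy exactly 5.0
    stub_code = bytes(range(0, 256, 16)) * (RAW_SIZE // 16)   # 16 distinct byte values: entropy exactly 4.0
    if packed:
        rng = random.Random(1234)                              # deterministic stand-in for ciphertext
        text_data = bytes(rng.getrandbits(8) for _ in range(RAW_SIZE))
        text_chars = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
        entry = STUB_VA                                        # stub runs first, then jumps into decrypted .text
    else:
        text_data = plain_code
        text_chars = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
        entry = TEXT_VA + 0x10
    sections = [(b".text", TEXT_VA, TEXT_RAW, text_chars, text_data)]
    if packed:
        sections.append((b".stub", STUB_VA, STUB_RAW,
                         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, stub_code))
    image = bytearray(0x40)                                    # DOS header with e_lfanew -> 0x40
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)
    image += b"PE\0\0"
    # COFF header: Machine=AMD64, NumberOfSections, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader, Characteristics
    image += struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0xF0, 0x22)
    opt = bytearray(0xF0)                                      # PE32+ optional header, mostly zeroed
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 16, entry)
    image += opt
    for name, va, raw_ptr, chars, data in sections:
        image += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(data), va, len(data), raw_ptr, 0, 0, 0, 0, chars)
    image = image.ljust(STUB_RAW + RAW_SIZE, b"\0")
    for _, _, raw_ptr, _, data in sections:
        image[raw_ptr:raw_ptr + len(data)] = data
    return bytes(image)


if __name__ == "__main__":
    for label in ("clean", "packed"):
        print(label, triage(build_sample_pe(packed=(label == "packed"))) or ["no findings"])
```

Running the script prints no findings for the clean image and three for the packed one (entry point in .stub, .text RWX, .text entropy near 7.8). On a real file, replace `build_sample_pe(...)` with the bytes read from disk; the parser only touches headers and section raw data, so it is safe to run over untrusted samples.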
