I am working on PE32+ .text segment encryption. I have added the .stub segment and encrypted the .text segment. I am trying to load the PE sections into memory, decrypt the .text segment there and execute it from memory at runtime. But I'm not able to add this logic to the stub.
I found many articles for 32-bit encryption using assembly language. Is it possible to do it without assembly language for a 64-bit PE? Please help me to do it in C++.

What I have tried:

void (*stub_addr)(void) = stub_fun; // stub_fun is the function to add the
                                    // decryption logic in the .stub segment
unsigned int stub_size = get_stub_size(stub_addr);

//added .stub segment as follows
PIMAGE_DOS_HEADER dos_header = (PIMAGE_DOS_HEADER)image_addr;
if (dos_header->e_magic != 0x5A4D) 
{
        return NULL;
}
PIMAGE_NT_HEADERS nt_headers = (PIMAGE_NT_HEADERS)((DWORD_PTR)dos_header +  
            dos_header->e_lfanew);
const int name_max_length = 8;
PIMAGE_SECTION_HEADER last_section = IMAGE_FIRST_SECTION(nt_headers) +     
            (nt_headers->FileHeader.NumberOfSections - 1);
PIMAGE_SECTION_HEADER new_section = IMAGE_FIRST_SECTION(nt_headers) +      
            (nt_headers->FileHeader.NumberOfSections);
memset(new_section, 0, sizeof(IMAGE_SECTION_HEADER));
new_section->Characteristics = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE | 
            IMAGE_SCN_CNT_CODE;
memcpy(new_section->Name, section_name, name_max_length);
new_section->Misc.VirtualSize = section_size;
new_section->PointerToRawData = align_to_boundary(last_section->PointerToRawData +
            last_section->SizeOfRawData,
            nt_headers->OptionalHeader.FileAlignment);
new_section->SizeOfRawData = align_to_boundary(section_size,
            nt_headers->OptionalHeader.SectionAlignment);
new_section->VirtualAddress = align_to_boundary(last_section->VirtualAddress +
            last_section->Misc.VirtualSize,
            nt_headers->OptionalHeader.SectionAlignment);
nt_headers->OptionalHeader.SizeOfImage = new_section->VirtualAddress +
            new_section->Misc.VirtualSize;
nt_headers->FileHeader.NumberOfSections++;

//Changed the entry point to the stub and encrypted the .text segment.
//Now I am confused about how to add the decryption logic in the .stub segment.

#pragma code_seg(".stub")
void stub_fun () {
//How to load the PE32+ to the memory, decrypt the .text segment and run it from memory.
//Trying in C++ without using assembly language
}
Updated 13-Nov-19 14:17pm
Comments
Richard MacCutchan 13-Nov-19 4:44am
   
Not enough information in your question. Please elaborate and show any code that is not working correctly.
PECoder 13-Nov-19 6:17am
   
Thank you for the reply. I have added the code which I am trying. I read many articles on PE32 (32-bit) .text segment encryption that use inline assembly in the stub function. I can't use inline asm as 64-bit won't support it and I am new to assembly language. Please guide me with some good materials or sample code.
PECoder 14-Nov-19 0:06am
   
I am trying to do it without assembly language. I'm trying CreateFileMapping, OpenFileMapping and MapViewOfFile to load the PE to memory.
Is it possible to run the mapped PE from the memory itself, using the handle returned from MapViewOfFile?
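
Seen from the defender's side, the layout described in the question (entry point moved into an appended .stub section, .text stored encrypted) leaves static traces in the file. The following is an added example, not code from the original post: a Python triage function that flags both traces in a PE32+ file. The names `triage` and `build_sample`, the 7.0 entropy threshold and the sample bytes are assumptions constructed for illustration.

```python
import math, struct
from collections import Counter

EXEC = 0x20000000  # IMAGE_SCN_MEM_EXECUTE

def entropy(data):
    """Shannon entropy in bits per byte; ciphertext sits close to 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage(pe, threshold=7.0):
    """Return static packing indicators for a PE32+ file held in bytes."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]              # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    magic, entry = struct.unpack_from("<H14xI", pe, nt + 24)  # Magic, AddressOfEntryPoint
    if magic != 0x20B:
        raise ValueError("not PE32+")
    findings = []
    for i in range(nsec):
        off = nt + 24 + opt_size + 40 * i                   # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rsize, rptr, flags = struct.unpack_from("<8sIIII12xI", pe, off)
        name = name.rstrip(b"\0").decode("latin-1")
        if va <= entry < va + max(vsize, rsize) and name != ".text":
            findings.append(f"entry point 0x{entry:x} is in {name}, not .text")
        if flags & EXEC and entropy(pe[rptr:rptr + rsize]) > threshold:
            findings.append(f"executable section {name} has high entropy")
    return findings

def build_sample(packed):
    """Constructed PE32+ headers with .text and .stub sections (test data, not a runnable program)."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH12xH", img, 0x84, 0x8664, 2, 240)  # machine, section count, optional header size
    struct.pack_into("<H14xI", img, 0x98, 0x20B, 0x2000 if packed else 0x1000)
    for i, (name, va) in enumerate(((b".text", 0x1000), (b".stub", 0x2000))):
        struct.pack_into("<8sIIII12xI", img, 0x188 + 40 * i,
                         name, 512, va, 512, 0x400 + 512 * i, 0x60000020)
    # Uniform byte values stand in for ciphertext; a repeated 4-byte pattern stands in for plain code.
    text = bytes(range(256)) * 2 if packed else b"\x48\x89\xe5\xc3" * 128
    return bytes(img) + text + b"\xc3" + bytes(511)
```

Both checks are heuristics: commercial protectors and compressors produce the same indicators, so a hit is a reason to look closer, not a verdict.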

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)