Professional Documents
Culture Documents
Implanting malicious code in the form of spyware to an existing running process is one of the more
sophisticated tasks. Before the advent of disassembler or patching tools, the malevolent code is usually
invoked from the hard-core programming code, which is a very exhaustive process in itself, because we
had gone through with programming code written especially in C or VC++. This paper demonstrates
exclusively the invoking of a covert code along with the foremost executable by using OllyDbg and IDA
Pro disassemblers. Such covert malicious code is triggered without the having the assent of the user;
more precisely, the moment when the specific methods are executed from the leading EXE, the
spyware becomes automatically activated surreptitiously.
Essential
The subsequent operation requires an exhaustive understanding of Hexadecimal Code and Assembly
Programming. This operation lists the following tools of the trade as:
We shall deploy the spyware in a simple Game Registration executable to showcase the code injections
mechanism. The Game Registration typically requires serial keys to validate the authentic copy of this
product and register or enable the full version as shown below.
This Error message box would become the entry point of the malicious covert code. The moment when
the user is confronted with the aforesaid Error message box, the spyware becomes executed. That is
what we are trying to achieve in this paper.
Spyware Code
The following spyware program typically shows the machine name and IP address of the computer
where it runs and sends back such critical information to the hacker server. We don’t need to go into
details of the spyware code. It could be any EXE program which injects into a binary. After compiling
that code, it will look like as the following figure. It is showing a fake value of the computer name and IP
address because crucial values are not disclosed due to a security point view.
One question might bother you: why do we need IDA Pro, while we can perform code injection using
OllyDbg itself? IDA Pro assists you to identify the entry point instruction code of the jump statement
from where the message box assembly instruction starts to execute. As we have described earlier, the
prime matter of interest is to get the details about the message box activation code. Here, we can easily
identify the first message box occurrence after the 0040115E offset. Well, this code manipulates a couple
of other message boxes indeed. But we have to recognize the very first message box.
So, we will search at 0040115E offset in the OllyDbg to find the message box assembly code in order to
modify it to suit our need. We can duly confirm the message box occurrence by placing a breakpoint at
0040115E in IDA Pro and start debugging. If we entered a short name, then the graph view of the
assembly code clearly indicates the execution flow toward the message box code as follows:
Spyware Injection
Now, it’s show time. Open the victim.exe binary in the OllyDbg to inject the spyware code. Here, the $
sign at offset 004015ED indicates the entry point of the executable as follows:
Figure 1.6: Target Entry Point in OllyDbg
Every executable has some empty space referred to as Code Caves where we can place or inject any
external binary code. So, if you scroll down a little bit, you will easily identify the blank area named as DB
00 or NOP in the assembly code.
NOTE: Some time assembly code hides the form of DB 00 instructions code caves. So press CTRL+A to unhide them.
As from the aforesaid figure 1.7, the DB 00 instruction starts from the 00405188 offset. So, we shall place
our external spyware code in these code caves. Select a couple code caves instructions and right click,
choose Binary and then edit as follows:
Figure 1.8: Binary Editing in Target
NOTE: place both victim.exe and spyware.exe into single directory folder
Now, label the spyware program executable as spyware.exe in the ASCII box, as we have selected
code caves from 0040518A, which means start editing from this instruction. Its corresponding hex code
is automatically generated and placed at the 0040518A offset.
NOTE: Assembly is strict Case-Sensitive language. So be cautious while entering the names in ASCII
box.
After pressing the OK button in figure 1.9, some raw uncomprehend-able code is generated at offset
0040518A in the RED COLOR as follows:
Don’t worry, just analyze the code by pressing CTRL+ A now, and this time, we get the original entered
code which virtually shows the spyware victim.exe name as follows:
Figure 1.11: Analysis in Target
Now, we have to write the spyware offset address value into memory. However, move forward just one
step and at offset 00405195, press space bar button. Here, we found assemble code box. Just enter PUSH
1 here and click on the Assemble button.
Again come to the 00405197 offset and press the space bar; here enter the PUSH 40518A code which
pushes the spyware EXE instruction into memory.
Here, notice that we are giving the reference of spyware.exe located at offset 0040518A to 00405198 as
follows:
Our spyware program is having an *.exe format. So we have to instruct the Assembly code by calling the
CALL WinExec instruction: we are injecting an external executable which has of course .exe extension.
Figure 1.15: Calling Exe in Assembly Language
After finishing with arbitrary code injection related to spyware, the modified assembly looks like the
following:
Now we have to connect that new injected code with a message box occurrence instruction, otherwise it
won’t be executed. As referenced in figure 1.4, press CTRL +G and enter the 0040115E offset.
This action directly lets us reach the entry point of the first message box as follows. Here, we have to
perform some significant modifications.
Now, select the 0040115E offset and press space bar, then copy the JNB 00401189 instruction into the
clipboard as follows:
Ok, now copy the offset address 00405196 in the clipboard from the First PUSH 1 in the new injected
code.
Again go to offset 0040115E where the message box code is located, select the instruction set at
0040115E, and press the space bar. Finally, replace the existing code with new. Assemble the JNB
00405196 instruction here.
So, what are we actually doing here? First we are giving the reference of the PUSH 1 instruction offset
(00405196) to the jump instruction located at offset 0040115E. Secondly, pasting the JNB 00401189
instruction to the 004051A1 offset as follows:
Figure 1.23: Graph diagram of offsets jumping
Basically, the aforesaid figure indicates that after entering the user name and serial key in the victim.exe,
first the error message box would display and then our spyware program would activate.
We have finished with the code injections tactics. Now make changes permanent and write the
modified bytes into memory by right clicking on the ASM code and select the Copy to Executable
option, where we choose All Modifications as follows:
Now, select the Copy all option in the forthcoming dialog box, which produces a separate dialog box as
follows, where the final assemble code collectively resides.
Figure 1.25: New Assemble code
Finally, close the dialog box in figure 1.25. The moment you close the dialog box, the Save as dialog box
appears and it asks to get new name to the patched EXE file. We shall provide victim_Patched.exe as
follows:
Now, run the victim_Patched.exe and enter any fake values as a user name and serial key. It is obvious
that such entered credentials are invalidated and an Error message would display.
Figure 1.27: Testing
The moment the Error message appears about invalid credentials and we move forward by clicking the
OK button, the spyware program is automatically activated and shows the machine name and IP
address on which it is running and later sends this information back to a remote server.
This article presents a step by step tutorial of injecting a malicious spyware program into any executable
by using IDA Pro and OllyDbg. The IDA Pro was basically employed in order to identify the entry point
message box occurrence and OllyDbg implanted the existing EXE. Basically, this tutorial demonstrates
how to place an EXE into another EXE. The idea behind code injection is to identify the occurrence of an
entry point which is referred to as a triggering point to an injected EXE, and later modify the JUMP
statements in order to divert the execution toward the injected code.