A random page with some information of the PE format file and its main headers. Main usage: malware development and malware research.

Considerations

• RVA (Relative Virtual Address): Offset from Image Base. To obtain the absolute virtual address the calculation “Image Base + RVA” must be performed. Several PE sections include RVAs.
• Check the official Microsoft documentation if you want to know more! This is only a summary and my personal studies about the topic.

DOS header

• IMAGE_DOS_HEADER structure definition from winnt.h.
• First 64 bytes of the PE file.
• Was very important in the MS-DOS era, right now it is not.
• The actual Windows OS loader uses a field in this header to navigate to the new executable header , which is the header containing most of the needed information.
• Kept in the binaries for compatibility purposes.

We only want to know about the first and last members of this header:

Continue reading 

Heaven’s gate lore

The Heaven’s Gate tutorial was written by an anonymous hacker going online as Roy G. Biv, a member of a group called 29A. After the group disbanded and their e-zine’s site went down, the Heaven’s Gate technique was later reprinted in the 2009 edition of the Valhalla hacker e-zine. I personally would check this resource, as it was the first time the technique was commented.

Continue reading 

Prelude

Around this last month I have been digging into the Malware Development world. I have always wanted to expand my knowledge within this field, and I felt like it was the moment to do so.

As mentioned in many other blogposts, Sektor7 Malware Development Essentials course was a good point to start. Nevertheless, I found this course very short and I felt like most of the important concepts are ignored (e.g., what is a handle?) and are just used like if I already know them.

Continue reading 

Custom function declaration. Used when hooking, to get a pointer to the original function to get it dinamically resolved via IAT and then override this pointer, or to craft a new function that points to a shellcode with the function behavior (used in reflective DLL shellcode)

Case of getting the function pointer to a resolving Windows API call:

Continue reading 

Shellcodes that will be useful for testing/developing your malware.

I usually work on the same OS and with the same Compiler version for better reproducibility so here are my specs:

• Windows 10 Pro 22H2
  • OS Build 19045.4046
  • MSVC vc.exe compiler (64-bit and 32-bit) version 19.41.34123

Shellcodes are not encrypted. You should encrypt them if you want evasion, as these shellcodes are public and not crafted manually by me.

Continue reading 