Code Injections: Injecting Spyware in EXE

In this tutorial you will learn how to inject spyware into an EXE.

Implanting malicious code in the form of spyware to an existing running process is a very sophisticated task. Before the advent of disassemblers or patching tools, the malevolent code is usually invoked from the hard-core programming code that was a very exhaustive process in itself because we had gone through with programming code written especially in C or VC++. This paper shows exclusively how to invoke a covert code along with the foremost executable using OllyDbg and IDA Pro Disassemblers. Such covert malicious code is triggered without permission from the user; more precisely, the moment the specific method of the leading exe executes, the spyware becomes automatically activated surreptitiously.

Essential

The subsequent operation requires exhaustive understanding of Hexadecimal Code and Assembly Programming. The following lists the tools of the trade:

  • The Victim Binary
  • Spyware Executable
  • OllyDbg
  • IDA Pro Interactive Dissembler

The Target Binary (Victim)

We shall deploy the spyware in a simple Game Registration executable to showcase the code injections mechanism. The Game Registration typically requires serial keys to validate the authentic copy of this product and register or enable the full version as below.

Target GUI
                                 Figure 1.1: Target GUI

This EXE is chosen to be the victim for infection with the covert spyware. It doesn't matter what the actual Name is and the serial keys of that program. We are in fact, not provided such sensitive information. The key matter of interest for the reverse engineer is the subsequent Error box that typically appears when serial keys are not validated.

Error Message in Target
                                    Figure 1.2: Error Message in Target

This Error message box would become the entry point of the malicious covert code. The moment the user is confronted with the previous error message box, the spyware becomes executed and that is what we are trying to do in this paper.

Spyware Code

Well, the following code will produce a simple spyware program which typically shows the machine name and IP address of the computer where it runs and returns such critical information to the hacker server.

  1. Using System;  
  2. using System.Net;  
  3. using System.IO;  
  4. using System.Windows.Forms;  
  5.   
  6. namespace victimIP  
  7. {  
  8.     public partial class Form1 : Form  
  9.     {  
  10.         public Form1()  
  11.         {  
  12.             InitializeComponent();  
  13.         }  
  14.   
  15.         private void Form1_Load(object sender, EventArgs e)  
  16.         {  
  17.             try  
  18.             {  
  19.                 string strHostName = Dns.GetHostName();  
  20.                 label4.Text = strHostName;  
  21.                 label5.Text = GetIP();  
  22.             }  
  23.             catch (Exception)  
  24.             {  
  25.                 MessageBox.Show("Unable to Connect Internet");  
  26.             }  
  27.         }  
  28.         static string GetIP()  
  29.         {  
  30.             // check IP using DynDNS's service  
  31.             WebRequest request = WebRequest.Create("http://checkip.dyndns.org");  
  32.             WebResponse response = request.GetResponse();  
  33.             StreamReader stream = new StreamReader(response.GetResponseStream());  
  34.   
  35.             // read complete response  
  36.             string ipAddress = stream.ReadToEnd();  
  37.   
  38.             // replace everything and keep only IP  
  39.             return ipAddress.  
  40.                 Replace("<html>  
  41.                          <head><title>Current IP Check</title></head>  
  42.                          <body>Current IP Address: ", string.Empty).  
  43.                          Replace("</body></html>"string.Empty);  
  44.   
  45.         }  
  46.         private void button2_Click(object sender, EventArgs e)  
  47.         {  
  48.             SendDetails();       
  49.             Application.Exit();    
  50.         }  
  51.     }  
  52. }  
We don't need to go into the details of the spyware code. It could be any exe program indeed which is injected into a binary as the means of this paper. After compiling that code, it will look as in the following figure. It is showing a fake value of the computer name and IP address because crucial values are not being disclosed for security purposes.

The Spyware GUI
                        Figure 1.3: The Spyware GUI

Victim Binary Analysis


One question might bother you, why do we need IDA Pro, since we can do code injection using OllyDbg itself? IDA Pro in fact, assists you to identify the entry point instruction code of the jump statement where from the message box assembly instruction starts to execute. As we have described earlier, the prime matter of interest is to get the details of the message box activation code. Here, we can easily identify the first message box occurrence after the 0040115E offset. Well, this code manipulated a couple of other message boxes indeed. But we have to recognize the very first message box existence.

Message Box invoking instruction in Target
                                    Figure 1.4: Message Box invoking instruction in Target

So, we will search at 0040115E offset in the OllyDbg to find the message box assembly code to be modified to suit our needs. We can duly confirm the message box occurrence by placing a breakpoint at 0040115E in IDA Pro and start debugging. If we entered the short name then the graph view of the assembly code clearly indicates the execution flow towards the message box code as in the following:

Target Execution Flow
                                                   Figure 1.5: Target Execution Flow

Spyware Injection

It's now showtime. Open the victim.exe binary in the OllyDbg to inject the spyware code. Here, the $ sign at offset 004015ED indicates the entry point of the executable as in the following:

Target Entry Point in OllyDbg
                                                   Figure 1.6: Target Entry Point in OllyDbg

Every executable has some empty space referred to as Code Caves where we can place or inject any external binary code. So, if you scroll down a little bit, you will easily identify the blank area named DB 00 or NOP in the assembly code.

NOTE: Sometimes the assembly code hides the form of DB 00 instructions code caves. So press CTRL+A to unhide them.

Empty Regions Code caves in Target
                                    Figure 1.7: Empty Regions (Code caves) in Target

As from the previous Figure 1.7, the DB 00 instruction starts from the 00405188 offset. So, we shall place our external spyware code in these code caves. So select a couple of code cave instructions and right-click, choose Binary and then edit as in the following:

Binary Editing in Target
                                                      Figure 1.8: Binary Editing in Target

NOTE: place both victim.exe and spyware.exe into a single directory folder.

Now, label the spyware program executable as spyware.exe in the ASCII box, since we have selected code caves from 0040518A, which means start editing from this instruction. Its corresponding hex code is automatically generated and placed at the 0040518A offset.

Placing Spyware Name in Target
               Figure 1.9: Placing Spyware Name in Target

NOTE: The assembly is a strict case-sensitive language. So be cautious when entering the names in the ASCII box.

After pressing the OK button in the Figure 1.9, some raw uncomprehendable code is generated at offset 0040518A in the Red color as in the following:

Injected Spyware code in Target
                                          Figure 1.10: Injected Spyware code in Target

Don't worry, just analyze the code by pressing CTRL+ A now and this time, we get the original entered code which virtually shows the spyware victim.exe name as in the following:

Analysis in Target
                     Figure 1.11: Analysis in Target

Now, we have to write the spyware offset address value into memory. However, move forward just one step and at offset 00405195, press the space bar button. Here, we found the assemble code box. Just enter PUSH 1 here and click on the Assemble button.

Injecting PUSH instruction Target
               Figure 1.12: Injecting PUSH instruction Target

Again go to the 00405197 offset and press the space bar; here enter the PUSH 40518A code which pushes the spyware exe instruction into memory.

Injecting Spyware name in PUSH
               Figure 1.13: Injecting Spyware name in PUSH

Here, note that we are giving the reference of spyware.exe located at offset 0040518A to 00405198 as in the following:

Giving Spyware name in PUSH
                                                Figure 1.14: Giving Spyware name in PUSH

Our spyware has the *.exe format. So we have to instruct the Assembly code by calling the CALL WinExec instruction that we are injecting an external executable which has of course .exe extension.

Calling Exe in Assembly Language
               Figure 1.15: Calling Exe in Assembly Language

After finishing with the code injection for the spyware, the modified assembly looks such as in the following:

Injected Assembly Code
                                                         Figure 1.16: Injected Assembly Code

We now must connect that new injected code with the message box occurrence instruction, otherwise it won't be executed. As a reference of Figure 1.4, press CTRL+G and enter the 0040115E offset.

Jump to 0040115E via Expression
               Figure 1.17: Jump to 0040115E via Expression

This action lets us reach directly the entry point of the first message box as in the following. Here, we have to perform some significant modifications.

Message Box code entry point
                                                Figure 1.18: Message Box code entry point

Now, select the 0040115E offset and press the space bar, then copy the JNB 00401189 instruction into the clipboard as in the following:

Copy the code
                           Figure 1.19: Copy the code

Thereafter, return to the inject code by pressing the “-“ (minus) button, there select offset 004051A1 to assemble the new code and press the space button and paste in the JNB 00401189 instruction. We shall discuss shortly what we are doing.

Paste instruction
                           Figure 1.20: Paste instruction

Okay, now copy the offset address 00405196 in the clipboard from the first PUSH 1 in the new injected code.

Copy offsets
                                                                  Figure 1.21: Copy offsets

Again go to offset 0040115E where the message box code is located, select the instruction set at 0040115E and press the space bar. Finally replace the existing code with the new assembly instruction JNB 00405196 here.

Assemble instruction
                       Figure 1.22: Assemble instruction

So, what we are actually doing here is, first we give the reference of the PUSH 1 instruction at offset (00405196) to jump the instruction located at offset 0040115E. Secondly, paste the JNB 00401189 instruction to 004051A1 offset as in the following:

Graph diagram of offsets jumping
                                 Figure 1.23: Graph diagram of offsets jumping

Basically, the previous figure indicates that after entering the user name and serial key in the victim.exe, first the error message box would be displayed and then our spyware program activates.

We are done with the code injections. Now make the changes permanent and write the modified bytes into memory by right-clicking on the ASM code and select the Copy to Executable option, where choose All Modifications as in the following.

Saving changes
                                    Figure 1.24: Saving changes

Now, select the Copy all option in the forthcoming dialog box, that produces a separate dialog box as in the following where the final assembly code collectively resides.

New Assemble code
                     Figure 1.25: New Assemble code

Finally, close the dialog box in Figure 1.25. The moment, you close the dialog box, the save as dialog box will appear and it asks for a new name to the patched exe file. We shall provide victim_Patched.exe as in the following:

save as binary
                              Figure 1.26: Save As binary

Now, run the victim_Patched.exe and enter any fake values such as a user name and serial key. It is obvious that such entered credentials are invalidated and an error message will be displayed.

Testing

The moment the error message appears about invalid credentials and we move forward by clicking the OK button, the spyware program shall be automatically activated and shows the machine name and IP address on which it is running and later sends back the information to a remote server.

Spyware program
                           Figure 1.28: Spyware program

Final Note

This rare research paper presents a step-by-step tutorial of injecting a malicious spyware program into any executable using IDA Pro and OllyDbg. The IDA Pro was basically employed to identify the entry point message box occurrence and OllyDbg in fact, implanting the existing exe. Basically, this tutorial is showing how to place an exe into another exe. The idea behind code injection is to identify the occurrence of the entry point referred to as the triggering point to the injected exe indeed and later modify the JUMP statements to divert the execution towards the injected code.