PE32+ .text segment encryption in C++

Question

0.00/5 (No votes)

See more:

I am working on PE32+ .text segment encryption. I have added the .stub segment and encrypted the .text segment. I am trying to load the PE sections into memory, decrypt the .text segment there and execute it from memory at runtime. But I'm not able to add this logic to the stub.
I found many articles for 32bit encryption using assembly language. Is it possible to do it without assembly language for 64bit PE? Please help me to do it in C++.

What I have tried:

void (*stub_addr)(void) = stub_fun;// stub_fun is the function to add the 
                                        // decryption logic in .stub segment
unsigned int stub_size = get_stub_size(stub_addr);

//added .stub segment as follows
PIMAGE_DOS_HEADER dos_header = (PIMAGE_DOS_HEADER)image_addr;
if (dos_header->e_magic != 0x5A4D) 
{
        return NULL;
}
PIMAGE_NT_HEADERS nt_headers = (PIMAGE_NT_HEADERS)((DWORD_PTR)dos_header +  
            dos_header->e_lfanew);
const int name_max_length = 8;
PIMAGE_SECTION_HEADER last_section = IMAGE_FIRST_SECTION(nt_headers) +     
            (nt_headers->FileHeader.NumberOfSections - 1);
PIMAGE_SECTION_HEADER new_section = IMAGE_FIRST_SECTION(nt_headers) +      
            (nt_headers->FileHeader.NumberOfSections);
memset(new_section, 0, sizeof(IMAGE_SECTION_HEADER));
new_section->Characteristics = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE | 
            IMAGE_SCN_CNT_CODE;
memcpy(new_section->Name, section_name, name_max_length);
new_section->Misc.VirtualSize = section_size;
new_section->PointerToRawData = align_to_boundary(last_section->PointerToRawData + 
            last_section->SizeOfRawData,
nt_headers->OptionalHeader.FileAlignment);
new_section->SizeOfRawData = align_to_boundary(section_size,                
            nt_headers->OptionalHeader.SectionAlignment);
new_section->VirtualAddress = align_to_boundary(last_section->VirtualAddress + 
            last_section->Misc.VirtualSize,
nt_headers->OptionalHeader.SectionAlignment);
nt_headers->OptionalHeader.SizeOfImage = new_section->VirtualAddress +     
            new_section->Misc.VirtualSize;
nt_headers->FileHeader.NumberOfSections++;

//Changed the stub as Entry Point Encrypted the .text segment
//Now I am confused about how to add the decryption logic in the .stub segment.

#pragma code_seg(".stub")
void stub_fun () {
//How to load the PE32+ to the memory, decrypt the .text segment and run it from memory.
//Trying in C++ without using assembly language
}

Posted 12-Nov-19 18:09pm

PECoder

Updated 13-Nov-19 14:17pm

v3

Add a Solution

Comments

Richard MacCutchan 13-Nov-19 4:44am

Not enough information in your question. Please elaborate and show any code that is not working correctly.

PECoder 13-Nov-19 6:17am

Thank you for the reply. I have added the code which I am trying. I read many articles on PE32 (32bit) .text segment encryption that is using inline assembly in the stub function. I can’t use inline asm as 64bit won’t support it and I am new to assembly language. Please guide me with some good materials or sample code.

PECoder 14-Nov-19 0:06am

I am trying to do it without assembly language. I'm trying CreateFileMapping, OpenFileMapping and MapViewOfFile to load the PE to memory.
Is it possible to run the mapped PE from the memory itself, using the handle returned from MapViewOfFile?

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)