Skip to main content

This python tool injects shellcode in Windows Program Executable to backdoor it with optional polymorphism.

Project description

PeInjector Logo

PeInjector

Description

This python tool injects shellcode in Windows Program Executable to backdoor it with optional polymorphism.

Support x86 ans x64 architectures.

Requirements

This package require:

  • python3
  • python3 Standard Library

Installation

python3 -m pip install PeInjector
git clone "https://github.com/mauricelambert/PeInjector.git"
cd "PeInjector"
python3 -m pip install .

Usages

Command line

PeInjector                # Using CLI package executable
python3 -m PeInjector     # Using python module
python3 PeInjector.pyz    # Using python executable
PeInjector.exe            # Using python Windows executable

PeInjector test.exe 90    # Inject shellcode "NOP" (instruction 0x90) in test.exe
PeInjector -p test.exe 90 # Inject polymorphism shellcode to execute "NOP" (instruction 0x90) in test.exe

Python

from PeInjector import *

shellcode = b"\x90" # NOP instruction

with open("target.exe", "rb") as target, open("backdoor.exe", "wb") as backdoor:
    inject(target, backdoor, shellcode, polymorphism=False)

Detections

Thanks to VirusTotal online, public and free service. I use it to test my backdoored files and compare antivirus solution.

My pe-injector is not sneaky, there is no antivirus bypass and contains a lot of IOC or suspicious content but only few antivirus detect backdoored files:

  1. I sent 32 bits backdoored executable (compiled with gcc and stripped) on virustotal with a polymorphic shellcode execution but only 15 antivirus detect it as malicious. The following elements should be detected by antivirus:
    • Last section have RWX permissions (very very suspicious)
    • Last section name is .inject and contains executable code (PE characteristics) (very suspicious)
    • Entry point in the last section (very suspicious)
    • There are 2 section with executable code (PE characteristics) (suspicious)
  2. I sent 64 bits backdoored executable (compiled with gcc and stripped) on virustotal with a polymorphic shellcode execution but only 7 antivirus detect it as malicious. The following elements should be detected by antivirus:
    • Last section have RWX permissions (it's very very suspicious)
    • Last section name is .inject and contains executable code (PE characteristics) (very suspicious)
    • Entry point in the last section (very suspicious)
    • There are 2 section with executable code (PE characteristics) (suspicious)
  3. I sent 32 bits backdoored executable (compiled with gcc and stripped) on virustotal with shellcode execution but only 13 antivirus detect it as malicious. The following elements should be detected by antivirus:
    • Last section name is .inject and contains executable code (PE characteristics) (very suspicious)
    • Entry point in the last section (very suspicious)
    • Last section jump on the first executable section (very suspicious)
    • There are 2 section with executable code (PE characteristics) (suspicious)
    • Last section have RX permissions (suspicious)
  4. I sent 64 bits backdoored executable (compiled with gcc and stripped) on virustotal with a polymorphic shellcode execution but only 4 antivirus detect it as malicious. The following elements should be detected by antivirus:
    • Last section name is .inject and contains executable code (PE characteristics) (very suspicious)
    • Entry point in the last section (very suspicious)
    • Last section jump on the first executable section (very suspicious)
    • There are 2 section with executable code (PE characteristics) (suspicious)
    • Last section have RX permissions (suspicious)

VirusTotal screenshot for x86 backdoored PE with polymorphic shellcode

VirusTotal screenshot for x86 backdoored PE with polymorphic shellcode

VirusTotal screenshot for x86 backdoored PE with polymorphic shellcode

VirusTotal screenshot for x86 backdoored PE with polymorphic shellcode

Detection and antivirus solution comparaison

Only 3 antivirus detect all backdoored Program Executable:

  • Bkav Pro
  • SecureAge
  • Zoner

For all of theses antivirus solutions, there is only one interesting detection name, an antivirus solution should detect malicious files, block it and sent some basic informations to SOC analyst. For the least detected backdoored file we have the following detection names:

  • BehavesLike.Win64.Kudj.lt -> Windows 64 bits, detected as Kudj.lt, this detection name is very interesting because Kudj is a file infector but this detection name come from Skyhigh and this solution don't detect 32 bits backdoored files
  • Probably Heur.ExeHeaderL -> heuristic detection for suspicious headers, this detection is not very bad but some informations are missing
  • W64.AIDetectMalware -> Windows 64 bits, detected as malware by AI module but what is malicious ? No information about PE backdoored file... all techniques i use are documented on internet
  • Malicious -> What is malicious ? No information about PE backdoored file... all techniques i use are documented on internet

Best antivirus solution for PeInjector

The best solution to detect backdoored Program Executable is probably Zoner because it's one of the 3 solutions that detect 4 different tests and the detection name not really bad (with Probably Heur.ExeHeaderL a SOC analyst can analyze PE headers and identify the file as malicious file).

I don't know if Zoner is a good antivirus, i don't say it's the best antivirus for general detection, but when i wrote theses lines it's probably the best antivirus to detect the PeInjector backdoored files. It's really a specific test. I never use Zoner antivirus solution.

Links

License

Licensed under the GPL, version 3.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

peinjector-1.2.0.tar.gz (24.9 kB view details)

Uploaded Source

File details

Details for the file peinjector-1.2.0.tar.gz.

File metadata

  • Download URL: peinjector-1.2.0.tar.gz
  • Upload date:
  • Size: 24.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.1.1 CPython/3.12.6

File hashes

Hashes for peinjector-1.2.0.tar.gz
Algorithm Hash digest
SHA256 a0117fca049ba731127cb7e5d48b5d0b7087afec10503792553390ad3bb25d72
MD5 40ea52188939d4e45f2209ef43f8ef21
BLAKE2b-256 244c0e91e2cfa05a5d62e6f0aab9090c87f2fd0b53f5508394313faf72e84205

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page