Hi everybody!
I have a problem using ./msfencode on the BackTrack4 Final live CD. When I'm trying to encode the file "0x4553-intercepter.exe" I get the following output:
____________________________________________________________
root@bt:/pentest/exploits/framework3# ./msfencode -i /tmp/btback/intercepter/0x4553-Intercepter.exe -c 1 -t exe -e x86/shikata_ga_nai -o intercepter.exe
[*] x86/shikata_ga_nai succeeded with size 340509 (iteration=1)
[-] x86/shikata_ga_nai failed: The .text section is too small to be usable
./lib/msf/util/exe.rb:93:in `to_win32pe'
./msfencode:212
./msfencode:179:in `each'
./msfencode:179
[-] No encoders succeeded.
____________________________________________________________
No encoded exe file is generated.
What would you suggest I do? Where is the problem?
PS
- CD image is OK (hash is checked)
- File size is 330 kB
Use another exe file it shall work.
It's not msfencode that has your limitation. Your executable needs more bytes in the .text section in order for it to encode the exe. You should be able to edit it via LORDPE. Add some null bytes to the .text section and you should be able to encode it then. LORDPE is a Windows app since I don't know any Linux applications that handle this. I'm NOT going to write a tutorial for you on it either. All the information that you should need to edit your exe is on the web somewhere and will take some searching in order to find all your answers.
Good luck.
Last edited by hhmatt; 02-06-2010 at 06:10 AM.
Nice to see someone else using LORDPE, and yes, it will run under Wine. I believe the IDA Pro free disassembler that comes with BT4 will allow you to play with 80x86 and ARM portable execs. I know that the 5.5 full version does, and a lot more as well, but kinda spendy.
I may have been born with a silver spoon in my mouth but it does not mean I like to be spoon fed.
I found this:
*********
-Click on PE editor to open file
-Click sections in the new window
Here we see 3 sections .text .rdata and .data. For this example we will
select .data. Right click and select edit section header.
-Add 1000 hex bytes to the virtual size and the raw size.
VirtualSize = 00001B4A
RawSize = 00001200
-Click on the (...) next to the flags and set 'Executable as code'. This is where
we will build our encoder/decoder and thus need to have it executed.
-Edit the section header for .text as well to writable (also under
flags)
-Save and close LordPE
Step - 2
--------
If you tried to open your backdoor now you will notice an error indicating it is
not a valid Win32 Application. This is because our sizes do not balance. We
indicated there were an extra 1000 hex bytes, but have not actually added
anything to the program. So we will now pad our program.
-Open it up in XVI32 (or other hex editor of your choice)
-Scroll to the end of the file, and this is where we will add our 1000 hex bytes.
-Edit > insert (Select Hex String: 00 Insert <n> times - choose hexadecimal $1000)
This inserts our 1000 bytes needed to write our code in. Now save and close the
hex editor.
Evading Anti Virus Detection Article at HellBound Hackers
**************
But if I do the same with the .text section (add 1000 hex bytes to the virtual size and the raw size), then when I add 1000 hex bytes to the end, the exe won't run anymore.
In the example shown before, the same thing is done with the .data section. Perhaps .text does not work like this.
Does anyone know a good place where I can read something about this?
That looks like it's a text-based tutorial based off of muts' "piss on your av" ShmooCon 2008 presentation. I personally use Hex Workshop, and adding 1000 bytes is a little overkill. You can probably get by with a 50-100 byte buffer since you're only doing 1 iteration of encoding. This will also ensure your exe stays closer to its original size.
The xor loop they are talking about is small as well. I forget the exact size; I can usually find enough null bytes in order to xor encode the exe. Making it executable is the most important step, so don't forget it.
Also, as a warning, not all Windows binaries have the same .text, .data and .rdata sections. But they should contain some sort of .text and .data, I believe. Just don't be surprised if you don't see exactly what's presented.
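An added example, not part of the thread or of the quoted tutorial: a read-only Python check that parses a PE section table and reports the two conditions discussed above, a section header whose raw data runs past the end of the file (the "not a valid Win32 Application" case from Step 2) and a section flagged both writable and executable, which is a useful triage signal when inspecting a modified binary. The sample image, its section sizes and the helper names are constructed for illustration.

```python
import struct

MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000   # IMAGE_SCN_MEM_* flags
# name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
SECTION = "<8sIIII12xI"

def audit_sections(data):
    """Return {section name: [findings]} for a PE image held in bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # NumberOfSections and SizeOfOptionalHeader from the COFF header
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    table = pe + 24 + opt_size                              # first section header
    report = {}
    for i in range(nsect):
        name, _vsize, _va, rsize, rptr, flags = struct.unpack_from(
            SECTION, data, table + 40 * i)
        findings = []
        if rptr + rsize > len(data):                        # header promises bytes the file lacks
            findings.append("truncated")
        if flags & MEM_EXECUTE and flags & MEM_WRITE:       # section is writable and executable
            findings.append("W+X")
        report[name.rstrip(b"\0").decode("ascii", "replace")] = findings
    return report

def build_sample(padded):
    """Constructed image: .data header grown by 0x1000 and flagged executable."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                 # e_lfanew -> 0x80
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH12xH", hdr, 0x84, 0x14C, 2, 0xE0)  # i386, 2 sections, PE32 optional header
    sections = [(b".text", 0x400, 0x1000, 0x400, 0x200, 0x60000020),
                (b".data", 0x2B4A, 0x2000, 0x2200, 0x600, 0xE0000040)]
    for i, fields in enumerate(sections):
        struct.pack_into(SECTION, hdr, 0x178 + 40 * i, *fields)
    # Original raw data, plus the 0x1000 padding bytes only when requested
    body = bytes(0x400 + 0x1200 + (0x1000 if padded else 0))
    return bytes(hdr) + body

if __name__ == "__main__":
    for padded in (False, True):
        print("padded" if padded else "unpadded", audit_sections(build_sample(padded)))
```

To check a real file, pass `open(path, "rb").read()` to `audit_sections`.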
This one was much more useful.
http://sandsprite.com/CodeStuff/add_function.html
I had a really nice read!