
Thread: ./msfencode problem

  1. #1
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    8

    ./msfencode problem

    Hi everybody!

    I have a problem using ./msfencode on the BackTrack4 Final live CD. When I try to encode the file "0x4553-intercepter.exe" I get the following output:

    ____________________________________________________________

    root@bt:/pentest/exploits/framework3# ./msfencode -i /tmp/btback/intercepter/0x4553-Intercepter.exe -c 1 -t exe -e x86/shikata_ga_nai -o intercepter.exe
    [*] x86/shikata_ga_nai succeeded with size 340509 (iteration=1)

    [-] x86/shikata_ga_nai failed: The .text section is too small to be usable
    ./lib/msf/util/exe.rb:93:in `to_win32pe'
    ./msfencode:212
    ./msfencode:179:in `each'
    ./msfencode:179
    [-] No encoders succeeded.
    ____________________________________________________________

    No encoded exe file is generated.

    What would you suggest I do? Where is the problem?

    PS
    - CD image is OK (hash is checked)
    - File size is 330 kB

  2. #2
    Just burned his ISO
    Join Date
    Feb 2010
    Posts
    1

    Re: ./msfencode problem

    Use another exe file, it shall work.

  3. #3
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    8

    Originally Posted by rul3z:
    Use another exe file, it shall work.

    But what's wrong with this one?

    Does msfencode have any limitations regarding exe files?
    Last edited by PipeDevil; 02-04-2010 at 01:58 PM. Reason: Merging...

  4. #4
    Very good friend of the forum hhmatt's Avatar
    Join Date
    Jan 2010
    Posts
    660

    Re: ./msfencode problem

    It's not msfencode that has your limitation. Your executable needs more bytes in the .text section in order for it to encode the exe. You should be able to edit it via LORDPE. Add some null bytes to the .text section and you should be able to encode it then. LORDPE is a Windows app since I don't know any Linux applications that handle this. I'm NOT going to write a tutorial for you on it either. All the information that you should need to edit your exe is on the web somewhere and will take some searching in order to find all your answers.

    Good luck.
    Last edited by hhmatt; 02-06-2010 at 06:10 AM.

  5. #5
    Member skinnypuppy's Avatar
    Join Date
    Jan 2010
    Location
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    Posts
    154

    Re: ./msfencode problem

    Nice to see someone else using LORDPE, and yes, it will run under Wine. I believe the IDA Pro free disassembler that comes with BT4 will allow you to play with 80x86 and ARM portable execs. I know that the 5.5 full version does and a lot more as well, but kinda spendy.
    I may have been born with a silver spoon in my mouth but it does not mean I like to be spoon fed.

  6. #6
    Junior Member
    Join Date
    Jan 2010
    Posts
    47

    Re: ./msfencode problem

    I found this

    *********
    -Click on PE editor to open file
    -Click sections in the new window
    Here we see 3 sections .text .rdata and .data. For this example we will
    select .data. Right click and select edit section header.
    -Add 1000 hex bytes to the virtual size and the raw size.
    VirtualSize = 00001B4A
    RawSize = 00001200
    -Click on the (...) next to the flags and set 'Executable as code'. This is where
    we will build our encoder/decoder and thus need to have it executed.
    -Edit the section header for .text as well to writable (also under
    flags)
    -Save and close LordPE

    Step - 2
    --------

    If you tried to open your backdoor now you will notice an error indicating it is
    not a valid Win32 Application. This is because our sizes do not balance. We
    indicated there were an extra 1000 hex bytes, but have not actually added
    anything to the program. So we will now pad our program.

    -Open it up in XVI32 (or other hex editor of your choice)
    -Scroll to the end of the file, and this is where we will add our 1000 hex bytes.
    -Edit > insert (Select Hex String: 00 Insert <n> times - choose hexadecimal $1000)

    This inserts our 1000 bytes needed to write our code in. Now save and close the
    hex editor.
    Evading Anti Virus Detection Article at HellBound Hackers
    **************
    But if I do the same with the .text section (add 1000 hex bytes to the virtual size and the raw size), then when I add 1000 hex bytes to the end, the exe won't run anymore.
    In the example shown before, the same thing is done with the .data section. Perhaps .text does not work like this.
    Does anyone know a good place where I can read something about this?
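
Added example (not part of the original post or the quoted tutorial): a header check a defender can run over a file to spot the section edits described above, namely a section whose raw size reaches past the end of the file (the unpadded state the tutorial calls "not a valid Win32 Application") and sections flagged both writable and executable. The section tables in CLEAN and EDITED and the helper build_sample are constructed for the demo.

```python
import struct

MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_* flags
SECTION = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER

def audit_sections(data):
    """Return (section, finding) pairs for a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    # The COFF header follows the signature; it gives the section count and
    # the optional-header size, which together locate the section table.
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    table = pe_off + 24 + opt_size
    findings = []
    for i in range(nsec):
        fields = struct.unpack_from(SECTION, data, table + 40 * i)
        name, rsize, rptr, flags = fields[0], fields[3], fields[4], fields[9]
        name = name.rstrip(b"\0").decode("ascii", "replace")
        # Header claims more raw bytes than the file actually holds.
        if rptr and rptr + rsize > len(data):
            findings.append((name, "raw data runs past end of file"))
        if flags & MEM_EXECUTE and flags & MEM_WRITE:
            findings.append((name, "writable and executable"))
    return findings

def build_sample(sections, file_size):
    """Constructed header-only image (zero-filled body) for the demo."""
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    hdr = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + coff + b"\0" * 0xE0
    for name, vsize, rsize, rptr, flags in sections:
        hdr += struct.pack(SECTION, name, vsize, rptr, rsize, rptr, 0, 0, 0, 0, flags)
    return hdr.ljust(file_size, b"\0")

# Constructed section tables: as linked, then after a header-only edit.
CLEAN = [(b".text", 0x1000, 0x1200, 0x200, 0x60000020),
         (b".data", 0x1B4A, 0x1200, 0x1400, 0xC0000040)]
EDITED = [(b".text", 0x1000, 0x1200, 0x200, 0xE0000020),
          (b".data", 0x2B4A, 0x2200, 0x1400, 0xE0000040)]

if __name__ == "__main__":
    for label, secs, size in [("clean", CLEAN, 0x2600),
                              ("edited, unpadded", EDITED, 0x2600),
                              ("edited, padded", EDITED, 0x3600)]:
        print(label, audit_sections(build_sample(secs, size)))
```

Padding the file clears the size mismatch, but the writable-and-executable flags remain visible in the header, so that check still fires on the padded file.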

  7. #7
    Very good friend of the forum hhmatt's Avatar
    Join Date
    Jan 2010
    Posts
    660

    Re: ./msfencode problem

    Originally Posted by Takedown32:
    I found this
    *********
    Evading Anti Virus Detection Article at HellBound Hackers
    **************

    That looks like it's a text based tutorial based off of muts piss on your av shmoocon 2008 presentation. I personally use hex workshop and adding 1000 bytes is a little overkill. You can probably get by with a 50-100 byte buffer since you're only doing 1 iteration of encoding. This will also ensure your exe stays closer to its original size.
    The xor loop they are talking about is small as well. I forget the exact size, I can usually find enough null bytes in order to xor encode the exe. Making it executable is the most important step so don't forget it.
    Also as a warning, not all Windows binaries have the same .text .data .rdata sections. But they should contain some sort of .text and .data I believe. Just don't be surprised if you don't see exactly what's presented.

  8. #8
    Junior Member
    Join Date
    Jan 2010
    Posts
    47

    Re: ./msfencode problem

    This one was much more useful.
    http://sandsprite.com/CodeStuff/add_function.html
    I had a really nice read!

  9. #9
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    8

    Re: ./msfencode problem

    Originally Posted by hhmatt:
    It's not msfencode that has your limitation. Your executable needs more bytes in the .text section in order for it to encode the exe. You should be able to edit it via LORDPE. Add some null bytes to the .text section and you should be able to encode it then. LORDPE is a Windows app since I don't know any Linux applications that handle this. I'm NOT going to write a tutorial for you on it either. All the information that you should need to edit your exe is on the web somewhere and will take some searching in order to find all your answers.

    Good luck.

    I tried to change both the "VirtualSize" and "RawSize" parameters of ".text" in the file header, but msfencode gave me the same error.

    Is there any precise restriction of ".text" field size in msfencode?

  10. #10
    Very good friend of the forum hhmatt's Avatar
    Join Date
    Jan 2010
    Posts
    660

    Re: ./msfencode problem

    Originally Posted by PipeDevil:
    I tried to change both the "VirtualSize" and "RawSize" parameters of ".text" in the file header, but msfencode gave me the same error.

    Is there any precise restriction of ".text" field size in msfencode?

    Did you make it executable and add the bytes via a hex editor?
