Dumping a binary EXE to hex and embedding it in a C++ file causes an execution error

Posted 2025-01-28 15:02:27, 1661 characters, 0 views, 0 comments


I am dumping a sample of relec malware to hexadecimal using xxd to embed it in a C++ file and execute it with CreateProcess. When I get the hexadecimal relec file, I copy it to an array and write it to disk. I call CreateProcess to execute the relec executable, but I get the following error message: "The program can't be run because it is incompatible with 64-bit Windows versions...". Maybe the problem is that using xxd modifies the content of the malware. I have also tried online converters and it fails, showing the same message. If the original exe is called with CreateProcess it works, but I need it to be embedded. I use Linux to run xxd and use the resulting dump in Windows 10. The IDE I am using is Visual Studio Community 2019. Here is the code:

#include <windows.h>
#include <stdio.h>

unsigned char relec[] = {
  0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
  0xff, 0xff, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00...
};

int main(void) {

        // Write the embedded bytes to disk. "w" opens the file in text mode;
        // this is the line the question turns on (the comment below changes it).
        FILE* f = fopen("relec", "w");
        if (f == NULL) {
            printf("fopen failed.\n");
            return 1;
        }
        fwrite(relec, sizeof(relec), 1, f);
        fclose(f);

        STARTUPINFOA si;
        PROCESS_INFORMATION pi;

        ZeroMemory(&si, sizeof(si));
        si.cb = sizeof(si);
        ZeroMemory(&pi, sizeof(pi));

        if (!CreateProcessA("relec",   // Module name
            NULL,           // Command line
            NULL,           // Process handle not inheritable
            NULL,           // Thread handle not inheritable
            FALSE,          // Set handle inheritance to FALSE
            0,              // No creation flags
            NULL,           // Use parent's environment block
            NULL,           // Use parent's starting directory
            &si,            // Pointer to STARTUPINFO structure
            &pi)            // Pointer to PROCESS_INFORMATION structure
            )
        {
            printf("CreateProcess failed (%lu).\n", GetLastError());
            return 1;
        }

        // Release the process and thread handles CreateProcess returned.
        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);
        return 0;
}


Comments (1)

锦爱 2025-02-04 15:02:27


I changed the fopen writing mode. Instead I used the write-binary mode as @TedLyngmo suggested. Thank you all for your answers.
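As an added example (not the poster's code, and not tied to any executable): a round-trip check for the fix in the comment above. The sample bytes are constructed, not a real program; count_lf() predicts how many bytes a text-mode ("w") write adds on Windows, and write_and_verify() writes the buffer and compares what comes back from disk, which is the check to run before trusting any embedded blob that was written out. On Linux "w" and "wb" behave identically, so only a Windows build shows the "w" mismatch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed sample blob (not a real executable). It deliberately holds the
 * bytes Windows text-mode stdio treats specially: 0x0A (LF, rewritten to
 * 0x0D 0x0A on write) and 0x1A (Ctrl-Z, taken as EOF on text-mode read). */
static const unsigned char sample_blob[] = {
    0x4d, 0x5a, 0x90, 0x00, 0x0a, 0x01, 0x1a, 0x02,
    0x0d, 0x0a, 0xff, 0x00, 0x0a, 0x7f
};

/* Count 0x0A bytes: on Windows each one written via a stream opened with
 * "w" becomes 0x0D 0x0A, so the file grows by this many bytes and no longer
 * matches the array; with "wb" nothing is rewritten. */
size_t count_lf(const unsigned char *buf, size_t n) {
    size_t lf = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == 0x0a) lf++;
    return lf;
}

/* Write buf to path with the given fopen mode, read it back in binary mode
 * and compare byte for byte. Returns 1 only if the bytes on disk equal the
 * bytes in memory, 0 on any mismatch or I/O error. */
int write_and_verify(const char *path, const char *mode,
                     const unsigned char *buf, size_t n) {
    FILE *f = fopen(path, mode);
    if (!f) return 0;
    int ok = fwrite(buf, 1, n, f) == n;
    if (fclose(f) != 0 || !ok) return 0;
    unsigned char *back = (unsigned char *)malloc(n + 1); /* +1: detect growth */
    if (!back) return 0;
    f = fopen(path, "rb");
    if (!f) { free(back); return 0; }
    size_t got = fread(back, 1, n + 1, f);
    fclose(f);
    ok = got == n && memcmp(back, buf, n) == 0;
    free(back);
    return ok;
}

int main(void) {
    size_t n = sizeof sample_blob;
    printf("extra bytes a \"w\" write adds on Windows: %zu\n", count_lf(sample_blob, n));
    printf("\"w\"  round-trip ok: %d\n", write_and_verify("blob.bin", "w", sample_blob, n));
    printf("\"wb\" round-trip ok: %d\n", write_and_verify("blob.bin", "wb", sample_blob, n));
    remove("blob.bin");
    return 0;
}
```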
