I am performing some Windows malware research on a rogue AV software called SpySheriff (password: infected). I want to edit the IP address within the PE (.exe) file to change it to my honeypot IP address. I know it is easier to set up IP Tables or use Fiddler to redirect the traffic, but I want to learn something new about reverse engineering.

The malware IPv4 address is 52.90.24.115 which I successfully replaced with a shorter address by adding a space (20 in hex) at the end, and confirmed with netstat. I was expecting to terminate with 0x00 which I found strange.

Since my honeypot IPv4 address is longer, how can I hex edit this into the malware without corrupting the PE? I have had this problem in the past, where I want to increase the length of text within an application, but if I surpass the original text's length it breaks!

If this is not possible with a hex editor (in my case Hex Editor NEO) then I am open-minded to other approaches, such as reverse engineering with IDA or OllyDbg, where I can modify the executable file.

[Screenshot of the hex edit]

3
  • Just had my question moved here. Commented May 30, 2022 at 22:44
  • You can lengthen your IPv4 address by two numbers as you have 3 NULLs following the existing embedded IPV4 address string. This is sufficient space to embed any valid IPv4 address of the form NNN.NNN.NNN.NNN. Commented Jun 1, 2022 at 3:34
  • @fpmurphy If I give you the binary, and a fake IP address, could you try this and when it works (verify with netstat command) post an answer? I have tried using a longer IP in the manner you described, but in netstat it gives a completely different IP that is corrupted. It was also strange that I had to replace the first of the 3 NULLs with a space... Commented Jun 3, 2022 at 15:44

2 Answers

2

IP addresses can also be represented as a decimal number, for example:

52.90.24.115 == 878319731

This example saves 3 bytes; maybe give this method a try and pad with 0x20. There are many sites to convert an IP to decimal for you.

4
  • But what if malware only understands/reads dotted decimal representation of ip address? Commented Jun 22, 2022 at 13:01
  • The screenshot shows it using HTTP so I thought it was a possibility that would usually (always?) take up fewer bytes than a dotted decimal address. However I don't have enough creds to comment on the question so had to offer it as an answer even though it's a suggestion to try. Commented Jun 23, 2022 at 0:35
  • @MegaTonnage I appreciate the suggestion, however I was trying to learn whether there was some reverse engineering trick which did not require me to convert the IP address into decimal. I understand your suggestion and it will likely work, but that was not the answer I was looking for. Thank you! Commented Jun 23, 2022 at 21:15
  • Ah, I see. Generally you can't write more bytes than what you're trying to replace, or you'll overwrite/corrupt the item after it. It's worth a try, but it usually fails. When working with executable code, if you need more space than you have you would insert a jump to a "code cave" (an unused portion of memory), do what you need to do, then jump back. Commented Jun 23, 2022 at 23:26
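
As an added example (not code from the question or from either answer), the length-limited in-place patch that the comments above describe, in Python: it measures how much room the original string plus its trailing NUL padding leaves, refuses a replacement that would spill into the bytes that follow, and provides the dotted-to-decimal conversion this answer suggests for when the dotted form does not fit. The blob is constructed for the example, not bytes from SpySheriff.

```python
import struct

# Constructed sample blob (not bytes from SpySheriff): a hard-coded dotted
# address followed by three NUL bytes, as the comments on the question describe.
SAMPLE = (b"\x90\x90GET /ping HTTP/1.1\x00"
          b"52.90.24.115\x00\x00\x00"
          b"Host: \x00\xcc\xcc")


def ip_to_decimal(ip: str) -> int:
    """Dotted quad -> 32-bit integer, the shorter form this answer suggests."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return struct.unpack(">I", bytes(octets))[0]


def available_room(blob: bytes, old: bytes) -> int:
    """Bytes a replacement may occupy: the old string plus any trailing NUL
    padding, minus one NUL that is kept as the C-string terminator."""
    offset = blob.find(old)
    if offset < 0:
        raise ValueError("old string not found")
    end = offset + len(old)
    trailing = 0
    while end + trailing < len(blob) and blob[end + trailing] == 0:
        trailing += 1
    return len(old) + trailing - (1 if trailing else 0)


def patch_string(blob: bytes, old: bytes, new: bytes, pad: bytes = b"\x00") -> bytes:
    """Overwrite `old` with `new` in place; never shifts the bytes after the slot."""
    offset = blob.find(old)
    room = available_room(blob, old)
    if len(new) > room:
        raise ValueError(f"{new!r} is {len(new)} bytes but only {room} fit; "
                         "writing it would overwrite the data that follows")
    had_nul = blob[offset + len(old):offset + len(old) + 1] == b"\x00"
    terminator = b"\x00" if had_nul else b""
    slot_end = offset + room + len(terminator)
    patched = blob[:offset] + new + pad * (room - len(new)) + terminator + blob[slot_end:]
    assert len(patched) == len(blob)  # file layout and every later offset are unchanged
    return patched


if __name__ == "__main__":
    print(available_room(SAMPLE, b"52.90.24.115"))  # 14
    print(patch_string(SAMPLE, b"52.90.24.115", b"10.0.0.1", b"\x20"))
    longer = str(ip_to_decimal("192.168.100.200")).encode()  # 10 bytes instead of 15
    print(patch_string(SAMPLE, b"52.90.24.115", longer))
```

Pass `pad=b"\x20"` to reproduce the space padding the question used, or leave the default to pad with NULs; either way the terminator and everything after the slot stay where they were.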
-1

You can create a script to patch the binary contents of the file (in this case the IP). I've used Perl for this example, as it is a powerful tool for this purpose, and the flow is:

-> Make sure the stub exe has a 16-byte allocated buffer.

-> Find the xxx.xxx.xxx.xxx format hard-coded string and patch it. Example: change 192.168.1.2 to 137.283.24.11.

In a .pl example: `$ip =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/`

3
  • I'm afraid you did not catch the actual issue: The space to patch is limited by the length of the original data, and you cannot extend it. In your specific example, the original value 192.168.1.2 has 11 characters, and the patch value 137.283.24.11 has 13 characters. It will overwrite 2 bytes of the following data, and most probably crash the executable. This is the symptom the OP describes. Commented Nov 17 at 7:11
  • @thebusybee So code cave it? Since you might not be familiar: you can just set the pointer in place of 192.168.1.2 to point to the new address, which can be written in empty space in memory (where the 0x000... are). The reason I said specifically 16 bytes is because that is the max length of an IP. Commented Nov 17 at 11:57
  • Commonly you do not know where and how many times a pointer to the string is in the machine code. Commented Nov 17 at 12:21
