# PeInjector
## Description
This python tool injects shellcode in Windows Program Executable to
backdoor it with optional polymorphism.
> Support x86 ans x64 architectures.
## Requirements
This package require:
- python3
- python3 Standard Library
## Installation
```bash
python3 -m pip install PeInjector
```
```bash
git clone "https://github.com/mauricelambert/PeInjector.git"
cd "PeInjector"
python3 -m pip install .
```
## Usages
### Command line
```bash
PeInjector # Using CLI package executable
python3 -m PeInjector # Using python module
python3 PeInjector.pyz # Using python executable
PeInjector.exe # Using python Windows executable
PeInjector test.exe 90 # Inject shellcode "NOP" (instruction 0x90) in test.exe
PeInjector -p test.exe 90 # Inject polymorphism shellcode to execute "NOP" (instruction 0x90) in test.exe
```
### Python
```python
from PeInjector import *
shellcode = b"\x90" # NOP instruction
with open("target.exe", "rb") as target, open("backdoor.exe", "wb") as backdoor:
inject(target, backdoor, shellcode, polymorphism=False)
```
## Detections
> Thanks to [VirusTotal](https://www.virustotal.com/) online, public and free service. I use it to test my backdoored files and compare antivirus solution.
My *pe-injector* is not sneaky, there is no antivirus bypass and contains a lot of IOC or suspicious content but only few antivirus detect backdoored files:
1. I sent 32 bits backdoored executable (compiled with gcc and stripped) on [virustotal](https://www.virustotal.com/gui/file/9ac447a91465402917f1b134923a1457728b9e4808fa273a8c71f6357cad4dc6) with a polymorphic shellcode execution but only 15 antivirus detect it as malicious. The following elements should be detected by antivirus:
- Last section have *RWX* permissions (very very suspicious)
- Last section name is `.inject` and contains *executable code* (PE characteristics) (very suspicious)
- Entry point in the last section (very suspicious)
- There are 2 section with *executable code* (PE characteristics) (suspicious)
2. I sent 64 bits backdoored executable (compiled with gcc and stripped) on [virustotal](https://www.virustotal.com/gui/file/762853dbad74578fb6e3eb8ba50ea7ceb284237415b537511bf7ed8acf51f334) with a polymorphic shellcode execution but only 7 antivirus detect it as malicious. The following elements should be detected by antivirus:
- Last section have *RWX* permissions (it's very very suspicious)
- Last section name is `.inject` and contains *executable code* (PE characteristics) (very suspicious)
- Entry point in the last section (very suspicious)
- There are 2 section with *executable code* (PE characteristics) (suspicious)
3. I sent 32 bits backdoored executable (compiled with gcc and stripped) on [virustotal](https://www.virustotal.com/gui/file/1b6d2690c03ff65cc43d44aa5ac77fe5be9566c19bd5d3fec9ff3a637d8b9237) with shellcode execution but only 13 antivirus detect it as malicious. The following elements should be detected by antivirus:
- Last section name is `.inject` and contains *executable code* (PE characteristics) (very suspicious)
- Entry point in the last section (very suspicious)
- Last section *jump* on the first executable section (very suspicious)
- There are 2 section with *executable code* (PE characteristics) (suspicious)
- Last section have *RX* permissions (suspicious)
4. I sent 64 bits backdoored executable (compiled with gcc and stripped) on [virustotal](https://www.virustotal.com/gui/file/0780d9fa7dddf3c9c1a6da67f93f3916cf85f7f6e506a5b97861961b80ccbafa) with a polymorphic shellcode execution but only 4 antivirus detect it as malicious. The following elements should be detected by antivirus:
- Last section name is `.inject` and contains *executable code* (PE characteristics) (very suspicious)
- Entry point in the last section (very suspicious)
- Last section *jump* on the first executable section (very suspicious)
- There are 2 section with *executable code* (PE characteristics) (suspicious)
- Last section have *RX* permissions (suspicious)
### Detection and antivirus solution comparaison
Only 3 antivirus detect all backdoored Program Executable:
- Bkav Pro
- SecureAge
- Zoner
For all of theses antivirus solutions, there is only one interesting detection name, an antivirus solution should detect malicious files, block it and sent some basic informations to SOC analyst. For the least detected backdoored file we have the following detection names:
- `BehavesLike.Win64.Kudj.lt` -> Windows 64 bits, detected as `Kudj.lt`, this detection name is very interesting because `Kudj` is a [file infector](https://www.fortiguard.com/encyclopedia/virus/10072870) but this detection name come from `Skyhigh` and this solution don't detect 32 bits backdoored files
- `Probably Heur.ExeHeaderL` -> heuristic detection for suspicious headers, this detection is not very bad but some informations are missing
- `W64.AIDetectMalware` -> Windows 64 bits, detected as malware by AI module but what is malicious ? No information about PE backdoored file... all techniques i use are documented on internet
- `Malicious` -> What is malicious ? No information about PE backdoored file... all techniques i use are documented on internet
#### Best antivirus solution for PeInjector
The best solution to detect backdoored Program Executable is probably `Zoner` because it's one of the 3 solutions that detect 4 different tests and the detection name not really bad (with `Probably Heur.ExeHeaderL` a SOC analyst can analyze PE headers and identify the file as malicious file).
> I don't know if `Zoner` is a good antivirus, i don't say it's the best antivirus for general detection, but when i wrote theses lines it's probably the best antivirus to detect the PeInjector backdoored files. It's really a specific test. I never use `Zoner` antivirus solution.
## Links
- [Pypi](https://pypi.org/project/PeInjector)
- [Github](https://github.com/mauricelambert/PeInjector)
- [Documentation](https://mauricelambert.github.io/info/python/security/PeInjector.html)
- [Python executable](https://mauricelambert.github.io/info/python/security/PeInjector.pyz)
- [Python Windows executable](https://mauricelambert.github.io/info/python/security/PeInjector.exe)
## License
Licensed under the [GPL, version 3](https://www.gnu.org/licenses/).
Raw data
{
"_id": null,
"home_page": "https://github.com/mauricelambert/PeInjector",
"name": "PeInjector",
"maintainer": "Maurice Lambert",
"docs_url": null,
"requires_python": ">=3.8",
"maintainer_email": "Maurice Lambert <mauricelambert434@gmail.com>",
"keywords": "PE, shellcode, backdoor, polymorphism, pe-injector, injection",
"author": "Maurice Lambert",
"author_email": "Maurice Lambert <mauricelambert434@gmail.com>",
"download_url": "https://files.pythonhosted.org/packages/78/14/81e2009df7cce7ed775284effe2dd40c9268dcbfb9af3adab0d982906f91/PeInjector-1.0.3.tar.gz",
"platform": "Windows",
"description": "![PeInjector Logo](https://mauricelambert.github.io/info/python/security/PeInjector_small.png \"PeInjector logo\")\n\n# PeInjector\n\n## Description\n\nThis python tool injects shellcode in Windows Program Executable to\nbackdoor it with optional polymorphism.\n\n> Support x86 ans x64 architectures.\n\n## Requirements\n\nThis package require:\n - python3\n - python3 Standard Library\n\n## Installation\n\n```bash\npython3 -m pip install PeInjector\n```\n\n```bash\ngit clone \"https://github.com/mauricelambert/PeInjector.git\"\ncd \"PeInjector\"\npython3 -m pip install .\n```\n\n## Usages\n\n### Command line\n\n```bash\nPeInjector # Using CLI package executable\npython3 -m PeInjector # Using python module\npython3 PeInjector.pyz # Using python executable\nPeInjector.exe # Using python Windows executable\n\nPeInjector test.exe 90 # Inject shellcode \"NOP\" (instruction 0x90) in test.exe\nPeInjector -p test.exe 90 # Inject polymorphism shellcode to execute \"NOP\" (instruction 0x90) in test.exe\n```\n\n### Python\n\n```python\nfrom PeInjector import *\n\nshellcode = b\"\\x90\" # NOP instruction\n\nwith open(\"target.exe\", \"rb\") as target, open(\"backdoor.exe\", \"wb\") as backdoor:\n inject(target, backdoor, shellcode, polymorphism=False)\n```\n\n## Detections\n\n> Thanks to [VirusTotal](https://www.virustotal.com/) online, public and free service. I use it to test my backdoored files and compare antivirus solution.\n\nMy *pe-injector* is not sneaky, there is no antivirus bypass and contains a lot of IOC or suspicious content but only few antivirus detect backdoored files:\n\n1. I sent 32 bits backdoored executable (compiled with gcc and stripped) on [virustotal](https://www.virustotal.com/gui/file/9ac447a91465402917f1b134923a1457728b9e4808fa273a8c71f6357cad4dc6) with a polymorphic shellcode execution but only 15 antivirus detect it as malicious. The following elements should be detected by antivirus:\n - Last section have *RWX* permissions (very very suspicious)\n - Last section name is `.inject` and contains *executable code* (PE characteristics) (very suspicious)\n - Entry point in the last section (very suspicious)\n - There are 2 section with *executable code* (PE characteristics) (suspicious)\n2. I sent 64 bits backdoored executable (compiled with gcc and stripped) on [virustotal](https://www.virustotal.com/gui/file/762853dbad74578fb6e3eb8ba50ea7ceb284237415b537511bf7ed8acf51f334) with a polymorphic shellcode execution but only 7 antivirus detect it as malicious. The following elements should be detected by antivirus:\n - Last section have *RWX* permissions (it's very very suspicious)\n - Last section name is `.inject` and contains *executable code* (PE characteristics) (very suspicious)\n - Entry point in the last section (very suspicious)\n - There are 2 section with *executable code* (PE characteristics) (suspicious)\n3. I sent 32 bits backdoored executable (compiled with gcc and stripped) on [virustotal](https://www.virustotal.com/gui/file/1b6d2690c03ff65cc43d44aa5ac77fe5be9566c19bd5d3fec9ff3a637d8b9237) with shellcode execution but only 13 antivirus detect it as malicious. The following elements should be detected by antivirus:\n - Last section name is `.inject` and contains *executable code* (PE characteristics) (very suspicious)\n - Entry point in the last section (very suspicious)\n - Last section *jump* on the first executable section (very suspicious)\n - There are 2 section with *executable code* (PE characteristics) (suspicious)\n - Last section have *RX* permissions (suspicious)\n4. I sent 64 bits backdoored executable (compiled with gcc and stripped) on [virustotal](https://www.virustotal.com/gui/file/0780d9fa7dddf3c9c1a6da67f93f3916cf85f7f6e506a5b97861961b80ccbafa) with a polymorphic shellcode execution but only 4 antivirus detect it as malicious. The following elements should be detected by antivirus:\n - Last section name is `.inject` and contains *executable code* (PE characteristics) (very suspicious)\n - Entry point in the last section (very suspicious)\n - Last section *jump* on the first executable section (very suspicious)\n - There are 2 section with *executable code* (PE characteristics) (suspicious)\n - Last section have *RX* permissions (suspicious)\n\n![VirusTotal screenshot for x86 backdoored PE with polymorphic shellcode](https://mauricelambert.github.io/info/python/security/virustotal_x86_backdoored_polymorphic.png \"VirusTotal screenshot for x86 backdoored PE with polymorphic shellcode\")\n\n![VirusTotal screenshot for x86 backdoored PE with polymorphic shellcode](https://mauricelambert.github.io/info/python/security/virustotal_x64_backdoored_polymorphic.png \"VirusTotal screenshot for x64 backdoored PE with polymorphic shellcode\")\n\n![VirusTotal screenshot for x86 backdoored PE with polymorphic shellcode](https://mauricelambert.github.io/info/python/security/virustotal_x86_backdoored.png \"VirusTotal screenshot for x86 backdoored PE with shellcode\")\n\n![VirusTotal screenshot for x86 backdoored PE with polymorphic shellcode](https://mauricelambert.github.io/info/python/security/virustotal_x64_backdoored.png \"VirusTotal screenshot for x64 backdoored PE with shellcode\")\n\n### Detection and antivirus solution comparaison\n\nOnly 3 antivirus detect all backdoored Program Executable:\n\n - Bkav Pro\n - SecureAge\n - Zoner\n\nFor all of theses antivirus solutions, there is only one interesting detection name, an antivirus solution should detect malicious files, block it and sent some basic informations to SOC analyst. For the least detected backdoored file we have the following detection names:\n\n - `BehavesLike.Win64.Kudj.lt` -> Windows 64 bits, detected as `Kudj.lt`, this detection name is very interesting because `Kudj` is a [file infector](https://www.fortiguard.com/encyclopedia/virus/10072870) but this detection name come from `Skyhigh` and this solution don't detect 32 bits backdoored files\n - `Probably Heur.ExeHeaderL` -> heuristic detection for suspicious headers, this detection is not very bad but some informations are missing\n - `W64.AIDetectMalware` -> Windows 64 bits, detected as malware by AI module but what is malicious ? No information about PE backdoored file... all techniques i use are documented on internet\n - `Malicious` -> What is malicious ? No information about PE backdoored file... all techniques i use are documented on internet\n\n#### Best antivirus solution for PeInjector\n\nThe best solution to detect backdoored Program Executable is probably `Zoner` because it's one of the 3 solutions that detect 4 different tests and the detection name not really bad (with `Probably Heur.ExeHeaderL` a SOC analyst can analyze PE headers and identify the file as malicious file).\n\n> I don't know if `Zoner` is a good antivirus, i don't say it's the best antivirus for general detection, but when i wrote theses lines it's probably the best antivirus to detect the PeInjector backdoored files. It's really a specific test. I never use `Zoner` antivirus solution.\n\n## Links\n\n - [Pypi](https://pypi.org/project/PeInjector)\n - [Github](https://github.com/mauricelambert/PeInjector)\n - [Documentation](https://mauricelambert.github.io/info/python/security/PeInjector.html)\n - [Python executable](https://mauricelambert.github.io/info/python/security/PeInjector.pyz)\n - [Python Windows executable](https://mauricelambert.github.io/info/python/security/PeInjector.exe)\n\n## License\n\nLicensed under the [GPL, version 3](https://www.gnu.org/licenses/).\n",
"bugtrack_url": null,
"license": "GPL-3.0 License",
"summary": "This python tool injects shellcode in Windows Program Executable to backdoor it with optional polymorphism.",
"version": "1.0.3",
"project_urls": {
"Documentation": "https://mauricelambert.github.io/info/python/security/PeInjector.html",
"Download": "https://mauricelambert.github.io/info/python/security/PeInjector.pyz",
"Github": "https://github.com/mauricelambert/PeInjector",
"Homepage": "https://github.com/mauricelambert/PeInjector",
"Python Executable": "https://mauricelambert.github.io/info/python/security/PeInjector.pyz",
"Windows Executable": "https://mauricelambert.github.io/info/python/security/PeInjector.exe"
},
"split_keywords": [
"pe",
" shellcode",
" backdoor",
" polymorphism",
" pe-injector",
" injection"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "781481e2009df7cce7ed775284effe2dd40c9268dcbfb9af3adab0d982906f91",
"md5": "ff0f7c69c10cf6488e5d07a61d52c28f",
"sha256": "d7858220308d3b97fee11d30be5f93512359b46e1113c8e4e0bce541ef20236a"
},
"downloads": -1,
"filename": "PeInjector-1.0.3.tar.gz",
"has_sig": false,
"md5_digest": "ff0f7c69c10cf6488e5d07a61d52c28f",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.8",
"size": 23822,
"upload_time": "2024-07-10T20:45:07",
"upload_time_iso_8601": "2024-07-10T20:45:07.449525Z",
"url": "https://files.pythonhosted.org/packages/78/14/81e2009df7cce7ed775284effe2dd40c9268dcbfb9af3adab0d982906f91/PeInjector-1.0.3.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-07-10 20:45:07",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "mauricelambert",
"github_project": "PeInjector",
"travis_ci": false,
"coveralls": false,
"github_actions": false,
"lcname": "peinjector"
}
JSON
