
Guide: full installation

JonDoNym edited this page Sep 13, 2015 · 7 revisions

Overview

Install all components (server, webgui, proxy) on one system and use it for a small example. This tutorial also works with Ubuntu and Debian.

Ports

  • 3333: python webserver (GUI)
  • 31337: peinjector data port (communication proxy <-> peinjector)
  • 31338: peinjector control port (communication GUI <-> peinjector)
  • 8080: proxy

Installation

Preparations for git clone

sudo apt-get update
sudo apt-get install git

Clone peinjector project

cd /tmp
git clone https://github.com/JonDoNym/peinjector

Install peinjector-server (Provides PE file patching as a service)

  • The install script installs gcc (if not already present)
  • Compiles the source and copies the binary to /usr/bin/peinjector
  • Installs the server as a service with autostart! (sudo service peinjector start|stop)
  • CONFIG: /etc/peinjector
  • LOG: /var/log/peinjector/
  • HELP: sudo peinjector -h

cd /tmp/peinjector/peinjector/install/
sudo chmod a+x peinjector_install.sh
sudo ./peinjector_install.sh

Install peinjector-control (manages the peinjector server via webgui)

  • The install script installs python3 (if not already present)
  • Copies the controller to /etc/peinjector-control
  • Installs the python webserver as a service with autostart! (sudo service peinjector-control start|stop)
  • CONFIG: /etc/peinjector-control
  • LOG: /var/log/peinjector-control
  • Webserver listens on: https://{your_ip}:3333/

cd /tmp/peinjector/pe-injector-control/install/
sudo chmod a+x peinjector-control_install.sh
sudo ./peinjector-control_install.sh

Install peinjector-interceptor (the MitM-Proxy with peinjector connector)

  • The install script installs mitmproxy (if not already present)!
  • Copies the interceptor to /etc/peinjector-interceptor
  • Installs the interceptor as a service with autostart! (sudo service peinjector-interceptor start|stop)
  • CONFIG: /etc/peinjector-interceptor
  • LOG: /var/log/peinjector-interceptor
  • Proxy listens on: 8080

cd /tmp/peinjector/pe-injector-interceptor/install/
sudo chmod a+x peinjector-interceptor_install.sh
sudo ./peinjector-interceptor_install.sh

Hardening

Replace the webgui certificate with your own

sudo openssl req -new -x509 -keyout /etc/peinjector-control/cert_example_do_not_use_this.pem -out /etc/peinjector-control/cert_example_do_not_use_this.pem -days 365 -nodes
sudo service peinjector-control stop
sudo service peinjector-control start

Set a password for the GUI

  1. Go to https://{your_ip}:3333/settings.htm
  2. Set a password (set password for user 'admin')
  3. Activate the authentication (enable authentication)
  4. USER: admin; PASS: {your_pass}

Bind the peinjector ports to localhost
If you do that, only the webgui and the proxy on the same host can connect to the injector server (recommended).

  1. Go to https://{your_ip}:3333/injector.htm
  2. Click on the local button (control interface)
  3. Click on the local button (data interface)
  4. Click on the restart button to restart the peinjector

Usage

  1. Go to https://{your_ip}:3333
  2. Navigate to "shellcode"
  3. Scroll to "demo (calc)"
  4. Click on "create and send shellcode"
  5. Set your firefox proxy setting to {your_ip}:8080
  6. Download any PE file (example: putty.exe, or an AV setup of several hundred megabytes to see the seamless infection in action)
  7. You will see that the program is infected!

Peinjector features

  • Remove integrated integrity checks, such as PE header checksums, certificates, force-check-checksum-flag, ...
  • Try to inject the shellcode at the end of an executable section. This is possible because of the gap between the SizeOfRawData and the VirtualSize value.
  • Try to resize an executable section and to inject the shellcode there. This is possible because of the gap between the FileAlignment and the SectionAlignment value.
  • Insert a new section and inject the shellcode there.
  • Try to discover if the executable could possibly detect infection (e.g. NSIS setups) and skip the executable.
  • Generate a random name for sections created by the "new section name" flag.
  • Encrypt payload with random keys. The decryption stub is generated and obfuscated individually on-the-fly for each injection, using the integrated polymorphic engine.
  • Inject shellcode with one of the enabled methods and insert an obfuscated jump to the payload in another section. The EP then no longer points to the shellcode, but this can increase some AVs' heuristic detection rate. (default: OFF)
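The feature list above names two header traits a defender can check for on a downloaded executable: a removed or broken PE header CheckSum, and an entry point that lands in an appended, oddly named section. The following is an added example written for this page, not code from the peinjector project; it recomputes the CheckSum with the documented imagehlp algorithm, locates the entry point's section, and includes a constructed minimal PE32 header builder (headers only, not a runnable program) so it can be tried offline.

```python
import struct

def pe_checksum(data, checksum_off):
    # imagehlp CheckSum: fold all 16-bit words except the stored CheckSum
    # dword into 16 bits with end-around carry, then add the file length.
    padded, total = data + b"\0" * (len(data) & 1), 0
    for off in range(0, len(padded), 2):
        if off not in (checksum_off, checksum_off + 2):
            total += struct.unpack_from("<H", padded, off)[0]
            total = (total & 0xFFFF) + (total >> 16)
    return ((total & 0xFFFF) + (total >> 16)) + len(data)

def audit_pe(data):
    # Report whether the CheckSum is present and correct, and which section
    # holds the entry point (an appended, random-name section is suspicious).
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt = pe + 24                                            # optional header
    sect = opt + struct.unpack_from("<H", data, pe + 20)[0]  # section table
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    stored = struct.unpack_from("<I", data, opt + 64)[0]
    names, entry_section = [], None
    for s in range(sect, sect + 40 * nsec, 40):
        name = data[s:s + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rawsize = struct.unpack_from("<III", data, s + 8)
        names.append(name)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            entry_section = name
    return {"checksum_ok": stored != 0 and stored == pe_checksum(data, opt + 64),
            "entry_section": entry_section, "sections": names}

def build_sample_pe(entry_rva, sections, checksum=None):
    # Constructed PE32 headers only (no code, not runnable): 64-byte DOS header,
    # COFF header, 224-byte optional header and one 40-byte entry per section.
    pe_off, opt_size = 0x40, 224
    hdr = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", pe_off))
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                # AddressOfEntryPoint
    hdr += opt
    for name, vsize, vaddr, rawsize, chars in sections:       # name is bytes
        hdr += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, 0, 0, 0, 0, 0, chars)
    if checksum is None:                                      # correct value, as a linker writes it
        checksum = pe_checksum(bytes(hdr), pe_off + 24 + 64)
    struct.pack_into("<I", hdr, pe_off + 24 + 64, checksum)
    return bytes(hdr)
```

Run audit_pe on a real download: a stored CheckSum of zero is common for unsigned builds, so treat checksum_ok alone as weak evidence, but a mismatching non-zero CheckSum or an entry point in a trailing non-standard section warrants a closer look.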