A forum for reverse engineering, OS internals and malware analysis 
 #9413  by rndbit
 Wed Oct 26, 2011 1:02 pm
I am trying to make my executable run disguised as svchost.exe. I believe everyone here should be aware of this technique (start the real svchost.exe suspended, copy your own sections into the created process and resume the thread).

It works as long as no packing is applied to my custom executable. When I pack my exe with UPX/MPRESS, the forked instance (my code running inside Windows' svchost.exe) cannot catch C++ exceptions. Throwing an exception results in termination of the application.

There was another problem: even the original non-packed file did not work; to make it work I had to compile it with the name svchost.exe (the module name is stored somewhere in the PE). Doing that made the injected uncompressed image process exceptions just fine. Fyyre gave me the idea that it could be DEP that is messing things up, and sure enough, when I changed the protection flags to PAGE_EXECUTE_READWRITE for the whole image copied into the svchost.exe process, it works even with the name changed. I do not know if this problem is relevant, but maybe...

Does anyone have any idea what could be killing exception support in this situation?

I attached my test executables; it would be cool if anyone got curious enough to poke around, since I am completely out of ideas.

EDIT:
I forgot to mention what the test files do and should do, so here it goes:
The process starts svchost.exe suspended, injects itself and resumes the process. The resumed process will then throw an exception inside a 'try' block, and if it is caught successfully a message box should appear signalling success. There are also some debugging messages to be seen via DbgView.
 #9415  by newgre
 Wed Oct 26, 2011 2:31 pm
Have you checked whether the original executable has the NO_SEH flag set? This causes the process to be terminated when an exception is triggered that doesn't have a corresponding entry in the exception table.
 #9434  by rndbit
 Fri Oct 28, 2011 12:50 pm
holly wrote: all 3 exes pop the message box "Exception thrown and caught" in my pure clean (nothing installed) VM.
Hmm, that is interesting! What OS do you run on the VM?

Indeed, it runs on my WinXP x86 VM and fails on Win7 x86...

EDIT:
We solved it: I just needed to recompile with /NXCOMPAT:NO and now it works on Win7 too. Credit goes to Fyyre for the idea ^_^
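An added example, not code from the thread or its attachments: a small C parser for the two PE header bits the thread turns on. It reads the DllCharacteristics word of the optional header, which carries both NO_SEH (newgre's question) and NX_COMPAT (the bit that /NXCOMPAT:NO clears), and it maps each section's Characteristics to the PAGE_* value a hollowing loader should pass to VirtualProtectEx instead of marking the whole copied image PAGE_EXECUTE_READWRITE. ntdll's SEH handler validation accepts a handler from an image without a SafeSEH table only if the image is not NX-compatible or the handler lies in executable memory, which is why both of the thread's fixes work: one makes the pages executable, the other clears NX_COMPAT. The PE and PAGE_* constants are redefined with their winnt.h values so this compiles off Windows, and the image it parses is a constructed headers-only PE32 built in memory by build_sample_pe(), not the original test executable.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Values match winnt.h; redefined so the file builds on any platform. */
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT    0x0100
#define IMAGE_DLLCHARACTERISTICS_NO_SEH       0x0400
#define IMAGE_SCN_MEM_EXECUTE 0x20000000u
#define IMAGE_SCN_MEM_READ    0x40000000u
#define IMAGE_SCN_MEM_WRITE   0x80000000u
#define PAGE_NOACCESS          0x01
#define PAGE_READONLY          0x02
#define PAGE_READWRITE         0x04
#define PAGE_EXECUTE           0x10
#define PAGE_EXECUTE_READ      0x20
#define PAGE_EXECUTE_READWRITE 0x40

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff; }

/* Offset of the COFF file header (just past "PE\0\0"), or 0 if not a PE image. */
static size_t pe_coff_offset(const uint8_t *img, size_t len) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t e_lfanew = rd32(img + 0x3c);
    if ((size_t)e_lfanew + 24 > len || memcmp(img + e_lfanew, "PE\0\0", 4) != 0) return 0;
    return (size_t)e_lfanew + 4;
}

/* DllCharacteristics is 70 bytes into the optional header for both PE32 and PE32+. */
int pe_dll_characteristics(const uint8_t *img, size_t len, uint16_t *out) {
    size_t coff = pe_coff_offset(img, len);
    if (!coff) return -1;
    size_t opt = coff + 20;
    uint16_t opt_size = rd16(img + coff + 16);
    if (opt_size < 72 || opt + opt_size > len) return -1;
    uint16_t magic = rd16(img + opt);
    if (magic != 0x10b && magic != 0x20b) return -1;   /* PE32 / PE32+ */
    *out = rd16(img + opt + 70);
    return 0;
}

/* Characteristics of section `index` (40-byte headers follow the optional header). */
int pe_section_characteristics(const uint8_t *img, size_t len, unsigned index, uint32_t *out) {
    size_t coff = pe_coff_offset(img, len);
    if (!coff) return -1;
    uint16_t nsec = rd16(img + coff + 2);
    size_t sect = coff + 20 + rd16(img + coff + 16) + (size_t)index * 40;
    if (index >= nsec || sect + 40 > len) return -1;
    *out = rd32(img + sect + 36);
    return 0;
}

/* IMAGE_SCN_MEM_* bits -> the least-privileged PAGE_* protection for that section. */
uint32_t pe_section_protection(uint32_t ch) {
    int x = !!(ch & IMAGE_SCN_MEM_EXECUTE), w = !!(ch & IMAGE_SCN_MEM_WRITE), r = !!(ch & IMAGE_SCN_MEM_READ);
    if (x) return w ? PAGE_EXECUTE_READWRITE : (r ? PAGE_EXECUTE_READ : PAGE_EXECUTE);
    if (w) return PAGE_READWRITE;
    return r ? PAGE_READONLY : PAGE_NOACCESS;
}

/* Constructed sample: headers only, PE32, DYNAMIC_BASE|NX_COMPAT|NO_SEH, .text (RX) and .data (RW). */
size_t build_sample_pe(uint8_t *buf, size_t cap) {
    const size_t total = 0x40 + 4 + 20 + 224 + 2 * 40;   /* 0x188 bytes */
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, 0x40);                      /* e_lfanew */
    memcpy(buf + 0x40, "PE\0\0", 4);
    uint8_t *coff = buf + 0x44;
    wr16(coff + 0, 0x14c); wr16(coff + 2, 2); wr16(coff + 16, 224);   /* i386, 2 sections, PE32 opt hdr */
    uint8_t *opt = coff + 20;
    wr16(opt, 0x10b);
    wr16(opt + 70, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT | IMAGE_DLLCHARACTERISTICS_NO_SEH);
    uint8_t *sec = opt + 224;
    memcpy(sec, ".text", 5);      wr32(sec + 36, 0x60000020u);        /* CODE|EXECUTE|READ */
    memcpy(sec + 40, ".data", 5); wr32(sec + 40 + 36, 0xC0000040u);   /* INITIALIZED_DATA|READ|WRITE */
    return total;
}

static uint8_t g_sample[0x200];
uint16_t sample_dll_characteristics(void) {
    uint16_t dc = 0;
    size_t n = build_sample_pe(g_sample, sizeof g_sample);
    return pe_dll_characteristics(g_sample, n, &dc) == 0 ? dc : 0;
}
uint32_t sample_section_protection(unsigned index) {
    uint32_t ch = 0;
    size_t n = build_sample_pe(g_sample, sizeof g_sample);
    return pe_section_characteristics(g_sample, n, index, &ch) == 0 ? pe_section_protection(ch) : 0;
}

int main(void) {
    uint16_t dc = sample_dll_characteristics();
    printf("DllCharacteristics=0x%04x NX_COMPAT=%d NO_SEH=%d\n", dc,
           !!(dc & IMAGE_DLLCHARACTERISTICS_NX_COMPAT), !!(dc & IMAGE_DLLCHARACTERISTICS_NO_SEH));
    for (unsigned i = 0; i < 2; i++)
        printf("section %u -> PAGE_* 0x%02x\n", i, sample_section_protection(i));
    return 0;
}
```

To inspect a real file, read it into a buffer and pass it to pe_dll_characteristics() and pe_section_characteristics(); the parser is bounds-checked, so a truncated or non-PE buffer yields -1 rather than an out-of-bounds read. In a hollowing loader, the per-section PAGE_* value is what to hand to VirtualProtectEx for each copied section, which keeps .text executable without making .data executable too.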