4. Hacking PuTTY with Immunity (30 pts)

What You Need

A Windows machine, real or virtual. I used a Windows Server 2016 cloud machine.

Purpose

To modify a Windows EXE file and save an altered version. This gives you practice with very simple features of the Immunity debugger.

4.1: Target EXE Recon (10 pts)

First we'll examine how PuTTY works without modifying it.

Get putty.exe

Putty is a common SSH client for Windows. It's harmless, but we will modify it to add Trojan code.

In a Web browser, right-click this link and save the putty.exe file:

https://samsclass.info/127/proj/putty.exe

Running Putty

Double-click putty.exe. In the "Open File - Security Warning" box, clear the "Always ask before opening this file" box, as shown below, and click Run.

PuTTY opens, as shown below.

In the "Host Name (or IP address)" box, type

ad.samsclass.info

At the bottom, click the Open button.

In the "PuTTY Security Alert" box, click Yes.

A black box opens, and shows a "login as:" prompt, as shown below.

You could log in to a server at this point, but that's not the point of this project. We will alter this program to do other things instead of printing "login as".

Close the Putty window. In the "PuTTY Exit Confirmation" box, click OK.

Starting the Immunity Debugger

On your desktop, right-click the Immunity icon and click "Run as Administrator".

In the User Account Control box, click Yes.

From the Immunity menu bar, click File, Open. Navigate to putty.exe and open it.

Immunity opens, as shown below. If your screen doesn't look like this, click View, CPU and maximize the CPU window.

Immunity shows you a lot of data, but for now just notice the Assembly Code in the top left pane, and the yellow Paused message in the lower right corner.

When you load a program into Immunity, it starts in a "Paused" state, with the Assembly Code window showing the first instruction.

Running Putty in Immunity

In Immunity, from the menu bar, click Debug, Run.

Click Debug, Run again.

PuTTY opens, and its icon appears on the taskbar at the bottom of the Windows desktop, as outlined in red in the image below.

Click the PuTTY icon to see the PuTTY window, as shown below.

Click in the Putty window. In the "Host Name (or IP address)" box, type

ad.samsclass.info

At the bottom, click the Open button. The "login as" message appears, as shown below.

Putty is running, but it's under the control of Immunity, so we can modify its execution.

Finding the "login as" Code

Close the Putty window. In the "PuTTY Exit Confirmation" box, click OK.

In Immunity, from the menu bar, click Debug, Restart.

Click Debug, Run.

The top left pane of Immunity shows assembly instructions, starting with PUSH 60, as shown below.

Move the mouse pointer into the top left pane. Right-click. Point to "Search for". Click "All referenced text strings", as shown below.

A "Text strings referenced in putty:.text" window opens, showing all the strings in the program.

Scroll to the top of the window and click on the first line, so it is highlighted.

Right-click in the window, and click "Search for text", as shown below.

In the "Enter text to search for" box, type

login as

as shown below.

Click OK.

Immunity finds the ASCII string "login as", and the instruction that uses it, as shown below. This instruction is at address 00417053.

Right-click again, and click "Search next".

Immunity finds another line of code that uses this string, as shown below. This instruction is at address 0041CB6E.

Using Breakpoints

We'll set a breakpoint at this instruction, at address 0041CB6E.

On your keyboard, press the F2 key. Mac users, press fn+F2. The address turns red, as shown below, to indicate that there's a breakpoint here.

In Immunity, from the menu bar, click Debug, Restart.

A box pops up warning you that "Process 'putty' is active". Click Yes.

In Immunity, from the menu bar, click Debug, Run.

Click Debug, Run again.

PuTTY opens, as shown below.

Click in the Putty window. In the "Host Name (or IP address)" box, type

ad.samsclass.info

At the bottom, click the Open button.

A black window opens, but before the "login as" message appears, the program stops, as shown below.

Notice the "Paused" message in the lower right, and the "Breakpoint at putty.0041CB6E" message in the lower left, as shown below.

The program stopped at instruction 0041CB6E, as shown in the image above.

We'll use this instruction to hijack the program's execution.


4.1. Recording Your Success (10 pts)

In the image above, on the right side, the EAX register points to an ASCII string, covered by a green box.

Enter that text into the form below to record your success!

Your Name:
ASCII String:

4.2: Alter the Login Message (10 pts)

Now we'll make a slightly modified version of PuTTY, with a login prompt that is missing one letter.

Removing the Breakpoint

We don't need the breakpoint any more, so we'll remove it.

In Immunity, from the menu bar, click View, Breakpoints.

A "Breakpoints" window opens, showing the breakpoint.

Right-click the breakpoint and click Remove, as shown below.

Close the "Breakpoints" window.

Maximize the CPU window.

Viewing the Stored Message

In Immunity, in the CPU window, in the Assembly Code pane, right-click the instruction at address 0041CB6E and click "Follow in Dump", "Immediate constant", as shown below.

The lower left pane shows the stored "login as" message, in hexadecimal and ASCII text, as shown below.

Skipping the First Letter In the Message

In Immunity, in the CPU window, in the Assembly Code pane, right-click the instruction at address 0041CB6E and click Assemble, as shown below.

An "Assemble at 0041CB6E" box appears, as shown below.

This shows the command at this location. It's a PUSH instruction, placing the address 467C7C onto the stack. That address points to the letter "l" in the ASCII string "login as: ", as shown on the right side of the instruction line, outlined in green in the image below.

In the "Assemble at 0041CB6E" box, change the last character of the address from C to D, so the instruction reads PUSH 467C7D, as shown below. This moves the pointer one byte forward, from the "l" to the "o" in the string "login as: ".

Click the Assemble button.

Click the Cancel button.

The message on the right now says "ogin as: ", as shown below.
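The string search in section 4.1 and the one-byte operand change above both rest on the same mechanics: a 32-bit x86 PUSH of an immediate is the opcode byte 68 followed by the address in little-endian order, so "PUSH 467C7C" is the bytes 68 7C 7C 46 00, and the debugger's "All referenced text strings" search is a hunt for instructions whose operand equals a string's address. The following Python is an added example that is not part of this project page and not Immunity's or PuTTY's code; it rebuilds that search and the comment column over constructed section images (NOP filler with the two PUSH instructions placed at the addresses 00417053 and 0041CB6E that the walkthrough reports, and "login as: " placed at 00467C7C). The real putty.exe bytes are not reproduced here, so the section contents, their base addresses and the section sizes are assumptions.

```python
import struct

# x86 (32-bit) PUSH imm32: opcode 0x68 followed by a little-endian 4-byte
# immediate, so "PUSH 467C7C" assembles to 68 7C 7C 46 00.
PUSH_IMM32_OPCODE = 0x68


def encode_push_imm32(value: int) -> bytes:
    """Byte encoding of PUSH imm32 with the given immediate (a string VA here)."""
    return bytes([PUSH_IMM32_OPCODE]) + struct.pack("<I", value)


def find_string_va(data_section: bytes, data_va: int, text: bytes):
    """VA of the first occurrence of text in a data section mapped at data_va, or None."""
    idx = data_section.find(text)
    return None if idx < 0 else data_va + idx


def find_push_references(code_section: bytes, code_va: int, target_va: int):
    """VAs of every PUSH imm32 whose operand equals target_va.

    This is a raw byte scan rather than a disassembly, so a 5-byte match that is
    really the tail of some other instruction would be reported too; a
    disassembler-driven search such as Immunity's avoids that false positive.
    """
    needle = encode_push_imm32(target_va)
    hits, start = [], 0
    while (idx := code_section.find(needle, start)) >= 0:
        hits.append(code_va + idx)
        start = idx + 1
    return hits


def string_at(data_section: bytes, data_va: int, va: int) -> bytes:
    """NUL-terminated string that a PUSH operand points at: the text the
    debugger prints as ASCII "..." beside the instruction."""
    off = va - data_va
    if not 0 <= off < len(data_section):
        raise ValueError(f"VA {va:#x} lies outside the data section")
    end = data_section.find(b"\0", off)
    return data_section[off:end if end >= 0 else len(data_section)]


# --- constructed sample image (assumed layout, not the real putty.exe bytes) ---
# Data section mapped at 0x467C00 with "login as: " stored at VA 0x467C7C.
DATA_VA = 0x467C00
_data = bytearray(b"\0" * 0x100)
_data[0x7C:0x7C + 11] = b"login as: \0"
DATA = bytes(_data)

# Code section mapped at 0x417000, NOP filler, with the two references placed
# at the addresses the walkthrough reports (00417053 and 0041CB6E).
CODE_VA = 0x417000
_code = bytearray(b"\x90" * 0x6000)
for _va in (0x417053, 0x41CB6E):
    _off = _va - CODE_VA
    _code[_off:_off + 5] = encode_push_imm32(0x467C7C)
CODE = bytes(_code)


def demo():
    """Locate the string, list the PUSH instructions referencing it, and show
    what the operand points at before and after the C-to-D edit (467C7C -> 467C7D)."""
    string_va = find_string_va(DATA, DATA_VA, b"login as")
    refs = find_push_references(CODE, CODE_VA, string_va)
    before = string_at(DATA, DATA_VA, string_va)       # PUSH 467C7C
    after = string_at(DATA, DATA_VA, string_va + 1)    # PUSH 467C7D
    return string_va, refs, before, after


if __name__ == "__main__":
    va, refs, before, after = demo()
    print(f'"login as" stored at {va:#010x}, referenced by PUSH at',
          [f"{r:#010x}" for r in refs])
    print("operand 467C7C ->", before, "| operand 467C7D ->", after)
```

The same scan explains why the edited instruction's comment reads "ogin as: " without any byte of the string having changed: only the operand moved, so the pointer now lands one byte into the same NUL-terminated string.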

Saving the Modified Program

In Immunity, in the upper left pane, right-click and click "Copy to executable", "All modifications", as shown below.

In the "Copy selection to executable file" box, click the "Copy all" button, as shown below.

A window appears containing only the assembly code.

Right-click in this window and click "Save File", as shown below.

Save the file in your Downloads folder as putty2.exe.

Close Immunity.

Running the Modified File

In your Downloads folder, double-click putty2.exe.

PuTTY opens, as shown below.

In the "Host Name (or IP address)" box, type

ad.samsclass.info

A black box opens, and shows a "ogin as:" prompt, as shown below.

Installing HashCalc

To record your success, you need to calculate a hash value of the modified file.

In Internet Explorer, go to

https://www.slavasoft.com/hashcalc/

On the left side, click Download, as shown below.

Save the file in your Downloads folder. Open the downloaded file and install the software with the default options.

When HashCalc is installed, it opens. In the Data field, on the right side, click the ... button.

In the Find box, navigate to your Downloads folder and double-click putty2.exe.

In the HashCalc window, at the bottom, click the Calculate button.

The MD5 hash of your file should match the value shown in the image below.
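HashCalc reports the whole-file MD5 and CRC32, which is enough to tell that a file was changed but not where. The Python below is an added example, not code from this page, from HashCalc or from PuTTY: it computes the same two digests (MD5 as 32 hex digits, CRC32 as 8 hex digits, both lowercase here) and adds a byte-level comparison that reports each contiguous run of changed bytes between an original and a patched copy. The sample images are constructed to mirror the edits in this project (a PUSH operand byte 7C changed to 7D, and the eight bytes "ogin as:" overwritten with "DARKNESS"); the offsets and filler are assumptions, and the real hash values from the screenshot are not reproduced.

```python
import hashlib
import zlib


def md5_hex(data: bytes) -> str:
    """MD5 as 32 lowercase hex digits, the form shown in HashCalc's MD5 field."""
    return hashlib.md5(data).hexdigest()


def crc32_hex(data: bytes) -> str:
    """CRC32 (IEEE, as zlib computes it) as 8 zero-padded lowercase hex digits."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


def file_digests(path: str) -> dict:
    """MD5 and CRC32 of a file on disk, e.g. putty2.exe in your Downloads folder."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"md5": md5_hex(data), "crc32": crc32_hex(data)}


def changed_runs(original: bytes, modified: bytes):
    """Contiguous runs of differing bytes between two same-length images,
    as (offset, old_bytes, new_bytes) tuples.

    In-place patching in a debugger keeps the file size, so a size mismatch
    means something other than the edits practised here was done to the file.
    """
    if len(original) != len(modified):
        raise ValueError(f"size differs: {len(original)} vs {len(modified)} bytes")
    runs, start = [], None
    for i, (a, b) in enumerate(zip(original, modified)):
        if a != b:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, original[start:i], modified[start:i]))
            start = None
    if start is not None:
        runs.append((start, original[start:], modified[start:]))
    return runs


# --- constructed sample images (assumed layout, not the real putty.exe) ---
_img = bytearray(b"\x90" * 0x100)
_img[0x40:0x45] = b"\x68\x7c\x7c\x46\x00"      # PUSH 467C7C
_img[0x80:0x8B] = b"login as: \0"               # the referenced string
ORIGINAL = bytes(_img)

_img2 = bytearray(ORIGINAL)
_img2[0x41] = 0x7D                              # PUSH 467C7D (section 4.2)
PATCHED_POINTER = bytes(_img2)

_img3 = bytearray(PATCHED_POINTER)
_img3[0x81:0x89] = b"DARKNESS"                  # overwrite "ogin as:" (section 4.3)
PATCHED_STRING = bytes(_img3)


def describe(original: bytes, modified: bytes) -> list:
    """Human-readable lines for each changed run, plus whether the digests differ."""
    lines = []
    for off, old, new in changed_runs(original, modified):
        lines.append(f"offset {off:#06x}: {old.hex()} -> {new.hex()} ({old!r} -> {new!r})")
    same = md5_hex(original) == md5_hex(modified)
    lines.append("MD5 unchanged" if same else "MD5 differs")
    return lines


if __name__ == "__main__":
    for name, img in (("pointer patch", PATCHED_POINTER), ("string patch", PATCHED_STRING)):
        print(f"== {name}: md5={md5_hex(img)} crc32={crc32_hex(img)}")
        for line in describe(ORIGINAL, img):
            print("  ", line)
```

To check a downloaded binary against a published digest, compare `file_digests(path)["md5"]` with the published value case-insensitively; to see what a modified copy changed, run `changed_runs` on the two files' bytes.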


4.2. Recording Your Success (10 pts)

In HashCalc, find the CRC32 value, covered by a green box in the image above.

Enter that value into the form below to record your success!

Your Name:
CRC32:

4.3: Change the Login Message to DARKNESS (10 pts)

Now we want to change the text from "ogin as: " to "DARKNESS".

Launch Immunity. In Immunity, open putty2.exe.

Move your mouse into the lower left pane of the CPU window, which is the "hex dump" pane.

Right click, point to "Go to", and click Expression, as shown below.

Enter 41CB6E into the box, as shown below. Click OK.

Immunity shows the PUSH instruction you modified previously, which references a pointer to the ASCII string "ogin as:", as shown below.

Right-click the PUSH instruction and click "Follow in Dump", "Immediate constant", as shown below.

The lower left pane of Immunity shows the text "ogin as: ", as shown below.

In the top left of the Hex Dump pane, point to 6F, hold down the left mouse button, and highlight the entire row of 8 bytes, as shown below.

Right-click the highlighted bytes. Then point to Binary, and click Edit, as shown below.

An "Edit data at 00467C7D" box opens, as shown below.

Click in the ASCII box, press Backspace to move back to the start, and overwrite the message with DARKNESS as shown below.

Click OK.

Saving the Modified EXE

In Immunity, in the lower left pane of the CPU window, right-click and click "Copy to Executable File", as shown below.

A new window pops up, with a title beginning with "File", as shown below.

Right-click in the new window and click "Save file".

Save the file in your Downloads folder as putty3.exe.

Running the Modified EXE

Close Immunity.

Double-click putty3.exe.

In the "Host Name (or IP address)" box, type

ad.samsclass.info

At the bottom, click the Open button.

A black box opens, and shows a prompt of DARKNESS, as shown below.

Calculating the Hash

Use HashCalc to calculate the hash of the putty3.exe file, as shown below.


4.3. Recording Your Success (10 pts)

In HashCalc, find the CRC32 value, covered by a green box in the image above.

Enter that value into the form below to record your success!

Your Name:
CRC32:

Sources

Backdooring PE Files - Part 1

Art of Anti Detection 2 – PE Backdoor Manufacturing

https://github.com/EgeBalci/Cminer

https://en.wikipedia.org/wiki/Code_cave

http://stackoverflow.com/questions/787100/what-is-a-code-cave-and-is-there-any-legitimate-use-for-one

The Beginners Guide to Codecaves

Reversing with immunity debugger


Revised 3-3-18
Immunity download link updated 10-6-18