• 0

How-To write an exe packer in VB ?


Question

Well, first... an exe packer/wrapper is a program that packs an exe file in a third party exe. Just like zip files with the exception that the archive will be an exe file and that the third party exe can automatically extract/unpack the first (packed file) to memory (RAM) without even extracting it to disk first. If you don't understand a word of what i am saying then just go to www.aspack.com and find out! (aspack is a very famous and powerful exe wrapper/packer but it is written in delphi).

The whole meaning of this post is to brainstorm about designing an exe wrapper/packer in VB! It may be impossible to write one in VB but we are gonna find out soon enough! (i hope!). I have thought of lots of ideas but the most of them suck so i will explain the best one till now.

exe(1) = exe that we wanna pack in our packer

exe(2) = our packer

So, my thinking is to open the exe(1) in binary... read all the bytes and add them in an array... afterwards we will use a compression methode on the array, (so we can minimize the size of our data) and then add the compressed array in exe(2). So far so good! Now exe(2) after execution must read the added compressed data from its self; load them up in an array... decompress the data and write them to memory (RAM). My difficulty was (and still is :huh: ) - how - can we write it to memory and executing afterwards! (cause we wanna execute it after extraction) anyway, i have ended to the solution to use an api call to write our decompressed array to memory. ("Private Declare Function WriteProcessMemory Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long

"). But the question is... would that work? I've been too busy lately to try this and of course TOO lazy! :shifty:

I hope we can end up at a possible solution of this "exe wrapper/packer" soon! or we can just admit that VB is not able to write such programs! but I'm almost 100% sure that there - must - be a way to write this proggie in VB.

By the way... all the exe wrappers/packers I've seen or heard ar written in delphi, assembly or C/C++.

cheerz,

-thelord

Link to comment
https://www.neowin.net/forum/topic/147713-how-to-write-an-exe-packer-in-vb/
Share on other sites

8 answers to this question

Recommended Posts

  • 0

The first issue that I (as a pro VB dev for the past dozen years) have is that it basically impossible to send out JUST a VB EXE - it tends to need associated DLLs, etc. To create a package program the deal is that it, usually, needs to run without any associations.

Not to be a naysayer... just want to get that point out there. I'd be happy if someone can prove me wrong. (not like I've never been wrong before :blush: )

  • 0

Thanks for the remark jameswjrose, but I already knew that! my goal is to write such a proggie to protect any other of my applications from reverse engineering. I don't want to write a packer and distribute it... I just wanna make a more safe protection for my proggies. Not that I care that much but I consider this as a challenge.

cheerz,

-thelord

  • 0

Ah, I miss construde your point. My appologies.

Have you even tried Decompilers? More often than not they suck (big time!) It seems a big deal to go to this length to protect your intelectual property. Simply copyrighting your software gives you the legal protection you'll need if someone does steal it.

I know, that wont help when/if someone does in the effect that now you have to take time/money and other resources to deal with this issue...

Again, not to be a naysayer... just trying to make sure you're putting your efforts where they can be of best use. I'll think about code-encryption issues and the like over the next few days and see if I can get anything back to you.

  • 0

Well, I know about decompilers but I was not able to find one for VB6. I've been looking for more than a year and still no result! So I guess there must not exist one for VB6 and if it does then its waayy too difficult to find or they cost toooo much money! :pinch: And Copyrighting your software is not enough! In conclusion... we are screwed unless we use a more powerful way to protect our apps from being reversed angineered! Aspack is a greeaat choice to protect your apps although older versions have been cracked, but in my opinion having your own packer with your own encryptions compression types and lots of other protections would be more difficult for crackers cause it will not be a common external protection.

cheerz,

-thelord

  • 0

Hi,

Came across this thread while i was trying to write protection from

reverse engineering, since then i have written an application that does

just that :)

Files & Executables:

You can pretty much just append data to any executable file.

For Example:

Public function AppendExec(ExePath as string, FilePath as string) as boolean
on error goto Err

open ExePath for binary access write as #1
open FilePath for binary access read as #2
put 1, filelen(exepath), "[START]" & input(lof(2),1)
close #1
close #2

AppendExec = True
Exit function
Err:
AppendExec = False
End Function

with that in mind we now have a method of inserting files into

executables in a retrievable manner.

Public function ReadAttatched(Path as string) as string
Dim DTA as string

open path for binary access read as #1
DTA = input(lof(1),1)
close #1

ReadAttatched = mid(DTA, instr(DTA, "[START]") + 8, len(DTA))
end function

IE:

ReadAttatched app.path & "\" & app.exename & ".exe"

Now, the data returned by ReadAttatched could be compressed, encrypted or whatever, you just need to undo whatever changes you made to the data before you can do anything with it, in my project the data was compressed first using an LZW algorythm and then encrypted using a cipher based on the Sandorf Cipher (SCX) which i designed myself.

The Hard Part:

Ok so you have your file(s) in a variable, say for arguments sake its just a single executable, what do you do with it? well you could just dump it to a file and shell it, but then it'd be in "The Wild" again and packing it into your own executable was pointless, so we need to load it directly into memory (im not going to release source for this, as it can be used maliciously)

You load it into memory by starting another instance of your application with the thread frozen, you then over-write the new threads memory with the image of the executable in the variable and finaly resume the thread.

You now have an executable running in memory that doesn't exist on the hard drive and windows thinks the executable's path is that of your application.

Further Protection Ideas:

You could beef up security by adding debug protection, there are several ways to do this, including the win api IsDebuggerPresent, i have a few ideas of my own.

Enumerate hWnds:

Loop through all window handles and get their window titles, if they contain Soft Ice or whatever then thats a debugger, take appropriate action (Close Softice, end your application, end your app and make it delete itself)

Enumerate Process Memory Space:

Get all process ID's (System snapshot) and read their process memory space, if it contains Soft Ice or any other string associated with debugging or disassembling take appropriate action.

You could also scan your own process to check if any key functions have been changed.

Junk math algorythms & Junk function names:

Create a low resource impact math algorythm with many facets, with a function name like "IsKeyvalid" or "Generate Key" it'll waste the time of anyone trying to crack a key within your application, they will be trying to figure out where the junk math takes them, and what its use is within the application, when infact its just pointless, if you do a good job of this it could put all but the most hardy crackers off.

Break-point detection:

When a debugger is attatched to your process and a break-point is set, certain functions may take longer, but its not a good idea to measure this within your application, so we could link two files together and use them to monitor eachother

Security Application + Our application hook together using Memory Mapped files for communication, they then ask eachother "Questions" and time the response.

Security Application: "Are you ok?"

Our application: "Yes thanks, how about you?"

Security Application: "I'm Fine, and you?"

etc etc.

Obviously the questions wouldn't be plain text like that but unique encrypted strings based on changing data, like the time, or X & Y positions of the mouse.

If the security application doesn't respond within say one second then its being debugged and is currently within a break-point so take appropriate action, the same with our application if it doesn't respond its within a break point.

This security executable could be contained within our application as a resource, or appended to the end just like all the other files, and extracted and executed at runtime (to make it even harder it could be memory loaded too)

Compilation:

Some debuggers don't like p-code, so compile it in that, you could also use some compiler strings to change certain things when the executable is created, at least it'll look weird and confusing to anyone snooping around, at most it'll crash the debugger / disassembler.

I used all of that and now i can create packaged Compressed + Encrypted executables which are impossible to disassemble, debug or view in any way, yet execute perfectly normaly.

Hope this helps

Max

  • 0

The actual execution stub is usually in assembly because of size and speed, and because you can directly execute memory in assembly.

You can write the excryption code in VB, and if you follow the PE file format correctly, you could rebuild the PE file correctly, but it is probably more painful than you think. PM me if you want some help.

Edited by b0b
  • 0

Actually, my stub is written in plain VB infact all of the methods i posted above are written in VB for my project :)

Although if you wanted to use InlineASM or C in your VB IDE or create true StdCall DLL's with VB instead of ActiveX Hybrids have a look at ThunderASM :)

Strange enough, over the years iv'e managed to do all sorts of things with VB, Port it directly to PalmOS, Symbian and even Linux with various addins, and tweaks. Now writing asm directly into VB Functions EG:

Public function SomeAsmCode(VarHere as string) as string
' asm ' .586
' asm '
' asm ' mov eax, 10
end function

seems the way to go, they even managed to hijack vb's left, right, instr, mid etc etc functions and code ASM counterparts which are much faster, aswell as using VB's IntelliType when coding ASM in the IDE.

Anyway thats off topic.

Andareed quite correct it probably isn't impossible to break, but its deffinately not easy, you cannot change core functions in memory (they are checked) you do not have access to the executable on disk (Compressed and Encrypted, neither algorythm is documented) and you cannot (easily) debug the stub as it is protected by various methods, and if you did manage to strap a debugger two it (and somehow defeat/emulate the encrypted comms between the SecExe and the Stub loader you'd get lost inside garbage functions)

It'd be a pain-in-the-proverbial to do anything meaningfull too with any reverse engineering applications, it will never be "Impossible" but you get the idea.

the point is, its more than possible (iv'e done it) to create a packer/loader, with some very nice security features built into it using no more than VB.

Regards

Max

Edited by MaxMouse
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • Totally different vehicles. Uber has partnered with Waymo for level 5 autonomous vehicles. Waymo has completed 10 million trips and to date, there have been 696 accidents in 4 years and of those 16 of them appear to have been due to an error by the car. In total airbags have only been deployed 38 times. The technology should always be under review and continued to be improved on, but this is a totally different animal to Tesla FSD PS. no I don't work for them etc. I am an analyst for a market intelligence firm and we have a lot of interest from clients looking at the connected car space for advertising etc. so I have studied them
    • But it's not full self driving it's level 2 autonomy. Audi, BMW and Mercedes all have level 3 and make far less noise about it
    • Edge for Business gets secure password deployment for organizations by Paul Hill Microsoft Edge for Business now offers organizations secure password deployments as a generally available feature, the Redmond giant said. Instead of users sharing passwords on sticky notes or via email to access certain websites or tools, admins can deploy encrypted shared passwords to specific users within their organization. When a user receives a password, it is stored in their Edge password manager and can be used to log into websites seamlessly using autofill. Microsoft has made this enterprise-grade solution available to customers at no additional cost. How it works and the user experience Administrators have to manage the feature via the Microsoft Edge management service within the Microsoft 365 admin center. From there, they can add, update, and revoke credentials for specific user groups through configuration policies. Once an admin has set it up and shared passwords with users, the users will see the passwords in their Edge password manager and can be used with autofill on corresponding websites. The passwords are tied to work profiles in Edge on managed Windows devices to limit their misuse. Further boosting security, the shared passwords cannot actually be viewed, edited, or deleted (unless the website allows), or exported from the password manager. This is a good addition for security because if an unauthorized user gains physical access to the computer, they cannot learn what the password is. Administrators reading this do need to be aware of an important caveat related to developer tools. A motivated user who wants to reveal the passwords can do so by digging into the developer tools, for this reason, you should consider restricting access to the developer tools by configuring the DeveloperToolsAvailability policy. The underlying security and encryption Microsoft’s new secure passwords feature has been built using the Information Protection SDK. The passwords are encrypted and the encryption is tied to Entra identities which lets organizations enforce them without manual key management. The decryption of the passwords takes place at runtime using the same SDK, validating the user’s identity. Availability and getting started Secure password deployment is available through the Edge management service in the Microsoft 365 admin center. Once in the admin center, you should choose an existing configuration policy or create a new one. Inside the policy, go to the Customization Settings tab and then to the Secure password deployment page. To use this feature you must have a Microsoft 365 Business Premium, E3, or E5 subscription. The feature also requires the Edge admin or Global admin role. Source: Microsoft
    • Is it though?  I built a new rig a few months ago and it was literally impossible to get one without RGB, but within 10 minutes of setting it up, I turned all that crap off.  It was REALLY distracting, and who needs additional heat INSIDE a PC? It's popular on YouTube for sure, it's neat looking and whatnot, but it's about as practical as a coffee cup with a hole in it. As for the price, a non-enthusiast would just see something priced way above what they can get from a retailer brand new...
    • RollBack Rx Pro 12.9 Build 2710971022 by Razvan Serea RollBack Rx is a robust system restore utility that enables home users and IT professionals to easily restore a PC to a time before certain events occurred. In essence, it turns your PC into a Instant Time Machine. Regardless of what happens to your PC your can quickly and easily restore your PC to a previous time. Making it easy to rescue you from any PC disaster - saving time, money and PC trouble. Windows System Restore only restores Windows system files and some program files. In addition, if Windows crashes to a point were Windows itself can not boot up (ie. BSOD*) you would not be able to access your Windows System Restore points. In contrast, the RollBack Rx technology works at the sector level of the hard drive and restores everything! - right down to the last byte of data. It sits below Windows. So even if Windows crashes, there’s a sub-console (mini OS) that boots prior to windows. This allows you to access Rollback Rx and go back to a point in time when your system was working trouble-free. Key Features Go back to any previous point in time within seconds. Go back minutes, hours, days, weeks, or even months to any previous snapshot. Does not affect computer performance, uses minimal system resources. Supports unlimited snapshots. Creates a complete system snapshot without having to restart the system. Reverse any system crash within seconds (even if Windows cannot startup). Back out of any failed program, OS updates, and botched updates. Recover from any malware or virus attack within seconds. Works with VMWare and Virtual Machines, both as a host or within the virtual machine as a client. Supports Multi-boot, Multi OS workstations. Lock snapshots to prevent deletion. Intuitive GUI based snapshot manager. Explore, browse, and retrieve files and folders from any snapshot. Drag and drop them into your active system. Roll backwards as well as forwards to any available system snapshot. Allows users to safely test any software. Fast, 100% complete uninstaller. Retrieve files from a crashed PC, even if Windows cannot boot. Access control – manage levels of multiple user and administrative privileges. Automatically schedule snapshots to be taken on a fixed schedule or upon execution of specific files (ie. setup.exe) as well as manually. 256 bit AES snapshot encryption. Prevent unauthorized data theft in case of a stolen laptop. Group Management and Enterprise Network Administration Control (FREE utility). Comes with Stealth Mode where you can hide the RollBack Rx tray icon and splash screen (seen during bootup) Change the startup hotkey for sub-console access (default is HOME). Built-in snapshot defragmenter which will optimize system resources and recover free space. Option to keep files and folders unchanged when you roll-back. Advanced setup configuration wizard for system administrators which will set deployment options and predefined RollBack Rx settings. Offers detailed program operation logging. Supports all industry-standard deployment options including silent installations and pre-installation configuration. Explore RollBack Rx Pro with a 14-day trial, fully functional on Windows 11, 10, 8, and Windows 7 SP1** (32 and 64-bit). RollBack Rx Pro 12.9 Build 2710971022 changelog: General Add PnpLockdown in shieldm.inf Fix registry exclusion problem in Windows 11 24H2 release Add detailed logging for file filter driver Add detailed logging for Windows update Add time stamp to kernel drivers Change kernel driver and Win32 IRP structure Other small bug fixes / typos reported through tech support Endpoint Manager Add client report dashboard Add sound effect when receiving a EPM message. Keep EPM message history Fix bug that oversized Windows symbol files cannot be downloaded Download: RollBack Rx Pro 12.9 | 61.0 MB (Shareware) View: RollBack Rx Home Page Get alerted to all of our Software updates on Twitter at @NeowinSoftware
  • Recent Achievements

    • Week One Done
      somar86 earned a badge
      Week One Done
    • One Month Later
      somar86 earned a badge
      One Month Later
    • Apprentice
      Adrian Williams went up a rank
      Apprentice
    • Reacting Well
      BashOrgRu earned a badge
      Reacting Well
    • Collaborator
      CHUNWEI earned a badge
      Collaborator
  • Popular Contributors

    1. 1
      +primortal
      505
    2. 2
      ATLien_0
      260
    3. 3
      +Edouard
      188
    4. 4
      +FloatingFatMan
      175
    5. 5
      snowy owl
      132
  • Tell a friend

    Love Neowin? Tell a friend!