Anti-Resource Editing

http://waleedassar.blogspot.com
http://www.twitter.com/waleedassar

----------------------------Anti-Resource Editing--------------------------

We can exploit bugs in the editors themselves to prevent tampering with our resources.
The interesting part here is that most Resource Editors have no idea how to parse non-typical (not very non-typical) PE files. For example, Some editors assume the resource section name must always be ".rsrc". Exmaples:

1) Resource Hacker

1a) Inserting a special resource to cause Resource Hacker to go into an infinite loop.
Demo: http://code.google.com/p/ollytlscatch/downloads/detail?name=antiResHacker.exe

1b) Inserting a special RT_STRING resource to cause Resource Hacker to crash.
Info: http://waleedassar.blogspot.com/2012/05/resource-hacker-heap-overflow.html

1c) It assumes the size of the "IMAGE_OPTIONAL_HEADER" structure is assumed to be SizeOf(IMAGE_OPTIONAL_HEADER), 0xE0 in hex, while it can even be greater. Having the size to be of a greater value causes Resource Hacker to discard the whole PE file.
Demo:http://code.google.com/p/ollytlscatch/downloads/detail?name=0x15DDs.exe

2) Restorator

2a) Same as 1c.
2b) Uses The "NumberOfRvaAndSizes" field, which can easily be forged to 0xFFFFFFFF. This causes Restorator to discard the whole PE file.
Demo: http://code.google.com/p/ollytlscatch/downloads/detail?name=0xFFFFFFFF.exe

2c) Assumes the resource section name must be ".rsrc". Change it anything else. This causes Restorator to discard the whole PE.
Demo: http://code.google.com/p/ollytlscatch/downloads/detail?name=no.rsrc.exe

2d) Any resource Section with the "Characteristics" field set to IMAGE_SCN_CNT_UNINITIALIZED_DATA among other characteristics will be discarded by Restorator.
Demo: http://code.google.com/p/ollytlscatch/downloads/detail?name=UnIniSec.exe