Look at this post, which describes a technique to put executable code in the first 128 bytes of a DICOM file, i.e. in the preamble section. This way the DICOM file can be viewed as both a DICOM and a PE executable file.

An extract from the link

This git repo demonstrates the same. However, they don't show the code; it only has the binaries.

Now my question: how can an executable be kept in only 128 bytes? I understand that a minimal exe will take at least a few KB, from this, this and this SO posts.

Sisir
  • AFAIK the minimal executable on pre-64-bit windows is two bytes (basically just `INT 20h`), though you couldn't prepend it to any file larger than 64k. The minimal PE executable, as your second link shows, seems to be 97 bytes. Finally, from skimming the article, you don't need to fit the executable into 128 bytes; you just need to fit the PE _header_ into 128 bytes. Such tiny executables will always be hand-crafted in assembly language, so this question is certainly not [tag:language-agnostic]. – Amadan Oct 17 '19 at 10:19
  • @Amadan 'You just need to fit the PE header into 128 bytes' - Then where is the rest of the executable, and how do we tell it to jump to that? – Sisir Oct 17 '19 at 11:00
  • Again, not an expert, and I haven't read the article fully; but there's likely no reason additional code couldn't be hiding after the image data (unless the image format is sensitive to end of file), or even inside the image data, as steganographic code. How you jump to it? I'd expect the same way you jump anywhere else in assembly (given that the 128-byte PE header can already have executable code). – Amadan Oct 17 '19 at 11:35

2 Answers

1

From looking at image 1 it appears pretty simple: the valid DOS header is placed in the free area while the full PE image is embedded later in the file; the author put it between two legitimate DICOM meta entries, for example. The DOS header is really short and has a field named e_lfanew which holds the file offset to IMAGE_NT_HEADERS. In other words, you don't actually need 128 bytes for the full image; you can embed it anywhere in the file as long as it doesn't interfere with DICOM. All that's needed at the start is the DOS header.

Pickle Rick
  • Just 1 update: inside the DICOM file we can't put the content as is, because then it will not be a valid DICOM anymore. So it will have to be kept inside a `dicom private tag`. – Sisir Oct 24 '19 at 14:48
0

Before answering how to put an executable in 128 bytes, we need to understand a few things first.

  1. A DICOM file must have the characters DICM (file extension) on bytes 121-124 (prefix section) to be recognized as a DICOM file.
  2. A Windows executable file must have the DOS header in the first 64 bytes of the file to be executable as per the PE (Portable Executable) file format.
  3. Combining the above 2 points, a new file format is created called PEDICOM which is both a DICOM file as well as an executable. The PEDICOM has the architecture shown in the image above.
  4. The PEDICOM contains the header and the content of the executable file in different sections, because an entire executable can't fit inside 128 bytes.
  5. Windows provides a list of structures and Win32 APIs to read/write these PE files section by section in the winnt.h header.

Creating a PEDICOM file:

  1. The DOS header (IMAGE_DOS_HEADER) has 1 field named e_lfanew which contains the offset of the actual PE content. This allows keeping an entire executable's code in at least 2 memory locations.
  2. The PE header (IMAGE_NT_HEADER) has the number of sections and the pointers to the sections (code, data, stack etc.).

Now to answer the original question: an entire executable can't be kept in 128 bytes. However, 128 bytes of data are sufficient to declare a file as executable, i.e. the DOS header and the DOS stub can be kept in the 128 bytes while the rest of the executable can be kept somewhere else, in this case in a private DICOM tag, and a field in the header can point to this, making the containing file a valid and legitimate executable.

Sisir
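As an added example (not code from either answer or from the linked repository), here is the check a file scanner could run on a DICOM file to tell whether its preamble doubles as a DOS header whose e_lfanew points at a PE signature later in the file, which is the layout both answers describe. The two sample byte layouts are constructed inline and are not real images or executables.

```python
import struct

DICM_OFFSET = 128      # DICOM: 128-byte preamble, then the 4-byte prefix "DICM"
E_LFANEW_OFFSET = 60   # IMAGE_DOS_HEADER.e_lfanew: file offset of IMAGE_NT_HEADERS


def inspect_dicom_preamble(data: bytes) -> dict:
    """Report whether a DICOM file's preamble also parses as a PE (DOS) header.

    DICOM viewers ignore the preamble, so a file can carry the "MZ" DOS header
    there while the NT headers live later in the file, at the offset stored in
    e_lfanew. A plain DICOM file normally has an all-zero preamble.
    """
    result = {
        "is_dicom": data[DICM_OFFSET:DICM_OFFSET + 4] == b"DICM",
        "has_mz_header": data[:2] == b"MZ",
        "e_lfanew": None,
        "pe_signature_at_e_lfanew": False,
    }
    if result["has_mz_header"] and len(data) >= E_LFANEW_OFFSET + 4:
        # e_lfanew is a little-endian 32-bit offset inside the 64-byte DOS header
        e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
        result["e_lfanew"] = e_lfanew
        # Out-of-range offsets simply yield a short slice and compare unequal
        result["pe_signature_at_e_lfanew"] = data[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    return result


def build_sample_pedicom(pe_offset: int = 512) -> bytes:
    """Constructed sample: PEDICOM-shaped bytes (MZ in preamble, PE signature later)."""
    preamble = bytearray(128)
    preamble[:2] = b"MZ"
    struct.pack_into("<I", preamble, E_LFANEW_OFFSET, pe_offset)
    filler = bytes(pe_offset - 132)  # stand-in for the DICOM meta elements
    return bytes(preamble) + b"DICM" + filler + b"PE\0\0" + bytes(64)


def build_sample_plain_dicom() -> bytes:
    """Constructed sample: ordinary DICOM file with the usual all-zero preamble."""
    return bytes(128) + b"DICM" + bytes(64)


if __name__ == "__main__":
    for name, blob in (("pedicom", build_sample_pedicom()),
                       ("plain", build_sample_plain_dicom())):
        print(name, inspect_dicom_preamble(blob))
```

A non-zero preamble that starts with "MZ" is not by itself proof of a polyglot, so the function also confirms that e_lfanew resolves to a "PE\0\0" signature inside the same file.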