Of course, if you ever dumped the hidden script from perl2exe you may wonder why would I even bother to try – knowing that the script can be easily dumped using typical reversing tricks. Well, it was simply an appealing idea to me to be able to do it in a neat way. In the end I couldn’t find a way to do it. The only consolation is that I was able to at least print the names of the routines used in the code, and enable various debugging messages.<\/p>\n
In\u00a0the aforementioned post I mentioned you can load an arbitrary perl code when the perl2exe-compiled script is loaded.<\/p>\n
For example, we can create a\u00a0(null)\\sitecustomize.pl<\/em> script that will be executed before the main script.<\/p>\n If it contains the code<\/p>\n it will load like this (running the old wmi.exe perl2exed script here)<\/p>\n Running the code before the script is one thing, it may be handy to run code at the end of the execution as well – at that stage we will be able to enumerate some properties that are not available\u00a0until the main script actually executes.<\/p>\n We can add the END section to our backdoor:<\/p>\n that will do the following:<\/p>\n To dump \u00a0the code of the perl script one needs to employ the\u00a0B::Deparse module.<\/p>\n One can write something like this:<\/p>\n and when executed it will print the source code of the foobar<\/em> function :<\/p>\n A more complex script:<\/p>\n will produce\u00a0something\u00a0like this:<\/p>\n It is kinda getting close to a quine<\/a> and what we need, but…<\/p>\n But unfortunately, B::Deparse is\u00a0not available inside the compile perl2exe-compiled binary. It also doesn’t seem to be possible to include this module from a\u00a0separate perl\u00a0repository. One can change the content of the INC environment variable (responsible for inclusion of modules) with a push f.ex.:<\/p>\n at the top of our backdoor, but\u00a0for some reason the B::Deparse doesn’t load (the engine finds the files, but you can’t use its\u00a0functionality\u00a0. Perhaps the appropriate version of perl (same as in perl2exe used to compile the script) may work – this is one of the potential paths\u00a0that I have not explored. Perhaps other ways to load a library may work as well.<\/p>\n At this stage I kinda gave up, but still played a bit with some environmental variables.<\/p>\n For example, adding these to the top of the backdoor (so they are executed before the main script executes):<\/p>\n will enable a lot of debugging messages.<\/p>\n and also related to Registry:<\/p>\n Finally, adding this bit to the END section:<\/p>\n so that the final script looks like<\/p>\n will allow us to print all the routines defined in the main script:<\/p>\n GetSoftwareInfo<\/em> &\u00a0GetHardwareInfo<\/em> are indeed functions defined inside the wmi.exe – these may be still handy pieces of information if you want to quickly narrow down where the source of the original script is in memory (if you do a memory dump).<\/p>\n At this stage it is not a very useful piece of research. One could potentially employ this in sandboxing to produce a very detailed log, but \u00a0dumping the actual source code would be a much better choice.<\/p>\n Was it a wasted time? Hmm probably.<\/p>\n If you know, or come up with an idea how to print more useful info, or maybe even a source code – please let me know.<\/p>\n","protected":false},"excerpt":{"rendered":" Most of the stuff I publish here are stories of a successful research. Today, for a change, I will talk about a little failed project. Little, because I didn’t spend too much time on it, failed – because it did … Continue reading print \"foobar\\n\";<\/pre>\n
![\"foobar1\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/10\/foobar1.png\")
<\/a><\/p>\nprint \"foobar - start\\n\";<\/pre>\n
sub END\r\n{\r\n print \"foobar - end\\n\";\r\n}<\/pre>\n
\n<\/a> ![\"foobar2\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/10\/foobar2.png\")
<\/a><\/p>\nuse B::Deparse;\r\nmy $deparser = B::Deparse->new;<\/pre>\n
print $deparser->coderef2text(\\&foobar);\r\nsub foobar\r\n{\r\n print \"Hello world\\n\";\r\n}<\/pre>\n![\"foobar3\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/10\/foobar3.png\")
<\/a><\/p>\nuse warnings;\r\nuse B::Deparse;\r\n\r\nprintit (\\%main::, 0);\r\n\r\nsub printit\r\n{\r\n my $hash1 = shift;my %hash=%{$hash1};\r\n my $n = shift;\r\n\r\n foreach my $k ( keys %hash )\r\n {\r\n #print \"-\" x $n;\r\n\r\n if (defined $h{$k})\r\n {\r\n print \"(hash)\";\r\n printit (%{$h{$k}}, $n+1);\r\n }\r\n if (defined &{$k})\r\n {\r\n my $deparser = B::Deparse->new;\r\n print \"$k\\n\";\r\n print $deparser->coderef2text(\\&{$k});\r\n }\r\n\r\n }\r\n}\r\n\r\nsub foobar\r\n{\r\n print \"Hello world\\n\";\r\n}\r\n<\/pre>\n![\"foobar4\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/10\/foobar4-300x206.png\")
<\/a><\/p>\npush (@INC, \"C:\/Perl\/site\/lib\");\r\npush (@INC,\"C:\/Perl\/lib\" );<\/pre>\n
$ENV{PERL_DL_DEBUG}=1;\r\n$ENV{DEBUG_TIE_REGISTRY}=1;<\/pre>\n![\"foobar5\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/10\/foobar5-300x109.png\")
<\/a><\/p>\n![\"foobar6\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/10\/foobar6-300x113.png\")
<\/a><\/p>\n foreach my $k ( keys %main:: )\r\n {\r\n print \"FUNCTION: $k\\n\" if (defined &{$k});\r\n }<\/pre>\nprint \"foobar - start\\n\";\r\n\r\n#$ENV{PERL_DL_DEBUG}=1;\r\n#$ENV{DEBUG_TIE_REGISTRY}=1;\r\n\r\nsub END\r\n{\r\n print \"foobar - end\\n\";\r\n \r\n foreach my $k ( keys %main:: )\r\n {\r\n print \"FUNCTION: $k\\n\" if (defined &{$k});\r\n }\r\n\r\n}\r\n<\/pre>\n![\"foobar7\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/10\/foobar7.png\")
<\/a><\/p>\n