Overwrite Strings in an executable

Mark Mo
Mark Mo
Feb 7 · 3 min read

This is a quick and dirty POC with no frills, no guard rails and almost no testing 😊.

It looks for things like “mimikatz” and “sekurlsa” in the executable and replaces it with a string like “mimifish” and “sekufish” but in the executable rather than the source code. Helpful if you don’t have the source code!

All this does is takes an EXE and turns it into a HEX string. It converts the string to search for and string to replace into HEX and then searches for it in the HEX representation of the file. Then replaces the value and converts it back to a file. In this POC, the FIND string size needs to be the same as the REPLACE string size.

This is what normal mimikatz looks like from Benjamin Delpy and Vincent le Toux.

And here is what it looks like after I replace some strings in the executable. Notice it didn’t find “sekurlsa” because I replaced it with “sekufish”. Also I’ve butchered the the ASCII art (I believe I once read that some AV’s look for the ascii art of mimikatz).

And when I run “sekufish” instead of “sekurlsa” it still runs like normal and I’m dumping credentials on my machine. Hooray I didn’t destroy the functionality.

Here is a quick virus total look of the binary before the string replacement.

After here is virus total after the string replacement. It made a difference!

I only spent an hour on changing a few of the strings so it is likely, with some effort, this might fare better in Virus Total. One thing to note, when I ran DITTO on the binary (and cloned notepad) it also dropped the detection rate further.

Here is the POC code for a console program. I hard coded the input and output files (sorry I’m super busy).

feel free to follow me on twitter

https://twitter.com/_markmo_

@_markmo_

reference code:

C#
https://codereview.stackexchange.com/questions/3226/replace-sequence-of-strings-in-binary-file
Linux
https://everydaywithlinux.blogspot.com/2012/11/patch-strings-in-binary-files-with-sed.html?m=1

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade