Home

Published

- 5 min read

Make Payloads That Cannot be Identified as Executable

offensive security Evasion cybersecurity Persistence Redteam
img of Make Payloads That Cannot be Identified as Executable

Another personal, small-time experiment - not exactly sure how we should classify it:
Delivery, Evasion, Persistence…

Making payloads that cannot be identified as executable: using a few tricks we can make a PE payload, that looks like a PDF - including file name. Well, yeah, we were clickbaiting when we said, that the exe cannot be identified as such - in fact, we hope that after reading this article, also non-hackers are able to check on a suspicious file and tell regular from irregular.

Spoof File Extension with RTL character

You can copy the Unicode right-to-left character U+202E using the Windows Character table.

Change Executable Icon

Changing File Icon

Here’s a table covering various file extensions, indicating whether they can be executed by clicking and if their icons can be directly changed within Windows without using shortcuts or third-party tools:

ExtensionCan be executedCan change icons (directly)
.exeYesNo*
.lnkYesYes
.comYesNo
.pifYes (Legacy)No
.scrYesNo*
.batYesNo
.cmdYesNo
.htaYesYes**
.vbsYesNo
.jsYesNo
.msiYesNo

  • No*: Indicates that while the file itself cannot have its icon changed directly through properties, the executable (.exe, .scr) can potentially have its icon changed through resource editing tools, but this is an advanced technique and not directly supported through Windows UI.

  • Yes**: For .hta files, the icon can be specified within the file itself using HTML application specific tags.

Changing Icons

Changing the icon can become quite cumbersome, if you try it on-the-fly. For executables like .exe it’s best you build it from bottom up, create your own app in Visual Studio or use a special editor to do so.

Change PIF Icon

Many Redteamers use self extracting archives, that also allow for custom icons. We tried to find an even easier way - that’s still shortcuts. They come with the downside of the additional arrow in the bottom left.

pdf.ico triggers Defender

Funny enough, using a PDF.ico file will trigger Defender with a generic Trojan warning, deleting the manipulated file. Renaming the .ico file to custom.ico bypasses this.

Character Editor

Change it Again

If you change the type several times, Windows will allow you to do more than usual, or rather: it will allow you all the things for the current extension. That may or may not carry over when changing the extension again. Just try it, start by copying cmd.exe, make a few copies & shortcuts, experiment with changing the extension to lnk, scr, bat… then add the fdp (pdf backwards) along with the RTL character. Eventually you’ll hit this point:

Character Editor

cmd.scr -> cmd_rcs.pdf

without exe in the name. However, when viewing the File Properties you can easily spot, what it really is.

Character Editor

Double Click

When we now double click the screensaver pdf mutation, we’ll trigger the payload. Sneaky and scary.

Character Editor

Note that, althought the file still looks like a Shortcut, it is not. It’s a self-contained executable that will run on double-click.

Defender

When you play with this kind of stuff, at some point Defender may start snagging your experiments. You may find yourself in the situation, that suddenly combinations, that were previously succesfull, will now be detected.

This is likely due to the DynamicSignatures - you can remove them and start over.

powershell
   PS C:\Program Files\Windows Defender> .\MpCmdRun.exe  -RemoveDefinitions -DynamicSignatures

Especially files that are manipulated after the fact, i.e. with Resource Hacker, quickly become suspicious. That can include everything about the initial finding: the icon content, the icon filename, the original exe (even if it was only a copy of cmd.exe) - as we mentioned earlier: Your best bet it to write custom payloads, that appear as completely legitimate software - including icon.

Character Editor

Some software vendors also run into these issues by now, that their actual non-malicious software is constantly being flagged. I get regular warnings about Blender.exe (the Open Source 3D software), pretty much all Coin Mining and Mining Rig Control software hardly can be installed or run with Defender active - albeit those vendors aren’t experts in Evasion, it shows that certain characteristics already wake suspicion in Defender. This is always a Balancing Act for the Blue Side, finding the sweet spot between too little and too much detection.

Bonus - Go Pro

For tweaking an .exe file’s icon, there are several tools you might find handy. Here’s a quick list to consider:

  1. Resource Hacker - It’s a freeware utility to view, modify, rename, add, delete, and extract resources in 32bit & 64bit Windows executables and resource files (*.res). Changing icons is one of its features.

  2. IconChanger - Although it’s not been updated for a while, IconChanger does what its name suggests. It allows you to easily change the icon of executable files by searching and replacing the existing icon with a new one.

  3. PE Explorer - More than just an icon changer, PE Explorer lets you open, view, and edit a variety of different 32-bit Windows executable file types (e.g., .exe, .dll, .ocx) including changing icons.

  4. Resource Tuner - This tool allows you to customize your software by replacing icons and logos in your compiled Windows programs.

  5. XN Resource Editor - A free, powerful, fully featured resource editor and PE module explorer for Windows. It’s great for editing and replacing icons in executables.

  6. IcoFX - An award-winning professional icon and cursor editor. It’s an all-in-one solution for icon creation, extraction, and editing. It supports editing of icons inside executables.

  7. Greenfish Icon Editor Pro - A professional tool to create and edit icons, cursors and other small images. It can also modify icons inside executables.

  8. Restorator - An utility for editing Windows resources in applications and their components; e.g., files with .exe, .dll, .res, .rc, and .dcr, extensions.

That’s it for today. Have a great time.