MastMind / PE-infector

Cross-platform tool for injecting shellcode into .exe and .dll binaries (x86 and x64)

crazy file size + high mem usage #4

Closed Tescoo closed 3 months ago

Tescoo commented 4 months ago

From a 2.16 MB file to a 4 GB file that is mainly null bytes. It's the ProcessHacker installer: https://sourceforge.net/projects/processhacker/files/processhacker2/processhacker-2.39-setup.exe/download

Found when testing all the .exes in my downloads folder: this one just bugs it out.

inf.exe -> injected executable
pc.exe -> processhacker installer

Sorry if I'm yapping out my ass, I don't have a history in C.

MastMind commented 3 months ago

Thanks for the question. I couldn't test my utility with every kind of executable. Could you please tell me which technique you used with that installer, and which shellcode?

Tescoo commented 3 months ago

Hey, so the shellcode was generated using msfvenom like so:

msfvenom -p windows/messagebox TEXT="infected" EXITFUNC=none -f raw > shellcode.raw

I can't upload the shellcode.

And it was attached with the resize (resz) method:

PE-infector.exe -i pc.exe -o inf.exe -s shellcode.raw -m resz

Edit: it takes a solid minute to finish, and hangs on the "dll_characteristics" part for the majority of it.

MastMind commented 3 months ago

I've researched this situation. PE-infector currently has some issues with unusual section tables. It's an installer, and it has a section which points to the beginning of the file (I guess it's necessary for integrity checking). I'm working on the fix.
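A pre-flight check for exactly this situation, added here as an example and not code from PE-infector: it parses the PE section table with Python's struct module, flags entries whose PointerToRawData lands inside the headers (the "section which points to the beginning of the file" described above) or past the end of the file, reports overlay data past the last section (installers usually carry their payload there, which is also what their integrity checks cover), and applies an upper bound on the output size so a 4 GB result from a 2 MB input is rejected before it is written. The sample PE bytes are constructed inline for the demonstration; the size bound assumes an injector that appends one FileAlignment-rounded chunk, which is an assumption about the method in general, not PE-infector's actual arithmetic.

```python
import struct

PE_SIGNATURE = b"PE\0\0"
SECTION_HEADER_SIZE = 40  # IMAGE_SECTION_HEADER


def parse_pe(data: bytes):
    """Return (file_alignment, size_of_headers, sections) from a PE image in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    size_of_opt, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic %#x" % magic)
    # FileAlignment and SizeOfHeaders sit at the same offsets in PE32 and PE32+.
    file_alignment, = struct.unpack_from("<I", data, opt + 36)
    size_of_headers, = struct.unpack_from("<I", data, opt + 60)
    if file_alignment == 0:
        raise ValueError("FileAlignment is zero")
    sections = []
    base = opt + size_of_opt
    for i in range(num_sections):
        off = base + i * SECTION_HEADER_SIZE
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": va,
            "raw_size": raw_size, "raw_ptr": raw_ptr,
        })
    return file_alignment, size_of_headers, sections


def audit_sections(data: bytes):
    """Flag section-table entries an injector must not trust blindly.

    Returns (findings, end_of_section_data). end_of_section_data is the highest
    raw_ptr + raw_size; anything in the file beyond it is overlay.
    """
    _, size_of_headers, sections = parse_pe(data)
    findings = []
    end_of_data = size_of_headers
    for s in sections:
        if s["raw_size"] == 0:
            continue  # BSS-style section, nothing on disk
        if s["raw_ptr"] < size_of_headers:
            findings.append("%s: PointerToRawData %#x points into the headers"
                            % (s["name"], s["raw_ptr"]))
        if s["raw_ptr"] + s["raw_size"] > len(data):
            findings.append("%s: raw data runs past end of file" % s["name"])
        end_of_data = max(end_of_data, s["raw_ptr"] + s["raw_size"])
    if end_of_data < len(data):
        findings.append("%#x bytes of overlay past the last section (installer payload?)"
                        % (len(data) - end_of_data))
    return findings, end_of_data


def align_up(n: int, alignment: int) -> int:
    return (n + alignment - 1) // alignment * alignment


def output_size_is_sane(in_size: int, out_size: int, shellcode_len: int, file_alignment: int) -> bool:
    """Assumed bound: appending one aligned chunk never grows the file by more than
    the aligned shellcode plus one alignment unit of padding."""
    limit = in_size + align_up(shellcode_len, file_alignment) + file_alignment
    return out_size <= limit


def build_sample_pe(section2_raw_ptr: int) -> bytes:
    """Constructed two-section PE32 for the demo; section2_raw_ptr=0 mimics the installer."""
    file_alignment = 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # i386, 2 sections
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 32, 0x1000)                      # SectionAlignment
    struct.pack_into("<I", opt, 36, file_alignment)              # FileAlignment
    struct.pack_into("<I", opt, 60, 0x200)                       # SizeOfHeaders
    sec1 = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    sec2 = struct.pack("<8sIIIIIIHHI", b".rdata", 0x200, 0x2000, 0x200, section2_raw_ptr, 0, 0, 0, 0, 0x40000040)
    headers = (bytes(dos) + PE_SIGNATURE + coff + bytes(opt) + sec1 + sec2).ljust(0x200, b"\0")
    return headers + b"\xCC" * 0x200 + b"\x41" * 0x200


if __name__ == "__main__":
    for label, sample in (("normal", build_sample_pe(0x400)), ("installer-like", build_sample_pe(0))):
        findings, end = audit_sections(sample)
        print(label, "end of section data %#x" % end, findings or "clean")
    print("4 GB from 2.16 MB sane?", output_size_is_sane(2_160_000, 4 * 1024 ** 3, 300, 0x200))
```

Run it on the real input with `audit_sections(open("pc.exe", "rb").read())` before injecting; a section whose raw pointer is 0 and a large overlay are both signs that a resize-style method will disturb data the installer checksums, which matches the "setup files are corrupted" behaviour reported later in this thread.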

MastMind commented 3 months ago

I made a new commit. It should patch your installer, but I warn you that it has integrity checking, and the patched installer will say "The setup files are corrupted. Please obtain a new copy of the program." with -m resz. Your shellcode will be executed. Please try the -m sect option; it will work without the error message, but the shellcode spawns twice. Installers are unusual programs sometimes.

Tescoo commented 3 months ago

As you said, resz did show the error and sect didn't. Both injected the shellcode fine. I'll just make it try sect first and, if there's an error, try resz. No more issues with making the file as far as I can see.

Thank you very much for looking into it, Kind regards.