diff --git a/.gitignore b/.gitignore
index c7b208f..b22178d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,7 @@
 *.exe.injected *-verify.exe *.infected.exe + app/upload/* data/exes_more/ data/shellcodes/*.txt
diff --git a/tests/data/data_reuse_pre_fixup.asm.test b/tests/data/data_reuse_pre_fixup.asm.test
deleted file mode 100644
index 26d101e..0000000
--- a/tests/data/data_reuse_pre_fixup.asm.test
+++ /dev/null
@@ -1,190 +0,0 @@ -; Listing generated by Microsoft (R) Optimizing Compiler Version 19.37.32822.0 - -include listing.inc - -INCLUDELIB LIBCMT -INCLUDELIB OLDNAMES - -_DATA SEGMENT -COMM supermega_payload:QWORD -_DATA ENDS -PUBLIC main -PUBLIC mystrcmp -EXTRN __imp_GetEnvironmentVariableW:PROC -EXTRN __imp_VirtualAlloc:PROC -pdata SEGMENT -$pdata$main DD imagerel $LN8 - DD imagerel $LN8+266 - DD imagerel $unwind$main -$pdata$mystrcmp DD imagerel $LN6 - DD imagerel $LN6+109 - DD imagerel $unwind$mystrcmp -pdata ENDS -_DATA SEGMENT -$SG72513 DB 'U', 00H, 'S', 00H, 'E', 00H, 'R', 00H, 'P', 00H, 'R', 00H - DB 'O', 00H, 'F', 00H, 'I', 00H, 'L', 00H, 'E', 00H, 00H, 00H -$SG72514 DB 'C', 00H, ':', 00H, '\', 00H, 'U', 00H, 's', 00H, 'e', 00H - DB 'r', 00H, 's', 00H, '\', 00H, 'h', 00H, 'a', 00H, 'c', 00H, 'k' - DB 00H, 'e', 00H, 'r', 00H, 00H, 00H -_DATA ENDS -xdata SEGMENT -$unwind$main DD 040a01H - DD 010f010aH - DD 060027003H -$unwind$mystrcmp DD 010e01H - DD 0220eH -xdata ENDS -; Function compile flags: /Odtp -_TEXT SEGMENT -i$ = 0 -str1$ = 32 -str2$ = 40 -mystrcmp PROC -; File C:\Users\hacker\source\repos\supermega\build\main.c -; Line 40 -$LN6: - mov QWORD PTR [rsp+16], rdx - mov QWORD PTR [rsp+8], rcx - sub rsp, 24 -; Line 41 - mov DWORD PTR i$[rsp], 0 -$LN2@mystrcmp: -; Line 42 - movsxd rax, DWORD PTR i$[rsp] - mov rcx, QWORD PTR str1$[rsp] - movzx eax, WORD PTR [rcx+rax*2] - test eax, eax - je SHORT $LN3@mystrcmp - movsxd rax, DWORD PTR i$[rsp] - mov rcx, QWORD PTR str2$[rsp] - movzx eax, WORD PTR [rcx+rax*2] - test eax, eax - je SHORT $LN3@mystrcmp -; Line 43 - movsxd rax, DWORD PTR i$[rsp] - mov rcx, QWORD PTR str1$[rsp] - movzx eax, WORD PTR [rcx+rax*2] - movsxd rcx, DWORD PTR i$[rsp] - mov rdx, QWORD PTR str2$[rsp] - movzx ecx, WORD PTR [rdx+rcx*2] - cmp eax, ecx - je SHORT $LN4@mystrcmp -; Line 44 - mov eax, 1 - jmp SHORT $LN1@mystrcmp -$LN4@mystrcmp: -; Line 46 - mov eax, DWORD PTR i$[rsp] - inc eax - mov DWORD PTR i$[rsp], eax -; Line 47 - jmp SHORT 
$LN2@mystrcmp -$LN3@mystrcmp: -; Line 48 - xor eax, eax -$LN1@mystrcmp: -; Line 49 - add rsp, 24 - ret 0 -mystrcmp ENDP -_TEXT ENDS -; Function compile flags: /Odtp -_TEXT SEGMENT -n$1 = 32 -dest$ = 40 -result$ = 48 -envVarName$ = 56 -tocheck$ = 80 -buffer$ = 112 -main PROC -; File C:\Users\hacker\source\repos\supermega\build\main.c -; Line 6 -$LN8: - push rsi - push rdi - sub rsp, 2168 ; 00000878H -; Line 10 - lea rax, QWORD PTR envVarName$[rsp] - DB 0b1H, 070H, 04bH, 02fH, 095H ; .rdata Reuse for $SG72513 (rcx) - mov rdi, rax - mov rsi, rcx - mov ecx, 24 - rep movsb -; Line 11 - lea rax, QWORD PTR tocheck$[rsp] - DB 0eeH, 0c0H, 0a1H, 044H, 0d6H ; .rdata Reuse for $SG72514 (rcx) - mov rdi, rax - mov rsi, rcx - mov ecx, 32 ; 00000020H - rep movsb -; Line 13 - mov r8d, 1024 ; 00000400H - lea rdx, QWORD PTR buffer$[rsp] - lea rcx, QWORD PTR envVarName$[rsp] - call QWORD PTR __imp_GetEnvironmentVariableW - mov DWORD PTR result$[rsp], eax -; Line 14 - cmp DWORD PTR result$[rsp], 0 - jne SHORT $LN5@main -; Line 15 - mov eax, 6 - jmp $LN1@main -$LN5@main: -; Line 17 - lea rdx, QWORD PTR tocheck$[rsp] - lea rcx, QWORD PTR buffer$[rsp] - call mystrcmp - test eax, eax - je SHORT $LN6@main -; Line 18 - mov eax, 6 - jmp SHORT $LN1@main -$LN6@main: -; Line 23 - mov r9d, 64 ; 00000040H - mov r8d, 12288 ; 00003000H - mov edx, 347 ; 0000015bH - xor ecx, ecx - call QWORD PTR __imp_VirtualAlloc - mov QWORD PTR dest$[rsp], rax -; Line 29 - mov DWORD PTR n$1[rsp], 0 - jmp SHORT $LN4@main -$LN2@main: - mov eax, DWORD PTR n$1[rsp] - inc eax - mov DWORD PTR n$1[rsp], eax -$LN4@main: - cmp DWORD PTR n$1[rsp], 347 ; 0000015bH - jge SHORT $LN3@main -; Line 30 - movsxd rax, DWORD PTR n$1[rsp] - movsxd rcx, DWORD PTR n$1[rsp] - mov rdx, QWORD PTR dest$[rsp] - mov rdi, QWORD PTR supermega_payload - movzx eax, BYTE PTR [rdi+rax] - mov BYTE PTR [rdx+rcx], al -; Line 31 - movsxd rax, DWORD PTR n$1[rsp] - mov rcx, QWORD PTR dest$[rsp] - movsx eax, BYTE PTR [rcx+rax] - xor eax, 49 ; 00000031H - 
movsxd rcx, DWORD PTR n$1[rsp] - mov rdx, QWORD PTR dest$[rsp] - mov BYTE PTR [rdx+rcx], al -; Line 32 - jmp SHORT $LN2@main -$LN3@main: -; Line 35 - call QWORD PTR dest$[rsp] -; Line 37 - xor eax, eax -$LN1@main: -; Line 38 - add rsp, 2168 ; 00000878H - pop rdi - pop rsi - ret 0 -main ENDP -_TEXT ENDS -END
diff --git a/tests/test_datareuse.py b/tests/test_datareuse.py
index cc6c2db..08e3e13 100644
--- a/tests/test_datareuse.py
+++ b/tests/test_datareuse.py
@@ -2,6 +2,7 @@
 import shutil
 from typing import List
 import unittest
 import logging
+import os
 from model.exehost import ExeHost
 from phases.datareuse import ReusedataAsmFileParser
@@ -71,4 +72,4 @@ class DataReuseTest(unittest.TestCase):
 lines = f.readlines()
 self.assertTrue("\tDB " in lines[108-1])
 self.assertFalse("OFFSET FLAT:$SG" in lines[108-1])
-
+ os.remove(asm_out + ".test")
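Review bot: The `os.remove(asm_out + ".test")` added at the end of the test only runs when every preceding assertion passes, so a failing run still leaves the generated `.test` file on disk — which is presumably how `tests/data/data_reuse_pre_fixup.asm.test` came to be committed in the first place. Registering the cleanup at the point the file is produced is more robust, e.g. `self.addCleanup(os.remove, asm_out + ".test")`, which unittest runs whether the test passes or fails (guard it with an existence check if an early failure can leave the file unwritten). The collapsed hunk does not show whether the new line sits inside the `with open(...)` block that `lines = f.readlines()` belongs to; on Windows removing a file that is still open raises, so it must be dedented past the `with`. The enclosing test method starts outside the hunk. If the deleted `.asm.test` was this test's own output, a matching ignore pattern would also belong in the `.gitignore` hunk of this commit.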