From 25e504ee09d2cf3e0124fe5f266bd37808c692ff Mon Sep 17 00:00:00 2001
From: Dobin
Date: Sat, 27 Apr 2024 20:29:04 +0100
Subject: [PATCH] fix: check for corruption when exes are very small

---
 pe/derbackdoorer.py | 14 +++++++++++---
 phases/injector.py | 7 ++++---
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/pe/derbackdoorer.py b/pe/derbackdoorer.py
index cbecc75..1779df9 100644
--- a/pe/derbackdoorer.py
+++ b/pe/derbackdoorer.py
@@ -12,7 +12,7 @@ import logging
 from utils import hexdump
 from pe.superpe import SuperPe
 from model.defs import *
-
+from intervaltree import *
 logger = logging.getLogger("DerBackdoorer")
@@ -33,17 +33,25 @@ class FunctionBackdoorer:
 self.depth_option: DEPTH_OPTIONS = depth_option
- def backdoor_function(self, function_addr: int, shellcode_addr: int):
+ def backdoor_function(self, function_addr: int, shellcode_addr: int, shellcode_len: int):
 logger.info("Backdooring function at 0x{:X} (to shellcode 0x{:X})".format(function_addr, shellcode_addr))
 addr = self.find_suitable_instruction_addr(function_addr)
 if addr is None:
 raise Exception("Couldn't find a suitable instruction to backdoor")
- #logger.info("--[ Choosen addr to overwrite: 0x{:X}".format(addr))
 compiled_trampoline, text_trampoline, trampoline_reloc_offset = self.get_trampoline(addr, shellcode_addr)
 logger.info("--[ Backdoor 0x{:X}: {}".format(
 addr, text_trampoline))
+
+ it = IntervalTree()
+ it.addi(addr, addr+len(compiled_trampoline))
+ if it.overlap(shellcode_addr, shellcode_addr+shellcode_len):
+ logger.warn("Attempt to patch jump (0x{:X}-0x{:X}) to shellcode (0x{:X}-0x{:X}) but they overlap and probably dont work".format(
+ addr, addr+len(compiled_trampoline), shellcode_addr, shellcode_addr+shellcode_len
+ ))
+ logger.warn("Text section too small?")
+
 # write
 self.superpe.pe.set_bytes_at_rva(addr, bytes(compiled_trampoline))
diff --git a/phases/injector.py b/phases/injector.py
index 2a43bfb..60727dc 100644
--- a/phases/injector.py
+++ b/phases/injector.py
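Review bot: The overlap test added to `backdoor_function` builds an `IntervalTree` for a single pair of ranges, and the `from intervaltree import *` in the first hunk introduces a new third-party dependency (as a star import) only for that; a plain half-open interval comparison does the same with no import: `if addr < shellcode_addr + shellcode_len and shellcode_addr < addr + len(compiled_trampoline):`. The two `logger.warn` calls use the deprecated alias, `logger.warning` is the supported name. When the overlap is detected the method only logs and then still runs `set_bytes_at_rva`, while the `addr is None` case a few lines earlier raises, so a caller cannot distinguish a clean patch from one the code itself expects to be broken; either raise here too or state in a docstring that the write proceeds regardless. The new `shellcode_len` parameter is also undocumented; a one-line `"""Write a trampoline at a suitable instruction of *function_addr*; *shellcode_len* is used only to warn when the trampoline bytes overlap the shellcode range."""` would cover it. The method body may continue past the end of the hunk.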
@@ -73,6 +73,7 @@ def inject_exe(
 shellcode_offset = int((sect_size - shellcode_len) / 2) # centered in the .text section
 shellcode_offset += sect.PointerToRawData
 shellcode_rva = superpe.pe.get_rva_from_offset(shellcode_offset)
+
 logger.info("--( Inject: Shellcode rva:0x{:X} (from offset:0x{:X})".format(
 shellcode_rva, shellcode_offset))
@@ -91,7 +92,7 @@ def inject_exe(
 addr = superpe.getExportEntryPoint(settings.dllfunc)
 logger.info("--( Inject DLL: Patch {} (0x{:X})".format(
 settings.dllfunc, addr))
- function_backdoorer.backdoor_function(addr, shellcode_rva)
+ function_backdoorer.backdoor_function(addr, shellcode_rva, shellcode_len)
 else: # EXE
 logger.info("---( Rewire: EXE")
@@ -103,9 +104,9 @@ def inject_exe(
 elif carrier_invoke_style == CarrierInvokeStyle.BackdoorCallInstr:
 addr = superpe.get_entrypoint()
- logger.info("--( Inject EXE: Patch main() (0x{:X})".format(
+ logger.info("--( Inject EXE: Patch from entrypoint (0x{:X})".format(
 addr))
- function_backdoorer.backdoor_function(addr, shellcode_rva)
+ function_backdoorer.backdoor_function(addr, shellcode_rva, shellcode_len)
 if source_style == FunctionInvokeStyle.iat_reuse:
 injected_fix_iat(superpe, project.carrier, project.exe_host)