mirror of
https://github.com/dobin/SuperMega
synced 2026-06-02 17:27:10 +00:00
refactor: removed DataReuser
This commit is contained in:
Dobin
@@ -64,6 +64,7 @@ class ExeHost():
|
||||
pe = pefile.PE(self.filepath)
|
||||
self.pe = pe
|
||||
self.superpe = SuperPe(pe)
|
||||
self.superpe.init()
|
||||
|
||||
if pe.FILE_HEADER.Machine != 0x8664:
|
||||
raise Exception("Binary is not 64bit: {}".format(self.filepath))
|
||||
|
||||
@@ -27,7 +27,6 @@ class SuperPe():
|
||||
|
||||
def get_section_by_name(self, name: str) -> PeSection:
|
||||
for section in self.pe_sections:
|
||||
#print("{} {}".format(section.name, name))
|
||||
if section.name == name:
|
||||
return section
|
||||
return None
|
||||
|
||||
@@ -2,6 +2,7 @@ import os
|
||||
import pprint
|
||||
import logging
|
||||
import shutil
|
||||
from typing import List, Dict
|
||||
|
||||
from helper import *
|
||||
from config import config
|
||||
|
||||
@@ -6,23 +6,6 @@ import os
|
||||
|
||||
from model.exehost import DataReuseEntry
|
||||
|
||||
class PeSection():
|
||||
def __init__(self, pefile_section):
|
||||
self.name: str = pefile_section.Name.rstrip(b'\x00').decode("utf-8")
|
||||
self.raw_addr: int = pefile_section.PointerToRawData
|
||||
self.raw_size: int = pefile_section.SizeOfRawData
|
||||
self.virt_addr: int = pefile_section.VirtualAddress
|
||||
self.virt_size: int = pefile_section.Misc_VirtualSize
|
||||
#self.permissions = pefile_section.Characteristics
|
||||
|
||||
|
||||
class PeRelocation():
|
||||
def __init__(self, reloc):
|
||||
self.rva: int = reloc.rva
|
||||
self.base_rva: int = reloc.base_rva
|
||||
self.offset: int = reloc.rva - reloc.base_rva
|
||||
self.type: str = pefile.RELOCATION_TYPE[reloc.type][0]
|
||||
|
||||
|
||||
def bytes_to_asm_db(byte_data: bytes) -> bytes:
|
||||
# Convert each byte to a string in hexadecimal format
|
||||
@@ -120,82 +103,3 @@ class ReusedataAsmFileParser():
|
||||
for line in self.lines:
|
||||
asmfile.write(line + "\n")
|
||||
|
||||
|
||||
class DataReuser():
|
||||
def __init__(self, filepath):
|
||||
self.pe = pefile.PE(filepath)
|
||||
self.pe_sections: List[PeSection] = []
|
||||
self.base_relocs: List[PeRelocation] = []
|
||||
|
||||
|
||||
def init(self):
|
||||
# Sections
|
||||
for section in self.pe.sections:
|
||||
self.pe_sections.append(PeSection(section))
|
||||
|
||||
# Base Relocations
|
||||
if hasattr(self.pe, 'DIRECTORY_ENTRY_BASERELOC'):
|
||||
for base_reloc in self.pe.DIRECTORY_ENTRY_BASERELOC:
|
||||
for entry in base_reloc.entries:
|
||||
self.base_relocs.append(PeRelocation(entry))
|
||||
|
||||
#self.pe.close()
|
||||
|
||||
|
||||
def get_section_by_name(self, name: str) -> PeSection:
|
||||
for section in self.pe_sections:
|
||||
print("{} {}".format(section.name, name))
|
||||
if section.name == name:
|
||||
return section
|
||||
return None
|
||||
|
||||
|
||||
def get_relocations_all(self) -> List[PeRelocation]:
|
||||
return self.base_relocs
|
||||
|
||||
|
||||
def get_relocations_for_section(self, section_name) -> List[PeRelocation]:
|
||||
section = self.get_section_by_name(section_name)
|
||||
if section is None:
|
||||
return []
|
||||
return [reloc for reloc in self.base_relocs if reloc.base_rva == section.virt_addr]
|
||||
|
||||
|
||||
def get_reloc_largest_gap(self, section_name=".rdata"):
|
||||
tree = IntervalTree()
|
||||
section = self.get_section_by_name(section_name)
|
||||
|
||||
#print("MOTHERFUCKER: {}".format(section))
|
||||
#print("MOTHERFUCKER: {}".format(self.base_relocs))
|
||||
print("-- Relocations: {}".format(len(self.base_relocs)))
|
||||
print("-- section: 0x{:x}".format(section.virt_addr))
|
||||
|
||||
for reloc in self.base_relocs:
|
||||
#print("FUCK: 0x{:x} 0x{:x}".format(reloc.base_rva, section.virt_addr))
|
||||
|
||||
if reloc.base_rva == section.virt_addr:
|
||||
print("Adding reloc: {} {}".format(reloc.offset, reloc.offset + 8))
|
||||
tree.add(Interval(reloc.offset, reloc.offset + 8))
|
||||
tree.add(Interval(section.virt_size, section.virt_size + 1))
|
||||
|
||||
# Initialize variables to track the largest gap and its bounds
|
||||
max_gap = 0
|
||||
gap_start = None
|
||||
gap_end = None
|
||||
|
||||
# Sort intervals for sequential comparison
|
||||
sorted_intervals = sorted(tree)
|
||||
for i in range(len(sorted_intervals) - 1):
|
||||
current_end = sorted_intervals[i].end
|
||||
next_start = sorted_intervals[i + 1].begin
|
||||
gap = next_start - current_end
|
||||
if gap > max_gap:
|
||||
max_gap = gap
|
||||
gap_start = current_end # Adjusted for the actual start of the gap
|
||||
gap_end = next_start - 1 # Adjusted for the actual end of the gap
|
||||
|
||||
# Adjust for the artificial +1 in interval ends
|
||||
if gap_start is not None and gap_end is not None:
|
||||
gap_start -= 1
|
||||
|
||||
return max_gap - 1, gap_start, gap_end
|
||||
|
||||
+23
-49
@@ -12,7 +12,6 @@ from model.exehost import *
|
||||
from observer import observer
|
||||
from helper import rbrunmode_str
|
||||
from derbackdoorer.derbackdoorer import PeBackdoor
|
||||
from phases.datareuse import DataReuser
|
||||
|
||||
|
||||
logger = logging.getLogger("Injector")
|
||||
@@ -64,83 +63,59 @@ def injected_fix_iat(exe_out: FilePath, carrier: Carrier, exe_host: ExeHost):
|
||||
# get code section of exe_out
|
||||
code = extract_code_from_exe(exe_out)
|
||||
|
||||
for IatRequest in carrier.get_all_iat_requests():
|
||||
if not IatRequest.placeholder in code:
|
||||
raise Exception("IatResolve ID {} not found, abort".format(IatRequest.placeholder))
|
||||
addr = exe_host.get_addr_of_iat_function(IatRequest.name)
|
||||
if addr == None:
|
||||
raise Exception("IatResolve: Function {} not found".format(IatRequest.name))
|
||||
for iatRequest in carrier.get_all_iat_requests():
|
||||
if not iatRequest.placeholder in code:
|
||||
raise Exception("IatResolve ID {} not found, abort".format(iatRequest.placeholder))
|
||||
destination_virtual_address = exe_host.get_addr_of_iat_function(iatRequest.name)
|
||||
if destination_virtual_address == None:
|
||||
raise Exception("IatResolve: Function {} not found".format(iatRequest.name))
|
||||
|
||||
off = code.index(IatRequest.placeholder)
|
||||
current_address = off + exe_host.image_base + exe_host.code_virtaddr
|
||||
#current_address += 2
|
||||
destination_address = addr
|
||||
logger.info(" Replace at 0x{:x} with call to 0x{:x}".format(
|
||||
current_address, destination_address
|
||||
offset_from_code = code.index(iatRequest.placeholder)
|
||||
instruction_virtual_address = offset_from_code + exe_host.image_base + exe_host.code_virtaddr
|
||||
logger.info(" Replace {} at VA 0x{:x} with call to IAT at VA 0x{:x}".format(
|
||||
iatRequest.placeholder, instruction_virtual_address, destination_virtual_address
|
||||
))
|
||||
jmp = assemble_and_disassemble_jump(
|
||||
current_address, destination_address
|
||||
instruction_virtual_address, destination_virtual_address
|
||||
)
|
||||
code = code.replace(IatRequest.placeholder, jmp)
|
||||
code = code.replace(iatRequest.placeholder, jmp)
|
||||
|
||||
# write back our patched code into the exe
|
||||
write_code_section(exe_file=exe_out, new_data=code)
|
||||
|
||||
|
||||
def injected_fix_data(exe_path, carrier: Carrier, exe_host: ExeHost):
|
||||
data_reuser = DataReuser(exe_path)
|
||||
data_reuser.init()
|
||||
#ret = data_reuser.get_reloc_largest_gap(".rdata")
|
||||
#size = ret[0]
|
||||
#start = ret[1]
|
||||
#stop = ret[2]
|
||||
#print("GAP: {} {} {}".format(size, start, stop))
|
||||
#addr = start
|
||||
|
||||
# Insert my data into the .rdata section
|
||||
sect = data_reuser.get_section_by_name(".rdata")
|
||||
addr = sect.raw_addr + 0x1AB0 #+ 0x1000
|
||||
#addr += 0x100
|
||||
#addr = 0
|
||||
print("Write into .data:".format())
|
||||
data_reuser.pe.close()
|
||||
|
||||
# Insert my data into the .rdata section.
|
||||
# Chose and save each datareuse_fixup's addres.
|
||||
reusedata_fixups: List[DataReuseEntry] = carrier.get_all_reusedata_fixups()
|
||||
|
||||
sect = exe_host.superpe.get_section_by_name(".rdata")
|
||||
addr = sect.raw_addr + 0x1AB0 # NEEDED, > 1A00!
|
||||
with open(exe_path, "r+b") as f:
|
||||
for datareuse_fixup in reusedata_fixups:
|
||||
var_data = datareuse_fixup.data
|
||||
|
||||
print(" Addr: {} / 0x{:X} Data: {}".format(
|
||||
addr, addr, len(var_data)))
|
||||
|
||||
# Overwrite data in the .rdata section with ours
|
||||
#data_reuser.pe.set_bytes_at_offset(addr, var_data)
|
||||
f.seek(addr)
|
||||
f.write(var_data)
|
||||
#f.write(b"AAAAAAAAAAAAAAAAAAAAAAAAAAA")
|
||||
print("ADD: 0x{:X} 0x{:X} 0x{:X}".format(addr, sect.virt_addr, exe_host.image_base))
|
||||
datareuse_fixup.addr = addr + sect.virt_addr + exe_host.image_base - sect.raw_addr
|
||||
addr += len(var_data) + 8
|
||||
#data_reuser.pe.write(exe_path + ".tmp")
|
||||
#data_reuser.pe.close()
|
||||
#shutil.move(exe_path + ".tmp", exe_path)
|
||||
|
||||
# patch code section
|
||||
# replace the placeholder with a LEA instruction to the data we written above
|
||||
code = extract_code_from_exe(exe_path)
|
||||
for datareuse_fixup in reusedata_fixups:
|
||||
if not datareuse_fixup.randbytes in code:
|
||||
raise Exception("DataResuse: ID {} not found, abort".format(
|
||||
datareuse_fixup.randbytes))
|
||||
|
||||
off = code.index(datareuse_fixup.randbytes)
|
||||
current_address = off + exe_host.image_base + exe_host.code_virtaddr
|
||||
destination_address = datareuse_fixup.addr
|
||||
logger.info(" Replace at 0x{:x} with call to 0x{:x}".format(
|
||||
current_address, destination_address
|
||||
offset_from_datasection = code.index(datareuse_fixup.randbytes)
|
||||
instruction_virtual_address = offset_from_datasection + exe_host.image_base + exe_host.code_virtaddr
|
||||
destination_virtual_address = datareuse_fixup.addr
|
||||
logger.info(" Replace {} at VA 0x{:x} with call to IAT at VA 0x{:x}".format(
|
||||
datareuse_fixup.randbytes, instruction_virtual_address, destination_virtual_address
|
||||
))
|
||||
lea = assemble_lea(
|
||||
current_address, destination_address, datareuse_fixup.register
|
||||
instruction_virtual_address, destination_virtual_address, datareuse_fixup.register
|
||||
)
|
||||
code = code.replace(datareuse_fixup.randbytes, lea)
|
||||
|
||||
@@ -148,7 +123,6 @@ def injected_fix_data(exe_path, carrier: Carrier, exe_host: ExeHost):
|
||||
write_code_section(exe_file=exe_path, new_data=code)
|
||||
|
||||
|
||||
|
||||
def verify_injected_exe(exefile: FilePath) -> int:
|
||||
logger.info("---[ Verify infected exe: {} ".format(exefile))
|
||||
# remove indicator file
|
||||
|
||||
Reference in New Issue
Block a user