diff --git a/data/source/carrier/alloc_rw_rwx/template.c b/data/source/carrier/alloc_rw_rwx/template.c index 31f027c..6a48f2f 100644 --- a/data/source/carrier/alloc_rw_rwx/template.c +++ b/data/source/carrier/alloc_rw_rwx/template.c @@ -29,6 +29,9 @@ int main() return 6; } + // Decoy + WinExec("C:\\windows\\system32\\notepad.exe", 1); + // Allocate 1 // char *dest = ... char *dest = VirtualAlloc(NULL, {{PAYLOAD_LEN}}, 0x3000, p_RW); diff --git a/helper.py b/helper.py index 0641db8..6fd16b6 100644 --- a/helper.py +++ b/helper.py @@ -4,6 +4,7 @@ import pathlib import glob import logging import pickle +import math from model.project import WebProject from config import config @@ -163,3 +164,15 @@ def find_first_utf16_string_offset(data, min_len=8): return None # No string found that meets the criteria + +def round_up_to_multiple_of_8(x): + return math.ceil(x / 8) * 8 + + +def ui_string_decode(data): + if len(data) > 32: + return "Data with len {}".format(len(data)) + elif b"\x00\x00" in data: + return "(utf16) " + data.decode("utf-16le") + else: + return "(utf8) " + data.decode("utf-8") diff --git a/observer.py b/observer.py index 70f4fba..e9831b3 100644 --- a/observer.py +++ b/observer.py @@ -1,7 +1,10 @@ from typing import List, Dict +import logging from pe.r2helper import r2_disas +logger = logging.getLogger("Observer") + class Observer(): """Central class to store all logs and files created during the build process""" @@ -53,7 +56,10 @@ class Observer(): # Our log output with open(f"{working_dir}log-supermega.log", "w") as f: for line in observer.get_logs(): - f.write(line + "\n") + try: + f.write(line + "\n") + except Exception as e: + logger.warn("Error: {}".format(e)) # Stdout of executed commands with open(f"{working_dir}log-cmdoutput.log", "w") as f: diff --git a/phases/injector.py b/phases/injector.py index 90a4986..9040f6b 100644 --- a/phases/injector.py +++ b/phases/injector.py 
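Review bot: The decoy `WinExec` call added after the `return 6;` guard discards its return value, so a failed launch (WinExec reports failure with a value of 31 or less) goes unnoticed, and the bare `1` is a magic number for `SW_SHOWNORMAL`. If a missing decoy is deliberately non-fatal, say so in the comment (`// Decoy: failure is ignored on purpose`); otherwise check it, e.g. `if (WinExec("C:\\windows\\system32\\notepad.exe", SW_SHOWNORMAL) <= 31) { return 7; }`. WinExec is also a legacy API that returns no process handle, so if the carrier ever needs to wait on or terminate the decoy, `CreateProcessA` is the call to use. `main()` continues outside the hunk.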
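Review bot: `ui_string_decode` raises `UnicodeDecodeError` for any input that is not clean UTF-8 or UTF-16LE (odd-length data on the utf-16 branch included), and its only use visible in this diff is inside a log line, so a display helper can abort its caller; decoding with replacement keeps it pure formatting: `return "(utf16) " + data.decode("utf-16le", errors="replace")` and `return "(utf8) " + data.decode("utf-8", errors="replace")`. The `b"\x00\x00"` sniff only fires when two zero bytes are adjacent, which for UTF-16LE text generally means a NUL terminator is present — presumably true for the .rdata strings this formats, but that assumption deserves a comment on the `elif`. `round_up_to_multiple_of_8` goes through float division, which is inexact for large values; integer arithmetic is exact and needs no `math` import: `return -(-x // 8) * 8`.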
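Review bot: The new module logger is named with the literal `"Observer"` rather than `logging.getLogger(__name__)`, which is the stdlib convention and lets logging configuration address the module by its import path; the injector changes in this same diff log through the root logger, so the two files now follow different conventions. Consider `logger = logging.getLogger(__name__)` unless the literal name is matched by existing logging configuration elsewhere in the project.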
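Review bot: The added `try`/`except Exception` around `f.write(line + "\n")` swallows every failure, including disk errors, to survive what is presumably a `UnicodeEncodeError` — the file is opened with `"w"` and no `encoding`, so on Windows it uses the ANSI code page and any non-encodable character in a log line (the UTF-16 strings the injector now logs are one likely source) raises. Fixing the open call removes the need for the handler: `with open(f"{working_dir}log-supermega.log", "w", encoding="utf-8", errors="replace") as f:`. If the handler stays, narrow it to `except UnicodeEncodeError as e:` and use `logger.warning(...)`, since `logger.warn` is a deprecated alias. The enclosing method starts before and ends after this hunk.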
@@ -86,6 +86,7 @@ def inject_exe(main_shc: bytes, settings: Settings, carrier: Carrier): shellcode_len, CODE_INJECT_SIZE_CHECK_ADD, sect_size )) shellcode_offset = int((sect_size - shellcode_len) / 2) # centered in the .text section + #shellcode_offset = round_up_to_multiple_of_8(shellcode_offset) shellcode_offset += sect.PointerToRawData shellcode_rva = superpe.pe.get_rva_from_offset(shellcode_offset) @@ -206,12 +207,8 @@ def injected_fix_data(superpe: SuperPe, carrier: Carrier): data_rva = hole_rva[0] superpe.pe.set_bytes_at_rva(data_rva, var_data) datareuse_fixup.addr = data_rva + carrier.superpe.get_image_base() - if len(var_data) <= 32: # show strings (hope they are less than that, and shellcode is larger) - logging.info(" Add to .rdata at 0x{:X} ({}): {}: {}".format( - datareuse_fixup.addr, data_rva, datareuse_fixup.string_ref, var_data.decode("utf-16le"))) - else: - logging.info(" Add to .rdata at 0x{:X} ({}): {}: Data with len {}".format( - datareuse_fixup.addr, data_rva, datareuse_fixup.string_ref, len(var_data))) + logging.info(" Add to .rdata at 0x{:X} ({}): {}: {}".format( + datareuse_fixup.addr, data_rva, datareuse_fixup.string_ref, ui_string_decode(var_data))) # patch code section # replace the placeholder with a LEA instruction to the data we written above
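Review bot: The new line is commented-out code (`#shellcode_offset = round_up_to_multiple_of_8(shellcode_offset)`) with no note on why it is disabled, and enabling it would also require `round_up_to_multiple_of_8` to be imported here, which this hunk does not show. If the alignment is meant to be switched on later, note that rounding can add up to 7 bytes to the offset after the size check whose message closes at the top of the hunk has already run on the unrounded value, so the check would need to account for that; otherwise replace the line with a one-line `# TODO:` stating the intent, or drop it. The pre-existing `int((sect_size - shellcode_len) / 2)` on the line above reads more clearly as `(sect_size - shellcode_len) // 2`. `inject_exe` continues outside the hunk.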
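Review bot: The log call now evaluates `ui_string_decode(var_data)` eagerly with the helper's strict default decoding, so a `.rdata` value that is not valid UTF-8 or UTF-16LE aborts `injected_fix_data` for the sake of an INFO message — the removed code had the same exposure for utf-16le, but the new utf-8 branch for data without a double NUL widens it. Guard the call with `except UnicodeDecodeError:` falling back to the `Data with len {}` form, or have the helper decode with `errors="replace"`. The import of `ui_string_decode` into injector.py is not visible in this diff; confirm it was added. `injected_fix_data` starts before and ends after this hunk.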