refactor: make .rdata offset grabber better

This commit is contained in:
Dobin
2024-03-03 17:14:40 +00:00
parent 286ad055d3
commit 903add2c4f
2 changed files with 18 additions and 33 deletions
+5 -16
@@ -16,6 +16,7 @@ class PeSection():
self.raw_size: int = pefile_section.SizeOfRawData self.raw_size: int = pefile_section.SizeOfRawData
self.virt_addr: int = pefile_section.VirtualAddress self.virt_addr: int = pefile_section.VirtualAddress
self.virt_size: int = pefile_section.Misc_VirtualSize self.virt_size: int = pefile_section.Misc_VirtualSize
self.pefile_section: pefile.SectionStructure = pefile_section
class SuperPe(): class SuperPe():
@@ -44,13 +45,6 @@ class SuperPe():
if self.arch == 'x64': if self.arch == 'x64':
self.ptrSize = 8 self.ptrSize = 8
##################
def get_section_by_name(self, name: str) -> PeSection:
for section in self.pe_sections:
if section.name == name:
return section
return None
def get_physical_address(self, virtual_address): def get_physical_address(self, virtual_address):
# Iterate through the section headers to find which section contains the VA # Iterate through the section headers to find which section contains the VA
@@ -90,15 +84,10 @@ class SuperPe():
return bytes(sect.get_data()) return bytes(sect.get_data())
def get_section_data(self, sect_name) -> bytes: def get_section_by_name(self, name: str) -> PeSection:
sect = self.get_section_by_name_b(sect_name) for section in self.pe_sections:
return bytes(sect.get_data()) if section.name == name:
return section
def get_section_by_name_b(self, name):
for sect in self.pe.sections:
if sect.Name.decode().lower().startswith(name.lower()):
return sect
return None return None
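Review bot: The new `get_section_by_name` is annotated `-> PeSection` but its final statement returns `None`, which is exactly the value the new caller in `injected_fix_data` tests for; the annotation should be `-> PeSection | None` (or `Optional[PeSection]` if the file still targets Python older than 3.10). It also replaces the removed `get_section_by_name_b`, which matched case-insensitively on a prefix of the raw `Name` bytes, with an exact `section.name == name` comparison, so whether `".rdata"` still matches depends on how `PeSection.name` is derived from the 8-byte NUL-padded header name in the constructor, which lies outside this hunk and is worth confirming. A one-line docstring such as `"""Return the section whose name equals *name*, or None if no such section exists."""` would make the contract explicit. The `SuperPe` class continues beyond the hunk.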
+11 -15
@@ -106,27 +106,23 @@ def injected_fix_data(superpe: SuperPe, carrier: Carrier, exe_host: ExeHost):
# nothing todo # nothing todo
return return
# Offset of strings in .rodata # Put stuff into .rdata section in the PE
sect = exe_host.superpe.get_section_by_name_b(".rdata") peSection = exe_host.superpe.get_section_by_name(".rdata")
sect_data = sect.get_data() if peSection == None:
string_off = find_first_utf16_string_offset(sect_data) raise Exception("No .rdata section found, abort")
sect_data_copy = peSection.pefile_section.get_data()
string_off = find_first_utf16_string_offset(sect_data_copy)
if string_off == None: if string_off == None:
raise Exception("Strings not found in .rdata section, abort") raise Exception("Strings not found in .rdata section, abort")
if string_off < 100: if string_off < 100:
logging.warn("weird: Strings in .rdata section at offset {} < 100".format(string_off)) logging.warn("weird: Strings in .rdata section at offset {} < 100".format(string_off))
fixup_offset_rdata = peSection.raw_addr + string_off
sect = exe_host.superpe.get_section_by_name(".rdata") # Do all .rdata patches
addr = sect.raw_addr + string_off
for datareuse_fixup in reusedata_fixups: for datareuse_fixup in reusedata_fixups:
var_data = datareuse_fixup.data var_data = datareuse_fixup.data
#print(" Addr: {} / 0x{:X} Data: {}".format( superpe.pe.set_bytes_at_offset(fixup_offset_rdata, var_data)
# addr, addr, len(var_data))) datareuse_fixup.addr = fixup_offset_rdata + peSection.virt_addr + exe_host.image_base - peSection.raw_addr
superpe.pe.set_bytes_at_offset(addr, var_data) fixup_offset_rdata += len(var_data) + 8
#f.seek(addr)
#f.write(var_data)
datareuse_fixup.addr = addr + sect.virt_addr + exe_host.image_base - sect.raw_addr
addr += len(var_data) + 8
# patch code section # patch code section
# replace the placeholder with a LEA instruction to the data we written above # replace the placeholder with a LEA instruction to the data we written above
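Review bot: The patch loop writes each `var_data` at `fixup_offset_rdata` and advances by `len(var_data) + 8` without checking that the write stays inside the `.rdata` section; since `peSection.raw_size` is now available, a guard before `set_bytes_at_offset`, `if fixup_offset_rdata + len(var_data) > peSection.raw_addr + peSection.raw_size: raise Exception("Data does not fit into .rdata section, abort")`, turns a silent overwrite of whatever follows the section into a clear failure. The return value of `superpe.pe.set_bytes_at_offset` is also discarded; pefile reports an out-of-range offset by returning False rather than raising, as far as I recall, so that result should abort as well. The `+ 8` spacing between entries has no explanation, and a comment such as `# keep 8 bytes between entries — TODO state why (alignment or terminator?)` would help the next reader. Minor: `if peSection == None:` should be `if peSection is None:`. `injected_fix_data` starts before this hunk.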