admin/SuperMega
1
0
Fork 0
mirror of https://github.com/dobin/SuperMega synced 2026-06-02 17:27:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor: cleanup 3

Browse Source
This commit is contained in:
Dobin
2024-03-01 14:07:18 +00:00
parent 112964c11c
commit 9e551d9a19
8 changed files with 36 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/views.py
+1 -5
View File
@@ -48,11 +48,7 @@ def inject():
settings.exec_style = ExecStyle[exec_style]
inject_style = request.form['inject_style']
inject_style = InjectStyle[inject_style]
if inject_style == InjectStyle.ENTRY:
settings.inject_mode = 1
elif inject_style == InjectStyle.HIJACK:
settings.inject_mode = 2
settings.inject_style = InjectStyle[inject_style]
print(str(settings))
start(settings)
derbackdoorer/derbackdoorer.py
+13 -18
View File
@@ -13,21 +13,16 @@ import logging
from helper import hexdump
from derbackdoorer.mype import MyPe
from model.defs import *
logger = logging.getLogger("DerBackdoorer")
class PeBackdoor:
class SupportedRunModes(IntEnum):
ModifyOEP = 1
BackdoorEP = 2
HijackExport = 4
def __init__(self, mype: MyPe, main_shc, inject_mode):
def __init__(self, mype: MyPe, main_shc: bytes, inject_mode: InjectStyle):
self.mype: MyPe = mype
self.runMode = inject_mode
self.shellcodeData = main_shc
self.runMode: InjectStyle = inject_mode
self.shellcodeData: bytes = main_shc
# Working
self.shellcodeOffset: int = 0 # from start of the file
@@ -77,22 +72,22 @@ Trailing {sect_name} bytes:
def setupShellcodeEntryPoint(self):
if self.runMode == int(PeBackdoor.SupportedRunModes.ModifyOEP):
if self.runMode == InjectStyle.ChangeEntryPoint:
rva = self.mype.pe.get_rva_from_offset(self.shellcodeOffset)
self.mype.set_entrypoint(rva)
logger.info(f'Address Of Entry Point changed to: RVA 0x{rva:x}')
return True
elif self.runMode == int(PeBackdoor.SupportedRunModes.BackdoorEP):
elif self.runMode == InjectStyle.BackdoorCallInstr:
return self.backdoorEntryPoint()
elif self.runMode == int(PeBackdoor.SupportedRunModes.HijackExport):
addr = self.getExportEntryPoint()
if addr == -1:
logger.critical('Could not find any export entry point to hijack! Specify existing DLL Exported function with -e/--export!')
return self.backdoorEntryPoint(addr)
#elif self.runMode == int(PeBackdoor.SupportedRunModes.HijackExport):
# addr = self.getExportEntryPoint()
# if addr == -1:
# logger.critical('Could not find any export entry point to hijack! Specify existing DLL Exported function with -e/--export!')
#
# return self.backdoorEntryPoint(addr)
return False
@@ -250,7 +245,7 @@ Trailing {sect_name} bytes:
self.compiledTrampoline = encoding
self.compiledTrampolineCount = count
logger.info('Successfully backdoored entry point with jump/call to shellcode.\n')
logger.info('Successfully backdoored entry point with jump/call to shellcode')
return instr.address
return 0
derbackdoorer/mype.py
-2
View File
@@ -56,13 +56,11 @@ class MyPe():
def get_code_section_data(self) -> bytes:
sect = self.get_code_section()
print("CODE GET: {}".format(len(sect.get_data())))
return bytes(sect.get_data())
def write_code_section_data(self, data: bytes):
sect = self.get_code_section()
print("CODE SET {} {}".format(len(data), sect.PointerToRawData))
self.pe.set_bytes_at_offset(sect.PointerToRawData, data)
model/defs.py
+3 -2
View File
@@ -27,9 +27,10 @@ class ExecStyle(Enum):
class DataRefStyle(Enum):
APPEND = 1
class InjectStyle(Enum):
ENTRY = "change AddressOfEntryPoint"
HIJACK = "hijack branching instruction at Original Entry Point (jmp, call, ...)"
ChangeEntryPoint = "change AddressOfEntryPoint"
BackdoorCallInstr = "hijack branching instruction at Original Entry Point (jmp, call, ...)"
class SourceStyle(Enum):
peb_walk = "peb_walk"
model/settings.py
+1 -1
View File
@@ -14,7 +14,7 @@ class Settings():
self.short_call_patching: bool = False
# Injectable
self.inject_mode: int = 2
self.inject_mode: InjectStyle = InjectStyle.BackdoorCallInstr
self.inject_exe_in: FilePath = ""
self.inject_exe_out: FilePath = ""
phases/injector.py
+3 -4
View File
@@ -26,8 +26,8 @@ def inject_exe(
shellcode_in = project.payload.payload_path
exe_in = settings.inject_exe_in
exe_out = settings.inject_exe_out
inject_mode = settings.inject_mode
source_style = settings.source_style
inject_mode: InjectStyle = settings.inject_mode
source_style: SourceStyle = settings.source_style
logger.info("--[ Injecting: {} into: {} -> {} (mode: {})".format(
shellcode_in, exe_in, exe_out, inject_mode
@@ -92,7 +92,7 @@ def injected_fix_iat(mype: MyPe, carrier: Carrier, exe_host: ExeHost):
offset_from_code = code.index(iatRequest.placeholder)
instruction_virtual_address = offset_from_code + exe_host.image_base + exe_host.code_virtaddr
logger.info(" Replace {} at VA 0x{:x} with call to IAT at VA 0x{:x}".format(
iatRequest.placeholder, instruction_virtual_address, destination_virtual_address
iatRequest.placeholder.hex(), instruction_virtual_address, destination_virtual_address
))
jmp = assemble_and_disassemble_jump(
instruction_virtual_address, destination_virtual_address
@@ -124,7 +124,6 @@ def injected_fix_data(mype: MyPe, carrier: Carrier, exe_host: ExeHost):
# patch code section
# replace the placeholder with a LEA instruction to the data we written above
code = mype.get_code_section_data()
print("Type of code: ", type(code))
for datareuse_fixup in reusedata_fixups:
if not datareuse_fixup.randbytes in code:
raise Exception("DataResuse: ID {} not found, abort".format(
phases/masmshc.py
+6 -3
View File
@@ -1,9 +1,12 @@
import re
import os
import logging
logger = logging.getLogger("masmshc")
VERSION = "0.3"
g_is32bit = False
class Params:
def __init__(self, infile, outfile, inline_strings, remove_crt, append_rsp_stub):
self.infile = infile
@@ -116,10 +119,10 @@ def process_file(params):
# ofile.write("\tjmp\tmain\n")
elif params.append_rsp_stub:
append_align_rsp(ofile)
print("[INFO] Entry Point: AlignRSP")
logger.debug("[INFO] Entry Point: AlignRSP")
if seg_name == "_BSS":
print(f"[ERROR] Line {line_count + 1}: _BSS segment detected! Remove all global and static variables!\n")
logger.error(f"[ERROR] Line {line_count + 1}: _BSS segment detected! Remove all global and static variables!\n")
if seg_name in ("pdata", "xdata", "voltbl"):
in_skipped = True
supermega.py
+9 -7
View File
@@ -58,17 +58,17 @@ def main():
if args.verify == "peb":
settings.source_style = SourceStyle.peb_walk
settings.inject_mode = 2
settings.inject_mode = InjectStyle.BackdoorCallInstr
settings.inject_exe_in = "exes/7z.exe"
settings.inject_exe_out = "out/7z-verify.exe"
elif args.verify == "iat":
settings.source_style = SourceStyle.iat_reuse
settings.inject_mode = 2
settings.inject_mode = InjectStyle.BackdoorCallInstr
settings.inject_exe_in = "exes/procexp64.exe"
settings.inject_exe_out = "out/procexp64-verify.exe"
elif args.verify == "rwx":
settings.source_style = SourceStyle.peb_walk
settings.inject_mode = 1 # ,2 is broken atm
settings.inject_mode = InjectStyle.ChangeEntryPoint # ,2 is broken atm
settings.inject_exe_in = "exes/wifiinfoview.exe"
settings.inject_exe_out = "out/wifiinfoview.exe-verify.exe"
else:
@@ -101,12 +101,14 @@ def main():
if args.exec == "direct_1":
settings.exec_style = ExecStyle.CALL
if args.rbrunmode:
if args.rbrunmode == "1" or args.rbrunmode == "2":
settings.inject_mode = int(args.rbrunmode)
if args.inject:
if args.rbrunmode == "eop":
settings.inject_mode = InjectStyle.ChangeEntryPoint
elif args.rbrunmode == "backdoor":
settings.inject_mode = InjectStyle.BackdoorCallInstr
else:
logging.error("Invalid mode, use one of:")
for i in ["1", "2"]:
for i in ["eop", "backdoor"]:
logging.error(" {} {}".format(i, rbrunmode_str(i)))
return