refactor: remove derbackdoorer/ dir into peparser/ to pe/

2026-06-03 01:27:11 +00:00 · 2024-03-01 19:25:28 +00:00
parent 1e2911504d
commit aed5b168c2
13 changed files with 32 additions and 31 deletions
@@ -8,7 +8,7 @@ class Config(object):
    def __init__(self):
        self.data = {}
        self.ShowCommandOutput: bool = False
-        self.debug: bool = True
+        self.debug: bool = False
        self.xor_key: int = 0x31
        self.data_fixups = None
@@ -4,9 +4,8 @@ import pefile
 from intervaltree import Interval, IntervalTree
 from model.defs import *
-import peparser.pehelper as pehelper
+import pe.pehelper as pehelper
-from peparser.superpe import SuperPe
+from pe.superpe import SuperPe
 from peparser.misc import get_physical_address
 from model.carrier import Carrier
 logger = logging.getLogger("ExeHost")
@@ -64,7 +63,7 @@ class ExeHost():
            raise Exception("Binary is not 64bit: {}".format(self.filepath))
        self.ep = pe.OPTIONAL_HEADER.AddressOfEntryPoint
-        self.ep_raw = get_physical_address(pe, self.ep)
+        self.ep_raw = self.superpe.get_physical_address(self.ep)
        # image base
        self.image_base = pe.OPTIONAL_HEADER.ImageBase
@@ -3,7 +3,7 @@ import pprint
 from capstone import Cs, CS_ARCH_X86, CS_MODE_64
 from model import *
-from peparser.r2helper import r2_disas
+from pe.r2helper import r2_disas
 from helper import delete_all_files_in_directory
 from model.defs import *
@@ -12,7 +12,7 @@ from enum import IntEnum
 import logging
 from helper import hexdump
-from derbackdoorer.mype import MyPe
+from pe.mype import MyPe
 from model.defs import *
 logger = logging.getLogger("DerBackdoorer")
@@ -32,5 +32,18 @@ class SuperPe():
        return None
    def get_physical_address(self, virtual_address):
        # Iterate through the section headers to find which section contains the VA
        for section in self.pe.sections:
            # Check if the VA is within the range of this section
            if section.VirtualAddress <= virtual_address < section.VirtualAddress + section.Misc_VirtualSize:
                # Calculate the difference between the VA and the section's virtual address
                virtual_offset = virtual_address - section.VirtualAddress
                # Add the difference to the section's pointer to raw data
                return virtual_offset
                #physical_address = section.PointerToRawData + virtual_offset
                #return physical_address
        return None
@@ -1,14 +0,0 @@
 def get_physical_address(pe, virtual_address):
    # Iterate through the section headers to find which section contains the VA
    for section in pe.sections:
        # Check if the VA is within the range of this section
        if section.VirtualAddress <= virtual_address < section.VirtualAddress + section.Misc_VirtualSize:
            # Calculate the difference between the VA and the section's virtual address
            virtual_offset = virtual_address - section.VirtualAddress
            # Add the difference to the section's pointer to raw data
            return virtual_offset
            #physical_address = section.PointerToRawData + virtual_offset
            #return physical_address
    return None
@@ -3,7 +3,7 @@ import logging
 from model import *
 from config import config
 from observer import observer
-from peparser.pehelper import *
+from pe.pehelper import *
 from helper import *
 logger = logging.getLogger("Assembler")
@@ -4,11 +4,11 @@ import time
 import logging
 from model.carrier import Carrier, DataReuseEntry
-from peparser.pehelper import *
+from pe.pehelper import *
 from model.exehost import *
 from observer import observer
-from derbackdoorer.derbackdoorer import PeBackdoor
+from pe.derbackdoorer import PeBackdoor
-from derbackdoorer.mype import MyPe
+from pe.mype import MyPe
 from model.project import Project
 from model.settings import Settings
@@ -76,8 +76,7 @@ def inject_exe(
 def injected_fix_iat(mype: MyPe, carrier: Carrier, exe_host: ExeHost):
    """replace IAT-placeholders in shellcode with call's to the IAT"""
-    code = mype.get_code_section_data()  # BUG WITHOUT PLACEHOLDR
+    code = mype.get_code_section_data()
    observer.add_code("exe_extracted_iat", code)
    for iatRequest in carrier.get_all_iat_requests():
        if not iatRequest.placeholder in code:
@@ -104,6 +103,10 @@ def injected_fix_data(mype: MyPe, carrier: Carrier, exe_host: ExeHost):
    # Insert my data into the .rdata section.
    # Chose and save each datareuse_fixup's addres.
    reusedata_fixups: List[DataReuseEntry] = carrier.get_all_reusedata_fixups()
    if len(reusedata_fixups) == 0:
        # nothing todo
        return
    sect = exe_host.superpe.get_section_by_name(".rdata")
    addr = sect.raw_addr + 0x1AB0 # NEEDED, > 1A00!
@@ -130,7 +133,7 @@ def injected_fix_data(mype: MyPe, carrier: Carrier, exe_host: ExeHost):
        instruction_virtual_address = offset_from_datasection + exe_host.image_base + exe_host.code_virtaddr
        destination_virtual_address = datareuse_fixup.addr
        logger.info("    Replace {} at VA 0x{:x} with .rdata LEA at VA 0x{:x}".format(
-            datareuse_fixup.randbytes, instruction_virtual_address, destination_virtual_address
+            datareuse_fixup.randbytes.hex(), instruction_virtual_address, destination_virtual_address
        ))
        lea = assemble_lea(
            instruction_virtual_address, destination_virtual_address, datareuse_fixup.register
@@ -12,7 +12,7 @@ import phases.compiler
 import phases.assembler
 import phases.injector
 from observer import observer
-from peparser.pehelper import extract_code_from_exe_file_ep
+from pe.pehelper import extract_code_from_exe_file_ep
 from model.project import Project
 from model.settings import Settings
@@ -5,11 +5,11 @@ import logging
 from model.exehost import ExeHost
 from model.defs import *
-from peparser.pehelper import extract_code_from_exe_file
+from pe.pehelper import extract_code_from_exe_file
 from helper import hexdump
 from observer import observer
-from derbackdoorer.derbackdoorer import PeBackdoor
+from pe.derbackdoorer import PeBackdoor
 # What to make sure of: