feature: iat support tmp

phases/asmtoshc.py

@@ -1,4 +1,5 @@
 import pefile
+import pprint
 
 from helper import *
 from config import config
@@ -26,33 +27,3 @@ def make_shc_from_asm(asm_file, exe_file, shc_file):
 
     return code
     #print("---[ Shellcode from {} written to: {}  (size: {}) ]".format(exe_file, shc_file, len(code)))
-
-
-def get_code_section(pe_file):
-    try:
-        # Load the PE file
-        pe = pefile.PE(pe_file)
-
-        # Iterate over the sections
-        for section in pe.sections:
-            # Check if this is the code section
-            if '.text' in section.Name.decode().rstrip('\x00'):
-                data = section.get_data()
-                data = remove_trailing_null_bytes(data)
-                print("    > Code Size: {}  (raw code section size: {})".format(
-                    len(data), section.SizeOfRawData))
-                return data
-        else:
-            print("Code section not found.")
-    
-    except FileNotFoundError:
-        print(f"File not found: {pe_file}")
-    except pefile.PEFormatError:
-        print(f"Invalid PE file: {pe_file}")
-
-
-def remove_trailing_null_bytes(data):
-    for i in range(len(data) - 1, -1, -1):
-        if data[i] != b'\x00'[0]:  # Check for a non-null byte
-            return data[:i + 1]
-    return b''  # If the entire sequence is null bytes

phases/ctoasm.py

@@ -1,5 +1,7 @@
 from helper import *
 from config import config
+import os
+import pprint
 
 
 def make_c_to_asm(c_file, asm_file, payload_len, exe_capabilities):
@@ -52,10 +54,25 @@ def make_c_to_asm(c_file, asm_file, payload_len, exe_capabilities):
     return asm
 
 
+def bytes_to_asm_db(byte_data):
+    # Convert each byte to a string in hexadecimal format suffixed with 'h'
+    hex_values = [f"0{byte:02x}H" for byte in byte_data]
+    # Join the hex values into a single string with ', ' as separator
+    formatted_string = ', '.join(hex_values)
+    return "\tDB " + formatted_string
+
+
 def fixup_asm_file(filename, payload_len, exe_capabilities):
-    with open(filename, 'r') as asmfile:
+    with open(filename, 'r', encoding='utf-8') as asmfile:
         lines = asmfile.readlines()
 
+    #pprint.pprint(exe_capabilities)
+
+    # FUCK
+    for idx, line in enumerate(lines):
+        if "jmp\tSHORT" in lines[idx]:
+            lines[idx] = lines[idx].replace("SHORT", "")
+
     # do IAT reuse
     for idx, line in enumerate(lines):
         # Remove definition: 
@@ -72,10 +89,15 @@ def fixup_asm_file(filename, payload_len, exe_capabilities):
             if func_name not in exe_capabilities or exe_capabilities[func_name] == None:
                 print("Capabilities not: {}".format(func_name))
             else:
-                func_addr = exe_capabilities[func_name]
-                lines[idx] = "\tcall  rax\r\n"
-                lines.insert(idx, "\tmov rax, [rax]\r\n")
-                lines.insert(idx, "\tmov rax, {:X}H\r\n".format(func_addr))
+                randbytes = os.urandom(6)
+                lines[idx] = bytes_to_asm_db(randbytes) + "\r\n"
+                exe_capabilities[func_name]["id"] = randbytes
+                #func_addr = exe_capabilities[func_name]
+                #lines[idx] = "\tcall  main\r\n"
+
+                #lines[idx] = "\tcall  rax\r\n"
+                #lines.insert(idx, "\tmov rax, [rax]\r\n")
+                #lines.insert(idx, "\tmov rax, {:X}H\r\n".format(func_addr))
 
             #print("    > Replace__imp_MessageBoxW at line: {}".format(idx))
             #lines[idx] = lines[idx].replace("__imp_MessageBoxW", "ds:[0x123]")

phases/shctoexe.py

@@ -1,8 +1,9 @@
 from helper import *
 import shutil
+import pprint
+from pehelper import *
 
-
-def inject_exe(shc_file, exe_in, exe_out, mode):
+def inject_exe(shc_file, exe_in, exe_out, mode, exe_capabilities):
     print("--[ Injecting: {} into: {} -> {} ]".format(
         shc_file, exe_in, exe_out
     ))
@@ -18,6 +19,50 @@ def inject_exe(shc_file, exe_in, exe_out, mode):
     ], check=True,  stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
 
 
+    # get code section
+    #   get offset from start of code
+    #   get offset of code setion?
+
+    ####
+    print("-------------")
+    #pprint.pprint(exe_capabilities)
+    for cap in exe_capabilities:
+        print("-> 0x{:X}\t\t{}".format(
+            exe_capabilities[cap]["addr"],
+            cap,
+            #exe_capabilities["id"],
+        ))
+    print("-------------")
+    code = get_code_section(exe_out)
+
+    # replace IAT in shellcode
+    for cap in exe_capabilities:
+        #print("AAAA: " + str(cap))
+        if not exe_capabilities[cap]["id"] in code:
+            print("Not found, abort")
+            raise Exception()
+        
+        off = code.index(exe_capabilities[cap]["id"])
+        current_address = off + 0x140000000 + 4096
+
+        print(" Off: 0x{:X}".format(off))
+        print(" Off2: 0x{:X}".format(current_address)) # base addr
+        #print(" Diff: 0x{:X}".format())
+
+        destination_address = exe_capabilities[cap]["addr"]
+
+        jmp = assemble_and_disassemble_jump(
+            current_address, destination_address
+        )
+        print("ONE: {}".format(jmp))
+        print("TWO: {}".format(exe_capabilities[cap]["id"]))
+
+        print("Found! replacing")
+        code = code.replace(
+            exe_capabilities[cap]["id"], jmp)
+        write_code_section(exe_out, code)
+
+
 def verify_injected_exe(exefile):
     print("---[ Verify infected exe: {} ]".format(exefile))
     # remove indicator file