-rw-r--r-- | Makefile | 3 | ||||
-rw-r--r-- | crypter/Makefile | 4 | ||||
-rw-r--r-- | crypter/xor2_decoder.asm | 8 | ||||
-rw-r--r-- | crypter/xor2_encoder.c | 142 | ||||
-rw-r--r-- | crypter/xor_encoder.c | 2 |
5 files changed, 153 insertions, 6 deletions
@@ -1,6 +1,7 @@ RM := rm CC := gcc STRIP := strip +LBITS := $(shell getconf LONG_BIT) CFLAGS = -Wall -g OCFLAGS = -z execstack -fno-stack-protector X86_FLAGS = -m32 -mpreferred-stack-boundary=2 @@ -36,7 +37,9 @@ disable-prot: %.o : %.c $(CC) $(CFLAGS) $(X86_FLAGS) $(OCFLAGS) -o $(patsubst %.o,%,$@) $< +ifeq ($(LBITS),64) -$(CC) $(CFLAGS) $(X64_FLAGS) $(OCFLAGS) -o $(patsubst %.o,%,$@)_x64 $< +endif ln -s $< $@ clean: diff --git a/crypter/Makefile b/crypter/Makefile index 0508caa..5b1b5d6 100644 --- a/crypter/Makefile +++ b/crypter/Makefile @@ -3,6 +3,7 @@ ASM := nasm CC := gcc LD := ld XXD := xxd +ASMFLAGS = -g CFLAGS = -Wall -fpic -Os LDFLAGS = SUBDIR ?= . @@ -14,12 +15,13 @@ SCC := $(shell if [ -x $(SCDIR)/sc-test ]; then echo "yes"; else echo "no"; fi) all: $(TARGETS) %.o : %.asm - $(ASM) -o $@ $< + $(ASM) $(ASMFLAGS) -o $@ $< %.o : %.c ifneq ($(SCC),yes) $(error Please run 'make' in the main directory) endif + @echo "generating header $(patsubst %.o,%.h,$@) for target $<" -$(shell $(SCDIR)/sc-test -p $(SUBDIR)/`cat "$<" | sed -n 's/.*#DECODER=//p'` | sed 's/shellcode/decoder/' > $(patsubst %.o,%.h,$@)) -$(shell $(SCDIR)/sc-test -p $(SUBDIR)/`cat "$<" | sed -n 's/.*#SHELLCODE=//p'` >> $(patsubst %.o,%.h,$@)) $(CC) $(CFLAGS) -D_USE_CFG -o $(patsubst %.c,%,$<) $< diff --git a/crypter/xor2_decoder.asm b/crypter/xor2_decoder.asm index 0545405..cc102b2 100644 --- a/crypter/xor2_decoder.asm +++ b/crypter/xor2_decoder.asm @@ -3,15 +3,15 @@ BITS 32 jmp short go next: -pop esi -xor ecx,ecx +pop esi ; stackpointer -> start+len(encoder) +xor ecx,ecx ; zero out some regs xor eax,eax xor edx,edx mov cl,0 ; buffer length mov dl,4 ; xor padding change: -xor byte [esi + ecx - 1],0 - +xor byte [esi + ecx],0 +mov byte al,[esi + ecx] dec cl jnz done ; no more bytes left dec dh diff --git a/crypter/xor2_encoder.c b/crypter/xor2_encoder.c new file mode 100644 index 0000000..cc46592 --- /dev/null +++ b/crypter/xor2_encoder.c 
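Review bot: `LBITS := $(shell getconf LONG_BIT)` expands to the empty string when `getconf` is absent or fails, and the later `ifeq ($(LBITS),64)` then silently skips the `_x64` build instead of reporting why. A guard right after the assignment, `$(if $(strip $(LBITS)),,$(warning getconf LONG_BIT failed; x64 targets disabled))`, makes that visible without breaking 32-bit hosts. Using `:=` here is right: the shell call runs once at parse time rather than on every reference.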
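Review bot: Now that `ifeq ($(LBITS),64)` limits the x64 compile to 64-bit hosts, the leading `-` on `-$(CC) $(CFLAGS) $(X64_FLAGS) $(OCFLAGS) -o $(patsubst %.o,%,$@)_x64 $<` no longer has a reason to exist and hides a real compile failure of the `_x64` binary, leaving it missing or stale while make reports success. Dropping the `-` lets the conditional carry the host check: `$(CC) $(CFLAGS) $(X64_FLAGS) $(OCFLAGS) -o $(patsubst %.o,%,$@)_x64 $<`. The `ifeq`/`endif` lines inside the recipe must start at column 0 rather than with a tab (a tab would make them shell text), which the collapsed listing does not let me confirm. The `%.o : %.c` rule's recipe ends inside the hunk, but `disable-prot:` and `X64_FLAGS` are outside it.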
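Review bot: The new `@echo "generating header ..."` line prints after the header has already been written, because the two `-$(shell ...)` lines below it are expanded when make expands the recipe, not when the recipe's shell commands run; for the same reason the `-` prefix on them ignores nothing — `$(shell ...)` expands to an empty command and its exit status is discarded. A failing `sc-test` therefore leaves an empty or partial `$(patsubst %.o,%.h,$@)` and the build continues into a confusing `$(CC)` error. Turning them into ordinary recipe lines restores error handling and makes the echo order truthful: `$(SCDIR)/sc-test -p $(SUBDIR)/$$(sed -n 's/.*#DECODER=//p' "$<") | sed 's/shellcode/decoder/' > $(patsubst %.o,%.h,$@)`, and likewise with `>>` for the `#SHELLCODE=` tag. The `%.o : %.c` rule may continue past the last hunk line.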
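Review bot: Changing the operand from `[esi + ecx - 1]` to `[esi + ecx]` while keeping `dec cl` after the access shifts the loop by one: on the first pass ecx equals the patched length, so the byte one past the buffer is modified and byte 0 is never visited, unless the loop tail after `done` (outside the hunk) adjusts ecx before returning to `change`. The added `mov byte al,[esi + ecx]` reads the byte back but nothing in the hunk consumes al, so it needs a comment stating its purpose, e.g. `; keep decoded byte in al for the check below`. The `0` immediates in `mov cl,0` and `xor byte [esi + ecx],0` are placeholders that xor2_encoder.c overwrites with the length and the key; a comment saying so, `; patched by the encoder`, would stop the next reader from treating them as bugs. `jnz done ; no more bytes left` reads inverted (jnz jumps while cl is non-zero), but the labels and the rest of the routine lie outside the hunk.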
@@ -0,0 +1,142 @@ +// #DECODER=./xor_decoder.o +// #SHELLCODE=../shellcode/hello.o +#define _GNU_SOURCE 1 + +#include <stdio.h> +#include <string.h> +#include <sys/time.h> +#include <stdlib.h> +#include <unistd.h> + +#ifdef _USE_CFG +#include "xor2_encoder.h" +#else +#error "xor2_encoder.h config file missing including decoder && shellcode" +#endif + +#ifndef _CRYPTVAL +#define _CRYPTVAL 0xff +#endif + +#ifndef _OUTFILE +#define _OUTFILE "xor2_encoded.o" +#endif + + +int +getnumber(int n) +{ + int seed; + struct timeval tm; + + gettimeofday(&tm, NULL); + seed = tm.tv_sec + tm.tv_usec; + srandom(seed); + return (random() % n); +} + +void +print_code(const char *name, char *data, int len) +{ + int i,l = 15; + + printf("unsigned long int l%s = %lu;\nchar %s[] = \n", name, (unsigned long int) strlen(data), name); + for (i = 0; i < len; i++) { + if (l >= 15) { + if (i) { + printf("\"\n"); + } + printf("\t\""); + l = 0; + } + ++l; + printf("\\x%02x", ((unsigned char *)data)[i]); + } + printf("\";\n\n"); +} + +void +err_n_xit(const char *exit_msg, const char *arg) +{ + char *tmp; + if (arg != NULL) { + asprintf(&tmp, "%s('%s')", exit_msg, arg); + } else { + tmp = (char *) exit_msg; + } + perror(tmp); + if (arg != NULL) { + free(tmp); + } + exit(1); +} + +int +main(int argc, char **argv) +{ + int i, npos = 0, number = getnumber(_CRYPTVAL), nullbyte = 0; + int ldecoder = sizeof(decoder)-1; /* last byte is '\x00' */ + int lshellcode = sizeof(shellcode)-1; /* same as above */ + int first_arg = 1; + char *result; + FILE *outfile; + + printf("/* Using value %d to encode the shellcode. 
*/\n", number); + printf("/* PRINT SHELLCODE */\n"); + print_code("shellcode", shellcode, lshellcode); + printf("/* PRINT DECODER */\n"); + print_code("decoder", decoder, ldecoder); + + for (i = 0; i < ldecoder; i++) { + if (decoder[i] == '\x00') { + if (first_arg) { + decoder[i] = lshellcode; + first_arg = 0; + } else { + decoder[i] = (unsigned char) number; + npos = i; + } + printf("// decoder[%d] = %u (%02x)\n", i, (unsigned char) decoder[i], (unsigned char) decoder[i]); + } + } + printf("\n"); + + result = malloc(lshellcode); + do { + memcpy(result, shellcode, lshellcode); + + if (nullbyte == 1) { + number = getnumber(_CRYPTVAL); + fprintf(stderr, "New crypt value: %d (%02x)\n", number, number); + decoder[npos] = number; + nullbyte = 0; + } + + for (i = 0; i < lshellcode; i++) { + result[i] ^= number; + if (result[i] == '\x00') { + nullbyte = 1; + fprintf(stderr, "Recode!\n"); + break; + } + } + } while (nullbyte == 1); + memcpy(shellcode, result, lshellcode); + free(result); + + result = malloc(ldecoder + lshellcode + 1); + memcpy(result, (const void *) decoder, ldecoder); + memcpy(result + ldecoder, shellcode, lshellcode); + *(result + ldecoder + lshellcode) = '\0'; + print_code("result", result, ldecoder + lshellcode); + + /* write2file */ + outfile = fopen(_OUTFILE, "w+b"); + if (outfile == NULL) err_n_xit("fopen", _OUTFILE); + if (fwrite((void *) result, sizeof(char), strlen(result), outfile) != strlen(result)) err_n_xit("fwrite", _OUTFILE); + if (fclose(outfile) != 0) err_n_xit("fclose", _OUTFILE); + fprintf(stderr, "outfile: %s\n", _OUTFILE); + + free(result); + return (0); +} diff --git a/crypter/xor_encoder.c b/crypter/xor_encoder.c index 5f148c2..456631e 100644 --- a/crypter/xor_encoder.c +++ b/crypter/xor_encoder.c @@ -15,7 +15,7 @@ #endif #ifndef _CRYPTVAL -#define _CRYPTVAL 256 +#define _CRYPTVAL 0xff #endif #ifndef _OUTFILE |
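Review bot: The `// #DECODER=./xor_decoder.o` tag at the top of xor2_encoder.c names the old decoder, while crypter/Makefile's `sed -n 's/.*#DECODER=//p'` uses exactly this tag to choose the decoder embedded in `xor2_encoder.h`; unless reusing xor_decoder is intended, it should read `// #DECODER=./xor2_decoder.o`. `print_code` prints `strlen(data)` as the length but loops over `len` bytes, and since `print_code("decoder", ...)` runs before the patch loop, the decoder's `\x00` placeholders (and any null in the shellcode) make the printed `l%s` wrong — use `(unsigned long int) len`. `decoder[i] = lshellcode` stores the length in one byte (the decoder's `mov cl,0`), so a payload longer than 255 bytes is silently truncated; reject it up front with `if (lshellcode > 255) { fprintf(stderr, "shellcode too long (%d > 255)\n", lshellcode); return 1; }`. `getnumber(_CRYPTVAL)` returns `random() % 0xff`, which includes 0: a zero key leaves the payload unencoded and writes a null back into `decoder[npos]`, and the `nullbyte` loop only inspects `result`, not the patched decoder. The `malloc` and `asprintf` results are unchecked, and `fwrite(..., strlen(result), ...)` could use the already-known `ldecoder + lshellcode` instead of re-scanning for a terminator.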
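Review bot: Lowering `_CRYPTVAL` from 256 to 0xff removes 0xff from the key range but still allows 0 if xor_encoder.c's `getnumber` mirrors the `random() % n` in xor2_encoder.c — a zero key leaves the payload unchanged and puts a null byte back into the patched decoder. If the intent is "any byte except 0", `1 + random() % (n - 1)` with `_CRYPTVAL 256` states it directly; either way a comment on the define naming the excluded values and why would help, e.g. `/* exclusive upper bound for the XOR key; keep <= 256 */`. The function that consumes the macro is outside the hunk, so this is hedged.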