def add_section(self,
hdr,
name,
VirtualSize,
VirtualAddress,
Characteristics=0xe0000020):
if len(name) > 8:
print("Error section name too long")
return
import_section_hdr = IMAGE_SECTION_HEADER(
bytes(name, 'ascii'), # Name
VirtualSize, # VirtualSize
VirtualAddress, # VirtualAddress
VirtualSize, # SizeOfRawData
VirtualAddress, # PointerToRawData
0, # PointerToRelocations
0, # PointerToLinenumbers
0, # NumberOfRelocations
0, # NumberOfLinenumbers
Characteristics, # Characteristics
)
hdr.section_list.append(import_section_hdr)
# Correct Value of Number of Sections
hdr.pe_header.NumberOfSections += 1
# Fix SizeOfHeaders
hdr.opt_header.SizeOfHeaders = alignments(
hdr.opt_header.SizeOfHeaders + len(bytes(IMAGE_SECTION_HEADER())),
hdr.opt_header.FileAlignment)
return hdr
def add_import_section_api(self,
hdr,
virtualmemorysize,
totalsize,
check_space=True):
# Set check_space to false if the pe-header was relocated
if check_space:
rva_to_section_table = hdr.dos_header.e_lfanew + len(
bytes(_IMAGE_FILE_HEADER())) + len(
bytes(_IMAGE_OPTIONAL_HEADER()))
number_of_sections = hdr.pe_header.NumberOfSections
end_of_section_table = rva_to_section_table + len(
bytes(IMAGE_SECTION_HEADER())) * number_of_sections
beginning_of_first_section = sys.maxsize
for section in hdr.section_list:
if section.VirtualAddress < beginning_of_first_section:
beginning_of_first_section = section.VirtualAddress
if end_of_section_table + len(bytes(
IMAGE_SECTION_HEADER())) >= beginning_of_first_section:
print("Not enough space for additional section")
return
import_section = IMAGE_SECTION_HEADER(
bytes(".impdata", 'ascii'), # Name
0x10000, # VirtualSize
virtualmemorysize - 0x10000, # VirtualAddress
0x10000, # SizeOfRawData
virtualmemorysize - 0x10000, # PointerToRawData
0, # PointerToRelocations
0, # PointerToLinenumbers
0, # NumberOfRelocations
0, # NumberOfLinenumbers
0xe0000020, # Characteristics
)
hdr.section_list.append(import_section)
# Correct Value of Number of Sections
hdr.pe_header.NumberOfSections += 1
# Fix SizeOfHeaders
hdr.opt_header.SizeOfHeaders = alignments(
hdr.opt_header.SizeOfHeaders + len(bytes(IMAGE_SECTION_HEADER())),
hdr.opt_header.FileAlignment)
return hdr
def dump_image(self,
uc,
base_addr,
virtualmemorysize,
apicall_handler,
sample,
path="unpacked.exe"):
ntp = apicall_handler.ntp
dllname_to_functionlist = sample.dllname_to_functionlist
if len(sample.allocated_chunks) == 0:
total_size = virtualmemorysize
else:
total_size = sorted(sample.allocated_chunks)[-1][1] - base_addr
virtualmemorysize = total_size
print(f"Totalsize:{hex(total_size)}, "
f"VirtualMemorySize:{hex(virtualmemorysize)}")
print_chunks(sample.allocated_chunks)
try:
hdr = PE(uc, base_addr)
except InvalidPEFile as i:
print("Invalid PE File... Cannot dump")
return
old_number_of_sections = hdr.pe_header.NumberOfSections
print("Setting unpacked Entry Point")
print(f"OEP:{hex(uc.reg_read(UC_X86_REG_EIP) - base_addr)}")
hdr.opt_header.AddressOfEntryPoint = uc.reg_read(
UC_X86_REG_EIP) - base_addr
print("Fixing Imports...")
hdr = self.fix_imports(uc, hdr, virtualmemorysize, total_size,
dllname_to_functionlist,
sample.original_imports)
print("Fixing sections")
self.fix_sections(hdr, old_number_of_sections, virtualmemorysize)
print("Set IAT-Directory to 0 (VA and Size)")
hdr.data_directories[12].VirtualAddress = 0
hdr.data_directories[12].Size = 0
print(
f"RVA to import table: {hex(hdr.data_directories[1].VirtualAddress)}"
)
if (virtualmemorysize - 0xE000) <= hdr.data_directories[
1].VirtualAddress <= virtualmemorysize or len(
sample.allocated_chunks) != 0 or True:
print(f"Totalsize:{hex(total_size)}, "
f"VirtualMemorySize:{hex(virtualmemorysize)}, "
f"Allocated chunks: {sample.allocated_chunks}")
# print("Relocating Headers to End of Image")
# hdr.dos_header.e_lfanew = virtualmemorysize - 0x10000
# hdr = self.add_section(hdr, '.newhdr', 0x10000, virtualmemorysize-0x10000)
# print("Adding new import section")
# hdr = self.add_section(hdr, '.nimdata', 0xe000, (virtualmemorysize - 0x10000) + 0x2000)
# print("Appending allocated chunks at the end of the image")
# hdr = self.chunk_to_image_section_hdr(hdr, base_addr, sample.allocated_chunks)
# TODO Fix chunk unmapped space with 0
else:
virtualmemorysize -= 0x10000
total_size = virtualmemorysize
hdr.sync(uc)
print("Fixing SizeOfImage...")
hdr.opt_header.SizeOfImage = alignments(
total_size, hdr.opt_header.SectionAlignment)
print("Fixing Memory Protection of Sections")
hdr = self.fix_section_mem_protections(hdr, ntp)
hdr.sync(uc)
print("Fixing Checksum")
hdr = self.fix_checksum(uc, hdr, base_addr, total_size)
hdr.sync(uc)
dllcharacteristics = hdr.opt_header.DllCharacteristics & 0xFFBF
hdr.opt_header.DllCharacteristics = dllcharacteristics # Remove Dynamic Base
hdr.sync(uc)
print(f"Dumping state to {path}")
pe_write(uc, base_addr, total_size, path)