예제 #1
0
    def pack(self):
        # names table
        number_of_dll = len(self.functions)
        names_table_base = self.base_address + PE.structSize(PE.IMAGE_IMPORT_DESCRIPTOR)*(number_of_dll + 1) # for the last null value
        names_table = ''
        names_table_offset = {}
        offset = names_table_base
        tmp = ''
        for (dll_name, functions) in self.functions.items(): # for each dll
            names_table_offset[dll_name] = offset
            tmp = dll_name + '\x00'
            names_table += tmp
            offset += len(tmp)
            for function_name in functions:                 # for each function in this dll
                names_table_offset[function_name] = offset
                tmp = '\x00\x00' + function_name + '\x00'
                names_table += tmp
                offset += len(tmp)

        # Original First Thunk table
        original_first_thunk_table = ''
        original_first_thunk_base = offset
        original_first_thunk_offset = {}
        for (dll_name, functions) in self.functions.items(): # for each dll
            original_first_thunk_offset[dll_name] = offset

            for function_name in functions:                 # for each function in this dll
                tmp = struct.pack('<I', names_table_offset[function_name])
                original_first_thunk_table += tmp
                offset += len(tmp)

            original_first_thunk_table += '\x00\x00\x00\x00'
            offset += 4

        # First Thunk Table
        first_thunk_table = original_first_thunk_table
        first_thunk_base = offset
        first_thunk_offset = {}
        for (dll_name, offset_in_oft) in original_first_thunk_offset.items():
            first_thunk_offset[dll_name] = offset_in_oft - original_first_thunk_base + first_thunk_base

        # IAT Table
        iat_table = ''

        for (dll_name, functions) in self.functions.items(): # for each dll
            function = PE.structDictionary(PE.IMAGE_IMPORT_DESCRIPTOR)
            function['OriginalFirstThunk'] = original_first_thunk_offset[dll_name]
            function['TimeDateStamp'] = 0
            function['ForwarderChain'] = 0 
            function['Name'] = names_table_offset[dll_name]
            function['FirstThunk'] = first_thunk_offset[dll_name]
            iat_table += PE.packDictionary(PE.IMAGE_IMPORT_DESCRIPTOR, function)
        function['OriginalFirstThunk'] = 0
        function['TimeDateStamp'] = 0
        function['ForwarderChain'] = 0 
        function['Name'] = 0
        function['FirstThunk'] = 0
        iat_table += PE.packDictionary(PE.IMAGE_IMPORT_DESCRIPTOR, function)

        iat_table += names_table
        iat_table += original_first_thunk_table
        iat_table += first_thunk_table

        return iat_table
예제 #2
0
파일: packer.py 프로젝트: x0xa/resources
    def pack(self, stub_path, output_path, input_file):
        f = open(stub_path, 'rb')
        stub_file = f.read()
        f.close()

        # encrypt the input
        key_str = ''
        for i in range(4):
            key_str += chr(random.randint(1, 0xFF))

        input_encrypted = self.xor_long(input_file, key_str)
        input_file = key_str + input_encrypted

        # increment the number of sections
        dos_header = PE.unpack(PE.IMAGE_DOS_HEADER, stub_file)
        peHeader_offset = dos_header['e_lfanew']
        numberOfSections_offset = peHeader_offset + 0x6
        numberOfSections = struct.unpack(
            '<H',
            stub_file[numberOfSections_offset:numberOfSections_offset + 2])[0]
        numberOfSections = numberOfSections + 1
        stub_file = stub_file[:numberOfSections_offset] + struct.pack(
            '<H', numberOfSections) + stub_file[numberOfSections_offset + 2:]

        # add the section header
        sectionHeader_offset = peHeader_offset + 0xF8
        last_section_offset = sectionHeader_offset + (
            (numberOfSections - 2) * 0x28)  # last section
        print 'last section: {0:x}'.format(last_section_offset)
        last_section = PE.unpack(PE.IMAGE_SECTION_HEADER,
                                 stub_file[last_section_offset:])

        new_section_header_offset = last_section_offset + 0x28
        new_section = PE.structDictionary(PE.IMAGE_SECTION_HEADER)
        new_section['Name'] = '.rsrc'
        new_section['Misc_VirtualSize'] = len(input_file)
        new_section['VirtualAddress'] = PE.align_value(
            last_section['VirtualAddress'] + last_section['SizeOfRawData'],
            0x1000)
        new_section['SizeOfRawData'] = PE.align_value(len(input_file), 0x200)
        new_section['PointerToRawData'] = PE.align_value(len(stub_file), 0x200)
        new_section[
            'Characteristics'] = PE.IMAGE_SCN_CNT_INITIALIZED_DATA | PE.IMAGE_SCN_MEM_READ | PE.IMAGE_SCN_MEM_WRITE | PE.IMAGE_SCN_ALIGN_4BYTES
        stub_file = stub_file[:new_section_header_offset] + PE.packDictionary(
            PE.IMAGE_SECTION_HEADER,
            new_section) + stub_file[new_section_header_offset + 0x28:]

        # section jam
        stub_file += '\x00' * (new_section['PointerToRawData'] -
                               len(stub_file))

        # append the section
        stub_file += input_file
        padding = new_section['SizeOfRawData'] - len(input_file)
        stub_file += '\x00' * padding

        # increment SizeOfImage
        optionalHeader_offset = peHeader_offset + 0x18
        optionalHeader_size = PE.structSize(PE.IMAGE_OPTIONAL_HEADER)
        optional_header = PE.unpack(PE.IMAGE_OPTIONAL_HEADER,
                                    stub_file[optionalHeader_offset:])
        optional_header['SizeOfImage'] = PE.align_value(
            new_section['VirtualAddress'] + new_section['SizeOfRawData'],
            0x1000)
        stub_file = stub_file[:optionalHeader_offset] + PE.packDictionary(
            PE.IMAGE_OPTIONAL_HEADER,
            optional_header) + stub_file[optionalHeader_offset +
                                         optionalHeader_size:]

        # save the file
        f = open(output_path, 'wb')
        f.write(stub_file)
        f.close()
예제 #3
0
파일: pearmor.py 프로젝트: x0xa/resources
print 'New entropy:', round(entropy(h, l), 2)

########################################################################
# Make the IAT
########################################################################

iat = IatTable(base_offset_iat)
iat.add_function('kernel32.dll', 'TerminateProcess')
iat.add_function('user32.dll', 'MessageBoxA')
iat_table = iat.pack()

########################################################################
# Make the sections
########################################################################

section_code = PE.structDictionary(PE.IMAGE_SECTION_HEADER)
section_code['Name'] = '.text'
section_code['Misc_VirtualSize'] = len(code)
section_code['VirtualAddress'] = base_offset_code
section_code['SizeOfRawData'] = PE.align_value(len(code), 0x200)
section_code['PointerToRawData'] = PE.align_value(
    PE.structSize(PE.IMAGE_DOS_HEADER) + PE.structSize(PE.IMAGE_NT_HEADERS) +
    PE.structSize(PE.IMAGE_FILE_HEADER) +
    PE.structSize(PE.IMAGE_OPTIONAL_HEADER) +
    PE.structSize(PE.IMAGE_DATA_DIRECTORY) *
    PE.IMAGE_NUMBEROF_DIRECTORY_ENTRIES +
    PE.structSize(PE.IMAGE_SECTION_HEADER) * nb_sections, 0x200)
section_code[
    'Characteristics'] = PE.IMAGE_SCN_CNT_CODE | PE.IMAGE_SCN_MEM_EXECUTE | PE.IMAGE_SCN_MEM_READ

section_iat = PE.structDictionary(PE.IMAGE_SECTION_HEADER)