├── .gitattributes ├── .gitignore ├── README.md ├── Vault.dll ├── aeinv.dll ├── aslr-bruter ├── aeinv.dll ├── aslrbruter.c ├── aslrbruter.exe ├── test.c └── test.exe ├── badger.c ├── badger.exe ├── civil.dll ├── documentation.h ├── ieproxy.dll ├── kernel32.dll └── user32.dll /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | 4 | # Custom for Visual Studio 5 | *.cs diff=csharp 6 | 7 | # Standard to msysgit 8 | *.doc diff=astextplain 9 | *.DOC diff=astextplain 10 | *.docx diff=astextplain 11 | *.DOCX diff=astextplain 12 | *.dot diff=astextplain 13 | *.DOT diff=astextplain 14 | *.pdf diff=astextplain 15 | *.PDF diff=astextplain 16 | *.rtf diff=astextplain 17 | *.RTF diff=astextplain 18 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Windows image file caches 2 | Thumbs.db 3 | ehthumbs.db 4 | 5 | # Folder config file 6 | Desktop.ini 7 | 8 | # Recycle Bin used on file shares 9 | $RECYCLE.BIN/ 10 | 11 | # Windows Installer files 12 | *.cab 13 | *.msi 14 | *.msm 15 | *.msp 16 | 17 | # Windows shortcuts 18 | *.lnk 19 | 20 | # ========================= 21 | # Operating System Files 22 | # ========================= 23 | 24 | # OSX 25 | # ========================= 26 | 27 | .DS_Store 28 | .AppleDouble 29 | .LSOverride 30 | 31 | # Thumbnails 32 | ._* 33 | 34 | # Files that might appear on external disk 35 | .Spotlight-V100 36 | .Trashes 37 | 38 | # Directories potentially created on remote AFP share 39 | .AppleDB 40 | .AppleDesktop 41 | Network Trash Folder 42 | Temporary Items 43 | .apdisk 44 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # badger 2 | The swiss army knife for windows exploit development.
3 | ---ABOUT--- 4 | Version: 3.0
5 | Made By: Lilly Chalupowski
6 | This application is designed to be the Swiss Army Knife of Windows exploit development
7 | Allowing exploit developers to think more about development than the repetitive tasks done everyday
8 | To participate in this project email lilly@arcnetworksecurity.com
9 | IMPORTANT: By using this application you indemnify and hold harmless Arc Network Security\nfor any unethical application or misuse of this software
10 | ---WHAT'S NEW--- 11 | - Now Using Structs for Easy to Read Code 12 | - Includes ASLR Bruter 13 | - Major code clean up and overhaul from alpha version
14 | ---FEATURES TO COME--- 15 | - ROP Gadget Dumps 16 | - x64 Support 17 | - x64 AlphaNumeric Shellcode Reference 18 | - Suggestions are welcome 19 | 20 | Examples: 21 | - badger --aslr-check 22 | - badger --lib library.dll function 23 | - badger --enable-dep or --disable-dep 24 | - badger --enum library.dll 25 | - badger --about 26 | Descriptions: 27 | - --aslr-check: Shows RSP and ESP to aid in discovering ASLR best run several times, if values change ASLR is enabled. 28 | - --lib: Shows the function actual address when loaded into memory ASLR may change this if enabled 29 | - --enable-dep and --disable--dep: Requires administrator command prompt and will allow to enable/disable DEP for troubleshooting. 30 | - --enum: This will give library headers and information including functions and actual addresses 31 | - --about: The about screen 32 | -------------------------------------------------------------------------------- /Vault.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/badger/fd0eee3ab0c38ced99890811660f26dd19a5df19/Vault.dll -------------------------------------------------------------------------------- /aeinv.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/badger/fd0eee3ab0c38ced99890811660f26dd19a5df19/aeinv.dll -------------------------------------------------------------------------------- /aslr-bruter/aeinv.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/badger/fd0eee3ab0c38ced99890811660f26dd19a5df19/aslr-bruter/aeinv.dll -------------------------------------------------------------------------------- /aslr-bruter/aslrbruter.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main(){ 5 | static int addr; 6 | static HINSTANCE dllHandle; 7 | static unsigned char c[4]; 8 | static unsigned char d[4]; 9 | static int l; 10 | static int n[8] = {0, 0, 0, 0, 0, 0, 0, 0}; 11 | static int iter = 0; 12 | for(iter = 0; iter <= 1000; iter++){ 13 | dllHandle = LoadLibraryA("aeinv.dll"); 14 | addr = (int)GetProcAddress(dllHandle, "CollectMatchingInfo"); 15 | FreeLibrary(dllHandle); 16 | c[0] = (addr >> 24) & 0xFF; 17 | c[1] = (addr >> 16) & 0xFF; 18 | c[2] = (addr >> 8) & 0xFF; 19 | c[3] = addr & 0xFF; 20 | 21 | dllHandle = LoadLibraryA("aeinv.dll"); 22 | addr = (int)GetProcAddress(dllHandle, "CollectMatchingInfo"); 23 | FreeLibrary(dllHandle); 24 | d[0] = (addr >> 24) & 0xFF; 25 | d[1] = (addr >> 16) & 0xFF; 26 | d[2] = (addr >> 8) & 0xFF; 27 | d[3] = addr & 0xFF; 28 | 29 | static int i = 0; 30 | if ((c[0] & 0xF0) != (d[0] & 0xF0)){ 31 | n[0] = 1; 32 | } 33 | if ((c[0] & 0x0F) != (d[0] & 0x0F)){ 34 | n[1] = 1; 35 | } 36 | //------- 37 | if ((c[1] & 0xF0) != (d[1] & 0xF0)){ 38 | n[2] = 1; 39 | } 40 | if ((c[1] & 0x0F) != (d[1] & 0x0F)){ 41 | n[3] = 1; 42 | } 43 | //--------- 44 | if ((c[2] & 0xF0) != (d[2] & 0xF0)){ 45 | n[4] = 1; 46 | } 47 | if ((c[2] & 0x0F) != (d[2] & 0x0F)){ 48 | n[5] = 1; 49 | } 50 | //-------- 51 | if ((c[3] & 0xF0) != (d[3] & 0xF0)){ 52 | n[6] = 1; 53 | } 54 | if ((c[3] & 0x0F) != (d[3] & 0x0F)){ 55 | n[7] = 1; 56 | } 57 | } 58 | 59 | static int k = 0; 60 | printf("Flipped Nibbles: "); 61 | for (k = 0; k < 8; k++){ 62 | if(k ==0){l=0;} 63 | printf("%d", n[k]); 64 | if (n[k] == 1){ 65 | l++; 66 | } 67 | } 68 | printf("\n"); 69 | printf("Entropy: %dbit\n", l*4); 70 | return 0; 71 | } 72 | -------------------------------------------------------------------------------- /aslr-bruter/aslrbruter.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/badger/fd0eee3ab0c38ced99890811660f26dd19a5df19/aslr-bruter/aslrbruter.exe -------------------------------------------------------------------------------- /aslr-bruter/test.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | int main(int argc, char *argv[]){ 6 | unsigned char test[4] = {'\xAA', '\xAA', '\xAA', '\xAA'}; 7 | unsigned char nibble1; 8 | unsigned char nibble2; 9 | int n[8] = { 0, 0, 0, 0 ,0 ,0, 0, 0}; 10 | int i, j, k, l, m; 11 | int addr; 12 | unsigned char c[4]; 13 | printf("0x%x\n",(int)GetProcAddress(LoadLibraryA(argv[1]), argv[2])); 14 | for (m = 0; m < atoi(argv[3]); m++){ 15 | for (i = 0; i <= 3; i++){ 16 | addr = (int)GetProcAddress(LoadLibraryA(argv[1]), argv[2]); 17 | c[0] = (addr >> 24) & 0xFF; 18 | c[1] = (addr >> 16) & 0xFF; 19 | c[2] = (addr >> 8) & 0xFF; 20 | c[3] = addr & 0xFF; 21 | 22 | nibble1 = (c[i] & 0xF0); 23 | nibble2 = (c[i] & 0x0F); 24 | 25 | addr = (int)GetProcAddress(LoadLibraryA(argv[1]), argv[2]); 26 | c[0] = (addr >> 24) & 0xFF; 27 | c[1] = (addr >> 16) & 0xFF; 28 | c[2] = (addr >> 8) & 0xFF; 29 | c[3] = addr & 0xFF; 30 | 31 | if (i == 2){c[i] = '\xd2';} 32 | if (nibble1 != (c[i] & 0xF0)){ 33 | n[i*2] = 1; 34 | } 35 | if (nibble2 != (c[i] & 0x0F)){ 36 | n[i*2+1] = 1; 37 | } 38 | } 39 | } 40 | for (k = 0; k < 8; k++){ 41 | if(k ==0){l=0;} 42 | printf("l: %d\n", n[k]); 43 | if (n[k] == 1){ 44 | l++; 45 | } 46 | } 47 | printf("Entropy: %dbit\n", l*4); 48 | return 0; 49 | } 50 | -------------------------------------------------------------------------------- /aslr-bruter/test.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/badger/fd0eee3ab0c38ced99890811660f26dd19a5df19/aslr-bruter/test.exe -------------------------------------------------------------------------------- /badger.c: -------------------------------------------------------------------------------- 1 | //---------------------------// 2 | //----------BADGER-----------// 3 | //---BY: Lilly Chalupowski---// 4 | //---------------------------// 5 | 6 | //Includes 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include "documentation.h" 12 | 13 | //Defines 14 | #define WINDOWS 15 | #ifdef WINDOWS 16 | #define MAX_PATH 260 17 | #endif 18 | #ifdef LINUX 19 | #define MAX_PATH 255 20 | #endif 21 | #define UINT_MAX 2147483647 22 | 23 | //DOS Struct 24 | struct DOSStruct { 25 | char mz[2]; 26 | char lastsize[2]; 27 | char PagesInFile[2]; 28 | char relocations[2]; 29 | char HeaderSizeInParagraph[2]; 30 | char MinExtraParagraphNeeded[2]; 31 | char MaxExtraParagraphNeeded[2]; 32 | char InitialSS[2]; 33 | char InitialSP[2]; 34 | char checksum[2]; 35 | char InitialIP[2]; 36 | char InitialCS[2]; 37 | char FileAddOfRelocTable[2]; 38 | char OverlayNumber[2]; 39 | char res_0[8]; 40 | char OEMIdentifier[2]; 41 | char OEMInformation[2]; 42 | char res_1[20]; 43 | int PEOffset; 44 | }; 45 | 46 | struct dotStruct { 47 | unsigned char dotName[5]; 48 | unsigned char res_0[3]; 49 | unsigned char VirtualSize[4]; 50 | unsigned char RVA[4]; 51 | unsigned char SizeOfRawData[4]; 52 | unsigned char PointerToRawData[4]; 53 | unsigned char PointerToRelocations[4]; 54 | unsigned char PointerToLineNumbers[4]; 55 | unsigned char NumberOfRelocations[2]; 56 | unsigned char NumberOfLineNumbers[2]; 57 | unsigned char Characteristics[4]; 58 | //PAD For Struct Bug 59 | unsigned char pad[5]; 60 | }; 61 | 62 | struct PEStruct { 63 | unsigned char pe[4]; 64 | unsigned char TargetMachine[2]; 65 | short NumberOfSections; 66 | unsigned int TimeDateStamp; 67 | unsigned char PointerToSymbolTable[4]; 68 | unsigned char NumberOfSymbols[4]; 69 | unsigned char SizeOfOptionalHeaders[2]; 70 | unsigned char Characteristics[2]; 71 | unsigned char exe[2]; 72 | unsigned char lnMajVer[1]; 73 | unsigned char lnMnrVer[1]; 74 | unsigned char SizeOfCode[4]; 75 | unsigned char SizeOfInitializedData[4]; 76 | unsigned char SizeOfUnInitializedData[4]; 77 | unsigned char AddressOfEntryPoint[4]; 78 | unsigned char BaseOfCode[4]; 79 | unsigned char BaseOfData[4]; 80 | unsigned char ImageBase[4]; 81 | unsigned char SectionAlignment[4]; 82 | unsigned char FileAlignment[4]; 83 | unsigned char MajorOSVersion[2]; 84 | unsigned char MinorOSVersion[2]; 85 | unsigned char MajorImageVersion[2]; 86 | unsigned char MinorImageVersion[2]; 87 | unsigned char MajorSubSystemVersion[2]; 88 | unsigned char MinorSubSystemVersion[2]; 89 | unsigned char Win32VersionValue[4]; 90 | unsigned char SizeOfImage[4]; 91 | unsigned char SizeOfHeaders[4]; 92 | unsigned char CheckSum_0[4]; 93 | unsigned char CheckSum_1[2]; 94 | unsigned char DllCharacteristics[2]; 95 | unsigned char SizeOfStackReserve[4]; 96 | unsigned char SizeOfStackCommit[4]; 97 | unsigned char SizeOfHeapReserve[4]; 98 | unsigned char SizeOfHeapCommit[4]; 99 | unsigned char LoaderFlags[4]; 100 | unsigned char NumberOfRVAandSizes[4]; 101 | unsigned char ExportTableRVA[4]; 102 | unsigned char ExportTableSize[4]; 103 | unsigned char ImportTableRVA[4]; 104 | unsigned char ImportTableSize[4]; 105 | unsigned char ResourceTableRVA[4]; 106 | unsigned char ResourceTableSize[4]; 107 | unsigned char ExceptionTableRVA[4]; 108 | unsigned char ExceptionTableSize[4]; 109 | unsigned char CertificateTableOffset[4]; 110 | unsigned char CertificateTableSize[4]; 111 | unsigned char BaseRelocationTableRVA[4]; 112 | unsigned char BaseRelocationTableSize[4]; 113 | unsigned char DebugDirectoryRVA[4]; 114 | unsigned char DebugDirectorySize[4]; 115 | unsigned char ArcSpecificDataRVA[4]; 116 | unsigned char ArcSpecificDataSize[4]; 117 | unsigned char GlobalPointerRegisterRVA[4]; 118 | unsigned char GlobalPointerRegisterSize[4]; 119 | unsigned char TLSTableRVA[4]; 120 | unsigned char TLSTableSize[4]; 121 | unsigned char LoadConfigurationTableRVA[4]; 122 | unsigned char LoadConfigurationTableSize[4]; 123 | unsigned char BoundImportTableRVA[4]; 124 | unsigned char BoundImportTableSize[4]; 125 | unsigned char ImportAddressTableRVA[4]; 126 | unsigned char ImportAddressTableSize[4]; 127 | unsigned char DelayImportDescriptorsRVA[4]; 128 | unsigned char DelayImportDescriptorsSize[4]; 129 | unsigned char CLIHeaderRVA_0[4]; 130 | unsigned char CLIHeaderSize_0[4]; 131 | unsigned char CLIHeaderRVA_1[4]; 132 | unsigned char CLIHeaderSize_1[4]; 133 | }; 134 | 135 | //IMAGE_EXPORT_DIRECTORY STRUCT 136 | struct STRUCT_IMAGE_EXPORT_DIRECTORY { 137 | unsigned char Characteristics[4]; 138 | unsigned char TimeDateStamp[4]; 139 | unsigned char MajorVersion[2]; 140 | unsigned char MinorVersion[2]; 141 | unsigned char NameRVA[4]; 142 | unsigned char OrdinalBase[4]; 143 | unsigned char NumberOfFunctions[4]; 144 | unsigned char NumberOfNames[4]; 145 | unsigned char AddressOfFunctions[4]; 146 | unsigned char AddressOfNames[4]; 147 | unsigned char AddressOfNameOrdinals[4]; 148 | }; 149 | 150 | struct STRUCT_IMAGE_LOAD_CONFIG_DIRECTORY { 151 | unsigned char Size[4]; 152 | unsigned char TimeDateStamp[4]; 153 | unsigned char MajorVersion[2]; 154 | unsigned char MinorVersion[2]; 155 | unsigned char GlobalFlagsClear[4]; 156 | unsigned char GlobalFlagsSet[4]; 157 | unsigned char CriticalSectionDefaultTimeout[4]; 158 | unsigned char DeCommitFreeBlockThreshold[4]; 159 | unsigned char DeCommitTotalFreeThreshold[4]; 160 | unsigned char LockPrefixTableVA[4]; 161 | unsigned char MaximumAllocationSize[4]; 162 | unsigned char VirtualMemoryThreshold[4]; 163 | unsigned char ProcessHeapFlags[4]; 164 | unsigned char ProcessAffinityMask[4]; 165 | unsigned char CSDVersion[2]; 166 | unsigned char Reserved[2]; 167 | unsigned char EditListVA[4]; 168 | unsigned char SecurityCookieVA[4]; 169 | unsigned char SEHandlerTableVA[4]; 170 | unsigned char SEHandlerCount[4]; 171 | //unsigned char pad[4]; 172 | }; 173 | 174 | //Boolean Type 175 | typedef int bool; 176 | #define true 1 177 | #define false 0 178 | 179 | //Print Function Address 180 | void printAddress(char fileName[MAX_PATH], char functionName[MAX_PATH]){ 181 | printf("0x%x", GetProcAddress(LoadLibraryA(fileName), functionName)); 182 | } 183 | 184 | //Print Stack Pointer 185 | void printSP(){ 186 | register int esp asm("esp"); 187 | register int rsp asm("rsp"); 188 | printf("Run Multiple Times\n"); 189 | printf("x86 ESP: 0x%x\n", esp); 190 | printf("x64 RSP: 0x%x\n", rsp); 191 | } 192 | 193 | //Arg Check 194 | bool argCheck(char *argv[], char strArg[MAX_PATH], int argc){ 195 | int i; 196 | for (i = 0; i <= argc-1; i++){ 197 | if (strcmp(argv[i], strArg) == 0){ 198 | return true; 199 | } 200 | } 201 | return false; 202 | } 203 | 204 | int argNum(char *argv[], char strArg[MAX_PATH], int argc){ 205 | int i; 206 | for (i = 0; i <= argc-1; i++){ 207 | if (strcmp(argv[i], strArg) == 0){ 208 | return i; 209 | } 210 | } 211 | return -1; 212 | } 213 | 214 | //Get File Size 215 | int getFileSize(FILE *inputFile){ 216 | int fileSize; 217 | fseek(inputFile, 0L, SEEK_END); 218 | fileSize = ftell(inputFile); 219 | return fileSize; 220 | } 221 | 222 | //Word To Int 223 | int wordToInt(unsigned char buff[]){ 224 | long int value = buff[0] | (buff[1]<<8) | (buff[2]<<16) | (buff[3]<<24); 225 | return value; 226 | } 227 | 228 | //Print Hex 229 | void printHex(char text[], char buff[], int buffSize){ 230 | int i; 231 | printf("%s", text); 232 | printf("0x"); 233 | for (i = 0; i <= buffSize-1; i++){ 234 | if(buff[i] == '\x00'){ 235 | printf("00"); 236 | } 237 | else{ 238 | printf("%02x", (unsigned char)buff[i]); 239 | } 240 | } 241 | printf("\n"); 242 | } 243 | 244 | //Print Hex LE 245 | void printHexLE(char text[], char buff[], int buffSize){ 246 | int i; 247 | printf("%s", text); 248 | printf("0x"); 249 | for (i = buffSize-1; i >= 0; i--){ 250 | if(buff[i] == '\x00'){ 251 | printf("00"); 252 | } 253 | else{ 254 | printf("%02x", (unsigned char)buff[i]); 255 | } 256 | } 257 | printf("\n"); 258 | } 259 | 260 | bool printFuncAddress(char fileName[MAX_PATH], char functionName[MAX_PATH]){ 261 | int address = (int)GetProcAddress(LoadLibraryA(fileName), functionName); 262 | if (address == 0){ 263 | fprintf(stderr, "ERROR: Please Specify Correct Function Name\n"); 264 | return 1; 265 | } 266 | printf("---BEGIN SINGLE FUNCTION---\n"); 267 | printf("%s RVA = ", functionName); 268 | printf("0x%x\n", address); 269 | printf("---END SINGLE FUNCTION---\n"); 270 | } 271 | 272 | //Main Program 273 | int main(int argc, char *argv[]){ 274 | //Input File Pointer 275 | FILE * inputFile; 276 | 277 | //Initalize DOS & PE Header 278 | struct DOSStruct DOSHeader; 279 | struct PEStruct PEHeader; 280 | struct dotStruct dotHeader; 281 | struct STRUCT_IMAGE_EXPORT_DIRECTORY IMAGE_EXPORT_DIRECTORY; 282 | struct STRUCT_IMAGE_LOAD_CONFIG_DIRECTORY IMAGE_LOAD_CONFIG_DIRECTORY; 283 | 284 | //Check For Args 285 | if (argc < 2){ 286 | printf("ERROR: Not enough arguments.\n"); 287 | help(); 288 | return 1; 289 | } 290 | 291 | //Help 292 | if ( argCheck(argv, "--help", argc) || argCheck(argv, "-h", argc) ){ 293 | help(); 294 | return 0; 295 | } 296 | 297 | if ( argCheck(argv, "--version", argc) || argCheck(argv, "-v", argc) ){ 298 | printf("v3.0\n"); 299 | return 0; 300 | } 301 | 302 | //About 303 | if (argCheck(argv, "--about", argc)){ 304 | about(); 305 | return 0; 306 | } 307 | 308 | //Alphanumeric Shellcode Reference 309 | if (argCheck(argv, "--alpha-ref", argc)){ 310 | alphaNumericRef(); 311 | return 0; 312 | } 313 | 314 | //ASLR Checker 315 | if (argCheck(argv, "--aslr-check", argc)){ 316 | printSP(); 317 | return 0; 318 | } 319 | 320 | //Enable DEP 321 | if (argCheck(argv, "--enable-dep", argc)){ 322 | int stderror = system("bcdedit.exe /set {current} nx AlwaysOn"); 323 | if (stderror == 1){ 324 | printf("Please Run --enable-dep as Admin.\n"); 325 | return 1; 326 | } 327 | } 328 | 329 | //Disable DEP 330 | if (argCheck(argv, "--disable-dep", argc)){ 331 | int stderror = system("bcedit.exe /set {current} nx AlwaysOff"); 332 | if (stderror == 1){ 333 | printf("Please run --disable-dep as Admin.\n"); 334 | return 1; 335 | } 336 | } 337 | 338 | //Enumerate Function ASLR Entropy 339 | if (argCheck(argv, "--bruter", argc)){ 340 | static unsigned char nibble1; 341 | static unsigned char nibble2; 342 | static int n[8] = {0, 0, 0, 0, 0, 0, 0, 0}; 343 | static int i, j, k, l, m; 344 | static int addr; 345 | static unsigned char c[4]; 346 | static int iterations; 347 | iterations = atoi(argv[argNum(argv, "--bruter", argc) + 3]); 348 | if (iterations > UINT_MAX){ 349 | fprintf(stderr, "Max iterations supported %d\n", UINT_MAX); 350 | return 1; 351 | } 352 | printf("Iterations: %d\n", iterations); 353 | printf("Initial Value: 0x%x\n",(int)GetProcAddress(LoadLibraryA(argv[argNum(argv, "--bruter", argc)+1]), argv[argNum(argv, "--bruter", argc)+2])); 354 | for (m = 0; m < iterations; m++){ 355 | for (i = 0; i <= 3; i++){ 356 | addr = (int)GetProcAddress(LoadLibraryA(argv[argNum(argv, "--bruter", argc)+1]), argv[argNum(argv, "--bruter", argc)+2]); 357 | c[0] = (addr >> 24) & 0xFF; 358 | c[1] = (addr >> 16) & 0xFF; 359 | c[2] = (addr >> 8) & 0xFF; 360 | c[3] = addr & 0xFF; 361 | 362 | nibble1 = (c[i] & 0xF0); 363 | nibble2 = (c[i] & 0x0F); 364 | 365 | addr = (int)GetProcAddress(LoadLibraryA(argv[argNum(argv, "--bruter", argc)+1]), argv[argNum(argv, "--bruter", argc)+2]); 366 | c[0] = (addr >> 24) & 0xFF; 367 | c[1] = (addr >> 16) & 0xFF; 368 | c[2] = (addr >> 8) & 0xFF; 369 | c[3] = addr & 0xFF; 370 | 371 | if (nibble1 != (c[i] & 0xF0)){ 372 | n[i*2] = 1; 373 | } 374 | if (nibble2 != (c[i] & 0x0F)){ 375 | n[i*2+1] = 1; 376 | } 377 | } 378 | } 379 | for (k = 0; k < 8; k++){ 380 | if(k ==0){l=0;} 381 | printf("l: %d\n", n[k]); 382 | if (n[k] == 1){ 383 | l++; 384 | } 385 | } 386 | printf("Entropy: %dbit\n", l*4); 387 | return 0; 388 | } 389 | 390 | //Check One Function RVA 391 | if (argCheck(argv, "--lib", argc)){ 392 | if (argc < 4){ 393 | fprintf(stderr, "ERROR: Need More Arguments\n"); 394 | return 1; 395 | } 396 | printFuncAddress(argv[argNum(argv, "--lib", argc)+1], argv[argNum(argv, "--lib", argc)+2]); 397 | return 0; 398 | } 399 | 400 | //Display the IMAGE_LOAD_CONFIG_DIRECTORY 401 | if (argCheck(argv, "--ilcd-header", argc)){ 402 | inputFile = fopen(argv[argNum(argv, "--ilcd-header", argc)+1], "r"); 403 | if (!inputFile){ fprintf(stderr, "ERROR: Unable to read file specified.\n"); return 1; } 404 | fread(&DOSHeader, 1, sizeof(DOSHeader)-1, inputFile); 405 | fseek(inputFile, DOSHeader.PEOffset, SEEK_SET); 406 | fread(&PEHeader, 1, sizeof(PEHeader)-1, inputFile); 407 | static int arrayRVAvsRAW[50]; 408 | static int arraySectionOffsets[50]; 409 | static int arraySizeOfRawData[50]; 410 | static int arrayPointerToRawData[50]; 411 | int i; 412 | for(i = 0; i <= PEHeader.NumberOfSections-1; i++){ 413 | arraySectionOffsets[i] = DOSHeader.PEOffset + sizeof(PEHeader) + ((sizeof(dotHeader)-sizeof(dotHeader.pad))*i); 414 | fseek(inputFile, DOSHeader.PEOffset + sizeof(PEHeader) + ((sizeof(dotHeader)-sizeof(dotHeader.pad))*i), SEEK_SET); 415 | fread(&dotHeader, 1, sizeof(dotHeader)-1, inputFile); 416 | arrayRVAvsRAW[i] = (wordToInt(dotHeader.RVA) - wordToInt(dotHeader.PointerToRawData)); 417 | arraySizeOfRawData[i] = wordToInt(dotHeader.SizeOfRawData); 418 | arrayPointerToRawData[i] = wordToInt(dotHeader.PointerToRawData); 419 | if (( (wordToInt(PEHeader.LoadConfigurationTableRVA)-arrayRVAvsRAW[i]) < (arraySizeOfRawData[i]+arrayPointerToRawData[i]) ) 420 | && ( (wordToInt(PEHeader.LoadConfigurationTableRVA)-arrayRVAvsRAW[i]) >= arrayPointerToRawData[i] )) { 421 | fseek(inputFile, (wordToInt(PEHeader.LoadConfigurationTableRVA) - arrayRVAvsRAW[i]), SEEK_SET); 422 | fread(&IMAGE_LOAD_CONFIG_DIRECTORY, 1, sizeof(IMAGE_LOAD_CONFIG_DIRECTORY)-1, inputFile); 423 | printf("---BEGIN IMAGE LOAD CONFIG DIRECTORY HEADER---\n"); 424 | printf("Size = 0x%x\n", wordToInt(IMAGE_LOAD_CONFIG_DIRECTORY.Size)); 425 | printf("TimeDateStamp = 0x%x\n", wordToInt(IMAGE_LOAD_CONFIG_DIRECTORY.TimeDateStamp)); 426 | printf("MajorVersion = 0x%x\n", wordToInt(IMAGE_LOAD_CONFIG_DIRECTORY.MajorVersion)); 427 | printf("MinorVersion = 0x%x\n", wordToInt(IMAGE_LOAD_CONFIG_DIRECTORY.MinorVersion)); 428 | printf("GlobalFlagsClear = 0x%x\n", wordToInt(IMAGE_LOAD_CONFIG_DIRECTORY.GlobalFlagsClear)); 429 | printf("GlobalFlagsSet = 0x%x\n", wordToInt(IMAGE_LOAD_CONFIG_DIRECTORY.GlobalFlagsSet)); 430 | printf("CriticalSectionDefaultTimeout = 0x%x\n", wordToInt(IMAGE_LOAD_CONFIG_DIRECTORY.CriticalSectionDefaultTimeout)); 431 | printf("DeCommitFreeBlockThreshold = 0x%x\n", wordToInt(IMAGE_LOAD_CONFIG_DIRECTORY.DeCommitFreeBlockThreshold)); 432 | printf("DeCommitTotalFreeThreshold = 0x%x\n", wordToInt(IMAGE_LOAD_CONFIG_DIRECTORY.DeCommitTotalFreeThreshold)); 433 | printf("LockPrefixTableVA = 0x%x\n", wordToInt(IMAGE_LOAD_CONFIG_DIRECTORY.LockPrefixTableVA)); 434 | printf("MaximumAllocationSize = 0x%x\n", wordToInt(IMAGE_LOAD_CONFIG_DIRECTORY.MaximumAllocationSize)); 435 | printf("VirtualMemoryThreshold = 0x%x\n", wordToInt(IMAGE_LOAD_CONFIG_DIRECTORY.VirtualMemoryThreshold)); 436 | printf("ProcessHeapFlags = 0x%x\n", wordToInt(IMAGE_LOAD_CONFIG_DIRECTORY.ProcessHeapFlags)); 437 | printf("ProcessAffinityMask = 0x%x\n", wordToInt(IMAGE_LOAD_CONFIG_DIRECTORY.ProcessAffinityMask)); 438 | printf("CSDVersion = 0x%x\n", wordToInt(IMAGE_LOAD_CONFIG_DIRECTORY.CSDVersion)); 439 | printf("Reserved = 0x%x\n", wordToInt(IMAGE_LOAD_CONFIG_DIRECTORY.Reserved)); 440 | printf("EditListVA = 0x%x\n", wordToInt(IMAGE_LOAD_CONFIG_DIRECTORY.EditListVA)); 441 | printf("SecurityCookieVA = 0x%x\n", wordToInt(IMAGE_LOAD_CONFIG_DIRECTORY.SecurityCookieVA)); 442 | printf("SEHandlerTableVA = 0x%x\n", wordToInt(IMAGE_LOAD_CONFIG_DIRECTORY.SEHandlerTableVA)); 443 | printf("SEHandlerCount = 0x%x\n", wordToInt(IMAGE_LOAD_CONFIG_DIRECTORY.SEHandlerCount)); 444 | printf("---END IMAGE LOAD CONFIG DIRECTORY HEADER---\n"); 445 | } 446 | } 447 | return 0; 448 | } 449 | 450 | //Enumerate Protections 451 | if (argCheck(argv, "--check-security", argc)){ 452 | inputFile = fopen(argv[argNum(argv, "--check-security", argc)+1], "r"); 453 | if (!inputFile){ fprintf(stderr, "ERROR: Unable to read file specified.\n"); return 1; } 454 | fread(&DOSHeader, 1, sizeof(DOSHeader)-1, inputFile); 455 | fseek(inputFile, DOSHeader.PEOffset, SEEK_SET); 456 | fread(&PEHeader, 1, sizeof(PEHeader)-1, inputFile); 457 | printf("---BEGIN SECURITY---\n"); 458 | //Microsoft Sets these in Nibbles must use bitwise masking 459 | if ((PEHeader.DllCharacteristics[0] & 0xF0) == '\x40'){ 460 | printf("ASLR = Enabled\n"); 461 | } 462 | else{ 463 | printf("ASLR = Disabled\n"); 464 | } 465 | if ((PEHeader.DllCharacteristics[1] & 0x0F)== '\x01'){ 466 | printf("DEP = Enabled\n"); 467 | } 468 | else{ 469 | printf("DEP = Disabled\n"); 470 | } 471 | if ((PEHeader.DllCharacteristics[1] & 0x0F)== '\x04'){ 472 | printf("SEH = Disabled\n"); 473 | } 474 | else{ 475 | printf("SEH = Enabled\n"); 476 | } 477 | //Get SEH and Security Cookies 478 | static int arrayRVAvsRAW[50]; 479 | static int arraySectionOffsets[50]; 480 | static int arraySizeOfRawData[50]; 481 | static int arrayPointerToRawData[50]; 482 | int i; 483 | for(i = 0; i <= PEHeader.NumberOfSections-1; i++){ 484 | arraySectionOffsets[i] = DOSHeader.PEOffset + sizeof(PEHeader) + ((sizeof(dotHeader)-sizeof(dotHeader.pad))*i); 485 | fseek(inputFile, DOSHeader.PEOffset + sizeof(PEHeader) + ((sizeof(dotHeader)-sizeof(dotHeader.pad))*i), SEEK_SET); 486 | fread(&dotHeader, 1, sizeof(dotHeader)-1, inputFile); 487 | arrayRVAvsRAW[i] = (wordToInt(dotHeader.RVA) - wordToInt(dotHeader.PointerToRawData)); 488 | arraySizeOfRawData[i] = wordToInt(dotHeader.SizeOfRawData); 489 | arrayPointerToRawData[i] = wordToInt(dotHeader.PointerToRawData); 490 | if (( (wordToInt(PEHeader.LoadConfigurationTableRVA)-arrayRVAvsRAW[i]) < (arraySizeOfRawData[i]+arrayPointerToRawData[i]) ) 491 | && ( (wordToInt(PEHeader.LoadConfigurationTableRVA)-arrayRVAvsRAW[i]) >= arrayPointerToRawData[i] )) { 492 | fseek(inputFile, (wordToInt(PEHeader.LoadConfigurationTableRVA) - arrayRVAvsRAW[i]), SEEK_SET); 493 | fread(&IMAGE_LOAD_CONFIG_DIRECTORY, 1, sizeof(IMAGE_LOAD_CONFIG_DIRECTORY)-1, inputFile); 494 | printf("LOAD_CONFIGURATION_TABLE = 0x%x\n", (wordToInt(PEHeader.LoadConfigurationTableRVA) - arrayRVAvsRAW[i]) ); 495 | printHexLE("Security Cookie VA = ",IMAGE_LOAD_CONFIG_DIRECTORY.SecurityCookieVA, sizeof(IMAGE_LOAD_CONFIG_DIRECTORY.SecurityCookieVA)); 496 | printHexLE("SEH Table VA = ", IMAGE_LOAD_CONFIG_DIRECTORY.SEHandlerTableVA, sizeof(IMAGE_LOAD_CONFIG_DIRECTORY.SEHandlerTableVA)); 497 | printHexLE("SEH Count = ", IMAGE_LOAD_CONFIG_DIRECTORY.SEHandlerCount, sizeof(IMAGE_LOAD_CONFIG_DIRECTORY.SEHandlerCount)); 498 | } 499 | } 500 | printf("---END SECURITY---\n"); 501 | fclose(inputFile); 502 | return 0; 503 | } 504 | 505 | //Display DOS Header 506 | if (argCheck(argv, "--dos-header", argc)){ 507 | inputFile = fopen(argv[argNum(argv, "--dos-header", argc)+1], "r"); 508 | if (!inputFile){ fprintf(stderr, "ERROR: Unable to read file specified.\n"); return 1; } 509 | fread(&DOSHeader, 1, sizeof(DOSHeader)-1, inputFile); 510 | printf("---BEGIN DOS HEADER---\n"); 511 | printf("Offset = 0x0\n"); 512 | printf("File Size = %d\n", getFileSize(inputFile)); 513 | printHex("MZ = ", DOSHeader.mz, sizeof(DOSHeader.mz)); 514 | printHexLE("lastsize = ", DOSHeader.lastsize, sizeof(DOSHeader.lastsize)); 515 | printHexLE("PagesInFile = ", DOSHeader.PagesInFile, sizeof(DOSHeader.PagesInFile)); 516 | printHex("relocations = ", DOSHeader.relocations, sizeof(DOSHeader.relocations)); 517 | printHexLE("HeaderSizeInParagraph = ", DOSHeader.HeaderSizeInParagraph, sizeof(DOSHeader.HeaderSizeInParagraph)); 518 | printHexLE("MinExtraParagraphNeeded = ", DOSHeader.MinExtraParagraphNeeded, sizeof(DOSHeader.MinExtraParagraphNeeded)); 519 | printHexLE("MaxExtraParagraphNeeded = ", DOSHeader.MaxExtraParagraphNeeded, sizeof(DOSHeader.MaxExtraParagraphNeeded)); 520 | printHexLE("InitialSS = ", DOSHeader.InitialSS, sizeof(DOSHeader.InitialSS)); 521 | printHexLE("InitialSP = ", DOSHeader.InitialSP, sizeof(DOSHeader.InitialSP)); 522 | printHex("checksum = ", DOSHeader.checksum, sizeof(DOSHeader.checksum)); 523 | printHex("InitialIP = ", DOSHeader.InitialIP, sizeof(DOSHeader.InitialIP)); 524 | printHex("InitialCS = ", DOSHeader.InitialCS, sizeof(DOSHeader.InitialCS)); 525 | printHexLE("FileAddOfRelocTable = ", DOSHeader.FileAddOfRelocTable, sizeof(DOSHeader.FileAddOfRelocTable)); 526 | printHexLE("OverlayNumber = ", DOSHeader.OverlayNumber, sizeof(DOSHeader.OverlayNumber)); 527 | printHex("res_0 = ", DOSHeader.res_0, sizeof(DOSHeader.res_0)); 528 | printHex("OEMIdentifier = ", DOSHeader.OEMIdentifier, sizeof(DOSHeader.OEMIdentifier)); 529 | printHex("OEMInformation = ", DOSHeader.OEMInformation, sizeof(DOSHeader.OEMInformation)); 530 | printHex("res_1 = ", DOSHeader.res_1, sizeof(DOSHeader.res_1)); 531 | printf("PEOffset = 0x%x\n", DOSHeader.PEOffset); 532 | printf("---END DOS HEADER---\n"); 533 | fclose(inputFile); 534 | return 0; 535 | 536 | } 537 | 538 | //Enumerate Functions Table / Virtual Addresses 539 | if (argCheck(argv, "--enum-func", argc)){ 540 | static int arrayRVAvsRAW[50]; 541 | static int arraySectionOffsets[50]; 542 | static int arraySizeOfRawData[50]; 543 | static int arrayPointerToRawData[50]; 544 | static int j; 545 | static unsigned char singleByte[1]; 546 | static int nullCount = 0; 547 | static int prevNullPointer = 0; 548 | static int nextNullPointer = 0; 549 | static char functionName[MAX_PATH]; 550 | static int funcCount = 0; 551 | static int funcNameInt = 0; 552 | bool first = true; 553 | inputFile = fopen(argv[argNum(argv, "--enum-func", argc)+1], "r"); 554 | if (!inputFile){ fprintf(stderr, "ERROR: Unable to read file specified.\n"); return 1; } 555 | fread(&DOSHeader, 1, sizeof(DOSHeader)-1, inputFile); 556 | fseek(inputFile, DOSHeader.PEOffset, SEEK_SET); 557 | fread(&PEHeader, 1, sizeof(PEHeader)-1, inputFile); 558 | int i; 559 | for (i = 0; i <= PEHeader.NumberOfSections-1; i++){ 560 | arraySectionOffsets[i] = DOSHeader.PEOffset + sizeof(PEHeader) + ((sizeof(dotHeader)-sizeof(dotHeader.pad))*i); 561 | fseek(inputFile, DOSHeader.PEOffset + sizeof(PEHeader) + ((sizeof(dotHeader)-sizeof(dotHeader.pad))*i), SEEK_SET); 562 | fread(&dotHeader, 1, sizeof(dotHeader)-1, inputFile); 563 | arrayRVAvsRAW[i] = (wordToInt(dotHeader.RVA) - wordToInt(dotHeader.PointerToRawData)); 564 | arraySizeOfRawData[i] = wordToInt(dotHeader.SizeOfRawData); 565 | arrayPointerToRawData[i] = wordToInt(dotHeader.PointerToRawData); 566 | if (( (wordToInt(PEHeader.ExportTableRVA)-arrayRVAvsRAW[i]) < (arraySizeOfRawData[i]+arrayPointerToRawData[i]) ) 567 | && ( (wordToInt(PEHeader.ExportTableRVA)-arrayRVAvsRAW[i]) >= arrayPointerToRawData[i] )) { 568 | fseek(inputFile, (wordToInt(PEHeader.ExportTableRVA) - arrayRVAvsRAW[i]), SEEK_SET); 569 | fread(&IMAGE_EXPORT_DIRECTORY, 1, sizeof(IMAGE_EXPORT_DIRECTORY)-1, inputFile); 570 | printf("---BEGIN FUNCTION ENUMERATION---\n"); 571 | printf("Number Of Functions: %d\n", wordToInt(IMAGE_EXPORT_DIRECTORY.NumberOfNames)); 572 | printf("Export Names Offset: 0x%x\n", (wordToInt(IMAGE_EXPORT_DIRECTORY.NameRVA) - arrayRVAvsRAW[i])); 573 | printf("Virtual Address: Function Names:\n"); 574 | for (j = (wordToInt(IMAGE_EXPORT_DIRECTORY.NameRVA) - arrayRVAvsRAW[i]); j <= getFileSize(inputFile); j++){ 575 | fseek(inputFile, j, SEEK_SET); 576 | fread(singleByte, sizeof(singleByte)+1, 1, inputFile); 577 | functionName[funcNameInt] = singleByte[0]; 578 | funcNameInt++; 579 | if (singleByte[0] == '\x00'){ 580 | if (first == false){ 581 | printAddress(argv[argNum(argv, "--enum-func", argc)+1], functionName); 582 | printf(" %s\n", functionName); 583 | } 584 | first = false; 585 | funcNameInt = 0; 586 | funcCount++; 587 | if (funcCount == wordToInt(IMAGE_EXPORT_DIRECTORY.NumberOfNames)+1 ){ 588 | printf("--END FUNCTION ENUMERATION--\n"); 589 | break;; 590 | } 591 | } 592 | } 593 | } 594 | } 595 | fclose(inputFile); 596 | return 0; 597 | } 598 | 599 | //Display PE Header 600 | if (argCheck(argv, "--pe-header", argc)){ 601 | inputFile = fopen(argv[argNum(argv, "--pe-header", argc)+1], "r"); 602 | if (!inputFile){ fprintf(stderr, "ERROR: Unable to read file specified.\n"); return 1; } 603 | fread(&DOSHeader, 1, sizeof(DOSHeader)-1, inputFile); 604 | fseek(inputFile, DOSHeader.PEOffset, SEEK_SET); 605 | fread(&PEHeader, 1, sizeof(PEHeader)-1, inputFile); 606 | printf("---BEGIN PE HEADER---\n"); 607 | printf("Offset = 0x%x\n", DOSHeader.PEOffset); 608 | printf("File Size = %d\n", getFileSize(inputFile)); 609 | printHex("PE = ", PEHeader.pe, sizeof(PEHeader.pe)); 610 | printHexLE("TargetMachine = ", PEHeader.TargetMachine, sizeof(PEHeader.TargetMachine)); 611 | printf("NumberOfSections = 0x%x\n", PEHeader.NumberOfSections); 612 | time_t tm = PEHeader.TimeDateStamp; 613 | if (PEHeader.TimeDateStamp != 0){ 614 | printf("TimeDateStamp = %s",ctime( &tm )); 615 | } 616 | if (PEHeader.TimeDateStamp == 0){ 617 | printf("TimeDateStamp = N/A\n"); 618 | } 619 | printHexLE("PointerToSymbolTable = ", PEHeader.PointerToSymbolTable, sizeof(PEHeader.PointerToSymbolTable)); 620 | printHexLE("NumberOfSymbols = ", PEHeader.NumberOfSymbols, sizeof(PEHeader.NumberOfSymbols)); 621 | printHexLE("SizeOfOptionalHeaders = ", PEHeader.SizeOfOptionalHeaders, sizeof(PEHeader.SizeOfOptionalHeaders)); 622 | printHexLE("Characteristics = ", PEHeader.Characteristics, sizeof(PEHeader.Characteristics)); 623 | printHexLE("Magic = ", PEHeader.exe, sizeof(PEHeader.exe)); 624 | printHexLE("lnMajVer = ", PEHeader.lnMajVer, sizeof(PEHeader.lnMajVer)); 625 | printHexLE("lnMnrVer = ", PEHeader.lnMnrVer, sizeof(PEHeader.lnMnrVer)); 626 | printHexLE("SizeOfCode = ", PEHeader.SizeOfCode, sizeof(PEHeader.SizeOfCode)); 627 | printHexLE("SizeOfInitializedData = ", PEHeader.SizeOfInitializedData, sizeof(PEHeader.SizeOfInitializedData)); 628 | printHexLE("SizeOfUnInitializedData = ", PEHeader.SizeOfUnInitializedData, sizeof(PEHeader.SizeOfUnInitializedData)); 629 | printHexLE("AddressOfEntryPoint = ", PEHeader.AddressOfEntryPoint, sizeof(PEHeader.AddressOfEntryPoint)); 630 | printHexLE("BaseOfCode = ", PEHeader.BaseOfCode, sizeof(PEHeader.BaseOfCode)); 631 | printHexLE("BaseOfData = ", PEHeader.BaseOfData, sizeof(PEHeader.BaseOfData)); 632 | printHexLE("ImageBase = ", PEHeader.ImageBase, sizeof(PEHeader.ImageBase)); 633 | printHex("SectionAlignment = ", PEHeader.SectionAlignment, sizeof(PEHeader.SectionAlignment)); 634 | printHex("FileAlignment = ", PEHeader.FileAlignment, sizeof(PEHeader.FileAlignment)); 635 | printHexLE("MajorOSVersion = ", PEHeader.MajorOSVersion, sizeof(PEHeader.MajorOSVersion)); 636 | printHexLE("MinorOSVersion = ", PEHeader.MinorOSVersion, sizeof(PEHeader.MinorOSVersion)); 637 | printHexLE("MajorImageVersion = ", PEHeader.MajorImageVersion, sizeof(PEHeader.MajorImageVersion)); 638 | printHexLE("MinorImageVersion = ", PEHeader.MinorImageVersion, sizeof(PEHeader.MinorImageVersion)); 639 | printHexLE("MajorSubSystemVersion = ", PEHeader.MajorSubSystemVersion, sizeof(PEHeader.MajorSubSystemVersion)); 640 | printHexLE("MinorSubSystemVersion = ", PEHeader.MinorSubSystemVersion, sizeof(PEHeader.MinorSubSystemVersion)); 641 | printHexLE("Win32VersionValue = ", PEHeader.Win32VersionValue, sizeof(PEHeader.Win32VersionValue)); 642 | printHexLE("SizeOfImage = ", PEHeader.SizeOfImage, sizeof(PEHeader.SizeOfImage)); 643 | printHexLE("SizeOfHeaders = ", PEHeader.SizeOfHeaders, sizeof(PEHeader.SizeOfHeaders)); 644 | printHex("CheckSum_0 = ", PEHeader.CheckSum_0, sizeof(PEHeader.CheckSum_0)); 645 | printHex("CheckSum_1 = ", PEHeader.CheckSum_1, sizeof(PEHeader.CheckSum_1)); 646 | printHex("DllCharacteristics = ", PEHeader.DllCharacteristics, sizeof(PEHeader.DllCharacteristics)); 647 | printHexLE("SizeOfStackReserve = ", PEHeader.SizeOfStackReserve, sizeof(PEHeader.SizeOfStackReserve)); 648 | printHexLE("SizeOfStackCommit = ", PEHeader.SizeOfStackCommit, sizeof(PEHeader.SizeOfStackCommit)); 649 | printHexLE("SizeOfHeapReserve = ", PEHeader.SizeOfHeapReserve, sizeof(PEHeader.SizeOfHeapReserve)); 650 | printHexLE("SizeOfHeapCommit = ", PEHeader.SizeOfHeapCommit, sizeof(PEHeader.SizeOfHeapCommit)); 651 | printHex("LoaderFlags = ", PEHeader.LoaderFlags, sizeof(PEHeader.LoaderFlags)); 652 | printHexLE("NumberOfRVAandSizes = ", PEHeader.NumberOfRVAandSizes, sizeof(PEHeader.NumberOfRVAandSizes)); 653 | printHexLE("ExportTableRVA = ", PEHeader.ExportTableRVA, sizeof(PEHeader.ExportTableRVA)); 654 | printHexLE("ExportTableSize = ", PEHeader.ExportTableSize, sizeof(PEHeader.ExportTableSize)); 655 | printHexLE("ImportTableRVA = ", PEHeader.ImportTableRVA, sizeof(PEHeader.ImportTableRVA)); 656 | printHexLE("ImportTableSize = ", PEHeader.ImportTableSize, sizeof(PEHeader.ImportTableSize)); 657 | printHexLE("ResourceTableRVA = ", PEHeader.ResourceTableRVA, sizeof(PEHeader.ResourceTableRVA)); 658 | printHexLE("ResourceTableSize = ", PEHeader.ResourceTableSize, sizeof(PEHeader.ResourceTableSize)); 659 | printHexLE("ExceptionTableRVA = ", PEHeader.ExceptionTableRVA, sizeof(PEHeader.ExceptionTableRVA)); 660 | printHexLE("ExceptionTableSize = ", PEHeader.ExceptionTableSize, sizeof(PEHeader.ExceptionTableSize)); 661 | printHexLE("CertificateTableOffset = ", PEHeader.CertificateTableOffset, sizeof(PEHeader.CertificateTableOffset)); 662 | printHexLE("CertificateTableSize = ", PEHeader.CertificateTableSize, sizeof(PEHeader.CertificateTableSize)); 663 | printHexLE("BaseRelocationTableRVA = ", PEHeader.BaseRelocationTableRVA, sizeof(PEHeader.BaseRelocationTableRVA)); 664 | printHexLE("BaseRelocationTableSize = ", PEHeader.BaseRelocationTableSize, sizeof(PEHeader.BaseRelocationTableSize)); 665 | printHexLE("DebugDirectoryRVA = ", PEHeader.DebugDirectoryRVA, sizeof(PEHeader.DebugDirectoryRVA)); 666 | printHexLE("DebugDirectorySize = ", PEHeader.DebugDirectorySize, sizeof(PEHeader.DebugDirectorySize)); 667 | printHexLE("ArcSpecificDataRVA = ", PEHeader.ArcSpecificDataRVA, sizeof(PEHeader.ArcSpecificDataRVA)); 668 | printHexLE("ArcSpecificDataSize = ", PEHeader.ArcSpecificDataSize, sizeof(PEHeader.ArcSpecificDataSize)); 669 | printHexLE("GlobalPointerRegisterRVA = ", PEHeader.GlobalPointerRegisterRVA, sizeof(PEHeader.GlobalPointerRegisterRVA)); 670 | printHexLE("GlobalPointerRegisterSize = ", PEHeader.GlobalPointerRegisterSize, sizeof(PEHeader.GlobalPointerRegisterSize)); 671 | printHexLE("TLSTableRVA = ", PEHeader.TLSTableRVA, sizeof(PEHeader.TLSTableRVA)); 672 | printHexLE("TLSTableSize = ", PEHeader.TLSTableSize, sizeof(PEHeader.TLSTableSize)); 673 | printHexLE("LoadConfigurationTableRVA = ", PEHeader.LoadConfigurationTableRVA, sizeof(PEHeader.LoadConfigurationTableRVA)); 674 | printHexLE("LoadConfigurationTableSize = ", PEHeader.LoadConfigurationTableSize, sizeof(PEHeader.LoadConfigurationTableSize)); 675 | printHexLE("BoundImportTableRVA = ", PEHeader.BoundImportTableRVA, sizeof(PEHeader.BoundImportTableRVA)); 676 | printHexLE("BoundImportTableSize = ", PEHeader.BoundImportTableSize, sizeof(PEHeader.BoundImportTableSize)); 677 | printHexLE("ImportAddressTableRVA = ", PEHeader.ImportAddressTableRVA, sizeof(PEHeader.ImportAddressTableRVA)); 678 | printHexLE("ImportAddressTableSize = ", PEHeader.ImportAddressTableSize, sizeof(PEHeader.ImportAddressTableSize)); 679 | printHexLE("DelayImportDescriptorsRVA = ", PEHeader.DelayImportDescriptorsRVA, sizeof(PEHeader.DelayImportDescriptorsRVA)); 680 | printHexLE("DelayImportDescriptorsSize = ", PEHeader.DelayImportDescriptorsSize, sizeof(PEHeader.DelayImportDescriptorsSize)); 681 | printHexLE("CLIHeaderRVA_0 = ", PEHeader.CLIHeaderRVA_0, sizeof(PEHeader.CLIHeaderRVA_0)); 682 | printHexLE("CLIHeaderSize_0 = ", PEHeader.CLIHeaderSize_0, sizeof(PEHeader.CLIHeaderSize_0)); 683 | printHexLE("CLIHeaderRVA_1 = ", PEHeader.CLIHeaderRVA_1, sizeof(PEHeader.CLIHeaderRVA_1)); 684 | printHexLE("CLIHeaderSize_1 = ", PEHeader.CLIHeaderSize_1, sizeof(PEHeader.CLIHeaderSize_1)); 685 | int i; 686 | for (i = 0; i <= PEHeader.NumberOfSections-1; i++){ 687 | fseek(inputFile, DOSHeader.PEOffset + sizeof(PEHeader) + ((sizeof(dotHeader)-sizeof(dotHeader.pad))*i), SEEK_SET); 688 | fread(&dotHeader, 1, sizeof(dotHeader)-1, inputFile); 689 | printf("%s = ", dotHeader.dotName); 690 | printHex("", dotHeader.dotName, sizeof(dotHeader.dotName)); 691 | printf("%s Reserved = ", dotHeader.dotName); 692 | printHex("", dotHeader.res_0, sizeof(dotHeader.res_0)); 693 | printf("%s VirtualSize = ", dotHeader.dotName); 694 | printHexLE("", dotHeader.VirtualSize, sizeof(dotHeader.VirtualSize)); 695 | printf("%s RVA = ", dotHeader.dotName); 696 | printHexLE("", dotHeader.RVA, sizeof(dotHeader.RVA)); 697 | printf("%s SizeOfRawData = ", dotHeader.dotName); 698 | printHexLE("", dotHeader.SizeOfRawData, sizeof(dotHeader.SizeOfRawData)); 699 | printf("%s PointerToRawData = ", dotHeader.dotName); 700 | printHexLE("", dotHeader.PointerToRawData, sizeof(dotHeader.PointerToRawData)); 701 | printf("%s PointerToRelocations = ", dotHeader.dotName); 702 | printHexLE("", dotHeader.PointerToRelocations, sizeof(dotHeader.PointerToRelocations)); 703 | printf("%s PointerToLineNumbers = ", dotHeader.dotName); 704 | printHexLE("", dotHeader.PointerToLineNumbers, sizeof(dotHeader.PointerToLineNumbers)); 705 | printf("%s NumberOfRelocations = ", dotHeader.dotName); 706 | printHexLE("", dotHeader.NumberOfRelocations, sizeof(dotHeader.NumberOfRelocations)); 707 | printf("%s NumberOfLineNumbers = ", dotHeader.dotName); 708 | printHexLE("", dotHeader.NumberOfLineNumbers, sizeof(dotHeader.NumberOfLineNumbers)); 709 | printf("%s Characteristics = ", dotHeader.dotName); 710 | printHexLE("", dotHeader.Characteristics, sizeof(dotHeader.Characteristics)); 711 | } 712 | printf("---END PE HEADER---\n"); 713 | fclose(inputFile); 714 | } 715 | 716 | else{ 717 | printf("Arguments Incorrect or Unknown Error.\n"); 718 | help(); 719 | } 720 | 721 | return 0; 722 | } 723 | -------------------------------------------------------------------------------- /badger.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/badger/fd0eee3ab0c38ced99890811660f26dd19a5df19/badger.exe -------------------------------------------------------------------------------- /civil.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/badger/fd0eee3ab0c38ced99890811660f26dd19a5df19/civil.dll -------------------------------------------------------------------------------- /documentation.h: -------------------------------------------------------------------------------- 1 | void help(){ 2 | printf("-------------------------------------BEGIN BADGER HELP-------------------------------------\n"); 3 | printf("|COMMANDS: DESCRIPTION: |\n"); 4 | printf("|badger --help || -h Shows this help menu |\n"); 5 | printf("|badger --version || -v Shows program version |\n"); 6 | printf("|badger --aslr-check Checks for ASLR on host machine |\n"); 7 | printf("|badger --lib library.dll function Displays virtual address of library function |\n"); 8 | printf("|badger --enable-dep || --disable-dep Enable or disable DEP, admin rights required |\n"); 9 | printf("|badger --check-security library.dll Security Details including ASLR, DEP and SEH |\n"); 10 | printf("|badger --bruter library.dll function #iter ASLR Function Entropy Bruteforcer |\n"); 11 | printf("|badger --enum-func library.dll Enumerate all functions and virtual addreses |\n"); 12 | printf("|badger --alpha-ref Display alpha-numeric shellcode reference |\n"); 13 | printf("|badger --dos-header library.dll Display the DOS Header |\n"); 14 | printf("|badger --pe-header library.dll Display the PE Header |\n"); 15 | printf("|badger --ilcd-header library.dll Display Image Load Config Directory Header |\n"); 16 | printf("|badger --about Displays the about screen |\n"); 17 | printf("--------------------------------------END BADGER HELP--------------------------------------\n"); 18 | } 19 | 20 | void about(){ 21 | printf("---ABOUT BADGER---\n"); 22 | printf("Version: 3.0\n"); 23 | printf("Made By: Lilly Chalupowski\n"); 24 | printf("This application is designed to be the Swiss Army Knife of Windows exploit development\n"); 25 | printf("Allowing exploit developers to think more about development than the repetitive tasks done everyday\n"); 26 | printf("To participate in this project email lillypadgirl86@gmail.com\n"); 27 | printf("IMPORTANT: By using this application you indemnify and hold harmless Lilly Chalupowski\nfor any unethical application or misuse of this software\n"); 28 | printf("---WHAT'S NEW---\n"); 29 | printf("- Code Cleanup and Formatting\n"); 30 | printf("- PE and DOS Header Dump Support\n"); 31 | printf("- Image Load Config Directory dump support\n"); 32 | printf("- Show DEP, ASLR, and SEH and Canary Properties\n"); 33 | printf("- ASLR Bruter to enumerate entropy of ASLR\n"); 34 | printf("---FEATURES TO COME---\n"); 35 | printf("- x64 support\n"); 36 | printf("- Dump ROP Gadgets\n"); 37 | printf("- x64 AlphaNumeric Shellcode Reference\n"); 38 | printf("- Suggestions are welcome\n"); 39 | } 40 | 41 | void alphaNumericRef(){ 42 | printf("//=====================================================================//\n"); 43 | printf("//==================ALPHA-NUMERIC SHELLCODE REFERENCE==================//\n"); 44 | printf("//=====================================================================//\n"); 45 | printf("//========================OpCodes vs. ASCII============================//\n"); 46 | printf("//=====================================================================//\n"); 47 | printf("20 = [space]\n"); 48 | printf(" ! \" # $ % & ' ( ) * + , - . / 0 1 2 3 4 5\n"); 49 | printf("20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35\n"); 50 | printf("\n"); 51 | printf("6 7 8 9 : ; < = > ? @ A B C D E F G H I J K L M\n"); 52 | printf("36 37 38 39 3a 3b 3c 3d 3e 3f 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d\n"); 53 | printf("\n"); 54 | printf("N O P Q R S T U V W X Y Z [ \\ ] ^ _ ` a b c d\n"); 55 | printf("4e 4f 50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f 60 61 62 63 64\n"); 56 | printf("\n"); 57 | printf("e f g h i j k l m n o p q r s t u v w x y z { |\n"); 58 | printf("65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 7b 7c\n"); 59 | printf("\n"); 60 | printf("} ~\n"); 61 | printf("7d 7e\n"); 62 | printf("\n"); 63 | printf("//=====================================================================//\n"); 64 | printf("//=============OpCodes vs. ASCII vs. x86 Intel ASM=====================//\n"); 65 | printf("//=====================================================================//\n"); 66 | printf("[arg] = The instruction takes more than one byte, [arg]\n"); 67 | printf("is part of instruction that varries depending on the\n"); 68 | printf("opcodes provided following it.\n"); 69 | printf(" = 20 = [space]\n"); 70 | printf(" = 20 = and BYTE [arg]\n"); 71 | printf("! = 21 = and DWORD [arg]\n"); 72 | printf("\" = 22 = and dl,BYTE PTR [arg]\n"); 73 | printf("# = 23 = and [arg],DWORD PTR [arg]\n"); 74 | printf("$ = 24 = and al,[arg]\n"); 75 | printf("%% = 25 = .byte 0x25\n"); 76 | printf("& = 26 = es\n"); 77 | printf("' = 27 = daa\n"); 78 | printf("( = 28 = sub BYTE PTR [arg],ah\n"); 79 | printf(") = 29 = sub DWORD PTR [arg],esp\n"); 80 | printf("* = 2a = sub ah,BYTE PTR [arg]\n"); 81 | printf("+ = 2b = sub esp,DWORD PTR [arg]\n"); 82 | printf(", = 2c = sub al,[arg]\n"); 83 | printf("- = 2d = .byte 0x2d\n"); 84 | printf(". = 2e = cs\n"); 85 | printf("/ = 2f = das\n"); 86 | printf("0 = 30 = xor BYTE PTR [arg],ah\n"); 87 | printf("1 = 31 = xor DWORD PTR [arg],esp\n"); 88 | printf("2 = 32 = xor ah,BYTE PTR [arg]\n"); 89 | printf("3 = 33 = xor esp,DWORD PTR [arg]\n"); 90 | printf("4 = 34 = xor al,[arg]\n"); 91 | printf("5 = 35 = .byte 0x35\n"); 92 | printf("6 = 36 = ss\n"); 93 | printf("7 = 37 = aaa\n"); 94 | printf("8 = 38 = cmp BYTE PTR [arg],ah\n"); 95 | printf("9 = 39 = cmp DWORD PTR [arg],esp\n"); 96 | printf(": = 3a = cmp ah,BYTE PTR [arg]\n"); 97 | printf("; = 3b = cmp esp,DWORD PTR [arg]\n"); 98 | printf("< = 3c = cmp al,[arg]\n"); 99 | printf("= = 3d = .byte 0x3d\n"); 100 | printf("> = 3e = ds\n"); 101 | printf("? = 3f = aas\n"); 102 | printf("@ = 40 = inc eax\n"); 103 | printf("A = 41 = inc ecx\n"); 104 | printf("B = 42 = inc edx\n"); 105 | printf("C = 43 = inc ebx\n"); 106 | printf("D = 44 = inc esp\n"); 107 | printf("E = 45 = inc ebp\n"); 108 | printf("F = 46 = inc esi\n"); 109 | printf("G = 47 = inc edi\n"); 110 | printf("H = 48 = dec eax\n"); 111 | printf("I = 49 = dec ecx\n"); 112 | printf("J = 4a = dec edx\n"); 113 | printf("K = 4b = dec ebx\n"); 114 | printf("L = 4c = dec esp\n"); 115 | printf("M = 4d = dec ebp\n"); 116 | printf("N = 4e = dec esi\n"); 117 | printf("O = 4f = dec edi\n"); 118 | printf("P = 50 = push eax\n"); 119 | printf("Q = 51 = push ecx\n"); 120 | printf("R = 52 = push edx\n"); 121 | printf("S = 53 = push ebx\n"); 122 | printf("T = 54 = push esp\n"); 123 | printf("U = 55 = push ebp\n"); 124 | printf("V = 56 = push esi\n"); 125 | printf("W = 57 = push edi\n"); 126 | printf("X = 58 = pop eax\n"); 127 | printf("Y = 59 = pop ecx\n"); 128 | printf("Z = 5a = pop edx\n"); 129 | printf("[ = 5b = pop ebx\n"); 130 | printf("\\ = 5c = pop esp\n"); 131 | printf("] = 5d = pop ebp\n"); 132 | printf("^ = 5e = pop esi\n"); 133 | printf("_ = 5f = pop edi\n"); 134 | printf("` = 60 = pusha\n"); 135 | printf("a = 61 = popa\n"); 136 | printf("b = 62 = bound esp,QWORD PTR [arg]\n"); 137 | printf("c = 63 = arpl WORD PTR [arg],sp\n"); 138 | printf("d = 64 = fs\n"); 139 | printf("e = 65 = gs\n"); 140 | printf("f = 66 = data16\n"); 141 | printf("g = 67 = addr16\n"); 142 | printf("h = 68 = .byte 0x68\n"); 143 | printf("i = 69 = .byte 0x69\n"); 144 | printf("j = 6a = push [arg]\n"); 145 | printf("k = 6b = .byte 0x6b\n"); 146 | printf("l = 6c = ins BYTE PTR es:[edi],dx\n"); 147 | printf("m = 6d = ins DWORD PTR es:[edi],dx\n"); 148 | printf("n = 6e = outs dx,BYTE PTR ds:[esi]\n"); 149 | printf("o = 6f = outs dx,DWORD PTR ds:[esi]\n"); 150 | printf("p = 70 = jo loc_[arg]\n"); 151 | printf("q = 71 = jno [arg]\n"); 152 | printf("r = 72 = jb loc_[arg]\n"); 153 | printf("s = 73 = jae loc_[arg]\n"); 154 | printf("t = 74 = je loc_[arg]\n"); 155 | printf("u = 75 = jne loc_[arg]\n"); 156 | printf("v = 76 = jbe loc_[arg]\n"); 157 | printf("w = 77 = ja loc_[arg]\n"); 158 | printf("x = 78 = js loc_[arg]\n"); 159 | printf("y = 79 = jns loc_[arg]\n"); 160 | printf("z = 7a = jp loc_[arg]\n"); 161 | printf("{ = 7b = jnp loc_[arg]\n"); 162 | printf("| = 7c = jl loc_[arg]\n"); 163 | printf("} = 7d = jge loc_[arg]\n"); 164 | printf("~ = 7e = jle loc_[arg]\n"); 165 | printf("//==========================================================//\n"); 166 | printf("//====================BY: Lilly Chalupowski=================//\n"); 167 | printf("//==========================================================//\n"); 168 | printf("//==========================================================//\n"); 169 | } 170 | -------------------------------------------------------------------------------- /ieproxy.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/badger/fd0eee3ab0c38ced99890811660f26dd19a5df19/ieproxy.dll -------------------------------------------------------------------------------- /kernel32.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/badger/fd0eee3ab0c38ced99890811660f26dd19a5df19/kernel32.dll -------------------------------------------------------------------------------- /user32.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lillypad/badger/fd0eee3ab0c38ced99890811660f26dd19a5df19/user32.dll --------------------------------------------------------------------------------