Commit 84d1a973 authored by Sophie Brun's avatar Sophie Brun

New upstream version 3.4.2

parent 1a00c9e5
##The Backdoor Factory (BDF)
For security professionals and researchers only.
The goal of BDF is to patch executable binaries with user desired shellcode and continue normal execution of the prepatched state.
[![Join the chat at https://gitter.im/secretsquirrel/the-backdoor-factory](https://badges.gitter.im/secretsquirrel/the-backdoor-factory.svg)](https://gitter.im/secretsquirrel/the-backdoor-factory?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge) [![Black Hat Arsenal](https://www.toolswatch.org/badges/arsenal/2015.svg)](https://www.blackhat.com/us-15/arsenal.html)
Black Hat USA 2015:
Video: https://www.youtube.com/watch?v=OuyLzkG16Uk
......@@ -276,6 +281,15 @@ On successful run you should see this line in BDF output:
###Changelog
####01/11/2016
* Fix entry point truncation bug that led to improper recovery in rare instances
####07/04/2016
* Support for dynamic paths in BDFProxy for preprocessor
####06/19/2016
* Added the preprocessor and other optimizations
......
......@@ -12,7 +12,7 @@ techniques are based on.
Special thanks to Travis Morrow for poking holes in my ideas.
Copyright (c) 2013-2016, Joshua Pitts
Copyright (c) 2013-2017, Joshua Pitts
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
......@@ -62,7 +62,7 @@ def signal_handler(signal, frame):
class bdfMain():
version = """\
Version: 3.4.0
Version: 3.4.2
"""
author = """\
......
#!/usr/bin/env python
'''
Copyright (c) 2013-2016, Joshua Pitts
Copyright (c) 2013-2017, Joshua Pitts
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
......
'''
Copyright (c) 2013-2016, Joshua Pitts
Copyright (c) 2013-2017, Joshua Pitts
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
......
'''
Copyright (c) 2013-2016, Joshua Pitts
Copyright (c) 2013-2017, Joshua Pitts
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
......
'''
Copyright (c) 2013-2016, Joshua Pitts
Copyright (c) 2013-2017, Joshua Pitts
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
......
'''
Copyright (c) 2013-2016, Joshua Pitts
Copyright (c) 2013-2017, Joshua Pitts
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
......
'''
Copyright (c) 2013-2016, Joshua Pitts
Copyright (c) 2013-2017, Joshua Pitts
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
......
'''
Copyright (c) 2013-2016, Joshua Pitts
Copyright (c) 2013-2017, Joshua Pitts
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
......
''''
Copyright (c) 2013-2016, Joshua Pitts
Copyright (c) 2013-2017, Joshua Pitts
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
......
'''
Copyright (c) 2013-2016, Joshua Pitts
Copyright (c) 2013-2017, Joshua Pitts
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
......@@ -79,7 +79,7 @@ class intelCore():
self.flItms['ImpList'] = []
md = Cs(CS_ARCH_X86, CS_MODE_32)
self.count = 0
for k in md.disasm(self.f.read(12), self.flItms['VrtStrtngPnt']):
for k in md.disasm(self.f.read(20), self.flItms['VrtStrtngPnt']):
self.count += k.size
_bytes = bytearray(b'')
......@@ -109,7 +109,7 @@ class intelCore():
self.count = 0
self.flItms['ImpList'] = []
md = Cs(CS_ARCH_X86, CS_MODE_64)
for k in md.disasm(self.f.read(12), self.flItms['VrtStrtngPnt']):
for k in md.disasm(self.f.read(20), self.flItms['VrtStrtngPnt']):
self.count += k.size
_bytes = bytearray(b'')
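Review bot: The widened disassembly window `self.f.read(20)` is a bare literal, duplicated in the 32-bit loop (first hunk) and the 64-bit loop (second hunk) with no comment on why 20 bytes is now enough, which is exactly how the two paths drifted last time; a single class-level constant with a comment, e.g. `ENTRY_STUB_LEN = 20  # bytes disassembled at the entry point` used as `self.f.read(self.ENTRY_STUB_LEN)` in both loops, keeps them in step. Neither loop checks that the read actually returned 20 bytes: on a truncated or malformed input the buffer is short, the disassembler stops at the first incomplete instruction, and `self.count` is silently smaller than intended, so a `len()` check against the constant with a clear error is worth adding before the loop. The enclosing methods begin and end outside both hunks.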
......
'''
Copyright (c) 2013-2016, Joshua Pitts
Copyright (c) 2013-2017, Joshua Pitts
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
......
#!/usr/bin/env python
'''
Copyright (c) 2013-2016, Joshua Pitts
Copyright (c) 2013-2017, Joshua Pitts
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
......
#!/usr/bin/env python
'''
Copyright (c) 2013-2015, Joshua Pitts
Copyright (c) 2013-2017, Joshua Pitts
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
......
#!/usr/bin/env python
'''
Copyright (c) 2013-2016, Joshua Pitts
Copyright (c) 2013-2017, Joshua Pitts
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
......
'''
Copyright (c) 2013-2016, Joshua Pitts
Copyright (c) 2013-2017, Joshua Pitts
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
......@@ -412,27 +412,26 @@ class pebin():
self.flItms['LoadConfigDirectory_SEHTVA'] = struct.unpack('<I', self.binary.read(4))[0]
self.flItms['LoadConfigDirectory_SEHC'] = struct.unpack('<I', self.binary.read(4))[0]
if self.flItms['LoadConfigDirectory_Size'] > 0x48:
#grab CFG info
if self.flItms['Magic'] == 0x20B:
self.flItms['LCD_CFG_address_CF_PTR_LOC'] = self.binary.tell()
self.flItms['LCD_CFG_address_CF_PTR'] = struct.unpack('<Q', self.binary.read(8))[0]
self.flItms['LCD_CFG_dispatch_fptr'] = struct.unpack('<Q', self.binary.read(8))[0]
self.flItms['LCD_CFG_Func_Table'] = struct.unpack('<Q', self.binary.read(8))[0]
self.flItms['LCD_CFG_Func_Count'] = struct.unpack('<Q', self.binary.read(8))[0]
# Zero out LCD_CFG_Guard_Flags to disable CFG
self.flItms['LCD_CFG_Guard_Flags'] = struct.unpack('<Q', self.binary.read(8))[0]
else:
self.flItms['LCD_CFG_address_CF_PTR_LOC'] = self.binary.tell()
self.flItms['LCD_CFG_address_CF_PTR'] = struct.unpack('<I', self.binary.read(4))[0]
self.flItms['LCD_CFG_dispatch_fptr'] = struct.unpack('<I', self.binary.read(4))[0]
self.flItms['LCD_CFG_Func_Table'] = struct.unpack('<I', self.binary.read(4))[0]
self.flItms['LCD_CFG_Func_Count'] = struct.unpack('<I', self.binary.read(4))[0]
# Zero out LCD_CFG_Guard_Flags to disable CFG
self.flItms['LCD_CFG_Guard_Flags'] = struct.unpack('<I', self.binary.read(4))[0]
# Find CFG_PTR_LOC
print "LCD_CFG_dispatch_fptr", hex(self.flItms['LCD_CFG_dispatch_fptr'])
#grab CFG info
if self.flItms['Magic'] == 0x20B and self.flItms['LoadConfigDirectory_Size'] > 0x70:
self.flItms['LCD_CFG_address_CF_PTR_LOC'] = self.binary.tell()
self.flItms['LCD_CFG_address_CF_PTR'] = struct.unpack('<Q', self.binary.read(8))[0]
self.flItms['LCD_CFG_dispatch_fptr'] = struct.unpack('<Q', self.binary.read(8))[0]
self.flItms['LCD_CFG_Func_Table'] = struct.unpack('<Q', self.binary.read(8))[0]
self.flItms['LCD_CFG_Func_Count'] = struct.unpack('<Q', self.binary.read(8))[0]
# Zero out LCD_CFG_Guard_Flags to disable CFG
self.flItms['LCD_CFG_Guard_Flags'] = struct.unpack('<Q', self.binary.read(8))[0]
elif self.flItms['Magic'] == 0x10B and self.flItms['LoadConfigDirectory_Size'] > 0x48:
self.flItms['LCD_CFG_address_CF_PTR_LOC'] = self.binary.tell()
self.flItms['LCD_CFG_address_CF_PTR'] = struct.unpack('<I', self.binary.read(4))[0]
self.flItms['LCD_CFG_dispatch_fptr'] = struct.unpack('<I', self.binary.read(4))[0]
self.flItms['LCD_CFG_Func_Table'] = struct.unpack('<I', self.binary.read(4))[0]
self.flItms['LCD_CFG_Func_Count'] = struct.unpack('<I', self.binary.read(4))[0]
# Zero out LCD_CFG_Guard_Flags to disable CFG
self.flItms['LCD_CFG_Guard_Flags'] = struct.unpack('<I', self.binary.read(4))[0]
# Find CFG_PTR_LOC
if "LCD_CFG_dispatch_fptr" in self.flItms:
if self.flItms['LCD_CFG_dispatch_fptr'] != 0:
self.flItms['LCD_CFG_dispatch_fptr_LOC'] = self.flItms['LCD_CFG_dispatch_fptr'] - self.flItms['ImageBase'] + self.flItms['LoadConfigTable_OFFSET']
self.binary.seek(self.flItms['LCD_CFG_dispatch_fptr_LOC'],0)
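Review bot: The size guards on the new `if`/`elif` (`> 0x70` for PE32+, `> 0x48` for PE32) only establish that the load-config structure extends one byte into its first CFG field, yet each branch then reads five consecutive fields, so a Size between 0x71 and 0x97 (or 0x49 and 0x5B) is read past its declared end and `LCD_CFG_Guard_Flags` holds whatever bytes follow; if these thresholds are the offsets of GuardCFCheckFunctionPointer, as they appear to be, the guards should cover the last field read, e.g. `>= 0x98` and `>= 0x5C`. `LCD_CFG_dispatch_fptr_LOC` at the end of the hunk is computed from untrusted header values and passed straight to `seek()` with no range check, so a malformed input with a pointer below ImageBase raises from seek with a negative offset and one beyond the file end makes the following reads return empty bytes; comparing it against the file size before seeking gives a clear failure instead, and a comment should state the assumption that reusing `LoadConfigTable_OFFSET` as the VA-to-offset delta presumably only holds while the pointer lives in the same section as the load-config table. The comment `# Zero out LCD_CFG_Guard_Flags to disable CFG` above both `struct.unpack` reads describes a write that does not happen on these lines; it should read `# read GuardFlags; zeroed later to disable CFG` (or name where that happens). The enclosing method begins and ends outside the hunk.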
......
'''
Copyright (c) 2013-2015, Joshua Pitts
Copyright (c) 2013-2017, Joshua Pitts
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
......