Commit f4bf782e authored by Sophie Brun's avatar Sophie Brun

Imported Upstream version 3.2.2

parent 9fe5c38c
......@@ -229,6 +229,10 @@ Sample Usage:
###Changelog
####10/19/2015
* Fixed bug in IAT directory cave assignment that caused BDF crash
* Made the feature optional with -A flag
####10/13/2015
* Changed the Import Table Directory modifications from adding a new section to using an existing code cave
......
......@@ -62,7 +62,7 @@ def signal_handler(signal, frame):
class bdfMain():
version = """\
Version: 3.2.0
Version: 3.2.2
"""
author = """\
......@@ -255,8 +255,8 @@ class bdfMain():
help="EXPERIMENTAL "
"Checks the PE binaries for \'requestedExecutionLevel level=\"highestAvailable\"\'"
". If this string is included in the binary, it must run as system/admin. If not "
"in Support Check mode it will attmept to patch highestAvailable into the manifest "
"if requestedExecutionLevel entry exists."
"in Support Check mode it will attmept to patch highestAvailable into the manifest "
"if requestedExecutionLevel entry exists."
)
parser.add_option("-L", "--patch_dll", dest="PATCH_DLL", default=True, action="store_false",
help="Use this setting if you DON'T want to patch DLLs. Patches by default."
......@@ -275,7 +275,12 @@ class bdfMain():
help="For onionduke. Provide your desired binary.")
parser.add_option("-X", "--xp_mode", dest="XP_MODE", default=False, action="store_true",
help="Default: DO NOT support for XP legacy machines, use -X to support XP"
". By default the binary will crash on XP machines (e.g. sandboxes)"
". By default the binary will crash on XP machines (e.g. sandboxes)")
parser.add_option("-A", "--idt_in_cave", dest="IDT_IN_CAVE", default=False, action="store_true",
help="EXPERIMENTAL "
"By default a new Import Directory Table is created in a new section, "
"by calling this flag it will be put in a code cave. This can cause bianry "
"failure is some cases. Test on target binaries first."
)
(options, args) = parser.parse_args()
......@@ -342,7 +347,8 @@ class bdfMain():
options.PATCH_DLL,
options.PATCH_METHOD,
options.SUPPLIED_BINARY,
options.XP_MODE
options.XP_MODE,
options.IDT_IN_CAVE
)
elif is_supported is "ELF":
supported_file = elfbin(options.FILE,
......@@ -436,6 +442,7 @@ class bdfMain():
options.PATCH_METHOD,
options.SUPPLIED_BINARY,
options.XP_MODE,
options.IDT_IN_CAVE
)
supported_file.OUTPUT = None
supported_file.output_options()
......@@ -511,6 +518,7 @@ class bdfMain():
options.PATCH_METHOD,
options.SUPPLIED_BINARY,
options.XP_MODE,
options.IDT_IN_CAVE
)
supported_file.injector()
sys.exit()
......@@ -548,6 +556,7 @@ class bdfMain():
options.PATCH_METHOD,
options.SUPPLIED_BINARY,
options.XP_MODE,
options.IDT_IN_CAVE
)
elif is_supported is "ELF":
supported_file = elfbin(options.FILE,
......
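Review bot: The help text for the new `-A/--idt_in_cave` option in the hunk at -275 carries two typos that users will see on `--help`: `bianry` and `failure is some cases`; the last two fragments should read `"by calling this flag it will be put in a code cave. This can cause binary "` and `"failure in some cases. Test on target binaries first."` (the unchanged `-U` help has the same kind of slip in `attmept`). The new value is then threaded positionally as the last argument to the four pebin(...) constructor calls in the hunks at -342, -436, -511 and -548; since pebin.__init__ declares it as a defaulted keyword, writing `IDT_IN_CAVE=options.IDT_IN_CAVE` at each call would keep them correct if the signature is reordered again. The context line `elif is_supported is "ELF":` compares a string with `is`, which only holds because CPython happens to intern short literals; `==` is the operator meant here. All of these hunks sit inside bdfMain, whose enclosing method starts and ends outside the visible lines.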
......@@ -92,7 +92,7 @@ class pebin():
INJECTOR=False, CHANGE_ACCESS=True, VERBOSE=False, SUPPORT_CHECK=False,
SHELL_LEN=300, FIND_CAVES=False, SUFFIX=".old", DELETE_ORIGINAL=False, CAVE_MINER=False,
IMAGE_TYPE="ALL", ZERO_CERT=True, RUNAS_ADMIN=False, PATCH_DLL=True, PATCH_METHOD="MANUAL",
SUPPLIED_BINARY=None, XP_MODE=False):
SUPPLIED_BINARY=None, XP_MODE=False, IDT_IN_CAVE=False):
self.FILE = FILE
self.OUTPUT = OUTPUT
self.SHELL = SHELL
......@@ -121,6 +121,7 @@ class pebin():
self.flItms = {}
self.iat_cave_loc = 0
self.SUPPLIED_BINARY = SUPPLIED_BINARY
self.flItms['IDT_IN_CAVE'] = IDT_IN_CAVE
if self.PATCH_METHOD.lower() == 'automatic':
self.CAVE_JUMPING = True
self.ADD_SECTION = False
......@@ -708,8 +709,6 @@ class pebin():
self.build_imports()
#and remove here
print "len(self.flItms['addedIAT'])", len(self.flItms['addedIAT'])
self.binary.write(self.flItms['addedIAT'])
self.binary.write(struct.pack("<B", 0x0) * (self.flItms['NewSectionSize'] -
len(self.flItms['addedIAT']) - len(self.flItms['Import_Directory_Table']) + 20))
......@@ -717,7 +716,6 @@ class pebin():
self.binary.write(struct.pack('<I', self.flItms['SizeOfImage']))
self.binary.write(struct.pack("<I", (self.flItms['ImportTableSize']) + self.flItms['apiCount'] * 8 + 20))
self.binary.seek(0)
print "new IAT size:", self.flItms['ImportTableSize'] + self.flItms['apiCount'] * 8 + 20
#For trimming File of cert (if there)
#get file data again
......@@ -960,12 +958,13 @@ class pebin():
# Take away the rsrc restriction, solved
for caveNumber, caveValues in pickACave.iteritems():
# caveValues[0], Begin Cave, [1] End of Cave
# stay clear of iat_cave_loc starting
if caveValues[0] <= self.iat_cave_loc[0] <= caveValues[1]:
continue
# stay clear of iat_cave_loc, will be zero if never touched
if self.iat_cave_loc != 0:
if caveValues[0] <= self.iat_cave_loc[0] <= caveValues[1]:
continue
# stay clear of iat_cave_loc ending
if caveValues[0] <= self.iat_cave_loc[1] <= caveValues[1]:
continue
if caveValues[0] <= self.iat_cave_loc[1] <= caveValues[1]:
continue
if caveValues[0] is None:
continue
elif caveValues[3] >= 50:
......@@ -1590,16 +1589,16 @@ class pebin():
if 'apis_needed' in self.flItms:
self.check_apis(self.FILE)
iat_result = ''
if "UPX".lower() in self.flItms['textSectionName'].lower():
print "[!] Cannot patch a new IAT into a UPX binary at this time."
return False
if self.flItms['neededAPIs'] != set():
if self.flItms['neededAPIs'] != set() and self.flItms['IDT_IN_CAVE'] is True:
iat_result = self.patch_in_new_iat()
print "[*] Checking updated IAT for thunks"
self.check_apis(self.flItms['backdoorfile'])
if iat_result is False or self.flItms['neededAPIs'] != set():
#reset the file
print "[!] Patching Import Directory in code cave failed"
shutil.copy2(self.FILE, self.flItms['backdoorfile'])
iat_result = self.create_new_iat()
if iat_result is False:
......
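Review bot: In the hunk at -1590 the fallback path now runs whenever `neededAPIs` is non-empty, including when `-A` was never given: with `IDT_IN_CAVE` false, `iat_result` stays `''`, so the code prints `[!] Patching Import Directory in code cave failed` and re-copies the original over the backdoor file even though no cave patch was attempted. The message and the `shutil.copy2` reset should be confined to the branch that actually called `patch_in_new_iat()`, with the default path going straight to `create_new_iat()`; the rewrite below does that. The `is True` test on a value that comes from an optparse `store_true` flag is also fragile, and a plain truth test reads better. The enclosing method starts before the hunk and the trailing `if iat_result is False:` check continues past it.
```python
# … unchanged: check_apis call, iat_result = '', UPX check …
needs_iat = self.flItms['neededAPIs'] != set()
if needs_iat and self.flItms['IDT_IN_CAVE']:
    iat_result = self.patch_in_new_iat()
    print "[*] Checking updated IAT for thunks"
    self.check_apis(self.flItms['backdoorfile'])
    if iat_result is False or self.flItms['neededAPIs'] != set():
        # only reset the file when a cave patch was actually attempted
        print "[!] Patching Import Directory in code cave failed"
        shutil.copy2(self.FILE, self.flItms['backdoorfile'])
        iat_result = self.create_new_iat()
elif needs_iat:
    iat_result = self.create_new_iat()
# … unchanged: iat_result is False handling …
```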