View difference between Paste ID: <a href="/nzF8PPLU">nzF8PPLU</a> and <a href="/RhBmngSV">RhBmngSV</a>

import sys
1		import sys
2		from struct import pack
3		from io import BytesIO
4
5		from ctypes import *
6		from winappdbg import Debug, EventHandler
7		import pefile
8
9		from capstone import *
10		from capstone.x86 import *
11
12		from unicorn import *
13		from unicorn.x86_const import *
14
15		from keystone import *
16
17		SECTION_HEADER_SIZE = 0x28
18		IMAGE_DESCRIPTOR_HEADER_SIZE = 0x14
19
20		md = Cs(CS_ARCH_X86, CS_MODE_64)
21		md.detail = True
22
23		global target_pe
24		global mem_pages
25
26		# ----------------------------------------------------------------------------------------------------------------
27		def align_data(data, blocksize):
28		r = data
29		rm = len( r ) % blocksize
30		if rm != 0:
31		r += (blocksize - rm) * b'\x00'
32		return r
33
34		# ----------------------------------------------------------------------------------------------------------------
35		def align_int(integer, blocksize):
36		r = integer
37		rm = r % blocksize
38		if rm != 0:
39		r += (blocksize - rm)
40		return r
41
42		# ----------------------------------------------------------------------------------------------------------------
43		def image_import_descriptor(OriginalFirstThunk, Name, FirstThunk):
44		"""
45		+00 DWORD OriginalFirstThunk
46		+04 DWORD TimeDateStamp
47		+08 DWORD ForwarderChain
48		+12 DWORD Name
49		+16 DWORD FirstThunk
50		"""
51		return pack('<LLLLL', OriginalFirstThunk, 0, 0, Name, FirstThunk)
52
53		# ----------------------------------------------------------------------------------------------------------------
54		def image_import_by_name(hint, name):
55		"""
56		+00 WORD Hint
57		+02 BYTE Name
58		"""
59		return pack('<H', hint) + name.encode() + b'\0'
60
61
62		# ----------------------------------------------------------------------------------------------------------------
63		def image_thunk_data(imageimportbyname_rva, x64, lastthunk=True):
64		if x64:
65		r = pack('<Q', imageimportbyname_rva )
66		if lastthunk:
67		r += pack('<Q', 0 )
68		else:
69		r = pack('<L', imageimportbyname_rva )
70		if lastthunk:
71		r += pack('<L', 0 )
72		return r
73
74		# ----------------------------------------------------------------------------------------------------------------
75		def build_image_import_by_name(names, base=0):
76		funcrva = []
77		r = b''
78		for i, name in enumerate(names):
79		funcrva.append( len( r ) )
80		r += image_import_by_name(i, name)
81		return funcrva, r
82
83		# ----------------------------------------------------------------------------------------------------------------
84		def build_image_thunk_data(offsets, x64, base=0):
85		r = b''
86		offd = dict()
87		for i in range(len(offsets)):
88		r += image_thunk_data(base + offsets[i], x64, bool(i==len(offsets)-1))
89		return r
90
91		# ----------------------------------------------------------------------------------------------------------------
92		def section_header(roff, rsize, voff, vsize, name=b'.h4x'):
93		"""
94		+00 BYTE name[8]
95		+08 DWORD virtualsize
96		+12 DWORD virtualaddress
97		+16 DWORD rawsize
98		+20 DWORD rawaddress
99		+24 DWORD relocaddress
100		+28 DWORD linenumbers
101		+32 WORD nrofrelocs
102		+34 WORD nroflinenumbers
103		+36 DWORD characteristics
104		"""
105		return name.ljust(8, b'\x00') + pack('<LLLLLLHHL', vsize, voff, rsize, roff, 0, 0, 0, 0, 0xC0000040)
106
107		# ----------------------------------------------------------------------------------------------------------------
108		def rebuild_import_table(file_data, impt):
109		# collect some pe info from the file for later
110		pe = pefile.PE(data=file_data, fast_load=True)
111		is64bits = bool(pe.OPTIONAL_HEADER.Magic == 0x20b)
112		nrofsections = pe.FILE_HEADER.NumberOfSections
113		secalignment = pe.OPTIONAL_HEADER.SectionAlignment
114		filealignment = pe.OPTIONAL_HEADER.FileAlignment
115		sizeofheaders = pe.OPTIONAL_HEADER.SizeOfHeaders
116		lastsecoffset = pe.sections[nrofsections-1].__file_offset__
117		lastsection = pe.sections[nrofsections-1]
118		lastviraddr = lastsection.VirtualAddress + lastsection.Misc_VirtualSize
119		sizeofimage = pe.OPTIONAL_HEADER.SizeOfImage
120		pe.close()
121
122		imp_tbl = b''
123		imp_disc = b''
124		rvas = dict()
125		for dllname in impt:
126		importbyname_offsets, importbyname_data = build_image_import_by_name(impt[dllname])
127		thunk_data = build_image_thunk_data(importbyname_offsets, is64bits, sizeofimage + len(imp_tbl) + len(dllname) + 1)
128
129		name_rva = len(imp_tbl)
130
131		imp_tbl += dllname.encode() + b'\x00'
132		imp_tbl += importbyname_data
133		imp_tbl = align_data(imp_tbl, 8)
134		firstthunk_rva = sizeofimage + len(imp_tbl)
135		imp_tbl += thunk_data
136
137		rvas[dllname] = dict()
138		for i, funcname in enumerate(impt[dllname]):
139		rvas[dllname][funcname] = firstthunk_rva + (i * 8)
140
141		imp_disc += image_import_descriptor( firstthunk_rva, sizeofimage + name_rva, firstthunk_rva )
142
143		imp_disc += image_import_descriptor( 0, 0, 0 )
144		imp_tbl = align_data(imp_tbl, 4)
145
146		import_dir_rva = sizeofimage + len(imp_tbl)
147		imp_tbl += imp_disc
148		newsec_data = align_data(imp_tbl, filealignment)
149
150		newsec_rawsize = len(newsec_data)
151		# get the alignd virtual offset and size
152		newsec_viraddr = align_int(lastviraddr, secalignment)
153		newsec_virsize = align_int(newsec_rawsize, secalignment)
154		newsec_rawaddr = len(file_data)
155
156		# create a section header
157		newsec_header = section_header(newsec_rawaddr, newsec_rawsize, newsec_viraddr, newsec_virsize)
158
159		# contruct the new pe file
160		new_pe = file_data[:lastsecoffset + SECTION_HEADER_SIZE]
161		new_pe += newsec_header
162		new_pe += (sizeofheaders - len(new_pe)) * b'\x00'
163		new_pe += file_data[sizeofheaders:]
164		new_pe += newsec_data
165
166		# parse the pe of the rebuild data
167		pe = pefile.PE(data=new_pe, fast_load=True)
168		# increase nr of sections
169		pe.FILE_HEADER.NumberOfSections += 1
170		# update the imagesize
171		pe.OPTIONAL_HEADER.SizeOfImage = newsec_viraddr + newsec_virsize
172		# update the data_dir[imports] rva and size
173		pe.OPTIONAL_HEADER.DATA_DIRECTORY[ pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_IMPORT'] ].VirtualAddress = import_dir_rva
174		pe.OPTIONAL_HEADER.DATA_DIRECTORY[ pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_IMPORT'] ].Size = newsec_rawsize + IMAGE_DESCRIPTOR_HEADER_SIZE
175		# since this is removed from the header we reset its values if set
176		bound_imorts_dir = pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT']
177		if pe.OPTIONAL_HEADER.DATA_DIRECTORY[ bound_imorts_dir ].VirtualAddress != 0:
178		pe.OPTIONAL_HEADER.DATA_DIRECTORY[ bound_imorts_dir ].VirtualAddress = 0
179		pe.OPTIONAL_HEADER.DATA_DIRECTORY[ bound_imorts_dir ].Size = 0
180
181		# write to new file
182		return pe.write(), rvas
183
184		# ----------------------------------------------------------------------------------------------------------------
185		def hook_code64(uc, address, size, user_data):
186		code = uc.mem_read(address, size)
187		insn = disassemble(code, 0)
188		print_insn(insn)
189
190		# ----------------------------------------------------------------------------------------------------------------
191		def emu(pe, offsets, imports, tracecode=False):
192		imp = dict()
193		imgbase = pe.OPTIONAL_HEADER.ImageBase
194		imgsize = pe.OPTIONAL_HEADER.SizeOfImage
195
196		esp = 0x1000000
197
198		mu = Uc(UC_ARCH_X86, UC_MODE_64)
199
200		mu.mem_map(imgbase, imgsize)
201		mu.mem_map(esp, 2 * 1024 * 1024)
202
203		mu.mem_write(imgbase, bytes(pe.__data__))
204		mu.mem_write(esp, int(2 * 1024 * 1024) * b'\0')
205
206		if tracecode: mu.hook_add(UC_HOOK_CODE, hook_code64)
207
208		for offset, vm_eip in offsets:
209		mu.reg_write(UC_X86_REG_ESP, esp + int(1 * 1024 * 1024))
210		try:
211		mu.emu_start(imgbase + (vm_eip + 0x1000), imgbase + imgsize)
212		except UcError as e:
213		rip = mu.reg_read(UC_X86_REG_RIP)
214		if rip in imports:
215		print('0x%016x => %s' % (offset, imports[rip]))
216		imp[offset] = imports[rip]
217		else:
218		print(f'0x{rip:016x} not found')
219		return imp
220
221		# ----------------------------------------------------------------------------------------------------------------
222		def print_insn(insn):
223		print("0x%016x: %s %s" % (insn.address, insn.mnemonic.ljust(5, ' '), insn.op_str))
224
225		# ----------------------------------------------------------------------------------------------------------------
226		def disassemble(code, ep, maxinslen=12):
227		for insn in md.disasm(code[ep:ep+maxinslen], ep):
228		return insn
229
230		# ----------------------------------------------------------------------------------------------------------------
231		def call_ins_in_range(code, minaddress, maxaddress):
232		ep = 0
233		codelen = len(code)
234		addresses = list()
235		while ep < codelen:
236		insn = disassemble(code, ep)
237		if insn and insn.size == 5 and insn.id == X86_INS_CALL \
238		and insn.operands[0].type == X86_OP_IMM:
239		addr = insn.operands[0].imm & 0xffffffff
240		if addr >= minaddress and addr <= maxaddress:
241		addresses.append( (ep, addr) )
242		ep += 1
243		return addresses
244
245		# ----------------------------------------------------------------------------------------------------------------
246		def dump_fix(img, oep=None):
247		pe = pefile.PE(data=img, fast_load=True)
248		sectionAlignment = pe.OPTIONAL_HEADER.SectionAlignment
249		for section in pe.sections:
250		section.PointerToRawData = section.VirtualAddress
251		vsize = align_int(section.Misc_VirtualSize, sectionAlignment)
252		# section.SizeOfRawData = section.Misc_VirtualSize
253		section.SizeOfRawData = vsize
254		section.Misc_VirtualSize = vsize
255
256		if oep:
257		pe.OPTIONAL_HEADER.AddressOfEntryPoint = oep
258
259		# disable aslr for now, we need to do a reloc correction actualy
260		pe.OPTIONAL_HEADER.DllCharacteristics ^= 0x40
261
262		return pe.write()
263
264		# ----------------------------------------------------------------------------------------------------------------
265		def analyse_vmp_api_stub(code, address):
266		vmp_api = list()
267		while True:
268		insn = disassemble(code, address)
269		if insn.id in [X86_INS_PUSH, X86_INS_POP]:
270		vmp_api.append(insn)
271		elif insn.id in [X86_INS_LEA, X86_INS_MOV] and (insn.operands[0].type == X86_OP_MEM or insn.operands[1].type == X86_OP_MEM):
272		vmp_api.append(insn)
273		elif insn.id == X86_INS_XCHG and insn.operands[0].type != insn.operands[1].type:
274		vmp_api.append(insn)
275		elif insn.id == X86_INS_RET:
276		vmp_api.append(insn)
277		break
278
279		if insn.id == X86_INS_JMP:
280		address = insn.operands[0].imm
281		else:
282		address += insn.size
283		return vmp_api
284
285		# ----------------------------------------------------------------------------------------------------------------
286		def action_callback_page_access( event ):
287		global target_pe
288
289		process = event.get_process()
290		thread = event.get_thread()
291		context = thread.get_context()
292
293		img_base = process.get_image_base()
294
295		rip = context['Rip']
296
297		# we need this rip range filter, because we keep hiting a vmp section first...?!
298		if rip >= img_base + target_pe.sections[0].VirtualAddress \
299		and rip <= img_base + target_pe.sections[0].VirtualAddress + target_pe.sections[0].Misc_VirtualSize:
300		print(f'page_access: OEP => 0x{rip:016x} - 0x{rip-img_base:016x}')
301		event.debug.erase_all_breakpoints()
302
303		img_pe = dump_fix(process.read( img_base, target_pe.OPTIONAL_HEADER.SizeOfImage ), rip-img_base)
304
305		pe = pefile.PE(data=img_pe, fast_load=True)
306		pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_IMPORT']])
307
308		# grab the imported dll names from the import table
309		implookup = dict()
310		for entry in pe.DIRECTORY_ENTRY_IMPORT:
311		dllname = entry.dll.decode()
312		mod = process.get_module_by_name(dllname)
313
314		pedll = pefile.PE('c:\\windows\\system32\\' + dllname, fast_load=True)
315		pedll.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_EXPORT']])
316
317		print(f'--> {dllname}')
318		for exp in pedll.DIRECTORY_ENTRY_EXPORT.symbols:
319		if exp.name == None:
320		continue
321		addr = mod.resolve( exp.name )
322		if addr not in implookup:
323		implookup[addr] = (dllname, exp.name.decode())
324		pedll.close()
325
326		# locate call's into the vmp section
327		code_section_data = pe.sections[0].get_data()
328		vm_section = pe.sections[4]
329
330		calltos = call_ins_in_range(
331		code_section_data,
332		vm_section.VirtualAddress,
333		vm_section.VirtualAddress + vm_section.Misc_VirtualSize
334		)
335
336		print('got %d vmp_api call(s)' % len(calltos))
337
338		# emulate the vmp api stubs
339		call2imp = emu(pe, calltos, implookup)
340
341		pe.close()
342
343		# filter imports for iat rebuilding
344		imptbl = dict()
345		for callfrom in call2imp:
346		dll, func = call2imp[callfrom]
347		if dll not in imptbl:
348		imptbl[dll] = list()
349
350		if func not in imptbl[dll]:
351		imptbl[dll].append( func )
352
353		# rebuild import table
354		img_pe, iat_rvas = rebuild_import_table(img_pe, imptbl)
355
356		# patch vmp call instructions
357		fio = BytesIO(img_pe)
358		ks = Ks(KS_ARCH_X86, KS_MODE_64)
359		for cfrom, cto in calltos:
360		vmpapi = analyse_vmp_api_stub(img_pe, cto + 0x1000)
361		if vmpapi[2].id == X86_INS_LEA and vmpapi[2].operands[1].type == X86_OP_MEM and vmpapi[2].operands[1].mem.disp == 1:
362		"""
363		0x00000000000fd9eb: push rax
364		0x00000000000fd9f7: mov rax, qword ptr [rsp + 8]
365		0x0000000000242ad2: lea rax, [rax + 1]
366		0x00000000001b7986: mov qword ptr [rsp + 8], rax
367		0x00000000001b7992: lea rax, [rip - 0x1af489]
368		0x0000000000173257: mov rax, qword ptr [rax + 0xd5f69]
369		0x000000000017325e: lea rax, [rax + 0x7fde623c]
370		0x000000000023dff5: xchg qword ptr [rsp], rax
371		0x0000000000256c24: ret
372		"""
373		dllname, funcname = call2imp[cfrom]
374		encoding, count = ks.asm('call qword ptr[0x%016x]' % (iat_rvas[dllname][funcname] - 0x1000 - cfrom))
375		fio.seek( cfrom + 0x1000 )
376		fio.write( bytes(encoding) )
377		elif vmpapi[0].id == X86_INS_POP and vmpapi[-1].size == 1:
378		"""
379		0x000000000020c562: pop rbx
380		0x000000000020bcda: xchg qword ptr [rsp], rbx
381		0x00000000000fcc27: push rbx
382		0x00000000000fcc28: lea rbx, [rip - 0xf30ea]
383		0x0000000000162a3c: mov rbx, qword ptr [rbx + 0x261566]
384		0x00000000000e2e6f: lea rbx, [rbx + 0x19bd2ee5]
385		0x00000000000e2e76: xchg qword ptr [rsp], rbx
386		0x0000000000259b32: ret
387		"""
388		dllname, funcname = call2imp[cfrom]
389		encoding, count = ks.asm('call qword ptr[0x%016x]' % (iat_rvas[dllname][funcname] - 0x1000 - (cfrom - 1)))
390		fio.seek( (cfrom - 1) + 0x1000 )
391		fio.write( bytes(encoding) )
392		elif vmpapi[0].id == X86_INS_POP and vmpapi[-1].size == 3:
393		"""
394		0x0000000000199b18: pop rbp
395		0x0000000000287e2e: xchg qword ptr [rsp], rbp
396		0x000000000016eeff: push rbp
397		0x000000000016ef04: lea rbp, [rip - 0x167a8b]
398		0x00000000002735e8: mov rbp, qword ptr [rbp + 0x10440d]
399		0x00000000000fcc15: lea rbp, [rbp + 0x1c97310c]
400		0x00000000001885a6: xchg qword ptr [rsp], rbp
401		0x0000000000150cb8: ret 8
402		"""
403		dllname, funcname = call2imp[cfrom]
404		# print(f'pop_call_ret8: 0x{img_base+0x1000+cfrom:016x} -> {funcname}')
405		encoding, count = ks.asm('jmp qword ptr[0x%016x]' % (iat_rvas[dllname][funcname] - 0x1000 - (cfrom - 2)))
406		fio.seek( (cfrom - 2) + 0x1000 )
407		fio.write( bytes(encoding) )
408		elif vmpapi[0].id == X86_INS_PUSH and vmpapi[-1].size == 3:
409		"""
410		0x0000000000149386: push rsi
411		0x000000000014938a: lea rsi, [rip - 0x144344]
412		0x00000000001bfe00: mov rsi, qword ptr [rsi + 0x12b866]
413		0x0000000000224a7c: lea rsi, [rsi + 0x95a4b96]
414		0x00000000001f6ad4: xchg qword ptr [rsp], rsi
415		0x00000000001f6ad8: ret 8
416		"""
417		dllname, funcname = call2imp[cfrom]
418		# print(f'push_call_ret8: 0x{img_base+0x1000+cfrom:016x} -> {funcname}')
419		dist = 1 if img_pe[(cfrom-1)+0x1000] == 0x48 else 0
420		encoding, count = ks.asm('jmp qword ptr[0x%016x]' % (iat_rvas[dllname][funcname] - 0x1000 - (cfrom - dist)))
421		fio.seek( (cfrom - dist) + 0x1000 )
422		fio.write( bytes(encoding) )
423
424		else:
425		print(f'unknown!!!! 0x{img_base+0x1000+cfrom:016x}')
426
427		fio.seek(0)
428		with open('dump.exe', 'wb') as fout:
429		fout.write( fio.read() )
430
431		print('PE image dumped')
432		print('Done')
433		exit(1)
434
435		# ----------------------------------------------------------------------------------------------------------------
436		def action_callback_NtProtectVirtualMemory( event ):
437		global target_pe
438		global mem_pages
439
440		process = event.get_process()
441		thread = event.get_thread()
442		context = thread.get_context()
443
444		img_base = process.get_image_base()
445		img_size = target_pe.OPTIONAL_HEADER.SizeOfImage
446
447		address = process.read_qword(context['Rdx'])
448		size = process.read_qword(context['R8'])
449		mode = context['R9']
450
451		if address >= img_base and address <= img_base + img_size:
452		print(f'NtProtectVirtualMemory: address=0x{address:016x} size=0x{size:016x} prot={mode:x}')
453		if address not in mem_pages:
454		mem_pages.append( address )
455		elif len(mem_pages) > 1 and address == mem_pages[-1]:
456		# memory bp on the .text(0) section
457		event.debug.erase_all_breakpoints()
458		pid = process.get_pid()
459		pages = (align_int(target_pe.sections[0].Misc_VirtualSize, 4096) // 4096)
460		print(f'page_breakpoint: address=0x{img_base + target_pe.sections[0].VirtualAddress:016x} pages={pages} size=0x{pages*4096:x}')
461		event.debug.define_page_breakpoint(
462		pid,
463		img_base + target_pe.sections[0].VirtualAddress,
464		pages=pages,
465		action=action_callback_page_access)
466		event.debug.enable_page_breakpoint(pid, img_base + target_pe.sections[0].VirtualAddress)
467
468		# ----------------------------------------------------------------------------------------------------------------
469		class MyEventHandler( EventHandler ):
470		def load_dll( self, event ):
471		module = event.get_module()
472		if module.match_name('ntdll.dll'):
473		# set HWBP on ntdll.NtProtectVirtualMemory
474		address = module.resolve( 'NtProtectVirtualMemory' )
475		tid = event.get_thread().get_tid()
476		event.debug.define_hardware_breakpoint(
477		tid,
478		address,
479		triggerFlag=Debug.BP_BREAK_ON_EXECUTION,
480		sizeFlag=Debug.BP_WATCH_BYTE,
481		action=action_callback_NtProtectVirtualMemory)
482		event.debug.enable_hardware_breakpoint(tid, address)
483
484		# ----------------------------------------------------------------------------------------------------------------
485		def debugger( argv ):
486		global target_pe
487		global mem_pages
488
489		target_pe = pefile.PE(argv[0], fast_load=True)
490		mem_pages = list()
491
492		with Debug( MyEventHandler(), bKillOnExit = True ) as debug:
493		debug.execv( argv )
494		debug.loop()
495
496		# ----------------------------------------------------------------------------------------------------------------
497		if __name__ == "__main__":
498		debugger( sys.argv[1:] )