PympMyBinary

Python tool to infect binaries with shellcode. The tool operates in one of three modes:

  • Injection at virtual section slack: assuming shellcode of size x, the last x bytes of the virtual space of the section containing the entrypoint are overwritten with the shellcode. This mode may overwrite legitimate code belonging to the application, so a warning is printed.
  • Entrypoint section append: the shellcode is appended at the end of the entrypoint section. If the virtual size of the entrypoint section plus the shellcode would cross the RVA of the following section, the tampering fails. Shifting section RVAs is unwise, since the application's code relies on relative addresses.
  • New section: a minimalistic section containing the shellcode is created. If the new section header, together with the rest of the headers, would cross the RVA of the first section, the tampering fails. Shifting section RVAs is unwise, since the application's code relies on relative addresses.

Regardless of the mode, the entrypoint RVA is overwritten so that execution starts with the shellcode. Execution then passes to the original entrypoint RVA, which requires the shellcode to be tuned with a negative (backward) relative jmp (details).
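All three modes leave the same trace in the headers: the entrypoint RVA no longer points into the middle of the original code section, but either to the tail of that section (slack injection, append) or into a small trailing section (new section). The script below is an added example, not part of PympMyBinary: it parses the DOS, COFF, optional and section headers of a Win32/64 image and reports those entrypoint placements as findings a reviewer or scanner can act on. The sample images, the section names (`.text`, `.data`, `.extra`) and the 256-byte tail threshold are constructed for the example and are assumptions, not values taken from the tool.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics flags (PE format constants).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

COFF_FMT = "<HHIIIHH"         # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data: bytes) -> dict:
    """Return the entrypoint RVA and section headers of a PE32/PE32+ image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    base = opt + opt_size  # section table follows the optional header
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, data, base + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return {"pe32plus": magic == 0x20B, "entry_rva": entry_rva, "sections": sections}


def entrypoint_findings(pe: dict, tail_bytes: int = 256) -> list:
    """Flag entrypoint placements typical of slack injection, append and new-section infection."""
    entry, secs = pe["entry_rva"], pe["sections"]
    hit = None
    for idx, s in enumerate(secs):
        if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            hit = (idx, s)
            break
    if hit is None:
        return [("ENTRY_OUTSIDE_SECTIONS", f"entry {entry:#x} maps to no section")]
    idx, s = hit
    end = s["vaddr"] + max(s["vsize"], s["rawsize"])
    findings = []
    if len(secs) > 1 and idx == len(secs) - 1:  # new-section mode: entry in a trailing section
        findings.append(("ENTRY_IN_LAST_SECTION", f"entry in trailing section {s['name']!r}"))
    if end - entry <= tail_bytes:  # slack-injection / append modes: entry in the section tail
        findings.append(("ENTRY_NEAR_SECTION_END",
                         f"only {end - entry} bytes between entry and end of {s['name']!r}"))
    if not s["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(("ENTRY_SECTION_NOT_EXECUTABLE", f"{s['name']!r} lacks MEM_EXECUTE"))
    if s["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append(("ENTRY_SECTION_WRITABLE", f"{s['name']!r} is writable and executable"))
    return findings


def build_pe(entry_rva: int, sections: list) -> bytes:
    """Build a header-only PE32 image (constructed test data; carries no code)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after DOS header
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<HBBIIII", opt, 0, 0x10B, 0, 0, 0, 0, 0, entry_rva)
    hdrs = b"".join(struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, vaddr, rawsize,
                                0x400 * (i + 1), 0, 0, 0, 0, chars)
                    for i, (name, vaddr, vsize, rawsize, chars) in enumerate(sections))
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs).ljust(0x400, b"\0")


# Constructed samples: (name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics).
TEXT = (b".text", 0x1000, 0x800, 0x800, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
DATA = (b".data", 0x2000, 0x200, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
CLEAN_IMAGE = build_pe(0x1100, [TEXT, DATA])            # entry well inside .text
TAIL_IMAGE = build_pe(0x17F0, [TEXT, DATA])             # entry in the last 16 bytes of .text
NEW_SECTION_IMAGE = build_pe(0x3000, [TEXT, DATA, (b".extra", 0x3000, 0x200, 0x200, TEXT[4])])

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_IMAGE), ("tail", TAIL_IMAGE), ("new-section", NEW_SECTION_IMAGE)):
        print(label, entrypoint_findings(parse_pe(img)) or "no findings")
```

The heuristics are deliberately header-only, so they run on a file without executing it and are cheap enough for bulk triage; they are indicators, not proof, since linkers can legitimately place an entrypoint in a later section, and the tail threshold should be tuned to the binaries being reviewed. Confirming a hit means disassembling at the entrypoint and looking for the backward jmp into the original entry that the text above describes.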

What works?

So far, the infector only handles Win32/64 (PE) binaries.

What does not?

  • Integrity checks implemented by software installers such as NSIS cause execution to fail. Testing with those requires running the binaries with the "/NCRC" flag.
  • Packed binaries (e.g. Firefox). Unpack the binary before using this tool.

Usage

       ____                        __  ___      ____  _
      / __ \__  ______ ___  ____  /  |/  /_  __/ __ )(_)___  ____ ________  __
     / /_/ / / / / __ `__ \/ __ \/ /|_/ / / / / __  / / __ \/ __ `/ ___/ / / /
    / ____/ /_/ / / / / / / /_/ / /  / / /_/ / /_/ / / / / / /_/ / /  / /_/ /
   /_/    \__, /_/ /_/ /_/ .___/_/  /_/\__, /_____/_/_/ /_/\__,_/_/   \__, /
         /____/         /_/           /____/                         /____/
                   
Invalid number of arguments.
PympMyBinary -i input binary path -o output binary path -sm shellcode generator name -m modifier name

    -i: path for clean binary
    -o: path to infected binary
    -sm: shellcode module name. Check the ShellCodeGenerators package (e.g. -m NOPSled)
    -m: modifier. Check the BinaryModifiers package:
        - Win32SectionAppender: Inserts the shellcode at the end of entrypoint's virtual section. It will fail if the shellcode crosses the RVA
         for the next section.
        - Win32SectionCreator: creates a new section on the binary and puts the shellcode there. This modifier fails if the new section header crosses
        the RVA for the first section.
        - Win32SectionInjector: overwrites x bytes at the end of entrypoint's virtual section. x bytes is the size of the shellcode. This modifier may
        overwrite important assembly.

Win32 binary modifier and supporting classes assume the following model:

[diagram: Win32 binary model]

PEview has been my reference tool for checking binary correctness.

Found this useful? Help me buy a cup of coffee to keep me warm during the harsh winters:

https://www.paypal.com/donate/?hosted_button_id=UDFXULV3WV5GL