• Звідки: Мордор
  • Дата реєстрації: 24.01.2013
  • Повідомлень: 592
    • Репутація: 380

Тема: [NODE.JS] Сніпет, який додає секцію до PE EXE x86

Я люблю Node JS та зворотню інженерію, тому я працюю над бібліотекою, що поєднує ці речі. Демо-код додає секцію до PE EXE x86 файла. Можливо, код містить глюки, але це лише початок розробки бібліотеки для NODE JS. Натхнення черпав з вбудованої скриптової мови в CFF Explorer (трохи змінений LUA).

var fs = require('fs');

const PE_DosHeader = 0, PE_NtHeaders = 1, PE_FileHeader = 2, PE_OptionalHeader = 3, PE_SectionHeaders = 4, PE_DataDirectories = 5,
PE_ExportDirectory = 6, PE_ImportDirectory = 7, PE_ResourceDirectory = 8, PE_ExceptionDirectory = 9, PE_SecurityDirectory = 0xa,
PE_RelocationDirectory = 0xb, PE_DebugDirectory = 0xc, PE_TLSDirectory = 0xd, PE_ConfigurationDirectory = 0xe,
PE_BoundImportDirectory = 0xf, PE_ImportAddressTableDirectory = 0x10, PE_DelayImportDirectory = 0x11, PE_DotNETDirectory = 0x12;

String.prototype.rtrim = function() {return this.replace(/\0+$/,"");}

function toSectionNameBuf(s) {
  var buf = new Buffer(8);
  buf.fill(0);
  if (s.length > 8) s = s.slice(0, 8);
  buf.write(s, 0, s.length, 'ascii');
  return(buf);};

function alignBy(v, by) {
 return((v%by)?(1+Math.floor(v/by))*by:v)};

function PEFile(){
  this.buf;
  this.peStrucTable;}
                                                                                                                             
PEFile.prototype.OpenPE = function(file) {
  this.buf = fs.readFileSync(file);
  var sig = this.buf.toString('ascii', 0, 2)
  if (sig != 'MZ') return(false);                                                            
  var pHeaderPE = this.buf.readUInt16LE(0x3c);
  if (this.buf.readUInt16LE(pHeaderPE) !== 0x4550) return(false);
  var pDataDirectories = pHeaderPE+0x78;
  this.peStrucTable = [0, pHeaderPE, pHeaderPE+0x4, pHeaderPE+44, pHeaderPE+0xf8, pDataDirectories, pDataDirectories,
    pDataDirectories+0x8, pDataDirectories+0x10, pDataDirectories+0x18, pDataDirectories+0x20, pDataDirectories+0x28,
    pDataDirectories+0x30, pDataDirectories+0x48, pDataDirectories+0x50, pDataDirectories+0x58, pDataDirectories+0x60, 
    pDataDirectories+0x68, pDataDirectories+0x70]; 
  return(true);};                                                  

PEFile.prototype.Save = function(name){
  fs.writeFileSync(name, this.buf);};

PEFile.prototype.readByte = function(ofs) {
  return(this.buf[ofs]);}

PEFile.prototype.readWord = function (ofs) {
  return(this.buf.readUInt16LE(ofs));}

PEFile.prototype.readDWord = function (ofs) {
  return(this.buf.readUInt32LE(ofs));}

PEFile.prototype.readQWord = function (ofs) {
  return(this.buf.readDoubleLE(ofs));}

PEFile.prototype.writeByte = function(ofs, val) {
  this.buf[ofs] = val;}

PEFile.prototype.writeWord = function (ofs, val) {
  this.buf.writeUInt16LE(val, ofs);}

PEFile.prototype.writeDWord = function (ofs, val) {
  this.buf.writeUInt32LE(val, ofs);}

PEFile.prototype.writeQWord = function (ofs, val) {
  this.buf.writeDoubleLE(val, ofs);}
  
PEFile.prototype.getNumberOfSections = function(n){
  return(this.readWord(this.getOffset(PE_FileHeader)+0x2));};

PEFile.prototype.getOffset = function(n){
  return(this.peStrucTable[n % 0x13]);};  

PEFile.prototype.enumSections = function(fEnumProc, lParam){
  var iSections = this.getNumberOfSections();
  for(var i = 0; i < iSections; i++){
    var pSection = this.getOffset(PE_SectionHeaders) + i*0x28;
    var sName = this.buf.toString('ascii', pSection, pSection+8).rtrim();
    fEnumProc.call(this, i, pSection, sName, lParam);};
  return(true);};

PEFile.prototype.findSection = function(sName){
  var pSection = null;
  this.enumSections( function(i, p, s, name) { if (s == name) {pSection = p;} }, sName);
  return(pSection);}

PEFile.prototype.dumpSection = function(sName) {
  var dwVirtualSize, dwRawSize, dwRawAddr, bufSection, bufSectionHeader = new Buffer(0x28), pSection = this.findSection(sName);
  if (!pSection) return(null);
  this.buf.copy(bufSectionHeader, 0, pSection, pSection+0x28);
  dwRawSize = bufSectionHeader.readUInt32LE(0x10);
  dwVirtualSize = bufSectionHeader.readUInt32LE(0x8);
  dwRawAddr = bufSectionHeader.readUInt32LE(0x14);
  if (dwRawSize < dwVirtualSize) dwVirtualSize = dwRawSize;
  bufSection = new Buffer(dwVirtualSize);
  this.buf.copy(bufSection, 0, dwRawAddr, dwRawAddr+dwVirtualSize);
  return(bufSection);};

PEFile.prototype.addSectionHeader = function(name) {
  var pSectionHeaders = this.getOffset(PE_SectionHeaders), pHeaderOffset = 0x28*this.getNumberOfSections()+pSectionHeaders,
  pFirstSectionData = this.readDWord(pSectionHeaders+0x14);
  if (pFirstSectionData <= pHeaderOffset) return(false);
  this.buf.fill(0, pHeaderOffset, pHeaderOffset+0x28);
  toSectionNameBuf(name).copy(this.buf, pHeaderOffset);
  this.writeDWord(pHeaderOffset+0x24, 0xC0000000);              
  var pSecNum = this.getOffset(PE_FileHeader)+0x2;
  this.writeWord(pSecNum, this.readWord(pSecNum)+1);
  return(true);};

PEFile.prototype.addSectionEmpty = function(name, size, ch){
  if (!this.addSectionHeader(name)) return false;
  var pSectionHeaders = this.getOffset(PE_SectionHeaders), iSect = this.getNumberOfSections(),
  dwSectionAligment = this.readDWord(this.getOffset(PE_FileHeader)+0x34), 
  dwFileAligment = this.readDWord(this.getOffset(PE_FileHeader)+0x38);
  var pLastSectionHdr = pSectionHeaders+(iSect-2)*0x28;
  var pVA = alignBy(this.readDWord(pLastSectionHdr+0x8), dwSectionAligment)+this.readDWord(pLastSectionHdr+0xC);
  var pRA = alignBy(this.readDWord(pLastSectionHdr+0x10), dwFileAligment)+this.readDWord(pLastSectionHdr+0x14);
  var dwSizeRaw = alignBy(size, dwFileAligment);
  var pNewSectionHdr = pSectionHeaders+(iSect-1)*0x28;
  this.writeDWord(pNewSectionHdr+0x8, size);
  this.writeDWord(pNewSectionHdr+0xC, pVA);
  this.writeDWord(pNewSectionHdr+0x10, dwSizeRaw);
  this.writeDWord(pNewSectionHdr+0x14, pRA);
  var b = new Buffer(dwSizeRaw);
  b.fill(0);
  this.buf = Buffer.concat([this.buf, b]);
  return(true)};

PEFile.prototype.addSection = function(name, buf, ch) {
  this.addSectionEmpty(name, buf.length, ch);
  var pLastSecHdr = this.getOffset(PE_SectionHeaders) + (this.getNumberOfSections()-1)*0x28; 
  buf.copy(this.buf, this.readDWord(pLastSecHdr+0x14));};  

PEFile.prototype.sectionFromRVA = function (rva) {
  var result = null;
  this.enumSections( function(i, p, s, rva){
    var dwVirtualSize = this.readWord(p+0x8), dwVirtualAddress =  this.readWord(p+0xC);
    if (rva >= dwVirtualAddress && rva  < dwVirtualAddress+dwVirtualSize) result = i;}, rva);
  return(result);};

PEFile.prototype.rebuildImageSize = function (){
  var  dwSectionAligment = this.readDWord(this.getOffset(PE_FileHeader)+0x34), 
  pLastSecHdr = this.getOffset(PE_SectionHeaders) + (this.getNumberOfSections()-1)*0x28;
  var dwSizeImage = alignBy(this.readDWord(pLastSecHdr+0x8), dwSectionAligment)+this.readDWord(pLastSecHdr+0xC);
  this.writeDWord(this.getOffset(PE_FileHeader)+0x4C, dwSizeImage);
  return(true)};

var bufX = new Buffer('I LOVE NODE.JS ! \n(c) CovetousEyes', 'ascii');
var pef = new PEFile();
pef.OpenPE('test.EXE');
pef.addSection('.FUNNY', bufX);
pef.rebuildImageSize();
pef.Save('testCracked.exe');
Подякували: Chemist-i, miroslav.chandler2