
Portable Executable Code Cave Helper

This tool was created during my Offensive Security Certified Expert (OSCE) preparation. It is far from a production application; it was written to master one technique for backdooring / obfuscating PE files.

I tested this script on a few well-known Microsoft binaries, both packed and unpacked. It works perfectly.

One important feature missing from this tiny script is the ability to create artificial code caves (one example among others would be to add a new PE section). If I find the motivation, I will implement this feature as soon as possible.

Use such automated tools when you already know how to do it manually.

Features

  • Search for code caves in executable sections.
  • Encrypt / Obfuscate sections.

How it works

The script patches the target file's PE header and updates its entry point to point at the chosen code cave (the script scans for code caves and asks the user which one to use).

The script then injects instructions into the code cave to:

  • Save CPU Registers and flags.
  • Save stack pointer.
  • Execute an optional payload.
  • Run the deobfuscation routine if requested (section obfuscation).
  • Restore the stack pointer to its original state.
  • Restore CPU Registers and flags.
  • Redirect back execution to original entry point.

One interesting point is the way I decided to restore ESP (the stack pointer). I use a method quite similar to egg hunters to search for and restore the original stack pointer value.

Available Commands

  • -f / --file : Valid PE File location (Ex: /path/to/calc.exe).
  • -p / --payload : Shellcode Payload (Example: "\x01\x02\x03...\x0a").
  • -x / --encrypt : Encrypt main section (entry point section).
  • -k / --encryption-key : Define custom encryption key (1 Byte only).
  • -c / --cave-opcodes : Define the list of opcodes to search for when scanning for code caves.
  • -s / --cave-min-size : Minimum size of a region to be considered a code cave.
  • -e / --egg : Define a custom egg name (ESP Restore Mechanism).
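The "How it works" steps and the -x / -k options above describe two traits a defender can look for in a suspect binary: an entry point redirected into a code cave inside an executable section, and a section XORed with a one-byte key. The following check is an added example, not part of pe-code-cave-helper. It parses the PE header with struct alone (no pefile), builds its own constructed PE32 samples instead of reading a real file, and applies heuristics that are my assumptions rather than the tool's own logic; the function names and the WINDOW and MIN_RUN thresholds are likewise assumed.

```python
"""Heuristic checks for a PE whose entry point has been moved into a code cave.

Added example for this page, not part of pe-code-cave-helper. Header parsing uses
struct only; the sample PE32 images are constructed in memory so it runs offline.
"""
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section characteristics flag
WINDOW = 64                          # bytes inspected after the entry point (assumed threshold)
MIN_RUN = 32                         # shortest constant-byte run reported (assumed, cf. --cave-min-size)


def parse_pe(pe):
    """Return (entry_rva, [section dicts]) from a PE32/PE32+ image held in memory."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]   # SizeOfOptionalHeader
    opt = coff + 20
    entry = struct.unpack_from("<I", pe, opt + 16)[0]       # AddressOfEntryPoint (same offset in PE32/PE32+)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                        # IMAGE_SECTION_HEADER is 40 bytes
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({"name": pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return entry, sections


def constant_runs(data, min_len):
    """Yield (offset, length, byte) for every run of one repeated byte at least min_len long."""
    i, n = 0, len(data)
    while i < n:
        j = i
        while j < n and data[j] == data[i]:
            j += 1
        if j - i >= min_len:
            yield i, j - i, data[i]
        i = j


def assess(pe):
    """Return human-readable findings; an empty list means nothing looked odd."""
    entry, sections = parse_pe(pe)
    sec = next((s for s in sections if s["va"] <= entry < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if sec is None:
        return [f"entry point 0x{entry:x} is outside every section"]
    findings = []
    if not sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point section {sec['name']} is not executable")
    off = entry - sec["va"]
    if off >= sec["vsize"]:   # alignment slack between VirtualSize and SizeOfRawData is a classic cave
        findings.append(f"entry point sits in {sec['name']} slack past VirtualSize (0x{off:x} >= 0x{sec['vsize']:x})")
    raw = pe[sec["rawptr"]:sec["rawptr"] + sec["rawsize"]]
    window = raw[off:off + WINDOW]
    if window:                # a short stub followed by cave filler leaves one byte value dominating
        byte, count = Counter(window).most_common(1)[0]
        if count > len(window) // 2:
            findings.append(f"{count}/{len(window)} bytes after the entry point are 0x{byte:02x}: stub followed by cave filler?")
    for start, length, byte in constant_runs(raw, MIN_RUN):
        if byte not in (0x00, 0xCC):   # normal padding is 0x00 or INT3; anything else hints at XORed padding
            findings.append(f"{length}-byte run of 0x{byte:02x} at {sec['name']}+0x{start:x}: padding XORed with a one-byte key?")
    return findings


def build_sample(entry_rva, stub=b"", xor_key=None):
    """Constructed minimal PE32 with one .text section (test data, not a real binary)."""
    VA, VSIZE, RAWPTR, RAWSIZE = 0x1000, 0x80, 0x200, 0x200
    body = bytearray(bytes((i * 37 + 11) & 0xFF for i in range(VSIZE)))  # stand-in for real code bytes
    body += b"\0" * (RAWSIZE - VSIZE)                                   # alignment padding = the code cave
    if xor_key is not None:
        body = bytearray(b ^ xor_key for b in body)                    # mimic -x/-k on the whole section
    stub_off = entry_rva - VA
    body[stub_off:stub_off + len(stub)] = stub                         # stub stays in clear, as a deobfuscator must
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<IHHIIIHH", 0x4550, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0); struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 16, entry_rva)
    hdr = struct.pack("<8sIIIIIIHHI", b".text", VSIZE, VA, RAWSIZE, RAWPTR, 0, 0, 0, 0, 0x60000020)
    return bytes(dos + coff + opt + hdr).ljust(RAWPTR, b"\0") + bytes(body)


if __name__ == "__main__":
    placeholder_stub = bytes(range(1, 21))   # 20 arbitrary bytes standing in for a stub, not real code
    for label, pe in (("clean", build_sample(0x1000)),
                      ("entry in cave", build_sample(0x1100, placeholder_stub)),
                      ("entry in cave + XOR 0x41", build_sample(0x1100, placeholder_stub, 0x41))):
        print(label, "->", assess(pe) or "no findings")
```

One design point: XOR with a single byte is a permutation of byte values, so it leaves a section's entropy exactly where it was; what it does change is that zero padding turns into long runs of the key byte. That is why the check looks for constant runs of a non-zero, non-INT3 byte instead of measuring entropy.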

Screenshots

Image 1 Image 2

TODO

  • Better Obfuscation / Encryption mechanism.
  • Artificial Code Cave Creation.
  • Better Comments.
  • Option to define which sections to obfuscate (currently, the default is all sections).

Changelog:

  • 0.1 : First release
