@cr0Kz
Forked from aaaddress1/ExeMask.py
Created July 18, 2023 03:28
Strip your personal compile info from Exe Files
import pefile, struct, sys
# Exactly one positional argument (the path of the PE file) is required;
# anything else prints the banner and usage line, then exits with status -1.
argument_count = len(sys.argv)
if argument_count != 2:
    for banner_line in (
        "Strip your personal compile info from Exe Files by aaaddress1@chroot.org",
        f"Usage: {sys.argv[0]} [path/to/exe]",
    ):
        print(banner_line)
    raise SystemExit(-1)
# Rewrite from pefile: https://github.com/erocarrera/pefile/blob/593d094e35198dad92aaf040bef17eb800c8a373/pefile.py#L3402
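def mask_myRichHdr(in_pefile):
    """Blank the Rich header of a parsed PE image, in memory only.

    Searches for the ``Rich`` marker between file offset 0x80 and the file
    offset of the optional header. When the marker sits on a dword boundary
    relative to 0x80, every byte from 0x80 through the 4-byte value that
    follows the marker is overwritten with zeros via
    ``set_bytes_at_offset``. Nothing is written to disk here.

    Errors raised while patching propagate to the caller instead of being
    reported as "no Rich header".

    Args:
        in_pefile: object exposing ``__data__``, ``OPTIONAL_HEADER`` and
            ``set_bytes_at_offset`` (a ``pefile.PE`` in this script).
    """
    RICH = 0x68636952  # 'Rich' as dword

    # NOTE(review): 0x80 is assumed to be where the Rich data begins, as in
    # the pefile routine this was adapted from; a non-default DOS stub could
    # move it -- confirm for the binaries you process.
    rich_start = 0x80
    rich_index = in_pefile.__data__.find(
        b"Rich", rich_start, in_pefile.OPTIONAL_HEADER.get_file_offset()
    )
    if rich_index < 0:
        # find() reports "absent" as -1 and does not raise, so the missing
        # header has to be detected here rather than in an except clause.
        print("[v] Input Exe don't have RichHdr... Nice!")
        return

    # The end of the structure is 8 bytes after the start of the Rich
    # string.
    rich_end = rich_index + 8
    rich_data = in_pefile.__data__[rich_start:rich_end]
    # Trim to a multiple of 4 so the dword unpack below cannot fail on a
    # truncated tail.
    rich_data = rich_data[: 4 * (len(rich_data) // 4)]
    dwords = struct.unpack("<{0}I".format(len(rich_data) // 4), rich_data)

    if RICH not in dwords:
        # The text "Rich" was found, but not on a dword boundary, so it is
        # not treated as a Rich header and nothing is modified.
        print("[v] Input Exe don't have RichHdr... Nice!")
        return

    print(f"[+] Detect RichHdr Payload: {str(rich_data)[:20]}...")
    in_pefile.set_bytes_at_offset(rich_start, b'\x00' * (rich_end - rich_start))
    print("[v] Success Strip RichHdr from Exe")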
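def mask_debugInfo(in_pefile: pefile.PE):
    """Zero the debug directory table of a parsed PE image, in memory only.

    Reads data-directory slot 6 of the optional header, translates its
    VirtualAddress to a file offset and overwrites ``Size`` bytes there with
    zeros. Only that table is cleared: the data-directory slot itself keeps
    its address and size.

    NOTE(review): the records the table entries point at (presumably where a
    PDB path would live) are not touched by this function -- inspect the
    output with a PE viewer before relying on it.

    Args:
        in_pefile: parsed PE image whose ``__data__`` buffer is patched.
    """
    directories = in_pefile.OPTIONAL_HEADER.DATA_DIRECTORY
    # The directory object is always truthy, so presence has to be judged
    # from its fields; a short directory list means the slot does not exist.
    debugDir = directories[6] if len(directories) > 6 else None
    if debugDir is None or not (debugDir.VirtualAddress and debugDir.Size):
        print("[v] No DebugInfo in the Exe file")
        return

    offset = in_pefile.get_offset_from_rva(debugDir.VirtualAddress)
    # Go through pefile's own setter, as mask_myRichHdr does: assigning into
    # __data__ directly fails when the buffer is read-only and silently grows
    # a bytearray when the offset lies past the end of the file.
    if not in_pefile.set_bytes_at_offset(offset, b'\x00' * debugDir.Size):
        print("[!] DebugInfo offset is outside the file, nothing stripped")
        return
    print("[v] Success Strip DebugInfo from Exe")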
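# Parse the input, blank both metadata regions in memory, then write a copy.
binary = pefile.PE(sys.argv[1])
mask_myRichHdr(binary)
mask_debugInfo(binary)

# The output name is the input's base name up to its first dot plus
# "_new.exe", created in the current working directory; an existing file of
# that name is overwritten without a prompt.
# NOTE(review): nothing here recomputes the optional-header checksum, and an
# existing Authenticode signature presumably no longer verifies once header
# bytes are zeroed -- confirm before distributing the output.
outPath = sys.argv[1].replace("/", "\\").split("\\")[-1].split(".")[0] + "_new.exe"
with open(outPath, 'wb') as out_file:
    # The context manager closes (and flushes) the handle even if write fails.
    out_file.write(binary.__data__)
print(f"[v] done! check out {outPath}")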