Script to generate an RPC ProcString as a byte array
import argparse
import time
from binascii import hexlify
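def generate_array(n_params):
    """Build the NDR procedure format string for *n_params* FC_HYPER parameters
    plus one FC_HYPER return value.

    Layout follows the annotations in the original listing: a fixed header
    (FC_BIND_PRIMITIVE, old flags, x64 stack size, Oi2 flags, parameter count,
    extension flags), then one 6-byte descriptor per input parameter, then a
    7-byte return descriptor whose trailing 0x0 terminates the array. Stack
    sizes and offsets are emitted as 16-bit little-endian values; the original
    wrote ``value, 0x0`` which only holds while value < 256 (n_params < 31)
    and otherwise made ``bytearray()`` raise.

    Args:
        n_params: number of input parameters, 0..254 (the parameter count is
            stored in a single byte as n_params + 1).

    Returns:
        bytearray containing the format string.

    Raises:
        ValueError: if n_params is negative or larger than 254.
    """
    if not 0 <= n_params <= 254:
        raise ValueError(f"n_params must be in 0..254, got {n_params}")

    def short(value):
        # NdrFcShort: two bytes, low byte first.
        return [value & 0xFF, (value >> 8) & 0xFF]

    # Basic array structure
    proc_string = [
        0x32,  # FC_BIND_PRIMITIVE
        0x48,  # Old Flags:
        0x0, 0x0, 0x0, 0x0,  # 0 (NdrFcLong)
        0x0, 0x0,  # 0 (NdrFcShort)
        *short(n_params * 8 + 8),  # X64 stack size: 8 bytes per parameter plus the return slot
        0x60, 0x0,  # 96
        0x10, 0x0,  # 16
        0x44,  # Oi2 Flags: has return, has ext,
        n_params + 1,  # Number of parameters + 1 for the return value
        0xa,  # 10
        0x1,  # Ext Flags: new corr desc,
        0x0, 0x0,  # 0 (NdrFcShort)
        0x0, 0x0,  # 0 (NdrFcShort)
        0x0, 0x0,  # 0 (NdrFcShort)
        0x0, 0x0,  # 0 (NdrFcShort)
    ]

    # One descriptor per input parameter
    for i in range(n_params):
        proc_string.extend([
            0x48, 0x0,  # Flags: in, base type,
            *short(i * 8),  # X64 stack offset of this parameter
            0xb,  # FC_HYPER
            0x0,  # 0
        ])

    # Return value descriptor; the final 0x0 ends the array
    proc_string.extend([
        0x70, 0x0,  # Flags: out, return, base type,
        *short(n_params * 8),  # X64 stack offset of the return value
        0xb,  # FC_HYPER
        0x0,  # 0
        0x0,  # End of array
    ])
    return bytearray(proc_string)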
def hexdump(buffer):
    """Print *buffer* as rows of up to 16 hex bytes, each row prefixed with
    its four-digit hex offset (e.g. ``0010 0a 0b``). Prints nothing for an
    empty buffer."""
    row_width = 16
    for offset in range(0, len(buffer), row_width):
        row = buffer[offset:offset + row_width]
        cells = [f'{value:02x}' for value in row]
        line = ' '.join(cells)
        print(f'{offset:04x} {line}')
def c_array(buffer):
    """Render *buffer* as a C snippet: an ``int length = N;`` line followed by
    an ``unsigned char stack_proc_string[]`` initialiser whose rows come from
    shellcode_as_array."""
    body = shellcode_as_array(buffer)
    lines = (
        f'int length = {len(buffer)};',
        f'unsigned char stack_proc_string[] = {{\n\t{body}\t}};',
    )
    return '\n'.join(lines)
def shellcode_as_array(shellcode: bytes, n=25):
    """Hex-encode *shellcode* (any bytes-like value; non-``bytes`` input is
    converted with ``bytes()``) and lay it out as C array rows of *n* bytes
    via hex2carray."""
    raw = shellcode if isinstance(shellcode, bytes) else bytes(shellcode)
    hex_text = hexlify(raw).decode()
    return hex2carray(hex_text, n=n)
def hex2carray(hexs, n=25):
    """Format a hex string as C array initialiser rows.

    *hexs* is split into two-character byte tokens, grouped *n* per row; each
    byte becomes ``0xNN``. Rows end with ``,\\n\\t`` except the last, which ends
    with ``\\n`` only. An empty string yields an empty string.
    """
    tokens = [hexs[pos:pos + 2] for pos in range(0, len(hexs), 2)]
    rows = [tokens[pos:pos + n] for pos in range(0, len(tokens), n)]
    last_index = len(rows) - 1
    rendered = []
    for index, row in enumerate(rows):
        cells = ", ".join(f"0x{tok}" for tok in row)
        terminator = "\n" if index == last_index else ",\n\t"
        rendered.append(cells + terminator)
    return "".join(rendered)
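def main():
    """Command-line entry point.

    Parses the options, builds the proc string for the requested parameter
    count and prints it either as a hex string or as a C array. Prints help
    and exits with status 1 when --n-params is not positive; reports a
    ValueError from generate_array through parser.error (usage + status 2)
    instead of a traceback.
    """
    parser = argparse.ArgumentParser(description="RPC ProcString Generator")
    parser.add_argument("-n", "--n-params", help="Number of parameters", type=int, default=0)
    parser.add_argument("-f", "--out-format", help="Output Format", choices=['hex', 'c'], default='c')
    parser.add_argument("--hexdump", help="Print HexDump of the string", default=False, action='store_true')
    args = parser.parse_args()

    if args.n_params <= 0:
        parser.print_help()
        # Same status as the original exit(1), without relying on the site-module builtin.
        raise SystemExit(1)

    try:
        proc_bytes = generate_array(args.n_params)
    except ValueError as err:
        # A parameter count the format string cannot encode.
        parser.error(str(err))

    if args.hexdump:
        hexdump(proc_bytes)
        # Kept from the original; presumably a pause so the dump can be read before the main output.
        time.sleep(2)

    if args.out_format == 'hex':
        print(hexlify(proc_bytes).decode())
    elif args.out_format == 'c':
        print(c_array(proc_bytes))


if __name__ == "__main__":
    main()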