mabj/smokeloader_pe.py

## smokeloader_pe.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from lief import PE

# Constants
IMAGE_BASE = 0x02060000
ENTRY_POINT_OFFSET = 0x734
CODE_PAYLOAD_FILE = 'explorer_02060000.bin'
DATA_PAYLOAD_FILE = 'explorer_00B60000.bin'
FILE_ALIGNMENT = 0x200
PATCH = [
    0x68, 0x00, 0x50, 0x06, 0x02,        # push 0x02065000
    0x59                                 # pop  ecx
] + ([0x90] * 9)                         # nop (x9)


def __patch_buffer(_buf, offset, patch):
    for i in range(len(patch)):
        _buf[offset+i] = patch[i]
    return _buf

code = list(open(CODE_PAYLOAD_FILE, 'rb').read())
data = list(open(DATA_PAYLOAD_FILE, 'rb').read())

# Triming code bytes
code = code[0x1000:(0x1000+0x3400)]

# Patching code to initialize ECX
code = __patch_buffer(code, ENTRY_POINT_OFFSET, PATCH)

binary32 = PE.Binary("smokeloader", PE.PE_TYPE.PE32)

# Adding code .text section
section_text                 = PE.Section(".text")
section_text.content         = code
section_text.virtual_address = 0x1000
binary32.add_section(section_text, PE.SECTION_TYPES.TEXT)

# Adding data .data section
section_data                 = PE.Section(".data")
section_data.content         = data
section_data.virtual_address = 0x5000
binary32.add_section(section_data, PE.SECTION_TYPES.DATA)

# Updating optional_header
binary32.optional_header.file_alignment = FILE_ALIGNMENT
binary32.optional_header.imagebase = IMAGE_BASE
binary32.optional_header.addressof_entrypoint = ENTRY_POINT_OFFSET + section_text.virtual_address

builder = PE.Builder(binary32)
builder.build()
builder.write("unpacked_smokeloader.exe")
	#!/usr/bin/env python
	# -- coding: utf-8 --
	from lief import PE

	# Constants
	IMAGE_BASE = 0x02060000
	ENTRY_POINT_OFFSET = 0x734
	CODE_PAYLOAD_FILE = 'explorer_02060000.bin'
	DATA_PAYLOAD_FILE = 'explorer_00B60000.bin'
	FILE_ALIGNMENT = 0x200
	PATCH = [
	0x68, 0x00, 0x50, 0x06, 0x02, # push 0x02065000
	0x59 # pop ecx
	] + ([0x90] * 9) # nop (x9)


	def __patch_buffer(_buf, offset, patch):
	for i in range(len(patch)):
	_buf[offset+i] = patch[i]
	return _buf

	code = list(open(CODE_PAYLOAD_FILE, 'rb').read())
	data = list(open(DATA_PAYLOAD_FILE, 'rb').read())

	# Triming code bytes
	code = code[0x1000:(0x1000+0x3400)]

	# Patching code to initialize ECX
	code = __patch_buffer(code, ENTRY_POINT_OFFSET, PATCH)

	binary32 = PE.Binary("smokeloader", PE.PE_TYPE.PE32)

	# Adding code .text section
	section_text = PE.Section(".text")
	section_text.content = code
	section_text.virtual_address = 0x1000
	binary32.add_section(section_text, PE.SECTION_TYPES.TEXT)

	# Adding data .data section
	section_data = PE.Section(".data")
	section_data.content = data
	section_data.virtual_address = 0x5000
	binary32.add_section(section_data, PE.SECTION_TYPES.DATA)

	# Updating optional_header
	binary32.optional_header.file_alignment = FILE_ALIGNMENT
	binary32.optional_header.imagebase = IMAGE_BASE
	binary32.optional_header.addressof_entrypoint = ENTRY_POINT_OFFSET + section_text.virtual_address

	builder = PE.Builder(binary32)
	builder.build()
	builder.write("unpacked_smokeloader.exe")