reubensammut/remove_exitthread_msf.py

## remove_exitthread_msf.py
import mmap
import sys
import re
import struct

FAIL = 0
X64 = 1
X86 = 2

def replace_bytes_x64(filename):
    with open(filename, mode="r+b") as fh:
        with mmap.mmap(fh.fileno(), length=0, access=mmap.ACCESS_WRITE) as mm:
            orig = mm.read()
            res = re.search(b"\x33\xc9\xff\x15.{2}\x00\x00\x48\x81\xc4.{2}\x00\x00\xc3", orig)
            if res:
                pos = res.start(0) + 2
                mm[pos:pos + 6] = b"\x90"*6
                mm.flush()
                print("[+] - {x64} - Binary patched")
            else:
                print("[-] - {x64} - ExitThread code not found")

def replace_bytes_x86(filename):
    with open(filename, mode="r+b") as fh:
        with mmap.mmap(fh.fileno(), length=0, access=mmap.ACCESS_WRITE) as mm:
            orig = mm.read()
            res = re.search(b"\x6a\x00\xff\x15.{4}\x8b\xe5\x5d\xc3", orig)
            if res:
                pos = res.start(0)
                mm[pos:pos + 8] = b"\x90"*8
                mm.flush()
                print("[+] - {x86} - Binary patched")
            else:
                print("[-] - {x86} - ExitThread code not found")

def detect_arch(filename):
    try:
        with open(filename, "rb") as fh:
            fh.seek(0x3c)
            offset = struct.unpack('<I', fh.read(4))[0]
            fh.seek(offset + 4)
            arch = struct.unpack('<H', fh.read(2))[0]
            if arch == 0x8664:
                return X64
            elif arch == 0x14c:
                return X86
            else:
                return FAIL
    except:
        return FAIL

def main():
    if len(sys.argv) != 2:
        sys.stderr.write(f"Usage: {sys.argv[0]} <filename>")
        exit(-1)

    filename = sys.argv[1]

    arch = detect_arch(filename)
    if arch == X64:
        replace_bytes_x64(filename)
    elif arch == X86:
        replace_bytes_x86(filename)


if __name__ == '__main__':
    main()
	import mmap
	import sys
	import re
	import struct

	FAIL = 0
	X64 = 1
	X86 = 2

	def replace_bytes_x64(filename):
	with open(filename, mode="r+b") as fh:
	with mmap.mmap(fh.fileno(), length=0, access=mmap.ACCESS_WRITE) as mm:
	orig = mm.read()
	res = re.search(b"\x33\xc9\xff\x15.{2}\x00\x00\x48\x81\xc4.{2}\x00\x00\xc3", orig)
	if res:
	pos = res.start(0) + 2
	mm[pos:pos + 6] = b"\x90"*6
	mm.flush()
	print("[+] - {x64} - Binary patched")
	else:
	print("[-] - {x64} - ExitThread code not found")

	def replace_bytes_x86(filename):
	with open(filename, mode="r+b") as fh:
	with mmap.mmap(fh.fileno(), length=0, access=mmap.ACCESS_WRITE) as mm:
	orig = mm.read()
	res = re.search(b"\x6a\x00\xff\x15.{4}\x8b\xe5\x5d\xc3", orig)
	if res:
	pos = res.start(0)
	mm[pos:pos + 8] = b"\x90"*8
	mm.flush()
	print("[+] - {x86} - Binary patched")
	else:
	print("[-] - {x86} - ExitThread code not found")

	def detect_arch(filename):
	try:
	with open(filename, "rb") as fh:
	fh.seek(0x3c)
	offset = struct.unpack('<I', fh.read(4))[0]
	fh.seek(offset + 4)
	arch = struct.unpack('<H', fh.read(2))[0]
	if arch == 0x8664:
	return X64
	elif arch == 0x14c:
	return X86
	else:
	return FAIL
	except:
	return FAIL

	def main():
	if len(sys.argv) != 2:
	sys.stderr.write(f"Usage: {sys.argv[0]} <filename>")
	exit(-1)

	filename = sys.argv[1]

	arch = detect_arch(filename)
	if arch == X64:
	replace_bytes_x64(filename)
	elif arch == X86:
	replace_bytes_x86(filename)


	if __name__ == '__main__':
	main()