88import argparse
99import subprocess
1010import pefile
11+ import string
12+ import random
1113
1214PARSER = argparse .ArgumentParser ()
13- PARSER .add_argument ('-f' , '--file' , type = str , help = 'define the targeted binary' , required = True )
15+ PARSER .add_argument ('-f' , '--file' , type = str , help = 'define the targeted binary (use it alone without -p or -n)' , required = False )
16+ PARSER .add_argument ('-p' , '--proxydll' , type = str , help = 'create a proxy dll (redirecting all the functions to the original DLL)' , required = False )
1417ARGS = PARSER .parse_args ()
1518
1619# The DLL filenames who starts with one element of this list will not be checked.
2932 'ole32' ,
3033 'ninput' ,
3134 'setupapi' ,
32- 'mscoree'
35+ 'mscoree' ,
36+ 'msvcp_win' ,
37+ 'oleaut32' ,
38+ 'advapi32' ,
39+ 'crypt32'
3340}
3441
3542def ascii ():
3643 print ('·▄▄▄▄ ▄▄▌ ▄▄▌ ▪ ▄▄▄ ▄▄▄· ▐ ▄ ▄▄▄▄▄' )
3744 print ('██▪ ██ ██• ██• ██ ▀▄ █·▐█ ▀█ •█▌▐█•██ ' )
3845 print ('▐█· ▐█▌██▪ ██▪ ▐█·▐▀▀▄ ▄█▀▀█ ▐█▐▐▌ ▐█.▪' )
3946 print ('██. ██ ▐█▌▐▌▐█▌▐▌▐█▌▐█•█▌▐█ ▪▐▌██▐█▌ ▐█▌·' )
40- print ('▀▀▀▀▀• .▀▀▀ .▀▀▀ ▀▀▀.▀ ▀ ▀ ▀ ▀▀ █▪ ▀▀▀ v0.2 ' )
47+ print ('▀▀▀▀▀• .▀▀▀ .▀▀▀ ▀▀▀.▀ ▀ ▀ ▀ ▀▀ █▪ ▀▀▀ v0.3 ' )
4148
4249def rreplace (s , old , new ):
4350 return (s [::- 1 ].replace (old [::- 1 ],new [::- 1 ], 1 ))[::- 1 ]
@@ -112,7 +119,8 @@ def check_if_excluded(dll_name):
112119def get_imports_functions (dll_name , imports ):
113120 functions = []
114121 for imp in imports :
115- functions .append (imp .name .decode ('utf-8' ))
122+ if imp .name is not None :
123+ functions .append (imp .name .decode ('utf-8' ))
116124 return functions
117125
118126def generate_test_dll (functions = None ):
@@ -122,13 +130,19 @@ def generate_test_dll(functions = None):
122130 if functions is not None :
123131 for line in fin :
124132 if '##DLL_MAIN##' in line :
125- fout .write (line .replace ('##DLL_MAIN##' , '' ))
133+ if ARGS .proxydll :
134+ fout .write (line .replace ('##DLL_MAIN##' , 'CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)Main, NULL, NULL, NULL);\n break;' ))
135+ else :
136+ fout .write (line .replace ('##DLL_MAIN##' , '' ))
126137 elif '##EXPORTED_FUNCTIONS##' in line :
127- for func in functions :
128- if len (func ) > 0 :
129- exported_functions .append (f'__declspec(dllexport) void { func } + '{ Main(); }' )
130- exported_functions = '\n ' .join (exported_functions )
131- fout .write (line .replace ('##EXPORTED_FUNCTIONS##' , exported_functions ))
138+ if ARGS .proxydll :
139+ fout .write (line .replace ('##EXPORTED_FUNCTIONS##' , functions ))
140+ else :
141+ for func in functions :
142+ if len (func ) > 0 :
143+ exported_functions .append (f'__declspec(dllexport) void { func } + '{ Main(); }' )
144+ exported_functions = '\n ' .join (exported_functions )
145+ fout .write (line .replace ('##EXPORTED_FUNCTIONS##' , exported_functions ))
132146 else :
133147 fout .write (line )
134148 else :
@@ -176,7 +190,28 @@ def check_dll_hijacking(binary_name, binary_original_directory, dll_name, export
176190 input (f'\n \n [+] [!] Admin privs required on { binary_name } )
177191 return False
178192
193+ def generate_proxy_dll ():
194+ exported_functions = []
195+
196+ letters = string .ascii_letters
197+ name_dll = '' .join (random .choice (letters ) for i in range (5 ))
198+ original_name = os .path .basename (ARGS .proxydll )
199+
200+ pe = pefile .PE (ARGS .proxydll )
201+
202+ for entry in pe .DIRECTORY_ENTRY_EXPORT .symbols :
203+ func = entry .name .decode ('utf-8' )
204+ exported_functions .append (f'#pragma comment(linker,"/export:{ func } { name_dll } { func } { entry .ordinal } )
205+ exported_functions = '\n ' .join (exported_functions )
206+
207+ generate_test_dll (exported_functions )
208+ print (f'\n \n [+] Rename the original dll file { name_dll } { original_name } )
209+
179210def main ():
211+ if ARGS .proxydll :
212+ generate_proxy_dll ()
213+ sys .exit ()
214+
180215 # Create output dir if not exists.
181216 create_dir ('output' )
182217
0 commit comments