@@ -147,6 +147,18 @@ def self.to_executable(framework, arch, plat, code = '', opts = {})
147147 nil
148148 end
149149
150+ def self . clear_dynamic_base ( exe , pe )
151+ c_bits = ( "%32d" %pe . hdr . opt . DllCharacteristics . to_s ( 2 ) ) . split ( '' ) . map { |e | e . to_i } . reverse
152+ c_bits [ 6 ] = 0 # DYNAMIC_BASE
153+ new_dllcharacteristics = c_bits . reverse . join . to_i ( 2 )
154+
155+ # PE Header Pointer offset = 60d
156+ # SizeOfOptionalHeader offset = 94h
157+ dll_ch_offset = exe [ 60 , 4 ] . unpack ( 'h4' ) [ 0 ] . reverse . hex + 94
158+ exe [ dll_ch_offset , 2 ] = [ new_dllcharacteristics ] . pack ( "v" )
159+ exe
160+ end
161+
150162 def self . to_win32pe ( framework , code , opts = { } )
151163
152164 # For backward compatability, this is roughly equivalent to 'exe-small' fmt
@@ -169,12 +181,6 @@ def self.to_win32pe(framework, code, opts = {})
169181 fsize = File . size ( opts [ :template ] )
170182 pe = Rex ::PeParsey ::Pe . new_from_file ( opts [ :template ] , true )
171183
172- # DYNAMIC_BASE modification
173- original_dllcharacteristics = pe . hdr . opt . DllCharacteristics
174- c_bits = ( "%32d" %original_dllcharacteristics . to_s ( 2 ) ) . split ( '' ) . map { |e | e . to_i } . reverse
175- c_bits [ 6 ] = 0 # DYNAMIC_BASE
176- new_dllcharacteristics = c_bits . reverse . join . to_i ( 2 )
177-
178184 text = nil
179185 pe . sections . each { |sec | text = sec if sec . name == ".text" }
180186
@@ -185,7 +191,7 @@ def self.to_win32pe(framework, code, opts = {})
185191 :template => opts [ :template ] ,
186192 :arch => :x86
187193 } )
188- injector . generate_pe
194+ return injector . generate_pe
189195 end
190196
191197 raise RuntimeError , "No .text section found in the template" unless text
@@ -284,15 +290,12 @@ def self.to_win32pe(framework, code, opts = {})
284290 tds = pe . hdr . file . TimeDateStamp
285291 exe [ exe . index ( [ tds ] . pack ( 'V' ) ) , 4 ] = [ tds - rand ( 0x1000000 ) ] . pack ( "V" )
286292
287- # Patch dll characteristics
288- dll_ch_offset = exe [ 60 , 4 ] . unpack ( 'h4' ) [ 0 ] . reverse . hex + 94
289- exe [ dll_ch_offset , 2 ] = [ new_dllcharacteristics ] . pack ( "v" )
290-
291293 cks = pe . hdr . opt . CheckSum
292294 unless cks == 0
293295 exe [ exe . index ( [ cks ] . pack ( 'V' ) ) , 4 ] = [ 0 ] . pack ( "V" )
294296 end
295297
298+ exe = clear_dynamic_base ( exe , pe )
296299 pe . close
297300
298301 exe
@@ -359,6 +362,7 @@ def self.to_winpe_only(framework, code, opts = {}, arch="x86")
359362 # put the shellcode at the entry point, overwriting template
360363 entryPoint_file_offset = pe . rva_to_file_offset ( addressOfEntryPoint )
361364 exe [ entryPoint_file_offset , code . length ] = code
365+ exe = clear_dynamic_base ( exe , pe )
362366 exe
363367 end
364368
@@ -440,7 +444,6 @@ def self.string_to_pushes(string)
440444 end
441445
442446 def self . exe_sub_method ( code , opts = { } )
443-
444447 pe = self . get_file_contents ( opts [ :template ] )
445448
446449 case opts [ :exe_type ]
@@ -506,7 +509,7 @@ def self.to_win64pe(framework, code, opts = {})
506509 :template => opts [ :template ] ,
507510 :arch => :x64
508511 } )
509- injector . generate_pe
512+ return injector . generate_pe
510513 end
511514 opts [ :exe_type ] = :exe_sub
512515 exe_sub_method ( code , opts )
0 commit comments