-
Notifications
You must be signed in to change notification settings - Fork 0
/
illtrace
executable file
·126 lines (107 loc) · 2.98 KB
/
illtrace
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
#!/bin/bash
# illtrace
# search in an executable file a call for ptrace and NOPs it
# it is assumed there is only one call to it, subsequent ones won't be found
# it can also NOP a particular bytes signature provided by input
display_help() {
echo "Usage: $(basename "$0") [OPTIONS] [FILE]"
echo "Options:"
echo " -h, --help Display this help message"
echo " -p, --pattern [PATTERN] NOPs also all the bytes that match with pattern"
echo " -v, --verbose Verbose mode DEFAULT: False"
echo "EXAMPLE: illtrace file.exe -> search and NOPs ptrace"
echo "EXAMPLE: illtrace -v -p e821f4ffff file.exe -> search and NOPs ALSO pattern"
}
if [ "$#" -le 0 ]; then
echo "too few arguments!"
display_help
exit -1
fi
verbose=0
pattern=""
origin=""
# Parsing options
while [ "$#" -gt 0 ] && [[ "$1" == -* ]]; do
case "$1" in
-h | --help)
display_help
exit 0
;;
-v | --verbose)
verbose=1
;;
-p | --pattern)
if [[ -n "$2" && "$2" =~ ^[0-9a-fA-F]+$ ]] && (( ${#2} % 2 == 0 )); then
pattern="$2"
shift
else
echo "provide a valid pattern"
exit -1
fi
;;
*)
echo "Invalid option: $1" >&2
display_help
exit -1
;;
esac
shift
done
#input file check
if [ ! -n "$1" -o ! -e "$1" ]; then
echo "input file not found"
exit -1
else
origin="$1"
desthex="$1.hex"
destmod="$1.mod"
fi
#creates a string of NOPs based on $1 (number of NOPs to have)
nop_builder() {
echo -n $(printf '90%.0s' $(seq 1 "$1"))
}
# start and end assembly ptrace fingerprints
start_s="b900000000ba01000000be00000000bf00000000b800000000"
end_s="4883f8ff"
# transform the exe into an hex string
origin_s=$(xxd -p "$origin" | tr -d '\n')
# PTRACE NOPPING
# try to find if it contains the fingerprints
# and take their indeces
rest1=${origin_s#*$start_s}
start_index=$(( ${#origin_s} - ${#rest1} ))
rest2=${origin_s#*$end_s}
end_index=$(( ${#origin_s} - ${#rest2} - ${#end_s} ))
# check if indeces found and are somewhat correct
if [ "$start_index" -le 0 -a "$end_index" -le "$start_index" ]; then
echo "ptrace not found"
else
echo "ptrace found!"
if [ "$verbose" -eq 1 ]; then
echo "incipit found at index $start_index"
echo "prolog found at index $end_index"
fi
# count how many NOPs to insert in place of the call, build them and substitute
replace_count=$(( (end_index - start_index) / 2 ))
replace_s=$(nop_builder "$replace_count")
origin_s="${origin_s:0:start_index}$replace_s${origin_s:end_index}"
fi
#PATTERN NOPPING
if [ -n "$pattern" ]; then
# Check if the substring exists in the original string
if [[ $origin_s == *"$pattern"* ]]; then
echo "pattern found!"
#count how many NOPs to insert in place of PATTERN and substitutes
replace_s=$(nop_builder $(( ${#pattern} / 2 )) )
origin_s="${origin_s/$pattern/$replace_s}"
else
echo "pattern not found"
fi
fi
if [ "$verbose" -eq 1 ]; then
echo -n "$origin_s" > "$desthex"
echo "create modified hex dump in $desthex"
fi
# recreating the exe from the modified version
echo -n "$origin_s" | xxd -r -p > "$destmod"
chmod +x "$destmod"