"""
Fix shellcode.cpp: When .text cave is too small, add a new executable
PE section (.shell) to the file_data buffer instead of failing.
"""
with open(r"C:\Users\Amru\code_3-2-2026\shellcode.cpp", "r", encoding="utf-8") as f:
content = f.read()
old_block = """ if (text_cave_size < 256) {
printf("[!] .text cave too small (%u bytes, need >= 256)\\n", text_cave_size);
VirtualFreeEx(process, remote_data, 0, MEM_RELEASE);
return false;
}"""
new_block = """ if (text_cave_size < 256) {
printf("[*] .text cave too small (%u bytes), adding .shell section...\\n", text_cave_size);
// Add a new executable section to the PE for shellcode embedding.
// This handles DLLs whose .text section is fully packed.
auto* dos_hdr = reinterpret_cast<IMAGE_DOS_HEADER*>(image.file_data.data());
auto* nt_hdr = reinterpret_cast<IMAGE_NT_HEADERS64*>(
image.file_data.data() + dos_hdr->e_lfanew);
auto* sec_hdrs = IMAGE_FIRST_SECTION(nt_hdr);
uint16_t nSec = nt_hdr->FileHeader.NumberOfSections;
uint32_t fileAlign = nt_hdr->OptionalHeader.FileAlignment;
uint32_t secAlign = nt_hdr->OptionalHeader.SectionAlignment;
// Check room for one more section header before first section's raw data
size_t headers_end = reinterpret_cast<uint8_t*>(&sec_hdrs[nSec + 1])
- image.file_data.data();
if (headers_end > sec_hdrs[0].PointerToRawData) {
printf("[!] No room in PE header for additional section\\n");
VirtualFreeEx(process, remote_data, 0, MEM_RELEASE);
return false;
}
// Calculate new section's virtual and raw positions
auto& last_sec = sec_hdrs[nSec - 1];
uint32_t last_extent = last_sec.Misc.VirtualSize > last_sec.SizeOfRawData
? last_sec.Misc.VirtualSize : last_sec.SizeOfRawData;
uint32_t new_va = (last_sec.VirtualAddress + last_extent + secAlign - 1)
& ~(secAlign - 1);
uint32_t new_raw = (static_cast<uint32_t>(image.file_data.size()) + fileAlign - 1)
& ~(fileAlign - 1);
uint32_t shell_virt = 0x1000; // 4KB virtual (plenty for wrapper + shellcode)
uint32_t shell_raw = (shell_virt + fileAlign - 1) & ~(fileAlign - 1);
// Write new section header (pointers still valid, resize happens after)
auto& ns = sec_hdrs[nSec];
memset(&ns, 0, sizeof(IMAGE_SECTION_HEADER));
memcpy(ns.Name, ".shell\\0", 8);
ns.Misc.VirtualSize = shell_virt;
ns.VirtualAddress = new_va;
ns.SizeOfRawData = shell_raw;
ns.PointerToRawData = new_raw;
ns.Characteristics = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ;
// Update PE headers
nt_hdr->FileHeader.NumberOfSections = nSec + 1;
nt_hdr->OptionalHeader.SizeOfImage =
(new_va + shell_virt + secAlign - 1) & ~(secAlign - 1);
// Extend file_data (invalidates all pointers into it)
image.file_data.resize(new_raw + shell_raw, 0);
image.raw_data = image.file_data.data();
// Update cave variables to point to the new section
text_cave_rva = new_va;
text_cave_file_offset = new_raw;
text_cave_size = shell_raw;
printf("[+] Added .shell section: VA=0x%X, raw=0x%X, size=0x%X\\n",
new_va, new_raw, shell_raw);
}"""
if old_block in content:
content = content.replace(old_block, new_block)
print("SUCCESS: Replaced cave-too-small error with .shell section fallback")
else:
print("ERROR: Could not find the old cave-too-small block")
# Debug: print what's actually there
idx = content.find("text_cave_size < 256")
if idx >= 0:
snippet = content[idx-50:idx+200]
print(f"Found near pos {idx}:")
print(repr(snippet))
with open(r"C:\Users\Amru\code_3-2-2026\shellcode.cpp", "w", encoding="utf-8") as f:
f.write(content)