add warning when .NET bin is loaded on memory

2018-11-27 14:03:24 +01:00 · 2018-11-27 14:03:24 +01:00 · c051113d10
parent eccd51e2b7
commit c051113d10
2 changed files with 22 additions and 8 deletions
--- a/pupy/modules/lib/windows/memory_exec.py
+++ b/pupy/modules/lib/windows/memory_exec.py
@ -2,10 +2,11 @@
 # -*- coding: utf-8 -*-
 # Copyright (c) 2015, Nicolas VERDIER (contact@n1nj4.eu)
 # Pupy is under the BSD 3-Clause license. see the LICENSE file at the root of the project for the detailed licence terms
-from pupylib.utils.pe import get_pe_arch
+from pupylib.utils.pe import get_pe_arch, is_dotnet_bin
 from modules.lib.utils.cmdrepl import CmdRepl
 import threading

+
 def exec_pe(module, prog_args, path=None, raw_pe=None, interactive=False, use_impersonation=False, suspended_process="cmd.exe", codepage=None):
    if not raw_pe and not path:
        raise Exception("raw_pe or path must be supplied")
@ -16,14 +17,19 @@ def exec_pe(module, prog_args, path=None, raw_pe=None, interactive=False, use_im
        if pe_arch != proc_arch:
            module.error(
                '%s is a %s PE and your pupy payload is a %s process. '
-                'Please inject a %s PE or migrate into a %s process first'%(
+                'Please inject a %s PE or migrate into a %s process first' % (
                    path, pe_arch, proc_arch, proc_arch, pe_arch))
+            return

+        if is_dotnet_bin(path):
+            module.error(
+                '%s is a .Net binary. Right now this kind of binary is not managed and cannot be loaded '
+                'in memory.' % path)
            return

    if not raw_pe:
        raw_pe = b''
-        with open(path,'rb') as f:
+        with open(path, 'rb') as f:
            raw_pe = f.read()

    dupHandle = None
@ -58,7 +64,6 @@ def exec_pe(module, prog_args, path=None, raw_pe=None, interactive=False, use_im
        module.client.conn.register_remote_cleanup(
            module.mp.close
        )
-
        if module.mp.execute(complete.set, repl._con_write):
            complete.wait()
            module.mp.close()
@ -79,5 +84,4 @@ def exec_pe(module, prog_args, path=None, raw_pe=None, interactive=False, use_im
        else:
            module.error('Launch failed')

-
    return module.mp.stdout
--- a/pupy/pupylib/utils/pe.py
+++ b/pupy/pupylib/utils/pe.py
@ -3,17 +3,27 @@

 import pefile

+
 def get_pe_arch(*args, **kwargs):
-    pe=None
+    pe = None
    if args:
        pe = pefile.PE(args[0], fast_load=True)
    elif "data" in kwargs:
        pe = pefile.PE(data=kwargs["data"], fast_load=True)
    else:
        raise NameError("at least a path or data must be supplied to get_arch")
-    if pe.OPTIONAL_HEADER.Magic==0x010b:
+    if pe.OPTIONAL_HEADER.Magic == 0x010b:
        return "32bit"
-    elif pe.OPTIONAL_HEADER.Magic==0x020b:
+    elif pe.OPTIONAL_HEADER.Magic == 0x020b:
        return "64bit"
    else:
        return "UNKNOWN"
+
+
+def is_dotnet_bin(*args):
+    pe = pefile.PE(args[0], fast_load=True)
+    is_dotnet = pe.OPTIONAL_HEADER.DATA_DIRECTORY[14]
+    if is_dotnet.VirtualAddress == 0 and is_dotnet.Size == 0:
+        return False
+    else:
+        return True