PEInjector released ~ MITM PE file infector.

The executable file format on the Windows platform is PE/COFF. peinjector provides several ways to infect such files with custom payloads without changing their original functionality. It creates patches, which are then applied seamlessly while the file is in transfer. It is fast, lightweight and modular, and can run on embedded hardware.

Injector Setting

Peinjector features
+ Remove integrated integrity checks, such as PE header checksums, certificates, force-check-checksum-flag, …
+ Try to inject the shellcode at the end of an executable section. This is possible because of the gap between the SizeOfRawData and the VirtualSize value.
+ Try to resize an executable section and to inject the shellcode there. This is possible because of the gap between the FileAlignment and the SectionAlignment value.
+ Insert a new section and inject the shellcode there.
+ Try to detect executables that could notice the infection themselves (e.g. NSIS setups) and skip them.
+ Generate a random name for sections created by the “new section name” flag.
+ Encrypt payload with random keys. The decryption stub is generated and obfuscated individually on-the-fly for each injection, using the integrated polymorphic engine.
+ Inject the shellcode with one of the enabled methods and insert an obfuscated jump to the payload in another section. The entry point then no longer points to the shellcode itself, but this can raise the heuristic detection rate of some AV products. (default: OFF)
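The feature list above names three traces that the injection methods leave in a patched file: a stripped header checksum, code placed in the file-alignment slack between an executable section's VirtualSize and SizeOfRawData, and an extra executable section that receives the entry point. The following audit script is an added example for the defender side, not code from the peinjector project: it parses the PE headers with nothing but the standard library, recomputes the Microsoft header checksum, and flags those three conditions. The PE fixtures it audits are constructed in the script itself (a three-byte stub and a few placeholder bytes, not a payload), and the "entry point not in the first executable section" rule is a heuristic that packed binaries can also trigger.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
CODE_FLAGS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ


def align(value, boundary):
    return (value + boundary - 1) // boundary * boundary


def pe_checksum(data, checksum_offset):
    """Standard PE header checksum: ones'-complement sum of 16-bit words with the
    CheckSum field itself skipped, folded to 16 bits, plus the file length."""
    padded = data + b"\0" if len(data) % 2 else data
    total = 0
    for off in range(0, len(padded), 2):
        if off in (checksum_offset, checksum_offset + 2):
            continue
        total += padded[off] | (padded[off + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + len(data)


def parse_pe(data):
    """Read the header fields the audit needs (offsets used are identical for PE32 and PE32+)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24  # start of the optional header
    sections = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"), "vsize": f[1],
                         "va": f[2], "raw_size": f[3], "raw_ptr": f[4], "chars": f[9]})
    return {"entry": struct.unpack_from("<I", data, opt + 16)[0],
            "checksum": struct.unpack_from("<I", data, opt + 64)[0],
            "checksum_offset": opt + 64, "sections": sections}


def audit_pe(data):
    """Return findings for the traces the injection methods above leave behind."""
    pe = parse_pe(data)
    findings = []
    expected = pe_checksum(data, pe["checksum_offset"])
    if pe["checksum"] == 0:
        findings.append("checksum: CheckSum field is zero (integrity check absent or stripped)")
    elif pe["checksum"] != expected:
        findings.append("checksum: header says %#x, computed %#x" % (pe["checksum"], expected))
    execs = [s for s in pe["sections"] if s["chars"] & IMAGE_SCN_MEM_EXECUTE]
    ep = pe["entry"]
    home = next((s for s in pe["sections"]
                 if s["va"] <= ep < s["va"] + max(s["vsize"], s["raw_size"])), None)
    if home is None:
        findings.append("entry point %#x lies outside every section" % ep)
    else:
        if ep - home["va"] >= home["vsize"]:  # EP in the mapped alignment padding
            findings.append("entry point %#x is in the slack past VirtualSize of %s" % (ep, home["name"]))
        if execs and home is not execs[0]:    # heuristic: packers trigger this too
            findings.append("entry point is in %s, not the first executable section %s"
                            % (home["name"], execs[0]["name"]))
    for s in execs:  # compilers leave the padding after VirtualSize zero-filled
        slack = data[s["raw_ptr"] + s["vsize"]:s["raw_ptr"] + s["raw_size"]]
        if any(slack):
            findings.append("section %s: non-zero bytes in its file-alignment slack" % s["name"])
    return findings


def build_pe(sections, entry_rva, checksum=0, file_align=0x200, sect_align=0x1000):
    """Construct a minimal PE32 fixture (a test file, not a runnable program).
    sections: list of (name, VirtualSize, raw_bytes, characteristics)."""
    opt_size = 224
    headers = align(64 + 4 + 20 + opt_size + 40 * len(sections), file_align)
    va, raw_ptr, sec_hdrs, body = sect_align, headers, b"", b""
    for name, vsize, raw, chars in sections:
        raw_size = align(len(raw), file_align)
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va,
                                raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += raw.ljust(raw_size, b"\0")
        va += align(max(vsize, raw_size), sect_align)
        raw_ptr += raw_size
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", 0x10B, 0, 0, 0, 0, 0,
                      entry_rva, sect_align, 0, 0x400000, sect_align, file_align,
                      4, 0, 0, 0, 4, 0, 0, va, headers, checksum, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    return (dos + b"PE\0\0" + coff + opt + sec_hdrs).ljust(headers, b"\0") + body


STUB = b"\x31\xc0\xc3"  # constructed: xor eax,eax ; ret
MARK = b"\xcc" * 4      # constructed placeholder standing in for injected bytes


def clean_sample():
    secs = [(b".text", len(STUB), STUB, CODE_FLAGS)]
    draft = build_pe(secs, 0x1000)
    return build_pe(secs, 0x1000, pe_checksum(draft, parse_pe(draft)["checksum_offset"]))


def slack_sample():  # "end of executable section" method: bytes past VirtualSize, EP moved there
    return build_pe([(b".text", len(STUB), STUB.ljust(0x100, b"\0") + MARK, CODE_FLAGS)], 0x1100)


def new_section_sample():  # "new section" method: extra executable section receives the EP
    return build_pe([(b".text", len(STUB), STUB, CODE_FLAGS), (b".qzx", 4, MARK, CODE_FLAGS)], 0x2000)


if __name__ == "__main__":
    for label, fixture in (("clean", clean_sample()), ("slack", slack_sample()), ("new section", new_section_sample())):
        print(label, audit_pe(fixture) or ["no findings"])
```

The checksum check is the cheapest of the three and is what a download proxy or mail gateway can verify without disassembling anything; the slack and entry-point checks are the ones a sandbox or EDR static scan would add. None of them replaces verifying an Authenticode signature or a publisher-supplied hash, which a MitM patch cannot forge.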

Shellcode setting

Installation:
Preparations for git clone

Clone peinjector project
cd /tmp
git clone https://github.com/JonDoNym/peinjector

Install peinjector-server (Provides PE file patching as a service)
– The install script installs gcc (if not already installed)
– Compiles the source and copies the binary to /usr/bin/peinjector
– Installs the server as a service with autostart! (sudo service peinjector start|stop)
– CONFIG: /etc/peinjector
– LOG: /var/log/peinjector/
– HELP: sudo peinjector -h

cd /tmp/peinjector/peinjector/install/
sudo chmod a+x peinjector_install.sh
sudo ./peinjector_install.sh

Install peinjector-control (manages the peinjector server via webgui)
– The install script installs python3 (if not already installed)
– Copies the controller to /etc/peinjector-control
– Installs the python webserver as a service with autostart! (sudo service peinjector-control start|stop)
– CONFIG: /etc/peinjector-control
– LOG: /var/log/peinjector-control
– Web server listens on: https://{your_ip}:3333/

cd /tmp/peinjector/pe-injector-control/install/
sudo chmod a+x peinjector-control_install.sh
sudo ./peinjector-control_install.sh

Install peinjector-interceptor (the MitM-Proxy with peinjector connector)

cd /tmp/peinjector/pe-injector-interceptor/install/
sudo chmod a+x peinjector-interceptor_install.sh
sudo ./peinjector-interceptor_install.sh

Hardening
– Replace the webgui certificate with your own.
– Set a password for the GUI.
– Bind the peinjector ports to localhost; then only the webgui and the proxy can connect to the injector server (recommended).

Usage
– Go to https://{your_ip}:3333
– Navigate to “shellcode”
– Scroll to “demo (calc)”
– Click on “create and send shellcode”
– Set your firefox proxy setting to {your_ip}:8080
– Download any PE file (for example putty.exe, or an AV setup hundreds of megabytes in size, to see the seamless infection in action)
– You will see that the program is infected.

Download: peinjector-1.0.1.zip (12.6MB) | peinjector-1.0.1.tar.gz (12.6MB)
Source: https://github.com/JonDoNym