PE file text section shellcode extractor and writer.

Sleep
3 min read · Feb 16, 2023


Summary

I am submitting this report to bring to your attention an issue in the code provided in the Python script file named "script.py". The code appears to have a few errors that need to be addressed. The purpose of this code is to extract the shellcode from a given executable file and generate a header file containing the shellcode for use in a C or C++ program.

The issues with the code are as follows:

  1. In line 4, the DUMMY_FUNC variable is defined as a string containing hexadecimal values. However, since the code targets Python 3.x, the variable should be defined as a bytes object by prefixing the string with b.
  2. In line 8, the print statement is not compatible with Python 3.x, which requires parentheses around the string.
  3. In line 11, the text_section variable is defined as an empty string, but it should be defined as an empty bytes object.
  4. In line 13, the comparison of the section name with ".text" should be done with a bytes object (i.e., b".text"), since section.Name is a bytes object in Python 3.x.
  5. In line 17, the output variable is defined as a string, but it should be defined as a bytes object (by prefixing the string with b).
  6. The text_section variable is defined as a bytes object in line 11, and in line 21 the file it is written to is opened in binary mode (wb), which is correct. However, in line 22, text_section is written to a file that was opened in text mode (w). The correct mode to open that file is binary mode (wb).
  7. In line 25, the output variable is written to a file that was opened in text mode (w). Since the output variable is a bytes object, the correct mode to open the file is binary mode (wb).
  8. In line 26, text_section is written to a file opened in binary mode, which is correct.
  9. In line 27, the binary_shellcode variable is written to a file opened in binary mode, which is correct.

To fix the code, the following changes are recommended:

  1. In line 4, change DUMMY_FUNC to DUMMY_FUNC = b"\x55\x8b\xec\x51\xc7\x45\xfc\xbe\xba\xad\xde\x8b\xe5\x5d\xc3".
  2. In line 8, change print "Starting!" to print("Starting!").
  3. In line 11, change text_section = "" to text_section = b"".
  4. In line 13, change if ".text" in section.Name: to if b".text" in section.Name:.
  5. In line 17, change output = "" to output = b"".
  6. In line 21, change open(os.path.join(folder, base) + ".text", "w") to open(os.path.join(folder, base) + ".text", "wb").
  7. In line 25, change open(os.path.join(folder, base) + ".h", "w") to open(os.path.join(folder, base) + ".h", "wb").

After making these changes, the code should function as expected.

Thank you for your attention to this matter.

Sincerely, [Taylor Christian Newsome | ClumsyLulz on Twitter]

import pefile
import sys
import os

# Marker function compiled into the source binary; everything in .text that
# precedes it is treated as the shellcode.
DUMMY_FUNC = b"\x55\x8b\xec\x51\xc7\x45\xfc\xbe\xba\xad\xde\x8b\xe5\x5d\xc3"

def main():
    if len(sys.argv) != 2:
        sys.exit("usage: %s <pe_file>" % sys.argv[0])
    exe_path = sys.argv[1]
    pe = pefile.PE(exe_path)
    print("Starting!")
    output = ""            # C string body, built as str and written in text mode
    text_section = b""     # raw bytes of the .text section
    binary_shellcode = b"" # bytes before the marker
    for section in pe.sections:
        if b".text" in section.Name:
            print(section.Name, hex(section.VirtualAddress), hex(section.Misc_VirtualSize), section.SizeOfRawData)
            text_section = pe.get_data(section.VirtualAddress, section.SizeOfRawData)
            # find() returns -1 when the marker is absent; slicing with -1 would
            # silently drop the last byte instead of failing.
            marker = text_section.find(DUMMY_FUNC)
            if marker < 0:
                sys.exit("DUMMY_FUNC marker not found in .text")
            binary_shellcode = text_section[:marker]
            for byte in binary_shellcode:
                output += "\\x%02x" % byte  # always two hex digits per byte
    output = "#define SHELLCODE (\"%s\")" % output
    folder, file_name = os.path.split(exe_path)
    base, _ = os.path.splitext(file_name)
    print(os.path.join(folder, base + ".h"))
    with open(os.path.join(folder, base) + ".h", "w") as f:
        f.write(output)
    with open(os.path.join(folder, base) + ".text", "wb") as f:
        f.write(text_section)
    with open(os.path.join(folder, base) + ".shellcode", "wb") as f:
        f.write(binary_shellcode)

if __name__ == "__main__":
    main()
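The script above leans on pefile for the section lookup and on pe.get_data() to map the section's VirtualAddress to file bytes. The following is an added example, not part of the original post and not the author's code, that does the same job without pefile so the PE structures involved are visible: it walks from e_lfanew to the COFF file header, skips the optional header, reads the 40-byte section headers, and slices the .text section by PointerToRawData (the file offset) rather than by RVA. The function names, the build_sample_pe() fixture and the sample payload are my own constructions for the example; the marker bytes are the same DUMMY_FUNC value the post uses. extract_shellcode() refuses to emit anything when the marker is missing, the case where a bare find() would return -1 and silently truncate the output.

```python
import struct

# Marker bytes (same value the post's script calls DUMMY_FUNC).
DUMMY_FUNC = b"\x55\x8b\xec\x51\xc7\x45\xfc\xbe\xba\xad\xde\x8b\xe5\x5d\xc3"

# Layouts from the PE/COFF specification (little-endian).
# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
#                    NumberOfSymbols, SizeOfOptionalHeader, Characteristics
FILE_HEADER = struct.Struct("<HHIIIHH")          # 20 bytes
# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
#   PointerToRawData, PointerToRelocations, PointerToLinenumbers,
#   NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")   # 40 bytes


def find_sections(data):
    """Return (name, VirtualAddress, SizeOfRawData, PointerToRawData) per section."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh_off = e_lfanew + 4
    (_machine, num_sections, _stamp, _symtab, _nsyms,
     opt_size, _chars) = FILE_HEADER.unpack_from(data, fh_off)
    # Section table starts right after the optional header, whatever its size.
    sec_off = fh_off + FILE_HEADER.size + opt_size
    sections = []
    for i in range(num_sections):
        fields = SECTION_HEADER.unpack_from(data, sec_off + i * SECTION_HEADER.size)
        name = fields[0].rstrip(b"\0")
        sections.append((name, fields[2], fields[3], fields[4]))
    return sections


def text_section_bytes(data):
    """Slice the .text section out of the file by its raw file offset."""
    for name, _va, raw_size, raw_ptr in find_sections(data):
        if name == b".text":
            return data[raw_ptr:raw_ptr + raw_size]
    raise ValueError("no .text section")


def extract_shellcode(text, marker=DUMMY_FUNC):
    """Everything before the marker function; fail loudly if it is absent."""
    idx = text.find(marker)
    if idx < 0:
        raise ValueError("marker not found; refusing to emit a truncated blob")
    return text[:idx]


def to_c_header(shellcode):
    """Render bytes as the #define the post's script writes, two hex digits each."""
    body = "".join("\\x%02x" % b for b in shellcode)
    return '#define SHELLCODE ("%s")' % body


def build_sample_pe(text_payload):
    """Constructed test fixture: a minimal PE with one .text section (not a runnable binary)."""
    opt_size = 0                      # an empty optional header suffices for section parsing
    e_lfanew = 0x40
    raw_ptr = 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_header = FILE_HEADER.pack(0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    section = SECTION_HEADER.pack(b".text", len(text_payload), 0x1000,
                                  len(text_payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = dos + b"PE\0\0" + file_header + section
    image += b"\0" * (raw_ptr - len(image))
    return image + text_payload


if __name__ == "__main__":
    # Constructed payload: three bytes of "shellcode", the marker, then padding.
    sample = build_sample_pe(b"\x31\xc0\xc3" + DUMMY_FUNC + b"\xcc" * 4)
    print(to_c_header(extract_shellcode(text_section_bytes(sample))))
```

Reading by PointerToRawData is the right choice when the input is a file on disk; pe.get_data(VirtualAddress, ...) in the post's script resolves the RVA through the section table and lands on the same bytes for an unmodified image, but the two differ if a file has been dumped from memory or had its section table edited, which is a useful thing to check when triaging a sample.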