▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄       │
                                                                           │ █   █ █ █ █   █       │
                                                                           │ █   █ █ █ █▀▀▀▀       │
                                                                           │ █   █   █ █     ▄     │
                                                                           │                 ▄▄▄▄▄ │
                                                                           │                 █   █ │
                                                                           │                 █   █ │
                                                                           │                 █▄▄▄█ │
                                                                           │                 ▄   ▄ │
                                                                           │                 █   █ │
                                                                           │                 █   █ │
                                                                           │                 █▄▄▄█ │
                                                                           │                 ▄▄▄▄▄ │
                                                                           │                   █   │
PT_NOTE Disinfector                                                        │                   █   │
~ manizzle                                                                 └───────────────────█ ──┘

Hi all. Just to start, I am not an AVer. AVs suck, they are buggy and are usually prone to 
exploitation. Feel free to fuzz the hell out of lief and capstone. I am sure they have bugs.
Now on to how to disinfect...

The PT_NOTE injection technique is quite clean and allows for a ready made memory slot to be filled
with goodies. But with all infection techniques, there is usually always a disinfection technique.
This is the nature of life.

I like to think of the easy by which to disinfect as a way to measure just how good an infection
technique is. The more constants in a disinfection technique, the more likely it will be broken 
quicker. The game of cat and mouse goes on and on, and is the only way to develop more and more 
insiduous virii. Keep playing the game with yourself and your virus will be the thing of madness 
and wonder. 

In this disinfection we use the fact that most virii will try to load the PT_NOTE segment as far
away as possible in case the binary is large and they are trying to make sure the goodies dont get
mapped over and cause some loading issues with the binary cause you gotta be surreptitious right?

We use Kmeans as a way to start and cluster the PT_LOAD segments together and we use the the inertia
of the clusters relative to their centroids as a way to measure how well Kmeans even did. Usually 
for infections there is 1 PT_NOTE being infected but maybe sblip will tell you later, sometimes 
there are 2 :)

  if (math.log(cluster_1.inertia_)/math.log(cluster_2.inertia_)) < INERTIA_RATIO:

Once we have found out which segments seems to be mapped a bit farther than usual (though if you 
wanted to map the PT_NOTE inbetween valid PT_LOADS and re-base the whole image, I mean who would do
such a thing?), we can begin to delve into its code.

Usually these virii will do some more worming around, infecting more files, but at some point they
need to let the program continue execution, you know, to avoid suspicion. We can assume that the jmp
to the original entry point occurs at the end of the infected PT_NOTE segment so we look for that.

Sometimes the jmp is direct, sometimes it is derived. We just follow the jmp target to a point where
it adds the OEP to the base it calculated before (if you want to get really fancy, you can always 
use a use-def chain, but of course the virii can get even fancier and force you to resolve your 
chain cross function boundaries OH MY!)

  add {target}, CONST

Pop that back into your PHDR and you're back to the action

Better luck next time friend!


#!/usr/bin/env python3

from capstone import *
from collections import Counter
import lief
import math
import numpy as np
from sklearn.cluster import KMeans
import sys

# dont be an anti-re sucker dude
# tested on a few large and small binaries
# most normal binaries fall within the range of 1.0SOMETHING
# even large multi-megabytes ones. I am sure we can find something
# that breaks it though

def find_anomalous_load_segment(segment_ranges):
  segment_array = np.array(segment_ranges)
  cluster_2 = KMeans(n_clusters=2, random_state=0).fit(segment_array)
  cluster_1 = KMeans(n_clusters=1, random_state=0).fit(segment_array)
  if (math.log(cluster_1.inertia_)/math.log(cluster_2.inertia_)) < INERTIA_RATIO:
    print("No anomaly detected")
    return None
  cluster_counts = {v:k for k,v in Counter(cluster_2.labels_.tolist()).items()}
  if 1 not in cluster_counts:
    print("No singular cluster found")
    return None
  return segment_array[np.where(cluster_2.labels_ == cluster_counts[1])[0]][0]

def find_oep(segment_bytes, segment_start):
  # we support x64-64 for now but this can be easily ported to 
  # other architectures as needed. Would be cool to use an IR 
  # here so that it is cross-platform
  md = Cs(CS_ARCH_X86, CS_MODE_64)
  md.skipdata = True
  oep = None
  last_jump = None
  early_bail = 0
  for r in [instr for instr in md.disasm(segment_bytes, segment_start)][::-1]:
    if last_jump:
      # if we see an instruction of the form 
      # add {target}, CONST
      # we are probably adding the OEP to the base address
      # We can make this more generic by actually constructing a
      # real use-def chain here and solving for the actual value of 
      # rax here. Would require for finding functions like get_rip
      # which are used to make jmps to the relative code easier
      if last_jump + ", " in r.op_str and "add" == r.mnemonic.strip():
          oep = int(r.op_str.split(",")[1].strip(), 16)
        except Exception as e:
          # keep going, but unlikely we find it now
          # keep trying a few more, but not too much
          # you dont want to be suckered by some anti-re
          early_bail += 1
          if early_bail == SUCKER_PUNCH:
    if not last_jump and r.mnemonic.strip() == "jmp":
      target = r.op_str.strip()
      # Try to see if the jmp happens directly
      # then take that value as the OEP
        oep = int(target, 16)
      except Exception as e:
        # If not, it is probably a register jump
        oep = None
        last_jump = target
  return oep

def main():
  l = lief.parse(sys.argv[1])
  load_segs = [ [ll.virtual_address, ll.virtual_address + ll.virtual_size]
        for ll in l.segments
        if ll.type == lief.ELF.SEGMENT_TYPES.LOAD
  anomalous_segment_start, anomalous_segment_end = find_anomalous_load_segment(load_segs)
  segment_bytes = l.get_content_from_virtual_address(anomalous_segment_start, anomalous_segment_end)
  real_oep = find_oep(bytes(segment_bytes), anomalous_segment_start)
  print("found OEP: ", hex(real_oep))
  l.header.entrypoint = real_oep
  l.write(sys.argv[1] + ".cleaned")

if __name__ == "__main__":