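function strip-bof {
<#
.SYNOPSIS
Removes debug symbols from a beacon object file
.DESCRIPTION
Parses the COFF file header and the section headers of the object file given
by -Path and overwrites the raw data of every section whose name contains
"debug" (e.g. .debug$S, .debug$T) with zero bytes. The file is modified in place.

Only the raw data of each matching section is zeroed; the section header,
relocations and the symbol table are left untouched, so the section remains
present in the file but with empty contents.

Heavily dependent on code by Matthew Graeber (@mattifestation)
Original code: https://www.powershellgallery.com/packages/PowerSploit/1.0.0.0/Content/PETools%5CGet-ObjDump.ps1
Author: Yasser Alhazmi (@yas_o_h)
License: BSD 3-Clause
.PARAMETER Path
Specifies the path to an object file. The file must exist and is rewritten in place.
.EXAMPLE
C:\PS>strip-bof -Path main.obj
.NOTES
Header values are taken from the file as-is. A section whose raw-data range
(PointerToRawData + SizeOfRawData) does not fit inside the file is reported
with a warning and skipped, so a malformed header cannot make the script
extend the file or allocate an oversized buffer.
Section names longer than 8 characters are stored by COFF as "/<offset>"
references into the string table; those are not resolved here, so such
sections are never matched by the "debug" name check.
Failures are reported through Write-Error rather than a modal dialog, so the
function is usable from non-interactive hosts and from PowerShell on
non-Windows systems.
#>
[CmdletBinding()] Param (
    [Parameter(Position = 0, Mandatory = $True)]
    [ValidateScript({ Test-Path -Path $_ -PathType Leaf })]
    [String]
    $Path
)
$Code = @'
using System;
using System.IO;
using System.Text;
namespace COFF
{
    // One 40-byte COFF section header, read from the reader's current position.
    public class SECTION_HEADER
    {
        public string Name;
        public uint PhysicalAddress;
        public uint VirtualSize;
        public uint VirtualAddress;
        public uint SizeOfRawData;
        public uint PointerToRawData;
        public uint PointerToRelocations;
        public uint PointerToLinenumbers;
        public ushort NumberOfRelocations;
        public ushort NumberOfLinenumbers;
        public uint Characteristics;
        public Byte[] RawData; // not populated by this script; kept for callers that use the type
        public SECTION_HEADER(BinaryReader br)
        {
            // The name field is 8 bytes, NUL-padded; keep everything before the first NUL.
            this.Name = Encoding.UTF8.GetString(br.ReadBytes(8)).Split((Char) 0)[0];
            this.PhysicalAddress = br.ReadUInt32();
            // PhysicalAddress and VirtualSize share the same 4 bytes in the on-disk layout.
            this.VirtualSize = this.PhysicalAddress;
            this.VirtualAddress = br.ReadUInt32();
            this.SizeOfRawData = br.ReadUInt32();
            this.PointerToRawData = br.ReadUInt32();
            this.PointerToRelocations = br.ReadUInt32();
            this.PointerToLinenumbers = br.ReadUInt32();
            this.NumberOfRelocations = br.ReadUInt16();
            this.NumberOfLinenumbers = br.ReadUInt16();
            this.Characteristics = br.ReadUInt32();
        }
    }
    // The 20-byte COFF file header, read from the reader's current position.
    public class HEADER
    {
        public ushort Machine;
        public ushort NumberOfSections;
        public uint TimeDateStamp;
        public uint PointerToSymbolTable;
        public uint NumberOfSymbols;
        public ushort SizeOfOptionalHeader;
        public ushort Characteristics;
        public HEADER(BinaryReader br)
        {
            this.Machine = br.ReadUInt16();
            this.NumberOfSections = br.ReadUInt16();
            this.TimeDateStamp = br.ReadUInt32();
            this.PointerToSymbolTable = br.ReadUInt32();
            this.NumberOfSymbols = br.ReadUInt32();
            this.SizeOfOptionalHeader = br.ReadUInt16();
            this.Characteristics = br.ReadUInt16();
        }
    }
}
'@
# Compile the parser types once per session. Re-adding an identical definition
# is redundant and, on some hosts, fails because the type names already exist.
if (-not ('COFF.HEADER' -as [Type])) {
    Add-Type -TypeDefinition $Code
}

Write-Host "enumerating sections..."
try {
    # Pass 1: read the file header and every section header, collecting the
    # headers of the sections that are going to be zeroed. The file is closed
    # again before it is reopened for writing.
    $DebugSections = @()
    $Reader = New-Object IO.BinaryReader([IO.File]::OpenRead($Path))
    try {
        $FileLength = $Reader.BaseStream.Length
        $CoffHeader = New-Object COFF.HEADER($Reader)
        # The section table starts right after the optional header. Object files
        # normally have SizeOfOptionalHeader = 0, in which case this is a no-op.
        if ($CoffHeader.SizeOfOptionalHeader -gt 0) {
            $Reader.BaseStream.Seek($CoffHeader.SizeOfOptionalHeader, 'Current') | Out-Null
        }
        for ($i = 0; $i -lt $CoffHeader.NumberOfSections; $i++) {
            $Section = New-Object COFF.SECTION_HEADER($Reader)
            if ($Section.Name.Contains("debug")) {
                $DebugSections += $Section
            }
        }
    } finally {
        # Disposing the reader also closes the underlying file stream.
        $Reader.Dispose()
    }

    if ($DebugSections.Count -eq 0) {
        Write-Host "no debug section found; file left unchanged"
        return
    }

    # Pass 2: reopen for writing (OpenWrite does not truncate) and zero the raw
    # data of every debug section in place.
    $Writer = [IO.File]::OpenWrite($Path)
    try {
        $ZeroBlock = New-Object byte[] 65536
        foreach ($Section in $DebugSections) {
            $Start = [long]$Section.PointerToRawData
            $Length = [long]$Section.SizeOfRawData
            if ($Length -eq 0) {
                continue
            }
            # Never write past the end of the file: a corrupt or hostile header
            # must not be able to grow the file or drive a huge write.
            if ($Start + $Length -gt $FileLength) {
                Write-Warning ("section '" + $Section.Name + "' raw data lies outside the file; skipping")
                continue
            }
            Write-Host ("found debug section '" + $Section.Name + "'.. zeroing it...")
            $Writer.Seek($Start, 'Begin') | Out-Null
            # Write fixed-size zero blocks instead of one byte per call.
            $Remaining = $Length
            while ($Remaining -gt 0) {
                $Count = [int][Math]::Min($Remaining, [long]$ZeroBlock.Length)
                $Writer.Write($ZeroBlock, 0, $Count)
                $Remaining -= $Count
            }
        }
        Write-Host "closing stream..."
    } finally {
        $Writer.Dispose()
    }
    Write-Host "done!"
} catch {
    Write-Error ("error stripping debug symbols: " + $_.ToString())
    return
}
}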