SuperMega

Shellcode

--shellcode <filename.exe>
The payload shellcode, like your CobaltStrike beacon. Should be x64.
Located in the data/binary/shellcodes/ directory.

Injectable

--inject <filename.exe>
A 64-bit Windows PE executable used as a trojan. The shellcode will be injected in this EXE. The original functionality of the EXE will not work anymore (it will only execute the carrier with the shellcode it is carrying)
Located in the data/binary/exes/ directory.

Carrier

--carrier <carrier_name>
The code which loads the payload shellcode. This includes allocating memory, changing its permissions, and then finally executing it. It has the main() function (and will include Decoder, Anti-Emulation, and Guardrail modules).
Located in the data/source/carrier directory

• alloc_rw_rx: Allocate RW memory, copy payload, then make it RX. Recommended.
• alloc_rw_rwx: Same as alloc_rw_rx, but useful for self-modyfing payloads (e.g. ShikataGaNai)
• change_rw_rx: Change the memory permissions of the payload to RW, decode, then RX (no copying)(see payload location)
• dll_loader_alloc:
• dll_loader_change

The shellcode has a payload location of either::

• .rdata
• .text

With --payload_location <carrier_name>. Depending on the carrier, one or the other may be preferred. For example, change_rw_rx can be adjusted accordingly.

Decoder

--decoder <decoder_name>
How the payload is encrypted & decrypted.

• plain: No encryption
• xor: Single byte xor key, random
• xor_2: Two byte xor key, random. Recommended.

Anti-Emulation

--antiemulation <anti_emulation_name>

• none: No anti-emulation
• timeraw: CPU register time based
• sirallocalot: CPU cycles, memory and time based. Also does EDR-deconditioning. Recommended.

Guardrail

Carrier Invoke

How the carrier (which will load the payload shellcode) is invoked.
--carrier_invoke <carrier_invoke_name>

• eop: Change entry point to the carrier shellcode
• backdoor: Parse main function for a few unconditional jmp's, and change last jmp to jump to the carrier shellcode. Recommended.

Fix IAT

The carrier, or one of its modules, like the decoder, antiemulation, or guardrail, may require imports like Windows kernel32.dll functions. If these are not available in the injectable, the IAT is being patched for the required imports automatically. This will change the IAT of the injectable, which makes it less stealthy.

If you want to keep maximum stealth, use --no-fix-iat and adjust your carrier/modules or exe manually.