diff --git a/todo.md b/todo.md deleted file mode 100644 index ebb5414..0000000 --- a/todo.md +++ /dev/null 
@@ -1,337 +0,0 @@ -# Todo List - -+ show error message when using dll_loader with shellcode - + and vice versa -+ make window hide an option -+ handle the injection rva reloc shit depending on initial payload size better - -* slides: mention that threads need NOT to start in unbacked memory - - -# techniques - -* fork-carrier? - * alloc and copy in EXE1 - * fork - * RX in EXE2 - -* alternative: trash IAT entry with ROP ret? - * main first - * dll_loader too later - * for anti-ETW - * use gadget from library/DLL itself - -dll loader: -* as .text is after header, do make header until end .text rx (less holes) - * the rest just rw? -* loader: overwrite PE header after loading it -* loader: some details at https://trustedsec.com/blog/loading-dlls-reflections -* DONT do it if we assume DLL is IMAGE? (self stomping) -* make DLL loader PE header overwrite an option (memory region) - -? cover .text with empty 0000 relocs? - # pe-sieve will not scan reloced' sections - * add new (will fuckup .text addr?) - * overwrite existing (will not be applied?) - - -# high: - -* make plugins name colored red/yellow/green opsec - * add info buttons to each option, including OPSEC - - -# mid: - -* guardrails: automatically put the hostname in it? -* doc: list of things which are modyfiable -* ui: templates ? -* bug: .rdata max: 0 ?! - - -* Cool ETW patch for our own process? (EtwEventWrite() or something) - * just RW it, then overwrite with - void* pEventWrite = GetProcAddress(GetModuleHandleA("ntdll.dll"), (LPCSTR)sEtwEventWrite); - memcpy(pEventWrite, "\x48\x33\xc0\xc3", 4); // xor rax, rax; ret - https://github.com/unkvolism/Fuck-Etw/blob/main/etw-fuck.cpp - https://github.com/Gurpreet06/ETW-Patcher/blob/Gurpreet/main.cpp - * do it in dll_loader at IAT?! - * only events from dll will not be traced! - * its free... - -> no. loadlibrary does its thing - * own implementation? 
- - - - -* injector is weird and/or too complicated - * remove project argument (used for project.payload.len) - -* remove HACK which finds ascii in IAT, just replace with first Interval (or skip found interval 0) - -* remove jmp at entry (reorder main first in .asm) - -* webapp: rename project -* webapp: delete project - -* derbackdoorer test-rwx is fucked? (Could not find section with directory index 5!) -* refactor: ui web start / file make it a mode? enum -* exe_view and other exec/exec_more is shit as it is a path / with cannot be used as get -* get_addr_of_iat_function() and others: write if va or rva or offset in variables - - -refactor mid: -* REST /project_add is shitty -* is helper::run_process_checkret() in wrong file? (see utils.py, but should be like process.py) -* helper had to be changed because of observer include (utils.py) arrr - - -low: -* take a look at msf backdooring: -x -* add Executor: Create new thread -* integrate into avred -* use r2 to identify strings, and overwrite them individually (injector::inject_fix_data) -* get return value for debugging - # it somehow doesnt work? does shellcode exit itself? check with NOP? - - -# Unit Tests - -* each modification: - * inserting code - * starting code: EOP - * starting code: hijack - * IAT patch - * inserting .rdata data - * referencing .rdata data -* features - * relocation holes (check the shitty one in procexp) - * read/write .text - -* make unittests - * injector: injected_fix_iat() (asm, needs file) - * model: exeinfo - * pehelper: - * extract_code_from_exe() - * write_code_section() - * get_code_section() (a few different ones?) - * get_rwx_section() - - -# Done - -+ auto replace "supermega_payload" "shcstart" -+ try debugging it with az and cmdline shit -+ virtual alloc params are ok? -/ convert shellcode to exe (so i can debug it) -+ capture subprocess output, show it different color -+ check return values of executed commands -+ configurable payload size! - / best to template main.c? 
- + or replace in source - # $LN4@main: - # cmp DWORD PTR n$1[rsp], 348 ; 0000015cH - # jge SHORT $LN3@main -+ injector: use redbackdoorer (src) to inject it in a clean exe -+ test if mashm_shc converts strings -+ make it debuggable (stdout, stderr on error) -+ config.yaml for paths and stuff -+ write different encryptors -+ save all stdout/stderr into a file -+ make test for rwx -+ check inject exe first for which we choose: - + based on shellcode needs too - + can be: - + rwx iat_reuse - + iat_reuse - + peb_walk -+ refactor capabilities into project -+ get payload_size earlier (not in supermega before c->asm) -+ order of asm fixups -+ web: also capture logger output into a separate file -+ debug log disassemble with r2 -+ check code section size before injecting -+ read from files from alloc_style etc. name -+ find executable section - + code (0x20) - + then rx with entry point -+ arg to enable short call patching -+ remove TLS mentioning (as it sucks) -+ read written shellcode out of the exe - + to verify its correct -+ use redbackdoorer directly (as library) - + also: return addr of patched call -+ webapp -+ 11223344: {{PAYLOAD_LEN}} too -+ show asm diff (for fixup) -+ peb_walk template.c: also make includes -+ remove project from global completely - + do settings? -> config -+ remove observer from tests -+ set mode from cmdline - * also test with other modes -+ fix derbackdoorer debug stuff -/ remove use_templates -+ use iconsext.exe UPX packed binary to test RWX insertion -+ fix goddamn newlines again -+ fix HTML encoding -+ translate masmshc to python -+ fix magic offset in reuse_data for REAL reliably - + make sure its possible to disable it, and use the other two options - + holes? -+ :x -> :X -+ check all invocations of pehelper.*get_code_section*() - + for example exehost, doesnt need it as we have it as superpe -+ rawsize vs. 
virtualsize -+ merge superpe with mype - / dont load too much by default (init()) -> Done twice -+ check relocs/basereloc if they fall into my shellcode - + get relocs' - # usually in .rdata -+ make xor key configurable -+ patch the additional newlines i stupidly add in the asm -+ fix goddamn vs path -> readme again -+ make log a class -+ when error, no supermega.log is written -+ old ones are not cleaned? (do it on start?) -+ rename env - / should shellcode just be plugin? - / and "shellcode" the new shellcode? - / a lot in /dev, /dev/name shitfuck -+ fix config.yaml with http:// and make it a template -+ standardize in REST -+ rework observer, logger, stdout so they work together -+ helper::run_process_checkret() is ugly, too many conversions -+ observer::add_log() its not clear what log is -/ compile_dev in compiler.py is just a copy - is that necessary? -+ put strings into data -+ web: fix timeout on create -+ observer: will too often write to file instead of doing it in a datastructure - -+ give/create directory where everything is stored (per project / invocation) -+ do all asm parsing like datareuse asm parser (in one place?) - / compiler a class? -> no, no shared stuff -+ put logs into project dir -+ remove AllocStyle -+ remove ExecStyle -+ rename InjectStyle -> CarrierInvokeStyle (how to call carrier, EOP/CALL) - + settings.inject_mode - + derbackdoorer.runMode -+ rename SourceStyle -> FunctionInvokeStyle (how to call functions, IAT/PEB) - + sourcestyle - + sourcestyles -/ rename DataRefStyle -> PayloadInjectStyle -> removed -+ view_project::project() does not yet get real export list -+ infect dll's - + based on redbackdoorer, DLL always use backdoorEntryPoint (not EOP) - + EOP is DllMain()! 
-+ hide buttons if corresponding files aint there -+ rename derbackdoorer.runMode to InjectStyle - + everywhere else too -+ verifier with many exes (filecreate shellcode) - -/ ui dropdown exe/dll: add rx section size -> no, performance -+ ui dropdown shellcode: add size -+ check if dll/exe runs (does not have any unfulfilled dependencies) -+ iat_reuse in dll's seem to be a bit broken? -> fixed, iat and function size -+ do not use jne/jge to recursively search for stuff (only for calls. if even?) -+ test: iatttest-full.exe: - + hijack doesnt work - + eop says "no code section found" -+ things to consider - + DLL-func EOP: needs to have space in it (relocs? or why?) - + DLL-func Hijack: always works? (very small functions with no jump?) -> 3 options - + show: the function, up until the jump - + make 3 options selectable -+ datareuse::datareusefileparser: move away into compiler -/ can or should i use strlen() for payload instead of hardcode length? -/ add masm_shc, runshc binaries to the repo -/ is reloc generally really necessary? - # procexp pebwalk hijack: yes - # procexp pebwalk eop: NO -+ show missing dlls more dominantely - / make it unable to build? - + make a way where user can copy his dlls there (dont remove everything from project folder) -+ rw: 0x4 rx: 0x20 rwx: 0x40 -+ most exes dont work (because missing dlls), check it -/ remove exes_more/ and dlls/? -+ ui build: will copy new files - + copy only when not exists? -> del all except nonstandard .exe .dll -+ list shellcode -+ list exes -+ remotely detonate it on a host (like avred) -+ change func hijack relocatable call to indirect call -+ iat-overwrite/path settings -+ remove exehost? it doesnt do much - + optimize get_vaddr_of_iatentry() ? -+ remove all unecessary iat* functions in superpe -+ injector: get from carrier -+ change an IAT to the one's we need (existing DLLs only?) -+ merge all Cs keystone disasm into pehelper? 
(derbackdoorer) -+ put payload into data or other section (consider relocs) - # note: lea is 7 bytes - + make webapp checkbox - + note: fix xor -+ rename AsmParser to AsmTextParser, parse_asm_file -+ use directory name as index instead of Enum? - + PATH_PEB_WALK, PATH_IAT_REUSE - + PATH_CARRIER - + settings.source_style -> carrier_name - + settings.template_path - + args.function_invoke_style -/ remove peb_walk? -> no keep it -+ modify .text or .data memory protection -+ some of the shellcodes require RWX memory -> dedicated template -+ shellcode: Use WinExec(), or CreateProcessA()? -+ set enc key in config (xor_key, xor_key2) - + random if not set -+ try again with short len for protect, but consider 300kb of pages (loop) -+ IAT with cpuz.exe: no size 3 in .rdata?! - - -+ settings -> project: prep_web() and prepare_project() are weird -+ remove r2 for disassembly? (or make it optional) -+ check entropy with a tool -+ do not add 0 reloc (for ) -+ rename: - + sourcestyle (peb, iat): carrier_style? - + rbrunmode (eop, backdoor): start_mode? -+ loader: do not VirtualAlloc, reuse existing section -+ anti emulation - + web make it configurable -+ decoy - + web make it configurable -+ make executation guardrails a plugin too - + web make it configurable -+ fix templates with - + antiemulation - + decoy - + guardrails -+ tests all relevant: - + dll_loader_alloc - + dll_loader_change -+ put exe in projects/, not exes/ -+ remove payload.len (its len(payload)...) -+ on start: check if all dependencies (ml64.exe) are available -+ put payload away from carrier so it can be RW'd instead of RWX'd - + reference it like .rdata (not with the payload reference in asm-text) -+ make sane defaults when creating new project -+ .code injection should also always reference like .rdata? - # would make source more consistent - # but relative jump more stealthy? -+ rename dll change-address-eop to overwrite? -+ in injector, do we need a new superpe, or can just re-use the one from carrier? 
-+ on code injection: check if we overlap carrier, payload -+ support different locations in .text -> rm technique0 -+ change_rwx_rx has the special VirtualProtect() - + outsource it either in a .h, or template -+ remove decoder_styles (as they are files now) -+ sirallocalot is configurable - + or make sensible defaults? - + memory target = 10MB? - + instruction target = 10'000? - - - - -
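Review bot: Deleting the whole file also drops the still-open items under "# techniques", "# high:", "# mid:" and "low:" (for example "* bug: .rdata max: 0 ?!", "+ show error message when using dll_loader with shellcode" and the "# Unit Tests" checklist) with nothing in this diff saying where they were migrated; either keep those sections and remove only the "# Done" backlog, or point to the issue tracker (or replacement document) in the commit message so the open work and planned tests are not lost.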