mirror of
https://github.com/dobin/SuperMega
synced 2026-06-03 01:27:11 +00:00
doc
@@ -1,23 +1,74 @@
# Todo List
# Todo List
+ settings -> project: prep_web() and prepare_project() are weird
+ show error message when using dll_loader with shellcode
+ and vice versa
+ make window hide an option
+ handle the injection rva reloc shit depending on initial payload size better
* slides: mention that threads need NOT to start in unbacked memory
# techniques
* fork-carrier?
* alloc and copy in EXE1
* fork
* RX in EXE2
* alternative: trash IAT entry with ROP ret?
* main first
* dll_loader too later
* for anti-ETW
* use gadget from library/DLL itself
dll loader:
* as .text is after header, do make header until end .text rx (less holes)
* the rest just rw?
* loader: overwrite PE header after loading it
* loader: some details at https://trustedsec.com/blog/loading-dlls-reflections
* DONT do it if we assume DLL is IMAGE? (self stomping)
* make DLL loader PE header overwrite an option (memory region)
? cover .text with empty 0000 relocs?
# pe-sieve will not scan reloced' sections
* add new (will fuckup .text addr?)
* overwrite existing (will not be applied?)
# high:
# high:
* remove r2 for disassembly? (or make it optional)
* make plugins name colored red/yellow/green opsec
* more code size checks when selecting (shellcode 300kb .text small)
* add info buttons to each option, including OPSEC
# mid:
# mid:
* remove HACK which finds ascii in IAT, just replace with first Interval (or skip found interval 0)
* guardrails: automatically put the hostname in it?
* do not add 0 reloc (for )
* doc: list of things which are modyfiable
* rename dll change-address-eop to overwrite?
* ui: templates ?
* bug: .rdata max: 0 ?!
* Cool ETW patch for our own process? (EtwEventWrite() or something)
* just RW it, then overwrite with
void* pEventWrite = GetProcAddress(GetModuleHandleA("ntdll.dll"), (LPCSTR)sEtwEventWrite);
memcpy(pEventWrite, "\x48\x33\xc0\xc3", 4); // xor rax, rax; ret
https://github.com/unkvolism/Fuck-Etw/blob/main/etw-fuck.cpp
https://github.com/Gurpreet06/ETW-Patcher/blob/Gurpreet/main.cpp
* do it in dll_loader at IAT?!
* only events from dll will not be traced!
* its free...
-> no. loadlibrary does its thing
* own implementation?
* injector is weird and/or too complicated
* remove project argument (used for project.payload.len)
* remove HACK which finds ascii in IAT, just replace with first Interval (or skip found interval 0)
* rename:
* sourcestyle (peb, iat): carrier_style?
* rbrunmode (eop, backdoor): start_mode?
* remove jmp at entry (reorder main first in .asm)
* remove jmp at entry (reorder main first in .asm)
* webapp: rename project
* webapp: rename project
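Review bot: `+ and vice versa` has lost its antecedent: flattened into the list it reads as a standalone item, so either indent it under `+ show error message when using dll_loader with shellcode` or spell it out on its own line. In the same hunk, `+ handle the injection rva reloc shit depending on initial payload size better` is a tracked todo item and should be reworded neutrally so the entry says what is currently wrong, and the context line `* do not add 0 reloc (for )` carries an empty parenthesis that should be completed or dropped.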
@@ -238,5 +289,49 @@ low:
+ IAT with cpuz.exe: no size 3 in .rdata?!
+ IAT with cpuz.exe: no size 3 in .rdata?!
+ settings -> project: prep_web() and prepare_project() are weird
+ remove r2 for disassembly? (or make it optional)
+ check entropy with a tool
+ do not add 0 reloc (for )
+ rename:
+ sourcestyle (peb, iat): carrier_style?
+ rbrunmode (eop, backdoor): start_mode?
+ loader: do not VirtualAlloc, reuse existing section
+ anti emulation
+ web make it configurable
+ decoy
+ web make it configurable
+ make executation guardrails a plugin too
+ web make it configurable
+ fix templates with
+ antiemulation
+ decoy
+ guardrails
+ tests all relevant:
+ dll_loader_alloc
+ dll_loader_change
+ put exe in projects/, not exes/
+ remove payload.len (its len(payload)...)
+ on start: check if all dependencies (ml64.exe) are available
+ put payload away from carrier so it can be RW'd instead of RWX'd
+ reference it like .rdata (not with the payload reference in asm-text)
+ make sane defaults when creating new project
+ .code injection should also always reference like .rdata?
# would make source more consistent
# but relative jump more stealthy?
+ rename dll change-address-eop to overwrite?
+ in injector, do we need a new superpe, or can just re-use the one from carrier?
+ on code injection: check if we overlap carrier, payload
+ support different locations in .text -> rm technique0
+ change_rwx_rx has the special VirtualProtect()
+ outsource it either in a .h, or template
+ remove decoder_styles (as they are files now)
+ sirallocalot is configurable
+ or make sensible defaults?
+ memory target = 10MB?
+ instruction target = 10'000?
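Review bot: duplicate entries make this hunk hard to track: `+ web make it configurable` is added three times, `+ decoy` twice, and `+ anti emulation` / `+ antiemulation` are the same item spelled two ways, while `+ settings -> project: prep_web() and prepare_project() are weird`, `+ remove r2 for disassembly? (or make it optional)`, `+ rename dll change-address-eop to overwrite?` and the `+ rename:` / `+ sourcestyle` / `+ rbrunmode` group already exist in the first hunk; dedupe before merging. Also fix `executation` to `execution`, and complete or drop the truncated `+ fix templates with` and `+ do not add 0 reloc (for )`.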