diff --git a/helper.py b/helper.py index 23734e9..1b29950 100644 --- a/helper.py +++ b/helper.py @@ -55,6 +55,7 @@ def run_exe(exefile, dllfunc="", check=True): if exefile.endswith(".dll"): if dllfunc == "": dllfunc = "dllMain" + logger.info("----[ No DLL function specified, using default: {}".format(dllfunc)) #raise Exception("---[ No DLL function specified") args = [ "rundll32.exe", "{},{}".format(exefile, dllfunc) ] elif exefile.endswith(".exe"): diff --git a/phases/injector.py b/phases/injector.py index 506abde..bfcc02f 100644 --- a/phases/injector.py +++ b/phases/injector.py @@ -79,8 +79,9 @@ def inject_exe( logger.info("---( Rewire: DLL function: {} ".format(settings.dllfunc)) if carrier_invoke_style == CarrierInvokeStyle.ChangeEntryPoint: - raise Exception("--( Inject DLL: Change Entry Point unsupported when set ".format( - settings.dllfunc)) + #raise Exception("--( Inject DLL: Change Entry Point unsupported when set ".format( + # settings.dllfunc)) + pass elif carrier_invoke_style == CarrierInvokeStyle.BackdoorCallInstr: addr = pe_backdoorer.getExportEntryPoint(settings.dllfunc) @@ -103,11 +104,9 @@ def inject_exe( addr)) pe_backdoorer.backdoor_function(addr, shellcode_rva) - if False: - if source_style == FunctionInvokeStyle.iat_reuse: - injected_fix_iat(superpe, project.carrier, project.exe_host) - if True: - injected_fix_data(superpe, project.carrier, project.exe_host) + if source_style == FunctionInvokeStyle.iat_reuse: + injected_fix_iat(superpe, project.carrier, project.exe_host) + injected_fix_data(superpe, project.carrier, project.exe_host) # We done superpe.write_pe_to_file(exe_out) diff --git a/supermega.py b/supermega.py index dabba62..c6ffe8e 100644 --- a/supermega.py +++ b/supermega.py 
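Review bot: The new fallback only fires on `dllfunc == ""`, so a caller passing `None` (the tester's "func=None" cases suggest `settings.dllfunc` can be unset) skips the default and `"{},{}".format(exefile, dllfunc)` hands rundll32 the literal export name `None`; `if not dllfunc:` covers both the empty string and `None`. The added log line should use lazy formatting, `logger.info("----[ No DLL function specified, using default: %s", dllfunc)`, and the `#raise Exception(...)` left beneath it is dead code now that the fallback is logged rather than rejected. Since rundll32 looks the name up as an export, a carrier that does not export `dllMain` will presumably fail at load rather than here, so a short comment on the default, `# rundll32 needs an exported name; dllMain is only a guess for carriers with no known export`, would help. run_exe continues outside the hunk.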
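Review bot: Replacing the raise with `pass` leaves two commented-out lines in the `ChangeEntryPoint` branch of inject_exe and no statement of why the combination is now permitted for a DLL carrier; delete the dead code and put the reason there, e.g. `# ChangeEntryPoint needs no export lookup; the entry point is patched below`, if that is indeed why it is safe (the hunk does not show where the entry point is rewritten). As written the branch silently accepts a case the previous code rejected, so any remaining limitation is only discoverable when the verify step fails. inject_exe continues outside the hunk.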
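Review bot: Dropping the `if False:` guard re-enables `injected_fix_iat` for `FunctionInvokeStyle.iat_reuse` carriers, but nothing in the hunk records why it had been switched off; if it was disabled because it was broken, iat_reuse output now changes without a test exercising it (the tester's DLL iat-reuse cases sit in a function that is never called). A one-line comment above the call, `# IAT fixups presumably only apply when the payload resolves imports through the carrier's IAT`, would make the intent explicit, or a note in the commit message if the earlier disable was just a debugging leftover. inject_exe continues outside the hunk.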
@@ -190,7 +190,9 @@ def start_real(settings: Settings): # Start/verify it at the end if settings.verify: logger.info("--[ Verify infected exe") - payload_exit_code = phases.injector.verify_injected_exe(settings.inject_exe_out) + payload_exit_code = phases.injector.verify_injected_exe( + settings.inject_exe_out, + dllfunc=settings.dllfunc) logging.info("Payload exit code: {}".format(payload_exit_code)) if payload_exit_code != 0: raise Exception("Payload exit code: {}".format(payload_exit_code)) diff --git a/tester.py b/tester.py index 94d01a0..adb2984 100644 --- a/tester.py +++ b/tester.py 
@@ -7,54 +7,130 @@ from model.defs import * from model.settings import Settings from log import setup_logging from supermega import start +from model.project import prepare_project def main(): logger.info("Super Mega Tester") config.load() + #test_exe() + test_dll() + + +def test_exe(): + print("Testing: EXEs") settings = Settings() - settings.payload_path = PATH_SHELLCODES + "createfile.bin" + settings.payload_path = PATH_SHELLCODES + "createfile.bin" settings.verify = True settings.try_start_final_infected_exe = False + settings.prep_web("unittest") + prepare_project("unittest", settings) # 7z, peb-walk, change-entrypoint + print("Test: 7z, peb-walk, change-entrypoint") settings.source_style = FunctionInvokeStyle.peb_walk settings.carrier_invoke_style = CarrierInvokeStyle.ChangeEntryPoint settings.inject_exe_in = PATH_EXES + "7z.exe" settings.inject_exe_out = PATH_EXES + "7z.verify.exe" if start(settings) != 0: print("Error") - return 1 # 7z, peb-walk, hijack + print("Test: 7z, peb-walk, hijack main") settings.source_style = FunctionInvokeStyle.peb_walk settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorCallInstr settings.inject_exe_in = PATH_EXES + "7z.exe" settings.inject_exe_out = PATH_EXES + "7z.verify.exe" if start(settings) != 0: print("Error") - return 1 # procexp, iat-reuse, change-entrypoint + print("Test: procexp, iat-reuse, change-entrypoint") settings.source_style = FunctionInvokeStyle.iat_reuse settings.carrier_invoke_style = CarrierInvokeStyle.ChangeEntryPoint settings.inject_exe_in = PATH_EXES + "procexp64.exe" settings.inject_exe_out = PATH_EXES + "procexp64.verify.exe" if start(settings) != 0: print("Error") - return 1 - # procexp, iat-reuse, change-entrypoint + # procexp, iat-reuse, backdoor + print("Test: procexp, iat-reuse, backdoor") settings.source_style = FunctionInvokeStyle.iat_reuse - settings.carrier_invoke_style = CarrierInvokeStyle.ChangeEntryPoint + settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorCallInstr 
settings.inject_exe_in = PATH_EXES + "procexp64.exe" settings.inject_exe_out = PATH_EXES + "procexp64.verify.exe" if start(settings) != 0: print("Error") + + +def test_dll(): + print("Testing: DLLs") + settings = Settings() + settings.payload_path = PATH_SHELLCODES + "createfile.bin" + settings.verify = True + settings.try_start_final_infected_exe = False + settings.prep_web("unittest") + prepare_project("unittest", settings) + + print("Test: libbz2-1.dll, peb-walk, change-entrypoint dllMain (func=None)") + settings.source_style = FunctionInvokeStyle.peb_walk + settings.carrier_invoke_style = CarrierInvokeStyle.ChangeEntryPoint + settings.inject_exe_in = PATH_EXES + "libbz2-1.dll" + settings.inject_exe_out = PATH_EXES + "libbz2-1.verify.dll" + if start(settings) != 0: + print("Error") + + print("Test: libbz2-1.dll, peb-walk, hijack dllMain (func=None)") + settings.source_style = FunctionInvokeStyle.peb_walk + settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorCallInstr + settings.inject_exe_in = PATH_EXES + "libbz2-1.dll" + settings.inject_exe_out = PATH_EXES + "libbz2-1.verify.dll" + if start(settings) != 0: + print("Error") + + print("Test: libbz2-1.dll, peb-walk, change-entrypoint, func=BZ2_bzdopen") + settings.dllfunc = "BZ2_bzdopen" + settings.source_style = FunctionInvokeStyle.peb_walk + settings.carrier_invoke_style = CarrierInvokeStyle.ChangeEntryPoint + settings.inject_exe_in = PATH_EXES + "libbz2-1.dll" + settings.inject_exe_out = PATH_EXES + "libbz2-1.verify.dll" + if start(settings) != 0: + print("Error") + + print("Test: libbz2-1.dll, peb-walk, hijack main, func=BZ2_bzdopen") + settings.dllfunc = "BZ2_bzdopen" + settings.source_style = FunctionInvokeStyle.peb_walk + settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorCallInstr + settings.inject_exe_in = PATH_EXES + "libbz2-1.dll" + settings.inject_exe_out = PATH_EXES + "libbz2-1.verify.dll" + if start(settings) != 0: + print("Error") + + +def dll_iat_reuse(): + # procexp, iat-reuse, 
change-entrypoint + print("Test: libbz2-1.dll, iat-reuse, change-entrypoint") + settings.source_style = FunctionInvokeStyle.iat_reuse + settings.carrier_invoke_style = CarrierInvokeStyle.ChangeEntryPoint + settings.inject_exe_in = PATH_EXES + "libbz2-1.dll" + settings.inject_exe_out = PATH_EXES + "libbz2-1.verify.dll" + if start(settings) != 0: + print("Error") return 1 + # procexp, iat-reuse, backdoor + print("Test: libbz2-1.dll, iat-reuse, backdoor") + settings.source_style = FunctionInvokeStyle.iat_reuse + settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorCallInstr + settings.inject_exe_in = PATH_EXES + "libbz2-1.dll" + settings.inject_exe_out = PATH_EXES + "libbz2-1.verify.dll" + if start(settings) != 0: + print("Error") + return 1 + # DLL + if __name__ == "__main__": - setup_logging(level=logging.WARN) + setup_logging(level=logging.WARNING) main()
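Review bot: `dll_iat_reuse` references `settings` without defining it, while `test_exe` and `test_dll` each build their own local `Settings()`, so calling it would raise `NameError`; give it a parameter, `def dll_iat_reuse(settings):`, and invoke it from `test_dll`. The rewritten `test_exe` dropped its `return 1` lines, `main` returns nothing, and `#test_exe()` is commented out, so a failing case prints "Error" and the script still exits 0 — have each test function return a failure count and `sys.exit` on it from the `__main__` guard, or restore the early returns. Also worth a comment at the top of `main`: with `settings.verify = True` every case writes an infected carrier under PATH_EXES and then executes it, so this script must only be run inside a disposable VM or sandbox.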