admin/SuperMega
1
0
Fork 0
mirror of https://github.com/dobin/SuperMega synced 2026-06-02 17:27:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

doc: update

Browse Source
This commit is contained in:
Dobin Rutishauser
2025-06-10 09:20:03 +02:00
parent ec0776d82b
commit 4443827fcf
1 changed files with 21 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+21 -17
View File
@@ -8,9 +8,10 @@
## What
SuperMega is a shellcode loader by injecting it into genuine executables (.exe or .dll).
SuperMega is a shellcode loader. By injecting the payload shellcode into a
genuine executables (.exe or .dll).
The loader shellcode will be tightly integrated into the .exe so that static analysis
The loader/carrier shellcode will be tightly integrated into the .exe so that static analysis
has a hard time to spot that the exe is infected. Static analysis will just see
the genuine exe artefacts.
@@ -22,12 +23,9 @@ Features:
* Execution guardrails, so payload is only decrypted on target
* Anti emulation, against AV emulators detecting the payload in memory
* EDR deconditioner, against EDR memory scan
* Keep all original properties of the executable (imports, metadata etc.)
* Very small carrier loader
* Code execution with main function hijacking
* No PEB walk, reuses IAT to execute windows api functions
* Inject data into .rdata for the carrier shellcode
* Patch IAT for missing functions for the carrier
* Keep all original properties of the executable (imports, metadata etc.) against heuristics
* Code execution with main function hijacking against static analysis
* Carrier doesnt do PEB walk, reuses IAT to execute windows api functions (Cordyceps technique)
References:
* [Slides](https://docs.google.com/presentation/d/1_gwd0M49ObHZO5JtrkZl1NPwRKXWVRm_zHTDdGqRl3Q/edit?usp=sharing) HITB2024 BKK "My first and last shellcode loader"
@@ -175,30 +173,36 @@ community edition.
## Directories
* `data/binary/shellcodes`: Input: Shellcodes we want to use as input (payload)
* `data/binary/exes/`: Input: Nonmalicious EXE files we inject into
* `data/source/carrier`: Input: Carrier C templates
Input:
* `data/binary/shellcodes`: Input: Shellcodes we want to use as input (payload). .bin
* `data/binary/exes/`: Input: Nonmalicious EXE files we inject into. .exe
Output:
* `projects/<projectname>`: output: Project directory with generated files, including infected exe
* `projects/default`: output: Project directory with all files from web
* `projects/commandline`: output: Project directory with all files from commandline
Modifiable:
* `data/source/carrier`: The thing which actually decodes and executes the payload (alloc_rw_rx, alloc_rx_rwx, ...)
* `data/source/antiemulation`: Different implementation to make AV emulator give up (sirallocalot, timeraw, ...)
* `data/source/decoder`: Decryption of the payload (xor, xor2)
* `data/source/guardrails`: Execution guardrails example (env)
* `data/source/virtualprotect`: Some fun with virtualprotect
## Installation
VS2022 compilers.
Required:
VS2022 compiler is required:
* `ml64.exe`
* `cl.exe`
Optional:
* `r2.exe`
And the python packages:
```
> pip.exe install -r requirements.txt
```
Optional:
* `r2.exe`
### VS2022 Components