diff --git a/README.md b/README.md index 2bac987..b708e89 100644 --- a/README.md +++ b/README.md 
@@ -202,29 +202,34 @@ Optional: Description of funtionality and settings. + ### Shellcode -`--shellcode ` -The payload shellcode, like your CobaltStrike beacon. Should be x64. +`--shellcode ` +The 64-bit payload shellcode, like your CobaltStrike beacon. Should be x64. Located in the `data/binary/shellcodes/` directory. + ### Injectable `--inject ` A 64-bit Windows PE executable used as a trojan. The shellcode will be injected in this EXE or DLL. The original functionality of the EXE/DLL will not work anymore (it will only execute the carrier with the shellcode it is carrying) Located in the `data/binary/injectables/` directory. +Make sure it has all it's required DLLs. + + ### Carrier `--carrier ` -The code which loads the payload shellcode. This includes allocating memory, changing its permissions, and then finally executing it. It has the main() function (and will include Decoder, Anti-Emulation, and Guardrail modules). +C code which loads and executes the payload shellcode. This includes allocating memory, changing its permissions, and then finally executing it. It has the main() function, and modules: Decoder, Anti-Emulation, and Guardrail. Located in the `data/source/carrier` directory * alloc\_rw\_rx: Allocate RW memory, copy payload, then make it RX. **Recommended**. * alloc\_rw\_rwx: Same as alloc\_rw\_rx, but useful for self-modyfing payloads (e.g. ShikataGaNai) -* change\_rw\_rx: Change the memory permissions of the payload to RW, decode, then RX (IMAGE spoofing, see `--`) -* dll\_loader\_alloc: -* dll\_loader\_change +* change\_rw\_rx: Change the memory permissions of the payload to RW, decode, then RX (IMAGE spoofing, see payload_location`) +* dll\_loader\_alloc: `.dll` payload: Allocate RW memory, load DLL, then make it RX. +* dll\_loader\_change: `.dll` payload: Change payload location to RW, load it, then make it RX. IMAGE spoofing. While the carrier is injected into the `.text` section, the payload can be placed in either `.rdata` or `.text`. 
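Review bot: the rewritten `change_rw_rx` bullet has an unbalanced backtick, `see payload_location`)` never opens a code span, so the option name will render as a stray backtick; wrap the name on both sides (`` `payload_location` ``) so it reads like the other option references. Two smaller points in the same hunk: the new line "Make sure it has all it's required DLLs." should read "its required DLLs", and the new Shellcode description says both "The 64-bit payload shellcode" and "Should be x64", which is the same statement twice; keep one. The untouched context lines still carry "funtionality" and "self-modyfing", which are worth fixing while this file is open.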
@@ -240,7 +245,7 @@ In which section the payload is stored. Putting the payload in the `.text` section allows us to use carrier `change_rw_rx` to decrypt it there. This can have the advantage of looking like its natural -trusted IMAGE data. Its also possible to use carrier `dll_loader_change` with +trusted IMAGE data (IMAGE spoofing). Its also possible to use carrier `dll_loader_change` with a DLL as payload which may even be more stealthy. @@ -298,12 +303,12 @@ How the carrier (which will load the payload shellcode) is invoked. ### DLL as Injectable When injecting INTO a DLL, `dllMain()` will be used instead of `main()`. -To backdoor a specific export, use `--dllfunc `. +To backdoor or overwrite a specific export, use `--dllfunc `. ### DLL as payload - +When using a DLL instead of a shellcode, use carrier `dll_loader_alloc`, or `dll_loader_change`. ### Fix IAT
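Review bot: in the `@@ -240,7 +245,7 @@` hunk the rewritten line keeps "Its also possible to use carrier `dll_loader_change`", where "It's also possible" is meant. In the `@@ -298,12 +303,12 @@` hunk the new "DLL as payload" sentence only says to use `dll_loader_alloc` or `dll_loader_change`; since the carrier list earlier in this patch distinguishes them by where the payload lives (allocate fresh RW memory versus change the permissions of the payload in place), a half sentence stating which loader goes with which payload placement would save readers cross-checking the two sections.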