mirror of
https://github.com/dobin/SuperMega
synced 2026-06-02 17:27:10 +00:00
add: todo.txt
This commit is contained in:
Dobin
@@ -0,0 +1,242 @@
|
||||
# Todo List
|
||||
|
||||
+ settings -> project: prep_web() and prepare_project() are weird
|
||||
|
||||
|
||||
# high:
|
||||
|
||||
* remove r2 for disassembly? (or make it optional)
|
||||
* more code size checks when selecting (shellcode 300kb .text small)
|
||||
|
||||
|
||||
# mid:
|
||||
|
||||
* remove HACK which finds ascii in IAT, just replace with first Interval (or skip found interval 0)
|
||||
* do not add 0 reloc (for )
|
||||
* rename dll change-address-eop to overwrite?
|
||||
|
||||
* rename:
|
||||
* sourcestyle (peb, iat): carrier_style?
|
||||
* rbrunmode (eop, backdoor): start_mode?
|
||||
* remove jmp at entry (reorder main first in .asm)
|
||||
|
||||
* webapp: rename project
|
||||
* webapp: delete project
|
||||
|
||||
* derbackdoorer test-rwx is fucked? (Could not find section with directory index 5!)
|
||||
* refactor: ui web start / file make it a mode? enum
|
||||
* exe_view and other exec/exec_more is shit as it is a path / with cannot be used as get
|
||||
* get_addr_of_iat_function() and others: write if va or rva or offset in variables
|
||||
|
||||
|
||||
refactor mid:
|
||||
* REST /project_add is shitty
|
||||
* is helper::run_process_checkret() in wrong file? (see utils.py, but should be like process.py)
|
||||
* helper had to be changed because of observer include (utils.py) arrr
|
||||
|
||||
|
||||
low:
|
||||
* take a look at msf backdooring: -x
|
||||
* add Executor: Create new thread
|
||||
* integrate into avred
|
||||
* use r2 to identify strings, and overwrite them individually (injector::inject_fix_data)
|
||||
* get return value for debugging
|
||||
# it somehow doesnt work? does shellcode exit itself? check with NOP?
|
||||
|
||||
|
||||
# Unit Tests
|
||||
|
||||
* each modification:
|
||||
* inserting code
|
||||
* starting code: EOP
|
||||
* starting code: hijack
|
||||
* IAT patch
|
||||
* inserting .rdata data
|
||||
* referencing .rdata data
|
||||
* features
|
||||
* relocation holes (check the shitty one in procexp)
|
||||
* read/write .text
|
||||
|
||||
* make unittests
|
||||
* injector: injected_fix_iat() (asm, needs file)
|
||||
* model: exeinfo
|
||||
* pehelper:
|
||||
* extract_code_from_exe()
|
||||
* write_code_section()
|
||||
* get_code_section() (a few different ones?)
|
||||
* get_rwx_section()
|
||||
|
||||
|
||||
# Done
|
||||
|
||||
+ auto replace "supermega_payload" "shcstart"
|
||||
+ try debugging it with az and cmdline shit
|
||||
+ virtual alloc params are ok?
|
||||
/ convert shellcode to exe (so i can debug it)
|
||||
+ capture subprocess output, show it different color
|
||||
+ check return values of executed commands
|
||||
+ configurable payload size!
|
||||
/ best to template main.c?
|
||||
+ or replace in source
|
||||
# $LN4@main:
|
||||
# cmp DWORD PTR n$1[rsp], 348 ; 0000015cH
|
||||
# jge SHORT $LN3@main
|
||||
+ injector: use redbackdoorer (src) to inject it in a clean exe
|
||||
+ test if mashm_shc converts strings
|
||||
+ make it debuggable (stdout, stderr on error)
|
||||
+ config.yaml for paths and stuff
|
||||
+ write different encryptors
|
||||
+ save all stdout/stderr into a file
|
||||
+ make test for rwx
|
||||
+ check inject exe first for which we choose:
|
||||
+ based on shellcode needs too
|
||||
+ can be:
|
||||
+ rwx iat_reuse
|
||||
+ iat_reuse
|
||||
+ peb_walk
|
||||
+ refactor capabilities into project
|
||||
+ get payload_size earlier (not in supermega before c->asm)
|
||||
+ order of asm fixups
|
||||
+ web: also capture logger output into a separate file
|
||||
+ debug log disassemble with r2
|
||||
+ check code section size before injecting
|
||||
+ read from files from alloc_style etc. name
|
||||
+ find executable section
|
||||
+ code (0x20)
|
||||
+ then rx with entry point
|
||||
+ arg to enable short call patching
|
||||
+ remove TLS mentioning (as it sucks)
|
||||
+ read written shellcode out of the exe
|
||||
+ to verify its correct
|
||||
+ use redbackdoorer directly (as library)
|
||||
+ also: return addr of patched call
|
||||
+ webapp
|
||||
+ 11223344: {{PAYLOAD_LEN}} too
|
||||
+ show asm diff (for fixup)
|
||||
+ peb_walk template.c: also make includes
|
||||
+ remove project from global completely
|
||||
+ do settings? -> config
|
||||
+ remove observer from tests
|
||||
+ set mode from cmdline
|
||||
* also test with other modes
|
||||
+ fix derbackdoorer debug stuff
|
||||
/ remove use_templates
|
||||
+ use iconsext.exe UPX packed binary to test RWX insertion
|
||||
+ fix goddamn newlines again
|
||||
+ fix HTML encoding
|
||||
+ translate masmshc to python
|
||||
+ fix magic offset in reuse_data for REAL reliably
|
||||
+ make sure its possible to disable it, and use the other two options
|
||||
+ holes?
|
||||
+ :x -> :X
|
||||
+ check all invocations of pehelper.*get_code_section*()
|
||||
+ for example exehost, doesnt need it as we have it as superpe
|
||||
+ rawsize vs. virtualsize
|
||||
+ merge superpe with mype
|
||||
/ dont load too much by default (init()) -> Done twice
|
||||
+ check relocs/basereloc if they fall into my shellcode
|
||||
+ get relocs'
|
||||
# usually in .rdata
|
||||
+ make xor key configurable
|
||||
+ patch the additional newlines i stupidly add in the asm
|
||||
+ fix goddamn vs path -> readme again
|
||||
+ make log a class
|
||||
+ when error, no supermega.log is written
|
||||
+ old ones are not cleaned? (do it on start?)
|
||||
+ rename env
|
||||
/ should shellcode just be plugin?
|
||||
/ and "shellcode" the new shellcode?
|
||||
/ a lot in /dev, /dev/name shitfuck
|
||||
+ fix config.yaml with http:// and make it a template
|
||||
+ standardize in REST
|
||||
+ rework observer, logger, stdout so they work together
|
||||
+ helper::run_process_checkret() is ugly, too many conversions
|
||||
+ observer::add_log() its not clear what log is
|
||||
/ compile_dev in compiler.py is just a copy - is that necessary?
|
||||
+ put strings into data
|
||||
+ web: fix timeout on create
|
||||
+ observer: will too often write to file instead of doing it in a datastructure
|
||||
|
||||
+ give/create directory where everything is stored (per project / invocation)
|
||||
+ do all asm parsing like datareuse asm parser (in one place?)
|
||||
/ compiler a class? -> no, no shared stuff
|
||||
+ put logs into project dir
|
||||
+ remove AllocStyle
|
||||
+ remove ExecStyle
|
||||
+ rename InjectStyle -> CarrierInvokeStyle (how to call carrier, EOP/CALL)
|
||||
+ settings.inject_mode
|
||||
+ derbackdoorer.runMode
|
||||
+ rename SourceStyle -> FunctionInvokeStyle (how to call functions, IAT/PEB)
|
||||
+ sourcestyle
|
||||
+ sourcestyles
|
||||
/ rename DataRefStyle -> PayloadInjectStyle -> removed
|
||||
+ view_project::project() does not yet get real export list
|
||||
+ infect dll's
|
||||
+ based on redbackdoorer, DLL always use backdoorEntryPoint (not EOP)
|
||||
+ EOP is DllMain()!
|
||||
+ hide buttons if corresponding files aint there
|
||||
+ rename derbackdoorer.runMode to InjectStyle
|
||||
+ everywhere else too
|
||||
+ verifier with many exes (filecreate shellcode)
|
||||
|
||||
/ ui dropdown exe/dll: add rx section size -> no, performance
|
||||
+ ui dropdown shellcode: add size
|
||||
+ check if dll/exe runs (does not have any unfulfilled dependencies)
|
||||
+ iat_reuse in dll's seem to be a bit broken? -> fixed, iat and function size
|
||||
+ do not use jne/jge to recursively search for stuff (only for calls. if even?)
|
||||
+ test: iatttest-full.exe:
|
||||
+ hijack doesnt work
|
||||
+ eop says "no code section found"
|
||||
+ things to consider
|
||||
+ DLL-func EOP: needs to have space in it (relocs? or why?)
|
||||
+ DLL-func Hijack: always works? (very small functions with no jump?) -> 3 options
|
||||
+ show: the function, up until the jump
|
||||
+ make 3 options selectable
|
||||
+ datareuse::datareusefileparser: move away into compiler
|
||||
/ can or should i use strlen() for payload instead of hardcode length?
|
||||
/ add masm_shc, runshc binaries to the repo
|
||||
/ is reloc generally really necessary?
|
||||
# procexp pebwalk hijack: yes
|
||||
# procexp pebwalk eop: NO
|
||||
+ show missing dlls more dominantely
|
||||
/ make it unable to build?
|
||||
+ make a way where user can copy his dlls there (dont remove everything from project folder)
|
||||
+ rw: 0x4 rx: 0x20 rwx: 0x40
|
||||
+ most exes dont work (because missing dlls), check it
|
||||
/ remove exes_more/ and dlls/?
|
||||
+ ui build: will copy new files
|
||||
+ copy only when not exists? -> del all except nonstandard .exe .dll
|
||||
+ list shellcode
|
||||
+ list exes
|
||||
+ remotely detonate it on a host (like avred)
|
||||
+ change func hijack relocatable call to indirect call
|
||||
+ iat-overwrite/path settings
|
||||
+ remove exehost? it doesnt do much
|
||||
+ optimize get_vaddr_of_iatentry() ?
|
||||
+ remove all unecessary iat* functions in superpe
|
||||
+ injector: get from carrier
|
||||
+ change an IAT to the one's we need (existing DLLs only?)
|
||||
+ merge all Cs keystone disasm into pehelper? (derbackdoorer)
|
||||
+ put payload into data or other section (consider relocs)
|
||||
# note: lea is 7 bytes
|
||||
+ make webapp checkbox
|
||||
+ note: fix xor
|
||||
+ rename AsmParser to AsmTextParser, parse_asm_file
|
||||
+ use directory name as index instead of Enum?
|
||||
+ PATH_PEB_WALK, PATH_IAT_REUSE
|
||||
+ PATH_CARRIER
|
||||
+ settings.source_style -> carrier_name
|
||||
+ settings.template_path
|
||||
+ args.function_invoke_style
|
||||
/ remove peb_walk? -> no keep it
|
||||
+ modify .text or .data memory protection
|
||||
+ some of the shellcodes require RWX memory -> dedicated template
|
||||
+ shellcode: Use WinExec(), or CreateProcessA()?
|
||||
+ set enc key in config (xor_key, xor_key2)
|
||||
+ random if not set
|
||||
+ try again with short len for protect, but consider 300kb of pages (loop)
|
||||
+ IAT with cpuz.exe: no size 3 in .rdata?!
|
||||
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user