admin/SuperMega
1
0
Fork 0
mirror of https://github.com/dobin/SuperMega synced 2026-06-02 17:27:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

feature: add doc in project

Browse Source
This commit is contained in:
Dobin Rutishauser
2025-06-19 20:46:21 +02:00
parent 3196fa4ecb
commit 78cb8ad116
2 changed files with 90 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/static/styles.css
+4 -1
View File
@@ -40,9 +40,12 @@
}
.indent {
margin-top: 1em;
margin-top: 1.0em;
margin-left: 1em;
}
.indent h3 {
margin-top: 0.7em;
}
.matchesview {
padding-left: 4px !important;
app/templates/index.html
+86
View File
@@ -10,6 +10,92 @@
<h1> SuperMega </h1>
<h3>Shellcode</h3>
<code>--shellcode &lt;filename.exe&gt; </code><br>
The payload shellcode, like your CobaltStrike beacon. Should be x64. <br>
Located in the <code>data/binary/shellcodes/</code> directory. <br>
<h3>Injectable</h3>
<code>--inject &lt;filename.exe&gt; </code><br>
A 64-bit Windows PE executable used as a trojan. The shellcode will be injected in this EXE.
The original functionality of the EXE will not work anymore (it will only execute the carrier
with the shellcode it is carrying)
<br>
Located in the <code>data/binary/exes/</code> directory. <br>
<h3>Carrier</h3>
<code>--carrier &lt;carrier_name&gt;</code> <br>
The code which loads the payload shellcode. This includes allocating memory,
changing its permissions, and then finally executing it. It has the main() function
(and will include Decoder, Anti-Emulation, and Guardrail modules).<br>
Located in the <code>data/source/carrier</code> directory <br>
<ul>
<li>alloc_rw_rx: Allocate RW memory, copy payload, then make it RX. <b>Recommended</b>.</li>
<li>alloc_rw_rwx: Same as alloc_rw_rx, but useful for self-modyfing payloads (e.g. ShikataGaNai)</li>
<li>change_rw_rx: Change the memory permissions of the payload to RW, decode, then RX (no copying)(see payload location)</li>
<li>dll_loader_alloc:</li>
<li>dll_loader_change</li>
</ul>
The shellcode has a payload location of either::
<ul>
<li>.rdata</li>
<li>.text</li>
</ul>
With <code>--payload_location &lt;carrier_name&gt;</code>. Depending on the carrier, one or
the other may be preferred. For example, change_rw_rx can be adjusted accordingly.
<h3>Decoder</h3>
<code>--decoder &lt;decoder_name&gt;</code> <br>
How the payload is encrypted & decrypted. <br>
<ul>
<li>plain: No encryption</li>
<li>xor: Single byte xor key, random</li>
<li>xor_2: Two byte xor key, random. <b>Recommended</b>.</li>
</ul>
<h3>Anti-Emulation</h3>
<code>--antiemulation &lt;anti_emulation_name&gt;</code> <br>
<ul>
<li>none: No anti-emulation</li>
<li>timeraw: CPU register time based</li>
<li>sirallocalot: CPU cycles, memory and time based. Also does EDR-deconditioning. <b>Recommended</b>.</li>
</ul>
<h3>Guardrail</h3>
<h3>Carrier Invoke</h3>
How the carrier (which will load the payload shellcode) is invoked. <br>
<code>--carrier_invoke &lt;carrier_invoke_name&gt;</code> <br>
<ul>
<li>eop: Change entry point to the carrier shellcode</li>
<li>backdoor: Parse main function for a few unconditional jmp's, and change last jmp to jump to the carrier shellcode. <b>Recommended</b>.</li>
</ul>
<h3>Fix IAT</h3>
The carrier, or one of its modules, like the decoder, antiemulation, or guardrail, may require imports like
Windows kernel32.dll functions. If these are not available in the injectable, the IAT is being patched
for the required imports automatically. This will change the IAT of the injectable, which makes it less stealthy.
<br>
<br>
If you want to keep maximum stealth, use <code>--no-fix-iat</code> and adjust your carrier/modules or exe
manually.
</div>
<script>