admin/SuperMega
1
0
Fork 0
mirror of https://github.com/dobin/SuperMega synced 2026-06-03 01:27:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor: injector (EOP -> overwrite)

Browse Source
This commit is contained in:
Dobin Rutishauser
2025-06-21 14:06:50 +02:00
parent 1db212de53
commit a782fd0842
7 changed files with 319 additions and 303 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tester.py
+165 -163
View File
@@ -32,12 +32,15 @@ def main():
match sys.argv[1]:
case "all":
test_common()
test_dll_loader()
test_exe_code()
test_exe_data()
test_exe_code()
test_dll_code()
test_dll_data()
test_dll_loader()
case "common":
test_common()
case "dll_loader":
@@ -57,22 +60,21 @@ def main():
def test_common():
print("Testing: COMMON A")
print("Testing: COMMON procexp64.exe, alloc_rw_rwx, PayloadLocation.DATA, BackdoorFunc")
settings = Settings("unittest")
settings.injectable_base = "procexp64.exe"
settings.payload_base = "createfile.bin"
settings.payload_location = PayloadLocation.DATA
settings.carrier_name = "alloc_rw_rwx" # important (not rx)
settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorFunc
settings.verify = True
settings.try_start_final_infected_exe = False
settings.payload_location = PayloadLocation.CODE
settings.cleanup_files_on_exit = False
print("Test COMMON 1/6: plain")
settings.decoder_style = "plain"
settings.carrier_name = "alloc_rw_rwx" # important (not rx)
settings.carrier_invoke_style = CarrierInvokeStyle.ChangeEntryPoint
if not start(settings):
return
@@ -86,8 +88,6 @@ def test_common():
if not start(settings):
return
print("Testing: COMMON B")
print("Test COMMON 4/6: +guardrail env")
settings.plugin_guardrail = "env"
settings.plugin_guardrail_data_key = "VCIDEInstallDir"
@@ -106,6 +106,162 @@ def test_common():
return
def test_exe_data():
print("Testing EXE: Payload in .data")
settings = Settings("unittest")
settings.payload_base = "createfile.bin"
settings.verify = True
settings.try_start_final_infected_exe = False
settings.payload_location = PayloadLocation.DATA
settings.carrier_name = "alloc_rw_rwx" # important (not rx)
# EXE: PROCEXP
settings.injectable_base = "procexp64.exe"
print("Test EXE DATA 1/8: procexp, overwrite-main")
settings.carrier_invoke_style = CarrierInvokeStyle.OverwriteFunc
if not start(settings):
return
print("Test EXE DATA 2/8: procexp, backdoor-main")
settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorFunc
if not start(settings):
return
# EXE: 7Z
settings.injectable_base = "7z.exe"
print("Test EXE DATA 5/8: 7z, overwrite-main")
settings.carrier_invoke_style = CarrierInvokeStyle.OverwriteFunc
if not start(settings):
return
print("Test EXE DATA 6/4: 7z, backdoor-main")
settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorFunc
if not start(settings):
return
def test_exe_code():
print("Testing: EXEs: Payload in .text")
settings = Settings("unittest")
settings.payload_base = "createfile.bin"
settings.verify = True
settings.try_start_final_infected_exe = False
settings.payload_location = PayloadLocation.CODE
settings.carrier_name = "alloc_rw_rwx" # important (not rx)
# EXE 7Z
settings.injectable_base = "7z.exe"
print("Test EXE CODE 1/8: 7z, overwrite-main")
settings.carrier_invoke_style = CarrierInvokeStyle.OverwriteFunc
if not start(settings):
return
print("Test EXE CODE 2/8: 7z, backdoor-main")
settings.carrier_name = "peb_walk"
settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorFunc
if not start(settings):
return
# EXE procexp64.exe
settings.injectable_base = "procexp64.exe"
print("Test EXE CODE 5/8: procexp, overwrite-main")
settings.carrier_name = "alloc_rw_rwx"
settings.carrier_invoke_style = CarrierInvokeStyle.OverwriteFunc
if not start(settings):
return
print("Test EXE CODE 6/8: procexp, backdoor-main")
settings.carrier_name = "alloc_rw_rwx"
settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorFunc
if not start(settings):
return
def test_dll_code():
print("Testing: DLLs code")
settings = Settings("unittest")
settings.injectable_base = "libbz2.dll"
settings.payload_base = "createfile.bin"
settings.verify = True
settings.try_start_final_infected_exe = False
settings.payload_location = PayloadLocation.CODE
print("Test DLL 1/4: libbz2.dll, peb-walk, overwrite-func dllMain (func=None)")
settings.carrier_name = "peb_walk"
settings.carrier_invoke_style = CarrierInvokeStyle.OverwriteFunc
if not start(settings):
return
print("Test DLL 2/4: libbz2.dll, peb-walk, hijack dllMain (func=None)")
settings.carrier_name = "peb_walk"
settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorFunc
if not start(settings):
return
print("Test DLL 3/4: libbz2.dll, peb-walk, overwrite-func, func=BZ2_bzDecompress")
settings.dllfunc = "BZ2_bzDecompressInit"
settings.carrier_name = "peb_walk"
settings.carrier_invoke_style = CarrierInvokeStyle.OverwriteFunc
if not start(settings):
return
print("Test DLL 4/4: libbz2.dll, peb-walk, hijack main, func=BZ2_bzdopen")
settings.dllfunc = "BZ2_bzdopen"
settings.carrier_name = "peb_walk"
settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorFunc
if not start(settings):
return
def test_dll_data():
print("Testing: DLLs data")
settings = Settings("unittest")
settings.injectable_base = "libbz2.dll"
settings.payload_base = "createfile.bin"
settings.verify = True
settings.try_start_final_infected_exe = False
settings.payload_location = PayloadLocation.DATA
settings.carrier_name = "peb_walk"
###########settings.fix_missing_iat = True
# func = ""
print("Test DLL 1/4: libbz2.dll, overwrite-dllMain")
settings.carrier_invoke_style = CarrierInvokeStyle.OverwriteFunc
if not start(settings):
return
print("Test DLL 1/4: libbz2.dll, backdoor-dllMain")
settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorFunc
if not start(settings):
return
# func = "BZ2_bzDecompressInit"
settings.dllfunc = "BZ2_bzDecompressInit"
print("Test DLL 3/4: libbz2.dll, overwrite=BZ2_bzDecompress")
settings.carrier_invoke_style = CarrierInvokeStyle.OverwriteFunc
if not start(settings):
return
print("Test DLL 4/4: libbz2.dll, backdoor=BZ2_bzDecompress")
settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorFunc
if not start(settings):
return
def test_dll_loader():
print("Testing: DLL Loader")
settings = Settings("unittest")
@@ -126,161 +282,7 @@ def test_dll_loader():
settings.carrier_name = "dll_loader_change"
if not start(settings):
return
def test_exe_code():
print("Testing: EXEs: Inject payload into .text")
settings = Settings("unittest")
settings.injectable_base = "7z.exe"
settings.payload_base = "createfile.bin"
settings.verify = True
settings.try_start_final_infected_exe = False
settings.payload_location = PayloadLocation.CODE
# 7z, peb-walk, change-entrypoint
print("Test EXE 1/4: 7z, peb-walk, change-entrypoint")
settings.carrier_name = "peb_walk"
settings.carrier_invoke_style = CarrierInvokeStyle.ChangeEntryPoint
if not start(settings):
return
# 7z, peb-walk, hijack
print("Test EXE 2/4: 7z, peb-walk, hijack main")
settings.carrier_name = "peb_walk"
settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorCallInstr
if not start(settings):
return
settings.injectable_base = "procexp64.exe"
# procexp, iat-reuse, change-entrypoint
print("Test EXE 3/4: procexp, iat-reuse, change-entrypoint")
settings.carrier_name = "alloc_rw_rwx"
settings.carrier_invoke_style = CarrierInvokeStyle.ChangeEntryPoint
if not start(settings):
return
# procexp, iat-reuse, backdoor
print("Test EXE 4/4: procexp, iat-reuse, backdoor")
settings.carrier_name = "alloc_rw_rwx"
settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorCallInstr
if not start(settings):
return
def test_exe_data():
print("Testing: EXEs: Inject into .data")
settings = Settings("unittest")
settings.injectable_base = "7z.exe"
settings.payload_base = "createfile.bin"
settings.verify = True
settings.try_start_final_infected_exe = False
settings.payload_location = PayloadLocation.DATA
# 7z, peb-walk, change-entrypoint
print("Test EXE 1/4: 7z, peb-walk, change-entrypoint")
settings.carrier_name = "peb_walk"
settings.carrier_invoke_style = CarrierInvokeStyle.ChangeEntryPoint
if not start(settings):
return
# 7z, peb-walk, hijack
print("Test EXE 2/4: 7z, peb-walk, hijack main")
settings.carrier_name = "peb_walk"
settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorCallInstr
if not start(settings):
return
settings.injectable_base = "procexp64.exe"
# procexp, iat-reuse, change-entrypoint
print("Test EXE 3/4: procexp, iat-reuse, change-entrypoint")
settings.carrier_name = "alloc_rw_rwx"
settings.carrier_invoke_style = CarrierInvokeStyle.ChangeEntryPoint
if not start(settings):
return
# procexp, iat-reuse, backdoor
print("Test EXE 4/4: procexp, iat-reuse, backdoor")
settings.carrier_name = "alloc_rw_rwx"
settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorCallInstr
if not start(settings):
return
def test_dll_code():
print("Testing: DLLs code")
settings = Settings("unittest")
settings.injectable_base = "libbz2.dll"
settings.payload_base = "createfile.bin"
settings.verify = True
settings.try_start_final_infected_exe = False
settings.payload_location = PayloadLocation.CODE
print("Test DLL 1/4: libbz2.dll, peb-walk, change-entrypoint dllMain (func=None)")
settings.carrier_name = "peb_walk"
settings.carrier_invoke_style = CarrierInvokeStyle.ChangeEntryPoint
if not start(settings):
return
print("Test DLL 2/4: libbz2.dll, peb-walk, hijack dllMain (func=None)")
settings.carrier_name = "peb_walk"
settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorCallInstr
if not start(settings):
return
print("Test DLL 3/4: libbz2.dll, peb-walk, change-entrypoint, func=BZ2_bzDecompress")
settings.dllfunc = "BZ2_bzDecompress"
settings.carrier_name = "peb_walk"
settings.carrier_invoke_style = CarrierInvokeStyle.ChangeEntryPoint
if not start(settings):
return
print("Test DLL 4/4: libbz2.dll, peb-walk, hijack main, func=BZ2_bzdopen")
settings.dllfunc = "BZ2_bzdopen"
settings.carrier_name = "peb_walk"
settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorCallInstr
if not start(settings):
return
def test_dll_data():
print("Testing: DLLs data")
settings = Settings("unittest")
settings.injectable_base = "libbz2.dll"
settings.payload_base = "createfile.bin"
settings.verify = True
settings.try_start_final_infected_exe = False
settings.payload_location = PayloadLocation.DATA
print("Test DLL 1/4: libbz2.dll, peb-walk, change-entrypoint dllMain (func=None)")
settings.carrier_name = "peb_walk"
settings.carrier_invoke_style = CarrierInvokeStyle.ChangeEntryPoint
if not start(settings):
return
print("Test DLL 2/4: libbz2.dll, peb-walk, hijack dllMain (func=None)")
settings.carrier_name = "peb_walk"
settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorCallInstr
if not start(settings):
return
print("Test DLL 3/4: libbz2.dll, peb-walk, change-entrypoint, func=BZ2_bzDecompress")
settings.dllfunc = "BZ2_bzDecompress"
settings.carrier_name = "peb_walk"
settings.carrier_invoke_style = CarrierInvokeStyle.ChangeEntryPoint
if not start(settings):
return
print("Test DLL 4/4: libbz2.dll, peb-walk, hijack main, func=BZ2_bzdopen")
settings.dllfunc = "BZ2_bzdopen"
settings.carrier_name = "peb_walk"
settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorCallInstr
if not start(settings):
return
if __name__ == "__main__":
main()