From df9937df96476fd9100a2cddc3f77f5ed28e99ad Mon Sep 17 00:00:00 2001
From: Dobin Rutishauser
Date: Mon, 10 Jun 2024 08:02:05 +0200
Subject: [PATCH] feature: antiemulation in templates

---
 data/source/carrier/alloc_rw_rwx/template.c | 6 ++++++
 data/source/carrier/alloc_rw_rx/template.c | 6 ++++++
 data/source/carrier/antiemulation/none.c | 4 ++++
 data/source/carrier/antiemulation/timeraw.c | 20 ++++++++++++++++++++
 model/defs.py | 2 ++
 phases/templater.py | 7 +++++++
 6 files changed, 45 insertions(+)
 create mode 100644 data/source/carrier/antiemulation/none.c
 create mode 100644 data/source/carrier/antiemulation/timeraw.c

diff --git a/data/source/carrier/alloc_rw_rwx/template.c b/data/source/carrier/alloc_rw_rwx/template.c
index 7ee8d8c..e51b144 100644
--- a/data/source/carrier/alloc_rw_rwx/template.c
+++ b/data/source/carrier/alloc_rw_rwx/template.c
@@ -15,6 +15,9 @@ char *supermega_payload;
  * will set it to RWX (safe to run shellcodes, opsec-unsafe)
  */
 
+{{plugin_antiemulation}}
+
+
 int main()
 {
     // Execution Guardrail: Env Check
@@ -29,6 +32,9 @@ int main()
         return 6;
     }
 
+    // Depends on plugin_antiemulation
+    antiemulation();
+
     // Decoy
     //WinExec("C:\\windows\\system32\\notepad.exe", 1);
 
diff --git a/data/source/carrier/alloc_rw_rx/template.c b/data/source/carrier/alloc_rw_rx/template.c
index 896f6f8..8a6c2bd 100644
--- a/data/source/carrier/alloc_rw_rx/template.c
+++ b/data/source/carrier/alloc_rw_rx/template.c
@@ -8,6 +8,9 @@ char *supermega_payload;
 #define p_RX 0x20
 #define p_RWX 0x40
 
+
+{{plugin_antiemulation}}
+
 /*
   iat_reuse_rx
   Standard IAT reuse shellcode
@@ -29,6 +32,9 @@ int main()
         return 6;
     }
 
+    // Depends on plugin_antiemulation
+    antiemulation();
+
     // Decoy
     //WinExec("C:\\windows\\system32\\notepad.exe", 1);
 
diff --git a/data/source/carrier/antiemulation/none.c b/data/source/carrier/antiemulation/none.c
new file mode 100644
index 0000000..42e9393
--- /dev/null
+++ b/data/source/carrier/antiemulation/none.c
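Review bot: `antiemulation()` is called from main() in the -29,6 +32,9 hunk of alloc_rw_rwx/template.c without any declaration visible in the template itself; the definition only exists once `{{plugin_antiemulation}}` has been rendered, so if that placeholder ever renders empty the failure shows up as an implicit-declaration error at compile time instead of at render time. A prototype placed next to the placeholder, `void antiemulation(void);`, makes the dependency explicit and keeps the call well-typed whichever plugin is rendered in. The same applies to the -29,6 +32,9 hunk of alloc_rw_rx/template.c. main() continues outside both hunks.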
@@ -0,0 +1,4 @@
+
+void antiemulation() {
+    // None
+}
\ No newline at end of file
diff --git a/data/source/carrier/antiemulation/timeraw.c b/data/source/carrier/antiemulation/timeraw.c
new file mode 100644
index 0000000..25cb454
--- /dev/null
+++ b/data/source/carrier/antiemulation/timeraw.c
@@ -0,0 +1,20 @@
+
+int get_time_raw() {
+    ULONG* PUserSharedData_TickCountMultiplier = (PULONG)0x7ffe0004;
+    LONG* PUserSharedData_High1Time = (PLONG)0x7ffe0324;
+    ULONG* PUserSharedData_LowPart = (PULONG)0x7ffe0320;
+    DWORD kernelTime = (*PUserSharedData_TickCountMultiplier) * (*PUserSharedData_High1Time << 8) +
+        ((*PUserSharedData_LowPart) * (unsigned __int64)(*PUserSharedData_TickCountMultiplier) >> 24);
+    return kernelTime;
+}
+
+
+int sleep_ms(DWORD sleeptime) {
+    DWORD start = get_time_raw();
+    while (get_time_raw() - start < sleeptime) {}
+}
+
+
+void antiemulation() {
+    sleep_ms(3000);
+}
\ No newline at end of file
diff --git a/model/defs.py b/model/defs.py
index 1febb48..04f1a4c 100644
--- a/model/defs.py
+++ b/model/defs.py
@@ -13,7 +13,9 @@ PATH_EXES_MORE = "data/binary/exes_more/"
 PATH_SHELLCODES = "data/binary/shellcodes/"
 PATH_CARRIER = "data/source/carrier/"
 PATH_PAYLOAD = "data/source/payload/"
+
 PATH_DECODER = "data/source/carrier/decoder/"
+PATH_ANTIEMULATION = "data/source/carrier/antiemulation/"
 
 PATH_WEB_PROJECT = "projects/"
 
diff --git a/phases/templater.py b/phases/templater.py
index 067877d..12414f6 100644
--- a/phases/templater.py
+++ b/phases/templater.py
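Review bot: `sleep_ms` in timeraw.c is declared `int` but falls off the end of its body without a `return`, which is undefined behaviour in C and draws a missing-return warning from every major compiler; its result is never used, so the signature should be `void sleep_ms(DWORD sleeptime)`. `get_time_raw` has the mirror problem: it computes `kernelTime` as a `DWORD` and returns it as `int`, and the caller immediately stores it back into a `DWORD`, so the `get_time_raw() - start` subtraction in the loop condition mixes signed and unsigned on a counter that is expected to wrap; returning `DWORD` keeps that arithmetic consistently unsigned. The two-line `kernelTime` expression is also undocumented; a one-line comment stating the unit of the value it yields (the `sleep_ms` caller treats it as milliseconds) would help the next maintainer check the `<< 8` and `>> 24` scaling.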
@@ -37,15 +37,22 @@ def create_c_from_template(settings: Settings, payload_len: int):
         'XOR_KEY2': ascii_to_hex_bytes(config.xor_key2),
     })
 
+    # Anti-Emulation
+    filepath_antiemulation = PATH_ANTIEMULATION + "{}.c".format("timeraw")
+    with open(filepath_antiemulation, "r", encoding='utf-8') as file:
+        plugin_antiemualation = file.read()
+
     # Choose correct template
     dirpath = PATH_CARRIER + settings.carrier_name + "/template.c"
     with open(dirpath, 'r', encoding='utf-8') as file:
         template_content = file.read()
     observer.add_text_file("main_c_template", template_content)
 
+    # Render main template
     template = Template(template_content)
     rendered_template = template.render({
         'plugin_decoder': plugin_decoder,
+        'plugin_antiemulation': plugin_antiemualation,
         'PAYLOAD_LEN': payload_len,
     })
     with open(settings.main_c_path, "w", encoding='utf-8') as file:
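Review bot: The new local is misspelled `plugin_antiemualation` in both the assignment and the render dict, which works only because both sites carry the same typo; `plugin_antiemulation` matches the template key and the decoder naming next to it. The plugin is also chosen by a literal, `"{}.c".format("timeraw")`, which reads like an unfinished hook — presumably the name is meant to come from `settings` the way `carrier_name` does; if it does become configurable, match the value against a fixed allow-list of the files under PATH_ANTIEMULATION rather than concatenating it into the path, so an unexpected value cannot resolve to a file outside that directory. For parity with the main template two lines below, `observer.add_text_file("antiemulation_c", plugin_antiemulation)` would record which plugin source was rendered in, assuming the observer is used that way for the decoder plugin elsewhere in this function. create_c_from_template starts and ends outside the hunk.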