feature: redbackdoorer mode arg

2026-06-02 17:27:10 +00:00 · 2024-02-16 21:36:43 +00:00
parent 1feeb66f76
commit fd9dc68eea
3 changed files with 26 additions and 5 deletions
@@ -90,3 +90,14 @@ def delete_all_files_in_directory(directory_path):
            #logger.info(f"Deleted {file_path}")
        except Exception as e:
            logger.info(f"Error deleting {file_path}: {e}")
+
+
+def rbrunmode_str(rbrunmode):
+    if rbrunmode == "1":
+        return "change AddressOfEntryPoint"
+    elif rbrunmode == "2":
+        return "hijack branching instruction at Original Entry Point (jmp, call, ...)"
+    elif rbrunmode == "3":
+        return "setup TLS callback"
+    else:
+        return "Invalid"
@@ -16,7 +16,7 @@ class Project():

        # Injectable
        self.inject: bool = False
-        self.inject_mode: str = "1,1"
+        self.inject_mode: str = "1,2"
        self.inject_exe_in: FilePath = ""
        self.inject_exe_out: FilePath = ""
        self.exe_info: ExeInfo = None
@@ -61,6 +61,7 @@ def main():
    parser = argparse.ArgumentParser(description='SuperMega shellcode loader')
    parser.add_argument('--shellcode', type=str, help='The path to the file of your payload shellcode')
    parser.add_argument('--inject', type=str, help='The path to the file where we will inject ourselves in')
+    parser.add_argument('--rbrunmode', type=str, help='Redbackdoorer run argument (1 EAP, 2 hijack, 3 tls)')
    parser.add_argument('--start-injected', action='store_true', help='Dev: Start the generated infected executable at the end')
    parser.add_argument('--start-loader-shellcode', action='store_true', help='Dev: Start the loader shellcode (without payload)')
    parser.add_argument('--start-final-shellcode', action='store_true', help='Debug: Start the final shellcode (loader + payload)')
@@ -82,22 +83,22 @@ def main():

        if args.verify == "peb":
            project.inject = True
-            project.inject_mode = "1,1"
+            project.inject_mode = "1,2"
            project.inject_exe_in = "exes/7z.exe"
            project.inject_exe_out = "out/7z-verify.exe"
        elif args.verify == "iat":
            project.inject = True
-            project.inject_mode = "1,1"
+            project.inject_mode = "1,2"
            project.inject_exe_in = "exes/procexp64.exe"
            project.inject_exe_out = "out/procexp64-verify.exe"
        elif args.verify == "rwx":
            project.inject = True
-            project.inject_mode = "1,1"
+            project.inject_mode = "1,1"  # ,2 is broken atm
            project.inject_exe_in = "exes/wifiinfoview.exe"
            project.inject_exe_out = "out/wifiinfoview.exe-verify.exe"
-
        else:
            logger.info("Unknown verify option {}, use std/iat".format(args.verify))
+            return

    else:
        project.try_start_final_infected_exe = args.start_injected
@@ -107,6 +108,15 @@ def main():
        project.cleanup_files_on_start = not args.no_clean_at_start
        project.cleanup_files_on_exit =not args.no_clean_at_exit

+        if args.rbrunmode:
+            if args.rbrunmode == "1" or args.rbrunmode == "2" or args.rbrunmode == "3":
+                project.inject_mode = "1," + args.rbrunmode
+            else:
+                logging.error("Invalid mode, use one of:")
+                for i in ["1", "2", "3"]:
+                    logging.error("  {}  {}".format(i, rbrunmode_str(i)))
+                return
+
        if not args.shellcode or not args.inject:
            logger.error("Require: --shellcode <shellcode file> --inject <injectable.exe>")
            logger.info(r"Example: .\supermega.py --shellcode .\shellcodes\calc64.bin --inject .\exes\7z.exe")