admin/SuperMega
1
0
Fork 0
mirror of https://github.com/dobin/SuperMega synced 2026-06-02 17:27:10 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
78cb8ad1166ea1ce17ca1cf1043498deb37d59f0
SuperMega/app/templates/index.html
T
Dobin Rutishauser 78cb8ad116 feature: add doc in project
2025-06-19 20:46:21 +02:00

109 lines
3.7 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html>
<head>
{% include 'header.html' %}
</head>
<body>
{% include 'navigation.html' %}
<div class="indent">
<h1> SuperMega </h1>
<h3>Shellcode</h3>
<code>--shellcode &lt;filename.exe&gt; </code><br>
The payload shellcode, like your CobaltStrike beacon. Should be x64. <br>
Located in the <code>data/binary/shellcodes/</code> directory. <br>
<h3>Injectable</h3>
<code>--inject &lt;filename.exe&gt; </code><br>
A 64-bit Windows PE executable used as a trojan. The shellcode will be injected in this EXE.
The original functionality of the EXE will not work anymore (it will only execute the carrier
with the shellcode it is carrying)
<br>
Located in the <code>data/binary/exes/</code> directory. <br>
<h3>Carrier</h3>
<code>--carrier &lt;carrier_name&gt;</code> <br>
The code which loads the payload shellcode. This includes allocating memory,
changing its permissions, and then finally executing it. It has the main() function
(and will include Decoder, Anti-Emulation, and Guardrail modules).<br>
Located in the <code>data/source/carrier</code> directory <br>
<ul>
<li>alloc_rw_rx: Allocate RW memory, copy payload, then make it RX. <b>Recommended</b>.</li>
<li>alloc_rw_rwx: Same as alloc_rw_rx, but useful for self-modyfing payloads (e.g. ShikataGaNai)</li>
<li>change_rw_rx: Change the memory permissions of the payload to RW, decode, then RX (no copying)(see payload location)</li>
<li>dll_loader_alloc:</li>
<li>dll_loader_change</li>
</ul>
The shellcode has a payload location of either::
<ul>
<li>.rdata</li>
<li>.text</li>
</ul>
With <code>--payload_location &lt;carrier_name&gt;</code>. Depending on the carrier, one or
the other may be preferred. For example, change_rw_rx can be adjusted accordingly.
<h3>Decoder</h3>
<code>--decoder &lt;decoder_name&gt;</code> <br>
How the payload is encrypted & decrypted. <br>
<ul>
<li>plain: No encryption</li>
<li>xor: Single byte xor key, random</li>
<li>xor_2: Two byte xor key, random. <b>Recommended</b>.</li>
</ul>
<h3>Anti-Emulation</h3>
<code>--antiemulation &lt;anti_emulation_name&gt;</code> <br>
<ul>
<li>none: No anti-emulation</li>
<li>timeraw: CPU register time based</li>
<li>sirallocalot: CPU cycles, memory and time based. Also does EDR-deconditioning. <b>Recommended</b>.</li>
</ul>
<h3>Guardrail</h3>
<h3>Carrier Invoke</h3>
How the carrier (which will load the payload shellcode) is invoked. <br>
<code>--carrier_invoke &lt;carrier_invoke_name&gt;</code> <br>
<ul>
<li>eop: Change entry point to the carrier shellcode</li>
<li>backdoor: Parse main function for a few unconditional jmp's, and change last jmp to jump to the carrier shellcode. <b>Recommended</b>.</li>
</ul>
<h3>Fix IAT</h3>
The carrier, or one of its modules, like the decoder, antiemulation, or guardrail, may require imports like
Windows kernel32.dll functions. If these are not available in the injectable, the IAT is being patched
for the required imports automatically. This will change the IAT of the injectable, which makes it less stealthy.
<br>
<br>
If you want to keep maximum stealth, use <code>--no-fix-iat</code> and adjust your carrier/modules or exe
manually.
</div>
<script>
var tooltipTriggerList = [].slice.call(document.querySelectorAll('[data-bs-toggle="tooltip"]'))
var tooltipList = tooltipTriggerList.map(function (tooltipTriggerEl) {
return new bootstrap.Tooltip(tooltipTriggerEl)
})
</script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink