mirror of
https://github.com/dobin/SuperMega
synced 2026-06-02 17:27:10 +00:00
Dobin Rutishauser
304 lines
11 KiB
Python
304 lines
11 KiB
Python
from typing import Dict, List
|
|
import sys
|
|
import os
|
|
|
|
from helper import *
|
|
from config import config
|
|
from model.defs import *
|
|
from model.settings import Settings
|
|
from log import setup_logging
|
|
from supermega import start
|
|
from utils import check_deps
|
|
|
|
|
|
def main():
|
|
print("Super Mega Tester: " + os.path.dirname(VerifyFilename))
|
|
|
|
#setup_logging(level=logging.INFO)
|
|
setup_logging(level=logging.WARNING)
|
|
|
|
config.load()
|
|
check_deps()
|
|
|
|
if not os.path.exists(os.path.dirname(VerifyFilename)):
|
|
print("{} directory does not exist".format(os.path.dirname(VerifyFilename)))
|
|
return
|
|
|
|
match sys.argv[1]:
|
|
case "all":
|
|
test_common()
|
|
test_dll_loader()
|
|
test_exe_code()
|
|
test_exe_data()
|
|
test_dll_code()
|
|
test_dll_data()
|
|
|
|
case "common":
|
|
test_common()
|
|
case "dll_loader":
|
|
test_dll_loader()
|
|
case "exe_code":
|
|
test_exe_code()
|
|
case "exe_data":
|
|
test_exe_data()
|
|
case "dll_code":
|
|
test_dll_code()
|
|
case "dll_data":
|
|
test_dll_data()
|
|
case _:
|
|
print("Unknown test: {}".format(sys.argv[1]))
|
|
print("Available tests: all, common, dll_loader, exe_code, exe_data, dll_code, dll_data")
|
|
return
|
|
|
|
|
|
def test_common():
|
|
print("Testing: COMMON A")
|
|
|
|
settings = Settings("unittest")
|
|
settings.payload_path = FilePath(PATH_SHELLCODES + "createfile.bin")
|
|
settings.verify = True
|
|
settings.try_start_final_infected_exe = False
|
|
settings.payload_location = PayloadLocation.CODE
|
|
|
|
settings.cleanup_files_on_exit = False
|
|
|
|
print("Test COMMON 1/6: plain")
|
|
settings.decoder_style = "plain"
|
|
settings.carrier_name = "alloc_rw_rwx" # important (not rx)
|
|
settings.carrier_invoke_style = CarrierInvokeStyle.ChangeEntryPoint
|
|
settings.inject_exe_in = FilePath(PATH_EXES + "procexp64.exe")
|
|
settings.inject_exe_out = FilePath(PATH_EXES + "procexp64.verify.exe")
|
|
if not start(settings):
|
|
return
|
|
|
|
print("Test COMMON 2/6: xor_1")
|
|
settings.decoder_style = "xor_1"
|
|
if not start(settings):
|
|
return
|
|
|
|
print("Test COMMON 3/6: xor_2")
|
|
settings.decoder_style = "xor_2"
|
|
if not start(settings):
|
|
return
|
|
|
|
print("Testing: COMMON B")
|
|
|
|
print("Test COMMON 4/6: +guardrail env")
|
|
settings.plugin_guardrail = "env"
|
|
settings.plugin_guardrail_data_key = "VCIDEInstallDir"
|
|
settings.plugin_guardrail_data_value = "Community"
|
|
if not start(settings):
|
|
return
|
|
|
|
print("Test COMMON 5/6: +sirallocalot ")
|
|
settings.plugin_antiemulation = "sirallocalot"
|
|
if not start(settings):
|
|
return
|
|
|
|
print("Test COMMON 6/6: +virtualprotect undersized")
|
|
settings.plugin_virtualprotect = "undersized"
|
|
if not start(settings):
|
|
return
|
|
|
|
|
|
def test_dll_loader():
|
|
print("Testing: DLL Loader")
|
|
settings = Settings("unittest")
|
|
settings.payload_path = FilePath(PATH_SHELLCODES + "createfile.dll")
|
|
settings.verify = True
|
|
settings.try_start_final_infected_exe = False
|
|
settings.payload_location = PayloadLocation.CODE # important
|
|
settings.inject_exe_in = FilePath(PATH_EXES + "procexp64.exe")
|
|
settings.inject_exe_out = FilePath(PATH_EXES + "procexp64.verify.exe")
|
|
settings.carrier_invoke_style = CarrierInvokeStyle.ChangeEntryPoint
|
|
|
|
print("Test DLL Loader 1/2: procexp, backdoor main, dll loader alloc")
|
|
settings.carrier_name = "dll_loader_alloc"
|
|
if not start(settings):
|
|
return
|
|
|
|
print("Test DLL Loader 2/2: procexp, backdoor main, dll loader change")
|
|
settings.carrier_name = "dll_loader_change"
|
|
if not start(settings):
|
|
return
|
|
|
|
|
|
def test_exe_code():
|
|
print("Testing: EXEs: Inject payload into .text")
|
|
settings = Settings("unittest")
|
|
settings.payload_path = FilePath(PATH_SHELLCODES + "createfile.bin")
|
|
settings.verify = True
|
|
settings.try_start_final_infected_exe = False
|
|
settings.payload_location = PayloadLocation.CODE
|
|
|
|
# 7z, peb-walk, change-entrypoint
|
|
print("Test EXE 1/4: 7z, peb-walk, change-entrypoint")
|
|
settings.carrier_name = "peb_walk"
|
|
settings.carrier_invoke_style = CarrierInvokeStyle.ChangeEntryPoint
|
|
settings.inject_exe_in = FilePath(PATH_EXES + "7z.exe")
|
|
settings.inject_exe_out = FilePath(PATH_EXES + "7z.verify.exe")
|
|
if not start(settings):
|
|
return
|
|
|
|
# 7z, peb-walk, hijack
|
|
print("Test EXE 2/4: 7z, peb-walk, hijack main")
|
|
settings.carrier_name = "peb_walk"
|
|
settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorCallInstr
|
|
settings.inject_exe_in = FilePath(PATH_EXES + "7z.exe")
|
|
settings.inject_exe_out = FilePath(PATH_EXES + "7z.verify.exe")
|
|
if not start(settings):
|
|
return
|
|
|
|
# procexp, iat-reuse, change-entrypoint
|
|
print("Test EXE 3/4: procexp, iat-reuse, change-entrypoint")
|
|
settings.carrier_name = "alloc_rw_rwx"
|
|
settings.carrier_invoke_style = CarrierInvokeStyle.ChangeEntryPoint
|
|
settings.inject_exe_in = FilePath(PATH_EXES + "procexp64.exe")
|
|
settings.inject_exe_out = FilePath(PATH_EXES + "procexp64.verify.exe")
|
|
if not start(settings):
|
|
return
|
|
|
|
# procexp, iat-reuse, backdoor
|
|
print("Test EXE 4/4: procexp, iat-reuse, backdoor")
|
|
settings.carrier_name = "alloc_rw_rwx"
|
|
settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorCallInstr
|
|
settings.inject_exe_in = FilePath(PATH_EXES + "procexp64.exe")
|
|
settings.inject_exe_out = FilePath(PATH_EXES + "procexp64.verify.exe")
|
|
if not start(settings):
|
|
return
|
|
|
|
|
|
def test_exe_data():
|
|
print("Testing: EXEs: Inject into .data")
|
|
settings = Settings("unittest")
|
|
settings.payload_path = FilePath(PATH_SHELLCODES + "createfile.bin")
|
|
settings.verify = True
|
|
settings.try_start_final_infected_exe = False
|
|
settings.payload_location = PayloadLocation.DATA
|
|
|
|
# 7z, peb-walk, change-entrypoint
|
|
print("Test EXE 1/4: 7z, peb-walk, change-entrypoint")
|
|
settings.carrier_name = "peb_walk"
|
|
settings.carrier_invoke_style = CarrierInvokeStyle.ChangeEntryPoint
|
|
settings.inject_exe_in = FilePath(PATH_EXES + "7z.exe")
|
|
settings.inject_exe_out = FilePath(PATH_EXES + "7z.verify.exe")
|
|
if not start(settings):
|
|
return
|
|
|
|
# 7z, peb-walk, hijack
|
|
print("Test EXE 2/4: 7z, peb-walk, hijack main")
|
|
settings.carrier_name = "peb_walk"
|
|
settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorCallInstr
|
|
settings.inject_exe_in = FilePath(PATH_EXES + "7z.exe")
|
|
settings.inject_exe_out = FilePath(PATH_EXES + "7z.verify.exe")
|
|
if not start(settings):
|
|
return
|
|
|
|
# procexp, iat-reuse, change-entrypoint
|
|
print("Test EXE 3/4: procexp, iat-reuse, change-entrypoint")
|
|
settings.carrier_name = "alloc_rw_rwx"
|
|
settings.carrier_invoke_style = CarrierInvokeStyle.ChangeEntryPoint
|
|
settings.inject_exe_in = FilePath(PATH_EXES + "procexp64.exe")
|
|
settings.inject_exe_out = FilePath(PATH_EXES + "procexp64.verify.exe")
|
|
if not start(settings):
|
|
return
|
|
|
|
# procexp, iat-reuse, backdoor
|
|
print("Test EXE 4/4: procexp, iat-reuse, backdoor")
|
|
settings.carrier_name = "alloc_rw_rwx"
|
|
settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorCallInstr
|
|
settings.inject_exe_in = FilePath(PATH_EXES + "procexp64.exe")
|
|
settings.inject_exe_out = FilePath(PATH_EXES + "procexp64.verify.exe")
|
|
if not start(settings):
|
|
return
|
|
|
|
|
|
def test_dll_code():
|
|
print("Testing: DLLs code")
|
|
settings = Settings("unittest")
|
|
settings.payload_path = FilePath(PATH_SHELLCODES + "createfile.bin")
|
|
settings.verify = True
|
|
settings.try_start_final_infected_exe = False
|
|
settings.payload_location = PayloadLocation.CODE
|
|
|
|
print("Test DLL 1/4: libbz2.dll, peb-walk, change-entrypoint dllMain (func=None)")
|
|
settings.carrier_name = "peb_walk"
|
|
settings.carrier_invoke_style = CarrierInvokeStyle.ChangeEntryPoint
|
|
settings.inject_exe_in = FilePath(PATH_DLLS + "libbz2.dll")
|
|
settings.inject_exe_out = FilePath(PATH_DLLS + "libbz2.verify.dll")
|
|
if not start(settings):
|
|
return
|
|
|
|
print("Test DLL 2/4: libbz2.dll, peb-walk, hijack dllMain (func=None)")
|
|
settings.carrier_name = "peb_walk"
|
|
settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorCallInstr
|
|
settings.inject_exe_in = FilePath(PATH_DLLS + "libbz2.dll")
|
|
settings.inject_exe_out = FilePath(PATH_DLLS + "libbz2.verify.dll")
|
|
if not start(settings):
|
|
return
|
|
|
|
print("Test DLL 3/4: libbz2.dll, peb-walk, change-entrypoint, func=BZ2_bzDecompress")
|
|
settings.dllfunc = "BZ2_bzDecompress"
|
|
settings.carrier_name = "peb_walk"
|
|
settings.carrier_invoke_style = CarrierInvokeStyle.ChangeEntryPoint
|
|
settings.inject_exe_in = FilePath(PATH_DLLS + "libbz2.dll")
|
|
settings.inject_exe_out = FilePath(PATH_DLLS + "libbz2.verify.dll")
|
|
if not start(settings):
|
|
return
|
|
|
|
print("Test DLL 4/4: libbz2.dll, peb-walk, hijack main, func=BZ2_bzdopen")
|
|
settings.dllfunc = "BZ2_bzdopen"
|
|
settings.carrier_name = "peb_walk"
|
|
settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorCallInstr
|
|
settings.inject_exe_in = FilePath(PATH_DLLS + "libbz2.dll")
|
|
settings.inject_exe_out = FilePath(PATH_DLLS + "libbz2.verify.dll")
|
|
if not start(settings):
|
|
return
|
|
|
|
|
|
def test_dll_data():
|
|
print("Testing: DLLs data")
|
|
settings = Settings("unittest")
|
|
settings.payload_path = FilePath(PATH_SHELLCODES + "createfile.bin")
|
|
settings.verify = True
|
|
settings.try_start_final_infected_exe = False
|
|
settings.payload_location = PayloadLocation.DATA
|
|
|
|
print("Test DLL 1/4: libbz2.dll, peb-walk, change-entrypoint dllMain (func=None)")
|
|
settings.carrier_name = "peb_walk"
|
|
settings.carrier_invoke_style = CarrierInvokeStyle.ChangeEntryPoint
|
|
settings.inject_exe_in = FilePath(PATH_DLLS + "libbz2.dll")
|
|
settings.inject_exe_out = FilePath(PATH_DLLS + "libbz2.verify.dll")
|
|
if not start(settings):
|
|
return
|
|
|
|
print("Test DLL 2/4: libbz2.dll, peb-walk, hijack dllMain (func=None)")
|
|
settings.carrier_name = "peb_walk"
|
|
settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorCallInstr
|
|
settings.inject_exe_in = FilePath(PATH_DLLS + "libbz2.dll")
|
|
settings.inject_exe_out = FilePath(PATH_DLLS + "libbz2.verify.dll")
|
|
if not start(settings):
|
|
return
|
|
|
|
print("Test DLL 3/4: libbz2.dll, peb-walk, change-entrypoint, func=BZ2_bzDecompress")
|
|
settings.dllfunc = "BZ2_bzDecompress"
|
|
settings.carrier_name = "peb_walk"
|
|
settings.carrier_invoke_style = CarrierInvokeStyle.ChangeEntryPoint
|
|
settings.inject_exe_in = FilePath(PATH_DLLS + "libbz2.dll")
|
|
settings.inject_exe_out = FilePath(PATH_DLLS + "libbz2.verify.dll")
|
|
if not start(settings):
|
|
return
|
|
|
|
print("Test DLL 4/4: libbz2.dll, peb-walk, hijack main, func=BZ2_bzdopen")
|
|
settings.dllfunc = "BZ2_bzdopen"
|
|
settings.carrier_name = "peb_walk"
|
|
settings.carrier_invoke_style = CarrierInvokeStyle.BackdoorCallInstr
|
|
settings.inject_exe_in = FilePath(PATH_DLLS + "libbz2.dll")
|
|
settings.inject_exe_out = FilePath(PATH_DLLS + "libbz2.verify.dll")
|
|
if not start(settings):
|
|
return
|
|
|
|
|
|
if __name__ == "__main__":
|
|
main()
|