forked from mgeeky/ElusiveMice
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathelusiveMice.cna
167 lines (141 loc) · 5.12 KB
/
elusiveMice.cna
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
# User Defined Reflective Loader Kit Aggressor Script
# Enable Debug of PE content
# The generated PE content will be displayed in the script console if debug is true
#$debug = "true";
$debug = "true";
# ===========================================================================
# 'case insensitive sort' from sleep manual...
# ===========================================================================
sub caseInsensitiveCompare
{
$a = lc($1);
$b = lc($2);
return $a cmp $b;
}
# ===========================================================================
# Dump PE Information
# $1 = Beacon DLL content
# ===========================================================================
sub dump_my_pe {
local('$out $key $val %pemap @sorted_keys');
%pemap = pedump($1);
# ---------------------------------------------------
# Example listing all items from hash/map...
# ---------------------------------------------------
@sorted_keys = sort(&caseInsensitiveCompare, keys(%pemap));
foreach $key (@sorted_keys)
{
$out = "$[50]key";
foreach $val (values(%pemap, @($key)))
{
$out .= " $val";
println($out);
}
}
# ---------------------------------------------------
# Example of grabbing specific items from hash/map...
# ---------------------------------------------------
local('@loc_cs @val_cs');
@loc_cs = values(%pemap, @("CheckSum."));
@val_cs = values(%pemap, @("CheckSum."));
println("");
println("My DLL CheckSum Location: " . @loc_cs);
println("My DLL CheckSum Value: " . @val_cs);
println("");
}
sub generate_my_dll {
local('$handle $data $loader $temp_dll');
# ---------------------------------------------------------------------
# Load a object file that contains a Reflective Loader.
# The architecture ($3) is used in the path.
# ---------------------------------------------------------------------
$handle = openf(script_resource("elusiveMice. $+ $3 $+ .o"));
$data = readb($handle, -1);
closef($handle);
warn("Loaded Length: " . strlen($data));
if (strlen($data) eq 0) {
warn("Error loading reflective loader object file.");
return $null;
}
# ---------------------------------------------------------------------
# extract loader ($loader) from the object file data ($data).
# ---------------------------------------------------------------------
$loader = extract_reflective_loader($data);
warn("Extracted Length: " . strlen($loader));
if (strlen($loader) eq 0) {
warn("Error extracting reflective loader.");
return $null;
}
# ---------------------------------------------------------------------
# Setup the reflective loader ($loader) in the beacon ($2).
# ---------------------------------------------------------------------
$temp_dll = setup_reflective_loader($2, $loader);
# ---------------------------------------------------------------------
# OPTIONAL: Additional Customization of the PE...
# - Use 'pedump' function to get information for the updated DLL.
# - Use these convenience functions to perform transformations on the DLL:
# pe_remove_rich_header
# pe_insert_rich_header
# pe_set_compile_time_with_long
# pe_set_compile_time_with_string
# pe_set_export_name
# pe_update_checksum
# - Use these basic functions to perform transformations on the DLL:
# pe_mask
# pe_mask_section
# pe_mask_string
# pe_patch_code
# pe_set_string
# pe_set_stringz
# pe_set_long
# pe_set_short
# pe_set_value_at
# pe_stomp
# ---------------------------------------------------------------------
println($debug);
if ($debug eq "true") {
dump_my_pe($temp_dll);
}
# ---------------------------------------------------------------------
# Give back the updated beacon DLL.
# ---------------------------------------------------------------------
return $temp_dll;
}
# ------------------------------------
# $1 = DLL file name
# $2 = DLL content
# $3 = arch
# ------------------------------------
set BEACON_RDLL_GENERATE {
warn("========== Running elusiveMice 'BEACON_RDLL_GENERATE' for DLL " . $1 . " with architecture " . $3 . " ==========");
return generate_my_dll($1, $2, $3);
}
# ------------------------------------
# $1 = DLL file name
# $2 = DLL content
# $3 = arch
# $4 = parent Beacon ID
# $5 = GetModuleHandleA pointer
# $6 = GetProcAddress pointer
# ------------------------------------
set BEACON_RDLL_GENERATE_LOCAL {
warn("========== Running elusiveMice 'BEACON_RDLL_GENERATE_LOCAL' for DLL " . $1 . " with architecture " . $3 . " Beacon ID " . $4 . " GetModuleHandleA " . $5 . " GetProcAddress " . $6 . " ==========");
return generate_my_dll($1, $2, $3);
}
# BEACON_RDLL_SIZE HOOK
# Override the beacon loader to load beacons with larger space reserved for the
# User Defined Reflective Loader function.
#
# Arguments
# $1 = dll name
# $2 = arch
#
# Returns
# a string representing the size to use for the Reflective Loader.
# valid values are: [0, 5, 100]
set BEACON_RDLL_SIZE {
println("UDRL - BEACON_RDLL_SIZE hook");
$size = 100;
println("UDRL - Use the $size $+ K Reflective Loader (elusiveMice)");
return "$size";
}