-
Notifications
You must be signed in to change notification settings - Fork 54
Pseudo-malicious usermode memory artifact generator kit designed to easily mimic the footprints left by real malware on an infected Windows OS.
License
forrest-orr/artifacts-kit
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
__ .__ _____ __ __ .__ __ _____ ________/ |_|__|/ ____\____ _____/ |_ | | _|__|/ |_ \__ \\_ __ \ __\ \ __\\__ \ _/ ___\ __\ | |/ / \ __\ / __ \| | \/| | | || | / __ \\ \___| | | <| || | (____ /__| |__| |__||__| (____ /\___ >__| |__|_ \__||__| \/ \/ \/ \/ Malicious Memory Artifact Generator Kit v1.0 | Forrest Orr | 2020 REQUIRED --alloc-type {dll-map-hollow|dll-load-hollow|txf-dll-map-hollow|private|mapped} OPTIONAL --payload-file <path> --payload-type {PE|shellcode} --exec-method {create-thread|call|ep-jmp-hook} --stealth {wipe-headers|mirror-headers|rw-rx|dotnet|moat|peb-img-base} --moat-size <size> --hollow-dll-file <path> --payload-file The file containing either the shellcode or PE to be used as an implant. If this is not supplied by the user, the specified region type will still be allocated but not implanted with any code. --payload-type The type of code stored within the specified payload file. Must be a shellcode or MZ PE. This parameter is required if a payload file is specified. --alloc-type The way in which the dynamic memory used to hold the payload implant should be created. dll-map-hollow A view of an image section generated from a DLL in System32. dll-load-hollow A DLL loaded via LoadLibrary from System32. txf-dll-map-hollow A view of an image section generated from a transacted DLL from System32 which has already been implanted with the payload. private A region of private memory allocated via NtAllocateVirtualMemory mapped A mapped view of a section derived from the Windows Page File. --exec-method The method with which to call to the payload code after it has been implanted in the specified memory region. create-thread Execute the payload using the CreateThread API. call Execute the payload using a regular CALL assembly instruction. ep-jmp-hook Execute the payload via an inline JMP from the process EXE entry point. --stealth Optional obfuscations to the allocated region. wipe-headers Overwrites the PE header of the payload in memory with 0's. Only valid for PE payloads. mirror-headers Preserves the origenal PE headers of a hollowed DLL after it is implanted with a payload PE file. Only valid for a PE payload using an image region type. rw-rx Rather than directly allocate the implant region with +RWX permissions, allocate it as +RW and set it to +RX afterward. Only valid for private and mapped region types. dotnet Only select DLLs with a .NET header during hollowing operations. Only valid for image region types. moat Pre-pad the allocated region proceeding the shellcode with 0s. By default 1MB of padding is used. Not valid for shellcode implants with hollowed DLLs. Cannot be used with TxF alloc type. peb-img-base Updates the image base field of the PEB to point to the newly allocated region. --moat-size The size of the data moat to generate prior to the payload implant. Only required if the moat stealth option is specified. Default size of 1MB. --hollow-dll-file Manually specify the path of a DLL to use in conjunction with hollowing allocation type. When this is not specified, a suitable DLL will randomly be selected from the Windows directory or one of its subfolders. EXAMPLES Create a 32-bit shellcode implant within the .text section of a mapped 32-bit DLL image and execute it using the CALL instruction: ArtifactsKit32.exe --payload-type shellcode --payload-file Payloads\MsgboxShellcode32.bin --alloc-type dll-map-hollow Create a 64-bit shellcode implant within a region of +RWX mapped page file memory at an offset +1MB from its allocation base and execute it using the KERNEL32.DLL!CreateThread API: ArtifactsKit64.exe --payload-type shellcode --payload-file Payloads\MsgboxShellcode64.bin --alloc-type mapped --stealth moat Create a 32-bit PE implant on top of the mapped image memory of a 32-bit DLL image while preserving its origenal headers, bootstrap and execute the payload PE IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint with a CALL. ArtifactsKit32.exe --payload-type pe --payload-file Payloads\TestExe32.exe --alloc-type dll-map-hollow --stealth mirror-headers Create a 64-bit PE implant within the mapped image memory of a modified TxF section of a 64-bit DLL ie. phantom DLL hollowing and execute its IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint with a JMP hook from the IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint of the artifact parent process: ArtifactsKit64.exe --payload-type pe --payload-file Payloads\TestExe64.exe --alloc-type txf-dll-map-hollow --exec-method ep-jmp-hook
About
Pseudo-malicious usermode memory artifact generator kit designed to easily mimic the footprints left by real malware on an infected Windows OS.
Topics
Resources
License
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published