fix(loaders): non-api-hashing methods would fail in some cases

Author: djnnvx

cli/parser.go

@@ -144,16 +144,28 @@ func GetParser(opts *Options) *cobra.Command {
 			}
 
 			if opts.UseAPIHashing {
-                fmt.Printf("[+] Retrieving dependencies to use API Hashing...\n")
+				fmt.Printf("[+] Retrieving dependencies to use API Hashing...\n")
 
 				execGoGetCmd := exec.Command("go", "get", "github.com/Binject/debug/pe")
 				execGoGetCmd.Dir = MYPH_TMP_DIR
 				_, _ = execGoGetCmd.Output()
 
-                // this should stay to cmepw addr
-                execGoGetCmd = exec.Command("go", "get", "github.com/cmepw/myph/internals")
-				execGoGetCmd.Dir = MYPH_TMP_DIR
-				_, _ = execGoGetCmd.Output()
+				if opts.WithDebug {
+					// if running debug, we want to have the local internals because
+					// it makes development easier
+
+					fmt.Printf("[+] Running \"cp -r ./internals /tmp/myph-out\"\n")
+
+					execGoGetCmd = exec.Command("cp", "-r", "./internals", MYPH_TMP_DIR)
+					execGoGetCmd.Dir = "."
+					_, _ = execGoGetCmd.Output()
+
+				} else {
+					// this should stay to cmepw addr
+					execGoGetCmd = exec.Command("go", "get", "github.com/cmepw/myph/internals")
+					execGoGetCmd.Dir = MYPH_TMP_DIR
+					_, _ = execGoGetCmd.Output()
+				}
 
 			}
 
@@ -288,7 +300,6 @@ func GetParser(opts *Options) *cobra.Command {
 
 			fmt.Printf("\n[+] Template (%s) written to tmp directory. Compiling...\n", opts.Technique)
 
-
 			execCmd := BuildLoader(opts)
 			execCmd.Dir = MYPH_TMP_DIR
 

loaders/createThread.go

@@ -35,24 +35,15 @@ import (
 }
 
 func (t CreateTTemplate) Const() string {
-	return fmt.Sprintf(`
+	if !t.UseApiHashing {
+
+		return fmt.Sprintf(`
 const (
 	MEM_COMMIT             = 0x1000
 	MEM_RESERVE            = 0x2000
 	PAGE_EXECUTE_READWRITE = 0x40
 )
 
-
-`)
-}
-
-func (t CreateTTemplate) Init() string {
-
-	if t.UseApiHashing {
-		return fmt.Sprintf("\n")
-	}
-
-	return fmt.Sprintf(`
 var (
 	kernel32        = syscall.MustLoadDLL("kernel32.dll")
 	ntdll           = syscall.MustLoadDLL("ntdll.dll")
@@ -63,7 +54,23 @@ var (
 
     RtlCopyMemory   = ntdll.MustFindProc("RtlCopyMemory")
 )
-    `)
+        `)
+
+	}
+
+	return fmt.Sprintf(`
+const (
+	MEM_COMMIT             = 0x1000
+	MEM_RESERVE            = 0x2000
+	PAGE_EXECUTE_READWRITE = 0x40
+)
+
+
+`)
+}
+
+func (t CreateTTemplate) Init() string {
+	return fmt.Sprintf("\n")
 }
 
 func (t CreateTTemplate) Process() string {

loaders/ntCreateThreadEx.go

@@ -29,6 +29,8 @@ import (
 
 	return fmt.Sprintf(`
 import (
+    "fmt"
+    "log"
 	"syscall"
 	"unsafe"
 )
@@ -38,30 +40,40 @@ import (
 func (t NtCreateThreadExTemplate) Const() string {
 	// same consts with or without API Hashing
 
-	return fmt.Sprintf(`
-const (
-	MEM_COMMIT = 0x1000
-	MEM_RESERVE = 0x2000
-	PAGE_EXECUTE_READ = 0x20
-	PAGE_READWRITE = 0x04
-)
-`)
-}
-
-func (t NtCreateThreadExTemplate) Init() string {
-
 	if t.UseApiHashing {
-		return fmt.Sprintf("\n")
+		return fmt.Sprintf(`
+        const (
+            MEM_COMMIT = 0x1000
+            MEM_RESERVE = 0x2000
+            PAGE_EXECUTE_READ = 0x20
+            PAGE_READWRITE = 0x04
+        )
+        `)
 	}
 
 	return fmt.Sprintf(`
-	ntdll := syscall.MustLoadDLL("ntdll.dll")
+    const (
+            MEM_COMMIT = 0x1000
+            MEM_RESERVE = 0x2000
+            PAGE_EXECUTE_READ = 0x20
+            PAGE_READWRITE = 0x04
+        )
+
+    var (
 
-    NtAllocateVirtualMemory = ntdll.MustFindProd("NtAllocateVirtualMemory")
-    NtWriteVirtualMemory = ntdll.MustFindProd("NtWriteVirtualMemory")
-    NtProtectVirtualMemory = ntdll.MustFindProd("NtProtectVirtualMemory")
-    NtCreateThreadEx = ntdll.MustFindProd("NtCreateThreadEx")
+	ntdll = syscall.MustLoadDLL("ntdll.dll")
+
+    NtAllocateVirtualMemory = ntdll.MustFindProc("NtAllocateVirtualMemory")
+    NtWriteVirtualMemory = ntdll.MustFindProc("NtWriteVirtualMemory")
+    NtProtectVirtualMemory = ntdll.MustFindProc("NtProtectVirtualMemory")
+    NtCreateThreadEx = ntdll.MustFindProc("NtCreateThreadEx")
+    )
 `)
+
+}
+
+func (t NtCreateThreadExTemplate) Init() string {
+	return fmt.Sprintf("\n")
 }
 
 func (t NtCreateThreadExTemplate) Process() string {

loaders/syscall.go

@@ -36,34 +36,43 @@ import (
 }
 
 func (t SysTemplate) Const() string {
-	// same consts with or without API Hashing
 
-	return fmt.Sprintf(`
+	if t.UseApiHashing {
+		return fmt.Sprintf(`
 const (
 	MEM_COMMIT = 0x1000
 	MEM_RESERVE = 0x2000
 	PAGE_EXECUTE_READ = 0x20
 	PAGE_READWRITE = 0x04
 )
 `)
-}
-
-func (t SysTemplate) Init() string {
 
-	if t.UseApiHashing {
-		return fmt.Sprintf("\n")
 	}
 
 	return fmt.Sprintf(`
-	kernel32 := syscall.MustLoadDLL("kernel32.dll")
-	ntdll := syscall.MustLoadDLL("ntdll.dll")
+const (
+	MEM_COMMIT = 0x1000
+	MEM_RESERVE = 0x2000
+	PAGE_EXECUTE_READ = 0x20
+	PAGE_READWRITE = 0x04
+)
+
+var (
+    kernel32 = syscall.MustLoadDLL("kernel32.dll")
+	ntdll = syscall.MustLoadDLL("ntdll.dll")
+
+	VirtualAlloc = kernel32.MustFindProc("VirtualAlloc")
+	VirtualProtect = kernel32.MustFindProc("VirtualProtect")
+	RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory")
+)
 
-	VirtualAlloc := kernel32.MustFindProc("VirtualAlloc")
-	VirtualProtect := kernel32.MustFindProc("VirtualProtect")
-	RtlCopyMemory := ntdll.MustFindProc("RtlCopyMemory")
 `)
 }
 
+func (t SysTemplate) Init() string {
+	return fmt.Sprintf("\n")
+}
+
 func (t SysTemplate) Process() string {
 	if t.UseApiHashing {
 		return fmt.Sprintf(`

loaders/utils.go

@@ -3,7 +3,7 @@ package loaders
 func InformExpermimental() {
 	println("[!] The API hashing feature is still in an an experimental stage!!")
 	println("Only a few methods are supported for now:")
-	println("\t-Syscall\n\t-CreateThread\n\t-tNtCreateThreadEx\n")
+	println("\t-Syscall\n\t-CreateThread\n\t-NtCreateThreadEx\n")
 }
 
 func InformProcessUnused(process string) {