Release v1.2.2

Author: djnnvx

.gitignore

@@ -12,6 +12,9 @@
 myph
 myph-out/
 
+scripts/hash_function
+scripts/hash
+
 # Test binary, built with `go test -c`
 *.test
 

Makefile

@@ -2,7 +2,7 @@
 # -------------------
 
 APP_NAME = myph
-APP_VERSION = 1.2.0
+APP_VERSION = 1.2.2
 GIT_REVISION = `git rev-parse HEAD`
 DOCKER_IMAGE_TAG ?= $(APP_VERSION)
 DOCKER_LOCAL_IMAGE = $(APP_NAME):$(DOCKER_IMAGE_TAG)

NOTES.txt

@@ -0,0 +1,8 @@
+#############################
+######### RESOURCES #########
+#############################
+
+- https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20workshops/DEF%20CON%2029%20Workshop%20Ben%20Kurtz%20Writing%20Golang%20Malwar.pdf
+
+- https://evasions.checkpoint.com
+

README.md

@@ -28,9 +28,9 @@ make  # you can also use `make help` to check recipes
 go build -o myph .
 ```
 
-> You can also grab the latest release from [here](https://github.com/CMEPW/myph/releases/)
+> You can also grab the latest release from [here](https://github.com/mato7sh/myph/releases/)
 
-Finally, you can install from the [golang package repository](https://pkg.go.dev/github.com/CMEPW/myph) like so:
+Finally, you can install from the [golang package repository](https://pkg.go.dev/github.com/mato7sh/myph) like so:
 ```bash
 # /!\ lowercase is important /!\
 go install github.com/cmepw/myph@latest
@@ -39,50 +39,25 @@ go install github.com/cmepw/myph@latest
 ### Usage
 
 ```
-
-              ...                                        -==[ M Y P H ]==-
-             ;::::;
-           ;::::; :;                                    In loving memory of
-         ;:::::'   :;                               Wassyl Iaroslavovytch Slipak
-        ;:::::;     ;.
-       ,:::::'       ;           OOO                       (1974 - 2016)
-       ::::::;       ;          OOOOO
-       ;:::::;       ;         OOOOOOOO
-      ,;::::::;     ;'         / OOOOOOO
-    ;::::::::: . ,,,;.        /  / DOOOOOO
-  .';:::::::::::::::::;,     /  /     DOOOO
- ,::::::;::::::;;;;::::;,   /  /        DOOO        AV / EDR evasion framework
-; :::::: '::::::;;;::::: ,#/  /          DOOO           to pop shells and
-: ::::::: ;::::::;;::: ;::#  /            DOOO        make the blue team cry
-:: ::::::: ;:::::::: ;::::# /              DOO
- : ::::::: ;:::::: ;::::::#/               DOO
- ::: ::::::: ;; ;:::::::::##                OO       written with <3 by djnn
- :::: ::::::: ;::::::::;:::#                OO                ------
- ::::: ::::::::::::;' :;::#                O             https://djnn.sh
-   ::::: ::::::::;  /  /  :#
-   :::::: :::::;   /  /    #
-
-Usage:
-  myph [flags]
-  myph [command]
-
 Available Commands:
   completion  Generate the autocompletion script for the specified shell
   help        Help about any command
   spoof       spoof PE metadata using versioninfo
 
 Flags:
-  -b, --builtype string      define the output type (allowed: exe, dll) (default "exe")
-  -e, --encryption encKind   encryption method. (allowed: AES, chacha20, XOR, blowfish) (default AES)
-  -h, --help                 help for myph
-  -k, --key string           encryption key, auto-generated if empty. (if used by --encryption)
-  -f, --out string           output name (default "payload.exe")
-  -z, --persistence string   name of the binary being placed in '%APPDATA%' and in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run' reg key (default: "")
-  -p, --process string       target process to inject shellcode to (default "cmd.exe")
-  -s, --shellcode string     shellcode path (default "msf.raw")
-      --sleep-time uint      sleep time in seconds before executing loader (default: 0)
-  -t, --technique string     shellcode-loading technique (allowed: CRT, CRTx, CreateFiber, ProcessHollowing, CreateThread, EnumCalendarInfoA, Syscall, Etwp) (default "CRT")
-  -v, --version              version for myph
+      --api-hashing-type string   Hashing algorithm used for API hashing (default "DJB2")
+  -d, --debug                     builds binary with debug symbols
+  -e, --encryption encKind        encryption method. (allowed: AES, chacha20, XOR, blowfish) (default AES)
+  -h, --help                      help for myph
+  -k, --key string                encryption key, auto-generated if empty. (if used by --encryption)
+  -f, --out string                output name (default "payload.exe")
+  -z, --persistence string        name of the binary being placed in '%APPDATA%' and in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run' reg key (default: "")
+  -p, --process string            target process to inject shellcode to (default "cmd.exe")
+  -s, --shellcode string          shellcode path (default "msf.raw")
+      --sleep-time uint           sleep time in seconds before executing loader (default: 0)
+  -t, --technique string          shellcode-loading technique (allowed: CRT, CRTx, CreateFiber, ProcessHollowing, CreateThread, NtCreateThreadEx, Syscall, SyscallTest, Etwp) (default "CRT")
+      --use-api-hashing           Use API Hashing
+  -v, --version                   version for myph
 ```
 
 #### Loader Methods
@@ -91,13 +66,14 @@ This tool supports few methods for now, but aims to add more as time goes on:
 - Syscall
 - CreateFiber
 - CreateThread
+- NtCreateThreadEx
 - Process hollowing
 - EnumCalendarInfoA
 - CreateRemoteThread
 - EtwpCreateEtwThread
 - CreateRemoteThreadEx
 
-If you don't know what that is about, go check out [this repository](https://github.com/CMEPW/BypassAV) :)~
+If you don't know what that is about, go check out [this repository](https://github.com/matro7sh/BypassAV) :)~
 
 
 #### Example run

TODO.txt

@@ -1,17 +1,12 @@
 #############################
-####### ROADMAP 1.2.0 #######
+####### ROADMAP 1.2.3 #######
 #############################
 
 Misc:
     - support for loading API calls from PEB
-    - Refactoring CLI options to interfaces
     - Decrypt shellcode at the last possible time & split templates into trigger & prepare-payload functions
 
 
-Encoders:
-    - add support for SGN
-
-
 #############################
 ####### ROADMAP 1.3.0 #######
 #############################
@@ -22,12 +17,30 @@ Commands:
 Sleep / jitter:
     - Ekko
 
+Encoders:
+    - add support for SGN
 
-dll:
+
+Dll:
     - hijacking techniques (teams/onedrive)
 
 Misc:
     - indirect syscalls
     - support for dameonizing ?
     - introduce ppid spoofing ?
     - add support for passing arguments to payload from command-line
+
+
+#############################
+####### ROADMAP 1.4.0 #######
+#############################
+
+
+Misc:
+    - add support for attaching to new processes
+    - add support for multiple hashing algorithms for retrieving API calls through PEB
+    - add support for variable assignment randomization
+        -> should assign variables differently (as random as possible) in order to
+        have different signatures each time
+    - optionally implement sandbox checks
+

cli/defaults.go

@@ -18,8 +18,11 @@ func GetDefaultCLIOptions() Options {
 		SleepTime:       0,
 		PEFilePath:      "payload.exe",
 		VersionFilePath: "goversion.json",
+		WithDebug:       false,
 		BuildType:       "exe",
 		Persistence:     "",
+		UseAPIHashing:   false,
+		APIHashingType:  "DJB2",
 	}
 
 	return opts

cli/parser.go

@@ -43,17 +43,25 @@ const ASCII_ART = `
     `
 
 func BuildLoader(opts *Options) *exec.Cmd {
-    os.Setenv("GOOS", opts.OS)
-    os.Setenv("GOARCH", opts.Arch)
+	os.Setenv("GOOS", opts.OS)
+	os.Setenv("GOARCH", opts.Arch)
 	if opts.BuildType == "dll" {
 		os.Setenv("CGO_ENABLED", "1")
 		os.Setenv("CC", "x86_64-w64-mingw32-gcc")
 		fmt.Println("[*] Compiling payload as dll...")
 
+		if opts.WithDebug {
+			return exec.Command("go", "build", "-buildmode=c-shared", "-o", "payload.dll", ".")
+		}
+
 		return exec.Command("go", "build", "-buildmode=c-shared", "-ldflags", "-s -w -H=windowsgui", "-o", "payload.dll", ".")
 	} else if opts.BuildType == "exe" {
 		fmt.Println("[*] Compiling payload as executable...")
 
+		if opts.WithDebug {
+			return exec.Command("go", "build", "-o", "payload.exe", ".")
+		}
+
 		return exec.Command("go", "build", "-ldflags", "-s -w -H=windowsgui", "-o", "payload.exe", ".")
 	} else {
 		fmt.Printf("[!] Buildtype format not supported!")
@@ -63,7 +71,7 @@ func BuildLoader(opts *Options) *exec.Cmd {
 
 func GetParser(opts *Options) *cobra.Command {
 
-	version := "1.2.0"
+	version := "1.2.2"
 	var spoofMetadata = &cobra.Command{
 		Use:                "spoof",
 		Version:            version,
@@ -142,7 +150,7 @@ func GetParser(opts *Options) *cobra.Command {
 				os.Exit(1)
 			}
 
-			/* i got 99 problems but generating a random key aint one */
+			/* generating a random key if none are selected */
 			if opts.Key == "" {
 				opts.Key = tools.RandomString(32)
 			}
@@ -190,9 +198,6 @@ func GetParser(opts *Options) *cobra.Command {
 					panic(err)
 				}
 
-				fmt.Println("\n...downloading necessary library...")
-				fmt.Println("if it fails because of your internet connection, please consider using XOR or AES instead")
-
 				/* Running `go get "golang.org/x/crypto/chacha20poly1305"` in MYPH_TMP_DIR` */
 				execCmd := exec.Command("go", "get", "golang.org/x/crypto/chacha20poly1305")
 				execCmd.Dir = MYPH_TMP_DIR
@@ -207,9 +212,6 @@ func GetParser(opts *Options) *cobra.Command {
 					panic(err)
 				}
 
-				fmt.Println("\n...downloading necessary library...")
-				fmt.Println("if it fails because of your internet connection, please consider using XOR or AES instead")
-
 				/* Running `go get golang.org/x/crypto/blowfish in MYPH_TMP_DIR` */
 				execCmd := exec.Command("go", "get", "golang.org/x/crypto/blowfish")
 				execCmd.Dir = MYPH_TMP_DIR
@@ -224,6 +226,7 @@ func GetParser(opts *Options) *cobra.Command {
 				panic(err)
 			}
 
+			/* FIXME(djnn): this should not work like this but instead have a flag and an array of techniques like the rest */
 			persistData := ""
 			if opts.Persistence != "" {
 				persistData = fmt.Sprintf(`persistExecute("%s")`, opts.Persistence)
@@ -258,7 +261,7 @@ func GetParser(opts *Options) *cobra.Command {
 				panic(err)
 			}
 
-			templateFunc := loaders.SelectTemplate(opts.Technique)
+			templateFunc := loaders.SelectTemplate(opts.Technique, opts.UseAPIHashing, opts.APIHashingType)
 			if templateFunc == nil {
 				fmt.Printf("[!] Could not find a technique for this method: %s\n", opts.Technique)
 				os.Exit(1)
@@ -270,19 +273,33 @@ func GetParser(opts *Options) *cobra.Command {
 			}
 
 			fmt.Printf("\n[+] Template (%s) written to tmp directory. Compiling...\n", opts.Technique)
+
+			if opts.UseAPIHashing {
+				execGoGetCmd := exec.Command("go", "get", "github.com/Binject/debug/pe")
+				execGoGetCmd.Dir = MYPH_TMP_DIR
+				_, _ = execGoGetCmd.Output()
+			}
+
 			execCmd := BuildLoader(opts)
 			execCmd.Dir = MYPH_TMP_DIR
 
-			_, stderr := execCmd.Output()
+			var stderr error
+			_, stderr = execCmd.Output()
 
 			if stderr != nil {
+
+				command := "go build -ldflags \"-s -w -H=windowsgui\" -o payload.exe"
+				if opts.BuildType == "dll" {
+					command = "CGO_ENABLED=1 CC=x86_64-w64-mingw32-gcc go build -buildmode=c-shared -ldflags \"-s -w -H=windowsgui\" -o payload.dll"
+				}
+
 				fmt.Printf("[!] error compiling shellcode: %s\n", stderr.Error())
 				fmt.Printf(
 					"\nYou may try to run the following command in %s to find out what happend:\n\n GOOS=%s GOARCH=%s %s\n\n",
 					MYPH_TMP_DIR,
 					opts.OS,
 					opts.Arch,
-					"go build -ldflags \"-s -w -H=windowsgui\" -o payload.exe",
+					command,
 				)
 
 				fmt.Println("If you want to submit a bug report, please add the output from this command...Thank you <3")
@@ -308,12 +325,15 @@ func GetParser(opts *Options) *cobra.Command {
 	rootCmd.Flags().StringVarP(&opts.OutName, "out", "f", defaults.OutName, "output name")
 	rootCmd.Flags().StringVarP(&opts.ShellcodePath, "shellcode", "s", defaults.ShellcodePath, "shellcode path")
 	rootCmd.Flags().StringVarP(&opts.Target, "process", "p", defaults.Target, "target process to inject shellcode to")
-	rootCmd.Flags().StringVarP(&opts.Technique, "technique", "t", defaults.Technique, "shellcode-loading technique (allowed: CRT, CRTx, CreateFiber, ProcessHollowing, CreateThread, EnumCalendarInfoA, Syscall, Etwp)")
-	rootCmd.Flags().StringVarP(&opts.BuildType, "builtype", "b", defaults.BuildType, "define the output type (allowed: exe, dll)")
+	rootCmd.Flags().StringVarP(&opts.Technique, "technique", "t", defaults.Technique, "shellcode-loading technique (allowed: CRT, CRTx, CreateFiber, ProcessHollowing, CreateThread, NtCreateThreadEx, Syscall, SyscallTest, Etwp)")
 	rootCmd.Flags().VarP(&opts.Encryption, "encryption", "e", "encryption method. (allowed: AES, chacha20, XOR, blowfish)")
 	rootCmd.Flags().StringVarP(&opts.Key, "key", "k", "", "encryption key, auto-generated if empty. (if used by --encryption)")
 	rootCmd.Flags().UintVarP(&opts.SleepTime, "sleep-time", "", defaults.SleepTime, "sleep time in seconds before executing loader (default: 0)")
-	rootCmd.PersistentFlags().StringVarP(&opts.Persistence, "persistence", "z", defaults.Persistence, "name of the binary being placed in '%APPDATA%' and in 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' reg key (default: \"\")")
+	rootCmd.Flags().BoolVarP(&opts.WithDebug, "debug", "d", false, "builds binary with debug symbols")
+	rootCmd.Flags().BoolVarP(&opts.UseAPIHashing, "use-api-hashing", "", false, "Use API Hashing")
+	// TODO(djnn): re-add this flag once supported
+	// rootCmd.Flags().StringVarP(&opts.APIHashingType, "api-hashing-type", "", "DJB2", "Hashing algorithm used for API hashing")
+	rootCmd.Flags().StringVarP(&opts.Persistence, "persistence", "z", defaults.Persistence, "name of the binary being placed in '%APPDATA%' and in 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' reg key (default: \"\")")
 
 	spoofMetadata.Flags().StringVarP(&opts.PEFilePath, "pe", "p", defaults.PEFilePath, "PE file to spoof")
 	spoofMetadata.Flags().StringVarP(&opts.VersionFilePath, "file", "f", defaults.VersionFilePath, "manifest file path (as JSON)")