CHANGELOG ---------------------- [] * made compat.c great agein and using generic string factory * fixed bug in addStrEntry(...) for root section * using a centralised string factory for decrypting XOR'd strings * improved string decryption, more string sections and section marker (only for kernel32 funcs) * made tests/decrypter/disasm/loader_decrypt build optional * loader_decrypt uses additional dbg version * enumerate all logical devices and get some information + tests * _GetLogicalDriveStringsA, _GetDriveTypeA, _GetDiskFreeSpaceA, re-enabled anti av/debug * using generic and easy2use string decryption factory, added string decryption tester, upgraded hdr_crypt to add more information (struct/enum defines) * bintostr buf should be a const char* * always align encrypted XOR'd buffers to 4 byte (for now, might be changed to 8 in the future) * introduced string decryption factory * added release.exe target (uses DLL/LOADER86 without _DEBUG and _PRE_RELEASE), cleaned up loader.h/main.c * LOADER_X86 uses same section as debug version, `strip -R` may sometimes exit with a non-zero value (dunno why) * irc: private message (+binary,+buffered), bot control utils: is(space|upper|lower|alpha|digit) + __xbintostr(...) has newSizPtr arg * TODOs 'n TYPOs * using _VirtualFree in DLL for loader allocated memory * irc -> GetVolumeInfo(...) * fixed compat ptr check fail * missing important TODO * updated TODOs, encrypted SOCK(STR|CMD)s * disabled SO_RCVTIMEO (should not be less than the irc server PING time!) * using more flexible GETPROC(...) macro, added information gathering and shell execute code * using setsockopt(...) to set recv/send buffer_size/timeouts * removed vasprintf from compat (was a hell of a bugload), replaced it with mini_snprintf * added simple compat __xprintf(...) test * added MYASSERT_SILENT && windows null device * using CONTEXT_FULL instead of CONTEXT_CONTROL, initSocket(...) in NetThread and not before * removed unused ExitProcess(...), replaces GetProcessHeap(...) with HeapCreate(...) * FormatMessage is useless, added tests, code cleanup, TODO: fix Heap error (source currently unknown) * _SwitchToThread() + startThread(...) + hNetThread * irc testing /3 * irc testing /2 * moved SWITCH_ENDIANESS to utils.h and renamed it to SWAP_ENDIANESS32, also added 16 bit version, removed unused bswap(...) * irc testing * added back if non-mingw build * improved compat header, other include cleanups * new tool binary: ircmsg (test irc module) * new tool binary: ircmsg (test irc module) * compat include fixups (compat.h) is now *MAIN* header file * added irc module in DLL build + compat fixups * updated README && TODO * ported small irc bot * added `const` qualifier for code readability * iv/key in xor32n_pcbc_crypt_buf(...) should be const * patching works now from already encrypted/patched binaries * validating PE header e_lfanew (>=0x40 and <=0x80) * gimme more `comments` * loadmodule works now as expected * runbin works with current DLL * full dll encryption * removing fingerprints (GCC/LD version info) from all created miller binaries (dll/bin) * more readable code indentation * DLL loader patching: XOR key/iv gen, Loader Strings encryption * added rebuild warnings * full Multithreading enabled * dummy waits before it terminates (may be useful for multithreading tests) * DLL Multithreading support * added Thread/IPC functions * added warnings + names for thread/ipc functions * loader uses rep movsd instead if slower rep movsb * VirtualAlloc uses different PAGE_ACCESS flags * Removed unused loader data e.g. imageBase, sections adr/siz etc * DLL Encryption done (TODO: fix encryption of infected binaries, see source/patch.c) * removing *complete* DosStub * README/doc update * introduced new loader data: flags (DLL Flags) * patchLoader: String Encryption/Patching * string encryption works (TODO: PATCHING!) * pycrypt_test: check {plain|cipher}text length * bug fixed: wrong iv/key size in pycrypt * get 32 bit uint buffer * pyloader/pycrypt prep * cosmetics + pyloader macro funcs * file_crypt not used anymore, replaced with pycrypt * pycrypt+test * pycrypt: fixed memory leaks * pycrypt: fixed aes ctx alloc bug CMake: added crypt.c as dep (XOR) * better python module integration, pycrypt module init * patch loader section with dll data * removed unused infection video * added own GetProcAdr function * install *.bin files, rundll -> runbin * install *.bin files, rundll -> runbin * preparations for dll section encryption * preparations for dll section encryption * crypt dll with offset and size * crypt dll with offset and size * better host-tools building * better host-tools building * removed loader nops and use two different loaders (release and pre-release) * removed loader nops and use two different loaders (release and pre-release) * genShellcode accepts section as argument, removed loader_noPE32 build (useless in near future) * genShellcode accepts section as argument, removed loader_noPE32 build (useless in near future) * more loader targets, loader_base_enc * more loader targets, loader_base_enc * shellcode generator append mode * shellcode generator append mode * extended loader patching for NOPE32 builds (adrOfEntry,imageBase,sizOfImage,sizOfHeader) * extended loader patching for NOPE32 builds (adrOfEntry,imageBase,sizOfImage,sizOfHeader) * get binary data from PE32 e.g. imagebase, adrofentry, etc. * get binary data from PE32 e.g. imagebase, adrofentry, etc. * get objdump data like adrOfEntry, imageBase, etc. * get objdump data like adrOfEntry, imageBase, etc. * patchLoader.py uses generated pyloader.so to modify the loader trailer * patchLoader.py uses generated pyloader.so to modify the loader trailer * added infectable dummy_gui * added infectable dummy_gui * pyloader.so python module (patchLoader.py can access struct loader_x86_data easily) * pyloader.so python module (patchLoader.py can access struct loader_x86_data easily) * loader_base.exe: use w32miller.bin as dll payload * loader_base.exe: use w32miller.bin as dll payload * ivkeysize macro, dynamic stack memory reserve, rep movsd for string copy * ivkeysize macro, dynamic stack memory reserve, rep movsd for string copy * loader reserved stackmem can now modified by the dll * loader reserved stackmem can now modified by the dll * use pipes or stdout for debugging msgs * use pipes or stdout for debugging msgs * tell cmake about generated headers, compile pipe_(server|client) only if needed * tell cmake about generated headers, compile pipe_(server|client) only if needed * pipe_(server|client) output , use default miller path , strings , hdr crypt parses double (escape) backslash (..\\..) * pipe_(server|client) output , use default miller path , strings , hdr crypt parses double (escape) backslash (..\\..) * dont force user options, enable pipes options (-D_USE_PIPES=1) * dont force user options, enable pipes options (-D_USE_PIPES=1) * fixed ESI_PTRDLL and ESI_SIZDLL offsets, using faster rep movsb instead of slower __ldr_memcpy implementation * fixed ESI_PTRDLL and ESI_SIZDLL offsets, using faster rep movsb instead of slower __ldr_memcpy implementation * removing gcc fingerprint from distorm objects * removing gcc fingerprint from distorm objects * added simple named pipe server/client (future use in malware for app-to-user and app-to-app(IPC) communication) * added simple named pipe server/client (future use in malware for app-to-user and app-to-app(IPC) communication) * new loader prep.. * new loader prep.. * crypt.c tests * crypt.c tests * output host-tools{CMakeFiles, Makefile, etc} in ${BUILD_DIR}/host-tools instead of ${BUILD_DIR}/bin/host-tools * output host-tools{CMakeFiles, Makefile, etc} in ${BUILD_DIR}/host-tools instead of ${BUILD_DIR}/bin/host-tools * removed useless loader macros, additional pe loader tests * removed useless loader macros, additional pe loader tests * __attribute__((gcc_struct)) added (don't use ms_struct for this project!) * __attribute__((gcc_struct)) added (don't use ms_struct for this project!) * __printByteBuf allowed in tests for debugging purposes * __printByteBuf allowed in tests for debugging purposes * add print byte buffer option (aLOT output!) * add print byte buffer option (aLOT output!) * nasm: dynamic includes * nasm: dynamic includes * optimised host-tools cmakelists * optimised host-tools cmakelists * string (en|de)cryption fully works * string (en|de)cryption fully works * host-tools force target * host-tools force target * sub-cmake base build (host-tools) * sub-cmake base build (host-tools) * loader string decryption works * loader string decryption works * endmarker check + test * endmarker check + test * better error printing * better error printing * endmarker check/test, loader compensate _DEBUG instructions with NOPs * endmarker check/test, loader compensate _DEBUG instructions with NOPs * removed static lib build (not rly used) * removed static lib build (not rly used) * host tools got their chance, not needed in this directory anymore * host tools got their chance, not needed in this directory anymore * fixed typ0 * fixed typ0 * build host tools with source/tools/host/CMakeLists.txt, %include decrypter source (dont build two *.obj files since it fucks up my loader) * build host tools with source/tools/host/CMakeLists.txt, %include decrypter source (dont build two *.obj files since it fucks up my loader) * define _LOADER_MARKER for all modules * define _LOADER_MARKER for all modules * patcher prints now loader offset to console (if pre-release) * patcher prints now loader offset to console (if pre-release) * host tools CMakeLists (builds hdr_crypt && file_crypt for host system) * host tools CMakeLists (builds hdr_crypt && file_crypt for host system) * cmake encrypt loader strings prep, file_crypt searches for endmarker if -l missing * cmake encrypt loader strings prep, file_crypt searches for endmarker if -l missing * decrypter prep * decrypter prep * decrypter prep * decrypter prep * endmarker search + ldr dll crypt (does not modify loader) * endmarker search + ldr dll crypt (does not modify loader) * show argument in usage, prep for dll encryption * show argument in usage, prep for dll encryption * superfluous xor32n_pcbc_decrypter removed * superfluous xor32n_pcbc_decrypter removed * loader string encryption finally works * loader string encryption finally works * linux mmap'd file, encrypt loader strings * linux mmap'd file, encrypt loader strings * loader string encryption iv/key-size * loader string encryption iv/key-size * better binary diff (unified) * better binary diff (unified) * file_crypt encrypt loader strings option * file_crypt encrypt loader strings option * better hex string regex * better hex string regex * file crypter reads loader contents and encrypt loader strings, TODO: write part encrypted strings to disk * file crypter reads loader contents and encrypt loader strings, TODO: write part encrypted strings to disk * loader is now linux-gcc compatible, file_crypt uses endmarker * loader is now linux-gcc compatible, file_crypt uses endmarker * patchLoader shows marker offset * patchLoader shows marker offset * loader ENDMARKER is now more dynamicially e.g. it can be specified by cmake * loader ENDMARKER is now more dynamicially e.g. it can be specified by cmake * decrypter compilation for i386 target only (atm) * decrypter compilation for i386 target only (atm) * file crypter iv/key hex str arguments * file crypter iv/key hex str arguments * file crypter key/iv/offset/size prep * file crypter key/iv/offset/size prep * loader patching is now done by section name and endmarker * loader patching is now done by section name and endmarker * better loader patching (argument parsing, controlled output, etc) * better loader patching (argument parsing, controlled output, etc) * better decrypter output * better decrypter output * exported mapfile linux/mingw * exported mapfile linux/mingw * xor32n_pcbc asm x86 decrypter * xor32n_pcbc asm x86 decrypter * decrypter stuff * decrypter stuff * helper function module for tools * helper function module for tools * new module crypt.c: xor32 stuff, refactoring * new module crypt.c: xor32 stuff, refactoring * crypt module * crypt module * decrypter-asm/-tool skeleton * decrypter-asm/-tool skeleton * dll crypt done * dll crypt done * loader: prep for xor32 string encryption * loader: prep for xor32 string encryption * objdump should not ignore zeroes, loader byte pad * objdump should not ignore zeroes, loader byte pad * patchLoader.py modifies loader conforming to loader_x86.h * patchLoader.py modifies loader conforming to loader_x86.h * dll encryption preparations * dll encryption preparations * dont patch instructions which changes eip and uses relative addressing (will be fixed in the future, TODO) * dont patch instructions which changes eip and uses relative addressing (will be fixed in the future, TODO) * halfByte should be 1 byte (uchar) small instead of 4 bytes (int) * halfByte should be 1 byte (uchar) small instead of 4 bytes (int) * added objdump command output + todo * added objdump command output + todo * xor32n_pcbc_decrypt_buf * xor32n_pcbc_decrypt_buf * xor32n_pcbc encryption works * xor32n_pcbc encryption works * xor32pcbc (en|de)cryption * xor32pcbc (en|de)cryption * fixed bintostr halfbyte calc bug (wrong typesize) * fixed bintostr halfbyte calc bug (wrong typesize) * xor32 (en|de)cryption * xor32 (en|de)cryption * fixed issues on ubuntu * fixed issues on ubuntu * better output * better output * mem.c not used anymore except for XMemAlign * mem.c not used anymore except for XMemAlign * dynamically generate (DLL|DLL)SECTION from include/xor_strings.h * dynamically generate (DLL|DLL)SECTION from include/xor_strings.h * anti(debug|vm) is now disabled if pre-release * anti(debug|vm) is now disabled if pre-release * fixed invalid ptr free * fixed invalid ptr free * malware dll injection testvideo * re-alloc bugfix for bAddSection * compat cosmetics + GetCurrentProcessId,AttachConsole for Pre-Releases, added definitions deny including some annoying header files * cosmetics + latex work sample (for presentation purposes) * markdown brainfuck * typ0 * changelog, markdown cosmetics * cosmetics + set number of simlultaneous build jobs in deps/makedeps.sh * cosmetics * README.md update * display correct filename * anti vm counter measures, LoadLibraryA support, generate random hex string * fixed cmake deps, 'get miller section from include'-script * comments * Xor32 hash gen * get miller dll section name dynamically from include/xor_strings.h * fixed wrong header include * multijob build errors fixed * fixed shellcode bug (hardcoded path), some basic error detection * cmake support for out-of-source-dir builds * moved genhash,randstring to utils, dll needs it too * basic irc bot modified (WSA compat) * changed section names, dll_crypt cleanup * added irc bot stub (needs definitly some modification e.g. support threads?) * base64 encode * fixed wrong pe-hdr calculations, patching support works, loader struct initialised correctly * README update * CHANGELOG, CONTRIBUTING.md visuals * README, TODO, DOC update * basic code injection/patching works * OffsetToRva(...), PtrToOffset(...), PtrToRva(...), added test cases * print a binary buffer * added some useless bytes to the loader (so it can be dissambled correctly) * disabled nasm optimisations * fixed shellcode gen bug * cmake depend+custom cmd fix * gpg encrypt git archive * update README /4 * update README /3 * update REAMDE /2 * update README * cmake improvments, genShellcode supports multiprocess build job * fixed aes for x64 hosts * loader decrypter, cmake improvments, preparation for aes.c compilation on x64 systems * mingw compat header not useable, crypt compile under gnu linux, aes/utils does not require mingw to compile * build log + timestamps * build host gcc (non-mingw), used for pre-compile encryption + gcc4.9.4 * cmake stuff * build log + timestamps * cmake stuff /11 * cmake stuff /10 * build host gcc (non-mingw), used for pre-compile encryption * cmake stuff /9 * cmake stuff /8 * cmake stuff /7 * cmake stuff /6 * cmake stuiff /5 * cmake stuff /4 * cmake stuff /3 * cmake stuff /2 * cmake stuff * use ${PYTHON} binary * bump to Python-2.7.13 * multiplatform compatiblity * python2.7 deps * added mingw compat for non mingw builds * colored output * install stripped deps * added flex dep for wine * stable nasm release 2.12.02 * added (wine|nasm) build (wine and flex>2.6.1 breaks build) * added sysroot/${MINGW} to $PATH * additional checks (e.g. alrdy configured) * fixed `set -e` -> BASH_EXITONFAIL check * comments + format fix * pe + patch stuff * print GetLastError() * rundll can now load the module at a given address (force relocation!) * added nopsleds + loader struct * updated CHANGELOG * patchJMP * added bswap inline func (gcc builtin) * _MILLER_IMAGEBASE macro ifdef, bAddSection(...) checks if section alrdy exists * fixed README typ0, fixed loader_base format string * added PE related tests * basic binary patch enviroment * binary patcher skeleton * renamed TODO.txt * Add contribution guide * Add license * generated changelog * added markdown README * todo + basic doc * added additional debug check * added GetLastError after execution * linker script: dont sort sections, changed miller ldflags (linker map etc) * moved unused tools to tools/old * loader forces dll to relocate if _MILLER_IMAGEBASE is set * pe relocation should finally work * fixed VirtualAlloc, it overwrites ecx (sizeof malwareDLL) * crt fix for returned dll value (0xdeadc0de) * .idata and .edata should stay in both miller dlls so windows api LoadLibrary(...) will accept it * manual dll relocation work in progress * dont use file alignment because windows loader doesnt like it, pre release keeps .edata and .idata, crt checks now if started by loader or LoadLibrary(...) * disabled -Wl,--file-alignment, windows loader does not like it * loadmodule forces loaded malware dll to relocate * fixed broken dll reloc section -,- * -ffreestanding * whitespaces.. * loadmodule bin * loader VirtualAlloc without specific base address if previously failed * fixed header size check, improved bAddSection(...), cmake_strip * loader decryption, anti-debug * fixed loader_base stuff, rundll shows return value now in hex&&dec * python scripts should return a non-zero value on a fatal err, removed unused win batch script * lightwight x86-64 decoding works * config fix * build mingw64 from scratch /2 * build mingw64 from scratch * make dependencies (mingw64 ..) * linker script changes * internal x86-asm decoding * python script removing DOS header stub + unused header values * loader runtime decryption * embedded loader shellcode in malware dll * crypt editable define keyname * fixed aes encrypt buffer size, build tests with default linker script * encrypt escaped c strings (e.g. \xFF\x90\x00 ...), loader shellcode encryption * section xor macros * loader vars * pe section (writeable/executable) * disasm decode internal * smth * minimalized linker script * improved file handling && pe infection * +SetFilePointer,GetLastError && format(...) realloc ptr fail * fixed compatibility malfunction during tests ( missing a few COMPAT(...) ) * custom gnu linker script .. * merge text and rdata segments * fixed compile errors * libw32miller distorm link, disasm distorm interface, disasm tool * distorm disasm tool * distorm tests * changed compat format (%lu & %ld is now 64 bit wide), added compat (v)asprintf * bether cmake cmds, distorm testing wip * distorm integrated, testing .. * distorm assembler * export function pointer to struct * encode register * mnemonic parser * moved header files to header directory * aes dynamic memory ilog/sbox * generate loader shellcode, winapi function name encryption * string encryption done * compile string encryption (xor) * added stack-based xor crypt support (dynamic mem alloc not neccessary) * added XOR string encryption and pre-compile header generation * check for wine+python * added compat * aescrypt encrypts string before dll compilation * aescrypt skeleton + aes randomkey * asm + aes * added basic asm (en|de)coder and test * added 0xdeadc0de as loader end marker * support changeable loader section for loader_base testing * optimized * python patch script (patching test loader, loader_base) * malware dll injection * -,- * infection works * added CMake rule (build allowed in topdir only) added project config in top cmake dll sets and gets image base * fixed rundll bug (import data directory NULL), nullExportTable nulls import table too * fixed wrong register assignment in rundll, dont use ExitProcess() in main anymore * done * loader + crt works, 3 more idata functions needs to be resolved manually * loader memcpy header/sections (theres an error somewhere ..) * major loader fixes * get address of GetProcAddress from kernel32 export table through PEB->Ldr * better string loading and stack layout * get kernel base adr from PEB with pre calculated hash * CRT works now correct (exits __start subroutine if __main returns NULL) * fixed .miller section address (win7 does not like not-continuos sections ;) * loader reads all necessary pe data, added nasm cmake compile flags * updated TODO * codeblock not supported anymore .. * loadlib is now obsolete.. * loader read pe (1/2) * fixed custom command bug * doin da loada * loader stuff .. * removing rdata$zzz manually with objcopy * be less verbose * print imported libs from pe * prerelease target * codeblocks fix * *.nasm -> *.asm * added tools cmake * better gcc fingerprint removing, CMakeLists compiles nasm sources * removed libudis86 .. * renamed src to source * better compat testing + cmake tests * tests cmake * added libudis disasm as base for encoder * cmake compatibility, cz codeblocks sucks * cmake compatibility, cz codeblocks sucks * CMake compatible.. * new target: base relocations * remove linker major+minor version, infector todo, loader stub * pe section injection * fixed null-byte error in compat testing, some asm stuff, removed uselss pe infection routines * binary diff * LOG_MARKER uses now printf_ex, python script zeros unused export table * format_ex, printf_ex compat works * dont use `unsigned long long int` as function parameter ... -_- * fixed (u)lltoa * cbp2mk not needed anymore .. * (u)lltoa * using brctl is so much fun * math, meth, magic * yo_mama * m0w * fu * miller is now relocatable * compat * str* tests * m0w * m0wL * dummy blah * removing gcc fingerprint finished * need to fix removeGccVersion.py on devlap.. * blablatest * blubb * compat * tests * py * target test * test, loadlib * codeblocks targets finally working * happy nightmares * merry xmas * m0wL * muh * blubb * blubb * blah * section adder + codeblock project file * ReadPEFile, Next: ReadSections * initial commit