Skip to content

Pseudo-malicious usermode memory artifact generator kit designed to easily mimic the footprints left by real malware on an infected Windows OS.

License

Notifications You must be signed in to change notification settings

forrest-orr/artifacts-kit

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

30 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

               __  .__  _____               __     __   .__  __   
_____ ________/  |_|__|/ ____\____    _____/  |_  |  | _|__|/  |_ 
\__  \\_  __ \   __\  \   __\\__  \ _/ ___\   __\ |  |/ /  \   __\
 / __ \|  | \/|  | |  ||  |   / __ \\  \___|  |   |    <|  ||  |  
(____  /__|   |__| |__||__|  (____  /\___  >__|   |__|_ \__||__|  
     \/                           \/     \/            \/         

Malicious Memory Artifact Generator Kit v1.0 | Forrest Orr | 2020

REQUIRED
 
--alloc-type {dll-map-hollow|dll-load-hollow|txf-dll-map-hollow|private|mapped}

OPTIONAL

--payload-file <path>
--payload-type {PE|shellcode}
--exec-method {create-thread|call|ep-jmp-hook}
--stealth {wipe-headers|mirror-headers|rw-rx|dotnet|moat|peb-img-base}
--moat-size <size>
--hollow-dll-file <path>


--payload-file      The file containing either the shellcode or PE to be used as an implant. If this is
                    not supplied by the user, the specified region type will still be allocated but not
                    implanted with any code.
--payload-type      The type of code stored within the specified payload file. Must be a shellcode or
                    MZ PE. This parameter is required if a payload file is specified.
--alloc-type        The way in which the dynamic memory used to hold the payload implant should be
                    created.
                    
                    dll-map-hollow      A view of an image section generated from a DLL in System32.
                    dll-load-hollow     A DLL loaded via LoadLibrary from System32.
                    txf-dll-map-hollow  A view of an image section generated from a transacted DLL from
                                        System32 which has already been implanted with the payload.
                    private             A region of private memory allocated via NtAllocateVirtualMemory
                    mapped              A mapped view of a section derived from the Windows Page File.
--exec-method       The method with which to call to the payload code after it has been implanted in the
                    specified memory region.
                    
                    create-thread       Execute the payload using the CreateThread API.
                    call                Execute the payload using a regular CALL assembly instruction.
                    ep-jmp-hook         Execute the payload via an inline JMP from the process EXE
                                        entry point.
--stealth           Optional obfuscations to the allocated region.

                    wipe-headers        Overwrites the PE header of the payload in memory with 0's. Only
                                        valid for PE payloads.
                    mirror-headers      Preserves the original PE headers of a hollowed DLL after it is
                                        implanted with a payload PE file. Only valid for a PE payload
                                        using an image region type.
                    rw-rx               Rather than directly allocate the implant region with +RWX
                                        permissions, allocate it as +RW and set it to +RX afterward. Only
                                        valid for private and mapped region types.
                    dotnet              Only select DLLs with a .NET header during hollowing operations.
                                        Only valid for image region types.
                    moat                Pre-pad the allocated region proceeding the shellcode with 0s.
                                        By default 1MB of padding is used. Not valid for shellcode
                                        implants with hollowed DLLs. Cannot be used with TxF alloc type.
                    peb-img-base        Updates the image base field of the PEB to point to the newly
                                        allocated region.                   
--moat-size         The size of the data moat to generate prior to the payload implant. Only required if
                    the moat stealth option is specified. Default size of 1MB.
--hollow-dll-file   Manually specify the path of a DLL to use in conjunction with hollowing allocation
                    type. When this is not specified, a suitable DLL will randomly be selected from
                    the Windows directory or one of its subfolders.
					
EXAMPLES

Create a 32-bit shellcode implant within the .text section of a mapped 32-bit DLL image and execute it
using the CALL instruction:

	ArtifactsKit32.exe --payload-type shellcode --payload-file Payloads\MsgboxShellcode32.bin --alloc-type dll-map-hollow
	
Create a 64-bit shellcode implant within a region of +RWX mapped page file memory at an offset +1MB
from its allocation base and execute it using the KERNEL32.DLL!CreateThread API:

	ArtifactsKit64.exe --payload-type shellcode --payload-file Payloads\MsgboxShellcode64.bin --alloc-type mapped --stealth moat
	
Create a 32-bit PE implant on top of the mapped image memory of a 32-bit DLL image while preserving its
original headers, bootstrap and execute the payload PE IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint with a CALL.

	ArtifactsKit32.exe --payload-type pe --payload-file Payloads\TestExe32.exe --alloc-type dll-map-hollow --stealth mirror-headers
	
Create a 64-bit PE implant within the mapped image memory of a modified TxF section of a 64-bit DLL
ie. phantom DLL hollowing and execute its IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint with a JMP hook from
the IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint of the artifact parent process:

	ArtifactsKit64.exe --payload-type pe --payload-file Payloads\TestExe64.exe --alloc-type txf-dll-map-hollow --exec-method ep-jmp-hook
	

About

Pseudo-malicious usermode memory artifact generator kit designed to easily mimic the footprints left by real malware on an infected Windows OS.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published