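--- a/Makefile
+++ b/Makefile
@@ -1,11 +1,11 @@
-BOFNAME := freeBokuLoader
+BOFNAME := freeMetsrvLoader
 CC_x64 := x86_64-w64-mingw32-gcc
 CC_x86 := i686-w64-mingw32-gcc
 STRIP_x64 := x86_64-w64-mingw32-strip
 STRIP_x86 := i686-w64-mingw32-strip
 OPTIONS := -masm=intel -Wall -I include
 
-freeBokuLoader: clean
+freeMetsrvLoader: clean
 	$(CC_x64) -c source/entry.c -o dist/$(BOFNAME).x64.o $(OPTIONS) -DBOF
 	$(STRIP_x64) --strip-unneeded dist/$(BOFNAME).x64.o
 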
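--- a/README.md
+++ b/README.md
@@ -1,14 +1,16 @@
-# freeBokuLoader
+# freeMetsrvLoader
 
-A simple BOF that tries to free the memory region where the User Defined Reflective Loader is stored.
+Fork of freeBokuLoader which targets and frees Metsrv's initial reflective DLL package
 
-As the name implies, it was tested against [BokuLoader](https://github.com/boku7/BokuLoader), but should work with most if not all UDRLs.
-
-![](/images/example.png)
+![](/images/example_x64.png)
 
+![](/images/example_x86.png)
 
 ## Usage
+
 ```
-beacon> freeBokuLoader
+meterpreter> execute_bof freeMetsrvLoader.x64.o
 ```
 
+Can be automated with InitialAutoRunScript or AutoRunScript.
+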
  • dist/freeBokuLoader.x64.o
    Binary file.
  • dist/freeBokuLoader.x86.o
    Binary file.
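--- a/freeBokuLoader.cna
+++ b/freeBokuLoader.cna
@@ -1,29 +0,0 @@
-
-beacon_command_register(
-"freeBokuLoader",
-"Free/Remove the memory region where the User Defined Reflective Loader is.",
-"Usage: freeBokuLoader");
-
-alias freeBokuLoader {
- local('$handle $data $barch $username $args');
- $barch = barch($1);
-
- # pack the arguments
- $args = bof_pack($1, "");
-
- # read in the BOF file
- $handle = openf(script_resource("dist/freeBokuLoader $+ . $+ $barch $+ .o"));
- $data = readb($handle, -1);
- closef($handle);
-
- if(strlen($data) == 0)
- {
- berror($1, "could not read bof file");
- return;
- }
-
- # run
- btask($1, "freeBokuLoader BOF");
- beacon_inline_execute($1, $data, "go", $args);
-}
-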
  • images/example.png
  • images/example_x64.png
  • images/example_x86.png
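--- a/include/entry.h
+++ b/include/entry.h
@@ -2,6 +2,10 @@
 #include <windows.h>
 #include <winternl.h>
 
+#define MZ 0x5A4D
+#define MZ_MET_X64 0x52415A4D
+#define MZ_MET_X86 0x00E85A4D
+
 PVOID get_ip(VOID);
 
 BOOL free_udrl(VOID);
@@ -21,8 +25,6 @@
 #define RVA(type, base_addr, rva) (type)((ULONG_PTR) base_addr + rva)
 
 #define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 )
-
-#define MZ 0x5A4D
 
 #ifndef NT_SUCCESS
  #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)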
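Review bot: The two new constants MZ_MET_X64 and MZ_MET_X86 (new lines 6-7) carry no comment explaining that they are the first four bytes of the image read as a little-endian ULONG, i.e. the `MZ` word followed by two further bytes (0x41 0x52 and 0xE8 0x00 respectively), so a reader cannot tell where these values come from or when they might stop matching. Suggest a comment above them such as `/* first 4 bytes of the Metsrv reflective stub read as a little-endian ULONG: "MZ" plus the two bytes that follow; tied to the stub layout, re-verify after a Metasploit upgrade */`. Since the caller in source/entry.c now requires this full four-byte match instead of the plain MZ check, a stub whose trailing bytes differ is silently not recognised, which is worth stating alongside the constants. `MZ` is kept at new line 5; if nothing references it after this change, remove it rather than leave a constant that no longer reflects the check actually performed.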
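--- a/source/entry.c
+++ b/source/entry.c
@@ -109,7 +109,11 @@
  PIMAGE_NT_HEADERS pNtHeaders;
 
  // make sure the MZ magic bytes are valid
- if (*(PUSHORT)base_address == MZ)
+#if defined(_WIN64)
+ if (*(PULONG)base_address == MZ_MET_X64)
+#else
+ if (*(PULONG)base_address == MZ_MET_X86)
+#endif
  {
  pNtHeaders = RVA(
  PIMAGE_NT_HEADERS,
@@ -162,11 +166,11 @@
 {
  if (free_udrl())
  {
- PRINT("Removed the User Defined Reflective Loader :)");
+ PRINT("Metsrv's initial reflective DLL package removed!");
  }
  else
  {
- PRINT_ERR("Could NOT remove the User Defined Reflective Loader :(");
+ PRINT_ERR("Metsrv's initial reflective DLL package already cleaned (or perhaps could not be removed!)");
  }
 }
 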
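Review bot: The `#if defined(_WIN64)` / `#else` block at new lines 112-116 puts the architecture choice inside the function body where a single comparison would do; selecting the constant once in include/entry.h (`#define MZ_MET MZ_MET_X64` under `#if defined(_WIN64)`, `MZ_MET_X86` otherwise) leaves this site as `if (*(PULONG)base_address == MZ_MET)`, and the retained comment `// make sure the MZ magic bytes are valid` should then be reworded since the check now matches the four-byte Metsrv stub signature rather than the MZ word alone. The read also widens from PUSHORT to PULONG without a note; that is only safe if base_address always refers to at least four readable bytes, which this hunk does not show. In hunk 2 the new message at line 173 asserts the package was "already cleaned", but free_udrl is declared as returning BOOL, so the caller cannot distinguish "signature not found" from "free failed"; either word the message to what is actually known or make the two outcomes distinguishable to the caller. The functions enclosing both hunks begin outside the visible lines.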