Metsubushi
Introduction
This tool started out as a simple Python script. After discovering Python just couldn't cut it for my intended use I decided to learn and move to Golang. So far I'm quite happy with that decision.
This was born out of my completing Sektor7's malware essentials course. Metsubushi was supposed to be a simple way of automating the generation of droppers. I feel it's accomplished that, with a few bells and whistles added as the project progressed.
We're using the Go-donut package by Binject. Credit to those guys: Dan Borges and Symbol Crash were both helpful while I have been developing this project. For anyone interested in this type of tooling it's worth checking the Binject GitHub repos, and taking a look at Dan's book: Adversarial Tradecraft in Cybersecurity.
Usage
The flags for metsubushi are as follows:
-p <file> Payload. Pass it a Windows binary or file containing raw shellcode.
-t <file> Template. Pass the name of the template file you wish to generate a dropper from.
-o <file> OutFile. The name you wish to give the generated dropper.
-a <arch> Architecture. Either x86 or x64.
-d <args> Donut. If present, the payload will be put through Binject's Go-donut package.
-q Quiet. Do not display ASCII art banner.
If you're using the in-built Go-donut shellcode generator, you can customise the Donut configuration. The arguments are passed to Donut as a single comma-separated string of key=value pairs, which is then parsed into a configuration struct.
The Go-donut options are:
Module options
n=string Module name. Generated at random if entropy is enabled.
u=url URL. HTTP server that hosts the donut module.
e=num Entropy. 1=disable, 2=use random names, 3=random names + symmetric encryption (default)
PIC/Shellcode options
a=string Target Architecture: x32, x64, or x84
b=num Bypass AMSI/WLDP: 1=skip, 2=abort on fail, 3=continue on fail.
y=address Create a new thread for loader. Optionally execute original entrypoint of host process.
x=num Exiting. 1=exit thread, 2=exit process
File options
c=string Optional class name. (required for .NET DLL)
d=string AppDomain name to create for .NET. Randomly generated by default with entropy enabled.
m=string Optional method or API name for DLL. (a method is required for .NET DLL)
p=string Optional parameters/command line inside quotations for DLL method/function or EXE.
w=true|false Command line is passed to unmanaged DLL function in UNICODE format. (default is ANSI)
r=string CLR runtime version. This will override the auto-detected version.
t=true|false Create new thread for entrypoint of unmanaged EXE.
z=num Pack/Compress file. 1=disable, 2=LZNT1, 3=Xpress, 4=Xpress Huffman
Example:
-d "a=x84,b=3,x=1"
This would set Arch to x84, Bypass to setting 3 (continue on fail), and ExitOpt to 1 (exit thread).
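As an added illustration of the option-string format described above (this is not Metsubushi's or go-donut's own code; the DonutOpts struct is a hypothetical stand-in for the real configuration struct, and defaults other than e=3 are not taken from the page), here is a parser that rejects unknown keys and out-of-range values instead of silently ignoring a typo:

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// DonutOpts is a hypothetical stand-in for the real go-donut config struct.
// Zero values mean "not given on the -d string"; only Entropy has a documented default (3).
type DonutOpts struct {
	Arch    string // a= : x32, x64 or x84
	Bypass  int    // b= : 1=skip, 2=abort on fail, 3=continue on fail
	ExitOpt int    // x= : 1=exit thread, 2=exit process
	Entropy int    // e= : 1=disable, 2=random names, 3=names + encryption
}

// ParseDonutOpts parses a -d string such as "a=x84,b=3,x=1".
// Every key is validated so a mistyped option cannot yield unintended settings.
func ParseDonutOpts(s string) (DonutOpts, error) {
	opts := DonutOpts{Entropy: 3}
	limits := map[string]int{"b": 3, "x": 2, "e": 3} // highest legal value per numeric key
	for _, kv := range strings.Split(s, ",") {
		kv = strings.TrimSpace(kv)
		if kv == "" {
			continue
		}
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			return opts, fmt.Errorf("option %q is not key=value", kv)
		}
		key, val := parts[0], parts[1]
		switch key {
		case "a":
			if val != "x32" && val != "x64" && val != "x84" {
				return opts, fmt.Errorf("a=%s: arch must be x32, x64 or x84", val)
			}
			opts.Arch = val
		case "b", "x", "e":
			n, err := strconv.Atoi(val)
			if err != nil || n < 1 || n > limits[key] {
				return opts, fmt.Errorf("%s=%s: must be a number from 1 to %d", key, val, limits[key])
			}
			switch key {
			case "b":
				opts.Bypass = n
			case "x":
				opts.ExitOpt = n
			default:
				opts.Entropy = n
			}
		default:
			return opts, fmt.Errorf("unknown option %q", key)
		}
	}
	return opts, nil
}
```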