Generate droppers with encrypted payloads automatically.

Metsubushi


Introduction

This tool started out as a simple Python script. After discovering that Python just couldn't cut it for my intended use, I decided to learn Go and move the project to it. So far I'm quite happy with that decision.

This was born out of my completing Sektor7's malware essentials course. Metsubushi was meant to be a simple way of automating the generation of droppers, and I feel it has accomplished that, with a few bells and whistles added as the project progressed.

We're using the Go-donut package by Binject. Credit to those guys: Dan Borges and Symbol Crash were both helpful while I was developing this project. For anyone interested in this type of tooling it's worth checking the Binject GitHub repos and taking a look at Dan's book, Adversarial Tradecraft in Cybersecurity.


Usage

The flags for metsubushi are as follows:

-p <file>		Payload. Pass it a Windows binary or file containing raw shellcode.
-t <file>		Template. Pass the name of the template file you wish to generate a dropper from.
-o <file>		OutFile. The name you wish to give the generated dropper.
-a <arch>		Architecture. Either x86 or x64.
-d <args>		Donut. If present the payload will be put through Binject's Go-donut package.
-q				Quiet. Do not display ASCII art banner.

If you're using the in-built Go-donut shellcode generator you can customise the Donut configuration. The arguments are passed to Donut as a string which is then parsed into a configuration struct.

The Go-donut options are:

Module options
n=string		Module name. Generated at random if entropy is enabled.
u=url			URL. HTTP server that hosts the donut module.
e=num			Entropy. 1=disable, 2=use random names, 3=random names + symmetric encryption (default)

PIC/Shellcode options
a=string		Target Architecture: x32, x64, or x84
b=num			Bypass AMSI/WLDP : 1=skip, 2=abort on fail, 3=continue on fail.
y=address		Create a new thread for loader. Optionally execute original entrypoint of host process.
x=num			Exiting. 1=exit thread, 2=exit process

File options
c=string		Optional class name. (required for .NET DLL)
d=string		AppDomain name to create for .NET. Randomly generated by default with entropy enabled.
m=string		Optional method or API name for DLL. (a method is required for .NET DLL)
p=string		Optional parameters/command line inside quotations for DLL method/function or EXE.
w=true|false	Command line is passed to unmanaged DLL function in UNICODE format. (default is ANSI)
r=string		CLR runtime version. This will override the auto-detected version.
t=true|false	Create new thread for entrypoint of unmanaged EXE.
z=num			Pack/Compress file. 1=disable, 2=LZNT1, 3=Xpress, 4=Xpress Huffman

Example:

-d "a=x84,b=3,x=1"

This would set Arch to x84, Bypass to setting 3, and ExitOpt to exit thread.
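As an added illustration (not Metsubushi's or go-donut's own code), the snippet below shows how a -d option string in the format above can be parsed into a struct while rejecting unknown keys and values outside the documented ranges, rather than silently dropping them. The DonutOpts type, its field names and the handled subset of keys are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// DonutOpts is a hypothetical struct mirroring a subset of the documented
// option keys; it is not go-donut's configuration type.
type DonutOpts struct {
	Arch    string // a= (x32, x64 or x84)
	Bypass  int    // b= (1..3)
	ExitOpt int    // x= (1..2)
	Entropy int    // e= (1..3, documented default 3)
	Module  string // n=
}

// ParseDonutOpts parses "a=x84,b=3,x=1"-style input. Keys not present keep
// their zero value, except Entropy, whose documented default is 3.
func ParseDonutOpts(s string) (DonutOpts, error) {
	opts := DonutOpts{Entropy: 3}
	limits := map[string]int{"b": 3, "x": 2, "e": 3} // upper bound per numeric key
	for _, field := range strings.Split(s, ",") {
		field = strings.TrimSpace(field)
		if field == "" {
			continue
		}
		k, v, ok := strings.Cut(field, "=")
		if !ok {
			return DonutOpts{}, fmt.Errorf("malformed option %q", field)
		}
		switch k {
		case "a":
			if v != "x32" && v != "x64" && v != "x84" {
				return DonutOpts{}, fmt.Errorf("unsupported arch %q", v)
			}
			opts.Arch = v
		case "b", "x", "e":
			n, err := strconv.Atoi(v)
			if err != nil || n < 1 || n > limits[k] {
				return DonutOpts{}, fmt.Errorf("option %s must be 1..%d, got %q", k, limits[k], v)
			}
			switch k {
			case "b":
				opts.Bypass = n
			case "x":
				opts.ExitOpt = n
			default:
				opts.Entropy = n
			}
		case "n":
			opts.Module = v
		default:
			return DonutOpts{}, fmt.Errorf("unknown option key %q", k)
		}
	}
	return opts, nil
}

func main() {
	opts, err := ParseDonutOpts("a=x84,b=3,x=1") // the example string from the text
	fmt.Printf("%+v err=%v\n", opts, err)
}
```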

Owner
ByteJunkies