Metsubushi
Sight-taker/closer of eyes
Introduction
This tool started out as a simple Python script. After discovering Python just couldn't cut it for my intended use I decided to learn and move to Golang. So far I'm quite happy with that decision.
This was borne from me having completed Sektor7's Malware Essentials course. Metsubushi was supposed to be a simple way of automating the generation of droppers. I feel it's accomplished that with a few bells and whistles added as the project progressed.
We're using the Go-donut package by Binject. Credit to those guys - Dan Borges and Symbol Crash were both helpful while I have been developing this project. For anyone interested in this type of tooling it's worth checking the Binject GitHub repos, and taking a look at Dan's book: Adversarial Tradecraft in Cybersecurity.
You can obfuscate the generated implant binary with the Garble Golang obfuscator and spoof code signing with Limelighter. See requirements below.
In the v0.2a update I've added the ability to build DLL binaries; however, this feature depends on having a compatible template file. Examples will be added eventually, but for now you will need to create these yourselves. template.go can be used as somewhat of a skeleton for building your own templates to generate from; the important part is the decryption, beyond that you can fashion them however you wish.
Credits:
- C-Sto's BananaPhone - I've butchered one of his examples for my basic template.
- Binject's Go-Donut implementation - Does the heavy-lifting for PIC shellcode generation.
- Optiv's Scarecrow project and Tylous' Limelighter project - Responsible for the code signing magic.
OPSEC NOTE: When using code signing, avoid using Microsoft domains as Defender has a habit of sniffing those out. Credit to @AffineSec for pointing it out.
Installation
Requirements for Metsubushi are:
Go compiler
- Obviously?! https://golang.org/
Garble
- Go obfuscator. https://github.com/burrowers/garble
openssl
- For Limelighter binary signing functions
osslsigncode
- For Limelighter binary signing functions
To install Metsubushi just run:
go install github.com/Bytejunkies-co-uk/metsubushi@latest
Usage
The flags for metsubushi are as follows:
-p <file> Payload. Pass it a Windows binary or file containing raw shellcode.
-t <file> Template. Pass the name of the template file you wish to generate a dropper from.
-b <build> Build type. 0 = EXE (default), 1 = DLL.
-o <file> OutFile. The name you wish to give the generated dropper.
-a <arch> Architecture. Either x86 or x64.
-d <args> Donut. If present the payload will be put through Binject's Go-donut package.
-s <domain> Sign implant using Limelighter library. Provide the domain to spoof cert from. Eg. www.microsoft.com
-g Use Garble obfuscator to generate the implant binary.
-q Quiet. Do not display ASCII art banner.
If you're using the Go-donut shellcode generator option (from Binject) you can customise the Donut configuration. The arguments are passed to Donut as a string which is then parsed into a configuration struct.
The Go-donut options are:
Module options
n=string Module name. Generated at random if entropy is enabled.
u=url URL. HTTP server that hosts the donut module.
e=num Entropy. 1=disable, 2=use random names, 3=random names + symmetric encryption (default)
PIC/Shellcode options
a=string Target Architecture: x32, x64, or x84
b=num Bypass AMSI/WLDP: 1=skip, 2=abort on fail, 3=continue on fail.
y=address Create a new thread for loader. Optionally execute original entrypoint of host process.
x=num Exiting. 1=exit thread, 2=exit process
File options
c=string Optional class name. (required for .NET DLL)
d=string AppDomain name to create for .NET. Randomly generated by default with entropy enabled.
m=string Optional method or API name for DLL. (a method is required for .NET DLL)
p=string Optional parameters/command line inside quotations for DLL method/function or EXE.
w=true|false Command line is passed to unmanaged DLL function in UNICODE format. (default is false)
r=string CLR runtime version. This will override the auto-detected version.
t=true|false Create new thread for entrypoint of unmanaged EXE. (default is false)
z=num Pack/Compress file. 1=disable, 2=LZNT1, 3=Xpress, 4=Xpress Huffman
Example:
-d "a=x84,b=3,x=1"
This would set Arch to x84, Bypass to setting 3, and ExitOpt to exit thread.
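To show what that "string parsed into a configuration struct" step has to do, here is an added Go example written for this README; it is not Metsubushi's or go-donut's own parser, and DonutOpts, ParseDonutArgs and splitOptions are names chosen here rather than go-donut's real config type. It maps each documented key to a field, rejects unknown keys and out-of-range values instead of silently ignoring them, and keeps a quoted p= command line containing commas as one value:

```go
package main

// Added example for this README, not Metsubushi's or go-donut's own code.
// Parses a -d option string such as "a=x84,b=3,x=1" into a struct while
// checking every key and value against the option list documented above.

import (
	"fmt"
	"strconv"
	"strings"
)

// DonutOpts has one field per documented key; names are this example's own.
type DonutOpts struct {
	ModuleName, URL, Arch, Entry, Class, AppDomain, Method, Params, Runtime string // n u a y c d m p r
	Entropy, Bypass, ExitOpt, Compress                                     int    // e b x z
	Unicode, Thread                                                        bool   // w t
}

// splitOptions splits on commas that are not inside double quotes.
func splitOptions(s string) []string {
	var fields []string
	var cur strings.Builder
	inQuote := false
	for _, r := range s {
		switch {
		case r == '"':
			inQuote = !inQuote
			cur.WriteRune(r)
		case r == ',' && !inQuote:
			fields = append(fields, cur.String())
			cur.Reset()
		default:
			cur.WriteRune(r)
		}
	}
	return append(fields, cur.String())
}

// intInRange parses val as an integer and checks it lies in [lo, hi].
func intInRange(key, val string, lo, hi int) (int, error) {
	n, err := strconv.Atoi(val)
	if err != nil || n < lo || n > hi {
		return 0, fmt.Errorf("option %s: expected a number from %d to %d, got %q", key, lo, hi, val)
	}
	return n, nil
}

// ParseDonutArgs returns the parsed options or the first error found.
func ParseDonutArgs(s string) (DonutOpts, error) {
	opts := DonutOpts{Entropy: 3} // 3 is the documented entropy default
	if strings.TrimSpace(s) == "" {
		return opts, nil
	}
	plain := map[string]*string{ // free-form string options
		"n": &opts.ModuleName, "u": &opts.URL, "y": &opts.Entry, "c": &opts.Class,
		"d": &opts.AppDomain, "m": &opts.Method, "r": &opts.Runtime,
	}
	for _, field := range splitOptions(s) {
		kv := strings.SplitN(field, "=", 2)
		if len(kv) != 2 {
			return opts, fmt.Errorf("malformed option %q: expected key=value", field)
		}
		key, val := strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1])
		var err error
		if dst, ok := plain[key]; ok {
			*dst = val
			continue
		}
		switch key {
		case "e":
			opts.Entropy, err = intInRange(key, val, 1, 3)
		case "a":
			if val != "x32" && val != "x64" && val != "x84" {
				err = fmt.Errorf("option a: expected x32, x64 or x84, got %q", val)
			}
			opts.Arch = val
		case "b":
			opts.Bypass, err = intInRange(key, val, 1, 3)
		case "x":
			opts.ExitOpt, err = intInRange(key, val, 1, 2)
		case "p":
			opts.Params = strings.Trim(val, `"`) // documented as given inside quotations
		case "w":
			opts.Unicode, err = strconv.ParseBool(val)
		case "t":
			opts.Thread, err = strconv.ParseBool(val)
		case "z":
			opts.Compress, err = intInRange(key, val, 1, 4)
		default:
			err = fmt.Errorf("unknown option %q", key)
		}
		if err != nil {
			return opts, err
		}
	}
	return opts, nil
}
```

Failing closed on an unknown key or a value outside the documented range is the point: a typo in the -d string should stop the build rather than quietly produce a module configured differently from what you asked for.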
NOTE: It is a good idea to inspect all generated implants with Redress and to test the binary in a lab environment.