This project forked from forrest-orr/artifacts-kit
Pseudo-malicious usermode memory artifact generator kit designed to easily mimic the footprints left by real malware on an infected Windows OS.
License: GNU General Public License v3.0
__ .__ _____ __ __ .__ __
_____ ________/ |_|__|/ ____\____ _____/ |_ | | _|__|/ |_
\__ \\_ __ \ __\ \ __\\__ \ _/ ___\ __\ | |/ / \ __\
/ __ \| | \/| | | || | / __ \\ \___| | | <| || |
(____ /__| |__| |__||__| (____ /\___ >__| |__|_ \__||__|
\/ \/ \/ \/
Malicious Memory Artifact Generator Kit v1.0 | Forrest Orr | 2020
REQUIRED
--alloc-type {dll-map-hollow|dll-load-hollow|txf-dll-map-hollow|private|mapped}
OPTIONAL
--payload-file <path>
--payload-type {PE|shellcode}
--exec-method {create-thread|call|ep-jmp-hook}
--stealth {wipe-headers|mirror-headers|rw-rx|dotnet|moat|peb-img-base}
--moat-size <size>
--hollow-dll-file <path>
--payload-file The file containing either the shellcode or PE to be used as an implant. If this is
not supplied by the user, the specified region type will still be allocated but not
implanted with any code.
--payload-type The type of code stored within the specified payload file. Must be a shellcode or
MZ PE. This parameter is required if a payload file is specified.
--alloc-type The way in which the dynamic memory used to hold the payload implant should be
created.
dll-map-hollow A view of an image section generated from a DLL in System32.
dll-load-hollow A DLL loaded via LoadLibrary from System32.
txf-dll-map-hollow A view of an image section generated from a transacted DLL from
System32 which has already been implanted with the payload.
private A region of private memory allocated via NtAllocateVirtualMemory
mapped A mapped view of a section derived from the Windows Page File.
--exec-method The method with which to call to the payload code after it has been implanted in the
specified memory region.
create-thread Execute the payload using the CreateThread API.
call Execute the payload using a regular CALL assembly instruction.
ep-jmp-hook Execute the payload via an inline JMP from the process EXE
entry point.
--stealth Optional obfuscations to the allocated region.
wipe-headers Overwrites the PE header of the payload in memory with 0's. Only
valid for PE payloads.
mirror-headers Preserves the original PE headers of a hollowed DLL after it is
implanted with a payload PE file. Only valid for a PE payload
using an image region type.
rw-rx Rather than directly allocate the implant region with +RWX
permissions, allocate it as +RW and set it to +RX afterward. Only
valid for private and mapped region types.
dotnet Only select DLLs with a .NET header during hollowing operations.
Only valid for image region types.
moat Pre-pad the allocated region proceeding the shellcode with 0s.
By default 1MB of padding is used. Not valid for shellcode
implants with hollowed DLLs. Cannot be used with TxF alloc type.
peb-img-base Updates the image base field of the PEB to point to the newly
allocated region.
--moat-size The size of the data moat to generate prior to the payload implant. Only required if
the moat stealth option is specified. Default size of 1MB.
--hollow-dll-file Manually specify the path of a DLL to use in conjunction with hollowing allocation
type. When this is not specified, a suitable DLL will randomly be selected from
the Windows directory or one of its subfolders.
EXAMPLES
Create a 32-bit shellcode implant within the .text section of a mapped 32-bit DLL image and execute it
using the CALL instruction:
ArtifactsKit32.exe --payload-type shellcode --payload-file Payloads\MsgboxShellcode32.bin --alloc-type dll-map-hollow
Create a 64-bit shellcode implant within a region of +RWX mapped page file memory at an offset +1MB
from its allocation base and execute it using the KERNEL32.DLL!CreateThread API:
ArtifactsKit64.exe --payload-type shellcode --payload-file Payloads\MsgboxShellcode64.bin --alloc-type mapped --stealth moat
Create a 32-bit PE implant on top of the mapped image memory of a 32-bit DLL image while preserving its
original headers, bootstrap and execute the payload PE IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint with a CALL.
ArtifactsKit32.exe --payload-type pe --payload-file Payloads\TestExe32.exe --alloc-type dll-map-hollow --stealth mirror-headers
Create a 64-bit PE implant within the mapped image memory of a modified TxF section of a 64-bit DLL
ie. phantom DLL hollowing and execute its IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint with a JMP hook from
the IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint of the artifact parent process:
ArtifactsKit64.exe --payload-type pe --payload-file Payloads\TestExe64.exe --alloc-type txf-dll-map-hollow --exec-method ep-jmp-hook
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.