Matryoshka loader is a tool that red team operators can leverage to generate shellcode for Microsoft Office document phishing payloads.

Overview

Matryoshka loader is a tool that red team operators can leverage to generate egghunter shellcode that bypasses the size limitations and performance issues commonly associated with VBA or Excel 4.0 macro payloads when building Microsoft Office documents for targeted phishing attacks.

Usage

The builder supports the following set of arguments. The user must supply an egg value along with the target architecture for the egghunter shellcode. When invoked, the egghunter searches the process memory for the egg, copies it to RWX memory, and then transfers control to it.

usage: matryoshka.py [-h] -s SHELLCODE -a ARCHITECTURE -o OUTPUT_SHELLCODE -e OUTPUT_EGG [-n]

Matryoshka Loader Shellcode Generator

optional arguments:
  -h, --help            show this help message and exit
  -s SHELLCODE, --shellcode SHELLCODE
                        Path to shellcode file
  -a ARCHITECTURE, --architecture ARCHITECTURE
                        Payload architecture to target (x86 or x86_64)
  -o OUTPUT_SHELLCODE, --output-shellcode OUTPUT_SHELLCODE
                        Path to write Matryoshka shellcode to
  -e OUTPUT_EGG, --output-egg OUTPUT_EGG
                        Path to write Egg value to
  -n, --no-spawn-thread
                        Do not spawn a new thread when running the stager (may cause stability issues)
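The RWX copy described above is the footprint a defender can look for. As an added example that is not part of the Matryoshka project, the following Python walks a target process's memory map with VirtualQueryEx and flags committed, private regions that are both writable and executable; the classification logic is plain Python so it can be exercised on constructed region values on any platform. The constants are the documented winnt.h values; the pid argument and the (base, size, protect) tuple format are this example's own choices.

```python
import ctypes
import sys
from ctypes import Structure, c_void_p, c_ulong, c_size_t

MEM_COMMIT = 0x1000                # documented winnt.h values
MEM_PRIVATE = 0x20000              # not backed by an image or mapped file
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010

class MEMORY_BASIC_INFORMATION(Structure):
    # Layout filled in by VirtualQueryEx; ctypes pads it correctly on x86 and x64.
    _fields_ = [("BaseAddress", c_void_p), ("AllocationBase", c_void_p),
                ("AllocationProtect", c_ulong), ("RegionSize", c_size_t),
                ("State", c_ulong), ("Protect", c_ulong), ("Type", c_ulong)]

def is_suspicious_region(state, protect, mem_type):
    """True for committed, private memory that is both writable and executable.
    The low byte of Protect holds the access level; PAGE_GUARD/PAGE_NOCACHE/
    PAGE_WRITECOMBINE are modifier bits above it and are masked off so a guarded
    RWX page is still reported. Image-backed sections (MEM_IMAGE) are excluded."""
    access = protect & 0xFF
    rwx = access in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)
    return state == MEM_COMMIT and mem_type == MEM_PRIVATE and rwx

def scan_process(pid):
    """Return (base, size, protect) for each suspicious region of pid. Windows only."""
    if sys.platform != "win32":
        raise OSError("VirtualQueryEx is only available on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = c_void_p
    k32.CloseHandle.argtypes = [c_void_p]
    k32.VirtualQueryEx.restype = c_size_t
    k32.VirtualQueryEx.argtypes = [c_void_p, c_void_p,
                                   ctypes.POINTER(MEMORY_BASIC_INFORMATION), c_size_t]
    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    hits, address, mbi = [], 0, MEMORY_BASIC_INFORMATION()
    try:
        # Walk the address space region by region until VirtualQueryEx fails.
        while k32.VirtualQueryEx(handle, c_void_p(address), ctypes.byref(mbi), ctypes.sizeof(mbi)):
            if is_suspicious_region(mbi.State, mbi.Protect, mbi.Type):
                hits.append((mbi.BaseAddress or 0, mbi.RegionSize, mbi.Protect))
            address = (mbi.BaseAddress or 0) + mbi.RegionSize
    finally:
        k32.CloseHandle(handle)
    return hits
```

Legitimate software (JIT engines, some packers) also allocates private RWX memory, so treat a hit as a lead to inspect rather than a verdict, and baseline the Office processes in your environment first.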

Directory Structure

Matryoshka consists of two primary components: the core loader, written in C, and the builder script, written in Python. The builder generates a preamble that handles the bootstrapping tasks needed to launch the core loader and passes an embedded configuration to it.

  • src: The src directory contains the source code for the core loader.
  • builder: The builder directory contains the source code for the builder.

References

[1] https://www.praetorian.com/blog/red-team-tooling-writing-custom-shellcode/

Owner
Praetorian
Comments
Added Create Thread Support

This branch adds support to the loader and builder to instruct Matryoshka to spawn the second-stage payload in a new thread. This support is needed for the loader to be compatible with Donut-generated payloads, which crash when executed using the main office thread (the reason is unclear).

The user can now specify the "-t" option to instruct Matryoshka to call "CreateThread" when running the second-stage payload. There is also a new Matryoshka flags 16-bit WORD added to the configuration file so we have room for adding additional flags and sandbox evasion checks. Currently, only one flag is used for the create thread option with 15 reserved bits remaining for additional options.
