From 8440872aba10af686160b73147e4ea99d97b4ade Mon Sep 17 00:00:00 2001 From: georgesotiriadis <40565316+georgesotiriadis@users.noreply.github.com> Date: Mon, 15 May 2023 16:25:27 +0300 Subject: [PATCH] Update README.md --- README.md | 36 ++++++++++++++++-------------------- 1 file changed, 16 insertions(+), 20 deletions(-) diff --git a/README.md b/README.md index 69f7114..cdf2d9a 100644 --- a/README.md +++ b/README.md 
@@ -2,19 +2,18 @@ -![](Files/0_create%20a%20logo%20that%20represents%20chimera%20creature%20of%20_esrgan-v1-x2plus(1).png) +![](Images/Chimera.png) - ## Tool Background  * * * While DLL sideloading can be used for legitimate purposes, such as loading necessary libraries for a program to function, it can also be used for malicious purposes. Attackers can use DLL sideloading to execute arbitrary code on a target system, often by exploiting vulnerabilities in legitimate applications that are used to load DLLs. -To automate the DLL sideloading process and make it more effective, Chimera was created a tool that include evasion methodologies to bypass EDR/AV products. These tool can automatically encrypt a shellcode via XOR with a random key and create template files that can be imported into Visual Studio to create a malicious DLL. +To automate the DLL sideloading process and make it more effective, Chimera was created a tool that include evasion methodologies to bypass EDR/AV products. These tool can automatically encrypt a shellcode via XOR with a random key and create template Images that can be imported into Visual Studio to create a malicious DLL. -The tool automatically encrypts a shellcode via XOR with a random key and creates template files which can then be imported into Visual Studio to create a malicious DLL. +The tool automatically encrypts a shellcode via XOR with a random key and creates template Images which can then be imported into Visual Studio to create a malicious DLL. Also Dynamic Syscalls from SysWhispers2 is used and a modified assembly version to evade the pattern that the EDR search for, Random nop sleds are added and also registers are moved. Furthermore Early Bird Injection is also used to inject the shellcode in another process which the user can specify with Sandbox Evasion mechanisms like HardDisk check & if the process is being debugged. 
Finally Timing attack is placed in the loader which using waitable timers to delay the execution of the shellcode. @@ -41,14 +40,11 @@ Someone can create userenv.dll which is a missing DLL from Microsoft Teams and i `⁠%USERPROFILE%/Appdata/local/Microsoft/Teams/current` - For Microsoft OneDrive the script uses version DLL which is common because its missing from the binary example onedriveupdater.exe - ### Chimera Usage. -* * * `python3 ./chimera.py met.bin chimera_automation notepad.exe teams` 
@@ -90,23 +86,23 @@ Step 1: Creating a New Visual Studio Project with DLL Template -![](Files/image.png) +![](Images/image.png) -![](Files/image%202.png) +![](Images/image%202.png) -Step 2: Importing Files into the Visual Studio Project +Step 2: Importing Images into the Visual Studio Project -1. Locate the "chimera\_automation" folder containing the necessary files. -2. Open the folder and identify the following files: main.c, syscalls.c, syscallsstubs.std.x64.asm. +1. Locate the "chimera\_automation" folder containing the necessary Images. +2. Open the folder and identify the following Images: main.c, syscalls.c, syscallsstubs.std.x64.asm. 3. In Visual Studio, right-click on the project in the "Solution Explorer" panel and select "Add" -> "Existing Item." 4. Browse to the location of each file (main.c, syscalls.c, syscallsstubs.std.x64.asm) and select them one by one. Click "Add" to import them into the project. -5. Create a folder named "header\_files" within the project directory if it doesn't exist already. -6. Locate the "syscalls.h" header file in the "header\_files" folder of the "chimera\_automation" directory. -7. Right-click on the "header\_files" folder in Visual Studio's "Solution Explorer" panel and select "Add" -> "Existing Item." +5. Create a folder named "header\_Images" within the project directory if it doesn't exist already. +6. Locate the "syscalls.h" header file in the "header\_Images" folder of the "chimera\_automation" directory. +7. Right-click on the "header\_Images" folder in Visual Studio's "Solution Explorer" panel and select "Add" -> "Existing Item." 8. Browse to the location of "syscalls.h" and select it. Click "Add" to import it into the project. @@ -124,7 +120,7 @@ Step 4: Enable MASM 2. Click "OK" to close the build customization dialog. -![](Files/image%203.png) +![](Images/image%203.png) Step 5:  
@@ -134,13 +130,13 @@ Step 5:  4. Item type → Microsoft Macro Assembler -![](Files/image%204.png) +![](Images/image%204.png) ### Final Project Setup -![](Files/image%205.png) +![](Images/image%205.png) ## Compiler Optimizations  @@ -152,14 +148,14 @@ Step 1: Change optimization  1. In Visual Studio choose Project → properties  2. C/C++ Optimization and change to the following -![](Files/image%206.png) +![](Images/image%206.png) Step 2: Remove Debug Information's 1. In Visual Studio choose Project → properties  2. Linker → Debugging → Generate Debug Info → No -![](Files/image%207.png) +![](Images/image%207.png) ## Liability Disclaimer:
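Review bot: in hunk `@@ -2,19 +2,18 @@` the `Files` → `Images` rename was applied as a blanket text replacement and has corrupted the prose: `create template Images that can be imported into Visual Studio` and `creates template Images which can then be imported` should still read `template files`, since the generated main.c, syscalls.c and .asm stub are source files, not images; only the link `![](Images/Chimera.png)` should change. The diffstat lists only README.md, so the new `Images/` paths must already exist in the repository or every image link in the file breaks. While these paragraphs are being rewritten, the two added paragraphs say the same thing (XOR-encrypt the shellcode with a random key, emit templates for Visual Studio); keep one, and fix `Chimera was created a tool that include` / `These tool` to `Chimera was created, a tool that includes` / `This tool`.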
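Review bot: in hunk `@@ -41,14 +40,11 @@` the lines `For Microsoft OneDrive the script uses version DLL ... onedriveupdater.exe`, the `### Chimera Usage.` heading and the `* * *` rule appear on the removal side with nothing replacing them, while the command `python3 ./chimera.py met.bin chimera_automation notepad.exe teams` is kept. That leaves the usage line with no heading and no explanation of what each positional argument means, and if the OneDrive note is intentionally dropped, `teams` becomes the only documented application profile. Either restore the removed lines or document the accepted arguments next to the command.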
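Review bot: in hunk `@@ -90,23 +86,23 @@` the `header\_files` → `header\_Images` rename in steps 5–7 points readers at a folder that does not exist: the diffstat shows only README.md changed, so the generated `chimera\_automation` directory still contains `header_files/syscalls.h` as the removed lines describe, and `Step 2: Importing Images into the Visual Studio Project` now describes importing `main.c`, `syscalls.c` and `syscallsstubs.std.x64.asm` as images. Revert the wording to `files` / `header\_files` in this hunk and change only the two `![](Images/...)` links; step 4, which still says `each file`, confirms the replacement was unintended.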
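Review bot: in hunk `@@ -152,14 +148,14 @@` the image path changes are consistent with the rest of the patch; while this step is being touched, the context heading `Step 2: Remove Debug Information's` should read `Step 2: Remove Debug Information`.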