MCPcopy Index your code
hub / github.com/ByteJunkies-co-uk/Metsubushi

github.com/ByteJunkies-co-uk/Metsubushi @main

Chat with this repo
repository ↗ · DeepWiki ↗ · + Follow
42 symbols 113 edges 12 files 14 documented · 33%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Metsubushi

Sight-taker/closer of eyes

Introduction

This tool started out as a simple Python script. After discovering Python just couldn't cut it for my intended use I decided to learn and move to Golang. So far I'm quite happy with that decision.

This was borne from me having completed Sektor7's Malware Essentials course. Metsubushi was supposed to be a simple way of automating the generation of droppers. I feel it's accomplished that with a few bells and whistles added as the project progressed.

We're using the Go-donut package by Binject. Credit to those guys - Dan Borges and Symbol Crash were both helpful while I have been developing this project. For anyone interested in this type of tooling it's worth checking the Binject github repo's, and taking a look at Dan's book: Adversarial Tradecraft in Cybersecurity.

You can obfuscate the generated implant binary with the Garble Golang obfuscator and spoof code signing with Limelighter. See requirements below.

In the v0.2a update I've added in the ability to build DLL binaries, however this feature does depend on having a compatible template file. Examples will be added eventually but for now you will need to create these yourselves. template.go can be used as somewhat of a skeleton for building your own templates to generate from; the important part is the decryption - beyond that you can fashion them however you wish.

Credits: - C-Sto's BananaPhone - I've butchered one of his examples for my basic template. - Binject's Go-Donut implementation - Does the heavy-lifting for PIC shellcode generation. - Optiv's Scarecrow project and Tylous' Limelighter project - Responsible for the code signing magic.

OPSEC NOTE: When using code signing avoid using microsoft domains as Defender has a habit of sniffing those out. Credit to @AffineSec for pointing it out.


Installation

Requirements for Metsubushi are: - Go compiler - Obviously?! https://golang.org/ - Garble - Go obfuscator. https://github.com/burrowers/garble - openssl - For Limlighter binary signing functions - osslsigncode - For Limelighter binary signing functions

To install Metsubushi just run:

go install github.com/Bytejunkies-co-uk/metsubushi@latest

Usage

The flags for metsubushi are as follows:

-p <file>       Payload. Pass it a Windows binary or file containing raw shellcode.
-t <file>       Template. Pass the name of the template file you wish to generate a dropper from.
-b <build>      Build type. 0 = EXE (default), 1 = DLL.
-o <file>       OutFile. The name you wish you give the generated dropper.
-a <arch>       Architecture. Either x86 or x64.
-d <args>       Donut. If present the payload will be put through Binject's Go-donut package.
-s <domain>     Sign implant using Limelighter library. Provide the domain to spoof cert from. Eg. www.microsoft.com
-g              Use Garble obfuscator to generate the implant binary.
-q              Quiet. Do not display ASCII art banner.

If you're using the Go-donut shellcode generator option (from Binject) you can customise the Donut configuration. The arguments are passed to Donut as a string which is then parsed into a configuration struct.

The Go-donut options are:

Module options
n=string        Module name. Generated at random if entropy is enabled.
u=url           URL. HTTP server that hosts the donut module.
e=num           Entropy. 1=disable, 2=use random names, 3=random names + symmetric encryption (default)

PIC/Shellcode options
a=string        Target Architecture: x32, x64, or x84
b=num           Bypass AMSI/WLDP : 1=skip, 2=abort on fail, 3=continue on fail.
y=address       Create a new thread for loader. Optionally execute original entrypoint of host process.
x=num           Exiting. 1=exit thread, 2=exit process

File options
c=string        Optional class name.  (required for .NET DLL)
d=string        AppDomain name to create for .NET.  Randomly generated by default with entropy enabled.
m=string        Optional method or API name for DLL. (a method is required for .NET DLL)
p=string        Optional parameters/command line inside quotations for DLL method/function or EXE.
w=true|false    Command line is passed to unmanaged DLL function in UNICODE format. (default is false)
r=string        CLR runtime version. This will override the auto-detected version.
t=true|false    Create new thread for entrypoint of unmanaged EXE. (default is false)
z=num           Pack/Compress file. 1=disable, 2=LZNT1, 3=Xpress, 4=Xpress Huffman

Example:

-d "a=x84,b=3,x=1"

This would set Arch to x84, Bypass to setting 3, and ExitOpt to exit thread.

NOTE: it is a good idea to inspect all generated implants with Redress and test the binary in a lab environment

Core symbols most depended-on inside this repo

generateHexVar
called by 2
main.go
banner
called by 1
main.go
padShellcode
called by 1
main.go
encryptShellcode
called by 1
main.go
convertArgsToConfig
called by 1
main.go
generateDonutShellcode
called by 1
main.go
compile
called by 1
main.go
signBinary
called by 1
main.go

Shape

Function 42

Languages

Go100%

Modules by API surface

main.go9 symbols
templates/template.go3 symbols
generated/test2/main.go3 symbols
generated/emp_csharp/main.go3 symbols
generated/emp-cs-plain/main.go3 symbols
generated/emp-cs-l/main.go3 symbols
generated/emp-cs-gl2/main.go3 symbols
generated/emp-cs-gl/main.go3 symbols
generated/emp-cs-g/main.go3 symbols
generated/emp-cs-d/main.go3 symbols
generated/emp-cs-baw2/main.go3 symbols
generated/emp-cs-baw/main.go3 symbols

For agents

$ claude mcp add Metsubushi \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact