Gabriel Ryan edited this page Aug 23, 2020 · 2 revisions

Overview

Input Modules

Input modules are responsible for either generating or processing input that must be passed into the rendered payload.

There are currently two types of input modules:

  • EKeys (Encryption Keys) - These modules are used to derive payload encryption keys
  • Crypters - These modules are used to encrypt the payload's shellcode using key data provided by the EKey modules

All Input Modules must have at least one corresponding output module, as they perform some action that must either be repeated (e.g. key derivation) or reversed (e.g. encryption) by the payload on the target system.

Output Modules

Output modules are used for rendering individual components of the generated payload. Some output modules are designed to be used with a corresponding input module. Examples of these include:

  • DKeys - Used to render a key derivation function. Must be used with a compatible EKey input module.
  • Decrypters - Used to decrypt ciphertext into plaintext data. Must be used with a compatible Crypter input module.

Others are standalone modules that do not need an input module to function properly. Some examples of standalone output modules are:

  • Executors - render the function that executes raw shellcode
  • PreModules / PostModules - execute some action before or after main payload execution

All output modules have the following attributes, which are made accessible to the Interface:

  • List of symbol names to be mutated
  • List of imports
  • The path to the component's Jinja template
  • Data Transfer Container (DTC)

The list of symbol names is passed to the Interface, which mutates them using whatever Mutator module has been selected by the user. The Interface then provides the Output Module with any external data it may require by placing it in the DTC. If the Output Module relies on symbol names from other modules, these are passed through the Output Module's DTC as well. Finally, the Interface renders the Output Module, at which point the mutated symbols and DTC data are incorporated into the Output Module's Jinja template.

Mutators

Mutators are used to transform symbols such as variable names into an obfuscated form. They are the simplest category of DropEngine module: all they do is accept a symbol as input and map it to something else.

Interfaces

Interface modules are used to orchestrate the payload creation process and facilitate data transfer between individual payload components. Interfaces typically implement the following workflow:

  1. Mutate symbols - the Interface systematically mutates the symbols of all Output Modules using the selected Mutator module
  2. Merge Imports - the Interface consolidates all Output Module dependencies into a single list, eliminating any duplicates
  3. Run Input Modules - the Interface runs all Input Modules. The results of all EKey modules are combined into a single encryption key. The selected Crypter module is used to convert the shellcode into ciphertext.
  4. Transfer data to Output Modules - The Interface facilitates the transfer of any data that needs to be sent between output / input modules.
  5. Payload rendering - all output modules are rendered and combined into a single payload

The exact steps involved with this process may differ depending on the target programming language or environment.
