So you decided to go the C way for your implementation.
Install the packages needed for compiling and running the packer.py script:
apt install -y gcc-mingw-w64 nasm python3
The packer.py code is meant to be used as the starting point for automating the process of
- Encrypting input payloads (Shellcode, C# Assemblies, PE files)
- Creating defines.h, which holds the parameters that decide whether certain code snippets are included in our loader or not
- Compiling the loader, so that we have our final packed PE
All the sub-folders contain potential features.
Syscall sorting is already implemented for you for indirect syscall execution. Therefore you don't need to take care of potential userland hooks, as those are bypassed via indirect syscalls. Some functions here still use regular Win32 API calls, so you might want to change that ;)
There are `// TODO for you: [...]` blocks scattered all over the code snippets. These give you some hints on what you can implement. Alternatively, the items below can be a starting point:
- ✌️ easy ✌️ : Check out pack.py to familiarize yourself with the code and fill in the todos
- ✌️ easy ✌️ : To lower entropy, and additionally evade some sandboxes, implement storing the payload in a separate file
- ✌️ easy ✌️ : Automate the building of Sideloading DLLs using Third Party tools such as Koppeling
- 👊 intermediate 👊 : If you prefer to inject payloads, integrate ThreadlessInject/Poolparty
- ✌️ easy ✌️ : Alternative Sandbox Evasion / AntiDebug techniques
- ✌️ easy ✌️ : Adjust helpers.h to use API Hashing and Salting
- 👊 intermediate 👊 : Use Hardware Breakpoints for AMSI/ETW evasion instead of simple patches
- ✌️ easy ✌️ : Add Module Stomping
- ✌️ easy ✌️ : Add an option for creating a service binary for lateral movement execution
- ✌️ easy ✌️ : Environmental keying on a target domain/hostname
- 😠 hard 😠 : Adjust .NET execution to add reading output and passing arguments
PE Injection is an adjusted version of: