tag:blogger.com,1999:blog-83172222311336605472024-03-19T02:21:46.575-03:00KitPloit - PenTest & Hacking ToolsKitPloit - leading source of Security Tools, Hacking Tools, CyberSecurity and Network Security ☣Unknownnoreply@blogger.comBlogger165125tag:blogger.com,1999:blog-8317222231133660547.post-70298883610182780762023-12-04T08:30:00.001-03:002023-12-04T08:30:00.232-03:00C2-Search-Netlas - Search For C2 Servers Based On Netlas<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj79yBttqVs7-VHYUGD6k2LwFhuaDvLl-qILPx9Zg_Znlo5Lql9tcdkyUVxF7dNyi5SolViKOH4YSawQhGq9RhIhsM0uLPQ1XzJZBq25Yrkhkjlaiuw51gh8olC_xD_keN6Eupfv6biId6CgTvsN2lfmxjfyOQ30zUFxPpWVYCupys3jWkxZkD4BlRHgxBR/s949/C2-Search-Netlas.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="275" data-original-width="949" height="186" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj79yBttqVs7-VHYUGD6k2LwFhuaDvLl-qILPx9Zg_Znlo5Lql9tcdkyUVxF7dNyi5SolViKOH4YSawQhGq9RhIhsM0uLPQ1XzJZBq25Yrkhkjlaiuw51gh8olC_xD_keN6Eupfv6biId6CgTvsN2lfmxjfyOQ30zUFxPpWVYCupys3jWkxZkD4BlRHgxBR/w640-h186/C2-Search-Netlas.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div> <p dir="auto">C2 Search Netlas is a Java utility designed to detect Command and Control (C2) servers using the Netlas API. 
It provides a straightforward and user-friendly CLI interface for searching C2 servers, leveraging the Netlas API to gather data and process it locally.</p><span><a name='more'></a></span><p dir="auto"><br /></p> <p dir="auto"><a href="https://asciinema.org/a/Q0g0ego8SK97elJvTHN5IXLzs" rel="nofollow" target="_blank" title="Search for c2 servers based on netlas (9)"><img alt="Search for c2 servers based on netlas (8)" data-canonical-src="https://asciinema.org/a/Q0g0ego8SK97elJvTHN5IXLzs.svg" src="https://camo.githubusercontent.com/d540a759250a5b8cd5b630da0cb8d74a202632c93962f41118b03353a0c5af6d/68747470733a2f2f61736369696e656d612e6f72672f612f5130673065676f38534b3937656c4a7654484e3549584c7a732e737667" style="max-width: 100%;" /></a></p> <h2 dir="auto" tabindex="-1">Usage</h2> <p dir="auto">To utilize this terminal utility, you'll need a Netlas API key. Obtain your <a href="https://www.kitploit.com/search/label/Key" target="_blank" title="key">key</a> from the <a href="https://netlas.io" rel="nofollow" target="_blank" title="Netlas">Netlas</a> website.</p> <p dir="auto">After acquiring your API key, execute the following command to search servers:</p> <div><pre><code>c2detect -t <TARGET_DOMAIN> -p <TARGET_PORT> -s <API_KEY> [-v]</code></pre></div> <p dir="auto">Replace <code><TARGET_DOMAIN></code> with the desired IP address or domain, <code><TARGET_PORT></code> with the port you wish to scan, and <code><API_KEY></code> with your Netlas API key. Use the optional <code>-v</code> flag for verbose output. 
For example, to search at the <code>google.com</code> IP address on port <code>443</code> using the Netlas API key <code>1234567890abcdef</code>, enter:</p> <div><pre><code>c2detect -t google.com -p 443 -s 1234567890abcdef</code></pre></div> <h2 dir="auto" tabindex="-1">Release</h2> <p dir="auto">To download a release of the utility, follow these steps:</p> <ul dir="auto"> <li>Visit the repository's releases page on GitHub.</li> <li>Download the latest release file (typically a <a href="https://www.kitploit.com/search/label/JAR" target="_blank" title="JAR">JAR</a> file) to your local machine.</li> <li>In a terminal, navigate to the <a href="https://www.kitploit.com/search/label/Directory" target="_blank" title="directory">directory</a> containing the JAR file.</li> <li>Execute the following command to initiate the utility:</li> </ul> <div><pre><code>java -jar c2-search-netlas-<version>.jar -t <ip-or-domain> -p <port> -s <your-netlas-api-key></code></pre></div> <h2 dir="auto" tabindex="-1">Docker</h2> <p dir="auto">To build and start the Docker <a href="https://www.kitploit.com/search/label/Container" target="_blank" title="container">container</a> for this project, run the following commands:</p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="docker build -t c2detect . docker run -it --rm \ c2detect \ -s "your_api_key" \ -t "your_target_domain" \ -p "your_target_port" \ -v" dir="auto"><pre><code>docker build -t c2detect .<br />docker run -it --rm \<br /> c2detect \<br /> -s "your_api_key" \<br /> -t "your_target_domain" \<br /> -p "your_target_port" \<br /> -v</code></pre></div> <h2 dir="auto" tabindex="-1">Source</h2> <p dir="auto">To use this utility, you need to have a Netlas API key. You can get the key from the Netlas website. 
Now you can build the project and run it using the following commands:</p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="./gradlew build java -jar app/build/libs/c2-search-netlas-1.0-SNAPSHOT.jar --help" dir="auto"><pre><code>./gradlew build<br />java -jar app/build/libs/c2-search-netlas-1.0-SNAPSHOT.jar --help</code></pre></div> <p dir="auto">This will display the help message with available options. To search for C2 servers, run the following command:</p> <div><pre><code>java -jar app/build/libs/c2-search-netlas-1.0-SNAPSHOT.jar -t <ip-or-domain> -p <port> -s <your-netlas-api-key></code></pre></div> <p dir="auto">This will display a list of C2 servers found in the given IP address or domain.</p> <h2 dir="auto" tabindex="-1">Support</h2> <table> <tbody><tr> <th>Name</th> <th>Support</th> </tr> <tr> <td>Metasploit</td> <td>✅</td> </tr> <tr> <td>Havoc</td> <td>❓</td> </tr> <tr> <td>Cobalt Strike</td> <td>✅</td> </tr> <tr> <td>Bruteratel</td> <td>✅</td> </tr> <tr> <td>Sliver</td> <td>✅</td> </tr> <tr> <td>DeimosC2</td> <td>✅</td> </tr> <tr> <td>PhoenixC2</td> <td>✅</td> </tr> <tr> <td>Empire</td> <td>❌</td> </tr> <tr> <td>Merlin</td> <td>✅</td> </tr> <tr> <td>Covenant</td> <td>❌</td> </tr> <tr> <td>Villain</td> <td>✅</td> </tr> <tr> <td>Shad0w</td> <td>❌</td> </tr> <tr> <td>PoshC2</td> <td>✅</td> </tr> </tbody></table> <p dir="auto">Legend:</p> <ul dir="auto"> <li>✅ - Accept/good support</li> <li>❓ - Support unknown/unclear</li> <li>❌ - No support/poor support</li> </ul> <h2 dir="auto" tabindex="-1">Contributing</h2> <p dir="auto">If you'd like to contribute to this project, please feel free to create a pull request.</p> <h2 dir="auto" tabindex="-1">License</h2> <p dir="auto">This project is licensed under the License - see the <a href="https://github.com/michael2to3/c2-search-netlas/blob/main/LICENSE" rel="nofollow" target="_blank" title="LICENSE">LICENSE</a> file for details.</p> <br 
/><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/michael2to3/c2-search-netlas" rel="nofollow" target="_blank" title="Download C2-Search-Netlas">Download C2-Search-Netlas</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-17704117886219203702023-08-15T08:30:00.013-04:002023-08-15T08:30:00.149-04:00Trawler - PowerShell Script To Help Incident Responders Discover Adversary Persistence Mechanisms<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiY9kq-VlmQ2IPwPbzUkWZkGRpKdmY0KHmM-OqvdIxCG5crNfC_iXNOeHyun8_ZtH2NaDqCfSd5kXcvUquqVBo88fJrRimXs3Jzj4KtynCFeV1x0RoApBDhAXFlpnt7HlS4muwO0R63pfdwuB62qCkarMamWPqJHR2Kj3lYSAGc8zL0Scs3dzhXnGT-nqSv/s2000/Trawler_1_logo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1668" data-original-width="2000" height="334" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiY9kq-VlmQ2IPwPbzUkWZkGRpKdmY0KHmM-OqvdIxCG5crNfC_iXNOeHyun8_ZtH2NaDqCfSd5kXcvUquqVBo88fJrRimXs3Jzj4KtynCFeV1x0RoApBDhAXFlpnt7HlS4muwO0R63pfdwuB62qCkarMamWPqJHR2Kj3lYSAGc8zL0Scs3dzhXnGT-nqSv/w400-h334/Trawler_1_logo.png" width="400" /></a></div><p align="center" dir="auto"><br /></p>
<h1 align="center" dir="auto" tabindex="-1">
Dredging Windows for Persistence
</h1>
<h2 dir="auto" tabindex="-1">What is it?</h2>
<p dir="auto">Trawler is a PowerShell script designed to help Incident Responders discover potential <a href="https://www.kitploit.com/search/label/Indicators%20of%20Compromise" target="_blank" title="indicators of compromise">indicators of compromise</a> on Windows hosts, primarily focused on persistence mechanisms including Scheduled Tasks, Services, Registry Modifications, Startup Items, Binary Modifications and more.</p>
<p dir="auto">Currently, trawler can detect most of the persistence techniques specifically called out by MITRE and Atomic Red Team with more detections being added on a regular basis.</p>
<h2 dir="auto" tabindex="-1">Main Features</h2>
<ul dir="auto">
<li>Scanning Windows OS for a variety of persistence techniques (Listed below)</li>
<li>CSV Output with MITRE Technique and Investigation Jumpstart Metadata</li>
<li>Analysis and Remediation Guidance Documentation (<a href="https://github.com/joeavanzato/Trawler/wiki/Analysis-and-Remediation-Guidance" rel="nofollow" target="_blank" title="https://github.com/joeavanzato/Trawler/wiki/Analysis-and-Remediation-Guidance">https://github.com/joeavanzato/Trawler/wiki/Analysis-and-Remediation-Guidance</a>)</li>
<li>Dynamic Risk Assignment for each detection</li>
<li>Built-in Allow Lists for common Windows configurations spanning Windows 10/Server 2012|2016|2019|2022 to reduce noise</li>
<li>Capture persistence metadata from 'golden' enterprise image for use as a dynamic allow-list at runtime</li>
<li>Analyze mounted disk images via drive re-targeting</li>
</ul>
<h2 dir="auto" tabindex="-1">How do I use it?</h2>
<p dir="auto">Just download and run trawler.ps1 from an Administrative PowerShell/cmd prompt - any detections will be displayed in the console as well as written to a CSV ('detections.csv') in the current working directory. The generated CSV will contain Detection Name, Source, Risk, Metadata and the relevant MITRE Technique.</p>
<p dir="auto">Or use this one-liner from an Administrative PowerShell terminal:</p>
<div><pre><code>iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/joeavanzato/Trawler/main/trawler.ps1'))<br /></code></pre></div>
<p dir="auto">Certain detections have allow-lists built-in to help remove noise from default Windows configurations (10/2016/2019/2022) - expected Scheduled Tasks, Services, etc. Of course, it is always possible for attackers to hijack these directly and masquerade with great detail as a default OS process - take care to use multiple forms of analysis and detection when dealing with skillful adversaries.</p>
<p dir="auto">If you have examples or ideas for additional detections, please feel free to submit an Issue or PR with relevant technical details/references - the code-base is a little messy right now and will be cleaned up over time.</p>
<p dir="auto">Additionally, if you identify obvious false positives, please let me know by opening an issue or PR on GitHub! The obvious culprits for this will be non-standard COMs, Services or Tasks.</p>
<h3 dir="auto" tabindex="-1">CLI Parameters</h3>
<div><pre><code>-scanoptions : Tab-through possible detections and select a sub-set using comma-delimited terms (eg. .\trawler.ps1 -scanoptions Services,Processes)<br />-hide : Suppress Detection output to console<br />-snapshot : Capture a "persistence snapshot" of the current system, defaulting to "$PSScriptRoot\snapshot.csv"<br />-snapshotpath : Define a custom file-path for saving snapshot output to.<br />-outpath : Define a custom file-path for saving detection output to (defaults to "$PSScriptRoot\detections.csv")<br />-loadsnapshot : Define the path for an existing snapshot file to load as an allow-list reference<br />-drivetarget : Define the variable for a mounted target drive (eg. .\trawler.ps1 -drivetarget "D:") - using this alone leads to an 'assumed homedrive' variable of C: for analysis purposes<br /></code></pre></div>
<h2 dir="auto" tabindex="-1">What separates this from PersistenceSniper?</h2>
<p dir="auto">PersistenceSniper is an awesome tool - I've used it heavily in the past - but there are a few key points that differentiate these utilities:</p>
<ul dir="auto">
<li>trawler is (currently) a local utility - it would be pretty straight-forward to wrap it in a loop and use WinRM/PowerShell Sessions to execute it on remote hosts though</li>
<li>trawler implements allow-listing for many 'noisy' detections to help remove expected detections from default configurations of Windows (10/2016/2019/2022) and these are constantly being updated
<ul dir="auto">
<li>PersistenceSniper (for the most part) does not contain any type of allow-listing - therefore, there is more noise generated when considering items such as Services, Scheduled Tasks, general COM DLL scanning, etc.</li>
</ul>
</li>
<li>trawler's output is much more simplified - Name, Risk, Source, MITRE Technique and Metadata are the only items provided for each detection to help analysts jump-start their persistence hunting efforts</li>
<li>Regex is used in many checks to help detect 'suspicious' keywords or patterns in various critical areas including scanned file contents, registry values, etc.</li>
<li>trawler supports 'snapshotting' a system (for example, an enterprise golden image) then using the generated snapshot as an allow-list to reduce noise.</li>
<li>trawler supports 'drive-retargeting' to check dead-boxes mounted to an analysis machine.</li>
</ul>
<p dir="auto">Overall, these tools are extremely similar but approach the problem from slightly different angles - <a href="https://www.kitploit.com/search/label/PersistenceSniper" target="_blank" title="PersistenceSniper">PersistenceSniper</a> provides all information back to the analyst for review while Trawler tries to limit what is returned to only results that are likely to be potential adversary persistence mechanisms. As such, there is a possibility for false-negatives with trawler if an adversary completely mimics an allow-listed item.</p>
<h2 dir="auto" tabindex="-1">Tuning to your environment</h2>
<p dir="auto">Trawler supports loading an allow-list from a 'snapshot' - doing so takes two steps.</p>
<ol dir="auto">
<li>Run '.\trawler.ps1 -snapshot' on a "Golden Image" representing the servers in your environment - once complete, in addition to the standard 'detections.csv' a file named 'snapshot.csv' will be generated</li>
<li>This file can then be used as input to trawler when running on other hosts and the data will be loaded dynamically as an allow-list for each appropriate detection
<ol dir="auto">
<li>.\trawler.ps1 -loadsnapshot "path\to\snapshot.csv"</li>
</ol>
</li>
</ol>
<p dir="auto">That's it - all relevant detections will then draw from the snapshot file as an allow-list to reduce noise and identify any potential changes to the base image that may have occurred.</p>
<p dir="auto">(Allow-listing is implemented for most of the checks but not all - still being actively implemented)</p>
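<p dir="auto">As an added illustration of the snapshot-and-compare workflow described above (example code written for this page, not Trawler's own implementation), the script below collects a few of the persistence locations Trawler checks, writes them to a baseline CSV in snapshot mode, and in compare mode reports only the entries that are absent from that baseline. The collected sources, the CSV layout and the <code>-Mode</code>/<code>-SnapshotPath</code> parameters are assumptions of this example and do not match Trawler's own <code>-snapshot</code>/<code>-loadsnapshot</code> files.</p>

```powershell
# Added example (not Trawler's own code): a minimal persistence snapshot and
# allow-list comparison in the style the section describes. The CSV layout
# (Source,Name,Value) and the parameter names are this example's own.
[CmdletBinding()]
param(
    [ValidateSet('Snapshot', 'Compare')]
    [string]$Mode = 'Snapshot',
    [string]$SnapshotPath = (Join-Path (Get-Location) 'persistence-baseline.csv')
)

function Get-PersistenceItems {
    # Collects a few of the persistence locations Trawler checks; each item is
    # reduced to a (Source, Name, Value) triple so it can be compared across hosts.
    $items = New-Object System.Collections.Generic.List[object]

    # Scheduled task actions: executable plus arguments
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            if ($action.Execute) {
                $items.Add([pscustomobject]@{
                    Source = 'ScheduledTask'
                    Name   = "$($task.TaskPath)$($task.TaskName)"
                    Value  = ("$($action.Execute) $($action.Arguments)").Trim()
                })
            }
        }
    }

    # Services: image path as registered with the Service Control Manager
    foreach ($svc in Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue) {
        $items.Add([pscustomobject]@{
            Source = 'Service'
            Name   = $svc.Name
            Value  = [string]$svc.PathName
        })
    }

    # Run / RunOnce keys for the machine and the current user
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata (PSPath, PSParentPath, ...) that
            # Get-ItemProperty attaches to every result.
            if ($p.Name -like 'PS*') { continue }
            $items.Add([pscustomobject]@{
                Source = 'RunKey'
                Name   = "$key\$($p.Name)"
                Value  = [string]$p.Value
            })
        }
    }
    return $items
}

function Get-ItemKey($item) {
    # Name and value together identify an entry: a changed command line on a
    # known task or service therefore shows up as new, not as allow-listed.
    return "$($item.Source)|$($item.Name)|$($item.Value)".ToLowerInvariant()
}

$current = Get-PersistenceItems

if ($Mode -eq 'Snapshot') {
    $current | Export-Csv -Path $SnapshotPath -NoTypeInformation -Encoding UTF8
    Write-Host "Wrote $($current.Count) baseline entries to $SnapshotPath"
}
else {
    $allow = @{}
    foreach ($row in Import-Csv -Path $SnapshotPath) { $allow[(Get-ItemKey $row)] = $true }
    $new = @($current | Where-Object { -not $allow.ContainsKey((Get-ItemKey $_)) })
    $new | Format-Table -AutoSize Source, Name, Value
    Write-Host "$($new.Count) entries not present in the baseline"
}
```

<p dir="auto">Run it once with <code>-Mode Snapshot</code> on the golden image and with <code>-Mode Compare</code> on the other hosts. Because the comparison key includes the command line, an adversary who reuses a known task or service name but changes its action still surfaces; an entry that reproduces name and value exactly does not, which is the false-negative case the text notes for allow-listing.</p>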
<h2 dir="auto" tabindex="-1">Drive ReTargeting</h2>
<p dir="auto">Often during an investigation, analysts may end up mounting a new drive that represents an imaged Windows device - Trawler now partially supports scanning these mounted drives through the use of the '-drivetarget' parameter.</p>
<p dir="auto">At runtime, Trawler will re-target temporary script-level variables for use in checking file-based artifacts and also will attempt to load relevant Registry Hives (HKLM\SOFTWARE, HKLM\SYSTEM, NTUSER.DATs, USRCLASS.DATs) underneath HKLM/HKU and prefixed by 'ANALYSIS_'. Trawler will also attempt to unload these temporarily loaded hives upon script completion.</p>
<p dir="auto">As an example, if you have an image mounted at a location such as 'F:\Test' which contains the NTFS file system ('F:\Test\Windows', 'F:\Test\User', etc.), you can invoke trawler like below:</p>
<div><pre><code>.\trawler.ps1 -drivetarget "F:\Test"</code></pre></div>
<p dir="auto">Please note that since trawler attempts to load the registry hive files from the drive in question, mapping a UNC path to a live remote device will NOT work, as those files will not be accessible due to system locks. I am working on an approach that will handle live remote devices; stay tuned.</p>
<h3 dir="auto" tabindex="-1">What is not inspected when drive retargeting?</h3>
<ul dir="auto">
<li>Running Processes</li>
<li>Network Connections</li>
<li>'Phantom' DLLs</li>
<li>WMI Consumers (Being worked on)</li>
<li>BITS Jobs (Being worked on)</li>
<li>Certificate Parsing (Being worked on)</li>
</ul>
<p dir="auto">Most other checks will function fine because they are based entirely on reading registry hives or file-based artifacts (or can be converted to do so, such as directly reading Task XML instead of using the built-in cmdlets).</p>
<p dir="auto">Any limitations in checks when doing drive-retargeting will be discussed more fully in the GitHub Wiki.</p>
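<p dir="auto">As an added example (not Trawler's own code) of what drive re-targeting involves, the script below loads the SOFTWARE and SYSTEM hives from a mounted image under an <code>ANALYSIS_</code> prefix, reads Run entries and service image paths from those offline hives, parses the scheduled-task XML files directly from the image instead of querying the live Task Scheduler, and unloads the hives when finished. The mount point <code>F:\Test</code> follows the example above; the function names, the <code>-MountRoot</code> parameter and the output layout are this example's own.</p>

```powershell
# Added example (not Trawler's own code): offline inspection of a mounted
# Windows image, using the same idea as Trawler's drive re-targeting. The
# mount point and the ANALYSIS_ prefix are assumptions for illustration.
[CmdletBinding()]
param([string]$MountRoot = 'F:\Test')

$hives = @{
    'ANALYSIS_SOFTWARE' = Join-Path $MountRoot 'Windows\System32\config\SOFTWARE'
    'ANALYSIS_SYSTEM'   = Join-Path $MountRoot 'Windows\System32\config\SYSTEM'
}

function Mount-OfflineHive([string]$Name, [string]$File) {
    # reg.exe load attaches the hive file as a new key under HKLM; this needs an
    # elevated prompt and fails with a lock error on a live system's hives.
    & reg.exe load "HKLM\$Name" $File | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not load $File as HKLM\$Name" }
}

function Dismount-OfflineHive([string]$Name) {
    # Provider handles to the key must be released before unloading succeeds.
    [GC]::Collect()
    [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$Name" | Out-Null
}

function Get-OfflineRunEntries {
    $key = 'HKLM:\ANALYSIS_SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { return }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
        [pscustomobject]@{ Source = 'RunKey'; Name = $p.Name; Value = [string]$p.Value }
    }
}

function Get-OfflineServiceImagePaths {
    # An offline SYSTEM hive has no CurrentControlSet link, so resolve the
    # active control set from the Select key first.
    $current = (Get-ItemProperty 'HKLM:\ANALYSIS_SYSTEM\Select' -ErrorAction Stop).Current
    $base = 'HKLM:\ANALYSIS_SYSTEM\ControlSet{0:D3}\Services' -f $current
    foreach ($svc in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $image = (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ($image) {
            [pscustomobject]@{ Source = 'Service'; Name = $svc.PSChildName; Value = [string]$image }
        }
    }
}

function Get-OfflineTaskActions {
    # Reads each task definition XML from the image; Get-ScheduledTask only
    # talks to the live Task Scheduler service and cannot see a dead box.
    $taskDir = Join-Path $MountRoot 'Windows\System32\Tasks'
    foreach ($file in Get-ChildItem -Path $taskDir -Recurse -File -ErrorAction SilentlyContinue) {
        try { [xml]$xml = Get-Content -Path $file.FullName -Raw -ErrorAction Stop } catch { continue }
        foreach ($exec in @($xml.Task.Actions.Exec)) {
            if ($exec -and $exec.Command) {
                [pscustomobject]@{
                    Source = 'ScheduledTask'
                    Name   = $file.FullName.Substring($taskDir.Length)
                    Value  = ("$($exec.Command) $($exec.Arguments)").Trim()
                }
            }
        }
    }
}

$loaded = @()
try {
    foreach ($name in $hives.Keys) {
        Mount-OfflineHive -Name $name -File $hives[$name]
        $loaded += $name
    }
    $results = @(Get-OfflineRunEntries) + @(Get-OfflineServiceImagePaths) + @(Get-OfflineTaskActions)
    $results | Format-Table -AutoSize Source, Name, Value
}
finally {
    # Always unload, mirroring Trawler's cleanup on script completion.
    foreach ($name in $loaded) { Dismount-OfflineHive -Name $name }
}
```

<p dir="auto">It has to run from an elevated prompt, and <code>reg.exe unload</code> refuses while any PowerShell provider handle to the loaded key is still open, which is why the cleanup forces a garbage collection first. As the text notes, pointing <code>-MountRoot</code> at a UNC path to a live remote system does not work because that system's hive files are locked.</p>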
<h2 dir="auto" tabindex="-1">Example Images</h2>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiP02RuSFcrJo4DP9qTjU6lmx5pLNxho6hA6GRckjuljDcP6DFx57IzrF7laCn7x7U4jj2Y7p8Us18NN9QH2G23FsrBYr4Q2Is2bPckI7Tx3nAsdutpu5WnUbnHWJurR3r06CsphpCWBNljKrJqJsRx7nm0tVVA_pbWpz-8D0doCs6-7qAWcGXQiyQYzkx5/s1679/Trawler_2_sample.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="402" data-original-width="1679" height="154" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiP02RuSFcrJo4DP9qTjU6lmx5pLNxho6hA6GRckjuljDcP6DFx57IzrF7laCn7x7U4jj2Y7p8Us18NN9QH2G23FsrBYr4Q2Is2bPckI7Tx3nAsdutpu5WnUbnHWJurR3r06CsphpCWBNljKrJqJsRx7nm0tVVA_pbWpz-8D0doCs6-7qAWcGXQiyQYzkx5/w640-h154/Trawler_2_sample.png" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2msxdZAOo5ZZBZOgOl--fOKMnkCvOMVp1MpCOXaypAYhiZ05B6tUfKusjXWSLNeLGK8Le97KBs76h6WCAtIksR0zeXQj0Ck_8NDRb8YOjsC0oo15Z8NA-stWNsazL0gBaJ2PAOHac_-q63wDnQMljzao9HRXvaIlXQfUDadgv4GmBIfm8n8aMTTHeZsHs/s2286/Trawler_3_sample2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1200" data-original-width="2286" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2msxdZAOo5ZZBZOgOl--fOKMnkCvOMVp1MpCOXaypAYhiZ05B6tUfKusjXWSLNeLGK8Le97KBs76h6WCAtIksR0zeXQj0Ck_8NDRb8YOjsC0oo15Z8NA-stWNsazL0gBaJ2PAOHac_-q63wDnQMljzao9HRXvaIlXQfUDadgv4GmBIfm8n8aMTTHeZsHs/w640-h336/Trawler_3_sample2.png" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgn7tF32cJFQ_6yXlKRDVdIBlFbkt9vJ0IHg52OW-79qFEJ6dlHah_eVhmHFVpMjgr7ls2UuF5uUsd__4LNwMzbTlZxYWnpcYRSzwImlfIyEiqlIYEabXnUGuuypp8pwGWNZi3SfGTMrVu0NztqBD15Q9fy9YWt0Kyscnh65ucxBYY6JZH4wfULqljQHJC9/s1853/Trawler_4_sample3.png" imageanchor="1" 
style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="299" data-original-width="1853" height="104" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgn7tF32cJFQ_6yXlKRDVdIBlFbkt9vJ0IHg52OW-79qFEJ6dlHah_eVhmHFVpMjgr7ls2UuF5uUsd__4LNwMzbTlZxYWnpcYRSzwImlfIyEiqlIYEabXnUGuuypp8pwGWNZi3SfGTMrVu0NztqBD15Q9fy9YWt0Kyscnh65ucxBYY6JZH4wfULqljQHJC9/w640-h104/Trawler_4_sample3.png" width="640" /></a></div><p align="center" dir="auto"><span style="text-align: left;"> </span></p>
<h2 dir="auto" tabindex="-1">What is inspected?</h2>
<ul dir="auto">
<li>Scheduled Tasks</li>
<li>Users</li>
<li>Services</li>
<li>Running Processes</li>
<li>Network Connections</li>
<li>WMI Event Consumers (CommandLine/Script)</li>
<li>Startup Item Discovery</li>
<li>BITS Jobs Discovery</li>
<li>Windows Accessibility Feature Modifications</li>
<li>PowerShell Profile Existence</li>
<li>Office Addins from Trusted Locations</li>
<li>SilentProcessExit Monitoring</li>
<li>Winlogon Helper DLL Hijacking</li>
<li>Image File Execution Option Hijacking</li>
<li>RDP Shadowing</li>
<li>UAC Setting for Remote Sessions</li>
<li>Print Monitor DLLs</li>
<li>LSA Security and Authentication Package Hijacking</li>
<li>Time Provider DLLs</li>
<li>Print Processor DLLs</li>
<li>Boot/Logon Active Setup</li>
<li>User Initialization Logon Script Hijacking</li>
<li>ScreenSaver Executable Hijacking</li>
<li>Netsh DLLs</li>
<li>AppCert DLLs</li>
<li>AppInit DLLs</li>
<li>Application Shimming</li>
<li>COM Object Hijacking</li>
<li>LSA Notification Hijacking</li>
<li>'Office test' Usage</li>
<li>Office GlobalDotName Usage</li>
<li>Terminal Services DLL Hijacking</li>
<li>Autodial DLL Hijacking</li>
<li>Command AutoRun Processor Abuse</li>
<li>Outlook OTM Hijacking</li>
<li>Trust Provider Hijacking</li>
<li>LNK Target Scanning (Suspicious Terms, Multiple Extensions, Multiple EXEs)</li>
<li>'Phantom' Windows DLL Names loaded into running process (eg. un-signed WptsExtensions.dll)</li>
<li>Scanning Critical OS Directories for Unsigned EXEs/DLLs</li>
<li>Un-Quoted Service Path Hijacking</li>
<li>PATH Binary Hijacking</li>
<li>Common File Association Hijacks and Suspicious Keywords</li>
<li>Suspicious Certificate Hunting</li>
<li>GPO Script Discovery/Scanning</li>
<li>NLP Development Platform DLL Overrides</li>
<li>AeDebug/.NET/Script/Process/WER Debug Replacements</li>
<li>Explorer 'Load'</li>
<li>Windows Terminal startOnUserLogin Hijacks</li>
<li>App Path Mismatches</li>
<li>Service DLL/ImagePath Mismatches</li>
<li>GPO Extension DLLs</li>
<li>Potential COM Hijacks</li>
<li>Non-Standard LSA Extensions</li>
<li>DNSServerLevelPluginDll Presence</li>
<li>Explorer\MyComputer Utility Hijack</li>
<li>Terminal Services InitialProgram Check</li>
<li>RDP Startup Programs</li>
<li>Microsoft Telemetry Commands</li>
<li>Non-Standard AMSI Providers</li>
<li>Internet Settings LUI Error DLL</li>
<li>PeerDist\Extension DLL</li>
<li>ErrorHandler.CMD Checks</li>
<li>Built-In Diagnostics DLL</li>
<li>MiniDumpAuxiliary DLLs</li>
<li>KnownManagedDebugger DLLs</li>
<li>WOW64 Compatibility Layer DLLs</li>
<li>EventViewer MSC Hijack</li>
<li>Uninstall Strings Scan</li>
<li>PolicyManager DLLs</li>
<li>SEMgr Wallet DLL</li>
<li>WER Runtime Exception Handlers</li>
<li>HTML Help (.CHM)</li>
<li>Remote Access Tool Artifacts (Files, Directories, Registry Keys)</li>
<li>ContextMenuHandler DLL Checks</li>
<li>Office AI.exe Presence</li>
<li>Notepad++ Plugins</li>
<li>MSDTC Registry Hijacks</li>
<li>Narrator DLL Hijack (MSTTSLocEnUS.DLL)</li>
<li>Suspicious File Location Checks</li>
</ul>
<p dir="auto">TODO</p>
<ul dir="auto">
<li>Add Analysis/Remediation Guidance to each detection in the GitHub Wiki (In-Progress)</li>
<li>Browser <a href="https://www.kitploit.com/search/label/Extension%20Analysis" target="_blank" title="Extension Analysis">Extension Analysis</a> (?)</li>
<li>RID Hijacking [<a href="https://www.ired.team/offensive-security/persistence/rid-hijacking" rel="nofollow" target="_blank" title="https://www.ired.team/offensive-security/persistence/rid-hijacking">https://www.ired.team/offensive-security/persistence/rid-hijacking</a>, <a href="https://pentestlab.blog/2020/02/12/persistence-rid-hijacking/" rel="nofollow" target="_blank" title="https://pentestlab.blog/2020/02/12/persistence-rid-hijacking/">https://pentestlab.blog/2020/02/12/persistence-rid-hijacking/</a>]</li>
<li>PowerAutomate Checks</li>
<li>ShadowPad Indicators [<a href="https://www.secureworks.com/research/shadowpad-malware-analysis" rel="nofollow" target="_blank" title="https://www.secureworks.com/research/shadowpad-malware-analysis">https://www.secureworks.com/research/shadowpad-malware-analysis</a>, <a href="https://www.hexacorn.com/blog/2023/02/25/beyond-good-ol-run-key-part-141/" rel="nofollow" target="_blank" title="https://www.hexacorn.com/blog/2023/02/25/beyond-good-ol-run-key-part-141/">https://www.hexacorn.com/blog/2023/02/25/beyond-good-ol-run-key-part-141/</a>]</li>
<li>OBS Startup Script Scanning [<a href="https://www.hexacorn.com/blog/2023/04/14/beyond-good-ol-run-key-part-142/" rel="nofollow" target="_blank" title="https://www.hexacorn.com/blog/2023/04/14/beyond-good-ol-run-key-part-142/">https://www.hexacorn.com/blog/2023/04/14/beyond-good-ol-run-key-part-142/</a>]</li>
<li>SQL <a href="https://www.kitploit.com/search/label/Server%20Management" target="_blank" title="Server Management">Server Management</a> Addins [<a href="https://www.hexacorn.com/blog/2019/09/28/beyond-good-ol-run-key-part-117/" rel="nofollow" target="_blank" title="https://www.hexacorn.com/blog/2019/09/28/beyond-good-ol-run-key-part-117/">https://www.hexacorn.com/blog/2019/09/28/beyond-good-ol-run-key-part-117/</a>]</li>
<li>AutoPlay Handler Inspection [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers]</li>
<li>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Pending\SPReviewEnabler</li>
<li>OCSetup [<a href="https://www.hexacorn.com/blog/2019/11/09/beyond-good-ol-run-key-part-122/" rel="nofollow" target="_blank" title="https://www.hexacorn.com/blog/2019/11/09/beyond-good-ol-run-key-part-122/">https://www.hexacorn.com/blog/2019/11/09/beyond-good-ol-run-key-part-122/</a>]</li>
<li>Review <a href="https://hijacklibs.net/#" rel="nofollow" target="_blank" title="https://hijacklibs.net/#">https://hijacklibs.net/#</a> for additional opportunities</li>
<li>Review <a href="https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows" rel="nofollow" target="_blank" title="https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows">https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows</a> for additional opportunities</li>
<li>Review <a href="https://silentrunners.org/launchpoints.html" rel="nofollow" target="_blank" title="https://silentrunners.org/launchpoints.html">https://silentrunners.org/launchpoints.html</a> for additional opportunities</li>
</ul>
<h2 dir="auto" tabindex="-1">MITRE Techniques Evaluated</h2>
<p dir="auto">Please be aware that some of these are (of course) more detected than others - for example, we are not detecting all possible registry modifications but rather inspecting certain keys for obvious changes and using the generic MITRE technique "Modify Registry" where no other technique is applicable. For other items such as COM hijacking, we are inspecting all entries in the relevant registry section, checking against 'known-good' patterns and bubbling up unknown or mismatched values, resulting in a much more complete detection surface for that particular technique.</p>
<ul dir="auto">
<li>T1037: Boot or Logon Initialization Scripts</li>
<li>T1037.001: Boot or Logon Initialization Scripts: Logon Script (Windows)</li>
<li>T1037.005: Boot or Logon Initialization Scripts: Startup Items</li>
<li>T1055.001: Process Injection: Dynamic-link Library Injection</li>
<li>T1059: Command and Scripting Interpreter</li>
<li>T1071: Application Layer Protocol</li>
<li>T1098: Account Manipulation</li>
<li>T1112: Modify Registry</li>
<li>T1053: Scheduled Task/Job</li>
<li>T1136: Create Account</li>
<li>T1137.001: Office Application Startup: Office Template Macros</li>
<li>T1137.002: Office Application Startup: Office Test</li>
<li>T1137.006: Office Application Startup: Add-ins</li>
<li>T1197: BITS Jobs</li>
<li>T1505.005: Server Software Component: Terminal Services DLL</li>
<li>T1543.003: Create or Modify System Process: Windows Service</li>
<li>T1546: Event Triggered Execution</li>
<li>T1546.001: Event Triggered Execution: Change Default File Association</li>
<li>T1546.002: Event Triggered Execution: Screensaver</li>
<li>T1546.003: Event Triggered Execution: Windows Management <a href="https://www.kitploit.com/search/label/Instrumentation" target="_blank" title="Instrumentation">Instrumentation</a> Event Subscription</li>
<li>T1546.007: Event Triggered Execution: Netsh Helper DLL</li>
<li>T1546.008: Event Triggered Execution: Accessibility Features</li>
<li>T1546.009: Event Triggered Execution: AppCert DLLs</li>
<li>T1546.010: Event Triggered Execution: AppInit DLLs</li>
<li>T1546.011: Event Triggered Execution: Application Shimming</li>
<li>T1546.012: Event Triggered Execution: Image File Execution Options Injection</li>
<li>T1546.013: Event Triggered Execution: PowerShell Profile</li>
<li>T1546.015: Event Triggered Execution: Component Object Model Hijacking</li>
<li>T1547.002: Boot or Logon Autostart Execution: Authentication Packages</li>
<li>T1547.003: Boot or Logon Autostart Execution: Time Providers</li>
<li>T1547.004: Boot or Logon Autostart Execution: Winlogon Helper DLL</li>
<li>T1547.005: Boot or Logon Autostart Execution: Security Support Provider</li>
<li>T1547.009: Boot or Logon Autostart Execution: Shortcut Modification</li>
<li>T1547.012: Boot or Logon Autostart Execution: Print Processors</li>
<li>T1547.014: Boot or Logon Autostart Execution: Active Setup</li>
<li>T1553: Subvert Trust Controls</li>
<li>T1553.004: Subvert Trust Controls: Install Root Certificate</li>
<li>T1556.002: Modify Authentication Process: Password Filter DLL</li>
<li>T1574: Hijack Execution Flow</li>
<li>T1574.007: Hijack Execution Flow: Path Interception by PATH Environment Variable</li>
<li>T1574.009: Hijack Execution Flow: Path Interception by Unquoted Path</li>
</ul>
<h2 dir="auto" tabindex="-1">References</h2>
<p dir="auto">This tool would not exist without the amazing InfoSec community - the most notable references I used are provided below.</p>
<ul dir="auto">
<li><a href="https://github.com/last-byte/PersistenceSniper" rel="nofollow" target="_blank" title="PersistenceSniper">PersistenceSniper</a></li>
<li><a href="https://attack.mitre.org/tactics/TA0003/" rel="nofollow" target="_blank" title="MITRE ATT&CK">MITRE ATT&CK</a></li>
<li><a href="https://persistence-info.github.io/" rel="nofollow" target="_blank" title="Persistence Info GitHub">Persistence Info GitHub</a></li>
<li><a href="https://www.hexacorn.com/blog/2017/01/28/beyond-good-ol-run-key-all-parts/" rel="nofollow" target="_blank" title="Hexacorn - Persistence Series">Hexacorn - Persistence Series</a></li>
<li><a href="https://www.ired.team/" rel="nofollow" target="_blank" title="IRED">IRED</a></li>
<li><a href="https://github.com/swisskyrepo/PayloadsAllTheThings" rel="nofollow" target="_blank" title="PayloadsAllTheThings">PayloadsAllTheThings</a></li>
</ul>
<h2 dir="auto" tabindex="-1">More References</h2>
<ul dir="auto">
<li><a href="https://twitter.com/Laughing_Mantis/status/1645268114966470662" rel="nofollow" target="_blank" title="https://twitter.com/Laughing_Mantis/status/1645268114966470662">https://twitter.com/Laughing_Mantis/status/1645268114966470662</a></li>
<li><a href="https://shellz.club/posts/a-novel-method-for-bypass-ETW/" rel="nofollow" target="_blank" title="https://shellz.club/posts/a-novel-method-for-bypass-ETW/">https://shellz.club/posts/a-novel-method-for-bypass-ETW/</a></li>
<li><a href="https://pentestlab.blog/2023/03/20/persistence-service-control-manager/" rel="nofollow" target="_blank" title="https://pentestlab.blog/2023/03/20/persistence-service-control-manager/">https://pentestlab.blog/2023/03/20/persistence-service-control-manager/</a></li>
<li><a href="https://ristbs.github.io/2023/02/15/hijack-explorer-context-menu-for-persistence-and-fun.html" rel="nofollow" target="_blank" title="https://ristbs.github.io/2023/02/15/hijack-explorer-context-menu-for-persistence-and-fun.html">https://ristbs.github.io/2023/02/15/hijack-explorer-context-menu-for-persistence-and-fun.html</a></li>
<li><a href="https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/" rel="nofollow" target="_blank" title="https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/">https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/</a></li>
</ul>
<br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/joeavanzato/Trawler" rel="nofollow" target="_blank" title="Download Trawler">Download Trawler</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-60948736712715136432023-08-13T08:30:00.000-04:002023-08-13T08:30:00.134-04:00NixImports - A .NET Malware Loader, Using API-Hashing To Evade Static Analysis<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0Zq8zJu8KUW6x6AabU-OR0RAh6f7ncktwNDdnF1BDB_ExxXnb7vYeSvoTmvK92klLZD_BTSKymjXg68SKD5rdJrcKhCo7Ba_RU6dnjYDwHLX0UvH5j7Gp8Ss9dVjvTBKqxnAhc4h3kwIC7j4R6fuc763g0CQvwtRvJdenCBwY_7x3mcfXa5RtVkwVUBLv/s1174/nix_references.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="572" data-original-width="1174" height="312" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0Zq8zJu8KUW6x6AabU-OR0RAh6f7ncktwNDdnF1BDB_ExxXnb7vYeSvoTmvK92klLZD_BTSKymjXg68SKD5rdJrcKhCo7Ba_RU6dnjYDwHLX0UvH5j7Gp8Ss9dVjvTBKqxnAhc4h3kwIC7j4R6fuc763g0CQvwtRvJdenCBwY_7x3mcfXa5RtVkwVUBLv/w640-h312/nix_references.png" width="640" /></a></div><p><br /></p> <p dir="auto">A .NET <a href="https://www.kitploit.com/search/label/Malware" target="_blank" title="malware">malware</a> loader, using API-Hashing and <a href="https://www.kitploit.com/search/label/Dynamic" target="_blank" title="dynamic">dynamic</a> invoking to evade static analysis</p> <h2 dir="auto" tabindex="-1">How does it work?</h2> <p dir="auto">NixImports uses my managed API-Hashing implementation HInvoke to dynamically resolve most of its called functions at runtime. To resolve the functions, HInvoke requires two hashes: the typeHash and the methodHash. 
These hashes represent the type name and the method's FullName; at runtime HInvoke parses the entire mscorlib to find the matching type and method. Because of this process, HInvoke does not leave any import references to the methods called through it.</p> <p dir="auto">Another interesting feature of NixImports is that it avoids calling known methods as much as possible: whenever applicable, NixImports uses internal methods instead of their wrappers. By using only internal methods we can evade basic hooks and monitoring employed by some security tools.</p> <p dir="auto">For a more detailed explanation check out <a href="https://dr4k0nia.github.io/posts/NixImports-a-NET-loader-using-HInvoke/" rel="nofollow" target="_blank" title="my blog post">my blog post</a>.</p> <p dir="auto">You can generate hashes for HInvoke using <a href="https://gist.github.com/dr4k0nia/813087cee2875f5f82e37c8a731b80b0" rel="nofollow" target="_blank" title="this tool">this tool</a>.</p><span><a name='more'></a></span><p dir="auto"><br /></p> <h2 dir="auto" tabindex="-1">How to use</h2> <p dir="auto">NixImports only requires a file path to the .NET <a href="https://www.kitploit.com/search/label/Binary" target="_blank" title="binary">binary</a> you want to pack with it.</p> <div><pre><code>NixImports.exe <filepath><br /></code></pre></div> <p dir="auto">It will automatically generate a new executable called Loader.exe in its root folder. 
The loader executable will contain your encoded <a href="https://www.kitploit.com/search/label/Payload" target="_blank" title="payload">payload</a> and the stub code required to run it.</p> <h2 dir="auto" tabindex="-1">Tips for Defenders</h2> <p dir="auto">If you're interested in <a href="https://www.kitploit.com/search/label/Detection%20Engineering" target="_blank" title="detection engineering">detection engineering</a> and possible detection of NixImports, check out <a href="https://dr4k0nia.github.io/posts/NixImports-a-NET-loader-using-HInvoke/#tips-for-defenders" rel="nofollow" target="_blank" title="the last section of my blog post">the last section of my blog post</a>.</p> <p dir="auto">Or <a href="https://github.com/dr4k0nia/yara-rules/blob/main/dotnet/msil_mal_niximports_loader.yar" rel="nofollow" target="_blank" title="click here">click here</a> for a basic YARA rule covering NixImports.</p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/dr4k0nia/NixImports" rel="nofollow" target="_blank" title="Download NixImports">Download NixImports</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-19856402287546555002023-06-12T08:30:00.005-04:002023-06-12T08:30:00.135-04:00C2-Hunter - Extract C2 Traffic<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIyW03UsgU2Hgw9yj77HfkE551VVUsKoT0ebQhorJyBkmQLdGQCmsNCj3otHkIMSrfAxNsoLhpHYUqI7DC_Cbmy1BxKlDDZ-3PRF1ceS56o2-t53m_MpoCXaSAytSOvG7F_2T6Biwgbe_T8-FNOrjA0S8akEUrs86gyq24gMbod7ONO_bYEulpmdrUUg/s656/h144.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="398" data-original-width="656" height="388" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIyW03UsgU2Hgw9yj77HfkE551VVUsKoT0ebQhorJyBkmQLdGQCmsNCj3otHkIMSrfAxNsoLhpHYUqI7DC_Cbmy1BxKlDDZ-3PRF1ceS56o2-t53m_MpoCXaSAytSOvG7F_2T6Biwgbe_T8-FNOrjA0S8akEUrs86gyq24gMbod7ONO_bYEulpmdrUUg/w640-h388/h144.png" width="640" /></a></div><p><br /></p><h1 dir="auto" tabindex="-1">C2-Hunter</h1> <ul dir="auto"> <li> <p dir="auto">C2-Hunter is a program designed for <a href="https://www.kitploit.com/search/label/Malware" target="_blank" title="malware">malware</a> analysts to extract Command and Control (C2) <a href="https://www.kitploit.com/search/label/Traffic" target="_blank" title="traffic">traffic</a> from malware in real time. The program uses a unique approach: <a href="https://www.kitploit.com/search/label/Hooking" target="_blank" title="hooking">hooking</a> into the Win32 connection APIs.</p> </li> <li> <p dir="auto">With C2-Hunter, malware analysts can now <a href="https://www.kitploit.com/search/label/Intercept" target="_blank" title="intercept">intercept</a> and analyze communication in real time, gaining valuable insights into the inner workings of <a href="https://www.kitploit.com/search/label/Cyber" target="_blank" title="cyber">cyber</a> threats. 
Its ability to track C2 elements of malware makes it an essential tool for any cyber security team.</p> </li> </ul><span><a name='more'></a></span><div><br /></div> <h1 dir="auto" tabindex="-1">Features</h1> <ul dir="auto"> <li>Real-time extraction of C2 traffic</li> <li>Bypasses malware time delays to speed up the extraction process (SOON)</li> </ul> <h1 dir="auto" tabindex="-1">Requirements</h1> <ul dir="auto"> <li>Windows Operating System</li> <li>Administrator Privileges</li></ul><div><br /></div><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/ZeroMemoryEx/C2-Hunter" rel="nofollow" target="_blank" title="Download C2-Hunter">Download C2-Hunter</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-26570921533878728982023-02-09T08:30:00.001-03:002023-02-09T08:30:00.258-03:00C99Shell-PHP7 - PHP 7 And Safe-Build Update Of The Popular C99 Variant Of PHP Shell<p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgM5673_l5p8LZW2RUBTXeebgWq2EfrsUTcjRhmyNEFb_kxGsz-rAhJiqmdm8mjzOR-Aq6NjMnA3yIJ-OhAlWM3FCqddR1N-askE6n_7zsMHmzCFVh81KK9S5_2HkygBgd6JaxOZj5baTErmWoZVQ2Um_ippXSdl29SgLEqSZLC-I5wFalymGetxe3oAA"><img alt="" border="0" height="388" id="BLOGGER_PHOTO_ID_7196541703362138850" src="https://blogger.googleusercontent.com/img/a/AVvXsEgM5673_l5p8LZW2RUBTXeebgWq2EfrsUTcjRhmyNEFb_kxGsz-rAhJiqmdm8mjzOR-Aq6NjMnA3yIJ-OhAlWM3FCqddR1N-askE6n_7zsMHmzCFVh81KK9S5_2HkygBgd6JaxOZj5baTErmWoZVQ2Um_ippXSdl29SgLEqSZLC-I5wFalymGetxe3oAA=w640-h388" width="640" /></a></p><br />
<h1 dir="auto">C99Shell-PHP7</h1> <p dir="auto">PHP 7 and safe-build update of the popular C99 variant of PHP Shell.</p> <p dir="auto">c99shell.php v.2.0 (PHP 7) (25.02.2019) Updated by: PinoyWH1Z for PHP 7</p> <h1 dir="auto">About C99Shell</h1> <p dir="auto">An excellent example of a web shell is the c99 variant, a PHP shell (most people call it malware) often uploaded to a <a href="https://www.kitploit.com/search/label/Vulnerable" target="_blank" title="vulnerable">vulnerable</a> web application to give <a href="https://www.kitploit.com/search/label/Hackers" target="_blank" title="hackers">hackers</a> an interface. The c99 shell lets the attacker take control of the processes of the Internet server, allowing them to give commands on the server as the account under which the threat is operating. It lets the hacker upload files, browse the file system, edit and view files, and also delete and move them and change permissions. Finding a c99 shell is an excellent way to identify a compromise on a system. The c99 shell is about 1500 lines long if packed and 4900+ if properly displayed, and some of its traits include showing security measures the web server may use, a file viewer with permissions, and a place where the attacker can run custom PHP code (PHP malware c99 shell).</p> <p dir="auto">There are different variants of the c99 shell in use today. This GitHub release is an example of a relatively recent one. It has many signatures that can be utilized to write protective countermeasures.</p><span><a name='more'></a></span><p dir="auto"><br /></p> <h1 dir="auto">About this release:</h1> <p dir="auto">I've been using php shells as part of my <a href="https://www.kitploit.com/search/label/Ethical%20Hacking" target="_blank" title="Ethical Hacking">Ethical Hacking</a> activities. 
And I have noticed that most of the php shells that are downloadable online are encrypted with malicious code, and without you knowing, others also insert <a href="https://www.kitploit.com/search/label/Trackers" target="_blank" title="trackers">trackers</a> so they can see where you placed your php shell.</p> <p dir="auto">I came up with an idea: "what if I get the stable version of c99shell, reverse the encrypted code, remove the malicious code and release it to the public for good." And yeah, I decided to do it, but I noticed that most servers have now upgraded their apache service to PHP 7; sadly, the code that I have is for PHP 5.3 and below.</p> <p dir="auto">The good thing is, only a few lines of syntax needed to be altered, so I did it.</p> <p dir="auto">Here you go mates, a clean and safe-build version of the most stable c99shell that I can see.</p> <p dir="auto">If you ever see more bugs, please create an issue or just fork it, update it and do a pull request so I can check it and update the code for stabilization.</p> <h1 dir="auto">PS:</h1> <p dir="auto">This php shell is widely used by hackers, so don't freak out if your anti-virus/anti-malware detects this php file as malicious or treats it as a backdoor. 
Since you can see the codes in my re-released project, you can read all throughout the codes and inspect or even debug as much as you like.</p> <h1 dir="auto">Disclaimer:</h1> <p dir="auto">I will NOT be held responsible for any unethical use of this hacking tool.</p> <h1 dir="auto">Official Release:</h1> <p dir="auto"><a href="https://github.com/PinoyWH1Z/C99Shell-PHP7/releases/download/v2.0.0/c99shell_v2.0.zip" rel="nofollow" target="_blank" title="c99shell_v2.0.zip">c99shell_v2.0.zip</a> (<code>Zip Password: PinoyWH1Z</code>)</p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/PinoyWH1Z/C99Shell-PHP7" rel="nofollow" target="_blank" title="Download C99Shell-PHP7">Download C99Shell-PHP7</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-35344501372378142402022-09-08T08:30:00.011-04:002022-09-08T08:30:00.248-04:00ForceAdmin - Create Infinite UAC Prompts Forcing A User To Run As Admin<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTCOt66qL6-UmPkc-_JP_NlmLZHzhiM7caD9uiVO1YQwh_cYazmlkUt7etbLB_-mXMuV9VrbsBLza7wmkp82E8gILCUN_FdJ4OC1zh8qZWBnGquvahILS1gFcytHcIyzpXILhIEQbtt5b7URM0AGrz3vtd_WhzrLXgrYbfFM62XjXl0ShaWASSCbRgnA/s618/ForceAdmin_7_Screenshot_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="261" data-original-width="618" height="270" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTCOt66qL6-UmPkc-_JP_NlmLZHzhiM7caD9uiVO1YQwh_cYazmlkUt7etbLB_-mXMuV9VrbsBLza7wmkp82E8gILCUN_FdJ4OC1zh8qZWBnGquvahILS1gFcytHcIyzpXILhIEQbtt5b7URM0AGrz3vtd_WhzrLXgrYbfFM62XjXl0ShaWASSCbRgnA/w640-h270/ForceAdmin_7_Screenshot_1.png" width="640" /></a></div><p><br /></p>
<p dir="auto">ForceAdmin is a C# <a href="https://www.kitploit.com/search/label/Payload" target="_blank" title="payload">payload</a> builder, creating infinite <a href="https://www.kitploit.com/search/label/UAC" target="_blank" title="UAC">UAC</a> pop-ups until the user allows the program to be run. The inputted commands are run via <a href="https://www.kitploit.com/search/label/PowerShell" target="_blank" title="powershell">powershell</a> calling cmd.exe and should use the <a href="https://www.kitploit.com/search/label/Batch" target="_blank" title="batch">batch</a> syntax. Why use it? Some users have UAC set to always show, so UAC bypass techniques are not possible. However, this attack will force them to run as admin, <a href="https://www.kitploit.com/search/label/Bypassing" target="_blank" title="Bypassing">bypassing</a> these settings.</p><span><a name='more'></a></span><p dir="auto"><br /></p>
<h2 dir="auto">Screenshots</h2><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbaWIcVOJpeBBZ51w6-QicqqCTgKPy1K73T-j3cYO2fDPDl9aBXftHLcbJEZ7PVNzl0AFiWoqEArZ8YyiHbUuJqZURVyswp1HHC2-fVxZr7vXOdxMwWE0fJoIvGtFx-QI5UNSQIKBhRcMZdJBUZlOiBWjY97ZHIZH_fWY4fkEmiAajYkAKUQJUpQ78fw/s600/ForceAdmin_8_Demo.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="389" data-original-width="600" height="414" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbaWIcVOJpeBBZ51w6-QicqqCTgKPy1K73T-j3cYO2fDPDl9aBXftHLcbJEZ7PVNzl0AFiWoqEArZ8YyiHbUuJqZURVyswp1HHC2-fVxZr7vXOdxMwWE0fJoIvGtFx-QI5UNSQIKBhRcMZdJBUZlOiBWjY97ZHIZH_fWY4fkEmiAajYkAKUQJUpQ78fw/w640-h414/ForceAdmin_8_Demo.gif" width="640" /></a></div><p dir="auto"><br /></p>
<h2 dir="auto"><div>Required</div></h2>
<p dir="auto">For building on your own, the following NuGet packages are needed</p>
<ul dir="auto">
<li><a href="https://www.nuget.org/packages/Fody/" rel="nofollow" target="_blank" title="Fody"><code>Fody</code></a>: "Extensible tool for weaving .net assemblies."</li>
<li><a href="https://www.nuget.org/packages/Costura.Fody/" rel="nofollow" target="_blank" title="Costura.Fody"><code>Costura.Fody</code></a>: "Fody add-in for embedding references as resources."</li>
<li><a href="https://www.nuget.org/packages/Microsoft.AspNet.WebApi.Client/" rel="nofollow" target="_blank" title="Microsoft.AspNet.WebApi.Client"><code>Microsoft.AspNet.WebApi.Client</code></a>: "This package adds support for formatting and content negotiation to System.Net.Http. It includes support for JSON, XML, and form URL encoded data."</li>
</ul><div><br /></div>
<h2 dir="auto"><div>Installation</div></h2>
<p dir="auto">You can download the latest tarball by clicking <a href="https://github.com/CatzSec/ForceAdmin/tarball/master" rel="nofollow" target="_blank" title="here">here</a> or latest zipball by clicking <a href="https://github.com/catzsec/ForceAdmin/zipball/master" rel="nofollow" target="_blank" title="here">here</a>.</p>
<p dir="auto">Download the project:</p>
<div><pre><code>$ git clone https://github.com/catzsec/ForceAdmin.git</code></pre></div>
<p dir="auto">Enter the project folder</p>
<div><pre><code>$ cd ForceAdmin</code></pre></div>
<p dir="auto">Run ForceAdmin:</p>
<div><pre><code>$ dotnet run</code></pre></div>
<p dir="auto">Compile ForceAdmin:</p>
<div><pre><code>$ dotnet publish -r win-x64 -c Release -o ./publish/</code></pre></div>
<hr />
<p dir="auto"></p><div>⚠ONLY USE FOR EDUCATIONAL PURPOSES⚠</div><hr />
<p dir="auto">Any questions, errors or solutions, create an Issue in the Issues tab.</p>
<br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/catzsec/ForceAdmin" rel="nofollow" target="_blank" title="Download ForceAdmin">Download ForceAdmin</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-48845022732027754802021-08-18T08:30:00.001-04:002021-08-18T08:30:00.340-04:00AuraBorealisApp - Do You Know What's In Your Python Packages? A Tool For Visualizing Python Package Registry Security Audit Data<p style="text-align: center;"><a href="http://4.bp.blogspot.com/-l967QEd6tCY/YRvF0ewhS3I/AAAAAAAAqjs/8Y2EYMTm3n0IQg-kc_EiMU5wH_dZeaKpQCK4BGAYYCw/s1600/AuraBorealisApp_1_auraborealis_homepage_ui-755385.png"><img alt="" border="0" height="358" id="BLOGGER_PHOTO_ID_6997403951450639218" src="http://4.bp.blogspot.com/-l967QEd6tCY/YRvF0ewhS3I/AAAAAAAAqjs/8Y2EYMTm3n0IQg-kc_EiMU5wH_dZeaKpQCK4BGAYYCw/w640-h358/AuraBorealisApp_1_auraborealis_homepage_ui-755385.png" width="640" /></a></p> <br /> <p>AuraBorealis is a web application for visualizing anomalous and potentially malicious code in Python package registries. It uses security audit data produced by scanning the <a href="https://www.kitploit.com/search/label/Python%20Package" target="_blank" title="Python Package">Python Package</a> Index (PyPI) via <a href="https://github.com/SourceCode-AI/aura" rel="nofollow" target="_blank" title="Aura">Aura</a>, a static <a href="https://www.kitploit.com/search/label/Analysis" target="_blank" title="analysis">analysis</a> tool designed for large-scale security <a href="https://www.kitploit.com/search/label/Auditing" target="_blank" title="auditing">auditing</a> of Python packages. 
The current tool is a proof-of-concept, and includes some live Aura data, as well as some mockup data for demo purposes.</p> <p>Current features include:</p> <ul> <li> <p>Scanning the entire Python package <a href="https://www.kitploit.com/search/label/Registry" target="_blank" title="registry">registry</a> to:</p> <ul> <li>List packages with the highest number of security warnings, sorted by <a href="https://docs.aura.sourcecode.ai/cookbook/misc/detections.html" rel="nofollow" target="_blank" title="Aura warning type">Aura warning type</a></li> <li>List packages sorted by the total and unique count of warnings</li> <li>List packages by their overall severity score</li> </ul> </li> <li> <p>Displaying security warnings for an individual package, sorted by criticality</p> </li> <li> <p>Visualizing the line numbers and lines of code in files generating security warnings for a specific package</p> </li> <li> <p>Comparing two packages for security warnings</p></li></ul><span><a name='more'></a></span><div><br /></div><span style="font-size: large;"><b>Instructions</b></span><br /> <p>Turn on your VPN (at IQT)</p> <p>Clone the repository.</p> <p><code>git clone https://github.com/IQTLabs/AuraBorealisApp.git</code></p> <p>Navigate to the aura-borealis-flask-app directory.</p> <p><code>cd aura-borealis-flask-app</code></p> <p>Install dependencies.</p> <p><code>pip install -r requirements.txt</code></p> <p>Run the app.</p> <p><code>python app.py</code></p> <p>Navigate to the URL <code>http://0.0.0.0:7000/</code> in a browser.</p> <br /><span style="font-size: large;"><b>Feature Roadmap</b></span><br /> <ul> <li>Compare a package to a <em>benchmark profile</em> of packages of similar purpose for security warnings</li> <li>Compare different versions of the same package for security warnings</li> <li>List packages that have changes in their warnings and/or severity score between two dates</li> <li>Ability to scan an internal package/registry that's not public on PyPI</li> <li>Display 
an analysis of permissions (does this package make a network connection? Does this package require OS-level library permissions?)</li> </ul> <br /><span style="font-size: large;"><b>Contact Information</b></span><br /> <p><a href="mailto:jmeyers@iqt.org" rel="nofollow" target="_blank" title="jmeyers@iqt.org">jmeyers@iqt.org</a> (John Speed Meyers, IQT Labs, Secure Code Reuse project lead).</p> <p>The lead developer and creator of Aura is Martin Carnogusky of <a href="https://aura.sourcecode.ai/" rel="nofollow" target="_blank" title="sourcecode.ai">sourcecode.ai</a>.</p> <br /><span style="font-size: large;"><b>Related Work</b></span><br /> <ul> <li>IQT blog post on <a href="https://www.iqt.org/toward-secure-code-reuse/" rel="nofollow" target="_blank" title="secure code reuse">secure code reuse</a></li> <li>IQT blog posts on <a href="https://www.iqt.org/bewear-python-typosquatting-is-about-more-than-typos/" rel="nofollow" target="_blank" title="typosquatting">typosquatting</a> and <a href="https://www.iqt.org/pypi-scan/" rel="nofollow" target="_blank" title="preventing">preventing </a><a href="https://www.kitploit.com/search/label/Typosquatting" target="_blank" title="typosquatting">typosquatting</a> via pypi-scan</li> <li>USENIX article on <a href="https://www.usenix.org/system/files/login/articles/login_winter20_17_geer.pdf" rel="nofollow" target="_blank" title="Counting Broken Links: A Quant's View of Software Supply Chain Security">"Counting Broken Links: A Quant's View of Software Supply Chain Security"</a></li> <li>IQT open source <a href="https://github.com/IQTLabs/software-supply-chain-compromises" rel="nofollow" target="_blank" title="dataset">dataset</a> on known software supply chain compromises</li> </ul> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/IQTLabs/AuraBorealisApp" rel="nofollow" target="_blank" title="Download AuraBorealisApp">Download 
AuraBorealisApp</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-78219342296290605352021-08-04T17:30:00.001-04:002021-08-04T17:30:00.338-04:00Uchihash - A Small Utility To Deal With Malware Embedded Hashes<p><a href="http://1.bp.blogspot.com/-LhLwXh1BbXs/YP8gLRzS6aI/AAAAAAAAoqc/urZ-y1SsamYCvfrpAUEyDyVk6GRqiMrUwCK4BGAYYCw/s1600/Uchihash_1_ida_result-744612.png" style="text-align: center;"><img alt="" border="0" height="368" id="BLOGGER_PHOTO_ID_6989340524831500706" src="http://1.bp.blogspot.com/-LhLwXh1BbXs/YP8gLRzS6aI/AAAAAAAAoqc/urZ-y1SsamYCvfrpAUEyDyVk6GRqiMrUwCK4BGAYYCw/w640-h368/Uchihash_1_ida_result-744612.png" width="640" /></a></p><div><br /></div> <p>Uchihash is a small utility that can save malware analysts the time of dealing with <a href="https://www.kitploit.com/search/label/Embedded" target="_blank" title="embedded">embedded</a> hash values used for various things such as:</p> <ul> <li>Dynamically importing APIs (especially in shellcode)</li> <li>Checking for running processes used by analysts (Anti-Analysis)</li> <li>Checking for VM or <a href="https://www.kitploit.com/search/label/Antivirus" target="_blank" title="Antivirus">Antivirus</a> artifacts (Anti-Analysis)</li> </ul> <p>Uchihash can generate hashes with your own custom hashing algorithm, search for a list of hashes in an already generated hashmap, and generate an IDAPython script that annotates the hashes with their corresponding values for easier analysis.</p><span><a name='more'></a></span><div><br /></div><span style="font-size: large;"><b>Installation</b></span><br /> <div class="snippet-clipboard-content position-relative"><pre><code>$ git clone https://github.com/N1ght-W0lf/Uchihash.git<br />$ pip install -r requirements.txt<br /></code></pre></div> <br /><span style="font-size: large;"><b>Usage</b></span><br /> 
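Before the command-line reference, an added worked example (not Uchihash's own code) of what the <code>--script</code>, <code>--apis</code> and <code>--search</code> steps do, using the BuerLoader hash from the Example section of this post. The API list, the hash list and the 32-bit masking of the running sum are this example's own assumptions.

```python
"""Added example, not Uchihash's own code: the --script / --apis / --search
workflow from this post, done in plain Python.

It re-implements the case-folding ROR13 hash the post attributes to
BuerLoader, builds the hash -> API-name map that `--apis` would build
(over a small API list constructed here), then resolves a constructed list
of hash values the way `--search ... --hashes ...` does, reporting any hash
that no known name produces.  The JSON printed mirrors the shape of
output/search_hashmap.txt but is this example's own formatting.
"""
import json

MASK32 = 0xFFFFFFFF


def ror32(val: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits` (the post's ROR4 with bit_size=32)."""
    bits %= 32
    val &= MASK32
    return ((val >> bits) | (val << (32 - bits))) & MASK32


def buer_hash(name: bytes) -> int:
    """BuerLoader API hash as given in the post: running value rotated right
    by 13, lowercase folded to uppercase (c - 32 for c >= 'a'), byte added.
    Assumption (mine): the loader does this in a 32-bit register, so the sum
    is masked; for ordinary API names this equals the post's hashme()."""
    res = 0
    for c in name:
        v3 = ror32(res, 13)
        v4 = c - 32 if c >= 0x61 else c
        res = (v3 + v4) & MASK32
    return res


def hashme(s: bytes) -> str:
    """Wrapper in the shape Uchihash's --script expects: a hex-string result."""
    return hex(buer_hash(s))


def build_hashmap(names):
    """What --apis / --list produce: {'0x........': 'ApiName'}.
    A collision would silently mislabel an API in the IDB, so refuse it."""
    table = {}
    for name in names:
        key = f"0x{buer_hash(name.encode('ascii')):08x}"
        if key in table and table[key] != name:
            raise ValueError(f"hash collision {key}: {table[key]} vs {name}")
        table[key] = name
    return table


def normalise(h: str) -> str:
    """Accept '0x8A8B468C', '8a8b468c' and '0x8a8b468c' alike: lowercase, 8 digits."""
    return f"0x{int(h, 16):08x}"


def search_hashes(hashmap, hashes):
    """What --search / --hashes do: map each hash to a name, keep the misses.
    Returns (resolved: dict, unresolved: list)."""
    resolved, unresolved = {}, []
    for h in hashes:
        key = normalise(h)
        if key in hashmap:
            resolved[key] = hashmap[key]
        else:
            unresolved.append(key)
    return resolved, unresolved


# Constructed inputs for the demo: a tiny stand-in for data/apis_list.txt and
# a short stand-in for buer_hashes.txt (the first two values are from the
# post's output, the third is a deliberate miss).
API_NAMES = [
    "LoadLibraryW", "VirtualAlloc", "VirtualProtect", "VirtualFree",
    "GetComputerNameW", "GetNativeSystemInfo", "CreateFileW",
]
BUER_HASHES = ["0x8a8b468c", "302EBE1C", "0xdeadbeef"]


if __name__ == "__main__":
    hashmap = build_hashmap(API_NAMES)
    resolved, unresolved = search_hashes(hashmap, BUER_HASHES)
    print(json.dumps(resolved, indent=4))  # same shape as output/search_hashmap.txt
    for h in unresolved:
        print(f"unresolved: {h}  (not in the word list, or a different algorithm)")
```

An unresolved hash is worth keeping visible: it usually means the word list is missing a name or the sample uses a second hashing routine.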
<div class="snippet-clipboard-content position-relative"><pre><code>usage: uchihash.py [-h] [--algo ALGO] [--apis] [--keywords] [--list LIST] [--script SCRIPT] [--search SEARCH] [--hashes HASHES] [--ida]<br /><br />optional arguments:<br />  -h, --help       show this help message and exit<br />  --algo ALGO      Hashing algorithm<br />  --apis           Calculate hashes of APIs<br />  --keywords       Calculate hashes of keywords<br />  --list LIST      Calculate hashes of your own word list<br />  --script SCRIPT  Script file containing your custom hashing algorithm<br />  --search SEARCH  Search a JSON File containing hashes mapped to words<br />  --hashes HASHES  File containing list of hashes to search for<br />  --ida            Generate an IDAPython script to annotate hash values<br /><br />Examples:<br />  * python uchihash.py --algo crc32 --apis<br />  * python uchihash.py --algo murmur3 --list mywords.txt<br />  * python uchihash.py --search hashmap.txt --hashes myhashes.txt<br /></code></pre></div> <br /><span style="font-size: large;"><b>Notes</b></span><br /> <ul> <li> <p><strong><code>--algo</code></strong>: One of the available 
hashing algorithms</p> </li> <li> <p><strong><code>--apis</code></strong>: Hashes a huge list of Windows APIs (see <a href="https://github.com/N1ght-W0lf/Uchihash/blob/main/data/apis_list.txt" rel="nofollow" target="_blank" title="data/apis_list.txt">data/apis_list.txt</a>)</p> </li> <li> <p><strong><code>--keywords</code></strong>: Hashes a list of common keywords used by malware families, such as <a href="https://www.kitploit.com/search/label/Analysis" target="_blank" title="Analysis">Analysis</a> tools and VM/Antivirus/EDR artifacts (see <a href="https://github.com/N1ght-W0lf/Uchihash/blob/main/data/keywords_list.txt" rel="nofollow" target="_blank" title="data/keywords_list.txt">data/keywords_list.txt</a>)</p> </li> <li> <p><strong><code>--list</code></strong>: Words are separated by a newline (see <a href="https://github.com/N1ght-W0lf/Uchihash/blob/main/examples/mywords.txt" rel="nofollow" target="_blank" title="examples/mywords.txt">examples/mywords.txt</a>)</p> </li> <li> <p><strong><code>--script</code></strong>: The hashing function must be called <code>hashme()</code> and the return value must be in hex format <code>0xDEADBEEF</code> (see <a href="https://github.com/N1ght-W0lf/Uchihash/blob/main/examples/custom_algo.py" rel="nofollow" target="_blank" title="examples/custom_algo.py">examples/custom_algo.py</a>)</p> </li> <li> <p><strong><code>--search</code></strong>: The file to search must be in JSON format (see <a href="https://github.com/N1ght-W0lf/Uchihash/blob/main/examples/searchme.txt" rel="nofollow" target="_blank" title="examples/searchme.txt">examples/searchme.txt</a>)</p> </li> <li> <p><strong><code>--hashes</code></strong>: Hash values are separated by a newline and must be in hex format (see <a href="https://github.com/N1ght-W0lf/Uchihash/blob/main/examples/myhashes.txt" rel="nofollow" target="_blank" title="examples/myhashes.txt">examples/myhashes.txt</a>)</p> </li> </ul> <p>See the examples folder for more clarification.</p> <br /><span 
style="font-size: large;"><b>Available Hashing Algorithms</b></span><br /> <ul> <li>md4</li> <li>md5</li> <li>sha1</li> <li>sha224</li> <li>sha256</li> <li>sha384</li> <li>sha512</li> <li>ripemd160</li> <li>whirlpool</li> <li>crc8</li> <li>crc16</li> <li>crc32</li> <li>crc64</li> <li>djb2</li> <li>sdbm</li> <li>loselose</li> <li>fnv1_32</li> <li>fnv1a_32</li> <li>fnv1_64</li> <li>fnv1a_64</li> <li>murmur3</li> </ul> <br /><span style="font-size: large;"><b>Example</b></span><br /> <p>Let's take an example with a real malware family. In this case we have <strong><code>BuerLoader</code></strong>, which uses hash values to dynamically import APIs and uses a custom hashing algorithm.</p> <p>First we need to implement the hashing algorithm in Python (the comparison <code>c < 97</code> shows that <code>s</code> is handled as bytes, so each <code>c</code> is an integer character code):</p> <div class="highlight highlight-source-python position-relative"><pre><code># 32-bit rotate right: mask val to bit_size bits, shift the low bits out on<br /># the right and back in on the left<br />def ROR4(val, bits, bit_size=32):<br />    return ((val & (2 ** bit_size - 1)) >> bits % bit_size) | \<br />           (val << (bit_size - (bits % bit_size)) & (2 ** bit_size - 1))<br /><br /># BuerLoader hash: rotate the running value right by 13, fold lowercase to<br /># uppercase (c - 32 for c >= 'a'), add the byte; Uchihash expects a hex string<br />def hashme(s):<br />    res = 0<br />    for c in s:<br />        v3 = ROR4(res, 13)<br />        v4 = c - 32<br />        if c < 97:<br />            v4 = c<br />        res = v4 + v3<br />    return hex(res)</code></pre></div> <p>Then we calculate the hashes of all APIs:</p> <div class="snippet-clipboard-content position-relative"><pre><code>$ python uchihash.py --script custom_algo.py --apis<br /></code></pre></div> <p>Finally we search the generated hashmap for the hash values that BuerLoader uses; we can also generate an IDAPython script to annotate those hash values with their corresponding API 
names:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="$ python uchihash.py --search output/hashmap.txt --hashes buer_hashes.txt --ida "><pre><code>$ python uchihash.py --search output/hashmap.txt --hashes buer_hashes.txt --ida<br /></code></pre></div> <p>We should get 2 output files, one is <strong><code>"output/search_hashmap.txt"</code></strong> which maps BuerLoader's hash values to API names:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="{ "0x8a8b468c": "LoadLibraryW", "0x302ebe1c": "VirtualAlloc", "0x1803b7e3": "VirtualProtect", "0xe183277b": "VirtualFree", "0x24e2968d": "GetComputerNameW", "0xab489125": "GetNativeSystemInfo", ....... } "><pre><code>{<br /> "0x8a8b468c": "LoadLibraryW",<br /> "0x302ebe1c": "VirtualAlloc",<br /> "0x1803b7e3": "VirtualProtect",<br /> "0xe183277b": "VirtualFree",<br /> "0x24e2968d": "GetComputerNameW",<br /> "0xab489125": "GetNativeSystemInfo",<br /> .......<br />}<br /></code></pre></div> <p>The other file is <strong><code>"output/ida_script.py"</code></strong> which will add the comments to your idb:</p> <p style="text-align: center;"><a href="https://github.com/N1ght-W0lf/Uchihash/blob/main/screenshots/ida_result.png" rel="nofollow" target="_blank" title="A small utility to deal with malware embedded hashes. 
(10)"></a><a href="http://1.bp.blogspot.com/-LhLwXh1BbXs/YP8gLRzS6aI/AAAAAAAAoqc/urZ-y1SsamYCvfrpAUEyDyVk6GRqiMrUwCK4BGAYYCw/s1600/Uchihash_1_ida_result-744612.png"><img alt="" border="0" height="368" id="BLOGGER_PHOTO_ID_6989340524831500706" src="http://1.bp.blogspot.com/-LhLwXh1BbXs/YP8gLRzS6aI/AAAAAAAAoqc/urZ-y1SsamYCvfrpAUEyDyVk6GRqiMrUwCK4BGAYYCw/w640-h368/Uchihash_1_ida_result-744612.png" width="640" /></a></p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/N1ght-W0lf/Uchihash" rel="nofollow" target="_blank" title="Download Uchihash">Download Uchihash</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-91138890460372613042021-06-19T17:30:00.013-04:002021-06-19T17:30:00.311-04:00FalconEye - Real-time detection software for Windows process injections<p><a href="http://2.bp.blogspot.com/-evr-g5bb7m0/YMZqSngj2lI/AAAAAAAAaDg/k68fHZQrOU4C76vvSH_y02ES5jzzWSvzwCK4BGAYYCw/s1600/FalconEye_1-770139.png"><img alt="" border="0" height="432" id="BLOGGER_PHOTO_ID_6973377941105531474" src="http://2.bp.blogspot.com/-evr-g5bb7m0/YMZqSngj2lI/AAAAAAAAaDg/k68fHZQrOU4C76vvSH_y02ES5jzzWSvzwCK4BGAYYCw/w640-h432/FalconEye_1-770139.png" width="640" /></a></p> <p><br /></p><p>FalconEye is Windows endpoint detection software for real-time process injections. It is a kernel-mode driver that aims to catch process injections as they are happening (real-time).
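As an added illustration (not FalconEye's driver code), the flow that the detection table and architecture notes below describe can be sketched in user-mode Python: a pid map seeded from cross-process OpenProcess activity, an ActionHistory ring buffer of NtWriteVirtualMemory (WPM) calls whose caller differs from the target, and the floating-code, PE-header, DLL-path and LoadLibrary-start checks applied when a remote thread is created. The module maps, the LoadLibraryW address and the event stream are all constructed for the example.

```python
"""Added sketch of FalconEye-style injection detection over constructed events.
Not the project's code: module maps, addresses and events are made up."""
from collections import deque
from dataclasses import dataclass

# Constructed per-pid module maps: name -> (base, size).  A kernel driver
# would consult the target's loaded-module list / VAD tree instead.
MODULES = {
    1000: {"attacker.exe": (0x00400000, 0x00020000)},
    2000: {"victim.exe":   (0x00400000, 0x00010000),
           "kernel32.dll": (0x76000000, 0x000C0000),
           "ntdll.dll":    (0x77000000, 0x00100000)},
}
# Constructed address of kernel32!LoadLibraryW as mapped in the victim (assumption).
LOADLIBRARY_ADDR = {2000: 0x76010000}


@dataclass
class Event:
    kind: str          # "open_process", "write_vm" or "create_thread"
    caller: int        # pid issuing the call
    target: int        # pid the call acts on
    addr: int = 0      # write_vm: destination address in the target
    data: bytes = b""  # write_vm: bytes written
    start: int = 0     # create_thread: start address of the new thread


class Detector:
    def __init__(self, history_len=64):
        self.tracked = set()                      # (caller, target) pid tuples
        self.history = deque(maxlen=history_len)  # ActionHistory ring buffer of WPM calls
        self.alerts = []

    @staticmethod
    def in_image(pid, addr):
        """True if addr lies inside a mapped image of pid (i.e. is not floating code)."""
        return any(base <= addr < base + size
                   for base, size in MODULES.get(pid, {}).values())

    def feed(self, ev):
        if ev.caller == ev.target:          # same-process activity is filtered out as noise
            return
        if ev.kind == "open_process":       # cross-process activity seeds the pid map
            self.tracked.add((ev.caller, ev.target))
            return
        if (ev.caller, ev.target) not in self.tracked:
            return                          # the caller never opened this target: ignore
        if ev.kind == "write_vm":
            self.history.append(ev)         # record the WPM for later stateful correlation
            payload = ev.data.rstrip(b"\x00")
            if payload[:2] == b"MZ":        # a PE header landing in the victim
                self.alerts.append(("pe_header_written", ev.caller, ev.target))
            elif payload.lower().endswith(b".dll"):
                self.alerts.append(("dll_path_written", ev.caller, ev.target))
        elif ev.kind == "create_thread":
            if ev.start == LOADLIBRARY_ADDR.get(ev.target):
                self.alerts.append(("remote_thread_loadlibrary", ev.caller, ev.target))
            elif not self.in_image(ev.target, ev.start):
                # Floating code: check whether an earlier WPM from the same attacker
                # covered the thread's start address.
                prior = any(w.caller == ev.caller and w.target == ev.target
                            and w.addr <= ev.start < w.addr + len(w.data)
                            for w in self.history)
                tag = "floating_code_from_prior_wpm" if prior else "floating_code"
                self.alerts.append((tag, ev.caller, ev.target))


def run_sample():
    """Feed a constructed event stream and return the alerts raised, in order."""
    det = Detector()
    events = [
        Event("write_vm", 1000, 1000, addr=0x00401000, data=b"\x90" * 8),       # self-write: ignored
        Event("open_process", 1000, 2000),                                        # attacker opens victim
        Event("write_vm", 1000, 2000, addr=0x00500000, data=b"\x90\x90\xc3"),    # bytes into an unbacked page
        Event("create_thread", 1000, 2000, start=0x00500000),                     # thread starts there
        Event("write_vm", 1000, 2000, addr=0x00600000, data=b"C:\\tmp\\inject.dll\x00"),
        Event("create_thread", 1000, 2000, start=0x76010000),                     # start == LoadLibraryW
        Event("write_vm", 1000, 2000, addr=0x00400000, data=b"MZ\x90\x00\x03"),  # PE header over the image
        Event("create_thread", 1000, 2000, start=0x00401000),                     # inside victim.exe: benign
    ]
    for ev in events:
        det.feed(ev)
    return det.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The same-process filter and the pid map are what keep the history small: only writes between an already-correlated attacker/victim pair are recorded, so the floating-code check at thread creation only has to scan a short ring buffer.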
Since FalconEye runs in kernel mode, it provides a stronger and more reliable defense against process injection techniques that try to evade various user-mode hooks.</p> <p>You can check our presentation at <a href="https://www.blackhat.com/asia-21/arsenal/schedule/#falconeye-windows-process-injection-techniques---catch-them-all-22612" rel="nofollow" target="_blank" title="2021 Blackhat ASIA Arsenal">2021 Blackhat ASIA Arsenal</a> and <a href="https://github.com/rajiv2790/FalconEye/blob/main/2021BHASIA_FalconEye.pdf" rel="nofollow" target="_blank" title="slides">slides</a>.</p><span><a name='more'></a></span><div><br /></div><span style="font-size: large;"><b>Project Overview</b></span><br /> <br /><b>Detection Coverage</b><br /> <p>The table below shows the implementation status and the detection logic for the various process injection techniques. WPM stands for WriteProcessMemory. To test the detection, one can refer to the references section.</p> <table> <tr> <th>Technique</th> <th>Status</th> <th>Detection</th> <th>POC Used</th> </tr> <tr> <td>Atombombing</td> <td>✓</td> <td>Hook QueueUserAPC and look for GlobalGetAtom family of functions</td> <td>Pinjectra</td> </tr> <tr> <td>Instrumentation callback injection</td> <td>✓</td> <td>Detect if a new thread is created from floating code</td> <td><a href="https://github.com/antonioCoco/Mapping-Injection" rel="nofollow" target="_blank" title="https://github.com/antonioCoco/Mapping-Injection">https://github.com/antonioCoco/Mapping-Injection</a></td> </tr> <tr> <td>Reflective DLL Injection</td> <td>✓</td> <td>Detect if a new thread is created from floating code and if PE header is being written into victim</td> <td>MInjector</td> </tr> <tr> <td>PROPagate</td> <td>✓</td> <td>Hook SetProp to get the address of the property being written and correlate with the previous WPM calls to get the address of floating code</td> <td>Pinjectra</td> </tr> <tr> <td>Process Hollowing</td> <td>✓</td> <td>Detected using PE header written into
target process memory</td> <td>MInjector</td> </tr> <tr> <td>CreateRemoteThread with LoadLibrary</td> <td>✓</td> <td>New thread with start address pointing to LoadLibrary. MInjector version also writes DLL path using WPM which is also detected</td> <td>MInjector, Pinjectra</td> </tr> <tr> <td>CreateRemoteThread with MapViewOfFile</td> <td>✓</td> <td>Detect if a new thread is created from floating code</td> <td>Pinjectra</td> </tr> <tr> <td>Suspend-Inject-Resume</td> <td>✓</td> <td>Detect if a new thread is created from floating code (MInjector). DLL Path being written via WPM (MInjector). Detect if context set on a previously suspended thread (Pinjectra)</td> <td>MInjector, Pinjectra</td> </tr> <tr> <td>QueueUserAPC</td> <td>✓</td> <td>DLL path being written via WPM</td> <td>MInjector</td> </tr> <tr> <td>QueueUserAPC with memset (Stackbombing)</td> <td>✓</td> <td>Hook QueueUserAPC and look for memset</td> <td>Pinjectra</td> </tr> <tr> <td>SetWindowLong (Extra window memory injection)</td> <td>✓</td> <td>Hook SetWindowLong to get the address of the function pointer being written and correlate with the previous WPM calls to get the address of floating code</td> <td>Pinjectra</td> </tr> <tr> <td>Unmap + Overwrite</td> <td>✓</td> <td>Alert if attacker process is unmapping ntdll from the victim</td> <td>Pinjectra</td> </tr> <tr> <td>Kernel Ctrl Table</td> <td>✓</td> <td>Detect if WPM is overwriting KernelCallbackTable field in the PEB of the victim</td> <td><a href="https://github.com/odzhan/injection/blob/master/kct" rel="nofollow" target="_blank" title="https://github.com/odzhan/injection/blob/master/kct">https://github.com/odzhan/injection/blob/master/kct</a></td> </tr> <tr> <td>USERDATA</td> <td>✓</td> <td>Check if WPM target address is in conhost.exe range.
If so check if any relevant function pointers from conhost match previously stored WPM address</td> <td><a href="https://github.com/odzhan/injection/blob/master/conhost" rel="nofollow" target="_blank" title="https://github.com/odzhan/injection/blob/master/conhost">https://github.com/odzhan/injection/blob/master/conhost</a></td> </tr> <tr> <td>Ctrl-inject</td> <td>✓</td> <td>Detect if the attacker does WPM in victim's KernelBase.dll range</td> <td>Pinjectra</td> </tr> <tr> <td>ALPC Callback</td> <td>✓</td> <td>Extract victim pid in NtConnectPort calls to ALPC port. For attacker-victim pid tuple check prior WPM calls and apply Floating code detection</td> <td>Pinjectra</td> </tr> <tr> <td>WNF Callback</td> <td>✓</td> <td>WPM followed by UpdateWNFStateData call</td> <td><a href="https://github.com/odzhan/injection/tree/master/wnf" rel="nofollow" target="_blank" title="https://github.com/odzhan/injection/tree/master/wnf">https://github.com/odzhan/injection/tree/master/wnf</a></td> </tr> <tr> <td>SetWindowsHook</td> <td>✓</td> <td>Save module paths registered in NtUserSetWindowsHookEx hook. Later when a module matching this path loads in a different process, generate alert</td> <td>MInjector</td> </tr> <tr> <td>GhostWriting</td> <td>✓</td> <td>Detect if context is set (NtSetContextThread is called) on a previously suspended thread</td> <td>Pinjectra</td> </tr> <tr> <td>Service Control</td> <td>✓</td> <td>WPM overwriting Service IDE of a process (service)</td> <td><a href="https://github.com/odzhan/injection/tree/master/svcctrl" rel="nofollow" target="_blank" title="https://github.com/odzhan/injection/tree/master/svcctrl">https://github.com/odzhan/injection/tree/master/svcctrl</a></td> </tr> <tr> <td>Shellcode injection</td> <td>✓</td> <td>New thread started from floating code. DLL path being written by WPM</td> <td>MInjector</td> </tr> <tr> <td>Image Mapping</td> <td>✓</td> <td>Thread started from floating code. PE header being written by WPM. 
DLL path being written by WPM</td> <td>MInjector</td> </tr> <tr> <td>Thread Reuse</td> <td>✓</td> <td>Thread started from floating code. DLL path being written by WPM</td> <td>MInjector</td> </tr> </table> <br /><b>Architecture Overview</b><br /> <p><a href="https://github.com/rajiv2790/FalconEye/blob/main/diagrams/FalconEye_Software_Architecture.png" rel="nofollow" target="_blank" title="$ (8)"></a><a href="http://2.bp.blogspot.com/-evr-g5bb7m0/YMZqSngj2lI/AAAAAAAAaDg/k68fHZQrOU4C76vvSH_y02ES5jzzWSvzwCK4BGAYYCw/s1600/FalconEye_1-770139.png"><img alt="" border="0" height="432" id="BLOGGER_PHOTO_ID_6973377941105531474" src="http://2.bp.blogspot.com/-evr-g5bb7m0/YMZqSngj2lI/AAAAAAAAaDg/k68fHZQrOU4C76vvSH_y02ES5jzzWSvzwCK4BGAYYCw/w640-h432/FalconEye_1-770139.png" width="640" /></a></p> <ol> <li>The driver is an on-demand load driver</li> <li>The initialization includes setting up callbacks and syscall hooks via libinfinityhook</li> <li>The callbacks maintain a map of Pids built from cross-process activity such as OpenProcess, but it is not limited to OpenProcess</li> <li>Subsequent callbacks and syscall hooks use this Pid map to reduce the noise in processing. As a part of noise reduction, syscall hooks filter out same-process activity.</li> <li>The detection logic is divided into subcategories, namely stateless (example: Atombombing), stateful (Unmap+Overwrite) and floating code (shellcode from multiple techniques)</li> <li>For stateful detections, syscall hooks record an ActionHistory which is implemented as a circular buffer. For example, it records all the NtWriteVirtualMemory calls where the caller process is different from the target process.</li> <li>The detection logic has common anomaly detection functionality such as floating code detection and detection for shellcode triggers in remote processes.
Both callbacks and syscall hooks invoke this common functionality for actual detection.</li> </ol> <p>NOTE: Our focus has been detection and not creating a performant detection engine. We’ll continue on these efforts past the BlackHat presentation.</p> <br /><span style="font-size: large;"><b>Files</b></span><br /> <div class="highlight highlight-source-shell position-relative"><pre><code>.<br />├── src<br />│   ├── FalconEye ---------------------------# FalconEye user and kernel space<br />│   └── libinfinityhook ---------------------# Kernel hook implementation<br />├── 2021BHASIA_FalconEye.pdf<br />└── README.md</code></pre></div> <br /><span style="font-size: large;"><b>Getting Started</b></span><br /> <br /><b>Prerequisites</b><br /> <ol> <li>Windows 10 Build 1903/1909</li> <li>Microsoft Visual Studio 2019 onwards</li> <li>Virtualization software such as VMware or Hyper-V (optional)</li> </ol> <br /><b>Installation</b><br /> <br /><b>Build</b><br /> <ol> <li>Open the solution with Visual Studio 2019</li> <li>Select x64 as build platform</li> <li>Build solution.
This should generate the FalconEye.sys binary under src\kernel\FalconEye\x64\Debug or src\kernel\FalconEye\x64\Release</li> </ol> <br /><b>Test Machine Setup</b><br /> <ol> <li>Install <a href="https://www.kitploit.com/search/label/Windows%2010" target="_blank" title="Windows 10">Windows 10</a> Build 1903/1909 in a VM</li> <li>Configure the VM for testing an unsigned driver</li> </ol> <ul> <li>Using bcdedit, disable integrity checks: <code>BCDEDIT /set nointegritychecks ON</code></li> </ul> <ol start="3"> <li>Run DbgView from <a href="https://www.kitploit.com/search/label/Sysinternals" target="_blank" title="sysinternals">sysinternals</a> in the VM or start a <a href="https://www.kitploit.com/search/label/Debugging" target="_blank" title="debugging">debugging</a> connection using WinDbg.</li> </ol> <br /><b>Usage</b><br /> <ol> <li>Copy FalconEye.sys to the Test Machine (Windows 10 VM)</li> <li>Load FalconEye.sys as an 'On Demand' load driver using OSR Loader or similar tools</li> <li>Run injection test tools such as pinjectra, minjector or other samples</li> <li>Monitor debug logs either via WinDbg or DbgView</li> </ol> <br /><span style="font-size: large;"><b>References</b></span><br /> <p><a href="https://github.com/everdox/InfinityHook/" rel="nofollow" target="_blank" title="InfinityHook, 2019">InfinityHook, 2019</a></p> <p><a href="https://www.blackhat.com/us-19/briefings/schedule/#process-injection-techniques---gotta-catch-them-all-16010" rel="nofollow" target="_blank" title="Itzik Kotler and Amit Klein. Process Injection Techniques - Gotta Catch Them All, Blackhat USA Briefings, 2019">Itzik Kotler and Amit Klein. Process Injection Techniques - Gotta Catch Them All, Blackhat USA Briefings, 2019</a></p> <p><a href="https://github.com/SafeBreach-Labs/pinjectra/" rel="nofollow" target="_blank" title="Pinjectra, 2019">Pinjectra, 2019</a></p> <p><a href="https://github.com/antonioCoco/Mapping-Injection" rel="nofollow" target="_blank" title="Mapping-Injection, 2020">Mapping-Injection, 2020</a></p> <p><a href="https://blog.ensilo.com/atombombing-brand-new-code-injection-for-windows" rel="nofollow" target="_blank" title="Atombombing: Brand new code injection for windows, 2016">Atombombing: Brand new code injection for windows, 2016</a></p> <p><a href="http://www.hexacorn.com/blog/2017/10/26/propagate-a-new-code-injection-trick/" rel="nofollow" target="_blank" title="Propagate - a new code injection trick, 2017">Propagate - a new code injection trick, 2017</a></p> <p><a href="https://modexp.wordpress.com/2018/08/26/process-injection-ctray/" rel="nofollow" target="_blank" title="Windows process injection: Extra window bytes, 2018">Windows process injection: Extra window bytes, 2018</a></p> <p><a href="https://securityintelligence.com/diving-into-zberps-unconventional-process-injection-technique/" rel="nofollow" target="_blank" title="Pavel Asinovsky. Diving into zberp's unconventional process injection technique, 2016">Pavel Asinovsky. Diving into zberp's unconventional process injection technique, 2016</a></p> <p><a href="https://blog.ensilo.com/ctrl-inject" rel="nofollow" target="_blank" title="Rotem Kerner. Ctrl-inject, 2018">Rotem Kerner.
Ctrl-inject, 2018</a></p> <p><a href="https://modexp.wordpress.com/2018/09/12/process-injection-user-data/" rel="nofollow" target="_blank" title="Windows process injection: Consolewindowclass, 2018">Windows process injection: Consolewindowclass, 2018</a></p> <p><a href="https://modexp.wordpress.com/2019/06/15/4083/" rel="nofollow" target="_blank" title="Windows process injection: Windows notification facility, 2018">Windows process injection: Windows notification facility, 2018</a></p> <p><a href="http://blog.txipinet.com/2007/04/05/69-a-paradox-writing-to-another-process-without-openning-it-nor-actually-writing-to-it/" rel="nofollow" target="_blank" title="A paradox: Writing to another process without openning it nor actually writing to it, 2007">A paradox: Writing to another process without openning it nor actually writing to it, 2007</a></p> <p><a href="https://modexp.wordpress.com/2018/08/30/windows-process-injection-control-handler/" rel="nofollow" target="_blank" title="Windows process injection: Service control handler, 2018">Windows process injection: Service control handler, 2018</a></p> <p><a href="https://github.com/marcosd4h/memhunter" rel="nofollow" target="_blank" title="Marcos Oviedo. Memhunter -">Marcos Oviedo. Memhunter - </a><a href="https://www.kitploit.com/search/label/Automated" target="_blank" title="Automated">Automated</a> hunting of memory resident malware at scale. Defcon Demo Labs, 2019</p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/rajiv2790/FalconEye" rel="nofollow" target="_blank" title="Download FalconEye">Download FalconEye</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-85712921545301037392021-06-13T08:30:00.042-04:002021-06-13T08:30:00.320-04:00pyWhat - Identify Anything.
Easily Lets You Identify Emails, IP Addresses, And More...<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-vnYIDPEVvV4/YL17ys1knWI/AAAAAAAAZ9c/k-B1-wqemj0RKuPPwoYyhjsBRRShNOtzACNcBGAsYHQ/s1500/pyWhat_1_logo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1500" data-original-width="1500" height="640" src="https://1.bp.blogspot.com/-vnYIDPEVvV4/YL17ys1knWI/AAAAAAAAZ9c/k-B1-wqemj0RKuPPwoYyhjsBRRShNOtzACNcBGAsYHQ/w640-h640/pyWhat_1_logo.png" width="640" /></a></div><p><br /></p> <i>The easiest way to identify anything</i><br /> <code>pip3 install pywhat && pywhat --help<br /></code><span><a name='more'></a></span><p align="center"><br /></p><span style="font-size: x-large;"><b><div><b><code>What</code> is this?</b></div></b></span> <p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-MXPZN2lpWl8/YL1_mW-m7xI/AAAAAAAAZ9k/vPUwYLJGUQEhdT5s9k1X-IUamyQcmj6DwCNcBGAsYHQ/s1950/pyWhat_7_main_demo.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1110" data-original-width="1950" height="364" src="https://1.bp.blogspot.com/-MXPZN2lpWl8/YL1_mW-m7xI/AAAAAAAAZ9k/vPUwYLJGUQEhdT5s9k1X-IUamyQcmj6DwCNcBGAsYHQ/w640-h364/pyWhat_7_main_demo.gif" width="640" /></a></div><p><br /></p> <p>Imagine this: You come across some mysterious text</p> <code>5f4dcc3b5aa765d61d8327deb882cf99</code> and you wonder what it is. What do you do? <p>Well, with <code>what</code> all you have to do is ask <code>what "5f4dcc3b5aa765d61d8327deb882cf99"</code> and <code>what</code> will tell you!</p> <p><code>what</code>'s job is to <strong>identify <em>what</em> something is.</strong> Whether it be a file or text! Or even the hex of a file! What about text <em>within</em> files? We have that too! 
<code>what</code> is recursive, it will identify <strong>everything</strong> in text and more!</p> <br /><span style="font-size: x-large;"><b><div><b>Use Cases</b></div></b></span> <br /><span style="font-size: large;"><b><div><b>Wannacry</b></div></b></span> <p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-lBs8j7NBm8A/YL1_tFe7ohI/AAAAAAAAZ9o/Tf8kbIQ2i0gdeKwP-uHdnnQV_NpaAMCoQCNcBGAsYHQ/s1531/pyWhat_8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="328" data-original-width="1531" height="138" src="https://1.bp.blogspot.com/-lBs8j7NBm8A/YL1_tFe7ohI/AAAAAAAAZ9o/Tf8kbIQ2i0gdeKwP-uHdnnQV_NpaAMCoQCNcBGAsYHQ/w640-h138/pyWhat_8.png" width="640" /></a></div><p><br /></p> <p>You come across a new piece of <a href="https://www.kitploit.com/search/label/Malware" target="_blank" title="malware">malware</a> called WantToCry. You think back to Wannacry and remember it was stopped because a researcher found a <a href="https://www.kitploit.com/search/label/Kill-Switch" target="_blank" title="kill-switch">kill-switch</a> in the code.</p> <p>When a domain, hardcoded into Wannacry, was registered the virus would stop.</p> <p>You use <code>What</code> to identify all the domains in the malware, and use a domain registrar API to register all the domains. 
If Wannacry happens again, you can stop it in minutes - not weeks.</p> <br /><span style="font-size: large;"><b><div><b>Faster <a href="https://www.kitploit.com/search/label/Analysis" target="_blank" title="Analysis">Analysis</a> of <a href="https://www.kitploit.com/search/label/Pcap" target="_blank" title="Pcap">Pcap</a> files</b></div></b></span> <p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-jqT5kopV8Lo/YL1_yQsoTzI/AAAAAAAAZ9s/AcPu-J9-y44N8VLXgXqCDXn8WOiFGYZ5ACNcBGAsYHQ/s1340/pyWhat_9_pcap_demo.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="860" data-original-width="1340" height="410" src="https://1.bp.blogspot.com/-jqT5kopV8Lo/YL1_yQsoTzI/AAAAAAAAZ9s/AcPu-J9-y44N8VLXgXqCDXn8WOiFGYZ5ACNcBGAsYHQ/w640-h410/pyWhat_9_pcap_demo.gif" width="640" /></a></div><p><br /></p> <p>Say you have a <code>.pcap</code> file from a network attack. <code>What</code> can identify this and quickly find you:</p> <ul> <li>All hashes</li> <li>Credit card numbers</li> <li>Cryptocurrency addresses</li> <li>Social Security Numbers</li> <li>and much more.</li> </ul> <p>With <code>what</code>, you can identify the important things in the pcap in seconds, not minutes.</p> <br /><span style="font-size: large;"><b><div><b>Anything</b></div></b></span> <p>Anytime you have a file and you want to find structured data in it that's useful, <code>What</code> is for you.</p> <p>Or if you come across some piece of text and you don't know what it is, <code>What</code> will tell you.</p> <p><strong>File Opening</strong> You can pass in a file path by <code>what "this/is/a/file/path"</code>. 
What is smart enough to figure out it's a file!</p> <br /><span style="font-size: x-large;"><b><div><b>Contributing</b></div></b></span> <p><code>what</code> not only thrives on contributors, but can't <a href="https://www.kitploit.com/search/label/EXIST" target="_blank" title="exist">exist</a> without them! If you want to add a new regex to check for things, you can read our documentation <a href="https://github.com/bee-san/what/wiki/Adding-your-own-Regex" rel="nofollow" target="_blank" title="here">here</a></p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/bee-san/pyWhat" rel="nofollow" target="_blank" title="Download pyWhat">Download pyWhat</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-33349979138326934952021-06-10T17:30:00.019-04:002021-06-10T17:30:00.283-04:00Neurax - A Framework For Constructing Self-Spreading Binaries<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-V8i4IVrC9q0/YL1vJ805J0I/AAAAAAAAZ80/EYeeOBnjiSQypvcsXxdj4TMvdl9BGRh1wCNcBGAsYHQ/s626/Neurax_1_neurax.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="75" data-original-width="626" height="76" src="https://1.bp.blogspot.com/-V8i4IVrC9q0/YL1vJ805J0I/AAAAAAAAZ80/EYeeOBnjiSQypvcsXxdj4TMvdl9BGRh1wCNcBGAsYHQ/w640-h76/Neurax_1_neurax.png" width="640" /></a></div><p><br /></p> <p align="center"> A framework that aids in creation of self-spreading software</p> <span><a name='more'></a></span><p><br /></p><span style="font-size: x-large;"><b>Requirements</b></span><br /> <p><code>go get -u github.com/redcode-labs/Coldfire</code></p> <p><code>go get -u github.com/yelinaung/go-haikunator</code></p> <br /><span style="font-size: x-large;"><b>New in v. 
2.0</b></span><br /> <ul> <li>New wordlist mutators + common <a href="https://www.kitploit.com/search/label/Passwords" target="_blank" title="passwords">passwords</a> by country</li> <li>Improvised passive scanning</li> <li><code>.FastScan</code> option that makes active scans a bit quicker</li> <li>Wordlists are created strictly in-memory</li> <li><code>NeuraxScan()</code> accepts a callback function instead of a channel as an argument.</li> <li><code>NeuraxScan()</code> scans in an infinite loop with the possibility to set an interval between each scan of the whole subnet/pool of targets</li> <li>Reverse-DNS lookup for targets that are not in IP format</li> <li>Extraction of target candidates from ARP cache</li> <li>Possibility to scan only a selected list of targets + prioritizing specific targets (such as default gateways)</li> <li>Possibility to specify interface and timeout when using passive network scan.</li> <li>Improved command stager (can be optionally executed with elevated privileges / multiple times)</li> <li>A few option names changed</li> <li><code>NeuraxConfig.</code> became <code>N.</code> (cause it's shorter to type)</li> <li>Functions for random <a href="https://www.kitploit.com/search/label/Memory%20Allocation" target="_blank" title="memory allocation">memory allocation</a> + binary migration</li> <li>Possibility to chain multiple stagers (ex.
<code>wget</code> + <code>curl</code>)</li> <li>Volume and complexity of created wordlist can be easily tuned (with options such as <code>.WordlistExpand</code>)</li> <li>Possibility to set time-to-live of created binary</li> </ul> <br /><span style="font-size: x-large;"><b>Usage</b></span><br /> <p>With help of Neurax, Golang binaries can spread on local network without using any external servers.</p> <p>Diverse config options and command stagers allow rapid propagation across various wireless environments.</p> <br /><span style="font-size: large;"><b>Example code</b></span><br /> <div class="highlight highlight-source-go position-relative" data-snippet-clipboard-copy-content="package main import . "github.com/redcode-labs/Neurax" func main(){ //Specify serving port and stager to use N.Port = 5555 N.Stager = "wget" //Start a server that exposes the current binary in the background go NeuraxServer() //Copy current binary to all logical drives NeuraxDisks() //Create a command stager that should be launched on target machine //It will download, decode and execute the binary cmd_stager := NeuraxStager() /* Now you have to somehow execute the command generated above. You can use SSH bruteforce, some RCE or whatever else you want ;> */ } "><pre><code>package main<br />import . 
"github.com/redcode-labs/Neurax"<br /><br />func main(){<br /><br />    //Specify serving port and stager to use<br />    N.Port = 5555<br />    N.Stager = "wget"<br /><br />    //Start a server that exposes the current binary in the background<br />    go NeuraxServer()<br /><br />    //Copy current binary to all logical drives<br />    NeuraxDisks()<br /><br />    //Create a command stager that should be launched on target machine<br />    //It will download, decode and execute the binary<br />    cmd_stager := NeuraxStager()<br /><br />    /* Now you have to somehow execute the command generated above.<br />       You can use SSH bruteforce, some RCE or whatever else you want ;> */<br /><br />}</code></pre></div> <br /><span style="font-size: large;"><b>List of config entries</b></span><br /> <table> <tr> <th><span>Name</span></th> <th><span>Description</span></th> <th><span>Default value</span></th> </tr> <tr> <td>N.Stager</td> <td>Name of the command stager to use</td> <td><code>random, platform-compatible</code></td> </tr> <tr> <td>N.StagerSudo</td> <td>If true, Linux cmd stagers are executed with elevated privileges</td> <td><code>false</code></td> </tr> <tr> <td>N.StagerRetry</td> <td>Number of times to re-execute the command stager</td> <td><code>0</code></td> </tr> <tr> <td>N.Port</td> <td>Port to serve on</td> <td><code>6741</code></td> </tr> <tr> <td>N.Platform</td> <td>Platform to target</td> <td><code>detected automatically</code></td> </tr> <tr> <td>N.Path</td> <td>The path under which binary is saved on the host</td> <td><code>random</code></td> </tr> <tr> <td>N.FileName</td> <td>Name under which downloaded binary should be served and then saved</td> <td><code>random</code></td> </tr> <tr> <td>N.Base64</td> <td>Encode the transferred binary in base64</td> <td><code>false</code></td> </tr> <tr> <td>N.CommPort</td> <td>Port that is used by binaries to communicate with each other</td> <td><code>7777</code></td> </tr> <tr> <td>N.CommProto</td> <td>Protocol for communication between
nodes</td> <td><code>"udp"</code></td> </tr> <tr> <td>N.ReverseListener</td> <td>Contains <code>"<host>:<port>"</code> of remote reverse shell handler</td> <td><code>not specified</code></td> </tr> <tr> <td>N.ReverseProto</td> <td>Protocol to use for reverse connection</td> <td><code>"udp"</code></td> </tr> <tr> <td>N.ScanRequiredPort</td> <td>NeuraxScan() treats host as active only when it has a specific port opened</td> <td><code>none</code></td> </tr> <tr> <td>N.ScanPassive</td> <td>NeuraxScan() detects hosts using passive ARP traffic monitoring</td> <td><code>false</code></td> </tr> <tr> <td>N.ScanPassiveTimeout</td> <td>NeuraxScan() monitors ARP layer this amount of seconds</td> <td><code>50 seconds</code></td> </tr> <tr> <td>N.ScanPassiveIface</td> <td>Interface to use when <a href="https://www.kitploit.com/search/label/Scanning" target="_blank" title="scanning">scanning</a> passively</td> <td><code>default</code></td> </tr> <tr> <td>N.ScanActiveTimeout</td> <td>NeuraxScan() sets this value as timeout for scanned port in each thread</td> <td><code>2 seconds</code></td> </tr> <tr> <td>N.ScanPassiveAll</td> <td>NeuraxScan() captures packets on all found devices</td> <td><code>false</code></td> </tr> <tr> <td>N.ScanPassiveNoArp</td> <td>Passive scan doesn't set strict ARP capture filter</td> <td><code>false</code></td> </tr> <tr> <td>N.ScanFirst</td> <td>A slice containing IP addresses to scan first</td> <td><code>[]string{}</code></td> </tr> <tr> <td>N.ScanFirstOnly</td> <td>NeuraxScan() scans only hosts specified within <code>.ScanFirst</code></td> <td><code>false</code></td> </tr> <tr> <td>N.ScanArpCache</td> <td>NeuraxScan() scans first the hosts found in local ARP cache. 
Works only with active scan</td> <td><code>false</code></td> </tr> <tr> <td>N.ScanCidr</td> <td>NeuraxScan() scans this CIDR</td> <td><code>local IP + "\24"</code></td> </tr> <tr> <td>N.ScanThreads</td> <td>Number of threads to use for NeuraxScan()</td> <td><code>10</code></td> </tr> <tr> <td>N.ScanFullRange</td> <td>NeuraxScan() scans all ports of target host to determine if it is active</td> <td><code>from 19 to 300</code></td> </tr> <tr> <td>N.ScanInterval</td> <td>Time interval to sleep before scanning whole subnet again</td> <td><code>"2m"</code></td> </tr> <tr> <td>N.ScanHostInterval</td> <td>Time interval to sleep before scanning next host in active mode</td> <td><code>"none"</code></td> </tr> <tr> <td>N.ScanGatewayFirst</td> <td>Gateway is the first host scanned when active scan is used</td> <td><code>false</code></td> </tr> <tr> <td>N.Verbose</td> <td>If true, all error messages are printed to STDOUT</td> <td><code>false</code></td> </tr> <tr> <td>N.Remove</td> <td>When any errors occur, binary removes itself from the host</td> <td><code>false</code></td> </tr> <tr> <td>N.PreventReexec</td> <td>If true, when any command matches with those that were already received before, it is not executed</td> <td><code>true</code></td> </tr> <tr> <td>N.ExfilAddr</td> <td>Address to which output of command is sent when <code>'v'</code> preamble is present.</td> <td><code>none</code></td> </tr> <tr> <td>N.WordlistExpand</td> <td>NeuraxWordlist() performs non-standard transformations on input words</td> <td>false</td> </tr> <tr> <td>N.WordlistCommon</td> <td>Prepend 20 most common passwords to wordlist</td> <td><code>false</code></td> </tr> <tr> <td>N.WordlistCommonNum</td> <td>Number of common passwords to use</td> <td><code>all</code></td> </tr> <tr> <td>N.WordlistCommonCountries</td> <td>A map[string]int that contains country codes and number of passwords to use</td> <td>map[string]int</td> </tr> <tr> <td>N.WordlistMutators</td> <td>Mutators to use when 
<code>.WordlistExpand</code> is specified</td> <td><code>{"single_upper", "cyryllic", "encapsule"}</code></td> </tr> <tr> <td>N.WordlistPermuteNum</td> <td>Maximum length of permutation generated by NeuraxWordlistPermute()</td> <td><code>2</code></td> </tr> <tr> <td>N.WordlistPermuteSeparator</td> <td>A separator character to use for permutations</td> <td><code>"-"</code></td> </tr> <tr> <td>N.WordlistShuffle</td> <td>Shuffle generated wordlist before returning it</td> <td><code>false</code></td> </tr> <tr> <td>N.AllocNum</td> <td>This entry defines how many times <code>NeuraxAlloc()</code> allocates random memory</td> <td><code>5</code></td> </tr> <tr> <td>N.Blacklist</td> <td>Slice that contains IP addresses that are excluded from any type of scanning</td> <td><code>[]string{}</code></td> </tr> <tr> <td>N.FastHTTP</td> <td>HTTP request in IsHostInfected() is performed using fasthttp library</td> <td><code>false</code></td> </tr> <tr> <td>N.Debug</td> <td>Enable debug messages</td> <td><code>false</code></td> </tr> </table> <br /><span style="font-size: large;"><b>Finding new targets</b></span><br /> <p>Function <code>NeuraxScan(func(string))</code> enables detection of active hosts on the local network. Its only argument is a callback function that is called in the background for every active host. A host is treated as active when it has at least 1 open port, is not already infected and fulfils the conditions specified within <code>N.</code></p> <p><code>NeuraxScan()</code> runs as an infinite loop: it scans the whole subnet specified by the <code>.Cidr</code> config entry and, when every host has been scanned, the function sleeps for the interval given in <code>.ScanInterval</code>.</p> <br /><span style="font-size: large;"><b>Disks infection</b></span><br /> <p>Neurax binary doesn't have to copy itself using wireless means. Function <code>NeuraxDisks()</code> copies current binary (under non-suspicious name) to all logical drives that were found.
The copied binary is not executed, but simply resides in its destination waiting to be run. <code>NeuraxDisks()</code> returns an <code>error</code> if the list of disks cannot be obtained or copying to any destination was impossible.</p> <p>Another function, <code>NeuraxZIP(num_files int) err</code>, creates a randomly named .zip archive containing the current binary. It is saved in the current directory and contains up to <code>num_files</code> random files in it.</p> <p><code>NeuraxZIPSelf()</code> simply zips the current binary, creating an archive with the same name.</p> <br /><span style="font-size: large;"><b>Synchronized command execution</b></span><br /> <p>Function <code>NeuraxOpenComm()</code> (launched as a goroutine) allows the binary to receive and execute commands. It listens on the port number specified in <code>.CommPort</code> using the protocol defined in <code>.CommProto</code>. Field <code>.CommProto</code> can be set either to <code>"tcp"</code> or <code>"udp"</code>. Commands sent to the communication port are executed blindly: their output isn't saved anywhere.</p> <p>An optional preamble can be added before the command string.</p> <p>Format: <code>:<preamble_letters> <command></code></p> <p>An example command with a preamble might look like this: <code>:ar echo "pwned"</code></p> <p>The following characters can be specified inside the preamble:</p> <ul> <li><code>a</code> - the received command is forwarded to each infected node, but the node that first received the command does not execute it</li> <li><code>x</code> - the received command is executed even if <code>a</code> is specified</li> <li><code>r</code> - after receiving the command, the binary removes itself from the infected host and quits</li> <li><code>k</code> - keep the preamble when sending the command to other nodes</li> <li><code>s</code> - sleep a random number of seconds between 1 and 5 before executing the command</li> <li><code>q</code> - after the command is executed, the machine reboots</li> 
<li><code>o</code> - the command is sent to a single, random node; <code>a</code> must be specified</li> <li><code>v</code> - the output of the executed command is sent to the address specified under <code>.ExfilAddr</code></li> <li><code>m</code> - the mechanism that prevents re-execution of commands is disabled just for this specific command</li> <li><code>l</code> - the command is executed in an infinite loop</li> <li><code>e</code> - the command is executed only if the node has elevated privileges</li> <li><code>p</code> - the command becomes persistent and is executed upon each startup</li> <li><code>d</code> - the output of the executed command is printed to STDOUT for debugging purposes</li> <li><code>f</code> - a forkbomb is launched after the command has been executed</li> <li><code>!</code> - if the command was executed with errors and <code>a</code> is specified, this command is not forwarded</li> </ul> <p>By default, a raw command sent without any preamble is executed only by the single node it was addressed to.</p> <p>It is also important to note that when <code>k</code> is not present inside the preamble, the preamble is removed from the command right after the first node receives it.</p> <br /><b>Example 1 - preamble is not forwarded to other nodes:</b><br /> <div class="highlight highlight-source-go position-relative"><pre><code> (1) [TCP_client] ":ar whoami" -----> [InfectedHost1] <br /> (2) [InfectedHost1] "whoami" -----> [InfectedHostN]<br /> <br /> [InfectedHost1] removes itself after command was sent to all infected nodes in (2)<br /> because "r" was specified in preamble. 
"x" was not specified, so "whoami" was not executed by [InfectedHost1] </code></pre></div> <br /><b>Example 2 - preamble is forwarded:</b><br /> <div class="highlight highlight-source-go position-relative"><pre><code> (1) [TCP_client] ":akxr whoami" -----> [InfectedHost1] <br /> (2) [InfectedHost1] ":akxr whoami" -----> [InfectedHostN]<br /> (n) [InfectedHostN] ":axkr whoami" -----> ...............<br /> ................................. -----> ...............<br /><br /> Both [InfectedHost1] and [InfectedHostN] execute the command and try to send it to other nodes with the preamble preserved</code></pre></div> <br /><span style="font-size: large;"><b>Reverse connections</b></span><br /> <p>An interactive reverse shell can be established with <code>NeuraxReverse()</code>. It receives commands from the host specified inside <code>.ReverseListener</code> in the form <code>"<host>:<port>"</code>. The protocol used is defined under <code>.ReverseProto</code>. If <code>NeuraxOpenComm()</code> was started before calling this function, each command behaves as described in the section above; if it was not, commands are executed locally.</p> <p>Note: this function should also be run as a goroutine to prevent blocking caused by the infinite loop used for receiving.</p> <br /><span style="font-size: large;"><b>Cleaning up</b></span><br /> <p>Whenever the <code>"purge"</code> command is received by a node, it resends this command to all other nodes, removes itself from the host and quits. 
This behaviour can also be triggered by calling <code>NeuraxPurge()</code> somewhere in the source.</p> <br /><span style="font-size: large;"><b>Wordlist creation</b></span><br /> <p>If the spread vector of your choice is based on some kind of bruteforce, it is good to have a proper wordlist prepared. Storing words in a text file on the client side isn't really effective, so you can mutate a basic wordlist using <code>NeuraxWordlist(...words) []string</code>. To permute a set of given words, use <code>NeuraxWordlistPermute(...words) []string</code>.</p> <br /><span style="font-size: large;"><b>Setting time-to-live</b></span><br /> <p>If you want your binary to remove itself after a given time, use <code>NeuraxSetTTL()</code> at the beginning of your code. This function should be launched as a goroutine. For example:</p> <p><code>go NeuraxSetTTL("2m")</code></p> <p>will make the binary run <code>NeuraxPurgeSelf()</code> 2 minutes after initial execution.</p> <br /><span style="font-size: large;"><b>Using multiple stagers at once</b></span><br /> <p>If you would like to chain all stagers available for a given platform, set <code>.Stager</code> to <code>"chain"</code>.</p> <br /><span style="font-size: large;"><b>Moving the dropped binary</b></span><br /> <p>If you need to copy the binary after initial execution, use <code>NeuraxMigrate(path string)</code>. 
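</p> <p>The preamble grammar described under Synchronized command execution above, together with the bare <code>purge</code> command from Cleaning up, as an added detection-side example in Python that is not part of the Neurax project: it decodes a captured payload's preamble letters, scores it, and shows what the next hop receives when <code>k</code> is absent. The flag meanings are taken from the list above; the sample payloads are constructed.</p>

```python
"""Decode Neurax-style command strings for detection and triage.

Added example, not code from the Neurax project. It implements the preamble
grammar documented in the README (":<preamble_letters> <command>") so that
a payload captured on its way to a node's .CommPort can be decoded, scored
and compared with what later hops would receive.
"""
import re
from dataclasses import dataclass

# Meaning of each preamble letter, as listed in the README.
PREAMBLE_FLAGS = {
    "a": "forwarded to every infected node; first receiver does not execute",
    "x": "executed locally even when 'a' is present",
    "r": "node removes itself and quits after handling the command",
    "k": "preamble is kept when the command is forwarded",
    "s": "sleep 1-5 seconds before executing",
    "q": "reboot after execution",
    "o": "sent to a single random node ('a' required)",
    "v": "command output is sent to .ExfilAddr",
    "m": "re-execution prevention disabled for this command",
    "l": "command runs in an infinite loop",
    "e": "executed only with elevated privileges",
    "p": "command made persistent, runs on every startup",
    "d": "output printed to STDOUT for debugging",
    "f": "forkbomb launched after execution",
    "!": "not forwarded if execution failed ('a' required)",
}

# Letters implying destruction, persistence or data leaving the host.
HIGH_IMPACT = frozenset("rqvplf")

# Documented format: a colon, the preamble letters, whitespace, the command.
PREAMBLE_RE = re.compile(r"^:([A-Za-z!]+)\s+(.+)$", re.DOTALL)


@dataclass(frozen=True)
class ParsedCommand:
    raw: str
    flags: frozenset
    command: str
    severity: str
    warnings: tuple


def parse_command(payload: str) -> ParsedCommand:
    """Split a payload into preamble flags and the command, then score it."""
    text = payload.strip()
    match = PREAMBLE_RE.match(text)
    if match:
        flags = frozenset(match.group(1))
        command = match.group(2).strip()
    else:
        # Raw command without preamble: executed by the receiving node only.
        flags, command = frozenset(), text

    warnings = []
    unknown = flags - frozenset(PREAMBLE_FLAGS)
    if unknown:
        warnings.append("undocumented flags: " + "".join(sorted(unknown)))
    if ("o" in flags or "!" in flags) and "a" not in flags:
        warnings.append("'o'/'!' given without 'a'")

    if command == "purge":
        severity = "critical"      # network-wide self-removal (Cleaning up)
    elif flags & HIGH_IMPACT:
        severity = "critical"
    elif flags:
        severity = "high"
    else:
        severity = "medium"        # still a blind remote command execution
    return ParsedCommand(text, flags, command, severity, tuple(warnings))


def forwarded_form(parsed: ParsedCommand) -> str:
    """What the next hop receives: the preamble survives only when 'k' is set,
    so a signature written for ":ar whoami" misses the bare "whoami" relay."""
    if "k" in parsed.flags:
        return parsed.raw
    return parsed.command


def describe(parsed: ParsedCommand) -> list:
    """Human-readable explanation of every recognised flag."""
    return [f"{f}: {PREAMBLE_FLAGS[f]}" for f in sorted(parsed.flags)
            if f in PREAMBLE_FLAGS]


# Constructed sample payloads, modelled on the README's own examples.
SAMPLE_PAYLOADS = [":ar whoami", ":akxr whoami", "whoami", "purge", ":o id"]

if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        p = parse_command(payload)
        print(f"{payload!r:16} severity={p.severity:9} "
              f"next_hop={forwarded_form(p)!r} warnings={p.warnings}")
        for line in describe(p):
            print("    " + line)
```

<p>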
It will copy the binary to <code>path</code>, remove the current binary and execute the newly migrated one.</p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/redcode-labs/Neurax" rel="nofollow" target="_blank" title="Download Neurax">Download Neurax</a></span></b></div> <h2>Typodetect - Detect The Active Mutations Of Domains (2021-06-06)</h2> <div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-SEsKTYK_GUQ/YLc1qISOJFI/AAAAAAAAXrs/o_PZ3P9gQ-cleYEMvHunLGfvDxoFdFNKACNcBGAsYHQ/s811/domain.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="370" data-original-width="811" height="292" src="https://1.bp.blogspot.com/-SEsKTYK_GUQ/YLc1qISOJFI/AAAAAAAAXrs/o_PZ3P9gQ-cleYEMvHunLGfvDxoFdFNKACNcBGAsYHQ/w640-h292/domain.png" width="640" /></a></div><p><br /></p> <p>This tool gives blue teams, SOCs, researchers and companies the ability to detect the active mutations of their domains, thus preventing the use of these domains in fraudulent activities such as phishing and smishing.</p> <p>For this, Typodetect uses the latest available version of the TLDs (Top Level Domains) published on the IANA website, validates decentralized domains in Blockchain DNS and checks malware reports in DoH (DNS over HTTPS) services.</p> <p>For ease of use, Typodetect delivers the report in JSON format by default, or in TXT format if the user so selects, and shows on screen a summary of the 
mutations generated, the active domains and the reports detected with malware or decentralized domains.</p><div><br /></div><span style="font-size: large;"><b>Installation</b></span><br /> <p>Clone this repository with:</p> <div class="highlight highlight-source-shell position-relative"><pre><code>git clone https://github.com/Telefonica/typodetect</code></pre></div> <p>Install the requirements:</p> <div class="highlight highlight-source-shell position-relative"><pre><code>python3 -m pip install -r requirements.txt</code></pre></div> <br /><b>Running TypoDetect</b><br /> <p>Inside the TypoDetect directory:</p> <div class="highlight highlight-source-shell position-relative"><pre><code>python3 typodetect.py -h</code></pre></div> <div class="highlight highlight-source-shell position-relative"><pre><code>usage: typodetect.py [-h] [-u UPDATE] [-t N_THREADS] [-d DOH_SERVER] [-o OUTPUT] domain<br /><br />positional arguments:<br /> domain specify domain to process<br /><br />optional arguments:<br /> -h, --help show this help message and exit<br /> -u UPDATE, --update 
UPDATE<br /> (Y/N) for update TLD's database (default:N)<br /> -t N_THREADS, --threads N_THREADS<br /> Number of threads for processing (default:5)<br /> -d DOH_SERVER, --doh DOH_SERVER<br /> Section DoH for use: [1] ElevenPaths (default) [2] Cloudfare<br /> -o OUTPUT, --output OUTPUT<br /> JSON or TXT, options of filetype (default:JSON)</code></pre></div> <p>For a simple analysis:</p> <div class="highlight highlight-source-shell position-relative"><pre><code>python3 typodetect.py <domain></code></pre></div> <p>To update the IANA TLD database and then analyse:</p> <div class="highlight highlight-source-shell position-relative"><pre><code>python3 typodetect.py -u y <domain></code></pre></div> <p>To analyse with more threads:</p> <div class="highlight highlight-source-shell position-relative"><pre><code>python3 typodetect.py -t <number of threads> <domain></code></pre></div> <p>To use a different DoH server (currently only ElevenPaths or Cloudflare are available):</p> <div class="highlight highlight-source-shell position-relative"><pre><code>python3 typodetect.py -d 2 <domain></code></pre></div> <p>To create a TXT report:</p> <div class="highlight highlight-source-shell position-relative"><pre><code>python3 typodetect.py -o TXT <domain></code></pre></div> <br /><b>Reports</b><br /> <p>Inside the reports directory, the report file is saved, by default in JSON, with the name of the analyzed domain and the date, for example:</p> <div class="highlight highlight-source-shell position-relative"><pre><code>elevenpaths.com2021-01-26T18:20:10.34568.json</code></pre></div> <p>The JSON report has the following structure for each active mutation detected:</p> <div class="highlight highlight-source-shell position-relative"><pre><code>{ id: <br /> "report_DoH" : <string><br /> "domain": <string><br /> "A": [ip1, ip2, ...]<br /> "MX": [mx1, mx2, ...]<br /> }</code></pre></div> <p>The fields contain the following information:</p> <div class="highlight highlight-source-shell position-relative"><pre><code>id: Integer id of the mutation<br />"report_DoH": "" - Domain of Decentralised DNS<br /> "Malware" - Domain reported as dangerous by the DoH service<br /> "Good" - Domain reported as good by the DoH service<br />"domain": Mutation detected as active.<br />"A": IP addresses of the A records of the mutation.<br />"MX": IPs or CNAMEs of the MX records of the mutation.</code></pre></div> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/telefonica/typodetect" rel="nofollow" target="_blank" title="Download Typodetect">Download Typodetect</a></span></b></div> <h2>Tscopy - Tool to parse the NTFS $MFT file to locate and copy specific files (2021-04-25)</h2> <div class="separator" style="clear: both; text-align: center;"><a 
href="https://1.bp.blogspot.com/-6kEwADpsWIc/YIJcp0eQglI/AAAAAAAAV9I/65EdC_isA5QjiWgnVWHBHktEtpImm2LBwCNcBGAsYHQ/s854/tscopy_1_Blog_061120.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="210" data-original-width="854" height="157" src="https://1.bp.blogspot.com/-6kEwADpsWIc/YIJcp0eQglI/AAAAAAAAV9I/65EdC_isA5QjiWgnVWHBHktEtpImm2LBwCNcBGAsYHQ/w640-h157/tscopy_1_Blog_061120.png" width="640" /></a></div><p><br /></p><span style="font-size: large;"><b>Introducing TScopy</b></span><br /> <p>It is a requirement during an Incident Response (IR) engagement to have the ability to analyze files on the filesystem. Sometimes these files are locked by the operating system (OS) because they are in use, which is particularly frustrating with event logs and registry hives. TScopy allows a user running with administrator privileges to access locked files by parsing out their raw location in the filesystem and copying them without asking the OS.</p> <p>There are other tools that perform similar functions, such as RawCopy, which we have used and which is the basis for this tool. However, there are some disadvantages to RawCopy that led us to develop TScopy, including performance, size, and the ability to incorporate it in other tools.</p> <p>This blog is intended to introduce TScopy but also to ask for assistance. As in all software development, the more a tool is used, the more edge cases can be found. We are asking that people try out the tool and report any bugs.</p><p><br /></p><span style="font-size: large;"><b>What is TScopy?</b></span><br /> <p>TScopy is a Python script used to parse the NTFS $MFT file to locate and copy specific files. 
By parsing the Master File Table (MFT), the script bypasses operating system locks on files. The script was originally based on the work of RawCopy. RawCopy is written in AutoIT and is difficult to modify for our purposes. The decision to port RawCopy to Python was made because of the need to incorporate this functionality natively into our toolset.</p> <p>TScopy is designed to be run as a standalone program or included as a Python module. The Python implementation makes use of the python-ntfs tools found at <a href="https://github.com/williballenthin/python-ntfs" rel="nofollow" target="_blank" title="https://github.com/williballenthin/python-ntfs">https://github.com/williballenthin/python-ntfs</a>. TScopy builds upon the base functionality of python-ntfs to isolate the location of each file on the raw disk.</p> <br /><span style="font-size: large;"><b>What makes TScopy different?</b></span><br /> <p>TScopy is written in Python and organized into classes to make it more maintainable and readable than AutoIT. AutoIT can be flagged as malicious by anti-virus or detection software because some malware has utilized its potential.</p> <p>The major difference between TScopy and RawCopy is the ability to copy multiple files per execution and to cache the file structure. As shown in the image below, TScopy has options to download a single file, multiple comma-delimited files, the contents of a directory, wildcarded paths (individual files or directories), and recursive directories.</p> <p>TScopy caches the location of each directory and file as it iterates the target file’s full path. It then uses this cache to optimize the search for any other files, ensuring future file copies are performed much faster. 
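</p> <p>Before TScopy or RawCopy can parse the MFT they must find it: the NTFS boot sector (VBR) records the cluster geometry, the cluster where the $MFT starts and the encoded size of one file record, which TScopy's changelog below says is now read from the boot sector instead of being hardcoded. The following Python is an added example, not code from TScopy or python-ntfs; the boot sector bytes are constructed, not read from a real volume.</p>

```python
"""Locate the $MFT from an NTFS boot sector (VBR).

Added example, not code from TScopy or python-ntfs. It reads the BIOS
Parameter Block fields a raw-disk file copier needs before it can touch
the MFT: cluster size, the $MFT's first cluster, and the file record size.
"""
import struct

SECTOR_SIZE = 512
NTFS_OEM_ID = b"NTFS    "


def signed_cluster_count(value: int, cluster_size: int) -> int:
    """Decode a 'clusters per record' byte into a size in bytes.

    NTFS stores it as a signed byte: a positive value is a cluster count,
    a negative value n means the record is 2**(-n) bytes (the usual case,
    since a 1 KiB record is smaller than a 4 KiB cluster).
    """
    if value >= 0x80:
        value -= 0x100
    return 2 ** (-value) if value < 0 else value * cluster_size


def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Parse the BPB/extended BPB fields needed to reach the $MFT."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("boot sector must be at least 512 bytes")
    if sector[3:11] != NTFS_OEM_ID:
        raise ValueError("not an NTFS volume (OEM ID mismatch)")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing boot sector signature")

    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    clusters_per_record = sector[0x40]   # signed byte, see signed_cluster_count
    clusters_per_index = sector[0x44]
    serial = struct.unpack_from("<Q", sector, 0x48)[0]

    if bytes_per_sector == 0 or bytes_per_sector & (bytes_per_sector - 1):
        raise ValueError("bytes per sector is not a power of two")
    cluster_size = bytes_per_sector * sectors_per_cluster
    return {
        "bytes_per_sector": bytes_per_sector,
        "cluster_size": cluster_size,
        "total_sectors": total_sectors,
        "mft_lcn": mft_lcn,
        "mft_offset": mft_lcn * cluster_size,
        "mftmirr_offset": mftmirr_lcn * cluster_size,
        "record_size": signed_cluster_count(clusters_per_record, cluster_size),
        "index_size": signed_cluster_count(clusters_per_index, cluster_size),
        "serial": serial,
    }


def mft_record_offset(info: dict, record_number: int) -> int:
    """Byte offset on the volume of MFT record `record_number`.

    Valid only while the MFT is contiguous; for a fragmented table a tool
    must walk the data runs of the $MFT's own record (record 0).
    """
    return info["mft_offset"] + record_number * info["record_size"]


def build_sample_boot_sector() -> bytes:
    """Constructed VBR with values typical of a small 4 KiB-cluster volume."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x52\x90"                        # jump instruction
    sector[3:11] = NTFS_OEM_ID
    struct.pack_into("<HB", sector, 0x0B, 512, 8)        # 512 B sectors, 8 per cluster
    sector[0x15] = 0xF8                                  # media descriptor: fixed disk
    struct.pack_into("<QQQ", sector, 0x28, 0x7FFFFF, 0xC0000, 0x2)
    sector[0x40] = 0xF6                                  # -10 -> 1024-byte records
    sector[0x44] = 0x01                                  # one cluster per index buffer
    struct.pack_into("<Q", sector, 0x48, 0x1234ABCD5678EF00)  # volume serial
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


if __name__ == "__main__":
    info = parse_ntfs_boot_sector(build_sample_boot_sector())
    for key, value in info.items():
        print(f"{key:16} {value:#x}")
    # Record 0 is $MFT itself; record 5 is the root directory.
    print(f"root directory record at {mft_record_offset(info, 5):#x}")
```

<p>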
This is a significant advantage over RawCopy, which iterates over the entire path for each file.</p> <br /><span style="font-size: large;"><b>TScopy Options</b></span><br /> <pre><code>.\TScopy_x64.exe -h<br /><br />usage: <br /> TScopy_x64.exe -r -o c:\test -f c:\users\tscopy\ntuser.dat <br /> Description: Copies only the ntuser.dat file to the c:\test directory <br /> TScopy_x64.exe -o c:\test -f c:\Windows\system32\config <br /> Description: Copies all files in the config directory but does not copy the directories under it. <br /> TScopy_x64.exe -r -o c:\test -f c:\Windows\system32\config <br /> Description: Copies all files and subdirectories in the config directory. <br /> TScopy_x64.exe -r -o c:\test -f c:\users\*\ntuser*,c:\Windows\system32\config <br /> Description: Uses Wildcards and listings to copy any file beginning with ntuser under users accounts and recursively copies the registry hives.<br /> <br /><br />Copy protected files by parsing the MFT. Must be run with Administrator privileges<br /><br />optional arguments:<br /> -h, --help show this help message and exit<br /> -f FILE, --file FILE Full path of the file or directory to be copied.<br /> Filenames can be grouped in a comma ',' seperated<br /> list. Wildcard '*' is accepted.<br /> -o OUTPUTDIR, --outputdir OUTPUTDIR<br /> Directory to copy files too. Copy will keep paths<br /> -i, --ignore_saved_ref_nums<br /> Script stores the Reference numbers and path info to<br /> speed up internal run. This option will ignore and not<br /> save the stored MFT reference numbers and path<br /> -r, --recursive Recursively copies directory. 
Note this only works with<br /> directories.<br /></code></pre> <p>There is a hidden option ‘--debug’, which enables the debug output.</p> <br /><span style="font-size: large;"><b>Examples</b></span><br /> <pre lang="code"><code>TScopy_x64.exe -f c:\windows\system32\config\SYSTEM -o e:\outputdir </code></pre> <p>Copies the SYSTEM registry hive to e:\outputdir. The new file will be located at e:\outputdir\windows\system32\config\SYSTEM</p> <pre lang="code"><code>TScopy_x64.exe -f c:\windows\system32\config\SYSTEM -o e:\outputdir -i </code></pre> <p>Copies the SYSTEM registry hive to e:\outputdir but ignores any previously cached files and does not save the current cache to disk</p> <pre lang="code"><code>TScopy_x64.exe -f c:\windows\system32\config\SYSTEM,c:\windows\system32\config\SOFTWARE -o e:\outputdir </code></pre> <p>Copies the SYSTEM and SOFTWARE registry hives to e:\outputdir</p> <pre lang="code"><code>TScopy_x64.exe -f c:\windows\system32\config\ -o e:\outputdir </code></pre> <p>Copies the contents of the directory config to e:\outputdir</p> <pre lang="code"><code>TScopy_x64.exe -r -f c:\windows\system32\config\ -o e:\outputdir </code></pre> <p>Recursively copies the contents of the directory config to e:\outputdir</p> <pre lang="code"><code>TScopy_x64.exe -f c:\users\*\ntuser.dat -o e:\outputdir </code></pre> <p>Copies each user's NTUSER.DAT file to e:\outputdir</p> <pre lang="code"><code>TScopy_x64.exe -f c:\users\*\ntuser.dat* -o e:\outputdir </code></pre> <p>For each user, copies all files that begin with NTUSER.DAT to e:\outputdir</p> <pre lang="code"><code>TScopy_x64.exe -f c:\users\*\AppData\Roaming\Microsoft\Windows\Recent,c:\windows\system32\config,c:\users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt -o e:\outputdir </code></pre> <p>For each user, copies all jumplists, the registry hives, and the PowerShell command history to e:\outputdir</p> <br /><span style="font-size: large;"><b>Bug Reporting Information</b></span><br /> 
<p>Please report bugs in the issues section of the GitHub page.</p> <br /><span style="font-size: large;"><b>Bug Fixes and Enhancements</b></span><br /> <br /><b>Version 2.0</b><br /> <ul> <li>Issue 1: Changed sys.exit to raise Exception</li> <li>Issue 2: Fixed the double copying of files (full name and short name).</li> <li>Issue 3: Added the ability to recursively copy a directory</li> <li>Issue 4: Added support for wildcards in the path. Currently only supports *</li> <li>Issue 5: Removed the hardcoded MFT size. The MFT size is now determined from the Boot Sector</li> <li>Issue 6: Converted the TScopy class into a singleton. This allows the class to be instantiated once and reuse the current MFT metadata object for all copies.</li> <li>Issue 7: Attribute type ATTRIBUTE_LIST is now being handled.</li> <li>Issue 9: Attribute type ATTRIBUTE_LIST was not handled for files. This caused a silent failure for files like the SOFTWARE registry hive.</li> <li>Changes: General comments have been added to the code</li> <li>Changes: Input parameters have changed. 
Reduced the three (3) different options --file, --list, and --directory to --file.</li> <li>Changes: Backend restructuring to support new features.</li> </ul> <br /><span style="font-size: large;"><b>TODO:</b></span><br /> <ol> <li>Add support for Alternate Data Streams (ADS)</li> <li>Verify support for non-ASCII path characters</li> </ol> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/trustedsec/tscopy" rel="nofollow" target="_blank" title="Download Tscopy">Download Tscopy</a></span></b></div> <h2>Obfuscation_Detection - Collection Of Scripts To Pinpoint Obfuscated Code (2021-03-27)</h2> <div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-pVG_GY_Kvjg/YFexRwJ3VZI/AAAAAAAAVrY/p638kM3wVY895SoSAenvnyZFnfoxs9u-wCNcBGAsYHQ/s774/Obfuscation_Detection.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="459" data-original-width="774" height="380" src="https://1.bp.blogspot.com/-pVG_GY_Kvjg/YFexRwJ3VZI/AAAAAAAAVrY/p638kM3wVY895SoSAenvnyZFnfoxs9u-wCNcBGAsYHQ/w640-h380/Obfuscation_Detection.png" width="640" /></a></div><p><br /></p> <p><em>Automatically detect control-flow flattening and other state machines</em></p> <p>Author: <strong>Tim Blazytko</strong></p><div><span style="font-size: large;"><b>Description:</b></span><br /> <p>Scripts and binaries to automatically detect control-flow flattening and other state machines in binaries.</p> <p>The implementation is based on Binary Ninja. 
Check out the following blog post for more information:</p> <p><a href="https://synthesis.to/2021/03/03/flattening_detection.html" rel="nofollow" target="_blank" title="Automated Detection of Control-flow Flattening">Automated Detection of Control-flow Flattening</a></p><div><br /></div><span style="font-size: large;"><b>Usage</b></span><br /> <pre><code>$ ./detect_flattening.py samples/finspy <br />Function 0x401602 has a flattening score of 0.9473684210526315.<br />Function 0x4017c0 has a flattening score of 0.9981378026070763.<br />Function 0x405150 has a flattening score of 0.9166666666666666.<br />Function 0x405270 has a flattening score of 0.9166666666666666.<br />Function 0x405370 has a flattening score of 0.9984544049459042.<br />Function 0x4097a0 has a flattening score of 0.9992378048780488.<br />Function 0x412c70 has a flattening score of 0.9629629629629629.<br />Function 0x412df0 has a flattening score of 0.9629629629629629.<br />Function 0x412f70 has a flattening score of 0.9927007299270073.<br />Function 0x4138e0 has a flattening score of 0.9629629629629629.<br /></code></pre> <br /><span style="font-size: large;"><b>Note</b></span><br /> <p>The password for the zipped malware samples is "infected". 
To unpack, use the following command line:</p> <pre><code>$ unzip -P infected samples.zip<br /></code></pre> <br /><span style="font-size: large;"><b>Contact</b></span><br /> <p>For more information, contact <a href="https://twitter.com/mr_phrazer" rel="nofollow" target="_blank" title="@mr_phrazer">@mr_phrazer</a>.</p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/mrphrazer/obfuscation_detection" rel="nofollow" target="_blank" title="Download Obfuscation_Detection">Download Obfuscation_Detection</a></span></b></div></div> <h2>Retoolkit - Reverse Engineer's Toolkit (2021-03-26)</h2> <div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-h3zUjXIqD94/YFevZ6TF4kI/AAAAAAAAVq4/ctwJfCSMdOwOMd9c922fgZketTQKRHJMACNcBGAsYHQ/s769/retoolkit_1_ret2021c.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="608" data-original-width="769" height="506" src="https://1.bp.blogspot.com/-h3zUjXIqD94/YFevZ6TF4kI/AAAAAAAAVq4/ctwJfCSMdOwOMd9c922fgZketTQKRHJMACNcBGAsYHQ/w640-h506/retoolkit_1_ret2021c.png" width="640" /></a></div><p><br /></p> <p>This is a collection of tools you may like if you are interested in reverse engineering and/or malware analysis on x86 and x64 Windows systems. 
After installing this toolkit you'll have a folder on your desktop with shortcuts to RE tools like these:</p><p><br /></p><span style="font-size: large;"><b>Why do I need it?</b></span><br /> <p>You don't. Obviously, you can download such tools from their own websites and install them yourself in a new VM. But if you download retoolkit, it can probably save you some time. Additionally, the tools come pre-configured, so you'll find things like x64dbg with a few plugins, command-line tools working from any directory, etc. You may like it if you're setting up a new analysis VM.</p> <br /><span style="font-size: large;"><b>Download</b></span><br /> <p>The *.iss files you see here are the source code for our setup program built with <a href="https://jrsoftware.org/isinfo.php" rel="nofollow" target="_blank" title="Inno Setup">Inno Setup</a>. 
To download the real thing, you have to go to the <a href="https://github.com/mentebinaria/retoolkit/releases" rel="nofollow" target="_blank" title="Releases">Releases</a> section and download the setup program.</p> <br /><span style="font-size: large;"><b>Included tools</b></span><br /> <p>Check the <a href="https://github.com/mentebinaria/retoolkit/wiki" rel="nofollow" target="_blank" title="wiki">wiki</a>.</p> <p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-4oetWUTvvmY/YFeveotNrtI/AAAAAAAAVq8/JbNuiFxOQcYG4uJFB8aYsnU46lYQVL8hQCNcBGAsYHQ/s596/retoolkit_2_ret.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="464" data-original-width="596" height="498" src="https://1.bp.blogspot.com/-4oetWUTvvmY/YFeveotNrtI/AAAAAAAAVq8/JbNuiFxOQcYG4uJFB8aYsnU46lYQVL8hQCNcBGAsYHQ/w640-h498/retoolkit_2_ret.gif" width="640" /></a></div><p><br /></p><span style="font-size: large;"><b>Is it safe to install it in my environment?</b></span><br /> <p>I don't know. Some included tools are not open source and come from shady places. You should use it exclusively in virtual machines and under your own responsibility.</p> <br /><span style="font-size: large;"><b>Can you add tool X?</b></span><br /> <p>It depends. The idea is to keep it simple. We won't add a tool just because it's not here yet. 
But if you think there's a good reason to do so, and the license allows us to redistribute the software, please <a href="https://github.com/mentebinaria/retoolkit/discussions/categories/new-app-requests" rel="nofollow" target="_blank" title="file a request here">file a request here</a>.</p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/mentebinaria/retoolkit" rel="nofollow" target="_blank" title="Download Retoolkit">Download Retoolkit</a></span></b></div> <h2>Strafer - A Tool To Detect Potential Infections In Elasticsearch Instances (2021-03-18)</h2> <div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-3uVRHmgMPzw/YEGeAYwHheI/AAAAAAAAVlI/J5tPR986h1MC24GWzCA0yeATaQ_GZmvjQCNcBGAsYHQ/s1744/strafer_1_strafer.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="750" data-original-width="1744" height="276" src="https://1.bp.blogspot.com/-3uVRHmgMPzw/YEGeAYwHheI/AAAAAAAAVlI/J5tPR986h1MC24GWzCA0yeATaQ_GZmvjQCNcBGAsYHQ/w640-h276/strafer_1_strafer.png" width="640" /></a></div><p><br /></p> <p>Elasticsearch infections are rising exponentially. Adversaries are exploiting open and exposed Elasticsearch interfaces to trigger infections in cloud and non-cloud deployments. During this talk, we will release a tool named "STRAFER" to detect potential infections in Elasticsearch instances. 
The tool allows security researchers, penetration testers, and <a href="https://www.kitploit.com/search/label/Threat%20Intelligence" target="_blank" title="threat intelligence">threat intelligence</a> experts to detect compromised and infected Elasticsearch instances running malicious code. The tool also enables you to conduct efficient research in the field of malware targeting cloud databases. In this version of the tool, the following modules are supported:</p> <ul> <li>Elasticsearch instance <a href="https://www.kitploit.com/search/label/Information%20Gathering" target="_blank" title="information gathering">information gathering</a> and reconnaissance</li> <li>Elasticsearch instance exposure on the Internet</li> <li>Detecting potential ransomware infections in Elasticsearch instances</li> <li>Detecting potential botnet infections such as the meow botnet</li> <li>Detecting infected indices in Elasticsearch instances</li> <li>Detecting Elasticsearch honeypots</li> </ul><span><a name='more'></a></span><div><br /></div> <p>Note: This is the first release of the tool and we expect to add more modules in the near future.</p> <p>Researched and Developed By: Aditya K Sood and Rohit Bansal</p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/adityaks/strafer" rel="nofollow" target="_blank" title="Download Strafer">Download Strafer</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-78330689726136412702021-02-12T08:30:00.004-03:002021-02-12T08:30:10.126-03:00BaphoDashBoard - Dashboard For Manage And Generate The Baphomet Ransomware<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-p1bvq3CE1TI/YCSkp0fFCRI/AAAAAAAAVRw/kdpzqYEVfGIU-VzW_qlxcufTzpAO2PP1QCNcBGAsYHQ/s1116/BaphoDashBoard.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="555" 
data-original-width="1116" height="318" src="https://1.bp.blogspot.com/-p1bvq3CE1TI/YCSkp0fFCRI/AAAAAAAAVRw/kdpzqYEVfGIU-VzW_qlxcufTzpAO2PP1QCNcBGAsYHQ/w640-h318/BaphoDashBoard.png" width="640" /></a></div><p><br /></p> <p>With this project we will be able to handle the data of the victims we obtain with <a href="https://www.kitploit.com/search/label/Baphomet" target="_blank" title="Baphomet">Baphomet</a> Ransomware. BaphoDashBoard is developed in C# under the dotnet-core 3.1 framework. Both the Baphomet <a href="https://www.kitploit.com/search/label/Ransomware" target="_blank" title="Ransomware">Ransomware</a> and BaphoDashBoard projects are released for educational purposes, so that we can get something out of them and learn new things.</p><span><a name='more'></a></span><p><br /></p> <p><strong>DashBoard features</strong></p> <ul> <li>Generate .exe to encrypt data.</li> <li>Generate .exe to decrypt data.</li> <li>When we generate the ransomware, we keep the <a href="https://www.kitploit.com/search/label/RSA" target="_blank" title="rsa">RSA</a> keys that encrypt the symmetric key in charge of encrypting the files.</li> <li>Location of each victim shown on a map.</li> <li>Graphics for better visualization.</li> <li>We can obtain the data of all our hosting servers.</li> <li>Handling of each baphomet.exe that we generate.</li> <li>Victim details and more using web scraping.</li> </ul> <p><strong>Requirements</strong></p> <ul> <li>Dotnet core 3.1</li> <li>SDK & Runtime download link: <a href="https://dotnet.microsoft.com/download/dotnet-core/3.1" rel="nofollow" target="_blank" title="https://dotnet.microsoft.com/download/dotnet-core/3.1">https://dotnet.microsoft.com/download/dotnet-core/3.1</a></li> </ul><div><br /></div> <p><strong>Operating systems tested to date to run Bapho-Dashboard</strong></p> <ul> <li>Windows 10</li> <li>Mac OS Mojave</li> </ul><div><br /></div> <p><strong>File that we must modify</strong></p> <ul> <li>file: BaphoDashBoard > Dal > Services > BaseService.cs, line 32</li> <li>NOTE: here we add the hosting location that contains the victims' data, for example <a href="https://myhosting.com/data.txt" rel="nofollow" target="_blank" title="https://myhosting.com/data.txt">https://myhosting.com/data.txt</a></li> </ul><div><br /></div> <p><strong>Installation and Framework use</strong></p> <p>For complete tutorials on using BaphoDashBoard, join me on Patreon, where I will be sharing information and exclusive content about hacking, <a href="https://www.kitploit.com/search/label/Malware" target="_blank" title="malware">malware</a> creation, tutorials on using my projects, etc. </p><p><br /></p> <p><strong>Video Demo</strong></p> <ul> <li><a href="https://open.lbry.com/@HackingPills:c/BaphoDashBoard-Generate-Ransomware-Tool:6?r=2FfhiGAXcxqD1V7dnpaZYmDo3gmSz6pw" rel="nofollow" target="_blank" title="https://open.lbry.com/@HackingPills:c/BaphoDashBoard-Generate-Ransomware-Tool:6?r=2FfhiGAXcxqD1V7dnpaZYmDo3gmSz6pw">https://open.lbry.com/@HackingPills:c/BaphoDashBoard-Generate-Ransomware-Tool:6?r=2FfhiGAXcxqD1V7dnpaZYmDo3gmSz6pw</a></li> </ul><div><br /></div> <p><b>Baphomet </b><strong>Ransomware: </strong><a href="https://www.kitploit.com/2020/12/baphomet-basic-concept-of-how.html">https://www.kitploit.com/2020/12/baphomet-basic-concept-of-how.html</a></p><p><strong><br /></strong></p> <p><strong>Service for more information and help</strong></p> <ul> <li>Twitter-DM : https://twitter.com/Chungo_0/</li></ul> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/Sh4rk0-666/BaphoDashBoard" rel="nofollow" target="_blank" title="Download BaphoDashBoard">Download BaphoDashBoard</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-24592971959350037062021-02-07T17:30:00.008-03:002021-02-07T17:30:08.424-03:00COM-Code-Helper - Two IDAPython Scripts Help You To Reconstruct Microsoft COM (Component Object Model) Code<div 
class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-icrYnoH6Hto/YBoXIF29jnI/AAAAAAAAVOM/2jPkzKUiqOQhyaD-MyIw0aBbiKOMwbXEQCNcBGAsYHQ/s1319/COM-Code-Helper_1_COM-Code-Before-After-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="619" data-original-width="1319" height="300" src="https://1.bp.blogspot.com/-icrYnoH6Hto/YBoXIF29jnI/AAAAAAAAVOM/2jPkzKUiqOQhyaD-MyIw0aBbiKOMwbXEQCNcBGAsYHQ/w640-h300/COM-Code-Helper_1_COM-Code-Before-After-1.png" width="640" /></a></div><p><br /></p><p>Two IDAPython <a href="https://www.kitploit.com/search/label/Scripts" target="_blank" title="Scripts">scripts</a> help you to reconstruct <a href="https://www.kitploit.com/search/label/Microsoft" target="_blank" title="Microsoft">Microsoft</a> COM (Component Object Model) code. Especially <a href="https://www.kitploit.com/search/label/Malware" target="_blank" title="malware">malware</a> reversers will find this useful, as COM code is still regularly found in malware.</p><span><a name='more'></a></span><div><br /></div><span style="font-size: large;"><b>ClassAndInterfaceToNames.py</b></span><br /> <p>This IDAPython script <a href="https://www.kitploit.com/search/label/Scans" target="_blank" title="scans">scans</a> an idb file for class and interface UUIDs and creates the matching structure and its name. Make sure to copy interfaces.txt and classes.txt into the same directory as ClassAndInterfaceToNames.py.</p> <br /><span style="font-size: large;"><b>Microsoft-SDK-Vtable-Structs.py</b></span><br /> <p>This IDAPython script creates vtables derived from the Microsoft SDK. Execution of the script takes a while, as a lot of structures are created. 
After the script has finished, go to the COM code you would like to reconstruct, press 'T' and select the correct vtable structure.</p> <p>To learn about COM, check out the Microsoft website: <a href="https://docs.microsoft.com/en-us/windows/win32/com/the-component-object-model" rel="nofollow" target="_blank" title="https://docs.microsoft.com/en-us/windows/win32/com/the-component-object-model">https://docs.microsoft.com/en-us/windows/win32/com/the-component-object-model</a></p> <p>The code was tested on IDA 7.4 with Python 2 and Python 3.</p> <p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-TaLvqPT1I1U/YBoXPF2ODzI/AAAAAAAAVOQ/-ZoZ85PRUuwJ15E9ABLY4-SyHSRhsrnvwCNcBGAsYHQ/s1319/COM-Code-Helper_1_COM-Code-Before-After-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="619" data-original-width="1319" height="300" src="https://1.bp.blogspot.com/-TaLvqPT1I1U/YBoXPF2ODzI/AAAAAAAAVOQ/-ZoZ85PRUuwJ15E9ABLY4-SyHSRhsrnvwCNcBGAsYHQ/w640-h300/COM-Code-Helper_1_COM-Code-Before-After-1.png" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-Hu5LpPH_wA4/YBoXPBCvxsI/AAAAAAAAVOY/1isTAnSXargtcynDo1RPOCKZKeIWIrnHgCNcBGAsYHQ/s1190/COM-Code-Helper_2_COM-Code-Before-After-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="657" data-original-width="1190" height="354" src="https://1.bp.blogspot.com/-Hu5LpPH_wA4/YBoXPBCvxsI/AAAAAAAAVOY/1isTAnSXargtcynDo1RPOCKZKeIWIrnHgCNcBGAsYHQ/w640-h354/COM-Code-Helper_2_COM-Code-Before-After-2.png" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-nso3kFcB2-E/YBoXPPTfxPI/AAAAAAAAVOU/kMi816ZC-Jki-CrKsHHd-S2IHzzka975QCNcBGAsYHQ/s1653/COM-Code-Helper_3_COM-Code-Before-After-3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img 
border="0" data-original-height="673" data-original-width="1653" height="260" src="https://1.bp.blogspot.com/-nso3kFcB2-E/YBoXPPTfxPI/AAAAAAAAVOU/kMi816ZC-Jki-CrKsHHd-S2IHzzka975QCNcBGAsYHQ/w640-h260/COM-Code-Helper_3_COM-Code-Before-After-3.png" width="640" /></a></div><br /><p><br /></p><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/fboldewin/COM-Code-Helper" rel="nofollow" target="_blank" title="Download COM-Code-Helper">Download COM-Code-Helper</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-18060196895705663672021-01-24T08:30:00.022-03:002021-01-24T08:30:02.347-03:00ATMMalScan - Tool for Windows which helps to search for malware traces on an ATM during the DFIR process<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-uSxCzzI1iNI/YAuh_U64NhI/AAAAAAAAVDY/nDpSQt9-8Ew9wA3z_vLJmWbY0g1MtueeACNcBGAsYHQ/s959/ATMMalScan_1_ATMMalScan-Logo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="908" data-original-width="959" height="606" src="https://1.bp.blogspot.com/-uSxCzzI1iNI/YAuh_U64NhI/AAAAAAAAVDY/nDpSQt9-8Ew9wA3z_vLJmWbY0g1MtueeACNcBGAsYHQ/w640-h606/ATMMalScan_1_ATMMalScan-Logo.png" width="640" /></a></div><p><br /></p> <p>ATMMalScan is a <a href="https://www.kitploit.com/search/label/Commandline" target="_blank" title="commandline">commandline</a> tool for <a href="https://www.kitploit.com/search/label/Windows" target="_blank" title="Windows">Windows</a> operating systems version 7 and higher, which helps to search for malware traces on an ATM during the DFIR process. This tool examines the running processes of a system, as well as the hard disk, depending on the specified file path. To scan a system, a user with standard rights is sufficient. 
However, ATMMalScan provides the best results with administrator privileges.</p><span><a name='more'></a></span><div><br /></div><span style="font-size: large;"><b>Known issues:</b></span><br /> <p>Currently ATMMalScan does not support code pages that require Unicode; this means that on Windows operating systems set to e.g. Cyrillic or Chinese characters, no representative result can be guaranteed.</p> <br /><span style="font-size: large;"><b>Requirements:</b></span><br /> <p>Make sure at least the Visual C++ Redistributable for Visual Studio 2015 has been installed on the ATM you would like to scan.</p> <br /><span style="font-size: large;"><b>Usage (Example)</b></span><br /> <p>Step 1 => Scan process <a href="https://www.kitploit.com/search/label/Memory" target="_blank" title="memory">memory</a> and disk. Check whether admin privileges are available on the device for best results! <a href="https://github.com/fboldewin/ATMMalScan/blob/main/graphics/1-Scan-Mem-Disk.PNG" rel="nofollow" target="_blank" title="$ (5)"></a></p><p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-nKUnXLr1EO8/YAuiGDmfr1I/AAAAAAAAVDc/Igy2i2f16fEVzFOoV-bljBBZ5avcvszLgCNcBGAsYHQ/s1824/ATMMalScan_2_1-Scan-Mem-Disk.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="691" data-original-width="1824" height="242" src="https://1.bp.blogspot.com/-nKUnXLr1EO8/YAuiGDmfr1I/AAAAAAAAVDc/Igy2i2f16fEVzFOoV-bljBBZ5avcvszLgCNcBGAsYHQ/w640-h242/ATMMalScan_2_1-Scan-Mem-Disk.png" width="640" /></a></div><p><br /></p> <p>Step 2 => ATMMalScan detected <a href="https://www.kitploit.com/search/label/Malware" target="_blank" title="Malware">malware</a> called XFS_DIRECT in a process and gives details about the thread and its rule matches. Furthermore, a full process memory dump has been saved to disk to capture the malicious process, its modules, and its stack and heap pages. 
<a href="https://github.com/fboldewin/ATMMalScan/blob/main/graphics/2-Scan-Malware-Detected.PNG" rel="nofollow" target="_blank" title="$ (7)"></a></p><p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-P-O6U_7kUXw/YAuiLV8J4HI/AAAAAAAAVDg/TpGww8P8KHAn-dyMTBbXg3_Yr7326j2agCNcBGAsYHQ/s1076/ATMMalScan_3_2-Scan-Malware-Detected.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1076" data-original-width="1012" height="640" src="https://1.bp.blogspot.com/-P-O6U_7kUXw/YAuiLV8J4HI/AAAAAAAAVDg/TpGww8P8KHAn-dyMTBbXg3_Yr7326j2agCNcBGAsYHQ/w602-h640/ATMMalScan_3_2-Scan-Malware-Detected.png" width="602" /></a></div><p><br /></p> <p>Step3 => Dump can be found here => .\Dump<br /> <a href="https://github.com/fboldewin/ATMMalScan/blob/main/graphics/3-Scan-Malware-Dump.PNG" rel="nofollow" target="_blank" title="$ (8)"></a></p><p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-5IPOg017bVc/YAuiQhgPkjI/AAAAAAAAVDo/HYK1FiDiDbAE4LPKqsaGKumPFntV1XmCACNcBGAsYHQ/s875/ATMMalScan_4_3-Scan-Malware-Dump.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="380" data-original-width="875" height="278" src="https://1.bp.blogspot.com/-5IPOg017bVc/YAuiQhgPkjI/AAAAAAAAVDo/HYK1FiDiDbAE4LPKqsaGKumPFntV1XmCACNcBGAsYHQ/w640-h278/ATMMalScan_4_3-Scan-Malware-Dump.png" width="640" /></a></div><p><br /></p><p>Step4 => Open dumpfile with Windbg and extract the ATM malware to disk using ".writemem" <a href="https://github.com/fboldewin/ATMMalScan/blob/main/graphics/4-Windbg-Malware-Extraction.PNG" rel="nofollow" target="_blank" title="$ (9)"></a></p><p><br /></p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://1.bp.blogspot.com/-uDYla6Qc1CU/YAuiXAwt7hI/AAAAAAAAVDs/h6ZmcxU0rUQbkz0CyxebRYK7i5qzMh0swCNcBGAsYHQ/s1750/ATMMalScan_5_4-Windbg-Malware-Extraction.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="915" data-original-width="1750" height="334" src="https://1.bp.blogspot.com/-uDYla6Qc1CU/YAuiXAwt7hI/AAAAAAAAVDs/h6ZmcxU0rUQbkz0CyxebRYK7i5qzMh0swCNcBGAsYHQ/w640-h334/ATMMalScan_5_4-Windbg-Malware-Extraction.png" width="640" /></a></div><p><br /></p> <p>Step5 => <a href="https://www.kitploit.com/search/label/Repair" target="_blank" title="Repair">Repair</a> the dumped PE with one of your favorite PE-Fixers and start analysing the malware in detail. <a href="https://github.com/fboldewin/ATMMalScan/blob/main/graphics/5-PEDumpFixer%2BIDA.PNG" rel="nofollow" target="_blank" title="$ (11)"></a></p><p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-LJunRUT54hY/YAuicRZW2RI/AAAAAAAAVD0/SJy1fZRTHVcmOCxtSWSytsw5Qq2qJQV5gCNcBGAsYHQ/s1347/ATMMalScan_6_5-PEDumpFixer%25252BIDA.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="961" data-original-width="1347" height="456" src="https://1.bp.blogspot.com/-LJunRUT54hY/YAuicRZW2RI/AAAAAAAAVD0/SJy1fZRTHVcmOCxtSWSytsw5Qq2qJQV5gCNcBGAsYHQ/w640-h456/ATMMalScan_6_5-PEDumpFixer%25252BIDA.png" width="640" /></a></div><br /><p><br /></p><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/fboldewin/ATMMalScan" rel="nofollow" target="_blank" title="Download ATMMalScan">Download ATMMalScan</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-74871803417259985552021-01-19T08:30:00.010-03:002021-01-19T08:30:03.534-03:00HosTaGe - Low Interaction Mobile Honeypot<div class="separator" style="clear: both; text-align: center;"><a 
href="https://1.bp.blogspot.com/-ZfiRYUE8MHg/YAZj7ncs6oI/AAAAAAAAVBo/x-EIVYrL0FYWVDdvy7aVl8T9yQ2bw8QvQCNcBGAsYHQ/s730/HosTaGe_0.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="730" data-original-width="349" height="640" src="https://1.bp.blogspot.com/-ZfiRYUE8MHg/YAZj7ncs6oI/AAAAAAAAVBo/x-EIVYrL0FYWVDdvy7aVl8T9yQ2bw8QvQCNcBGAsYHQ/w306-h640/HosTaGe_0.png" width="306" /></a></div><p><br /></p> <p>HosTaGe is a lightweight, low-interaction, portable, and generic <a href="https://www.kitploit.com/search/label/HoneyPot" target="_blank" title="honeypot">honeypot</a> for mobile devices that aims at detecting malicious <a href="https://www.kitploit.com/search/label/Wireless" target="_blank" title="wireless">wireless</a> network environments. As most malware propagates over the network via specific protocols, a low-interaction honeypot located on a mobile device can check wireless networks for actively propagating malware. We envision such honeypots running on all kinds of mobile devices, e.g., smartphones and tablets, to provide a quick assessment of the potential security state of a network.</p> <p>HosTaGe emulates the following <a href="https://www.kitploit.com/search/label/Protocols" target="_blank" title="protocols">protocols</a> as of the latest version: AMQP, COAP, ECHO, FTP, HTTP, HTTPS, MySQL, MQTT, MODBUS, S7COMM, SNMP, SIP, SMB, SSH, SMTP and TELNET.</p><span><a name='more'></a></span><p><br /></p> <p><strong>Download from Play Store!</strong></p> <p>The stable release of HosTaGe can be installed from the Google Play Store. 
<a href="https://play.google.com/store/apps/details?id=dk.aau.netsec.hostage" rel="nofollow" target="_blank" title="Play Store Link">Play Store Link</a>, or scan the QR code below from your <a href="https://www.kitploit.com/search/label/Android" target="_blank" title="Android">Android</a> device.</p><p><br /></p><p style="text-align: center;"><iframe width="560" height="315" src="https://www.youtube.com/embed/nRrc2T8_oKM" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></p><p><br /></p> <p><strong>References</strong></p> <p>The <a href="https://www.kitploit.com/search/label/Research" target="_blank" title="research">research</a> behind HosTaGe has been published and presented at a number of scientific and industrial conferences. Below you can find some selected papers:</p> <p>[1] Emmanouil Vasilomanolakis, Shankar Karuppayah, Mathias Fischer, Mihai Plasoianu, Wulf Pfeiffer, Lars Pandikow, Max Mühlhäuser: This Network is Infected: HosTaGe – a Low-Interaction Honeypot for Mobile Devices. SPSM@CCS 2013:43-48</p> <p>[2] Emmanouil Vasilomanolakis, Shankar Karuppayah, Mathias Fischer, Max Mühlhäuser: HosTaGe: a Mobile Honeypot for Collaborative Defense. ACM SIN 2014:330-333</p> <p>[3] Emmanouil Vasilomanolakis, Shreyas Srinivasa, Max Mühlhäuser: Did you really hack a nuclear power plant? An industrial control mobile honeypot. IEEE CNS 2015:729-730</p> <p>[4] Emmanouil Vasilomanolakis, Shreyas Srinivasa, Carlos Garcia Cordero, Max Mühlhäuser: Multi-stage Attack Detection and Signature Generation with ICS Honeypots. 
IEEE/IFIP DISSECT@NOMS 2016:1227-1232</p> <p><strong>Download APK</strong></p> <p><a href="https://github.com/aau-network-security/HosTaGe/releases/download/v2.2.11/HosTaGe-2.2.11.apk" rel="nofollow" target="_blank" title="HosTaGe-v2.2.11.apk">HosTaGe-v2.2.11.apk</a> <a href="https://github.com/aau-network-security/HosTaGe/releases/tag/v2.2.11" rel="nofollow" target="_blank" title="Release-Notes">Release-Notes</a>(latest)</p> <p>HosTaGe-v2.1.1.apk <a href="https://github.com/aau-network-security/HosTaGe/releases/tag/v2.1.1" rel="nofollow" target="_blank" title="Release-Notes">Release-Notes</a></p> <p>HosTaGe-v2.0.0.apk <a href="https://github.com/aau-network-security/HosTaGe/releases/tag/v2.0.0" rel="nofollow" target="_blank" title="Release-Notes">Release-Notes</a></p> <p><strong>Wiki</strong></p> <p>The Wiki provides information on getting started and using the app. Wiki for HosTaGe can be found here: <a href="https://github.com/aau-network-security/HosTaGe/wiki/2.-Getting-Started" rel="nofollow" target="_blank" title="Wiki">Wiki</a>.</p> <p><strong>GUI</strong></p> <p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-qbchruAcSJc/YAZkKBxmyQI/AAAAAAAAVBs/eprbW-aL25QEJAjXOOJyyCOUFezEdYNSQCNcBGAsYHQ/s740/HosTaGe_4_alert.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="740" data-original-width="350" height="640" src="https://1.bp.blogspot.com/-qbchruAcSJc/YAZkKBxmyQI/AAAAAAAAVBs/eprbW-aL25QEJAjXOOJyyCOUFezEdYNSQCNcBGAsYHQ/w302-h640/HosTaGe_4_alert.gif" width="302" /></a></div><p><br /></p> <p><strong>Original Authors</strong></p> <p><a href="https://mvasiloma.com/" rel="nofollow" target="_blank" title="Emmanouil Vasilomanolakis">Emmanouil Vasilomanolakis</a> - idea, guidance and suggestions during development</p> <p><strong>Contributors</strong></p> <p><a href="https://sastry17.github.io/" rel="nofollow" target="_blank" title="Shreyas Srinivasa">Shreyas 
Srinivasa</a>, lead developer, Aalborg University and Technische Universität Darmstadt (Github - @sastry17)</p> <p>Eirini Lygerou, GSoC 2020 Developer (Github - @irinil)</p> <p>Mihai Plasoianu, student developer, Technische Universität Darmstadt</p> <p>Wulf Pfeiffer, student developer, Technische Universität Darmstadt</p> <p>Lars Pandikow, student developer, Technische Universität Darmstadt</p> <p><strong>Researchers</strong></p> <p><a href="https://www.kshankar.com/" rel="nofollow" target="_blank" title="Shankar Karuppayah">Shankar Karuppayah</a>, mentoring, developer, Technische Universität Darmstadt</p> <p><a href="https://www.inf.uni-hamburg.de/inst/ab/snp/team/fischer.html" rel="nofollow" target="_blank" title="Mathias Fischer">Mathias Fischer</a>, mentoring, Universität Hamburg</p> <p><a href="https://www.informatik.tu-darmstadt.de/telekooperation/telecooperation_group/staff_1/staff_1_details_23168.en.jsp" rel="nofollow" target="_blank" title="Max Mühlhäuser">Max Mühlhäuser</a>, mentoring, Technische Universität Darmstadt</p> <p>Carlos Garcia Cordero, mentoring, Technische Universität Darmstadt</p> <p>Features of HoneyRJ were the inspiration for this project. <a href="http://www.cse.wustl.edu/~jain/cse571-09/ftp/honey/manual.html%5C" rel="nofollow" target="_blank" title="http://www.cse.wustl.edu/~jain/cse571-09/ftp/honey/manual.html\">http://www.cse.wustl.edu/~jain/cse571-09/ftp/honey/manual.html\</a></p> <p>The encryption for the SSH protocol was taken from Ganymed SSH-2 and slightly modified. <a href="http://code.google.com/p/ganymed-ssh-2/" rel="nofollow" target="_blank" title="http://code.google.com/p/ganymed-ssh-2/">http://code.google.com/p/ganymed-ssh-2/</a></p> <p><strong>GSoC 2020</strong></p> <p>The project was actively developed with participation in Google Summer of Code 2020. 
More information about GSoC2020 is <a href="https://summerofcode.withgoogle.com/projects/#5293206515744768" rel="nofollow" target="_blank" title="here">here</a></p> <p><strong>HPFeeds</strong></p> <p>To access the hpfeeds from hostage please send an access request to <a href="mailto:hostage@es.aau.dk" rel="nofollow" target="_blank" title="hostage@es.aau.dk">hostage@es.aau.dk</a> with your name and organization. Please note that access to the hpfeeds repository is provided only after an internal review.</p> <p><strong>Contact</strong></p> <p>Please use the Github issues to report any issues or for questions. <a href="https://honeynetpublic.slack.com/archives/CUCJPUE3H" rel="nofollow" target="_blank" title="Slack channel">Slack channel</a>; <a href="mailto:hostage@es.aau.dk" rel="nofollow" target="_blank" title="Email">Email</a></p> <p><br /></p><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/aau-network-security/HosTaGe" rel="nofollow" target="_blank" title="Download HosTaGe">Download HosTaGe</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-25408353566003231822021-01-16T17:30:00.020-03:002021-01-16T17:30:01.370-03:00SysWhispers2 - AV/EDR Evasion Via Direct System Calls<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-2huQwb9tNh4/X_u1-J9Tg7I/AAAAAAAAU-g/zaW0M51ztJ8p6zLoFx4yJYBaOb45jN9bgCNcBGAsYHQ/s722/SysWhispers2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="524" data-original-width="722" height="464" src="https://1.bp.blogspot.com/-2huQwb9tNh4/X_u1-J9Tg7I/AAAAAAAAU-g/zaW0M51ztJ8p6zLoFx4yJYBaOb45jN9bgCNcBGAsYHQ/w640-h464/SysWhispers2.png" width="640" /></a></div><p><br /></p> <p>SysWhispers helps with evasion by generating header/ASM files implants can use to make direct system calls.</p> <p>All core syscalls are supported and 
example generated files available in the <code>example-output/</code> folder.</p><span><a name='more'></a></span><div><br /></div><span style="font-size: large;"><b>Difference Between <a href="https://www.kitploit.com/search/label/SysWhispers" target="_blank" title="SysWhispers">SysWhispers</a> 1 and 2</b></span><br /> <p>The usage is almost identical to <a href="https://github.com/jthuraisamy/SysWhispers" rel="nofollow" target="_blank" title="SysWhispers1">SysWhispers1</a> but you don't have to specify which versions of Windows to support. Most of the changes are under the hood. It no longer relies on <a href="https://twitter.com/j00ru" rel="nofollow" target="_blank" title="@j00ru">@j00ru</a>'s <a href="https://github.com/j00ru/windows-syscalls" rel="nofollow" target="_blank" title="syscall tables">syscall tables</a>, and instead uses the "<a href="https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/" rel="nofollow" target="_blank" title="sorting by system call address">sorting by system call address</a>" technique popularized by <a href="https://twitter.com/modexpblog" rel="nofollow" target="_blank" title="@modexpblog">@modexpblog</a>. This significantly reduces the size of the syscall stubs.</p> <p>The specific implementation in SysWhispers2 is a variation of @modexpblog's code. One difference is that the function name hashes are randomized on each generation. 
<a href="https://twitter.com/ElephantSe4l" rel="nofollow" target="_blank" title="@ElephantSe4l">@ElephantSe4l</a>, who had <a href="https://www.crummie5.club/freshycalls/" rel="nofollow" target="_blank" title="published">published</a> this technique earlier, has another <a href="https://github.com/crummie5/FreshyCalls" rel="nofollow" target="_blank" title="implementation">implementation</a> based on C++17 which is also worth checking out.</p> <p>The original SysWhispers repository is still up but may be deprecated in the future.</p> <br /><span style="font-size: large;"><b>Introduction</b></span><br /> <p>Various security products place hooks in user-mode API functions which allow them to redirect execution flow to their engines and detect suspicious behaviour. The functions in <code>ntdll.dll</code> that make the syscalls consist of just a few assembly instructions, so re-implementing them in your own implant can bypass the triggering of those security product hooks. This technique was popularized by <a href="https://twitter.com/Cneelis" rel="nofollow" target="_blank" title="@Cn33liz">@Cn33liz</a> and his <a href="https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/" rel="nofollow" target="_blank" title="blog post">blog post</a> has more technical details worth reading.</p> <p>SysWhispers provides <a href="https://www.kitploit.com/search/label/Red%20Teamers" target="_blank" title="red teamers">red teamers</a> the ability to generate header/ASM pairs for any system call in the core kernel image (<code>ntoskrnl.exe</code>). 
The headers will also include the necessary type definitions.</p> <br /><span style="font-size: large;"><b>Installation</b></span><br /> <div><pre><code>> git clone https://github.com/jthuraisamy/SysWhispers2.git<br />> cd SysWhispers2<br />> py .\syswhispers.py --help</code></pre></div> <br /><span style="font-size: large;"><b>Usage and Examples</b></span><br /> <br /><b>Command Lines</b><br /> <div><pre><code># Export all functions with compatibility for all supported Windows versions (see example-output/).<br />py .\syswhispers.py --preset all -o syscalls_all<br /><br /># Export just the common functions (see below for list).<br />py .\syswhispers.py --preset common -o syscalls_common<br /><br /># Export NtProtectVirtualMemory and NtWriteVirtualMemory with compatibility for all versions.<br />py .\syswhispers.py --functions NtProtectVirtualMemory,NtWriteVirtualMemory -o syscalls_mem</code></pre></div> <br /><b>Script Output</b><br /> <pre><code>PS C:\Projects\SysWhispers2> py .\syswhispers.py --preset common --out-file syscalls_common<br /><br /> . ,--. <br />,-. . . ,-. . , , |-. o ,-. ,-. ,-. ,-. ,-. / <br />`-. | | `-. |/|/ | | | `-. | | |-' | `-. ,-' <br />`-' `-| `-' ' ' ' ' ' `-' |-' `-' ' `-' `--- <br /> /| | @Jackson_T <br /> `-' ' @modexpblog, 2021<br /><br />SysWhispers2: Why call the kernel when you can whisper?<br /><br />Common functions selected.<br /><br />Complete! 
Files written to:<br /> syscalls_common.h<br /> syscalls_common.c<br /> syscalls_common_stubs.asm<br /></code></pre> <br /><b>Before-and-After Example of Classic <code>CreateRemoteThread</code> DLL Injection</b><br /> <pre><code>py .\syswhispers.py -f NtAllocateVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx -o syscalls<br /></code></pre> <div><pre><code>#include <Windows.h><br /><br />void InjectDll(const HANDLE hProcess, const char* dllPath)<br />{<br /> LPVOID lpBaseAddress = VirtualAllocEx(hProcess, NULL, strlen(dllPath), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);<br /> LPVOID lpStartAddress = GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryA");<br /> <br /> WriteProcessMemory(hProcess, lpBaseAddress, dllPath, strlen(dllPath), nullptr);<br /> CreateRemoteThread(hProcess, nullptr, 0, (LPTHREAD_START_ROUTINE)lpStartAddress, lpBaseAddress, 0, nullptr);<br />}</code></pre></div> <div><pre><code>#include <Windows.h><br />#include "syscalls.h" // Import the generated header.<br /><br />void InjectDll(const HANDLE hProcess, const char* dllPath)<br />{<br /> HANDLE hThread = NULL;<br /> LPVOID lpAllocationStart = nullptr;<br /> SIZE_T szAllocationSize = strlen(dllPath);<br /> LPVOID lpStartAddress = GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryA");<br /> <br /> NtAllocateVirtualMemory(hProcess, &lpAllocationStart, 0, (PULONG)&szAllocationSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);<br /> NtWriteVirtualMemory(hProcess, lpAllocationStart, (PVOID)dllPath, strlen(dllPath), nullptr);<br /> NtCreateThreadEx(&hThread, GENERIC_EXECUTE, NULL, hProcess, lpStartAddress, lpAllocationStart, FALSE, 0, 0, 0, nullptr);<br />}</code></pre></div> <br /><span style="font-size: large;"><b>Common Functions</b></span><br /> <p>Using the <code>--preset common</code> switch will create a header/ASM pair with the following functions:</p> <ul> <li>NtCreateProcess (CreateProcess)</li> <li>NtCreateThreadEx (CreateRemoteThread)</li> <li>NtOpenProcess 
(OpenProcess)</li> <li>NtOpenThread (OpenThread)</li> <li>NtSuspendProcess</li> <li>NtSuspendThread (SuspendThread)</li> <li>NtResumeProcess</li> <li>NtResumeThread (ResumeThread)</li> <li>NtGetContextThread (GetThreadContext)</li> <li>NtSetContextThread (SetThreadContext)</li> <li>NtClose (CloseHandle)</li> <li>NtReadVirtualMemory (ReadProcessMemory)</li> <li>NtWriteVirtualMemory (WriteProcessMemory)</li> <li>NtAllocateVirtualMemory (VirtualAllocEx)</li> <li>NtProtectVirtualMemory (VirtualProtectEx)</li> <li>NtFreeVirtualMemory (VirtualFreeEx)</li> <li>NtQuerySystemInformation (GetSystemInfo)</li> <li>NtQueryDirectoryFile</li> <li>NtQueryInformationFile</li> <li>NtQueryInformationProcess</li> <li>NtQueryInformationThread</li> <li>NtCreateSection (CreateFileMapping)</li> <li>NtOpenSection</li> <li>NtMapViewOfSection</li> <li>NtUnmapViewOfSection</li> <li>NtAdjustPrivilegesToken (AdjustTokenPrivileges)</li> <li>NtDeviceIoControlFile (DeviceIoControl)</li> <li>NtQueueApcThread (QueueUserAPC)</li> <li>NtWaitForMultipleObjects (WaitForMultipleObjectsEx)</li> </ul> <br /><span style="font-size: large;"><b>Importing into Visual Studio</b></span><br /> <ol> <li>Copy the generated H/C/ASM files into the project folder.</li> <li>In Visual Studio, go to <em>Project</em> → <em>Build Customizations...</em> and enable MASM.</li> <li>In the <em>Solution Explorer</em>, add the .h and .c/.asm files to the project as header and source files, respectively.</li> <li>Go to the properties of the ASM file, and set the <em>Item Type</em> to <em>Microsoft Macro Assembler</em>.</li> <li>Ensure that the project platform is set to x64. 
32-bit projects are not supported at this time.</li> </ol> <br /><span style="font-size: large;"><b>Caveats and Limitations</b></span><br /> <ul> <li>Only 64-bit Windows is supported at this time.</li> <li>System calls from the graphical subsystem (<code>win32k.sys</code>) are not supported.</li> <li>Tested on Visual Studio 2019 (v142) with <a href="https://www.kitploit.com/search/label/Windows%2010" target="_blank" title="Windows 10">Windows 10</a> SDK.</li> </ul> <br /><span style="font-size: large;"><b>Troubleshooting</b></span><br /> <ul> <li>Type redefinition errors: a project may not compile if typedefs in <code>syscalls.h</code> have already been defined. <ul> <li>Ensure that only the required functions are included (<code>--preset all</code> is rarely necessary).</li> <li>If a typedef is already defined in another header the project uses, it can be removed from <code>syscalls.h</code>.</li> </ul> </li> </ul> <br /><span style="font-size: large;"><b>Credits</b></span><br /> <p>Developed by <a href="https://twitter.com/Jackson_T" rel="nofollow" target="_blank" title="@Jackson_T">@Jackson_T</a> and <a href="https://twitter.com/modexpblog" rel="nofollow" target="_blank" title="@modexpblog">@modexpblog</a>, but builds upon the work of many others:</p> <ul> <li><a href="https://twitter.com/FoxHex0ne" rel="nofollow" target="_blank" title="@FoxHex0ne">@FoxHex0ne</a> for cataloguing many function prototypes and typedefs in a machine-readable format.</li> <li><a href="https://twitter.com/PetrBenes" rel="nofollow" target="_blank" title="@PetrBenes">@PetrBenes</a>, <a href="https://undocumented.ntinternals.net/" rel="nofollow" target="_blank" title="NTInternals.net team">NTInternals.net team</a>, and <a href="https://docs.microsoft.com/en-us/windows/" rel="nofollow" target="_blank" title="MSDN">MSDN</a> for additional prototypes and typedefs.</li> <li><a href="https://twitter.com/Cneelis" rel="nofollow" target="_blank" title="@Cn33liz">@Cn33liz</a> for the initial <a 
href="https://github.com/outflanknl/Dumpert" rel="nofollow" target="_blank" title="Dumpert">Dumpert</a> POC implementation.</li> </ul> <br /><span style="font-size: large;"><b>Related Articles and Projects</b></span><br /> <ul> <li><a href="https://twitter.com/modexpblog" rel="nofollow" target="_blank" title="@modexpblog">@modexpblog</a>: <a href="https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/" rel="nofollow" target="_blank" title="Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams">Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams</a></li> <li><a href="https://twitter.com/hodg87" rel="nofollow" target="_blank" title="@hodg87">@hodg87</a>: <a href="https://www.cyberbit.com/blog/endpoint-security/malware-mitigation-when-direct-system-calls-are-used/" rel="nofollow" target="_blank" title="Malware Mitigation when Direct System Calls are Used">Malware Mitigation when Direct System Calls are Used</a></li> <li><a href="https://twitter.com/Cneelis" rel="nofollow" target="_blank" title="@Cn33liz">@Cn33liz</a>: <a href="https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/" rel="nofollow" target="_blank" title="Combining Direct System Calls and sRDI to bypass AV/EDR">Combining Direct System Calls and sRDI to bypass AV/EDR</a> (<a href="https://github.com/outflanknl/Dumpert" rel="nofollow" target="_blank" title="Code">Code</a>)</li> <li><a href="https://twitter.com/0x00dtm" rel="nofollow" target="_blank" title="@0x00dtm">@0x00dtm</a>: <a href="https://0x00sec.org/t/userland-api-monitoring-and-code-injection-detection/5565" rel="nofollow" target="_blank" title="Userland API Monitoring and Code Injection Detection">Userland API Monitoring and Code Injection Detection</a></li> <li><a href="https://twitter.com/0x00dtm" rel="nofollow" target="_blank" title="@0x00dtm">@0x00dtm</a>: <a 
href="https://0x00sec.org/t/defeating-userland-hooks-ft-bitdefender/12496" rel="nofollow" target="_blank" title="Defeating Userland Hooks (ft. Bitdefender)">Defeating Userland Hooks (ft. Bitdefender)</a> (<a href="https://github.com/NtRaiseHardError/Antimalware-Research/tree/master/Generic/Userland%20Hooking/AntiHook" rel="nofollow" target="_blank" title="Code">Code</a>)</li> <li><a href="https://twitter.com/mrgretzky" rel="nofollow" target="_blank" title="@mrgretzky">@mrgretzky</a>: <a href="https://breakdev.org/defeating-antivirus-real-time-protection-from-the-inside/" rel="nofollow" target="_blank" title="Defeating Antivirus Real-time Protection From The Inside">Defeating Antivirus Real-time Protection From The Inside</a></li> <li><a href="https://twitter.com/SpecialHoang" rel="nofollow" target="_blank" title="@SpecialHoang">@SpecialHoang</a>: <a href="https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6" rel="nofollow" target="_blank" title="Bypass EDR’s memory protection, introduction to hooking">Bypass EDR’s memory protection, introduction to hooking</a> (<a href="https://github.com/hoangprod/AndrewSpecial/tree/master" rel="nofollow" target="_blank" title="Code">Code</a>)</li> <li><a href="https://twitter.com/_xpn_" rel="nofollow" target="_blank" title="@xpn">@xpn</a> and <a href="https://twitter.com/domchell" rel="nofollow" target="_blank" title="@domchell">@domchell</a>: <a href="https://www.mdsec.co.uk/2019/03/silencing-cylance-a-case-study-in-modern-edrs/" rel="nofollow" target="_blank" title="Silencing Cylance: A Case Study in Modern EDRs">Silencing Cylance: A Case Study in Modern EDRs</a></li> <li><a href="https://twitter.com/mrjefftang" rel="nofollow" target="_blank" title="@mrjefftang">@mrjefftang</a>: <a href="https://threatvector.cylance.com/en_us/home/universal-unhooking-blinding-security-software.html" rel="nofollow" target="_blank" 
title="Universal Unhooking: Blinding Security Software">Universal Unhooking: Blinding Security Software</a> (<a href="https://github.com/CylanceVulnResearch/ReflectiveDLLRefresher" rel="nofollow" target="_blank" title="Code">Code</a>)</li> <li><a href="https://twitter.com/spotheplanet" rel="nofollow" target="_blank" title="@spotheplanet">@spotheplanet</a>: <a href="https://ired.team/offensive-security/defense-evasion/how-to-unhook-a-dll-using-c++" rel="nofollow" target="_blank" title="Full DLL Unhooking with C++">Full DLL Unhooking with C++</a></li> <li><a href="https://twitter.com/hasherezade" rel="nofollow" target="_blank" title="@hasherezade">@hasherezade</a>: <a href="https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/" rel="nofollow" target="_blank" title="Floki Bot and the stealthy dropper">Floki Bot and the stealthy dropper</a></li> <li><a href="https://twitter.com/hodg87" rel="nofollow" target="_blank" title="@hodg87">@hodg87</a>: <a href="https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/" rel="nofollow" target="_blank" title="Latest Trickbot Variant has New Tricks Up Its Sleeve">Latest Trickbot Variant has New Tricks Up Its Sleeve</a></li> </ul> <br /><span style="font-size: large;"><b>References to SysWhispers</b></span><br /> <ul> <li><a href="https://twitter.com/JFaust_" rel="nofollow" target="_blank" title="@JFaust_">@JFaust_</a>: Process Injection <a href="https://sevrosecurity.com/2020/04/08/process-injection-part-1-createremotethread/" rel="nofollow" target="_blank" title="Part 1">Part 1</a>, <a href="https://sevrosecurity.com/2020/04/13/process-injection-part-2-queueuserapc/" rel="nofollow" target="_blank" title="Part 2">Part 2</a>, and <a href="https://sevrosecurity.com/2020/10/14/alaris-a-protective-loader/" rel="nofollow" target="_blank" title="Alaris loader">Alaris loader</a> project (<a href="https://github.com/cribdragg3r/Alaris" rel="nofollow" 
target="_blank" title="Code">Code</a>)</li> <li><a href="https://www.twitter.com/0xPat" rel="nofollow" target="_blank" title="@0xPat">@0xPat</a>: <a href="https://0xpat.github.io/Malware_development_part_2/" rel="nofollow" target="_blank" title="Malware Development Part 2">Malware Development Part 2</a></li> <li><a href="https://twitter.com/brsn76945860" rel="nofollow" target="_blank" title="@brsn76945860">@brsn76945860</a>: <a href="https://br-sn.github.io/Implementing-Syscalls-In-The-CobaltStrike-Artifact-Kit/" rel="nofollow" target="_blank" title="Implementing Syscalls In The CobaltStrike Artifact Kit">Implementing Syscalls In The CobaltStrike Artifact Kit</a></li> <li><a href="https://twitter.com/Cneelis" rel="nofollow" target="_blank" title="@Cn33liz">@Cn33liz</a> and <a href="https://twitter.com/_DaWouw" rel="nofollow" target="_blank" title="@_DaWouw">@_DaWouw</a>: <a href="https://outflank.nl/blog/2020/12/26/direct-syscalls-in-beacon-object-files/" rel="nofollow" target="_blank" title="Direct Syscalls in Beacon Object Files">Direct Syscalls in Beacon Object Files</a> (<a href="https://github.com/outflanknl/InlineWhispers" rel="nofollow" target="_blank" title="Code">Code</a>)</li> </ul> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/jthuraisamy/SysWhispers2" rel="nofollow" target="_blank" title="Download SysWhispers2">Download SysWhispers2</a></span></b></div> <br /><br /><span style="font-size: x-large;"><b>Emp3R0R - Linux Post-Exploitation Framework Made By Linux User</b></span> (published 2021-01-09)<br /> <div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-ebyn50hsMeU/X_lPY2STkrI/AAAAAAAAU5s/2Bq8MVwb26EODfof9fQDAAPOT8aPnGedgCNcBGAsYHQ/s1406/emp3r0r_01.png" imageanchor="1" 
style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1406" data-original-width="1168" height="640" src="https://1.bp.blogspot.com/-ebyn50hsMeU/X_lPY2STkrI/AAAAAAAAU5s/2Bq8MVwb26EODfof9fQDAAPOT8aPnGedgCNcBGAsYHQ/w532-h640/emp3r0r_01.png" width="532" /></a></div><p><br /></p> <p>linux <a href="https://www.kitploit.com/search/label/Post-Exploitation" target="_blank" title="post-exploitation">post-exploitation</a> framework made by linux user</p> <p><strong>Still under active development</strong></p> <ul> <li><a href="https://www.freebuf.com/sectool/259079.html" rel="nofollow" target="_blank" title="Chinese introduction">Chinese introduction</a></li> <li><a href="https://jm33.me/emp3r0r-0x00.html" rel="nofollow" target="_blank" title="check my blog for updates">check my blog for updates</a></li> <li><a href="https://github.com/jm33-m0/emp3r0r/wiki" rel="nofollow" target="_blank" title="how to use">how to use</a></li></ul><div><br /></div><span style="font-size: large;"><b>what to expect (in future releases)</b></span><br /> <ul class="contains-task-list"> <li class="task-list-item">packer: cryptor + <code>memfd_create</code></li> <li class="task-list-item">packer: use <code>shm_open</code> in older Linux kernels</li> <li class="task-list-item">dropper: shellcode injector - python</li> <li class="task-list-item">injector: inject shellcode into another process, using GDB</li> <li class="task-list-item">port mapping: forward from CC to agents, so you can encapsulate other tools (such as Cobalt Strike) in emp3r0r's CC tunnel</li> <li class="task-list-item">dropper: shellcode injector - dd</li> <li class="task-list-item">dropper: downloader (stage 0) shellcode</li> <li class="task-list-item">network scanner</li> <li class="task-list-item">passive scanner, for host/service discovery</li> <li class="task-list-item">exploit kit</li> <li class="task-list-item">conservative weak <a href="https://www.kitploit.com/search/label/Credentials" 
target="_blank" title="credentials">credentials</a> scanner</li> <li class="task-list-item">auto pwn using weak credentials and RCEs</li> </ul> <br /><span style="font-size: large;"><b>why another post-exploitation tool?</b></span><br /> <p>why not? i don't see many post-exploitation frameworks for linux systems, and even if there were, they are nothing like mine</p> <p>as a linux user, the most critical thing for <a href="https://www.kitploit.com/search/label/Remote%20Administration" target="_blank" title="remote administration">remote administration</a> is the <strong>terminal</strong>. if you hate the garbage reverse shell experience (sometimes it ain't even a shell), take a look at emp3r0r, you will be impressed</p> <p>yes, i just want to make a post-exploitation tool for linux users like me, who want a better experience in their hacking</p> <p>another reason is compatibility. as emp3r0r is mostly written in <a href="https://golang.org" rel="nofollow" target="_blank" title="Go">Go</a>, and fully static (so are all the plugins used by emp3r0r), it will run anywhere you want (tested on Linux 2.6 and above), regardless of the shitty environments. in some cases you won't even find bash on your target, but don't worry, emp3r0r uploads its own <a href="https://github.com/jm33-m0/static-bins/tree/main/vaccine" rel="nofollow" target="_blank" title="bash">bash</a> and many other useful tools</p> <p>why is it called <code>emp3r0r</code>? 
because there's an <a href="https://github.com/BC-SECURITY/empire" rel="nofollow" target="_blank" title="empire">empire</a></p> <p>i hope this tool helps you, and i will add features to it as i learn new things</p> <br /><span style="font-size: large;"><b>what does it do</b></span><br /> <br /><b>glance</b><br /> <ul> <li>beautiful terminal UI</li> <li><strong>perfect reverse shell</strong> (true color, key bindings, custom bashrc, custom bash binary, etc)</li> <li>auto <strong>persistence</strong> via various methods</li> <li><strong>post-exploitation tools</strong> like nmap and socat are integrated with the reverse shell</li> <li><strong>credential harvesting</strong></li> <li>process <strong>injection</strong></li> <li>ELF <strong>patcher</strong></li> <li><strong>hide processes and files</strong> via libc hijacking</li> <li>port mapping, socks5 <strong>proxy</strong></li> <li>auto root</li> <li><strong>LPE</strong> suggest</li> <li>system info collecting</li> <li>file management</li> <li>log cleaner</li> <li><strong>stealth</strong> connection</li> <li>internet access checker</li> <li><strong>autoproxy</strong> for semi-isolated networks</li> <li>all of these in one <strong>HTTP2</strong> connection</li> <li>can be encapsulated in any external proxies such as <strong>TOR</strong> and <strong>CDNs</strong></li> <li>and many more...</li> </ul> <br /><b>core features</b><br /> <br /><b>transports</b><br /> <p>emp3r0r utilizes <a href="https://github.com/posener/h2conn" rel="nofollow" target="_blank" title="HTTP2">HTTP2</a> (TLS enabled) for its CC communication, but you can also encapsulate it in other transports such as <a href="https://github.com/jm33-m0/emp3r0r/wiki/Getting-started#tor" rel="nofollow" target="_blank" title="TOR">TOR</a> and <a href="https://github.com/jm33-m0/emp3r0r/wiki/Getting-started#cdn" rel="nofollow" target="_blank" title="CDNs">CDNs</a>. 
all you need to do is <a href="https://github.com/jm33-m0/emp3r0r/wiki/Getting-started#tor-1" rel="nofollow" target="_blank" title="tell emp3r0r agent to use your proxy">tell the emp3r0r agent to use your proxy</a></p> <p>also, emp3r0r has its own CA pool: agents trust only emp3r0r's own CA (which you can <a href="https://github.com/jm33-m0/emp3r0r/wiki/Getting-started#build-cc" rel="nofollow" target="_blank" title="generate">generate</a> using <code>build.py</code>), making MITM attacks much harder</p> <p>below is a screenshot of emp3r0r's CC server, which has 3 agents coming from 3 different transports</p> <p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-RDh3XVUeUZ0/X_lPiSvxCnI/AAAAAAAAU5w/sUXx4qinrFUWjS3HWtwWt1Y6YYgFP8eJgCNcBGAsYHQ/s1406/emp3r0r_01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1406" data-original-width="1168" height="640" src="https://1.bp.blogspot.com/-RDh3XVUeUZ0/X_lPiSvxCnI/AAAAAAAAU5w/sUXx4qinrFUWjS3HWtwWt1Y6YYgFP8eJgCNcBGAsYHQ/w532-h640/emp3r0r_01.png" width="532" /></a></div><p><br /></p><b>auto proxy for agents without direct internet access</b><br /> <p>emp3r0r agents check if they have internet access on startup, and start a socks5 proxy if they do, then they broadcast their proxy addresses (in encrypted form) on each network they can reach</p> <p>if an agent doesn't have internet, it's going to listen for such broadcasts. 
when it receives a working proxy, it starts a port mapping of that proxy and broadcasts it to its own networks, bringing the proxy to every agent it can ever touch, and eventually bringing all agents to our CC server.</p> <p>in the following example, we have 3 agents, among which only one (<code>[1]</code>) has internet access, and <code>[0]</code> has to use the proxy passed on by <code>[2]</code></p> <p><br /></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-6JSXZbLtxEo/X_lPoUVw4FI/AAAAAAAAU50/_qpNf6-TimEcJJj8XvcDQtG4fjV_rUVVACNcBGAsYHQ/s880/emp3r0r_02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="880" data-original-width="855" height="640" src="https://1.bp.blogspot.com/-6JSXZbLtxEo/X_lPoUVw4FI/AAAAAAAAU50/_qpNf6-TimEcJJj8XvcDQtG4fjV_rUVVACNcBGAsYHQ/w622-h640/emp3r0r_02.png" width="622" /></a></div><br /><p></p><b>agent traffic</b><br /> <p>every time an agent starts, it checks a preset URL for CC status. if it learns that CC is offline, no further action is taken; it simply waits for CC to come online</p> <p>you can set the URL to a GitHub page or other less suspicious sites; your agents will poll that URL at random intervals (measured in minutes)</p> <p>no CC communication will happen while the agent thinks CC is offline</p> <p>if it isn't:</p> <p>bare HTTP2 traffic:</p> <p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-aSsDA_EsuOc/X_lPuif28xI/AAAAAAAAU58/kki2axaE3XQykmyy9xbNwn4SXw8ziW2wgCNcBGAsYHQ/s1754/emp3r0r_03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1029" data-original-width="1754" height="376" src="https://1.bp.blogspot.com/-aSsDA_EsuOc/X_lPuif28xI/AAAAAAAAU58/kki2axaE3XQykmyy9xbNwn4SXw8ziW2wgCNcBGAsYHQ/w640-h376/emp3r0r_03.png" width="640" /></a></div><p> </p> <p>when using Cloudflare CDN as the CC frontend:</p> <p><br /></p><div class="separator" 
style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-UzeO5H62uss/X_lP5OO4wUI/AAAAAAAAU6E/WYva575RkPMSzlwR73P5cCPQzX_UjCoRgCNcBGAsYHQ/s1920/emp3r0r_04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1200" data-original-width="1920" height="400" src="https://1.bp.blogspot.com/-UzeO5H62uss/X_lP5OO4wUI/AAAAAAAAU6E/WYva575RkPMSzlwR73P5cCPQzX_UjCoRgCNcBGAsYHQ/w640-h400/emp3r0r_04.png" width="640" /></a></div><p><br /></p><b>packer - start agent in memory</b><br /> <p><a href="https://github.com/jm33-m0/emp3r0r/wiki/Packer" rel="nofollow" target="_blank" title="packer">packer</a> encrypts the <code>agent</code> binary, and runs it from memory (using <code>memfd_create</code>)</p> <p>currently emp3r0r is mostly memory-based, if used with this packer</p> <p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-x1e8iTZUB9s/X_lQBPOAZTI/AAAAAAAAU6M/gwsOguKPeN0mzWW9Sp8bU30FtviKwUL9gCNcBGAsYHQ/s1758/emp3r0r_05.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="831" data-original-width="1758" height="302" src="https://1.bp.blogspot.com/-x1e8iTZUB9s/X_lQBPOAZTI/AAAAAAAAU6M/gwsOguKPeN0mzWW9Sp8bU30FtviKwUL9gCNcBGAsYHQ/w640-h302/emp3r0r_05.png" width="640" /></a></div><p><br /></p><b>dropper - pure memory based agent launching</b><br /> <p><a href="https://github.com/jm33-m0/emp3r0r/wiki/Dropper" rel="nofollow" target="_blank" title="dropper">dropper</a> drops shellcode or a script on your target and eventually runs your agent, in a stealthy way</p> <p>below is a screenshot of the process from python-based shellcode delivery to agent execution:</p> <p><a href="https://github.com/jm33-m0/emp3r0r/blob/master/img/dropper.webp" rel="nofollow" target="_blank" title="linux post-exploitation framework made by linux user (43)"><img alt="linux post-exploitation framework made by linux user (6)" 
src="https://github.com/jm33-m0/emp3r0r/raw/master/img/dropper.webp" style="max-width: 100%;" /></a></p> <br /><b>hide processes and files</b><br /> <p>currently emp3r0r uses <a href="https://github.com/jm33-m0/emp3r0r/tree/master/libemp3r0r" rel="nofollow" target="_blank" title="libemp3r0r">libemp3r0r</a> to hide its files and processes, which utilizes glibc hijacking</p> <br /><b>persistence</b><br /> <p>currently implemented methods:</p> <ul> <li><a href="https://github.com/jm33-m0/emp3r0r/tree/master/libemp3r0r" rel="nofollow" target="_blank" title="libemp3r0r">libemp3r0r</a></li> <li>cron</li> <li>bash profile and command injection</li> </ul> <p>more will be added in the future</p> <br /><b>modules</b><br /> <br /><b>basic command shell</b><br /> <p>this is <strong>not a shell</strong>, it just executes any commands you send with <code>sh -c</code> and sends the result back to you</p> <p>besides, it provides several useful helpers:</p> <ul> <li>file management: <code>put</code> and <code>get</code></li> <li>command autocompletion</li> <li><code>#net</code> shows basic network info, such as <code>ip a</code>, <code>ip r</code>, <code>ip neigh</code></li> <li><code>#kill</code> processes, and a simple <code>#ps</code></li> <li><code>bash</code> !!! 
this is the real bash shell, keep on reading!</li> </ul> <p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-4CKoYSXwrx4/X_lQLa7qBYI/AAAAAAAAU6U/zWEj7WzLlPI5MSMX7Ly37lbSXn9J9fmkQCNcBGAsYHQ/s1405/emp3r0r_07.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1405" data-original-width="1187" height="640" src="https://1.bp.blogspot.com/-4CKoYSXwrx4/X_lQLa7qBYI/AAAAAAAAU6U/zWEj7WzLlPI5MSMX7Ly37lbSXn9J9fmkQCNcBGAsYHQ/w540-h640/emp3r0r_07.png" width="540" /></a></div><p><br /></p><b>fully interactive and stealth bash shell</b><br /> <p>a reverse bash shell, started with custom <code>bash</code> binary and <code>bashrc</code>, leaving no trace on the system shell</p> <p>emp3r0r's terminal supports <strong>everything your current terminal supports</strong>, you can use it just like an <a href="https://www.openssh.com/" rel="nofollow" target="_blank" title="openssh">openssh</a> session</p> <p>but wait, it's more than just a reverse bash shell, with <a href="https://github.com/jm33-m0/static-bins/tree/main/vaccine" rel="nofollow" target="_blank" title="module vaccine">module vaccine</a>, you can use whatever tool you like on your target system</p> <p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-6TRtZgfuCTU/X_lQUVOk_cI/AAAAAAAAU6c/yjFUFPswZ1UPybunzvI1FQnvp_rAXUk7ACNcBGAsYHQ/s1412/emp3r0r_08.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1405" data-original-width="1412" height="636" src="https://1.bp.blogspot.com/-6TRtZgfuCTU/X_lQUVOk_cI/AAAAAAAAU6c/yjFUFPswZ1UPybunzvI1FQnvp_rAXUk7ACNcBGAsYHQ/w640-h636/emp3r0r_08.png" width="640" /></a></div><p><br /></p><b>credential harvesting</b><br /> <p>not implemented yet</p> <p>i wrote about this in my <a href="https://jm33.me/sshd-injection-and-password-harvesting.html" rel="nofollow" target="_blank" 
title="blog">blog</a></p> <br /><b>auto root</b><br /> <p>currently emp3r0r supports <a href="https://jm33.me/sshd-injection-and-password-harvesting.html" rel="nofollow" target="_blank" title="CVE-2018-14665">CVE-2018-14665</a>: agents exploit this <a href="https://www.kitploit.com/search/label/Vulnerability" target="_blank" title="vulnerability">vulnerability</a> when possible, and restart themselves with root privileges</p> <p><br /></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-2hJDiez46XA/X_lQbzj0wpI/AAAAAAAAU6k/lGIslle3NcolgrHjmuzf75hZL8PljmKiwCNcBGAsYHQ/s680/emp3r0r_09.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="484" data-original-width="680" height="456" src="https://1.bp.blogspot.com/-2hJDiez46XA/X_lQbzj0wpI/AAAAAAAAU6k/lGIslle3NcolgrHjmuzf75hZL8PljmKiwCNcBGAsYHQ/w640-h456/emp3r0r_09.png" width="640" /></a></div><br /><p></p><b>LPE suggest</b><br /> <p>upload the latest:</p> <ul> <li><a href="https://github.com/mzet-/linux-exploit-suggester" rel="nofollow" target="_blank" title="mzet-/linux-exploit-suggester">mzet-/linux-exploit-suggester</a></li> <li><a href="https://github.com/pentestmonkey/unix-privesc-check" rel="nofollow" target="_blank" title="pentestmonkey/unix-privesc-check">pentestmonkey/unix-privesc-check</a></li> </ul> <p>run them on the target system, and return the results</p> <p><br /></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-dwR5eysxREw/X_lQhIRfQNI/AAAAAAAAU6o/homwn1vZglwtF2fJxPo7hb9h3Dy67Cc6wCNcBGAsYHQ/s1280/emp3r0r_10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="890" data-original-width="1280" height="444" src="https://1.bp.blogspot.com/-dwR5eysxREw/X_lQhIRfQNI/AAAAAAAAU6o/homwn1vZglwtF2fJxPo7hb9h3Dy67Cc6wCNcBGAsYHQ/w640-h444/emp3r0r_10.png" width="640" /></a></div><br /><p></p><b>port mapping</b><br 
/> <p>map any target addresses to CC side, using HTTP2 (or whatever transport your agent uses)</p> <p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-QVv1X1MFq9o/X_lQmgsCpZI/AAAAAAAAU6w/Z75lOl5o0fQZytPA-QdA3g_Woqgw97tygCNcBGAsYHQ/s1134/emp3r0r_11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="739" data-original-width="1134" height="418" src="https://1.bp.blogspot.com/-QVv1X1MFq9o/X_lQmgsCpZI/AAAAAAAAU6w/Z75lOl5o0fQZytPA-QdA3g_Woqgw97tygCNcBGAsYHQ/w640-h418/emp3r0r_11.png" width="640" /></a></div><p><br /></p><b>plugin system</b><br /> <p>yes, there is a plugin system. please read the <a href="https://github.com/jm33-m0/emp3r0r/wiki/Plugins" rel="nofollow" target="_blank" title="wiki">wiki</a> for more information</p> <p> </p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-QWG5o2SiEv8/X_lQsm2SndI/AAAAAAAAU64/MjjHhhBShbwj6GanqGltpc2OXasKPww7gCNcBGAsYHQ/s817/emp3r0r_12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="789" data-original-width="817" height="618" src="https://1.bp.blogspot.com/-QWG5o2SiEv8/X_lQsm2SndI/AAAAAAAAU64/MjjHhhBShbwj6GanqGltpc2OXasKPww7gCNcBGAsYHQ/w640-h618/emp3r0r_12.png" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-95HW3W3R-Pg/X_lQsjAIS8I/AAAAAAAAU68/tFOALiRQbi86nFjeaiQowidctPsS3-vPgCNcBGAsYHQ/s1274/emp3r0r_13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1144" data-original-width="1274" height="574" src="https://1.bp.blogspot.com/-95HW3W3R-Pg/X_lQsjAIS8I/AAAAAAAAU68/tFOALiRQbi86nFjeaiQowidctPsS3-vPgCNcBGAsYHQ/w640-h574/emp3r0r_13.png" width="640" /></a></div><p><br /></p><span style="font-size: large;"><b>thanks</b></span><br /> <ul> <li><a href="https://github.com/creack/pty" 
rel="nofollow" target="_blank" title="pty">pty</a></li> <li><a href="https://github.com/guitmz" rel="nofollow" target="_blank" title="guitmz">guitmz</a></li> <li><a href="https://github.com/bettercap/readline" rel="nofollow" target="_blank" title="readline">readline</a></li> <li><a href="https://github.com/posener/h2conn" rel="nofollow" target="_blank" title="h2conn">h2conn</a></li> <li><a href="https://github.com/m0nad/Diamorphine" rel="nofollow" target="_blank" title="diamorphine">diamorphine</a></li> <li><a href="https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/" rel="nofollow" target="_blank" title="Upgrading Simple Shells to Fully Interactive TTYs">Upgrading Simple Shells to Fully Interactive TTYs</a></li> </ul> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/jm33-m0/emp3r0r" rel="nofollow" target="_blank" title="Download Emp3R0R">Download Emp3R0R</a></span></b></div> <br /><br /><span style="font-size: x-large;"><b>Freki - Malware Analysis Platform</b></span> (published 2020-12-16)<br /> <div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-_Ppxx7Hemug/X9bvfIDh-BI/AAAAAAAAUp4/oTXPhYjCUkwKC88_-ZAuddpKq8nTyGLkQCNcBGAsYHQ/s912/freki.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="292" data-original-width="912" height="204" src="https://1.bp.blogspot.com/-_Ppxx7Hemug/X9bvfIDh-BI/AAAAAAAAUp4/oTXPhYjCUkwKC88_-ZAuddpKq8nTyGLkQCNcBGAsYHQ/w640-h204/freki.png" width="640" /></a></div> <p>Freki is a free and open-source <a href="https://www.kitploit.com/search/label/Malware%20Analysis" target="_blank" title="malware analysis">malware analysis</a> platform.</p><div><br /></div><span style="font-size: 
x-large;"><b>Goals</b></span><br /> <ol> <li>Facilitate <a href="https://www.kitploit.com/search/label/Malware" target="_blank" title="malware">malware</a> <a href="https://www.kitploit.com/search/label/Analysis" target="_blank" title="analysis">analysis</a> and <a href="https://www.kitploit.com/search/label/Reverse" target="_blank" title="reverse">reverse</a> engineering;</li> <li>Provide an easy-to-use <a href="https://www.kitploit.com/search/label/REST%20API" target="_blank" title="REST API">REST API</a> for different projects;</li> <li>Easy deployment (via Docker);</li> <li>Allow the addition of new features by the community.</li> </ol> <br /><span style="font-size: x-large;"><b>Current features</b></span><br /> <ul> <li>Hash extraction.</li> <li>VirusTotal API queries.</li> <li>Static analysis of PE files (headers, sections, imports, capabilities, and strings).</li> <li>Pattern matching with Yara.</li> <li>Web interface and REST API.</li> <li>User management.</li> <li>Community comments.</li> <li>Download samples.</li> </ul> <p>Check our <a href="https://crhenr.github.io/freki" rel="nofollow" target="_blank" title="online documentation">online documentation</a> for more details.</p> <p>Open an <a href="https://github.com/crhenr/freki/issues" rel="nofollow" target="_blank" title="issue">issue</a> to suggest new features. 
All contributions are welcome.</p> <br /><span style="font-size: x-large;"><b>How to get the source code</b></span><br /> <p><code>git clone https://github.com/crhenr/freki.git</code></p> <br /><span style="font-size: x-large;"><b>Demo</b></span><br /> <p>Video demo: <a href="https://youtu.be/brvNUPgw7ho" rel="nofollow" target="_blank" title="https://youtu.be/AW4afoaogt0">https://youtu.be/AW4afoaogt0</a>.</p> <br /><span style="font-size: x-large;"><b>Running</b></span><br /> <br /><span style="font-size: large;"><b>The easy way: Docker</b></span><br /> <ol> <li>Install <a href="https://docs.docker.com/get-docker/" rel="nofollow" target="_blank" title="Docker">Docker</a> and <a href="https://docs.docker.com/compose/install/" rel="nofollow" target="_blank" title="Docker Compose">Docker Compose</a>.</li> <li>Edit the <a href="https://github.com/crhenr/freki/blob/master/.env" rel="nofollow" target="_blank" title=".env">.env</a> file.</li> <li>If you are going to use it in production, edit <a href="https://github.com/crhenr/freki/blob/master/nginx/freki.conf" rel="nofollow" target="_blank" title="freki.conf">freki.conf</a> to enable HTTPS.</li> <li>Run <code>docker-compose up</code> or <code>make</code>.</li> </ol> <br /><span style="font-size: large;"><b>Other ways</b></span><br /> <p>If you want to use it locally (e.g., for development), please check our <a href="https://crhenr.github.io/freki" rel="nofollow" target="_blank" title="online documentation">online documentation</a> for more details.</p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/crhenr/freki" rel="nofollow" target="_blank" title="Download Freki">Download Freki</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-88640284952076588652020-11-15T17:30:00.001-03:002020-11-15T17:30:02.707-03:00Go_Parser - Yet Another Golang Binary Parser For IDAPro<div class="separator" 
style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-VjEcJJT-s-I/X7Ckt8hCdNI/AAAAAAAAUWc/FQW4w6dHKnYN5Yxt3w33tXr1ckY-3gVhQCNcBGAsYHQ/s2966/go_parser_2_map_type_parse_eg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1060" data-original-width="2966" height="228" src="https://1.bp.blogspot.com/-VjEcJJT-s-I/X7Ckt8hCdNI/AAAAAAAAUWc/FQW4w6dHKnYN5Yxt3w33tXr1ckY-3gVhQCNcBGAsYHQ/w640-h228/go_parser_2_map_type_parse_eg.png" width="640" /></a></div><p><br /></p><p>Yet Another Golang Binary Parser For IDAPro</p><blockquote><div></div> <strong>NOTE</strong>: <p>This <strong>master</strong> branch is written in <a href="https://www.kitploit.com/search/label/Python2" target="_blank" title="Python2">Python2</a> for IDAPython, and tested only on IDA7.2/IDA7.0. If you use IDAPython with Python3 and a newer version of IDAPro, please use the <strong><a href="https://github.com/0xjiayu/go_parser/tree/py3" rel="nofollow" target="_blank" title="Python3 Branch">Python3 Branch</a></strong> of go_parser.</p> </blockquote> <p>Inspired by <a href="https://github.com/strazzere/golang_loader_assist" rel="nofollow" target="_blank" title="golang_loader_assist">golang_loader_assist</a> and <a href="https://github.com/pnfsoftware/jeb-golang-analyzer" rel="nofollow" target="_blank" title="jeb-golang-analyzer">jeb-golang-analyzer</a>, I wrote a more complete parsing tool for Go binaries in IDAPro.</p><span><a name='more'></a></span><div><br /></div><span style="font-size: large;"><b>Main Features:</b></span><br /> <ol> <li>Locate and parse the <strong>firstmoduledata</strong> structure in a Go binary file and add a comment for each field;</li> <li>Locate <strong>pclntab</strong> (the PC Line Table) via <strong>firstmoduledata</strong> and parse it, then find and recover the function names and source file paths stored in the pclntab. 
Source file paths are printed in the output window of IDAPro;</li> <li>Parse strings and string pointers, add a comment for each string, and add a <strong>dref</strong> for each string pointer;</li> <li>Using firstmoduledata, find and parse each <strong>type</strong> and add a comment for each attribute of the <strong>type</strong>, which makes it much easier for <a href="https://www.kitploit.com/search/label/Malware" target="_blank" title="malware">malware</a> researchers to analyze a complex type or data structure definition;</li> <li>Parse <strong>itab</strong> (the Interface Table).</li> </ol> <p>Helpful information for RE work on Go binaries:</p> <p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-QS4lXQ86MHw/X7Ck1xab4wI/AAAAAAAAUWg/REeRVgNI3XklRmt4A0exUmewKZtxFh1wACNcBGAsYHQ/s2048/go_parser_1_go_binary_info.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1474" data-original-width="2048" height="460" src="https://1.bp.blogspot.com/-QS4lXQ86MHw/X7Ck1xab4wI/AAAAAAAAUWg/REeRVgNI3XklRmt4A0exUmewKZtxFh1wACNcBGAsYHQ/w640-h460/go_parser_1_go_binary_info.png" width="640" /></a></div><p><br /></p> <p>There are two further useful features in <strong>go_parser</strong>:</p> <ol> <li>It also works for binaries with <a href="https://www.kitploit.com/search/label/Malformed" target="_blank" title="malformed">malformed</a> File Header information, especially malformed Section <a href="https://www.kitploit.com/search/label/Headers" target="_blank" title="Headers">Headers</a> information;</li> <li>All of the features above are valid for binaries built with <strong>buildmode=pie</strong>.</li> </ol> <p>The parsing result for a config data structure in DDGMiner v5029 (MD5: 95199e8f1ab987cd8179a60834644663) is shown below:</p> <p><br /></p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://1.bp.blogspot.com/-MDJzeq_gcf8/X7Ck71xaolI/AAAAAAAAUWk/IZG6bPwXmIcEdo3ozGl4ziEcEEhy6Q5kQCNcBGAsYHQ/s2966/go_parser_2_map_type_parse_eg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1060" data-original-width="2966" height="228" src="https://1.bp.blogspot.com/-MDJzeq_gcf8/X7Ck71xaolI/AAAAAAAAUWk/IZG6bPwXmIcEdo3ozGl4ziEcEEhy6Q5kQCNcBGAsYHQ/w640-h228/go_parser_2_map_type_parse_eg.png" width="640" /></a></div><p><br /></p> <p>And the list of user-defined source file paths:</p> <p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-C-WQZ3MJSeU/X7ClB8S4YaI/AAAAAAAAUWs/K29R7BU8HLYn3pTK2zq9ILn1GUJRIc5rACNcBGAsYHQ/s1972/go_parser_3_srcfiles.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1972" data-original-width="1313" height="640" src="https://1.bp.blogspot.com/-C-WQZ3MJSeU/X7ClB8S4YaI/AAAAAAAAUWs/K29R7BU8HLYn3pTK2zq9ILn1GUJRIc5rACNcBGAsYHQ/w426-h640/go_parser_3_srcfiles.png" width="426" /></a></div><p><br /></p><span style="font-size: large;"><b>Project files:</b></span><br /> <ul> <li><strong>go_parser.py</strong>: Entry file; press <strong>[Alt+F7]</strong>, then select and execute this file;</li> <li><strong>common.py</strong>: Common variables and function definitions;</li> <li><strong>pclntbl.py</strong>: Parse <strong>pclntab</strong> (PC Line Table);</li> <li><strong>strings.py</strong>: Parse strings and string pointers;</li> <li><strong>moduldata.py</strong>: Parse <strong>firstmoduledata</strong>;</li> <li><strong>types_builder.py</strong>: Parse <strong>types</strong>;</li> <li><strong>itab.py</strong>: Parse <strong>itab</strong> (Interface Table).</li> </ul> <p>Additionally, <strong>str_ptr.py</strong> parses <strong>string pointers</strong> when you manually specify the start and end addresses of the <strong>string pointer</strong> range.</p> <br /><span style="font-size: 
large;"><b>Note</b></span><br /> <ol> <li>This branch is written in Python2 for IDAPython, and tested only on IDA7.2/IDA7.0;</li> <li>The strings parsing module was migrated from <a href="https://github.com/strazzere/golang_loader_assist" rel="nofollow" target="_blank" title="golang_loader_assist">golang_loader_assist</a>, and I added the feature of string pointer parsing. It only supports the x86 (32-bit and 64-bit) architecture for now.</li> </ol> <br /><span style="font-size: large;"><b>References</b></span><br /> <ol> <li><a href="https://www.pnfsoftware.com/blog/analyzing-golang-executables/" rel="nofollow" target="_blank" title="Analyzing Golang Executables">Analyzing Golang Executables</a></li> <li><a href="https://rednaga.io/2016/09/21/reversing_go_binaries_like_a_pro/" rel="nofollow" target="_blank" title="Reversing GO binaries like a pro">Reversing GO binaries like a pro</a></li> <li><a href="http://home.in.tum.de/~engelke/pubs/1709-ma.pdf" rel="nofollow" target="_blank" title="Reconstructing Program Semantics from Go binaries.pdf">Reconstructing Program Semantics from Go binaries.pdf</a></li> <li><a href="https://www.anquanke.com/post/id/214940" rel="nofollow" target="_blank" title="Go二进制文件逆向分析从基础到进阶——综述">Reverse Analysis of Go Binaries from Basics to Advanced: Overview</a></li> <li><a href="https://www.anquanke.com/post/id/215419" rel="nofollow" target="_blank" title="Go二进制文件逆向分析从基础到进阶——MetaInfo、函数符号和源码文件路径列表">Reverse Analysis of Go Binaries from Basics to Advanced: MetaInfo, Function Symbols and the Source File Path List</a></li> <li><a href="https://www.anquanke.com/post/id/215820" rel="nofollow" target="_blank" title="Go二进制文件逆向分析从基础到进阶——数据类型">Reverse Analysis of Go Binaries from Basics to Advanced: Data Types</a></li> <li><a href="https://www.anquanke.com/post/id/218377" rel="nofollow" target="_blank" title="Go二进制文件逆向分析从基础到进阶——itab与strings">Reverse Analysis of Go Binaries from Basics to Advanced: itab and strings</a></li> <li><a href="https://www.anquanke.com/post/id/218674" rel="nofollow" target="_blank" title="Go二进制文件逆向分析从基础到进阶——Tips与实战案例">Reverse Analysis of Go Binaries from Basics to Advanced: Tips and Practical Cases</a></li> </ol> <br /><br /><div style="text-align: center;"><b><span style="font-size: 
x-large;"><a class="kiploit-download" href="https://github.com/0xjiayu/go_parser" rel="nofollow" target="_blank" title="Download Go_Parser">Download Go_Parser</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-92116070772285112252020-11-08T17:30:00.005-03:002020-11-08T17:30:08.680-03:00ShowStopper - Anti-Debug tricks exploration tool<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-YVcPmXG59Cc/X6XnorXFImI/AAAAAAAAURc/lQKpAi1xSQgUaoGEQ7W5dnLz4eivofKbQCNcBGAsYHQ/s128/showstopper_1_showstopper_logo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="128" data-original-width="128" src="https://1.bp.blogspot.com/-YVcPmXG59Cc/X6XnorXFImI/AAAAAAAAURc/lQKpAi1xSQgUaoGEQ7W5dnLz4eivofKbQCNcBGAsYHQ/s0/showstopper_1_showstopper_logo.png" /></a></div><p><br /></p><p>The <b>ShowStopper</b> project is a tool to help <a href="https://www.kitploit.com/search/label/Malware%20Researchers" target="_blank" title="malware researchers">malware researchers</a> explore and test anti-debug techniques or verify <a href="https://www.kitploit.com/search/label/Debugger" target="_blank" title="debugger">debugger</a> plugins or other solutions that clash with standard anti-debug methods.<br /> With this tool, you can attach a debugger to its process and <a href="https://www.kitploit.com/search/label/Research" target="_blank" title="research">research</a> the debugger’s behavior for the techniques you need (the virtual addresses of functions that apply to anti-debug techniques are printed to console) and compare them with their implementation. The tool includes a varied set of different techniques from multiple sources, including real-world malware and published documents and articles. 
The implemented techniques work for the latest Windows releases and for different modern debuggers.</p><span><a name='more'></a></span><div><br /></div><span style="font-size: large;"><b>Documentation</b></span><br /> <p>How to install and use the tool, and how to contribute your findings, is described in the <a href="https://github.com/CheckPointSW/showstopper/blob/master/DOCS.md" rel="nofollow" target="_blank" title="documentation">documentation</a> for the project.</p> <br /><span style="font-size: large;"><b>System Requirements</b></span><br /> <ul> <li>Windows 7, 8, 8.1, 10 (x86/x86-64)</li> <li>32-bit debuggers (OllyDbg, x32dbg, WinDbg, etc.)</li> </ul> <br /><span style="font-size: large;"><b>References</b></span><br /> <ul> <li><a href="http://pferrie.epizy.com/papers/antidebug.pdf" rel="nofollow" target="_blank" title="P. Ferrie. The “Ultimate”Anti-Debugging Reference">P. Ferrie. The “Ultimate” Anti-Debugging Reference</a></li> <li><a href="https://www.symantec.com/connect/articles/windows-anti-debug-reference" rel="nofollow" target="_blank" title="N. Falliere. Windows Anti-Debug Reference">N. Falliere. Windows Anti-Debug Reference</a></li> <li><a href="https://forum.tuts4you.com/files/file/1218-anti-reverse-engineering-guide/" rel="nofollow" target="_blank" title="J. Jackson. An Anti-Reverse Engineering Guide">J. Jackson. 
An Anti-Reverse Engineering Guide</a></li> <li><a href="https://www.apriorit.com/dev-blog/367-anti-reverse-engineering-protection-techniques-to-use-before-releasing-software" rel="nofollow" target="_blank" title="Anti">Anti </a><a href="https://www.kitploit.com/search/label/Debugging" target="_blank" title="Debugging">Debugging</a> <a href="https://www.kitploit.com/search/label/Protection" target="_blank" title="Protection">Protection</a> Techniques with Examples</li> <li><a href="https://bitbucket.org/fkie_cd_dare/simplifire.antire/src/master/" rel="nofollow" target="_blank" title="simpliFiRE.AntiRE">simpliFiRE.AntiRE</a></li> </ul> <div><br /></div><div><em>Contributed by</em> Check Point Software Technologies LTD.<br /><em>Programmed by</em> Yaraslau Harakhavik</div><br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/CheckPointSW/showstopper" rel="nofollow" target="_blank" title="Download Showstopper">Download Showstopper</a></span></b></div>Unknownnoreply@blogger.com