Proof-of-concept obfuscation toolkit for C# post-exploitation tools

Overview

InvisibilityCloak

Proof-of-concept obfuscation toolkit for C# post-exploitation tools. It performs the actions below on a C# Visual Studio project.

  • Change the tool name
  • Change the project GUID
  • Obfuscate compatible strings in source code files based on obfuscation method entered by user
  • Remove one-line comments (e.g., // this is a comment)
  • Remove PDB string option for compiled release .NET assembly

Blog Post: https://securityintelligence.com/posts/invisibility-cloak-obfuscate-c-tools-evade-signature-based-detection

String Candidates Not Obfuscated

The string candidates below are not included in obfuscation:

  • Strings less than 3 characters
  • Strings using string interpolation (e.g., Console.WriteLine($"Hello, {name}! Today is {date.DayOfWeek}, it's {date:HH:mm} now.");)
  • Case statements as they need to be static values
  • Const vars as they need to be static values
  • Strings in method signatures as they need to be static values
  • Strings within Regexes
  • Override strings as they need to be static values
  • The below random edge cases for strings, as they have caused issues when encoding/decoding
    • String starting with or ending with '
    • ""' in the line
    • + @" in the line
    • """ in the line

Support Information

  • Windows
  • Linux (Debian-based systems)
  • Python3

Arguments/Options

  • -d, --directory - directory where your Visual Studio project is located
  • -m, --method - obfuscation method (base64, rot13)
  • -n, --name - name of your new tool
  • -h, --help - help menu
  • --version - get version of tool

Usage/Examples

python InvisibilityCloak.py -d /path/to/project -n "TotallyLegitTool" -m base64

python InvisibilityCloak.py -d C:\path\to\project -n "TotallyLegitTool" -m base64

python InvisibilityCloak.py -d /path/to/project -n "TotallyLegitTool" -m rot13

python InvisibilityCloak.py -d C:\path\to\project -n "TotallyLegitTool" -m rot13

Output

Below is what the output would look like when running the tool.

screenshot

Below is the difference, for Seatbelt, between the unobfuscated version and the version obfuscated with InvisibilityCloak, checked against Microsoft Defender using DefenderCheck.

screenshot

Comments
  • build fix - rename subfolder

    Before the fix the primary subfolder doesn't get renamed, which causes the build to fail.

    py InvisibilityCloak\InvisibilityCloak.py -d Seatbelt -n TestBelt -m base64
    

    build:

    msbuild /t:Rebuild -p:Configuration=Release;TargetFrameworkVersion=v4.0
    

    output:

    ..snip...
    
    ValidateSolutionConfiguration:
      Building solution configuration "Release|Any CPU".
    Z:\Seatbelt\TestBelt.sln.metaproj : error MSB3202: The project file "Z:\Seatbelt\TestBelt\TestBelt.csproj" was not found. [Z:\Seatbelt\TestBelt.sln]
    Done Building Project "Z:\Seatbelt\TestBelt.sln" (Rebuild target(s)) -- FAILED.
    
    Build FAILED.
    

    After the fix it compiles just fine.

    opened by jabra- 6
  • Fails when trying to cloak StandIn

    Hello and thanks for the tool! I just watched your talk on C# obfuscation, and I wanted to attempt it myself. However, when I attempted to build StandIn (https://github.com/FuzzySecurity/StandIn) after being obfuscated, I got many syntax errors. For example:

    L969:

    sTaskContent = String.Format(new string(@"<VzzrqvngrGnfxI2 pyfvq=".Select(xAZ => (xAZ >= 'a' && xAZ <= 'z') ? (char)((xAZ - 'a' + 13) % 26 + 'a') : ((xAZ >= 'A' && xAZ <= 'Z') ? (char)((xAZ - 'A' + 13) % 26 + 'A') : xAZ)).ToArray())new string("
    

    Here I am getting a "Syntax error, ',' expected" error between the end of the first string([...]) and the next new string. I have a few hundred of these in my build log.

    opened by davidmckennirey 4
  • Testing with Rubeus

    Hey, thanks for the great tool! I've been testing it against Rubeus, but even after cloaking, Defender still flags it.

    With rot13 method, this is the result:

    [!] Identified end of bad bytes at offset 0x4903B
    00000000   72 65 73 73 00 44 6F 6D  61 69 6E 43 6F 6E 74 72   ress·DomainContr
    00000010   6F 6C 6C 65 72 41 64 64  72 65 73 73 00 48 6F 73   ollerAddress·Hos
    00000020   74 41 64 64 72 65 73 73  00 61 64 64 72 65 73 73   tAddress·address
    00000030   00 63 72 6F 73 73 00 75  73 65 72 53 74 61 74 73   ·cross·userStats
    00000040   00 45 6E 75 6D 65 72 61  74 65 54 69 63 6B 65 74   ·EnumerateTicket
    00000050   73 00 50 61 72 73 65 53  61 76 65 54 69 63 6B 65   s·ParseSaveTicke
    00000060   74 73 00 73 61 76 65 54  69 63 6B 65 74 73 00 43   ts·saveTickets·C
    00000070   6F 75 6E 74 4F 66 54 69  63 6B 65 74 73 00 48 61   ountOfTickets·Ha
    00000080   72 76 65 73 74 54 69 63  6B 65 74 47 72 61 6E 74   rvestTicketGrant
    00000090   69 6E 67 54 69 63 6B 65  74 73 00 77 72 61 70 54   ingTickets·wrapT
    000000A0   69 63 6B 65 74 73 00 64  69 73 70 6C 61 79 4E 65   ickets·displayNe
    000000B0   77 54 69 63 6B 65 74 73  00 72 65 6E 65 77 54 69   wTickets·renewTi
    000000C0   63 6B 65 74 73 00 67 65  74 5F 61 64 64 69 74 69   ckets·get_additi
    000000D0   6F 6E 61 6C 5F 74 69 63  6B 65 74 73 00 73 65 74   onal_tickets·set
    000000E0   5F 61 64 64 69 74 69 6F  6E 61 6C 5F 74 69 63 6B   _additional_tick
    000000F0   65 74 73 00 67 65 74 5F  74 69 63 6B 65 74 73 00   ets·get_tickets·
    

    With the base64 method, it still gets flagged, but it breaks ThreatCheck so I can't see the bad bytes

    [+] Target file size: 315392 bytes
    [+] Analyzing...
    
    Unhandled Exception: System.IO.IOException: The process cannot access the file 'C:\Temp\file.exe' because it is being used by another process.
       at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
       at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
       at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
       at System.IO.File.InternalWriteAllBytes(String path, Byte[] bytes, Boolean checkHost)
       at ThreatCheck.Defender.AnalyzeFile()
       at ThreatCheck.Program.RunOptions(Options opts)
       at CommandLine.ParserResultExtensions.WithParsed[T](ParserResult`1 result, Action`1 action)
       at ThreatCheck.Program.Main(String[] args)
    

    Do you have any suggestions? :-)

    opened by init5-SF 2
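The hex dump in the issue above is instructive from a detection standpoint: the flagged bytes are NUL-separated member names (`DomainControllerAddress`, `EnumerateTickets`, `ParseSaveTickets`, ...), i.e. the .NET #Strings metadata heap, not string literals. Literal obfuscation never touches those names, so a signature built on them survives both the rot13 and base64 methods. The following Python block is an added example, not code from the project or the ThreatCheck author: it transcribes the first rows of the dump into a constructed byte string, extracts the identifier-shaped entries, and scores them against a small known-name set (also taken from the same dump, purely for illustration; `match_known_names` and its threshold are our own).

```python
import re

# Bytes transcribed from the first seven rows of the ThreatCheck hex dump shown
# in the issue above (constructed for this example). The NUL-separated layout is
# how the .NET #Strings metadata heap stores type and member names.
FLAGGED_REGION = (
    b"ress\x00DomainControllerAddress\x00HostAddress\x00address\x00"
    b"cross\x00userStats\x00EnumerateTickets\x00ParseSaveTickets\x00"
    b"saveTickets\x00"
)

# Names a defender might carry in a rule for this tool family. They are taken
# from the same dump here for illustration only.
KNOWN_MEMBER_NAMES = {
    "DomainControllerAddress", "HostAddress", "EnumerateTickets",
    "ParseSaveTickets", "HarvestTicketGrantingTickets",
}

IDENT_RE = re.compile(rb"^[A-Za-z_][A-Za-z0-9_]*$")


def extract_identifiers(blob: bytes, min_len: int = 4) -> list:
    """Split a #Strings-style region on NUL and keep identifier-shaped entries.
    The first and last fragment of a dump window may be cut off (here 'ress' is
    the tail of a longer name), so edge entries deserve less weight."""
    names = []
    for chunk in blob.split(b"\x00"):
        if len(chunk) >= min_len and IDENT_RE.match(chunk):
            names.append(chunk.decode("ascii"))
    return names


def match_known_names(names: list, known: set, threshold: int = 3) -> dict:
    """Score an identifier list against a known set. Source-level literal
    obfuscation leaves these names intact, so they remain usable as a signal
    after rot13/base64 rewriting of the string literals."""
    hits = sorted(n for n in names if n in known)
    return {"hits": hits, "flagged": len(hits) >= threshold}


if __name__ == "__main__":
    found = extract_identifiers(FLAGGED_REGION)
    print(found)
    print(match_known_names(found, KNOWN_MEMBER_NAMES))
```

The practical consequence for anyone reading the issue is that member and type names need their own treatment (renaming) before a string-level pass can change what a metadata-based signature sees; conversely, a detection rule keyed on such names is more robust to this class of obfuscation than one keyed on literals.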
  • Added single file input

    turns out I had time :) Added support to process a single file instead of an entire project, also during testing I found out that my single file, wrapped around a project, wasn't being obfuscated, seems like a bug but I'm not sure why :(

    opened by nemesis7331 0
  • Add support for single file

    It would be nice to add the ability to obfuscate a single file, without having to create a project around it. If I get the time I'll try and hopefully make a pull request :)

    opened by nemesis7331 0