# Polymorphic inline assembly generator for Revenant
# A modified version of cycotic is a standalone project available
# https://github.com/0xTriboulet/Cycotic
#######################################################################################################
# This version of Cycotic is not a standalone script and should NOT be used separately from Revenant #
#######################################################################################################
import os
import re
import random
# Relative path constant for the agent's C sources.
# NOTE(review): not referenced by any function in this file (process_directory takes a
# parameter of the same name); presumably the caller passes it in — confirm at the call site.
directory_path = "./Agent/Source/"
# x86
# 32-bit inline-assembly strings (Intel syntax, ';'-separated) that the insert_* functions
# choose from with random.choice. Each list entry is one complete string; the last entry is
# assembled by implicit concatenation of adjacent literals (the leading '' is an empty string).
instructions_low_entropy_x86 = [
    "nop;nop;nop;nop;nop;nop;nop;nop;nop;nop;nop;nop;nop;nop;nop;nop;nop;nop;nop;nop;nop;nop;nop;",
    "inc eax;dec eax;inc eax;dec eax;inc eax;dec eax;inc eax;dec eax;inc eax;dec eax;inc eax;dec eax;",
    "xor eax, eax;xor ecx, ecx;xor eax, eax;xor ecx, ecx;xor eax, eax;xor ecx, ecx;xor eax, eax;xor ecx, ecx;",
    ''"xor eax,eax;" \
    "xor ecx,ecx;" \
    "xor eax,eax;" \
    "xor ecx,ecx;" \
    "xor eax,eax;" \
    "xor ecx,ecx;" \
    "xor eax,eax;"''
]
#x64
# Volatile registers: rax, rcx, rdx, r8, r9
# 64-bit counterpart of instructions_low_entropy_x86: four entries, the last one built by
# implicit concatenation of the adjacent literals between pushfq and popfq.
instructions_low_entropy_x64 = [
    "xor rax, rax;xor rcx, rcx;xor rax, rax;xor rcx, rcx;xor rax, rax;xor rcx, rcx;xor rax, rax;xor rcx, rcx;",
    "inc rax;dec rax;inc rax;dec rax;inc rax;dec rax;inc rax;dec rax;inc rax;dec rax;inc rax;dec rax;inc rax;dec rax;",
    "cmp rax, rax;test rax, rax;cmp rax, rax;test rax, rax;cmp rax, rax;test rax, rax;cmp rax, rax;test rax, rax;",
    ''"pushfq;" \
    "push rcx;" \
    "push rdx;" \
    "push r8;" \
    "push r9;" \
    "xor eax, eax;" \
    "xor eax, eax;" \
    "xor ebx, ebx;" \
    "xor eax, eax;" \
    "xor eax, eax;" \
    "pop r9;" \
    "pop r8;" \
    "pop rdx;" \
    "pop rcx;" \
    "popfq;"''
]
# x86
# 32-bit inline-assembly strings chosen from by the insert_* functions.
# NOTE(review): the "push eax; ... pop eax;" literal has no trailing comma, so Python
# implicitly concatenates it with the pushfd/pushad ... popad/popfd literals that follow.
# The list therefore holds 5 entries, not 6, and the instructions[0:-1] slice taken in
# process_directory drops that combined entry as a whole.
instructions_x86 = [
    "nop;nop;nop;",
    "inc eax;dec eax;",
    "dec eax;inc eax;",
    "xchg eax, eax;xchg ecx, ecx;",
    "push eax;.byte 0xe8, 0x0, 0x0, 0x0, 0x0;.intel_syntax noprefix; pop eax; add eax, 0x6; push eax; ret; pop eax;"
    ''"pushfd;"
    "pushad;"\
    "xchg ecx, eax;" \
    "xchg ecx, eax;" \
    "xchg ebx, eax;" \
    "xchg ebx, eax;" \
    "inc eax;" \
    "dec eax;" \
    "inc ebx;" \
    "dec ebx;" \
    "inc ecx;" \
    "dec ecx;" \
    "xchg ecx, ecx;" \
    "xchg eax, eax;" \
    "xchg ebx, ebx;" \
    "xchg eax, eax;"\
    "popad;"\
    "popfd"''
]
#x64
# Volatile registers: rax, rcx, rdx, r8, r9
# 64-bit inline-assembly strings chosen from by the insert_* functions: six entries, the
# last one built by implicit concatenation of the adjacent literals between pushfq and popfq.
# process_directory passes instructions[0:-1] (i.e. without this last entry) for a fixed
# set of file names.
instructions_x64 = [
    "nop;nop;nop;",
    "inc rax;dec rax;",
    "dec rax;inc rax;",
    "xchg rax, rax;xchg rcx, rcx;",
    "push rax; lea rax, [rip]; add rax, 0x6; push rax; ret; pop rax;",
    ''"pushfq;" \
    "push rcx;" \
    "push rdx;" \
    "push r8;" \
    "push r9;" \
    "xchg rax, rax;" \
    "xchg rax, rax;" \
    "xchg rbx, rbx;" \
    "xchg rbx, rbx;" \
    "xchg rax, rax;" \
    "xchg rax, rax;" \
    "pop r9;" \
    "pop r8;" \
    "pop rdx;" \
    "pop rcx;" \
    "popfq;"''
]
# License-text fragments intended as the `eula` argument of process_directory /
# insert_string_declarations, where one is picked with random.choice as the value of each
# emitted `char* strN = "...";` line (the caller that passes this list is not visible here).
eula = ["MICROSOFT SOFTWARE LICENSE TERMS", \
    "(MVLTECHNOLOGIES1.0 – STABLE CHANNEL)", \
    "MICROSOFT VISUAL STUDIO COMMUNITY 2019", \
    "These license terms are an agreement between", \
    "Microsoft Corporation (or based on where you live,", \
    "one of its affiliates) and you. Please read them.", \
    "They apply to the software named above, which", \
    "includes the media on which you received it, if", \
    "any. The terms also apply to any Microsoft", \
    "updates, supplements, Internet-based services,", \
    "and support services for this software, unless", \
    "other terms accompany those items. If so, those", \
    "terms apply. BY USING THE SOFTWARE, YOU ACCEPT", \
    "THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT", \
    "USE THE SOFTWARE. INSTEAD, RETURN IT TO THE", \
    "RESELLER FOR A REFUND OR CREDIT. As described", \
    "below, using the software also operates as your", \
    "consent to the transmission of certain", \
    "computer information for Internet-based", \
    "services, as described in the privacy", \
    "statement described in Section 3. If you", \
    "comply with these license terms, you have the", \
    "rights below. 1. INSTALLATION AND USE RIGHTS.", \
    "a. Individual license. If you are an individual", \
    "working on your own applications to sell or for", \
    "any other purpose, you may use the software to", \
    "develop and test those applications."]
def insert_asm_before_vars(file_contents, instructions):
    """Prefix each ``<type> <name> = <value>;`` statement with random ``__asm`` lines.

    Every match of the declaration pattern (anchored at a line start under
    ``re.MULTILINE``; the leading ``\\s*`` may also swallow preceding blank
    lines) is preceded by 0-5 two-line groups: a ``//remove me`` marker line
    followed by ``__asm(".intel_syntax noprefix;<instr>");`` where ``<instr>``
    is ``random.choice(instructions)``.  The marker is what the remove_*
    functions key on.

    Args:
        file_contents: C source text to rewrite.
        instructions: sequence of assembly strings to draw from.

    Returns:
        The rewritten text.  A newline is inserted before every matched
        declaration even when zero groups are drawn.
    """
    declaration = re.compile(
        r"^\s*(?P<type>\w+)\s+(?P<var_name>\w+)\s*=\s*(?P<value>[^;]+)\s*;",
        re.MULTILINE,
    )

    def prefix_with_asm(match):
        # Draw the count first, then one instruction per group, so the
        # sequence of random calls stays the same as before.
        count = random.randint(0, 5)
        groups = []
        for _ in range(count):
            chosen = random.choice(instructions)
            groups.append(f'//remove me\n__asm(".intel_syntax noprefix;{chosen}");')
        return "\n".join(groups) + "\n" + match.group(0)

    return declaration.sub(prefix_with_asm, file_contents)
def insert_asm_statements(file_contents, instructions):
    """Insert random ``__asm`` lines before declarations and after function openers.

    Runs ``insert_asm_before_vars`` first, then for every match of the
    function-header pattern (return type, name, parameter list and the
    opening ``{``) appends 0-5 marker/``__asm`` two-line groups right after
    the ``{``.  Each group is ``//remove me`` on one line and
    ``__asm(".intel_syntax noprefix;<instr>");`` on the next, with
    ``<instr>`` drawn by ``random.choice(instructions)``.

    Args:
        file_contents: C source text to rewrite.
        instructions: sequence of assembly strings to draw from.

    Returns:
        The rewritten text.  A newline always follows a matched header,
        even when zero groups are drawn.
    """
    with_var_asm = insert_asm_before_vars(file_contents, instructions)
    function_header = re.compile(
        r"(?P<return_type>[\w\s\*]+)\s+(?P<func_name>\w+)\s*\((?P<params>[^\)]*)\)\s*\{",
        re.MULTILINE,
    )

    def append_asm(match):
        count = random.randint(0, 5)
        groups = []
        for _ in range(count):
            chosen = random.choice(instructions)
            groups.append(f'//remove me\n__asm(".intel_syntax noprefix;{chosen}");')
        return match.group(0) + "\n" + "\n".join(groups)

    return function_header.sub(append_asm, with_var_asm)
def remove_asm_statements(file_contents):
    """Delete every ``//remove me`` marker line together with the line after it.

    The line after the marker must contain a ``;``; everything on that line
    up to its last ``;`` is consumed, plus one trailing newline if present.
    The pattern is not specific to ``__asm``, so it also strips the
    ``char* strN = "...";`` lines that ``insert_string_declarations`` places
    behind the same marker.

    Args:
        file_contents: C source text to clean.

    Returns:
        The text with all matching marker/statement pairs removed.
    """
    return re.sub(r"//remove me\n.*;\n?", "", file_contents, flags=re.MULTILINE)
def insert_string_declarations(file_contents, eula):
    """Append random ``char* strN = "...";`` lines after every function opener.

    For each match of the function-header pattern, 0-5 two-line groups are
    placed after the opening ``{``: a ``//remove me`` marker line and then
    ``char* str<N> = "<text>";`` where ``<N>`` is
    ``random.randint(100, 99999)`` and ``<text>`` is ``random.choice(eula)``.

    Args:
        file_contents: C source text to rewrite.
        eula: sequence of strings to use as the declaration values.

    Returns:
        The rewritten text.  A newline always follows a matched header,
        even when zero groups are drawn.
    """
    function_header = re.compile(
        r"(?P<return_type>[\w\s\*]+)\s+(?P<func_name>\w+)\s*\((?P<params>[^\)]*)\)\s*\{",
        re.MULTILINE,
    )

    def append_strings(match):
        count = random.randint(0, 5)
        declarations = []
        for _ in range(count):
            # Number first, then text: same random-call order as before.
            number = random.randint(100, 99999)
            text = random.choice(eula)
            declarations.append(f'//remove me\nchar* str{number} = "{text}";')
        return match.group(0) + "\n" + "\n".join(declarations)

    return function_header.sub(append_strings, file_contents)
def remove_string_declarations(file_contents):
    """Delete ``//remove me`` markers followed by a ``char *strN = "...";`` line.

    Only the ``char *str`` spelling (space before the asterisk) is matched;
    the quoted value is matched non-greedily and one trailing newline is
    consumed if present.

    Args:
        file_contents: C source text to clean.

    Returns:
        The text with all matching marker/declaration pairs removed.
    """
    declaration = r'//remove me\nchar \*str\d+ = ".*?";\n?'
    return re.sub(declaration, "", file_contents, flags=re.MULTILINE)
def process_c_file(file_path, instructions, eula, remove=False):
    """Rewrite one C file in place, either inserting or stripping the generated lines.

    With ``remove`` false the file goes through ``insert_asm_statements`` and
    then ``insert_string_declarations``; with ``remove`` true it goes through
    ``remove_asm_statements`` and then ``remove_string_declarations``.  The
    file is read and written as text with the platform default encoding.

    Args:
        file_path: path of the ``.c`` file to rewrite.
        instructions: assembly strings forwarded to ``insert_asm_statements``.
        eula: strings forwarded to ``insert_string_declarations``.
        remove: strip previously inserted lines instead of inserting new ones.
    """
    with open(file_path, 'r') as source:
        original = source.read()

    if remove:
        result = remove_string_declarations(remove_asm_statements(original))
    else:
        result = insert_string_declarations(
            insert_asm_statements(original, instructions), eula
        )

    with open(file_path, 'w') as sink:
        sink.write(result)
def process_directory(directory_path, instructions, eula, remove=False):
    """Run ``process_c_file`` over every ``.c`` entry directly inside *directory_path*.

    Entries are visited in ``os.listdir`` order and subdirectories are not
    descended.  For the five file names listed in ``trimmed_for`` the last
    element of ``instructions`` is dropped before processing; all other
    ``.c`` files receive the full sequence.

    Args:
        directory_path: directory to scan.
        instructions: assembly strings handed to ``process_c_file``.
        eula: strings handed to ``process_c_file``.
        remove: forwarded to ``process_c_file``.
    """
    trimmed_for = ("Poly.c", "Utilities.c", "Obfuscation.c", "Asm.c", "AntiDebug.c")
    for filename in os.listdir(directory_path):
        if not filename.endswith('.c'):
            continue
        file_path = os.path.join(directory_path, filename)
        chosen = instructions[:-1] if filename in trimmed_for else instructions
        process_c_file(file_path, chosen, eula, remove)