Phantom Evasion – Python AV Evasion Tool Capable To Generate FUD Executable Even With The Most Common 32 Bit Metasploit Payload (Exe/Elf/Dmg/Apk)


Phantom-Evasion is an interactive antivirus evasion tool written in Python, capable of generating (almost) FUD executables even with the most common 32 bit msfvenom payloads (the detection ratio is lower with 64 bit payloads). The aim of this tool is to make antivirus evasion an easy task for pentesters through modules focused on polymorphic code and antivirus sandbox detection techniques. Since version 1.0 Phantom-Evasion also includes a post-exploitation section dedicated to persistence and auxiliary modules.

The following OSs officially support automatic setup:

  1. Kali Linux Rolling 2018.1+ (64 bit)
  2. Parrot Security (64 bit)

The following OSs are likely able to run Phantom Evasion via manual setup:

  1. Arch Linux (64 bit)
  2. BlackArch Linux (64 bit)
  3. Elementary (64 bit)
  4. Linux Mint (64 bit)
  5. Ubuntu 15.10+ (64 bit)
  6. Windows 7/8/10 (64 bit)

Contributors
Special thanks to:
phra https://github.com/phra
stefano118 https://github.com/stefano118

Getting Started
Simply git clone, or download and unzip, the Phantom-Evasion folder.

Kali Linux:
Automatic setup is officially supported; open a terminal and execute phantom-evasion:

sudo python phantom-evasion.py 

or:

sudo chmod +x ./phantom-evasion.py

sudo ./phantom-evasion.py

Dependencies (only for manual setup)

  1. metasploit-framework
  2. mingw-w64 (cygwin on Windows)
  3. gcc
  4. apktool
  5. strip
  6. wine (not necessary on Windows)
  7. apksigner
  8. pyinstaller

Requires libc6-dev-i386 (Linux only).

WINDOWS PAYLOADS

Windows Shellcode Injection Modules (C)
Msfvenom Windows payloads and custom shellcodes supported.
(>) Randomized junkcode and Windows antivirus evasion techniques
(>) Multibyte Xor encoders available (see the Multibyte Xor encoders readme section)
(>) Decoy Processes Spawner available (see the Decoy Processes Spawner section)
(>) Strip executable available (https://en.wikipedia.org/wiki/Strip_(Unix))
(>) Execution time range: 35-60 seconds

  1. Windows Shellcode Injection VirtualAlloc: Inject and execute shellcode in memory using the VirtualAlloc, CreateThread and WaitForSingleObject APIs.
  2. Windows Shellcode Injection VirtualAlloc NoDirectCall LL/GPA: Inject and execute shellcode in memory using the VirtualAlloc, CreateThread and WaitForSingleObject APIs. Critical APIs are dynamically loaded (no direct call) using the LoadLibrary and GetProcAddress APIs.
  3. Windows Shellcode Injection VirtualAlloc NoDirectCall GPA/GMH: Inject and execute shellcode in memory using the VirtualAlloc, CreateThread and WaitForSingleObject APIs. Critical APIs are dynamically loaded (no direct call) using the GetModuleHandle and GetProcAddress APIs.
  4. Windows Shellcode Injection HeapAlloc: Inject and execute shellcode in memory using the HeapAlloc, HeapCreate, CreateThread and WaitForSingleObject APIs.
  5. Windows Shellcode Injection HeapAlloc NoDirectCall LL/GPA: Inject and execute shellcode in memory using the HeapCreate, HeapAlloc, CreateThread and WaitForSingleObject APIs. Critical APIs are dynamically loaded (no direct call) using the LoadLibrary and GetProcAddress APIs.
  6. Windows Shellcode Injection HeapAlloc NoDirectCall GPA/GMH: Inject and execute shellcode in memory using the HeapCreate, HeapAlloc, CreateThread and WaitForSingleObject APIs. Critical APIs are dynamically loaded (no direct call) using the GetModuleHandle and GetProcAddress APIs.
  7. Windows Shellcode Injection Process inject: Inject and execute shellcode into remote process memory (default: OneDrive.exe (x86), explorer.exe (x64)) using the VirtualAllocEx, WriteProcessMemory, CreateRemoteThread and WaitForSingleObject APIs.
  8. Windows Shellcode Injection Process inject NoDirectCall LL/GPA: Inject and execute shellcode into remote process memory (default: OneDrive.exe (x86), explorer.exe (x64)) using the VirtualAllocEx, WriteProcessMemory, CreateRemoteThread and WaitForSingleObject APIs. Critical APIs are dynamically loaded (no direct call) using the LoadLibrary and GetProcAddress APIs.
  9. Windows Shellcode Injection Process inject NoDirectCall GPA/GMH: Inject and execute shellcode into remote process memory (default: OneDrive.exe (x86), explorer.exe (x64)) using the VirtualAllocEx, WriteProcessMemory, CreateRemoteThread and WaitForSingleObject APIs. Critical APIs are dynamically loaded (no direct call) using the GetModuleHandle and GetProcAddress APIs.
  10. Windows Shellcode Injection Thread Hijack: Inject shellcode into remote process memory and execute it by hijacking thread execution (default: OneDrive.exe (x86), explorer.exe (x64)) using the VirtualAllocEx, WriteProcessMemory, Get/SetThreadContext and Suspend/ResumeThread APIs.
  11. Windows Shellcode Injection Thread Hijack LL/GPA: Inject shellcode into remote process memory and execute it by hijacking thread execution (default: OneDrive.exe (x86), explorer.exe (x64)) using the VirtualAllocEx, WriteProcessMemory, Get/SetThreadContext and Suspend/ResumeThread APIs. Critical APIs are dynamically loaded (no direct call) using the LoadLibrary and GetProcAddress APIs.
  12. Windows Shellcode Injection Thread Hijack GPA/GMH: Inject shellcode into remote process memory and execute it by hijacking thread execution (default: OneDrive.exe (x86), explorer.exe (x64)) using the VirtualAllocEx, WriteProcessMemory, Get/SetThreadContext and Suspend/ResumeThread APIs. Critical APIs are dynamically loaded (no direct call) using the GetModuleHandle and GetProcAddress APIs.

Windows Pure C meterpreter stager
Pure C polymorphic meterpreter stagers compatible with msfconsole and Cobalt Strike beacon (reverse_tcp/reverse_http).
(>) Randomized junkcode and Windows antivirus evasion techniques
(>) Phantom Evasion decoy process spawner available (see the Decoy Processes Spawner section)
(>) Strip executable available (https://en.wikipedia.org/wiki/Strip_(Unix))
(>) Execution time range: 35-60 seconds

  1. C meterpreter/reverse_TCP VirtualAlloc (x86/x64): 32/64 bit windows/meterpreter/reverse_tcp polymorphic stager written in C (requires a multi/handler listener with payload set to windows/meterpreter/reverse_tcp (if x86) or windows/x64/meterpreter/reverse_tcp (if x64); memory: Virtual)
  2. C meterpreter/reverse_TCP HeapAlloc (x86/x64): 32/64 bit windows/meterpreter/reverse_tcp polymorphic stager written in C (requires a multi/handler listener with payload set to windows/meterpreter/reverse_tcp (if x86) or windows/x64/meterpreter/reverse_tcp (if x64); memory: Heap)
  3. C meterpreter/reverse_TCP VirtualAlloc NoDirectCall GPAGMH (x86/x64): 32/64 bit windows/meterpreter/reverse_tcp polymorphic stager written in C (requires a multi/handler listener with payload set to windows/meterpreter/reverse_tcp (if x86) or windows/x64/meterpreter/reverse_tcp (if x64); memory: Virtual; APIs loaded at runtime)
  4. C meterpreter/reverse_TCP HeapAlloc NoDirectCall GPAGMH (x86/x64): 32/64 bit windows/meterpreter/reverse_tcp polymorphic stager written in C (requires a multi/handler listener with payload set to windows/meterpreter/reverse_tcp (if x86) or windows/x64/meterpreter/reverse_tcp (if x64); memory: Heap; APIs loaded at runtime)
  5. C meterpreter/reverse_HTTP VirtualAlloc (x86/x64): 32/64 bit windows/meterpreter/reverse_http polymorphic stager written in C (requires a multi/handler listener with payload set to windows/meterpreter/reverse_http (if x86) or windows/x64/meterpreter/reverse_http (if x64); memory: Virtual)
  6. C meterpreter/reverse_HTTP HeapAlloc (x86/x64): 32/64 bit windows/meterpreter/reverse_http polymorphic stager written in C (requires a multi/handler listener with payload set to windows/meterpreter/reverse_http (if x86) or windows/x64/meterpreter/reverse_http (if x64); memory: Heap)
  7. C meterpreter/reverse_HTTP VirtualAlloc NoDirectCall GPAGMH (x86/x64): 32/64 bit windows/meterpreter/reverse_http polymorphic stager written in C (requires a multi/handler listener with payload set to windows/meterpreter/reverse_http (if x86) or windows/x64/meterpreter/reverse_http (if x64); APIs loaded at runtime)
  8. C meterpreter/reverse_HTTP HeapAlloc NoDirectCall GPAGMH (x86/x64): 32/64 bit windows/meterpreter/reverse_http polymorphic stager written in C (requires a multi/handler listener with payload set to windows/meterpreter/reverse_http (if x86) or windows/x64/meterpreter/reverse_http (if x64); memory: Heap; APIs loaded at runtime)
  9. C meterpreter/reverse_HTTPS VirtualAlloc (x86/x64): 32/64 bit windows/meterpreter/reverse_https polymorphic stager written in C (requires a multi/handler listener with payload set to windows/meterpreter/reverse_https (if x86) or windows/x64/meterpreter/reverse_https (if x64); memory: Virtual)
  10. C meterpreter/reverse_HTTPS HeapAlloc (x86/x64): 32/64 bit windows/meterpreter/reverse_https polymorphic stager written in C (requires a multi/handler listener with payload set to windows/meterpreter/reverse_https (if x86) or windows/x64/meterpreter/reverse_https (if x64); memory: Heap)
  11. C meterpreter/reverse_HTTPS VirtualAlloc NoDirectCall GPAGMH (x86/x64): 32/64 bit windows/meterpreter/reverse_https polymorphic stager written in C (requires a multi/handler listener with payload set to windows/meterpreter/reverse_https (if x86) or windows/x64/meterpreter/reverse_https (if x64); APIs loaded at runtime)
  12. C meterpreter/reverse_HTTPS HeapAlloc NoDirectCall GPAGMH (x86/x64): 32/64 bit windows/meterpreter/reverse_https polymorphic stager written in C (requires a multi/handler listener with payload set to windows/meterpreter/reverse_https (if x86) or windows/x64/meterpreter/reverse_https (if x64); memory: Heap; APIs loaded at runtime)

Powershell / Wine-Pyinstaller modules
Powershell modules:
(>) Randomized junkcode and Windows antivirus evasion techniques
(>) Decoy Processes Spawner available (see the Decoy Processes Spawner section)
(>) Strip executable available (https://en.wikipedia.org/wiki/Strip_(Unix))
(>) Execution time range: 35-60 seconds

  1. Windows Powershell/Cmd Oneliner Dropper: Requires a user-provided Powershell/Cmd oneliner payload (for example an Empire oneliner payload). Generates a Windows Powershell/Cmd oneliner dropper written in C. The Powershell/Cmd oneliner payload is executed using the system() function.
  2. Windows Powershell Script Dropper: Both msfvenom and custom Powershell payloads supported. (32 bit Powershell payloads are not compatible with 64 bit Powershell targets and vice versa.) Generates a Windows Powershell script (.ps1) dropper written in C. The Powershell script payload is executed using the system() function (powershell -executionpolicy bypass -WindowStyle Hidden -Noexit -File "PathTops1script").

Wine-Pyinstaller modules:
(>) Randomized junkcode and Windows antivirus evasion techniques
(>) Execution time range: 5-25 seconds
(>) Requires python and pyinstaller installed in wine.

  1. Windows WinePyinstaller Python Meterpreter: Pure Python meterpreter payload.
  2. WinePyinstaller Oneliner payload dropper: Pure Python Powershell/cmd oneliner dropper. The Powershell/cmd payload is executed using os.system().

LINUX PAYLOADS

Linux Shellcode Injection Module (C)
Msfvenom Linux payloads and custom shellcodes supported.
(>) Randomized junkcode and C antivirus evasion techniques
(>) Multibyte Xor encoders available (see the Multibyte Xor encoders readme section)
(>) Strip executable available (https://en.wikipedia.org/wiki/Strip_(Unix))
(>) Execution time range: 20-45 seconds

  1. Linux Shellcode Injection HeapAlloc: Inject and execute shellcode in memory using mmap and memcpy.
  2. Linux Bash Oneliner Dropper: Execute a custom oneliner payload using the system() function.

OSX PAYLOADS

  1. OSX 32bit multi-encoded:

Pure msfvenom multi-encoded OSX payloads.

ANDROID PAYLOADS

  1. Android Msfvenom Apk smali/baksmali:

(>) Fake loop injection
(>) Goto loop
Android msfvenom payloads modified and rebuilt with apktool (also capable of apk backdoor injection).

UNIVERSAL PAYLOADS
Generate executables compatible with the OS used to run Phantom-Evasion.

  1. Universal Meterpreter increments-trick
  2. Universal Polymorphic Meterpreter
  3. Universal Polymorphic Oneliner dropper

POST-EXPLOITATION MODULES

  1. Windows Persistence RegCreateKeyExW Add Registry Key (C): This module generates executables which need to be uploaded to the target machine and executed, passing as argument the full path of the file to add to startup.
  2. Windows Persistence REG Add Registry Key (CMD): This module generates persistence cmdline payloads (Add Registry Key via REG.exe).
  3. Windows Persistence Keep Process Alive: This module generates an executable which needs to be uploaded to the target machine and executed. It uses CreateToolhelp32Snapshot, Process32First and Process32Next to check every X seconds whether the specified process is alive. Useful combined with Persistence N.1 or N.2 (the persistence entry starts the Keep Process Alive file, which then starts and keeps alive the required process).
  4. Windows Persistence Schtasks cmdline: This module generates persistence cmdline payloads (using Schtasks.exe).
  5. Windows Set Files Attribute Hidden: Hide a file via the command line or with a compiled executable (SetFileAttributes API).

Warning
PYTHON3 COMPATIBILITY TEMPORARILY SUSPENDED!

Decoy Processes Spawner:
During target-side execution this causes a maximum of four processes to be spawned sequentially (using the WinExec or CreateProcess API). The last spawned process reaches the malicious section of code, while the decoy processes spawned before it execute only random junk code.
PRO: longer execution time, lower detection rate. CONS: higher resource consumption.

Multibyte Xor Encoder:
C xor encoders with three pure C decoding stubs, available with the Shellcode Injection modules.

  1. MultibyteKey xor: Shellcode xored with one multibyte (variable length) random key. Polymorphic C decoder stub.
  2. Double Multibyte-key xor: Shellcode xored with the result of the xor between two multibyte (variable length) random keys. Polymorphic C decoder stub.
  3. Triple Multibyte-key xor: Shellcode xored with the result of the xor between two multibyte (variable length) random keys, xored again with a third multibyte random key. Polymorphic C decoder stub.
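A caveat worth seeing in code, added here as an illustration and not taken from the Phantom-Evasion project: the double and triple schemes collapse to one repeating key whose period is the lcm of the key lengths, so for an analyst they are no stronger than the single-key variant, and one period of known plaintext recovers the whole effective key. The key values and sample buffer are constructed, and the byte-wise cyclic combination of the keys is an assumption about how the tool applies them.

```python
from itertools import cycle, islice
from math import lcm

def keystream(key: bytes, n: int) -> bytes:
    """Repeat a multibyte key cyclically until it covers n bytes."""
    return bytes(islice(cycle(key), n))

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def layered_encode(data: bytes, *keys: bytes) -> bytes:
    """Single, double or triple multibyte-key xor as the page describes it:
    the data is xored with the xor of every key. Assumption: each key is
    applied cyclically and the keys are combined byte by byte."""
    combined = bytes(len(data))
    for key in keys:
        combined = xor_bytes(combined, keystream(key, len(data)))
    return xor_bytes(data, combined)

def effective_key(*keys: bytes) -> bytes:
    """The one repeating key equivalent to the whole layered scheme.
    Its period is lcm(len(k1), len(k2), ...), nothing more."""
    period = lcm(*(len(k) for k in keys))
    return layered_encode(bytes(period), *keys)

def single_key_decode(blob: bytes, key: bytes) -> bytes:
    return xor_bytes(blob, keystream(key, len(blob)))

def recover_effective_key(blob: bytes, known_prefix: bytes, period: int) -> bytes:
    """Known-plaintext recovery: one full period of known original bytes,
    xored against the encoded blob, yields the effective key."""
    if len(known_prefix) < period:
        raise ValueError("need at least one full period of known plaintext")
    return xor_bytes(blob[:period], known_prefix[:period])

# Constructed sample input: ordinary text standing in for a payload buffer.
SAMPLE = b"constructed sample buffer, not a real payload, used only for the demo"
K1, K2, K3 = bytes([0x13, 0x37, 0xAB]), bytes([0x55, 0xAA]), bytes([1, 2, 3, 4])

if __name__ == "__main__":
    blob = layered_encode(SAMPLE, K1, K2, K3)
    eff = effective_key(K1, K2, K3)          # 12 bytes: lcm(3, 2, 4)
    print(len(eff), single_key_decode(blob, eff) == SAMPLE)
    print(recover_effective_key(blob, SAMPLE, len(eff)) == eff)
```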
