# ---------------------------------------------------------------------------
# embed_payload.ps1 - Reads in payload file, XOR-encrypts the data using
# a randomly generated key, XOR-encrypts the key, and embeds the payload and
# encrypted key into header template
# This project makes use of ATT&CK®
# ATT&CK Terms of Use - https://attack.mitre.org/resources/terms-of-use/
# Usage: powershell -file embed_payload.ps1 -Template HEADER_TEMPLATE -InputFile PAYLOAD_FILE -OutputFile OUTPUT_FILE -EmbedNamespace NAMESPACE
# ---------------------------------------------------------------------------
<#
.Description
Encrypts and embeds provided input file as a byte array in header template.
Encryption key is randomly generated, encrypted, and also embedded.
Note: the transform is a byte-wise XOR with a repeating 32-byte key, and the key
itself is XOR-masked with a single fixed byte before being embedded next to the
data, so this is reversible masking rather than confidentiality-grade encryption.
.Parameter Template
Template header file; the placeholders PAYLOAD_SIZE, PAYLOAD_BYTES, KEY_BYTES and
EMBEDDED_NAMESPACE in it are replaced.
.Parameter InputFile
Input file to embed
.Parameter OutputFile
Output header file
.Parameter EmbedNamespace
Namespace name substituted for EMBEDDED_NAMESPACE in the template
#>
Param(
[Parameter(Mandatory=$true)][String]$Template,
[Parameter(Mandatory=$true)][String]$InputFile,
[Parameter(Mandatory=$true)][String]$OutputFile,
[Parameter(Mandatory=$true)][String]$EmbedNamespace
)
function XOR-Encrypt {
    <#
    .Synopsis
    XORs every byte of -Plaintext in place with the key byte at (index + Offset) mod key length.
    .Description
    Mutates the array passed as -Plaintext and returns nothing. XOR is its own inverse,
    so running the same call again restores the original bytes: this is a reversible
    masking step, not confidentiality-grade encryption.
    .Parameter Plaintext
    Byte array transformed in place.
    .Parameter Key
    Key bytes, cycled over the input.
    .Parameter Offset
    Starting position within the key for the first input byte.
    #>
    Param(
        [Parameter(Mandatory=$true)][Byte[]] $Plaintext,
        [Parameter(Mandatory=$true)][Byte[]] $Key,
        [Parameter(Mandatory=$true)][int] $Offset
    )
    $keyLength = $Key.Length;
    $index = 0;
    while ($index -lt $Plaintext.Length) {
        # Key position wraps around once the key is exhausted.
        $keyByte = $Key[($index + $Offset) % $keyLength];
        $Plaintext[$index] = $Plaintext[$index] -bxor $keyByte;
        $index++;
    }
}
# Converts byte array to comma-separated hex string to include in
# the header template, with 16 bytes per line.
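function BytesToHeaderString {
    <#
    .Synopsis
    Converts a byte array to a comma-separated list of 0xNN literals for the header template.
    .Description
    Emits 16 bytes per line; each line starts with a newline and a single space, and the
    whole string ends with a newline. The line-break counter is local to this function:
    the previous version read an uninitialised $count from the caller's scope, so a stray
    $count there would shift the line breaks.
    .Parameter InputBytes
    Bytes to render.
    #>
    Param(
        [Parameter(Mandatory=$true)][Byte[]] $InputBytes
    )
    $parts = New-Object System.Collections.Generic.List[string];
    for ($i = 0; $i -lt $InputBytes.Length; $i++) {
        $hex = "0x{0:X2}" -f $InputBytes[$i];
        # Line breaks every 16 bytes (including before the first byte).
        if (($i % 16) -eq 0) {
            $hex = "`n " + $hex;
        }
        $parts.Add($hex);
    }
    return ($parts -join ",") + "`n";
}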
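echo "[INFO] Embedding $InputFile into template file $Template to create $OutputFile. Using namespace: $EmbedNamespace";

# Read input and template files.
$inputBytes = [System.IO.File]::ReadAllBytes("$InputFile");
# An empty payload would otherwise surface as an opaque parameter-binding
# error from XOR-Encrypt (a Mandatory [Byte[]] parameter rejects empty arrays).
if ($inputBytes.Count -eq 0) {
    throw "[ERROR] Input file $InputFile is empty; nothing to embed.";
}
# Get-Content errors are non-terminating by default; without -ErrorAction Stop
# a missing template leaves $templateText null and fails later on .Replace().
$templateText = Get-Content -Raw "$Template" -ErrorAction Stop;
# Substitution is silent, so warn when a placeholder is absent from the template.
foreach ($placeholder in @("PAYLOAD_SIZE", "PAYLOAD_BYTES", "KEY_BYTES", "EMBEDDED_NAMESPACE")) {
    if (-not $templateText.Contains($placeholder)) {
        Write-Warning "Template $Template does not contain placeholder $placeholder; nothing will be substituted for it.";
    }
}

# Generate the 32-byte key from the cryptographic RNG; the RNG is disposable.
$payloadKey = [Byte[]]::new(32);
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create();
try {
    $rng.GetBytes($payloadKey);
} finally {
    $rng.Dispose();
}
$payloadKeyStr = ($payloadKey | ForEach-Object { "{0:X2}" -f $_ }) -join "";
echo "Generated key: $payloadKeyStr";

# Triple-XOR encrypt payload. Three passes with the same key at offsets 0, 1
# and 7 compose into a single XOR with a key derived from $payloadKey, so this
# is reversible masking rather than confidentiality-grade encryption.
XOR-Encrypt -Plaintext $inputBytes -Key $payloadKey -Offset 0;
XOR-Encrypt -Plaintext $inputBytes -Key $payloadKey -Offset 1;
XOR-Encrypt -Plaintext $inputBytes -Key $payloadKey -Offset 7;

# Mask the XOR key with a single fixed byte; the masked key is embedded next to the data.
[byte[]]$encKey = @([byte]0x3F);
XOR-Encrypt -Plaintext $payloadKey -Key $encKey -Offset 0;

# Generate array text. $count is reset here because BytesToHeaderString's
# line-break counter can resolve to this variable through dynamic scoping.
$count = 0;
$embeddedBytesStr = BytesToHeaderString -InputBytes $inputBytes;
# Generate key text
$keyStr = BytesToHeaderString -InputBytes $payloadKey;

# Embed encrypted payload bytes, key and namespace into the template.
$outputText = $templateText.Replace("PAYLOAD_SIZE", $inputBytes.Count.ToString()).Replace("PAYLOAD_BYTES", "$embeddedBytesStr");
$outputText = $outputText.Replace("KEY_BYTES", "$keyStr");
$outputText = $outputText.Replace("EMBEDDED_NAMESPACE", "$EmbedNamespace");
# NOTE(review): Out-File's default encoding differs between Windows PowerShell
# (UTF-16LE with BOM) and PowerShell 7 (UTF-8); pass -Encoding explicitly if the
# toolchain consuming the header is sensitive to it.
$outputText | Out-File -FilePath "$OutputFile";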