python-obfuscation-framework 1.4.1__py3-none-any.whl

pof/evasion/os/domain.py

@@ -0,0 +1,27 @@
+from tokenize import LPAR, NAME, OP, RPAR, STRING
+
+from pof.evasion.base import BaseEvasion
+
+
+class DomainEvasion(BaseEvasion):
+    def __init__(self, domain) -> None:
+        self.domain = domain
+
+    @staticmethod
+    def import_tokens():
+        return [
+            (NAME, "import"),
+            (NAME, "socket"),
+        ]
+
+    def check_tokens(self):
+        """`socket.getfqdn()!='debian'`."""
+        return [
+            (NAME, "socket"),
+            (OP, "."),
+            (NAME, "getfqdn"),
+            (LPAR, "("),
+            (RPAR, ")"),
+            (OP, "!="),
+            (STRING, repr(self.domain)),
+        ]

pof/evasion/os/hostname.py

@@ -0,0 +1,27 @@
+from tokenize import LPAR, NAME, OP, RPAR, STRING
+
+from pof.evasion.base import BaseEvasion
+
+
+class HostnameEvasion(BaseEvasion):
+    def __init__(self, hostname) -> None:
+        self.hostname = hostname
+
+    @staticmethod
+    def import_tokens():
+        return [
+            (NAME, "import"),
+            (NAME, "socket"),
+        ]
+
+    def check_tokens(self):
+        """`socket.gethostname()!='debian'`."""
+        return [
+            (NAME, "socket"),
+            (OP, "."),
+            (NAME, "gethostname"),
+            (LPAR, "("),
+            (RPAR, ")"),
+            (OP, "!="),
+            (STRING, repr(self.hostname)),
+        ]

pof/evasion/os/uid.py

@@ -0,0 +1,28 @@
+# TODO (deoktr): add compat with windows: `ctypes.windll.shell32.IsUserAnAdmin()`
+from tokenize import LPAR, NAME, NUMBER, OP, RPAR
+
+from pof.evasion.base import BaseEvasion
+
+
+class LinuxUIDEvasion(BaseEvasion):
+    def __init__(self, uid) -> None:
+        self.uid = uid
+
+    @staticmethod
+    def import_tokens():
+        return [
+            (NAME, "import"),
+            (NAME, "os"),
+        ]
+
+    def check_tokens(self):
+        """`os.getuid()!=1000`."""
+        return [
+            (NAME, "os"),
+            (OP, "."),
+            (NAME, "getuid"),
+            (LPAR, "("),
+            (RPAR, ")"),
+            (OP, "!="),
+            (NUMBER, str(self.uid)),
+        ]

pof/evasion/os/username.py

@@ -0,0 +1,27 @@
+from tokenize import LPAR, NAME, OP, RPAR, STRING
+
+from pof.evasion.base import BaseEvasion
+
+
+class UsernameEvasion(BaseEvasion):
+    def __init__(self, username) -> None:
+        self.username = username
+
+    @staticmethod
+    def import_tokens():
+        return [
+            (NAME, "import"),
+            (NAME, "getpass"),
+        ]
+
+    def check_tokens(self):
+        """`getpass.getuser()!='username'`."""
+        return [
+            (NAME, "getpass"),
+            (OP, "."),
+            (NAME, "getuser"),
+            (LPAR, "("),
+            (RPAR, ")"),
+            (OP, "!="),
+            (STRING, repr(self.username)),
+        ]

pof/evasion/processes/proc_count.py

@@ -0,0 +1,47 @@
+# TODO (deoktr): make a version for windows
+from tokenize import LPAR, NAME, NUMBER, OP, RPAR, STRING
+
+from pof.evasion.base import BaseEvasion
+
+
+class LinuxProcCountEvasion(BaseEvasion):
+    def __init__(self, proc_count=100) -> None:
+        self.proc_count = proc_count
+
+    @staticmethod
+    def import_tokens():
+        return [
+            (NAME, "import"),
+            (NAME, "os"),
+        ]
+
+    def check_tokens(self):
+        """`len(list(filter(lambda d: d.isdigit(), os.listdir("/proc")))) < 100`."""
+        return [
+            (NAME, "len"),
+            (LPAR, "("),
+            (NAME, "list"),
+            (LPAR, "("),
+            (NAME, "filter"),
+            (LPAR, "("),
+            (NAME, "lambda"),
+            (NAME, "d"),
+            (OP, ":"),
+            (NAME, "d"),
+            (OP, "."),
+            (NAME, "isdigit"),
+            (LPAR, "("),
+            (RPAR, ")"),
+            (OP, ","),
+            (NAME, "os"),
+            (OP, "."),
+            (NAME, "listdir"),
+            (LPAR, "("),
+            (STRING, repr("/proc")),
+            (RPAR, ")"),
+            (RPAR, ")"),
+            (RPAR, ")"),
+            (RPAR, ")"),
+            (OP, "<"),
+            (NUMBER, str(self.proc_count)),
+        ]

pof/evasion/time/expire.py

@@ -0,0 +1,75 @@
+from datetime import UTC, datetime, timedelta
+from tokenize import LPAR, NAME, NUMBER, OP, RPAR
+
+from pof.evasion.base import BaseEvasion
+
+
+class ExpireEvasion(BaseEvasion):
+    def __init__(self, under_datetime=None, over_datetime=None) -> None:
+        """Expire after a certain time (default 15 minutes)."""
+        if under_datetime is None:
+            under_datetime = datetime.now(tz=UTC) + timedelta(minutes=15)
+        self.under_datetime = under_datetime
+
+        # TODO (deoktr): remove random timedelta to now, as to not give the date/time of
+        # payload creation
+        if over_datetime is None:
+            over_datetime = datetime.now(tz=UTC)
+        self.over_datetime = over_datetime
+
+    @staticmethod
+    def import_tokens():
+        return [
+            (NAME, "from"),
+            (NAME, "datetime"),
+            (NAME, "import"),
+            (NAME, "datetime"),
+        ]
+
+    def check_tokens(self):
+        """Time expiry check tokens.
+
+        `datetime(2023,1,1,1,1)>datetime.utcnow()
+            or datetime.utcnow()>datetime(2023,1,2,1,1,1)`
+        """
+        return [
+            (NAME, "datetime"),
+            (LPAR, "("),
+            (NUMBER, str(self.over_datetime.year)),
+            (OP, ","),
+            (NUMBER, str(self.over_datetime.month)),
+            (OP, ","),
+            (NUMBER, str(self.over_datetime.day)),
+            (OP, ","),
+            (NUMBER, str(self.over_datetime.hour)),
+            (OP, ","),
+            (NUMBER, str(self.over_datetime.minute)),
+            (RPAR, ")"),
+            (OP, ">"),
+            (NAME, "datetime"),
+            (OP, "."),
+            (NAME, "utcnow"),
+            (LPAR, "("),
+            (RPAR, ")"),
+            (NAME, "or"),
+            (NAME, "datetime"),
+            (OP, "."),
+            (NAME, "utcnow"),
+            (LPAR, "("),
+            (RPAR, ")"),
+            (OP, ">"),
+            (NAME, "datetime"),
+            (LPAR, "("),
+            (NUMBER, str(self.under_datetime.year)),
+            (OP, ","),
+            (NUMBER, str(self.under_datetime.month)),
+            (OP, ","),
+            (NUMBER, str(self.under_datetime.day)),
+            (OP, ","),
+            (NUMBER, str(self.under_datetime.hour)),
+            (OP, ","),
+            (NUMBER, str(self.under_datetime.minute)),
+            (OP, ","),
+            (NUMBER, str(self.under_datetime.second)),
+            (RPAR, ")"),
+        ]

pof/evasion/time/uptime.py

@@ -0,0 +1,48 @@
+# TODO (deoktr): windows version: https://www.geeksforgeeks.org/getting-the-time-since-os-startup-using-python/
+from tokenize import LPAR, NAME, NUMBER, OP, RPAR, STRING
+
+from pof.evasion.base import BaseEvasion
+
+
+class LinuxUptimeEvasion(BaseEvasion):
+    def __init__(self, uptime=12 * 60) -> None:
+        # uptime is in seconds
+        # default: 12 minutes
+        self.uptime = uptime
+
+    @staticmethod
+    def import_tokens():
+        return [
+            (NAME, "from"),
+            (NAME, "pathlib"),
+            (NAME, "import"),
+            (NAME, "Path"),
+        ]
+
+    def check_tokens(self):
+        """Validates system does not use UTC timezone.
+
+        `float(Path("/proc/uptime").read_text().split()[0]) < 12**60`
+        """
+        return [
+            (NAME, "float"),
+            (LPAR, "("),
+            (NAME, "Path"),
+            (LPAR, "("),
+            (STRING, repr("/proc/uptime")),
+            (RPAR, ")"),
+            (OP, "."),
+            (NAME, "read_text"),
+            (LPAR, "("),
+            (RPAR, ")"),
+            (OP, "."),
+            (NAME, "split"),
+            (LPAR, "("),
+            (RPAR, ")"),
+            (OP, "["),
+            (NUMBER, "0"),
+            (OP, "]"),
+            (RPAR, ")"),
+            (OP, "<"),
+            (NUMBER, str(self.uptime)),
+        ]

pof/evasion/time/utc.py

@@ -0,0 +1,26 @@
+from tokenize import NAME, OP, STRING
+
+from pof.evasion.base import BaseEvasion
+
+
+class UTCEvasion(BaseEvasion):
+    @staticmethod
+    def import_tokens():
+        return [
+            (NAME, "import"),
+            (NAME, "time"),
+        ]
+
+    @staticmethod
+    def check_tokens():
+        """Validates system does not use UTC timezone.
+
+        `"UTC" in time.tzname`
+        """
+        return [
+            (STRING, '"UTC"'),
+            (NAME, "in"),
+            (NAME, "time"),
+            (OP, "."),
+            (NAME, "tzname"),
+        ]

pof/evasion/utils.py

@@ -0,0 +1,198 @@
+"""Utils.
+
+Todo:
+- add process list
+- add list of directory
+- add reverse engineering tools
+- add Ansible directory
+"""
+
+WIN_FILE_SYSTEM_PARALLELS = [
+    r"c:\windows\system32\drivers\prleth.sys",
+    r"c:\windows\system32\drivers\prlfs.sys",
+    r"c:\windows\system32\drivers\prlmouse.sys",
+    r"c:\windows\system32\drivers\prlvideo.sys",
+    r"c:\windows\system32\drivers\prltime.sys",
+    r"c:\windows\system32\drivers\prl_pv32.sys",
+    r"c:\windows\system32\drivers\prl_paravirt_32.sys",
+]
+
+WIN_FILE_SYSTEM_VIRTUALBOX = [
+    r"c:\windows\system32\drivers\VBoxMouse.sys",
+    r"c:\windows\system32\drivers\VBoxGuest.sys",
+    r"c:\windows\system32\drivers\VBoxSF.sys",
+    r"c:\windows\system32\drivers\VBoxVideo.sys",
+    r"c:\windows\system32\vboxdisp.dll",
+    r"c:\windows\system32\vboxhook.dll",
+    r"c:\windows\system32\vboxmrxnp.dll",
+    r"c:\windows\system32\vboxogl.dll",
+    r"c:\windows\system32\vboxoglarrayspu.dll",
+    r"c:\windows\system32\vboxoglcrutil.dll",
+    r"c:\windows\system32\vboxoglerrorspu.dll",
+    r"c:\windows\system32\vboxoglfeedbackspu.dll",
+    r"c:\windows\system32\vboxoglpackspu.dll",
+    r"c:\windows\system32\vboxoglpassthroughspu.dll",
+    r"c:\windows\system32\vboxservice.exe",
+    r"c:\windows\system32\vboxtray.exe",
+    r"c:\windows\system32\VBoxControl.exe",
+]
+
+WIN_FILE_SYSTEM_VIRTUALPC = [
+    r"c:\windows\system32\drivers\vmsrvc.sys",
+    r"c:\windows\system32\drivers\vpc-s3.sys",
+]
+
+WIN_FILE_SYSTEM_VMWARE = [
+    r"c:\windows\system32\drivers\vmmouse.sys",
+    r"c:\windows\system32\drivers\vmnet.sys",
+    r"c:\windows\system32\drivers\vmxnet.sys",
+    r"c:\windows\system32\drivers\vmhgfs.sys",
+    r"c:\windows\system32\drivers\vmx86.sys",
+    r"c:\windows\system32\drivers\hgfs.sys",
+]
+
+WIN_FILE_SYSTEM = (
+    WIN_FILE_SYSTEM_PARALLELS
+    + WIN_FILE_SYSTEM_VIRTUALBOX
+    + WIN_FILE_SYSTEM_VIRTUALPC
+    + WIN_FILE_SYSTEM_VMWARE
+)
+
+FILE_SYSTEM = WIN_FILE_SYSTEM
+
+# source: https://evasions.checkpoint.com/techniques/generic-os-queries.html#check-if-username-is-specific
+USERNAME = [
+    "admin",
+    "andy",
+    "honey",
+    "john",
+    "john doe",
+    "malnetvm",
+    "maltest",
+    "malware",
+    "roo",
+    "sandbox",
+    "snort",
+    "tequilaboomboom",
+    "test",
+    "virus",
+    "virusclone",
+    "wilbert",
+    "remnux",
+    "nepenthes",  # Nepenthes
+    "currentuser",  # Norman
+    "username",  # ThreatExpert
+    "user",  # Sandboxie
+    "vmware",  # VMware
+]
+
+# source: https://evasions.checkpoint.com/techniques/generic-os-queries.html#check-if-computer-name-is-specific
+HOSTNAME = [
+    "klone_x64-pc",
+    "tequilaboomboom",
+    "TU-4NH09SMCG1HC",  # Anubis
+    "InsideTm",  # Anubis
+]
+
+# source: https://github.com/PwnDexter/SharpEDRChecker/blob/master/SharpEDRChecker/EDRData.cs
+EDR_LIST = [
+    "activeconsole",
+    "amsi.dll",
+    "anti malware",
+    "anti-malware",
+    "antimalware",
+    "anti virus",
+    "anti-virus",
+    "antivirus",
+    "appsense",
+    "authtap",
+    "avast",
+    "avecto",
+    "canary",
+    "carbonblack",
+    "carbon black",
+    "cb.exe",
+    "ciscoamp",
+    "cisco amp",
+    "countercept",
+    "countertack",
+    "cramtray",
+    "crssvc",
+    "crowdstrike",
+    "csagent",
+    "csfalcon",
+    "csshell",
+    "cybereason",
+    "cyclorama",
+    "cylance",
+    "cyoptics",
+    "cyupdate",
+    "cyvera",
+    "cyserver",
+    "cytray",
+    "darktrace",
+    "defendpoint",
+    "defender",
+    "eectrl",
+    "elastic",
+    "endgame",
+    "f-secure",
+    "forcepoint",
+    "fireeye",
+    "groundling",
+    "GRRservic",
+    "inspector",
+    "ivanti",
+    "kaspersky",
+    "lacuna",
+    "logrhythm",
+    "malware",
+    "mandiant",
+    "mcafee",
+    "morphisec",
+    "msascuil",
+    "msmpeng",
+    "nissrv",
+    "omni",
+    "omniagent",
+    "osquery",
+    "Palo Alto Networks",
+    "pgeposervice",
+    "pgsystemtray",
+    "privilegeguard",
+    "procwall",
+    "protectorservic",
+    "qradar",
+    "redcloak",
+    "secureworks",
+    "securityhealthservice",
+    "semlaunchsv",
+    "sentinel",
+    "sepliveupdat",
+    "sisidsservice",
+    "sisipsservice",
+    "sisipsutil",
+    "smc.exe",
+    "smcgui",
+    "snac64",
+    "sophos",
+    "splunk",
+    "srtsp",
+    "symantec",
+    "symcorpu",
+    "symefasi",
+    "sysinternal",
+    "sysmon",
+    "tanium",
+    "tda.exe",
+    "tdawork",
+    "tpython",
+    "vectra",
+    "wincollect",
+    "windowssensor",
+    "wireshark",
+    "threat",
+    "xagt.exe",
+    "xagtnotif.exe",
+    "hurukai",
+]