ProtectMyTooling – Multi-Packer Wrapper Letting Us Daisy-Chain Various Packers, Obfuscators And Other Red Team Oriented Weaponry

A script that wraps around a multitude of packers, protectors, obfuscators, shellcode loaders, encoders and generators to produce complex, protected Red Team implants. Your perfect companion in

With ProtectMyTooling you can quickly obfuscate your binaries without clicking through dialogs, interfaces and menus, creating a project just to obfuscate a single binary, reviewing every available option and wasting time on all that nonsense. It takes you straight to the point: obfuscating your tool.

The aim is to offer the most convenient interface possible and to let you daisy-chain multiple packers on a single binary.

That’s right – we can launch ProtectMyTooling with several packers at once:

C:> py ProtectMyTooling.py hyperion,upx mimikatz.exe mimikatz-obf.exe

The above example first passes mimikatz.exe to Hyperion for obfuscation, then hands the result to UPX for compression, producing UPX(Hyperion(file)).

Features

  • Supports multiple different PE Packers, .NET Obfuscators, Shellcode Loaders/Builders
  • Allows daisy-chaining packers, where the output of one packer is passed to the next one: callobf,hyperion,upx will produce the artifact UPX(Hyperion(CallObf(file)))
  • Collects IOCs at every obfuscation step so that auditing & Blue Team requests can be satisfied
  • Offers functionality to inject custom Watermarks to resulting PE artifacts – in DOS Stub, Checksum, as a standalone PE Section, to file’s Overlay
  • Comes up with a handy
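The watermark locations listed above (DOS stub, Checksum field, a dedicated section, the overlay) are exactly the places a Blue Team can key on when triaging a suspected ProtectMyTooling artifact. The following is an added example, not code from the tool: a dependency-free Python checker that parses the PE headers and reports whether a given marker sits in the DOS stub, in a section name or section body, or in the overlay, and what the Checksum field holds. `build_sample_pe` constructs a minimal, non-loadable PE purely as offline test input, and the marker ACME-RT is a made-up value.

```python
import struct

def build_sample_pe(stub_marker: bytes, section_name: bytes, overlay: bytes, checksum: int) -> bytes:
    """Constructed minimal PE32 image (headers + one section, not loadable) used only as test input."""
    e_lfanew = 0x80
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)   # 64 bytes, e_lfanew at 0x3C
    dos_stub = stub_marker.ljust(e_lfanew - 0x40, b"\x00")            # bytes 0x40..0x7F
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)    # 1 section, 0xE0-byte optional header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 0x40, checksum)                       # CheckSum field lives at +0x40
    raw_ptr, raw_size = 0x200, 0x200
    section = section_name[:8].ljust(8, b"\x00") + struct.pack(
        "<IIIIIIHHI", raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos_header + dos_stub + b"PE\x00\x00" + coff + bytes(opt) + section
    return headers.ljust(raw_ptr, b"\x00") + b"\xCC" * raw_size + overlay

def find_watermarks(pe: bytes, marker: bytes) -> dict:
    """Check every region ProtectMyTooling can watermark; the raw CheckSum value is returned for comparison."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    hits = {
        "dos_stub": marker in pe[0x40:e_lfanew],        # stub sits between the DOS header and the PE header
        "checksum_value": struct.unpack_from("<I", pe, opt + 0x40)[0],
        "section": False,
        "overlay": False,
    }
    end_of_sections = 0
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i                    # section table follows the optional header
        name = pe[hdr:hdr + 8].rstrip(b"\x00")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        if name == marker[:8] or marker in pe[raw_ptr:raw_ptr + raw_size]:
            hits["section"] = True
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    hits["overlay"] = marker in pe[end_of_sections:]     # anything past the last section's raw data is overlay
    return hits
```

To scan a real sample, read the file as bytes and pass it together with the marker string agreed with the Red Team; a non-zero Checksum that does not match the image's computed checksum is itself worth noting.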

    1. Then, in your Beacon’s console, you’ll have the following commands available:
    • protected-execute-assembly – Executes a local, previously protected and compressed .NET program in memory on the target.
    • protected-upload – Takes an input file, protects it if it is a PE executable, and then uploads that file to the specified remote location.

    Basically, these commands open the input files and pass them first to the CobaltStrike/cobaltProtectMyTooling.py script, which in turn calls out to ProtectMyTooling.py. As soon as the binary has been obfuscated, it is passed to your Beacon for execution or upload.

    Cobalt Strike related Options

    Here’s a list of options required by the Cobalt Strike integrator:

    • python3_interpreter_path – Specify a path to Python3 interpreter executable
    • protect_my_tooling_dir – Specify a path to ProtectMyTooling main directory
    • protect_my_tooling_config – Specify a path to ProtectMyTooling configuration file with various packers options
    • dotnet_assemblies_directory – Specify a local path in which .NET assemblies should be looked for if execute-assembly does not find them
    • cache_protected_executables – Enable to cache already protected executables and reuse them when needed
    • protected_executables_cache_dir – Specify a path to a directory that should store cached protected executables
    • default_exe_x86_packers_chain – Native x86 EXE executables protectors/packers chain
    • default_exe_x64_packers_chain – Native x64 EXE executables protectors/packers chain
    • default_dll_x86_packers_chain – Native x86 DLL executables protectors/packers chain
    • default_dll_x64_packers_chain – Native x64 DLL executables protectors/packers chain
    • default_dotnet_packers_chain – .NET executables protectors/packers chain

    Known Issues

    • ScareCrow is very tricky to run from Windows. What worked for me is the following:
      1. Run on Windows 10 and have WSL installed (bash.exe command available in Windows)
      2. Have golang installed in WSL at version 1.16+ (tested on 1.18)
      3. Make sure to have PackerScareCrow.Run_ScareCrow_On_Windows_As_WSL = True set

    Credits due & used technology

    • All packer, obfuscator, converter and loader credit goes to their authors. This tool is merely a wrapper around their technology!

      • Hopefully none of them mind me adding such wrappers. Should there be concerns – please reach out to me.
    • ProtectMyTooling also uses denim.exe by moloch-- for some Nim-based packers.


    TODO

    • Write custom PE injector and offer it as a “protector”
    • Add watermarking to other file formats such as Office documents, WSH scripts (VBS, JS, HTA) and containers
    • Add support for a few other Packers/Loaders/Generators in the near future:
      • GadgetToJScript
      • Limelighter
      • PEZor
      • msfvenom – two variants, one for input shellcode, the other for an executable

    Disclaimer

    Use of this tool, as well as of any other project I am the author of, for illegal purposes, unsolicited hacking or cyber-espionage is strictly prohibited. This and the other tools I distribute help professional Penetration Testers, Security Consultants, Security Engineers and other security personnel improve the cyber-defence capabilities of their customers’ networks.
    In no event shall the authors or copyright holders be liable for any claim, damages or other liability arising from illegal use of this software.

    If there are concerns, copyright issues, threats posed by this software or other inquiries – I am open to collaborate in responsibly addressing them.

    The tool exposes a handy interface for using mostly open-source or commercially available packers/protectors/obfuscation software, and therefore does not by itself introduce any new threats to the cyber-security landscape.


    ☕Show Support☕

    This and other projects are the outcome of sleepless nights and plenty of hard work. If you like what I do and appreciate that I always give back to the community, consider buying me a coffee (or, better, a beer) just to say thank you!


    Author

       Mariusz Banach / mgeeky, '20-'22
    <mb [at] binary-offensive.com>
    (https://github.com/mgeeky)
    Download ProtectMyTooling
