Script that wraps around a multitude of packers, protectors, obfuscators, shellcode loaders, encoders and generators to produce complex, protected Red Team implants. Your perfect companion in
With ProtectMyTooling you can quickly obfuscate your binaries without having to click through dialogs, interfaces and menus, create a project just to obfuscate a single binary, or wade through every available option. It takes you straight to the point: obfuscating your tool.
The aim is to offer the most convenient interface possible and to let you apply a daisy-chain of multiple packers to a single binary.
That's right: we can launch ProtectMyTooling with several packers at once:

```
C:\> py ProtectMyTooling.py hyperion,upx mimikatz.exe mimikatz-obf.exe
```

The above example first passes mimikatz.exe to Hyperion for obfuscation, and the result is then handed to UPX for compression, producing mimikatz-obf.exe.
- Supports multiple different PE packers, .NET obfuscators and shellcode loaders/builders
- Allows daisy-chaining packers, where the output of one packer is passed to the next one: `callobf,hyperion,upx` produces an artifact that was first processed by callobf, then by Hyperion, and finally compressed by UPX
- Collects IOCs at every obfuscation step so that auditing and Blue Team requests can be satisfied
- Offers functionality to inject custom watermarks into resulting PE artifacts: in the DOS stub, in the checksum field, as a standalone PE section, or in the file's overlay
- Comes with a handy Cobalt Strike integration (see below)
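The daisy-chain, per-step IOC collection and PE watermarking features above, illustrated by an added example that is not ProtectMyTooling's own code. It applies three of the watermark locations listed (DOS stub, checksum field, overlay) to a constructed, header-only PE image and records size and hashes after every step, the way a chain's intermediate artifacts would be logged. The step names, the watermark strings, `build_minimal_pe` and the helper function names are assumptions for illustration; the only facts it relies on are the PE header layout (e_lfanew at 0x3C, CheckSum at offset 64 of the Optional Header for both PE32 and PE32+).

```python
import hashlib
import struct
from typing import Callable, Dict, List, Tuple

# Offsets from the PE/COFF spec: e_lfanew lives at 0x3C in the DOS header,
# CheckSum at offset 64 inside the Optional Header (same for PE32 and PE32+).
E_LFANEW_OFF = 0x3C
DOS_HEADER_SIZE = 0x40
OPT_HDR_CHECKSUM_OFF = 64


def pe_header_offset(pe: bytes) -> int:
    """Locate the 'PE\\0\\0' signature; raise if the buffer is not a PE file."""
    if pe[:2] != b"MZ" or len(pe) < E_LFANEW_OFF + 4:
        raise ValueError("not a PE file (missing MZ header)")
    off = struct.unpack_from("<I", pe, E_LFANEW_OFF)[0]
    if pe[off:off + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    return off


def watermark_dos_stub(pe: bytes, mark: bytes) -> bytes:
    """Overwrite the tail of the DOS stub (0x40 .. e_lfanew) with `mark`.

    Windows never executes the stub, so its bytes are free, but the region must
    keep its size so that e_lfanew and every later file offset stay valid.
    """
    pe_off = pe_header_offset(pe)
    room = pe_off - DOS_HEADER_SIZE
    if len(mark) > room:
        raise ValueError(f"watermark of {len(mark)} bytes does not fit in {room}-byte DOS stub")
    buf = bytearray(pe)
    start = pe_off - len(mark)            # write at the very end of the stub
    buf[start:pe_off] = mark
    return bytes(buf)


def watermark_checksum(pe: bytes, value: int) -> bytes:
    """Store a 32-bit watermark in OptionalHeader.CheckSum.

    User-mode images load fine with a wrong checksum (only drivers and some
    system images are verified), so the field is a cheap place for a DWORD.
    Any later packer that recomputes the checksum will erase it.
    """
    pe_off = pe_header_offset(pe)
    field = pe_off + 4 + 20 + OPT_HDR_CHECKSUM_OFF   # signature + COFF header + offset in Optional Header
    buf = bytearray(pe)
    struct.pack_into("<I", buf, field, value & 0xFFFFFFFF)
    return bytes(buf)


def read_checksum(pe: bytes) -> int:
    """Read back OptionalHeader.CheckSum (used to verify the watermark survived)."""
    pe_off = pe_header_offset(pe)
    return struct.unpack_from("<I", pe, pe_off + 4 + 20 + OPT_HDR_CHECKSUM_OFF)[0]


def watermark_overlay(pe: bytes, mark: bytes) -> bytes:
    """Append `mark` after the last section (the file overlay).

    No header references the overlay, so the image still loads; the trade-off
    is that any Authenticode signature no longer verifies.
    """
    pe_header_offset(pe)                  # validate before appending
    return pe + mark


def collect_ioc(step: str, data: bytes) -> Dict[str, object]:
    """Record what a Blue Team would need to match this intermediate artifact later."""
    return {
        "step": step,
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def daisy_chain(data: bytes,
                steps: List[Tuple[str, Callable[[bytes], bytes]]]
                ) -> Tuple[bytes, List[Dict[str, object]]]:
    """Run each step on the previous step's output, collecting an IOC record per step."""
    iocs = [collect_ioc("input", data)]
    for name, fn in steps:
        data = fn(data)
        iocs.append(collect_ioc(name, data))
    return data, iocs


def build_minimal_pe() -> bytes:
    """Constructed sample: a header-only PE32+ image (no sections, not runnable) to exercise the offsets."""
    pe_off = 0x80
    dos = b"MZ" + b"\0" * (E_LFANEW_OFF - 2) + struct.pack("<I", pe_off)
    stub = b"This program cannot be run in DOS mode.\r\n$".ljust(pe_off - DOS_HEADER_SIZE, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)   # Machine=x64, SizeOfOptionalHeader=240
    opt = struct.pack("<H", 0x20B).ljust(240, b"\0")                 # PE32+ magic, remaining fields zeroed
    return dos + stub + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    sample = build_minimal_pe()
    chain = [
        ("dos-stub", lambda b: watermark_dos_stub(b, b"PMT-2024-001")),
        ("checksum", lambda b: watermark_checksum(b, 0x41424344)),
        ("overlay", lambda b: watermark_overlay(b, b"--pmt-watermark--")),
    ]
    out, iocs = daisy_chain(sample, chain)
    for ioc in iocs:
        print(f"{ioc['step']:<10} {ioc['size']:>6} {ioc['sha256']}")
```

Two practitioner caveats the code comments hint at: a checksum watermark survives only if no later step in the chain recomputes the checksum, so apply it last or re-apply it at the end; and appending to the overlay invalidates an existing Authenticode signature, which a packed binary has usually lost anyway.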
Once the Cobalt Strike integration is loaded, the following commands become available in your Beacon's console:
- `protected-execute-assembly` – Executes a local, previously protected and compressed .NET program in memory on the target.
- `protected-upload` – Takes an input file, protects it if it is a PE executable, and then uploads that file to the specified remote location.
Under the hood these commands open the input file and pass it first to the `CobaltStrike/cobaltProtectMyTooling.py` script, which in turn calls out to `ProtectMyTooling.py`. As soon as the binary has been obfuscated, it is handed to your Beacon for execution or upload.
Cobalt Strike related Options
Here's a list of options required by the Cobalt Strike integrator:
- `python3_interpreter_path` – Specify a path to the Python 3 interpreter executable
- `protect_my_tooling_dir` – Specify a path to the ProtectMyTooling main directory
- `protect_my_tooling_config` – Specify a path to the ProtectMyTooling configuration file holding the various packer options
- `dotnet_assemblies_directory` – Specify a local directory in which .NET assemblies are looked up if they are not found by `execute-assembly`
- `cache_protected_executables` – Enable to cache already protected executables and reuse them when needed
- `protected_executables_cache_dir` – Specify a path to a directory that should store cached protected executables
- `default_exe_x86_packers_chain` – Native x86 EXE protectors/packers chain
- `default_exe_x64_packers_chain` – Native x64 EXE protectors/packers chain
- `default_dll_x86_packers_chain` – Native x86 DLL protectors/packers chain
- `default_dll_x64_packers_chain` – Native x64 DLL protectors/packers chain
- `default_dotnet_packers_chain` – .NET executables protectors/packers chain
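The `cache_protected_executables` and `protected_executables_cache_dir` options above describe a cache of protected artifacts. The following is an added example, not ProtectMyTooling's own cache implementation (whose on-disk layout is not described here), showing the property such a cache must have: the key covers both the input bytes and the packer chain, so the same binary protected with a different chain, or a rebuilt binary under the same name, is never served stale. `ProtectedCache`, `cache_key` and the stand-in `fake_protector` (which replaces the call to `ProtectMyTooling.py`) are assumptions for illustration.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Callable, Dict, List


def cache_key(data: bytes, chain: str) -> str:
    """Derive the cache key from the packer chain AND the input content.

    Keying on the file name alone would hand back a stale artifact after the
    source binary was rebuilt, or the wrong one after the chain was changed.
    """
    h = hashlib.sha256()
    h.update(chain.encode())
    h.update(b"\0")          # separator so chain and data cannot be re-split ambiguously
    h.update(data)
    return h.hexdigest()


class ProtectedCache:
    """Hypothetical cache of already-protected executables (illustration only)."""

    def __init__(self, cache_dir: Path) -> None:
        self.cache_dir = Path(cache_dir)
        self.cache_dir.mkdir(parents=True, exist_ok=True)
        self.hits = 0
        self.misses = 0

    def protect(self, data: bytes, chain: str,
                protector: Callable[[bytes, str], bytes]) -> bytes:
        """Return the protected artifact, invoking `protector` only on a cache miss."""
        path = self.cache_dir / f"{cache_key(data, chain)}.bin"
        if path.exists():
            self.hits += 1
            return path.read_bytes()
        self.misses += 1
        out = protector(data, chain)
        tmp = path.with_suffix(".tmp")
        tmp.write_bytes(out)
        tmp.replace(path)    # atomic publish: a half-written artifact is never served
        return out


def demo_cache_behaviour() -> Dict[str, object]:
    """Exercise the cache with a constructed input and a stand-in protector."""
    calls: List[str] = []

    def fake_protector(data: bytes, chain: str) -> bytes:
        # Stand-in for running ProtectMyTooling.py; a real protector would
        # shell out with the chain and return the produced file's bytes.
        calls.append(chain)
        return bytes(b ^ 0x55 for b in data) + chain.encode()

    sample = b"MZ constructed sample binary"    # constructed input, not a real PE
    with tempfile.TemporaryDirectory() as tmpdir:
        cache = ProtectedCache(Path(tmpdir))
        first = cache.protect(sample, "hyperion,upx", fake_protector)
        again = cache.protect(sample, "hyperion,upx", fake_protector)      # hit
        other = cache.protect(sample, "upx,hyperion", fake_protector)      # miss: chain differs
        cache.protect(sample + b"!", "hyperion,upx", fake_protector)        # miss: content differs
        return {
            "protector_calls": len(calls),
            "hits": cache.hits,
            "misses": cache.misses,
            "same_artifact_on_hit": first == again,
            "chain_changes_artifact": first != other,
        }


if __name__ == "__main__":
    print(demo_cache_behaviour())
```

The temp-file-then-rename publish matters on a shared team server: if two operators protect the same tool concurrently, neither can read a partially written artifact.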
ScareCrow is very tricky to run from Windows. What worked for me is the following:
- Run on Windows 10 and have WSL installed (the `bash.exe` command available in Windows)
- Make sure to have golang installed in WSL at the required version
- Make sure to have `PackerScareCrow.Run_ScareCrow_On_Windows_As_WSL = True` set in the configuration
Credits due & used technology
All packer, obfuscator, converter and loader credits go to their authors. This tool is merely a wrapper around their technology!
- Hopefully none of them mind me adding such wrappers. Should there be concerns, please reach out to me.
ProtectMyTooling also uses `denim.exe` by moloch, which is required by some Nim-based packers.
- Write a custom PE injector and offer it as a "protector"
- Add watermarking to other file formats such as Office documents, WSH scripts (VBS, JS, HTA) and containers
- Add support for a few other packers/loaders/generators in the near future:
  - `msfvenom` – two variants, one for input shellcode, the other for an executable
Use of this tool, as well as any other project I am the author of, for illegal purposes, unsolicited hacking or cyber-espionage is strictly prohibited. This and other tools I distribute help professional Penetration Testers, Security Consultants, Security Engineers and other security personnel improve their customers' cyber-defence capabilities.
In no event shall the authors or copyright holders be liable for any claim, damages or other liability arising from illegal use of this software.
If there are concerns, copyright issues, threats posed by this software or other inquiries – I am open to collaborate in responsibly addressing them.
The tool exposes a handy interface for using mostly open-source or commercially available packers/protectors/obfuscation software, and therefore does not by itself introduce any new threat to the cyber-security landscape.
This and other projects are the outcome of sleepless nights and plenty of hard work. If you like what I do and appreciate that I always give back to the community, consider buying me a coffee (or better, a beer) just to say thank you!
Mariusz Banach / mgeeky, '20-'22
<mb [at] binary-offensive.com>