Giter Site home page Giter Site logo

zipexec's Introduction

ZipExec

ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file. This zip file is then base64 encoded into a string that is rebuilt on disk. This encoded string is then loaded into a JScript file that when executed, would rebuild the password-protected zip file on disk and execute it. This is done programmatically by using COM objects to access the GUI-based functions in Windows via the generated JScript loader, executing the loader inside the password-protected zip without having to unzip it first. By password protecting the zip file, it protects the binary from EDRs and disk-based or anti-malware scanning mechanisms.

Installation

The first step as always is to clone the repo. Before you compile ZipExec you'll need to install the dependencies. To install them, run following commands:

go get github.com/yeka/zip

Then build it

go build ZipExec.go

or

go install github.com/Tylous/ZipExec@latest

Help

./ZipExec -h

__________.__      ___________                     
\____    /|__|_____\_   _____/__  ___ ____   ____  
  /     / |  \____ \|    __)_\  \/  // __ \_/ ___\ 
 /     /_ |  |  |_> >        \>    <\  ___/\  \___ 
/_______ \|__|   __/_______  /__/\_ \\___  >\___  >
        \/   |__|          \/      \/    \/     \/ 
                (@Tyl0us)

Usage of ./ZipExec:
  -I string
        Path to the file containing binary to zip.
  -O string
        Name of output file (e.g. loader.js)
  -sandbox
        Enables sandbox evasion using IsDomainedJoined.

zipexec's People

Contributors

tylous avatar zc2638 avatar

Stargazers

 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar

Watchers

 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar

zipexec's Issues

No se visualiza el archivo loader.js

Se ejecuta la siguiente instrucción
ZipExec -I shell.exe -O loader.js -sandbox
y lo único que devuelve es shell.rar
El archivo loader.js no se genera, y me surge una duda si se dice que ejecuta binarios
sin descomprimir. Cuál es la instrucción?

Gracias de antemano, parece interesante, sólo que no hay mucha documentación al respecto.

Cryptor

Any assistance to changing the cryptor pattern or stub

PoC is not working on my side

Hello,

I just tested your PoC, and I'm probably doing it wrong, actually I compiled it on debian buster, and I use this command line :

./ZipExec -I /home/user/artifact.exe -O /home/user/loader.js -sandbox

And I run the loader.js on a windows 10 virtual machine but nothing happens, I edited the path in the .js file to avoid a weird linux path in it but it's the same result.

If I check in the %temp% directory, I don't have any zip file, so I tried to execute it with cscript, and I don't have any exceptions.

I'm interested if you have an idea.

Loader.js Problem

Hi,

Sometimes some loader.js's cannot unzip the file, while loader.js is executed via cscript.exe. However, in this case, I can see the zip file under the %TMP% directory. For another case, I can confirm that loader.js is working in my computer properly, but it doesn't work for another computer with the same build number and OS. In the second case, I am getting the same error. The screenshot of the given error can be seen below:

image

nice

wow that is very sneaky! is there a way to do this on linux or mac?

Temp1_xxxx.zip ?

It looks like it extracts the zipfile into %TEMP%\Temp1_xxxx.zip, (where xxxx is the zipfile name) then runs it from there, then deletes it. Do you know if there is any way to change the destination of this? I looked and couldn't find a way to do this but wondering if you knew anything off the top of your head.

Side note, thanks for publishing this tool, it's awesome!

EDIT this looks like the same behavior as executing from the windows zip GUI, disregard.

Not Working

Malicious File: Dark Comet Trojan

nothing happens when running loader.js

should i use a meterpreter shell or something?

как с ней работать?

Уважаемый разработчик, если есть возможность сделай видео о работе с этим чудом или напишите руководство.

Unzipping

Hi,

I am trying to unzip a file and I don't think I quite understand how to. I tried to execute the loader.js from cmd with $> node loader.js and it gave a syntax error saying "Identifier 'GIhtL' has already been declared". What's the correct way of unzipping?

Side note: I'm a new learner so it might be a silly question.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.