Phantom Evasion - Python AV Evasion Tool Capable Of Generating FUD Executables Even With The Most Common 32 Bit Metasploit Payloads (Exe/Elf/Dmg/Apk)


Phantom-Evasion is an interactive antivirus evasion tool written in Python, capable of generating (almost) FUD executables even with the most common 32 bit msfvenom payloads (lower detection ratio with 64 bit payloads). The aim of this tool is to make antivirus evasion an easy task for pentesters through the use of modules focused on polymorphic code and antivirus sandbox detection techniques. Since version 1.0 Phantom-Evasion also includes a post-exploitation section dedicated to persistence and auxiliary modules.

The following OSs officially support automatic setup:
  1. Kali Linux Rolling 2018.1+ (64 bit)
  2. Parrot Security (64 bit)
The following OSs are probably able to run Phantom Evasion through manual setup:
  1. Arch Linux (64 bit)
  2. BlackArch Linux (64 bit)
  3. Elementary (64 bit)
  4. Linux Mint (64 bit)
  5. Ubuntu 15.10+ (64 bit)
  6. Windows 7/8/10 (64 bit)

Contributors
Special thanks to:
phra https://github.com/phra
stefano118 https://github.com/stefano118

Getting Started
Simply git clone, or download and unzip, the Phantom-Evasion folder.

Kali Linux:
Automatic setup officially supported; open a terminal and execute phantom-evasion:
sudo python phantom-evasion.py
or:
sudo chmod +x ./phantom-evasion.py
sudo ./phantom-evasion.py

Dependencies (only for manual setup)
  1. metasploit-framework
  2. mingw-w64 (cygwin on windows)
  3. gcc
  4. apktool
  5. strip
  6. wine (not necessary on windows)
  7. apksigner
  8. pyinstaller
Requires libc6-dev-i386 (Linux only).

WINDOWS PAYLOADS

Windows Shellcode Injection Modules (C)
Msfvenom Windows payloads and custom shellcodes supported.
(>) Randomized junk code and Windows antivirus evasion techniques
(>) Multibyte XOR encoders available (see the Multibyte XOR Encoder readme section)
(>) Decoy Processes Spawner available (see the Decoy Processes Spawner section)
(>) Strip executable available (https://en.wikipedia.org/wiki/Strip_(Unix))
(>) Execution time range: 35-60 seconds
  1. Windows Shellcode Injection VirtualAlloc: Inject and execute shellcode in memory using the VirtualAlloc, CreateThread and WaitForSingleObject APIs.
  2. Windows Shellcode Injection VirtualAlloc NoDirectCall LL/GPA: Inject and execute shellcode in memory using the VirtualAlloc, CreateThread and WaitForSingleObject APIs. Critical APIs are dynamically loaded (no direct call) using the LoadLibrary and GetProcAddress APIs.
  3. Windows Shellcode Injection VirtualAlloc NoDirectCall GPA/GMH: Inject and execute shellcode in memory using the VirtualAlloc, CreateThread and WaitForSingleObject APIs. Critical APIs are dynamically loaded (no direct call) using the GetModuleHandle and GetProcAddress APIs.
  4. Windows Shellcode Injection HeapAlloc: Inject and execute shellcode in memory using the HeapAlloc, HeapCreate, CreateThread and WaitForSingleObject APIs.
  5. Windows Shellcode Injection HeapAlloc NoDirectCall LL/GPA: Inject and execute shellcode in memory using the HeapCreate, HeapAlloc, CreateThread and WaitForSingleObject APIs. Critical APIs are dynamically loaded (no direct call) using the LoadLibrary and GetProcAddress APIs.
  6. Windows Shellcode Injection HeapAlloc NoDirectCall GPA/GMH: Inject and execute shellcode in memory using the HeapCreate, HeapAlloc, CreateThread and WaitForSingleObject APIs. Critical APIs are dynamically loaded (no direct call) using the GetModuleHandle and GetProcAddress APIs.
  7. Windows Shellcode Injection Process inject: Inject and execute shellcode into remote process memory (default: OneDrive.exe (x86), explorer.exe (x64)) using the VirtualAllocEx, WriteProcessMemory, CreateRemoteThread and WaitForSingleObject APIs.
  8. Windows Shellcode Injection Process inject NoDirectCall LL/GPA: Inject and execute shellcode into remote process memory (default: OneDrive.exe (x86), explorer.exe (x64)) using the VirtualAllocEx, WriteProcessMemory, CreateRemoteThread and WaitForSingleObject APIs. Critical APIs are dynamically loaded (no direct call) using the LoadLibrary and GetProcAddress APIs.
  9. Windows Shellcode Injection Process inject NoDirectCall GPA/GMH: Inject and execute shellcode into remote process memory (default: OneDrive.exe (x86), explorer.exe (x64)) using the VirtualAllocEx, WriteProcessMemory, CreateRemoteThread and WaitForSingleObject APIs. Critical APIs are dynamically loaded (no direct call) using the GetModuleHandle and GetProcAddress APIs.
  10. Windows Shellcode Injection Thread Hijack: Inject shellcode into remote process memory and execute it by hijacking thread execution (default: OneDrive.exe (x86), explorer.exe (x64)) using the VirtualAllocEx, WriteProcessMemory, Get/SetThreadContext and Suspend/ResumeThread APIs.
  11. Windows Shellcode Injection Thread Hijack LL/GPA: Inject shellcode into remote process memory and execute it by hijacking thread execution (default: OneDrive.exe (x86), explorer.exe (x64)) using the VirtualAllocEx, WriteProcessMemory, Get/SetThreadContext and Suspend/ResumeThread APIs. Critical APIs are dynamically loaded (no direct call) using the LoadLibrary and GetProcAddress APIs.
  12. Windows Shellcode Injection Thread Hijack GPA/GMH: Inject shellcode into remote process memory and execute it by hijacking thread execution (default: OneDrive.exe (x86), explorer.exe (x64)) using the VirtualAllocEx, WriteProcessMemory, Get/SetThreadContext and Suspend/ResumeThread APIs. Critical APIs are dynamically loaded (no direct call) using the GetModuleHandle and GetProcAddress APIs.

Windows Pure C meterpreter stager
Pure C polymorphic meterpreter stagers compatible with msfconsole and Cobalt Strike beacon (reverse_tcp/reverse_http).
(>) Randomized junk code and Windows antivirus evasion techniques
(>) Phantom Evasion Decoy Processes Spawner available (see the Decoy Processes Spawner section)
(>) Strip executable available (https://en.wikipedia.org/wiki/Strip_(Unix))
(>) Execution time range: 35-60 seconds
  1. C meterpreter/reverse_TCP VirtualAlloc (x86/x64): 32/64 bit windows/meterpreter/reverse_tcp polymorphic stager written in C (requires a multi/handler listener with payload set to windows/meterpreter/reverse_tcp (if x86) -- windows/x64/meterpreter/reverse_tcp (if x64), memory: Virtual)
  2. C meterpreter/reverse_TCP HeapAlloc (x86/x64): 32/64 bit windows/meterpreter/reverse_tcp polymorphic stager written in C (requires a multi/handler listener with payload set to windows/meterpreter/reverse_tcp (if x86) -- windows/x64/meterpreter/reverse_tcp (if x64), memory: Heap)
  3. C meterpreter/reverse_TCP VirtualAlloc NoDirectCall GPAGMH (x86/x64): 32/64 bit windows/meterpreter/reverse_tcp polymorphic stager written in C (requires a multi/handler listener with payload set to windows/meterpreter/reverse_tcp (if x86) -- windows/x64/meterpreter/reverse_tcp (if x64), memory: Virtual, APIs loaded at runtime)
  4. C meterpreter/reverse_TCP HeapAlloc NoDirectCall GPAGMH (x86/x64): 32/64 bit windows/meterpreter/reverse_tcp polymorphic stager written in C (requires a multi/handler listener with payload set to windows/meterpreter/reverse_tcp (if x86) -- windows/x64/meterpreter/reverse_tcp (if x64), memory: Heap, APIs loaded at runtime)
  5. C meterpreter/reverse_HTTP VirtualAlloc (x86/x64): 32/64 bit windows/meterpreter/reverse_http polymorphic stager written in C (requires a multi/handler listener with payload set to windows/meterpreter/reverse_http (if x86) -- windows/x64/meterpreter/reverse_http (if x64), memory: Virtual)
  6. C meterpreter/reverse_HTTP HeapAlloc (x86/x64): 32/64 bit windows/meterpreter/reverse_http polymorphic stager written in C (requires a multi/handler listener with payload set to windows/meterpreter/reverse_http (if x86) -- windows/x64/meterpreter/reverse_http (if x64), memory: Heap)
  7. C meterpreter/reverse_HTTP VirtualAlloc NoDirectCall GPAGMH (x86/x64): 32/64 bit windows/meterpreter/reverse_http polymorphic stager written in C (requires a multi/handler listener with payload set to windows/meterpreter/reverse_http (if x86) -- windows/x64/meterpreter/reverse_http (if x64), APIs loaded at runtime)
  8. C meterpreter/reverse_HTTP HeapAlloc NoDirectCall GPAGMH (x86/x64): 32/64 bit windows/meterpreter/reverse_http polymorphic stager written in C (requires a multi/handler listener with payload set to windows/meterpreter/reverse_http (if x86) -- windows/x64/meterpreter/reverse_http (if x64), memory: Heap, APIs loaded at runtime)
  9. C meterpreter/reverse_HTTPS VirtualAlloc (x86/x64): 32/64 bit windows/meterpreter/reverse_https polymorphic stager written in C (requires a multi/handler listener with payload set to windows/meterpreter/reverse_https (if x86) -- windows/x64/meterpreter/reverse_https (if x64), memory: Virtual)
  10. C meterpreter/reverse_HTTPS HeapAlloc (x86/x64): 32/64 bit windows/meterpreter/reverse_https polymorphic stager written in C (requires a multi/handler listener with payload set to windows/meterpreter/reverse_https (if x86) -- windows/x64/meterpreter/reverse_https (if x64), memory: Heap)
  11. C meterpreter/reverse_HTTPS VirtualAlloc NoDirectCall GPAGMH (x86/x64): 32/64 bit windows/meterpreter/reverse_https polymorphic stager written in C (requires a multi/handler listener with payload set to windows/meterpreter/reverse_https (if x86) -- windows/x64/meterpreter/reverse_https (if x64), APIs loaded at runtime)
  12. C meterpreter/reverse_HTTPS HeapAlloc NoDirectCall GPAGMH (x86/x64): 32/64 bit windows/meterpreter/reverse_https polymorphic stager written in C (requires a multi/handler listener with payload set to windows/meterpreter/reverse_https (if x86) -- windows/x64/meterpreter/reverse_https (if x64), memory: Heap, APIs loaded at runtime)

Powershell / Wine-Pyinstaller modules
Powershell modules:
(>) Randomized junk code and Windows antivirus evasion techniques
(>) Decoy Processes Spawner available (see the Decoy Processes Spawner section)
(>) Strip executable available (https://en.wikipedia.org/wiki/Strip_(Unix))
(>) Execution time range: 35-60 seconds
  1. Windows Powershell/Cmd Oneliner Dropper: Requires a user-supplied Powershell/Cmd oneliner payload (for example an Empire oneliner payload). Generates a Windows Powershell/Cmd oneliner dropper written in C. The Powershell/Cmd oneliner payload is executed using the system() function.
  2. Windows Powershell Script Dropper: Both msfvenom and custom Powershell payloads supported (32 bit Powershell payloads are not compatible with 64 bit Powershell targets and vice versa). Generates a Windows Powershell script (.ps1) dropper written in C. The Powershell script payload is executed using the system() function (powershell -executionpolicy bypass -WindowStyle Hidden -Noexit -File "PathTops1script").
Wine-Pyinstaller modules:
(>) Randomized junk code and Windows antivirus evasion techniques
(>) Execution time range: 5-25 minutes
(>) Requires python and pyinstaller installed in wine.
  1. Windows WinePyinstaller Python Meterpreter
Pure python meterpreter payload.
  2. WinePyinstaller Oneliner payload dropper
Pure python Powershell/cmd oneliner dropper.
The Powershell/cmd payload is executed using os.system().

LINUX PAYLOADS

Linux Shellcode Injection Module (C)
Msfvenom Linux payloads and custom shellcodes supported.
(>) Randomized junk code and C antivirus evasion techniques
(>) Multibyte XOR encoders available (see the Multibyte XOR Encoder readme section)
(>) Strip executable available (https://en.wikipedia.org/wiki/Strip_(Unix))
(>) Execution time range: 20-45 seconds
  1. Linux Shellcode Injection HeapAlloc: Inject and execute shellcode in memory using mmap and memcpy.
  2. Linux Bash Oneliner Dropper: Execute a custom oneliner payload using the system() function.

OSX PAYLOADS
  1. OSX 32bit multi-encoded:
Pure msfvenom multi-encoded OSX payloads.

ANDROID PAYLOADS
  1. Android Msfvenom Apk smali/baksmali:
(>) Fake loop injection
(>) Goto loop
Android msfvenom payloads modified and rebuilt with apktool (also capable of apk backdoor injection).

UNIVERSAL PAYLOADS
Generate executables compatible with the OS used to run Phantom-Evasion.
  1. Universal Meterpreter increments-trick
  2. Universal Polymorphic Meterpreter
  3. Universal Polymorphic Oneliner dropper

POST-EXPLOITATION MODULES
  1. Windows Persistence RegCreateKeyExW Add Registry Key (C): This module generates an executable which needs to be uploaded to the target machine and executed, specifying as argument the full path of the file to add to startup.
  2. Windows Persistence REG Add Registry Key (CMD): This module generates persistence cmdline payloads (Add Registry Key via REG.exe).
  3. Windows Persistence Keep Process Alive: This module generates an executable which needs to be uploaded to the target machine and executed. It uses CreateToolhelp32Snapshot, Process32First and Process32Next to check every X seconds whether the specified process is alive. Useful combined with Persistence N.1 or N.2 (persist the Keep Process Alive executable, which then starts and keeps alive the specified process).
  4. Windows Persistence Schtasks cmdline
This module generates persistence cmdline payloads (using Schtasks.exe).
  1. Windows Set Files Attribute Hidden
Hide a file through the command line or with a compiled executable (SetFileAttributes API).

Warning
PYTHON3 COMPATIBILITY TEMPORARILY SUSPENDED!

Decoy Processes Spawner:
During target-side execution this will try to spawn (using the WinExec or CreateProcess API) a maximum of 4 processes consecutively. The last spawned process will execute the malicious section of code, while the decoy processes spawned before it will execute only random junk code.
PRO: Longer execution time, lower rate of detection. CONS: Higher resource consumption.
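Added example, not part of the Phantom-Evasion project: a defender-side detection pass over constructed process-creation events, covering the hidden PowerShell script dropper command line, the REG.exe and schtasks.exe persistence payloads, and the Decoy Processes Spawner described above. The event shape, the Run key location and the assumption that the decoys are the same binary re-launched are this example's own, not the tool's.

```python
import re

# Constructed Sysmon-like process-creation events (pid, ppid, image, command line).
# They are invented for this example, not output of the tool.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Users\u\Downloads\invoice.exe", "cmd": "invoice.exe"},
    {"pid": 102, "ppid": 101, "image": r"C:\Users\u\Downloads\invoice.exe", "cmd": "invoice.exe 1"},
    {"pid": 103, "ppid": 102, "image": r"C:\Users\u\Downloads\invoice.exe", "cmd": "invoice.exe 2"},
    {"pid": 104, "ppid": 103, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell -executionpolicy bypass -WindowStyle Hidden -Noexit -File "C:\Temp\s.ps1"'},
    {"pid": 105, "ppid": 103, "image": r"C:\Windows\System32\reg.exe",
     "cmd": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /t REG_SZ /d C:\Users\u\Downloads\invoice.exe"},
    {"pid": 106, "ppid": 103, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r"schtasks /create /sc minute /mo 5 /tn upd /tr C:\Users\u\Downloads\invoice.exe"},
    {"pid": 107, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
]

# Command-line rules for behaviours the README describes: the hidden PowerShell
# script dropper invocation, REG.exe Run-key persistence and schtasks.exe persistence.
RULES = [
    ("hidden_powershell_script",
     re.compile(r"powershell.*-executionpolicy\s+bypass.*-windowstyle\s+hidden.*-file\b", re.I)),
    ("reg_run_key_persistence", re.compile(r"\breg(\.exe)?\s+add\b.*\\currentversion\\run\b", re.I)),
    ("schtasks_persistence", re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)),
]

def match_rules(events):
    """Return (pid, rule name) pairs for every command line that hits a rule."""
    return [(e["pid"], name) for e in events for name, rx in RULES if rx.search(e["cmd"])]

def decoy_chains(events, min_len=3):
    """Find a binary re-launching itself (child image == parent image), the shape
    the decoy spawner leaves with up to 4 consecutive processes. Assumption of
    this example: the decoys are the same executable re-spawned.
    Returns {root pid: chain length} for chains of at least min_len processes."""
    by_pid = {e["pid"]: e for e in events}
    found = {}
    for e in events:
        depth, cur = 1, e
        while cur["ppid"] in by_pid and by_pid[cur["ppid"]]["image"].lower() == e["image"].lower():
            cur, depth = by_pid[cur["ppid"]], depth + 1
        if depth >= min_len:
            found[cur["pid"]] = max(found.get(cur["pid"], 0), depth)
    return found

if __name__ == "__main__":
    print(match_rules(EVENTS), decoy_chains(EVENTS))
```

Real telemetry would be streamed in rather than embedded, but the rules and the self-respawn walk apply unchanged to any event source that carries image, parent and command line.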

Multibyte Xor Encoder:
C XOR encoders with 3 pure C decoding stubs, available with the Shellcode Injection modules.
  1. MultibyteKey xor:
Shellcode xored with 1 multibyte (variable length) random key. Polymorphic C decoder stub.
  2. Double Multibyte-key xor:
Shellcode xored with the result of the xor between 2 multibyte (variable length) random keys. Polymorphic C decoder stub.
  3. Triple Multibyte-key xor:
Shellcode xored with the result of the xor between 2 multibyte (variable length) random keys, xored with a third multibyte random key. Polymorphic C decoder stub.