[Note]: if you have issues or suggestions for improvement, please don't hesitate to reach out.
'PowerJoker' is a PowerShell script that obfuscates a SimplePowerShell payload on each execution. Every time the script runs, after the user enters LHOST/LPORT, it generates a SimplePowerShell payload in an {0/B/F/u/$/c/a/t/3} form which (for now) can evade Windows Defender / Real-Time Protection. Instead of changing it by hand, the script checks for 'known' words and replaces them with random ones. When it is done, executing the .ps file results in a shell on the attacker machine without the victim noticing (the process runs in the background). Note: read the bottom lines about the .ps1 file.
- Turn on Defender on the victim machine. [ Just for fun ]
- git clone
- pip3 install -r requirements.txt
- python3 PowerJoker.py -l [ LOCAL MACHINE ] -p [ PORT ]
- Run the PowerShell code on the victim machine. NOTE: you can make a .ps file and send it to the victim, who must have admin permissions on the station. When the .ps script launches, it runs with administrator permissions and can grant high privileges. For now, these lines of code are just comments, but you can modify them as you wish: uncomment the 'privilege' section inside the source and play with it the way you want [ Read Update please ].
- Make sure the victim runs it.
Windows, as we all know, keeps looking for such AV-bypass methods. For now, the payload seems to work. If for some reason the script gets caught by Defender, I would like to know.
PJ.mp4
When the process finishes, the victim must run the generated PowerShell code. When they do, wait to receive a shell. Soon I will add more options for bypassing Defender, because I know there are more methods, but again: it can change every day. What works today might not work tomorrow.
The code now outputs the base64 as the payload and also generates a 'Privilege.ps1' file which can carry the base64 payload inside it. Just replace ['BASE64_ENCODED_COMMAND_HERE'] in that section with the base64 payload, and you can use the .ps1 instead of only the payload.
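For anyone triaging a generated wrapper like Privilege.ps1 from the defender's side, here is an added example (written for this page, not part of PowerJoker) that finds long base64 runs in a PowerShell file and decodes them as UTF-16LE (the encoding PowerShell's -EncodedCommand expects) or UTF-8, so the wrapped command can be read in plain text. The function names, the 40-character length threshold and the sample script content are all constructed for this example.

```python
import base64
import re

# Runs of 40+ base64 characters; the threshold is a constructed heuristic
# that skips short tokens such as variable names.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# PowerShell's own switch names for an encoded command (and their prefixes).
# Heuristic: "-e" alone may also match unrelated parameters.
ENCODED_FLAG_RE = re.compile(r"-(?:EncodedCommand|enc|ec|e)\b", re.IGNORECASE)


def decode_blob(blob: str):
    """Return (encoding, text) if the blob is base64 of printable text, else None."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # -EncodedCommand takes UTF-16LE, so try that first, then UTF-8.
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        # Require printable text so random bytes or NUL padding do not pass.
        if text and all(c.isprintable() or c in "\r\n\t" for c in text):
            return enc, text
    return None


def has_encoded_flag(script: str) -> bool:
    """True when the script invokes PowerShell with an encoded-command switch."""
    return ENCODED_FLAG_RE.search(script) is not None


def triage_script(script: str):
    """Scan PowerShell source text and return every decodable base64 blob found."""
    findings = []
    for m in B64_RE.finditer(script):
        decoded = decode_blob(m.group(0))
        if decoded:
            enc, text = decoded
            findings.append({"offset": m.start(), "encoding": enc, "text": text})
    return findings


# Constructed sample: a harmless command wrapped the way a generated .ps1 would
# carry its payload after the placeholder has been replaced.
SAMPLE_COMMAND = "Write-Host 'constructed sample'"
SAMPLE_B64 = base64.b64encode(SAMPLE_COMMAND.encode("utf-16-le")).decode()
SAMPLE_SCRIPT = (
    "# constructed sample wrapper\n"
    f"$cmd = '{SAMPLE_B64}'\n"
    "powershell -EncodedCommand $cmd\n"
)

if __name__ == "__main__":
    print("encoded-command switch present:", has_encoded_flag(SAMPLE_SCRIPT))
    for f in triage_script(SAMPLE_SCRIPT):
        print(f"offset {f['offset']} ({f['encoding']}): {f['text']}")
```

Run it against a real .ps1 by reading the file into `triage_script`; a hit from `has_encoded_flag` together with a decoded UTF-16LE blob is the usual sign that the visible script is only a launcher for a second, hidden command.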
- PowerJoker can now randomly pick variables and strings.
- With this method, it is easier to evade real-time protection. I'm currently working on some new obfuscation techniques.
- Added the ability to show the replaced words in each execution.
- PowerJoker uses the random ability to pick from a list.
- Added more functionality to the code for user interaction.
- Using the -r flag shows the results in raw mode.
- Auto listener with nc.
- Fixed output when commands are entered.
Now, using another layer of obfuscation could be even stronger when combining PJ inside the generated ps1 file.
- Users can now maintain distinct sessions when interacting with PJ.
- On initiating a session, users have the option of selecting a specific session by entering its ID.
- Once inside a session, pressing "CTRL C" allows users to pause the current session and switch between sessions.
- Commands like "exit" or "quit" terminate the current session. If you wish to close all sessions, simply select "0" from the menu. Note: while inside a session, receiving a new connection can make it look like the session is hanging; pressing 'CTRL C' should fix it. Then go back and select the SessionID you want.
- More layers of obfuscation.
- Note: for users seeking an extra layer, the final payload can be an awesome start.
- Colors/INFO/OUTPUT have been improved to look much nicer.
- [!!] Note: DO NOT forget to install requirements.txt. If you run into errors, share the information with me.
- [ ] ngrok ability: with the '-n' flag, the user will be prompted to select a local port for the main socket connections. For example, running 'python3 [ tool.py ] -l [ ngrok.link ] -p [ ngrok port ] -n ngrok' prompts the user to choose a local port to forward connections from ngrok. Do not forget to register for the service, of course.