{"id":27560,"date":"2022-11-08T04:50:42","date_gmt":"2022-11-08T04:50:42","guid":{"rendered":"https:\/\/kalilinuxtutorials.com\/?p=27560"},"modified":"2022-11-08T04:50:44","modified_gmt":"2022-11-08T04:50:44","slug":"protectmytooling","status":"publish","type":"post","link":"https:\/\/kalilinuxtutorials.com\/protectmytooling\/","title":{"rendered":"ProtectMyTooling : Multi-Packer Wrapper Letting Us Daisy-Chain Various Packers, Obfuscators And Other Red Team Oriented Weaponry"},"content":{"rendered":"\n<p><strong>ProtectMyTooling<\/strong> is a script that wraps around a multitude of packers, protectors, obfuscators, shellcode loaders, encoders and generators to produce complex protected Red Team implants. Your perfect companion in a Malware Development CI\/CD pipeline, <strong>helping you watermark your artifacts, collect IOCs, backdoor and more<\/strong>.<\/p>\n\n\n\n<h2 class=\"has-text-align-center has-light-green-cyan-background-color has-background wp-block-heading\"><strong>ProtectMyToolingGUI.py<\/strong><\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEheokRTeY_AY2_JC9jh2D-Xjjs1Kw8GiOxvjbsiCK-cXKDdDq4HSKOtPHMS2-AX0YTBXA0dcE9dhn7vepIucj7ni-8AaJcfIzalN5UUEjTmBbnNIWT6PeQfOYv8eLPX1ObZhCrJlsok8AgiX0B7grN_MBjDE0CP3grvhydFqt5Dnl8wgbZMPRWAUmlv\/s1360\/ProtectMyTooling1.png\" alt=\"\" \/><\/figure>\n\n\n\n<p>With <code><strong>ProtectMyTooling<\/strong><\/code> you can quickly obfuscate your binaries without having to click through all the dialogs, interfaces and menus, create projects just to obfuscate a single binary, click through every available option and waste time on all that nonsense. 
It takes you straight to the point &#8211; obfuscating your tool.<\/p>\n\n\n\n<p>The aim is to offer the most convenient interface possible and to let you leverage <em>a daisy-chain of multiple packers<\/em> combined on a single binary.<\/p>\n\n\n\n<p>That&#8217;s right &#8211; we can launch <code><strong>ProtectMyTooling<\/strong><\/code> with several packers at once:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-vivid-green-cyan-color has-black-background-color has-text-color has-background\">C:\\&gt; py ProtectMyTooling.py hyperion,upx mimikatz.exe mimikatz-obf.exe<\/pre>\n\n\n\n<p>The above example first passes <code>mimikatz.exe<\/code> to Hyperion for obfuscation, and then hands the result to UPX for compression, resulting in <code>UPX(Hyperion(file))<\/code>.<\/p>\n\n\n\n<h2 class=\"has-text-align-center has-light-green-cyan-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/mgeeky\/ProtectMyTooling#features\"><\/a>Features<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Supports multiple different PE Packers, .NET Obfuscators, Shellcode Loaders\/Builders<\/li>\n\n\n\n<li>Allows daisy-chaining packers, where the output from one packer is passed to the next one: <code>callobf,hyperion,upx<\/code> will produce the artifact <code>UPX(Hyperion(CallObf(file)))<\/code><\/li>\n\n\n\n<li>Collects IOCs at every obfuscation step so that auditing &amp; Blue Team requests can be satisfied<\/li>\n\n\n\n<li>Offers functionality to inject custom watermarks into the resulting PE artifacts &#8211; in the DOS Stub, in the checksum, as a standalone PE section, or in the file&#8217;s overlay<\/li>\n\n\n\n<li>Comes with a handy Cobalt Strike aggressor script bringing <code>protected-upload<\/code> and <code>protected-execute-assembly<\/code> commands<\/li>\n\n\n\n<li>Straightforward command line usage<\/li>\n<\/ul>\n\n\n\n<h2 class=\"has-text-align-center has-light-green-cyan-background-color has-background wp-block-heading\"><a 
href=\"https:\/\/github.com\/mgeeky\/ProtectMyTooling#installation\"><\/a>Installation<\/h2>\n\n\n\n<p><strong>This tool was designed to work on Windows, as most packers natively target that platform.<\/strong><\/p>\n\n\n\n<p>Some features may nonetheless work just fine on Linux, but that support is not fully tested; please report bugs and issues.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>First, <strong>disable your AV<\/strong> and add the <code>contrib<\/code> directory to its exclusions. That directory contains obfuscators and protectors that will otherwise get flagged by AV and removed.<\/li>\n\n\n\n<li>Then clone this repository<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-preformatted has-vivid-green-cyan-color has-black-background-color has-text-color has-background\">PS C:\\&gt; git clone --recurse https:\/\/github.com\/Binary-Offensive\/ProtectMyTooling<\/pre>\n\n\n\n<ol class=\"wp-block-list\" start=\"3\">\n<li>The actual installation is straightforward:<\/li>\n<\/ol>\n\n\n\n<p class=\"has-cyan-bluish-gray-background-color has-background\"><strong>Windows<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-vivid-green-cyan-color has-black-background-color has-text-color has-background\">PS C:\\ProtectMyTooling&gt; .\\install.ps1<\/pre>\n\n\n\n<p class=\"has-cyan-bluish-gray-background-color has-background\"><strong>Linux<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-vivid-green-cyan-color has-black-background-color has-text-color has-background\">bash# .\/install.sh<\/pre>\n\n\n\n<h3 class=\"has-text-align-center has-cyan-bluish-gray-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/mgeeky\/ProtectMyTooling#gimmicks\"><\/a>Gimmicks<\/h3>\n\n\n\n<p>For the <code>ScareCrow<\/code> packer to run on Windows 10, <code>WSL<\/code> needs to be installed and <code>bash.exe<\/code> must be available (in <code>%PATH%<\/code>). 
Then, inside WSL, <code>golang<\/code> version <code>1.16<\/code> or newer needs to be installed:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-vivid-green-cyan-color has-black-background-color has-text-color has-background\">cmd&gt; bash\nbash$ sudo apt update ; sudo apt upgrade -y ; sudo apt install golang=2:1.18~3 -y<\/pre>\n\n\n\n<h2 class=\"has-text-align-center has-light-green-cyan-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/mgeeky\/ProtectMyTooling#configuration\"><\/a>Configuration<\/h2>\n\n\n\n<p>To plug in supported obfuscators, change default options or point <strong>ProtectMyTooling<\/strong> to your obfuscator executable path, you will need to adjust the <code>config\\ProtectMyTooling.yaml<\/code> configuration file.<\/p>\n\n\n\n<p>There is also a <code>config\\sample-full-config.yaml<\/code> file containing all the available options for all the supported packers, serving as a reference point.<\/p>\n\n\n\n<h2 class=\"has-text-align-center has-light-green-cyan-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/mgeeky\/ProtectMyTooling#friendly-reminder\"><\/a>Friendly reminder<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If your produced binary crashes or doesn&#8217;t run as expected &#8211; try using a different packer chain.<\/li>\n\n\n\n<li>Packers don&#8217;t guarantee the stability of produced binaries, therefore ProtectMyTooling cannot either.<\/li>\n\n\n\n<li>While chaining, carefully match output-&gt;input payload formats according to what the consecutive packer expects.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"has-text-align-center has-light-green-cyan-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/mgeeky\/ProtectMyTooling#usage\"><\/a>Usage<\/h2>\n\n\n\n<p>Before <code>ProtectMyTooling<\/code>&#8217;s first use, it is essential to adjust the program&#8217;s YAML configuration file <code>ProtectMyTooling.yaml<\/code>. 
The order of parameter processing is as follows:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Firstly, default parameters are used<\/li>\n\n\n\n<li>Then they&#8217;re overwritten by values coming from the YAML file<\/li>\n\n\n\n<li>Finally, whatever is provided on the command line overwrites the corresponding values<\/li>\n<\/ul>\n\n\n\n<p>There, supported packer paths and options must be set to enable them.<\/p>\n\n\n\n<h3 class=\"has-text-align-center has-cyan-bluish-gray-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/mgeeky\/ProtectMyTooling#scenario-1-simple-confuserex-obfuscation\"><\/a>Scenario 1: Simple ConfuserEx obfuscation<\/h3>\n\n\n\n<p>Usage is very simple: all it takes is to pass the name of the obfuscator to use, followed by the input and output file paths:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>C:\\&gt; py ProtectMyTooling.py confuserex Rubeus.exe Rubeus-obf.exe\n\n    Red Team implants protection swiss knife.\n\n    Multi-Packer wrapping around multitude of packers, protectors, shellcode loaders, encoders.\n    Mariusz Banach \/ mgeeky '20-'22, &lt;mb@binary-offensive.com&gt;\n    v0.16\n\n&#091;.] Processing x86 file: \"\\Rubeus.exe\"\n&#091;.] Generating output of ConfuserEx(&lt;file&gt;)...\n\n&#091;+] SUCCEEDED. 
Original file size: 417280 bytes, new file size ConfuserEx(&lt;file&gt;): 756224, ratio: 181.23%\n<\/code><\/pre>\n\n\n\n<h3 class=\"has-text-align-center has-cyan-bluish-gray-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/mgeeky\/ProtectMyTooling#scenario-2-simple-confuserex-obfuscation-followed-by-artifact-test\"><\/a>Scenario 2: Simple ConfuserEx obfuscation followed by artifact test<\/h3>\n\n\n\n<p>One can also obfuscate the file and immediately attempt to launch it (also with supplied optional parameters) to ensure it runs fine with options <code>-r --cmdline CMDLINE<\/code>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>C:\\&gt; py ProtectMyTooling.py confuserex Rubeus.exe Rubeus-obf.exe -r --cmdline \"hash \/password:foobar\"\n\n    &#091;...]\n\n&#091;.] Processing x86 file: \"\\Rubeus.exe\"\n&#091;.] Generating output of ConfuserEx(&lt;file&gt;)...\n\n&#091;+] SUCCEEDED. Original file size: 417280 bytes, new file size ConfuserEx(&lt;file&gt;): 758272, ratio: 181.72%\n\n\nRunning application to test it...\n\n   ______        _\n  (_____ \\      | |\n   _____) )_   _| |__  _____ _   _  ___\n  |  __  \/| | | |  _ \\| ___ | | | |\/___)\n  | |  \\ \\| |_| | |_) ) ____| |_| |___ |\n  |_|   |_|____\/|____\/|_____)____\/(___\/\n\n  v2.0.0\n\n\n&#091;*] Action: Calculate Password Hash(es)\n\n&#091;*] Input password             : foobar\n&#091;*]       rc4_hmac             : BAAC3929FABC9E6DCD32421BA94A84D4\n\n&#091;!] 
\/user:X and \/domain:Y need to be supplied to calculate AES and DES hash types!\n<\/code><\/pre>\n\n\n\n<h3 class=\"has-text-align-center has-cyan-bluish-gray-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/mgeeky\/ProtectMyTooling#scenario-3-complex-malware-obfuscation-with-watermarking-and-iocs-collection\"><\/a>Scenario 3: Complex malware obfuscation with watermarking and IOCs collection<\/h3>\n\n\n\n<p>The use case below takes <code>beacon.exe<\/code> on input and feeds it consecutively into the <code>CallObf<\/code> -&gt; <code>UPX<\/code> -&gt; <code>Hyperion<\/code> packers.<\/p>\n\n\n\n<p>Then it injects the specified <code>fooobar<\/code> watermark into the DOS Stub of the final generated output artifact and sets that artifact&#8217;s checksum to the value <code>0xAABBCCDD<\/code>.<\/p>\n\n\n\n<p>Finally, ProtectMyTooling captures all IOCs (md5, sha1, sha256, imphash, and other metadata) and saves them in an auxiliary CSV file. That file can be used for IOC matching as the engagement unfolds.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>PS&gt; py .\\ProtectMyTooling.py callobf,upx,hyperion beacon.exe beacon-obf.exe -i -I operation_chimera -w dos-stub=fooobar -w checksum=0xaabbccdd\n\n    &#091;...]\n\n&#091;.] Processing x64 file: \"beacon.exe\"\n&#091;&gt;] Generating output of CallObf(&lt;file&gt;)...\n\n&#091;.] Before obfuscation file's PE IMPHASH:       17b461a082950fc6332228572138b80c\n&#091;.] After obfuscation file's PE IMPHASH:        378d9692fe91eb54206e98c224a25f43\n&#091;&gt;] Generating output of UPX(CallObf(&lt;file&gt;))...\n\n&#091;&gt;] Generating output of Hyperion(UPX(CallObf(&lt;file&gt;)))...\n\n&#091;+] Setting PE checksum to 2864434397 (0xaabbccdd)\n&#091;+] Successfully watermarked resulting artifact file.\n&#091;+] IOCs written to: beacon-obf-ioc.csv\n\n&#091;+] SUCCEEDED. 
Original file size: 288256 bytes, new file size Hyperion(UPX(CallObf(&lt;file&gt;))): 175616, ratio: 60.92%\n<\/code><\/pre>\n\n\n\n<p>Produced IOCs evidence CSV file will look as follows:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>timestamp,filename,author,context,comment,md5,sha1,sha256,imphash\n2022-06-10 03:15:52,beacon.exe,mgeeky@commandoVM,Input File,test,dcd6e13754ee753928744e27e98abd16,298de19d4a987d87ac83f5d2d78338121ddb3cb7,0a64768c46831d98c5667d26dc731408a5871accefd38806b2709c66cd9d21e4,17b461a082950fc6332228572138b80c\n2022-06-10 03:15:52,y49981l3.bin,mgeeky@commandoVM,Obfuscation artifact: CallObf(&lt;file&gt;),test,50bbce4c3cc928e274ba15bff0795a8c,15bde0d7fbba1841f7433510fa9aa829f8441aeb,e216cd8205f13a5e3c5320ba7fb88a3dbb6f53ee8490aa8b4e1baf2c6684d27b,378d9692fe91eb54206e98c224a25f43\n2022-06-10 03:15:53,nyu2rbyx.bin,mgeeky@commandoVM,Obfuscation artifact: UPX(CallObf(&lt;file&gt;)),test,4d3584f10084cded5c6da7a63d42f758,e4966576bdb67e389ab1562e24079ba9bd565d32,97ba4b17c9bd9c12c06c7ac2dc17428d509b64fc8ca9e88ee2de02c36532be10,9aebf3da4677af9275c461261e5abde3\n2022-06-10 03:15:53,beacon-obf.exe,mgeeky@commandoVM,Obfuscation artifact: Hyperion(UPX(CallObf(&lt;file&gt;))),test,8b706ff39dd4c8f2b031c8fa6e3c25f5,c64aad468b1ecadada3557cb3f6371e899d59790,087c6353279eb5cf04715ef096a18f83ef8184aa52bc1d5884e33980028bc365,a46ea633057f9600559d5c6b328bf83d\n2022-06-10 03:15:53,beacon-obf.exe,mgeeky@commandoVM,Output obfuscated artifact,test,043318125c60d36e0b745fd38582c0b8,a7717d1c47cbcdf872101bd488e53b8482202f7f,b3cf4311d249d4a981eb17a33c9b89eff656fff239e0d7bb044074018ec00e20,a46ea633057f9600559d5c6b328bf83d\n<\/code><\/pre>\n\n\n\n<h2 class=\"has-text-align-center has-light-green-cyan-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/mgeeky\/ProtectMyTooling#supported-packers\"><\/a>Supported Packers<\/h2>\n\n\n\n<p><code>ProtectMyTooling<\/code> was designed to support not only Obfuscators\/Packers but also all sort of 
builders\/generators\/shellcode loaders usable from the command line.<\/p>\n\n\n\n<p>At the moment, the program supports various commercial and open-source packers\/obfuscators. The open-source ones are bundled within the project. Commercial ones require the user to purchase the product and configure its location in the <code>ProtectMyTooling.yaml<\/code> file so the script knows where to find them.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><a href=\"https:\/\/github.com\/EgeBalci\/amber\"><code>Amber<\/code><\/a> &#8211; Reflective PE Packer that takes EXE\/DLL on input and produces EXE\/PIC shellcode<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/ORCx41\/AtomPePacker\"><code>AtomPePacker<\/code><\/a> &#8211; A highly capable PE packer<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/Charterino\/AsStrongAsFuck\"><code>AsStrongAsFuck<\/code><\/a> &#8211; A console obfuscator for .NET assemblies by Charterino<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/d35ha\/CallObfuscator\"><code>CallObfuscator<\/code><\/a> &#8211; Obfuscates specific Windows APIs with different APIs.<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/mkaring\/ConfuserEx\"><code>ConfuserEx<\/code><\/a> &#8211; Popular .NET obfuscator, forked from <a href=\"https:\/\/github.com\/mkaring\">Martin Karing<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/TheWover\/donut\"><code>Donut<\/code><\/a> &#8211; Popular PE loader that takes EXE\/DLL\/.NET on input and produces a PIC shellcode<\/li>\n\n\n\n<li><a href=\"https:\/\/enigmaprotector.com\/\"><code>Enigma<\/code><\/a> &#8211; A powerful system designed for comprehensive protection of executable files<\/li>\n\n\n\n<li><a href=\"https:\/\/nullsecurity.net\/tools\/binary.html\"><code>Hyperion<\/code><\/a> &#8211; runtime encrypter for 32-bit and 64-bit portable executables. 
It is a reference implementation based on the paper &#8220;Hyperion: Implementation of a PE-Crypter&#8221;<\/li>\n\n\n\n<li><a href=\"https:\/\/www.eziriz.com\/intellilock.htm\"><code>IntelliLock<\/code><\/a> &#8211; combines strong license security, highly adaptable licensing functionality\/schema with reliable assembly protection<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/danielbohannon\/Invoke-Obfuscation\"><code>InvObf<\/code><\/a> &#8211; Obfuscates PowerShell scripts with <code>Invoke-Obfuscation<\/code> (by Daniel Bohannon)<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/AnErrupTion\/LoGiC.NET\"><code>LoGiC.NET<\/code><\/a> &#8211; A more advanced free and open .NET obfuscator using dnlib by AnErrupTion<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/optiv\/Mangle\"><code>Mangle<\/code><\/a> &#8211; Takes an input EXE\/DLL file and produces an output one with a cloned certificate, removed Golang-specific IoCs and bloated size. By Matt Eidelberg (@Tyl0us).<\/li>\n\n\n\n<li><a href=\"https:\/\/www.autohotkey.com\/mpress\/mpress_web.htm\"><code>MPRESS<\/code><\/a> &#8211; MPRESS compressor by Vitaly Evseenko. Takes input EXE\/DLL\/.NET\/MAC-DARWIN (x86\/x64) and compresses it.<\/li>\n\n\n\n<li><a href=\"https:\/\/www.eziriz.com\/dotnet_reactor.htm\"><code>NetReactor<\/code><\/a> &#8211; Unmatched .NET code protection system which completely stops anyone from decompiling your code<\/li>\n\n\n\n<li><a href=\"https:\/\/www.pelock.com\/pl\/produkty\/netshrink\"><code>NetShrink<\/code><\/a> &#8211; an exe packer aka executable compressor, application password protector and virtual DLL binder for Windows &amp; Linux .NET applications.<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/icyguider\/Nimcrypt2\"><code>Nimcrypt2<\/code><\/a> &#8211; Generates a Nim loader running input .NET, PE or Raw Shellcode. 
Authored by <a href=\"https:\/\/twitter.com\/icyguider\">(@icyguider)<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/chvancooten\/NimPackt-v1\"><code>NimPackt-v1<\/code><\/a> &#8211; Takes Shellcode or .NET Executable on input, produces EXE or DLL loader. Brought to you by Cas van Cooten <a href=\"https:\/\/twitter.com\/chvancooten\">(@chvancooten)<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/S3cur3Th1sSh1t-Sponsors\/NimSyscallPacker\"><code>NimSyscallPacker<\/code><\/a> &#8211; Takes PE\/Shellcode\/.NET executable and generates robust Nim+Syscalls EXE\/DLL loader. Sponsorware authored by <a href=\"https:\/\/twitter.com\/ShitSecure\">(@S3cur3Th1sSh1t)<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/jadams\/Packer64\"><code>Packer64<\/code><\/a> &#8211; wrapper around John Adams&#8217; <code>Packer64<\/code><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/hasherezade\/pe_to_shellcode\"><code>pe2shc<\/code><\/a> &#8211; Converts PE into a shellcode. By yours truly <a href=\"https:\/\/twitter.com\/hasherezade\">@hasherezade<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/v-p-b\/peCloakCapstone\/blob\/master\/peCloak.py\"><code>peCloak<\/code><\/a> &#8211; A Multi-Pass Encoder &amp; Heuristic Sandbox Bypass AV Evasion Tool<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/avast\/pe_tools\"><code>peresed<\/code><\/a> &#8211; Uses <em>&#8220;peresed&#8221;<\/em> from <strong>avast\/pe_tools<\/strong> to remove all existing PE Resources and signature <em>(think of Mimikatz icon).<\/em><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/optiv\/ScareCrow\"><code>ScareCrow<\/code><\/a> &#8211; EDR-evasive x64 shellcode loader that produces DLL\/CPL\/XLL\/JScript\/HTA artifact loader<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/EgeBalci\/sgn\"><code>sgn<\/code><\/a> &#8211; Shikata ga nai (\u4ed5\u65b9\u304c\u306a\u3044) encoder ported into go with several improvements. 
Takes shellcode, produces encoded shellcode<\/li>\n\n\n\n<li><a href=\"https:\/\/www.red-gate.com\/products\/dotnet-development\/smartassembly\/\"><code>SmartAssembly<\/code><\/a> &#8211; obfuscator that helps protect your application against reverse-engineering or modification, by making it difficult for a third-party to access your source code<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/monoxgas\/sRDI\"><code>sRDI<\/code><\/a> &#8211; Convert DLLs to position independent shellcode. Authored by: <a href=\"https:\/\/twitter.com\/monoxgas\">Nick Landers, @monoxgas<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.oreans.com\/Themida.php\"><code>Themida<\/code><\/a> &#8211; Advanced Windows software protection system<\/li>\n\n\n\n<li><a href=\"https:\/\/upx.github.io\/\"><code>UPX<\/code><\/a> &#8211; a free, portable, extendable, high-performance executable packer for several executable formats.<\/li>\n\n\n\n<li><a href=\"https:\/\/vmpsoft.com\/\"><code>VMProtect<\/code><\/a> &#8211; protects code by executing it on a virtual machine with non-standard architecture that makes it extremely difficult to analyze and crack the software<\/li>\n<\/ol>\n\n\n\n<p>You can quickly list supported packers using <code>-L<\/code> option (table columns are chosen depending on Terminal width, the wider the more information revealed):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>C:\\&gt; py ProtectMyTooling.py -L\n    &#091;...]\n\n    Red Team implants protection swiss knife.\n\n    Multi-Packer wrapping around multitude of packers, protectors, shellcode loaders, encoders.\n    Mariusz Banach \/ mgeeky '20-'22, &lt;mb@binary-offensive.com&gt;\n    v0.16\n\n+----+----------------+-------------+-----------------------+-----------------------------+------------------------+--------------------------------------------------------+\n| #  |      Name      |     Type    |       Licensing       |            Input            |         Output         |                         Author        
                 |\n+----+----------------+-------------+-----------------------+-----------------------------+------------------------+--------------------------------------------------------+\n| 1  |     amber      | open-source |    Shellcode Loader   |              PE             |     EXE, Shellcode     |                       Ege Balci                        |\n| 2  | asstrongasfuck | open-source |    .NET Obfuscator    |             .NET            |          .NET          |                 Charterino, klezVirus                  |\n| 3  |  atompepacker  | open-source |  PE EXE\/DLL Protector |              PE             |        EXE, DLL        |            ORCA (@ORCx41, ORCx41@gmail.com)            |\n| 4  |    backdoor    | open-source |    Shellcode Loader   |          Shellcode          |           PE           |              Mariusz Banach, @mariuszbit               |\n| 5  |    callobf     | open-source |  PE EXE\/DLL Protector |              PE             |           PE           |                Mustafa Mahmoud, @d35ha                 |\n| 6  |   confuserex   | open-source |    .NET Obfuscator    |             .NET            |          .NET          |                        mkaring                         |\n| 7  |  donut-packer  | open-source |  Shellcode Converter  | PE, .NET, VBScript, JScript |       Shellcode        |                        TheWover                        |\n| 8  |     enigma     |  commercial |  PE EXE\/DLL Protector |              PE             |           PE           |          The Enigma Protector Developers Team          |\n| 9  |    hyperion    | open-source |  PE EXE\/DLL Protector |              PE             |           PE           |                   nullsecurity team                    |\n| 10 |  intellilock   |  commercial |    .NET Obfuscator    |              PE             |           PE           |                         Eziriz                         |\n| 11 |     invobf     | open-source | Powershell 
Obfuscator |          Powershell         |       Powershell       |                    Daniel Bohannon                     |\n| 12 |    logicnet    | open-source |    .NET Obfuscator    |             .NET            |          .NET          |                 AnErrupTion, klezVirus                 |\n| 13 |     mangle     | open-source |   Executable Signing  |              PE             |           PE           |                Matt Eidelberg (@Tyl0us)                |\n| 14 |     mpress     |   freeware  | PE EXE\/DLL Compressor |              PE             |           PE           |                    Vitaly Evseenko                     |\n| 15 |   netreactor   |  commercial |    .NET Obfuscator    |             .NET            |          .NET          |                         Eziriz                         |\n| 16 |   netshrink    | open-source |    .NET Obfuscator    |             .NET            |          .NET          |                     Bartosz W\u00f3jcik                     |\n| 17 |   nimcrypt2    | open-source |    Shellcode Loader   |     PE, .NET, Shellcode     |           PE           |                       @icyguider                       |\n| 18 |    nimpackt    | open-source |    Shellcode Loader   |       .NET, Shellcode       |           PE           |             Cas van Cooten (@chvancooten)              |\n| 19 |   nimsyscall   | sponsorware |    Shellcode Loader   |     PE, .NET, Shellcode     |           PE           |                    @S3cur3Th1sSh1t                     |\n| 20 |    packer64    | open-source | PE EXE\/DLL Compressor |              PE             |           PE           |                  John Adams, @jadams                   |\n| 21 |     pe2shc     | open-source |  Shellcode Converter  |              PE             |       Shellcode        |                      @hasherezade                      |\n| 22 |    pecloak     | open-source |  PE EXE\/DLL Protector |              PE             |           PE           
|     Mike Czumak, @SecuritySift, buherator \/ v-p-b      |\n| 23 |    peresed     | open-source |  PE EXE\/DLL Protector |              PE             |           PE           |                  Martin Vejn\u00e1r, Avast                  |\n| 24 |   scarecrow    | open-source |    Shellcode Loader   |          Shellcode          | DLL, JScript, CPL, XLL |                Matt Eidelberg (@Tyl0us)                |\n| 25 |      sgn       | open-source |   Shellcode Encoder   |          Shellcode          |       Shellcode        |                       Ege Balci                        |\n| 26 | smartassembly  |  commercial |    .NET Obfuscator    |             .NET            |          .NET          |                        Red-Gate                        |\n| 27 |      srdi      | open-source |   Shellcode Encoder   |             DLL             |       Shellcode        |                Nick Landers, @monoxgas                 |\n| 28 |    themida     |  commercial |  PE EXE\/DLL Protector |              PE             |           PE           |                         Oreans                         |\n| 29 |      upx       | open-source | PE EXE\/DLL Compressor |              PE             |           PE           | Markus F.X.J. Oberhumer, L\u00e1szl\u00f3 Moln\u00e1r, John F. Reiser |\n| 30 |   vmprotect    |  commercial |  PE EXE\/DLL Protector |              PE             |           PE           |                        vmpsoft                         |\n+----+----------------+-------------+-----------------------+-----------------------------+------------------------+--------------------------------------------------------+\n<\/code><\/pre>\n\n\n\n<p>Above are the packers that are supported, but that doesn&#8217;t mean that you have them configured and ready to use. 
To use them, you must first place the necessary binaries in the <code>contrib<\/code> directory and then configure your YAML file accordingly.<\/p>\n\n\n\n<h2 class=\"has-text-align-center has-light-green-cyan-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/mgeeky\/ProtectMyTooling#redwatermarker---built-in-artifact-watermarking\"><\/a>RedWatermarker &#8211; built-in Artifact watermarking<\/h2>\n\n\n\n<h3 class=\"has-cyan-bluish-gray-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/mgeeky\/ProtectMyTooling#artifact-watermarking--ioc-collection\"><\/a>Artifact watermarking &amp; IOC collection<\/h3>\n\n\n\n<p>This program is intended for professional Red Teams and is perfect to be used in a typical implant-development CI\/CD pipeline. As a red teamer, I&#8217;m always expected to deliver a decent-quality list of IOCs matching back to all of my implants, and I find it essential to watermark all my implants for bookkeeping, attribution and traceability purposes.<\/p>\n\n\n\n<p>To accommodate these requirements, ProtectMyTooling brings basic support for them.<\/p>\n\n\n\n<h3 class=\"has-cyan-bluish-gray-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/mgeeky\/ProtectMyTooling#artifact-watermarking\"><\/a>Artifact Watermarking<\/h3>\n\n\n\n<p><code>ProtectMyTooling<\/code> can apply watermarks after obfuscation rounds simply by using the <code>--watermark<\/code> option:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-vivid-green-cyan-color has-black-background-color has-text-color has-background\">py ProtectMyTooling [...] 
-w dos-stub=fooooobar -w checksum=0xaabbccdd -w section=.coco,ALLYOURBASEAREBELONG<\/pre>\n\n\n\n<p>There is also a standalone approach, included in the <code>RedWatermarker.py<\/code> script.<\/p>\n\n\n\n<p>It takes an executable artifact on input and accepts a few parameters denoting where to inject a watermark and what value shall be inserted.<\/p>\n\n\n\n<p>The example run below sets the PE checksum to 0xAABBCCDD, inserts <code>foooobar<\/code> into the PE file&#8217;s DOS Stub (the bytes containing <em>This program cannot be run&#8230;<\/em>), appends <code>bazbazbaz<\/code> to the file&#8217;s overlay and then creates a new PE section named <code>.coco<\/code>, appends it to the end of the file and fills that section with the preset marker.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-vivid-green-cyan-color has-black-background-color has-text-color has-background\">py RedWatermarker.py beacon-obf.exe -c 0xaabbccdd -t fooooobar -e bazbazbaz -s .coco,ALLYOURBASEAREBELONG<\/pre>\n\n\n\n<p><strong>Full watermarker usage:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cmd&gt; py RedWatermarker.py --help\n\n    Watermark thy implants, track them in VirusTotal\n    Mariusz Banach \/ mgeeky '22, (@mariuszbit)\n    &lt;mb@binary-offensive.com&gt;\n\nusage: RedWatermarker.py &#091;options] &lt;infile&gt;\n\noptions:\n  -h, --help            show this help message and exit\n\nRequired arguments:\n  infile                Input implant file\n\nOptional arguments:\n  -C, --check           Do not actually inject watermark. Check input file if it contains specified watermarks.\n  -v, --verbose         Verbose mode.\n  -d, --debug           Debug mode.\n  -o PATH, --outfile PATH\n                        Path where to save output file with watermark injected. 
If not given, will modify infile.\n\nPE Executables Watermarking:\n  -t STR, --dos-stub STR\n                        Insert watermark into PE DOS Stub (This program cannot be run...).\n  -c NUM, --checksum NUM\n                        Preset PE checksum with this value (4 bytes). Must be number. Can start with 0x for hex value.\n  -e STR, --overlay STR\n                        Append watermark to the file's Overlay (at the end of the file).\n  -s NAME,STR, --section NAME,STR\n                        Append a new PE section named NAME and insert watermark there. Section name must be shorter than 8 characters. Section will be marked Read-Only, non-executable.\n<\/code><\/pre>\n\n\n\n<p>Currently only PE file watermarking is supported, but Office documents and other formats are to be added in the future as well.<\/p>\n\n\n\n<h3 class=\"has-text-align-center has-cyan-bluish-gray-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/mgeeky\/ProtectMyTooling#iocs-collection\"><\/a>IOCs Collection<\/h3>\n\n\n\n<p>IOCs may be collected by simply using the <code>-i<\/code> option in a <code>ProtectMyTooling<\/code> run.<\/p>\n\n\n\n<p>They are collected at the following phases:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>on the input file<\/li>\n\n\n\n<li>after each obfuscation round, on the intermediary file<\/li>\n\n\n\n<li>on the final output file<\/li>\n<\/ul>\n\n\n\n<p>They contain the following fields, saved in the form of a CSV file:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>timestamp<\/code><\/li>\n\n\n\n<li><code>filename<\/code><\/li>\n\n\n\n<li><code>author<\/code> &#8211; formed as <code>username@hostname<\/code><\/li>\n\n\n\n<li><code>context<\/code> &#8211; whether a record points to an input, output or intermediary file<\/li>\n\n\n\n<li><code>comment<\/code> &#8211; value set by the user through the <code>-I value<\/code> 
option<\/li>\n\n\n\n<li><code>md5<\/code><\/li>\n\n\n\n<li><code>sha1<\/code><\/li>\n\n\n\n<li><code>sha256<\/code><\/li>\n\n\n\n<li><code>imphash<\/code> &#8211; PE Imports Hash, if available<\/li>\n\n\n\n<li>(TODO) <code>typeref_hash<\/code> &#8211; .NET TypeRef Hash, if available<\/li>\n<\/ul>\n\n\n\n<p>The result will be a CSV file named <code>outfile-ioc.csv<\/code> stored side by side with the generated output artifact. That file is written in APPEND mode, meaning it will receive all subsequent IOCs.<\/p>\n\n\n\n<h2 class=\"has-text-align-center has-light-green-cyan-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/mgeeky\/ProtectMyTooling#redbackdoorer---built-in-pe-backdooring\"><\/a>RedBackdoorer &#8211; built-in PE Backdooring<\/h2>\n\n\n\n<p><code>ProtectMyTooling<\/code> utilizes my own <code>RedBackdoorer.py<\/code> script, which provides a few methods for backdooring PE executables. Support comes as a dedicated packer named <code>backdoor<\/code>. Example usage:<\/p>\n\n\n\n<p><strong>Takes Cobalt Strike shellcode on input, encodes it with SGN (Shikata Ga-Nai), then backdoors SysInternals DbgView64.exe and finally produces an Amber EXE reflective loader<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>PS&gt; py ProtectMyTooling.py sgn,backdoor,amber beacon64.bin dbgview64-infected.exe -B dbgview64.exe\n\n    Red Team implants protection swiss knife.\n\n    Multi-Packer wrapping around multitude of packers, protectors, shellcode loaders, encoders.\n    Mariusz Banach \/ mgeeky '20-'22, &lt;mb@binary-offensive.com&gt;\n    v0.16\n\n&#091;.] Processing x64 file :  beacon64.bin\n&#091;&gt;] Generating output of sgn(&lt;file&gt;)...\n&#091;&gt;] Generating output of backdoor(sgn(&lt;file&gt;))...\n&#091;&gt;] Generating output of Amber(backdoor(sgn(&lt;file&gt;)))...\n\n&#091;+] SUCCEEDED. 
Original file size: 265959 bytes, new file size Amber(backdoor(sgn(&lt;file&gt;))): 1372672, ratio: 516.12%\n<\/code><\/pre>\n\n\n\n<p>Full RedBackdoorer usage:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cmd&gt; py RedBackdoorer.py --help\n\n     \u2588\u2588\u2580\u2588\u2588\u2588 \u2593\u2588\u2588\u2588\u2588\u2588\u2593\u2588\u2588\u2588\u2588\u2588\u2584\n    \u2593\u2588\u2588 \u2592 \u2588\u2588\u2593\u2588   \u2580\u2592\u2588\u2588\u2580 \u2588\u2588\u258c\n    \u2593\u2588\u2588 \u2591\u2584\u2588 \u2592\u2588\u2588\u2588  \u2591\u2588\u2588   \u2588\u258c\n    \u2592\u2588\u2588\u2580\u2580\u2588\u2584 \u2592\u2593\u2588  \u2584\u2591\u2593\u2588\u2584   \u258c\n    \u2591\u2588\u2588\u2593 \u2592\u2588\u2588\u2591\u2592\u2588\u2588\u2588\u2588\u2591\u2592\u2588\u2588\u2588\u2588\u2593\n    \u2591 \u2592\u2593 \u2591\u2592\u2593\u2591\u2591 \u2592\u2591 \u2591\u2592\u2592\u2593  \u2592\n      \u2591\u2592 \u2591 \u2592\u2591\u2591 \u2591  \u2591\u2591 \u2592  \u2592\n      \u2591\u2591   \u2591   \u2591   \u2591 \u2591  \u2591\n     \u2584\u2584\u2584\u2584   \u2584\u2584\u2584\u2591  \u2591  \u2584\u2588\u2588\u2588\u2588\u2584  \u2588\u2588 \u2584\u2588\u2593\u2588\u2588\u2588\u2588\u2588\u2584 \u2592\u2588\u2588\u2588\u2588\u2588  \u2592\u2588\u2588\u2588\u2588\u2588  \u2588\u2588\u2580\u2588\u2588\u2588 \u2593\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2580\u2588\u2588\u2588\n    \u2593\u2588\u2588\u2588\u2588\u2588\u2584\u2592\u2588\u2588\u2588\u2588\u2584  \u2591\u2592\u2588\u2588\u2580 \u2580\u2588  \u2588\u2588\u2584\u2588\u2592\u2592\u2588\u2588\u2580 \u2588\u2588\u2592\u2588\u2588\u2592  \u2588\u2588\u2592\u2588\u2588\u2592  \u2588\u2588\u2593\u2588\u2588 \u2592 \u2588\u2588\u2593\u2588   \u2580\u2593\u2588\u2588 \u2592 \u2588\u2588\u2592\n    \u2592\u2588\u2588\u2592 \u2584\u2588\u2592\u2588\u2588  \u2580\u2588\u2584 \u2592\u2593\u2588    \u2584\u2593\u2588\u2588\u2588\u2584\u2591\u2591\u2588\u2588   \u2588\u2592\u2588\u2588\u2591  
\u2588\u2588\u2592\u2588\u2588\u2591  \u2588\u2588\u2593\u2588\u2588 \u2591\u2584\u2588 \u2592\u2588\u2588\u2588  \u2593\u2588\u2588 \u2591\u2584\u2588 \u2592\n    \u2592\u2588\u2588\u2591\u2588\u2580 \u2591\u2588\u2588\u2584\u2584\u2584\u2584\u2588\u2588\u2592\u2593\u2593\u2584 \u2584\u2588\u2588\u2593\u2588\u2588 \u2588\u2584\u2591\u2593\u2588\u2584   \u2592\u2588\u2588   \u2588\u2588\u2592\u2588\u2588   \u2588\u2588\u2592\u2588\u2588\u2580\u2580\u2588\u2584 \u2592\u2593\u2588  \u2584\u2592\u2588\u2588\u2580\u2580\u2588\u2584\n    \u2591\u2593\u2588  \u2580\u2588\u2593\u2593\u2588   \u2593\u2588\u2588\u2592 \u2593\u2588\u2588\u2588\u2580 \u2592\u2588\u2588\u2592 \u2588\u2591\u2592\u2588\u2588\u2588\u2588\u2593\u2591 \u2588\u2588\u2588\u2588\u2593\u2592\u2591 \u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2588\u2588\u2593 \u2592\u2588\u2588\u2591\u2592\u2588\u2588\u2588\u2588\u2591\u2588\u2588\u2593 \u2592\u2588\u2588\u2592\n    \u2591\u2592\u2593\u2588\u2588\u2588\u2580\u2592\u2592\u2592   \u2593\u2592\u2588\u2591 \u2591\u2592 \u2592  \u2592 \u2592\u2592 \u2593\u2592\u2592\u2592\u2593  \u2592\u2591 \u2592\u2591\u2592\u2591\u2592\u2591\u2591 \u2592\u2591\u2592\u2591\u2592\u2591\u2591 \u2592\u2593 \u2591\u2592\u2593\u2591\u2591 \u2592\u2591 \u2591 \u2592\u2593 \u2591\u2592\u2593\u2591\n    \u2592\u2591\u2592   \u2591  \u2592   \u2592\u2592 \u2591 \u2591  \u2592  \u2591 \u2591\u2592 \u2592\u2591\u2591 \u2592  \u2592  \u2591 \u2592 \u2592\u2591  \u2591 \u2592 \u2592\u2591  \u2591\u2592 \u2591 \u2592\u2591\u2591 \u2591  \u2591 \u2591\u2592 \u2591 \u2592\u2591\n     \u2591    \u2591  \u2591   \u2592  \u2591       \u2591 \u2591\u2591 \u2591 \u2591 \u2591  \u2591\u2591 \u2591 \u2591 \u2592 \u2591 \u2591 \u2591 \u2592   \u2591\u2591   \u2591   \u2591    \u2591\u2591   \u2591\n     \u2591           \u2591  \u2591 \u2591     \u2591  \u2591     \u2591       \u2591 \u2591     \u2591 \u2591    \u2591       \u2591  \u2591  \u2591\n          \u2591         \u2591              
\u2591\n\n\n    Your finest PE backdooring companion.\n    Mariusz Banach \/ mgeeky '22, (@mariuszbit)\n    &lt;mb@binary-offensive.com&gt;\n\nusage: RedBackdoorer.py &#091;options] &lt;mode&gt; &lt;shellcode&gt; &lt;infile&gt;\n\noptions:\n  -h, --help            show this help message and exit\n\nRequired arguments:\n  mode                  PE Injection mode, see help epilog for more details.\n  shellcode             Input shellcode file\n  infile                PE file to backdoor\n\nOptional arguments:\n  -o PATH, --outfile PATH\n                        Path where to save output file with watermark injected. If not given, will modify infile.\n  -v, --verbose         Verbose mode.\n\nBackdooring options:\n  -n NAME, --section-name NAME\n                        If shellcode is to be injected into a new PE section, define that section name. Section name must not be longer than 7 characters. Default: .qcsw\n  -i IOC, --ioc IOC     Append IOC watermark to injected shellcode to facilitate implant tracking.\n\nAuthenticode signature options:\n  -r, --remove-signature\n                        Remove PE Authenticode digital signature since its going to be invalidated anyway.\n\n------------------\n\nPE Backdooring &lt;mode&gt; consists of two comma-separated options.\nFirst one denotes where to store shellcode, second how to run it:\n\n&lt;mode&gt;\n\n    save,run\n      |   |\n      |   +---------- 1 - change AddressOfEntryPoint\n      |               2 - hijack branching instruction at Original Entry Point (jmp, call, ...)\n      |               3 - setup TLS callback\n      |\n      +-------------- 1 - store shellcode in the middle of a code section\n                      2 - append shellcode to the PE file in a new PE section\nExample:\n\n    py RedBackdoorer.py 1,2 beacon.bin putty.exe putty-infected.exe\n<\/code><\/pre>\n\n\n\n<h2 class=\"has-text-align-center has-light-green-cyan-background-color has-background wp-block-heading\"><a 
href=\"https:\/\/github.com\/mgeeky\/ProtectMyTooling#cobalt-strike-integration\"><\/a>Cobalt Strike Integration<\/h2>\n\n\n\n<p>There is also a script that integrates <code>ProtectMyTooling.py<\/code>, used as a wrapper around the configured PE\/.NET Packers\/Protectors, in order to easily transform input executables into their protected and compressed output forms and then upload or use them from within Cobalt Strike.<\/p>\n\n\n\n<p>The idea is to have an automated process of protecting all of the uploaded binaries or .NET assemblies used by execute-assembly, and to forget about protecting or obfuscating them manually before each usage. The added benefit of an automated approach to transforming executables is the ability to have the same executable protected anew each time it&#8217;s used, resulting in unique samples launched on target machines. That should nicely deceive EDR\/AV enterprise-wide IOC sweeps looking for the same artefact on different machines.<\/p>\n\n\n\n<p>Additionally, the protected-execute-assembly command has the ability to look for assemblies of which only the name was given in a preconfigured assemblies directory (set in the dotnet_assemblies_directory setting).<\/p>\n\n\n\n<p>To use it:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Load <code>CobaltStrike\/ProtectMyTooling.cna<\/code> in your Cobalt Strike.<\/li>\n\n\n\n<li>Go to the menu and set up all the options.<\/li>\n\n\n\n<li>Then in your Beacon&#8217;s console you&#8217;ll have the following commands available:<\/li>\n<\/ol>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>protected-execute-assembly<\/code> &#8211; Executes a local, previously protected and compressed .NET program in-memory on the target.<\/li>\n\n\n\n<li><code>protected-upload<\/code> &#8211; Takes an input file, protects it if it is a PE executable and then uploads that file to the specified remote location.<\/li>\n<\/ul>\n\n\n\n<p>Basically these commands open the input files and pass them 
first to the <code>CobaltStrike\/cobaltProtectMyTooling.py<\/code> script, which in turn calls out to <code>ProtectMyTooling.py<\/code>. As soon as the binary is obfuscated, it is passed to your Beacon for execution\/uploading.<\/p>\n\n\n\n<h2 class=\"has-text-align-center has-light-green-cyan-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/mgeeky\/ProtectMyTooling#cobalt-strike-related-options\"><\/a>Cobalt Strike related Options<\/h2>\n\n\n\n<p>Here&#8217;s a list of options required by the Cobalt Strike integrator:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>python3_interpreter_path<\/code> &#8211; Specify a path to the Python3 interpreter executable<\/li>\n\n\n\n<li><code>protect_my_tooling_dir<\/code> &#8211; Specify a path to the ProtectMyTooling main directory<\/li>\n\n\n\n<li><code>protect_my_tooling_config<\/code> &#8211; Specify a path to the ProtectMyTooling configuration file with the various packers&#8217; options<\/li>\n\n\n\n<li><code>dotnet_assemblies_directory<\/code> &#8211; Specify the local path where .NET assemblies should be looked for if not found by execute-assembly<\/li>\n\n\n\n<li><code>cache_protected_executables<\/code> &#8211; Enable to cache already protected executables and reuse them when needed<\/li>\n\n\n\n<li><code>protected_executables_cache_dir<\/code> &#8211; Specify a path to a directory that should store cached protected executables<\/li>\n\n\n\n<li><code>default_exe_x86_packers_chain<\/code> &#8211; Native x86 EXE executables protectors\/packers chain<\/li>\n\n\n\n<li><code>default_exe_x64_packers_chain<\/code> &#8211; Native x64 EXE executables protectors\/packers chain<\/li>\n\n\n\n<li><code>default_dll_x86_packers_chain<\/code> &#8211; Native x86 DLL executables protectors\/packers chain<\/li>\n\n\n\n<li><code>default_dll_x64_packers_chain<\/code> &#8211; Native x64 DLL executables protectors\/packers chain<\/li>\n\n\n\n<li><code>default_dotnet_packers_chain<\/code> &#8211; .NET executables 
protectors\/packers chain<\/li>\n<\/ul>\n\n\n\n<h2 class=\"has-text-align-center has-light-green-cyan-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/mgeeky\/ProtectMyTooling#known-issues\"><\/a>Known Issues<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>ScareCrow<\/code> is very tricky to run from Windows. What worked for me is the following:\n<ol class=\"wp-block-list\">\n<li>Run on Windows 10 and have WSL installed (<code>bash.exe<\/code> command available in Windows)<\/li>\n\n\n\n<li>Have <code>golang<\/code> installed in WSL at version <code>1.16+<\/code> (tested on <code>1.18<\/code>)<\/li>\n\n\n\n<li>Make sure to have <code>PackerScareCrow.Run_ScareCrow_On_Windows_As_WSL = True<\/code> set<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"has-text-align-center has-light-green-cyan-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/mgeeky\/ProtectMyTooling#credits-due--used-technology\"><\/a>Credits due &amp; used technology<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>All packer, obfuscator, converter and loader credits go to their authors. This tool is merely a wrapper around their technology!\n<ul class=\"wp-block-list\">\n<li>Hopefully none of them mind me adding such wrappers. 
Should there be concerns &#8211; please reach out to me.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><em>ProtectMyTooling<\/em> also uses <a href=\"https:\/\/github.com\/moloch--\/denim\"><code>denim.exe<\/code><\/a> by <strong>moloch--<\/strong> for some Nim-based packers.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"has-text-align-center has-light-green-cyan-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/mgeeky\/ProtectMyTooling#todo\"><\/a>TODO<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Write a custom PE injector and offer it as a &#8220;protector&#8221;<\/li>\n\n\n\n<li>Add watermarking to other file formats such as Office documents, WSH scripts (VBS, JS, HTA) and containers<\/li>\n\n\n\n<li>Add support for a few other Packers\/Loaders\/Generators in the upcoming future:\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/github.com\/med0x2e\/GadgetToJScript\"><code>GadgetToJScript<\/code><\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/Tylous\/Limelighter\"><code>Limelighter<\/code><\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/phra\/PEzor\"><code>PEzor<\/code><\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/rapid7\/metasploit-framework\"><code>msfvenom<\/code><\/a> &#8211; two variants, one for input shellcode, the other for an executable<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"has-text-align-center has-light-green-cyan-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/mgeeky\/ProtectMyTooling#disclaimer\"><\/a>Disclaimer<\/h2>\n\n\n\n<p>Use of this tool, as well as any other projects I&#8217;m the author of, for illegal purposes, unsolicited hacking or cyber-espionage is strictly prohibited. 
This and other tools I distribute help professional Penetration Testers, Security Consultants, Security Engineers and other security personnel in improving their customer networks&#8217; cyber-defence capabilities.<br>In no event shall the authors or copyright holders be liable for any claim, damages or other liability arising from illegal use of this software.<\/p>\n\n\n\n<p>If there are concerns, copyright issues, threats posed by this software or other inquiries &#8211; I am open to collaborate in responsibly addressing them.<\/p>\n\n\n\n<p>The tool exposes a handy interface for using mostly open-source or commercially available packers\/protectors\/obfuscation software, therefore not introducing any immediately new threats to the cyber-security landscape as is.<\/p>\n\n\n\n<div class=\"wp-block-buttons is-layout-flex wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button aligncenter\"><a class=\"wp-block-button__link wp-element-button\" href=\"https:\/\/github.com\/mgeeky\/ProtectMyTooling\" target=\"_blank\" rel=\"noreferrer noopener\">Click Here To Download<\/a><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>ProtectMyTooling is a script that wraps around multitude of packers, protectors, obfuscators, shellcode loaders, encoders, generators to produce complex protected Red Team implants. Your perfect companion in Malware Development CI\/CD pipeline, helping watermark your artifacts, collect IOCs, backdoor and more. 
ProtectMyToolingGUI.py With ProtectMyTooling you can quickly obfuscate your binaries without having to worry about clicking [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":27568,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhSKGFPM_KojZEjFJ2K9TDcmJ0kuVNoeM_64Urm4n5e42LE0AiR3EbGH5QVkabBTCxgcWLp_Hd5GB1c4yp9fVHYhzRFuvjNnsM9SWmORi2wLTl9CyiNkNi6DFM4cYIDQBUSDmS9ruzjH5vzAlrlX_EjT4tok7373oJlVkqmP3BaSWDk9PcdBSUASyj7\/s728\/ProtectMyTooling.png","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[28],"tags":[5729,3983,5727,5726,5728],"class_list":["post-27560","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-kali","tag-encoders","tag-iocs","tag-obfuscators","tag-protectmytooling","tag-shellcode-loaders"],"yoast_head_json":{"title":"ProtectMyTooling : Multi-Packer Wrapper Letting Us Daisy-Chain","description":"ProtectMyTooling is a script that wraps around multitude of packers, protectors, obfuscators, shellcode loaders, encoders","canonical":"https:\/\/kalilinuxtutorials.com\/protectmytooling\/","og_type":"article","og_site_name":"Kali Linux Tutorials","article_published_time":"2022-11-08T04:50:42+00:00","article_modified_time":"2022-11-08T04:50:44+00:00","author":"R K","twitter_creator":"@CyberEdition","twitter_site":"@CyberEdition","twitter_misc":{"Written by":"R K","Est. reading time":"17 minutes"}},"jetpack_featured_media_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhSKGFPM_KojZEjFJ2K9TDcmJ0kuVNoeM_64Urm4n5e42LE0AiR3EbGH5QVkabBTCxgcWLp_Hd5GB1c4yp9fVHYhzRFuvjNnsM9SWmORi2wLTl9CyiNkNi6DFM4cYIDQBUSDmS9ruzjH5vzAlrlX_EjT4tok7373oJlVkqmP3BaSWDk9PcdBSUASyj7\/s728\/ProtectMyTooling.png","jetpack_sharing_enabled":true}
The obfuscated app retains the same functionality as the original\u2026","rel":"","context":"In &quot;Kali Linux&quot;","block_context":{"text":"Kali Linux","link":"https:\/\/kalilinuxtutorials.com\/category\/kali\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":23117,"url":"https:\/\/kalilinuxtutorials.com\/php-malware-finder\/","url_meta":{"origin":27560,"position":3},"title":"Php-Malware-Finder : Detect Potentially Malicious PHP Files","author":"R K","date":"March 22, 2022","format":false,"excerpt":"PHP-malware-finder does its very best to detect obfuscated\/dodgy code as well as files using PHP functions often used in malwares\/webshells. The following list of encoders\/obfuscators\/webshells are also detected: BantamBest PHP ObfuscatorCarbylamineCipher DesignCyklodevJoes Web Tools ObfuscatorP.A.SPHP JiamiPhp Obfuscator EncodeSpinObfWeevely3atomikucobra obfuscatornanonovahotphpencodetenncweb-malware-collectionwebtoolsvn Of course it's\u00a0trivial\u00a0to bypass PMF, but its goal is to catch\u2026","rel":"","context":"In &quot;Kali Linux&quot;","block_context":{"text":"Kali Linux","link":"https:\/\/kalilinuxtutorials.com\/category\/kali\/"},"img":{"alt_text":"","src":"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEjXCuvX3j6RYEyafaB2-l-YNcb7vds2nAfOH5N7zot5TNVmW6dwek9R7EhidHtavfNDLZ3SOG1TFgcuNEpMA6aztaS82APN_9oOD3ubKRBcbbdb8nUoUm_WR6m9i1r1T6-ThJefCzB3qdkc2ac_SC3q7mfDCAQLDJDB-BMU6BJM5yDfcyfkfsXU7Uke=s608","width":350,"height":200,"srcset":"https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEjXCuvX3j6RYEyafaB2-l-YNcb7vds2nAfOH5N7zot5TNVmW6dwek9R7EhidHtavfNDLZ3SOG1TFgcuNEpMA6aztaS82APN_9oOD3ubKRBcbbdb8nUoUm_WR6m9i1r1T6-ThJefCzB3qdkc2ac_SC3q7mfDCAQLDJDB-BMU6BJM5yDfcyfkfsXU7Uke=s608 1x, https:\/\/blogger.googleusercontent.com\/img\/a\/AVvXsEjXCuvX3j6RYEyafaB2-l-YNcb7vds2nAfOH5N7zot5TNVmW6dwek9R7EhidHtavfNDLZ3SOG1TFgcuNEpMA6aztaS82APN_9oOD3ubKRBcbbdb8nUoUm_WR6m9i1r1T6-ThJefCzB3qdkc2ac_SC3q7mfDCAQLDJDB-BMU6BJM5yDfcyfkfsXU7Uke=s608 
1.5x"},"classes":[]},{"id":36201,"url":"https:\/\/kalilinuxtutorials.com\/odinldr\/","url_meta":{"origin":27560,"position":4},"title":"OdinLdr : Advancing Red Team Stealth And Efficiency With Draugr And Cobalt Strike\u2019s UDRLs","author":"Varshini","date":"February 7, 2025","format":false,"excerpt":"The OdinLdr and Draugr tools, alongside Cobalt Strike's User-Defined Reflective Loader (UDRL), represent advanced mechanisms for enhancing stealth and flexibility in red team operations. These tools leverage innovative techniques to bypass endpoint detection and response (EDR) systems and optimize post-exploitation tasks. Key Features Of OdinLdr And Draugr Synthetic Stackframe for\u2026","rel":"","context":"In &quot;Cyber security&quot;","block_context":{"text":"Cyber security","link":"https:\/\/kalilinuxtutorials.com\/category\/cyber-security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/02\/OdinLdr.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/02\/OdinLdr.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/02\/OdinLdr.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/02\/OdinLdr.webp?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/02\/OdinLdr.webp?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/02\/OdinLdr.webp?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":35296,"url":"https:\/\/kalilinuxtutorials.com\/ulfberht\/","url_meta":{"origin":27560,"position":5},"title":"Ulfberht : Advanced Techniques For Shellcode Loading And Evasion","author":"Varshini","date":"November 27, 2024","format":false,"excerpt":"Ulfberht is a sophisticated shellcode loader designed to enhance operational security and evasion capabilities in 
cyber operations. Equipped with features like indirect syscalls, module stomping, and encrypted payloads, it minimizes the digital footprint on targeted systems. This article delves into Ulfberht's functionality, offering a step-by-step guide on its deployment and\u2026","rel":"","context":"In &quot;Exploitation Tools&quot;","block_context":{"text":"Exploitation Tools","link":"https:\/\/kalilinuxtutorials.com\/category\/et\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjnGAdS2LvFqOhcFvmA6kPYoWgAogm3VIuolKPIx58AnXDBw-z-rBAuioJs_JRdE82UaRN-tNZn1af-yUkzh_pIbt1wh26IekK3IR95-fw72K3iS26Rje3rT_LwyJLgorVmY-MtcSuu1EN50R71i7voZ3_SkPra33hYUYdgEucD99_ZWFzRErLKmD0wwgIi\/s1600\/Ulfberht%20.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjnGAdS2LvFqOhcFvmA6kPYoWgAogm3VIuolKPIx58AnXDBw-z-rBAuioJs_JRdE82UaRN-tNZn1af-yUkzh_pIbt1wh26IekK3IR95-fw72K3iS26Rje3rT_LwyJLgorVmY-MtcSuu1EN50R71i7voZ3_SkPra33hYUYdgEucD99_ZWFzRErLKmD0wwgIi\/s1600\/Ulfberht%20.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjnGAdS2LvFqOhcFvmA6kPYoWgAogm3VIuolKPIx58AnXDBw-z-rBAuioJs_JRdE82UaRN-tNZn1af-yUkzh_pIbt1wh26IekK3IR95-fw72K3iS26Rje3rT_LwyJLgorVmY-MtcSuu1EN50R71i7voZ3_SkPra33hYUYdgEucD99_ZWFzRErLKmD0wwgIi\/s1600\/Ulfberht%20.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjnGAdS2LvFqOhcFvmA6kPYoWgAogm3VIuolKPIx58AnXDBw-z-rBAuioJs_JRdE82UaRN-tNZn1af-yUkzh_pIbt1wh26IekK3IR95-fw72K3iS26Rje3rT_LwyJLgorVmY-MtcSuu1EN50R71i7voZ3_SkPra33hYUYdgEucD99_ZWFzRErLKmD0wwgIi\/s1600\/Ulfberht%20.webp?resize=700%2C400&ssl=1 2x, 
https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjnGAdS2LvFqOhcFvmA6kPYoWgAogm3VIuolKPIx58AnXDBw-z-rBAuioJs_JRdE82UaRN-tNZn1af-yUkzh_pIbt1wh26IekK3IR95-fw72K3iS26Rje3rT_LwyJLgorVmY-MtcSuu1EN50R71i7voZ3_SkPra33hYUYdgEucD99_ZWFzRErLKmD0wwgIi\/s1600\/Ulfberht%20.webp?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjnGAdS2LvFqOhcFvmA6kPYoWgAogm3VIuolKPIx58AnXDBw-z-rBAuioJs_JRdE82UaRN-tNZn1af-yUkzh_pIbt1wh26IekK3IR95-fw72K3iS26Rje3rT_LwyJLgorVmY-MtcSuu1EN50R71i7voZ3_SkPra33hYUYdgEucD99_ZWFzRErLKmD0wwgIi\/s1600\/Ulfberht%20.webp?resize=1400%2C800&ssl=1 4x"},"classes":[]}],"_links":{"self":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts\/27560","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/comments?post=27560"}],"version-history":[{"count":5,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts\/27560\/revisions"}],"predecessor-version":[{"id":27565,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts\/27560\/revisions\/27565"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/media\/27568"}],"wp:attachment":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/media?parent=27560"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/categories?post=27560"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/tags?post=27560"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}