Simple packer for arbitrary data using only .NET API calls. Produces a unique signature with every usage. Standalone program and library. Algorithm: Data <-> GZip <-> AES-256 <-> Base64.
MIT License
Packs/unpacks arbitrary data using a simple Data -> Gzip -> AES -> Base64 algorithm. Generates a random AES-256 key and and IV and provides them to the user. Can be used to pack or unpack arbitrary data. Provided both as a program and a library.
There are several advantages of EasyNet:
Because the key must (probably) be sent along with the packed file to be unpacked on the other end, EasyNet does not provide a high degree of confidentiality. However, it is not intended to. Rather, it is intended to obfuscate arbitrary data to prevent it from being analyzed by automated defenses. Every time the same data is packed with EasyNet, the result possesses a unique signature. A human (or educated machine) could pick out the key from the stream and use it to unpack the accompanying data. However, that would require pre-existing knowledge of the implementation of EasyNet and the tool that uses it. That is unlikely, and is the chance that this tool bets on. In case EasyNet becomes understood by defenders, the source is provided so that the implementation may be easily modified.
One way to use this is with a non-packed wrapper. The wrapper is provided with a key and some packed data. At runtime, the wrapper unpacks the data using EasyNet and the provided key.
An example wrapper is provided by the ExampleWrapper folder. That example can unpack data passed in as a command-line argument, an embedded blob, or a file resource in the Assembly. Whichever way it is passed in, the example will unpack it, assume that it is a .NET Assembly, and then load it using Reflection. Command-line arguments may be passed in. If used with something like Cobalt Strike's execute-assembly, this results in a heavily obfuscated blob that may only be reversed if it is pulled out of memory in a short time-window at runtime along with the key, and then unpacked using knowledge of EasyNet for inspection. It is incredibly unlikely that this would ever occur, or that anyone will (soon) develop the capability to do such. At this point, the signaturable element would be the wrapper, which would be very easy to modify for signature avoidance.
EasyNet could also be used to protect exfiltrated data. Or, to bypass DLP (Data-Loss Prevention). Or, many other things. Really, it could be used for many purposes that I have not predicted or intended. That, to me, is the mark of a good tool. ;-)
Language: C# (.NET 3.5 compatible)
Usage to pack: EasyNet.exe --pack input_file [output_file]
Usage to unpack: EasyNet.exe --unpack AES_Key AES_IV input_file [output_file]
The result of the packing and unpacking algorithms are written to stdout. All other output is written to stderr. As a result, you may safely use pipe redirection for output as demonstrated below.
As you can see, the AES key and IV are randomly generated every time EasyNet is used. This produces a unique signature for every instance of the packed data.
To unpack the data, simply provide the AES key and IV that were provided when the data was packed. Pipe redirection works in the same way as packing.
Examples:
Packs the contents of testinput.txt and writes the result to testoutput.txt.
Packs the contents of testinput.txt and prints the result to the screen.
Packs the contents of testinput.txt and pipes the result into your clipboard so that it may be pasted elsewhere.
Packs the contents of testinput.txt and pipes the result to a file.
Unpacks the contents of testoutput.txt using the specified AES key and IV and prints the result.
Unpacks the contents of testoutput.txt using the specified AES key and IV and writes the result to testunpackedoutput.txt.
WARNING: When using pipe redirectiong for packing (as demonstrated above), avoid using Powershell. It automatically writes all output to the console as Unicode. However, C# reads the input file (for unpacking) as ASCII. As there is no clean way to detect the encoding of the packed input and I cannot (from within C#) force Powershell to output ASCII, I suggest that you avoid using Powershell for packing and instead use CMD.exe. It is friendlier.
A usage guide for the EasyNet Library and ExampleWrapper are provided in their subdirectories.
ATT&CK ID: T1045
Technique Name: Software Packing
ATT&CK Framework Link: https://attack.mitre.org/techniques/T1045/