go env -w GOPROXY=https://goproxy.cn
# 使用國內原
go build ScareCrow.go
# 編譯
查看幫助
./ScareCrow -h
_________ _________ / _____/ ____ _____ _______ ____ \_ ___ \_______ ______ _ __\_____ \_/ ___\\__ \\_ __ \_/ __ \/ \ \/\_ __ \/ _ \ \/ \/ // \ \___ / __ \| | \/\ ___/\ \____| | \( <_> ) /
/_______ /\___ >____ /__| \___ >\______ /|__| \____/ \/\_/ \/ \/ \/ \/ \/ (@Tyl0us)“Fear, you must understand is more than a mere obstacle. Fear is a TEACHER. the first one you ever had.”Usage of ./ScareCrow:-I stringPath to the raw 64-bit shellcode.-Loader stringSets the type of process that will sideload the malicious payload:[*] binary - Generates a binary based payload. (This type does not benfit from any sideloading) [*] control - Loads a hidden control applet - the process name would be rundll32 if -O is specified a JScript loader will be generated.[*] dll - Generates just a DLL file. Can executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions.[*] excel - Loads into a hidden Excel process using a JScript loader.[*] msiexec - Loads into MSIexec process using a JScript loader.[*] wscript - Loads into WScript process using a JScript loader.(default "binary")-O stringName of output file (e.g. loader.js or loader.hta). If Loader is set to dll or binary this option is not required.-configfile stringThe path to a json based configuration file to generate custom file attributes. This will not use the the default ones.-consoleOnly for Binary Payloads - Generates verbose console information when the payload is executed. This will disable the hidden window feature.-delivery stringGenerates a one-liner command to download and execute the payload remotely:[*] bits - Generates a Bitsadmin one liner command to download, execute and remove the loader (Compatible with Binary, Control, Excel and Wscript Loaders).[*] hta - Generates a blank hta file containing the loader along with a MSHTA command execute the loader remotely in the background (Compatible with Control and Excel Loaders). [*] macro - Generates an office macro that will download and execute the loader remotely (Compatible with Control, Excel and Wscript Loaders)-domain stringThe domain name to use for creating a fake code signing cert. (e.g. www.acme.com) -etwEnables ETW patching to prevent ETW events from being generated-injection stringEnables Process Injection Mode and specify the path to the process to create/inject into (use \ for the path).-password stringThe password for code signing cert. Required when -valid is used.-sandboxEnables sandbox evasion using IsDomainedJoined calls.-unmodifiedWhen enabled will generate a DLL loader that WILL NOT removing the EDR hooks in system DLLs and only use custom syscalls (set to false by default)-url stringURL associated with the Delivery option to retrieve the payload. (e.g. https://acme.com/)-valid stringThe path to a valid code signing cert. Used instead -domain if a valid code signing cert is desired.
